Before this patch, NSSCertDBTrustDomain::FindIssuer would iterate over its
candidate list (a CERTCertList) twice. This would have made it difficult to add
in candidate issuers from other sources (see e.g. bug 1514118, wherein the goal
is to bypass NSS' view of what certificates exist to facilitate third
party/enterprise roots). This patch reorganizes this function to make future
improvements easier.
Differential Revision: https://phabricator.services.mozilla.com/D16341
--HG--
extra : moz-landing-system : lando
As originally written, the keychain-backed secret storing implementation would
not overwrite a secret if prompted to generate or recover one with a label that
was already in use. Since libsecret and credential manager both do this by
default, this change makes the keychain-backed implementation behave the same
way.
Differential Revision: https://phabricator.services.mozilla.com/D15697
--HG--
extra : moz-landing-system : lando
Only STATE_SECURE_HIGH is used, and that's only in instances where
STATE_IS_SECURE is also used, so we can remove the security level
flags and just assume STATE_IS_SECURE is also STATE_SECURE_HIGH.
Differential Revision: https://phabricator.services.mozilla.com/D15600
--HG--
extra : moz-landing-system : lando
Enough linux-based systems don't have libsecret that we can't make it a
requirement on linux. For those that do, however, we can dynamically load the
library at runtime. For those that don't, we can fall back to NSS.
Differential Revision: https://phabricator.services.mozilla.com/D9969
--HG--
extra : moz-landing-system : lando
Allow access to device-id and vendor-id IOKit properties needed for AppleIntelHD3000GraphicsGLDriver.
Fixes a crash in the AppleIntelHD3000GraphicsGLDriver userland driver which is used in some 2011-era Macs.
Differential Revision: https://phabricator.services.mozilla.com/D15528
--HG--
extra : moz-landing-system : lando
This collects SSL_TIME_UNTIL_HANDSHAKE_FINISHED dependent on the key group used. This is nice to have in general and especially for the ecdhe-sidh thing.
Differential Revision: https://phabricator.services.mozilla.com/D13524
--HG--
extra : moz-landing-system : lando
In Bug 1499846 we added support for OSX to do Keychain-based reauthentication.
On newer versions of OSX, it's possible to instead do TouchID/FaceID for bio-
metric reauthentication, with a fallback to Keychain.
This implements that functionality. There's no C++ interface to access the
LocalAuthentication framework, so it adds an Objective-C method called by the
existing OSReauthenticator methods to perform its work.
Differential Revision: https://phabricator.services.mozilla.com/D11700
--HG--
extra : moz-landing-system : lando
This is a best effort attempt at ensuring that the adverse impact of
reformatting the entire tree over the comments would be minimal. I've used a
combination of strategies including disabling of formatting, some manual
formatting and some changes to formatting to work around some clang-format
limitations.
Differential Revision: https://phabricator.services.mozilla.com/D13371
--HG--
extra : moz-landing-system : lando
DecodeInclusionProof as originally implemented used the wrong convention - its
input argument should have always been an Input rather than a Reader.
Differential Revision: https://phabricator.services.mozilla.com/D11811
--HG--
extra : moz-landing-system : lando
The original implementation of Certificate Transparency included a definition
for the first version of the Signed Tree Head data structure but it was never
actually used. Now that we're implementing Binary Transparency, we need to
implement support for Signed Tree Head V2. Because the focus and approach are
different, the first step is to remove the original implementation.
Differential Revision: https://phabricator.services.mozilla.com/D11810
--HG--
extra : moz-landing-system : lando
The tables in SandboxFilterUtil.cpp should remain vertically aligned,
but clang-format would disagree. This patch excludes that region from
reformatting, and applies the other changes that clang-format would make
there.
Differential Revision: https://phabricator.services.mozilla.com/D12499
--HG--
extra : moz-landing-system : lando
Until more analysis is done, add back access to com.apple.CoreServices.coreservicesd to avoid extra allocations that are triggered when the service is blocked.
Differential Revision: https://phabricator.services.mozilla.com/D12479
--HG--
extra : moz-landing-system : lando
We shouldn't reenter DataStorageSharedThread::Shutdown(), but it may be
possible. To guard against potentially attempting to shut down the shared thread
more than once, we can check gDataStorageSharedThreadShutDown first.
Differential Revision: https://phabricator.services.mozilla.com/D12050
--HG--
extra : moz-landing-system : lando
This adds a hard coded number of retries for Windos re-auth.
I also changed to always return NS_OK unless a real error occurred to make this behave like the macOS version.
Differential Revision: https://phabricator.services.mozilla.com/D11438
--HG--
extra : moz-landing-system : lando
Judging by some stack traces we've received in crash reports, while shutting
down the DataStorageSharedThread, it is possible to process an event on that
thread that causes an attempt to re-initialize DataStorage. This wouldn't be a
problem because we have a shutdown sentinel boolean and we exit early if it is
true. However, checking the boolean involves acquiring the static lock for the
thread, which means we can't be holding the lock while we're shutting down the
thread.
Differential Revision: https://phabricator.services.mozilla.com/D11708
--HG--
extra : moz-landing-system : lando
Don't start the sandbox until after the port exchange so the parent process does not have to wait longer in ContentParent::LaunchSubprocess() for the (expensive) sandbox_init_with_parameters call to complete in the child. Remove the policy rule allowing access to the parent port now that it is already open when the sandbox is initialized and therefore not needed.
Differential Revision: https://phabricator.services.mozilla.com/D11186
--HG--
extra : moz-landing-system : lando
mingw-clang, when using SEH exceptions, compile these fine but don't unwind
them properly. When using sj/lj exceptions it can't compile them at all.
--HG--
extra : histedit_source : 4bda121d4d60ab6e7cf51a3d4287261c81904fe2
Add the /private/var directory to the list of file-read-metadata paths to avoid rendering issues on macOS 10.14 when sandbox early startup is enabled.
Differential Revision: https://phabricator.services.mozilla.com/D9933
--HG--
extra : moz-landing-system : lando
The original threading model of OSKeyStore could lead to a deadlock if an
asynchronous event were dispatched and then the isNSSKeyStore attribute were
queried. This patch removes that pitfall by moving the determination of the
attribute to OSKeyStore rather than the underlying implementation.
Additionally, the original threading model was inefficient in that it created
and destroyed a thread per asynchronous operation. This patch reworks this to
only ever create one worker thread.
Differential Revision: https://phabricator.services.mozilla.com/D9299
--HG--
extra : moz-landing-system : lando
In bug 1475775, we added code to remove the old NSS key DB if the user has set a
password on the grounds that the old DB could potentially be unencrypted and
contain secrets. However, we did so with the assumption that we were using the
new DB, which is not necessarily true when the system has been configured to
always use the old DB, as with some RedHat products. This patch checks for the
existence of the new DB before proceeding with deleting the old DB. Technically
this isn't sufficient, because the new DB could be present even if we're not
using it. However, we've already gone far into "this configuration isn't
supported" territory.
Differential Revision: https://phabricator.services.mozilla.com/D9318
--HG--
extra : moz-landing-system : lando
This patch morphs MasterPassword.jsm to OSKeyStore.jsm while keeping the same
API, as an adaptor between the API and the native API exposed as nsIOSKeyStore.idl.
Noted that OS Key Store has the concept of "recovery phrase" that we won't
be adopting here. The recovery phrase, together with our label, allow
the user to re-create the same key in OS key store.
Test case changes are needed because we have started asking for login in
places where we'll only do previously when "master password is enabled".
This also made some "when master password is enabled" tests invalid because
it is always considered enabled.
Some more test changes are needed simply because they previously rely on the
stable order of microtask resolutions (and the stable # of promises for a
specific operation). That has certainly changed with OSKeyStore.
The credit card form autofill is only enabled on Nightly.
Differential Revision: https://phabricator.services.mozilla.com/D4498
--HG--
rename : browser/extensions/formautofill/MasterPassword.jsm => browser/extensions/formautofill/OSKeyStore.jsm
rename : browser/extensions/formautofill/test/browser/browser_creditCard_fill_master_password.js => browser/extensions/formautofill/test/browser/browser_creditCard_fill_cancel_login.js
extra : rebase_source : cabbd8cdec86e5b3965cf1c8b6e635b73b6c2095
extra : histedit_source : 65e71057104465553fefa1d0b293580efed53075
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command line allowing for early sandbox startup.
Pref'd off behind "security.sandbox.content.mac.earlyinit" until it's ready to be enabled by default.
Once early startup is enabled by default and considered stable, the original sandbox startup code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR. Change APP_PATH to be the path to the parent process .app directory and make GetAppPath return this path when called from the parent or a child process.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
This is a straightforward patch.
Just add a new attribute in nsIProtocolProxyService to indicate whether PAC is still loading. If yes, fail the OCSP request.
Differential Revision: https://phabricator.services.mozilla.com/D9154
--HG--
extra : moz-landing-system : lando
Before this patch, Necko functions polling the state of TLS sockets
(essentially, TransportSecurityInfo) would cause a considerable amount of
locking on TransportSecurityInfo::mMutex instances via GetErrorCode(). Most of
this code only cared if an error had been set via SetCanceled(), so this patch
adds an atomic boolean mCanceled (and associated accessor GetCanceled()) that
can be used to the same effect but without acquiring the lock.
Differential Revision: https://phabricator.services.mozilla.com/D8754
--HG--
extra : moz-landing-system : lando
The compiler warns that jobLevel is uninitialized if none of the if-else
conditions are true. Simply replacing the leading assert with a
"else crash" tells the compiler that case will never actually happen.
Differential Revision: https://phabricator.services.mozilla.com/D8841
--HG--
extra : moz-landing-system : lando
Allow NPAPI sandbox to use restricting SIDs. This hardens the plugin sandbox.
Differential Revision: https://phabricator.services.mozilla.com/D8746
--HG--
extra : moz-landing-system : lando
If nsSecureBrowserUIImpl::OnLocationChange receives a
LOCATION_CHANGE_SAME_DOCUMENT notification, it doesn't need to (and in fact
shouldn't) update its security state or notify downstream listeners.
Differential Revision: https://phabricator.services.mozilla.com/D8900
--HG--
extra : moz-landing-system : lando
The desired outcome of this change is that we'll set
-Wl,--version-script based on linker kind and not on the output of
$LINKER -v.
This is a cheap way to address a simple problem that has a complicated
ideal solution. The underlying issue is that in some situations, when
targeting Android, a macOS system ld is interrogated to determine if
a cross-compiling linker "is GNU ld" and a particular linker feature
is set in that situation. The macOS system ld doesn't pass the "is
GNU ld" test, and the linker feature isn't set; that causes link
failures, even though the actual linker has nothing to do with the
system ld.
The ideal solution is to test for linker capabilities dynamically. We
do a lot of that in old-configure.in, and we don't do any of that in
toolchain.configure. Rather than start testing in
toolchain.configure, we hard-code: a cheap solution to the immediate
problem.
MinGW suffers somewhat from the opposite problem: the linker "is GNU
ld" (compatible), but the linker checks don't happen at all. We hard-code
for MinGW based on the C compiler instead.
Differential Revision: https://phabricator.services.mozilla.com/D8471
--HG--
extra : moz-landing-system : lando
In reimplementing the OCSP fetching code in bug 1456489, we improperly
translated an assertion that relied on the nullness of a pointer to rely on the
length of a data structure that was populated by reference. It turns out that
this made the assertion invalid because we could return a successful result and
have filled the data structure with zero-length data and it still would be valid
to operate on (the decoding code returns a malformed input result in this case).
To fix this, we can simply remove the assertion. This patch also adds a test to
exercise this case.
Differential Revision: https://phabricator.services.mozilla.com/D8883
--HG--
extra : moz-landing-system : lando
This patch morphs MasterPassword.jsm to OSKeyStore.jsm while keeping the same
API, as an adaptor between the API and the native API exposed as nsIOSKeyStore.idl.
Noted that OS Key Store has the concept of "recovery phrase" that we won't
be adopting here. The recovery phrase, together with our label, allow
the user to re-create the same key in OS key store.
Test case changes are needed because we have started asking for login in
places where we'll only do previously when "master password is enabled".
This also made some "when master password is enabled" tests invalid because
it is always considered enabled.
Some more test changes are needed simply because they previously rely on the
stable order of microtask resolutions (and the stable # of promises for a
specific operation). That has certainly changed with OSKeyStore.
The credit card form autofill is only enabled on Nightly.
Differential Revision: https://phabricator.services.mozilla.com/D4498
--HG--
rename : browser/extensions/formautofill/MasterPassword.jsm => browser/extensions/formautofill/OSKeyStore.jsm
rename : browser/extensions/formautofill/test/browser/browser_creditCard_fill_master_password.js => browser/extensions/formautofill/test/browser/browser_creditCard_fill_cancel_login.js
extra : moz-landing-system : lando
This patch introduces the interface with a stub implementation that does
nothing. Follow-up bugs will add platform-specific implementations.
Differential Revision: https://phabricator.services.mozilla.com/D8480
--HG--
extra : moz-landing-system : lando
Before this patch, if a TLS handshake completed but the server then closed the
connection without reading or writing, Firefox would display a connection reset
error page with a secure lock icon. This is misleading and confusing, so in this
patch, nsSecureBrowserUIImpl::OnLocationChange checks if an error page is being
loaded and sets the state to not secure.
Differential Revision: https://phabricator.services.mozilla.com/D8472
--HG--
extra : moz-landing-system : lando
The desired outcome of this change is that we'll set
`-Wl,--version-script` based on linker kind and not on the output of
`$LINKER -v`.
This is a cheap way to address a simple problem that has a complicated
ideal solution. The underlying issue is that in some situations, when
targeting Android, a macOS system `ld` is interrogated to determine if
a cross-compiling linker "is GNU ld" and a particular linker feature
is set in that situation. The macOS system `ld` doesn't pass the "is
GNU ld" test, and the linker feature isn't set; that causes link
failures, even though the actual linker has nothing to do with the
system `ld`.
The ideal solution is to test for linker capabilities dynamically. We
do a lot of that in old-configure.in, and we don't do any of that in
toolchain.configure. Rather than start testing in
toolchain.configure, we hard-code: a cheap solution to the immediate
problem.
Differential Revision: https://phabricator.services.mozilla.com/D8471
--HG--
extra : moz-landing-system : lando
The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes.
Differential Revision: https://phabricator.services.mozilla.com/D7532
--HG--
extra : moz-landing-system : lando
The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes.
Differential Revision: https://phabricator.services.mozilla.com/D7532
--HG--
extra : moz-landing-system : lando
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command
line allowing for early sandbox startup. Limited to Nightly
until confirmed to be stable and ready to ride the trains.
Enable early sandbox startup by default on Nightly and use
pref "security.sandbox.content.mac.earlyinit" to disable
early startup for debugging purposes.
Once early startup is stable, the original sandbox startup
code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
Summary:
Resources that aren't secure (e.g. http) can be routed over secure transports
(e.g. http/2 alt-svc, https proxies). For display purposes (the site identity
widget) we don't want to treat these as secure. Bug 1040323 addressed this exact
issue but didn't include tests. Thus, when nsSecureBrowserUIImpl was
reimplemented in bug 832834, this aspect was neglected. This time, there is a
test.
Reviewers: Gijs
Tags: #secure-revision
Bug #: 1495321
Differential Revision: https://phabricator.services.mozilla.com/D7746
--HG--
extra : rebase_source : e17ec47938f41a692b41a7cf65f1d5e4b880e8a7
extra : amend_source : c445c2f5c7eff94be027e238c2f2befc91b3905a
This patch also switches all GlobalSign EV roots to using the CA/Browser Forum
EV policy OID.
Differential Revision: https://phabricator.services.mozilla.com/D8258
--HG--
extra : moz-landing-system : lando
The sandbox blocks GetTempFileName's prior response, causing the system to end up searching a number of (inaccessible) folders to use as a replacement for the temp folder. This patch provides a path to a new folder on the command line for the plugin process. This new temp folder, specific to this plugin process instance, is then communicated to the system via the TEMP/TMP environment variables. This is similar to what is done for the content process but avoids nsDirectoryService, which doesn't exist in plugin processes.
Differential Revision: https://phabricator.services.mozilla.com/D7532
--HG--
extra : moz-landing-system : lando
This patch removes linux64-jsdcov from the available builds on taskcluster along with any hacks used to run it. It also removes any 'coverage' entries that were added to skip tests.
Differential Revision: https://phabricator.services.mozilla.com/D7919
--HG--
extra : moz-landing-system : lando
The symantec distrust should now ride-the-trains in Firefox 64 Beta and Release.
Set security.pki.distrust_ca_policy to 2.
Differential Revision: https://phabricator.services.mozilla.com/D7745
--HG--
extra : moz-landing-system : lando
Only allow access to "com.apple.windowserver.active" when the pref
"security.sandbox.content.mac.disconnect-windowserver" is set to true.
Depends on D6721
Differential Revision: https://phabricator.services.mozilla.com/D7357
--HG--
extra : moz-landing-system : lando
When early initialization of the sandbox is enabled, assert that the sandbox has already been enabled in ContentProcess::Init().
Depends on D6720
Differential Revision: https://phabricator.services.mozilla.com/D6721
--HG--
extra : moz-landing-system : lando
Pass sandbox parameters to content processes on the command
line allowing for early sandbox startup. Limited to Nightly
until confirmed to be stable and ready to ride the trains.
Enable early sandbox startup by default on Nightly and use
pref "security.sandbox.content.mac.earlyinit" to disable
early startup for debugging purposes.
Once early startup is stable, the original sandbox startup
code can be removed.
Depends on D6719
Differential Revision: https://phabricator.services.mozilla.com/D6720
--HG--
extra : moz-landing-system : lando
Simplify the content sandbox policy by removing APP_BINARY_PATH and APP_DIR Mac sandbox parameters and their associated rules in the policy. Keep APP_PATH which is a parent directory of APP_BINARY_PATH and APP_DIR.
Depends on D6717
Differential Revision: https://phabricator.services.mozilla.com/D6719
--HG--
extra : moz-landing-system : lando
When navigating to an about: page that doesn't exist (e.g.
"about:somethingthatdoesnotexist"), the docShell will call
nsSecureBrowserUIImpl::OnLocationChange with a request that is null.
Consequently, we can't use that to QueryInterface to a nsISecurityEventSink to
call OnSecurityChange. The previous implementation would use the prior
request's nsISecurityEventSink, which was a bug but luckily this produced the
correct behavior. Since the original docShell the nsSecureBrowserUIImpl was
initialized with is what needs to be notified, we can just QueryInterface that
to an nsISecurityEventSink and call OnSecurityChange directly instead.
Differential Revision: https://phabricator.services.mozilla.com/D6951
--HG--
rename : browser/base/content/test/siteIdentity/browser_tls_handshake_failure.js => browser/base/content/test/siteIdentity/browser_navigation_failures.js
extra : moz-landing-system : lando
If class A is derived from class B, then an instance of class A can be
converted to B via a static cast, so a slower QI is not needed.
Differential Revision: https://phabricator.services.mozilla.com/D6861
--HG--
extra : moz-landing-system : lando
This patch removes the remaining mozilla-specific dependencies from the
certificate transparency implementation.
Depends on D6845
Differential Revision: https://phabricator.services.mozilla.com/D6846
--HG--
extra : moz-landing-system : lando
In order to make our certificate transparency implementation standalone, we
have to remove mozilla-specific dependencies such as mozilla::Vector.
Depends on D6844
Differential Revision: https://phabricator.services.mozilla.com/D6845
--HG--
extra : moz-landing-system : lando
Put the entire *.firefox.com domain in the list of sites covered by the mozilla services whitelisted roots, which currently include Digicert and Let's Encrypt.
Differential Revision: https://phabricator.services.mozilla.com/D7219
--HG--
extra : moz-landing-system : lando
