Commit Graph

16050 Commits

Author SHA1 Message Date
Bob Owen
86f8ba4dc4 Bug 1652463: Add rule to allow socket process to create server side of our IPC pipes. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D83976
2021-08-25 11:43:46 +00:00
Andi-Bogdan Postelnicu
2fc4f70e9b Bug 1725145 - Preparation for the hybrid build env. r=necko-reviewers,firefox-build-system-reviewers,valentin,glandium
Automatically generated path that adds flag `REQUIRES_UNIFIED_BUILD = True` to `moz.build`
when the module governed by the build config file is not buildable outside on the unified environment.

This needs to be done in order to have a hybrid build system that adds the possibility of combing
unified build components with ones that are built outside of the unified eco system.

Differential Revision: https://phabricator.services.mozilla.com/D122345
2021-08-25 10:46:17 +00:00
Benjamin Beurdouche
9bdc7ccc5d Bug 1724869 - land NSS fe82761e35aa UPGRADE_NSS_RELEASE, r=djackson
```
2021-08-17  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/lowpbe.c:
	Bug 1726022 Cache additional PBE entries

	Firefox password manager is slow to load (22s for 361 passwords on
	an i7), using 100% CPU and causing laptop fans to spin up

	Possible solution based on increasing the number of cache entries
	used by the PKCS5v2 values as the current code thrashes the cache as
	we use 2 pbe's per read operation.

	This patch is tested for correctness, but not fixing the issue. New
	test cases are needed.

	[fe82761e35aa] [tip]
```

Differential Revision: https://phabricator.services.mozilla.com/D123442
2021-08-24 13:19:13 +00:00
Dana Keeler
3b68845290 Bug 1724072 - allow enabling 3DES only when deprecated versions of TLS are enabled r=rmf
Chrome has removed 3DES completely[0], but we're still seeing some uses of it
in telemetry. Our assumption is that this is either due to old devices that
can't be upgraded, and hence probably use TLS 1.0, or servers that bafflingly
choose 3DES when there are other, better, ciphersuites in common.
This patch allows 3DES to only be enabled when deprecated versions of TLS are
enabled. This should protect users against the latter case (where 3DES is
unnecessary) while allowing them to use it in the former case (where it may be
necessary).

NB: The only 3DES ciphersuite gecko makes possible to enable is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. This patch also changes the preference
corresponding to this ciphersuite from "security.ssl3.rsa_des_ede3_sha" to
"security.ssl3.deprecated.rsa_des_ede3_sha".

[0] https://www.chromestatus.com/feature/6678134168485888

Differential Revision: https://phabricator.services.mozilla.com/D121797
2021-08-24 01:25:07 +00:00
ffxbld
80863c10b2 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D123322
2021-08-23 11:37:13 +00:00
Andi-Bogdan Postelnicu
92603d5088 Bug 1617369 - Reformat recent rust changes with rustfmt r=emilio,webdriver-reviewers,necko-reviewers,valentin
Updated with rustfmt 1.4.37-stable (a178d03 2021-07-26)

Differential Revision: https://phabricator.services.mozilla.com/D122815
2021-08-23 09:30:24 +00:00
R. Martinho Fernandes
fe7cd2dd7f Bug 1713603 - Use NSS only on socket thread in CertVerifier::VerifyCertificateTransparencyPolicy r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D117560
2021-08-19 16:35:28 +00:00
ffxbld
c7cfba7954 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D123079
2021-08-19 12:19:55 +00:00
Dana Keeler
8e545a80b3 Bug 1710731 - avoid unnecessary PKCS#11 module PIN prompts when looking for client certificates r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D122398
2021-08-18 20:21:37 +00:00
ffxbld
e16e09b8e7 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D122719
2021-08-16 12:17:21 +00:00
R. Martinho Fernandes
0909314705 Bug 1713602 - Use NSS only on the socket thread in NSSCertDBTrustDomain::IsChainValid r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D116879
2021-08-14 02:11:30 +00:00
Valentin Gosu
0cfda7bb4a Bug 1705659 - Static-analysis check auto fix for auth code r=necko-reviewers,dragana
Depends on D112604

Differential Revision: https://phabricator.services.mozilla.com/D112605
2021-08-12 12:39:25 +00:00
Valentin Gosu
b3d74be7b8 Bug 1705659 - Make GetAuthenticator work with nsACString r=necko-reviewers,dragana
Depends on D112602

Differential Revision: https://phabricator.services.mozilla.com/D112597
2021-08-12 12:39:22 +00:00
ffxbld
dd278ba0c0 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D122458
2021-08-12 12:24:30 +00:00
Mike Hommey
0b4372e828 Bug 1721968 - Remove support for lucetc for rlbox. r=firefox-build-system-reviewers,shravanrn,mhentges
Differential Revision: https://phabricator.services.mozilla.com/D120700
2021-08-11 21:58:52 +00:00
Alexandre Lissy
f41c9baf2b Bug 1723753 - Remove XRE_USER_SYS_EXTENSION_DEV_DIR r=handyman,robwu,haik,gcp
Differential Revision: https://phabricator.services.mozilla.com/D121647
2021-08-10 15:54:02 +00:00
Narcis Beleuzu
625f7a5de1 Backed out changeset 4f793a75cd93 (bug 1724072) for geckoview failures . CLOSED TREE 2021-08-10 19:19:35 +03:00
Dana Keeler
2a64c08522 Bug 1724072 - allow enabling 3DES only when deprecated versions of TLS are enabled r=rmf
Chrome has removed 3DES completely[0], but we're still seeing some uses of it
in telemetry. Our assumption is that this is either due to old devices that
can't be upgraded, and hence probably use TLS 1.0, or servers that bafflingly
choose 3DES when there are other, better, ciphersuites in common.
This patch allows 3DES to only be enabled when deprecated versions of TLS are
enabled. This should protect users against the latter case (where 3DES is
unnecessary) while allowing them to use it in the former case (where it may be
necessary).

NB: The only 3DES ciphersuite gecko makes possible to enable is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. This patch also changes the preference
corresponding to this ciphersuite from "security.ssl3.rsa_des_ede3_sha" to
"security.ssl3.deprecated.rsa_des_ede3_sha".

[0] https://www.chromestatus.com/feature/6678134168485888

Differential Revision: https://phabricator.services.mozilla.com/D121797
2021-08-10 15:25:37 +00:00
Nicklas Boman
cd8acaa740 Bug 1308105 - Replace PL_strpbrk with strpbrk r=xpcom-reviewers,kmag
Differential Revision: https://phabricator.services.mozilla.com/D116933
2021-08-10 11:30:39 +00:00
Benjamin Beurdouche
46e2563077 Bug 1724869 - land NSS 56238350052a UPGRADE_NSS_RELEASE, r=djackson
Differential Revision: https://phabricator.services.mozilla.com/D122202
2021-08-10 09:52:10 +00:00
ffxbld
7bf613163a No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D122093
2021-08-09 11:49:10 +00:00
Ben Hearsum
f5afc22625 Bug 1714200: skip failing xpcshell tests on M1 machines r=jmaher
Differential Revision: https://phabricator.services.mozilla.com/D121225
2021-08-06 19:16:55 +00:00
ffxbld
3b0b1c9a9a No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D121852
2021-08-05 12:14:03 +00:00
Martin Thomson
c240187284 Bug 1720464 - land NSS NSS_3_69_RTM UPGRADE_NSS_RELEASE, r=ckerschb DONTBUILD
2021-08-05  Martin Thomson  <mt@lowentropy.net>

o  	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
|  	Set version numbers to 3.69 final
|  	[2f5c77e2c5b9] [NSS_3_69_RTM] <NSS_3_69_BRANCH>
|
2021-07-30  Martin Thomson  <mt@lowentropy.net>

o  	* .hgtags:
|  	Added tag NSS_3_69_BETA1 for changeset 60211e7f03ee
|  	[51b699171a91] <NSS_3_69_BRANCH>
|
2021-07-29  Martin Thomson  <mt@lowentropy.net>

o  	* lib/ssl/sslsock.c:
|  	Bug 1722613 - Disable DTLS 1.0 and 1.1 by default, r=rrelyea
|
|  	[60211e7f03ee] [NSS_3_69_BETA1]
|
2021-07-15  Robert Relyea  <rrelyea@redhat.com>

o  	* automation/taskcluster/docker-builds/Dockerfile,
~  	automation/taskcluster/docker-gcc-4.4/Dockerfile,
   	automation/taskcluster/docker/Dockerfile, lib/softoken/sftkpwd.c,
   	tests/dbtests/dbtests.sh:
   	Bug 1720226 integrity checks in key4.db not happening on private
   	components with AES_CBC When we added support for AES, we also added
   	support for integrity checks on the encrypted components.

   	It turns out the code that verifies the integrity checks was broken
   	in 2 ways:

   	 1. it wasn't accurately operating when AES was being used (the if
   	statement wasn't actually triggering for AES_CBC because we were
   	looking for AES in the wrong field). 2. password update did not
   	update the integrity checks in the correct location, meaning any
   	database which AES encrypted keys, and which had their password
   	updated will not be able to validate their keys.

   	While we found this in a previous rebase, the patch had not been
   	pushed upstream.

   	 The attached patch needs sqlite3 to run the tests.

   	[1e86f5cfc1cd]

Differential Revision: https://phabricator.services.mozilla.com/D121837
2021-08-05 09:50:08 +00:00
stransky
2e7b1387b7 Bug 1721326 - Use small stack for DoClone(). r=jld
Patch author is Florian Weimer <fweimer 'at' redhat.com>

Differential Revision: https://phabricator.services.mozilla.com/D120709
2021-08-04 06:24:47 +00:00
Dana Keeler
f0cbaf362a Bug 1723211 - move reusable parts of osclientcerts to rsclientcerts r=rmf
Depends on D121419

Differential Revision: https://phabricator.services.mozilla.com/D121451
2021-08-03 18:34:22 +00:00
Dana Keeler
b0147ecfd1 Bug 1723211 - rework osclientcerts::manager to take a backend implementation as a trait r=rmf
Depends on D121418

Differential Revision: https://phabricator.services.mozilla.com/D121419
2021-08-03 18:34:21 +00:00
Dana Keeler
7053b26b8c Bug 1723211 - introduce error module to osclientcerts r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D121418
2021-08-03 18:34:21 +00:00
Zibi Braniecki
7b320ed8a6 Bug 1613705 - [localization] part17: Fix racy tests to wait for l10n frame. r=platform-i18n-reviewers,dminor,application-update-reviewers,nalexander
Depends on D116791

Differential Revision: https://phabricator.services.mozilla.com/D116792
2021-08-03 16:25:16 +00:00
Butkovits Atila
949da905e7 Backed out 19 changesets (bug 1613705) for causing build bustages complaining about Document.cpp. CLOSED TREE
Backed out changeset 2ee1091dd20d (bug 1613705)
Backed out changeset d377afc0b09f (bug 1613705)
Backed out changeset de9d4378f0ac (bug 1613705)
Backed out changeset 9843372abb6e (bug 1613705)
Backed out changeset 5fc5918e5905 (bug 1613705)
Backed out changeset a7aeae7afd49 (bug 1613705)
Backed out changeset 5d61617a5402 (bug 1613705)
Backed out changeset 85bf98573899 (bug 1613705)
Backed out changeset 175af8a1b8c2 (bug 1613705)
Backed out changeset 93fcb23d7898 (bug 1613705)
Backed out changeset 595529cd906f (bug 1613705)
Backed out changeset 9f3e2963d925 (bug 1613705)
Backed out changeset 442289058933 (bug 1613705)
Backed out changeset fc3b9acb0e81 (bug 1613705)
Backed out changeset 408983c64f7f (bug 1613705)
Backed out changeset 08b637fc3fcd (bug 1613705)
Backed out changeset 6ef0aafd2db0 (bug 1613705)
Backed out changeset d88b294e0a5e (bug 1613705)
Backed out changeset e6bebff87544 (bug 1613705)
2021-08-03 12:36:01 +03:00
Zibi Braniecki
0bf7c83400 Bug 1613705 - [localization] part17: Fix racy tests to wait for l10n frame. r=platform-i18n-reviewers,dminor,application-update-reviewers,nalexander
Depends on D116791

Differential Revision: https://phabricator.services.mozilla.com/D116792
2021-08-03 05:52:06 +00:00
ffxbld
2831cbf797 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D121518
2021-08-02 11:35:31 +00:00
Zibi Braniecki
9b6ec8c442 Bug 1660392 - [l10nregistry] part10: Fix mozapps update test to await for gAppUpdater. r=application-update-reviewers,bytesized
Differential Revision: https://phabricator.services.mozilla.com/D121126
2021-07-30 16:47:50 +00:00
Christoph Kerschbaumer
7aa6219ad0 Bug 1723086: Annotate all mixed content tests so that https-first does not interfere with them r=lyavor
Differential Revision: https://phabricator.services.mozilla.com/D121341
2021-07-30 09:12:46 +00:00
Alexandre Lissy
5064274394 Bug 1718210 - Enable SandboxTest on Windows/Debug r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D121047
2021-07-29 15:07:24 +00:00
ffxbld
293f05bd5a No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D121171
2021-07-29 13:29:32 +00:00
Christoph Kerschbaumer
4a6250387f Bug 1719272: Annotate failing browser/ tests to potentially enable https-first mode in Nightly r=webcompat-reviewers,denschub,webdriver-reviewers,preferences-reviewers,Gijs,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D119177
2021-07-28 19:16:16 +00:00
Sandor Molnar
68cdec0548 Backed out changeset 7eb8945dd8e3 (bug 1719272) for causing bustages in gecko decision task. CLOSED TREE 2021-07-28 19:47:06 +03:00
Christoph Kerschbaumer
bb716f0701 Bug 1719272: Annotate failing browser/ tests to potentially enable https-first mode in Nightly r=webcompat-reviewers,denschub,webdriver-reviewers,preferences-reviewers,Gijs,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D119177
2021-07-28 16:08:07 +00:00
Alexandre Lissy
e59f6995be Bug 1718084 - Test allow $HOME/.config and block $HOME/.config/mozilla/ r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D119179
2021-07-27 08:07:22 +00:00
Alexandre Lissy
583a763b25 Bug 1718084 - Block access to $HOME/.config/mozilla/ r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D119180
2021-07-27 08:07:21 +00:00
Alexandre Lissy
6301b3cd09 Bug 1718084 - Reorganize test for lower complexity r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D119375
2021-07-27 08:07:21 +00:00
ffxbld
24499204c2 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=pascalc
Differential Revision: https://phabricator.services.mozilla.com/D120836
2021-07-26 15:45:06 +00:00
Benjamin Beurdouche
a1a5fc3aa9 Bug 1720464 - land NSS e9236397be13 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/build_artifacts.rst, doc/rst/community.rst,
	doc/rst/getting_started.rst, doc/rst/index.rst, doc/rst/more.rst,
	doc/rst/releases/index.rst, doc/rst/releases/nss_3_64.rst,
	doc/rst/releases/nss_3_65.rst, doc/rst/releases/nss_3_66.rst,
	doc/rst/releases/nss_3_67.rst, doc/rst/releases/nss_3_68.rst:
	Documentation: update and release notes for NSS 3.64 to 3.68
	[e9236397be13] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* gtests/ssl_gtest/nss_policy.h,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h:
	Bug 1720235 SSL handling of signature algorithms ignores
	environmental invalid algorithms.

	Our QA is quite extensive on handling of alert corner cases. Our
	code that checks if a signature algorithm is supported ignores the
	role of policy. If SHA1 is turned off by policy, for instance, we
	only detect that late in the game. This shows up in our test cases
	as decrypt_alerts rather than illegal_parameter or handshake_error
	alerts. It also shows up in us apparently accepting a client auth
	request which only has invalid alerts.

	We also don't handle filtering out signature algorithms that are
	illegal in tls 13 mode.

	This patch not only fixes these issues, but also issues where we
	proposing signature algorithms in server mode that we don't support
	by policy.

	This patch includes:

	In gtests: 1) adding support for policy in ssl_gtests. Currently
	both the server an client will run with the same policy. The patch
	allows us to set policy on one and keeping the old policy on the
	other.

	2) Update extension tests which failed in tls 1.3 because the patch
	now correctly rejects illegal tls 1.3 auth values. The test was
	updated to use a legal auth value in tls 1.3 (so we are correctly
	testing the format issue.

	3) Update extension tests to handle the case where we try to use an
	illegal value for tls 1.3.

	4) add tests to ssl_auth_unittests.cc to make sure we can properly
	connect even when several auth methods are turned off by policy
	(make sure we don't advertize them on the client side, and that the
	server doesn't select them when the client doesn't advertize them).

	5) add tests to ssl_auth_unittests.cc to make sure we don't send
	empty client auth requests when the requester only sends invalid
	auth requests.

	patch itself: 1) The handling of policy checks for ssl schemes were
	scattered in various locations. I've consolidated them into a single
	function. That function now checks for NSS_ALG_USE_IN_ANY_SIGNATURE
	as if this is off by policy, we will fail if we try to use the
	algorithm in a signature in any case. NSS now supports policy on all
	signature algorithms, not just DSA, so we need to check the policy
	of all the algorithms.

	2) to support the policy check on the signature algorithms, I added
	a new ssl_AuthTypeToOID, which also replaces our switch in checking
	if the SPKI matches our auth type.

	 3) ssl_SignatureSchemeValid now accepts an spkiOid of
	SEC_OID_UNKNOWN. To allow us to filter signature schemes based on
	version and policy restrictions before we try to select a
	certificate. This prevents us from sending empty client auth
	messages when we are presented with only invalid signature schemes.

	4) We filter supported algorithms against policy early, preventing
	us from sending, or even setting invalid algorithms if they are
	turned off by policy.

	5) ssl ConsumeSignatureScheme was handling alerts inconsistently.
	The Consume could send an allert in it's failure case, but the check
	of scheme validity wouldn't sent an alert. The collers were
	inconstent as well. Now ssl_ConsumeSignatureScheme always sends and
	alert on failure, and the callers do not.

	[c71bb1bedf7d]
```

Differential Revision: https://phabricator.services.mozilla.com/D120787
2021-07-24 17:26:14 +00:00
Benjamin Beurdouche
dde8b5dd22 Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/index.rst:
	Display warning on the new NSS documentation
	[8f41147c2192] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/sdb.c:
	Bug 1721476 sqlite 3.34 changed it's open semantics, causing nss
	failures.

	https://sqlite.org/forum/info/42cf8e985bb051a2

	sqlite is now permissive on opening a readonly file even if you ask
	for the file to be opened R/W.

	normally sqlite is very conservative in changing it's underlying
	semantics, but evidently they chose convience over compatibility.
	NSS now needs to check the file permissions itself to preserve nss
	semantics.

	[f2d34a957599]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* tests/common/init.sh, tests/common/parsegtestreport.sed,
	tests/common/parsegtestreport.sh, tests/gtests/gtests.sh,
	tests/ssl_gtests/ssl_gtests.sh:
	Bug 1720230 Gtest update changed the gtest reports, losing gtest
	details in all.sh reports.

	This patch includes the updated .sed script, and an experiment using
	bash instead to see how hard it would be to make a more robust
	parser.

	The robust parser generates identical output as sed, but takes about
	30x longer, so instead of subsecond operations, it takes almost half
	a minute. With that result, I think we can stay with sed and
	continue to update when we get new versions of gtests. (sigh).

	time cat report.xml.0 | sed -f parsegtestreport.sed > r1

	real 0m0.710s user 0m0.705s sys 0m0.008s

	time cat report.xml.0 | sh parsegtestreport.sh > r2

	real 0m25.066s user 0m17.759s sys 0m9.506s [rrelyea@localhost
	common]$ diff r1 r2

	updated: with review comments from Martin and move the report
	parsing to the common code so it can be shared with both ssl_gtests
	and gtests shell scripts.

	[f12856d5d2c2]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c:
	Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS
	mode

	When NSS is in FIPS mode, it should reject all primes smaller than
	2048. The ike 1536 prime is in the accepted primes table. In FIPS
	mode it should be rejected.

	[d2ec946e601a]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* cmd/manifest.mn, cmd/sdbthreadtst/Makefile,
	cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c,
	cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c,
	lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
	Bug 1720232 SQLite calls could timeout in starvation situations.

	Some of our servers could cause random failures when trying to
	generate many key pairs from multiple threads. This is caused
	because some threads would starve long enough for them to give up on
	getting a begin transaction on sqlite. sqlite only allows one
	transaction at a time.

	Also, there were some bugs in error handling of the broken
	transaction case where NSS would try to cancel a transation after
	the begin failed (most cases were correct, but one case in
	particular was problematic).

	[b54b0d41e51b]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c,
	lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c,
	lib/softoken/sftkike.c:
	Bug 1720225 Coverity/cpp scanner errors found in nss 3.67

	A number of coverity/scanner issues were found in the kdf code which
	was added in nss 3.44 and the fixes never upstreamed, as well as
	coverity/scanner errors in nss 3.66. Not all errors were fixed,
	those errors which were determined to be false positives were just
	recorded. No attempt has been made to fix coverity/scanner errors in
	gtests.

	[d1b9709d8861]
```

Differential Revision: https://phabricator.services.mozilla.com/D120624
2021-07-23 09:23:50 +00:00
Dorel Luca
df0ba034a0 Backed out changeset 94ca8dafa006 (bug 1720464) for Browser-chrome failures in browser/base/content/test/performance/browser_startup_mainthreadio.js. UPGRADE_NSS_RELEASE CLOSED TREE 2021-07-22 20:49:30 +03:00
Benjamin Beurdouche
9753f750fd Bug 1720464 - land NSS 8f41147c2192 UPGRADE_NSS_RELEASE, r=beurdouche
```
2021-07-22  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* doc/rst/index.rst:
	Display warning on the new NSS documentation
	[8f41147c2192] [tip]

2021-07-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/sdb.c:
	Bug 1721476 sqlite 3.34 changed it's open semantics, causing nss
	failures.

	https://sqlite.org/forum/info/42cf8e985bb051a2

	sqlite is now permissive on opening a readonly file even if you ask
	for the file to be opened R/W.

	normally sqlite is very conservative in changing it's underlying
	semantics, but evidently they chose convience over compatibility.
	NSS now needs to check the file permissions itself to preserve nss
	semantics.

	[f2d34a957599]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* tests/common/init.sh, tests/common/parsegtestreport.sed,
	tests/common/parsegtestreport.sh, tests/gtests/gtests.sh,
	tests/ssl_gtests/ssl_gtests.sh:
	Bug 1720230 Gtest update changed the gtest reports, losing gtest
	details in all.sh reports.

	This patch includes the updated .sed script, and an experiment using
	bash instead to see how hard it would be to make a more robust
	parser.

	The robust parser generates identical output as sed, but takes about
	30x longer, so instead of subsecond operations, it takes almost half
	a minute. With that result, I think we can stay with sed and
	continue to update when we get new versions of gtests. (sigh).

	time cat report.xml.0 | sed -f parsegtestreport.sed > r1

	real 0m0.710s user 0m0.705s sys 0m0.008s

	time cat report.xml.0 | sh parsegtestreport.sh > r2

	real 0m25.066s user 0m17.759s sys 0m9.506s [rrelyea@localhost
	common]$ diff r1 r2

	updated: with review comments from Martin and move the report
	parsing to the common code so it can be shared with both ssl_gtests
	and gtests shell scripts.

	[f12856d5d2c2]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/softoken_dh_vectors.h, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c:
	Bug 1720228 NSS incorrectly accepting 1536 bit DH primes in FIPS
	mode

	When NSS is in FIPS mode, it should reject all primes smaller than
	2048. The ike 1536 prime is in the accepted primes table. In FIPS
	mode it should be rejected.

	[d2ec946e601a]

2021-07-15  Robert Relyea  <rrelyea@redhat.com>

	* cmd/manifest.mn, cmd/sdbthreadtst/Makefile,
	cmd/sdbthreadtst/manifest.mn, cmd/sdbthreadtst/sdbthreadtst.c,
	cmd/sdbthreadtst/sdbthreadtst.gyp, lib/softoken/sdb.c,
	lib/softoken/sftkdb.c, nss.gyp, tests/dbtests/dbtests.sh:
	Bug 1720232 SQLite calls could timeout in starvation situations.

	Some of our servers could cause random failures when trying to
	generate many key pairs from multiple threads. This is caused
	because some threads would starve long enough for them to give up on
	getting a begin transaction on sqlite. sqlite only allows one
	transaction at a time.

	Also, there were some bugs in error handling of the broken
	transaction case where NSS would try to cancel a transation after
	the begin failed (most cases were correct, but one case in
	particular was problematic).

	[b54b0d41e51b]

2021-07-13  Robert Relyea  <rrelyea@redhat.com>

	* lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11hpke.c,
	lib/softoken/kbkdf.c, lib/softoken/sftkhmac.c,
	lib/softoken/sftkike.c:
	Bug 1720225 Coverity/cpp scanner errors found in nss 3.67

	A number of coverity/scanner issues were found in the kdf code which
	was added in nss 3.44 and the fixes never upstreamed, as well as
	coverity/scanner errors in nss 3.66. Not all errors were fixed,
	those errors which were determined to be false positives were just
	recorded. No attempt has been made to fix coverity/scanner errors in
	gtests.

	[d1b9709d8861]
```

Differential Revision: https://phabricator.services.mozilla.com/D120624
2021-07-22 13:53:32 +00:00
Benjamin Beurdouche
4582da2473 Bug 1709817 - Enable NSS documentation in firefox-src-tree. r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D119913
2021-07-22 12:10:19 +00:00
ffxbld
10795c51f3 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D120594
2021-07-22 11:55:25 +00:00
Kashav Madan
5781dca888 Bug 1720688 - Support extended attribute syntax in protocol declarations, r=mccr8
Differential Revision: https://phabricator.services.mozilla.com/D119975
2021-07-22 02:24:43 +00:00