Commit Graph

16050 Commits

Author SHA1 Message Date
Christoph Kerschbaumer
543135c5fd Bug 1716500: Update test browser_HSTS.js to work with https-first enabled in PBM r=bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D117736
2021-06-15 08:30:42 +00:00
Landry Breuil
2885db7706 Bug 1713745 - include nsXULAppAPI.h to reach GeckoProcessType definition r=gcp
Otherwise the build fails on OpenBSD:
In file included from security/sandbox/common/SandboxSettings.cpp:7:
/usr/obj/m-c/dist/include/mozilla/SandboxSettings.h:39:26: error: unknown type name 'GeckoProcessType'
bool StartOpenBSDSandbox(GeckoProcessType type);

Differential Revision: https://phabricator.services.mozilla.com/D116633
2021-06-14 17:17:24 +00:00
ffxbld
13e469a9fb No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D117636
2021-06-14 13:05:01 +00:00
Dana Keeler
ef0a88c6f2 Bug 1715142 - introduce nsIPublicKeyPinningService and remove 'type' parameter from nsISiteSecurityService r=rmf,necko-reviewers
The public key pinning implementation is much less complex than the HSTS
implementation, and only needs a small subset of the parameters of the latter.
Furthermore, the information it relies on is static, and so is safe to access
from content processes. This patch separates the two implementations, thus
simplifying both of them and avoiding some unnecessary IPC calls in the
process.

Differential Revision: https://phabricator.services.mozilla.com/D117096
2021-06-12 01:12:25 +00:00
Dana Keeler
20319689f0 Bug 1715142 - convert pinning to use a static pref r=rmf
This patch converts the pinning preference
"security.cert_pinning.enforcement_level" to be static. It also removes some
unused pinning preferences and parameters.

Differential Revision: https://phabricator.services.mozilla.com/D117095
2021-06-12 01:12:25 +00:00
Dana Keeler
cd240f895e Bug 1715142 - clear the TLS session cache in SetDisableAllSecurityChecksAndLetAttackersInterceptMyData r=rmf
Previously, SetDisableAllSecurityChecksAndLetAttackersInterceptMyData would
only work as expected if another operation happened to clear the TLS session
cache (namely, changing a preference that caused nsNSSComponent to change its
TLS options and clear the TLS session cache). This patch ensures that this
function works without relying on such coincidences.

Differential Revision: https://phabricator.services.mozilla.com/D117495
2021-06-12 01:12:24 +00:00
Butkovits Atila
e4394b27a2 Backed out 3 changesets (bug 1715142) for causing build bustages. CLOSED TREE
Backed out changeset 7e67994f6a65 (bug 1715142)
Backed out changeset f58d5156f332 (bug 1715142)
Backed out changeset f8a7bd4519c6 (bug 1715142)
2021-06-11 21:20:02 +03:00
Dana Keeler
f84faf1bf5 Bug 1715142 - introduce nsIPublicKeyPinningService and remove 'type' parameter from nsISiteSecurityService r=rmf,necko-reviewers
The public key pinning implementation is much less complex than the HSTS
implementation, and only needs a small subset of the parameters of the latter.
Furthermore, the information it relies on is static, and so is safe to access
from content processes. This patch separates the two implementations, thus
simplifying both of them and avoiding some unnecessary IPC calls in the
process.

Differential Revision: https://phabricator.services.mozilla.com/D117096
2021-06-11 17:58:19 +00:00
Dana Keeler
26694f522d Bug 1715142 - convert pinning to use a static pref r=rmf
This patch converts the pinning preference
"security.cert_pinning.enforcement_level" to be static. It also removes some
unused pinning preferences and parameters.

Differential Revision: https://phabricator.services.mozilla.com/D117095
2021-06-11 17:58:19 +00:00
Dana Keeler
6c87c3560b Bug 1715142 - clear the TLS session cache in SetDisableAllSecurityChecksAndLetAttackersInterceptMyData r=rmf
Previously, SetDisableAllSecurityChecksAndLetAttackersInterceptMyData would
only work as expected if another operation happened to clear the TLS session
cache (namely, changing a preference that caused nsNSSComponent to change its
TLS options and clear the TLS session cache). This patch ensures that this
function works without relying on such coincidences.

Differential Revision: https://phabricator.services.mozilla.com/D117495
2021-06-11 17:58:18 +00:00
Iulian Moraru
955a3ab572 Backed out 2 changesets (bug 1715142) for causing marionette failures on test_navigation.py and mochitest failures on browser_setIgnoreCertificateErrors.js. CLOSED TREE
Backed out changeset 83206685ca0b (bug 1715142)
Backed out changeset ab3060a5f69e (bug 1715142)
2021-06-11 02:45:34 +03:00
Dana Keeler
f3c620e4c3 Bug 1715142 - introduce nsIPublicKeyPinningService and remove 'type' parameter from nsISiteSecurityService r=rmf,necko-reviewers
The public key pinning implementation is much less complex than the HSTS
implementation, and only needs a small subset of the parameters of the latter.
Furthermore, the information it relies on is static, and so is safe to access
from content processes. This patch separates the two implementations, thus
simplifying both of them and avoiding some unnecessary IPC calls in the
process.

Differential Revision: https://phabricator.services.mozilla.com/D117096
2021-06-10 22:13:32 +00:00
Dana Keeler
50526906b2 Bug 1715142 - convert pinning to use a static pref r=rmf
This patch converts the pinning preference
"security.cert_pinning.enforcement_level" to be static. It also removes some
unused pinning preferences and parameters.

Differential Revision: https://phabricator.services.mozilla.com/D117095
2021-06-10 22:13:31 +00:00
ffxbld
51e47c5f62 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D117410
2021-06-10 14:50:41 +00:00
Julien Cristau
8376ac4322 Bug 1713766 - land NSS NSS_3_67_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche,aryx
Differential Revision: https://phabricator.services.mozilla.com/D117422
2021-06-10 13:25:03 +00:00
Dana Keeler
dc0d26aaef Bug 1714263 - remove expired intermediate preloading telemetry r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D117085
2021-06-09 22:33:13 +00:00
Dana Keeler
81b6f5967b Bug 1714263 - remove expired CRLITE_RESULT telemetry histogram r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D117084
2021-06-09 22:33:12 +00:00
Dana Keeler
16983654e9 Bug 1687570 - remove nsIX509Cert.keyUsages r=johannh,dveditz
nsIX509Cert.keyUsages is only used by the front-end. As of bug 1688703, the new
certificate viewer utility files can be used anywhere in the front-end to
decode certificates. Since this code is JS instead of C/C++, this is
preferrable from the standpoint of reducing attack surface.

Differential Revision: https://phabricator.services.mozilla.com/D113197
2021-06-09 21:54:57 +00:00
Alexandre Lissy
6b0aef97c6 Bug 1715461 - Improve ARM64 syscall generation r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D117270
2021-06-09 13:51:19 +00:00
Alexandre Lissy
6070f4b26f Bug 1715254 - Deny clone3 to force glibc fallback r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D117297
2021-06-09 13:45:28 +00:00
R. Martinho Fernandes
d63b379cfd Bug 1703944 - Enable EV Treatment for ANF Secure Server Root CA r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D116754
2021-06-07 21:37:24 +00:00
R. Martinho Fernandes
24cea1c7ed Bug 1707099 - Enable EV Treatment for Certum root certs ownd by Asseco r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D116752
2021-06-07 21:37:23 +00:00
R. Martinho Fernandes
fff6a0bc5e Bug 1697074 - Enable EV Treatment for e-commerce monitoring's GLOBALTRUST 2020 root certificate r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D116750
2021-06-07 21:37:23 +00:00
ffxbld
3efbffd2cc No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D116991
2021-06-07 12:14:53 +00:00
Kershaw Chang
e9963421a1 Bug 1711971 - Make connection coalescing works for http3, r=necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D115528
2021-06-07 09:52:31 +00:00
David Parks
78bd808d59 Bug 1682030 - Remove OSX flash sandbox. r=haik
Removes the Flash sandbox descriptor as part of removing all NPAPI plugin support.

Differential Revision: https://phabricator.services.mozilla.com/D108097
2021-06-06 23:26:26 +00:00
ffxbld
6a258cbbf9 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D116890
2021-06-04 20:23:51 +00:00
Alexandre Lissy
f82be201dc Bug 1714459 - Remove duplicated linux/arm64 syscalls definitions r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D116827
2021-06-04 14:11:32 +00:00
Alexandre Lissy
95528d6cb2 Bug 1713776 - Allow faccessat2 r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D116597
2021-06-03 20:04:08 +00:00
Alexandre Lissy
686d342f66 Bug 1714315 - Unregister sandbox test observers r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D116708
2021-06-03 17:26:17 +00:00
Alexandre Lissy
6b5f586e94 Bug 1710625 - SandboxTest with SocketProcess r=necko-reviewers,handyman,jld,kershaw
Differential Revision: https://phabricator.services.mozilla.com/D114861
2021-06-03 06:45:59 +00:00
M. Sirringhaus
a44abd1d0d Bug 1696359 - Broken build on arm/arm64 with older kernel (missing __NR_statx, __NR_rseq) r=jld
Differential Revision: https://phabricator.services.mozilla.com/D107206
2021-06-03 00:07:21 +00:00
Dana Keeler
1b9fd10c83 Bug 1701192 - don't allow third-party loads to set HSTS state r=annevk,necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D115715
2021-06-02 16:52:19 +00:00
R. Martinho Fernandes
7ea1bcd018 Bug 1597600 - make certificate overrides depend on origin attributes r=keeler,geckoview-reviewers,smaug,agi
Differential Revision: https://phabricator.services.mozilla.com/D91962
2021-06-01 06:55:07 +00:00
Brindusan Cristian
6ac5d624e0 Backed out changeset 3dff613dd244 for causing failures in nsSocketTransport2.cpp.
CLOSED TREE
2021-05-31 15:24:58 +03:00
ffxbld
1037e442e6 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D116365
2021-05-31 11:09:20 +00:00
Brindusan Cristian
ca49f15f7d Backed out 14 changesets (bug 1705659, bug 472823, bug 669675) as requested by valentin for causing regressions. CLOSED TREE
Backed out changeset d920aa17a468 (bug 669675)
Backed out changeset adad38c05584 (bug 1705659)
Backed out changeset 361c177ed131 (bug 1705659)
Backed out changeset 46e559f45338 (bug 1705659)
Backed out changeset 3c9556a8df55 (bug 1705659)
Backed out changeset a179695a56c9 (bug 1705659)
Backed out changeset e688986c7011 (bug 1705659)
Backed out changeset de990e6c944d (bug 1705659)
Backed out changeset 0ea348abee78 (bug 1705659)
Backed out changeset 2f0aacbd42b1 (bug 1705659)
Backed out changeset c977551bad6e (bug 1705659)
Backed out changeset 5449d9e08034 (bug 1705659)
Backed out changeset b6b51bc167ac (bug 1705659)
Backed out changeset 27e709923ecb (bug 472823)
2021-05-31 13:16:34 +03:00
Dorel Luca
211b017ce9 Backed out changeset 089c88b9657b (bug 1597600) for XPCshell failures in toolkit/components/cleardata/tests/unit/test_certs.js. CLOSED TREE 2021-05-29 23:31:00 +03:00
R. Martinho Fernandes
a9e55ea7fc Bug 1597600 - make certificate overrides depend on origin attributes r=keeler,geckoview-reviewers,smaug,agi
Differential Revision: https://phabricator.services.mozilla.com/D91962
2021-05-29 19:34:35 +00:00
Benjamin Beurdouche
f86f71efeb Bug 1711262 - land NSS NSS_3_66_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-28  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.66 final
	[46633639570c] [NSS_3_66_RTM] <NSS_3_66_BRANCH>

	* .hgtags:
	Added tag NSS_3_66_BETA1 for changeset ef591b9d25a3
	[9904a426633e] <NSS_3_66_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D116223
2021-05-28 10:37:43 +00:00
Joel Maher
2e841d22cb Bug 1704640 - Move mochitest browser-chrome / media from osx 10.14 to osx 10.15. r=ahal,preferences-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D115951
2021-05-27 16:06:03 +00:00
ffxbld
1bf6f19298 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D116105
2021-05-27 14:31:44 +00:00
Iulian Moraru
38414bfb41 Backed out changeset 54267d9f3d78 (bug 1701192) for causing mochitest failures on test_hsts_upgrade_intercept.html. CLOSED TREE DONTBUILD 2021-05-27 03:17:12 +03:00
Dana Keeler
0c2f477cee Bug 1701192 - don't allow third-party loads to set HSTS state r=annevk,necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D115715
2021-05-26 23:33:53 +00:00
Dana Keeler
ed3c20ccb5 Bug 1712848 - avoid OS APIs that normalize distinguished names in osclientcerts r=rmf
SecCertificateCopyNormalizedIssuerSequence and
SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I
know). This means that if the output from these functions is used to identify
certificates, naively comparing bytes will result in mismatches. Since
normalization is unnecessary and unwanted, we should avoid these functions in
osclientcerts.

Differential Revision: https://phabricator.services.mozilla.com/D115942
2021-05-26 20:16:29 +00:00
Valentin Gosu
69c6a23516 Bug 1705659 - Static-analysis check auto fix for auth code r=necko-reviewers,dragana
Depends on D112604

Differential Revision: https://phabricator.services.mozilla.com/D112605
2021-05-26 09:27:21 +00:00
Valentin Gosu
1fb3a73493 Bug 1705659 - Make auth code use nsACString instead of raw char pointers r=necko-reviewers,dragana
Depends on D112597

Differential Revision: https://phabricator.services.mozilla.com/D112598
2021-05-26 09:27:19 +00:00
Benjamin Beurdouche
b3d2b323ab Bug 1711262 - land NSS ef591b9d25a3 UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-25  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1710716 - Remove Expired Sonera Class2 CA from NSS. r=bwilson

	Depends on D115882

	[ef591b9d25a3] [tip]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis
	Root Certification Authority. r=bwilson

	Depends on D115877

	[f7ff828026cd]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1708307 - Remove Trustis FPS Root CA from NSS. r=bwilson

	[4ef15c2043cf]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1707097 - Add Certum Trusted Root CA to NSS. r=bwilson

	Depends on D115890

	[4f4982362348]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1707097 - Add Certum EC-384 CA to NSS. r=bwilson

	Depends on D115889

	[171e74b54ca4]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1703942 - Add ANF Secure Server Root CA to NSS. r=bwilson

	Depends on D115888

	[e189b4f85ce5]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS. r=bwilson

	[487e89fcb141]

2021-05-20  Robert Relyea  <rrelyea@redhat.com>

	* doc/certutil.xml, doc/html/certutil.html, doc/html/derdump.html,
	doc/html/modutil.html, doc/html/pk12util.html, doc/html/pp.html,
	doc/html/signver.html, doc/html/ssltap.html, doc/modutil.xml,
	doc/nroff/certutil.1, doc/nroff/crlutil.1, doc/nroff/derdump.1,
	doc/nroff/modutil.1, doc/nroff/pk12util.1, doc/nroff/pp.1,
	doc/nroff/signtool.1, doc/nroff/signver.1, doc/nroff/ssltap.1,
	doc/nroff/vfychain.1, doc/nroff/vfyserv.1, doc/pk12util.xml,
	doc/signver.xml:
	Bug 1712184 NSS tools manpages need to be updated to reflect that
	sqlite is the default database.

	This patch does 2 things:

	1) update certutil.xml pk12util.xml modutil.xml and signver.xml to
	reflect the fact the the sql database is default. Many of these also
	has examples of specifying sql:dirname which is now the default. I
	did not replace them with dbm:dirname since we don't want to
	encourage regressing back. The one exception is in the paragraph
	explaining how to get to the old database format.

	2) I ran make in the diretory to update the .1 and .html files
	generated from the .xml files. There are a number of old updates to
	the .xml files which haven't been picked up in their corresponding
	html or man page files. This updates are included in this patch.

	It is really only necessary to review the changes to the .xml files,
	the rest were reviewed when their patches were applied.

	bob

	[da25615e92c8]

2021-05-24  Mike Hommey  <mh@glandium.org>

	* lib/freebl/freebl.gyp:
	Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler.
	r=bbeurdouche

	Like intel-gcm.s.

	[2300e178c90f]

2021-05-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/freebl/blapi.h:
	Bug 1712211 Strict prototype error when trying to compile nss code
	that includes blapi.h

	in blapi.h, strict prototypes compiles fail on: extern
	BLAKE2BContext *BLAKE2B_NewContext();

	This patch fixes that problem.

	[207465bda46a]

Differential Revision: https://phabricator.services.mozilla.com/D115972
2021-05-26 07:56:40 +00:00
Henrik Skupin
fa4fbb78b4 Bug 1695031 - Combine build flags --disable-marionette and --enable-cdp as --disable-webdriver. r=firefox-build-system-reviewers,Gijs,smaug,keeler,jdescottes,glandium
Differential Revision: https://phabricator.services.mozilla.com/D115583
2021-05-25 09:13:28 +00:00
Andi-Bogdan Postelnicu
1cf28e7475 Bug 1519636 - Reformat recent changes to the Google coding style. r=emilio
Updated with clang-format version 12.0.0 (taskcluster-KEgO7qdgQ8uaewA6NkRnRA)

Differential Revision: https://phabricator.services.mozilla.com/D115804
2021-05-24 15:08:47 +00:00
ffxbld
bf49b309c8 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D115803
2021-05-24 13:18:18 +00:00
R. Martinho Fernandes
9bd879aa56 Bug 1706999 - Remove CheckForStartComOrWoSign r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D113135
2021-05-20 23:13:18 +00:00
Chris Martin
1d91d0549c Bug 1709383 - Add Win32k Lockdown status to about:support and Crash Reporter r=gsvelto,flod,bobowen,mossop,fluent-reviewers,chutten
- Move the decision logic for Win32k Lockdown to a common area where it can
  be re-used
- Cache the Win32k Lockdown state, since the result will never change
- Add IDL to allow JavaScript to query it
- Add it to the "about:support" page
- Add an annotation to Crash Reporter after the first time it's read

Differential Revision: https://phabricator.services.mozilla.com/D114850
2021-05-20 19:28:59 +00:00
Chris Martin
8cbf8ae88c Bug 1709383 - Gate Win32k Lockdown on whether WebRender is actually enabled r=bobowen
Win32k Lockdown requires WebRender, but WR is not currently guaranteed
on all computers. It can also fail to initialize and fallback to
non-WR render path.

We don't want a situation where "Win32k Lockdown + No WR" occurs without
the user explicitly requesting unsupported behavior.

Differential Revision: https://phabricator.services.mozilla.com/D114849
2021-05-20 19:28:59 +00:00
Benjamin Beurdouche
f3bb5ed250 Bug 1711262 - land NSS 40edc4f4c117 UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-11  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libssl3.so.txt, cmd/selfserv/selfserv.c,
	cmd/strsclnt/strsclnt.c, cmd/tstclnt/tstclnt.c, lib/nss/nss.def,
	lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11load.c,
	lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11priv.h,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11slot.c,
	lib/pk11wrap/secmodt.h, lib/softoken/config.mk,
	lib/softoken/fips_algorithms.h, lib/softoken/fipstokn.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkmessage.c, lib/ssl/ssl3con.c, lib/ssl/sslimpl.h,
	lib/ssl/sslinfo.c, lib/ssl/sslt.h, lib/util/pkcs11n.h,
	tests/ssl/ssl.sh, tests/ssl/sslcov.txt:
	Bug 1710773 NSS needs FIPS 180-3 FIPS indicators. r=mt

	Changes from the review: The while loop was taken out of it's
	subshell pipe, which prevented the selfserv PID from being passed on
	to the final selfserv-kill. This eventally lead to a freeze on
	windows.

	The last paragraph of ISO 19790:2012 section 7.2.4.2 states:

	All services shall [02.24] provide an indicator when the service
	utilises an approved cryptographic algorithm, security function or
	process in an approved manner and those services or processes
	specified in 7.4.3

	This means our libraries need to grow an API or provide some
	additional information via contexts or similar in order for an
	application to be able to query this indicator. This can't be just a
	Security Policy description because ISO 24759:2017 section 6.2.4.2
	states:

	TE02.24.02: The tester shall execute all services and verify that
	the indicator provides an unambiguous indication of whether the
	service utilizes an approved cryptographic algorithm, security
	function or process in an approved manner or not.

	The indicator can't be just a marker over an algorithm either,
	because it needs to show different values based on whether the
	algorithm parameters causes the algorithm to run in approved or non-
	approved mode (ie keys outside of valid range for RSA means RSA is
	being used in non-approved mode ...)

	For NSS, there is a PKCS #11 design: https://docs.google.com/documen
	t/d/1Me9YksPE7K1Suvk9Ls5PqJXPpDmpAboLsrq0z54m_tA/edit?usp=sharing

	This patch implments the above design as well as: 1) NSS proper
	functions to access these indicators from either the pk11wrap layer
	or the ssl layer. 2) Updates to the ssl tests which will output the
	value of the

	Changes decription by file: cmd/selfserv/selfserv.c Add a FIPS
	indicator if the connection was excuted in FIPS mode on a FIPS
	token. cmd/strsclnt/strsclnt.c Add a FIPS indicator if the
	connection was excuted in FIPS mode on a FIPS token.
	cmd/tstclnt/tstclnt.c Add a FIPS indicator if the connection was
	excuted in FIPS mode on a FIPS token. lib/nss/nss.def Add the new
	pk11 functions to access the fips indicator. lib/pk11wrap/pk11cxt.c
	Implement a function to get the FIPS indicator for the current
	PK11Context. lib/pk11wrap/pk11load.c Get the fips indicator function
	from the PKCS #11 module using the vendor function interface from
	PKCS #11 v3.0 lib/pk11wrap/pk11obj.c Implement a function to get the
	FIPS indicator for a specific PKCS #11 object.
	lib/pk11wrap/pk11priv.h Add a generalized helper function to get the
	FIPS indicator used by all the other exported functions to get FIPS
	indicator. lib/pk11wrap/pk11pub.h Add function to get the FIPS
	indicator for the current PK11Context. lib/pk11wrap/pk11slot.c
	Implement a generalized helper function to get the FIPS indicator.
	Implement a function to get the FIPS indicator for the latest single
	shot operation on the slot. lib/pk11wrap/secmodt.h Add a new field
	to hold the fipsIndicator function. lib/softoken/fips_algorithms.h
	New sample header which vendors can replace with their own table. In
	the default NSS case, the table in this header will be empty.
	lib/softoken/fipstokn.c Add Vendor specific interface for the FIPS
	indicator to the FIPS token. lib/softoken/pkcs11.c Add Vendor
	specific interface for the FIPS indicator to the non-FIPS token.
	Factor out the code tha maps an attribute value to a mechanism flag
	to it's own file so it can be used by other parts of softoken. (new
	function is in pkcs11u.c Implement the function that returns the
	FIPS indicator. This function fetches the indicator from either the
	session or the object or both. The session indicator is in the
	crypto context (except the last operation indicator, which is in the
	session itself. The object indicator is in the base object.
	lib/softoken/pkcs11c.c Record the FIPS indicator in the various
	helper function.
	    - sftk_TerminateOp is called when a crypto operation had been
	finalized, so we can store that fips indicator in the lastOpWasFIPS
	field.
	    - sftk_InitGeneric is called when a crypto operation has been
	initialized, so we can make a preliminary determination if the
	operation is within the FIPS policy (could later change bases on
	other operations. For this to work, we need the actual mechanism, so
	pMechanism is now a parameter to sftk_InitGeneric.
	    - sftk_HKDF - HKDF when used in TLS has the unusual characteristic
	that the salt could actually be a key. In this case, usually the
	base key is some known public value which would not be FIPS
	generated, but the security is based on whether the salt is really a
	FIPS generated key. In this case we redo the calculation based on
	the salt key. lib/softoken/pkcs11i.h
	    - add the FIPS indicators to the various structures (crypto contexts,
	sessions, objects).
	    - add the FIPS indicators function list
	    - add pMechanism the the sftkInitGeneric function.
	    - add the helper function to map Attribute Types to Mechanism Flags.
	    - add the function that will look up the current operation in the FIPS
	table to determine that it is allowed by policy.
	lib/softoken/pkcs11u.c
	    - include the new fips_algorithms.h (if NSS_FIPS_DISABLED is not on)
	    - handle the FIPS status for objects and session on creation an copy.
	    - implement the helper function to map Attribute Types to Mechanism
	Flags.
	    - get the key length of a key. This involves getting the key type and
	then using the key type to determin the appropriate attribute to
	fetch. Most keys it's simply the CKA_VALUE. ECC is special, we get
	the key length from the curve. Since only a subset of curves can be
	FIPS Curves, we use key length to return false for other curves.
	    - the handle special function handles any unusal semantics for various
	mechanism types. This function precodes possible mechanism semantics
	we may need to check. The special handling can be selected by the
	mechanism table in fips_algorithms.h
	    - sftk_operationIsFIPS - the actual function to determine if the
	givelib/n operation is in the FIPS table. lib/softoken/sftkmessage.c
	    - just need to update the sftk_InitGeneric function to pass the
	mechanism. lib/ssl/ssl3con.c
	    - and functions to query the underlying crypto contexts to see if the
	current ssl session is running in FIPS approved mode based on the
	security policy. It does so by checking the CipherSpecIsFIPS
	function to verify that both the mac and the encryption algorithm
	FIPS conforms to the ciphers in the security profile (using
	PK11_GetFIPSStatus). We check both the cipher specs for read and
	write. These underlying specs depends on the keys used in these
	specs being generated with FIPS approved algorithms as well, so this
	verifies the kea and kdf functions as well. lib/ssl/sslimpl.h
	   - ass ssl_isFIPS() so it can be used by other files here in the ssl
	directory. lib/ssl/sslinfo.c
	   - set the new isFIPS field in the existing sslinfo structure.
	SSL_GetChannelInfo knows how to handle sslinfo structures that are
	smaller then expected and larger than expected. unknown fields will
	be set to '0' (so new applications running against old versions will
	always get zero for new fields). sslinfo that are smaller will only
	return a the subset the calling application expects (so old
	applications will not get the new fields). lib/ssl/sslt.h
	    - Add the new isFIPS field (must be at the end of the ChannelInfo
	structure). lib/util/pkcs11n.h
	    - add the new FIPS indicator defines. tests/ssl/ssl.h
	    - The main changes was to turn on verbose for the coverage tests so we
	can test the FIPS indicators on various cipher suites. NOTE: this
	only works with either NSS_TEST_FIPS_ALGORIHTMS set, or a vendor
	fips_algorthims.h, so vendors will need to do their own test
	interpretation. While working in ssl.sh I fixed an number of other
	issues:
	    - many tests that were skipped in FIPS mode were skipped not because
	they didn't work in FIPS mode, but because tstclnt requires a
	password when running in FIPS mode. I've now added the password if
	the function is running in fips mode and removed the fips
	restrictions.
	    - dtls had a race condition. the server side needed to come up before
	the client, but couldn't end before the client ran. We already had a
	sleep to guarrentee the former, I added a sleep before sending the
	server it's data to handle the latter.
	    - CURVE25519 is the default ECC curve, but it's not a fiPS curve, so I
	disable it in FIPS mode so we will actually get FIPS indicators when
	using ECDHE.
	    - I added TLS 1.3 to the coverage tests.

	[40edc4f4c117] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D115625
2021-05-20 17:42:35 +00:00
Csoregi Natalia
91ab999d72 Backed out 2 changesets (bug 1709383) for failures on test_TelemetryEnvironment.js. CLOSED TREE
Backed out changeset 64774be5aaff (bug 1709383)
Backed out changeset 17a95b19bb75 (bug 1709383)
2021-05-20 20:33:51 +03:00
Petr Sumbera
f892fd889c Bug 1712064 - add missing ScopeExit header r=keeler
Bug 1711154 should have landed with the header for ScopeExit.

Differential Revision: https://phabricator.services.mozilla.com/D115586
2021-05-20 15:18:45 +00:00
Chris Martin
b2a51853d0 Bug 1709383 - Add Win32k Lockdown status to about:support and Crash Reporter r=gsvelto,flod,bobowen,mossop,fluent-reviewers,chutten
- Move the decision logic for Win32k Lockdown to a common area where it can
  be re-used
- Cache the Win32k Lockdown state, since the result will never change
- Add IDL to allow JavaScript to query it
- Add it to the "about:support" page
- Add an annotation to Crash Reporter after the first time it's read

Differential Revision: https://phabricator.services.mozilla.com/D114850
2021-05-20 14:28:03 +00:00
Chris Martin
e92b057a83 Bug 1709383 - Gate Win32k Lockdown on whether WebRender is actually enabled r=bobowen
Win32k Lockdown requires WebRender, but WR is not currently guaranteed
on all computers. It can also fail to initialize and fallback to
non-WR render path.

We don't want a situation where "Win32k Lockdown + No WR" occurs without
the user explicitly requesting unsupported behavior.

Differential Revision: https://phabricator.services.mozilla.com/D114849
2021-05-20 14:28:03 +00:00
ffxbld
b94c4af2ba No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D115585
2021-05-20 12:11:56 +00:00
Mike Hommey
0ec9b5902e Bug 1711836 - Fix GCC warning about the use of strncpy in SandboxBroker::ThreadMain. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D115449
2021-05-20 08:22:20 +00:00
Dana Keeler
a6eb3f69cd Bug 1711599 - remove unused HSTS dynamic preloading implementation r=rmf,remote-protocol-reviewers,marionette-reviewers,whimboo
This patch removes the ability for Firefox profiles to receive dynamic HSTS
preloading information via kinto/remote settings. This feature was implemented
some time ago but was never used. It is being removed to make upcoming changes
easier.

Differential Revision: https://phabricator.services.mozilla.com/D115315
2021-05-20 00:27:12 +00:00
Dana Keeler
a3c7e02756 Bug 1711599 - remove unnecessary declarations from nsISiteSecurityService.idl r=rmf
This patch removes some unnecessary leftover declarations from
nsISiteSecurityService.idl that could have been removed in previous patches.

Differential Revision: https://phabricator.services.mozilla.com/D115314
2021-05-20 00:27:11 +00:00
Dana Keeler
e696abff89 Bug 1711154 - collect telemetry on how long it takes to look for client auth certificates r=bbeurdouche data-review?chutten
Enabling osclientcerts by default may have an impact on how long it takes to
scan for client authentication certificates. This patch adds telemetry to
measure this.

Differential Revision: https://phabricator.services.mozilla.com/D115257
2021-05-19 23:25:52 +00:00
Benjamin Beurdouche
bde2949605 Bug 1711262 - land NSS 8c299ec6b2bc UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D115395
2021-05-18 18:23:25 +00:00
Paul Adenot
2af226f89d Bug 1686681 - Dedup a copy-pasted block computing a constant about TTY. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D113163
2021-05-18 15:57:15 +00:00
Paul Adenot
481376c0b0 Bug 1686681 - Handle ioctl(TCGETS, ...) by saying this is not a TTY. r=jld
When doing (e.g.) `MOZ_LOG=PlatformDecoderModule:4`, ffmpeg ends up doing
`ioctl(TCGETS, ...)` via `tcgetattr`, and this crashes the RDD. We don't care
much about the result, so let's just say `ENOTTY`.

Differential Revision: https://phabricator.services.mozilla.com/D113162
2021-05-18 15:57:15 +00:00
Alex Lopez
455d9a088b Bug 1696251 - Pass MachCommandBase object as first argument for Mach Commands. r=mhentges,remote-protocol-reviewers,marionette-reviewers,webdriver-reviewers,perftest-reviewers
As an intermediate step to allow mach commands as standalone functions, the MachCommandBase
subclass instance that currently corresponds to self has to be made available as a separate
argument (named command_context).

Differential Revision: https://phabricator.services.mozilla.com/D109650
2021-05-17 16:15:58 +00:00
ffxbld
2f54d388e2 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D115199
2021-05-17 12:36:43 +00:00
Benjamin Beurdouche
5a5e62989c Bug 1705477 - land NSS NSS_3_65_RTM UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-14  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.65 final
	[0e785b3a4a10] [NSS_3_65_RTM] <NSS_3_65_BRANCH>

	* .hgtags:
	Added tag NSS_3_65_BETA1 for changeset 1bdb4713e2f0
	[6f4869107d74] <NSS_3_65_BRANCH>

2021-05-11  Robert Relyea  <rrelyea@redhat.com>

	* gtests/pk11_gtest/pk11_hpke_unittest.cc:
	fix clang format error from patch for bug 1709750
	[1bdb4713e2f0] [NSS_3_65_BETA1]

	* coreconf/NetBSD.mk:
	Bug 1709654 Update for NetBSD configuration patch by Thomas Klausner
	r=rrelyea

	In the NetBSD configuration, the symbol hiding flags are not
	defined. This leads to conflicts when openssl and nss are linked
	into the same binary. For a longer discussion on the topic, see
	https://groups.google.com/a/mozilla.org/g/dev-tech-
	crypto/c/Al0Pt0zhARE

	 Match more closely to OpenBSD.mk, and in particular, hide symbols
	(MAPFILE).

	- fix wrong value of CPU_ARCH on NetBSD/evbarm-earmv7f
	- s/aarch64eb/aarch64/
	[a7769615f285]

Differential Revision: https://phabricator.services.mozilla.com/D115135
2021-05-14 10:46:49 +00:00
Dana Keeler
c82363485f Bug 1612116 - turn NSS not setting an error code into SEC_ERROR_LIBRARY_FAILURE r=bbeurdouche
Sometimes SSL_ForceHandshake will return SECFailure without setting an error
code. When this happens, calling GetXPCOMFromNSSError on that not-an-error-code
will fail. This patch first checks for this situation and substitutes
SEC_ERROR_LIBRARY_FAILURE if applicable.

Differential Revision: https://phabricator.services.mozilla.com/D114908
2021-05-13 17:29:07 +00:00
Dana Keeler
605f8d5b04 Bug 1691898 - revert the parts of bug 1689729 that caused a performance regression r=bbeurdouche
Bug 1689729 moved some certificate verification operations to the socket thread
using synchronous runnables. Unfortunately this caused a performance regression
that can't be addressed until all certificate verification operations that
involve NSS certificate resources happen on the socket thread. Until then, this
patch reverts that behavior.

Differential Revision: https://phabricator.services.mozilla.com/D115023
2021-05-13 17:27:31 +00:00
ffxbld
381ba4e4a3 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D115053
2021-05-13 14:34:42 +00:00
Alexandre Lissy
7f76b6c221 Bug 1647957 - Allow RDD and Socket processes to read /proc/self/{statm,smaps} on Linux r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D114853
2021-05-11 16:23:23 +00:00
Alexandre Lissy
2758edd4f2 Bug 1710614 - Limit prctl() in Socket Process r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D114848
2021-05-11 13:36:07 +00:00
Alexandre Lissy
904d40e6b7 Bug 1710603 - Allow stat on / from socket process for glibc 2.33 getaddrinfo() r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D114841
2021-05-11 13:06:30 +00:00
Dana Keeler
19b3cf4df1 Bug 1709848 - osclientcerts: don't scan for certificates when loaded r=bbeurdouche
Before this patch, osclientcerts would look for client certificates and keys
upon initialization. However, this is unnecessary, given that most users won't
ever even be asked to use them. This patch avoids doing this work at startup,
saving some time there. Additionally, this should help avoid shutdown hangs
related to the background task that loads osclientcerts.

Differential Revision: https://phabricator.services.mozilla.com/D114655
2021-05-10 20:36:33 +00:00
Kershaw Chang
ef16e154ae Bug 1709551 - Re-enable echConfig tests, r=necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D114738
2021-05-10 20:10:39 +00:00
ffxbld
5689f0cd89 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D114733
2021-05-10 10:48:04 +00:00
longsonr
6edb9f65b4 Bug 1710185 - export SECKEY_EncryptedPrivateKeyInfoTemplate r=bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D114682
2021-05-08 15:21:50 +00:00
Benjamin Beurdouche
6f107407c9 Bug 1705477 - land NSS 1d066793c349 UPGRADE_NSS_RELEASE, r=beurdouche
2021-05-06  Martin Thomson  <mt@lowentropy.net>

	* gtests/pk11_gtest/pk11_hpke_unittest.cc:
	Bug 1709750 - Disable HPKE test when fuzzing, r=bbeurdouche

	[1d066793c349] [tip]

2021-05-05  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ppc-gcm-wrap.c, lib/freebl/ppc-gcm.h:
	Bug 1566124 - Clang format run. r=beurdouche
	[cb714d62058c]

2021-05-05  mamonet  <maamoun.tk@gmail.com>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/ppc-gcm-
	wrap.c, lib/freebl/ppc-gcm.h, lib/freebl/ppc-gcm.s,
	lib/freebl/rijndael.c:

	[1133fef2f7ce]

2021-03-17  Martin Thomson  <mt@lowentropy.net>

	* gtests/common/testvectors/hpke-convert.py,
	gtests/common/testvectors/hpke-vectors.h, lib/pk11wrap/pk11hpke.c,
	lib/pk11wrap/pk11hpke.h:
	Bug 1699021 - Add AES-256-GCM to HPKE, r=bbeurdouche

	[9fa53d717386]

	* automation/abi-check/expected-report-libssl3.so.txt,
	cmd/selfserv/selfserv.c, gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h,
	gtests/ssl_gtest/tls_connect.cc, gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/ssl/sslexp.h,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13ech.c,
	lib/ssl/tls13ech.h, lib/ssl/tls13exthandle.c,
	lib/ssl/tls13hashstate.c, lib/ssl/tls13hashstate.h:
	Bug 1698419 - ECH -10 updates, r=bbeurdouche

	The main changes here are:

	* an update to HPKE -08
	* a move to the single-byte configuration ID
	* reordering of ECHConfig

	The addition of the explicit configuration ID means that the API for
	constructing ECHConfig(List) needs to change. That means a name
	change, unfortunately. I took the opportunity to make further
	changes to the arguments.

	[fa93bd88b690]

2021-03-16  Martin Thomson  <mt@lowentropy.net>

	* coreconf/config.gypi, coreconf/config.mk,
	gtests/common/testvectors/hpke-convert.py,
	gtests/common/testvectors/hpke-vectors.h,
	gtests/pk11_gtest/pk11_hpke_unittest.cc,
	gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_tls13compat_unittest.cc,
	gtests/ssl_gtest/tls_ech_unittest.cc, lib/pk11wrap/pk11hpke.c,
	lib/pk11wrap/pk11hpke.h, lib/pk11wrap/pk11pub.h, lib/ssl/tls13ech.c:
	Bug 1692930 - Update HPKE to final version, r=bbeurdouche

	This adds the final HPKE version string.

	This removes the draft version markers from the implementation and
	stops tracking the draft version with the exported syntax.

	I've added the script that I used to convert the JSON test vectors
	from the specification; that should allow us to pick up new tests
	relatively easily, especially if we need to add new algorithms.

	This change breaks several ECH test cases. As fixing those tests is
	extraordinarily fiddly, I'm going to defer making those changes
	until we need to update ECH. As we can't land this code until ECH is
	updated to depend on the final HPKE and until we have coordinated
	with servers on when the ECH update can be deployed, it should be OK
	to defer.

	In short, don't land this without the matching ECH changes.

	[e78141a928f4]

2021-05-04  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	cmd/lib/basicutil.h, cmd/lib/secutil.c, cmd/lib/secutil.h,
	cmd/pk12util/pk12util.c, cmd/pp/pp.c, doc/pk12util.xml, doc/pp.xml,
	lib/nss/nss.def, lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11pub.h,
	lib/pkcs12/p12d.c, lib/pkcs12/p12e.c, lib/pkcs12/p12local.c,
	lib/pkcs12/p12local.h, lib/pkcs12/p12plcy.c, lib/util/secoidt.h,
	tests/tools/tools.sh:
	Bug 1707130 NSS should use modern algorithms in PKCS#12 files by
	default r=mt

	Also fixes: Bug 452464 pk12util -o fails when -C option specifies
	AES or Camellia ciphers

	Related: Bug 1694689 Firefox should use modern algorithms in PKCS#12
	files by default Bug 452471 pk12util -o fails when -c option
	specifies pkcs12v2 PBE ciphers

	 The base of this fix is was a simple 3 line fix in pkcs12.c,
	changing the initial setting of cipher and cert cipher.

	Overview for why this patch is larger than just 3 lines: 1. First
	issue was found in trying to change the mac hashing value. a. While
	the decrypt side knew how to handle SHA2 hashes, the equivalent code
	was not updated on the encrypt side. I refactored that code and
	placed the common function in p12local.c. Now p12e.c and p12d.c
	share common code to find the required function to produce the mac
	key. b. The prf hmac was hard coded to SHA1. I changed the code to
	pass the hmac matching the hashing algorithm for the mac. This
	required changes to p12e.c to calculate and pass the new hmac as
	well and adding new PK11_ExportEncryptedPrivateKey and
	PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I
	also corrected an error which prevented pkcs12 encoding of ciphers
	other than AES. 2. Once I've made my changes, I realized we didn't
	have a way of testing them. While we had code that verified that
	particular sets of parameters for pkcs12 worked together and could
	be listed and imported, we didn't have a way to verify what
	algorithms were actually generated by our tools. a. pk12util -l
	doesn't list the encryption used for the certs, so I updated pp to
	take a pkcs12 option. In doing so I had to update pp to handle
	indefinite encoding when decoding blocks. I also factored that
	decoding out in it's own function so the change only needed to be
	placed once. Finally I renabled a function which prints the output
	of an EncryptedPrivate key. This function was disabled long ago when
	the Encrypted Private key info was made private for NSS. It has
	since been exported, so these functions could easily be enabled
	(archeological note: I verified that this disabling was not a recent
	think I found I had done it back when I still have a netscape email
	address;). b. I updated tools.sh to us the new pp -t pkcs12 feature
	to verify that the key encryption, cert encryption, and hash
	functions matched what we expected when we exported a new key. I
	also updated tools.sh to handle the new hash variable option to
	pk12util. c. I discovered several tests commented out with comments
	that the don't work. I enabled those tests and discovered that they
	can now encrypt, but the can't decrypt because of pkcs12 policy. I
	updated the policy code, but I updated it to use the new NSS system
	wide policy mechanism. This enabled all the ciphers to work. There
	is still policy work to do. The pk12 policy currently only prevents
	ciphers from use in decrypting the certificates, not decrypting the
	keys and not encrypting. I left that for future work. 3. New options
	for pp and pk12util were added to the man pages for these tools.

	--------------------------------------------------------------------
	------- With that in mind, here's a file by file description of the
	patch:

	automation/abi-check/expected-report-libnss3.so.txt
	-Add new exported functions. (see lib/nss/nss.def)

	cmd/lib/basicutil.h:
	-Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted
	Private Key data structure for a while now.

	cmd/lib/secutil.c: global: Updated several functions to take a const
	char * m (message) rather than a char * m global: Made the various
	PrintPKCS7 return an error code. global: Added a state variable to
	be passed around the various PKCS7 Print functions. It gives the
	proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7
	to package the various PKCS12 Safes and Bags.
	-Updated SECU_StripTagAndLength to handle indefinite encoding, and to
	set the Error code.
	-Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and
	Data.
	-Updated secu_PrintRawStringQuotesOptional to remove the inline DER
	parsing and use SECU_ExtractDERAndStep().
	-Updated SECU_PrintEncodedObjectID to return the SECOidTag just like
	SECU_PrintObjectID.
	-Renable SECU_PrintPrivateKey
	-Added secu_PrintPKCS12Attributes to print out the Attributes tied to
	a PKCS #12 Bag
	-Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
	-Added secu_PrintPKCS7Data, which uses the state to determine what it
	was printing out.
	-Added secu_PrintDERPKCS7ContentInfo which is identical to the global
	function SECU_PrintPKCS7ContentInfo except it takes a state
	variable. The latter function now calls the former.
	-Added secu_PrintPKCS12DigestInfo to print the Hash information of
	the Mac. DigestInfo is the name in the PKCS 12 spec.
	-Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS
	12 file.
	-Added SECU_PrintPKCS12 to print otu the pkcs12 file.

	cmd/lib/secutil.h
	-Added string for pkc12 for the command line of pp reenabled
	SECU_PrintPrivateKey
	-Added SECU_PrintPKCS12 for export.

	cmd/pk12util/pk12util.c
	-Added the -M option to specify a hash algorithm for the mac. updated
	P12U_ExportPKCS12Object: pass the hash algorithm to the
	PasswordIntegrity handler.
	-Added PKCS12U_FindTagFromString: generalized string to SECOidTag
	which only filters based on the oid having a matching PKCS #11
	mechanism. updated PKCS12U_MapCipherFromString to call use
	PKCS12U_FindTagFromString to get the candidate tag before doing it's
	post processing to decide if the tag is really an encryption
	algorithm.
	-Added PKCS12U_MapHashFromString with is like MapCipherFromString
	except it verifies the resulting tag is a hash object.
	-Updated main to 1) change the default cipher, change the default
	certCipher, and process the new hash argument. NOTE: in the old code
	we did not encrypt the certs in FIPS mode. That's because the certs
	were encrypted with RC4 in the default pkcs12 file, which wasn't a
	FIPS algorithm. Since AES is, we can use it independent on whether
	or not we are in FIPS mode.

	cmd/pp/pp.c
	-Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c

	lib/nss/nss.def
	-Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and
	PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not
	Version 2 of ExportEncrypted*Info).
	-Add export for the old HASH_GetHMACOidTagByHashOidTag which should
	have been exported long ago to avoid the proliferation of copies of
	this function in places like ssl.

	lib/pk11wrap/pk11akey.c
	-Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now
	calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5
	code can fill in missing tags if necessary, but supplying all three
	gives the caller full control of the underlying pkcs5 PBE used.
	-Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function
	except it takes a cert which is used to look up the private key.
	It's the function that pkcs12 actually uses, but the former was
	exported for completeness.

	lib/pk11wrap/pk11pub.h
	-Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.

	lib/pkcs12/p12d.c
	-Remove the switch statement and place it in p12local.c so that
	p12e.c can use the same function.

	lib/pkc12/p12e.c
	-Remove the unnecessary privAlg check so we can encode any mechanism
	we support. This only prevented encoding certificates in the pk12
	file, not the keys.
	-add code to get the hmac used in the pbe prf from the integrity
	hash, which is under application control.
	-Do the same for key encryption, then use the new
	PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
	-Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one
	switch statement to update rather than 2.
	-Update the hash data to old the length of the largest hash rather
	than the length of a SHA1 hash.

	lib/pkcs12/p12local.c
	- Add new function new sec_pkcs12_algtag_to_keygen_mech to factor out
	the common switch statement between p12e and p12d.

	lib/pkcs12/p12local.h
	-Export the new sec_pkcs12_algtag_to_keygen_mech

	lib/pkcs12/p12plcy.c
	-Map the old p12 policy functions to use the new
	NSS_GetAlgorithmPolicy. We keep the old table so that applications
	can change the policy with the old PKCS12 specific defines (so the
	old code keeps working). NOTE: policies now default to true rather
	than false.

	lib/util/secoidt.h
	-Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c NOTE: I have not
	updated the policy table in pk11wrap/pk11pars.c, so we can't yet
	control pkcs12 policy with the nss system policy table. That's a
	patch for another time.

	test/tools/tool.sh
	-global: Remove trailing spaces
	-global: DEFAULT is changed to 'default'
	-Update the PBE mechanism to exactly match the string in secoid.c.
	PKCS #12 does case independent compares, so case doesn't matter
	there, but now I'm comparing to the output of pp, and I didn't want
	to spend the time to figure out case independent compares in bash.
	-Add our defauts and shell variables at the top so there are easy to
	change in the future. export_with_*** have all been colapsed into a
	single export_p12_file which handles taking 'default' and turning
	off that argument.
	-Add for loops for the hash functions.
	-Restore the camellia ciphers back now that they work.
	-Restore the pkcs12V2pbe back now that they work.
	-Collect various pbe types into single variables and use those
	variables in loops
	-Reduce the number of tests ran in optimized mode (which takes 60x
	the time to do a pbe then than debug mode based on a larger
	iterator).
	-Add verify_p12 which dumps out the p12 file and makes sure the
	expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.

	doc/pp.xml
	-Add pkcs12 option

	doc/pk12util.xml
	-Add -M option
	-Update synopsis with options in the description but not in the
	synopsis

	[0a1687e1b39e]

Differential Revision: https://phabricator.services.mozilla.com/D114584
2021-05-07 10:43:16 +00:00
Alexandru Michis
574bea557a Backed out 14 changesets (bug 1705659, bug 472823, bug 669675) for causing bustages in nsHttpChannelAuthProvider.cpp
CLOSED TREE

Backed out changeset 42561f42313d (bug 669675)
Backed out changeset 2aee05c2d6f3 (bug 1705659)
Backed out changeset ff4348e0a307 (bug 1705659)
Backed out changeset 897868e22c81 (bug 1705659)
Backed out changeset c808bf01dfe8 (bug 1705659)
Backed out changeset 5c13ec25cc2e (bug 1705659)
Backed out changeset 4337214c8846 (bug 1705659)
Backed out changeset 18d3a604336a (bug 1705659)
Backed out changeset 3af362aa2b25 (bug 1705659)
Backed out changeset 36eff14cf2ea (bug 1705659)
Backed out changeset 8af29f96ac77 (bug 1705659)
Backed out changeset eab68e8bea29 (bug 1705659)
Backed out changeset 05492b6578a9 (bug 1705659)
Backed out changeset 3259a8cb3db1 (bug 472823)
2021-05-06 17:37:17 +03:00
Valentin Gosu
ec981ec694 Bug 1705659 - Static-analysis check auto fix for auth code r=necko-reviewers,dragana
Depends on D112604

Differential Revision: https://phabricator.services.mozilla.com/D112605
2021-05-06 13:17:23 +00:00
Valentin Gosu
3618a7ca40 Bug 1705659 - Make auth code use nsACString instead of raw char pointers r=necko-reviewers,dragana
Depends on D112597

Differential Revision: https://phabricator.services.mozilla.com/D112598
2021-05-06 13:17:21 +00:00
ffxbld
dee8380024 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D114472
2021-05-06 12:19:19 +00:00
Benjamin Beurdouche
7135b629a9 Bug 1709791 - Expose HASH_GetHashTypeByOidTag in nss.symbols. r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D114471
2021-05-06 10:29:35 +00:00
Alexandre Lissy
7ace129b41 Bug 1706008 - Block PR_CAPBSET_READ with EINVAL r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D114253
2021-05-05 16:13:51 +00:00
Kershaw Chang
d8b9cbf228 Bug 1709550 - Disable some tests, r=necko-reviewers,dragana
Differential Revision: https://phabricator.services.mozilla.com/D114328
2021-05-05 10:07:27 +00:00
Dana Keeler
ad61aa064a Bug 1670506 - OCSP requests shouldn't interact with the necko cache at all r=valentin
Differential Revision: https://phabricator.services.mozilla.com/D114030
2021-05-04 23:28:50 +00:00
Benjamin Beurdouche
37aa935e43 Bug 1705477 - land NSS c982fb957516 UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D114231
2021-05-04 13:33:25 +00:00
ffxbld
74cffb00e1 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D114090
2021-05-03 13:02:40 +00:00
Jed Davis
6f45e8a477 Bug 1705045 - Quietly deny MADV_MERGEABLE in Linux sandbox policies that filter madvise. r=gcp
This `madvise` type is used by one Linux distro's libc, and in
principle could be used by other userspace libraries trying to optimize
performance, and I'd rather not allow it (see bug for more details).

Therefore, this patch returns an error instead of treating it as an
unknown syscall (which crashes on Nightly).

However, the content policy doesn't yet filter `madvise` (bug 1510861);
this patch doesn't change that.

Differential Revision: https://phabricator.services.mozilla.com/D112884
2021-04-30 00:24:15 +00:00
Mitchell Hentges
a7cd22e13e Bug 1705376: Synchronize workspace-hack features and usage r=firefox-build-system-reviewers,glandium
Not all in-tree Rust libraries were using workspace-hack.
Additionally, some needed winapi features were missing from
workspace-hack's configuration.

Now, winapi is re-compiled less frequently on a full build.

Differential Revision: https://phabricator.services.mozilla.com/D113564
2021-04-29 15:19:27 +00:00
ffxbld
96a2aed50d No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D113781
2021-04-29 13:27:26 +00:00
Harry Twyford
f4b848daab Bug 1708209 - Use native checkboxes in all native windows. r=Gijs,preferences-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D113678
2021-04-28 20:21:34 +00:00
Bob Owen
c0ca93fed8 Bug 1701791 p1: Don't enable win32k lockdown for the file content process. r=handyman
Win32k is required for moz-icon in the file content process and we don't want to
block enabling for web content processes on this and other uses that may only be
in the file content process.

Differential Revision: https://phabricator.services.mozilla.com/D112960
2021-04-27 07:41:15 +00:00
ffxbld
bab60a4a97 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D113337
2021-04-26 13:08:29 +00:00
Joel Maher
8a9f37b534 Bug 1706716 green up mda, xpcshell, browser-chrome, reftest for apple silicon. r=necko-reviewers,extension-reviewers,preferences-reviewers,application-update-reviewers,zombie,ahal,bytesized
Differential Revision: https://phabricator.services.mozilla.com/D113001
2021-04-22 18:39:40 +00:00
ffxbld
a8a6bed4a9 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D113120
2021-04-22 13:07:43 +00:00
R. Martinho Fernandes
4ecee0b048 Bug 1677866 - Report memory allocated by cert_storage crate r=keeler,emilio
Differential Revision: https://phabricator.services.mozilla.com/D107105
2021-04-19 22:12:56 +00:00
ffxbld
edb7cdee5c No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D112553
2021-04-19 13:02:26 +00:00
R. Martinho Fernandes
d55d0ec5db Bug 1694649 - Rewrite GetFirstEVPolicy with pkix r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D106489
2021-04-16 22:32:35 +00:00
Julien Cristau
7d483014b5 Bug 1699294 - fix pylint warning in pycert.py. r=keeler
Anomalous backslash in string: '\w'. String constant might be missing an r prefix. (W1401)

Differential Revision: https://phabricator.services.mozilla.com/D112367
2021-04-16 18:14:56 +00:00
Mike Hommey
6a41d8d7ad Bug 1515229 - Make MozStackWalk/MozWalkTheStack frame skipping more reliable. r=gerald,nika,bobowen,jld
Differential Revision: https://phabricator.services.mozilla.com/D110899
2021-04-16 04:06:02 +00:00
Ryan VanderMeulen
0853554188 Bug 1699657 - land NSS NSS_3_64_RTM UPGRADE_NSS_RELEASE, r=bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D112222
2021-04-15 16:54:57 +00:00
ffxbld
a71e1d4b96 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D112191
2021-04-15 15:11:48 +00:00
Butkovits Atila
8255e3083f Backed out changeset 5c6b15fcea71 (bug 1515229) for causing GTest failures. CLOSED TREE 2021-04-15 13:37:29 +03:00
Mike Hommey
2eacd46d46 Bug 1515229 - Make MozStackWalk/MozWalkTheStack frame skipping more reliable. r=gerald,nika,bobowen,jld
Differential Revision: https://phabricator.services.mozilla.com/D110899
2021-04-14 22:31:36 +00:00
Dana Keeler
2a52292ef3 Bug 1699294 - add 'mach generate-test-certs' command to generate test certificate and key artifacts r=glandium
In bug 1174288 and related bugs we created a framework for generating
test certificates (and later, keys) from specifications at build time. This
turned out to take too long to run on each build, so this system was largely
left disabled (see all of the "# Temporarily disabled. See bug 1256495."
comments removed in this patch). This patch introduces a mach command
("generate-test-certs") that can generate test certificates and keys. The
expectation is that when a developer needs to add new such artifacts, they can
use this new command. Similarly, when the artifacts need to be updated (for
example, because they've expired), this command can regenerate them all at
once.

Differential Revision: https://phabricator.services.mozilla.com/D108869
2021-04-14 22:24:11 +00:00
smolnar
22c6eb14ba Backed out changeset f7b0cdc3aeb0 (bug 1515229) for causing xpc failures in test_feature_stackwalking. CLOSED TREE 2021-04-14 12:25:37 +03:00
Mike Hommey
133396cb94 Bug 1515229 - Make MozStackWalk/MozWalkTheStack frame skipping more reliable. r=gerald,nika,bobowen,jld
Differential Revision: https://phabricator.services.mozilla.com/D110899
2021-04-14 04:47:09 +00:00
Dana Keeler
84e9f36dde Bug 1695974 - rework osclientcert signing on macOS for compatibility r=rmf
Previously, the macOS backend of osclientcerts used
kSecKeyAlgorithmRSASignatureDigestPKCS1v15Raw for RSA PKCS#1v1.5 signing, which
relies on the underlying implementation backing the signing key knowing how to
handle the given data to sign. On Catalina (which uses CryptoTokenKit as
opposed to TokenD), this doesn't appear to work (or, at least, there have been
reports of incompatibilities).
This patch parses out the data to be signed to determine the hash algorithm to
use and the hash data to sign, which is similar to how the Windows backend
works.

Differential Revision: https://phabricator.services.mozilla.com/D111344
2021-04-12 18:12:29 +00:00
ffxbld
0a36f70ec9 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D111640
2021-04-12 15:03:20 +00:00
Jan Horak
d9378b2513 Bug 1703636 Don't fail when one slot fails to provide certs; r=keeler
In some special cases the PK11_FindRawCertsWithSubject could return failure.
We don't want to return with failure but try the other slots before.

Differential Revision: https://phabricator.services.mozilla.com/D111261
2021-04-09 17:54:05 +00:00
Kartikaya Gupta
6dd5ec1cda Bug 1694200 - Check for the preferred client cert on macOS. r=keeler
On macOS, users can add "identity preference" items in the keychain. These
provide a mapping from email/URLs to client certificates. Identity
preferences can have wildcards and/or prefix matching for URLs, and
the macOS SecIdentityCopyPreferred API can be used to get the preferred
client cert for a URL. This patch uses this mechanism such that it
avoids prompting the user to choose a client certificate when a preferred
one has been set.

Differential Revision: https://phabricator.services.mozilla.com/D110123
2021-04-07 22:38:54 +00:00
David Parks
6b176f5987 Bug 1682030 - Remove NPAPI plugin process from GeckoChildProcess r=jld,gsvelto
Eliminates the NPAPI plugin process type from the GeckoChildProcess enum as part of NPAPI removal.  In order to avoid altering enum values when updating the process list, the GECKO_PROCESS_TYPE macro has been updated to include the desired enum value.  We want to resist altering the values as they need to be consistent e.g. in telemetry reports.

We also remove plugins from adjacent spots that need to maintain consistency with GeckoChildProcess -- most notably the nsICrashService.

Differential Revision: https://phabricator.services.mozilla.com/D108689
2021-04-06 19:28:20 +00:00
David Parks
d06598d3f3 Bug 1682030 - Remove Windows NPAPI plugin proccess sandbox r=bobowen
Removes Windows NPAPI process sandboxing code, including the code to establish a viable temp directory that was accessible by the sandboxed process.

Differential Revision: https://phabricator.services.mozilla.com/D108688
2021-04-06 19:28:19 +00:00
ffxbld
b5b443ea9c No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D110808
2021-04-06 08:12:18 +00:00
Csoregi Natalia
d68661e2cc Backed out 24 changesets (bug 1682030) for bustage on ProcessHangMonitor.cpp and nsCOMPtr.h. CLOSED TREE
Backed out changeset 5b1644096477 (bug 1682030)
Backed out changeset 35ae60eea3c7 (bug 1682030)
Backed out changeset 3eca76a6d639 (bug 1682030)
Backed out changeset 259c45447ad9 (bug 1682030)
Backed out changeset de9222dc8c31 (bug 1682030)
Backed out changeset 2986c7e14349 (bug 1682030)
Backed out changeset 6af3410bdb93 (bug 1682030)
Backed out changeset 42b0621c2927 (bug 1682030)
Backed out changeset 366e3e371858 (bug 1682030)
Backed out changeset 9adb2865adea (bug 1682030)
Backed out changeset 6af6af3bc03a (bug 1682030)
Backed out changeset da94a91b35ae (bug 1682030)
Backed out changeset 9143da258d0e (bug 1682030)
Backed out changeset 5e20d06952ba (bug 1682030)
Backed out changeset 6253d7e1ce7d (bug 1682030)
Backed out changeset 0e06ddeea3e2 (bug 1682030)
Backed out changeset 9c58d57c9e44 (bug 1682030)
Backed out changeset e90edd89430e (bug 1682030)
Backed out changeset 5861b8166b10 (bug 1682030)
Backed out changeset b4b88cdc7993 (bug 1682030)
Backed out changeset b80054e9805c (bug 1682030)
Backed out changeset 580d857674c0 (bug 1682030)
Backed out changeset a9cdf93c2662 (bug 1682030)
Backed out changeset 9c9c8b4998e2 (bug 1682030)
2021-04-06 03:54:12 +03:00
David Parks
3f9c44a9ed Bug 1682030 - Remove NPAPI plugin process from GeckoChildProcess r=jld,gsvelto
Eliminates the NPAPI plugin process type from the GeckoChildProcess enum as part of NPAPI removal.  In order to avoid altering enum values when updating the process list, the GECKO_PROCESS_TYPE macro has been updated to include the desired enum value.  We want to resist altering the values as they need to be consistent e.g. in telemetry reports.

We also remove plugins from adjacent spots that need to maintain consistency with GeckoChildProcess -- most notably the nsICrashService.

Differential Revision: https://phabricator.services.mozilla.com/D108689
2021-04-05 23:48:43 +00:00
David Parks
4e9ed60079 Bug 1682030 - Remove Windows NPAPI plugin proccess sandbox r=bobowen
Removes Windows NPAPI process sandboxing code, including the code to establish a viable temp directory that was accessible by the sandboxed process.

Differential Revision: https://phabricator.services.mozilla.com/D108688
2021-04-05 23:48:43 +00:00
Hamza Mahfooz
374e68294d Bug 1701460 - Remove expired Telemetry probe security.client_cert r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D110496
2021-04-01 20:53:39 +00:00
ffxbld
b9c33eddf7 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D110552
2021-04-01 14:55:53 +00:00
ffxbld
7ffcf86c64 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D110105
2021-03-29 15:01:12 +00:00
ffxbld
57e9f18c25 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D109733
2021-03-25 14:56:34 +00:00
Simon Giesecke
a598a0c7c5 Bug 1679522 - Use <> style for including windows system headers. r=andi
Differential Revision: https://phabricator.services.mozilla.com/D98895
2021-03-25 10:19:44 +00:00
Simon Giesecke
760cc7e936 Bug 1679522 - Fix include directives and forward declarations. r=andi,necko-reviewers,jgilbert
- Add missing include directives and forward declarations.
- Remove some extra include directives.
- Add missing namespace qualifications.
- Move include directives out of namespace in toolkit/xre/GlobalSemaphore.h

Differential Revision: https://phabricator.services.mozilla.com/D98894
2021-03-25 10:19:44 +00:00
ffxbld
f6cb811758 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D109355
2021-03-22 14:58:39 +00:00
Moritz Birghan
a2a7769992 Bug 1689726 - avoid using NSS types in TrustOverrideUtils.h r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D106888
2021-03-19 17:29:12 +00:00
Simon Giesecke
6ae9169f08 Bug 1698098 - Make use of nsBaseHashtable::Clone. r=xpcom-reviewers,mccr8
Differential Revision: https://phabricator.services.mozilla.com/D107617
2021-03-19 09:01:46 +00:00
Benjamin Beurdouche
8d848a2cbe Bug 1694020 - land NSS NSS_3_63_RTM UPGRADE_NSS_RELEASE, r=beurdouche
Differential Revision: https://phabricator.services.mozilla.com/D108957
2021-03-19 05:28:36 +00:00
ffxbld
10763f5ccf No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D108949
2021-03-18 14:52:53 +00:00
Florian Quèze
ae4514b7a8 Bug 1665786 - browser_certificateManager.js should wait for the next refresh driver tick instead of relying on the implicit initial waitForCondition timer to wait for strings to be localized, r=keeler.
Differential Revision: https://phabricator.services.mozilla.com/D108515
2021-03-17 17:39:35 +00:00
Mike Conley
9420f7a7a8 Bug 1697863 - Use native menulist styling on some dialogs. r=harry
Differential Revision: https://phabricator.services.mozilla.com/D108101
2021-03-17 17:15:10 +00:00
Simon Giesecke
b9621d6376 Bug 1695162 - Use range-based for instead of custom hashtable iterators. r=xpcom-reviewers,kmag
Differential Revision: https://phabricator.services.mozilla.com/D108585
2021-03-17 15:49:46 +00:00
Csoregi Natalia
4e97659d91 Backed out 2 changesets (bug 1697863) for valgrind failures. CLOSED TREE
Backed out changeset f82846b236e3 (bug 1697863)
Backed out changeset 64166dc7f85f (bug 1697863)
2021-03-17 01:15:11 +02:00
Mike Conley
30507b25b5 Bug 1697863 - Use native menulist styling on some dialogs. r=harry
Differential Revision: https://phabricator.services.mozilla.com/D108101
2021-03-16 17:11:23 +00:00
ffxbld
b6c0f67943 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D108456
2021-03-15 14:52:33 +00:00
Jed Davis
8262eb0e29 Bug 1690921 - Detect socket syscalls only once per process when building Linux sandbox policies. r=gcp
The function to detect whether the kernel has separate syscalls for
socket operations (rather than only `socketcall`) had a comment that
it's called only once, which is no longer true.  So, this seems like a
good time to add a cache (but not on newer archs like `x86_64` where the
answer is constant).

This patch also removes the ifdefs on `__NR_socket`, because all archs
have it now, and our local headers will define it even if the build
host's headers don't.

Differential Revision: https://phabricator.services.mozilla.com/D105853
2021-03-12 21:12:11 +00:00
Jed Davis
2d6db34852 Bug 1690921 - Limit IPC sendmsg gather list sizes based on socket buffer capacity. r=mccr8,gcp
When setting up calls to `sendmsg` for IPC on Unix systems, we generate
`iovec`s for the entire message or until the `IOV_MAX` limit is reached,
whichever comes first.  However, messages can be very large (up to 256
MiB currently), while the OS socket buffer is relatively small (8KiB on
macOS and FreeBSD, ~200KiB on Linux).

This patch detects the socket buffer size with the `SO_SNDBUF` socket
option and cuts off the `iovec` array after it's reached; it also adjusts
the Linux sandbox policy to allow reading that value in all processes.

On my test machines this increases throughput on large messages by about
2.5x on macOS (from ~0.3 to ~0.7 GB/s), but on Linux the improvement is
only about 5% (most of the running time is spent elsewhere).

Differential Revision: https://phabricator.services.mozilla.com/D105852
2021-03-12 21:12:10 +00:00
Simon Giesecke
7d2448b7d5 Bug 1641178 - Add NSSCipherStrategy. r=dom-workers-and-storage-reviewers,jcj,janv
Differential Revision: https://phabricator.services.mozilla.com/D73290
2021-03-12 09:31:57 +00:00
Emilio Cobos Álvarez
d2b2c7b5e6 Bug 1697847 - Update crossbeam-utils in the tree. r=firefox-build-system-reviewers,mhentges,sheehan
We're already vendoring 0.8 so no reason not to do this. We're still
held back by an ancient tokio version, which I filed bug 1697845 for.

There are no breaking changes that affect any of our internal consumers.

Differential Revision: https://phabricator.services.mozilla.com/D108046
2021-03-11 18:15:44 +00:00
ffxbld
7a166f31cf No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D108027
2021-03-11 15:02:46 +00:00
Jan Alexander Steffens (heftig)
4920407bb3 Bug 1696845 - Use dlsym for gdk_*_display_get_type. r=stransky
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.

Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.

Differential Revision: https://phabricator.services.mozilla.com/D107406
2021-03-11 14:32:53 +00:00
Benjamin Beurdouche
f8d14645f7 Bug 1694020 - land NSS 61e70233f80e UPGRADE_NSS_RELEASE, r=beurdouche
2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, lib/freebl/blapi.h,
	lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c,
	lib/freebl/loader.c:
	Bug 1613235 - Clang-format for: POWER ChaCha20 stream cipher vector
	acceleration r=beurdouche

	Depends on D107221

	[61e70233f80e] [tip]

2021-03-10  aoeu  <aoeuh@yandex.ru>

	* cmd/bltest/blapitest.c, lib/freebl/blapi.h, lib/freebl/blapit.h,
	lib/freebl/chacha20poly1305.c, lib/freebl/chacha20poly1305.h,
	lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h:
	Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
	r=bbeurdouche

	Depends on D107220

	[4f7ba08bd991]

	* lib/freebl/Makefile, lib/freebl/chacha20-ppc64le.S,
	lib/freebl/chacha20poly1305-ppc.c, lib/freebl/chacha20poly1305.c,
	lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
	Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
	r=bbeurdouche

	[764124fddaa2]

2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ecl/ecp_secp384r1.c, lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1697380 - Make a clang-format run on top of helpful
	contributions. r=beurdouche

	Depends on D106881

	[8a9174a78207]

	* lib/freebl/ecl/ecp_secp384r1.c:
	Bug 1683520 - ECCKiila P384, change syntax of nested structs
	initialization to prevent build isses with GCC 4.8. r=bbrumley

	Depends on D102389

	[150cbb169f1e]

2021-03-10  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ecl/ecp_secp384r1.c:
	Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
	scalar multiplication r=bbeurdouche

	[76aca2d944ae]

2021-03-10  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1683520 - ECCKiila P521, change syntax of nested structs
	initialization to prevent build isses with GCC 4.8. r=bbrumley

	Depends on D102406

	[5e7affa3ce43]

2021-03-10  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ecl/ecp_secp521r1.c:
	Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
	scalar multiplication r=bbeurdouche

	[a8f4918cd546]

2021-03-08  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Bignum25519_51.h,
	lib/freebl/verified/Hacl_Chacha20.c,
	lib/freebl/verified/Hacl_Chacha20.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_128.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
	lib/freebl/verified/Hacl_Chacha20Poly1305_32.h,
	lib/freebl/verified/Hacl_Chacha20_Vec128.c,
	lib/freebl/verified/Hacl_Chacha20_Vec128.h,
	lib/freebl/verified/Hacl_Chacha20_Vec256.c,
	lib/freebl/verified/Hacl_Chacha20_Vec256.h,
	lib/freebl/verified/Hacl_Curve25519_51.c,
	lib/freebl/verified/Hacl_Curve25519_51.h,
	lib/freebl/verified/Hacl_Kremlib.h,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_128.h,
	lib/freebl/verified/Hacl_Poly1305_256.c,
	lib/freebl/verified/Hacl_Poly1305_256.h,
	lib/freebl/verified/Hacl_Poly1305_32.c,
	lib/freebl/verified/Hacl_Poly1305_32.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/target.h,
	lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
	lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
	b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
	d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
	6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
	Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
	_uint128_gcc64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/f
	star_uint128_msvc.h, lib/freebl/verified/libintvector.h:
	Bug 1696800 - HACL* update March 2021 -
	c95ab70fcb2bc21025d8845281bc4bc8987ca683 r=beurdouche

	[3a85b452dbfa]

Differential Revision: https://phabricator.services.mozilla.com/D107995
2021-03-11 11:59:55 +00:00
Brindusan Cristian
208b2f5229 Backed out changeset 4f957141bf5f (bug 1689726) for GTest failures in psm_TrustOverrideTest.CheckCertDNIsInList. CLOSED TREE 2021-03-11 03:51:08 +02:00
Moritz Birghan
1b3fa7a521 Bug 1689726 - avoid using NSS types in TrustOverrideUtils.h r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D106888
2021-03-11 00:07:30 +00:00
Bryce Seager van Dyk
c7fc3894ed Bug 1694450 - Return Error(ENOSYS) for unsupported madvise args in the GMP process. r=jld
Because Widevine may probe madvise using advice arguments we do not currently
support, including invalid arguments, this patch changes the handling of these
args so we will not crash in nightly.

Differential Revision: https://phabricator.services.mozilla.com/D106537
2021-03-10 20:58:44 +00:00
Dana Keeler
69dcaa6539 Bug 1694542 - cache intermediate certificates on the socket thread when it is idle r=mbirghan,rmf
Firefox sometimes caches intermediate certificates from verified connections in
case they are useful in the future. This operation involves modifying the NSS
cert database, and so should only be done on the socket thread (ideally when it
is idle).

Differential Revision: https://phabricator.services.mozilla.com/D106230
2021-03-10 17:09:03 +00:00
Simon Giesecke
ad01a10a3b Bug 1634281 - Use nsTHashMap instead of nsDataHashtable. r=xpcom-reviewers,necko-reviewers,jgilbert,nika,valentin
Note that this patch only transforms the use of the nsDataHashtable type alias
to a directly equivalent use of nsTHashMap. It does not change the specification
of the hash key type to make use of the key class deduction that nsTHashMap
allows for in some cases. That can be done in a separate step, but requires more
attention.

Differential Revision: https://phabricator.services.mozilla.com/D106008
2021-03-10 10:47:47 +00:00