gecko-dev/security/certverifier
David Keeler 455ab646d3 bug 1337950 - work around failing to load a FIPS PKCS#11 module DB in NSS initialization r=Cykesiopka,jcj
Firefox essentially does not support running NSS in FIPS mode any longer. This
has always been the case on Android from what I can tell and it has been the
case on OS X since at least version 34 (see bug 1047584). It became the case on
Windows as of version 53 (see bug 1295937). Unfortunately, before this patch,
if a user attempted to run an affected version of Firefox using a profile
directory containing an NSS database collection that had FIPS enabled, NSS
initialization would fail and fall back to running in no DB mode, which had the
side-effect of making any saved passwords and certificates unavailable. This
patch attempts to detect and work around this failure mode by moving the
PKCS#11 module DB (which is where the FIPS bit is set) to a backup location and
basically running with a fresh, non-FIPS module DB. This allows Firefox to
initialize NSS with the preexisting key and certificate databases available.

MozReview-Commit-ID: 1E4u1ngZyRv

--HG--
rename : security/manager/ssl/tests/unit/test_sdr_preexisting.js => security/manager/ssl/tests/unit/test_broken_fips.js
rename : security/manager/ssl/tests/unit/test_sdr_preexisting/key3.db => security/manager/ssl/tests/unit/test_broken_fips/key3.db
extra : rebase_source : 887f457e998d6e57c6536573fbe3cb10547fe154
2017-04-20 10:31:22 -07:00
tests/gtest bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
BRNameMatchingPolicy.cpp bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels r=Cykesiopka,jcj 2016-04-25 15:55:18 -07:00
BRNameMatchingPolicy.h bug 1267463 - add a more nuanced subject common name fallback option for prerelease channels r=Cykesiopka,jcj 2016-04-25 15:55:18 -07:00
CertVerifier.cpp bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
CertVerifier.h bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
CNNICHashWhitelist.inc Bug 1335294: Remove const from data tables under security/ for better codegen on Windows. r=keeler 2017-02-13 09:41:20 +13:00
CTDiversityPolicy.cpp Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTDiversityPolicy.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTKnownLogs.h Bug 1335294: Remove const from data tables under security/ for better codegen on Windows. r=keeler 2017-02-13 09:41:20 +13:00
CTLog.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTLogVerifier.cpp bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
CTLogVerifier.h bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj 2017-04-11 14:11:28 -07:00
CTObjectsExtractor.cpp Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTObjectsExtractor.h Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTPolicyEnforcer.cpp Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTPolicyEnforcer.h Bug 1320566 - Certificate Transparency - implement CT Policy. r=Dolske,keeler 2017-01-09 08:22:28 +02:00
CTSerialization.cpp Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
CTSerialization.h Bug 1284256 - Certificate Transparency - verification of Signed Certificate Timestamps (RFC 6962); r=keeler, r=Cykesiopka 2016-07-05 08:35:06 +03:00
CTVerifyResult.cpp Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
CTVerifyResult.h Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
ExtendedValidation.cpp bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
ExtendedValidation.h Bug 1313715 - Avoid unnecessary uses of PR_SetError() under security/apps/ and security/certverifier/. r=keeler 2016-12-14 20:10:25 +08:00
moz.build Bug 1344829 - add BUG_COMPONENT to security/* files. r=keeler 2017-03-09 05:33:30 -05:00
MultiLogCTVerifier.cpp Bug 1317951, part 2 - Certificate Transparency - basic support for disqualified logs. r=keeler 2016-11-29 22:51:46 +02:00
MultiLogCTVerifier.h Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
NSSCertDBTrustDomain.cpp bug 1337950 - work around failing to load a FIPS PKCS#11 module DB in NSS initialization r=Cykesiopka,jcj 2017-04-20 10:31:22 -07:00
NSSCertDBTrustDomain.h bug 1352262 - make OCSP timeout values configurable r=Cykesiopka,jcj 2017-03-31 15:21:40 -07:00
OCSPCache.cpp Bug 1328653 - Merging all the various *OriginAttributes to just one, r=huseby 2017-01-12 17:38:48 +01:00
OCSPCache.h Bug 1328653 - Merging all the various *OriginAttributes to just one, r=huseby 2017-01-12 17:38:48 +01:00
OCSPRequestor.cpp Bug 1308100 - Replace PL_strlen/PL_strnlen with strlen/strnlen;r=erahm 2017-04-13 20:47:00 +02:00
OCSPRequestor.h Bug 1330365 - Use mozilla::TimeStamp instead of NSPR's PRIntervalTime for OCSP timeout code. r=keeler 2017-01-14 13:12:43 +08:00
OCSPVerificationTrustDomain.cpp bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
OCSPVerificationTrustDomain.h bug 1349762 - handle two GlobalSign EV root transfers r=Cykesiopka,jcj 2017-04-03 17:17:38 -07:00
SignedCertificateTimestamp.cpp Bug 1317951, part 1 - Certificate Transparency - extracted verification related fields from SCT to a separate struct. r=keeler 2016-11-23 15:37:31 +02:00
SignedCertificateTimestamp.h Bug 1338374 - Make Vector not use AlignedStorage for its inline element storage. r=froydnj, r=keeler 2017-01-30 15:56:05 -08:00
SignedTreeHead.h Bug 1241574 - Certificate Transparency - base definitions and serialization to/from TLS wire format. r=keeler, r=Cykesiopka 2016-04-11 16:17:25 +03:00
StartComAndWoSignData.inc bug 1309707 - revoke StartCom and WoSign certificates issued after 21 October 2016 r=Cykesiopka,jcj 2016-10-12 17:02:33 -07:00