Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
This patch removes telemetry probes for TLS 1.3 Delegated Credentials. The
probes are expiring soon and we do not plan to run any more experiments that
would justify their renewal. There is no plan to enable this feature in beta or
release until the draft hits RFC stage.
Differential Revision: https://phabricator.services.mozilla.com/D99557
2020-12-11 Kevin Jacobs <kjacobs@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.60 final
[2015cf6ca323] [NSS_3_60_RTM] <NSS_3_60_BRANCH>
2020-12-08 Kevin Jacobs <kjacobs@mozilla.com>
* .hgtags:
Added tag NSS_3_60_BETA1 for changeset f84fb229842a
[1fe6cb3c3874]
Differential Revision: https://phabricator.services.mozilla.com/D99488
This moves parts of IPCMessageUtils.h to two new header files and adapts
the include directives as necessary. The new header files are:
- EnumSerializer.h, which defines the templates for enum serializers
- IPCMessageUtilsSpecializations.h, which defines template specializations
of ParamTraits with extra dependencies (building upon both IPCMessageUtils.h
and EnumSerializer.h)
This should minimize the dependencies pulled in by every consumer of
IPCMessageUtils.h
Differential Revision: https://phabricator.services.mozilla.com/D94459
This patch removes the hand-rolled shared background thread in favor of
individual background synchronous event targets. Also, the timer configuration
was moved to the main thread. It now dispatches events to the background task
queue, which makes it easier to reason about.
Differential Revision: https://phabricator.services.mozilla.com/D98977
This patch extends the lifetimes of the following telemetry probes to Firefox 92:
CRLITE_RESULT
INTERMEDIATE_PRELOADING_ERRORS
INTERMEDIATE_PRELOADING_UPDATE_TIME_MS
security.intermediate_preloading_num_preloaded
security.intermediate_preloading_num_pending
This patch removes the following telemetry probes:
CRLITE_FASTER_THAN_OCSP_MS
OCSP_FASTER_THAN_CRLITE_MS
Differential Revision: https://phabricator.services.mozilla.com/D98988
32-bit Linux architectures have gained new versions of every system
call handling time values, to allow a transition to 64-bit time_t that
will continue to work after the year 2038; newer versions of glibc will
attempt them and fall back to the 32-bit path (without caching the
failure, so at best we take the overhead of handling SIGSYS).
This patch allows time64 syscalls in the same cases where we allow their
time32 versions, including the restrictions on clockid_t to prevent
interacting with other processes or threads of other processes. (I've
confirmed that the argument types match otherwise, so it's safe to reuse
the same policies.)
Differential Revision: https://phabricator.services.mozilla.com/D98693
Telemetry indicated that setting various security state (in particular, CRLite
state) was causing main thread hangs due to base64 decoding. This patch
rearranges cert_storage slightly to do these decodings off the main thread.
Differential Revision: https://phabricator.services.mozilla.com/D98691
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch updates test_sanctions_symantec_apple_google.js to test a chain through an allow-listed Apple intermediate certificate chaining to a Symantec root certificate that is present in NSS.
Differential Revision: https://phabricator.services.mozilla.com/D98511
This patch changes a test referencing //VeriSign Class 3 Public Primary Certification Authority - G4//, which was removed in bug 1670769, with a similar VeriSign root CA that still exists and meets the same requirements for the test.
Differential Revision: https://phabricator.services.mozilla.com/D98510
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
[f8c49b334e51] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root
cert to NSS. r=bbeurdouche,KathleenWilson
[b9742b439a81]
2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs
from NSS. r=kjacobs,KathleenWilson
[4c69d6d0cf21]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any
encryption or integrity protection. This leads to a post-deserialize
UBSAN error when shifting by a fuzzed (large) authType value. A real
NSS server will not produce these values.
[a51fae403328]
2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins-
testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
m-c r=kjacobs
[22bf7c680b60]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche
[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c
d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.
This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.
[19585ccc7a1f]
2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection.
r=bbeurdouche
Actually, we have CPU feature detection for Linux and FreeBSD on
aarch64 platform. But others don't.
macOS doesn't has any CPU feature detection for ARM Crypto
Extension, but toolchain default is turned on. So we should respect
__ARM_FEATURE_CRYPTO.
[f1e48fbead3d]
2020-11-19 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible
with ABI version 1 output. r=jcj Don't try to build the SHA-2
accelerated asm on old-ABI ppc.
Currently make only, I don't have enough gyp-fu to do that side.
However, the reporters of 1642174 and 1635625 both used make, not
gyp.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
Differential Revision: https://phabricator.services.mozilla.com/D98509
Before this patch, when RemoteSecuritySettings would download multiple new
stashes, it would add the first one to cert_storage, which would reconstruct
the in-memory representation of all of the issuer/serial hashmaps/sets
(including preexisting ones), and then RemoteSecuritySettings would add the
second one, and cert_storage would reconstruct the entire in-memory
representation of the issuer/serial hashmaps/sets again, and so on, re-doing
all of the work each time. This is essentially O(n^2) work. This patch improves
both RemoteSecuritySettings and cert_storage to minimize this work, reducing it
to O(n).
Differential Revision: https://phabricator.services.mozilla.com/D97829
It's a common way to check the existence of system calls. Glibc may fall
back to fstatat when statx is called, passing down the null path.
Since we handle fstatat, let's return -EFAULT the same way the real
fstatat syscall would do.
This is needed for the sandbox not to constantly crash due to this statx
call in rustc:
09c9c9f7da/library/std/src/sys/unix/fs.rs (L119-L123)
Differential Revision: https://phabricator.services.mozilla.com/D98414
This allows us to avoid calling any NSSCertificateDB methods on the main
thread or allocating memory for xpconnect wrappers of cert objects.
Differential Revision: https://phabricator.services.mozilla.com/D97970
Simon Giesecke
ffxbld
Csoregi Natalia
smolnar
Moritz Birghan
Kevin Jacobs
Bob Clary
R. Martinho Fernandes
Dana Keeler
Benjamin Beurdouche
Victor Porof
Razvan Maries
Jed Davis
Bogdan Tara
Xidorn Quan
Mihai Alexandru Michis
Andreea Pavel
Emilio Cobos Álvarez
Valentin Gosu
Jean-Yves Avenard
Sylvestre Ledru