These includes provide some types and functionality that these files need. In
the default build environment, there's no issue because they pick up these
includes via piggybacking on neighboring files that they're unified with; but
in a non-unified build, the files need to directly have these includes, to
avoid build errors.
See https://bugzilla.mozilla.org/show_bug.cgi?id=1730265#c0 for the specific
build errors being addressed here.
Differential Revision: https://phabricator.services.mozilla.com/D125285
This was previously attempted in bug 1658042, but the library function that
this relies on (SecKeyIsAlgorithmSupported) was causing OS dialogs to appear on
our test machines, so it wasn't a viable option. Something seems to have
changed in the meantime (perhaps these dialogs were a bug in macOS?), and now
the function works as expected without dialogs.
Differential Revision: https://phabricator.services.mozilla.com/D124114
The Widevine CDM tries to open certain procfs/sysfs files, as noted
in the bug, but doesn't appear to need them; some of them are opened
repeatedly, causing log spam. This patch suppresses logging for the
files where this is known to happen, by adding "opened file" objects
that always silently fail.
It would also be possible to turn off all of this logging by default
and make it conditional on MOZ_SANDBOX_LOGGING, but it's relatively
low-noise (compared to content process file access) and provides some
value (see bug 1725828), so for now let's leave it enabled and just
blocklist a few files.
Differential Revision: https://phabricator.services.mozilla.com/D123562
```
2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/tls13con.c:
Backed out changeset fae49696d374
[e55700ee052e] [NSS_3_70_BETA1] <NSS_3_70_BRANCH>
* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
Backed out changeset 7c3a0a99f7fa
[e79531c04e6b] <NSS_3_70_BRANCH>
* automation/abi-check/previous-nss-release, lib/nss/nss.h,
lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.70 Beta
[cc0d44da6a0e]
2021-08-26 John M. Schanck <jschanck@mozilla.com>
* tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
Bug 1662515 - Enable tlsfuzzer/test-tls13-zero-content-type.py
r=bbeurdouche,djackson
[7c3a0a99f7fa]
2021-08-26 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/ssl/tls13con.c:
Bug 1662515 - Fix incorrect alert after successful decryption
r=djackson
[fae49696d374]
2021-08-24 Robert Relyea <rrelyea@redhat.com>
* tests/cert/cert.sh, tests/common/init.sh, tests/sdr/sdr.sh:
Bug 1726022 Update test case to verify fix.
Updated test cases to verify pbe caching fix. NOTE: putting
passwords on databases are key to reproducing the original issue.
[ff19b674c468]
2021-08-24 John M. Schanck <jschanck@mozilla.com>
* gtests/ssl_gtest/tls_ech_unittest.cc:
Bug 1714579 - Explicitly disable downgrade check in
TlsConnectStreamTls13.EchOuterWith12Max r=nss-reviewers,bbeurdouche
Depends on D123535
[608fd450d499]
* gtests/ssl_gtest/ssl_version_unittest.cc:
Bug 1714579 - Explicitly disable downgrade check in
TlsConnectTest.DisableFalseStartOnFallback r=nss-
reviewers,bbeurdouche
Depends on D122988
[7bd94de62243]
2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/util/nssb64d.c:
Formatting for lib/util
[db95b15ce1ff]
2021-08-24 John M. Schanck <jschanck@mozilla.com>
* lib/util/nssb64d.c:
Bug 1681975 - Avoid using a lookup table in nssb64d r=bbeurdouche
[d454db6ad1fb]
2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/sha512.c:
Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
r=jschanck
[7e31b8f7f741]
2021-08-24 John M. Schanck <jschanck@mozilla.com>
* lib/ssl/sslsock.c:
Bug 1714579 Change default value of enableHelloDowngradeCheck to
true r=mt
Firefox sets enableHelloDowngradeCheck to true by default, as of
[1576790](https://bugzilla.mozilla.org/show_bug.cgi?id=1576790). We
have a two year old open issue noting some issues with that
[1590870](https://bugzilla.mozilla.org/show_bug.cgi?id=1590870), but
I see no reason not to update the default in NSS.
[52137aa125f5]
2021-08-24 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* gtests/pk11_gtest/pk11_hpke_unittest.cc:
Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc r=jschanck
The clang-format target was failing.
https://treeherder.mozilla.org/logviewer?job_id=348100377&repo=nss-
try
[36bc1c231bf6]
```
Differential Revision: https://phabricator.services.mozilla.com/D123784
Automatically generated path that adds flag `REQUIRES_UNIFIED_BUILD = True` to `moz.build`
when the module governed by the build config file is not buildable outside on the unified environment.
This needs to be done in order to have a hybrid build system that adds the possibility of combing
unified build components with ones that are built outside of the unified eco system.
Differential Revision: https://phabricator.services.mozilla.com/D122345
```
2021-08-17 Robert Relyea <rrelyea@redhat.com>
* lib/softoken/lowpbe.c:
Bug 1726022 Cache additional PBE entries
Firefox password manager is slow to load (22s for 361 passwords on
an i7), using 100% CPU and causing laptop fans to spin up
Possible solution based on increasing the number of cache entries
used by the PKCS5v2 values as the current code thrashes the cache as
we use 2 pbe's per read operation.
This patch is tested for correctness, but not fixing the issue. New
test cases are needed.
[fe82761e35aa] [tip]
```
Differential Revision: https://phabricator.services.mozilla.com/D123442
Chrome has removed 3DES completely[0], but we're still seeing some uses of it
in telemetry. Our assumption is that this is either due to old devices that
can't be upgraded, and hence probably use TLS 1.0, or servers that bafflingly
choose 3DES when there are other, better, ciphersuites in common.
This patch allows 3DES to only be enabled when deprecated versions of TLS are
enabled. This should protect users against the latter case (where 3DES is
unnecessary) while allowing them to use it in the former case (where it may be
necessary).
NB: The only 3DES ciphersuite gecko makes possible to enable is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. This patch also changes the preference
corresponding to this ciphersuite from "security.ssl3.rsa_des_ede3_sha" to
"security.ssl3.deprecated.rsa_des_ede3_sha".
[0] https://www.chromestatus.com/feature/6678134168485888
Differential Revision: https://phabricator.services.mozilla.com/D121797
Chrome has removed 3DES completely[0], but we're still seeing some uses of it
in telemetry. Our assumption is that this is either due to old devices that
can't be upgraded, and hence probably use TLS 1.0, or servers that bafflingly
choose 3DES when there are other, better, ciphersuites in common.
This patch allows 3DES to only be enabled when deprecated versions of TLS are
enabled. This should protect users against the latter case (where 3DES is
unnecessary) while allowing them to use it in the former case (where it may be
necessary).
NB: The only 3DES ciphersuite gecko makes possible to enable is
TLS_RSA_WITH_3DES_EDE_CBC_SHA. This patch also changes the preference
corresponding to this ciphersuite from "security.ssl3.rsa_des_ede3_sha" to
"security.ssl3.deprecated.rsa_des_ede3_sha".
[0] https://www.chromestatus.com/feature/6678134168485888
Differential Revision: https://phabricator.services.mozilla.com/D121797
2021-08-05 Martin Thomson <mt@lowentropy.net>
o * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
| Set version numbers to 3.69 final
| [2f5c77e2c5b9] [NSS_3_69_RTM] <NSS_3_69_BRANCH>
|
2021-07-30 Martin Thomson <mt@lowentropy.net>
o * .hgtags:
| Added tag NSS_3_69_BETA1 for changeset 60211e7f03ee
| [51b699171a91] <NSS_3_69_BRANCH>
|
2021-07-29 Martin Thomson <mt@lowentropy.net>
o * lib/ssl/sslsock.c:
| Bug 1722613 - Disable DTLS 1.0 and 1.1 by default, r=rrelyea
|
| [60211e7f03ee] [NSS_3_69_BETA1]
|
2021-07-15 Robert Relyea <rrelyea@redhat.com>
o * automation/taskcluster/docker-builds/Dockerfile,
~ automation/taskcluster/docker-gcc-4.4/Dockerfile,
automation/taskcluster/docker/Dockerfile, lib/softoken/sftkpwd.c,
tests/dbtests/dbtests.sh:
Bug 1720226 integrity checks in key4.db not happening on private
components with AES_CBC When we added support for AES, we also added
support for integrity checks on the encrypted components.
It turns out the code that verifies the integrity checks was broken
in 2 ways:
1. it wasn't accurately operating when AES was being used (the if
statement wasn't actually triggering for AES_CBC because we were
looking for AES in the wrong field). 2. password update did not
update the integrity checks in the correct location, meaning any
database which AES encrypted keys, and which had their password
updated will not be able to validate their keys.
While we found this in a previous rebase, the patch had not been
pushed upstream.
The attached patch needs sqlite3 to run the tests.
[1e86f5cfc1cd]
Differential Revision: https://phabricator.services.mozilla.com/D121837
ffxbld
Daniel Holbert
Ben Hearsum
Csoregi Natalia
Kershaw Chang
Dana Keeler
Mark Banner
Sylvestre Ledru
Benjamin Beurdouche
Marian-Vasile Laza
Agi Sferro
Dragana Damjanovic
Iulian Moraru
Sandor Molnar
Emilio Cobos Álvarez
Jed Davis
Bob Owen
Andi-Bogdan Postelnicu
R. Martinho Fernandes
Valentin Gosu
Mike Hommey
Alexandre Lissy
Narcis Beleuzu
Nicklas Boman
Martin Thomson
stransky