Граф коммитов

9640 Коммитов

Автор SHA1 Сообщение Дата
David Keeler fe26522550 bug 1172615 - check for and return early in the case of authentication bypass in AuthCertificateHook r=mcmanus
--HG--
extra : amend_source : 305df6e1ea028333d3077653f3e3fc098f40dd3f
2015-06-08 13:18:23 -07:00
Jed Davis 8ac1db457e Bug 1168555 - Work around Nuwa not always being single-threaded when a normal content process is. r=kang 2015-06-10 13:38:00 -04:00
Kai Engert 4de03b092c Bug 1174102 - Update to NSS 3.19.2, landing NSS_3_19_2_BETA1, r=nss-confcall 2015-06-12 11:10:17 +02:00
Cykesiopka c7d8bf951d Bug 1171819 - Convert test_cert_eku-*.js to generate certificates at build time. r=keeler
--HG--
extra : rebase_source : a683669da992833336c6aa03961b143d428ee0b7
2015-06-10 22:50:00 +02:00
Mike Perry 1c707fb2d0 Bug 629558 - Pref to make Intermediate Cert Store memory-only. r=keeler
--HG--
extra : rebase_source : 2678d1f74624fe1aa7db44053647a39fb8c8f8dc
2015-06-10 14:14:00 +02:00
Atul Kumar 246d750391 Bug 1136301 - Null check for mCert->slot added in destructorSafeDestroyNSSReference & MarkForPermDeletion. Formatting update in MarkForPermDeletion. r=keeler 2015-06-10 09:46:16 -07:00
David Keeler d67edd7f93 bug 1170303 - treat malformed name information in certificates as a domain name mismatch r=Cykesiopka 2015-06-01 13:55:23 -07:00
David Keeler 9091a35bfb bug 1171557 - make test_cert_trust.js certs a bit more realistic r=mgoodwin
According to the Baseline Requirements, root certificates MUST NOT
have the extendedKeyUsage extension. The extension is optional for
intermediates and required for end-entity certificates. This change
modifies the test certificates so they're more in line with the BRs.
2015-06-03 15:37:38 -07:00
David Keeler c3704cadb3 bug 1171557 - convert test_cert_trust.js to generate certificates at build time r=mgoodwin 2015-06-03 15:12:00 -07:00
Eric Rahm 6ac04795af Bug 1145893 - Shutdown nsNSSComponent background threads during xpcom-shutdown. r=keeler, a=me 2015-03-23 10:58:25 -07:00
Richard Barnes 8a4bc22436 Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android r=keeler 2015-05-28 13:29:13 -07:00
Ryan VanderMeulen 56574135d1 Backed out changeset fda85020d842 (bug 1010068) for Android test_cert_overrides.js failures.
CLOSED TREE
2015-06-08 11:37:33 -04:00
Richard Barnes 3824033dee Bug 1010068 - Disable OCSP for DV certificates in Firefox for Android r=keeler 2015-05-28 13:29:13 -07:00
Carsten "Tomcat" Book ac2974150a merge mozilla-inbound to mozilla-central a=merge 2015-06-08 11:55:30 +02:00
ffxbld 9df7fce9a4 No bug, Automated HPKP preload list update from host bld-linux64-spot-1061 - a=hpkp-update 2015-06-06 03:26:59 -07:00
ffxbld 671e873521 No bug, Automated HSTS preload list update from host bld-linux64-spot-1061 - a=hsts-update 2015-06-06 03:26:57 -07:00
Jed Davis 9db695d73b Bug 1055310 - Step 3: Move syscall interceptions into SandboxFilter.cpp. r=kang
We can now keep the part of the policy implemented by upcalls to
userspace in the same place as the part of the policy that's handled
entirely in the kernel.  This will become more useful in the future
(e.g., bug 930258).
2015-06-05 15:17:40 -07:00
Jed Davis 5e4e0f9184 Bug 1055310 - Step 2: Move SIGSYS handling to Chromium TrapRegistry. r=kang
This is more complicated than I'd like it to be, because we don't have
a good way to combine a specific trap function's knowledge that we want
to get a crash dump with the SIGSYS handler's copy of the unprocessed
signal info (which breakpad wants).  The bpf_dsl interface requires a
specific trap function type (via the TrapRegistry superclass), so even
if we implement our own registry we can't change what's passed to it.
Normally we could use thread-local storage to get around that, but it's
not async signal safe.

As a result there is an imperfect compromise: the trap function returns
a failure with ENOSYS, Chromium's SIGSYS handler writes it into the
context, our SIGSYS handler reads it back out and uses a copy of
the original signal context for the crash dump.  Other error codes
(and returning ENOSYS via the seccomp-bpf policy itself) are handled
normally.
2015-06-05 15:17:35 -07:00
Jed Davis 3bd337c32c Bug 1055310 - Step 1: Convert seccomp-bpf policies to Chromium PolicyCompiler. r=kang
This completely rewrites SandboxFilter.cpp and removes SandboxAssembler.
System calls are now loosely grouped by what they do, now that order
doesn't matter, and most of the intersection the content and media
plugin whitelists is moved into a common superclass.  Hopefully this
improves the readability and comprehensibility of the syscall policies.

Also, the macros that take the syscall name are gone, because a plain
case label usually suffices now (the CASES_FOR_thing macros are a little
unsightly, but they're relatively simple), and at one point we saw
strange macro expansion issues with system header files that #define'd
some syscall names.

The signal handling is not migrated yet, so Trap() actions can't be used
yet; the next patch will take care of that, and to keep the intermediate
state working there's a minimal shim.

Bonus fix: non-const global variables use the "g" prefix; "s" is for
static class members and static variables in a function (where the
default is to allocate a separate copy per instance/activation).
2015-06-05 15:17:32 -07:00
David Keeler 1658fa2a61 bug 969985 - cleanup of test_certificate_usages.js - see the rest of this commit message r=mgoodwin
Converts test_certificate_usages.js to generate certificates at build time.
Also does miscellaneous cleanup to use modern JS practices.
Since the test_cert_eku-* suite of tests covers the extended key usage extension,
removes superfluous testcases involving EKU.
Finally, renames test_certificate_usages.js to test_cert_keyUsage.js for a more
consistent naming scheme.

--HG--
rename : security/manager/ssl/tests/unit/test_certificate_usages.js => security/manager/ssl/tests/unit/test_cert_keyUsage.js
2015-06-02 10:58:59 -07:00
Eric Rahm 75c4bebb79 Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
This is straightforward mapping of PR_LOG levels to their LogLevel
counterparts:
  PR_LOG_ERROR   -> LogLevel::Error
  PR_LOG_WARNING -> LogLevel::Warning
  PR_LOG_WARN    -> LogLevel::Warning
  PR_LOG_INFO    -> LogLevel::Info
  PR_LOG_DEBUG   -> LogLevel::Debug
  PR_LOG_NOTICE  -> LogLevel::Debug
  PR_LOG_VERBOSE -> LogLevel::Verbose

Instances of PRLogModuleLevel were mapped to a fully qualified
mozilla::LogLevel, instances of PR_LOG levels in #defines were mapped to a
fully qualified mozilla::LogLevel::* level, and all other instances were
mapped to us a shorter format of LogLevel::*.

Bustage for usage of the non-fully qualified LogLevel were fixed by adding
|using mozilla::LogLevel;| where appropriate.
2015-06-03 15:25:57 -07:00
Eric Rahm 67f6de2a30 Bug 1165515 - Part 9: Remove instances of using numeric log levels 1-5. rs=froydnj 2015-06-03 15:22:35 -07:00
Eric Rahm cc58068318 Bug 1165515 - Part 5: Convert instances of PR_LOG_ALWAYS. r=froydnj
Most instances were converted to PR_LOG_INFO, some to PR_LOG_DEBUG, and some
to PR_LOG_ERROR.
2015-06-03 15:22:30 -07:00
Eric Rahm f50b813989 Bug 1165515 - Part 3: Convert PR_LOG_TEST to MOZ_LOG_TEST. r=froydnj 2015-06-03 15:22:28 -07:00
Cykesiopka 0d334e23eb Bug 1169195 - Convert test_bug644006.html mochitest to an xpcshell test. r=keeler
--HG--
rename : security/manager/ssl/tests/mochitest/bugs/test_bug644006.html => security/manager/ssl/tests/unit/test_constructX509FromBase64.js
2015-06-02 22:49:00 -04:00
Bob Owen 07490a1951 Bug 1166669: Enable process-level mitigations for the Windows content process sandbox. r=tabraldes 2015-06-03 09:13:00 +01:00
Nicholas Nethercote e849e6588b Bug 1170416 (part 3) - Remove the PLDHashTable2 typedef. r=froydnj.
--HG--
extra : rebase_source : 9510ea47204fffa163cac43aeaaac6ae1ad80419
2015-05-19 16:46:17 -07:00
Mike Hommey d060bd3d86 Bug 1170431 - Pass buildid as input to pycert.py. r=gps 2015-06-03 07:10:25 +09:00
Mike Hommey 79ea9f2368 Bug 1170431 part 0 - Use the *Path classes for GENERATED_FILES scripts and inputs. r=gps 2015-06-03 07:10:12 +09:00
Carsten "Tomcat" Book 5471309381 Backed out 14 changesets (bug 1165515) for linux x64 e10s m2 test failures
Backed out changeset d68dcf2ef372 (bug 1165515)
Backed out changeset 7c3b45a47811 (bug 1165515)
Backed out changeset b668b617bef2 (bug 1165515)
Backed out changeset d0916e1283a2 (bug 1165515)
Backed out changeset ac4dc7489942 (bug 1165515)
Backed out changeset e9632ce8bc65 (bug 1165515)
Backed out changeset c16d215cc7e4 (bug 1165515)
Backed out changeset e4d474f3c51a (bug 1165515)
Backed out changeset d87680bf9f7c (bug 1165515)
Backed out changeset b3c0a45ba99e (bug 1165515)
Backed out changeset 9370fa197674 (bug 1165515)
Backed out changeset 50970d668ca1 (bug 1165515)
Backed out changeset ffa4eb6d24b9 (bug 1165515)
Backed out changeset 5fcf1203cc1d (bug 1165515)

--HG--
extra : rebase_source : 6fb850d063cbabe738f97f0380302153e3eae97a
2015-06-02 13:05:56 +02:00
Eric Rahm a9afd68cef Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
This is straightforward mapping of PR_LOG levels to their LogLevel
counterparts:
  PR_LOG_ERROR   -> LogLevel::Error
  PR_LOG_WARNING -> LogLevel::Warning
  PR_LOG_WARN    -> LogLevel::Warning
  PR_LOG_INFO    -> LogLevel::Info
  PR_LOG_DEBUG   -> LogLevel::Debug
  PR_LOG_NOTICE  -> LogLevel::Debug
  PR_LOG_VERBOSE -> LogLevel::Verbose

Instances of PRLogModuleLevel were mapped to a fully qualified
mozilla::LogLevel, instances of PR_LOG levels in #defines were mapped to a
fully qualified mozilla::LogLevel::* level, and all other instances were
mapped to us a shorter format of LogLevel::*.

Bustage for usage of the non-fully qualified LogLevel were fixed by adding
|using mozilla::LogLevel;| where appropriate.
2015-06-01 22:17:33 -07:00
Eric Rahm fb40eb5516 Bug 1165515 - Part 9: Remove instances of using numeric log levels 1-5. rs=froydnj 2015-06-01 22:17:26 -07:00
Eric Rahm 28978ade8c Bug 1165515 - Part 5: Convert instances of PR_LOG_ALWAYS. r=froydnj
Most instances were converted to PR_LOG_INFO, some to PR_LOG_DEBUG, and some
to PR_LOG_ERROR.
2015-06-01 22:17:21 -07:00
Eric Rahm 141e0ff4a2 Bug 1165515 - Part 3: Convert PR_LOG_TEST to MOZ_LOG_TEST. r=froydnj 2015-06-01 22:17:19 -07:00
Wes Kocher 4e9f80ed2e Backed out 14 changesets (bug 1165515) for b2g mochitest-6 permafail CLOSED TREE
Backed out changeset 9b97e2aa2ed9 (bug 1165515)
Backed out changeset 150606c022a2 (bug 1165515)
Backed out changeset 4e875a488349 (bug 1165515)
Backed out changeset 467e7feeb546 (bug 1165515)
Backed out changeset d6b6cc373197 (bug 1165515)
Backed out changeset 0615265b593c (bug 1165515)
Backed out changeset fafd1dce9f08 (bug 1165515)
Backed out changeset d1df869245f9 (bug 1165515)
Backed out changeset 6876a7c63611 (bug 1165515)
Backed out changeset b7841c94a9a3 (bug 1165515)
Backed out changeset e5e3617f7c73 (bug 1165515)
Backed out changeset 39be3db95978 (bug 1165515)
Backed out changeset 0ec74176f8de (bug 1165515)
Backed out changeset 5b928dd10d71 (bug 1165515)
2015-06-01 17:57:58 -07:00
Eric Rahm f82c0e7caf Bug 1165515 - Part 13-2: Replace usage of PRLogModuleLevel and PR_LOG_*. rs=froydnj
This is straightforward mapping of PR_LOG levels to their LogLevel
counterparts:
  PR_LOG_ERROR   -> LogLevel::Error
  PR_LOG_WARNING -> LogLevel::Warning
  PR_LOG_WARN    -> LogLevel::Warning
  PR_LOG_INFO    -> LogLevel::Info
  PR_LOG_DEBUG   -> LogLevel::Debug
  PR_LOG_NOTICE  -> LogLevel::Debug
  PR_LOG_VERBOSE -> LogLevel::Verbose

Instances of PRLogModuleLevel were mapped to a fully qualified
mozilla::LogLevel, instances of PR_LOG levels in #defines were mapped to a
fully qualified mozilla::LogLevel::* level, and all other instances were
mapped to us a shorter format of LogLevel::*.

Bustage for usage of the non-fully qualified LogLevel were fixed by adding
|using mozilla::LogLevel;| where appropriate.
2015-06-01 14:31:01 -07:00
Eric Rahm 4095cdb19f Bug 1165515 - Part 9: Remove instances of using numeric log levels 1-5. rs=froydnj 2015-06-01 14:31:00 -07:00
Eric Rahm 0a502beb23 Bug 1165515 - Part 5: Convert instances of PR_LOG_ALWAYS. r=froydnj
Most instances were converted to PR_LOG_INFO, some to PR_LOG_DEBUG, and some
to PR_LOG_ERROR.
2015-06-01 14:31:00 -07:00
Eric Rahm dc090e3fe5 Bug 1165515 - Part 3: Convert PR_LOG_TEST to MOZ_LOG_TEST. r=froydnj 2015-06-01 14:31:00 -07:00
Carsten "Tomcat" Book 7531d9be17 Merge mozilla-central to mozilla-inbound 2015-06-01 15:19:42 +02:00
Carsten "Tomcat" Book cfa2965ba6 merge mozilla-inbound to mozilla-central a=merge 2015-06-01 15:00:24 +02:00
ffxbld b6ea902b96 No bug, Automated HPKP preload list update from host bld-linux64-spot-534 - a=hpkp-update 2015-05-30 03:26:59 -07:00
ffxbld e6879816ca No bug, Automated HSTS preload list update from host bld-linux64-spot-534 - a=hsts-update 2015-05-30 03:26:57 -07:00
Cykesiopka 71fd1e3612 Bug 1169530 - Add l10n string for SSL_ERROR_WEAK_SERVER_CERT_KEY. r=dkeeler
Also removes the strings for the SSL_ERROR_UNUSED_5 and SSL_ERROR_UNUSED_10 errors.

--HG--
extra : rebase_source : 252d8f50085ccc57294a71c31f3b8b37c9cf2a90
2015-05-28 22:50:00 +02:00
Bob Owen 51a5fe52f3 Bug 1123759: Set low integrity on NPAPI processes for Windows sandboxing policy level >= 2. r=bbondy, r=bsmedberg 2015-05-22 17:05:45 +01:00
David Keeler a83c753047 bug 1166976 - generate some PSM xpcshell test certificates at build time r=Cykesiopka,mgoodwin,froydnj 2015-05-20 16:35:16 -07:00
Ryan VanderMeulen 5eae5c2c7b Bug 1166031 - Update NSS to NSS_3_19_1_RTM. a=sledru
--HG--
extra : transplant_source : %A7%DD%B5%C6%8C%1C%C1%C1%8C%CBY%E4%AD%87%0Bt%02%A9%B0%13
2015-05-28 14:14:52 -04:00
Nicholas Nethercote df91e412ac Bug 1168007 (part 7) - Use PLDHashTable2 in nsCertTree. r=froydnj.
It's possible that Clear() will be called on a table that hasn't had anything
inserted in it, but that's ok.

--HG--
extra : rebase_source : 454a79d9ec0fbf8d82706c12535c5862fe687cba
2015-05-18 21:14:51 -07:00
Nicholas Nethercote 58ee0c69e5 Bug 1168007 (part 6) - Use PLDHashTable2 in nsSecureBrowserUIImpl. r=froydnj.
--HG--
extra : rebase_source : fe8f14d5caf24931bace563518b7541beb838074
2015-05-18 21:02:48 -07:00
Cykesiopka 563c609fd0 Bug 1168695 - Add result strings to PSM xpcshell HPKP tests. r=keeler
--HG--
extra : rebase_source : 75fd17476020a68c60fd5e733c4d7a30fd05b8da
2015-05-28 02:26:00 +02:00