Commit graph

15469 commits

Author SHA1 Message Date
Kevin Jacobs d343e2c8e6 Bug 1655105 - land NSS NSS_3_56_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-08-19  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/libpkix/certs/PayPalEE.cert:
	Bug 1659792 - Update libpkix tests with unexpired PayPal cert. r=jcj

	The in-tree `PayPalEE.cert` expired today. This patch replaces it
	with a current copy that expires on 12 Jan 2022.

	CI breakage before patch: https://treeherder.mozilla.org/#/jobs?repo=nss&revision=2890f342de631bf6774ac747515a8b5736e20d3f
	CI with the fix applied: https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=bd28f21d8acbcb15502bd4fc606fc9c0ed09c810

	[52c965eaffa1] [NSS_3_56_BETA1]

2020-08-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/interop/interop.sh:
	Bug 1659814 - Pull updated tls-interop for dependency fix. r=jcj

	[70376af425ae]

	* automation/release/nspr-version.txt:
	Bug 1656519 - NSS 3.56 should depend on NSPR 4.28. r=kaie

	[2890f342de63]

Differential Revision: https://phabricator.services.mozilla.com/D87648
2020-08-19 21:02:09 +00:00
Simon Giesecke cfd7d0ea9c Bug 1659923 - Avoid unnecessary copies around Base64Encode. r=xpcom-reviewers,necko-reviewers,froydnj,valentin
This also adds some more variants of Base64Encode and Base64EncodeAppend.

Differential Revision: https://phabricator.services.mozilla.com/D87559
2020-08-19 17:45:16 +00:00
Dana Keeler 67e203a187 Bug 1596401 - rework certificate deletion so it happens immediately r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D86775
2020-08-17 23:23:03 +00:00
Dana Keeler f56f7f0410 Bug 1658042 - osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform. Additionally, the Windows implementation can't
make this determination if the cryptographic service provider would show UI, so
again in those cases the implementation assumes modern crypto is available.

Differential Revision: https://phabricator.services.mozilla.com/D86440
2020-08-17 19:47:41 +00:00
ffxbld 5c66804a14 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D87287
2020-08-17 14:16:45 +00:00
Mike Hommey 4ec1f6d39f Bug 1659057 - Allow hw.memsize system call. r=spohl
This fixes the following error when running on Apple Silicon DTK:

AGX: agxs_util.cpp:355:size_t getSystemMemorySize(): !!! Verification failed: status == 0

Differential Revision: https://phabricator.services.mozilla.com/D87048
2020-08-14 13:40:34 +00:00
ffxbld 0d60e704b5 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D86996
2020-08-13 20:33:34 +00:00
Jean-Yves Avenard 35583748a1 Bug 1657521 - P4. Allow VP9 HW decoder in mac sandbox. r=haik
Differential Revision: https://phabricator.services.mozilla.com/D86546
2020-08-13 02:16:19 +00:00
Dana Keeler 576eb4cc71 bug 1598605 - add a test for decoding IPv6 subject alternative name entries r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D56586
2020-08-12 17:41:35 +00:00
Bogdan Tara 98b30d23bf Backed out 5 changesets (bug 1657521) for assertion failure at Refs.h CLOSED TREE
Backed out changeset a0f450666c5b (bug 1657521)
Backed out changeset e97937bf5e3a (bug 1657521)
Backed out changeset 8d70f3cb5e3b (bug 1657521)
Backed out changeset 5c3c1ec039d2 (bug 1657521)
Backed out changeset 132eb437fdda (bug 1657521)
2020-08-12 11:14:44 +03:00
Jean-Yves Avenard 08ed820595 Bug 1657521 - P5. Allow VP9 HW decoder in mac sandbox. r=haik
Differential Revision: https://phabricator.services.mozilla.com/D86546
2020-08-12 04:08:58 +00:00
Dana Keeler e61827e4b0 Bug 1642592 - properly reinitialize insecure fallback hosts when clearing private data r=rmf
When the last private browsing context exits, observers are notified of the
event "last-pb-context-exited". Before this patch, the private browsing shared
TLS state object would clear its list of insecure fallback sites upon observing
this. However, this is not correct, because the list should be set to reflect
the current set of insecure fallback sites as parsed from the preference
"security.tls.insecure_fallback_hosts" (which is by default empty, but wouldn't
be if a user has modified it).

Differential Revision: https://phabricator.services.mozilla.com/D86586
2020-08-11 21:04:31 +00:00
Noemi Erli 68cd54888e Merge mozilla-central to autoland. a=merge CLOSED TREE 2020-08-11 18:56:44 +03:00
Noemi Erli 54c193f6bc Backed out changeset a93095760b1f (bug 1658042) for causing Bug 1658576 a=backout 2020-08-11 18:44:29 +03:00
Moritz Birghan ca3a2d02cd Bug 1649472 - Add telemetry for PHA in TLS 1.3 r=jcj,keeler
Differential Revision: https://phabricator.services.mozilla.com/D81715
2020-08-11 11:56:07 +00:00
Dana Keeler 3bccc9cac1 Bug 1658042 - osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf
The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform.

Differential Revision: https://phabricator.services.mozilla.com/D86440
2020-08-10 21:25:09 +00:00
Kevin Jacobs 5637d1775c Bug 1655105 - land NSS c06f22733446 UPGRADE_NSS_RELEASE, r=jcj
2020-08-07  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/pki/tdcache.c:
	Bug 1625791 - Call STAN_GetCERTCertificate to load CERTCertificate
	trust before caching. r=jcj,keeler

	When caching certificates, `td->cache->lock` must not be held when
	taking `slot->isPresentLock`. `add_cert_to_cache` holds the former
	when calling the sort function in `add_subject_entry`, which will
	[[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/certificate.c#266 | call ]]
	`STAN_GetCERTCertificate` -> `fill_CERTCertificateFields` when
	`cc->nssCertificate`
	[[ https://searchfox.org/mozilla-central/rev/a3b25e347e2c22207c4b369b99246e4aebf861a7/security/nss/lib/pki/pki3hack.c#923 | is NULL ]].

	There are two problems with this:

	 # `fill_CERTCertificateFields` may end up locking
	`slot->isPresentLock` (bad ordering, bug 1651564)
	 # The above may happen followed by another attempt to lock
	`td->cache->lock` (deadlock, this bug).

	By calling `STAN_GetCERTCertificate` prior to the first lock of
	`td->cache->lock`, we can prevent the problematic call to
	`fill_CERTCertificateFields` later on, because `cc->nssCertificate`
	will already be filled.

	[c06f22733446] [tip]

	* gtests/ssl_gtest/ssl_auth_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1588941 - Send empty client cert msg when signature scheme
	selection fails. r=mt

	`ssl3_CompleteHandleCertificateRequest` does essentially two things:
	1) Calls the `getClientAuthData` hook for certificate selection, and
	2) calls `ssl_PickClientSignatureScheme` to select an appropriate
	signature scheme when a cert is selected.

	If the first function returns SECFailure, we default to sending an
	empty certificate message. If the latter fails, however, this
	bubbles up as a
	[[ https://searchfox.org/mozilla-central/rev/56bb74ea8e04bdac57c33cbe9b54d889b9262ade/security/nss/lib/ssl/tls13con.c#2670 | fatal error ]]
	(and an assertion failure) on the connection.
	Importantly, the signature scheme selection can fail for reasons
	that should not be considered fatal - notably when an RSA-PSS cert
	is selected, but the token on which the key resides does not
	actually support PSS.

	This patch treats the failure to find a usable signature scheme as a
	"no certificate" response, rather than killing the connection
	entirely.

	[41ecb7fe5546]

	* lib/freebl/Makefile, lib/freebl/freebl_base.gypi,
	lib/freebl/mpi/mpi_amd64_common.S, lib/freebl/mpi/mpi_amd64_gas.s:
	Bug 1656981 - Use 64x64->128 multiply and MP_COMBA on x86_64 Mac.
	r=mt

	This patch makes two MPI changes for MacOS:

	1. Rename `mpi_amd64_gas.s` to `mpi_amd64_common.S` and add defines
	for macho64, allowing Intel Macs to take advantage of the 64x64->128
	multiply code.
	2. Define and use `NSS_USE_COMBA` on Intel Macs.

	Performance results with `rsaperf -n none -p 10 -e -x 65537`
	(default 2048-bit key):
	Before: `12629.12 operations/s. one operation every 79 microseconds`
	With 64x64->128 assembly: `29431.65 operations/s. one operation every 33 microseconds`
	With MP_COMBA and 64x64->128 assembly: `30332.99 operations/s. one operation every 32 microseconds`

	[330bdab498a3]

	* lib/ssl/sslimpl.h:
	Bug 1656429 - Clang-format fixup, r=bustage
	[07083076fc92]

2020-08-05  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl3exthandle.c,
	lib/ssl/sslimpl.h, lib/ssl/tls13con.c, lib/ssl/tls13replay.c:
	Bug 1656429 - Correct RTT estimate used in anti-replay, r=kjacobs

	This was never a security problem, but the more time that passes
	between the handshake and sending a ticket, the more likely we are
	to reject 0-RTT. Eventually, 0-RTT only works if it is delayed in
	the network by a surprising amount.

	[b4a1c57eb569]

Differential Revision: https://phabricator.services.mozilla.com/D86454
2020-08-10 17:59:40 +00:00
ffxbld 0d46e87486 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D86553
2020-08-10 14:20:05 +00:00
Valentin Gosu 5e3e1f6296 Bug 1651672 - Clear and remove DataStorageClass::TRRBlacklist r=kershaw,necko-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D86520
2020-08-10 09:46:32 +00:00
Dana Keeler 1be997b53b Bug 1651449 - rework intermediate caching to make use of nsNSSComponent's background task queue r=kjacobs,rmf
nsNSSComponent has a background task queue that can be used for importing
intermediates from TLS connections instead of using the certificate
verification thread pool.

This patch also addresses places where PSM was directly accessing the isperm
member of CERTCertificate, which is protected by a lock.

Differential Revision: https://phabricator.services.mozilla.com/D86051
2020-08-07 20:30:20 +00:00
Simon Giesecke 1e02318b49 Bug 1653335 - Replace MakeSpan uses by constructor calls. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D83817
2020-08-07 07:49:47 +00:00
ffxbld 06d4ceb48a No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D86217
2020-08-06 14:22:37 +00:00
Kevin Jacobs cb86341c99 Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj
2020-07-27  Jan-Marek Glogowski  <glogow@fbihome.de>

	* lib/freebl/Makefile:
	Bug 1652032 Disable all freebl assembler code for MSVC arm64
	r=rrelyea,bbeurdouche

	There are two places, where NSS tries to compile either x86_64 MSVC
	assembler or GCC aarch64 code, which will fail the build. And also
	drop the non-MSVC arch build flags for them.

	AFAI could identify, there isn't any armasm64 compatible asm code in
	the whole NSS library, so I don't even adapt AS for the build. The
	cross-build finishes this way.

	[d98bbb6168f4]

2020-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
	lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
	lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
	Bug 1652729 - Add build flag to disable RC2 and relocate to
	lib/freebl/deprecated. r=kjacobs

	[e6c6f1d2d544]

2020-07-27  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc,
	gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
	lib/freebl/loader.h, lib/softoken/manifest.mn,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
	Bug 1648822 Add stricter validation of DH keys when in FIPS mode.

	Update: FIPS now also requires us to do y^q mod p testing on key
	generation (always). We now do that in FIPS mode only, but in all
	modes we do full DH verification for DH and ECDH. Because of this,
	the path has now separated out the prime checks, which are now only
	done for the DH operation if we aren't using a known prime and the
	subprime value has been provided. I've also learned we can accept
	keys that we do full validation on in FIPS mode, so I've added that
	to this patch, though we still can't generate those kinds of keys
	without adding the subprime at keygen time.

	The new FIPS standard is dh operations must use approved primes.
	Approved primes are those selected in the tls and ike RFCs.
	Currently tls and ike have modes with checks whether the primes are
	approved, but the check may not always happen. The safest thing to
	do in FIPS mode is only allow those primes. In addition, FIPS
	requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer
	those two tests are identical).

	While making changes I realized we would want a mode where we can do
	more strict checks on the prime while not requiring that the prime
	be an approved prime. We already allow for strict checking if q is
	supplied with the private key, but there were a couple of issues
	with that check:

	 1. there was no way of actually setting q in the current NSS
	pk11wrap interfaces.
	 2. If the prime was a safe prime, but g was an actual generator,
	then we would fail the y^q mod p = 1 tests for 50% of the keys,
	even though those keys are safe.
	 3. We weren't checking primality of p and q.

	So the old code:

	 if (q) {
	   check y^q mod p = 1
	   if not fail
	 }

	 check 1 <y < p-1 (done in DH_Derive).

	New code:

	 if (! p is approved prime) {
	   if (FIPS) fail;
	   if (q) {
	     y_test = y
	     if (p,q-> p is a safe prime) {
	       y_test = 1
	     }
	     check prime is prime Fail if not
	     check subprime is subprime fail if not
	     y_test^q mod p = 1
	   }
	 }
	 check 1 < y < p-1 (done in DH_Derive)

	This means:

	Existing code non-fips without setting the subprime continues to run
	as before. Non-fips code which sets the subprime now runs slower,
	but p and q are checked; if p or q were not prime, the derive fails
	(which it should). In FIPS mode only approved primes will succeed
	now. Non-fips code can now set the subprime to q=(p-1)/2 if it
	doesn't have an explicit q value (like in tls). If the derive
	succeeds, we know that p is a safe prime. If p is approved, the
	checks are skipped because we already know that p is a safe prime.
	Code can optionally do a test derive on a new p and remember it's
	safe so that we no longer need to check every call (though if q is
	not (p-1)/2, you will need to continue to do the checks each call
	because y could still be a small subgroup).

	This patch:

	gtests/softoken_gtest

	 1. Added New dh tests to softoken_gtests. The tests were added to
	softoken_gtests because we need to test both non-FIPS and FIPS mode.
	Test vectors include a category, so the same test vectors can be
	used in FIPS and non-FIPS even though each class may have different
	results. Most of the test vectors were created either by dhparams
	command in openssl, dsaparams in openssl, and the nss makepqg
	command. Each vector includes a label, prime, base, optional
	subprime, optional public key, test type, and key class (basically
	size).
	 2. If public key is not supplied, we use a generated public key.
	 3. If subPrime is supplied, we set it on the private key after
	generation.

	lib/freebl/dh.c

	 add primality tests to KEA_VerifyKey().

	lib/softokn/

	 1. Allow CKA_SUBPRIME to be set after key generation or import.
	This affects how we test for its existence, since it is now always
	there on the key, we check its length to make sure it's non-zero.
	 2. We implement the pseudocode above as real code.
	 3. We create two new functions: sftl_VerifyDH_Prime which returns
	SECSuccess if Prime is an approved prime. sftk_IsSafePrime which
	returns SECSuccess if both prime and subprime look reasonable, and
	sets a Bool to PR_TRUE if subprime -> prime is safe
	(subprime = (prime-1)/2). These functions are implemented in
	sftkdhverify.c
	 4. Cleanup incorrect nomenclature on primes (safe primes are not
	strong primes).
	[0be91fa2217a]

	* gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc:
	Fix more of the timeout issues on tests. (Drop expensive 4098 dh
	tests ).
	[4014c075a31b]

2020-07-29  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
	lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
	Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs

	ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
	times faster on ARMv8 CPU. The following data is AWS's a1 instance
	(Cortex-A72).

	Before
	======
	```
	# mode in opreps cxreps context op time(sec) thrgput
	sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb
	```

	After
	=====
	```
	# mode in opreps cxreps context op time(sec) thrgput
	sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb
	```

	[68b6eb737689]

2020-07-29  Jan-Marek Glogowski  <glogow@fbihome.de>

	* manifest.mn:
	Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea

	Just reorder the rules in manifest.mn, so all is again the first
	rule. This restores pre-3.53 Makefile defaults.

	[eb52747b7000]

2020-07-31  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
	Bug 1654142 - Add CPU feature detection for Intel SHA extension.
	r=kjacobs

	[e6b77a9c417a]

2020-08-03  Nathan Froyd  <froydnj@mozilla.com>

	* coreconf/detect_host_arch.py:
	Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj

	This case comes up when attempting to build NSS on ARM64 Mac. If we
	don't do this, we wind up detecting arm64 as "arm", with predictably
	bad consequences.

	[afa38fb2f0b5] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D85888
2020-08-04 19:54:56 +00:00
Dana Keeler f468d1bd79 Bug 1656992 - osclientcerts: disable AIA fetching when looking for issuer certificates (macOS) r=kjacobs
When the macOS osclientcerts backend looks for issuer certificates, it can
result in network I/O unless it is specifically disabled. The Windows backend
already handles this, so this only applies to macOS.

Differential Revision: https://phabricator.services.mozilla.com/D85799
2020-08-04 18:06:14 +00:00
Mihai Alexandru Michis e7f08a598b Backed out 3 changesets (bug 1635828) for causing bc failures in browser_tab_detach_restore.js
CLOSED TREE

Backed out changeset 30c58380f352 (bug 1635828)
Backed out changeset d232cb3c4779 (bug 1635828)
Backed out changeset 7c47f9b403ae (bug 1635828)
2020-08-04 13:35:45 +03:00
Andrea Marchesini 263f055dd1 Bug 1635828 - Isolate HSTS per first-party when privacy.partition.network_state is set to true - part 2 - tests, r=timhuang
Differential Revision: https://phabricator.services.mozilla.com/D74078
2020-08-04 09:45:40 +00:00
Moritz Birghan c8319be878 Bug 634697 - Add permanent storage to user's client certificate selection r=keeler,baku,fluent-reviewers,Gijs
Differential Revision: https://phabricator.services.mozilla.com/D58820
2020-08-03 13:24:34 +00:00
ffxbld 8d979b9aee No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D85756
2020-08-03 14:13:18 +00:00
ffxbld 22530e66a4 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=jcristau
Differential Revision: https://phabricator.services.mozilla.com/D85411
2020-07-31 14:47:51 +00:00
R. Martinho Fernandes b2ff7fc0a5 Bug 1654835 - Remove CERTCertificate from PublicKeyPinningService.cpp r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D84726
2020-07-30 08:44:59 +00:00
Haik Aftandilian d9488224c3 Bug 1655655 - Some MP4 Videos Fail to Play on Big Sur r=spohl
Allow access to the "com.apple.trustd.agent" service in the content process sandbox. VTDecompressionSessionCreate() fails without it, causing playback failure for some MP4 videos.

Translate deprecated OS version numbers so that sandbox version checks don't need to check for 10.16.

Differential Revision: https://phabricator.services.mozilla.com/D85213
2020-07-29 21:59:32 +00:00
Victor Porof 75bdf2b80e Bug 1597898 - Part 1: Update RKV dependency to safe-mode, r=nanj
Differential Revision: https://phabricator.services.mozilla.com/D54279
2020-07-29 17:38:20 +00:00
Butkovits Atila a07dcc53eb Backed out changeset 441baa36ba93 (bug 634697) for failure at test_sss_readstate.js. CLOSED TREE 2020-07-29 19:39:44 +03:00
Moritz Birghan 1bea811e47 Bug 634697 - Add permanent storage to user's client certificate selection r=keeler,baku,fluent-reviewers,Gijs
Differential Revision: https://phabricator.services.mozilla.com/D58820
2020-07-29 15:20:10 +00:00
Olli Pettay bccd166233 Bug 1654088, make WindowWatcher methods to use CStrings and not char and make window.open throw the correct exception, r=farre,geckoview-reviewers,agi*
Differential Revision: https://phabricator.services.mozilla.com/D84604
2020-07-27 21:36:24 +00:00
Jeff Muizelaar b083673982 Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype

libloading is duplicated because of ash

Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-24 22:35:25 +00:00
Csoregi Natalia ea1ddfabbf Backed out changeset 9702b4a4f53c (bug 1654699) for Gtest failures. CLOSED TREE 2020-07-24 21:29:52 +03:00
J.C. Jones ee419dca67 Bug 1649545 - land NSS NSS_3_55_RTM UPGRADE_NSS_RELEASE, r=keeler
2020-07-24  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.55 final
	[6705eec655c8] [NSS_3_55_RTM] <NSS_3_55_BRANCH>

2020-07-22  Kai Engert  <kaie@kuix.de>

	* lib/nss/nssinit.c:
	Bug 1653310 - Backed out changeset ca207655b4b7, because with
	updated NSPR this workaround is no longer required. r=kjacobe
	[a448fe36e58b]

2020-07-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_55_BETA1 for changeset 0768baa431e7
	[2572e14f17d6]

Differential Revision: https://phabricator.services.mozilla.com/D84845
2020-07-24 17:08:52 +00:00
Dana Keeler b4495c0f15 Bug 1654117 - prevent osclientcerts from loading on macOS <10.14 r=spohl
osclientcerts requires functions that are available starting in macOS 10.14, so
it shouldn't be possible to enable it in earlier versions.

Differential Revision: https://phabricator.services.mozilla.com/D84764
2020-07-24 16:25:08 +00:00
Jeff Muizelaar b17ab0c2e7 Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,jcj,chunmin
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype

libloading is duplicated because of ash

Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-24 15:59:54 +00:00
Andreea Pavel 5995f3a608 Backed out 3 changesets (bug 1597898) for breaking raptor tests on win on a CLOSED TREE
Backed out changeset 5159ffa5705c (bug 1597898)
Backed out changeset 3cfb899ae94c (bug 1597898)
Backed out changeset ac992b048e32 (bug 1597898)
2020-07-24 18:54:28 +03:00
Victor Porof 9dd8820847 Bug 1597898 - Part 1: Update RKV dependency to safe-mode, r=nanj
Differential Revision: https://phabricator.services.mozilla.com/D54279
2020-07-24 13:51:20 +00:00
Mihai Alexandru Michis c3d9e17fa4 Backed out changeset 45fc4a780b2b (bug 1654699) for causing failures regarding AudioStream position.
CLOSED TREE
2020-07-23 23:13:52 +03:00
Jeff Muizelaar 4b666af85b Bug 1654699. Update core-foundation/core-graphics. r=kvark,keeler,chunmin
This includes updates to authenticator, cubeb-coreaudio,
metal, gfx-backend-vulkan, gfx-backend-metal, freetype

libloading is duplicated because of ash

Differential Revision: https://phabricator.services.mozilla.com/D84688
2020-07-23 17:01:14 +00:00
ffxbld faed2506ca No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D84699
2020-07-23 14:25:47 +00:00
Mihai Alexandru Michis c92d36d257 Backed out changeset afc05ca167e7 (bug 1652463) for causing mochitest media spi failures. 2020-07-22 18:37:47 +03:00
Kevin Jacobs 99b3679870 Bug 1649545 - land NSS NSS_3_55_BETA1 UPGRADE_NSS_RELEASE, r=jcj
2020-07-21  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c:
	Bug 1653202 - Fix issue disabling other mechanisms when SEED is
	deprecated in cmd/bltest/blapitest.c. r=kjacobs

	[0768baa431e7] [NSS_3_55_BETA1]

2020-07-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/release/nspr-version.txt:
	Bug 1652331 - NSS 3.55 should depend on NSPR 4.27. r=kaie

	[3deefc218cd9]

2020-07-20  Billy Brumley  <bbrumley@gmail.com>

	* lib/freebl/ec.c:
	Bug 1631573: Remove unnecessary scalar padding in ec.c
	r=kjacobs,bbeurdouche

	Subsequent calls to ECPoints_mul and ECPoint_mul remove this
	padding.

	Timing attack countermeasures are now applied more generally deeper
	in the call stack.

	[aeb2e583ee95]

2020-07-20  Kai Engert  <kaie@kuix.de>

	* lib/nss/nssinit.c:
	Bug 1653310 - On macOS check if nssckbi exists prior to loading it.
	r=kjacobs

	[ca207655b4b7]

Differential Revision: https://phabricator.services.mozilla.com/D84420
2020-07-21 23:37:38 +00:00
Kashav Madan ae956c4eef Bug 1653674 - Unskip passing fission tests, r=kmag
It's possible that some of these are still failing intermittently. We can't
really know without first unskipping them.

https://github.com/annygakh/audit-tests

Differential Revision: https://phabricator.services.mozilla.com/D84017
2020-07-21 15:42:48 +00:00
Bob Owen 6094408d95 Bug 1652463: Add rule to allow socket process to create server side of our IPC pipes. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D83976
2020-07-20 18:00:42 +00:00
Kevin Jacobs e3e0baf90e Bug 1649545 - land NSS 615362dff5ad UPGRADE_NSS_RELEASE, r=jcj
2020-07-18  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* gtests/pk11_gtest/pk11_cipherop_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20.
	r=kjacobs,rrelyea

	Depends on D74801

	[615362dff5ad] [tip]

	* gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
	lib/freebl/chacha20poly1305.c:
	Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11.
	r=jcj,kjacobs,rrelyea

	[a5e82e40f03e]

2020-07-16  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1637222 - Enforce IV length check for DES. r=kjacobs,jcj

	[0c70232cb6d3]

Differential Revision: https://phabricator.services.mozilla.com/D84043
2020-07-20 17:19:03 +00:00