Граф коммитов

15469 Коммитов

Автор SHA1 Сообщение Дата
Gijs Kruitbosch 222e2d1158 Bug 1644863 - fix trailing whitespace in cross-tree tests, r=emilio,marionette-reviewers,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D79202
2020-06-17 22:45:31 +00:00
Mihai Alexandru Michis cce0439cc1 Backed out changeset da7cbff78183 (bug 1639284) for causing failures in test_engine_selector_remote_settings.js
CLOSED TREE
2020-06-17 20:51:02 +03:00
Kevin Jacobs 0c2287c77b Bug 1642687 - land NSS 6dcd00c13ffc UPGRADE_NSS_RELEASE, r=jcj
2020-06-15  J.C. Jones  <jjones@mozilla.com>

	* lib/ckfw/builtins/nssckbi.h:
	Bug 1618402 - June 2020 batch of root changes,
	NSS_BUILTINS_LIBRARY_VERSION 2.42 r=bbeurdouche,KathleenWilson

	All changes:

	Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit
	for others Bug 1621151 - Disable Email trust bit for GRCA root Bug
	1639987 - Remove expired Staat der Nederlanden Root CA - G2 root
	cert Bug 1641718 - Remove "LuxTrust Global Root 2" root cert Bug
	1641716 - Add Microsoft's non-EV roots Bug 1645174 - Add Microsec's
	"e-Szigno Root CA 2017" root cert Bug 1645186 - Add "certSIGN Root
	CA G2" root cert Bug 1645199 - Remove Expired AddTrust root certs

	Depends on D79373

	[6dcd00c13ffc] [tip]

2020-06-12  J.C. Jones  <jjones@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1645186 - Add certSIGN Root CA G2 root cert r=KathleenWilson

	Friendly Name: certSIGN Root CA G2 Cert Location:
	http://crl.certsign.ro/certsign-rootg2.crt SHA-1 Fingerprint:
	26F993B4ED3D2827B0B94BA7E9151DA38D92E532 SHA-256 Fingerprint:
	657CFE2FA73FAA38462571F332A2363A46FCE7020951710702CDFBB6EEDA3305
	Trust Flags: Websites Test URL: https://testssl-valid-
	evcp.certsign.ro/

	Depends on D79372

	[d541eaaca2ef]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1645174 - Add e-Szigno Root CA 2017 r=KathleenWilson,kjacobs

	Depends on D79371

	[6d397f2a5f01]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1641716 - Add Microsoft non-EV roots r=KathleenWilson,kjacobs

	Friendly Name: Microsoft ECC Root Certificate Authority 2017 Cert
	Location: http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Ro
	ot%20Certificate%20Authority%202017.crt SHA-1 Fingerprint:
	999A64C37FF47D9FAB95F14769891460EEC4C3C5 SHA-256 Fingerprint:
	358DF39D764AF9E1B766E9C972DF352EE15CFAC227AF6AD1D70E8E4A6EDCBA02
	Trust Flags: Websites Test URL:
	https://acteccroot2017.pki.microsoft.com/

	Friendly Name: Microsoft RSA Root Certificate Authority 2017 Cert
	Location: http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Ro
	ot%20Certificate%20Authority%202017.crt SHA-1 Fingerprint:
	73A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74 SHA-256 Fingerprint:
	C741F70F4B2A8D88BF2E71C14122EF53EF10EBA0CFA5E64CFA20F418853073E0
	Trust Flags: Websites Test URL:
	https://actrsaroot2017.pki.microsoft.com/

	Depends on D79370

	[576f52ca3f02]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1645199 - Remove Expired AddTrust root certs
	r=KathleenWilson,kjacobs

	Remove the following two expired AddTrust root certs from NSS.

	Subject/Issuer: CN=AddTrust Class 1 CA Root; OU=AddTrust TTP
	Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1
	Fingerprint: CCAB0EA04C2301D6697BDD379FCD12EB24E3949D SHA-256
	Fingerprint:
	8C7209279AC04E275E16D07FD3B775E80154B5968046E31F52DD25766324E9A7

	Subject/Issuer: CN=AddTrust External CA Root; OU=AddTrust External
	TTP Network; O=AddTrust AB; C=SE Valid To (GMT): 5/30/2020 SHA-1
	Fingerprint: 02FAF3E291435468607857694DF5E45B68851868 SHA-256
	Fingerprint:
	687FA451382278FFF0C8B11F8D43D576671C6EB2BCEAB413FB83D965D06D2FF2

	Mozilla EV Policy OID(s): 1.3.6.1.4.1.6449.1.2.1.5.1

	Depends on D79369

	[96d0279ef929]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1641718 - Remove "LuxTrust Global Root 2" root cert
	r=KathleenWilson,kjacobs

	Subject: CN=LuxTrust Global Root 2; O=LuxTrust S.A.; C=LU Valid From
	(GMT): 3/5/2015 Valid To (GMT): 3/5/2035 Certificate Serial Number:
	0A7EA6DF4B449EDA6A24859EE6B815D3167FBBB1 SHA-1 Fingerprint:
	1E0E56190AD18B2598B20444FF668A0417995F3F SHA-256 Fingerprint:
	54455F7129C20B1447C418F997168F24C58FC5023BF5DA5BE2EB6E1DD8902ED5

	Depends on D79368

	[cc40386d3958]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root
	cert r=KathleenWilson,kjacobs

	Subject: CN=Staat der Nederlanden Root CA - G2; O=Staat der
	Nederlanden; C=NL Valid From (GMT): 3/26/2008 Valid To (GMT):
	3/25/2020 Certificate Serial Number: 0098968C SHA-1 Fingerprint:
	59AF82799186C7B47507CBCF035746EB04DDB716 SHA-256 Fingerprint:
	668C83947DA63B724BECE1743C31A0E6AED0DB8EC5B31BE377BB784F91B6716F

	Depends on D79367

	[7236f86d8db7]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1621151 - Disable email trust bit for TW Government Root
	Certification Authority root r=kjacobs,KathleenWilson

	Depends on D79366

	[d56b95fc344f]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1618402 - Disable email trust bit for several Symantec certs
	r=KathleenWilson,kjacobs

	Disable the Email trust bit for the following root certs"

	 Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US Certificate
	Serial Number: 023456 SHA-1 Fingerprint:
	DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 SHA-256 Fingerprint:
	FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A

	 Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c)
	2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
	Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B SHA-1
	Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0 SHA-256
	Fingerprint:
	5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766

	 Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c)
	2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
	Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F SHA-1
	Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD SHA-256
	Fingerprint:
	B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4

	 Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
	Certificate Serial Number: 01 SHA-1 Fingerprint:
	E621F3354379059A4B68309D8A2F74221587EC79 SHA-256 Fingerprint:
	A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912

	 Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
	Certificate Serial Number: 01 SHA-1 Fingerprint:
	379A197B418545350CA60369F33C2EAF474F2079 SHA-256 Fingerprint:
	A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B

	 Subject: CN=VeriSign Class 3 Public Primary Certification Authority
	- G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For
	authorized use only; O=VeriSign, Inc.; C=US Certificate Serial
	Number: 2F80FE238C0E220F486712289187ACB3 SHA-1 Fingerprint:
	22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A SHA-256 Fingerprint:
	69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79

	 Subject: CN=VeriSign Class 3 Public Primary Certification Authority
	- G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For
	authorized use only; O=VeriSign, Inc.; C=US Certificate Serial
	Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A SHA-1 Fingerprint:
	4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 SHA-256 Fingerprint:
	9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

	Depends on D79365

	[606157f404c2]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust
	entries r=KathleenWilson,kjacobs

	Remove the VeriSign Class 3 Public Primary Certification Authority -
	G3 CA:

	Subject: CN=VeriSign Class 3 Public Primary Certification Authority
	- G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For
	authorized use only; O=VeriSign, Inc.; C=US Certificate Serial
	Number: 009B7E0649A33E62B9D5EE90487129EF57 SHA-1 Fingerprint:
	132D0D45534B6997CDB2D5C339E25576609B5CC6 SHA-256 Fingerprint:
	EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244

	Because of the removal of VeriSign Class 3 Public Primary
	Certification Authority - G3, these knock-out entries, signed by
	that CA, should be removed:

	cert 1: Serial
	Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34 Subject:
	CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator
	CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa
	(c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before:
	Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018
	Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
	Fingerprint (SHA1):
	6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1

	cert 2: Serial
	Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51 Subject:
	CN=Egypt Trust Class 3 Managed PKI Operational Administrator
	CA,OU=Terms of use at https://www.egypttrust.com/epository/rpa
	(c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG Not Valid Before:
	Sun May 18 00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018
	Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
	Fingerprint (SHA1):
	9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E

	cert 3: Issuer: CN=VeriSign Class 3 Public Primary Certification
	Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use
	nly",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US Serial
	Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76 Subject:
	CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of
	use at https://www.egypttrust.com/repository/rpa c)08,OU=VeriSign
	Trust Network,O=Egypt Trust,C=EG Not Valid Before: Sun May 18
	00:00:00 2008 Not Valid After : Thu May 17 23:59:59 2018 Fingerprint
	(MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E Fingerprint
	(SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2

	Depends on D79364

	[8cd8fd97f0e7]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1618402 - Remove Symantec and VeriSign roots
	r=KathleenWilson,kjacobs

	Remove the following root certs:

	Subject: CN=Symantec Class 2 Public Primary Certification Authority
	- G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
	Certificate Serial Number: 34176512403BB756802D80CB7955A61E SHA-1
	Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B SHA-256
	Fingerprint:
	FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592

	Subject: CN=Symantec Class 1 Public Primary Certification Authority
	- G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
	Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8 SHA-1
	Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667 SHA-256
	Fingerprint:
	363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF

	[06e27f62d77b]

2020-06-15  Mike Hommey  <mh@glandium.org>

	* lib/freebl/Makefile, lib/freebl/manifest.mn:
	Bug 1642146 - Move seed.o back into freeblpriv3. r=bbeurdouche

	[f46fca8ced7f]

Differential Revision: https://phabricator.services.mozilla.com/D79905
2020-06-17 16:10:17 +00:00
Kris Maglione 3bda67deab Bug 1638153: Part 2 - Fix uses of .rootTreeItem to get top browser window. r=geckoview-reviewers,nika,snorp
Differential Revision: https://phabricator.services.mozilla.com/D75429
2020-06-17 17:17:16 +00:00
Mathieu Leplatre a4d248daf8 Bug 1639284 - Store records, timestamp and metadata in one IndexedDB transaction r=Gijs,extension-reviewers,mixedpuppy
Differential Revision: https://phabricator.services.mozilla.com/D78246
2020-06-17 15:58:25 +00:00
Matt Woodrow d3e50c8f76 Bug 1644943 - Create single webprogress for CanonicalBrowsingContext, regardless of process the browser element contents are in. r=nika,kmag,Gijs
I think at this point we can remove all of RemoteWebProgressManager, some/all of the TabProgressListener recreations, and probably a bunch more.

Differential Revision: https://phabricator.services.mozilla.com/D79240
2020-06-17 02:59:29 +00:00
Razvan Maries c350ad5bd6 Backed out changeset f56d5efc5e43 (bug 1644943) for build bustages on nsFrameLoaderOwner.cpp. CLOSED TREE 2020-06-17 02:55:01 +03:00
Nicholas Nethercote a8f5f49b8a Bug 1645982 - Rename some service getters in `Services.py` to better match the types. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D79791
2020-06-16 23:32:21 +00:00
Matt Woodrow 645b2bc301 Bug 1644943 - Create single webprogress for CanonicalBrowsingContext, regardless of process the browser element contents are in. r=nika,kmag,Gijs
I think at this point we can remove all of RemoteWebProgressManager, some/all of the TabProgressListener recreations, and probably a bunch more.

Differential Revision: https://phabricator.services.mozilla.com/D79240
2020-06-16 23:24:49 +00:00
Doug Thayer 2d9e62963a Bug 1644265 - Reject new DataStorages if we are shutting down r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D79760
2020-06-16 18:29:35 +00:00
Butkovits Atila 9e85a224ef Backed out changeset d9608e8bff0c (bug 1633338) on request by dev. a=backout 2020-06-16 12:05:54 +03:00
Bogdan Tara 74ca6cc819 Backed out changeset 26231891f004 (bug 1644943) for browser_backforward_userinteraction.js and browser_sessionHistory.js failures CLOSED TREE 2020-06-16 02:46:15 +03:00
Matt Woodrow d075fa7e08 Bug 1644943 - Create single webprogress for CanonicalBrowsingContext, regardless of process the browser element contents are in. r=nika,kmag,Gijs
I think at this point we can remove all of RemoteWebProgressManager, some/all of the TabProgressListener recreations, and probably a bunch more.

Differential Revision: https://phabricator.services.mozilla.com/D79240
2020-06-15 22:01:34 +00:00
Kevin Jacobs 7fe6c40b58 Bug 1645525 - Remove EV treatment of AddTrust External CA Root. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D79738
2020-06-15 21:20:47 +00:00
Kevin Jacobs f072fe0915 Bug 1645188 - Disable EV treatment for LuxTrust Global Root 2. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D79359
2020-06-15 19:17:44 +00:00
Bogdan Tara 55458f847e Backed out 3 changesets (bug 1639030) for sandbox related bustages CLOSED TREE
Backed out changeset 55b963f34eb0 (bug 1639030)
Backed out changeset 0c2d7e8a4131 (bug 1639030)
Backed out changeset 9d82c8fa3d3b (bug 1639030)
2020-06-15 20:36:02 +03:00
Toshihito Kikuchi fb0684d83f Bug 1639030 - Part 3: Roll-up patch to apply remaining mozilla changes to chromium sandbox. r=bobowen
This commit applies patches under security/sandbox/chromium-shim/patches/after_update/.

Depends on D79560

Differential Revision: https://phabricator.services.mozilla.com/D79561
2020-06-15 15:57:13 +00:00
Toshihito Kikuchi 8a6f673311 Bug 1639030 - Part 2: Roll-up of chromium sandbox update and patches to get a running browser. r=bobowen
This commit does:
- Sync files under security/sandbox/chromium/ with Chromium 81.0.4044.138
- Update files under security/sandbox/chromium-shim/
- Apply patches under security/sandbox/chromium-shim/patches/with_update/
- Apply a workaround for Clang's bug to compile filesystem_interception.cc
- Add mozilla::AddWin32kLockdownPolicy to apply MITIGATION_WIN32K_DISABLE before SUBSYS_WIN32K_LOCKDOWN

Depends on D79558

Differential Revision: https://phabricator.services.mozilla.com/D79560
2020-06-15 15:57:03 +00:00
Toshihito Kikuchi be67c3dc79 Bug 1639030 - Part 1: Update with_update and after_update patches. r=bobowen
This commit updates files under security/sandbox/chromium-shim/patches/
to prepare our codebase for Chromium sandbox update.  See patch files for
the details of each patch.

This also removes the following patches from with_update no longer needed.

1) update_chromium_linux_x86_syscalls.patch is included in
   b4f3df4e77
2) ifdef_out_ApplyMitigationsToCurrentThread.patch cannot be used because
   we use ApplyMitigationsToCurrentThread since the following commit.
   4bed2eb502
3) mingw_base_win_get_caller.patch is included in
   d8b73eb8f0
4) fix_incorrect_int_use_in_Kernel32BaseVersion.patch is fixed by
   https://hg.mozilla.org/mozilla-central/rev/dc9d71fb3bac807a37dbfba35d609ac4ffff1980
5) revert_removal_of_AlterEnvironment_on_Windows.patch is altered by adding
   environment_internal.h/cc as a different commit.
6) mingw_undefine_MemoryBarrier.patch is no longer needed as
   base::subtle::MemoryBarrier was removed by
   bdbaaf4e7e
7) public_siginfo_fields.patch is included in
   6bd491daaf

Differential Revision: https://phabricator.services.mozilla.com/D79558
2020-06-15 15:56:51 +00:00
ffxbld ec8c8c7bde No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D79691
2020-06-15 14:33:28 +00:00
Kevin Jacobs e9ae922ddc Bug 1642687 - land NSS cbf75aedf480 UPGRADE_NSS_RELEASE, r=jcj
2020-06-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/secutil.c:
	Bug 1645479 - Use SECITEM_CopyItem instead of SECITEM_MakeItem in
	secutil.c. r=jcj

	This patch converts a call to `SECITEM_MakeItem` to use
	`SECITEM_CopyItem` instead. Using the former works fine in NSS CI,
	but causes build failures in mozilla-central due to differences in
	how both symbols are exported (i.e. when folding nssutil into nss).

	[cbf75aedf480] [tip]

2020-06-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/ssl_resumption_unittest.cc:
	Bug 1644774 - Use ClearServerCache instead of
	SSLInt_ClearSelfEncryptKey for ticket invalidation. r=mt

	[7b2413d80ce3]

2020-06-10  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/basicutil.c, cmd/lib/secutil.c, cmd/lib/secutil.h,
	cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, lib/ssl/tls13psk.c:
	Bug 1603042 - Support external PSKs in tstclnt/selfserv. r=jcj

	This patch adds support for TLS 1.3 external PSKs in tstclnt and
	selfserv with the `-z` option.

	Command examples:
	- `selfserv -D -p 4443 -d . -n localhost.localdomain -w nss -V tls1.3:
	-H 1 -z 0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -m`
	- `tstclnt -h 127.0.0.1 -p 4443 -z
	0xAAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD[:label] -d . -w nss`

	For OpenSSL interop:
	- `openssl s_server -nocert -port 4433 -psk
	AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD [-psk_identity label]`

	Note: If the optional label is omitted, both NSS tools and OpenSSL
	default to "Client_identity".

	[c1b1112af415]

2020-06-09  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/tls13con.c:
	Bug 1642638 - Don't assert sid ciphersuite to be defined in fuzzer
	mode. r=mt

	[238bd7912429]

2020-06-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/freebl.gyp, lib/freebl/freebl_base.gypi:
	Bug 1642802 - Win64 GYP builds to use HACL* curve25519.
	r=bbeurdouche

	This patch causes Windows 64-bit GYP builds to use HACL* curve25519
	rather than the 32-bit (fiat-crypto) implementation.

	For non-clang/GCC Win64 builds, we define `KRML_VERIFIED_UINT128` to
	workaround an upstream bug that breaks Win32 builds by selecting a
	64-bit `__int128` implementation (in types.h).

	For clang/GCC builds, using the compiler-provided type yields a ~5x
	speedup on Win64.

	[566fa62d6522]

2020-06-05  Jeff Walden  <jwalden@mit.edu>

	* lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11kea.c,
	lib/pk11wrap/pk11merge.c, lib/pk11wrap/pk11nobj.c,
	lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11skey.c,
	lib/pk11wrap/secmodi.h:
	Bug 1643557 - Make pk11_FindObjectByTemplate accept a size_t count
	rather than a signed type to avoid internal signed-unsigned
	comparison warnings. r=kjacobs

	Depends on D78454

	[5ee293d1a282]

	* lib/pk11wrap/pk11skey.c:
	Bug 1643557 - Make PK11_SetWrapKey explicitly handle being passed a
	negative wrap argument, to avoid a signed-unsigned comparison.
	r=kjacobs

	Depends on D78453

	[7bb3677a2ed0]

	* lib/pk11wrap/pk11akey.c, lib/pk11wrap/pk11cert.c,
	lib/pk11wrap/pk11obj.c, lib/pk11wrap/secmodi.h:
	Bug 1643557 - Change the type of the size argument to
	pk11_FindObjectsByTemplate to be size_t, consistent with the type of
	some (small) numeric values passed to it after the previous
	revision. r=kjacobs

	Depends on D78452

	[eaf223c2646a]

	* lib/pk11wrap/pk11slot.c:
	Bug 1643557 - Use size_t for various counts in pk11slot.c. r=kjacobs

	Depends on D78451

	[465a7954ce0a]

	* lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11slot.c:
	Bug 1643557 - Make pk11_MatchString accept a size_t length rather
	than an int length (consistent with all callers), and reformulate
	its internals to avoid a signed-unsigned comparison. r=kjacobs

	Depends on D78450

	[fff8c883ef7d]

	* lib/pk11wrap/pk11skey.c, lib/ssl/sslsnce.c, lib/util/secport.h:
	Bug 1643557 - Add PORT_AssertNotReached and use it instead of
	PORT_Assert(!"str"), which may warn about vacuous string literal to
	boolean conversions. r=kjacobs

	Depends on D78449

	[c0aa47eb2fdd]

	* lib/util/secoid.c:
	Bug 1643557 - Use SECOidTag as the type of a loop variable over all
	values of that type to avoid a signed-unsigned comparison warning.
	r=kjacobs

	Depends on D78448

	[d7f1e9975e67]

	* lib/util/utilpars.c:
	Bug 1643557 - Use size_t for a parameter-indexing variable to
	eliminate a signed-unsigned comparison warning. r=kjacobs

	Depends on D78447

	[5d7206908ca7]

	* lib/freebl/rsapkcs.c:
	Bug 1643557 - Used unsigned int for two for-loops upper-bounded by
	unsigned ints in rsa_FormatOneBlock. r=kjacobs

	Depends on D78446

	[ed9a1a41ca1e]

	* lib/pk11wrap/debug_module.c:
	Bug 1643557 - Use unsigned int for log level, consistent with
	PRLogModuleLevel. r=kjacobs

	[7f89fa701ce3]

Differential Revision: https://phabricator.services.mozilla.com/D79566
2020-06-12 23:42:37 +00:00
R. Martinho Fernandes f8424202b2 Bug 1612116 - Added diagnostics to ensure mErrorCode and mCanceled are consistent r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D79274
2020-06-12 08:04:15 +00:00
Alexis Beingessner 0d843d258d Bug 1642721 - convert security.sandbox.logging.enabled to a StaticPref. r=bobowen
Depends on D78933

Differential Revision: https://phabricator.services.mozilla.com/D78934
2020-06-11 12:35:45 +00:00
Alexis Beingessner 83994a45b8 Bug 1642721 - convert the last two securit.sandbox.*.win32k VarCache prefs. r=bobowen
converts:
  * security.sandbox.rdd.win32k-disable
  * security.sandbox.gmp.win32k-disable

I'm assuming the pattern established by the other, newer, win32k StaticPrefs can
be followed here, and the xpcom checks aren't needed.

Differential Revision: https://phabricator.services.mozilla.com/D78933
2020-06-11 12:34:10 +00:00
ffxbld e1defa0ff0 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D79301
2020-06-11 14:17:03 +00:00
Adam Roach [:abr] 67f6c3784b Bug 1639795: Update keystore name to be user-friendly r=MattN,keeler
***

Differential Revision: https://phabricator.services.mozilla.com/D78610
2020-06-10 21:53:19 +00:00
R. Martinho Fernandes 30d350f9a0 Bug 1594119 - include pk11pub.h in nsNSSComponent.cpp for PK11_GetCertsMatchingPrivateKey r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D78255
2020-06-10 09:19:36 +00:00
Jan Andre Ikenmeyer 4ea170003e Bug 1496639 - Disable DHE ciphers by default. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D66270
2020-06-09 19:34:23 +00:00
Dana Keeler 63919c509b Bug 1630434 - de-duplicate preloaded intermediates that may have been cached in cert9.db r=kjacobs,bbeurdouche
In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.

Differential Revision: https://phabricator.services.mozilla.com/D77152
2020-06-09 18:02:52 +00:00
ffxbld 07c69ab5ee No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D78679
2020-06-08 14:19:14 +00:00
Christoph Kerschbaumer fbce1c6145 Bug 1633338: Use IsPotentiallyTrustworthy to indicate top level window is secure for mixed content blocker. r=baku
Differential Revision: https://phabricator.services.mozilla.com/D75939
2020-06-08 07:05:16 +00:00
Kevin Jacobs 7c45f2a0f0 Bug 1642687 - land NSS d211f3013abb UPGRADE_NSS_RELEASE, r=jcj
2020-06-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c, mach:
	Bug 1528113 - Use ARM's crypto extension for SHA256
	[ea54fd986036]

2020-04-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support

	[a448d7919077]

2020-06-01  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha256-armv8.c,
	lib/freebl/sha256.h, lib/freebl/sha512.c:
	Bug 1528113 - Use ARM's crypto extension for SHA256 r=kjacobs

	ARMv8 CPU has accelerated hardware instruction for SHA256 that
	supports GCC 4.9+. We should use it if available.

	[61c83f79e90c]

2020-06-02  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt,
	gtests/ssl_gtest/libssl_internals.c,
	gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_connect.cc,
	gtests/ssl_gtest/tls_connect.h,
	gtests/ssl_gtest/tls_psk_unittest.cc, lib/ssl/manifest.mn,
	lib/ssl/ssl.gyp, lib/ssl/ssl3con.c, lib/ssl/ssl3ext.c,
	lib/ssl/ssl3ext.h, lib/ssl/sslerr.h, lib/ssl/sslexp.h,
	lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslsecur.c,
	lib/ssl/sslsock.c, lib/ssl/sslt.h, lib/ssl/tls13con.c,
	lib/ssl/tls13con.h, lib/ssl/tls13exthandle.c, lib/ssl/tls13psk.c,
	lib/ssl/tls13psk.h, lib/ssl/tls13replay.c:
	Bug 1603042 - TLS 1.3 out-of-band PSK support r=mt

	This patch adds support for External (out-of-band) PSKs in TLS 1.3.
	An External PSK (EPSK) can be set by calling `SSL_AddExternalPsk`,
	and removed with `SSL_RemoveExternalPsk`. `SSL_AddExternalPsk0Rtt`
	can be used to add a PSK while also specifying a suite and
	max_early_data_size for use with 0-RTT.

	As part of handling PSKs more generically, the patch also changes
	how resumption PSKs are handled internally, so as to rely on the
	same mechanisms where possible.

	A socket is currently limited to only one External PSK at a time. If
	the server doesn't find the same identity for the configured EPSK,
	it will fall back to certificate authentication.

	[a2293e897889]

	* lib/freebl/mpi/mplogic.c:
	cast in LZCNTLOOP
	[96e65b2e9531]

	* lib/freebl/freebl.gyp:
	Use KRML_VERIFIED_UINT128 on MSVC builds
	[abd50c862bdb]

2020-06-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export
	[46ef0c025cfc]

2020-06-02  Sylvestre Ledru  <sledru@mozilla.com>

	* lib/ssl/tls13con.c:
	Bug 1642809 - Fix an assert (we need a comparison, not assignment)
	r=kjacobs

	[d0789cb32d8e]

2020-06-03  Mike Hommey  <mh@glandium.org>

	* cmd/shlibsign/Makefile:
	Bug 1642153 - Avoid infinite recursion when CHECKLOC is not set.
	r=jcj

	[e955ece90b05]

2020-06-03  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/tls13con.c:
	Bug 1642871 - Allow tickets and PHA after resumption, r=kjacobs

	The first part of this is fairly simple: we accidentally disabled
	sending of session tickets after resumption.

	The second part is much less obvious, because the spec is unclear.
	This change takes the interpretation that it is OK to use post-
	handshake authentication if the handshake is resumed, but not OK if
	the handshake is based on a PSK. (This is based on a first-
	principles understanding of resumption being a continuation of a
	certificate-based connection rather than a reading of the spec, see
	the bug for why the spec appears to be unhelpful on this point.)

	This still prohibits the use of post-handshake authentication if an
	external PSK was used, but that is more an abundance of caution than
	anything principled.

	[e9502f71b7fe]

2020-06-04  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_exporter_unittest.cc, lib/ssl/sslinfo.c,
	lib/ssl/tls13con.c:
	Bug 1643123 - Allow External PSKs to be used with Early Export r=mt

	This patch adjusts `tls13_exporter` to pull the hash algorithm from
	the first PSK when a suite is not configured yet, which allows early
	export with external PSKs.

	[d211f3013abb]

Differential Revision: https://phabricator.services.mozilla.com/D78578
2020-06-06 00:20:11 +00:00
Narcis Beleuzu 88034fc69a Backed out changeset 889d7cd14e4d (bug 1630434) for xpcshell failures on test_intermediate_preloads.js . CLOSED TREE 2020-06-05 11:08:57 +03:00
Dana Keeler 1130f3ee6a Bug 1630434 - de-duplicate preloaded intermediates that may have been cached in cert9.db r=kjacobs,bbeurdouche
In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.

Differential Revision: https://phabricator.services.mozilla.com/D77152
2020-06-05 00:44:52 +00:00
Martin Thomson e610b0e676 Bug 1643229 - Disable TLS 1.0 in release channels, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D78215
2020-06-05 00:29:13 +00:00
ffxbld 765a9c9ca1 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D78285
2020-06-04 14:13:36 +00:00
Jed Davis 9c23d852e1 Bug 1639181 - Allow a safe subset of fd flag fcntls in the common sandbox policy. r=gcp
Content processes allow a restricted subset of F_{GET,SET}{FD,FL} that
prevents setting unknown or known-unsafe flags, which was copied to the
socket process policy; this patch moves it to the common policy and
removes RDD's copy of GMP's override.

The immediate reason for this is DMD using F_GETFL via fdopen to use a
file descriptor passed over IPC, but in general this should be safe and
it's a reasonable thing to expect to be able to use.

Differential Revision: https://phabricator.services.mozilla.com/D77379
2020-05-29 18:18:43 +00:00
Dana Keeler 0618ab7fe8 Bug 1641082 - remove old certificate viewer implementation r=kjacobs,bbeurdouche,fluent-reviewers,johannh
Differential Revision: https://phabricator.services.mozilla.com/D77145
2020-06-02 15:48:33 +00:00
Andrea Marchesini 5ccae203ff Bug 1638358 - Cookie Schemeful Same-Site - part 3 - update add/addNative methods, r=mayhemer,remote-protocol-reviewers,marionette-reviewers,maja_zf,MattN,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D75627
2020-06-02 13:49:27 +00:00
Csoregi Natalia e960b9f449 Backed out 7 changesets (bug 1640405, bug 1638358) for failures on browser_webconsole_network_messages_status_code.js. CLOSED TREE
Backed out changeset ef5f7479ddf8 (bug 1640405)
Backed out changeset 286e0c83eb30 (bug 1638358)
Backed out changeset 89e396b2896e (bug 1638358)
Backed out changeset 33ad5fa05209 (bug 1638358)
Backed out changeset d213264c1379 (bug 1638358)
Backed out changeset 6bc05236afb4 (bug 1638358)
Backed out changeset 87e9d0ed3982 (bug 1638358)
2020-06-02 15:16:42 +03:00
Andrea Marchesini b4173bc59e Bug 1638358 - Cookie Schemeful Same-Site - part 3 - update add/addNative methods, r=mayhemer,remote-protocol-reviewers,marionette-reviewers,maja_zf,MattN,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D75627
2020-06-02 09:13:51 +00:00
Razvan Maries 79fe28f0d6 Backed out 6 changesets (bug 1638358) for perma failures on browser_webconsole_navigate_to_parse_error.js. CLOSED TREE
Backed out changeset beb85cf281d5 (bug 1638358)
Backed out changeset 39f2e21623aa (bug 1638358)
Backed out changeset 2c873c72bf1f (bug 1638358)
Backed out changeset e91292c7c719 (bug 1638358)
Backed out changeset 0219ef931cd9 (bug 1638358)
Backed out changeset 4ac06f3992f4 (bug 1638358)
2020-06-02 00:24:46 +03:00
Razvan Maries a36bb7751f Backed out 3 changesets (bug 1638153) for perma failures on cross-origin-objects.html. CLOSED TREE
Backed out changeset f7aedc92d396 (bug 1638153)
Backed out changeset 07ec713926c6 (bug 1638153)
Backed out changeset 5a656842e241 (bug 1638153)
2020-06-01 23:51:35 +03:00
Andrea Marchesini 848f1f0043 Bug 1638358 - Cookie Schemeful Same-Site - part 3 - update add/addNative methods, r=mayhemer,remote-protocol-reviewers,marionette-reviewers,maja_zf,MattN,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D75627
2020-06-01 17:59:13 +00:00
Kris Maglione b3fcd970ec Bug 1638153: Part 2 - Fix uses of .rootTreeItem to get top browser window. r=geckoview-reviewers,nika,snorp
Differential Revision: https://phabricator.services.mozilla.com/D75429
2020-06-01 17:59:01 +00:00
Dana Keeler 6461b8a32b Bug 1638920 - use a background task queue in cert_storage rather than a dedicated thread r=lina
Differential Revision: https://phabricator.services.mozilla.com/D77370
2020-06-01 16:26:55 +00:00
Noemi Erli e40be0aa72 Backed out 6 changesets (bug 1638358) for causing failures in test_Chrome_cookies.js CLOSED TREE
Backed out changeset 4e8fbe01aa38 (bug 1638358)
Backed out changeset 532731e94bb2 (bug 1638358)
Backed out changeset fad2ba760157 (bug 1638358)
Backed out changeset 932a3fdbd07c (bug 1638358)
Backed out changeset 05a62901a3f5 (bug 1638358)
Backed out changeset cddeada5c4a6 (bug 1638358)
2020-06-01 19:45:46 +03:00
Andrea Marchesini 165022b2c4 Bug 1638358 - Cookie Schemeful Same-Site - part 3 - update add/addNative methods, r=mayhemer,remote-protocol-reviewers,marionette-reviewers,maja_zf,MattN,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D75627
2020-06-01 11:43:19 +00:00
ffxbld 12faf95015 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D77670
2020-06-01 14:16:14 +00:00
Dorel Luca 9574e25c80 Backed out 6 changesets (bug 1638358) for XPCShell failures in netwerk/cookie/test/unit/test_schemeMap.js. CLOSED TREE
Backed out changeset 745eab35e851 (bug 1638358)
Backed out changeset a45df1876e37 (bug 1638358)
Backed out changeset 1a85cc92d2fb (bug 1638358)
Backed out changeset 2156294cb158 (bug 1638358)
Backed out changeset 31101054c52c (bug 1638358)
Backed out changeset d284b50551ab (bug 1638358)
2020-06-01 14:38:22 +03:00
Andrea Marchesini d1c11476f6 Bug 1638358 - Cookie Schemeful Same-Site - part 3 - update add/addNative methods, r=mayhemer,remote-protocol-reviewers,marionette-reviewers,maja_zf,MattN,whimboo
Differential Revision: https://phabricator.services.mozilla.com/D75627
2020-06-01 10:28:51 +00:00
Sylvestre Ledru 4564119217 Bug 1617369 - Reformat recent rust changes with rustfmt r=froydnj
# ignore-this-changeset

Depends on D77580

Differential Revision: https://phabricator.services.mozilla.com/D77581
2020-05-30 12:58:22 +00:00
Jared Wein fa45bb7b32 Bug 1636729 - Record in telemetry if power settings are configured to not prompt for OS password. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D74692
2020-05-30 06:54:16 +00:00
Jared Wein 1d73213900 Bug 1636729 - Record in telemetry if the user has enabled the AutoAdminLogon feature. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D74670
2020-05-30 06:50:12 +00:00
Mike Hommey cab23e6d7f Bug 1641783 - Move MOZ_FOLD_LIBS to python configure. r=froydnj
Also remove MOZ_FOLD_LIBS_FLAGS because it is always empty since bug 1577521.

Differential Revision: https://phabricator.services.mozilla.com/D77410
2020-05-29 12:15:51 +00:00
J.C. Jones 98c9615522 Bug 1636656 - land NSS NSS_3_53_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-29  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.53 final
	[7e453a5afcb4] [NSS_3_53_RTM] <NSS_3_53_BRANCH>

2020-05-28  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_53_BETA2 for changeset 8fe22033a88e
	[90c954f62c9d]

Differential Revision: https://phabricator.services.mozilla.com/D77555
2020-05-29 22:16:17 +00:00
Alexis Beingessner 0e39201277 Bug 1637727 - convert nsIOService prefs to StaticPrefs. r=KrisWright,necko-reviewers
converts:
 * security.data_uri.block_toplevel_data_uri_navigations
 * network.offline-mirrors-connectivity

Differential Revision: https://phabricator.services.mozilla.com/D77104
2020-05-28 18:23:25 +00:00
Alexis Beingessner 7fd95dd59d Bug 1637727 - convert network.ssl_tokens_cache prefs to StaticPrefs. r=KrisWright,necko-reviewers,valentin
converts:
 * network.ssl_tokens_cache_enabled
 * network.ssl_tokens_cache_capacity

Differential Revision: https://phabricator.services.mozilla.com/D77103
2020-05-29 07:56:16 +00:00
Kevin Jacobs 2bfb4bdcea Bug 1636656 - land NSS NSS_3_53_BETA2 UPGRADE_NSS_RELEASE, r=jcj
2020-05-28  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1640260 - Initialize PBE params r=jcj

	[8fe22033a88e] [NSS_3_53_BETA2]

2020-05-27  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root
	certs. r=jcj

	[8bfb386f459f]

	* lib/ckfw/builtins/certdata.txt:
	Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC,
	GRCA, and SK ID root certs. r=jcj

	[4d1b7bbeebfe]

2020-05-26  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_53_BETA1 for changeset c7a1c91cd9be
	[661e3e3f6ba5]

Differential Revision: https://phabricator.services.mozilla.com/D77388
2020-05-29 06:40:34 +00:00
Benjamin Beurdouche 290b838cb5 Bug 1615438 - Use CKA_NSS_SERVER_DISTRUST_AFTER from NSS for certificate validation. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D74662
2020-05-28 20:35:48 +00:00
ffxbld 3d17f898c9 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D77261
2020-05-28 14:33:09 +00:00
Dana Keeler faab9e59b4 Bug 1637404 - osclientcerts: attempt to find issuing certificates when looking for client certificates (macOS) r=kjacobs,mstange
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the macOS backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.

Differential Revision: https://phabricator.services.mozilla.com/D74985
2020-05-28 00:19:22 +00:00
Erica Wright 2533f8da77 Bug 1636962 - Add telemetry for all page load errors r=johannh,xeonchen,nika
Differential Revision: https://phabricator.services.mozilla.com/D75873
2020-05-27 22:33:02 +00:00
Emilio Cobos Álvarez 54fd961a29 Bug 1641245 - Make string comparators not virtual. r=froydnj,necko-reviewers,geckoview-reviewers,jgilbert,agi,valentin
There's no use case for stateful comparators, so they can be just plain
function pointers.

This is used in some hot places like CSS selector matching.

Differential Revision: https://phabricator.services.mozilla.com/D77084
2020-05-27 18:11:12 +00:00
Kevin Jacobs 1ed51331e9 Bug 1636656 - land NSS NSS_3_53_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D76940
2020-05-27 03:26:56 +00:00
Matt Woodrow 7b18a9452b Bug 1631405 - Run nsMixedContentBlocker::AsyncOnChannelRedirect checks in the parent for documents, since this is now supported correctly. r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D75449
2020-05-27 00:31:51 +00:00
Matt Woodrow 5cf1f845a8 Bug 1631405 - Update tests to account for security UI only living in the parent process. r=kmag,ckerschb,webcompat-reviewers,twisniewski
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.

It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.

Differential Revision: https://phabricator.services.mozilla.com/D75448
2020-05-27 00:31:25 +00:00
Matt Woodrow e060a86c42 Bug 1631405 - Move nsISecureBrowserUI to be owned by the canonical browsing context instead of docshell. r=nika,ckerschb,Gijs,webcompat-reviewers,twisniewski
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.

I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.

Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.

Differential Revision: https://phabricator.services.mozilla.com/D75447
2020-05-27 00:28:59 +00:00
Bogdan Tara a54ec3073f Backed out 4 changesets (bug 1631405) for multiple mochitest failures CLOSED TREE
Backed out changeset 9963cc0b23cb (bug 1631405)
Backed out changeset 469ac933ed7c (bug 1631405)
Backed out changeset 0c5f55864268 (bug 1631405)
Backed out changeset 20dcbcc2f3b8 (bug 1631405)
2020-05-27 01:30:20 +03:00
Matt Woodrow 7321550a61 Bug 1631405 - Run nsMixedContentBlocker::AsyncOnChannelRedirect checks in the parent for documents, since this is now supported correctly. r=ckerschb
Differential Revision: https://phabricator.services.mozilla.com/D75449
2020-05-26 21:19:45 +00:00
Matt Woodrow d692732bdd Bug 1631405 - Update tests to account for security UI only living in the parent process. r=kmag,ckerschb,webcompat-reviewers,twisniewski
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.

It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.

Differential Revision: https://phabricator.services.mozilla.com/D75448
2020-05-26 21:19:28 +00:00
Matt Woodrow 240d417eb6 Bug 1631405 - Move nsISecureBrowserUI to be owned by the canonical browsing context instead of docshell. r=nika,ckerschb,Gijs,webcompat-reviewers,twisniewski
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.

I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.

Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.

Differential Revision: https://phabricator.services.mozilla.com/D75447
2020-05-26 21:17:01 +00:00
David Major fcf2dc904b Bug 1640993 - Remove unused wrapper-windows.h after bug 1639302 r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D76892
2020-05-26 18:07:29 +00:00
Dana Keeler 895abc2d2e Bug 1638369 - enable some TLS ciphersuites with SHA-2-based MACs for compatibility r=jcj,kjacobs
We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).

Differential Revision: https://phabricator.services.mozilla.com/D76543
2020-05-22 21:20:43 +00:00
ffxbld b3c5906f23 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D76710
2020-05-26 14:53:18 +00:00
Kershaw Chang 104bf647be Bug 1602832 - P3: Skip failed tests r=dragana
Differential Revision: https://phabricator.services.mozilla.com/D67448
2020-05-26 14:30:26 +00:00
Butkovits Atila f167b5c275 Backed out 6 changesets (bug 1602832) for causing perma failure at test_trr_case_sensitivity.js. CLOSED TREE
Backed out changeset 0e9c378df995 (bug 1602832)
Backed out changeset 534fedb3836e (bug 1602832)
Backed out changeset db012c05d64e (bug 1602832)
Backed out changeset ca0c207dca21 (bug 1602832)
Backed out changeset bea1f3aeea49 (bug 1602832)
Backed out changeset 2d54acd78124 (bug 1602832)
2020-05-26 13:09:07 +03:00
Kershaw Chang 52a180d403 Bug 1602832 - P3: Skip failed tests r=dragana
Differential Revision: https://phabricator.services.mozilla.com/D67448
2020-05-26 08:35:32 +00:00
Moritz Birghan 53d0bd6bbd Bug 1620976 - Create UI for nsClientAuthRememberService r=keeler,fluent-reviewers,johannh
Differential Revision: https://phabricator.services.mozilla.com/D54336
2020-05-26 08:18:24 +00:00
Gian-Carlo Pascutto 31a659bfbe Bug 1571290 - Allow clock_gettime64 in the 32-bit linux seccomp-bpf profile. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D76351
2020-05-22 23:11:59 +00:00
Kevin Jacobs 24b7b9ddd6 Bug 1636656 - land NSS c7a1c91cd9be UPGRADE_NSS_RELEASE, r=jcj
2020-05-22  J.C. Jones  <jjones@mozilla.com>

	* lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h:
	Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and
	__ALTIVEC__ r=kjacobs

	This avoids build errors on non-VSX architectures even when not
	compiling the POWER accelerated code.

	[c7a1c91cd9be] [tip]

2020-05-21  Jeff Walden  <jwalden@mit.edu>

	* lib/freebl/aes-x86.c:
	Bug 1639033 - Use unsigned int for a loop counter to eliminate a
	signed-unsigned comparison warning in aes-x86.c. r=kjacobs

	Depends on D75847

	[e23fe363fa05]

	* lib/freebl/ec.c:
	Bug 1639033 - Used unsigned int instead of int in a few places in
	ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs

	Depends on D75846

	[0d778b0e778f]

	* lib/freebl/cmac.c:
	Bug 1639033 - Use unsigned int rather than int for two variables to
	eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs

	Depends on D75845

	[df5c8f6430a0]

	* lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h:
	Bug 1639033 - Use unsigned int for various count variables in
	mplogic.c to eliminate signed-unsigned comparison warnings.
	r=kjacobs

	Depends on D75844

	[ce5b8b7e010c]

	* lib/freebl/aeskeywrap.c:
	Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c
	to eliminate some signed-comparison warnings. r=kjacobs

	Depends on D75843

	[563a7cd7484b]

	* lib/softoken/pkcs11i.h, lib/softoken/sftkike.c:
	Bug 1639033 - Change +sftk_xcbc_mac_pad's block-size argument to be
	unsigned int to avoid sign-comparison warnings. r=kjacobs

	Depends on D75842

	[a5f80d0805ca]

2020-05-22  Jeff Walden  <jwalden@mit.edu>

	* lib/jar/jar.c:
	Bug 1639033 - Use the jarType enum type, not int, for certain
	variables and arguments in jar.c -- for greater precision, and to
	avoid sign-comparison warnings. r=kjacobs

	Depends on D75841

	[e65dd5c2cf86]

2020-05-19  Jeff Walden  <jwalden@mit.edu>

	* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h:
	Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be
	unsigned, to eliminate a -Wsign-compare warning. r=kjacobs

	Depends on D75840

	[6512178a58f5]

	* cmd/lib/basicutil.c:
	Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c.
	r=kjacobs

	[98390eef50a1]

2020-05-22  Martin Thomson  <mt@lowentropy.net>

	* lib/ssl/sslencode.c:
	Bug 1640041 - Don't memcpy nothing, r=jcj

	Depends on D76421

	[8d7c96ab80a7]

	* lib/ssl/sslsock.c:
	Bug 1640042 - Don't memcpy nothing, r=jcj

	[1a634da46b87]

	* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_recordsep_unittest.cc,
	gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c,
	lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c:
	Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message,
	r=kjacobs

	This adds the ability to disable EndOfEarlyData.

	On the client this is relatively simple, you just turn the message
	off.

	The server is complicated because the server uses this to drive the
	installation of the right keys. Without it, things get very messy.
	Thus, I have decided that this is best left to the
	SSL_RecordLayerData interface. That needs an ugly hack in order to
	let the new data to pass, but the damage is otherwise relatively
	minor, apart from one obvious thing.

	We never really built the SSL_RecordLayerData API to take
	application data. It only did that to support testing of the
	functions. Now that we have to deal with this new wrinkle, adding
	support for 0-RTT is necessary. This change does that. That requires
	a barrage of new checks to see if application data is acceptable.
	And then early data is captured in a completely different way, which
	adds another layer of awfulness.

	Note that this exposes us to the possibility that Certificate or
	Finished are received in early data when using SSL_RecordLayerData
	and this option. I don't think that fixing that is worthwhile as it
	requires tracking the epoch of handshake messages separate to
	ss->ssl3.crSpec and the epoch only really exists on that API so that
	applications don't accidentally do bad things. In QUIC, we
	specifically block handshake messages in early data, so we have
	ample protection.

	[10325739e149]

Differential Revision: https://phabricator.services.mozilla.com/D76572
2020-05-23 01:13:19 +00:00
Magnus Melin 4fb8f95bd5 Bug 1608894 - use getMostRecentWindow to find mainwindow, and hook that up for Thunderbird too. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D76019
2020-05-22 19:34:01 +00:00
Dana Keeler 3db8f6cd6b Bug 1638139 - use CRLite incremental stashes in the client r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D76054
2020-05-22 20:50:14 +00:00
Sylvestre Ledru 4ab6fe5285 Bug 1617369 - Reformat recent rust changes with rustfmt r=emilio DONTBUILD
# ignore-this-changeset

Depends on D76451

Differential Revision: https://phabricator.services.mozilla.com/D76452
2020-05-22 11:50:08 +00:00
J.C. Jones 18fcf86435 Bug 1636656 - land NSS 527a1792be4e UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-20  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/freebl_base.gypi:
	Bug 1638289 - Fix multiple definitions of SHA2 on ppc64le. r=kjacobs

	[527a1792be4e] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D76415
2020-05-22 00:48:57 +00:00
ffxbld 663946fddd No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D76324
2020-05-21 14:05:50 +00:00
Lina Cambridge faf2fd15e4 Bug 1639018 - Change `TaskRunnable::dispatch` to take owned runnables. r=froydnj
This matches how the `Dispatch(already_AddRefed<nsIRunnable>)`
overloads work in C++: `Dispatch` takes ownership of the runnable, and
leaks it if dispatch fails—because the thread manager is shutting down,
for instance. This avoids a race where a runnable can be released on
either the owning or target thread.

Rust doesn't allow arbitrary `Self` types yet (see
rust-lang/rust#44874), so we need to change `dispatch` and
`dispatch_with_options` to be associated methods.

Differential Revision: https://phabricator.services.mozilla.com/D75858
2020-05-20 20:54:49 +00:00
Nathan Froyd 2e5f61bc12 Bug 1639302 - manually declare NCryptSignHash in osclientcerts; r=keeler
This function ought to be declared by `winapi`, but is not, for whatever
reason.  However, its definition is stable enough that we can just
declare it inline rather than invoking bindgen every single build (and
unnecessarily compiling a build script on non-windows platforms) to
discover its definition for us.

Differential Revision: https://phabricator.services.mozilla.com/D76015
2020-05-19 19:16:36 +00:00
J.C. Jones 02cb9eb00d Bug 1636656 - land NSS daa823a4a29b UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-19  Robert Relyea  <rrelyea@redhat.com>

	* lib/freebl/dsa.c:
	Bug 1631576 - Force a fixed length for DSA exponentiation
	r=pereida,bbrumley

	[daa823a4a29b] [tip]

2020-05-14  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
	lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
	lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
	Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs

	[d2cfb4ccdf16]

2020-05-14  Jan-Marek Glogowski  <glogow@fbihome.de>

	* automation/taskcluster/scripts/split.sh, lib/Makefile,
	lib/manifest.mn:
	Bug 1637083 fix the lib dependencies for the split build
	r=jcj,rrelyea

	This build can be tested by running NSS_BUILD_MODULAR=1
	nss/automation/taskcluster/scripts/build.sh from a directory
	containing the nss and nspr repositories.

	To make this build's make conditionals easier to handle, it also
	merges the manifest.mn into the Makefile, because parts of the
	conditionals depends on $(OS_ARCH) setting.

	In the end, the goal is just to set the correct build $(DIRS).

	This also drops the freebl dependeny of ssl, which seems not to be
	needed, even if it's declared in /lib/ssl/ssl.gyp.

	[789d7241e1f0]

2020-05-13  Jan-Marek Glogowski  <glogow@fbihome.de>

	* coreconf/rules.mk, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/manifest.mn, manifest.mn:
	Bug 1637083 Replace pre-dependency with shell hack r=rrelyea

	Originally I tried multiple variants using make's conditionals to
	limit DIRS and enforce building the parent directory before the sub-
	directory. None of them worked for me, most resulting in an infinite
	recursion, so I used the current pre-depends workaround to fulfill
	the real dependency.

	Now I remembered that automake can handle this case for SUBDIRS
	specifying "." as a directory. The generated Makefile handles it via
	shell scripting; not nice, but it works.

	So this gets rid of the workaround, replacing it with a small shell
	test.

	[744881490c78]

Differential Revision: https://phabricator.services.mozilla.com/D76050
2020-05-19 21:55:59 +00:00
Coroiu Cristina 44c378a7fb Backed out 5 changesets (bug 1602832) for browser-chrome failures at toolkit/mozapps/extensions/test/xpinstall/browser_doorhanger_installs.js on a CLOSED TREE
Backed out changeset 059a7f44d1a9 (bug 1602832)
Backed out changeset 2f3cc391b48a (bug 1602832)
Backed out changeset 24d1ce1b0ac9 (bug 1602832)
Backed out changeset 5ea85726cc48 (bug 1602832)
Backed out changeset ee00e846104e (bug 1602832)
2020-05-19 23:05:26 +03:00
Kershaw Chang 0e9baa4d27 Bug 1602832 - P3: Skip failed tests r=dragana
Differential Revision: https://phabricator.services.mozilla.com/D67448
2020-05-19 12:56:52 +00:00
Bogdan Tara 321028c39b Backed out changeset 36d497fc42c5 (bug 1620976) for browser_clientAuthRememberService.js failures CLOSED TREE 2020-05-19 16:58:18 +03:00
Moritz Birghan 9997066263 Bug 1620976 - Create UI for nsClientAuthRememberService r=keeler,fluent-reviewers,johannh
Differential Revision: https://phabricator.services.mozilla.com/D54336
2020-05-19 13:13:39 +00:00
Frederik Braun de3412e689 Bug 1613609 - Add required loadinfo flag requests initiated with SystemPrincipal r=necko-reviewers,dragana
Adding the flag to existing channel/loadinfo object for:
- PushServices HTTP, WebSocket
- NetworkGeolocationProvider
- NetUtil.jsm's NewChannel
- NetworkConnectivityService
- OCSP
- Portal Detection
- ProductAddonChecker.jsm
- URLClassifier

Differential Revision: https://phabricator.services.mozilla.com/D75063
2020-05-19 08:54:58 +00:00
ffxbld ca77ac929c No Bug, mozilla-central repo-update HSTS HPKP - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D75795
2020-05-18 14:04:41 +00:00
Mihai Alexandru Michis a2026344a1 Backed out 2 changesets (bug 1613609) for causing bustages.
CLOSED TREE

Backed out changeset dd6e395dc342 (bug 1613609)
Backed out changeset 5bcb7b13a4ad (bug 1613609)
2020-05-18 16:38:58 +03:00
Frederik Braun 3baff21cbd Bug 1613609 - Add required loadinfo flag requests initiated with SystemPrincipal r=necko-reviewers,dragana
Adding the flag to existing channel/loadinfo object for:
- PushServices HTTP, WebSocket
- NetworkGeolocationProvider
- NetUtil.jsm's NewChannel
- NetworkConnectivityService
- OCSP
- Portal Detection
- ProductAddonChecker.jsm
- URLClassifier

Differential Revision: https://phabricator.services.mozilla.com/D75063
2020-05-18 10:59:04 +00:00
Csoregi Natalia 5162f86676 Backed out 2 changesets (bug 1613609) for failures on nsXPConnect.cpp. CLOSED TREE
Backed out changeset c593a7296df4 (bug 1613609)
Backed out changeset 72199fc4ea2b (bug 1613609)
2020-05-18 13:05:12 +03:00
Frederik Braun 3b0d63cd07 Bug 1613609 - Add required loadinfo flag requests initiated with SystemPrincipal r=necko-reviewers,dragana
Adding the flag to existing channel/loadinfo object for:
- PushServices HTTP, WebSocket
- NetworkGeolocationProvider
- NetUtil.jsm's NewChannel
- NetworkConnectivityService
- OCSP
- Portal Detection
- ProductAddonChecker.jsm
- URLClassifier

Differential Revision: https://phabricator.services.mozilla.com/D75063
2020-05-18 09:19:17 +00:00
J.C. Jones 74a8ec946b Bug 1636656 - land NSS e2061fe522f5 UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/freebl_gtest/mpi_unittest.cc:
	Bug 1561331 - Additional modular inverse test r=jcj

	[e2061fe522f5] [tip]

2020-05-08  Jan-Marek Glogowski  <glogow@fbihome.de>

	* coreconf/rules.mk, lib/ckfw/builtins/Makefile,
	lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile,
	lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile,
	lib/softoken/Makefile:
	Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea

	Introduces a simple "%/d" rule to create directories using
	$(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an
	order-only-prerequisites.

	To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.

	[c3f11da5acfc]

2020-05-05  Jan-Marek Glogowski  <glogow@fbihome.de>

	* coreconf/IRIX.mk, coreconf/OS2.mk, coreconf/README,
	coreconf/SunOS4.1.3_U1.mk, coreconf/SunOS5.mk, coreconf/UNIX.mk,
	coreconf/WIN32.mk, coreconf/config.mk, coreconf/location.mk,
	coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c,
	coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c,
	coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h,
	coreconf/mkdepend/include.c, coreconf/mkdepend/main.c,
	coreconf/mkdepend/mkdepend.man, coreconf/mkdepend/parse.c,
	coreconf/mkdepend/pr.c, coreconf/rules.mk:
	Bug 1438431 Remove mkdepend tool and targets r=rrelyea

	[6c5f91e098a1]

	* coreconf/README, coreconf/rules.mk:
	Bug 1629553 Drop duplicate header DIR variables r=rrelyea

	[d1f954627260]

	* coreconf/OpenUNIX.mk, coreconf/README, coreconf/SCO_SV3.2.mk,
	coreconf/config.mk, coreconf/cpdist.pl, coreconf/import.pl,
	coreconf/jdk.mk, coreconf/jniregen.pl, coreconf/module.mk,
	coreconf/outofdate.pl, coreconf/release.pl, coreconf/rules.mk,
	coreconf/ruleset.mk, coreconf/source.mk, coreconf/version.mk:
	Bug 1629553 Drop coreconf java support r=rrelyea

	There aren't an Java sources in NSS, so just drop all the stuff
	referencing java, jars, jni, etc.

	I didn't try to remove it from tests.

	[7d285fe69c8c]

	* cmd/crmf-cgi/Makefile, cmd/crmf-cgi/config.mk,
	cmd/crmftest/Makefile, cmd/crmftest/config.mk, cmd/lib/Makefile,
	cmd/lib/config.mk, cmd/lib/manifest.mn, cmd/libpkix/config.mk,
	cmd/libpkix/perf/Makefile, cmd/libpkix/perf/manifest.mn,
	cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile,
	cmd/libpkix/pkix/certsel/manifest.mn,
	cmd/libpkix/pkix/checker/Makefile,
	cmd/libpkix/pkix/checker/manifest.mn,
	cmd/libpkix/pkix/crlsel/Makefile,
	cmd/libpkix/pkix/crlsel/manifest.mn,
	cmd/libpkix/pkix/params/Makefile,
	cmd/libpkix/pkix/params/manifest.mn,
	cmd/libpkix/pkix/results/Makefile,
	cmd/libpkix/pkix/results/manifest.mn,
	cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/manifest.mn,
	cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/manifest.mn,
	cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/manifest.mn,
	cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile,
	cmd/libpkix/pkix_pl/module/manifest.mn,
	cmd/libpkix/pkix_pl/pki/Makefile,
	cmd/libpkix/pkix_pl/pki/manifest.mn,
	cmd/libpkix/pkix_pl/system/Makefile,
	cmd/libpkix/pkix_pl/system/manifest.mn,
	cmd/libpkix/testutil/manifest.mn, cpputil/Makefile,
	cpputil/config.mk, cpputil/manifest.mn, lib/base/Makefile,
	lib/base/config.mk, lib/base/manifest.mn, lib/certdb/Makefile,
	lib/certdb/config.mk, lib/certdb/manifest.mn, lib/certhigh/Makefile,
	lib/certhigh/config.mk, lib/certhigh/manifest.mn, lib/ckfw/Makefile,
	lib/ckfw/builtins/Makefile, lib/ckfw/builtins/config.mk,
	lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/capi/Makefile,
	lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
	lib/ckfw/config.mk, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/config.mk,
	lib/ckfw/dbm/manifest.mn, lib/ckfw/manifest.mn, lib/crmf/Makefile,
	lib/crmf/config.mk, lib/crmf/manifest.mn, lib/cryptohi/Makefile,
	lib/cryptohi/config.mk, lib/cryptohi/manifest.mn,
	lib/dbm/src/config.mk, lib/dbm/src/manifest.mn, lib/dev/Makefile,
	lib/dev/config.mk, lib/dev/manifest.mn, lib/jar/Makefile,
	lib/jar/config.mk, lib/jar/manifest.mn, lib/libpkix/Makefile,
	lib/libpkix/config.mk, lib/libpkix/include/Makefile,
	lib/libpkix/include/config.mk, lib/libpkix/pkix/Makefile,
	lib/libpkix/pkix/certsel/Makefile,
	lib/libpkix/pkix/certsel/config.mk,
	lib/libpkix/pkix/certsel/manifest.mn,
	lib/libpkix/pkix/checker/Makefile,
	lib/libpkix/pkix/checker/config.mk,
	lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/config.mk,
	lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/config.mk,
	lib/libpkix/pkix/crlsel/manifest.mn,
	lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/config.mk,
	lib/libpkix/pkix/params/manifest.mn,
	lib/libpkix/pkix/results/Makefile,
	lib/libpkix/pkix/results/config.mk,
	lib/libpkix/pkix/results/manifest.mn,
	lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/config.mk,
	lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile,
	lib/libpkix/pkix/top/config.mk, lib/libpkix/pkix/top/manifest.mn,
	lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/config.mk,
	lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile,
	lib/libpkix/pkix_pl_nss/config.mk,
	lib/libpkix/pkix_pl_nss/module/Makefile,
	lib/libpkix/pkix_pl_nss/module/config.mk,
	lib/libpkix/pkix_pl_nss/module/manifest.mn,
	lib/libpkix/pkix_pl_nss/pki/Makefile,
	lib/libpkix/pkix_pl_nss/pki/config.mk,
	lib/libpkix/pkix_pl_nss/pki/manifest.mn,
	lib/libpkix/pkix_pl_nss/system/Makefile,
	lib/libpkix/pkix_pl_nss/system/config.mk,
	lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/pk11wrap/Makefile,
	lib/pk11wrap/config.mk, lib/pk11wrap/manifest.mn,
	lib/pkcs12/Makefile, lib/pkcs12/config.mk, lib/pkcs12/manifest.mn,
	lib/pkcs7/Makefile, lib/pkcs7/config.mk, lib/pkcs7/manifest.mn,
	lib/pki/Makefile, lib/pki/config.mk, lib/pki/manifest.mn,
	lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile,
	lib/zlib/Makefile, lib/zlib/config.mk, lib/zlib/manifest.mn:
	Bug 1629553 Merge simple config.mk files r=rrelyea

	There is really no good reason to explicitly change the TARGET
	variable. And the empty SHARED_LIBRARY variable should also be in
	the manifest.mn to begin with.

	All the other empty variables start empty or undefined, so there is
	also no need to explicitly set them empty.

	[dc1ef0faf4a6]

	* cmd/libpkix/testutil/config.mk, coreconf/OS2.mk, coreconf/WIN32.mk,
	coreconf/ruleset.mk, coreconf/suffix.mk, gtests/common/Makefile,
	gtests/common/manifest.mn, gtests/google_test/Makefile,
	gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile,
	gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn, lib/ckfw/builtins/config.mk,
	lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
	lib/freebl/config.mk, lib/nss/config.mk, lib/nss/manifest.mn,
	lib/smime/config.mk, lib/smime/manifest.mn, lib/softoken/config.mk,
	lib/softoken/legacydb/config.mk, lib/softoken/legacydb/manifest.mn,
	lib/softoken/manifest.mn, lib/sqlite/config.mk,
	lib/sqlite/manifest.mn, lib/ssl/config.mk, lib/ssl/manifest.mn,
	lib/sysinit/config.mk, lib/sysinit/manifest.mn, lib/util/config.mk,
	lib/util/manifest.mn:
	Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea

	* Drop the WIN% "32" default DLL suffix
	* Add default resource file handling => drop default RES
	* Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and
	SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY
	lines

	Originally this patch also tried to add a default MAPFILE rule, but
	this fails, because the ARCH makefiles set linker flags based on an
	existing MAPFILE variable.

	[877d721d93cd]

	* coreconf/rules.mk:
	Bug 1629553 Use an eval template for C++ compile rules r=rrelyea

	These pattern rules already had a comment to keep both in sync, so
	just use an eval template to enforce this.

	[9b628d9c57e5]

	* lib/freebl/Makefile:
	Bug 1629553 Use an eval template for freebl libs r=rrelyea

	[71dd05b782e4]

	* coreconf/rules.mk:
	Bug 1629553 Use an eval template for export targets r=rrelyea

	[45db681898be]

	* lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11load.c,
	lib/pk11wrap/pk11wrap.gyp:
	Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_
	r=rrelyea

	In the manifest.mn the LIBRARY_VERSION is normally used to define
	the major version of the build shared library. This ust works for
	the pk11wrap case, because pk11wrap is a static library. But it's
	still very confusing when reading the manifest.mn. Also the
	referenced define in the code is just named SHLIB_VERSION.

	So this prefixes the defines and the variables with NSS_, because it
	tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is
	used to load the versioned softokn library.

	[cbb737bc6c0c]

	* Makefile, cmd/Makefile, cmd/shlibsign/Makefile,
	cmd/smimetools/rules.mk, coreconf/rules.mk, gtests/manifest.mn,
	lib/freebl/Makefile, lib/manifest.mn, manifest.mn:
	Bug 290526 Drop double-colon usage and add directory depends
	r=rrelyea

	Double-colon rule behaviour isn't really compatible with parallel
	build. This gets rid of all of them, so we can codify the directory
	dependencies.

	This leaves just three problems, which aren't really fixable with
	the current build system without completely replacing it:

	* everything depends on nsinstall
	* everything depends on installed headers
	* ckfw child directories depend on the build parent libs

	This is handled by the prepare_build target.

	Overall this allows most if the build to run in parallel.

	P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl
	must use libs: instead of using the TARGETS and .PHONY variables

	[f3a0ef69c056]

	* coreconf/WIN32.mk, gtests/certdb_gtest/manifest.mn,
	gtests/common/Makefile, gtests/google_test/Makefile,
	gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile:
	Bug 290526 Fix gtests build for WIN% targets r=rrelyea

	The google_test gtest build doesn't provide any exports for the
	shared library on Windows and the gyp build also builds just a
	static library. So build gtest and gtestutil libraries as static.

	For whatever reason, the Windows linker doesn't find the main
	function inside the gtestutil library, if we don't tell it to build
	a console executable. But linking works fine, if the object file is
	used directly. But since we can have different main() objects based
	on build flags, we enforce building console applications binaries.

	[a82a55886c1d]

	* cmd/bltest/manifest.mn, cmd/chktest/manifest.mn, cmd/crmf-
	cgi/manifest.mn, cmd/crmftest/manifest.mn, cmd/fipstest/manifest.mn,
	cmd/lib/Makefile, cmd/libpkix/testutil/Makefile,
	cmd/lowhashtest/manifest.mn, cmd/modutil/manifest.mn,
	cmd/pk11gcmtest/manifest.mn, cmd/pk11mode/manifest.mn,
	cmd/rsapoptst/manifest.mn, cmd/signtool/manifest.mn,
	cmd/ssltap/manifest.mn, coreconf/README, coreconf/rules.mk,
	cpputil/manifest.mn, gtests/google_test/manifest.mn,
	gtests/pkcs11testmodule/Makefile, lib/base/Makefile,
	lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile,
	lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile,
	lib/dev/Makefile, lib/dev/manifest.mn, lib/freebl/Makefile,
	lib/libpkix/Makefile, lib/libpkix/include/Makefile,
	lib/libpkix/include/manifest.mn, lib/libpkix/pkix/Makefile,
	lib/libpkix/pkix/certsel/Makefile,
	lib/libpkix/pkix/certsel/manifest.mn,
	lib/libpkix/pkix/checker/Makefile,
	lib/libpkix/pkix/checker/manifest.mn,
	lib/libpkix/pkix/crlsel/Makefile,
	lib/libpkix/pkix/crlsel/manifest.mn,
	lib/libpkix/pkix/params/Makefile,
	lib/libpkix/pkix/params/manifest.mn,
	lib/libpkix/pkix/results/Makefile,
	lib/libpkix/pkix/results/manifest.mn,
	lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/manifest.mn,
	lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/manifest.mn,
	lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/manifest.mn,
	lib/libpkix/pkix_pl_nss/Makefile,
	lib/libpkix/pkix_pl_nss/module/Makefile,
	lib/libpkix/pkix_pl_nss/module/manifest.mn,
	lib/libpkix/pkix_pl_nss/pki/Makefile,
	lib/libpkix/pkix_pl_nss/pki/manifest.mn,
	lib/libpkix/pkix_pl_nss/system/Makefile,
	lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/nss/Makefile,
	lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/manifest.mn,
	lib/softoken/Makefile, lib/softoken/legacydb/Makefile,
	lib/sqlite/Makefile, lib/sqlite/manifest.mn, lib/ssl/Makefile,
	lib/util/Makefile, lib/zlib/Makefile:
	Bug 290526 Drop recursive private_exports r=rrelyea

	Copying private headers is now simply included in the exports
	target, as these headers use an extra directory anyway.

	[989ecbd870f3]

	* Makefile, cmd/shlibsign/Makefile, coreconf/Makefile,
	coreconf/README, coreconf/nsinstall/Makefile, coreconf/rules.mk,
	coreconf/ruleset.mk, lib/Makefile, lib/ckfw/Makefile:
	Bug 290526 Parallelize part of the NSS build r=rrelyea

	This still serializes many targets, but at least these targets
	themself run their build in parallel. The main serialization happens
	in nss/Makefile and nss/coreconf/rules.mk's all target.

	We can't add these as real dependencies, as all Makefile snippets
	use the same variable names. I tried to always run sub-makes to hack
	in the depndencies, but these don't know of each other, so targets
	very often run twice, and this breaks the build.

	Having a tests:: target and a tests directory leads to misery (and
	doesn't work), so it's renamed to check.

	This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by
	a follow up patch, which removes the double-colon usage and adds the
	directory dependencies!

	[5d0bfa092e0f]

	* coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/mkdepend/Makefile,
	coreconf/nsinstall/Makefile, coreconf/ruleset.mk:
	Bug 290526 Don't delete directories r=rrelyea

	If these files exist and aren't directories, there might be other
	problems. Trying to "fix" them by removing will break the build.

	[fb377d36262d]

	* coreconf/rules.mk:
	Bug 290526 Handle empty install variables r=rrelyea

	Originally I added the install commands to the individual build
	targets. But this breaks the incremental build, because there is
	actually no dependency for the install. But it turns out, that in
	the end it's enough to ignore empty defined variables, so just do
	this.

	[585942b1d556]

	* coreconf/rules.mk:
	Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea

	I have no real clue, why PROGRAMS is actually working in the
	sequence build. There is no special make code really handling it,
	except for the install target.

	This patches code is inspired by the $(eval ...) example in the GNU
	make documentation. It generates a program specific make target and
	maps the programs objects based on the defined variables.

	[d30a6953b897]

Differential Revision: https://phabricator.services.mozilla.com/D75385
2020-05-15 14:40:39 +00:00
Dana Keeler b52b92bb4e Bug 1631847 - use effectiveTimestamp and parent fields from CRLite entries to determine most recent full and incremental filters r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D75201
2020-05-14 20:06:47 +00:00
Emilio Cobos Álvarez b9c1bf761c Bug 312971 - Unprefix -moz-read-write / -moz-read-only. r=edgar
And remove some duplicated tests from WPT.

Differential Revision: https://phabricator.services.mozilla.com/D75231
2020-05-14 16:46:08 +00:00
ffxbld 9f539b6b93 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D75307
2020-05-14 14:04:23 +00:00
Kershaw Chang 7922f6e91f Bug 1549323 - Make sure session cache is cleared in socket process r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D74906
2020-05-14 12:21:59 +00:00
Aaron Klotz 2037d8f930 Bug 1448428 - Part 3: Transition EnterpriseRoots away from unified GeneratedJNIWrappers.h header; r=keeler
Depends on D58575

Differential Revision: https://phabricator.services.mozilla.com/D75159
2020-05-13 18:01:22 +00:00
Dana Keeler d9362e620b Bug 1631124 - osclientcerts: attempt to find issuing certificates when looking for client certificates (Windows) r=kjacobs,mhowell
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the Windows backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.

Differential Revision: https://phabricator.services.mozilla.com/D74719
2020-05-12 22:20:26 +00:00
J.C. Jones 638a597baa Bug 1636656 - land NSS e3444f4cc638 UPGRADE_NSS_RELEASE,
Differential Revision: https://phabricator.services.mozilla.com/D74716
2020-05-11 18:20:52 +00:00
ffxbld f78dade689 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D74713
2020-05-11 17:44:03 +00:00
Jared Wein 846382dc54 Bug 1633090 - Cache the result of the empty password checks. r=cmartin
Differential Revision: https://phabricator.services.mozilla.com/D72426
2020-05-08 18:32:45 +00:00
Gian-Carlo Pascutto b37cb7e592 Bug 1455498 - Whitelist directories passed in LD_LIBRARY_PATH. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D70554
2020-05-07 15:40:42 +00:00
ffxbld bed945fee6 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D74235
2020-05-07 14:10:06 +00:00
Simon Giesecke 61ad805d68 Bug 1626570 - Use CopyableTArray in ipdlc as member type for now. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D73685
2020-05-07 08:11:08 +00:00
Dana Keeler e8ebc73d50 Bug 1630038 - remove HPKP entirely r=kjacobs,bbeurdouche
This removes processing of HTTP Public Key Pinning headers, remotely modifying
pinning information, and using cached pinning information, all of which was
already disabled in bug 1412438. Static pins that ship with the browser are
still enforced.

Differential Revision: https://phabricator.services.mozilla.com/D73352
2020-05-06 22:57:50 +00:00
Benjamin Beurdouche 55a58de0c2 Bug 1635047 - Fix classification of Curve25519 KEA in telemetry. r=kjacobs,jcj
Differential Revision: https://phabricator.services.mozilla.com/D73606
2020-05-06 16:36:05 +00:00
Ricky Stewart 0015091b18 Bug 1633039 - Don't check for Python 2 in configure r=glandium
Differential Revision: https://phabricator.services.mozilla.com/D72895
2020-05-05 16:02:02 +00:00
Ricky Stewart fd72a5d35e Bug 1633016 - Remove a bunch of references to PYTHON(2) in Makefiles r=glandium
Differential Revision: https://phabricator.services.mozilla.com/D72479
2020-05-05 19:53:22 +00:00
Chanhee Cho ea6c5ac8d9 Bug 1622656 - OSKeyStore.cpp: replace r.size()<1 to r.empty(). r=sylvestre
Differential Revision: https://phabricator.services.mozilla.com/D73916
2020-05-05 18:48:37 +00:00
Ian Moody 9243ee5033 Bug 1536556 - Replace new Error(Cr.ERROR) with new Component.Exception. r=mossop
Passing Cr.ERROR to an Error constructor is incorrect since it just sets the
message of the error to the integer value of the Cr.ERROR. Cr.ERRORs need to be
used as the second argument to Component.Exception to correctly construct an
Exception object with its result property set to the Cr.ERROR value.

This was done automatically by an expansion of the new
mozilla/no-throw-cr-literal eslint rule that will be introduced in the next
commit.

Differential Revision: https://phabricator.services.mozilla.com/D28075
2020-05-05 15:00:55 +00:00
Simon Giesecke af0eae3289 Bug 1626570 - Improve handling of copying arrays in security/manager/ssl/. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D72343
2020-05-05 10:40:38 +00:00
Razvan Maries c2b627950c Backed out 10 changesets (bug 1626570) for build bustages. CLOSED TREE
Backed out changeset a3f17d392234 (bug 1626570)
Backed out changeset 5247e1ddd5d6 (bug 1626570)
Backed out changeset c339fd44c9f8 (bug 1626570)
Backed out changeset 4c69a4c013b3 (bug 1626570)
Backed out changeset e85450d69351 (bug 1626570)
Backed out changeset 793f978248b3 (bug 1626570)
Backed out changeset 68b4c2418d83 (bug 1626570)
Backed out changeset 52d0911d4ad3 (bug 1626570)
Backed out changeset a7d4e3a59ee3 (bug 1626570)
Backed out changeset 6c06d397a5d2 (bug 1626570)
2020-05-05 13:37:08 +03:00
Simon Giesecke 1892b9d6a8 Bug 1626570 - Improve handling of copying arrays in security/manager/ssl/. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D72343
2020-05-05 09:40:30 +00:00
ffxbld 960049edf3 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D73699
2020-05-04 14:03:46 +00:00
J.C. Jones 92f783423e Bug 1629594 - land NSS NSS_3_52_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-01  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.52 final
	[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>

2020-04-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
	[c5d002af1d61]

Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-05-01 23:34:59 +00:00
Ciure Andrei 1a902cc7ab Backed out changeset ebe0bd6a038c (bug 1614053) for landing with the wrong bug# UPGRADE_NSS_RELEASE CLOSED TREE 2020-05-02 02:06:52 +03:00
J.C. Jones ed1c0b9f61 Bug 1614053 - land NSS NSS_3_52_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2020-05-01  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.52 final
	[befc258c4336] [NSS_3_52_RTM] <NSS_3_52_BRANCH>

2020-04-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_52_BETA2 for changeset bb4462a16de8
	[c5d002af1d61]

Differential Revision: https://phabricator.services.mozilla.com/D73512
2020-05-01 22:45:13 +00:00
Bogdan Tara f137fa0613 Backed out 6 changesets (bug 1632916, bug 1599658, bug 1633037, bug 1633039, bug 1633016, bug 1632920) for SA bustages CLOSED TREE
Backed out changeset 332ce0963b4e (bug 1633039)
Backed out changeset a9904cbc40d9 (bug 1633037)
Backed out changeset d06b0ec349f8 (bug 1599658)
Backed out changeset 8fd300cad80f (bug 1633016)
Backed out changeset f8820941c703 (bug 1632916)
Backed out changeset ac9c2c8746ed (bug 1632920)
2020-05-02 01:49:29 +03:00
Ricky Stewart 035981e445 Bug 1633039 - Don't check for Python 2 in configure r=glandium
Differential Revision: https://phabricator.services.mozilla.com/D72895
2020-04-30 15:23:51 +00:00
Ricky Stewart bb4e86d85a Bug 1633016 - Remove a bunch of references to PYTHON(2) in Makefiles r=glandium
Differential Revision: https://phabricator.services.mozilla.com/D72479
2020-04-30 15:25:22 +00:00
Kevin Jacobs a1a7ac61e5 Bug 1629594 - land NSS NSS_3_52_BETA2 UPGRADE_NSS_RELEASE, r=jcj
2020-04-30  zhujianwei7  <zhujianwei7@huawei.com>

	* lib/smime/cmssigdata.c:
	Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfos
	r=kjacobs

	[bb4462a16de8] [NSS_3_52_BETA2]

2020-04-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c,
	lib/freebl/seed.h:
	Bug 1619959 - Properly handle multi-block SEED ECB inputs.
	r=bbeurdouche,jcj

	[d67517e92371]

2020-04-28  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_52_BETA1 for changeset 0b30eb1c3650
	[11415c3334ab]

2020-04-24  Robert Relyea  <rrelyea@redhat.com>

	* lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c:
	Bug 1571677 Name Constraints validation: CN treated as DNS name even
	when syntactically invalid as DNS name r=mt

	This patch makes libpkix treat name contraints the same the NSS cert
	verifier. This proposal available for review for 9 months without
	objection.

	Time to make this official

	[0b30eb1c3650] [NSS_3_52_BETA1]

2020-04-27  Edouard Oger  <eoger@fastmail.com>

	* lib/freebl/blinit.c:
	Bug 1633498 - Do not define getauxval on iOS targets. r=jcj

	[7b5e3b9fbc7d]

2020-04-27  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/sftkike.c:
	Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs

	Fix possible free before alloc error found by kjacobs
	[7f91e3dcfb9b]

2020-04-20  Robert Relyea  <rrelyea@redhat.com>

	* lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/sftkike.c, lib/util/pkcs11n.h:
	Bug 1629663 NSS missing IKEv1 Quick Mode KDF prf r=kjacobs

	We found another KDF function in libreswan that is not using the NSS
	KDF API.

	Unfortunately, it seems the existing IKE KDF's in NSS are not usable
	for the Quick Mode use.

	The libreswan code is in compute_proto_keymat() and the
	specification is in https://tools.ietf.org/html/rfc2409#section-5.5

	It needs:

	KEYMAT = prf(SKEYID_d, [g(qm)^xy ] | protocol | SPI | Ni_b | Nr_b).

	which an be thought of as: KEYMAT = prf(KEY, [KEY] | BYTES)

	but with the kicker that it also does multiple rounds aka key
	expansion: KEYMAT = K1 | K2 | K3 | ...

	 where

	 K1 = prf(KEY, [KEY] | BYTES) K2 = prf(KEY, K1 | [KEY] | BYTES) K3 =
	prf(KEY, K1 | [KEY] | BYTES) etc.

	to generate the needed keying material >PRF size

	This patch implements this by extendind the Appendix B Mechanism to
	take and optional key and data in a new Mechanism parameter
	structure. Which flavor is used (old CK_MECHANISM_TYPE or the new
	parameter) is determined by the mechanism parameter lengths.
	Application which try to use this new feature on old versions of NSS
	will get an error (rather than invalid data).

	[225bb39eade1]

Differential Revision: https://phabricator.services.mozilla.com/D73383
2020-05-01 01:54:56 +00:00
Dana Keeler ab4256c574 Bug 1633879 - check for smart card changes at most once every 3 seconds r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D73357
2020-04-30 22:41:06 +00:00
Toshihito Kikuchi e83bcb5130 Bug 1630281 - Cache the executable's IAT for ntdll.dll before COM initialization. r=mhowell
When the browser process starts a sandbox process, we copy the executable's IAT
for ntdll.dll into the new process to prevent DLL injection via IAT tampering as
the launcher process does.  However, if IAT has been modified by a module injected
via `SetWindowHookEx`, the browser process cannot copy IAT because a modified IAT
is invalid in a different process, failing to start any sandbox processes.

The proposed fix is to cache IAT before COM initialization which may load
modules via `SetWindowHookEx` for the first time in the process.

Differential Revision: https://phabricator.services.mozilla.com/D73303
2020-04-30 18:26:18 +00:00
ffxbld 39ea1433df No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D73270
2020-04-30 14:02:58 +00:00
Dana Keeler 24cee534ab Bug 1631404 - work around mozilla::pkix forbidding id-kp-OCSPSigning unless specifically required r=bbeurdouche
mozilla::pkix treats the id-kp-OCSPSigning extended key usage as forbidden
unless specifically required. Client authentication certificate filtering in
gecko uses mozilla::pkix, so before this patch, certificates with this EKU would
be filtered out. Normally this is correct, because client authentication
certificates should never have this EKU. However, there is at least one private
PKI where client certificates have this EKU. For interoperability, this patch
works around this restriction by falling back to requiring id-kp-OCSPSigning if
path building initially fails.

Differential Revision: https://phabricator.services.mozilla.com/D72760
2020-04-29 20:24:33 +00:00
Kershaw Chang 0cc88944bc Bug 1617950 - Don't block main thread if data storage is not ready r=necko-reviewers,valentin,keeler
Differential Revision: https://phabricator.services.mozilla.com/D72663
2020-04-27 22:02:43 +00:00
Kershaw Chang 4db371a46e Bug 1512478 - Use sync IPC to get client auth data from parent process r=keeler,mccr8
Differential Revision: https://phabricator.services.mozilla.com/D36911
2020-04-28 20:12:43 +00:00
Dana Keeler 9355164d5f Bug 1620972 - avoid unnecessary do_QueryInterface calls in TransportSecurityInfo r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D72084
2020-04-23 19:14:08 +00:00
Christoph Kerschbaumer af3bb17589 Bug 1575356: Update Mixed Content Blocker to rely on BrowsingContext instead of nsIDocShellTreeItem. r=baku,smaug
Differential Revision: https://phabricator.services.mozilla.com/D71547
2020-04-28 13:08:57 +00:00
Csoregi Natalia 879ef8e0a4 Backed out changeset f4a75756b1b4 (bug 1575356) for failures on test_iframe_referrer_invalid.html. CLOSED TREE 2020-04-28 12:23:22 +03:00
Christoph Kerschbaumer 59c7891e26 Bug 1575356: Update Mixed Content Blocker to rely on BrowsingContext instead of nsIDocShellTreeItem. r=baku,smaug
Differential Revision: https://phabricator.services.mozilla.com/D71547
2020-04-28 07:32:51 +00:00
Csoregi Natalia 0185f41854 Backed out changeset 14568f3c84b6 (bug 1575356) for failures on test_iframe_referrer.html. CLOSED TREE 2020-04-28 10:01:30 +03:00
Christoph Kerschbaumer 73c3fa2f74 Bug 1575356: Update Mixed Content Blocker to rely on BrowsingContext instead of nsIDocShellTreeItem. r=baku,smaug
Differential Revision: https://phabricator.services.mozilla.com/D71547
2020-04-28 05:18:28 +00:00
Kevin Jacobs e4e3559e1b Bug 1629594 - land NSS aae226c20dfd UPGRADE_NSS_RELEASE, r=jcj
2020-04-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/softoken_gtest/softoken_gtest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11obj.c, lib/pk11wrap/pk11pub.h, lib/softoken/sdb.c:
	Bug 1612881 - Maintain PKCS11 C_GetAttributeValue semantics on
	attributes that lack NSS database columns r=keeler,rrelyea

	`sdb_GetAttributeValueNoLock` builds a query string from a list of
	attributes in the input template. Unfortunately,
	`sqlite3_prepare_v2` will fail the entire query if one of the
	attributes is missing from the underlying table. The PKCS #11 spec
	[[ https://www.cryptsoft.com/pkcs11doc/v220/pkcs11__all_8h.html#aC_G
	etAttributeValue | requires ]] setting the output `ulValueLen` field
	to -1 for such invalid attributes.

	This patch reads and stores the columns of nssPublic/nssPrivate when
	opened, then filters an input template in
	`sdb_GetAttributeValueNoLock` for unbacked/invalid attributes,
	removing them from the query and setting their template output
	lengths to -1.

	[aae226c20dfd] [tip]

2020-04-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/ssl/sslnonce.c:
	Bug 1531906 - Relax ssl3_SetSIDSessionTicket assertions to permit
	valid, evicted or externally-cached sids. r=mt

	This patch relaxes an overzealous assertion for the case where: 1)
	Two sockets start connections with a shared SID. 2) One receives an
	empty session ticket in the SH, and evicts the SID from cache. 3)
	The second socket receives a new session ticket, and attempts to set
	it in the SID.

	We currently assert that the sid is `in_client_cache` at 3), but
	clearly it cannot be. The outstanding reference remains valid
	despite the eviction.

	This also solves a related assertion failure after
	https://hg.mozilla.org/mozilla-central/rev/c5a8b641d905 where the
	same scenario occurs, but instead of being `in_client_cache` or
	evicted, the SID is `in_external_cache`.

	[a68de0859582]

2020-04-16  Robert Relyea  <rrelyea@redhat.com>

	* gtests/common/testvectors/kwp-vectors.h,
	gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_aeskeywrapkwp_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/freebl/aeskeywrap.c,
	lib/freebl/blapi.h, lib/freebl/blapit.h, lib/freebl/hmacct.c,
	lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
	lib/pk11wrap/pk11mech.c, lib/softoken/lowpbe.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c, lib/ssl/ssl3con.c,
	lib/util/secport.h:
	Bug 1630721 Softoken Functions for FIPS missing r=mt

	For FIPS we need the following:

	 1. NIST official Key padding for AES Key Wrap. 2. Combined
	Hash/Sign mechanisms for DSA and ECDSA.

	In the first case our AES_KEY_WRAP_PAD function addes pkcs8 padding
	to the normal AES_KEY_WRAP, which is a different algorithm then the
	padded key wrap specified by NIST. PKCS #11 recognized this and
	created a special mechanism to handle NIST padding. That is why we
	don't have industry test vectors for CKM_NSS_AES_KEY_WRAP_PAD. This
	patch implements that NIST version (while maintaining our own). Also
	PKCS #11 v3.0 specified PKCS #11 mechanism for AES_KEY_WRAP which
	are compatible (semantically) with the NSS vendor specific versions,
	but with non-vendor specific numbers. Softoken now accepts both
	numbers.

	This patch also updates softoken to handle DSA and ECDSA combined
	hash algorithms other than just SHA1 (which is no longer validated).

	Finally this patch uses the NIST KWP test vectors in new gtests for
	the AES_KEY_WRAP_KWP wrapping algorithm.

	As part of the AES_KEY_WRAP_KWP code, the Constant time macros have
	been generalized and moved to secport. Old macros scattered
	throughout the code have been deleted and existing contant time code
	has been updated to use the new macros.

	[3682d5ef3db5]

2020-04-21  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp,
	lib/freebl/freebl_base.gypi, lib/freebl/gcm.h, lib/freebl/ppc-
	crypto.h, lib/freebl/scripts/LICENSE, lib/freebl/scripts/gen.sh,
	lib/freebl/scripts/ppc-xlate.pl, lib/freebl/scripts/sha512p8-ppc.pl,
	lib/freebl/sha512-p8.s, lib/freebl/sha512.c:
	Bug 1613238 - POWER SHA-2 digest vector acceleration. r=jcj,kjacobs

	[2d66bd9dcad4]

2020-04-18  Robert Relyea  <rrelyea@redhat.com>

	* coreconf/Linux.mk, coreconf/config.gypi, lib/softoken/sdb.c:
	Bug 1603801 [patch] Avoid dcache pollution from sdb_measureAccess()
	r=mt

	As implemented, when sdb_measureAccess() runs it creates up to
	10,000 negative dcache entries (cached nonexistent filenames).

	There is no advantage to leaving these particular filenames in the
	cache; they will never be searched again. Subsequent runs will run a
	new test with an intentionally different set of filenames. This can
	have detrimental effects on some systems; a massive negative dcache
	can lead to memory or performance problems.

	Since not all platforms have a problem with negative dcache entries,
	this patch is limitted to those platforms that request it at
	compilie time (Linux is current the only patch that does.)

	[928721f70164]

2020-04-16  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi:
	Bug 1630458 - Produce debug symbols in GYP/MSVC debug builds. r=mt

	[25006e23a777]

2020-04-13  Robert Relyea  <rrelyea@redhat.com>

	* lib/ckfw/object.c, lib/ckfw/session.c:
	Bug 1629655 ckfw needs to support temporary session objects.
	r=kjacobs

	libckfw needs to create temporary objects whose space will to be
	freed after use (rather than at token shutdown). Currently only
	token objects are supported and they are allocated out of a global
	arena owned by the slot, so the objects only go away when the slot
	is closed.

	This patch sets the arena to NULL in nssCKFWObject_Create() if the
	object is a session object. This tells nssCKFWObject_Create() to
	create a new arena specifically for this object. That arena is
	stored in localArena. When the object is destroyed, any localArena's
	will be freed.

	[808ec0e6fd77]

2020-04-14  Robert Relyea  <rrelyea@redhat.com>

	* cmd/selfserv/selfserv.c, lib/ssl/sslsnce.c, tests/ssl/ssl.sh:
	Bug 1629661 MPConfig calls in SSL initializes policy before NSS is
	initialized. r=mt

	NSS has several config functions that multiprocess servers must call
	before NSS is initialized to set up shared memory caches between the
	processes. These functions call ssl_init(), which initializes the
	ssl policy. The ssl policy initialization, however needs to happen
	after NSS itself is initialized. Doing so before hand causes (in the
	best case) policy to be ignored by these servers, and crashes (in
	the worst case).

	Instead, these cache functions should just initialize those things
	it needs (that is the NSPR ssl error codes).

	This patch does: 1) fixes the cache init code to only initialize
	error codes. 2) fixes the selfserv MP code to 1) be compatible with
	ssl.sh's selfserv management (at least on Unix), and 2) mimic the
	way real servers handle the MP_Cache init code (calling NSS_Init
	after the cache set up). 3) update ssl.sh server policy test to test
	policy usage on an MP server. This is only done for non-windows like
	OS's because they can't catch the kill signal to force their
	children to shutdown.

	I've verified that the test fails if 2 and 3 are included but 1 is
	not (and succeeds if all three are included).

	[a252957a3805]

Differential Revision: https://phabricator.services.mozilla.com/D72409
2020-04-27 16:56:13 +00:00
ffxbld b534feae40 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D72661
2020-04-27 14:21:26 +00:00
Matthew Noorenberghe 9c2d00ba62 Bug 1631879 - Workaround IsOS/OS_DOMAINMEMBER missing from mingw headers.
Differential Revision: https://phabricator.services.mozilla.com/D72510
2020-04-25 05:16:13 +00:00
Jared Wein 071bc1727c Bug 1631879 - Remove the domain portion of the username when testing for a blank password. r=MattN,cmartin
Differential Revision: https://phabricator.services.mozilla.com/D72425
2020-04-25 02:52:05 +00:00
Jared Wein 37fdb67321 Bug 1631879 - Remove unused 'save' variable. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D72424
2020-04-24 19:36:27 +00:00
Jared Wein 528ff5f8d2 Bug 1631879 - Only check for blank passwords if the OS is not on a domain. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D72423
2020-04-24 19:57:42 +00:00
Jared Wein 30a2acc855 Bug 1631879 - Use GetUserNameEx with NameSamCompatible to make sure that we are retrieving fully qualified usernames. r=MattN,cmartin
Importing security.h introduced namespace collisions so I removed the `using namespace mozilla;` and replaced it with specific names.

Differential Revision: https://phabricator.services.mozilla.com/D72422
2020-04-24 20:04:34 +00:00
Kershaw Chang b0ac2c6c92 Bug 1485652 - Reimplement IsAcceptableForHost r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D67949
2020-04-24 14:45:56 +00:00
Simon Giesecke 191a830575 Bug 1628715 - Part 7: Add MOZ_NONNULL_RETURN to infallible nsTArray::AppendElements. r=xpcom-reviewers,necko-reviewers,nika,valentin
Differential Revision: https://phabricator.services.mozilla.com/D70831
2020-04-24 13:31:14 +00:00
Jared Wein 0adaedd78b Bug 1631835 - Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r=MattN
One attempt will still be used by the blank password auth attempt. This does not completely fix the problem in this case but will allow a user to continue attempting until their account is locked out now.

Differential Revision: https://phabricator.services.mozilla.com/D71811
2020-04-21 19:32:18 +00:00
Ricky Stewart de06436cd7 Bug 1621441 - Update Python scripts that depend on PyECC to run in Python 3 and to leverage the ecdsa library instead r=glandium,keeler
Unfortunately, since the new ecdsa library has a different interface and slightly different inner workings compared to the old PyECC library, the changes to support this update are not trivial. Luckily the ecdsa library is extensible enough to allow us to adjust the library's functionality with function parameters rather than monkey-patching, as we were doing with the previous version of the code. All of these interface changes are in addition to the normal rote Python 3 updates. This was tested by running a build with and without this patch and ensuring there were no unexpected diffs.

Differential Revision: https://phabricator.services.mozilla.com/D70117
2020-04-17 20:56:09 +00:00
Jared Wein c31e94ac22 Bug 1629873 - Display login-related error messages in the Windows credential UI upon a failed authentication attempt. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D71701
2020-04-21 04:34:55 +00:00
Kevin Jacobs 7aef8cc570 Bug 1624450 - Remove CHECK_FORK_GETPID from Android NSS compilation r=glandium
CHECK_FORK_GETPID was useful back when Android didn't support pthread_atfork, which it has since at least ICS (API 14 or 15), and Fennec has required API 16 for a while now.

Moreover, softoken.h also defines CHECK_FORK_PTHREAD on its own, and pkcs11.c initialization code prioritizes CHECK_FORK_PTHREAD, while the finalization code prioritizes CHECK_FORK_GETPID, such that reinitialization was never possible.

Differential Revision: https://phabricator.services.mozilla.com/D67940
2020-04-21 03:03:58 +00:00
Dana Keeler 6472425855 Bug 1629059 - don't attempt to authenticate to tokens that aren't present r=bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D71605
2020-04-20 22:42:13 +00:00
Dana Keeler b9d537d9a5 Bug 1630473 - temporarily stash the client certificate chain so NSS can send it to the server r=kjacobs,bbeurdouche
When sending a client certificate to a server in a TLS handshake, one of the
certificates in the chain should be issued by one of the issuers indicated in
the server's certificate_authorities list in the certificate request message.
The client auth data callback doesn't provide a way to specify this chain
directly - NSS builds it itself. This means that certificates known to gecko
but not NSS won't be included in the chain. This patch stashes the necessary
certificates temporarily so that NSS can find them and send them to the server.

Differential Revision: https://phabricator.services.mozilla.com/D71368
2020-04-20 22:39:20 +00:00
ffxbld 3e98c37370 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D71596
2020-04-20 16:44:01 +00:00
Kershaw Chang 85532d60f8 Bug 1626076 - Make it possible to use DataStorage on socket process r=keeler,dragana,necko-reviewers
Differential Revision: https://phabricator.services.mozilla.com/D68877
2020-04-20 09:41:58 +00:00
Dana Keeler 237a6eb533 Bug 1630031 - Use MOZ_WIDGET_ANDROID instead of ANDROID for the enterprise roots for geckoview r=fabrice
'ANDROID means "the linux flavor used by Android, with bionic", while
MOZ_WIDGET_ANDROID identifies the UI toolkit used. Both are defined for
GeckoView, but other products like b2g only define ANDROID because they use
another widget layer.'

Differential Revision: https://phabricator.services.mozilla.com/D71371
2020-04-17 19:46:21 +00:00
Jared Wein 1e20b5d27c Bug 1630991 - Add missing initialization of out parameter. r=MattN
Differential Revision: https://phabricator.services.mozilla.com/D71366
2020-04-17 16:51:19 +00:00
Andreea Pavel cea2b48a5e Bug 1623745 - fix test_osreauthenticator.js r=test-fix on a CLOSED TREE 2020-04-17 03:42:24 +03:00
Andreea Pavel 86defb620e Backed out changeset bcb914fcd7d6 (bug 1623745) to revert the changes on a closed tree 2020-04-17 03:41:13 +03:00
Ciure Andrei dee341d82a Bug 1623745 - disable test_osreauthenticator.js on automation r=test-fix CLOSED TREE 2020-04-17 02:03:04 +03:00
Jared Wein 65a2ade1e3 Bug 1623745 - Add a value to the pwmgr.reauthenticated telemetry event to specify if the user was able to authenticate without a password. r=MattN,spohl
Differential Revision: https://phabricator.services.mozilla.com/D70136
2020-04-16 21:33:24 +00:00
ffxbld 618ba07d34 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D71198
2020-04-16 16:16:14 +00:00
Kevin Jacobs 2a981b96ab Bug 1624128 - Update CK_GCM_PARAMS uses for PKCS11 v3.0 definition r=keeler
This patch initializes the ulIvBits member of CK_GCM_PARAMS, which is new in PKCS11 v3.

For libprio, we instead define NSS_PKCS11_2_0_COMPAT, which yields the old struct definition.

Differential Revision: https://phabricator.services.mozilla.com/D67740

--HG--
extra : moz-landing-system : lando
2020-04-14 18:32:19 +00:00
Kevin Jacobs 7d42f279f2 Bug 1629594 - land NSS 50dcc34d470d UPGRADE_NSS_RELEASE, r=jcj
2020-04-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11load.c:
	Bug 1629105 - Update PKCS11 module debug logger for v3.0 r=rrelyea

	Differential Revision:
	https://phabricator.services.mozilla.com/D70582
	[50dcc34d470d] [tip]

2020-04-07  Robert Relyea  <rrelyea@redhat.com>

        * lib/ckfw/builtins/testlib/Makefile:
        Bug 1465613 Fix gmake issue create by the patch which adds ability
        to distrust certificates issued after a certain date for a specified
        root cert r=jcj

        I've been trying to run down an issue I've been having, and I think
        this bug is the source. Whenever I build ('gmake' build), I get the
        following untracted files: ? lib/ckfw/builtins/testlib/anchor.o ?
        lib/ckfw/builtins/testlib/bfind.o ?
        lib/ckfw/builtins/testlib/binst.o ?
        lib/ckfw/builtins/testlib/bobject.o ?
        lib/ckfw/builtins/testlib/bsession.o ?
        lib/ckfw/builtins/testlib/bslot.o ?
        lib/ckfw/builtins/testlib/btoken.o ?
        lib/ckfw/builtins/testlib/ckbiver.o ?
        lib/ckfw/builtins/testlib/constants.o

        This is because of the way lib/ckfw/builtins/testlib works, it uses
        the sources from the directory below, and explicitly reference them
        with ../{source_name}.c. The object file then becomes
        lib/ckfw/builtins/testlib/{OBJDIR}/../{source_name}.o.

        The simple fix would be to paper over the issue and just add these
        to .hgignore, but that would break our ability to build multiple
        platforms on a single source directory. I'll include a patch that
        fixes this issue.

        bob

        Differential Revision:
        https://phabricator.services.mozilla.com/D70077
        [92058f185316]

2020-04-06  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/ssl_gtest/tls_hkdf_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11pub.h, lib/pk11wrap/pk11skey.c,
	lib/ssl/sslprimitive.c, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13hkdf.c, lib/ssl/tls13replay.c, tests/ssl/ssl.sh:
	Bug 1561637 TLS 1.3 does not work in FIPS mode r=mt

	Part 2 of 2

	Use the official PKCS #11 HKDF mechanism to implement tls 1.3.

	1) The new mechanism is a single derive mechanism, so we no longer
	need to pick it based on the underlying hmac (Note, we still need to
	know the underlying hmac, which is passed in as a mechanism
	parameter).

	2) Use the new keygen to generate CKK_HKDF keys rather than doing it
	by hand with the random number generator (never was really the best
	way of doing this).

	3) modify tls13hkdf.c to use the new mechanisms: 1) Extract: use the
	new key handle in the mechanism parameters to pass the salt when the
	salt is a key handle. Extract: use the explicit NULL salt parameter
	if for the hash len salt of zeros. 2) Expand: Expand is mostly a
	helper function which takes a mechanism. For regular expand, the
	mechanism is the normal _Derive, for the Raw version its the _Data
	function. That creates a data object, which is extractable in FIPS
	mode.

	4) update slot handling in tls13hkdf.c: 1) we need to make sure that
	the key and the salt key are in the same slot. Provide a PK11wrap
	function to make that guarrentee (and use that function in
	PK11_WrapKey, which already has to do the same function). 2) When
	importing a 'data' key for the zero key case, make sure we import
	into the salt key's slot. If there is no salt key, use
	PK11_GetBestSlot() rather than PK11_GetInternal slot.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69899
	[3d2b1738e064]

2020-04-06  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/curve25519-vectors.h,
	gtests/common/testvectors/p256ecdh-vectors.h,
	gtests/common/testvectors/p384ecdh-vectors.h,
	gtests/common/testvectors/p521ecdh-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha256_mgf1sha256-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha384_mgf1sha384-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha1-vectors.h,
	gtests/common/testvectors/rsa_oaep_2048_sha512_mgf1sha512-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_2048_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_3072_test-vectors.h,
	gtests/common/testvectors/rsa_pkcs1_4096_test-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha1_mgf1_20-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_0-vectors.h,
	gtests/common/testvectors/rsa_pss_2048_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_3072_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha256_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_4096_sha512_mgf1_32-vectors.h,
	gtests/common/testvectors/rsa_pss_misc-vectors.h,
	gtests/common/testvectors/rsa_signature-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha224-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha256-vectors.h,
	gtests/common/testvectors/rsa_signature_2048_sha512-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha256-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha384-vectors.h,
	gtests/common/testvectors/rsa_signature_3072_sha512-vectors.h,
	gtests/common/testvectors/rsa_signature_4096_sha384-vectors.h,
	gtests/common/testvectors/rsa_signature_4096_sha512-vectors.h,
	gtests/common/testvectors_base/rsa_signature-vectors_base.txt,
	gtests/common/testvectors_base/test-structs.h,
	gtests/common/wycheproof/genTestVectors.py,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc,
	gtests/pk11_gtest/pk11_rsaoaep_unittest.cc,
	gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc,
	gtests/pk11_gtest/pk11_rsapss_unittest.cc:
	Bug 1612260 - Add Wycheproof vectors for RSA PKCS1 and PSS signing,
	PKCS1 and OEAP decryption. r=bbeurdouche

	This patch updates the Wycheproof script to build RSA test vectors
	(covering PKCS1 decryption/verification, as well as PSS and OAEP)
	and adds the appropriate test drivers.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69847
	[469fd8633757]

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/taskcluster/docker-fuzz32/Dockerfile:
	Bug 1626751 - Add apt-transport-https & apt-utils to fuzz32 docker
	image r=jcj

	We already install these packages on the image_builder image itself.
	It seems they're now required on the fuzz32 image as well.

	Differential Revision:
	https://phabricator.services.mozilla.com/D69274
	[c7a8195e3072]

2020-04-01  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/Makefile:
	Bug 1624864 - Don't force ARMv7 for gcm-arm32-neon r=jcj
	[858209235972]

	* coreconf/config.gypi, coreconf/config.mk, lib/freebl/Makefile,
	lib/freebl/freebl.gyp, lib/freebl/gcm.c:
	Bug 1620799 - Introduce NSS_DISABLE_ARM32_NEON r=jcj

	Only some Arm32 supports neon, so let's introduce
	NSS_DISABLE_ARM32_NEON to allow disabling Neon acceleration when
	building for Arm32.

	Signed-off-by: Giulio Benetti
	<giulio.benetti@benettiengineering.com>
	[b47b2c35aa64]

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsoftokn3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt:
	Fixup ABI checks after libabigail update and Delegated Credentials
	backport. r=me
	[7f50f6ca7658]

2020-03-31  hajma  <tropikhajma@gmail.com>

	* coreconf/SunOS5.mk:
	Bug 1625133 - Fix implicit declaration of function 'getopt' on SunOS
	r=jcj
	[744788dd18dc]

2020-03-30  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_hkdf_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11pub.h, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c:
	Bug 1561637 TLS 1.3 does not work in FIPS mode

	Patch 1 of 2. This patch updates softoken and helper functions with
	the new PKCS #11 v3 HKDF, which handles all the correct key
	management so that we can work in FIPS mode

	1) Salts can be passed in as data, as and explicit NULL (which per
	spec means a zero filled buffer of length of the underlying HMAC),
	or through a key handle 2) A Data object can be used as a key
	(explicitly allowed for this mechanism by the spec). 3) A special
	mechansism produces a data object rather than a key, the latter
	which can be exported. Softoken does not do the optional validation
	on the pInfo to verify that the requested values are supposed to be
	data rather than keys. Some other tokens may.

	The old hkdf mechanism has been retained for compatibility (well
	namely until patch 2 is created, tls is still using it). The hkdf
	function has been broken off into it's own function rather than
	inline in the derive function.

	Note: because the base key and/or the export key could really be a
	data object, our explicit handling of sensitive and extractable are
	adjusted to take into account that those flags do not exist in data
	objects.

	Differential Revision:
	https://phabricator.services.mozilla.com/D68940
	[e0922aac5267]

2020-03-26  Hans Petter Jansson  <hpj@cl.no>

	* cmd/lowhashtest/lowhashtest.c:
	Bug 1622555 - Fix lowhashtest argument parsing. r=kjacobs
	[f3c5ab41c972]

2020-03-26  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp:
	Bug 1624377 - Replace freebl flag -msse4 by -msse4.1 -msse4.2 which
	are supported by older compilers r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D68407
	[16ee7cb36fff]

2020-03-26  Robert Relyea  <rrelyea@redhat.com>

	* gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
	lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
	lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
	lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
	Bug 1623374 Need to support the new PKCS #11 Message interface for
	AES GCM and ChaCha Poly r=mt

	Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
	use of PK11Context_Create() for AEAD operations. 2. AES GCM and
	CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
	handles all the mechanism specific processing. 3. TLS semantic
	differences between the two algorithms is handled by their
	parameters: 1. Nonce length is the length of the nonce counter. If
	it's zero, then XOR_Counter is used (and the nonce length is the
	sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
	nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
	returned from the token in the encrypt case. Only in the explict
	nonce case is it examined. (The code depends on the fact that the
	count in the token will match sslSequenceNumber). I did have assert
	code to verify this was happening for testing, but it's removed from
	this patch it can be added back. 5. All the decrypt instances of
	XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
	6. Even tough PK11_AEADOp returns and accepts the tag separately
	(for encrypt and decrypt respectively). The SSL code still returns
	the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
	uses of AEAD outside of the TLS stream can use it instead of their
	own wrapped version. It can handle streams (CreateContext()
	tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
	tls13_AEAD(context=NULL). In the later case, the keys for the single
	shot operation should not be resued. 8. libssl_internals.c in the
	gtests directory has been updated to handle advancing the internal
	iv counter when we artifically advance the seqNum. Since we don't
	have access to any token iv counter (including softoken), The code
	switches to simulated message mode, and updates the simulated state
	as appropriate. (obviously this is for testing only code as it
	reaches into normally private data structures).

	Differential Revision:
	https://phabricator.services.mozilla.com/D68480
	[e7c7f305078e]

2020-03-26  Robert Relyea  <rrelyea@redhat.com>

        * gtests/ssl_gtest/libssl_internals.c, lib/pk11wrap/exports.gyp,
        lib/pk11wrap/manifest.mn, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
        lib/ssl/sslspec.h, lib/ssl/tls13con.c, lib/ssl/tls13con.h,
        lib/ssl/tls13esni.c, lib/ssl/tls13exthandle.c:
        Bug 1623374 Need to support the new PKCS #11 Message interface for
        AES GCM and ChaCha Poly r=mt

        Update ssl to use the new PK11_AEADOp() interface. 1. We restore the
        use of PK11Context_Create() for AEAD operations. 2. AES GCM and
        CHACHA/Poly specific functions are no longer needed as PK11_AEADOp()
        handles all the mechanism specific processing. 3. TLS semantic
        differences between the two algorithms is handled by their
        parameters: 1. Nonce length is the length of the nonce counter. If
        it's zero, then XOR_Counter is used (and the nonce length is the
        sizeof(sslSequenceNumber)). 2. IV length is the full IV length -
        nonce length. 3. TLS 1.3 always uses XOR_Counter. 4. The IV is
        returned from the token in the encrypt case. Only in the explict
        nonce case is it examined. (The code depends on the fact that the
        count in the token will match sslSequenceNumber). I did have assert
        code to verify this was happening for testing, but it's removed from
        this patch it can be added back. 5. All the decrypt instances of
        XOR_Counter IV creation have been colapsed into tls13_WriteNonce().
        6. Even tough PK11_AEADOp returns and accepts the tag separately
        (for encrypt and decrypt respectively). The SSL code still returns
        the values as buffer||tag. 7. tls13_AEAD() has been enhanced so all
        uses of AEAD outside of the TLS stream can use it instead of their
        own wrapped version. It can handle streams (CreateContext()
        tls13_AEAD() tls13_AEAD() DestroyContext()) or single shot
        tls13_AEAD(context=NULL). In the later case, the keys for the single
        shot operation should not be resued. 8. libssl_internals.c in the
        gtests directory has been updated to handle advancing the internal
        iv counter when we artifically advance the seqNum. Since we don't
        have access to any token iv counter (including softoken), The code
        switches to simulated message mode, and updates the simulated state
        as appropriate. (obviously this is for testing only code as it
        reaches into normally private data structures).

        Differential Revision:
        https://phabricator.services.mozilla.com/D68480
        [e7c7f305078e]


2020-03-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11.c:
	Bug 1624402 - Fix compilation error when NO_FORK_CHECK and
	CHECK_FORK_* are defined r=rrelyea

	Differential Revision:
	https://phabricator.services.mozilla.com/D67911
	[0225889e5292]

2020-03-23  Kevin Jacobs  <kjacobs@mozilla.com>

    * lib/util/pkcs11.h:
    Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed.
    r=rrelyea

    Differential Revision:
    https://phabricator.services.mozilla.com/D67741
    [7ab62d3d0445]

2020-03-19  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
	gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc,
	lib/freebl/blapi.h, lib/freebl/blapii.h, lib/freebl/blapit.h,
	lib/freebl/chacha20poly1305.c, lib/freebl/gcm.c, lib/freebl/gcm.h,
	lib/freebl/intel-gcm-wrap.c, lib/freebl/intel-gcm.h,
	lib/freebl/ldvector.c, lib/freebl/loader.c, lib/freebl/loader.h,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/nss/nss.def,
	lib/pk11wrap/pk11cxt.c, lib/pk11wrap/pk11mech.c,
	lib/pk11wrap/pk11priv.h, lib/pk11wrap/pk11pub.h,
	lib/pk11wrap/pk11skey.c, lib/pk11wrap/pk11slot.c,
	lib/pk11wrap/secmodti.h, lib/softoken/fipstokn.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkmessage.c, lib/util/pkcs11n.h, lib/util/pkcs11t.h,
	lib/util/secport.h:
	Bug 1623374 Need to support the new PKCS #11 Message interface for
	AES GCM and ChaCha Poly

	PKCS #11 defines a new interface for handling AEAD type ciphers that
	allow multiple AEAD operations without repeating the key schedule.
	It also allows tokens to keep track of the number of operations, and
	generate IVs (depending on the cipher).

	This patch: 1. implement those new functions in softoken. With the
	addition of CKF_MESSAGE_* flags to various mechanism, we need to
	strip them when using the version 2 API of softoken (since there are
	no C_Message* function in version 2). For that we need a separate
	C_GetMechanismInfo function. We use the same trick we used to have a
	separate version function for the V2 interface. Also now that the
	new message functions are in their own file, they still need access
	to the common Session state processing functions. those have gone
	from static to exported within softoken to accomidate that. Same
	with sftk_MapDecryptError() (sftk_MapVerifyError() was also made
	global, though nothing else is yet using it). Only
	C_MessageEncrptInit(), C_EncryptMessage(), C_MessageEncryptFinal,
	C_MessageDecryptInit(), C_DecryptMessage(), and
	C_MessageDecryptFinal are implemented. C_EncryptMessageBegin(),
	C_EncryptMessageNext(), C_DecryptMessageBegin(), and
	C_DecryptMessageNext() are all part of the multi-part withing a
	multi-part operation and are only necessary for things like S/MIME
	(potentially). If we wanted to implement them, we would need more
	functions exported from freebl (and initaead, updateaead, finalaead
	for each mechanism type). 2. make those interfaces call aes_gcm and
	chacha20_poly1503 (and make adjustments for those ciphers). For AES,
	I added a new function AES_AEAD, which handles both encrypt and
	decrypt. Internally, the gcm functions (both the generic gcm and the
	intel gcm wrapper) had their init functions split into key
	scheduling and counter mode/tag initialization. The latter is still
	called from init, but the former is now for each update call. IV
	generation is handled by a single function in gcm.c, and shared with
	intel_gcm_wrapper.c Since the AES functions already know about the
	underlying PKCS #11 mechanism parameters, the new AEAD functions
	also parse the PKCS #11 GCM parameters. For Chacha/Poly new aead
	update functions were created called ChaChaPoly1305_Encrypt and
	ChaChaChaPoly1305_Decrypt. There was no Message specific
	initialization in the existing chacha_init, so no changes were
	needed there. The primary difference between _Encrypt/_Decrypt and
	_Seal/_Open is the fact that the tag is put at the end of the
	encrypted data buffer in the latter, and in a generic buffer in the
	former. 3. create new pk11wrap interfaces that also squash the api
	differences between the various mechanisms for aead (similiar to the
	way we do it for CBC and ECB crypto today). To accomplish this I
	added PK11_AEADOp() and PK11_AEADRawOp(). Both functions handle the
	case where the token only supports the single shot interface, by
	using the single short interface to simulate the Message interface.
	The PK11_AEADOp() also smooths out the differences in the parameters
	and symantics of the various mechanism so the application does not
	need to worry about the PKCS #11 differences in the mechanism. Both
	use contexts from the standard PK11_CreateContext(), so key
	schedules are done once for each key rather than once for each
	message. MESSAGE/AEAD operations are selected by adding the psuedo
	attribute flag CKA_NSS_MESSAGE to the requested operation
	(CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY). 4. write tests for
	the new interfaces Tests were added to make sure the PK11_AEADRawOp
	interface works, The single shot interface is used to test output of
	the message interface we also use two test only functions to force
	the connection to use the simulation interface, which is also
	compared to the non-simulate inteface. The AES_GCM also tests
	various IV generators.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67552
	[293ac3688ced]

2020-03-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/mpi/mpcpucache.c:
	Bug 1623184 - Clear ECX prior to cpuid, fixing query for Extended
	Features r=bbeurdouche

	While trying to benchmark the recent HACL* AVX2 code, I noticed that
	it was not being called on two machines (that both support AVX2),
	instead using only the AVX version.

	In order to query for Extended Features (cpuid with EAX=7), we also
	need to set ECX to 0: https://www.intel.com/content/www/us/en
	/architecture-and-technology/64-ia-32-architectures-software-
	developer-vol-2a-manual.html. The current code fails to do this,
	resulting in flags that show no support.

	Initially, I wrote a separate `freebl_cpuid_ex` function that
	accepted a value for ECX as a separate input argument. However, some
	definitions of `freebl_cpuid` already zero ECX, so making this
	consistent is the simplest way to get the desired behavior.

	With this patch, the two test machines (MacOS and Linux x64)
	correctly use the AVX2 ChaCha20Poly1305 code.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67235
	[06d41fe87c58]

2020-03-17  Robert Relyea  <rrelyea@redhat.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsoftokn3.so.txt, cmd/pk11mode/pk11mode.c,
	lib/pk11wrap/pk11load.c, lib/pk11wrap/secmodi.h,
	lib/pk11wrap/secmodt.h, lib/softoken/fipstokn.c,
	lib/softoken/manifest.mn, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c, lib/softoken/pkcs11i.h,
	lib/softoken/sftkmessage.c, lib/softoken/softoken.gyp,
	lib/softoken/softoken.h, lib/softoken/softokn.def,
	lib/util/pkcs11.h, lib/util/pkcs11f.h, lib/util/pkcs11n.h,
	nss/automation/abi-check/new-report-libnss3.so.txt, nss/automation
	/abi-check/new-report-libsoftokn3.so.txt:
	Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=ueno r=mt

	Update to PKCS #11 v3.0 part 2.

	Create the functions and switch to the C_Interface() function to
	fetch the PKCS #11 function table. Also PKCS #11 v3.0 uses a new
	fork safe interface. NSS can already handle the case if the PKCS #11
	module happens to be fork safe (when asked by the application to
	refresh the tokens in the child process, NSS can detect that such a
	refresh is not necessary and continue. Softoken could also be put in
	fork_safe mode with an environment variable. With this patch it's
	the default, and NSS asks for the fork safe API by default.
	Technically softoken should implement the old non-fork safe
	interface when PKCS #11 v2.0 is called, but NSS no longer needs it,
	and doing so would double the number of PKCS #11 interfaces are
	needed. You can still compile with fork unsafe semantics, and the
	PKCS #11 V3.0 module will do the right thing and not include the
	fork safe flag. Firefox does not fork(), so for firefox this is
	simply code that is no longer compilied.

	We now use C_GetInterface, which allows us to specify what kind of
	interface we want (PKCS #11 v3.0, PKCS #11 v2.0, fork safe, etc.).
	Vendor specific functions can now be accessed through the
	C_GetInterface. If the C_GetInterface function does not exists, we
	fall bak to the old C_GetFunctionList.

	There are 24 new functions in PKCS #11 v3.0: C_GetInterfaceList -
	return a table of all the supported interfaces C_GetInterface -
	return a specific interface. You can specify interface name, version
	and flags separately. You can leave off any of these and you will
	get what the token thinks is the best match of the interfaces that
	meet the criteria. We do this in softoken by the order of the
	interface list. C_SessionCancel - Cancel one or more multipart
	operation C_LoginUser - Supply a user name to C_Login(). This
	function has no meaning for softoken, so it just returns
	CKR_OPERATION_NOT_INITIALIZED under the theory that if we in the
	future want to support usernames, the NSS db would need special
	initialization to make that happen. C_Message* and C_*Message* (20
	functions in all) are the new AEAD interface (they are written
	generally so that it can be used for things other than AEAD). In
	this patch they are unimplemented (see the next patch).

	This patch adds regular (NSC_) and FIPS (FC_) versions of these
	functions. Also when creating the PKCS #11 v2.0 interface, we had to
	create a 2.0 specific version of C_GetInfo so that it can return a
	2.40 in the CK_VERSION field rather than 3.00. We do this with
	#defines since all the function tables are generated automagically
	with pkcs11f.h.

	Differential Revision:
	https://phabricator.services.mozilla.com/D67240
	[2364598f8a36]

2020-03-09  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* automation/taskcluster/scripts/run_hacl.sh,
	lib/freebl/verified/Hacl_Poly1305_128.c,
	lib/freebl/verified/Hacl_Poly1305_256.c:
	Bug 1612493 - Fix Firefox build for Windows 2012 x64. r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D65945
	[7e09cdab32d0]

2020-03-02  Kurt Miller  <kurt@intricatesoftware.com>

        * lib/freebl/blinit.c:
        Bug 1618400 - Fix unused variable 'getauxval' on OpenBSD/arm64 r=jcj

        https://bugzilla.mozilla.org/show_bug.cgi?id=1618400
        [2c989888dee7]

2020-03-02  Giulio Benetti  <giulio.benetti@benettiengineering.com>

        * lib/freebl/blinit.c:
        Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>). r=kjacobs
        Some build environment doesn't provide <sys/auxv.h> and this causes
        build failure, so let's check if that header exists by using
        __has_include() helper.

        Signed-off-by: Giulio Benetti
        <giulio.benetti@benettiengineering.com>
        [bb7c46049f26]

2020-02-28  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

        * automation/taskcluster/scripts/run_hacl.sh,
        lib/freebl/verified/Hacl_Chacha20.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_128.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_32.c,
        lib/freebl/verified/Hacl_Chacha20_Vec128.c,
        lib/freebl/verified/Hacl_Curve25519_51.c,
        lib/freebl/verified/Hacl_Kremlib.h,
        lib/freebl/verified/Hacl_Poly1305_128.c,
        lib/freebl/verified/Hacl_Poly1305_32.c,
        lib/freebl/verified/kremlin/include/kremlin/internal/types.h,
        lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h, li
        b/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt128_Verifie
        d.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/FStar_UInt_8_1
        6_32_64.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/LowStar_
        Endianness.h, lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar
        _uint128_gcc64.h, lib/freebl/verified/libintvector.h:
        Bug 1617533 - Update of HACL* after libintvector.h and coding style
        changes. r=kjacobs

        *** Bug 1617533 - Clang format

        *** Bug 1617533 - Update HACL* commit for job in Taskcluster

        *** Bug 1617533 - Update HACL* Kremlin code

        Differential Revision:
        https://phabricator.services.mozilla.com/D63829
        [b6677ae9067e]

        * automation/taskcluster/graph/src/extend.js, coreconf/arch.mk,
        coreconf/config.mk, lib/freebl/Makefile, lib/freebl/blapii.h,
        lib/freebl/blinit.c, lib/freebl/chacha20poly1305.c,
        lib/freebl/freebl.gyp,
        lib/freebl/verified/Hacl_Chacha20Poly1305_256.c,
        lib/freebl/verified/Hacl_Chacha20Poly1305_256.h,
        lib/freebl/verified/Hacl_Chacha20_Vec256.c,
        lib/freebl/verified/Hacl_Chacha20_Vec256.h,
        lib/freebl/verified/Hacl_Poly1305_256.c,
        lib/freebl/verified/Hacl_Poly1305_256.h, nss-tool/hw-support.c:
        Bug 1612493 - Support for HACL* AVX2 code for Chacha20, Poly1305 and
        Chacha20Poly1305. r=kjacobs

        *** Bug 1612493 - Import AVX2 code from HACL*
        *** Bug 1612493 - Add CPU detection for AVX2, BMI1, BMI2, FMA, MOVBE
        *** Bug 1612493 - New flag NSS_DISABLE_AVX2 for freebl/Makefile and
        freebl.gyp
        *** Bug 1612493 - Disable use of AVX2 on GCC 4.4 which doesn’t
        support -mavx2
        *** Bug 1612493 - Disable tests when the platform doesn't have
        support for AVX2

        Differential Revision:
        https://phabricator.services.mozilla.com/D64718
        [d5deac55f543]


2020-02-18  Robert Relyea  <rrelyea@redhat.com>

	* cmd/bltest/blapitest.c, cmd/fipstest/fipstest.c,
	cmd/lib/pk11table.c, cmd/pk11gcmtest/pk11gcmtest.c,
	cmd/shlibsign/shlibsign.c,
	gtests/pk11_gtest/pk11_aes_gcm_unittest.cc,
	gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/certdb/crl.c,
	lib/ckfw/dbm/db.c, lib/dev/devslot.c, lib/dev/devtoken.c,
	lib/dev/devutil.c, lib/freebl/fipsfreebl.c, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c, lib/pk11wrap/debug_module.c,
	lib/pk11wrap/dev3hack.c, lib/pk11wrap/pk11akey.c,
	lib/pk11wrap/pk11auth.c, lib/pk11wrap/pk11cert.c,
	lib/pk11wrap/pk11err.c, lib/pk11wrap/pk11load.c,
	lib/pk11wrap/pk11mech.c, lib/pk11wrap/pk11merge.c,
	lib/pk11wrap/pk11nobj.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11pbe.c, lib/pk11wrap/pk11pk12.c,
	lib/pk11wrap/pk11pqg.c, lib/pk11wrap/pk11skey.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/pk11util.c, lib/pkcs12/p12d.c,
	lib/pkcs12/p12e.c, lib/softoken/fipstokn.c,
	lib/softoken/legacydb/lgattr.c, lib/softoken/legacydb/lgcreate.c,
	lib/softoken/legacydb/lgfind.c, lib/softoken/legacydb/lginit.c,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11u.c, lib/softoken/sdb.c, lib/softoken/sftkdb.c,
	lib/softoken/sftkpwd.c, lib/ssl/ssl3con.c, lib/ssl/sslprimitive.c,
	lib/ssl/tls13con.c, lib/util/pkcs11.h, lib/util/pkcs11f.h,
	lib/util/pkcs11n.h, lib/util/pkcs11t.h, lib/util/secoid.c, nss-
	tool/enc/enctool.cc:
	Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye

	https://phabricator.services.mozilla.com/D63241

	This patch implements the first phase: updating the headers.

	lib/util/pkcs11.h lib/util/pkcs11f.h lib/util/pkcs11t.h

	Were updated using the released OASIS PKCS #11 v3.0 header files.
	lib/util/pkcs11n.h was updated to finally deprecate all uses of
	CK?_NETSCAPE_?.

	A new define as added: NSS_PKCS11_2_0_COMPAT. If it's defined, the
	small semantic changes (including the removal of deprecated defines)
	between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are
	reverted in favor of the PKCS #11 v2 definitions. This include the
	removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.

	One notable change was caused by an inconsistancy between the spec
	and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an
	extra field in the header that was not in the spec. OASIS considers
	the header file to be normative, so PKCS #11 v3.0 resolved the issue
	in favor of the header file definition. NSS had the spec definition,
	so now there are 2 defines for this structure:

	CK_NSS_GCM_PARAMS - the old nss define. Still used internally in
	freebl. CK_GCM_PARAMS_V3 - the new define. CK_GCM_PARAMS - no longer
	referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if
	NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as
	CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.

	Softoken has been updated to accept either CK_NSS_GCM_PARAMS or
	CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use
	CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.

	 One other semantic difference between the 3.0 version of pkcs11f.h
	and the version here: In the oasis version of the header, you must
	define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In
	our version you must define CK_PKCS11_3 to get the PCKS #11 v3
	defines.

	Most of this patch is to handle changing the deprecated defines that
	have been removed in PCKS #11 v3 from NSS.

	Differential Revision:
	https://phabricator.services.mozilla.com/D63241
	[b5d90a7fe217]

Differential Revision: https://phabricator.services.mozilla.com/D70773

--HG--
extra : moz-landing-system : lando
2020-04-14 17:53:38 +00:00
Cameron McCormack d389bb562d Bug 1629779 - Avoid cert_storage rkv option warning. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D70805

--HG--
extra : moz-landing-system : lando
2020-04-14 17:47:25 +00:00
Toshihito Kikuchi 80dfd02627 Bug 1629361 - Disable the launcher process when a content process fails to start. r=mhowell
If a third-party application modifies IAT of ntdll.dll in the browser process
after process launch, the browser process fails to launch a sandbox process,
resulting in a situation where a window is opened without any functionality.

This patch is to mitigate that situation by disabling the launcher process
when the browser process fails to launch a sandbox process.

Differential Revision: https://phabricator.services.mozilla.com/D70873

--HG--
extra : moz-landing-system : lando
2020-04-14 16:14:22 +00:00
Dana Keeler 90d81515f7 Bug 1612587 - (2/2) incorporate all known potential issuing certificates when filtering client certificates r=kjacobs,jcj
When a server requests a client certificate, it can include a list of
distinguished names that it considers valid issuers for client certificates
(either as direct issuers or as transitive issuers). Before this patch, the
platform would call CERT_FilterCertListByCANames to filter potential client
certificates by this list of names. This function uses the "classic" NSS
certificate path-building algorithm and thus can't make use of other
certificates that gecko may know about, such as third-party intermediates and
preloaded intermediates.

This patch implements client certificate filtering by re-using the path building
implementation provided by mozilla::pkix to determine if each certificate has an
issuer with a name included in the acceptable list. These issuers include
third-party intermediates, preloaded intermediates, and all certificates known
to NSS. Note that this implementation does not actually verify the client
certificates - no signatures are checked and no particular key usages are
enforced. However, some properties are enforced, such as validity periods.

Differential Revision: https://phabricator.services.mozilla.com/D68101

--HG--
rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
extra : moz-landing-system : lando
2020-04-14 02:26:16 +00:00
Dana Keeler 7f9a18765c Bug 1612587 - (1/2) simplify flow of client auth certificate selection to enable future improvements r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D68100

--HG--
extra : moz-landing-system : lando
2020-04-14 02:23:47 +00:00
Mike Conley 6cf2613a1e Bug 1628734 - Record the time to load certificates off of the main-thread as a scalar. r=keeler,data-review=chutten
Depends on D70441

Differential Revision: https://phabricator.services.mozilla.com/D70718

--HG--
extra : moz-landing-system : lando
2020-04-13 20:04:39 +00:00
Mike Conley d1811e175c Bug 1628734 - Record the time to initialize the NSS component as a scalar. r=keeler,data-review=chutten
Differential Revision: https://phabricator.services.mozilla.com/D70441

--HG--
extra : moz-landing-system : lando
2020-04-13 19:16:41 +00:00
Dana Keeler 69308ed152 Bug 1627756 - implement enterprise roots for android r=snorp
Differential Revision: https://phabricator.services.mozilla.com/D69855

--HG--
extra : moz-landing-system : lando
2020-04-09 00:54:11 +00:00
ffxbld 29bbf326cf No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D70682

--HG--
extra : moz-landing-system : lando
2020-04-13 14:01:40 +00:00
Jeff Gilbert cb26f272b1 Bug 1623885 - Add "subsystem" to Mesa sandbox policy to fix libdrm-2.4.101+. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D70579

--HG--
extra : moz-landing-system : lando
2020-04-12 21:21:32 +00:00
Dzmitry Malyshau 0e42a4799d Bug 1628772 - Update core-foundation dependency to 0.7 r=kats
Differential Revision: https://phabricator.services.mozilla.com/D70432

--HG--
extra : moz-landing-system : lando
2020-04-11 20:14:41 +00:00
Jonathan Kew 3ec88e7ea4 Bug 1495900 - Add fontconfig cache directories to content-process sandbox read paths. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D70170

--HG--
extra : moz-landing-system : lando
2020-04-11 02:28:35 +00:00
Mihai Alexandru Michis 5beb91b795 Backed out changeset d91a97562b48 (bug 1628772) for causing failures regarding core-foundation.
CLOSED TREE
2020-04-10 03:42:05 +03:00
Dzmitry Malyshau feed464a5d Bug 1628772 - Update core-foundation dependency to 0.7 r=kats
Differential Revision: https://phabricator.services.mozilla.com/D70432

--HG--
extra : moz-landing-system : lando
2020-04-09 20:57:18 +00:00
ffxbld c53603da3d No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D70364

--HG--
extra : moz-landing-system : lando
2020-04-09 13:55:34 +00:00
Kershaw Chang 7829c32789 Bug 1627654 - Setup resumption callback when nsNSSSocketInfo is created r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D69883

--HG--
extra : moz-landing-system : lando
2020-04-08 19:32:31 +00:00
Gabriele Svelto 2bc88d71e0 Bug 1614933 - Gather content processes' crash annotations at exception time instead of using IPC; r=froydnj
Crash annotations in content processes are currently sent over IPC via
shared memory buffers. To pave the way for the Rust rewrite of the exception
handler we are removing this code and gathering all the crash annotations
within the content processes themselves. This patch causes annotations to be
stored in the global table of each content process. They are then streamed
out to the parent process by the exception handler together with the
exception-time annotations.

This has a number of benefits:

* we have one less channel to exchange data between content processes and
  the parent process
* we save memory because we don't need to allocate the shared memory buffers
* annotations are faster because we don't stream them all out every time one
  changes
* we won't truncate annotations anymore if we run out of space in the shared
  segment.
* we don't need delayed annotations anymore, so we can get rid of the
  associated machinery

As I refactored the code I tried to adjust all the obsolete comments,
consolidate shared code and remove the redundant steps that were sometimes
present. In many places we had two entire crash annotation tables we merged to
change just a couple; that comes from the fact that historically we loaded
them from disk. Now it doesn't matter anymore and we can just go ahead and
change the ones we care about.

Differential Revision: https://phabricator.services.mozilla.com/D62586

--HG--
extra : moz-landing-system : lando
2020-04-08 06:55:40 +00:00
Gabriele Svelto ab22b90deb Bug 1614933 - Ensure that glibc's lazy initializers run before we enable the content process sandbox on Linux; r=jld
Differential Revision: https://phabricator.services.mozilla.com/D63471

--HG--
extra : moz-landing-system : lando
2020-04-08 06:55:40 +00:00
Gijs Kruitbosch f32397095e Bug 1624612 - fix sizing of the cert manager dialog, r=jaws,keeler
Differential Revision: https://phabricator.services.mozilla.com/D70057

--HG--
extra : moz-landing-system : lando
2020-04-07 18:05:02 +00:00
Cosmin Sabou 524917fc68 Backed out 2 changesets (bug 1612587) for causing mochitest failures on test_bug466080.html. CLOSED TREE
Backed out changeset 0df99ee3b674 (bug 1612587)
Backed out changeset 71db6e900a94 (bug 1612587)
2020-04-07 02:04:50 +03:00
Dana Keeler a69ac1f46f Bug 1612587 - (2/2) incorporate all known potential issuing certificates when filtering client certificates r=kjacobs,jcj
When a server requests a client certificate, it can include a list of
distinguished names that it considers valid issuers for client certificates
(either as direct issuers or as transitive issuers). Before this patch, the
platform would call CERT_FilterCertListByCANames to filter potential client
certificates by this list of names. This function uses the "classic" NSS
certificate path-building algorithm and thus can't make use of other
certificates that gecko may know about, such as third-party intermediates and
preloaded intermediates.

This patch implements client certificate filtering by re-using the path building
implementation provided by mozilla::pkix to determine if each certificate has an
issuer with a name included in the acceptable list. These issuers include
third-party intermediates, preloaded intermediates, and all certificates known
to NSS. Note that this implementation does not actually verify the client
certificates - no signatures are checked and no particular key usages are
enforced. However, some properties are enforced, such as validity periods.

Differential Revision: https://phabricator.services.mozilla.com/D68101

--HG--
rename : security/manager/ssl/tests/mochitest/browser/pgo-ca-regular-usages.pem.certspec => security/manager/ssl/tests/mochitest/browser/intermediate.pem.certspec
extra : moz-landing-system : lando
2020-04-06 21:56:18 +00:00
Dana Keeler db97e4855e Bug 1612587 - (1/2) simplify flow of client auth certificate selection to enable future improvements r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D68100

--HG--
extra : moz-landing-system : lando
2020-04-01 05:07:08 +00:00
Chris Martin 777045b2f1 Bug 1347710 - Make GPU sandbox allow access to shader cache r=bobowen
When the GPU sandbox is enabled, access to most of the filesystem is blocked.

The GPU process uses a directory, "%profiledir%/shader-cache", to cache
compiled shared for performance reasons. Not allowing access to that directory
results in a HUGE performance backslide when the sandbox is turned on.

Differential Revision: https://phabricator.services.mozilla.com/D67893

--HG--
extra : moz-landing-system : lando
2020-04-06 20:45:06 +00:00
sonakshi c2aaee8a41 Bug 1584797 - Remove unused aProxyService parameter from applyFilter method r=valentin
Differential Revision: https://phabricator.services.mozilla.com/D69679

--HG--
extra : moz-landing-system : lando
2020-04-06 20:21:03 +00:00
Brian Grinstead 30b9da5519 Bug 1623992 - Automated rewrite from chrome://global/skin/ to chrome://global/skin/global.css in markup r=marionette-reviewers,perftest-reviewers,mossop,whimboo,sparky
This was generated with

```
cp .gitignore .rgignore
rg -l -g '*.{html,xhtml}' 'href="chrome://global/skin/"' | xargs sed -i "" 's/href\="chrome:\/\/global\/skin\/"/href\="chrome:\/\/global\/skin\/global.css"/g'
```

Differential Revision: https://phabricator.services.mozilla.com/D67687

--HG--
extra : moz-landing-system : lando
2020-04-03 22:23:23 +00:00
J.C. Jones 6ac6057d92 Bug 1626636 - Vendor rust-cascade v0.6.0 r=keeler
Add salts, file format v2, SHA256 hash support, and logic inversion

Differential Revision: https://phabricator.services.mozilla.com/D69435

--HG--
rename : third_party/rust/rust_cascade/test_data/test_mlbf => third_party/rust/rust_cascade/test_data/test_v1_murmur_mlbf
rename : third_party/rust/rust_cascade/test_data/test_short_mlbf => third_party/rust/rust_cascade/test_data/test_v1_murmur_short_mlbf
extra : moz-landing-system : lando
2020-04-02 20:30:15 +00:00
ffxbld 03d8a2f376 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D69815

--HG--
extra : moz-landing-system : lando
2020-04-06 13:52:26 +00:00
jayati f6e62ade90 Bug 1599985 - Ensure that new cert viewer shows the full cert chain when viewing an intermmediate authority cert.r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D68527

--HG--
extra : moz-landing-system : lando
2020-04-04 06:37:44 +00:00
Kevin Jacobs d3ee51ff83 Bug 1621350 - land NSS NSS_3_51_1_RTM UPGRADE_NSS_RELEASE, r=jcj
2020-04-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.51.1 final
	[81a16f9b6562] [NSS_3_51_1_RTM] <NSS_3_51_BRANCH>

2020-04-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* .hgtags:
	Added tag NSS_3_51_1_BETA1 for changeset 581ed41d0a8d
	[99b5a3b50511] <NSS_3_51_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D69651

--HG--
extra : moz-landing-system : lando
2020-04-03 22:39:37 +00:00
Michael Froman fce38bc562 Bug 1626385 - allow shmem in linux sandbox for socket process to support profiler. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D69582

--HG--
extra : moz-landing-system : lando
2020-04-03 15:28:55 +00:00
Kevin Jacobs 86b088f103 Bug 1621350 - land NSS NSS_3_51_1_BETA1 UPGRADE_NSS_RELEASE, r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D69284

--HG--
extra : moz-landing-system : lando
2020-04-02 23:00:49 +00:00
ffxbld 11eaff63b3 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D69379

--HG--
extra : moz-landing-system : lando
2020-04-02 14:01:33 +00:00
Martin Thomson cbd463110b Bug 1626495 - Re-enable TLS 1.0 for release, r=keeler
This effectively backs out https://hg.mozilla.org/mozilla-central/rev/1d07ac23cc5a95bd8247054acd87883fc4585738

MozReview-Commit-ID: 8tI373kNU62

Differential Revision: https://phabricator.services.mozilla.com/D69149

--HG--
extra : moz-landing-system : lando
2020-04-01 15:24:12 +00:00
Markus Stange 8508c98750 Bug 1626115 - Add profiler label and marker for nsNSSComponent::InitializeNSS. r=florian
Differential Revision: https://phabricator.services.mozilla.com/D68932

--HG--
extra : moz-landing-system : lando
2020-03-31 18:45:23 +00:00