Adds content sandbox metadata to parent and child crash reports:
Includes the value of pref security.sandbox.content.level,
whether or not the system is capable of sandboxing, if the
sandbox was successfully turned on, and (on Linux systems)
the sandbox capabilities flags.
New crash report keys:
"ContentSandboxLevel" in parent and content
"ContentSandboxCapable" in parent
"ContentSandboxEnabled" in content
"ContentSandboxCapabilities" in content on Linux
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
(r=ckerschb,r=mayhemer,r=jld,r=smaug,r=dkeeler,r=jmaher,p=ally)
chooseCertificate() currently uses a concatenation of the Common Name of the
server cert and the port of the server to allow the user to identify the server
requesting client authentication. Unfortunately, this approach is flawed, since
it doesn't take into account things like SAN entries, which might be very
different from the CN.
Using the hostname instead avoids this problem.
MozReview-Commit-ID: 6XjGCknWNi9
--HG--
extra : transplant_source : k%10N%7B%E8%A4%9B%C9%9A%23Q%D1%99%D2%A3%C0.%2B%7F%A5
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
(r=ckerschb,r=mayhemer,r=jld,r=smaug,r=dkeeler,r=jmaher,p=ally)
HSTS priming changes the order of mixed-content blocking and HSTS
upgrades, and adds a priming request to check if a mixed-content load is
accesible over HTTPS and the server supports upgrading via the
Strict-Transport-Security header.
Every call site that uses AsyncOpen2 passes through the mixed-content
blocker, and has a LoadInfo. If the mixed-content blocker marks the load as
needing HSTS priming, nsHttpChannel will build and send an HSTS priming
request on the same URI with the scheme upgraded to HTTPS. If the server
allows the upgrade, then channel performs an internal redirect to the HTTPS URI,
otherwise use the result of mixed-content blocker to allow or block the
load.
nsISiteSecurityService adds an optional boolean out parameter to
determine if the HSTS state is already cached for negative assertions.
If the host has been probed within the previous 24 hours, no HSTS
priming check will be sent.
(r=ckerschb,r=mayhemer,r=jld,r=smaug,r=dkeeler,r=jmaher,p=ally)
Callers should use a UniquePtr to hold the platform handle.
MozReview-Commit-ID: 6BWnyAf4b3a
--HG--
extra : transplant_source : %26%CA%0D%28%08%9BT%97Z%A1%3Dq%CD%21%A1_%EFE%83%0E
extra : histedit_source : 77f8ed3d0fdec6cce0c95469130ade0fb547bb91
The WebRTC implementation inherits cipher suite preferences from PSM and then
enables a few mandatory ones and disables a number of undesirable ones. If PSM
makes a change to a cipher suite preference that isn't in WebRTC's whitelist or
blacklist, compatibility issues can arise. See bug 1288246 for an example.
--HG--
rename : security/manager/ssl/tests/unit/test_fallback_cipher.js => security/manager/ssl/tests/unit/test_weak_crypto.js
Bug 1084025 added this telemetry to measure the impact of bumping the fallback limit.
But we already bumped the fallback limit to TLS 1.2 long before. We will not need this kind of telemetry until we bump the fallback limit to TLS 1.3 that will not happen in the near future. So let's just remove wasting resource for now.
MozReview-Commit-ID: 22o8FirlYql
--HG--
extra : rebase_source : c04b6a7aa7bf8970b22c24dcb1d8f0184330cb43
nsIX509Cert provided the APIs getUsagesArray, requestUsagesArrayAsync, and
getUsagesString. These APIs were problematic in that the synchronous ones would
cause certificate verification to block the main thread and the asynchronous one
was needlessly indirect in its definition (it made use of two additional
special-case xpidl types) and needlessly complex in its implementation (it
required nsNSSComponent to manually manage a background thread without the aid
of recent improvements in that area (e.g. CryptoTask)). Furthermore, these APIs
would return string descriptions of the usages the certificate in question had
been verified for rather than using more concrete identifiers or values. This
paradigm is usable but imprecise. The new nsIX509CertDB API
asyncVerifyCertAtTime is much more expressive, enforces off-main-thread
computation, and makes use of CryptoTask for a simple implementation. Using this
API, previous uses of the old nsIX509Cert APIs can be replaced. As an additional
benefit, this removes a ton of obsolete C++ code.
MozReview-Commit-ID: KXVTcjAKehu
--HG--
extra : rebase_source : 50c51f73b2b61ed0ad4dc9702cc5df470ce998bc
The changes in bug 1217602 missed that browser_certViewer.js should have been
updated to use a nsIDialogParamBlock instead of a (mock) nsIPKIParamBlock.
"Luckily" the test harness completely ignored the errors resulting from this
oversight.
MozReview-Commit-ID: JlA62L5PPW8
--HG--
extra : rebase_source : ec06cd026f3aec8cc7a7c032cd1c9a9c5a8e9536
This removes the unnecessary setting of c-basic-offset from all
python-mode files.
This was automatically generated using
perl -pi -e 's/; *c-basic-offset: *[0-9]+//'
... on the affected files.
The bulk of these files are moz.build files but there a few others as
well.
MozReview-Commit-ID: 2pPf3DEiZqx
--HG--
extra : rebase_source : 0a7dcac80b924174a2c429b093791148ea6ac204
jprof is an in-tree profiling tool that runs on Linux.
This fixes the error:
Sandbox: seccomp sandbox violation: pid 29698, syscall 38, args 0 140731305513136 0 830 22509600 1. Killing process.
Sandbox: crash reporter is disabled (or failed); trying stack trace:
Sandbox: frame #01: __GI_setitimer (/build/glibc-GKVZIf/glibc-2.23/time/../sysdeps/unix/syscall-template.S:84)
Sandbox: frame #02: startSignalCounter(unsigned long) (.../mozilla-central/mozilla/tools/jprof/stub/libmalloc.cpp:464)
which occurs during shutdown when running with jprof enabled via the
JPROF_FLAGS environment variable containing JP_DEFER without actually
sending the signal to start jprof. It presumably occurs sooner if jprof
is actually used either via JP_START or by senging a SIGPROF/SIGALRM.
With the patch, these steps run to completion.
MozReview-Commit-ID: Fx4tzEyqIj2
--HG--
extra : transplant_source : %2AU%15F%8A%C5%E6%1D%03%20%1B%F6W%E9%EB%DA%8F%E7f%5D
fork() will now fail with EPERM instead of crashing; see code comment
and bug for more info. Tested with GTK3 Oxygen theme and SCIM, which
both seem to work. Also verified that GMP child processes still crash
on fork().
--HG--
extra : rebase_source : 267c4cb892b691502a9d7760bca4d23fee3fe449
PSM JS code already pass these rules, so enabling these rules will just help
catch future bugs.
MozReview-Commit-ID: AXM2VoG8jBP
--HG--
extra : transplant_source : 4h%89%5BV7%C6%FB%B2%80%CE%B16%DC%22%BA%20%09%FB%92
For some reason libfontconfig really Needs To Know.
MozReview-Commit-ID: KSET8D5h9xf
--HG--
extra : rebase_source : 10c5df6a4b8b85be120a9828686d0c63e3fff5d4
There are a few places in nsNSSCertificateDB.cpp where the following is done:
1. GetRawDER() is called on a nsIX509Cert to obtain the DER representation of
the cert.
2. The DER is used to construct a CERTCertificate for use with NSS functions.
This step of converting to the DER is unnecessary, since GetCert() will provide
an already constructed CERTCertificate.
MozReview-Commit-ID: 35KMYI7dCXc
--HG--
extra : transplant_source : %CA%ED%AC/%E3%29D%BB%8D%0F%A9Y%19%B2%E7a%1B%BE%ADv
This API (nsIX509CertDB.asyncVerifyCertAtTime) will eventually replace
nsIX509Cert.getUsagesArray, nsIX509Cert.requestUsagesArrayAsync, and
nsIX509Cert.getUsagesString because those APIs are architecturally problematic
and don't give very precise information in any case.
MozReview-Commit-ID: OzQaBnDRIo
--HG--
extra : rebase_source : 270de8dfa5ed5221a1e012661161842c0afb3e70
There are a few places in PSM where the result of an NSS function returning
char* is adopted by e.g. an nsXPIDLCString, which will use the wrong deallocator
when the string eventually gets destroyed.
This is basically Bug 1281564, but the free() call is buried within the Mozilla
string code instead.
MozReview-Commit-ID: HVSMyRpLnjS
--HG--
extra : transplant_source : Msmc%DB%16%23%87%00%A1%05%ABB%0BD%97%3B%A1%E7x
For 32-bit Linux 4.3+, always add socketcall dispatcher even if relevant
syscalls are known, because both entry points will exist.
See Linux kernel commit:
commit 9dea5dc921b5f4045a18c63eb92e84dc274d17eb
Author: Andy Lutomirski <luto@kernel.org>
Date: Tue Jul 14 15:24:24 2015 -0700
x86/entry/syscalls: Wire up 32-bit direct socket calls
MozReview-Commit-ID: I3GEvolGfsR
--HG--
extra : rebase_source : c358a6d39d9bf5701150e58f1002f6c6dc91cd6f
Nothing in the file requires functionality provided by the CPP unit test harness,
so making the file a GTest makes it more accessible.
MozReview-Commit-ID: FaAtF0blCwV
--HG--
rename : security/manager/ssl/tests/compiled/TestMD4.cpp => security/manager/ssl/tests/gtest/MD4Test.cpp
extra : transplant_source : edV%1F%0B97%1B%25%FA%0ABH%14%F5%A2Ms/%7E
Currently, running all the PSM GTests involves providing a filter that catches
all the various tests. This is annoying and error prone.
The changes here make running all PSM GTests as easy as:
mach gtest "psm*"
MozReview-Commit-ID: EqaysNvwJaQ
--HG--
extra : transplant_source : %0CCM%99%12%18%8D%B9%DD%84%0C%A06%0Ba%AD%A7%EB%B3%FB
Previously this implementation would use the expected names of the built-in
module and slot to get a handle on them. This doesn't work on distributions that
use other names. The new implementation searches through the slots from the
default module list for one where PK11_HasRootCerts returns true (which
indicates that NSS considers that slot to contain the default built-in root
list).
MozReview-Commit-ID: LmX27hQfFJU
--HG--
extra : rebase_source : 50383dcc77257fe08ce2c7d908e95cda7c4bbe9d
This makes the certificate viewer able to shrink itself down a bit on small
screen sizes. Without this patch, the "Close" button would be off the screen on
small resolutions like 1024x768. On larger screen sizes, this patch should have
no effect on the initial size of the certificate viewer window (although it now
can be made smaller manually).
MozReview-Commit-ID: IET9dxx23Xc
--HG--
extra : rebase_source : 487c88d626df7184502226b9ce02410adc504f12
This provides implementations of ChooseCertificate() with more flexibility, and
allows callers of ChooseCertificate() to be less complex.
A portion of this work involves reimplementing
nsNSSCertificate::FormatUIStrings() in JS and improving UI strings for l10n.
MozReview-Commit-ID: CE7Uc2ntwmZ
--HG--
extra : transplant_source : R%A8eC%CEO2%DC%20%F7%B4V%F3g%E6h%EB%D5%8D3
This fixes the following in the IDL:
1. Misleading or unclear parameter names in the IDL. |cn| in practice is the
concatenation of the CN of the server cert and the port of the server, and
|issuer| is the Organization of the issuer cert of the server cert.
2. Use of the |wstring| type. |AString| is generally preferred, and has the
benefit of letting implementations skip null checks due to the use of
references.
3. Using an explicit |canceled| outparam instead of just setting a return type.
There is no need for the outparam if the return type can be used.
4. Using |long| (int32_t) for |selectedIndex|. |unsigned long| (uint32_t) is
more logical, and paves the way for future changes.
This fixes the following in the Android implementation:
1. Lack of checks to ensure the QueryInterface() call succeeded. In practice,
the call will always succeed, but it's good practice to check anyways.
2. Setting a variable to an nsIPrefService instance initially, then later
setting it to a pref branch instance later on. This is confusing and
unnecessary.
This fixes the following in the desktop implementation:
1. Lack of null pointer checking.
2. Trying to get a parent window ref off a context that doesn't actually support
doing so.
3. Setting a variable to an nsIPrefService instance initially, then later
setting it to a pref branch instance later on. This is confusing and
unnecessary.
4. Abusal of the CAPS bundle.
5. Unnecessary variables.
6. Variables declared far away from where they are used.
7. Variable shadowing.
8. Style issues.
9. Lack of documentation.
This also fixes the following:
1. Lack of localisation notes.
MozReview-Commit-ID: FTc6XecJd6h
--HG--
extra : transplant_source : %ABQ%8F%E6%A3%25%FE%94%E4%D6X%3D%28%2C%05%5E%FB%84.-
This allows nsNSSCertificate::FormatUIStrings() to be reimplemented in JS, which
is a necessary step for making nsIClientAuthDialogs::ChooseCertificate() pass an
nsIArray of nsIX509Certs.
Also removes some deprecated and unused constants.
MozReview-Commit-ID: CJITKVlUEtP
--HG--
extra : transplant_source : %1C%09%B2%B5%F4%C4%28%1A%B2%E5%CFsu%8B%B6W%8El%9Cn
There are a few places in PSM where free() is used to free memory allocated by
NSS instead of PORT_Free() (or higher level deallocation functions that end up
calling PORT_Free()).
In practice, PORT_Free() is just a wrapper around PR_Free(), which is just a
wrapper around free() if we don't ask NSPR to use a zone allocator.
Gecko explicitly tells NSPR not to use a zone allocator, so the changes here are
mainly for making the code more obviously correct.
This patch also includes some misc cleanup.
MozReview-Commit-ID: 9Ccg5OwlhWR
--HG--
extra : rebase_source : 768979a4bedb1cbdab2398d2a416429d9a241dd6
4361f2ad66
renamed transport_security_state_static.certs to
transport_security_state_static.pins, so the URL needs to be updated to avoid
a 404.
MozReview-Commit-ID: 1FmYdi0mMcI
--HG--
extra : rebase_source : 25ebf2290cab6ee12f98bc65972b696c45d506d0
This is safe because TLS Feature checks have already been done when connecting
to the site in the first place.
MozReview-Commit-ID: HfbcrAv4bCJ
--HG--
extra : rebase_source : d1f22c1a4e2c8535e10bd071c937a1aac7b8e2fd
The preprocessor token HAVE_ANDROID_OS configures 'android_filesystem_config.h'
to include the correct header files from the environment.
MozReview-Commit-ID: oKwdjzDjij
The preprocessor token HAVE_ANDROID_OS configures 'android_filesystem_config.h'
to include the correct header files from the environment.
MozReview-Commit-ID: oKwdjzDjij
Prior to these changes, GetSymKeyByNickname() could theoretically leak. This
should not happen in practice, so the changes here just ensure that the code
doesn't cause leaks.
MozReview-Commit-ID: LWtqLmsBPV2
--HG--
extra : transplant_source : rWE%CD%D8%A7%87%3C%95%03%B5%03E%3E%06E%C7O%0D%F6
Create a base "nsIU2FToken" interface that all tokens must implement. This
patch does not change U2F.cpp from initializing tokens monolithically, but
if/when future tokens are added, the implementer may want to do that.
MozReview-Commit-ID: GQuu6NolF4D
--HG--
extra : transplant_source : %3Fi%8E%C4n%BF%C1%DB%DB%03HjG%B5%9Ct%9EMWH
Andi-Bogdan Postelnicu
Bob Owen
Julian Hector
Haik Aftandilian
Kate McKinley
Cykesiopka
Iris Hsiao
Franziskus Kiefer
Carsten "Tomcat" Book
Wei-Cheng Pan
David Keeler
Wes Kocher
Gian-Carlo Pascutto
Chris Peterson
Masatoshi Kimura
Thomas Zimmermann
Tom Tromey
L. David Baron
Jed Davis
Tim Taubert
Johann Hofmann
Richard Barnes
Gregory Szorc
Sergei Chernov
Mark Goodwin
Kai Engert
Onno Ekker
Sebastian Hengst
Gabor Krizsanits
ffxbld
Jonas Sicking
J.C. Jones
Julian Seward
Ryan VanderMeulen
Alexandre Lissy