This is a test only method, and the fact that the operation is not sync
with socket process can possibly cause racy tests.
This patch adds an async version of clearSSLExternalAndInternalSessionCache
that returns a promise.
Differential Revision: https://phabricator.services.mozilla.com/D162153
There are tools which consume `moz.build` files by reading every one in
the tree, rather than traversing `DIRS` for a specific build type (see
bug 1667271 comment #89 for background); as a result, we can end up with
CI test jobs that try to run sandboxing tests on build types like Linux
ASan where `security/sandbox` isn't built, and fail.
This patch applies a suggested workaround: add an otherwise redundant
`skip-if` declaration to the test manifests to skip them on the platforms
where they're not part of the build.
Note that sandboxing is disabled in the presence of Linux ASan or TSan
by logic in `toolkit/moz.configure`, but for code coverage builds it's
done via the CI mozconfig files adding `--disable-sandbox`.
Differential Revision: https://phabricator.services.mozilla.com/D163411
Remove the unmaintained codesign.bash script.
Production builds are signed in automation using the Release Engineering script scriptworker-scripts/iscript.
Differential Revision: https://phabricator.services.mozilla.com/D161710
`SyncRunnable`'s helper functions take an `nsIRunnable *`; but the most
common way of building nsIRunnables, `NS_NewRunnableFunction`, returns
an `already_AddRefed<nsIRunnable>` instead. Add two new overloads of the
helper functions to eliminate the impedance mismatch.
(This does result in an uncomfortable amount of code duplication. While
we could eliminate that with appropriate use of SFINAE, it'll be simpler
if we wait for C++20 and its `requires` keyword.)
Additionally, add two explicitly-deleted overloads to catch and prevent
a previously-common antipattern that presumably resulted from this type
mismatch: accidentally wrapping the actual runnable in two layers of
`SyncRunnable`. Fix the former use-sites appropriately. (This was
probably harmless, but is also probably best avoided.)
No functional changes. This is in some sense a continuation of bug
1281626.
(This is no longer actually relevant to bug 1772908 due to a different
approach being taken. It remains in the patchset anyway, for
simplicity's sake.)
Differential Revision: https://phabricator.services.mozilla.com/D157131
2022-10-31 John M. Schanck <jschanck@mozilla.com>
* lib/util/secoid.c:
Bug 1798150 - on-demand initialization of OID tables. r=nss-reviewers,nkulatova
[4684102858e2] [tip]
2022-10-31 Anna Weine <anna.weine@mozilla.com>
* lib/freebl/mpi/primes.c, lib/ssl/dhe-param.c:
Bug 1792821 - Modification of the primes.c and dhe-params.c in order
to have better looking tables r=jschanck
[e512213db1c6]
2022-10-25 John M. Schanck <jschanck@mozilla.com>
* doc/rst/releases/index.rst, doc/rst/releases/nss_3_79_2.rst:
Documentation: Release notes for NSS 3.79.2
[ea50dc1087db]
Differential Revision: https://phabricator.services.mozilla.com/D160812
certManager is the only thing using it (both here and in comm-central,
excluding suite/).
There are better ways to do it generally, so just remove it from elsewhere.
Differential Revision: https://phabricator.services.mozilla.com/D160720
Because nsNSSComponent doesn't shut down NSS any longer, this test isn't
testing a valid configuration of gecko and can be removed.
Differential Revision: https://phabricator.services.mozilla.com/D160579
When gecko encounters multiple responses from the same host with substantially
the same HSTS information, the implementation shouldn't update DataStorage,
because that can cause unnecessary writes. "Substantially the same" means the
information is identical except for the expiration time, which can be up to a
day different.
Differential Revision: https://phabricator.services.mozilla.com/D159875
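The "substantially the same" rule above is small enough to show as code. The following is an added illustration, not Gecko's implementation: the `HstsEntry` layout, the field names and the one-day tolerance constant are assumptions made for the example; Gecko's DataStorage format is different.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-host HSTS record (assumed layout for this example). */
typedef struct {
    const char *host;          /* e.g. "example.com" */
    bool include_subdomains;   /* includeSubDomains directive present */
    int64_t expiry_ms;         /* absolute expiration, ms since the epoch */
} HstsEntry;

/* The tolerance described in the commit message: expiry may drift by up to a day. */
static const int64_t kHstsExpiryToleranceMs = 24LL * 60 * 60 * 1000;

/* "Substantially the same": identical except that the expiry time may differ
 * by at most kHstsExpiryToleranceMs. */
bool hsts_substantially_same(const HstsEntry *stored, const HstsEntry *incoming)
{
    if (strcmp(stored->host, incoming->host) != 0) return false;
    if (stored->include_subdomains != incoming->include_subdomains) return false;
    int64_t delta = llabs(stored->expiry_ms - incoming->expiry_ms);
    return delta <= kHstsExpiryToleranceMs;
}

/* Returns true when the new header should be persisted: either the host is
 * unknown, or something other than a small expiry drift changed. Skipping
 * the write in the other case is what avoids churning the backing store. */
bool hsts_should_write(const HstsEntry *stored, const HstsEntry *incoming)
{
    if (stored == NULL) return true;
    return !hsts_substantially_same(stored, incoming);
}
```

Note that a flipped includeSubDomains flag, or an expiry that moved by more than a day (for example a site lengthening its max-age), still triggers a write; only the routine refresh of the same policy is coalesced.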
The use of `-Xclang -Wall` somehow makes `-Wno-unknown-pragmas`
ineffective. `-Xclang -Wno-unknown-pragmas` does however work.
But we don't need to set `-Xclang -Wall` from the moz.builds in the first
place, as that's already done properly via warnings.configure (setting
-Wall on non-clang-cl and -W3 on clang-cl, which is the equivalent).
Differential Revision: https://phabricator.services.mozilla.com/D159366
In bug 1546720, nsNSSComponent::ShutdownNSS() stopped unloading the builtin
roots and osclientcerts modules to avoid crashes due to NSS' pervasive thread
safety issues. Since that function no longer unloads the builtin module, it
shouldn't need to wait until the task that loads it has completed. Hopefully
this will avoid some shutdown hangs.
Note that when NSS is finally shut down, all threads other than the main thread
have been joined, so there shouldn't be any concurrency concerns at that time.
Differential Revision: https://phabricator.services.mozilla.com/D159434
Defines the OCSP_AGE_AT_CRLITE_OVERRIDE histogram which records the age of an
OCSP response, in hours, when CRLite says a certificate is revoked and OCSP
says it's OK.
Differential Revision: https://phabricator.services.mozilla.com/D158991
Adds the CERT_REVOCATION_MECHANISMS histogram with bins "CRLite", "Stapled OCSP", "Cached OCSP", "OCSP", "OneCRL", and "Short Validity" to gauge how often we use each certificate revocation checking mechanisms. The Short Validity bin counts cases where a revocation check was not performed because the certificate had a short validity period. The other bin names are self-explanatory. We may use more than one mechanism per certificate, so we may accumulate to more than one bin per certificate.
Differential Revision: https://phabricator.services.mozilla.com/D158975
The current collection of preloaded intermediates is under 3MB. This should not
be a prohibitive amount for mobile users to download. Once downloaded, updates
to the collection are minimal and again should not be an issue.
Differential Revision: https://phabricator.services.mozilla.com/D159092
1. Allow storing more than one token per key.
2. Allow using the token only once. The token will be removed after reading it.
3. Add a gtest.
Differential Revision: https://phabricator.services.mozilla.com/D153605
As discussed in the last patch, allowing `fstatfs` will also make
`statfs` work on any path that the process could open for reading
(subject to sandbox policy).
Differential Revision: https://phabricator.services.mozilla.com/D157542
We have code to handle `statfs` calls in content processes by
intercepting them and calling `open` and `fstatfs` instead; the former
is then recursively intercepted and brokered. This patch moves that
feature into the common policy, but does not allow `fstatfs` in any
other sandbox types (yet; see next patch). This doesn't affect security
because the caller could have attempted the `open` and `fstatfs`
syscalls itself.
Differential Revision: https://phabricator.services.mozilla.com/D157541
These macros will produce better outputs when they fail than these existing
patterns using `ENSURE_TRUE(NS_SUCCEEDED(...))` or similar, so this is a bulk
rewrite of existing tests to use them.
It should also help with discoverability when people base their tests off of
other existing tests.
Differential Revision: https://phabricator.services.mozilla.com/D157214
This was previously disabled in bug 1673194 because of start up crashes.
It seems like msmpeg2vdec.dll may use dynamic code to support encrypted
code that it uses. In recent versions of Windows this only seems used
in the 32bit version. The 32bit version will opt out of ACG on the
threads where it needs to use VirtualProtect so we use the weaker
variant there.
Differential Revision: https://phabricator.services.mozilla.com/D153762
When setting an alternative desktop for the mf cdm process, it seems to
interfere with the media foundation framework and makes the video playback
stutter.
But if we call `SetAlternateDesktop(false)`, which won't create a new
window station, then the video playback won't be affected.
My guess is that there might be some internal performance issues
inside the media foundation framework when using the Dcomp API between
different window stations.
In addition, Chromium also didn't enable an alternative desktop for their
mf cdm process. So it makes sense to us to disable that as well.
Differential Revision: https://phabricator.services.mozilla.com/D155026
Create a new type of utility process which would be used for media
foundation media engine CDM usage. The media engine is a media pipeline
provided by the Windows Media Foundation, and our final goal is to use
that pipeline to play encrypted content in order to achieve Widevine L1
protection to allow users to watch high resolution videos.
Differential Revision: https://phabricator.services.mozilla.com/D154033
Previously, instantiating an nsIX509Cert (implemented by nsNSSCertificate)
would cause NSS to be initialized. However, if 'new nsNSSCertificate()' was
called directly (rather than going through XPCOM), NSS would not be
initialized. This didn't seem to be a problem until bug 1787942 changed how
nsITransportSecurityInfo was sent between processes for PHttpChannel and
HttpChannelOnStartRequestArgs (namely, by using the direct IPC support rather
than first serializing to a string, sending it over IPC, and then deserializing
it). That direct IPC implementation uses 'new nsNSSCertificate()', which is now
a problem.
nsNSSCertificate used to make extensive use of NSS, which warranted ensuring
NSS was initialized before creating one at all. Now, as of bug 1748341, the
cases where nsNSSCertificate uses NSS are limited and clearly delineated.
Accordingly, this change makes it so nsNSSCertificate only initializes NSS if
and when it needs it, rather than relying on the XPCOM boilerplate to
initialize NSS first.
Differential Revision: https://phabricator.services.mozilla.com/D156353
In preparation for making nsISocketTransport.securityInfo a concrete type
(nsITransportSecurityInfo), nsITLSServerConnectionInfo needs to be moved off of
securityInfo. securityCallbacks seems like a reasonable place.
Differential Revision: https://phabricator.services.mozilla.com/D154256
This makes it easier to get parity between legacy and regular flex
without having to either have tons of arbitrary attribute selectors in
the xul sheet, nor adding attribute lookup hacks to the html flexbox
layout.
Also, reimplement the remaining supported flex attribute-values (0 and 1)
purely in terms of CSS rules in xul.css (regardless of whether
emulate-moz-box-with-flex is enabled).
In practice these are pretty uncommon and the style attribute does the
trick in every case I've tried.
Add a debug-only assertion to ensure we preserve behavior for now.
Add a new test with another behavior difference between flexbox
emulation and old xul layout because the old reftest now passes. Use
replaced elements, which in modern flex are treated differently.
Differential Revision: https://phabricator.services.mozilla.com/D154394
When generating code for arrays of interfaces from the rust-xpidl
compiler, the type was declared incorrectly as ThinVec<RefPtr<T>>
instead of ThinVec<Option<RefPtr<T>>> meaning that null values in the
array would be handled incorrectly.
This patch fixes this code generation mistake and updates crates using
the interface to handle null values correctly.
Differential Revision: https://phabricator.services.mozilla.com/D153485
These constructors are unnecessary and can be defined with a `using` statement,
making it easier to change all constructors simultaneously.
Differential Revision: https://phabricator.services.mozilla.com/D153620
This improves consistency with the child process case, and will make it easier
to attach additional state without needing to thread it through every child
process callsite manually.
Differential Revision: https://phabricator.services.mozilla.com/D153619
This type is also used in other places to start non-initial actors, and will
allow us to attach additional state more easily without needing to thread it
through every child process callsite manually.
Differential Revision: https://phabricator.services.mozilla.com/D153618
We uninstall signal handlers in child processes after clone(), because
they probably won't do the right thing if invoked in that context.
However, the current code also resets signals which were ignored;
if that disposition was set by an outside program like `nohup`, the
expectation is that it should be inherited. This patch omits those
signals when resetting handlers (similar to what `exec` does).
Differential Revision: https://phabricator.services.mozilla.com/D151336
These tests set up an ECH server which will only negotiate http/1.1 in the TLS ALPN extension.
If the client doesn't send an ALPN offering at least http/1.1 the connection will fail with
SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL.
Differential Revision: https://phabricator.services.mozilla.com/D153368
The biggest set of APIs from ns[T]StringObsolete which are still heavily used
are the string searching APIs. It appears the intention was for these to be
replaced by the `FindInReadable` APIs, however that doesn't appear to have
happened.
In addition, the APIs have some quirks around their handling of mixed character
widths. These APIs generally supported both narrow strings and the native
string type, probably because char16_t string literals weren't available until
c++11. Finally they also used easy-to-confuse unlabeled boolean and integer
optional arguments to control behaviour.
These patches do the following major changes to the searching APIs:
1. The ASCII case-insensitive search method was split out as
LowerCaseFindASCII, rather than using a boolean. This should be less
error-prone and more explicit, and allows the method to continue to use
narrow string literals for all string types (as only ASCII is supported).
2. The other [R]Find methods were restricted to only support arguments with
matching character types. I considered adding a FindASCII method which would
use narrow string literals for both wide and narrow strings but it would've
been the same amount of work as changing all of the literals to unicode
literals.
This ends up being the bulk of the changes in the patch.
3. All find methods were re-implemented using std::basic_string_view's find
algorithm or stl algorithms to reduce code complexity, and avoid the need to
carry around the logic from nsStringObsolete.cpp.
4. The implementations were moved to nsTStringRepr.cpp.
5. An overload of Find was added to try to catch callers which previously
called `Find(..., false)` or `Find(..., true)` to set case-sensitivity, due
to booleans normally implicitly coercing to `index_type`. This should
probably be removed at some point, but may be useful during the transition.
Differential Revision: https://phabricator.services.mozilla.com/D148300
This patch moves EqualsIgnoreCase to ns[T]StringObsolete, and removes
the aCount argument, instead migrating callers to use `StringBeginsWith`
with a case-insensitive comparator.
In addition, nsTStringRepr::Compare was removed and replaced with either
calls to methods like `StringBeginsWith` or the global `Compare` method.
These changes required some modifications at call-sites but should make
the behaviour less surprising and more consistent.
Differential Revision: https://phabricator.services.mozilla.com/D148299
`strerror` is async signal unsafe, and we're using it in contexts where
that's a problem: in particular in the child process after `clone()`ing,
where it can deadlock if it takes locks the parents' other threads had
held (or cause other undefined behavior), but also in the SIGSYS handler
if it's nested inside an async signal. It's also thread-unsafe.
This is mostly a mechanical replacement with the new `SANDBOX_LOG_ERRNO`
or `SANDBOX_LOG_WITH_ERROR`; two messages had the error string in the
middle and have been adjusted.
Differential Revision: https://phabricator.services.mozilla.com/D152099
This adds two new logging macros, which are intended to be async signal
safe:
* `SANDBOX_LOG_ERRNO`, which appends the error similarly to `perror` but
uses the error identifier (e.g., `EINVAL` instead of `Invalid argument`).
Unlike `perror`, formatting directives are available as for `SANDBOX_LOG`.
* `SANDBOX_LOG_WITH_ERROR` is the same thing but the error number is the
first argument instead of using `errno`; this is useful for newer POSIX
APIs which return an error number.
This will be used in the next patch to replace the existing use of
`strerror`, which is not async signal safe (or thread-safe).
Differential Revision: https://phabricator.services.mozilla.com/D152098
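Both of the sandbox logging commits above (the one introducing `SANDBOX_LOG_ERRNO`/`SANDBOX_LOG_WITH_ERROR` and the one replacing `strerror` with them) turn on the same constraint: in a post-`clone()` child or inside a SIGSYS handler, only async-signal-safe calls are allowed, which rules out `strerror`, `perror` and `fprintf`. The following added example (not Gecko's macros; the function names and the partial errno table are this page's own) shows the shape of such a logger: a static name table instead of `strerror`, hand-rolled formatting into a caller-supplied buffer, and `write(2)` for output.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* errno -> identifier, with no locale or allocation involved. A real table
 * would enumerate every value for the platform; this one is deliberately
 * partial and falls back to the number. */
static const char *errno_name(int err)
{
    switch (err) {
    case EACCES: return "EACCES";
    case EINVAL: return "EINVAL";
    case ENOENT: return "ENOENT";
    case ENOSYS: return "ENOSYS";
    case EPERM:  return "EPERM";
    default:     return NULL;
    }
}

/* Append src to buf at *pos, always NUL-terminating and truncating silently. */
static void append(char *buf, size_t cap, size_t *pos, const char *src)
{
    while (*src && *pos + 1 < cap) buf[(*pos)++] = *src++;
    buf[*pos] = '\0';
}

/* Decimal formatting without snprintf, which POSIX does not list as
 * async-signal-safe. Handles negative values, including INT_MIN. */
static void append_int(char *buf, size_t cap, size_t *pos, int v)
{
    char digits[16];
    size_t n = 0;
    unsigned u = v < 0 ? 0u - (unsigned)v : (unsigned)v;
    do { digits[n++] = (char)('0' + u % 10); u /= 10; } while (u);
    if (v < 0) append(buf, cap, pos, "-");
    while (n) { char c[2] = { digits[--n], '\0' }; append(buf, cap, pos, c); }
}

/* Analogue of SANDBOX_LOG_WITH_ERROR: "msg: ENAME", or "msg: errno N" when
 * the value is not in the table. Returns the number of bytes written to buf. */
size_t format_log_with_error(char *buf, size_t cap, const char *msg, int err)
{
    size_t pos = 0;
    append(buf, cap, &pos, msg);
    append(buf, cap, &pos, ": ");
    const char *name = errno_name(err);
    if (name) {
        append(buf, cap, &pos, name);
    } else {
        append(buf, cap, &pos, "errno ");
        append_int(buf, cap, &pos, err);
    }
    return pos;
}

/* Analogue of SANDBOX_LOG_ERRNO: same, but the error comes from errno.
 * errno is captured first so nothing in the formatting path can clobber it. */
size_t format_log_errno(char *buf, size_t cap, const char *msg)
{
    int saved = errno;
    return format_log_with_error(buf, cap, msg, saved);
}

/* Emit the line with write(2), which is async-signal-safe (stdio is not). */
void log_line(int fd, const char *line, size_t len)
{
    ssize_t r = write(fd, line, len);
    (void)r;
    r = write(fd, "\n", 1);
    (void)r;
}
```

Two details carry over to any logger used in these contexts: the buffer is the caller's, so nothing allocates, and the errno value is read before any other call is made, since even a successful library call may leave errno modified.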
Originally this was written for B2G and used the Android logging
facility, which (like syslog) includes a severity level. However, all
current usage is on desktop where we just write to stderr, and there was
never much demand to add support for any log levels besides "error".
More importantly for the current situation, renaming the macro to
`SANDBOX_LOG` avoids confusion between `SANDBOX_LOG_ERROR` and
`SANDBOX_LOG_ERRNO` (or `SANDBOX_LOG_ERROR_ERRNO` or whatever).
Differential Revision: https://phabricator.services.mozilla.com/D152097
Two minor things I noticed while converting the existing sandbox logging:
1. One call site was using %u, but that doesn't exist in this printf
dialect, only %d; signedness is determined by the actual argument
type via template magic.
2. POSIX functions that return an error number just return the number;
there was one place that was negating it before use, as if it had
come from the Linux syscall ABI.
Differential Revision: https://phabricator.services.mozilla.com/D152096
This prevents copies and avoids the hack we have to avoid this, which
right now is using nsDependent{C,}String.
Non-virtual actors can still use `nsString` if they need to on the
receiving end.
Differential Revision: https://phabricator.services.mozilla.com/D152519
This patch adds two new telemetry histograms which collect specific types
of TLS handshake separately from existing handshakes.
- The conservative histogram tracks handshakes used for essential connections (e.g. update checks)
- The first-try histogram tracks all initial connection attempts. This allows us to identify issues that might otherwise be masked by our retry logic.
A single handshake may belong to more than one histogram. All handshakes belong to the root histogram.
As the histogram buckets are aligned, it is possible to derive new histograms from these stored results.
For example, as ECH GREASE is only used on first-try handshakes, the histogram from non-GREASE first-try
handshakes can be calculated by subtracting the entries in the GREASE histogram from the first-try histogram.
This patch also extends the existing handshake necko tests to verify that the telemetry is recorded correctly.
Telemetry checks don't run if networking is running on the socket process as the histograms are no longer
accessible.
Differential Revision: https://phabricator.services.mozilla.com/D150754
If nsNSSSocketInfo::mFd is nullptr, it means the connection has been closed.
This isn't an error, and ClientAuthCertificateSelected shouldn't assert if this
happens.
Differential Revision: https://phabricator.services.mozilla.com/D151962
Cleanup our entitlement files by removing entitlements that use the default setting of false.
production.entitlements.xml and developer.entitlements.xml are used today.
The browser and plugin-container entitlement lists will be used when we enable using different entitlements for parent and child processes.
Differential Revision: https://phabricator.services.mozilla.com/D151943