To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the macOS backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74985
There's no use case for stateful comparators, so they can be just plain
function pointers.
This is used in some hot places like CSS selector matching.
Differential Revision: https://phabricator.services.mozilla.com/D77084
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.
It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.
Differential Revision: https://phabricator.services.mozilla.com/D75448
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.
I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.
Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.
Differential Revision: https://phabricator.services.mozilla.com/D75447
This is mostly changes to handle retrieving the security state asynchronously via the parent process, needing lots of async/await additions.
It also removes the docshell mixed content flag checks (which don't seem to be used in code, only tests), which are mostly still covered by checks of the security UI.
Differential Revision: https://phabricator.services.mozilla.com/D75448
This removes all docshell nsISecureBrowserUI and mixed content properties, and moves them into CanonicalBrowsingContext/WindowGlobalParent. It makes the mixed content blocker just compute the state for the current load, and then send the results to the parent process, where we update the security state accordingly.
I think we could in the future remove onSecurityChange entirely, and instead just fire an event to the <browser> element notifying it of changes to the queryable securityUI.
Unfortunately we have a lot of existing code that depends on specific ordering between onSecurityChange and onLocationChange, so I had to hook into the RemoteWebProgress implementation in BrowserParent to mimic the same timings.
Differential Revision: https://phabricator.services.mozilla.com/D75447
We have evidence that some sites have disabled ciphersuites with SHA-1-based
MACs due to attacks against SHA-1 (disregarding the fact that these attacks
don't necessarily apply to HMAC-SHA-1) while still relying on RSA key exchange.
Before this patch, PSM did not enable any ciphersuites with RSA key exchange
and non-SHA-1-based MACs. Consequently, Firefox would be unable to connect to
these sites while other browsers would.
This patch enables TLS_RSA_WITH_AES_128_GCM_SHA256 and
TLS_RSA_WITH_AES_256_GCM_SHA384, which are the only two ciphersuites (other
than grease) that Chrome enables that Firefox did not (before this patch).
Differential Revision: https://phabricator.services.mozilla.com/D76543
2020-05-22 J.C. Jones <jjones@mozilla.com>
* lib/freebl/altivec-types.h, lib/freebl/ppc-crypto.h:
Bug 1629414 - Guard USE_PPC_CRYPTO and VSX types with __VSX__ and
__ALTIVEC__ r=kjacobs
This avoids build errors on non-VSX architectures even when not
compiling the POWER accelerated code.
[c7a1c91cd9be] [tip]
2020-05-21 Jeff Walden <jwalden@mit.edu>
* lib/freebl/aes-x86.c:
Bug 1639033 - Use unsigned int for a loop counter to eliminate a
signed-unsigned comparison warning in aes-x86.c. r=kjacobs
Depends on D75847
[e23fe363fa05]
* lib/freebl/ec.c:
Bug 1639033 - Used unsigned int instead of int in a few places in
ec.c to eliminate signed-unsigned comparison warnings. r=kjacobs
Depends on D75846
[0d778b0e778f]
* lib/freebl/cmac.c:
Bug 1639033 - Use unsigned int rather than int for two variables to
eliminate a bunch of signed-unsigned comparison warnings. r=kjacobs
Depends on D75845
[df5c8f6430a0]
* lib/freebl/mpi/mplogic.c, lib/freebl/mpi/mplogic.h:
Bug 1639033 - Use unsigned int for various count variables in
mplogic.c to eliminate signed-unsigned comparison warnings.
r=kjacobs
Depends on D75844
[ce5b8b7e010c]
* lib/freebl/aeskeywrap.c:
Bug 1639033 - Use size_t for loops up to sizeof(T) in aeskeywrap.c
to eliminate some signed-comparison warnings. r=kjacobs
Depends on D75843
[563a7cd7484b]
* lib/softoken/pkcs11i.h, lib/softoken/sftkike.c:
Bug 1639033 - Change +sftk_xcbc_mac_pad's block-size argument to be
unsigned int to avoid sign-comparison warnings. r=kjacobs
Depends on D75842
[a5f80d0805ca]
2020-05-22 Jeff Walden <jwalden@mit.edu>
* lib/jar/jar.c:
Bug 1639033 - Use the jarType enum type, not int, for certain
variables and arguments in jar.c -- for greater precision, and to
avoid sign-comparison warnings. r=kjacobs
Depends on D75841
[e65dd5c2cf86]
2020-05-19 Jeff Walden <jwalden@mit.edu>
* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h:
Bug 1639033 - Make all |moduleIndex| variables in pkcs11.c be
unsigned, to eliminate a -Wsign-compare warning. r=kjacobs
Depends on D75840
[6512178a58f5]
* cmd/lib/basicutil.c:
Bug 1639033 - Fix signed-unsigned comparison warning in basicutil.c.
r=kjacobs
[98390eef50a1]
2020-05-22 Martin Thomson <mt@lowentropy.net>
* lib/ssl/sslencode.c:
Bug 1640041 - Don't memcpy nothing, r=jcj
Depends on D76421
[8d7c96ab80a7]
* lib/ssl/sslsock.c:
Bug 1640042 - Don't memcpy nothing, r=jcj
[1a634da46b87]
* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
gtests/ssl_gtest/ssl_recordsep_unittest.cc,
gtests/ssl_gtest/tls_connect.cc, lib/ssl/ssl.h, lib/ssl/ssl3gthr.c,
lib/ssl/sslimpl.h, lib/ssl/sslsock.c, lib/ssl/tls13con.c:
Bug 1639413 - Option to disable TLS 1.3 EndOfEarlyData message,
r=kjacobs
This adds the ability to disable EndOfEarlyData.
On the client this is relatively simple, you just turn the message
off.
The server is complicated because the server uses this to drive the
installation of the right keys. Without it, things get very messy.
Thus, I have decided that this is best left to the
SSL_RecordLayerData interface. That needs an ugly hack in order to
let the new data to pass, but the damage is otherwise relatively
minor, apart from one obvious thing.
We never really built the SSL_RecordLayerData API to take
application data. It only did that to support testing of the
functions. Now that we have to deal with this new wrinkle, adding
support for 0-RTT is necessary. This change does that. That requires
a barrage of new checks to see if application data is acceptable.
And then early data is captured in a completely different way, which
adds another layer of awfulness.
Note that this exposes us to the possibility that Certificate or
Finished are received in early data when using SSL_RecordLayerData
and this option. I don't think that fixing that is worthwhile as it
requires tracking the epoch of handshake messages separate to
ss->ssl3.crSpec and the epoch only really exists on that API so that
applications don't accidentally do bad things. In QUIC, we
specifically block handshake messages in early data, so we have
ample protection.
[10325739e149]
Differential Revision: https://phabricator.services.mozilla.com/D76572
This matches how the `Dispatch(already_AddRefed<nsIRunnable>)`
overloads work in C++: `Dispatch` takes ownership of the runnable, and
leaks it if dispatch fails—because the thread manager is shutting down,
for instance. This avoids a race where a runnable can be released on
either the owning or target thread.
Rust doesn't allow arbitrary `Self` types yet (see
rust-lang/rust#44874), so we need to change `dispatch` and
`dispatch_with_options` to be associated methods.
Differential Revision: https://phabricator.services.mozilla.com/D75858
This function ought to be declared by `winapi`, but is not, for whatever
reason. However, its definition is stable enough that we can just
declare it inline rather than invoking bindgen every single build (and
unnecessarily compiling a build script on non-windows platforms) to
discover its definition for us.
Differential Revision: https://phabricator.services.mozilla.com/D76015
2020-05-19 Robert Relyea <rrelyea@redhat.com>
* lib/freebl/dsa.c:
Bug 1631576 - Force a fixed length for DSA exponentiation
r=pereida,bbrumley
[daa823a4a29b] [tip]
2020-05-14 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/freebl/Makefile, lib/freebl/deprecated/seed.c,
lib/freebl/deprecated/seed.h, lib/freebl/freebl.gyp,
lib/freebl/freebl_base.gypi, lib/freebl/seed.c, lib/freebl/seed.h:
Bug 1636389 - Relocate deprecated seed algorithm. r=kjacobs
[d2cfb4ccdf16]
2020-05-14 Jan-Marek Glogowski <glogow@fbihome.de>
* automation/taskcluster/scripts/split.sh, lib/Makefile,
lib/manifest.mn:
Bug 1637083 fix the lib dependencies for the split build
r=jcj,rrelyea
This build can be tested by running NSS_BUILD_MODULAR=1
nss/automation/taskcluster/scripts/build.sh from a directory
containing the nss and nspr repositories.
To make this build's make conditionals easier to handle, it also
merges the manifest.mn into the Makefile, because parts of the
conditionals depends on $(OS_ARCH) setting.
In the end, the goal is just to set the correct build $(DIRS).
This also drops the freebl dependeny of ssl, which seems not to be
needed, even if it's declared in /lib/ssl/ssl.gyp.
[789d7241e1f0]
2020-05-13 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/manifest.mn,
lib/ckfw/manifest.mn, manifest.mn:
Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
Originally I tried multiple variants using make's conditionals to
limit DIRS and enforce building the parent directory before the sub-
directory. None of them worked for me, most resulting in an infinite
recursion, so I used the current pre-depends workaround to fulfill
the real dependency.
Now I remembered that automake can handle this case for SUBDIRS
specifying "." as a directory. The generated Makefile handles it via
shell scripting; not nice, but it works.
So this gets rid of the workaround, replacing it with a small shell
test.
[744881490c78]
Differential Revision: https://phabricator.services.mozilla.com/D76050
2020-05-12 Kevin Jacobs <kjacobs@mozilla.com>
* gtests/freebl_gtest/mpi_unittest.cc:
Bug 1561331 - Additional modular inverse test r=jcj
[e2061fe522f5] [tip]
2020-05-08 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/rules.mk, lib/ckfw/builtins/Makefile,
lib/ckfw/builtins/testlib/Makefile, lib/ckfw/capi/Makefile,
lib/dev/Makefile, lib/freebl/Makefile, lib/pk11wrap/Makefile,
lib/softoken/Makefile:
Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea
Introduces a simple "%/d" rule to create directories using
$(MAKE_OBJDIR) and replace all explicit $(MAKE_OBJDIR) calls with an
order-only-prerequisites.
To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.
[c3f11da5acfc]
2020-05-05 Jan-Marek Glogowski <glogow@fbihome.de>
* coreconf/IRIX.mk, coreconf/OS2.mk, coreconf/README,
coreconf/SunOS4.1.3_U1.mk, coreconf/SunOS5.mk, coreconf/UNIX.mk,
coreconf/WIN32.mk, coreconf/config.mk, coreconf/location.mk,
coreconf/mkdepend/Makefile, coreconf/mkdepend/cppsetup.c,
coreconf/mkdepend/def.h, coreconf/mkdepend/ifparser.c,
coreconf/mkdepend/ifparser.h, coreconf/mkdepend/imakemdep.h,
coreconf/mkdepend/include.c, coreconf/mkdepend/main.c,
coreconf/mkdepend/mkdepend.man, coreconf/mkdepend/parse.c,
coreconf/mkdepend/pr.c, coreconf/rules.mk:
Bug 1438431 Remove mkdepend tool and targets r=rrelyea
[6c5f91e098a1]
* coreconf/README, coreconf/rules.mk:
Bug 1629553 Drop duplicate header DIR variables r=rrelyea
[d1f954627260]
* coreconf/OpenUNIX.mk, coreconf/README, coreconf/SCO_SV3.2.mk,
coreconf/config.mk, coreconf/cpdist.pl, coreconf/import.pl,
coreconf/jdk.mk, coreconf/jniregen.pl, coreconf/module.mk,
coreconf/outofdate.pl, coreconf/release.pl, coreconf/rules.mk,
coreconf/ruleset.mk, coreconf/source.mk, coreconf/version.mk:
Bug 1629553 Drop coreconf java support r=rrelyea
There aren't an Java sources in NSS, so just drop all the stuff
referencing java, jars, jni, etc.
I didn't try to remove it from tests.
[7d285fe69c8c]
* cmd/crmf-cgi/Makefile, cmd/crmf-cgi/config.mk,
cmd/crmftest/Makefile, cmd/crmftest/config.mk, cmd/lib/Makefile,
cmd/lib/config.mk, cmd/lib/manifest.mn, cmd/libpkix/config.mk,
cmd/libpkix/perf/Makefile, cmd/libpkix/perf/manifest.mn,
cmd/libpkix/pkix/Makefile, cmd/libpkix/pkix/certsel/Makefile,
cmd/libpkix/pkix/certsel/manifest.mn,
cmd/libpkix/pkix/checker/Makefile,
cmd/libpkix/pkix/checker/manifest.mn,
cmd/libpkix/pkix/crlsel/Makefile,
cmd/libpkix/pkix/crlsel/manifest.mn,
cmd/libpkix/pkix/params/Makefile,
cmd/libpkix/pkix/params/manifest.mn,
cmd/libpkix/pkix/results/Makefile,
cmd/libpkix/pkix/results/manifest.mn,
cmd/libpkix/pkix/store/Makefile, cmd/libpkix/pkix/store/manifest.mn,
cmd/libpkix/pkix/top/Makefile, cmd/libpkix/pkix/top/manifest.mn,
cmd/libpkix/pkix/util/Makefile, cmd/libpkix/pkix/util/manifest.mn,
cmd/libpkix/pkix_pl/Makefile, cmd/libpkix/pkix_pl/module/Makefile,
cmd/libpkix/pkix_pl/module/manifest.mn,
cmd/libpkix/pkix_pl/pki/Makefile,
cmd/libpkix/pkix_pl/pki/manifest.mn,
cmd/libpkix/pkix_pl/system/Makefile,
cmd/libpkix/pkix_pl/system/manifest.mn,
cmd/libpkix/testutil/manifest.mn, cpputil/Makefile,
cpputil/config.mk, cpputil/manifest.mn, lib/base/Makefile,
lib/base/config.mk, lib/base/manifest.mn, lib/certdb/Makefile,
lib/certdb/config.mk, lib/certdb/manifest.mn, lib/certhigh/Makefile,
lib/certhigh/config.mk, lib/certhigh/manifest.mn, lib/ckfw/Makefile,
lib/ckfw/builtins/Makefile, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/Makefile,
lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/capi/Makefile,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/ckfw/config.mk, lib/ckfw/dbm/Makefile, lib/ckfw/dbm/config.mk,
lib/ckfw/dbm/manifest.mn, lib/ckfw/manifest.mn, lib/crmf/Makefile,
lib/crmf/config.mk, lib/crmf/manifest.mn, lib/cryptohi/Makefile,
lib/cryptohi/config.mk, lib/cryptohi/manifest.mn,
lib/dbm/src/config.mk, lib/dbm/src/manifest.mn, lib/dev/Makefile,
lib/dev/config.mk, lib/dev/manifest.mn, lib/jar/Makefile,
lib/jar/config.mk, lib/jar/manifest.mn, lib/libpkix/Makefile,
lib/libpkix/config.mk, lib/libpkix/include/Makefile,
lib/libpkix/include/config.mk, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/config.mk,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/config.mk,
lib/libpkix/pkix/checker/manifest.mn, lib/libpkix/pkix/config.mk,
lib/libpkix/pkix/crlsel/Makefile, lib/libpkix/pkix/crlsel/config.mk,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile, lib/libpkix/pkix/params/config.mk,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/config.mk,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/config.mk,
lib/libpkix/pkix/store/manifest.mn, lib/libpkix/pkix/top/Makefile,
lib/libpkix/pkix/top/config.mk, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/config.mk,
lib/libpkix/pkix/util/manifest.mn, lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/config.mk,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/config.mk,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/config.mk,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/config.mk,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/pk11wrap/Makefile,
lib/pk11wrap/config.mk, lib/pk11wrap/manifest.mn,
lib/pkcs12/Makefile, lib/pkcs12/config.mk, lib/pkcs12/manifest.mn,
lib/pkcs7/Makefile, lib/pkcs7/config.mk, lib/pkcs7/manifest.mn,
lib/pki/Makefile, lib/pki/config.mk, lib/pki/manifest.mn,
lib/sqlite/Makefile, lib/sysinit/Makefile, lib/util/Makefile,
lib/zlib/Makefile, lib/zlib/config.mk, lib/zlib/manifest.mn:
Bug 1629553 Merge simple config.mk files r=rrelyea
There is really no good reason to explicitly change the TARGET
variable. And the empty SHARED_LIBRARY variable should also be in
the manifest.mn to begin with.
All the other empty variables start empty or undefined, so there is
also no need to explicitly set them empty.
[dc1ef0faf4a6]
* cmd/libpkix/testutil/config.mk, coreconf/OS2.mk, coreconf/WIN32.mk,
coreconf/ruleset.mk, coreconf/suffix.mk, gtests/common/Makefile,
gtests/common/manifest.mn, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile,
gtests/pkcs11testmodule/config.mk,
gtests/pkcs11testmodule/manifest.mn, lib/ckfw/builtins/config.mk,
lib/ckfw/builtins/manifest.mn, lib/ckfw/builtins/testlib/config.mk,
lib/ckfw/capi/config.mk, lib/ckfw/capi/manifest.mn,
lib/freebl/config.mk, lib/nss/config.mk, lib/nss/manifest.mn,
lib/smime/config.mk, lib/smime/manifest.mn, lib/softoken/config.mk,
lib/softoken/legacydb/config.mk, lib/softoken/legacydb/manifest.mn,
lib/softoken/manifest.mn, lib/sqlite/config.mk,
lib/sqlite/manifest.mn, lib/ssl/config.mk, lib/ssl/manifest.mn,
lib/sysinit/config.mk, lib/sysinit/manifest.mn, lib/util/config.mk,
lib/util/manifest.mn:
Bug 1629553 Rework the LIBRARY_NAME ruleset r=rrelyea
* Drop the WIN% "32" default DLL suffix
* Add default resource file handling => drop default RES
* Generate IMPORT_LIBRARY based on IMPORT_LIB_SUFFIX and
SHARED_LIBRARY, so we can drop all the explicit empty IMPORT_LIBRARY
lines
Originally this patch also tried to add a default MAPFILE rule, but
this fails, because the ARCH makefiles set linker flags based on an
existing MAPFILE variable.
[877d721d93cd]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for C++ compile rules r=rrelyea
These pattern rules already had a comment to keep both in sync, so
just use an eval template to enforce this.
[9b628d9c57e5]
* lib/freebl/Makefile:
Bug 1629553 Use an eval template for freebl libs r=rrelyea
[71dd05b782e4]
* coreconf/rules.mk:
Bug 1629553 Use an eval template for export targets r=rrelyea
[45db681898be]
* lib/pk11wrap/manifest.mn, lib/pk11wrap/pk11load.c,
lib/pk11wrap/pk11wrap.gyp:
Bug 1629553 Prefix pk11wrap (SHLIB|LIBRARY)_VERSION with NSS_
r=rrelyea
In the manifest.mn the LIBRARY_VERSION is normally used to define
the major version of the build shared library. This ust works for
the pk11wrap case, because pk11wrap is a static library. But it's
still very confusing when reading the manifest.mn. Also the
referenced define in the code is just named SHLIB_VERSION.
So this prefixes the defines and the variables with NSS_, because it
tries to load the NSS library, just as the SOFTOKEN_.*_VERSION is
used to load the versioned softokn library.
[cbb737bc6c0c]
* Makefile, cmd/Makefile, cmd/shlibsign/Makefile,
cmd/smimetools/rules.mk, coreconf/rules.mk, gtests/manifest.mn,
lib/freebl/Makefile, lib/manifest.mn, manifest.mn:
Bug 290526 Drop double-colon usage and add directory depends
r=rrelyea
Double-colon rule behaviour isn't really compatible with parallel
build. This gets rid of all of them, so we can codify the directory
dependencies.
This leaves just three problems, which aren't really fixable with
the current build system without completely replacing it:
* everything depends on nsinstall
* everything depends on installed headers
* ckfw child directories depend on the build parent libs
This is handled by the prepare_build target.
Overall this allows most if the build to run in parallel.
P.S. the release_md:: has to stay :-( P.P.S. no clue, why freebl
must use libs: instead of using the TARGETS and .PHONY variables
[f3a0ef69c056]
* coreconf/WIN32.mk, gtests/certdb_gtest/manifest.mn,
gtests/common/Makefile, gtests/google_test/Makefile,
gtests/google_test/manifest.mn, gtests/pkcs11testmodule/Makefile:
Bug 290526 Fix gtests build for WIN% targets r=rrelyea
The google_test gtest build doesn't provide any exports for the
shared library on Windows and the gyp build also builds just a
static library. So build gtest and gtestutil libraries as static.
For whatever reason, the Windows linker doesn't find the main
function inside the gtestutil library, if we don't tell it to build
a console executable. But linking works fine, if the object file is
used directly. But since we can have different main() objects based
on build flags, we enforce building console applications binaries.
[a82a55886c1d]
* cmd/bltest/manifest.mn, cmd/chktest/manifest.mn, cmd/crmf-
cgi/manifest.mn, cmd/crmftest/manifest.mn, cmd/fipstest/manifest.mn,
cmd/lib/Makefile, cmd/libpkix/testutil/Makefile,
cmd/lowhashtest/manifest.mn, cmd/modutil/manifest.mn,
cmd/pk11gcmtest/manifest.mn, cmd/pk11mode/manifest.mn,
cmd/rsapoptst/manifest.mn, cmd/signtool/manifest.mn,
cmd/ssltap/manifest.mn, coreconf/README, coreconf/rules.mk,
cpputil/manifest.mn, gtests/google_test/manifest.mn,
gtests/pkcs11testmodule/Makefile, lib/base/Makefile,
lib/certdb/Makefile, lib/certhigh/Makefile, lib/ckfw/Makefile,
lib/crmf/Makefile, lib/cryptohi/Makefile, lib/dbm/include/Makefile,
lib/dev/Makefile, lib/dev/manifest.mn, lib/freebl/Makefile,
lib/libpkix/Makefile, lib/libpkix/include/Makefile,
lib/libpkix/include/manifest.mn, lib/libpkix/pkix/Makefile,
lib/libpkix/pkix/certsel/Makefile,
lib/libpkix/pkix/certsel/manifest.mn,
lib/libpkix/pkix/checker/Makefile,
lib/libpkix/pkix/checker/manifest.mn,
lib/libpkix/pkix/crlsel/Makefile,
lib/libpkix/pkix/crlsel/manifest.mn,
lib/libpkix/pkix/params/Makefile,
lib/libpkix/pkix/params/manifest.mn,
lib/libpkix/pkix/results/Makefile,
lib/libpkix/pkix/results/manifest.mn,
lib/libpkix/pkix/store/Makefile, lib/libpkix/pkix/store/manifest.mn,
lib/libpkix/pkix/top/Makefile, lib/libpkix/pkix/top/manifest.mn,
lib/libpkix/pkix/util/Makefile, lib/libpkix/pkix/util/manifest.mn,
lib/libpkix/pkix_pl_nss/Makefile,
lib/libpkix/pkix_pl_nss/module/Makefile,
lib/libpkix/pkix_pl_nss/module/manifest.mn,
lib/libpkix/pkix_pl_nss/pki/Makefile,
lib/libpkix/pkix_pl_nss/pki/manifest.mn,
lib/libpkix/pkix_pl_nss/system/Makefile,
lib/libpkix/pkix_pl_nss/system/manifest.mn, lib/nss/Makefile,
lib/pk11wrap/Makefile, lib/pki/Makefile, lib/pki/manifest.mn,
lib/softoken/Makefile, lib/softoken/legacydb/Makefile,
lib/sqlite/Makefile, lib/sqlite/manifest.mn, lib/ssl/Makefile,
lib/util/Makefile, lib/zlib/Makefile:
Bug 290526 Drop recursive private_exports r=rrelyea
Copying private headers is now simply included in the exports
target, as these headers use an extra directory anyway.
[989ecbd870f3]
* Makefile, cmd/shlibsign/Makefile, coreconf/Makefile,
coreconf/README, coreconf/nsinstall/Makefile, coreconf/rules.mk,
coreconf/ruleset.mk, lib/Makefile, lib/ckfw/Makefile:
Bug 290526 Parallelize part of the NSS build r=rrelyea
This still serializes many targets, but at least these targets
themself run their build in parallel. The main serialization happens
in nss/Makefile and nss/coreconf/rules.mk's all target.
We can't add these as real dependencies, as all Makefile snippets
use the same variable names. I tried to always run sub-makes to hack
in the depndencies, but these don't know of each other, so targets
very often run twice, and this breaks the build.
Having a tests:: target and a tests directory leads to misery (and
doesn't work), so it's renamed to check.
This just works with NSS_DISABLE_GTESTS=1 specified and is fixed by
a follow up patch, which removes the double-colon usage and adds the
directory dependencies!
[5d0bfa092e0f]
* coreconf/UNIX.mk, coreconf/WIN32.mk, coreconf/mkdepend/Makefile,
coreconf/nsinstall/Makefile, coreconf/ruleset.mk:
Bug 290526 Don't delete directories r=rrelyea
If these files exist and aren't directories, there might be other
problems. Trying to "fix" them by removing will break the build.
[fb377d36262d]
* coreconf/rules.mk:
Bug 290526 Handle empty install variables r=rrelyea
Originally I added the install commands to the individual build
targets. But this breaks the incremental build, because there is
actually no dependency for the install. But it turns out, that in
the end it's enough to ignore empty defined variables, so just do
this.
[585942b1d556]
* coreconf/rules.mk:
Bug 290526 Handle parallel PROGRAM and PROGRAMS r=rrelyea
I have no real clue, why PROGRAMS is actually working in the
sequence build. There is no special make code really handling it,
except for the install target.
This patches code is inspired by the $(eval ...) example in the GNU
make documentation. It generates a program specific make target and
maps the programs objects based on the defined variables.
[d30a6953b897]
Differential Revision: https://phabricator.services.mozilla.com/D75385
To implement filtering client certificates by the acceptable CAs list sent by
servers when they request client certificates, we need the CAs that issued the
client certificates. To that end, this change modifies the Windows backend of
the osclientcerts module to also gather issuing CAs while looking for client
certificates. These certificates will not affect trust decisions in gecko.
Differential Revision: https://phabricator.services.mozilla.com/D74719
Dana Keeler
Erica Wright
Emilio Cobos Álvarez
Kevin Jacobs
Matt Woodrow
Bogdan Tara
David Major
ffxbld
Kershaw Chang
Butkovits Atila
Moritz Birghan
Gian-Carlo Pascutto
Magnus Melin
Sylvestre Ledru
J.C. Jones
Lina Cambridge
Nathan Froyd
Coroiu Cristina
Frederik Braun
Mihai Alexandru Michis
Csoregi Natalia
Aaron Klotz
J.C. Jones
Jared Wein