Граф коммитов

15029 Коммитов

Автор SHA1 Сообщение Дата
ffxbld a55a956277 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D53414

--HG--
extra : moz-landing-system : lando
2019-11-18 13:25:41 +00:00
Victor Porof 5e32e89575 Bug 1596642 - Use `rev` instead of both `branch` and `tag` for specifying rkv dependency version, r=heycam
Differential Revision: https://phabricator.services.mozilla.com/D53152

--HG--
extra : moz-landing-system : lando
2019-11-16 10:58:34 +00:00
J.C. Jones 2452039365 Bug 1592007 - land NSS e8f2720c8254 UPGRADE_NSS_RELEASE, r=kjacobs CLOSED TREE
2019-11-09  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixbuild_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_extension_tests.cpp,
	gtests/mozpkix_gtest/pkixcert_signature_algorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckExtendedKeyUsage_tests.cpp,
	gtests/mozpkix_gtest/pkixcheck_CheckSignatureAlgorithm_tests.cpp,
	gtests/mozpkix_gtest/pkixgtest.h,
	lib/mozpkix/include/pkix/pkixtypes.h, lib/mozpkix/lib/pkixbuild.cpp:
	bug 1593141 - add validity period beginning argument to
	mozilla::pkix::TrustDomain::CheckRevocation r=jcj

	This allows TrustDomain implementations to make decisions based on
	when the validity period of a certificate began. For instance, if an
	implementation has revocation information that is valid and complete
	as of a particular time, but a certificate's validity period begins
	after that time, the implementation may decide to disregard this
	revocation information on the basis that the information it has
	available cannot possibly apply to that certificate.

	[e8f2720c8254] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D53228

--HG--
extra : histedit_source : 8561f7624eabd6cf2113f5585035e84ff82d26b3
2019-11-15 18:08:09 +01:00
Dana Keeler 13ed5551e3 bug 1594510 - update all TrustDomain implementations in mozilla-central due to the mozilla::pkix API change in bug 1593141 r=mbirghan
Bug 1593141 adds a parameter to mozilla::pkix::TrustDomain::CheckRevocation.
This patch updates all TrustDomain implementations in mozilla-central to
reflect this.

Differential Revision: https://phabricator.services.mozilla.com/D52066

--HG--
extra : moz-landing-system : lando
2019-11-15 18:26:45 +00:00
Tim Nguyen 9d40766fe5 Bug 1596193 - Replace outdated references to XUL textbox. r=dao
Differential Revision: https://phabricator.services.mozilla.com/D53177

--HG--
extra : moz-landing-system : lando
2019-11-15 13:35:14 +00:00
ffxbld 6e44b2aa1e No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D53009

--HG--
extra : moz-landing-system : lando
2019-11-14 23:48:44 +00:00
Sean Feng 3d651bb90e Bug 1578534 - Change nsIX509CertDB.constructX509 to take Array<uint8_t> r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44730

--HG--
extra : moz-landing-system : lando
2019-11-12 20:59:02 +00:00
Gabriele Svelto 6ff1e8b815 Bug 1516367 - Move the minidump-analyzer out of the crash reporter application bundle r=spohl,dmajor
The minidump-analyzer tool was originally conceived to be used from the crash
report client and as such was installed in the crash reporter client
application bundle on macOS. It was later adapted to work from Firefox itself
but this caused linking problems when invoked from the Firefox app bundle.
This patch moves the minidump-analyzer into the Firefox app bundle and adapts
the relevant code to find it there.

The minidump-analyzer was also not signed like the rest of our executables and
this patch addresses that issue too.

Differential Revision: https://phabricator.services.mozilla.com/D52910

--HG--
extra : moz-landing-system : lando
2019-11-14 21:11:59 +00:00
J.C. Jones 696043affe Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
2019-11-13  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen
	r=keeler

	Caused in commit 7ef8d2604494.

	[87f35ba4c82f] [tip]

2019-11-07  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/ctr.c:
	Bug 1592869 - Use NEON for ctr_xor. r=kjacobs

	Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode
	time on Cortex-A72.

	[d244c7287908]

2019-11-12  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
	lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
	Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

	A memory leak was reported and confirmed in this bug. However,
	during the "manual" analysis of the flow, another possible leak was
	found. I created a patch for both leaks, added gtests for unexpected
	keySizes and adjusted the general syntax of the gtest file.

	[7ef8d2604494]

2019-11-11  Tom Prince  <mozilla@hocat.ca>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/windows/setup.sh:
	Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

	[c33b214b2ec8]

2019-11-08  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_dhe_unittest.cc,
	gtests/ssl_gtest/ssl_ecdh_unittest.cc,
	gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
	Bug 1566131, check policy against hash algorithms used for
	ServerKeyExchange, r=mt

	Summary: This adds necessary policy checks in
	`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
	that it currently doesn't check MD5 as it still needs to be allowed
	in TLS 1.1 or earlier and many tests fail if we change that.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1566131

	[c08947c6af57]

2019-11-08  Kai Engert  <kaie@kuix.de>

	* coreconf/coreconf.dep:
	Dummy change, trigger a build to test latest NSPR commits.
	[e766899c72a5]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1579836 - Execute NSPR tests as part of NSS continuous
	integration. r=jcj
	[46bfbabf7e75]

2019-11-08  Dustin J. Mitchell  <dustin@mozilla.com>

	* automation/taskcluster/graph/npm-shrinkwrap.json,
	automation/taskcluster/graph/package.json,
	automation/taskcluster/graph/src/image_builder.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/tools.sh,
	automation/taskcluster/windows/gen_certs.sh,
	automation/taskcluster/windows/run_tests.sh:
	Bug 1594891 - Updates to run correctly on the new TC deployment
	r=jcj

	* Update the Taskcluster client used in the decision task to one
	that understands Taskcluster rootUrls.
	* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
	  * the absence of this variale signals an "old" worker so we use an
	"old" URL

	[67d630e7cb7c]

2019-11-07  Tom Prince  <mozilla@hocat.ca>

	* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js:
	Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

	[a2bebaad41dd]

2019-11-06  Daiki Ueno  <dueno@redhat.com>

	* gtests/pk11_gtest/pk11_module_unittest.cc:
	Bug 1577803, clang-format, a=bustage
	[c9014b2892d5]

	* gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
	lib/util/pkcs11t.h:
	Bug 1577803, pk11wrap: set friendly flag if token implements
	CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea

	Summary: This makes NSS look for CKO_PROFILE object at token
	initialization time to check if it implements the [[ https://docs
	.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf
	| Public Certificates Token profile ]] as defined in PKCS #11 v3.0.
	If it is found, the token is automatically marked as friendly so no
	authentication attempts will be made when accessing certificates.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[b39c8eeabe6a]

2019-11-06  Martin Thomson  <mt@lowentropy.net>

	* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
	Bug 1566126 - clang-format, a=bustage
	[6125200fbc88]

2019-11-06  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/altivec-types.h,
	lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
	Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt

	Implementation for POWER8 adapted from the ARM paper:
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf

	Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
	-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.

	NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op
	time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001
	30Mb

	 mode in symmkey opreps cxreps context op time(sec) thrgput
	aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb

	Notable operf results, sw: samples % image name symbol name 226033
	59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so
	rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so
	gcm_HashMult_sftw

	hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233
	11.8853 libfreeblpriv3.so gcm_HashMult_hw

	So the ghash part is ~5.6x faster.

	Signed-off-by: Lauri Kasanen <cand@gmx.com>
	[3d7e509d6d20]

2019-11-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/certdb.c, lib/util/secport.h:
	Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt

	Bug 1588015 introduced in NSPR a new way to ASSERT values where the
	arguments are always used avoiding "unused variable" errors. This
	was implemented in NSS, at certdb.c.

	[73c28cad3dbb]

2019-11-05  Daiki Ueno  <dueno@redhat.com>

	* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	gtests/pkcs11testmodule/pkcs11testmodule.def,
	gtests/pkcs11testmodule/pkcs11testmodule.gyp,
	gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
	Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea

	Summary: This adds a mock PKCS #11 module from Firefox and add basic
	tests around it. This is needed for proper testing of PKCS #11 v3.0
	profile objects (D45669).

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[0a86945adf74]

Differential Revision: https://phabricator.services.mozilla.com/D52779

--HG--
extra : moz-landing-system : lando
2019-11-14 17:32:27 +00:00
Csoregi Natalia acb0f164ca Backed out changeset cbd4aa02eba9 (bug 1592007) for failures on browser_startup_mainthreadio.js UPGRADE_NSS_RELEASE . CLOSED TREE 2019-11-14 04:24:57 +02:00
Dana Keeler cc3995546b bug 1592111 - add the preference "security.osclientcerts.autoload" to control auto-loading the OS client certs module r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D52288

--HG--
extra : moz-landing-system : lando
2019-11-13 21:19:57 +00:00
J.C. Jones 121d80b553 Bug 1592007 - land NSS 87f35ba4c82f UPGRADE_NSS_RELEASE, r=keeler
2019-11-13  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1591363 - Fixup double-free of params in nsc_SetupPBEKeyGen
	r=keeler

	Caused in commit 7ef8d2604494.

	[87f35ba4c82f] [tip]

2019-11-07  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/ctr.c:
	Bug 1592869 - Use NEON for ctr_xor. r=kjacobs

	Using NEON for ctr_xor, aes_ctr can improve 30%-40%i decode/encode
	time on Cortex-A72.

	[d244c7287908]

2019-11-12  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_pbkdf2_unittest.cc, lib/pk11wrap/pk11pbe.c,
	lib/pk11wrap/pk11skey.c, lib/softoken/pkcs11c.c:
	Bug 1591363 - PBKDF2 memory leaks in NSC_GenerateKey. r=jcj

	A memory leak was reported and confirmed in this bug. However,
	during the "manual" analysis of the flow, another possible leak was
	found. I created a patch for both leaks, added gtests for unexpected
	keySizes and adjusted the general syntax of the gtest file.

	[7ef8d2604494]

2019-11-11  Tom Prince  <mozilla@hocat.ca>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/windows/setup.sh:
	Bug 1594891 - Use tc-proxy for nss tooltool; r=dustin,jcj

	[c33b214b2ec8]

2019-11-08  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_dhe_unittest.cc,
	gtests/ssl_gtest/ssl_ecdh_unittest.cc,
	gtests/ssl_gtest/tls_connect.h, lib/ssl/ssl3con.c:
	Bug 1566131, check policy against hash algorithms used for
	ServerKeyExchange, r=mt

	Summary: This adds necessary policy checks in
	`ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note
	that it currently doesn't check MD5 as it still needs to be allowed
	in TLS 1.1 or earlier and many tests fail if we change that.

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1566131

	[c08947c6af57]

2019-11-08  Kai Engert  <kaie@kuix.de>

	* coreconf/coreconf.dep:
	Dummy change, trigger a build to test latest NSPR commits.
	[e766899c72a5]

	* automation/taskcluster/graph/src/extend.js:
	Bug 1579836 - Execute NSPR tests as part of NSS continuous
	integration. r=jcj
	[46bfbabf7e75]

2019-11-08  Dustin J. Mitchell  <dustin@mozilla.com>

	* automation/taskcluster/graph/npm-shrinkwrap.json,
	automation/taskcluster/graph/package.json,
	automation/taskcluster/graph/src/image_builder.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/tools.sh,
	automation/taskcluster/windows/gen_certs.sh,
	automation/taskcluster/windows/run_tests.sh:
	Bug 1594891 - Updates to run correctly on the new TC deployment
	r=jcj

	* Update the Taskcluster client used in the decision task to one
	that understands Taskcluster rootUrls.
	* Update scripts that fetch content to use the TASKCLUSTER_ROOT_URL
	  * the absence of this variale signals an "old" worker so we use an
	"old" URL

	[67d630e7cb7c]

2019-11-07  Tom Prince  <mozilla@hocat.ca>

	* .taskcluster.yml, automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js:
	Bug 1591275: Switch workers to use AWS Provder; r=kjacobs

	[a2bebaad41dd]

2019-11-06  Daiki Ueno  <dueno@redhat.com>

	* gtests/pk11_gtest/pk11_module_unittest.cc:
	Bug 1577803, clang-format, a=bustage
	[c9014b2892d5]

	* gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	lib/pk11wrap/debug_module.c, lib/pk11wrap/pk11obj.c,
	lib/pk11wrap/pk11slot.c, lib/pk11wrap/secmodti.h,
	lib/util/pkcs11t.h:
	Bug 1577803, pk11wrap: set friendly flag if token implements
	CKP_PUBLIC_CERTIFICATES_TOKEN, r=rrelyea

	Summary: This makes NSS look for CKO_PROFILE object at token
	initialization time to check if it implements the [[ https://docs
	.oasis-open.org/pkcs11/pkcs11-profiles/v3.0/pkcs11-profiles-v3.0.pdf
	| Public Certificates Token profile ]] as defined in PKCS #11 v3.0.
	If it is found, the token is automatically marked as friendly so no
	authentication attempts will be made when accessing certificates.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[b39c8eeabe6a]

2019-11-06  Martin Thomson  <mt@lowentropy.net>

	* lib/freebl/blinit.c, lib/freebl/gcm-ppc.c:
	Bug 1566126 - clang-format, a=bustage
	[6125200fbc88]

2019-11-06  Lauri Kasanen  <cand@gmx.com>

	* lib/freebl/Makefile, lib/freebl/altivec-types.h,
	lib/freebl/blapii.h, lib/freebl/blinit.c, lib/freebl/freebl.gyp,
	lib/freebl/gcm-ppc.c, lib/freebl/gcm.c, lib/freebl/gcm.h:
	Bug 1566126 - freebl: POWER GHASH Vector Acceleration, r=mt

	Implementation for POWER8 adapted from the ARM paper:
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf

	Benchmark of `bltest -E -m aes_gcm -i tests/aes_gcm/plaintext10 \
	-v tests/aes_gcm/iv10 -k tests/aes_gcm/key10 -5 10` on POWER8 3.3GHz.

	NSS_DISABLE_HW_CRYPTO=1 mode in symmkey opreps cxreps context op
	time(sec) thrgput aes_gcm_e 309Mb 192 5M 0 0.000 10000.000 10.001
	30Mb

	 mode in symmkey opreps cxreps context op time(sec) thrgput
	aes_gcm_e 829Mb 192 14M 0 0.000 10000.000 10.001 82Mb

	Notable operf results, sw: samples % image name symbol name 226033
	59.3991 libfreeblpriv3.so bmul 80606 21.1824 libfreeblpriv3.so
	rijndael_encryptBlock128 28851 7.5817 libfreeblpriv3.so
	gcm_HashMult_sftw

	hw: 213899 56.2037 libfreeblpriv3.so rijndael_encryptBlock128 45233
	11.8853 libfreeblpriv3.so gcm_HashMult_hw

	So the ghash part is ~5.6x faster.

	Signed-off-by: Lauri Kasanen <cand@gmx.com>
	[3d7e509d6d20]

2019-11-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/certdb.c, lib/util/secport.h:
	Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c. r=mt

	Bug 1588015 introduced in NSPR a new way to ASSERT values where the
	arguments are always used avoiding "unused variable" errors. This
	was implemented in NSS, at certdb.c.

	[73c28cad3dbb]

2019-11-05  Daiki Ueno  <dueno@redhat.com>

	* cpputil/nss_scoped_ptrs.h, gtests/manifest.mn,
	gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_module_unittest.cc,
	gtests/pkcs11testmodule/Makefile, gtests/pkcs11testmodule/config.mk,
	gtests/pkcs11testmodule/manifest.mn,
	gtests/pkcs11testmodule/pkcs11testmodule.cpp,
	gtests/pkcs11testmodule/pkcs11testmodule.def,
	gtests/pkcs11testmodule/pkcs11testmodule.gyp,
	gtests/pkcs11testmodule/pkcs11testmodule.rc, nss.gyp:
	Bug 1577803, gtests: import pkcs11testmodule from Firefox, r=rrelyea

	Summary: This adds a mock PKCS #11 module from Firefox and add basic
	tests around it. This is needed for proper testing of PKCS #11 v3.0
	profile objects (D45669).

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Subscribers: reviewbot

	Bug #: 1577803

	[0a86945adf74]

Differential Revision: https://phabricator.services.mozilla.com/D52779

--HG--
extra : moz-landing-system : lando
2019-11-13 19:44:56 +00:00
Dana Keeler a841102f18 bug 1412438 - add preference to disable HPKP by default r=jcj
As Chrome has removed support for the HPKP (HTTP Public Key Pinning) header,
continuing to support it in Firefox is a compatibility risk. This patch adds
the preference "security.cert_pinning.hpkp.enabled" and sets it to false by
default. As such, the platform will no longer process the HPKP header nor
consult any cached HPKP information for certificate pins.
Preloaded (statically-compiled) pins are still enabled in Firefox by default.
This patch also disables dynamically setting pins via our remote security
settings infrastructure, as it uses the same backend and represents similar
compatibility risk.

Differential Revision: https://phabricator.services.mozilla.com/D52773

--HG--
extra : moz-landing-system : lando
2019-11-13 18:35:35 +00:00
Victor Porof 7ef335726f Bug 1594995 - Part 5: Use a safe-mode database for test_cert_storage_preexisting.js, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52320

--HG--
extra : moz-landing-system : lando
2019-11-13 18:52:37 +00:00
Victor Porof 66c8eaefc1 Bug 1594995 - Part 4: Update cert_storage to use RKV in safe mode, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52319

--HG--
extra : moz-landing-system : lando
2019-11-13 11:53:03 +00:00
Victor Porof 6e245fe362 Bug 1594995 - Part 2: Update RKV dependency to our safe-mode feature branch, r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D52317

--HG--
extra : moz-landing-system : lando
2019-11-13 11:52:28 +00:00
J.C. Jones 3167ebf65d Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
2019-11-04  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/pk11wrap/pk11cert.c:
	Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

	Fixed controls to avoid crashes caused by slots possibly without a
	token in pk11_fastCert. Also, improved arguments controls in
	PK11_MakeCertFromHandle.

	[dc9552c2aa77] [tip]

2019-11-01  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_des_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
	Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs

	Summary: Let's make sure the DES IV has the length we expect it to
	have.

	Bug #: 1591742

	[35857ae98190]

2019-11-01  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
	/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
	Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj

	[27a29997f598]

2019-11-01  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs

	Update NSC_Decrypt length in constant time

	[7f578a829b29]

2019-11-01  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1562671 - Limit Master Password KDF iterations for NSS
	continuous integration tests. r=mt
	[c8b490583b86]

	* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Add environment variables to control Master Password
	KDF iteration count. Disable iteration count for legacy DBM storage
	by default. r=rrelyea
	[ced91a705aa3]

2019-11-01  Bob Relyea  <rrelyea@redhat.com>

	* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
	lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Support higher iteration count for Master Password
	KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
	[6619bb43d746]

2019-10-28  Martin Thomson  <mt@lowentropy.net>

	* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
	coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
	lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
	lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
	lib/ssl/ssl.gyp:
	Bug 1590972 - Use -std=c99 for all C code, r=jcj

	This switches to using -std=c99 for compiling all C code.
	Previously, we only enabled this option for lib/freebl and lib/ssl.

	For Linux, this means we need to define _DEFAULT_SOURCE to access
	some of the functions we use. On glibc 2.12 (our oldest supported
	version), we also need to define _BSD_SOURCE to access these
	functions.

	The only tricky part is dealing with partial C99 implementation in
	gcc 4.4. From what I've seen, the only problem is that - in that
	mode - it doesn't support nesting of unnamed fields:
	https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html

	This also switches from -std=c++0x to -std=c++11 as the 0x variant,
	though identical in meaning, is deprecated.

	[dbba7db4b79d]

2019-10-30  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
	Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs

	At the moment NSS assumes that ARM supports NEON extension but this
	is not true and leads to build failure on ARM without NEON
	extension. Add check to assure USE_HW_AES is not defined if ARM
	without NEON extension is used.
	[58f2471ace3b]

2019-10-30  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1575411 - Disable EMS for tests, a=bustage
	[6e5f69781137]

2019-10-29  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_esni_unittest.cc:
	Bug 1590970 - Fix clang-format from
	e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
	[d1e43cb9f227]

2019-10-29  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/ssl/tls13esni.c:
	Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
	r=jcj
	[df5e9021809a]

2019-10-29  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/ssl.h, lib/ssl/sslsock.c:
	Bug 1575411 - Enable extended master secret by default,
	r=jcj,kjacobs

	See the bug for discussion about the implications of this.

	[d1c68498610d]

2019-10-29  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
	Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs

	Summary: The ESNI tests were using time() rather than PR_Now(), so
	they slipped the net when I went looking for bad time functions. Now
	they do the right thing again.

	What we were probably seeing in the intermittents was the case where
	we set the time for most of the SSL functions to PR_Now(), and that
	was just before a second rollover. Then, when time() was called, it
	returned t+1 so the ESNI keys that were being generated in the ESNI
	tests were given a notBefore time that was in the future relative to
	the time being given to the TLS stack. Had the ESNI keys generation
	been given time() - 1 for notBefore, as I have done here, this would
	never have turned up.

	Reviewers: kjacobs

	Tags: #secure-revision

	Bug #: 1590970

	[e7956ee3ba1b]

Differential Revision: https://phabricator.services.mozilla.com/D51858

--HG--
extra : moz-landing-system : lando
2019-11-08 22:00:40 +00:00
ffxbld 46cd67e91a No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52533

--HG--
extra : moz-landing-system : lando
2019-11-11 14:21:48 +00:00
Kevin Jacobs b964726542 Bug 1575735 - Explicitly check key strength of TLS channel by setting authKeyBits earlier in SSL_AuthCertificate r=keeler
This patch provides Delegated Credential information (authKeyBits and signature scheme) to CertVerifier such that we can enforce a policy check and disallow weak keys in the Delegated Credential.

This information is not passed from http3 - adding this will be done in a separate bug.

Differential Revision: https://phabricator.services.mozilla.com/D47181

--HG--
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key
rename : security/manager/ssl/tests/unit/test_delegated_credentials/delegated-selfsigned.key.keyspec => security/manager/ssl/tests/unit/test_delegated_credentials/delegated.key.keyspec
extra : moz-landing-system : lando
2019-11-07 22:13:43 +00:00
Haik Aftandilian 757b208866 Bug 1593071 - [macOS] Land different entitlement files for parent and child processes r=spohl
Add separate entitlement files for the browser (aka parent process) and plugin-container processes. Leave the old production and developer entitlement files in place.

Once automation has been updated to use the new process-specific entitlement files (bug 1593072), the older entitlement files can be removed.

Future work will change the process-specific entitlements to be minimized for each process type.

Update codesign.bash to
  1) use the separate browser and plugin-container entitlement files
  2) only sign executables with entitlements, not sign unnecessary files
  3) output to a .dmg instead of a .zip file.

Differential Revision: https://phabricator.services.mozilla.com/D52117

--HG--
extra : moz-landing-system : lando
2019-11-07 13:26:05 +00:00
ffxbld 02b887e62e No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52150

--HG--
extra : source : 90745d442c4b0885b14449065509484da5de9fe5
2019-11-07 15:36:28 +00:00
Ciure Andrei 98e9f97749 Backed out changeset 90745d442c4b for causing build bustages CLOSED TREE 2019-11-07 18:19:01 +02:00
ffxbld 3d9a3dab4a No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D52150

--HG--
extra : moz-landing-system : lando
2019-11-07 15:36:28 +00:00
Sean Feng b8410f69c1 Bug 1580318 - Remove nsIX509CertList from verifyCertFinished r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44244

--HG--
extra : moz-landing-system : lando
2019-11-07 14:35:16 +00:00
Gian-Carlo Pascutto 98d994f03d Bug 1591117 - Report ENOSYS on statx, but allow membarrier. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D50623

--HG--
extra : moz-landing-system : lando
2019-11-07 09:21:51 +00:00
Dana Keeler 81beafa0f6 bug 1592532 - reinstate filtering client certificates by usage (reverts behavior from bug 1267643) r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D52062

--HG--
extra : moz-landing-system : lando
2019-11-06 22:50:38 +00:00
Bob Owen e552a98014 Bug 1580742: Allow sandboxed x86 GMP process to duplicate crashreporter handle to the arm64 main process. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D51985

--HG--
extra : moz-landing-system : lando
2019-11-06 20:25:59 +00:00
Dana Keeler eba1bc1027 bug 1544244 - disable test_toolkit_securityreporter.js because TLS error reports are disabled by default and it intermittently fails r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D51954

--HG--
extra : moz-landing-system : lando
2019-11-06 02:37:26 +00:00
Haik Aftandilian b13e5d4ca0 Bug 1576733 - Part 2 - Remove the Hardened Runtime AppleEvent entitlement r=spohl
Revert bug 1570581 by removing the AppleEvent entitlement from our hardened runtime configuration for both production and development.

Now that native messaging helpers are started 'disclaimed' with a new attribution chain, the entitlement is not needed.

Differential Revision: https://phabricator.services.mozilla.com/D48029

--HG--
extra : moz-landing-system : lando
2019-11-06 04:45:03 +00:00
Dana Keeler 4c0babeb5c bug 1550686 - remove nsIBadCertListener2 r=dragana,smaug
Differential Revision: https://phabricator.services.mozilla.com/D51001

--HG--
extra : moz-landing-system : lando
2019-11-06 00:19:14 +00:00
Narcis Beleuzu 88ff18d148 Backed out changeset 1adbdd45d961 (bug 1592007) for bc failures on browser_masterPassword.js UPGRADE_NSS_RELEASE. CLOSED TREE
--HG--
extra : histedit_source : 034b2747d1bffdb2c43a30d563ef4ecbf3f96e39
2019-11-06 03:16:30 +02:00
J.C. Jones 07491e58b7 Bug 1592007 - land NSS dc9552c2aa77 UPGRADE_NSS_RELEASE, r=kjacobs
2019-11-04  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/pk11wrap/pk11cert.c:
	Bug 1590495 - Crash in PK11_MakeCertFromHandle->pk11_fastCert. r=jcj

	Fixed controls to avoid crashes caused by slots possibly without a
	token in pk11_fastCert. Also, improved arguments controls in
	PK11_MakeCertFromHandle.

	[dc9552c2aa77] [tip]

2019-11-01  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_des_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/softoken/pkcs11c.c:
	Bug 1591742 - check des iv length and add test for it, r=jcj,kjacobs

	Summary: Let's make sure the DES IV has the length we expect it to
	have.

	Bug #: 1591742

	[35857ae98190]

2019-11-01  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixcheck_CheckKeyUsage_tests.cpp, lib/mozpkix
	/test-lib/pkixtestnss.cpp, tests/gtests/gtests.sh:
	Bug 1588567 - enable mozilla::pkix gtests in NSS r=jcj

	[27a29997f598]

2019-11-01  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1591315 - Update NSC_Decrypt length in constant time r=kjacobs

	Update NSC_Decrypt length in constant time

	[7f578a829b29]

2019-11-01  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1562671 - Limit Master Password KDF iterations for NSS
	continuous integration tests. r=mt
	[c8b490583b86]

	* lib/softoken/lgglue.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Add environment variables to control Master Password
	KDF iteration count. Disable iteration count for legacy DBM storage
	by default. r=rrelyea
	[ced91a705aa3]

2019-11-01  Bob Relyea  <rrelyea@redhat.com>

	* lib/softoken/legacydb/keydb.c, lib/softoken/lgglue.c,
	lib/softoken/pkcs11.c, lib/softoken/sftkdb.c, lib/softoken/sftkdb.h,
	lib/softoken/sftkdbti.h, lib/softoken/sftkpwd.c:
	Bug 1562671 - Support higher iteration count for Master Password
	KDF. Bob Relyea's base patch. Requires the follow-up patch. r=kaie
	[6619bb43d746]

2019-10-28  Martin Thomson  <mt@lowentropy.net>

	* coreconf/Linux.mk, coreconf/WIN32.mk, coreconf/command.mk,
	coreconf/config.gypi, coreconf/rules.mk, lib/freebl/aes-armv8.c,
	lib/freebl/aes-x86.c, lib/freebl/config.mk, lib/freebl/freebl.gyp,
	lib/freebl/intel-aes.h, lib/freebl/intel-gcm-wrap.c,
	lib/freebl/rijndael.c, lib/freebl/rijndael.h, lib/ssl/config.mk,
	lib/ssl/ssl.gyp:
	Bug 1590972 - Use -std=c99 for all C code, r=jcj

	This switches to using -std=c99 for compiling all C code.
	Previously, we only enabled this option for lib/freebl and lib/ssl.

	For Linux, this means we need to define _DEFAULT_SOURCE to access
	some of the functions we use. On glibc 2.12 (our oldest supported
	version), we also need to define _BSD_SOURCE to access these
	functions.

	The only tricky part is dealing with partial C99 implementation in
	gcc 4.4. From what I've seen, the only problem is that - in that
	mode - it doesn't support nesting of unnamed fields:
	https://gcc.gnu.org/onlinedocs/gcc-4.4.7/gcc/Unnamed-Fields.html

	This also switches from -std=c++0x to -std=c++11 as the 0x variant,
	though identical in meaning, is deprecated.

	[dbba7db4b79d]

2019-10-30  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/freebl/aes-armv8.c, lib/freebl/rijndael.c:
	Bug 1590676 - Fix build if arm doesn't support NEON r=kjacobs

	At the moment NSS assumes that ARM supports NEON extension but this
	is not true and leads to build failure on ARM without NEON
	extension. Add check to assure USE_HW_AES is not defined if ARM
	without NEON extension is used.
	[58f2471ace3b]

2019-10-30  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1575411 - Disable EMS for tests, a=bustage
	[6e5f69781137]

2019-10-29  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_esni_unittest.cc:
	Bug 1590970 - Fix clang-format from
	e7956ee3ba1b6d05e3175bbcd795583fde867720 r=me
	[d1e43cb9f227]

2019-10-29  Giulio Benetti  <giulio.benetti@benettiengineering.com>

	* lib/ssl/tls13esni.c:
	Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c
	r=jcj
	[df5e9021809a]

2019-10-29  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/ssl.h, lib/ssl/sslsock.c:
	Bug 1575411 - Enable extended master secret by default,
	r=jcj,kjacobs

	See the bug for discussion about the implications of this.

	[d1c68498610d]

2019-10-29  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/sslexp.h:
	Bug 1590970 - Stop using time() for ESNI tests, r=kjacobs

	Summary: The ESNI tests were using time() rather than PR_Now(), so
	they slipped the net when I went looking for bad time functions. Now
	they do the right thing again.

	What we were probably seeing in the intermittents was the case where
	we set the time for most of the SSL functions to PR_Now(), and that
	was just before a second rollover. Then, when time() was called, it
	returned t+1 so the ESNI keys that were being generated in the ESNI
	tests were given a notBefore time that was in the future relative to
	the time being given to the TLS stack. Had the ESNI keys generation
	been given time() - 1 for notBefore, as I have done here, this would
	never have turned up.

	Reviewers: kjacobs

	Tags: #secure-revision

	Bug #: 1590970

	[e7956ee3ba1b]

Differential Revision: https://phabricator.services.mozilla.com/D51858

--HG--
extra : moz-landing-system : lando
2019-11-05 20:29:59 +00:00
Brindusan Cristian b135033275 Backed out 2 changesets (bug 1576733) for android build bustages on OSFileConstants.cpp. CLOSED TREE
Backed out changeset 12df7898b0ee (bug 1576733)
Backed out changeset 4ab691bf4228 (bug 1576733)
2019-11-05 21:50:12 +02:00
Haik Aftandilian 2ee559082e Bug 1576733 - Part 2 - Remove the Hardened Runtime AppleEvent entitlement r=spohl
Revert bug 1570581 by removing the AppleEvent entitlement from our hardened runtime configuration for both production and development.

Now that native messaging helpers are started 'disclaimed' with a new attribution chain, the entitlement is not needed.

Differential Revision: https://phabricator.services.mozilla.com/D48029

--HG--
extra : moz-landing-system : lando
2019-11-05 17:42:09 +00:00
Bob Owen 71c23a88fd Bug 1593007: Allow for moz_log suffix in sandbox policy rules. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D51431

--HG--
extra : moz-landing-system : lando
2019-11-05 13:05:36 +00:00
Nicholas Nethercote 8b7aa8af65 Bug 1593426 - Fix a case missed in bug 1587162. r=erahm
This code is compiled when `MOZ_NEW_CERT_STORAGE` is not defined, which is the
case on beta.

Differential Revision: https://phabricator.services.mozilla.com/D51559

--HG--
extra : moz-landing-system : lando
2019-11-05 00:14:28 +00:00
ffxbld 7ecd576f74 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D51601

--HG--
extra : moz-landing-system : lando
2019-11-04 13:51:07 +00:00
Nihanth Subramanya 2164478f1e Bug 1584479 - Part 1: Add flag for blocked social cookies in the content blocking log. r=Ehsan,droeh
Differential Revision: https://phabricator.services.mozilla.com/D47427

--HG--
extra : moz-landing-system : lando
2019-11-01 23:24:25 +00:00
Dorel Luca b9074d53a1 Backed out 4 changesets (bug 1584479) for Browser-chrome failures in toolkit/components/antitracking/test/browser/browser_socialtracking.js
Backed out changeset b0d9877bd8b0 (bug 1584479)
Backed out changeset d2c56bd61b08 (bug 1584479)
Backed out changeset 0edb22786545 (bug 1584479)
Backed out changeset 7e03b392edb3 (bug 1584479)
2019-11-02 01:18:42 +02:00
J.C. Jones dd40266492 Bug 1592007 - land NSS fcdda17cdc36 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-28  Kevin Jacobs  <kjacobs@mozilla.com>

        * automation/abi-check/expected-report-libssl3.so.txt,
        gtests/ssl_gtest/libssl_internals.c,
        gtests/ssl_gtest/libssl_internals.h, gtests/ssl_gtest/tls_agent.cc,
        gtests/ssl_gtest/tls_agent.h, gtests/ssl_gtest/tls_filter.h,
        gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
        lib/ssl/sslimpl.h, lib/ssl/sslinfo.c, lib/ssl/sslt.h,
        lib/ssl/tls13con.c:
        Bug 1588244 - Store TLS 1.3 peerDelegCred, authKeyBits, and scheme
        in SSLPreliminaryChannelInfo. r=mt

        This patch adjusts where we set `authKeyBits` (Et al.) for TLS 1.3,
        such that `CertVerifier` can check the strength of a delegated
        credential keypair.

         The corresponding PSM changeset is in D47181.

        [fcdda17cdc36] [tip]

2019-10-28  Kai Engert  <kaie@kuix.de>

        * coreconf/coreconf.dep:
        Dummy change, trigger a build after bustage to test latest NSPR
        commit
        [ec2adf31fb8c]

2019-10-26  Martin Thomson  <mt@lowentropy.net>

        * lib/ssl/sslauth.c, lib/ssl/sslcon.c, lib/ssl/tls13esni.c:
        Bug 1590970 - Use ssl_Time consistently, r=kjacobs

        I missed a few places that used PR_Now() before.

        [c6021063e64a]

2019-10-22  Deian Stefan  <deian@cs.ucsd.edu>

        * gtests/pk11_gtest/pk11_cbc_unittest.cc:
        Bug 1459141 - A few more CBC padding tests. r=jcj

        This patch adds more test vectors for AES-CBC and 3DES-CBC padding.

        [38f1c92a5e11]

2019-10-22  Marcus Burghardt  <mburghardt@mozilla.com>

        * cmd/btoa/btoa.c:
        Bug 1590339 - Fix MemoryLeak in btoa.c. r=kjacobs

        [5feab64d2d20]

2019-10-21  Marcus Burghardt  <mburghardt@mozilla.com>

        * lib/ckfw/builtins/testlib/certdata-testlib.txt:
        Bug 1589810 - Uninitialized variable warnings from certdata.perl.
        r=mt

        [3f40060ca7b3]

2019-10-19  Martin Thomson  <martin.thomson@gmail.com>

        * gtests/ssl_gtest/ssl_version_unittest.cc:
        Bug 1573118 - Fix busted unit tests, r=jcj

        These unit tests were broken by the change to TLS version defaults.

        In retrospect, this shouldn't have been surprising, but now that it
        I'm seeing bustage, I'm somewhat surprised that there are so few
        failures.

        [7e0b8364687b]

        * lib/ssl/sslsock.c:
        Bug 1573118 - Enable TLS 1.3 by default, r=jcj

        As planned for 3.47, but now for 3.48.

        [bc77cf318f38]

2019-10-18  J.C. Jones  <jjones@mozilla.com>

        * automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
        check/expected-report-libsmime3.so.txt, automation/abi-check
        /expected-report-libssl3.so.txt, automation/abi-check/previous-nss-
        release, lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.48 beta
        [0e7dd2050d09]

        * .hgtags:
        Added tag NSS_3_47_RTM for changeset 7ccb4ade5577
        [dcadb95b9d77] <NSS_3_47_BRANCH>

        * lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
        Set version numbers to 3.47 final
        [7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>

Differential Revision: https://phabricator.services.mozilla.com/D50840

--HG--
extra : moz-landing-system : lando
2019-10-31 04:14:33 +00:00
Nihanth Subramanya e7620d9a8c Bug 1584479 - Part 1: Add flag for blocked social cookies in the content blocking log. r=Ehsan,droeh
Differential Revision: https://phabricator.services.mozilla.com/D47427

--HG--
extra : moz-landing-system : lando
2019-11-01 21:02:09 +00:00
Dana Keeler 06ed800ebe bug 1591691 - avoid network I/O when importing enterprise roots on MacOS r=spohl
Differential Revision: https://phabricator.services.mozilla.com/D51009

--HG--
extra : moz-landing-system : lando
2019-11-01 19:40:07 +00:00
Dragana Damjanovic e7b8f84a64 Bug 1581637 - Part 8 - Add Http3Session/Http3Stream. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D46652

--HG--
extra : moz-landing-system : lando
2019-11-01 14:55:55 +00:00
Sean Feng 78953e2b7f Bug 1592355 - Convert certList to raw array for Pins verification r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D50967

--HG--
extra : moz-landing-system : lando
2019-10-31 23:56:32 +00:00
Haik Aftandilian 8d7d869309 Bug 1593041 - Add com.apple.security.smartcard entitlement to Firefox r=spohl
Add the com.apple.security.smartcard entitlement to Firefox's entitlements list.

Needed for clients of some CryptoTokenKit.framework API's, per SmartCardServices(7).

Differential Revision: https://phabricator.services.mozilla.com/D51303

--HG--
extra : moz-landing-system : lando
2019-11-01 15:43:10 +00:00
Nicholas Nethercote a518709339 Bug 1587162 - Fix UBSAN complaints about pref callbacks. r=erahm
Lots of these callbacks have a non-`void*` final parameter, which UBSAN
complains about. This commit changes them to have a `void*` parameter.

This requires undoing the machinery added in the first two commits of bug
1473631: `TypePrefChangeFunc` and `PREF_CHANGE_METHOD`. The resulting code is
simpler (which is good) and more boilerplate-y (which is bad) but avoids the
undefined behaviour (which is good).

Differential Revision: https://phabricator.services.mozilla.com/D50901

--HG--
extra : moz-landing-system : lando
2019-11-01 02:57:20 +00:00
ffxbld c1e90a0ee7 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D51261

--HG--
extra : moz-landing-system : lando
2019-10-31 14:46:55 +00:00
Dana Keeler 18ab5dba01 bug 1591691 - avoid network I/O when importing enterprise roots on Windows r=mhowell
Differential Revision: https://phabricator.services.mozilla.com/D51007

--HG--
extra : moz-landing-system : lando
2019-10-31 00:36:53 +00:00
Andreea Pavel 8846cf3d21 Backed out 13 changesets (bug 1581637) for xpchell failures at test_anonymous-coalescing.js on a CLOSED TREE
Backed out changeset 3a458217248d (bug 1581637)
Backed out changeset a5df33ec7393 (bug 1581637)
Backed out changeset c5d8950b4a4b (bug 1581637)
Backed out changeset 97ff4a06c2da (bug 1581637)
Backed out changeset 496ec0c5a60f (bug 1581637)
Backed out changeset 63b7f1ff1714 (bug 1581637)
Backed out changeset 6b80553abc74 (bug 1581637)
Backed out changeset 6b6b75fbec7f (bug 1581637)
Backed out changeset f09b9a4ba633 (bug 1581637)
Backed out changeset 21b721e37d39 (bug 1581637)
Backed out changeset 58ca75a25253 (bug 1581637)
Backed out changeset c28174eaccbe (bug 1581637)
Backed out changeset e6ff3db0a421 (bug 1581637)
2019-10-31 02:45:42 +02:00
Dana Keeler 06dafb8707 bug 1591271 - osclientcerts: support RSA-PSS on Windows r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D50662

--HG--
extra : moz-landing-system : lando
2019-10-30 22:45:07 +00:00
Dragana Damjanovic 50665cfef1 Bug 1581637 - Part 8 - Add Http3Session/Http3Stream. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D46652

--HG--
extra : moz-landing-system : lando
2019-10-30 21:09:09 +00:00
Razvan Maries 5946283fbc Backed out changeset 8a690dff4180 (bug 1591691) for build bustages on EnterpriseRoots.cpp. CLOSED TREE 2019-10-30 22:51:25 +02:00
Dana Keeler e7f3e82efb bug 1591691 - avoid network I/O when importing enterprise roots on Windows r=mhowell
Differential Revision: https://phabricator.services.mozilla.com/D51007

--HG--
extra : moz-landing-system : lando
2019-10-30 19:55:42 +00:00
Gijs Kruitbosch 8af91551b6 Bug 1585732 - use staticprefs for media.cubeb.sandbox, r=haik
Differential Revision: https://phabricator.services.mozilla.com/D50955

--HG--
extra : moz-landing-system : lando
2019-10-29 23:33:45 +00:00
Gijs Kruitbosch 1bb658765f Bug 1585732 - use staticprefs for security.sandbox.content.level, r=haik
Differential Revision: https://phabricator.services.mozilla.com/D50954

--HG--
extra : moz-landing-system : lando
2019-10-29 23:32:39 +00:00
Sean Feng 74eaf3ce20 Bug 1592083 - Convert certList to raw array for nsITransportSecurityInfo r=keeler,Ehsan,kershaw
This patch converts the certList attribute of nsITransportSecurityInfo
from nsIX509CertList to Array<nsIx509Cert>

Differential Revision: https://phabricator.services.mozilla.com/D48745

--HG--
extra : moz-landing-system : lando
2019-10-29 17:20:07 +00:00
Haik Aftandilian 87432d9ae1 Bug 1586888 - Test security/sandbox/test/browser_content_sandbox_fs.js has failures on macOS Catalina r=gcp
Don't test with directories not present on macOS 10.15.

Differential Revision: https://phabricator.services.mozilla.com/D49499

--HG--
extra : moz-landing-system : lando
2019-10-29 10:45:43 +00:00
ffxbld b6ddb7ea53 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D50806

--HG--
extra : moz-landing-system : lando
2019-10-28 13:17:59 +00:00
Sean Feng ce3169b453 Bug 1590709 - Fix crash in TransportSecurityInfo::ReadCertList r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D50557

--HG--
extra : moz-landing-system : lando
2019-10-25 18:20:53 +00:00
Dana Keeler bca86d27cc bug 1589824 - pass a typed array to OS.File.writeAtomic in certificate export r=Gijs
OS.File.writeAtomic expects either a utf-8 string or a typed array. This patch
fixes instances in pippki.js in certificate export where this was not
guaranteed to be the case. It also extends the test for this functionality to
cover more cases.

Differential Revision: https://phabricator.services.mozilla.com/D50117

--HG--
extra : moz-landing-system : lando
2019-10-25 17:37:20 +00:00
Dana Keeler 2e5c90833c bug 1590888 - reinstate filtering of client certificate selection during the TLS handshake r=kjacobs
Bug 1267643 removed filtering of client certificates based on the
"certificate_authorities" list sent in the client certificate request from the
server in TLS handshakes because it is impossible to implement as specified
without false negatives (i.e. excluding certificates that could be usable but
don't seem to be according to the certificates the client is aware of). In
practice, however, it seems enough users rely on this behavior[0] that we
should add it back until the platform can save client certificate selections
across restarts and the "select one automatically" option is removed (see also
bug 634697).

[0] See e.g. bug 1588703, bug 1590297, bug 1590596, bug 1074195 comment 27,
and any other duplicates of this bug.

Differential Revision: https://phabricator.services.mozilla.com/D50355

--HG--
extra : moz-landing-system : lando
2019-10-25 17:11:25 +00:00
Martin Thomson afe157c082 Bug 1576790 - Enable version downgrade sentinel in TLS, r=keeler
This change enables the version downgrade sentinel across all channels.  We
don't have good telemetry on this, but Chrome reports 0.02%, which is low enough
to just make the change without additional validation on our end.

This only really affects intercepting middleboxes that forward the real server's
ServerHello.random.  That's a terrible idea, and, as above, the evidence
suggests that this is now rare enough to have those boxes break connections.
The pref will remain for those cases where problems persist.

Differential Revision: https://phabricator.services.mozilla.com/D50387

--HG--
extra : moz-landing-system : lando
2019-10-24 00:49:51 +00:00
Dana Keeler e064323a59 bug 1063276 - include the peer cert chain from the TLS handshake when verifying server certificates r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D50129

--HG--
extra : moz-landing-system : lando
2019-10-24 22:48:40 +00:00
ffxbld f5837b4bc2 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D50470

--HG--
extra : moz-landing-system : lando
2019-10-24 14:42:33 +00:00
Dana Keeler 766d2e096c Bug 1584401 - build osclientcerts in-tree on Windows. r=jcj,kjacobs
This adds a preliminary implementation of a PKCS#11 module that allows Firefox
to access client certificates for TLS client authentication on Windows.
2019-09-18 10:27:50 -07:00
Haik Aftandilian 43ab4ea7a3 Bug 1587962 - [10.15] "Use keyboard navigation" and "jump to spot" scrolling preferences do not work r=spohl
Update sandbox rules to allow services and files needed for global UI system preferences.

Update tests now that stat() calls on the filesystem are permitted.

Differential Revision: https://phabricator.services.mozilla.com/D50298

--HG--
extra : moz-landing-system : lando
2019-10-23 19:56:56 +00:00
Marcus Burghardt ec4fc41539 Bug 1586081 - Remove special EV treatment from GlobalSign Extended Validation CA - SHA256 - G2. r=keeler
In 2017-04, due a transition of two CA certs from GobalSign to Google, a temporary and exceptional EV treatment was deployed in PSM for this transition:
https://bugzilla.mozilla.org/show_bug.cgi?id=1349762

This exception was removed with this patch.

Differential Revision: https://phabricator.services.mozilla.com/D49106

--HG--
extra : moz-landing-system : lando
2019-10-15 17:11:35 +00:00
Geoff Brown de6c41dd8a Bug 1585119 - Re-enable yet more mochitests on android; r=geckoview-reviewers,snorp
Most of these tests have been disabled for a long time; they run well
in the current test environment.
This completes my review of skipped Android tests.

Differential Revision: https://phabricator.services.mozilla.com/D49954

--HG--
extra : moz-landing-system : lando
2019-10-22 20:10:27 +00:00
Tim Nguyen 6d79a27dfb Bug 1590387 - Remove remaining usages of XUL textboxes. r=bgrins
Differential Revision: https://phabricator.services.mozilla.com/D50063

--HG--
extra : moz-landing-system : lando
2019-10-22 19:27:23 +00:00
Daniel Varga 964a732b29 Backed out changeset 055ba7efc9cd (bug 1584401) for rust build bustage. On a CLOSED TREE 2019-10-22 22:04:40 +03:00
Dana Keeler 28cc0dc938 bug 1584401 - build osclientcerts in-tree on Windows r=jcj,kjacobs
This adds a preliminary implementation of a PKCS#11 module that allows Firefox
to access client certificates for TLS client authentication on Windows.
2019-09-18 10:27:50 -07:00
Gian-Carlo Pascutto c92f1fd819 Bug 1581239 - Verify that sandboxed processes' access to /proc/self/fd is blocked. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D46815

--HG--
extra : moz-landing-system : lando
2019-10-18 01:12:38 +00:00
Mihai Alexandru Michis 44e67f1a7f Backed out changeset 11e5baee978e (bug 1580315) for issues related to certList. CLOSED TREE 2019-10-21 23:50:35 +03:00
Sean Feng 2279d51cf5 Bug 1580315 - Convert certList to raw array for nsITransportSecurityInfo r=keeler,Ehsan,kershaw
This patch converts the certList attribute of nsITransportSecurityInfo
from nsIX509CertList to Array<nsIx509Cert>

Differential Revision: https://phabricator.services.mozilla.com/D48745

--HG--
extra : moz-landing-system : lando
2019-10-21 19:49:01 +00:00
ffxbld 4c889635b4 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49928

--HG--
extra : moz-landing-system : lando
2019-10-21 13:23:30 +00:00
J.C. Jones 71a6cf2bcd Bug 1577822 - land NSS NSS_3_47_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-18  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.47 final
	[7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>

	* .hgtags:
	Added tag NSS_3_47_BETA4 for changeset d3c8638f85cd
	[d5bd7be1bf2a]

Differential Revision: https://phabricator.services.mozilla.com/D49813

--HG--
extra : moz-landing-system : lando
2019-10-18 22:42:33 +00:00
J.C. Jones 00dafac3ef Bug 1577822 - land NSS NSS_3_47_BETA4 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-18  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant
	r=jcj,kjacobs

	[d3c8638f85cd] [NSS_3_47_BETA4]

2019-10-17  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc:
	Bug 1589120 - Additional test vectors for CBC padding. r=jcj

	This patch adds more test vectors for AES-CBC and 3DES-CBC padding.

	[7f17b911ac99]

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp:
	Bug 1589120 - Tests for padded AES key wrap r=jcj

	This patch adds test vectors for padded AES Key Wrap. AES-CBC and
	3DES-CBC ports of the same vectors will be included in a separate
	revision.

	[fb4d9b6ea2c4]

2019-10-16  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h, lib/ssl/tls13subcerts.c,
	tests/common/certsetup.sh, tests/ssl_gtests/ssl_gtests.sh:
	Bug 1588244 - SSLExp_DelegateCredential to support 'rsaEncryption'
	end-entity certs with default scheme override r=mt

	If an end-entity cert has an SPKI type of 'rsaEncryption', override
	the DC alg to be `ssl_sig_rsa_pss_rsae_sha256`.

	[93383e0fb833]

2019-10-16  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA3 for changeset f10c3e0757b7
	[fa8a67bee2dc]

Differential Revision: https://phabricator.services.mozilla.com/D49774

--HG--
extra : moz-landing-system : lando
2019-10-18 17:05:24 +00:00
Sean Feng d08c434be2 Bug 1580315 - Use cert array to do certList serialization r=keeler
The internal representation of certList has been converted to
cert array, and this patch does it for the serialization.

Differential Revision: https://phabricator.services.mozilla.com/D49347

--HG--
extra : moz-landing-system : lando
2019-10-18 13:42:54 +00:00
Marcus Burghardt b7e036202f Bug 1585449 - Disable EV treatment for Global Chambersign Root – 2008 root. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D48959

--HG--
extra : moz-landing-system : lando
2019-10-11 20:15:29 +00:00
ffxbld 716fe01e26 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49605

--HG--
extra : moz-landing-system : lando
2019-10-17 14:34:51 +00:00
Srujana Peddinti e41bc4753a Bug 1570009 - Part 3 : Added GPU Process testing to the framework. r=bobowen
Adds support for creating and using a PSandboxTesting actor in the GPU process.

Differential Revision: https://phabricator.services.mozilla.com/D42386

--HG--
extra : moz-landing-system : lando
2019-10-14 15:26:47 +00:00
Srujana Peddinti 847842be97 Bug 1570009 - Part 2 : Added Content Process testing to the framework. r=bobowen
Adds the ability to create and run sandbox tests in a content process.

Differential Revision: https://phabricator.services.mozilla.com/D37913

--HG--
extra : moz-landing-system : lando
2019-10-14 15:08:47 +00:00
Srujana Peddinti 51255aa5b8 Bug 1570009 - Part 1: Create a top-level actor in child processes capable of testing the sandbox. r=bobowen,dmajor
This patch includes a new browser chrome mochitest that uses a new XPCOM service (moxISandboxTest) to create a new top-level actor (PSandboxTesting) between the chrome process and any supported child processes (in later parts of this patch set). The framework is makes it easy to add new C/C++ instructions to be tested for permission under real sandbox conditions. Test results can be conditioned on the type of OS, process, sandbox level, etc.

Differential Revision: https://phabricator.services.mozilla.com/D37706

--HG--
extra : moz-landing-system : lando
2019-10-15 07:19:54 +00:00
J.C. Jones ab56e5f10e Bug 1577822 - land NSS NSS_3_47_BETA3 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-16  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Backed out changeset 474d62c9d0db for PK11_Wrap/Unwrap
	issues r=me
	[f10c3e0757b7] [NSS_3_47_BETA3]

2019-10-15  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA2 for changeset f657d65428c6
	[3ca8b20b24ee]

	* cmd/addbuiltin/addbuiltin.c:
	Bug 1465613 - Fixup clang format a=bustage
	[f657d65428c6] [NSS_3_47_BETA2]

2019-10-11  Marcus Burghardt  <mburghardt@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsmime3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
	cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_gtest.gyp,
	gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
	lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
	lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/builtins-testlib.gyp,
	lib/ckfw/builtins/testlib/certdata-testlib.txt,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
	/nssckbi-testlib.rc,
	lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
	lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
	lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
	Bug 1465613 - Created two new fields for scheduled distrust from
	builtins and updated support commands. r=jcj,kjacobs,mt

	Added two new fields do scheduled distrust of CAs in
	nssckbi/builtins. Also, created a testlib to validate these fields
	with gtests.

	[52024949df95]

2019-10-14  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/tls13con.c:
	Bug 1588557 - Fix debug statement, r=jcj

	[0f563a2571c3]

2019-10-15  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
	bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
	mozilla::pkix::BackCert r=jcj

	According to RFC 5280, the definitions of issuerUniqueID and
	subjectUniqueID in TBSCertificate are as follows:

	 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
	subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	where UniqueIdentifier is a BIT STRING.

	IMPLICIT tags replace the tag of the underlying type. For these
	fields, there is no specified class (just a tag number within the
	class), and the underlying type of BIT STRING is "primitive" (i.e.
	not constructed). Thus, the tags should be of the form CONTEXT
	SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
	respectively.

	When originally implemented, mozilla::pkix incorrectly required that
	the CONSTRUCTED bit also be set for these fields. Consequently, the
	library would reject any certificate that actually contained these
	fields. Evidently such certificates are rare.

	[c50f933d37a5]

2019-10-14  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
	r=kjacobs,jcj
	[474d62c9d0db]

2019-10-11  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
	[f60dbafbc182]

Differential Revision: https://phabricator.services.mozilla.com/D49470

--HG--
extra : moz-landing-system : lando
2019-10-16 19:12:50 +00:00
J.C. Jones 962e9e53a9 Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE
Differential Revision: https://phabricator.services.mozilla.com/D49374

--HG--
extra : moz-landing-system : lando
2019-10-16 04:36:58 +00:00
J.C. Jones 4309dccf1b Bug 1577822 - land NSS NSS_3_47_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-15  J.C. Jones  <jjones@mozilla.com>

	* cmd/addbuiltin/addbuiltin.c:
	Bug 1465613 - Fixup clang format a=bustage
	[f657d65428c6] [NSS_3_47_BETA2]

2019-10-11  Marcus Burghardt  <mburghardt@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsmime3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
	cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_gtest.gyp,
	gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
	lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
	lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/builtins-testlib.gyp,
	lib/ckfw/builtins/testlib/certdata-testlib.txt,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
	/nssckbi-testlib.rc,
	lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
	lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
	lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
	Bug 1465613 - Created two new fields for scheduled distrust from
	builtins and updated support commands. r=jcj,kjacobs,mt

	Added two new fields do scheduled distrust of CAs in
	nssckbi/builtins. Also, created a testlib to validate these fields
	with gtests.

	[52024949df95]

2019-10-14  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/tls13con.c:
	Bug 1588557 - Fix debug statement, r=jcj

	[0f563a2571c3]

2019-10-15  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
	bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
	mozilla::pkix::BackCert r=jcj

	According to RFC 5280, the definitions of issuerUniqueID and
	subjectUniqueID in TBSCertificate are as follows:

	 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
	subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	where UniqueIdentifier is a BIT STRING.

	IMPLICIT tags replace the tag of the underlying type. For these
	fields, there is no specified class (just a tag number within the
	class), and the underlying type of BIT STRING is "primitive" (i.e.
	not constructed). Thus, the tags should be of the form CONTEXT
	SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
	respectively.

	When originally implemented, mozilla::pkix incorrectly required that
	the CONSTRUCTED bit also be set for these fields. Consequently, the
	library would reject any certificate that actually contained these
	fields. Evidently such certificates are rare.

	[c50f933d37a5]

2019-10-14  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
	r=kjacobs,jcj
	[474d62c9d0db]

2019-10-11  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
	[f60dbafbc182]

Differential Revision: https://phabricator.services.mozilla.com/D49365

--HG--
extra : moz-landing-system : lando
2019-10-16 00:57:04 +00:00
Sean Feng 2fa45cc172 Bug 1580315 - Change certList internal representation to Array r=keeler
This patch intends to change the internal reprensentation of certList
from nsIX509CertList to Array for TransportSecurityInfo.

Differential Revision: https://phabricator.services.mozilla.com/D48744

--HG--
extra : moz-landing-system : lando
2019-10-15 19:57:23 +00:00
ffxbld cbc7251ad9 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49151

--HG--
extra : moz-landing-system : lando
2019-10-14 13:16:30 +00:00
J.C. Jones 685c607058 Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-11  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1583068 - Require NSPR version 4.23 r=jcj
	[93245f5733b3] [NSS_3_47_BETA1]

2019-10-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/freebl.gyp:
	Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj

	Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1`
	is passed to build.sh.

	Depends on D34473

	[9abcea09fdd4]

2019-10-11  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/aes-armv8.c:
	Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO.
	r=kjacobs,mt

	`AESContext->iv` doesn't align to 16 bytes on PGO build, so we
	should remove __builtin_assume. Also, I guess that `expandedKey` has
	same problem.

	[1b0f5c5335ee]

	* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h,
	lib/freebl/freebl.gyp, lib/freebl/intel-aes.h,
	lib/freebl/rijndael.c:
	Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj

	[efb895a43899]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_fuzz_unittest.cc,
	gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c:
	Bug 1549225 - Up front Signature Scheme validation, r=ueno

	Summary: This patch started as an attempt to ensure that a DSA
	signature scheme would not be advertised if we weren't willing to
	negotiate versions less than TLS 1.3. Then I realized that we didn't
	do the same for PKCS#1 RSA.

	Then I realized that we were still willing to try to establish
	connections when we had a certificate that we couldn't use.

	Then I realized that ssl3_config_match_init() wasn't being run
	consistently. On resumption, we only ran it when we were PARANOID.
	That's silly because we weren't checking policies.

	Then I realized that we were allowing ECDSA certificates to be used
	when the named group in the certificate was disabled. We weren't
	enforcing that consistently either. However, I also discovered that
	the check we have wouldn't work without a tweak because in TLS 1.3
	the named group is part of the signature scheme; the configured
	named groups are only used prior to TLS 1.3 when selecting
	ECDSA/ECDH certificates.

	So that sounds like a lot of changes but what it boils down to is
	more robust checking of the configuration prior to starting a
	connection. As a result, we should be offering fewer options that
	we're unwilling or unable to follow through on. A good number of
	tests needed tweaking as a result because we were relying on getting
	past the checks in those tests. No real problems were found as a
	result; this just moves failures that might arise from
	misconfiguration a little earlier in the process.

	[9b418f0a4912]

2019-10-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc,
	lib/pk11wrap/pk11pk12.c:
	Bug 1586947 - Store nickname during EC key import. r=jcj

	This patch stores the nickname (if specified) during EC key import.
	This was already done for all other key types.

	[c319019aee75]

2019-10-08  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c,
	lib/pki/pki3hack.c:
	Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and
	stanpcertdb. r=jcj

	Some conditionals that are always true were removed.

	[b34061c3a377]

Differential Revision: https://phabricator.services.mozilla.com/D49030

--HG--
extra : moz-landing-system : lando
2019-10-12 00:01:25 +00:00
ffxbld 8d4072c53b No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48836

--HG--
extra : moz-landing-system : lando
2019-10-10 14:38:00 +00:00
Johann Hofmann ede37582aa Bug 1583067 - Use correct window opener for chrome windows in certManager.js. r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47923

--HG--
extra : moz-landing-system : lando
2019-10-08 21:37:57 +00:00
Kevin Jacobs f44743a255 Bug 1564179 - Add telemetry for delegated credentials r=jcj
This patch adds telemetry for the Delegated Credentials TLS extension [0].

The data review questions are answered in [1], though I've never gone through this process, so questions I'm unsure how to answer are highlighted.

[0] https://tools.ietf.org/html/draft-ietf-tls-subcerts-04
[1] https://docs.google.com/document/d/1UAljhHppirlQphDFn9ly9-iWbK8V23GhoRztAS1rGvk

Differential Revision: https://phabricator.services.mozilla.com/D46379

--HG--
extra : moz-landing-system : lando
2019-10-07 23:38:34 +00:00
Ricky Stewart c010710916 Bug 1586358 - Replace existing instances of GENERATED_FILES with references to the GeneratedFile template r=firefox-build-system-reviewers,mshal
(Same content as bad revision https://phabricator.services.mozilla.com/D48230, but with a very small change to config/external/icu/data/moz.build to fix the build breakage.)

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=833f6a69fcac689488a640b43e8e0bdaa086a56c

Differential Revision: https://phabricator.services.mozilla.com/D48409

--HG--
extra : moz-landing-system : lando
2019-10-07 21:15:19 +00:00
Kris Maglione 3ed2b788cf Bug 1583886: Fix yet more untested content windows which open chrome windows. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D47135

--HG--
extra : moz-landing-system : lando
2019-10-07 19:47:36 +00:00
Junior Hsu 1f16c48cd1 Bug 1584005 - P2 fix tests with wrong parameter to ZipWriter r=michal
Differential Revision: https://phabricator.services.mozilla.com/D47359

--HG--
extra : moz-landing-system : lando
2019-10-07 18:29:15 +00:00
Daniel Varga 052ef806b5 Backed out changeset 8d95f2c8867b (bug 1586358) for build bustage with FATAL ERROR PROCESSING MOZBUILD FILE. On a CLOSED TREE
--HG--
extra : rebase_source : 325fbad2455afc7f693087e75fa57dba79f4d86b
2019-10-07 20:22:08 +03:00
Ricky Stewart 940d91af38 Bug 1586358 - Replace existing instances of GENERATED_FILES with references to the GeneratedFile template r=nalexander
This patch doesn't remove all references to GENERATED_FILES, but does remove most of them, leaving only those which can't be trivially translated to the new template.

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e4a25230c3992b9c5519ceb351fb37f6b2bf605e

Differential Revision: https://phabricator.services.mozilla.com/D48230

--HG--
extra : moz-landing-system : lando
2019-10-07 15:31:05 +00:00
ffxbld 5a0922f7cb No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48342

--HG--
extra : moz-landing-system : lando
2019-10-07 13:11:07 +00:00
Sylvestre Ledru f12b9fa5c3 Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D47737

--HG--
extra : moz-landing-system : lando
2019-10-06 18:29:55 +00:00
Dana Keeler 67fc934d4b bug 1570222 - avoid passing unrelated certificates to mozilla::pkix from NSSCertDBTrustDomain r=kjacobs
During path building, mozilla::pkix filters out candidate certificates provided
by trust domains where the subject distinguished name does not match the issuer
distinguished name of the certificate it's trying to find an issuer for.
However, if there's a problem decoding the candidate issuer certificate,
mozilla::pkix will make a note of this error, regardless of if that certificate
was potentially a suitable issuer. If no trusted path is found, the error from
that unrelated certificate may ultimately be returned by mozilla::pkix,
resulting in confusion.

Before this patch, NSSCertDBTrustDomain could cause this behavior by blithely
passing every known 3rd party certificate to mozilla::pkix (other sources of
certificates already filter on subject distinguished name). This patch adds
filtering to 3rd party certificates as well.

Differential Revision: https://phabricator.services.mozilla.com/D48120

--HG--
extra : moz-landing-system : lando
2019-10-04 16:46:08 +00:00
Haik Aftandilian c0f7925547 Bug 1578907 - MacOS 10.15 Beta - Flash File Picker broken r=spohl
Allow access to extra services needed to open file pickers from the Flash process on 10.15.

Differential Revision: https://phabricator.services.mozilla.com/D48145

--HG--
extra : moz-landing-system : lando
2019-10-04 15:38:07 +00:00
J.C. Jones 26d284f717 Bug 1577822 - land NSS dc86215aea17 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1576307 - Fixup for fips tests, permit NULL iv as necessary.
	r=jcj

	ECB mode should not require an IV.

	[dc86215aea17] [tip]

2019-09-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1576307 - Check mechanism param and param length before casting
	to mechanism-specific structs. r=jcj

	This patch adds missing PKCS11 input parameter checks, which are
	needed prior to casting to mechanism-specific structs.

	[53d92a324080]

Differential Revision: https://phabricator.services.mozilla.com/D48109

--HG--
extra : moz-landing-system : lando
2019-10-03 20:05:41 +00:00
ffxbld 9238ced3bb No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48055

--HG--
extra : moz-landing-system : lando
2019-10-03 13:40:24 +00:00
J.C. Jones a9376fa7c8 Bug 1577822 - land NSS c0913ad7a560 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1577953 - Support longer (up to RFC maximum) HKDF outputs r=jcj

	HKDF-Expand enforces a maximum output length much shorter than
	stated in the RFC. This patch aligns the implementation with the RFC
	by allocating more output space when necessary.

	[c0913ad7a560] [tip]

2019-09-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/curve25519-vectors.h,
	gtests/pk11_gtest/pk11_curve25519_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_vectors.h,
	gtests/pk11_gtest/pk11_signature_test.h:
	Bug 1558234 - Additional EC key tests, r=jcj

	Adds additional EC key corner case testing.

	[c20364849713]

Differential Revision: https://phabricator.services.mozilla.com/D47805

--HG--
extra : moz-landing-system : lando
2019-10-01 22:59:31 +00:00
Cameron McCormack 3a96c1c704 Bug 1584904 - Remove cert_storage dependency on style. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47727

--HG--
extra : moz-landing-system : lando
2019-10-01 16:58:38 +00:00
shravanrn@gmail.com bb7e97ff6a Bug 1575985 part 2 - Allow RW access to /dev/null in content sandbox r=gcp
This is needed by lucet to run WASM sandboxed libraries.

Differential Revision: https://phabricator.services.mozilla.com/D46108

--HG--
extra : moz-landing-system : lando
2019-09-30 21:57:34 +00:00
Anny Gakhokidze 4b5f88535e Bug 1582531 - Update fission annotations for mochitests, r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47646

--HG--
extra : moz-landing-system : lando
2019-10-01 14:24:15 +00:00
Kershaw Chang ea003728d3 Bug 1560353 - Add test for external session cache r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47432

--HG--
extra : moz-landing-system : lando
2019-09-30 13:25:03 +00:00
Kershaw Chang 3f5bb45b8e Bug 1560353 - Extend SSLTokensCache to store the result of VerifySSLServerCert r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D46159

--HG--
extra : moz-landing-system : lando
2019-10-01 12:10:58 +00:00
Gabriele Svelto 10d41866a5 Bug 1585156 - Remove useless inclusions of nsIDOMWindow.h and nsIDOMWindowUtils.h r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D47678

--HG--
extra : moz-landing-system : lando
2019-09-30 22:06:47 +00:00
Kevin Jacobs ba6668c25c Bug 1583610 - Prefer TLS_CHACHA20_POLY1305_SHA256 in TLS1.3 on ARM r=keeler
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.

As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.

Differential Revision: https://phabricator.services.mozilla.com/D47485

--HG--
extra : rebase_source : 0252cf321225cd644a463fd94561fd6af38b3837
extra : source : 4836c05dd2eee11bf9d836fb0505e77450b0651b
2019-09-30 14:43:43 +00:00
Ciure Andrei e309d0402c Backed out changeset 4836c05dd2ee (bug 1583610) for causing toolchanins bustages CLOSED TREE 2019-09-30 22:01:19 +03:00
Kevin Jacobs 2dc56b1bbe Bug 1583610 - Prefer TLS_CHACHA20_POLY1305_SHA256 in TLS1.3 on ARM r=keeler
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.

As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.

Differential Revision: https://phabricator.services.mozilla.com/D47485

--HG--
extra : moz-landing-system : lando
2019-09-30 14:43:43 +00:00
J.C. Jones af55efcd96 Bug 1577822 - land NSS 5619cbbca3db UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-27  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h,
	lib/softoken/pkcs11u.c:
	Bug 1508776 - Remove unneeded refcounting from SFTKSession
	r=mt,kjacobs

	SFTKSession objects are only ever actually destroyed at PK11 session
	closure, as the session is always the final holder -- and asserting
	refCount == 1 shows that to be true. Because of that,
	NSC_CloseSession can just call `sftk_DestroySession` directly and
	leave `sftk_FreeSession` as a no-op to be removed in the future.

	[5619cbbca3db] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D47631

--HG--
extra : moz-landing-system : lando
2019-09-30 16:26:14 +00:00
ffxbld 8a664f77d8 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D47597

--HG--
extra : moz-landing-system : lando
2019-09-30 13:11:37 +00:00
Kershaw Chang 71689c452b Bug 1580138 - Use peer id to isolate token cache r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D45406

--HG--
extra : moz-landing-system : lando
2019-09-30 12:15:07 +00:00
J.C. Jones ecb14a1f95 Bug 1577822 - land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-27  Daiki Ueno  <dueno@redhat.com>

	* cmd/lib/Makefile, cmd/lib/lib.gyp, cmd/lib/manifest.mn,
	cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/platlibs.mk,
	cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, tests/ssl/ssl.sh:
	Bug 1494063, add -x option to tstclnt/selfserv to export keying
	material, r=mt

	Reviewers: rrelyea, mt

	Reviewed By: mt

	Subscribers: HubertKario

	Bug #: 1494063

	[be9c48ad76cb] [tip]

2019-02-25  Martin Thomson  <martin.thomson@gmail.com>

	* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_import_unittest.cc,
	gtests/pk11_gtest/pk11_key_unittest.cc,
	gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h:
	Bug 1515342 - Tests for invalid DH public keys, r=jcj

	Summary: This prevents crashes on invalid, particularly NULL, keys
	for DH and ECDH.

	I factored out test code already landed for this.

	[7e3476b7a912]

2019-09-27  Martin Thomson  <martin.thomson@gmail.com>

	* cpputil/nss_scoped_ptrs.h, cpputil/scoped_ptrs_util.h,
	gtests/common/testvectors/curve25519-vectors.h,
	gtests/der_gtest/der_quickder_unittest.cc, lib/util/quickder.c:
	Bug 1515342 - Checks for invalid bit strings, r=jcj

	[f4fe0da73446]

2019-09-27  Martin Thomson  <mt@lowentropy.net>

	* cmd/lib/derprint.c:
	Bug 1581024 - Fix pointer comparisons, a=bustage
	[062bc5e9859a]

2019-09-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/derprint.c:
	Bug 1581024 - fixup pointer wrap check to prevent it from being
	optimized out. r=jcj

	[f7fef2487a60]

2019-09-26  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c, lib/softoken/tlsprf.c:
	Bug 1582343 - Use constant time memcmp in more places r=kjacobs,jcj
	[86ef6ba1f1d7]

2019-09-26  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c:
	Bug 1578238 - Validate tag size in AES_GCM. r=kjacobs,jcj

	Validate tag size in AES_GCM.

	[4e3971fd992c]

	* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c:
	Bug 1576295 - SEED_CBC encryption check input arguments.
	r=kjacobs,jcj,mt

	Ensure the arguments passed to these functions are valid.

	[7580a5a212c7]

Differential Revision: https://phabricator.services.mozilla.com/D47494

--HG--
extra : moz-landing-system : lando
2019-09-27 20:31:22 +00:00
Aaron Klotz d6a413befe Bug 1584587: Compile OSReauthenticator.cpp via SOURCES instead of UNIFIED_SOUCES on Windows; r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47467

--HG--
extra : moz-landing-system : lando
2019-09-27 20:25:44 +00:00
dleblanccyr 5a7f6525d2 Bug 1573143 - Links certificate issuer to its respective tab. r=johannh
Depends on D41979

Differential Revision: https://phabricator.services.mozilla.com/D41610

--HG--
extra : moz-landing-system : lando
2019-09-27 15:35:41 +00:00
Anny Gakhokidze f1c694e18f Bug 1582531 - Update fission annotations for skipped tests that are now passing succesfully, r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47347

--HG--
extra : moz-landing-system : lando
2019-09-27 14:25:10 +00:00
Martin Thomson a7ed72cb2e Bug 1579285 - Add pref to override minimum TLS version r=keeler
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation.  During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.

Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref.  What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.

This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
2019-09-27 01:26:08 +00:00
Coroiu Cristina 735d79f681 Backed out 4 changesets (bug 1579285, bug 1579270) for browser-chrome failures at browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js on a CLOSED TREE
Backed out changeset 36d7cc55bd16 (bug 1579285)
Backed out changeset 26e3ed3c1592 (bug 1579285)
Backed out changeset 913652258fe6 (bug 1579285)
Backed out changeset 0781e60dd54c (bug 1579270)
2019-09-27 04:19:59 +03:00
Martin Thomson bcf590a1d0 Bug 1579285 - Add pref to override minimum TLS version r=keeler
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation.  During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.

Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref.  What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.

This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
2019-09-16 19:36:08 +00:00
Tim Nguyen 85e78f6671 Bug 1562811 - Replace XUL textboxes with HTML inputs in security/manager/pki/resources/content/load_device.xul. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D36564

--HG--
extra : moz-landing-system : lando
2019-09-26 16:31:15 +00:00
Carolina 5f207f00a6 Bug 1580923 - Fixes problem when opening a certificate from downloadcert.xul.r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D46054

--HG--
extra : moz-landing-system : lando
2019-09-26 16:13:32 +00:00
ffxbld c9b081d8c9 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D47244

--HG--
extra : moz-landing-system : lando
2019-09-26 14:33:06 +00:00
Kershaw Chang b219613dd5 Bug 1580272 - Remove unnecessary call to proxyStartSSL r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D46969

--HG--
extra : moz-landing-system : lando
2019-09-24 17:44:55 +00:00
Victor Porof b0783dc7ee Bug 1583439 - Update lmdb-rkv-sys, lmdb-rkv and rkv crates to their latest versions, r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D46899

--HG--
extra : moz-landing-system : lando
2019-09-26 11:52:13 +00:00
Dragana Damjanovic 1d40d354bd Bug 1577643 - Implement a security info class for the quic transport. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44073

--HG--
extra : moz-landing-system : lando
2019-09-25 20:23:56 +00:00
Dragana Damjanovic 5f2cea9512 Bug 1577643 - Make AuthCertificateHook work without PRFileDesc and also make code work with TransportSecurityInfo. r=keeler
This patch makes the certificate authentication work with TransportSecurityInfo, so that it can be used for nsNSSSocketInfo and a quic's version of the security info class.
Also it adds a new AuthCertificateHookWithInfo function that will be called by Http3Session to authenticate certificates.

Differential Revision: https://phabricator.services.mozilla.com/D44064

--HG--
extra : moz-landing-system : lando
2019-09-26 10:14:53 +00:00
Brian Grinstead b7788d49ec Bug 1581914 - Set default margins for html|input in global.css r=dao
Differential Revision: https://phabricator.services.mozilla.com/D46531

--HG--
extra : moz-landing-system : lando
2019-09-25 16:20:19 +00:00
Daniel Varga 90b9fde46d Backed out changeset 156e22161091 (bug 1580138) for build bustage in toolkit/library/gtest/target. On a CLOSED TREE 2019-09-25 13:42:43 +03:00
Kershaw Chang d2ab74115b Bug 1580138 - Use peer id to isolate token cache r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D45406

--HG--
extra : moz-landing-system : lando
2019-09-25 10:22:25 +00:00
Mihai Alexandru Michis 3ced6be81c Backed out 1 changesets (bug 1577643) for causing bustages in QuicSocketControl.h:45:57 CLOSED TREE
Backed out changeset 48ce2b670f32 (bug 1577643)
2019-09-25 03:08:58 +03:00
Dragana Damjanovic 2fe2e913f8 Bug 1577643 - Implement a security info class for the quic transport. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44073

--HG--
extra : moz-landing-system : lando
2019-09-24 20:56:39 +00:00
J.C. Jones 3e77ba718d Bug 1577822 - land NSS 03039d4fad57 UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-23  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3con.c,
	tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
	Bug 1580286, account for IV size when checking TLS 1.2 records, r=mt

	Summary: This increases the limit of record expansion by 16 so that
	it doesn't reject maximum block padding when HMAC-SHA384 is used.

	To test this, tlsfuzzer is updated to the latest version (commit
	80d7932ead1d8dae6e555cfd2b1c4c5beb2847df).

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1580286

	[03039d4fad57] [tip]

2019-09-20  Kai Engert  <kaie@kuix.de>

	* tests/smime/smime.sh:
	Bug 1577448 - Create additional nested S/MIME test messages for
	Thunderbird. r=jcj
	[57977ceea00e]

2019-09-19  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/docker-gcc-4.4/Dockerfile,
	automation/taskcluster/graph/src/try_syntax.js,
	automation/taskcluster/scripts/build.sh,
	automation/taskcluster/scripts/build_gyp.sh,
	automation/taskcluster/scripts/build_nspr.sh,
	automation/taskcluster/scripts/check_abi.sh,
	automation/taskcluster/scripts/gen_coverage_report.sh,
	automation/taskcluster/scripts/run_coverity.sh,
	automation/taskcluster/scripts/run_scan_build.sh,
	automation/taskcluster/windows/build.sh,
	automation/taskcluster/windows/build_gyp.sh:
	Bug 1399095 - Allow nss-try to be used to test NSPR changes.
	r=kjacobs
	[6e1a8a7cb469]

2019-09-16  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_cipherorder_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, lib/ssl/ssl3con.c, lib/ssl/sslexp.h,
	lib/ssl/sslsock.c:
	Bug 1267894 - New functions for CipherSuites Ordering and gtests.
	r=jcj,kjacobs,mt

	Created two new experimental functions which permit the caller
	change the default order of CipherSuites used during the handshake.

	[2deb38fc1d68]

2019-09-18  Christian Weisgerber  <naddy@mips.inka.de>

	* tests/policy/policy.sh, tests/ssl/ssl.sh:
	Bug 1581507 - Fix unportable grep expression in test scripts
	r=marcusburghardt
	[edc1e405afa4]

2019-09-18  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* lib/jar/jarfile.c:
	Bug 1234830 - [CID 1242894][CID 1242852] unused values.
	r=kaie,r=kjacobs
	[b6d3f5c95aad]

2019-09-18  Kai Engert  <kaie@kuix.de>

	* cmd/symkeyutil/symkeyutil.c:
	Bug 1581759 - fix incorrect if condition in symkeyutil. r=kjacobs
	[306550105228]

Differential Revision: https://phabricator.services.mozilla.com/D46967

--HG--
extra : moz-landing-system : lando
2019-09-24 17:22:25 +00:00
Kris Maglione 7bffa91bb4 Bug 1583114: Fix straggling callers which create chrome windows with content openers. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D46989

--HG--
extra : moz-landing-system : lando
2019-09-24 20:05:37 +00:00
Andrew Halberstadt 898dfb96b4 Bug 1567642 - [lint.flake8] Fix misc flake8 under Python 3 lint issues r=gbrown
Differential Revision: https://phabricator.services.mozilla.com/D45417

--HG--
extra : moz-landing-system : lando
2019-09-24 14:44:01 +00:00
Kershaw Chang 141e986c3f Bug 1546816 - Part 1-6: Add a helper function: AuthCertificateParseResults r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45024

--HG--
extra : moz-landing-system : lando
2019-09-18 10:03:57 +00:00
Geoff Brown dcb380399e Bug 1582785 - Enable some xpcshell tests on Android; r=geckoview-reviewers,agi
Most of these tests have been disabled for a long time; they run well
in the current test environment.

Differential Revision: https://phabricator.services.mozilla.com/D46642

--HG--
extra : moz-landing-system : lando
2019-09-23 22:43:55 +00:00
Dana Keeler 3d10b528b0 bug 1581986 - fix undefined shift behavior in md4 implementation r=kjacobs
Using left shift on a uint8_t promotes it to a signed integer. If the shift is
large enough that the sign bit gets affected, we have undefined behavior. This
patch fixes this by first casting to uint32_t.

Differential Revision: https://phabricator.services.mozilla.com/D46820

--HG--
extra : moz-landing-system : lando
2019-09-23 19:17:52 +00:00
Cosmin Sabou 5ba1c3f18f Backed out changeset 098d87f4abbc (bug 1580923) for browser chrome failures on browser_openTabAndSendCertInfo.js. CLOSED TREE 2019-09-23 20:15:29 +03:00
Carolina 1ea5f188a8 Bug 1580923 - Fixes problem when opening a certificate from downloadcert.xul.r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D46054

--HG--
extra : moz-landing-system : lando
2019-09-23 15:08:42 +00:00
Kershaw Chang aae1400b3c Bug 1546816 - Part 1-5: Add AuthCertificateSetResults helper function r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45023

--HG--
extra : moz-landing-system : lando
2019-09-18 09:53:37 +00:00
ffxbld bdeece726d No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D46777

--HG--
extra : moz-landing-system : lando
2019-09-23 13:09:04 +00:00
Dana Keeler c790b6fff5 bug 1581962 - improve nsINSSComponent::HasUserCertsInstalled by using the more efficient FindNonCACertificatesWithPrivateKeys r=kjacobs
CERT_FindUserCertsByUsage is inefficient when the corpus of known certificates
consists mostly of certificates that don't have corresponding private keys,
which is expected to be the case for most Firefox users. This change updates
the "does the user have any client certificates" functionality to use the more
efficient "FindNonCACertificatesWithPrivateKeys" function added in bug 1573542.

Differential Revision: https://phabricator.services.mozilla.com/D46499

--HG--
extra : moz-landing-system : lando
2019-09-20 16:13:21 +00:00
Zibi Braniecki d112b782ad Bug 1581692 - Remove unused .properties from mobile. CLOSED TREE
Differential Revision: https://phabricator.services.mozilla.com//D46195

Depends on D46194

--HG--
extra : histedit_source : ac50af1eda77301fa016896fc3cc8bb03de7a9d3
2019-09-18 19:39:00 +03:00
ffxbld 959ff7f82f No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D46469

--HG--
extra : moz-landing-system : lando
2019-09-19 14:37:28 +00:00
Dana Keeler 16bb37cff1 bug 1573542 - be more efficient about finding client certificates r=jcj,kjacobs
Before this patch, Firefox would call CERT_FindUserCertsByUsage to gather all
known client certificates. This function enumerates all known certificates and
filters some of them out. When there are many certificates that are not client
certificates (e.g. roots and intermediates), this is inefficient. Since this is
likely to be the case for most users, this patch optimizes this task by instead
first searching for private keys and then gathering all certificates that have
corresponding public keys.

Differential Revision: https://phabricator.services.mozilla.com/D46187

--HG--
extra : moz-landing-system : lando
2019-09-18 23:28:05 +00:00
J.C. Jones 484db3870b Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/derprint.c:
	Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj

	Check for pointer wrap on output-length check in the derdump
	utility.

	[a3ee4f26b4c1] [tip]

2019-09-18  Giulio Benetti  <giulio.benetti@micronovasrl.com>

	* lib/freebl/gcm-aarch64.c:
	Bug 1580126 - Fix build failure on aarch64_be while building
	freebl/gcm r=kjacobs

	Build failure is caused by different #ifdef conditions in gcm.c and
	gcm-aarch64.c that leads to double declaration of the same gcm_*
	functions.

	Fix #ifdef condition in gcm-aarch64.c making it the same as the one
	in gcm.c.

	Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
	[fa0d958de0c3]

2019-09-17  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/extend.js:
	Bug 1385039 - Build NSPR tests as part of NSS continuous
	integration. r=kjacobs
	[cc97f1a93038]

2019-09-17  Landry Breuil  <landry@openbsd.org>

	* lib/freebl/Makefile:
	Bug 1581391 - include gcm-aarch64 on all unices, not only linux
	r=kjacobs
	[e7b4f293fa4e]

2019-09-17  Martin Thomson  <mt@lowentropy.net>

	* mach:
	Bug 1581041 - Rename mach-commands to mach-completion, r=jcj

	This means that we can point our completion at the gecko one.

	[bc91272fcbdc]

2019-09-16  Jenine  <jenine_c@outlook.com>

	* cmd/pk11importtest/pk11importtest.c, lib/softoken/pkcs11.c:
	Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c
	r=marcusburghardt

	[4569b745f74e]

2019-09-13  Daiki Ueno  <dueno@redhat.com>

	* lib/certhigh/certvfy.c:
	Bug 1542207, fix policy check on signature algorithms, r=rrelyea

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1542207

	[ed8a41d16c1c]

2019-09-05  Daiki Ueno  <dueno@redhat.com>

	* lib/freebl/drbg.c:
	Bug 1560329, drbg: perform continuous test on entropy source,
	r=rrelyea

	Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
	to check that consecutive entropy blocks from the system are
	different. As neither getentropy() nor /dev/urandom provides that
	check on the output, this adds the self test at caller side.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1560329

	[c66dd879d16a]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1579290 - Disable LSAN during builds, r=ueno

	Summary: See the bug description for details.

	[f28f3d7b7cf0]

2019-09-13  Kai Engert  <kaie@kuix.de>

	* Makefile, build.sh, coreconf/nspr.sh, help.txt:
	Bug 1385061 - Build NSPR tests with NSS make; Add gyp parameters to
	build/run NSPR tests. r=jcj
	[8b4a226f7d23]

2019-09-11  Kai Engert  <kaie@kuix.de>

	* nss.gyp:
	Bug 1577359 - Build atob and btoa for Thunderbird. r=jcj
	[1fe61aadaf57]

2019-09-10  Marcus Burghardt  <mburghardt@mozilla.com>

	* cmd/pk12util/pk12util.c:
	Bug 1579036 - Define error when trying to export non-existent cert
	with pk12util. r=jcj

	[65ab97f03c89]

2019-09-04  Martin Thomson  <mt@lowentropy.net>

	* gtests/mozpkix_gtest/pkixder_input_tests.cpp:
	Bug 1578626 - Remove undefined nullptr decrement, r=keeler

	Summary: This uses uintptr_t to avoid the worst. It still looks
	terrible and might trip static analysis warnings, but the
	reinterpret_cast should hide that.

	This assumes that sizeof(uintptr_t) == sizeof(void*), so I've added
	an assertion so that we'll at least fail the test on those systems.
	(We could use GTEST_SKIP instead, but we don't have that in the
	version of gtest that we use.)

	Reviewers: keeler

	Tags: #secure-revision

	Bug #: 1578626

	[d2485b1c997e]

2019-09-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
	Bug 1578751 - Ensure a consistent style for
	pk11_find_certs_unittest.cc. r=jcj

	Adjusted the style and clang-format after the changes in some var
	names.

	[e95fee7f59e5]

Differential Revision: https://phabricator.services.mozilla.com/D46246

--HG--
extra : moz-landing-system : lando
2019-09-18 03:27:20 +00:00
Kershaw Chang 7449dd820c Bug 1546816 - Part 1-4: Remove mTelemetryID and mTelemetryValue from SSLServerCertVerificationResult r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45022

--HG--
extra : moz-landing-system : lando
2019-09-18 09:30:56 +00:00
Henri Sivonen c193518677 Bug 1490601 part 2 - Move C++ entry points to encoding_c_mem to mfbt/. r=jwalden
Differential Revision: https://phabricator.services.mozilla.com/D43957

--HG--
extra : moz-landing-system : lando
2019-09-18 08:26:34 +00:00
Dana Keeler 24dc3d00a4 bug 1578882 - wait on the loadable roots background task before handing out CertVerifier handles r=tjr
If code acquires a handle on the certificate verifier before the loadable roots
background task completes, that instance of the verifier may not know about any
enterprise certificates loaded, and so early certificate verifications relying
on those certificates may fail. To prevent this, this patch ensures that the
background task has completed before returning the handle. Note that there
should be no effect on performance since CertVerifier already ensures that the
background task has completed internally before looking for potential issuer
certificates.

Differential Revision: https://phabricator.services.mozilla.com/D46224

--HG--
extra : moz-landing-system : lando
2019-09-18 00:06:58 +00:00
Kevin Jacobs 671a4b685e Bug 1562773 - Add delegated credentials tests r=keeler,jcj
Add xpcshell tests for Delegated Credentials

Differential Revision: https://phabricator.services.mozilla.com/D37918

--HG--
extra : moz-landing-system : lando
2019-09-17 23:31:36 +00:00
Dana Keeler dbf19a6cd5 bug 1577944 - avoid calling CERT_NewTempCertificate in NSSCertDBTrustDomain::GetCertTrust for enterprise certificates r=jcj,kjacobs
Calling CERT_NewTempCertificate on an enterprise certificate is inefficient
because NSS tries (and fails) to find a copy of that certificate in its internal
data structures (which includes querying softoken, which involves hitting the
disk). We can avoid doing so for these certificates in
NSSCertDBTrustDomain::GetCertTrust because we already know what trust values
they should have (after checking the relevant blocklists).

Differential Revision: https://phabricator.services.mozilla.com/D45588

--HG--
extra : moz-landing-system : lando
2019-09-17 20:30:15 +00:00
Dragana Damjanovic a8b9f215c0 Bug 1580557 - Remove nsISSLSocketControl.serverRootCertIsBuiltInRoot. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45988

--HG--
extra : moz-landing-system : lando
2019-09-16 18:22:20 +00:00
Dana Keeler d0234b3ced bug 1571548 - support "current user" registry locations for enterprise certificates on Windows r=kjacobs,mhowell
Differential Revision: https://phabricator.services.mozilla.com/D45720

--HG--
extra : moz-landing-system : lando
2019-09-12 20:00:45 +00:00
Johann Hofmann 8847236f13 Bug 1573502 - Always use system principal as triggeringPrincipal for about:certificate. r=jkt
about:certificate is always trusted and we don't have to use the content principal in browser.js

Differential Revision: https://phabricator.services.mozilla.com/D45939

--HG--
extra : moz-landing-system : lando
2019-09-16 09:06:00 +00:00
Dragana Damjanovic c667e010d5 Bug 1578883 - Expose some functions needed for Quic. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44727

--HG--
extra : moz-landing-system : lando
2019-09-05 19:51:32 +00:00
Sean Feng 11e85f21b9 Bug 1580313 - Remove nsIX509CertList from asPKCS7Blob r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44516

--HG--
extra : moz-landing-system : lando
2019-09-13 17:23:09 +00:00
ffxbld 5af1f73d04 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D45662

--HG--
extra : moz-landing-system : lando
2019-09-12 13:37:51 +00:00
Kevin Jacobs 4bf9806ed6 Bug 1562773 - Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler,jcj
This patch adds a new `mIsDelegatedCredential` parameter to nsITransportSecurityInfo, indicating whether or not a delegated credential keypair was used in the TLS handshake (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03) .

This functionality is only available if _security.tls.enable_delegated_credentials_ is set to true.

Differential Revision: https://phabricator.services.mozilla.com/D39807

--HG--
extra : moz-landing-system : lando
2019-09-11 15:19:57 +00:00
Razvan Maries 2fb41871a9 Backed out 2 changesets (bug 1562773) for build bustages. CLOSED TREE
Backed out changeset 154b23d4a214 (bug 1562773)
Backed out changeset f32f7a644981 (bug 1562773)
2019-09-11 04:40:29 +03:00
Kevin Jacobs c2dfc6480d Bug 1562773 - Add delegated credentials tests r=keeler,jcj
Add xpcshell tests for Delegated Credentials

Differential Revision: https://phabricator.services.mozilla.com/D37918

--HG--
extra : moz-landing-system : lando
2019-09-10 20:15:12 +00:00
J.C. Jones a54604ea14 Bug 1562773 - Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler
This patch adds a new `mIsDelegatedCredential` parameter to nsITransportSecurityInfo, indicating whether or not a delegated credential keypair was used in the TLS handshake (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03) .

This functionality is only available if _security.tls.enable_delegated_credentials_ is set to true.

Differential Revision: https://phabricator.services.mozilla.com/D39807

--HG--
extra : moz-landing-system : lando
2019-09-10 19:55:46 +00:00
Moritz Birghan 5c1548df4e Bug 1260640 - Update nsNSSCertificateDB::getCertsFromPackage() so callers don't need to convert the returned certs into usable formats r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D40615

--HG--
extra : moz-landing-system : lando
2019-09-10 07:39:51 +00:00
Kershaw Chang 60f9b2d557 Bug 1546816 - Part 1-3: Always do certificate verification on a background thread r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45021

--HG--
extra : moz-landing-system : lando
2019-09-09 13:53:06 +00:00
Kershaw Chang 21e358df0e Bug 1546816 - Part 1-2: Simplify collecting telemetry r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45020

--HG--
extra : moz-landing-system : lando
2019-09-09 13:50:50 +00:00
Kershaw Chang 487ae96c4a Bug 1546816 - Part 1-1: Remove MITM_OK flag and bypassAuthentication r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45019

--HG--
extra : moz-landing-system : lando
2019-09-09 13:46:45 +00:00
ffxbld 5114c33332 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D45181

--HG--
extra : moz-landing-system : lando
2019-09-09 13:07:55 +00:00
Ryan Alderete 2e2b52b880 Bug 1572846 - Update Clearkey to use NSS for decryption instead of OpenAES r=bryce,jld
Clearkey previously relied on OpenAES to do its encryption.  In order to
facilitate future changes and the need for CBC support, switch to NSS, which
should be more flexible and actively maintained.

Differential Revision: https://phabricator.services.mozilla.com/D41993

--HG--
extra : moz-landing-system : lando
2019-09-05 19:19:06 +00:00
Sean Feng a3ec48a51a Bug 1577836 - Remove nsIX509CertList from getCerts and loadCertsFromCache r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44239

--HG--
extra : moz-landing-system : lando
2019-09-05 21:35:54 +00:00
Daiki Ueno 2f97770e81 Bug 1579023, disable preconnect if there is an unfriendly token r=keeler
To determine whether speculative connections can be established, mozilla::net::CanEnableSpeculativeConnect checks:
1. if there is any removable slot, and
2. if there is any user cert and a private key that can be used for client authentication

However, in practice some HSM's are not removable and (1) is not sufficient, which results in a random PIN prompt appearing at (2).
This patch tighten (1) so that it also checks there is no "unfriendly" token which requires authentication anyway.

Differential Revision: https://phabricator.services.mozilla.com/D44809

--HG--
extra : moz-landing-system : lando
2019-09-06 08:12:39 +00:00
J.C. Jones e46ef2b607 Bug 1577822 - land NSS cf0df88aa807 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-30  Alexander Scheel  <ascheel@redhat.com>

	* automation/taskcluster/scripts/build_softoken.sh,
	cmd/lib/pk11table.c, gtests/pk11_gtest/pk11_aes_cmac_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/pk11wrap/debug_module.c,
	lib/pk11wrap/pk11mech.c, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c, lib/util/pkcs11t.h:
	Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt

	[cf0df88aa807] [tip]

	* cpputil/freebl_scoped_ptrs.h, gtests/freebl_gtest/cmac_unittests.cc,
	gtests/freebl_gtest/freebl_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/cmac.c, lib/freebl/cmac.h, lib/freebl/exports.gyp,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn:
	Bug 1570501 - Add AES-CMAC implementation to freebl, r=mt

	[a42c6882ba1b]

2019-09-05  David Cooper  <dcooper16@gmail.com>

	* lib/smime/cmssiginfo.c:
	Bug 657379 - NSS uses the wrong OID for signatureAlgorithm field of
	signerInfo in CMS for DSA and ECDSA. r=rrelyea
	[7a83b248de30]

2019-09-05  Daiki Ueno  <dueno@redhat.com>

	* lib/freebl/drbg.c:
	Backed out changeset 934c8d0e7aba

	It turned out to cause some new errors in LSan; backing out for now.
	[34a254dd1357]

	* lib/freebl/drbg.c:
	Bug 1560329, drbg: perform continuous test on entropy source,
	r=rrelyea

	Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
	to check that consecutive entropy blocks from the system are
	different. As neither getentropy() nor /dev/urandom provides that
	check on the output, this adds the self test at caller side.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1560329

	[934c8d0e7aba]

2019-08-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/WIN32.mk:
	Bug 1576664 - Remove -mms-bitfields from win32 makefile r=jcj

	[bf4de7985f3d]

2019-08-29  Dana Keeler  <dkeeler@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
	bug 1577038 - add PK11_GetCertsFromPrivateKey r=jcj,kjacobs

	PK11_GetCertFromPrivateKey only returns one certificate with a
	public key that matches the given private key. This change
	introduces PK11_GetCertsFromPrivateKey, which returns a list of all
	certificates with public keys that match the given private key.

	[9befa8d296c0]

2019-08-30  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.47 beta
	[685cea0a7b48]

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.46 final
	[decbf7bd40fd] [NSS_3_46_RTM]

Differential Revision: https://phabricator.services.mozilla.com/D44927

--HG--
extra : moz-landing-system : lando
2019-09-06 00:25:25 +00:00
Dana Keeler 29758e98f9 bug 1578732 - #include more headers in RootCertificateTelemetryUtils.cpp so it can compile when chunking changes in unified builds r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D44742

--HG--
extra : moz-landing-system : lando
2019-09-05 17:46:31 +00:00
Kershaw Chang 5fad51dd02 Bug 1560354 - Transform some nss types into gecko types. r=keeler,dragana
Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
2019-09-05 15:49:35 +00:00
ffxbld 3e8fdbe0ed No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D44828

--HG--
extra : moz-landing-system : lando
2019-09-05 13:17:10 +00:00
Aaron Klotz 296735628c Bug 1578786: Fix up some includes and namespaces in security/manager/ssl so that it may compile in non-unified mode; r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44700

--HG--
extra : moz-landing-system : lando
2019-09-04 18:35:50 +00:00
Kershaw Chang 64b7f325a6 Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato
Differential Revision: https://phabricator.services.mozilla.com/D43931

--HG--
rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
extra : moz-landing-system : lando
2019-09-04 17:17:44 +00:00
Dana Keeler b108e38d22 bug 1576755 - split "unknown" bucket in CERT_VALIDATION_SUCCESS_BY_CA (and other _BY_CA probes) r=jcj,kjacobs
The "unknown" bucket is inconsistent and often much higher than we expect. This
patch splits that bucket by adding the categories "from softoken (cert9.db)",
"from an external PKCS#11 token", and "imported from the OS via the 'Enterprise
Roots' feature". Hopefully this will give us more insight into this data.

Differential Revision: https://phabricator.services.mozilla.com/D44065

--HG--
extra : moz-landing-system : lando
2019-09-03 22:19:14 +00:00
Ehsan Akhgari 86c74f0485 Bug 1576641 - Add two new content blocking event flags to indicate a tracking/social-tracking cookie has been loaded in a tab; r=baku,droeh
Differential Revision: https://phabricator.services.mozilla.com/D44216

--HG--
extra : moz-landing-system : lando
2019-09-03 17:37:43 +00:00
Andreea Pavel aa258365a2 Backed out changeset 2e0c2fea2799 (bug 1577428) linting doc failure on a CLOSED TREE
--HG--
rename : security/manager/ssl/tests/unit/test_allow_all_cert_errors.js => security/manager/ssl/tests/unit/test_js_cert_override_service.js
2019-09-03 18:25:52 +03:00
Kershaw Chang f7c12de97f Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D43931

--HG--
rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
extra : moz-landing-system : lando
2019-09-02 17:03:38 +00:00
Bob Owen 17bddfd388 Bug 1575906: Allow the GMP process to duplicate Section handles to the main process. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D44237

--HG--
extra : moz-landing-system : lando
2019-08-30 21:39:57 +00:00
J.C. Jones 61fc016d4c Bug 1564499 - land NSS NSS_3_46_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-30  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.46 final
	[decbf7bd40fd] [NSS_3_46_RTM]

2019-08-27  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_46_BETA2 for changeset 24b0fc700203
	[29cd579e74e4]

Differential Revision: https://phabricator.services.mozilla.com/D44206

--HG--
extra : moz-landing-system : lando
2019-08-30 16:34:27 +00:00
ffxbld 3b375c8b7b No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43967

--HG--
extra : moz-landing-system : lando
2019-08-29 13:14:59 +00:00
Barret Rennie b0cbc31990 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:55:31 +00:00
Dorel Luca b09fe526aa Backed out 4 changesets (bug 1510569) for build bustage. CLOSED TREE
Backed out changeset d7db6a1935ce (bug 1510569)
Backed out changeset 03b7cf756a7f (bug 1510569)
Backed out changeset fa318eec0e76 (bug 1510569)
Backed out changeset cecb17bd8c03 (bug 1510569)
2019-08-28 21:46:40 +03:00
Barret Rennie 4ab0fd7d38 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:00:16 +00:00
J.C. Jones 95ca91b62f Bug 1564499 - land NSS NSS_3_46_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-27  Kevin Jacobs  <kjacobs@mozilla.com>

        * automation/taskcluster/graph/src/extend.js,
        automation/taskcluster/scripts/build_gyp.sh,
        automation/taskcluster/windows/build_gyp.sh, fuzz/fuzz.gyp,
        gtests/pk11_gtest/pk11_gtest.gyp,
        gtests/softoken_gtest/softoken_gtest.gyp, tests/all.sh,
        tests/ssl/ssl.sh:
        Bug 1485533 - Close gaps in taskcluster SSL testing. r=mt

        This patch increases SSL testing on taskcluster, specifically,
        running an additional 395 tests on each SSL cycle (more for FIPS
        targets), and adding a new 'stress' cycle.

        Notable changes:

        1) This patch removes SSL stress tests from the default
        `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed,
        this variable must be set to include.

        2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all
        targets. FIPS targets also run "normal_fips", "fips_normal", and
        "fips_fips".

        3) `--enable-libpkix` is now set for all taskcluster "build.sh"
        builds in order to support a number of OCSP tests that were
        previously not run.

        [24b0fc700203] [NSS_3_46_BETA2]

2019-08-23  Edouard Oger  <eoger@fastmail.com>

        * lib/sqlite/Makefile, lib/sqlite/sqlite.gyp:
        Bug 1549847 - Ignore sqlite compilation warnings. r=mt

        [7f146eb7adac]

2019-08-23  J.C. Jones  <jjones@mozilla.com>

        * .hgtags:
        Added tag NSS_3_46_BETA1 for changeset 44aa330de2aa
        [d3035cc9dc73]

Differential Revision: https://phabricator.services.mozilla.com/D43724

--HG--
extra : moz-landing-system : lando
2019-08-28 14:30:55 +00:00
Sylvestre Ledru d264b841c9 Bug 1576502 - Fix some wording issues r=mhoye
Differential Revision: https://phabricator.services.mozilla.com/D43363

--HG--
extra : moz-landing-system : lando
2019-08-27 15:38:58 +00:00
ffxbld 36f90d0df0 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43457

--HG--
extra : moz-landing-system : lando
2019-08-26 14:49:18 +00:00
Ciure Andrei 0a6d4a24f8 Merge inbound to mozilla-central. a=merge 2019-08-24 12:51:09 +03:00
Alex Vincent cec0c5cbdb Bug 1508169, Remove performAction* from nsITreeView.idl in mozilla-central. r=peterv, johannh
performAction, performActionOnRow and performActionOnCell are methods of the
nsITreeView interface that are never called.  This is to remove these methods.
A comm-central patch will be along shortly.

Differential Revision: https://phabricator.services.mozilla.com/D39273
2019-08-24 00:49:55 +02:00
J.C. Jones 73f0968aaa Bug 1564499 - land NSS NSS_3_46_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/common/cleanup.sh:
	Bug 1560593 - Check that BUILD_OPT is defined before testing its
	value. r=jcj

	[44aa330de2aa] [NSS_3_46_BETA1]

	* cmd/strsclnt/strsclnt.c:
	Bug 1575968 - Add strsclnt option to enforce the use of either IPv4
	or IPv6 r=jcj

	[da284d8993ea]

2019-08-23  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/softoken_gtest/softoken_gtest.cc:
	Bug 1573942 - Gtest for pkcs11.txt with different breaking line
	formats. r=kjacobs

	[d07a07eb0e40]

2019-08-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/util/utilmod.c:
	Bug 1564284: Added check for CR + LF, r=marcusburghardt,kjacobs

	Looks good and it was already tested locally with this gtest patch:

	[d1d2e1e320cd]

2019-08-22  Martin Thomson  <mt@lowentropy.net>

	* lib/ssl/ssl3con.c:
	Bug 1528666 - Formatting, a=bustage
	[60eeac76c8ec]

2019-08-20  Martin Thomson  <martin.thomson@gmail.com>

	* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1528666 - Correct resumption validation checks, r=jcj

	We allowed cross-suite resumption before, but it didn't work. This
	enables that for clients.

	As a secondary minor tweak, clients will no longer validate the
	availability of a cipher suite based on their configured version
	range when attempting resumption. Instead, they will check whether
	the suite works for the version in the session that they are
	attempting to resume. In theory, this doesn't change anything
	because the previous session should not have selected an
	incompatible combination of version and cipher suite, but it's worth
	being extra precise.

	[cab2c8905214]

2019-08-22  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1568803 - More tests for client certificate authentication,
	r=kjacobs

	These were previously disabled because of difficulties (at the time)
	in writing these tests for TLS 1.3. The framework, and my
	understanding of it, has since improved, so these tests can be
	restored and expanded. This exposed a minor correctness issue that
	is also corrected.

	[95f97d31c313]

Differential Revision: https://phabricator.services.mozilla.com/D43308

--HG--
extra : moz-landing-system : lando
2019-08-23 22:45:47 +00:00
Gijs Kruitbosch 871832fcf9 Bug 1575564 - avoid non-mainthread use of NS_GetSpecialDirectory in linux sandboxbroker, r=jld,gcp
Differential Revision: https://phabricator.services.mozilla.com/D42951

--HG--
extra : moz-landing-system : lando
2019-08-22 16:37:18 +00:00
ffxbld 409e5b7a75 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43052

--HG--
extra : moz-landing-system : lando
2019-08-22 13:43:50 +00:00
Mike Hommey 66d7fe943e Bug 1575420 - Replace MOZ_WIDGET_TOOLKIT value of "gtk3" with "gtk". r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D42765

--HG--
extra : moz-landing-system : lando
2019-08-21 12:25:42 +00:00
Oana Pop Rus 3223cd3dc2 Backed out 4 changesets (bug 1510569) for causing build bustage on a CLOSED TREE
Backed out changeset eae555c11f25 (bug 1510569)
Backed out changeset 2fb8938d16db (bug 1510569)
Backed out changeset b480af862022 (bug 1510569)
Backed out changeset 642cd6323cdc (bug 1510569)
2019-08-21 22:55:43 +03:00
Haik Aftandilian 3ad0ca9116 Bug 1570581 - Starting with Firefox 68.0.1, Adobe Acrobat Extension for Firefox fails to send apple events to target application (Acrobat) r=handyman
Relax our Hardened Runtime settings to allow the com.apple.security.automation.apple-events entitlement so that native messaging webextension helper apps (which are launched by and are child processes of Firefox) can use Apple Events to signal other processes. This will apply to Firefox and all child processes.

Differential Revision: https://phabricator.services.mozilla.com/D42929

--HG--
extra : moz-landing-system : lando
2019-08-21 18:42:55 +00:00
Geoff Brown b7e778a5ea Bug 1554276 - Disable xpcshell test_certDB_import.js and test_certDB_import_with_master_password.js on geckoview; r=snorp
With these last two tests skipped we can run xpcshell tests against geckoview builds.

Differential Revision: https://phabricator.services.mozilla.com/D42893

--HG--
extra : moz-landing-system : lando
2019-08-21 18:24:47 +00:00
Barret Rennie d8a4453540 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-21 18:24:56 +00:00
J.C. Jones 6d66ec3bef Bug 1564499 - land NSS eeb9a6715a93 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-20  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1574670 - Remove Expired root certificates - Class 2 Primary,
	UTN-USERFirst-Client, Deutsche Telekom Root CA 2.
	r=jcj,KathleenWilson

	[eeb9a6715a93] [tip]

2019-08-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1572164 - Don't unnecessarily free session in NSC_WrapKey r=jcj

	[b306ff3d6f4d]

Differential Revision: https://phabricator.services.mozilla.com/D42768

--HG--
extra : moz-landing-system : lando
2019-08-21 15:56:17 +00:00
Barret Rennie 3f90c2f83f Bug 1564221 - Make nsITransportSecurityInfo builtinclass r=keeler
There are no longer any consumers of the JS-implemented
`FakeTransportSecurityInfo` class, so it can be removed. That removes the last
JS-implemented `nsITransportSecurityInfo` instance and it therefore can be
marked `builtinclass`.

Differential Revision: https://phabricator.services.mozilla.com/D40355

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:24 +00:00
Barret Rennie a72079afcb Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_resetState.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_resetState.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40352

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:19 +00:00
Barret Rennie 85e3659e3d Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_originAttributes.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_sss_originAttributes.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40351

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:07 +00:00
Barret Rennie f94a2e2dd7 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:04 +00:00
Barret Rennie e206c0bf71 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_pinning_header_parsing.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_pinning_header_parsing.js` to use `add_connection_test()` to get
a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40349

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:51 +00:00
Barret Rennie 8cbcec1089 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_ocsp_must_staple.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_ocsp_must_staple.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40348

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:47 +00:00
Barret Rennie 4fee6b8f31 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_forget_about_site_security_headers.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_forget_about_site_security_headers.js to use
`add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for
the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40347

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:38 +00:00
Barret Rennie ac3d0eba23 Bug 1564221 - Add a contract ID for nsITransportSecurityInfo r=keeler
There is now a contract ID for `nsITransportSecurityInfo`, allowing
`mozilla::psm::TransportSecurityInfo` instances to be created from JS. Tests
using a JS-implemented `nsITransportSecurityInfo` that were not modifying,
e.g., the `serverCert` attribute have been updated to create a
`mozilla::psm::TransportSecurityInfo` via the contract.

Differential Revision: https://phabricator.services.mozilla.com/D40346

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:59 +00:00
J.C. Jones c8cf90a75f Bug 1564499 - land NSS ea8bc9f43de3 UPGRADE_NSS_RELEASE, r=kjacobs
Revset: reverse(bbfc55939d75~-1::ea8bc9f43de3)

2019-08-19  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1562330 - require NSPR version 4.22 r=jcj
	[ea8bc9f43de3] [tip]

2019-08-16  J.C. Jones  <jjones@mozilla.com>

	* cmd/selfserv/selfserv.c:
	Bug 1574220 - Fixup clang-format r=bustage
	[165664ff322c]

2019-08-15  Marcus Burghardt  <mburghardt@mozilla.com>

	* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
	cmd/vfyserv/vfyserv.c:
	Bug 1574220 - Improve controls after errors in tstcln, selfserv and
	vfyserv cmds. r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D42165
	[32766e60ffa8]

2019-08-16  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/sqlite/README, lib/sqlite/sqlite3.c, lib/sqlite/sqlite3.h:
	Bug 1550636 - Upgrade SQLite in NSS to v3.29 (2019-07-10). r=jcj

	#define SQLITE_VERSION "3.29.0" #define SQLITE_VERSION_NUMBER
	3029000 #define SQLITE_SOURCE_ID "2019-07-10 17:32:03
	fc82b73eaac8b36950e527f12c4b5dc1e147e6f4ad2217ae43ad82882a88bfa6"

	Differential Revision:
	https://phabricator.services.mozilla.com/D42332
	[ed55badc848d]

2019-08-15  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/nssckbi.h:
	Bug 1566569 - Remove Swisscom Root CA 2 root certificate. r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D42161
	[660d7c210878]

Differential Revision: https://phabricator.services.mozilla.com/D42554

--HG--
extra : moz-landing-system : lando
2019-08-20 14:59:04 +00:00
Gian-Carlo Pascutto 8b7a11d51c Bug 1573578 - Whitelist brk syscall if jemalloc is disabled. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D41998

--HG--
extra : moz-landing-system : lando
2019-08-14 22:50:51 +00:00
Cosmin Sabou 2e5b997146 Backed out 9 changesets (bug 1564221) for devtools failures on browser_net_security-redirect.js.
Backed out changeset bcae1e55fc27 (bug 1564221)
Backed out changeset 0efeb9b1f5fa (bug 1564221)
Backed out changeset aaa8ffb687f2 (bug 1564221)
Backed out changeset a1947eef7d86 (bug 1564221)
Backed out changeset 6cd17e69d1c7 (bug 1564221)
Backed out changeset ede7219b9a9e (bug 1564221)
Backed out changeset 63d578684d29 (bug 1564221)
Backed out changeset e804c46a9541 (bug 1564221)
Backed out changeset 4cd81a6d3b25 (bug 1564221)

--HG--
extra : histedit_source : 3b34632390a828e53929751dd79fe800b08a0ecb
2019-08-19 23:59:28 +03:00
Barret Rennie 244c61a02f Bug 1564221 - Make nsITransportSecurityInfo builtinclass r=keeler
There are no longer any consumers of the JS-implemented
`FakeTransportSecurityInfo` class, so it can be removed. That removes the last
JS-implemented `nsITransportSecurityInfo` instance and it therefore can be
marked `builtinclass`.

Differential Revision: https://phabricator.services.mozilla.com/D40355

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:53 +00:00
Barret Rennie a27ae13275 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_resetState.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_resetState.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40352

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:55 +00:00
Barret Rennie 4c2087cc62 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_originAttributes.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_sss_originAttributes.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40351

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:56 +00:00
Barret Rennie e50685ff95 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:58 +00:00
Barret Rennie b50d3762cd Bug 1564221 - Do not use FakeTransportSecurityInfo in test_pinning_header_parsing.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_pinning_header_parsing.js` to use `add_connection_test()` to get
a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40349

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:00 +00:00
Barret Rennie cc3aa27173 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_ocsp_must_staple.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_ocsp_must_staple.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40348

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:02 +00:00
Barret Rennie fb73718374 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_forget_about_site_security_headers.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_forget_about_site_security_headers.js to use
`add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for
the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40347

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:04 +00:00
Barret Rennie fa178b7009 Bug 1564221 - Add a contract ID for nsITransportSecurityInfo r=keeler
There is now a contract ID for `nsITransportSecurityInfo`, allowing
`mozilla::psm::TransportSecurityInfo` instances to be created from JS. Tests
using a JS-implemented `nsITransportSecurityInfo` that were not modifying,
e.g., the `serverCert` attribute have been updated to create a
`mozilla::psm::TransportSecurityInfo` via the contract.

Differential Revision: https://phabricator.services.mozilla.com/D40346

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:05 +00:00
Carolina 617b075a9c Bug 1572848 - Adjusts browser_certViewer.js tests for the new cert viewer (about:certificate).r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D41470

--HG--
extra : moz-landing-system : lando
2019-08-19 13:09:46 +00:00
ffxbld f1d77648cd No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D42498

--HG--
extra : moz-landing-system : lando
2019-08-19 14:33:17 +00:00
Christian Holler 601bb91a9b Bug 1566342 - Implement changes for HTTP2 fuzzing in Necko. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D38182

--HG--
extra : moz-landing-system : lando
2019-08-19 13:46:18 +00:00
Mark Banner b1970e6a2f Bug 1571466 - Cleanup unnecessary ESLint global definitions. r=mossop
These are raised as redeclares or unused variables by ESLint 6.

Differential Revision: https://phabricator.services.mozilla.com/D37268

--HG--
extra : moz-landing-system : lando
2019-08-19 07:11:56 +00:00
Matthew Noorenberghe 1af788f2cb Bug 1571555 - Mock the prompt service for the master password prompt in test_sdr.js. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D42383

--HG--
extra : moz-landing-system : lando
2019-08-16 22:33:45 +00:00
Matthew Noorenberghe 91e9a4e6b4 Bug 1571555 - Use a blank string in place of the username or password when decryption fails. r=keeler
Don't show the login in about:logins if the username or password cannot be decrypted.

Differential Revision: https://phabricator.services.mozilla.com/D40845

--HG--
extra : moz-landing-system : lando
2019-08-16 20:27:34 +00:00
Gabriele Svelto 14db2c37b8 Bug 1571711 - Factorize crash handling out of the various process IPC classes r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D41657

--HG--
extra : moz-landing-system : lando
2019-08-15 12:06:51 +00:00
Csoregi Natalia 7d39932994 Merge mozilla-central to autoland. CLOSED TREE 2019-08-15 22:38:37 +03:00
Csoregi Natalia 41813d2fc0 Merge autoland to mozilla-central. a=merge 2019-08-15 22:32:31 +03:00
Csoregi Natalia 058a6017fc Backed out changeset ee3e55708782 (bug 1570840) for breaking Netflix and Flash on Mac Nightly. a=backout 2019-08-15 22:00:21 +03:00
ffxbld 925db3aae7 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D42137

--HG--
extra : moz-landing-system : lando
2019-08-15 15:04:59 +00:00
Bogdan Tara f326b67e0e Backed out changeset c60ee628dd0e (bug 1571711) for RemoteSandboxBroker related bustages CLOSED TREE 2019-08-15 01:50:01 +03:00
Gabriele Svelto d888c0a6b5 Bug 1571711 - Factorize crash handling out of the various process IPC classes r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D41657

--HG--
extra : moz-landing-system : lando
2019-08-13 21:43:00 +00:00
Haik Aftandilian 243b7d4b1e Bug 1570840 - Set com.apple.security.cs.disable-library-validation=false in Hardened Runtime entitlement files r=handyman
Set com.apple.security.cs.disable-library-validation=false in developer and production Hardened Runtime entitlements now that the definition has changed to mean allow/disallow unsigned libraries.

Differential Revision: https://phabricator.services.mozilla.com/D40525

--HG--
extra : moz-landing-system : lando
2019-08-14 19:42:19 +00:00
Nicholas Nethercote 281d296163 Bug 1573720 - Convert network.auth.force-generic-ntlm-v1 to a static pref. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D41913

--HG--
extra : moz-landing-system : lando
2019-08-15 05:29:49 +00:00
arthur.iakab b24139d864 Backed out changeset 5d42edca79d4 (bug 1560354) for causing mass failures on mozilla/Maybe.h:488 CLOSED TREE 2019-08-15 03:01:50 +03:00
Cosmin Sabou 62a26df9c6 Backed out changeset 55df21f1b7d6 (bug 1566342) for causing build bustages on FuzzyLayer.cpp. CLOSED TREE 2019-08-14 02:20:11 +03:00
Christian Holler 295a59729c Bug 1566342 - Implement changes for HTTP2 fuzzing in Necko. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D38182

--HG--
extra : moz-landing-system : lando
2019-08-13 22:00:57 +00:00
J.C. Jones 32759c8ed5 Bug 1573662 - Rename sanctions test routines to make it easier to add new ones r=keeler
1) Multipurpose-ing the TLSServer specialization to `SanctionsTestServer`
2) Renaming the `security/manager/ssl/tests/unit/test_symantec_apple_google` folder of certs to `test_sanctions`
3) Prepend a `symantec-` to the start of all relevant certs in the new `test_sanctions` folder
4) Renaming the existing xpcshell test to `test_sanctions_symantec_apple_google.js`

Differential Revision: https://phabricator.services.mozilla.com/D39942

--HG--
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key => security/manager/ssl/tests/unit/test_sanctions/default-ee.key
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec => security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem => security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build => security/manager/ssl/tests/unit/test_sanctions/moz.build
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-after-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-after-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-before-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-before-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-after-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-after-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-before-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-before-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other-crossigned.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other-crossigned.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-whitelisted.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-whitelisted.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/real-google-g2-intermediate.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-real-google-g2-intermediate.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/real-googlecom.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-real-googlecom.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google.js => security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
rename : security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
extra : moz-landing-system : lando
2019-08-13 20:59:17 +00:00
Sylvestre Ledru 645f2d5773 Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D41559

--HG--
extra : moz-landing-system : lando
2019-08-13 07:15:25 +00:00
Haik Aftandilian ecc3193420 Bug 1564434 - MT_safe_localtime generates incorrect value in sandboxed content process r=handyman
Allow access to timezone data files from the content/flash/GMP/utility sandbox.

Remove unneeded regex providing access to ^/private/tmp/KSInstallAction\. files.

Differential Revision: https://phabricator.services.mozilla.com/D41455

--HG--
extra : moz-landing-system : lando
2019-08-12 21:36:03 +00:00
J.C. Jones 66170e3716 Bug 1564499 - land NSS bbfc55939d75 UPGRADE_NSS_RELEASE, r=kjacobs
Revset: reverse(89aa19677e37~-1::bbfc55939d75)

2019-08-14  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1572593 - Re-revert call to CheckCertReqAgainstDefaultCAs to
	avoid memory leak (filed as bug 1573945). r=jcj

	Revert back to the changes Franziskus had made. Updated the in-
	source bug number to point to the new memleak bug.

	Differential Revision:
	https://phabricator.services.mozilla.com/D42020
	[bbfc55939d75] [tip]

2019-08-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/freebl_gtest/freebl_gtest.gyp,
	gtests/mozpkix_gtest/mozpkix_gtest.gyp:
	Bug 1415118 - Fix --enable-libpkix builds from build.sh r=mt,jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41617
	[f8926908be71]

2019-08-14  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc, lib/ssl/ssl3ext.c:
	Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
	r=mt,kjacobs

	Reset the list of advertised extensions before sending a new set.

	This reverts the changes of https://hg.mozilla.org/projects/nss/rev/
	1ca362213631d6edc885b6b965b52ecffcf29afd

	Differential Revision:
	https://phabricator.services.mozilla.com/D41302
	[b03ff661491e]

2019-08-14  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/ctr.c:
	Bug 1539788 - UBSAN fixup for 128b counter. r=mt,jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41884
	[9d1f5e71773d]

2019-08-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/chacha20poly1305.c, lib/freebl/ctr.c, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c, lib/freebl/rsapkcs.c:
	Bug 1539788 - Add length checks for cryptographic primitives
	r=mt,jcj

	This patch adds additional length checks around cryptographic
	primitives.

	Differential Revision:
	https://phabricator.services.mozilla.com/D36079
	[dfd6996fe742]

2019-08-13  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/README,
	lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h:
	Bug 1542077 - Added extra controls and tests to mp_set_int and
	mp_set_ulong. r=jcj,kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D40649
	[9bc47e69613e]

2019-08-13  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc:
	Bug 1572791 - Fixup clang-format r=bustage
	[ec113de50cdd]

	* gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/tls13subcerts.c:
	Bug 1572791 - Check for nulls in SSLExp_DelegateCredential and its
	tests r=kjacobs

	This particularly catches test errors in tls_subcerts_unittest when
	the profile is stale.

	Differential Revision:
	https://phabricator.services.mozilla.com/D41429
	[ed5067857563]

2019-08-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_cert_ext_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc:
	Bug 1572791 - Fix ASAN cert errors when SSL gtests run on empty
	profile r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41787
	[cef2aa7f3b8c]

2019-08-09  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/common/cleanup.sh:
	Bug 1560593 - Cleanup.sh to treat core dumps as test failures on
	optimized builds. r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41392
	[360010725fdb]

Differential Revision: https://phabricator.services.mozilla.com/D42139

--HG--
extra : moz-landing-system : lando
2019-08-15 16:06:15 +00:00
ffxbld 21d02cb6fe No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D41541

--HG--
extra : moz-landing-system : lando
2019-08-12 13:08:23 +00:00
Daniel Varga 8f35473d07 Backed out changeset 65c6d801e7b4 (bug 1571555) for browser chrome failure at browser/components/aboutlogins/tests/browser/browser_masterPassword.js
--HG--
extra : rebase_source : 9182aebd42d50c9a502dc7fabaf99238ac5e62c5
2019-08-10 22:35:50 +03:00
Gabriele Svelto beb62c4c31 Bug 1282776 - Finalize crash reports for child process crashes happening too early r=froydnj
This changes the way crash reports for child processes happening too early
during the child process' startup. Before bug 1547698 we wrote a partial
.extra file with those crashes that lacked the process type. The user would
not be notified of those crashes until she restarted Firefox and even when
submitted those crashes would be erroneously labeled as browser crashes.

After bug 1547698 we stopped writing .extra files entirely for those crashes
which left orphaned .dmp files among the pending crash reports.

This patch does three things to improve the situation:

* It writes a partial .extra file so that the crashes are detected at the next
  startup. So the user is still not notified directly of these crashes but she
  can report them later.
* It adds the process type to the .extra file so that the crash reporters are
  labelled correctly.
* It fixes a leak in the `pidToMinidump` hash-map. Since the crashes were
  not finalized the `ChildProcessData` strucutre associated with them would
  never be fred.

Differential Revision: https://phabricator.services.mozilla.com/D40810

--HG--
extra : moz-landing-system : lando
2019-08-09 14:23:19 +00:00
Jared Wein 018b8a1983 Bug 1571555 - Use a blank string in place of the username or password when decryption fails. r=keeler
Don't show the login in about:logins if the username or password cannot be decrypted.

Differential Revision: https://phabricator.services.mozilla.com/D40845

--HG--
extra : moz-landing-system : lando
2019-08-10 00:19:48 +00:00
Gabriele Svelto 53d4ac9807 Bug 1572565 - Make the remote sandbox broker process' telemetry string consistent r=jld
Differential Revision: https://phabricator.services.mozilla.com/D41291

--HG--
extra : moz-landing-system : lando
2019-08-09 00:03:33 +00:00
Tom Schuster 2c4cb96468 Bug 1558915 - Use infallible nsIURI::SchemeIs everywhere. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D41367

--HG--
extra : moz-landing-system : lando
2019-08-09 15:17:06 +00:00