Граф коммитов

15029 Коммитов

Автор SHA1 Сообщение Дата
Dragana Damjanovic 50665cfef1 Bug 1581637 - Part 8 - Add Http3Session/Http3Stream. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D46652

--HG--
extra : moz-landing-system : lando
2019-10-30 21:09:09 +00:00
Razvan Maries 5946283fbc Backed out changeset 8a690dff4180 (bug 1591691) for build bustages on EnterpriseRoots.cpp. CLOSED TREE 2019-10-30 22:51:25 +02:00
Dana Keeler e7f3e82efb bug 1591691 - avoid network I/O when importing enterprise roots on Windows r=mhowell
Differential Revision: https://phabricator.services.mozilla.com/D51007

--HG--
extra : moz-landing-system : lando
2019-10-30 19:55:42 +00:00
Gijs Kruitbosch 8af91551b6 Bug 1585732 - use staticprefs for media.cubeb.sandbox, r=haik
Differential Revision: https://phabricator.services.mozilla.com/D50955

--HG--
extra : moz-landing-system : lando
2019-10-29 23:33:45 +00:00
Gijs Kruitbosch 1bb658765f Bug 1585732 - use staticprefs for security.sandbox.content.level, r=haik
Differential Revision: https://phabricator.services.mozilla.com/D50954

--HG--
extra : moz-landing-system : lando
2019-10-29 23:32:39 +00:00
Sean Feng 74eaf3ce20 Bug 1592083 - Convert certList to raw array for nsITransportSecurityInfo r=keeler,Ehsan,kershaw
This patch converts the certList attribute of nsITransportSecurityInfo
from nsIX509CertList to Array<nsIx509Cert>

Differential Revision: https://phabricator.services.mozilla.com/D48745

--HG--
extra : moz-landing-system : lando
2019-10-29 17:20:07 +00:00
Haik Aftandilian 87432d9ae1 Bug 1586888 - Test security/sandbox/test/browser_content_sandbox_fs.js has failures on macOS Catalina r=gcp
Don't test with directories not present on macOS 10.15.

Differential Revision: https://phabricator.services.mozilla.com/D49499

--HG--
extra : moz-landing-system : lando
2019-10-29 10:45:43 +00:00
ffxbld b6ddb7ea53 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D50806

--HG--
extra : moz-landing-system : lando
2019-10-28 13:17:59 +00:00
Sean Feng ce3169b453 Bug 1590709 - Fix crash in TransportSecurityInfo::ReadCertList r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D50557

--HG--
extra : moz-landing-system : lando
2019-10-25 18:20:53 +00:00
Dana Keeler bca86d27cc bug 1589824 - pass a typed array to OS.File.writeAtomic in certificate export r=Gijs
OS.File.writeAtomic expects either a utf-8 string or a typed array. This patch
fixes instances in pippki.js in certificate export where this was not
guaranteed to be the case. It also extends the test for this functionality to
cover more cases.

Differential Revision: https://phabricator.services.mozilla.com/D50117

--HG--
extra : moz-landing-system : lando
2019-10-25 17:37:20 +00:00
Dana Keeler 2e5c90833c bug 1590888 - reinstate filtering of client certificate selection during the TLS handshake r=kjacobs
Bug 1267643 removed filtering of client certificates based on the
"certificate_authorities" list sent in the client certificate request from the
server in TLS handshakes because it is impossible to implement as specified
without false negatives (i.e. excluding certificates that could be usable but
don't seem to be according to the certificates the client is aware of). In
practice, however, it seems enough users rely on this behavior[0] that we
should add it back until the platform can save client certificate selections
across restarts and the "select one automatically" option is removed (see also
bug 634697).

[0] See e.g. bug 1588703, bug 1590297, bug 1590596, bug 1074195 comment 27,
and any other duplicates of this bug.

Differential Revision: https://phabricator.services.mozilla.com/D50355

--HG--
extra : moz-landing-system : lando
2019-10-25 17:11:25 +00:00
Martin Thomson afe157c082 Bug 1576790 - Enable version downgrade sentinel in TLS, r=keeler
This change enables the version downgrade sentinel across all channels.  We
don't have good telemetry on this, but Chrome reports 0.02%, which is low enough
to just make the change without additional validation on our end.

This only really affects intercepting middleboxes that forward the real server's
ServerHello.random.  That's a terrible idea, and, as above, the evidence
suggests that this is now rare enough to have those boxes break connections.
The pref will remain for those cases where problems persist.

Differential Revision: https://phabricator.services.mozilla.com/D50387

--HG--
extra : moz-landing-system : lando
2019-10-24 00:49:51 +00:00
Dana Keeler e064323a59 bug 1063276 - include the peer cert chain from the TLS handshake when verifying server certificates r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D50129

--HG--
extra : moz-landing-system : lando
2019-10-24 22:48:40 +00:00
ffxbld f5837b4bc2 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D50470

--HG--
extra : moz-landing-system : lando
2019-10-24 14:42:33 +00:00
Dana Keeler 766d2e096c Bug 1584401 - build osclientcerts in-tree on Windows. r=jcj,kjacobs
This adds a preliminary implementation of a PKCS#11 module that allows Firefox
to access client certificates for TLS client authentication on Windows.
2019-09-18 10:27:50 -07:00
Haik Aftandilian 43ab4ea7a3 Bug 1587962 - [10.15] "Use keyboard navigation" and "jump to spot" scrolling preferences do not work r=spohl
Update sandbox rules to allow services and files needed for global UI system preferences.

Update tests now that stat() calls on the filesystem are permitted.

Differential Revision: https://phabricator.services.mozilla.com/D50298

--HG--
extra : moz-landing-system : lando
2019-10-23 19:56:56 +00:00
Marcus Burghardt ec4fc41539 Bug 1586081 - Remove special EV treatment from GlobalSign Extended Validation CA - SHA256 - G2. r=keeler
In 2017-04, due a transition of two CA certs from GobalSign to Google, a temporary and exceptional EV treatment was deployed in PSM for this transition:
https://bugzilla.mozilla.org/show_bug.cgi?id=1349762

This exception was removed with this patch.

Differential Revision: https://phabricator.services.mozilla.com/D49106

--HG--
extra : moz-landing-system : lando
2019-10-15 17:11:35 +00:00
Geoff Brown de6c41dd8a Bug 1585119 - Re-enable yet more mochitests on android; r=geckoview-reviewers,snorp
Most of these tests have been disabled for a long time; they run well
in the current test environment.
This completes my review of skipped Android tests.

Differential Revision: https://phabricator.services.mozilla.com/D49954

--HG--
extra : moz-landing-system : lando
2019-10-22 20:10:27 +00:00
Tim Nguyen 6d79a27dfb Bug 1590387 - Remove remaining usages of XUL textboxes. r=bgrins
Differential Revision: https://phabricator.services.mozilla.com/D50063

--HG--
extra : moz-landing-system : lando
2019-10-22 19:27:23 +00:00
Daniel Varga 964a732b29 Backed out changeset 055ba7efc9cd (bug 1584401) for rust build bustage. On a CLOSED TREE 2019-10-22 22:04:40 +03:00
Dana Keeler 28cc0dc938 bug 1584401 - build osclientcerts in-tree on Windows r=jcj,kjacobs
This adds a preliminary implementation of a PKCS#11 module that allows Firefox
to access client certificates for TLS client authentication on Windows.
2019-09-18 10:27:50 -07:00
Gian-Carlo Pascutto c92f1fd819 Bug 1581239 - Verify that sandboxed processes' access to /proc/self/fd is blocked. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D46815

--HG--
extra : moz-landing-system : lando
2019-10-18 01:12:38 +00:00
Mihai Alexandru Michis 44e67f1a7f Backed out changeset 11e5baee978e (bug 1580315) for issues related to certList. CLOSED TREE 2019-10-21 23:50:35 +03:00
Sean Feng 2279d51cf5 Bug 1580315 - Convert certList to raw array for nsITransportSecurityInfo r=keeler,Ehsan,kershaw
This patch converts the certList attribute of nsITransportSecurityInfo
from nsIX509CertList to Array<nsIx509Cert>

Differential Revision: https://phabricator.services.mozilla.com/D48745

--HG--
extra : moz-landing-system : lando
2019-10-21 19:49:01 +00:00
ffxbld 4c889635b4 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49928

--HG--
extra : moz-landing-system : lando
2019-10-21 13:23:30 +00:00
J.C. Jones 71a6cf2bcd Bug 1577822 - land NSS NSS_3_47_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-18  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.47 final
	[7ccb4ade5577] [NSS_3_47_RTM] <NSS_3_47_BRANCH>

	* .hgtags:
	Added tag NSS_3_47_BETA4 for changeset d3c8638f85cd
	[d5bd7be1bf2a]

Differential Revision: https://phabricator.services.mozilla.com/D49813

--HG--
extra : moz-landing-system : lando
2019-10-18 22:42:33 +00:00
J.C. Jones 00dafac3ef Bug 1577822 - land NSS NSS_3_47_BETA4 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-18  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant
	r=jcj,kjacobs

	[d3c8638f85cd] [NSS_3_47_BETA4]

2019-10-17  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc:
	Bug 1589120 - Additional test vectors for CBC padding. r=jcj

	This patch adds more test vectors for AES-CBC and 3DES-CBC padding.

	[7f17b911ac99]

	* gtests/pk11_gtest/manifest.mn,
	gtests/pk11_gtest/pk11_aeskeywrappad_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp:
	Bug 1589120 - Tests for padded AES key wrap r=jcj

	This patch adds test vectors for padded AES Key Wrap. AES-CBC and
	3DES-CBC ports of the same vectors will be included in a separate
	revision.

	[fb4d9b6ea2c4]

2019-10-16  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc, gtests/ssl_gtest/tls_agent.h,
	gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/sslimpl.h, lib/ssl/tls13subcerts.c,
	tests/common/certsetup.sh, tests/ssl_gtests/ssl_gtests.sh:
	Bug 1588244 - SSLExp_DelegateCredential to support 'rsaEncryption'
	end-entity certs with default scheme override r=mt

	If an end-entity cert has an SPKI type of 'rsaEncryption', override
	the DC alg to be `ssl_sig_rsa_pss_rsae_sha256`.

	[93383e0fb833]

2019-10-16  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA3 for changeset f10c3e0757b7
	[fa8a67bee2dc]

Differential Revision: https://phabricator.services.mozilla.com/D49774

--HG--
extra : moz-landing-system : lando
2019-10-18 17:05:24 +00:00
Sean Feng d08c434be2 Bug 1580315 - Use cert array to do certList serialization r=keeler
The internal representation of certList has been converted to
cert array, and this patch does it for the serialization.

Differential Revision: https://phabricator.services.mozilla.com/D49347

--HG--
extra : moz-landing-system : lando
2019-10-18 13:42:54 +00:00
Marcus Burghardt b7e036202f Bug 1585449 - Disable EV treatment for Global Chambersign Root – 2008 root. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D48959

--HG--
extra : moz-landing-system : lando
2019-10-11 20:15:29 +00:00
ffxbld 716fe01e26 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49605

--HG--
extra : moz-landing-system : lando
2019-10-17 14:34:51 +00:00
Srujana Peddinti e41bc4753a Bug 1570009 - Part 3 : Added GPU Process testing to the framework. r=bobowen
Adds support for creating and using a PSandboxTesting actor in the GPU process.

Differential Revision: https://phabricator.services.mozilla.com/D42386

--HG--
extra : moz-landing-system : lando
2019-10-14 15:26:47 +00:00
Srujana Peddinti 847842be97 Bug 1570009 - Part 2 : Added Content Process testing to the framework. r=bobowen
Adds the ability to create and run sandbox tests in a content process.

Differential Revision: https://phabricator.services.mozilla.com/D37913

--HG--
extra : moz-landing-system : lando
2019-10-14 15:08:47 +00:00
Srujana Peddinti 51255aa5b8 Bug 1570009 - Part 1: Create a top-level actor in child processes capable of testing the sandbox. r=bobowen,dmajor
This patch includes a new browser chrome mochitest that uses a new XPCOM service (moxISandboxTest) to create a new top-level actor (PSandboxTesting) between the chrome process and any supported child processes (in later parts of this patch set). The framework is makes it easy to add new C/C++ instructions to be tested for permission under real sandbox conditions. Test results can be conditioned on the type of OS, process, sandbox level, etc.

Differential Revision: https://phabricator.services.mozilla.com/D37706

--HG--
extra : moz-landing-system : lando
2019-10-15 07:19:54 +00:00
J.C. Jones ab56e5f10e Bug 1577822 - land NSS NSS_3_47_BETA3 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-16  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Backed out changeset 474d62c9d0db for PK11_Wrap/Unwrap
	issues r=me
	[f10c3e0757b7] [NSS_3_47_BETA3]

2019-10-15  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA2 for changeset f657d65428c6
	[3ca8b20b24ee]

	* cmd/addbuiltin/addbuiltin.c:
	Bug 1465613 - Fixup clang format a=bustage
	[f657d65428c6] [NSS_3_47_BETA2]

2019-10-11  Marcus Burghardt  <mburghardt@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsmime3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
	cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_gtest.gyp,
	gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
	lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
	lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/builtins-testlib.gyp,
	lib/ckfw/builtins/testlib/certdata-testlib.txt,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
	/nssckbi-testlib.rc,
	lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
	lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
	lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
	Bug 1465613 - Created two new fields for scheduled distrust from
	builtins and updated support commands. r=jcj,kjacobs,mt

	Added two new fields do scheduled distrust of CAs in
	nssckbi/builtins. Also, created a testlib to validate these fields
	with gtests.

	[52024949df95]

2019-10-14  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/tls13con.c:
	Bug 1588557 - Fix debug statement, r=jcj

	[0f563a2571c3]

2019-10-15  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
	bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
	mozilla::pkix::BackCert r=jcj

	According to RFC 5280, the definitions of issuerUniqueID and
	subjectUniqueID in TBSCertificate are as follows:

	 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
	subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	where UniqueIdentifier is a BIT STRING.

	IMPLICIT tags replace the tag of the underlying type. For these
	fields, there is no specified class (just a tag number within the
	class), and the underlying type of BIT STRING is "primitive" (i.e.
	not constructed). Thus, the tags should be of the form CONTEXT
	SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
	respectively.

	When originally implemented, mozilla::pkix incorrectly required that
	the CONSTRUCTED bit also be set for these fields. Consequently, the
	library would reject any certificate that actually contained these
	fields. Evidently such certificates are rare.

	[c50f933d37a5]

2019-10-14  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
	r=kjacobs,jcj
	[474d62c9d0db]

2019-10-11  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
	[f60dbafbc182]

Differential Revision: https://phabricator.services.mozilla.com/D49470

--HG--
extra : moz-landing-system : lando
2019-10-16 19:12:50 +00:00
J.C. Jones 962e9e53a9 Backed out changeset 3eb63c112f5a (Bug 1577822) for breaking WebAuthn mochitests UPGRADE_NSS_RELEASE
Differential Revision: https://phabricator.services.mozilla.com/D49374

--HG--
extra : moz-landing-system : lando
2019-10-16 04:36:58 +00:00
J.C. Jones 4309dccf1b Bug 1577822 - land NSS NSS_3_47_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-15  J.C. Jones  <jjones@mozilla.com>

	* cmd/addbuiltin/addbuiltin.c:
	Bug 1465613 - Fixup clang format a=bustage
	[f657d65428c6] [NSS_3_47_BETA2]

2019-10-11  Marcus Burghardt  <mburghardt@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt, automation/abi-
	check/expected-report-libsmime3.so.txt, automation/abi-check
	/expected-report-libssl3.so.txt, cmd/addbuiltin/addbuiltin.c,
	cmd/lib/secutil.c, gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_gtest.gyp,
	gtests/softoken_gtest/softoken_nssckbi_testlib_gtest.cc,
	lib/certdb/certdb.c, lib/certdb/certt.h, lib/ckfw/builtins/README,
	lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/manifest.mn,
	lib/ckfw/builtins/nssckbi.h, lib/ckfw/builtins/testlib/Makefile,
	lib/ckfw/builtins/testlib/builtins-testlib.gyp,
	lib/ckfw/builtins/testlib/certdata-testlib.txt,
	lib/ckfw/builtins/testlib/config.mk,
	lib/ckfw/builtins/testlib/manifest.mn, lib/ckfw/builtins/testlib
	/nssckbi-testlib.rc,
	lib/ckfw/builtins/testlib/testcert_err_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_no_distrust.txt,
	lib/ckfw/builtins/testlib/testcert_ok_distrust.txt,
	lib/ckfw/manifest.mn, lib/nss/nss.def, lib/pki/pki3hack.c,
	lib/softoken/sdb.c, lib/util/pkcs11n.h, nss.gyp, tests/cert/cert.sh:
	Bug 1465613 - Created two new fields for scheduled distrust from
	builtins and updated support commands. r=jcj,kjacobs,mt

	Added two new fields do scheduled distrust of CAs in
	nssckbi/builtins. Also, created a testlib to validate these fields
	with gtests.

	[52024949df95]

2019-10-14  Martin Thomson  <martin.thomson@gmail.com>

	* lib/ssl/tls13con.c:
	Bug 1588557 - Fix debug statement, r=jcj

	[0f563a2571c3]

2019-10-15  Dana Keeler  <dkeeler@mozilla.com>

	* gtests/mozpkix_gtest/pkixder_universal_types_tests.cpp,
	lib/mozpkix/include/pkix/pkixder.h, lib/mozpkix/lib/pkixcert.cpp:
	bug 1579060 - fix handling of issuerUniqueID and subjectUniqueID in
	mozilla::pkix::BackCert r=jcj

	According to RFC 5280, the definitions of issuerUniqueID and
	subjectUniqueID in TBSCertificate are as follows:

	 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
	subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,

	where UniqueIdentifier is a BIT STRING.

	IMPLICIT tags replace the tag of the underlying type. For these
	fields, there is no specified class (just a tag number within the
	class), and the underlying type of BIT STRING is "primitive" (i.e.
	not constructed). Thus, the tags should be of the form CONTEXT
	SPECIFIC | [number in class], which comes out to 0x81 and 0x82,
	respectively.

	When originally implemented, mozilla::pkix incorrectly required that
	the CONSTRUCTED bit also be set for these fields. Consequently, the
	library would reject any certificate that actually contained these
	fields. Evidently such certificates are rare.

	[c50f933d37a5]

2019-10-14  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c:
	Bug 1459141 - Rewrite softoken CBC pad check to be constant time.
	r=kjacobs,jcj
	[474d62c9d0db]

2019-10-11  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_47_BETA1 for changeset 93245f5733b3
	[f60dbafbc182]

Differential Revision: https://phabricator.services.mozilla.com/D49365

--HG--
extra : moz-landing-system : lando
2019-10-16 00:57:04 +00:00
Sean Feng 2fa45cc172 Bug 1580315 - Change certList internal representation to Array r=keeler
This patch intends to change the internal reprensentation of certList
from nsIX509CertList to Array for TransportSecurityInfo.

Differential Revision: https://phabricator.services.mozilla.com/D48744

--HG--
extra : moz-landing-system : lando
2019-10-15 19:57:23 +00:00
ffxbld cbc7251ad9 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D49151

--HG--
extra : moz-landing-system : lando
2019-10-14 13:16:30 +00:00
J.C. Jones 685c607058 Bug 1577822 - land NSS NSS_3_47_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-11  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1583068 - Require NSPR version 4.23 r=jcj
	[93245f5733b3] [NSS_3_47_BETA1]

2019-10-11  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/config.gypi, lib/freebl/freebl.gyp:
	Bug 1152625 - Add gyp flag for disabling ARM HW AES r=jcj

	Adds an option to disable ARMv8 HW AES, if `-Ddisable_arm_hw_aes=1`
	is passed to build.sh.

	Depends on D34473

	[9abcea09fdd4]

2019-10-11  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/aes-armv8.c:
	Bug 1152625 - Part 2. Remove __builtin_assume to avoid crash on PGO.
	r=kjacobs,mt

	`AESContext->iv` doesn't align to 16 bytes on PGO build, so we
	should remove __builtin_assume. Also, I guess that `expandedKey` has
	same problem.

	[1b0f5c5335ee]

	* lib/freebl/Makefile, lib/freebl/aes-armv8.c, lib/freebl/aes-armv8.h,
	lib/freebl/freebl.gyp, lib/freebl/intel-aes.h,
	lib/freebl/rijndael.c:
	Bug 1152625 - Support AES HW acceleration on ARMv8. r=kjacobs,jcj

	[efb895a43899]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_ciphersuite_unittest.cc,
	gtests/ssl_gtest/ssl_extension_unittest.cc,
	gtests/ssl_gtest/ssl_fuzz_unittest.cc,
	gtests/ssl_gtest/tls_esni_unittest.cc, lib/ssl/ssl3con.c,
	lib/ssl/ssl3exthandle.c, lib/ssl/sslimpl.h, lib/ssl/tls13con.c:
	Bug 1549225 - Up front Signature Scheme validation, r=ueno

	Summary: This patch started as an attempt to ensure that a DSA
	signature scheme would not be advertised if we weren't willing to
	negotiate versions less than TLS 1.3. Then I realized that we didn't
	do the same for PKCS#1 RSA.

	Then I realized that we were still willing to try to establish
	connections when we had a certificate that we couldn't use.

	Then I realized that ssl3_config_match_init() wasn't being run
	consistently. On resumption, we only ran it when we were PARANOID.
	That's silly because we weren't checking policies.

	Then I realized that we were allowing ECDSA certificates to be used
	when the named group in the certificate was disabled. We weren't
	enforcing that consistently either. However, I also discovered that
	the check we have wouldn't work without a tweak because in TLS 1.3
	the named group is part of the signature scheme; the configured
	named groups are only used prior to TLS 1.3 when selecting
	ECDSA/ECDH certificates.

	So that sounds like a lot of changes but what it boils down to is
	more robust checking of the configuration prior to starting a
	connection. As a result, we should be offering fewer options that
	we're unwilling or unable to follow through on. A good number of
	tests needed tweaking as a result because we were relying on getting
	past the checks in those tests. No real problems were found as a
	result; this just moves failures that might arise from
	misconfiguration a little earlier in the process.

	[9b418f0a4912]

2019-10-08  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_der_private_key_import_unittest.cc,
	lib/pk11wrap/pk11pk12.c:
	Bug 1586947 - Store nickname during EC key import. r=jcj

	This patch stores the nickname (if specified) during EC key import.
	This was already done for all other key types.

	[c319019aee75]

2019-10-08  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/certdb/stanpcertdb.c, lib/pk11wrap/pk11load.c,
	lib/pki/pki3hack.c:
	Bug 1586456 - Unnecessary conditional in pki3hack, pk11load and
	stanpcertdb. r=jcj

	Some conditionals that are always true were removed.

	[b34061c3a377]

Differential Revision: https://phabricator.services.mozilla.com/D49030

--HG--
extra : moz-landing-system : lando
2019-10-12 00:01:25 +00:00
ffxbld 8d4072c53b No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48836

--HG--
extra : moz-landing-system : lando
2019-10-10 14:38:00 +00:00
Johann Hofmann ede37582aa Bug 1583067 - Use correct window opener for chrome windows in certManager.js. r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47923

--HG--
extra : moz-landing-system : lando
2019-10-08 21:37:57 +00:00
Kevin Jacobs f44743a255 Bug 1564179 - Add telemetry for delegated credentials r=jcj
This patch adds telemetry for the Delegated Credentials TLS extension [0].

The data review questions are answered in [1], though I've never gone through this process, so questions I'm unsure how to answer are highlighted.

[0] https://tools.ietf.org/html/draft-ietf-tls-subcerts-04
[1] https://docs.google.com/document/d/1UAljhHppirlQphDFn9ly9-iWbK8V23GhoRztAS1rGvk

Differential Revision: https://phabricator.services.mozilla.com/D46379

--HG--
extra : moz-landing-system : lando
2019-10-07 23:38:34 +00:00
Ricky Stewart c010710916 Bug 1586358 - Replace existing instances of GENERATED_FILES with references to the GeneratedFile template r=firefox-build-system-reviewers,mshal
(Same content as bad revision https://phabricator.services.mozilla.com/D48230, but with a very small change to config/external/icu/data/moz.build to fix the build breakage.)

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=833f6a69fcac689488a640b43e8e0bdaa086a56c

Differential Revision: https://phabricator.services.mozilla.com/D48409

--HG--
extra : moz-landing-system : lando
2019-10-07 21:15:19 +00:00
Kris Maglione 3ed2b788cf Bug 1583886: Fix yet more untested content windows which open chrome windows. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D47135

--HG--
extra : moz-landing-system : lando
2019-10-07 19:47:36 +00:00
Junior Hsu 1f16c48cd1 Bug 1584005 - P2 fix tests with wrong parameter to ZipWriter r=michal
Differential Revision: https://phabricator.services.mozilla.com/D47359

--HG--
extra : moz-landing-system : lando
2019-10-07 18:29:15 +00:00
Daniel Varga 052ef806b5 Backed out changeset 8d95f2c8867b (bug 1586358) for build bustage with FATAL ERROR PROCESSING MOZBUILD FILE. On a CLOSED TREE
--HG--
extra : rebase_source : 325fbad2455afc7f693087e75fa57dba79f4d86b
2019-10-07 20:22:08 +03:00
Ricky Stewart 940d91af38 Bug 1586358 - Replace existing instances of GENERATED_FILES with references to the GeneratedFile template r=nalexander
This patch doesn't remove all references to GENERATED_FILES, but does remove most of them, leaving only those which can't be trivially translated to the new template.

Try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=e4a25230c3992b9c5519ceb351fb37f6b2bf605e

Differential Revision: https://phabricator.services.mozilla.com/D48230

--HG--
extra : moz-landing-system : lando
2019-10-07 15:31:05 +00:00
ffxbld 5a0922f7cb No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48342

--HG--
extra : moz-landing-system : lando
2019-10-07 13:11:07 +00:00
Sylvestre Ledru f12b9fa5c3 Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D47737

--HG--
extra : moz-landing-system : lando
2019-10-06 18:29:55 +00:00
Dana Keeler 67fc934d4b bug 1570222 - avoid passing unrelated certificates to mozilla::pkix from NSSCertDBTrustDomain r=kjacobs
During path building, mozilla::pkix filters out candidate certificates provided
by trust domains where the subject distinguished name does not match the issuer
distinguished name of the certificate it's trying to find an issuer for.
However, if there's a problem decoding the candidate issuer certificate,
mozilla::pkix will make a note of this error, regardless of if that certificate
was potentially a suitable issuer. If no trusted path is found, the error from
that unrelated certificate may ultimately be returned by mozilla::pkix,
resulting in confusion.

Before this patch, NSSCertDBTrustDomain could cause this behavior by blithely
passing every known 3rd party certificate to mozilla::pkix (other sources of
certificates already filter on subject distinguished name). This patch adds
filtering to 3rd party certificates as well.

Differential Revision: https://phabricator.services.mozilla.com/D48120

--HG--
extra : moz-landing-system : lando
2019-10-04 16:46:08 +00:00
Haik Aftandilian c0f7925547 Bug 1578907 - MacOS 10.15 Beta - Flash File Picker broken r=spohl
Allow access to extra services needed to open file pickers from the Flash process on 10.15.

Differential Revision: https://phabricator.services.mozilla.com/D48145

--HG--
extra : moz-landing-system : lando
2019-10-04 15:38:07 +00:00
J.C. Jones 26d284f717 Bug 1577822 - land NSS dc86215aea17 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-03  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1576307 - Fixup for fips tests, permit NULL iv as necessary.
	r=jcj

	ECB mode should not require an IV.

	[dc86215aea17] [tip]

2019-09-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/pk11_gtest/pk11_cbc_unittest.cc, lib/softoken/pkcs11c.c:
	Bug 1576307 - Check mechanism param and param length before casting
	to mechanism-specific structs. r=jcj

	This patch adds missing PKCS11 input parameter checks, which are
	needed prior to casting to mechanism-specific structs.

	[53d92a324080]

Differential Revision: https://phabricator.services.mozilla.com/D48109

--HG--
extra : moz-landing-system : lando
2019-10-03 20:05:41 +00:00
ffxbld 9238ced3bb No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D48055

--HG--
extra : moz-landing-system : lando
2019-10-03 13:40:24 +00:00
J.C. Jones a9376fa7c8 Bug 1577822 - land NSS c0913ad7a560 UPGRADE_NSS_RELEASE, r=kjacobs
2019-10-01  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1577953 - Support longer (up to RFC maximum) HKDF outputs r=jcj

	HKDF-Expand enforces a maximum output length much shorter than
	stated in the RFC. This patch aligns the implementation with the RFC
	by allocating more output space when necessary.

	[c0913ad7a560] [tip]

2019-09-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/common/testvectors/curve25519-vectors.h,
	gtests/pk11_gtest/pk11_curve25519_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_unittest.cc,
	gtests/pk11_gtest/pk11_ecdsa_vectors.h,
	gtests/pk11_gtest/pk11_signature_test.h:
	Bug 1558234 - Additional EC key tests, r=jcj

	Adds additional EC key corner case testing.

	[c20364849713]

Differential Revision: https://phabricator.services.mozilla.com/D47805

--HG--
extra : moz-landing-system : lando
2019-10-01 22:59:31 +00:00
Cameron McCormack 3a96c1c704 Bug 1584904 - Remove cert_storage dependency on style. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47727

--HG--
extra : moz-landing-system : lando
2019-10-01 16:58:38 +00:00
shravanrn@gmail.com bb7e97ff6a Bug 1575985 part 2 - Allow RW access to /dev/null in content sandbox r=gcp
This is needed by lucet to run WASM sandboxed libraries.

Differential Revision: https://phabricator.services.mozilla.com/D46108

--HG--
extra : moz-landing-system : lando
2019-09-30 21:57:34 +00:00
Anny Gakhokidze 4b5f88535e Bug 1582531 - Update fission annotations for mochitests, r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47646

--HG--
extra : moz-landing-system : lando
2019-10-01 14:24:15 +00:00
Kershaw Chang ea003728d3 Bug 1560353 - Add test for external session cache r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47432

--HG--
extra : moz-landing-system : lando
2019-09-30 13:25:03 +00:00
Kershaw Chang 3f5bb45b8e Bug 1560353 - Extend SSLTokensCache to store the result of VerifySSLServerCert r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D46159

--HG--
extra : moz-landing-system : lando
2019-10-01 12:10:58 +00:00
Gabriele Svelto 10d41866a5 Bug 1585156 - Remove useless inclusions of nsIDOMWindow.h and nsIDOMWindowUtils.h r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D47678

--HG--
extra : moz-landing-system : lando
2019-09-30 22:06:47 +00:00
Kevin Jacobs ba6668c25c Bug 1583610 - Prefer TLS_CHACHA20_POLY1305_SHA256 in TLS1.3 on ARM r=keeler
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.

As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.

Differential Revision: https://phabricator.services.mozilla.com/D47485

--HG--
extra : rebase_source : 0252cf321225cd644a463fd94561fd6af38b3837
extra : source : 4836c05dd2eee11bf9d836fb0505e77450b0651b
2019-09-30 14:43:43 +00:00
Ciure Andrei e309d0402c Backed out changeset 4836c05dd2ee (bug 1583610) for causing toolchanins bustages CLOSED TREE 2019-09-30 22:01:19 +03:00
Kevin Jacobs 2dc56b1bbe Bug 1583610 - Prefer TLS_CHACHA20_POLY1305_SHA256 in TLS1.3 on ARM r=keeler
This patch sets the preference order for `TLS_CHACHA20_POLY1305_SHA256` over `TLS_AES_128_GCM_SHA256` for ARM builds.

As noted in the bug, this is far from an ideal way to do this. The implementation is purposefully simplistic so as to minimize any performance hit. If we want to accept doing this configuration for every new TLS connection, `SSL_CipherSuiteOrderGet` **will** return the pref-filtered (i.e. only the enabled) ciphers, but in the default NSS order. We would have to build a new list by referencing this output with another ordered list defined in PSM. If we want to leave NSS as-is (instead of offering a global reconfiguration API), we should do this.

Differential Revision: https://phabricator.services.mozilla.com/D47485

--HG--
extra : moz-landing-system : lando
2019-09-30 14:43:43 +00:00
J.C. Jones af55efcd96 Bug 1577822 - land NSS 5619cbbca3db UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-27  J.C. Jones  <jjones@mozilla.com>

	* lib/softoken/pkcs11.c, lib/softoken/pkcs11i.h,
	lib/softoken/pkcs11u.c:
	Bug 1508776 - Remove unneeded refcounting from SFTKSession
	r=mt,kjacobs

	SFTKSession objects are only ever actually destroyed at PK11 session
	closure, as the session is always the final holder -- and asserting
	refCount == 1 shows that to be true. Because of that,
	NSC_CloseSession can just call `sftk_DestroySession` directly and
	leave `sftk_FreeSession` as a no-op to be removed in the future.

	[5619cbbca3db] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D47631

--HG--
extra : moz-landing-system : lando
2019-09-30 16:26:14 +00:00
ffxbld 8a664f77d8 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D47597

--HG--
extra : moz-landing-system : lando
2019-09-30 13:11:37 +00:00
Kershaw Chang 71689c452b Bug 1580138 - Use peer id to isolate token cache r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D45406

--HG--
extra : moz-landing-system : lando
2019-09-30 12:15:07 +00:00
J.C. Jones ecb14a1f95 Bug 1577822 - land NSS be9c48ad76cb UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-27  Daiki Ueno  <dueno@redhat.com>

	* cmd/lib/Makefile, cmd/lib/lib.gyp, cmd/lib/manifest.mn,
	cmd/lib/secutil.c, cmd/lib/secutil.h, cmd/platlibs.mk,
	cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c, tests/ssl/ssl.sh:
	Bug 1494063, add -x option to tstclnt/selfserv to export keying
	material, r=mt

	Reviewers: rrelyea, mt

	Reviewed By: mt

	Subscribers: HubertKario

	Bug #: 1494063

	[be9c48ad76cb] [tip]

2019-02-25  Martin Thomson  <martin.thomson@gmail.com>

	* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_import_unittest.cc,
	gtests/pk11_gtest/pk11_key_unittest.cc,
	gtests/pk11_gtest/pk11_keygen.cc, gtests/pk11_gtest/pk11_keygen.h:
	Bug 1515342 - Tests for invalid DH public keys, r=jcj

	Summary: This prevents crashes on invalid, particularly NULL, keys
	for DH and ECDH.

	I factored out test code already landed for this.

	[7e3476b7a912]

2019-09-27  Martin Thomson  <martin.thomson@gmail.com>

	* cpputil/nss_scoped_ptrs.h, cpputil/scoped_ptrs_util.h,
	gtests/common/testvectors/curve25519-vectors.h,
	gtests/der_gtest/der_quickder_unittest.cc, lib/util/quickder.c:
	Bug 1515342 - Checks for invalid bit strings, r=jcj

	[f4fe0da73446]

2019-09-27  Martin Thomson  <mt@lowentropy.net>

	* cmd/lib/derprint.c:
	Bug 1581024 - Fix pointer comparisons, a=bustage
	[062bc5e9859a]

2019-09-24  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/derprint.c:
	Bug 1581024 - fixup pointer wrap check to prevent it from being
	optimized out. r=jcj

	[f7fef2487a60]

2019-09-26  Deian Stefan  <deian@cs.ucsd.edu>

	* lib/softoken/pkcs11c.c, lib/softoken/tlsprf.c:
	Bug 1582343 - Use constant time memcmp in more places r=kjacobs,jcj
	[86ef6ba1f1d7]

2019-09-26  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_aes_gcm_unittest.cc, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c:
	Bug 1578238 - Validate tag size in AES_GCM. r=kjacobs,jcj

	Validate tag size in AES_GCM.

	[4e3971fd992c]

	* gtests/pk11_gtest/manifest.mn, gtests/pk11_gtest/pk11_gtest.gyp,
	gtests/pk11_gtest/pk11_seed_cbc_unittest.cc, lib/freebl/seed.c:
	Bug 1576295 - SEED_CBC encryption check input arguments.
	r=kjacobs,jcj,mt

	Ensure the arguments passed to these functions are valid.

	[7580a5a212c7]

Differential Revision: https://phabricator.services.mozilla.com/D47494

--HG--
extra : moz-landing-system : lando
2019-09-27 20:31:22 +00:00
Aaron Klotz d6a413befe Bug 1584587: Compile OSReauthenticator.cpp via SOURCES instead of UNIFIED_SOUCES on Windows; r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D47467

--HG--
extra : moz-landing-system : lando
2019-09-27 20:25:44 +00:00
dleblanccyr 5a7f6525d2 Bug 1573143 - Links certificate issuer to its respective tab. r=johannh
Depends on D41979

Differential Revision: https://phabricator.services.mozilla.com/D41610

--HG--
extra : moz-landing-system : lando
2019-09-27 15:35:41 +00:00
Anny Gakhokidze f1c694e18f Bug 1582531 - Update fission annotations for skipped tests that are now passing succesfully, r=kmag
Differential Revision: https://phabricator.services.mozilla.com/D47347

--HG--
extra : moz-landing-system : lando
2019-09-27 14:25:10 +00:00
Martin Thomson a7ed72cb2e Bug 1579285 - Add pref to override minimum TLS version r=keeler
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation.  During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.

Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref.  What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.

This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
2019-09-27 01:26:08 +00:00
Coroiu Cristina 735d79f681 Backed out 4 changesets (bug 1579285, bug 1579270) for browser-chrome failures at browser/base/content/test/siteIdentity/browser_deprecatedTLSVersions.js on a CLOSED TREE
Backed out changeset 36d7cc55bd16 (bug 1579285)
Backed out changeset 26e3ed3c1592 (bug 1579285)
Backed out changeset 913652258fe6 (bug 1579285)
Backed out changeset 0781e60dd54c (bug 1579270)
2019-09-27 04:19:59 +03:00
Martin Thomson bcf590a1d0 Bug 1579285 - Add pref to override minimum TLS version r=keeler
The intent of adding this pref is to allow us to change defaults for
security.tls.version.min for a progressive rollout of a TLS 1.0 and 1.1
deprecation.  During that process, we'd like to offer the option to enable these
old TLS versions, without adding a pref override that would cause those versions
to remain enabled once we finish the rollout.

Those people who have triggered the override will be able to access TLS 1.0 and
1.1 sites until we eventually remove the code that respects this pref.  What is
likely to happen is that this pref will remain in code past the end of our
rollout for part of a release cycle, plus maybe the next cycle depending on
how timing works out.

This pref is a simple boolean that we'll remove in March 2020.

Differential Revision: https://phabricator.services.mozilla.com/D45798

--HG--
extra : moz-landing-system : lando
2019-09-16 19:36:08 +00:00
Tim Nguyen 85e78f6671 Bug 1562811 - Replace XUL textboxes with HTML inputs in security/manager/pki/resources/content/load_device.xul. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D36564

--HG--
extra : moz-landing-system : lando
2019-09-26 16:31:15 +00:00
Carolina 5f207f00a6 Bug 1580923 - Fixes problem when opening a certificate from downloadcert.xul.r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D46054

--HG--
extra : moz-landing-system : lando
2019-09-26 16:13:32 +00:00
ffxbld c9b081d8c9 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D47244

--HG--
extra : moz-landing-system : lando
2019-09-26 14:33:06 +00:00
Kershaw Chang b219613dd5 Bug 1580272 - Remove unnecessary call to proxyStartSSL r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D46969

--HG--
extra : moz-landing-system : lando
2019-09-24 17:44:55 +00:00
Victor Porof b0783dc7ee Bug 1583439 - Update lmdb-rkv-sys, lmdb-rkv and rkv crates to their latest versions, r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D46899

--HG--
extra : moz-landing-system : lando
2019-09-26 11:52:13 +00:00
Dragana Damjanovic 1d40d354bd Bug 1577643 - Implement a security info class for the quic transport. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44073

--HG--
extra : moz-landing-system : lando
2019-09-25 20:23:56 +00:00
Dragana Damjanovic 5f2cea9512 Bug 1577643 - Make AuthCertificateHook work without PRFileDesc and also make code work with TransportSecurityInfo. r=keeler
This patch makes the certificate authentication work with TransportSecurityInfo, so that it can be used for nsNSSSocketInfo and a quic's version of the security info class.
Also it adds a new AuthCertificateHookWithInfo function that will be called by Http3Session to authenticate certificates.

Differential Revision: https://phabricator.services.mozilla.com/D44064

--HG--
extra : moz-landing-system : lando
2019-09-26 10:14:53 +00:00
Brian Grinstead b7788d49ec Bug 1581914 - Set default margins for html|input in global.css r=dao
Differential Revision: https://phabricator.services.mozilla.com/D46531

--HG--
extra : moz-landing-system : lando
2019-09-25 16:20:19 +00:00
Daniel Varga 90b9fde46d Backed out changeset 156e22161091 (bug 1580138) for build bustage in toolkit/library/gtest/target. On a CLOSED TREE 2019-09-25 13:42:43 +03:00
Kershaw Chang d2ab74115b Bug 1580138 - Use peer id to isolate token cache r=dragana,keeler
Differential Revision: https://phabricator.services.mozilla.com/D45406

--HG--
extra : moz-landing-system : lando
2019-09-25 10:22:25 +00:00
Mihai Alexandru Michis 3ced6be81c Backed out 1 changesets (bug 1577643) for causing bustages in QuicSocketControl.h:45:57 CLOSED TREE
Backed out changeset 48ce2b670f32 (bug 1577643)
2019-09-25 03:08:58 +03:00
Dragana Damjanovic 2fe2e913f8 Bug 1577643 - Implement a security info class for the quic transport. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44073

--HG--
extra : moz-landing-system : lando
2019-09-24 20:56:39 +00:00
J.C. Jones 3e77ba718d Bug 1577822 - land NSS 03039d4fad57 UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-23  Daiki Ueno  <dueno@redhat.com>

	* gtests/ssl_gtest/ssl_recordsize_unittest.cc, lib/ssl/ssl3con.c,
	tests/tlsfuzzer/config.json.in, tests/tlsfuzzer/tlsfuzzer.sh:
	Bug 1580286, account for IV size when checking TLS 1.2 records, r=mt

	Summary: This increases the limit of record expansion by 16 so that
	it doesn't reject maximum block padding when HMAC-SHA384 is used.

	To test this, tlsfuzzer is updated to the latest version (commit
	80d7932ead1d8dae6e555cfd2b1c4c5beb2847df).

	Reviewers: mt

	Reviewed By: mt

	Bug #: 1580286

	[03039d4fad57] [tip]

2019-09-20  Kai Engert  <kaie@kuix.de>

	* tests/smime/smime.sh:
	Bug 1577448 - Create additional nested S/MIME test messages for
	Thunderbird. r=jcj
	[57977ceea00e]

2019-09-19  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/docker-gcc-4.4/Dockerfile,
	automation/taskcluster/graph/src/try_syntax.js,
	automation/taskcluster/scripts/build.sh,
	automation/taskcluster/scripts/build_gyp.sh,
	automation/taskcluster/scripts/build_nspr.sh,
	automation/taskcluster/scripts/check_abi.sh,
	automation/taskcluster/scripts/gen_coverage_report.sh,
	automation/taskcluster/scripts/run_coverity.sh,
	automation/taskcluster/scripts/run_scan_build.sh,
	automation/taskcluster/windows/build.sh,
	automation/taskcluster/windows/build_gyp.sh:
	Bug 1399095 - Allow nss-try to be used to test NSPR changes.
	r=kjacobs
	[6e1a8a7cb469]

2019-09-16  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/ssl_gtest/manifest.mn,
	gtests/ssl_gtest/ssl_cipherorder_unittest.cc,
	gtests/ssl_gtest/ssl_gtest.gyp, lib/ssl/ssl3con.c, lib/ssl/sslexp.h,
	lib/ssl/sslsock.c:
	Bug 1267894 - New functions for CipherSuites Ordering and gtests.
	r=jcj,kjacobs,mt

	Created two new experimental functions which permit the caller
	change the default order of CipherSuites used during the handshake.

	[2deb38fc1d68]

2019-09-18  Christian Weisgerber  <naddy@mips.inka.de>

	* tests/policy/policy.sh, tests/ssl/ssl.sh:
	Bug 1581507 - Fix unportable grep expression in test scripts
	r=marcusburghardt
	[edc1e405afa4]

2019-09-18  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* lib/jar/jarfile.c:
	Bug 1234830 - [CID 1242894][CID 1242852] unused values.
	r=kaie,r=kjacobs
	[b6d3f5c95aad]

2019-09-18  Kai Engert  <kaie@kuix.de>

	* cmd/symkeyutil/symkeyutil.c:
	Bug 1581759 - fix incorrect if condition in symkeyutil. r=kjacobs
	[306550105228]

Differential Revision: https://phabricator.services.mozilla.com/D46967

--HG--
extra : moz-landing-system : lando
2019-09-24 17:22:25 +00:00
Kris Maglione 7bffa91bb4 Bug 1583114: Fix straggling callers which create chrome windows with content openers. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D46989

--HG--
extra : moz-landing-system : lando
2019-09-24 20:05:37 +00:00
Andrew Halberstadt 898dfb96b4 Bug 1567642 - [lint.flake8] Fix misc flake8 under Python 3 lint issues r=gbrown
Differential Revision: https://phabricator.services.mozilla.com/D45417

--HG--
extra : moz-landing-system : lando
2019-09-24 14:44:01 +00:00
Kershaw Chang 141e986c3f Bug 1546816 - Part 1-6: Add a helper function: AuthCertificateParseResults r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45024

--HG--
extra : moz-landing-system : lando
2019-09-18 10:03:57 +00:00
Geoff Brown dcb380399e Bug 1582785 - Enable some xpcshell tests on Android; r=geckoview-reviewers,agi
Most of these tests have been disabled for a long time; they run well
in the current test environment.

Differential Revision: https://phabricator.services.mozilla.com/D46642

--HG--
extra : moz-landing-system : lando
2019-09-23 22:43:55 +00:00
Dana Keeler 3d10b528b0 bug 1581986 - fix undefined shift behavior in md4 implementation r=kjacobs
Using left shift on a uint8_t promotes it to a signed integer. If the shift is
large enough that the sign bit gets affected, we have undefined behavior. This
patch fixes this by first casting to uint32_t.

Differential Revision: https://phabricator.services.mozilla.com/D46820

--HG--
extra : moz-landing-system : lando
2019-09-23 19:17:52 +00:00
Cosmin Sabou 5ba1c3f18f Backed out changeset 098d87f4abbc (bug 1580923) for browser chrome failures on browser_openTabAndSendCertInfo.js. CLOSED TREE 2019-09-23 20:15:29 +03:00
Carolina 1ea5f188a8 Bug 1580923 - Fixes problem when opening a certificate from downloadcert.xul.r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D46054

--HG--
extra : moz-landing-system : lando
2019-09-23 15:08:42 +00:00
Kershaw Chang aae1400b3c Bug 1546816 - Part 1-5: Add AuthCertificateSetResults helper function r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45023

--HG--
extra : moz-landing-system : lando
2019-09-18 09:53:37 +00:00
ffxbld bdeece726d No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D46777

--HG--
extra : moz-landing-system : lando
2019-09-23 13:09:04 +00:00
Dana Keeler c790b6fff5 bug 1581962 - improve nsINSSComponent::HasUserCertsInstalled by using the more efficient FindNonCACertificatesWithPrivateKeys r=kjacobs
CERT_FindUserCertsByUsage is inefficient when the corpus of known certificates
consists mostly of certificates that don't have corresponding private keys,
which is expected to be the case for most Firefox users. This change updates
the "does the user have any client certificates" functionality to use the more
efficient "FindNonCACertificatesWithPrivateKeys" function added in bug 1573542.

Differential Revision: https://phabricator.services.mozilla.com/D46499

--HG--
extra : moz-landing-system : lando
2019-09-20 16:13:21 +00:00
Zibi Braniecki d112b782ad Bug 1581692 - Remove unused .properties from mobile. CLOSED TREE
Differential Revision: https://phabricator.services.mozilla.com//D46195

Depends on D46194

--HG--
extra : histedit_source : ac50af1eda77301fa016896fc3cc8bb03de7a9d3
2019-09-18 19:39:00 +03:00
ffxbld 959ff7f82f No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D46469

--HG--
extra : moz-landing-system : lando
2019-09-19 14:37:28 +00:00
Dana Keeler 16bb37cff1 bug 1573542 - be more efficient about finding client certificates r=jcj,kjacobs
Before this patch, Firefox would call CERT_FindUserCertsByUsage to gather all
known client certificates. This function enumerates all known certificates and
filters some of them out. When there are many certificates that are not client
certificates (e.g. roots and intermediates), this is inefficient. Since this is
likely to be the case for most users, this patch optimizes this task by instead
first searching for private keys and then gathering all certificates that have
corresponding public keys.

Differential Revision: https://phabricator.services.mozilla.com/D46187

--HG--
extra : moz-landing-system : lando
2019-09-18 23:28:05 +00:00
J.C. Jones 484db3870b Bug 1577822 - land NSS a3ee4f26b4c1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-09-18  Kevin Jacobs  <kjacobs@mozilla.com>

	* cmd/lib/derprint.c:
	Bug 1581024 - Check for pointer wrap in derprint.c. r=jcj

	Check for pointer wrap on output-length check in the derdump
	utility.

	[a3ee4f26b4c1] [tip]

2019-09-18  Giulio Benetti  <giulio.benetti@micronovasrl.com>

	* lib/freebl/gcm-aarch64.c:
	Bug 1580126 - Fix build failure on aarch64_be while building
	freebl/gcm r=kjacobs

	Build failure is caused by different #ifdef conditions in gcm.c and
	gcm-aarch64.c that leads to double declaration of the same gcm_*
	functions.

	Fix #ifdef condition in gcm-aarch64.c making it the same as the one
	in gcm.c.

	Signed-off-by: Giulio Benetti <giulio.benetti@micronovasrl.com>
	[fa0d958de0c3]

2019-09-17  Kai Engert  <kaie@kuix.de>

	* automation/taskcluster/graph/src/extend.js:
	Bug 1385039 - Build NSPR tests as part of NSS continuous
	integration. r=kjacobs
	[cc97f1a93038]

2019-09-17  Landry Breuil  <landry@openbsd.org>

	* lib/freebl/Makefile:
	Bug 1581391 - include gcm-aarch64 on all unices, not only linux
	r=kjacobs
	[e7b4f293fa4e]

2019-09-17  Martin Thomson  <mt@lowentropy.net>

	* mach:
	Bug 1581041 - Rename mach-commands to mach-completion, r=jcj

	This means that we can point our completion at the gecko one.

	[bc91272fcbdc]

2019-09-16  Jenine  <jenine_c@outlook.com>

	* cmd/pk11importtest/pk11importtest.c, lib/softoken/pkcs11.c:
	Bug 1558313 - Fix clang warnings in pk11importtest.c and pkcs11.c
	r=marcusburghardt

	[4569b745f74e]

2019-09-13  Daiki Ueno  <dueno@redhat.com>

	* lib/certhigh/certvfy.c:
	Bug 1542207, fix policy check on signature algorithms, r=rrelyea

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1542207

	[ed8a41d16c1c]

2019-09-05  Daiki Ueno  <dueno@redhat.com>

	* lib/freebl/drbg.c:
	Bug 1560329, drbg: perform continuous test on entropy source,
	r=rrelyea

	Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
	to check that consecutive entropy blocks from the system are
	different. As neither getentropy() nor /dev/urandom provides that
	check on the output, this adds the self test at caller side.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1560329

	[c66dd879d16a]

2019-09-06  Martin Thomson  <mt@lowentropy.net>

	* automation/taskcluster/graph/src/queue.js:
	Bug 1579290 - Disable LSAN during builds, r=ueno

	Summary: See the bug description for details.

	[f28f3d7b7cf0]

2019-09-13  Kai Engert  <kaie@kuix.de>

	* Makefile, build.sh, coreconf/nspr.sh, help.txt:
	Bug 1385061 - Build NSPR tests with NSS make; Add gyp parameters to
	build/run NSPR tests. r=jcj
	[8b4a226f7d23]

2019-09-11  Kai Engert  <kaie@kuix.de>

	* nss.gyp:
	Bug 1577359 - Build atob and btoa for Thunderbird. r=jcj
	[1fe61aadaf57]

2019-09-10  Marcus Burghardt  <mburghardt@mozilla.com>

	* cmd/pk12util/pk12util.c:
	Bug 1579036 - Define error when trying to export non-existent cert
	with pk12util. r=jcj

	[65ab97f03c89]

2019-09-04  Martin Thomson  <mt@lowentropy.net>

	* gtests/mozpkix_gtest/pkixder_input_tests.cpp:
	Bug 1578626 - Remove undefined nullptr decrement, r=keeler

	Summary: This uses uintptr_t to avoid the worst. It still looks
	terrible and might trip static analysis warnings, but the
	reinterpret_cast should hide that.

	This assumes that sizeof(uintptr_t) == sizeof(void*), so I've added
	an assertion so that we'll at least fail the test on those systems.
	(We could use GTEST_SKIP instead, but we don't have that in the
	version of gtest that we use.)

	Reviewers: keeler

	Tags: #secure-revision

	Bug #: 1578626

	[d2485b1c997e]

2019-09-05  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/pk11_gtest/pk11_find_certs_unittest.cc:
	Bug 1578751 - Ensure a consistent style for
	pk11_find_certs_unittest.cc. r=jcj

	Adjusted the style and clang-format after the changes in some var
	names.

	[e95fee7f59e5]

Differential Revision: https://phabricator.services.mozilla.com/D46246

--HG--
extra : moz-landing-system : lando
2019-09-18 03:27:20 +00:00
Kershaw Chang 7449dd820c Bug 1546816 - Part 1-4: Remove mTelemetryID and mTelemetryValue from SSLServerCertVerificationResult r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45022

--HG--
extra : moz-landing-system : lando
2019-09-18 09:30:56 +00:00
Henri Sivonen c193518677 Bug 1490601 part 2 - Move C++ entry points to encoding_c_mem to mfbt/. r=jwalden
Differential Revision: https://phabricator.services.mozilla.com/D43957

--HG--
extra : moz-landing-system : lando
2019-09-18 08:26:34 +00:00
Dana Keeler 24dc3d00a4 bug 1578882 - wait on the loadable roots background task before handing out CertVerifier handles r=tjr
If code acquires a handle on the certificate verifier before the loadable roots
background task completes, that instance of the verifier may not know about any
enterprise certificates loaded, and so early certificate verifications relying
on those certificates may fail. To prevent this, this patch ensures that the
background task has completed before returning the handle. Note that there
should be no effect on performance since CertVerifier already ensures that the
background task has completed internally before looking for potential issuer
certificates.

Differential Revision: https://phabricator.services.mozilla.com/D46224

--HG--
extra : moz-landing-system : lando
2019-09-18 00:06:58 +00:00
Kevin Jacobs 671a4b685e Bug 1562773 - Add delegated credentials tests r=keeler,jcj
Add xpcshell tests for Delegated Credentials

Differential Revision: https://phabricator.services.mozilla.com/D37918

--HG--
extra : moz-landing-system : lando
2019-09-17 23:31:36 +00:00
Dana Keeler dbf19a6cd5 bug 1577944 - avoid calling CERT_NewTempCertificate in NSSCertDBTrustDomain::GetCertTrust for enterprise certificates r=jcj,kjacobs
Calling CERT_NewTempCertificate on an enterprise certificate is inefficient
because NSS tries (and fails) to find a copy of that certificate in its internal
data structures (which includes querying softoken, which involves hitting the
disk). We can avoid doing so for these certificates in
NSSCertDBTrustDomain::GetCertTrust because we already know what trust values
they should have (after checking the relevant blocklists).

Differential Revision: https://phabricator.services.mozilla.com/D45588

--HG--
extra : moz-landing-system : lando
2019-09-17 20:30:15 +00:00
Dragana Damjanovic a8b9f215c0 Bug 1580557 - Remove nsISSLSocketControl.serverRootCertIsBuiltInRoot. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45988

--HG--
extra : moz-landing-system : lando
2019-09-16 18:22:20 +00:00
Dana Keeler d0234b3ced bug 1571548 - support "current user" registry locations for enterprise certificates on Windows r=kjacobs,mhowell
Differential Revision: https://phabricator.services.mozilla.com/D45720

--HG--
extra : moz-landing-system : lando
2019-09-12 20:00:45 +00:00
Johann Hofmann 8847236f13 Bug 1573502 - Always use system principal as triggeringPrincipal for about:certificate. r=jkt
about:certificate is always trusted and we don't have to use the content principal in browser.js

Differential Revision: https://phabricator.services.mozilla.com/D45939

--HG--
extra : moz-landing-system : lando
2019-09-16 09:06:00 +00:00
Dragana Damjanovic c667e010d5 Bug 1578883 - Expose some functions needed for Quic. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44727

--HG--
extra : moz-landing-system : lando
2019-09-05 19:51:32 +00:00
Sean Feng 11e85f21b9 Bug 1580313 - Remove nsIX509CertList from asPKCS7Blob r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44516

--HG--
extra : moz-landing-system : lando
2019-09-13 17:23:09 +00:00
ffxbld 5af1f73d04 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D45662

--HG--
extra : moz-landing-system : lando
2019-09-12 13:37:51 +00:00
Kevin Jacobs 4bf9806ed6 Bug 1562773 - Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler,jcj
This patch adds a new `mIsDelegatedCredential` parameter to nsITransportSecurityInfo, indicating whether or not a delegated credential keypair was used in the TLS handshake (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03) .

This functionality is only available if _security.tls.enable_delegated_credentials_ is set to true.

Differential Revision: https://phabricator.services.mozilla.com/D39807

--HG--
extra : moz-landing-system : lando
2019-09-11 15:19:57 +00:00
Razvan Maries 2fb41871a9 Backed out 2 changesets (bug 1562773) for build bustages. CLOSED TREE
Backed out changeset 154b23d4a214 (bug 1562773)
Backed out changeset f32f7a644981 (bug 1562773)
2019-09-11 04:40:29 +03:00
Kevin Jacobs c2dfc6480d Bug 1562773 - Add delegated credentials tests r=keeler,jcj
Add xpcshell tests for Delegated Credentials

Differential Revision: https://phabricator.services.mozilla.com/D37918

--HG--
extra : moz-landing-system : lando
2019-09-10 20:15:12 +00:00
J.C. Jones a54604ea14 Bug 1562773 - Propagate Delegated Credential flag to nsITransportSecurityInfo r=keeler
This patch adds a new `mIsDelegatedCredential` parameter to nsITransportSecurityInfo, indicating whether or not a delegated credential keypair was used in the TLS handshake (see: https://tools.ietf.org/html/draft-ietf-tls-subcerts-03) .

This functionality is only available if _security.tls.enable_delegated_credentials_ is set to true.

Differential Revision: https://phabricator.services.mozilla.com/D39807

--HG--
extra : moz-landing-system : lando
2019-09-10 19:55:46 +00:00
Moritz Birghan 5c1548df4e Bug 1260640 - Update nsNSSCertificateDB::getCertsFromPackage() so callers don't need to convert the returned certs into usable formats r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D40615

--HG--
extra : moz-landing-system : lando
2019-09-10 07:39:51 +00:00
Kershaw Chang 60f9b2d557 Bug 1546816 - Part 1-3: Always do certificate verification on a background thread r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45021

--HG--
extra : moz-landing-system : lando
2019-09-09 13:53:06 +00:00
Kershaw Chang 21e358df0e Bug 1546816 - Part 1-2: Simplify collecting telemetry r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45020

--HG--
extra : moz-landing-system : lando
2019-09-09 13:50:50 +00:00
Kershaw Chang 487ae96c4a Bug 1546816 - Part 1-1: Remove MITM_OK flag and bypassAuthentication r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D45019

--HG--
extra : moz-landing-system : lando
2019-09-09 13:46:45 +00:00
ffxbld 5114c33332 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D45181

--HG--
extra : moz-landing-system : lando
2019-09-09 13:07:55 +00:00
Ryan Alderete 2e2b52b880 Bug 1572846 - Update Clearkey to use NSS for decryption instead of OpenAES r=bryce,jld
Clearkey previously relied on OpenAES to do its encryption.  In order to
facilitate future changes and the need for CBC support, switch to NSS, which
should be more flexible and actively maintained.

Differential Revision: https://phabricator.services.mozilla.com/D41993

--HG--
extra : moz-landing-system : lando
2019-09-05 19:19:06 +00:00
Sean Feng a3ec48a51a Bug 1577836 - Remove nsIX509CertList from getCerts and loadCertsFromCache r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44239

--HG--
extra : moz-landing-system : lando
2019-09-05 21:35:54 +00:00
Daiki Ueno 2f97770e81 Bug 1579023, disable preconnect if there is an unfriendly token r=keeler
To determine whether speculative connections can be established, mozilla::net::CanEnableSpeculativeConnect checks:
1. if there is any removable slot, and
2. if there is any user cert and a private key that can be used for client authentication

However, in practice some HSM's are not removable and (1) is not sufficient, which results in a random PIN prompt appearing at (2).
This patch tighten (1) so that it also checks there is no "unfriendly" token which requires authentication anyway.

Differential Revision: https://phabricator.services.mozilla.com/D44809

--HG--
extra : moz-landing-system : lando
2019-09-06 08:12:39 +00:00
J.C. Jones e46ef2b607 Bug 1577822 - land NSS cf0df88aa807 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-30  Alexander Scheel  <ascheel@redhat.com>

	* automation/taskcluster/scripts/build_softoken.sh,
	cmd/lib/pk11table.c, gtests/pk11_gtest/pk11_aes_cmac_unittest.cc,
	gtests/pk11_gtest/pk11_gtest.gyp, lib/pk11wrap/debug_module.c,
	lib/pk11wrap/pk11mech.c, lib/softoken/pkcs11.c,
	lib/softoken/pkcs11c.c, lib/util/pkcs11t.h:
	Bug 1570501 - Expose AES-CMAC in PKCS #11 API, r=mt

	[cf0df88aa807] [tip]

	* cpputil/freebl_scoped_ptrs.h, gtests/freebl_gtest/cmac_unittests.cc,
	gtests/freebl_gtest/freebl_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/cmac.c, lib/freebl/cmac.h, lib/freebl/exports.gyp,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn:
	Bug 1570501 - Add AES-CMAC implementation to freebl, r=mt

	[a42c6882ba1b]

2019-09-05  David Cooper  <dcooper16@gmail.com>

	* lib/smime/cmssiginfo.c:
	Bug 657379 - NSS uses the wrong OID for signatureAlgorithm field of
	signerInfo in CMS for DSA and ECDSA. r=rrelyea
	[7a83b248de30]

2019-09-05  Daiki Ueno  <dueno@redhat.com>

	* lib/freebl/drbg.c:
	Backed out changeset 934c8d0e7aba

	It turned out to cause some new errors in LSan; backing out for now.
	[34a254dd1357]

	* lib/freebl/drbg.c:
	Bug 1560329, drbg: perform continuous test on entropy source,
	r=rrelyea

	Summary: FIPS 140-2 section 4.9.2 requires a conditional self test
	to check that consecutive entropy blocks from the system are
	different. As neither getentropy() nor /dev/urandom provides that
	check on the output, this adds the self test at caller side.

	Reviewers: rrelyea

	Reviewed By: rrelyea

	Bug #: 1560329

	[934c8d0e7aba]

2019-08-30  Kevin Jacobs  <kjacobs@mozilla.com>

	* coreconf/WIN32.mk:
	Bug 1576664 - Remove -mms-bitfields from win32 makefile r=jcj

	[bf4de7985f3d]

2019-08-29  Dana Keeler  <dkeeler@mozilla.com>

	* automation/abi-check/expected-report-libnss3.so.txt,
	gtests/pk11_gtest/pk11_find_certs_unittest.cc, lib/nss/nss.def,
	lib/pk11wrap/pk11cert.c, lib/pk11wrap/pk11pub.h:
	bug 1577038 - add PK11_GetCertsFromPrivateKey r=jcj,kjacobs

	PK11_GetCertFromPrivateKey only returns one certificate with a
	public key that matches the given private key. This change
	introduces PK11_GetCertsFromPrivateKey, which returns a list of all
	certificates with public keys that match the given private key.

	[9befa8d296c0]

2019-08-30  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/previous-nss-release, lib/nss/nss.h,
	lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.47 beta
	[685cea0a7b48]

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.46 final
	[decbf7bd40fd] [NSS_3_46_RTM]

Differential Revision: https://phabricator.services.mozilla.com/D44927

--HG--
extra : moz-landing-system : lando
2019-09-06 00:25:25 +00:00
Dana Keeler 29758e98f9 bug 1578732 - #include more headers in RootCertificateTelemetryUtils.cpp so it can compile when chunking changes in unified builds r=kjacobs
Differential Revision: https://phabricator.services.mozilla.com/D44742

--HG--
extra : moz-landing-system : lando
2019-09-05 17:46:31 +00:00
Kershaw Chang 5fad51dd02 Bug 1560354 - Transform some nss types into gecko types. r=keeler,dragana
Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
2019-09-05 15:49:35 +00:00
ffxbld 3e8fdbe0ed No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D44828

--HG--
extra : moz-landing-system : lando
2019-09-05 13:17:10 +00:00
Aaron Klotz 296735628c Bug 1578786: Fix up some includes and namespaces in security/manager/ssl so that it may compile in non-unified mode; r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D44700

--HG--
extra : moz-landing-system : lando
2019-09-04 18:35:50 +00:00
Kershaw Chang 64b7f325a6 Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler,ato
Differential Revision: https://phabricator.services.mozilla.com/D43931

--HG--
rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
extra : moz-landing-system : lando
2019-09-04 17:17:44 +00:00
Dana Keeler b108e38d22 bug 1576755 - split "unknown" bucket in CERT_VALIDATION_SUCCESS_BY_CA (and other _BY_CA probes) r=jcj,kjacobs
The "unknown" bucket is inconsistent and often much higher than we expect. This
patch splits that bucket by adding the categories "from softoken (cert9.db)",
"from an external PKCS#11 token", and "imported from the OS via the 'Enterprise
Roots' feature". Hopefully this will give us more insight into this data.

Differential Revision: https://phabricator.services.mozilla.com/D44065

--HG--
extra : moz-landing-system : lando
2019-09-03 22:19:14 +00:00
Ehsan Akhgari 86c74f0485 Bug 1576641 - Add two new content blocking event flags to indicate a tracking/social-tracking cookie has been loaded in a tab; r=baku,droeh
Differential Revision: https://phabricator.services.mozilla.com/D44216

--HG--
extra : moz-landing-system : lando
2019-09-03 17:37:43 +00:00
Andreea Pavel aa258365a2 Backed out changeset 2e0c2fea2799 (bug 1577428) linting doc failure on a CLOSED TREE
--HG--
rename : security/manager/ssl/tests/unit/test_allow_all_cert_errors.js => security/manager/ssl/tests/unit/test_js_cert_override_service.js
2019-09-03 18:25:52 +03:00
Kershaw Chang f7c12de97f Bug 1577428 - Not allow nsICertOverrideService to be implemented in js r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D43931

--HG--
rename : security/manager/ssl/tests/unit/test_js_cert_override_service.js => security/manager/ssl/tests/unit/test_allow_all_cert_errors.js
extra : moz-landing-system : lando
2019-09-02 17:03:38 +00:00
Bob Owen 17bddfd388 Bug 1575906: Allow the GMP process to duplicate Section handles to the main process. r=handyman
Differential Revision: https://phabricator.services.mozilla.com/D44237

--HG--
extra : moz-landing-system : lando
2019-08-30 21:39:57 +00:00
J.C. Jones 61fc016d4c Bug 1564499 - land NSS NSS_3_46_RTM UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-30  J.C. Jones  <jjones@mozilla.com>

	* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
	Set version numbers to 3.46 final
	[decbf7bd40fd] [NSS_3_46_RTM]

2019-08-27  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_46_BETA2 for changeset 24b0fc700203
	[29cd579e74e4]

Differential Revision: https://phabricator.services.mozilla.com/D44206

--HG--
extra : moz-landing-system : lando
2019-08-30 16:34:27 +00:00
ffxbld 3b375c8b7b No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43967

--HG--
extra : moz-landing-system : lando
2019-08-29 13:14:59 +00:00
Barret Rennie b0cbc31990 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:55:31 +00:00
Dorel Luca b09fe526aa Backed out 4 changesets (bug 1510569) for build bustage. CLOSED TREE
Backed out changeset d7db6a1935ce (bug 1510569)
Backed out changeset 03b7cf756a7f (bug 1510569)
Backed out changeset fa318eec0e76 (bug 1510569)
Backed out changeset cecb17bd8c03 (bug 1510569)
2019-08-28 21:46:40 +03:00
Barret Rennie 4ab0fd7d38 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler,mayhemer
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-28 18:00:16 +00:00
J.C. Jones 95ca91b62f Bug 1564499 - land NSS NSS_3_46_BETA2 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-27  Kevin Jacobs  <kjacobs@mozilla.com>

        * automation/taskcluster/graph/src/extend.js,
        automation/taskcluster/scripts/build_gyp.sh,
        automation/taskcluster/windows/build_gyp.sh, fuzz/fuzz.gyp,
        gtests/pk11_gtest/pk11_gtest.gyp,
        gtests/softoken_gtest/softoken_gtest.gyp, tests/all.sh,
        tests/ssl/ssl.sh:
        Bug 1485533 - Close gaps in taskcluster SSL testing. r=mt

        This patch increases SSL testing on taskcluster, specifically,
        running an additional 395 tests on each SSL cycle (more for FIPS
        targets), and adding a new 'stress' cycle.

        Notable changes:

        1) This patch removes SSL stress tests from the default
        `NSS_SSL_RUN` list in all.sh and ssl.sh. If stress tests are needed,
        this variable must be set to include.

        2) The "normal_normal" case is added to `NSS_SSL_TESTS` for all
        targets. FIPS targets also run "normal_fips", "fips_normal", and
        "fips_fips".

        3) `--enable-libpkix` is now set for all taskcluster "build.sh"
        builds in order to support a number of OCSP tests that were
        previously not run.

        [24b0fc700203] [NSS_3_46_BETA2]

2019-08-23  Edouard Oger  <eoger@fastmail.com>

        * lib/sqlite/Makefile, lib/sqlite/sqlite.gyp:
        Bug 1549847 - Ignore sqlite compilation warnings. r=mt

        [7f146eb7adac]

2019-08-23  J.C. Jones  <jjones@mozilla.com>

        * .hgtags:
        Added tag NSS_3_46_BETA1 for changeset 44aa330de2aa
        [d3035cc9dc73]

Differential Revision: https://phabricator.services.mozilla.com/D43724

--HG--
extra : moz-landing-system : lando
2019-08-28 14:30:55 +00:00
Sylvestre Ledru d264b841c9 Bug 1576502 - Fix some wording issues r=mhoye
Differential Revision: https://phabricator.services.mozilla.com/D43363

--HG--
extra : moz-landing-system : lando
2019-08-27 15:38:58 +00:00
ffxbld 36f90d0df0 No Bug, mozilla-central repo-update HSTS HPKP remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43457

--HG--
extra : moz-landing-system : lando
2019-08-26 14:49:18 +00:00
Ciure Andrei 0a6d4a24f8 Merge inbound to mozilla-central. a=merge 2019-08-24 12:51:09 +03:00
Alex Vincent cec0c5cbdb Bug 1508169, Remove performAction* from nsITreeView.idl in mozilla-central. r=peterv, johannh
performAction, performActionOnRow and performActionOnCell are methods of the
nsITreeView interface that are never called.  This is to remove these methods.
A comm-central patch will be along shortly.

Differential Revision: https://phabricator.services.mozilla.com/D39273
2019-08-24 00:49:55 +02:00
J.C. Jones 73f0968aaa Bug 1564499 - land NSS NSS_3_46_BETA1 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-23  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/common/cleanup.sh:
	Bug 1560593 - Check that BUILD_OPT is defined before testing its
	value. r=jcj

	[44aa330de2aa] [NSS_3_46_BETA1]

	* cmd/strsclnt/strsclnt.c:
	Bug 1575968 - Add strsclnt option to enforce the use of either IPv4
	or IPv6 r=jcj

	[da284d8993ea]

2019-08-23  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/softoken_gtest/softoken_gtest.cc:
	Bug 1573942 - Gtest for pkcs11.txt with different breaking line
	formats. r=kjacobs

	[d07a07eb0e40]

2019-08-21  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/util/utilmod.c:
	Bug 1564284: Added check for CR + LF, r=marcusburghardt,kjacobs

	Looks good and it was already tested locally with this gtest patch:

	[d1d2e1e320cd]

2019-08-22  Martin Thomson  <mt@lowentropy.net>

	* lib/ssl/ssl3con.c:
	Bug 1528666 - Formatting, a=bustage
	[60eeac76c8ec]

2019-08-20  Martin Thomson  <martin.thomson@gmail.com>

	* gtests/ssl_gtest/ssl_0rtt_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1528666 - Correct resumption validation checks, r=jcj

	We allowed cross-suite resumption before, but it didn't work. This
	enables that for clients.

	As a secondary minor tweak, clients will no longer validate the
	availability of a cipher suite based on their configured version
	range when attempting resumption. Instead, they will check whether
	the suite works for the version in the session that they are
	attempting to resume. In theory, this doesn't change anything
	because the previous session should not have selected an
	incompatible combination of version and cipher suite, but it's worth
	being extra precise.

	[cab2c8905214]

2019-08-22  Martin Thomson  <mt@lowentropy.net>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc, lib/ssl/ssl3con.c:
	Bug 1568803 - More tests for client certificate authentication,
	r=kjacobs

	These were previously disabled because of difficulties (at the time)
	in writing these tests for TLS 1.3. The framework, and my
	understanding of it, has since improved, so these tests can be
	restored and expanded. This exposed a minor correctness issue that
	is also corrected.

	[95f97d31c313]

Differential Revision: https://phabricator.services.mozilla.com/D43308

--HG--
extra : moz-landing-system : lando
2019-08-23 22:45:47 +00:00
Gijs Kruitbosch 871832fcf9 Bug 1575564 - avoid non-mainthread use of NS_GetSpecialDirectory in linux sandboxbroker, r=jld,gcp
Differential Revision: https://phabricator.services.mozilla.com/D42951

--HG--
extra : moz-landing-system : lando
2019-08-22 16:37:18 +00:00
ffxbld 409e5b7a75 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D43052

--HG--
extra : moz-landing-system : lando
2019-08-22 13:43:50 +00:00
Mike Hommey 66d7fe943e Bug 1575420 - Replace MOZ_WIDGET_TOOLKIT value of "gtk3" with "gtk". r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D42765

--HG--
extra : moz-landing-system : lando
2019-08-21 12:25:42 +00:00
Oana Pop Rus 3223cd3dc2 Backed out 4 changesets (bug 1510569) for causing build bustage on a CLOSED TREE
Backed out changeset eae555c11f25 (bug 1510569)
Backed out changeset 2fb8938d16db (bug 1510569)
Backed out changeset b480af862022 (bug 1510569)
Backed out changeset 642cd6323cdc (bug 1510569)
2019-08-21 22:55:43 +03:00
Haik Aftandilian 3ad0ca9116 Bug 1570581 - Starting with Firefox 68.0.1, Adobe Acrobat Extension for Firefox fails to send apple events to target application (Acrobat) r=handyman
Relax our Hardened Runtime settings to allow the com.apple.security.automation.apple-events entitlement so that native messaging webextension helper apps (which are launched by and are child processes of Firefox) can use Apple Events to signal other processes. This will apply to Firefox and all child processes.

Differential Revision: https://phabricator.services.mozilla.com/D42929

--HG--
extra : moz-landing-system : lando
2019-08-21 18:42:55 +00:00
Geoff Brown b7e778a5ea Bug 1554276 - Disable xpcshell test_certDB_import.js and test_certDB_import_with_master_password.js on geckoview; r=snorp
With these last two tests skipped we can run xpcshell tests against geckoview builds.

Differential Revision: https://phabricator.services.mozilla.com/D42893

--HG--
extra : moz-landing-system : lando
2019-08-21 18:24:47 +00:00
Barret Rennie d8a4453540 Bug 1510569 - Implement serializers for nsITransportSecurityInfo, nsIX509Cert, and nsIX509CertList r=froydnj,keeler
As part of the ongoing effort to port the nsIWebProgress events from
RemoteWebProgress / WebProgressChild to BrowserParent / BrowserChild, we need
to (de)serialize the nsITransportSecurityInfo instance across the IPC layer.
The existing code was calling `NS_SerializeToString` which has the overhead of
(a) allocating a buffer and also performing base64 encoding/decoding. This
patch adds `IPC::ParamTraits` implementations for `nsITransportSecurityInfo`,
`nsIX509Certificate`, and `nsIX509CertList` that (de)serializes the params
directly onto and off of the IPC message so that we don't go through the
overhead of allocating and encoding/decoding an additional buffer.

This (de)serialization will address the performance issues present in the
current implementation.

As a side effect, I also make nsITransportSecurityInfo a builtinclass XPCOM
interface, since the existing serialization code was assuming it was, there is
only one implementation, and it is in C++.

Differential Revision: https://phabricator.services.mozilla.com/D35090

--HG--
extra : moz-landing-system : lando
2019-08-21 18:24:56 +00:00
J.C. Jones 6d66ec3bef Bug 1564499 - land NSS eeb9a6715a93 UPGRADE_NSS_RELEASE, r=kjacobs
2019-08-20  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/ckfw/builtins/certdata.txt:
	Bug 1574670 - Remove Expired root certificates - Class 2 Primary,
	UTN-USERFirst-Client, Deutsche Telekom Root CA 2.
	r=jcj,KathleenWilson

	[eeb9a6715a93] [tip]

2019-08-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/softoken/pkcs11c.c:
	Bug 1572164 - Don't unnecessarily free session in NSC_WrapKey r=jcj

	[b306ff3d6f4d]

Differential Revision: https://phabricator.services.mozilla.com/D42768

--HG--
extra : moz-landing-system : lando
2019-08-21 15:56:17 +00:00
Barret Rennie 3f90c2f83f Bug 1564221 - Make nsITransportSecurityInfo builtinclass r=keeler
There are no longer any consumers of the JS-implemented
`FakeTransportSecurityInfo` class, so it can be removed. That removes the last
JS-implemented `nsITransportSecurityInfo` instance and it therefore can be
marked `builtinclass`.

Differential Revision: https://phabricator.services.mozilla.com/D40355

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:24 +00:00
Barret Rennie a72079afcb Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_resetState.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_resetState.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40352

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:19 +00:00
Barret Rennie 85e3659e3d Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_originAttributes.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_sss_originAttributes.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40351

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:07 +00:00
Barret Rennie f94a2e2dd7 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:04 +00:00
Barret Rennie e206c0bf71 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_pinning_header_parsing.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_pinning_header_parsing.js` to use `add_connection_test()` to get
a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40349

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:51 +00:00
Barret Rennie 8cbcec1089 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_ocsp_must_staple.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_ocsp_must_staple.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40348

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:47 +00:00
Barret Rennie 4fee6b8f31 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_forget_about_site_security_headers.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_forget_about_site_security_headers.js to use
`add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for
the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40347

--HG--
extra : moz-landing-system : lando
2019-08-20 21:37:38 +00:00
Barret Rennie ac3d0eba23 Bug 1564221 - Add a contract ID for nsITransportSecurityInfo r=keeler
There is now a contract ID for `nsITransportSecurityInfo`, allowing
`mozilla::psm::TransportSecurityInfo` instances to be created from JS. Tests
using a JS-implemented `nsITransportSecurityInfo` that were not modifying,
e.g., the `serverCert` attribute have been updated to create a
`mozilla::psm::TransportSecurityInfo` via the contract.

Differential Revision: https://phabricator.services.mozilla.com/D40346

--HG--
extra : moz-landing-system : lando
2019-08-20 21:38:59 +00:00
J.C. Jones c8cf90a75f Bug 1564499 - land NSS ea8bc9f43de3 UPGRADE_NSS_RELEASE, r=kjacobs
Revset: reverse(bbfc55939d75~-1::ea8bc9f43de3)

2019-08-19  Kai Engert  <kaie@kuix.de>

	* automation/release/nspr-version.txt:
	Bug 1562330 - require NSPR version 4.22 r=jcj
	[ea8bc9f43de3] [tip]

2019-08-16  J.C. Jones  <jjones@mozilla.com>

	* cmd/selfserv/selfserv.c:
	Bug 1574220 - Fixup clang-format r=bustage
	[165664ff322c]

2019-08-15  Marcus Burghardt  <mburghardt@mozilla.com>

	* cmd/selfserv/selfserv.c, cmd/tstclnt/tstclnt.c,
	cmd/vfyserv/vfyserv.c:
	Bug 1574220 - Improve controls after errors in tstcln, selfserv and
	vfyserv cmds. r=kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D42165
	[32766e60ffa8]

2019-08-16  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/sqlite/README, lib/sqlite/sqlite3.c, lib/sqlite/sqlite3.h:
	Bug 1550636 - Upgrade SQLite in NSS to v3.29 (2019-07-10). r=jcj

	#define SQLITE_VERSION "3.29.0" #define SQLITE_VERSION_NUMBER
	3029000 #define SQLITE_SOURCE_ID "2019-07-10 17:32:03
	fc82b73eaac8b36950e527f12c4b5dc1e147e6f4ad2217ae43ad82882a88bfa6"

	Differential Revision:
	https://phabricator.services.mozilla.com/D42332
	[ed55badc848d]

2019-08-15  Marcus Burghardt  <mburghardt@mozilla.com>

	* lib/ckfw/builtins/certdata.txt, lib/ckfw/builtins/nssckbi.h:
	Bug 1566569 - Remove Swisscom Root CA 2 root certificate. r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D42161
	[660d7c210878]

Differential Revision: https://phabricator.services.mozilla.com/D42554

--HG--
extra : moz-landing-system : lando
2019-08-20 14:59:04 +00:00
Gian-Carlo Pascutto 8b7a11d51c Bug 1573578 - Whitelist brk syscall if jemalloc is disabled. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D41998

--HG--
extra : moz-landing-system : lando
2019-08-14 22:50:51 +00:00
Cosmin Sabou 2e5b997146 Backed out 9 changesets (bug 1564221) for devtools failures on browser_net_security-redirect.js.
Backed out changeset bcae1e55fc27 (bug 1564221)
Backed out changeset 0efeb9b1f5fa (bug 1564221)
Backed out changeset aaa8ffb687f2 (bug 1564221)
Backed out changeset a1947eef7d86 (bug 1564221)
Backed out changeset 6cd17e69d1c7 (bug 1564221)
Backed out changeset ede7219b9a9e (bug 1564221)
Backed out changeset 63d578684d29 (bug 1564221)
Backed out changeset e804c46a9541 (bug 1564221)
Backed out changeset 4cd81a6d3b25 (bug 1564221)

--HG--
extra : histedit_source : 3b34632390a828e53929751dd79fe800b08a0ecb
2019-08-19 23:59:28 +03:00
Barret Rennie 244c61a02f Bug 1564221 - Make nsITransportSecurityInfo builtinclass r=keeler
There are no longer any consumers of the JS-implemented
`FakeTransportSecurityInfo` class, so it can be removed. That removes the last
JS-implemented `nsITransportSecurityInfo` instance and it therefore can be
marked `builtinclass`.

Differential Revision: https://phabricator.services.mozilla.com/D40355

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:53 +00:00
Barret Rennie a27ae13275 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_resetState.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_resetState.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40352

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:55 +00:00
Barret Rennie 4c2087cc62 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_originAttributes.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_sss_originAttributes.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40351

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:56 +00:00
Barret Rennie e50685ff95 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
2019-08-06 17:55:58 +00:00
Barret Rennie b50d3762cd Bug 1564221 - Do not use FakeTransportSecurityInfo in test_pinning_header_parsing.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_pinning_header_parsing.js` to use `add_connection_test()` to get
a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40349

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:00 +00:00
Barret Rennie cc3aa27173 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_ocsp_must_staple.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_ocsp_must_staple.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40348

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:02 +00:00
Barret Rennie fb73718374 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_forget_about_site_security_headers.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_forget_about_site_security_headers.js to use
`add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for
the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40347

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:04 +00:00
Barret Rennie fa178b7009 Bug 1564221 - Add a contract ID for nsITransportSecurityInfo r=keeler
There is now a contract ID for `nsITransportSecurityInfo`, allowing
`mozilla::psm::TransportSecurityInfo` instances to be created from JS. Tests
using a JS-implemented `nsITransportSecurityInfo` that were not modifying,
e.g., the `serverCert` attribute have been updated to create a
`mozilla::psm::TransportSecurityInfo` via the contract.

Differential Revision: https://phabricator.services.mozilla.com/D40346

--HG--
extra : moz-landing-system : lando
2019-08-06 17:56:05 +00:00
Carolina 617b075a9c Bug 1572848 - Adjusts browser_certViewer.js tests for the new cert viewer (about:certificate).r=johannh
Differential Revision: https://phabricator.services.mozilla.com/D41470

--HG--
extra : moz-landing-system : lando
2019-08-19 13:09:46 +00:00
ffxbld f1d77648cd No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D42498

--HG--
extra : moz-landing-system : lando
2019-08-19 14:33:17 +00:00
Christian Holler 601bb91a9b Bug 1566342 - Implement changes for HTTP2 fuzzing in Necko. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D38182

--HG--
extra : moz-landing-system : lando
2019-08-19 13:46:18 +00:00
Mark Banner b1970e6a2f Bug 1571466 - Cleanup unnecessary ESLint global definitions. r=mossop
These are raised as redeclares or unused variables by ESLint 6.

Differential Revision: https://phabricator.services.mozilla.com/D37268

--HG--
extra : moz-landing-system : lando
2019-08-19 07:11:56 +00:00
Matthew Noorenberghe 1af788f2cb Bug 1571555 - Mock the prompt service for the master password prompt in test_sdr.js. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D42383

--HG--
extra : moz-landing-system : lando
2019-08-16 22:33:45 +00:00
Matthew Noorenberghe 91e9a4e6b4 Bug 1571555 - Use a blank string in place of the username or password when decryption fails. r=keeler
Don't show the login in about:logins if the username or password cannot be decrypted.

Differential Revision: https://phabricator.services.mozilla.com/D40845

--HG--
extra : moz-landing-system : lando
2019-08-16 20:27:34 +00:00
Gabriele Svelto 14db2c37b8 Bug 1571711 - Factorize crash handling out of the various process IPC classes r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D41657

--HG--
extra : moz-landing-system : lando
2019-08-15 12:06:51 +00:00
Csoregi Natalia 7d39932994 Merge mozilla-central to autoland. CLOSED TREE 2019-08-15 22:38:37 +03:00
Csoregi Natalia 41813d2fc0 Merge autoland to mozilla-central. a=merge 2019-08-15 22:32:31 +03:00
Csoregi Natalia 058a6017fc Backed out changeset ee3e55708782 (bug 1570840) for breaking Netflix and Flash on Mac Nightly. a=backout 2019-08-15 22:00:21 +03:00
ffxbld 925db3aae7 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D42137

--HG--
extra : moz-landing-system : lando
2019-08-15 15:04:59 +00:00
Bogdan Tara f326b67e0e Backed out changeset c60ee628dd0e (bug 1571711) for RemoteSandboxBroker related bustages CLOSED TREE 2019-08-15 01:50:01 +03:00
Gabriele Svelto d888c0a6b5 Bug 1571711 - Factorize crash handling out of the various process IPC classes r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D41657

--HG--
extra : moz-landing-system : lando
2019-08-13 21:43:00 +00:00
Haik Aftandilian 243b7d4b1e Bug 1570840 - Set com.apple.security.cs.disable-library-validation=false in Hardened Runtime entitlement files r=handyman
Set com.apple.security.cs.disable-library-validation=false in developer and production Hardened Runtime entitlements now that the definition has changed to mean allow/disallow unsigned libraries.

Differential Revision: https://phabricator.services.mozilla.com/D40525

--HG--
extra : moz-landing-system : lando
2019-08-14 19:42:19 +00:00
Nicholas Nethercote 281d296163 Bug 1573720 - Convert network.auth.force-generic-ntlm-v1 to a static pref. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D41913

--HG--
extra : moz-landing-system : lando
2019-08-15 05:29:49 +00:00
arthur.iakab b24139d864 Backed out changeset 5d42edca79d4 (bug 1560354) for causing mass failures on mozilla/Maybe.h:488 CLOSED TREE 2019-08-15 03:01:50 +03:00
Cosmin Sabou 62a26df9c6 Backed out changeset 55df21f1b7d6 (bug 1566342) for causing build bustages on FuzzyLayer.cpp. CLOSED TREE 2019-08-14 02:20:11 +03:00
Christian Holler 295a59729c Bug 1566342 - Implement changes for HTTP2 fuzzing in Necko. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D38182

--HG--
extra : moz-landing-system : lando
2019-08-13 22:00:57 +00:00
J.C. Jones 32759c8ed5 Bug 1573662 - Rename sanctions test routines to make it easier to add new ones r=keeler
1) Multipurpose-ing the TLSServer specialization to `SanctionsTestServer`
2) Renaming the `security/manager/ssl/tests/unit/test_symantec_apple_google` folder of certs to `test_sanctions`
3) Prepend a `symantec-` to the start of all relevant certs in the new `test_sanctions` folder
4) Renaming the existing xpcshell test to `test_sanctions_symantec_apple_google.js`

Differential Revision: https://phabricator.services.mozilla.com/D39942

--HG--
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key => security/manager/ssl/tests/unit/test_sanctions/default-ee.key
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec => security/manager/ssl/tests/unit/test_sanctions/default-ee.key.keyspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem => security/manager/ssl/tests/unit/test_sanctions/default-ee.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/default-ee.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/moz.build => security/manager/ssl/tests/unit/test_sanctions/moz.build
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-after-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-after-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-after-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-before-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-from-whitelist-before-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-from-whitelist-before-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-after-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-after-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-after-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-before-cutoff.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/ee-not-whitelisted-before-cutoff.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-ee-not-whitelisted-before-cutoff.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other-crossigned.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other-crossigned.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other-crossigned.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-other.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-other.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-whitelisted.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/intermediate-whitelisted.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-intermediate-whitelisted.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/real-google-g2-intermediate.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-real-google-g2-intermediate.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/real-googlecom.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-real-googlecom.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem => security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem
rename : security/manager/ssl/tests/unit/test_symantec_apple_google/test-ca.pem.certspec => security/manager/ssl/tests/unit/test_sanctions/symantec-test-ca.pem.certspec
rename : security/manager/ssl/tests/unit/test_symantec_apple_google.js => security/manager/ssl/tests/unit/test_sanctions_symantec_apple_google.js
rename : security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/SanctionsTestServer.cpp
extra : moz-landing-system : lando
2019-08-13 20:59:17 +00:00
Sylvestre Ledru 645f2d5773 Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D41559

--HG--
extra : moz-landing-system : lando
2019-08-13 07:15:25 +00:00
Haik Aftandilian ecc3193420 Bug 1564434 - MT_safe_localtime generates incorrect value in sandboxed content process r=handyman
Allow access to timezone data files from the content/flash/GMP/utility sandbox.

Remove unneeded regex providing access to ^/private/tmp/KSInstallAction\. files.

Differential Revision: https://phabricator.services.mozilla.com/D41455

--HG--
extra : moz-landing-system : lando
2019-08-12 21:36:03 +00:00
J.C. Jones 66170e3716 Bug 1564499 - land NSS bbfc55939d75 UPGRADE_NSS_RELEASE, r=kjacobs
Revset: reverse(89aa19677e37~-1::bbfc55939d75)

2019-08-14  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc:
	Bug 1572593 - Re-revert call to CheckCertReqAgainstDefaultCAs to
	avoid memory leak (filed as bug 1573945). r=jcj

	Revert back to the changes Franziskus had made. Updated the in-
	source bug number to point to the new memleak bug.

	Differential Revision:
	https://phabricator.services.mozilla.com/D42020
	[bbfc55939d75] [tip]

2019-08-12  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/freebl_gtest/freebl_gtest.gyp,
	gtests/mozpkix_gtest/mozpkix_gtest.gyp:
	Bug 1415118 - Fix --enable-libpkix builds from build.sh r=mt,jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41617
	[f8926908be71]

2019-08-14  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/tls_agent.cc, lib/ssl/ssl3ext.c:
	Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions
	r=mt,kjacobs

	Reset the list of advertised extensions before sending a new set.

	This reverts the changes of https://hg.mozilla.org/projects/nss/rev/
	1ca362213631d6edc885b6b965b52ecffcf29afd

	Differential Revision:
	https://phabricator.services.mozilla.com/D41302
	[b03ff661491e]

2019-08-14  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/ctr.c:
	Bug 1539788 - UBSAN fixup for 128b counter. r=mt,jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41884
	[9d1f5e71773d]

2019-08-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* lib/freebl/chacha20poly1305.c, lib/freebl/ctr.c, lib/freebl/gcm.c,
	lib/freebl/intel-gcm-wrap.c, lib/freebl/rsapkcs.c:
	Bug 1539788 - Add length checks for cryptographic primitives
	r=mt,jcj

	This patch adds additional length checks around cryptographic
	primitives.

	Differential Revision:
	https://phabricator.services.mozilla.com/D36079
	[dfd6996fe742]

2019-08-13  Marcus Burghardt  <mburghardt@mozilla.com>

	* gtests/freebl_gtest/mpi_unittest.cc, lib/freebl/mpi/README,
	lib/freebl/mpi/mpi.c, lib/freebl/mpi/mpi.h:
	Bug 1542077 - Added extra controls and tests to mp_set_int and
	mp_set_ulong. r=jcj,kjacobs

	Differential Revision:
	https://phabricator.services.mozilla.com/D40649
	[9bc47e69613e]

2019-08-13  J.C. Jones  <jjones@mozilla.com>

	* gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc:
	Bug 1572791 - Fixup clang-format r=bustage
	[ec113de50cdd]

	* gtests/ssl_gtest/tls_agent.cc,
	gtests/ssl_gtest/tls_subcerts_unittest.cc, lib/ssl/tls13subcerts.c:
	Bug 1572791 - Check for nulls in SSLExp_DelegateCredential and its
	tests r=kjacobs

	This particularly catches test errors in tls_subcerts_unittest when
	the profile is stale.

	Differential Revision:
	https://phabricator.services.mozilla.com/D41429
	[ed5067857563]

2019-08-13  Kevin Jacobs  <kjacobs@mozilla.com>

	* gtests/ssl_gtest/ssl_auth_unittest.cc,
	gtests/ssl_gtest/ssl_cert_ext_unittest.cc,
	gtests/ssl_gtest/ssl_resumption_unittest.cc,
	gtests/ssl_gtest/tls_agent.cc:
	Bug 1572791 - Fix ASAN cert errors when SSL gtests run on empty
	profile r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41787
	[cef2aa7f3b8c]

2019-08-09  Kevin Jacobs  <kjacobs@mozilla.com>

	* tests/common/cleanup.sh:
	Bug 1560593 - Cleanup.sh to treat core dumps as test failures on
	optimized builds. r=jcj

	Differential Revision:
	https://phabricator.services.mozilla.com/D41392
	[360010725fdb]

Differential Revision: https://phabricator.services.mozilla.com/D42139

--HG--
extra : moz-landing-system : lando
2019-08-15 16:06:15 +00:00
ffxbld 21d02cb6fe No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D41541

--HG--
extra : moz-landing-system : lando
2019-08-12 13:08:23 +00:00
Daniel Varga 8f35473d07 Backed out changeset 65c6d801e7b4 (bug 1571555) for browser chrome failure at browser/components/aboutlogins/tests/browser/browser_masterPassword.js
--HG--
extra : rebase_source : 9182aebd42d50c9a502dc7fabaf99238ac5e62c5
2019-08-10 22:35:50 +03:00
Gabriele Svelto beb62c4c31 Bug 1282776 - Finalize crash reports for child process crashes happening too early r=froydnj
This changes the way crash reports for child processes happening too early
during the child process' startup. Before bug 1547698 we wrote a partial
.extra file with those crashes that lacked the process type. The user would
not be notified of those crashes until she restarted Firefox and even when
submitted those crashes would be erroneously labeled as browser crashes.

After bug 1547698 we stopped writing .extra files entirely for those crashes
which left orphaned .dmp files among the pending crash reports.

This patch does three things to improve the situation:

* It writes a partial .extra file so that the crashes are detected at the next
  startup. So the user is still not notified directly of these crashes but she
  can report them later.
* It adds the process type to the .extra file so that the crash reporters are
  labelled correctly.
* It fixes a leak in the `pidToMinidump` hash-map. Since the crashes were
  not finalized the `ChildProcessData` strucutre associated with them would
  never be fred.

Differential Revision: https://phabricator.services.mozilla.com/D40810

--HG--
extra : moz-landing-system : lando
2019-08-09 14:23:19 +00:00
Jared Wein 018b8a1983 Bug 1571555 - Use a blank string in place of the username or password when decryption fails. r=keeler
Don't show the login in about:logins if the username or password cannot be decrypted.

Differential Revision: https://phabricator.services.mozilla.com/D40845

--HG--
extra : moz-landing-system : lando
2019-08-10 00:19:48 +00:00
Gabriele Svelto 53d4ac9807 Bug 1572565 - Make the remote sandbox broker process' telemetry string consistent r=jld
Differential Revision: https://phabricator.services.mozilla.com/D41291

--HG--
extra : moz-landing-system : lando
2019-08-09 00:03:33 +00:00
Tom Schuster 2c4cb96468 Bug 1558915 - Use infallible nsIURI::SchemeIs everywhere. r=smaug
Differential Revision: https://phabricator.services.mozilla.com/D41367

--HG--
extra : moz-landing-system : lando
2019-08-09 15:17:06 +00:00
Nicholas Nethercote b256ece713 Bug 1571934 - Inline security-prefs.js into all.js. r=keeler
security-prefs.js is #included into greprefs.js, but there's no good reason for
it to be separate from all.js. Having it separate makes it easier to overlook,
and all.js has a bunch of `security.*` prefs in it anyway.

This patch inlines it into all.js. It inlines it at the start of the file to
minimize the risk of the change, so that the prefs end up in greprefs.js in the
same order as before.

Differential Revision: https://phabricator.services.mozilla.com/D40919

--HG--
extra : moz-landing-system : lando
2019-08-07 17:41:22 +00:00
Jed Davis 660156542f Bug 1559368 - When determining sandbox capabilities, check for the specific X11 socket that would be used. r=gcp
Differential Revision: https://phabricator.services.mozilla.com/D40915

--HG--
extra : moz-landing-system : lando
2019-08-07 22:34:50 +00:00
Kevin Jacobs 019f597297 Bug 1564499 - land NSS 89aa19677e37 UPGRADE_NSS_RELEASE, r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D40907

--HG--
extra : moz-landing-system : lando
2019-08-07 16:20:37 +00:00
Moritz Birghan 899a70f4b9 Bug 1563849 - Get btoa(getDERString(cert)) from an API r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39970

--HG--
extra : moz-landing-system : lando
2019-08-06 09:03:38 +00:00
Andreea Pavel 53820aa30c Backed out 9 changesets (bug 1564221) xpcshell failures on a CLOSED TREE
Backed out changeset 36e33a3b59f0 (bug 1564221)
Backed out changeset 12d1607c1415 (bug 1564221)
Backed out changeset 8c3157ad3ac9 (bug 1564221)
Backed out changeset ad7a644c5a8d (bug 1564221)
Backed out changeset 31f730109760 (bug 1564221)
Backed out changeset a140da3467e0 (bug 1564221)
Backed out changeset 02a324e713d6 (bug 1564221)
Backed out changeset dc76eeb3a74a (bug 1564221)
Backed out changeset bc933f236434 (bug 1564221)
2019-08-06 20:49:21 +03:00
Barret Rennie 3df3c840f0 Bug 1564221 - Make nsITransportSecurityInfo builtinclass r=keeler
There are no longer any consumers of the JS-implemented
`FakeTransportSecurityInfo` class, so it can be removed. That removes the last
JS-implemented `nsITransportSecurityInfo` instance and it therefore can be
marked `builtinclass`.

Differential Revision: https://phabricator.services.mozilla.com/D40355

--HG--
extra : moz-landing-system : lando
2019-08-06 15:36:52 +00:00
Barret Rennie 82b162a511 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_resetState.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_resetState.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40352

--HG--
extra : moz-landing-system : lando
2019-08-06 16:14:34 +00:00
Barret Rennie 62b5e6bead Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_originAttributes.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_sss_originAttributes.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40351

--HG--
extra : moz-landing-system : lando
2019-08-06 15:36:18 +00:00
Barret Rennie e7f9be23da Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer
use JS-implemented `nsITransportSecurityInfo` instances in test cases.
This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to
get a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40350

--HG--
extra : moz-landing-system : lando
2019-08-06 16:17:35 +00:00
Barret Rennie b829b4078b Bug 1564221 - Do not use FakeTransportSecurityInfo in test_pinning_header_parsing.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_pinning_header_parsing.js` to use `add_connection_test()` to get
a valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40349

--HG--
extra : moz-landing-system : lando
2019-08-06 15:35:51 +00:00
Barret Rennie a1140840ab Bug 1564221 - Do not use FakeTransportSecurityInfo in test_ocsp_must_staple.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_ocsp_must_staple.js` to use `add_connection_test()` to get a
valid `nsITransportSecurityInfo` instance for the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40348

--HG--
extra : moz-landing-system : lando
2019-08-06 15:35:32 +00:00
Barret Rennie 2629fef012 Bug 1564221 - Do not use FakeTransportSecurityInfo in test_forget_about_site_security_headers.js r=keeler
As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use
JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch
migrates `test_forget_about_site_security_headers.js to use
`add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for
the unit tests.

Differential Revision: https://phabricator.services.mozilla.com/D40347

--HG--
extra : moz-landing-system : lando
2019-08-06 16:03:52 +00:00
Barret Rennie adf4a3e19e Bug 1564221 - Add a contract ID for nsITransportSecurityInfo r=keeler
There is now a contract ID for `nsITransportSecurityInfo`, allowing
`mozilla::psm::TransportSecurityInfo` instances to be created from JS. Tests
using a JS-implemented `nsITransportSecurityInfo` that were not modifying,
e.g., the `serverCert` attribute have been updated to create a
`mozilla::psm::TransportSecurityInfo` via the contract.

Differential Revision: https://phabricator.services.mozilla.com/D40346

--HG--
extra : moz-landing-system : lando
2019-08-06 15:35:04 +00:00
J.C. Jones 83fd5c4742 Bug 1564499 - land NSS 777b6070fe76 UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : 6a0e320432b452bc692f712c63c0cc66699cd130
2019-08-05 15:58:54 +00:00
Moritz Birghan 978fb0351d Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39011

--HG--
extra : moz-landing-system : lando
2019-08-02 17:51:22 +00:00
Cosmin Sabou 9b936b2958 Merge autoland to mozilla-central. a=merge 2019-08-02 18:59:53 +03:00
Mihai Alexandru Michis e9b6a4610d Backed out changeset f742215abea8 (bug 1564499) for causing Bug 1570891. UPGRADE_NSS_RELEASE a=backout 2019-08-02 12:45:49 +03:00
Razvan Maries f57bfff083 Merge mozilla-inbound to mozilla-central a=merge
--HG--
rename : dom/media/encoder/EncodedFrameContainer.h => dom/media/encoder/EncodedFrame.h
2019-08-02 06:50:08 +03:00
J.C. Jones 8c9ade1d25 Bug 1564499 - land NSS 009a7163c80a UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : 6f459dfb1cd7238d9c4b258d41b8b411941acb6e
2019-07-31 20:20:02 +00:00
ffxbld 6dfb6ea6a1 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D40198

--HG--
extra : moz-landing-system : lando
2019-08-01 13:24:01 +00:00
Bob Owen 6a19f3eb75 Bug 1569139: Add a static pref to enable win32k lockdown in the Windows content process sandbox policy. r=aklotz
Differential Revision: https://phabricator.services.mozilla.com/D39870

--HG--
extra : moz-landing-system : lando
2019-08-01 10:55:54 +00:00
Moritz Birghan 31f729e8c4 Bug 1004308 - rename BadCertServer to BadCertAndPinningServer r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39748

--HG--
rename : security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
extra : moz-landing-system : lando
2019-07-31 17:06:07 +00:00
Kershaw Chang 39ab60f95d Bug 1267643 - Remove client certificate filtering based on CA names r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39345

--HG--
extra : moz-landing-system : lando
2019-08-02 12:45:51 +00:00
Gurzau Raul 08ddcd8a5a Backed out changeset 4a66bfcbaca5 (bug 1360307) for build bustage at Logging.h on a CLOSED TREE. 2019-07-31 20:22:43 +03:00
Moritz Birghan 356d25bd08 Bug 1360307 - Improves the arguments to mozilla::psm::InitializeNSS r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39011

--HG--
extra : moz-landing-system : lando
2019-07-31 16:52:02 +00:00
Johann Hofmann 7b984428e8 Bug 1567826 - Don't mark any secureContext pages as insecure. r=nhnt11,keeler,Ehsan
Differential Revision: https://phabricator.services.mozilla.com/D39012

--HG--
extra : moz-landing-system : lando
2019-07-30 12:31:22 +00:00
Ciure Andrei e432090afa Backed out changeset ded87cc3f3ee (bug 1567826) for causing browser_check_identity_state.js to perma fail CLOSED TREE 2019-07-30 12:50:29 +03:00
Johann Hofmann 04c28108fc Bug 1567826 - Don't mark any secureContext pages as insecure. r=nhnt11,keeler,Ehsan
Differential Revision: https://phabricator.services.mozilla.com/D39012

--HG--
extra : moz-landing-system : lando
2019-07-30 07:52:59 +00:00
ffxbld 9ee911f801 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D39676

--HG--
extra : moz-landing-system : lando
2019-07-29 13:29:43 +00:00
Bogdan Tara 7658261678 Backed out changeset 9bed62de3d16 (bug 1267643) for browser_urlbar_speculative_connect_not_with_client_cert.js failures CLOSED TREE 2019-07-29 13:02:17 +03:00
Kershaw Chang 2d553f2a61 Bug 1267643 - Remove client certificate filtering based on CA names r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39345

--HG--
extra : moz-landing-system : lando
2019-07-29 08:48:01 +00:00
J.C. Jones 3295f36c36 Bug 1569223 - Add support to pykey.py for exporting EC keys r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39520

--HG--
extra : moz-landing-system : lando
2019-07-26 17:56:31 +00:00
J.C. Jones 7d89d6183a Bug 1569223 - Support EC keys in TLSServer.cpp r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39519

--HG--
extra : moz-landing-system : lando
2019-07-26 19:17:40 +00:00
J.C. Jones aca1e19c11 Bug 1569221 - Change TLSServer.cpp to support the modern SSL_ConfigServerCert r=keeler
This patch does not change the existing servers to use the new mechanism, rather
attempting to be minimalist. I filed Bug 1569222 for that.

Differential Revision: https://phabricator.services.mozilla.com/D39518

--HG--
extra : moz-landing-system : lando
2019-07-26 20:09:43 +00:00
Jared Wein d2b2321cc8 Bug 1567667 - Decrypted strings returned from asyncDecryptStrings need to be converted to UTF16. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39443

--HG--
extra : moz-landing-system : lando
2019-07-26 19:13:11 +00:00
Tom Ritter 334edd038c Bug 1563774 - Enable Binary Signature Policy on the RDD process r=bobowen
To do this, we preload the AV libraries. They may not be needed right now,
but by doing this now we ensure that future RDD work won't mysteriously
fail during development for some poor coworker.

Differential Revision: https://phabricator.services.mozilla.com/D37928

--HG--
extra : moz-landing-system : lando
2019-07-23 17:49:55 +00:00
Kannan Vijayan 3fb6190ec6 Bug 1559414 - Rename unaudited pre-fission methods with SameProcess for future audit burndown. r=nika
Differential Revision: https://phabricator.services.mozilla.com/D39378

--HG--
extra : moz-landing-system : lando
2019-07-26 16:48:31 +00:00
Gian-Carlo Pascutto c43f365472 Bug 1565996 - Handle relative paths in linker config parsing. r=jld
Differential Revision: https://phabricator.services.mozilla.com/D38634

--HG--
extra : moz-landing-system : lando
2019-07-26 14:03:53 +00:00
Bob Owen 23d09ead45 Bug 1565848: Revert latest change to MITIGATION_DLL_SEARCH_ORDER. r=aklotz
This is until any regressions can be fixed, see bug 1568850.

Differential Revision: https://phabricator.services.mozilla.com/D39357

--HG--
extra : moz-landing-system : lando
2019-07-25 17:44:24 +00:00
ffxbld b7828720b0 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D39331

--HG--
extra : moz-landing-system : lando
2019-07-25 13:20:25 +00:00
Andreea Pavel e4263c00eb Merge mozilla-inbound to mozilla-central. a=merge 2019-07-25 08:59:39 +03:00
Moritz Birghan 1b9a759258 Bug 1549818 - Removes expired FIPS_ENABLED telemetry probe r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39027

--HG--
extra : moz-landing-system : lando
2019-07-24 19:59:27 +00:00
Haik Aftandilian a19efece81 Bug 1566540 - [10.15] Crash in [@ CrashReporter::TerminateHandler] r=spohl
To avoid crashing in macOS 10.15, allow access to the proc_info PROC_INFO_CALL_SETCONTROL syscall variant in the GMP and RDD sandboxes.

Differential Revision: https://phabricator.services.mozilla.com/D39079

--HG--
extra : moz-landing-system : lando
2019-07-24 14:48:41 +00:00
Moritz Birghan e58c39f78e Bug 1549015 - Removes privilegedPackageRoot r=keeler
nsIX509CertDB::PrivilegedPackageRoot was added in bug 1178518 to support privileged packaged apps for Firefox OS. However, we no longer need to support this use-case.

Differential Revision: https://phabricator.services.mozilla.com/D38655

--HG--
extra : moz-landing-system : lando
2019-07-24 19:54:41 +00:00
Kershaw Chang 0bcf85d6e8 Bug 1566030 - Remove nsIClientAuthUserDecision r=keeler,snorp
This patch removes nsIClientAuthUserDecision and add another output parameter to nsIClientAuthDialogs.chooseCertificate.

Differential Revision: https://phabricator.services.mozilla.com/D38074

--HG--
extra : moz-landing-system : lando
2019-07-24 17:49:45 +00:00
Moritz Birghan 206270643c Bug 1567005 - Deletes SECKEYEncryptedPrivateKeyInfo_true r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D39007

--HG--
extra : moz-landing-system : lando
2019-07-24 17:08:15 +00:00
J.C. Jones b979163b23 Bug 1564499 - land NSS a31fc0eefc4c UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : 49049f21b591cf139ea6f4c7fc91f53dfb4e4e1e
2019-07-23 19:31:53 +00:00
J.C. Jones b2cd117111 Bug 1562773 - Add a preference to enable Delegated Credentials in NSS r=keeler
This patch adds a new pref, "security.tls.enable_delegated_credentials",
default false, which controls the NSS option SSL_ENABLE_DELEGATED_CREDENTIALS.

Tests are in D37918.

Differential Revision: https://phabricator.services.mozilla.com/D37907

--HG--
extra : moz-landing-system : lando
2019-07-22 20:53:48 +00:00
Boris Zbarsky 0f70d08ec8 Bug 1566595. Stop using [array] in nsIBinaryOutputStream. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D38387

--HG--
extra : moz-landing-system : lando
2019-07-22 20:27:39 +00:00
Moritz Birghan c3b9c4615e Bug 1559520 - Removes nsIX509CertDB::DeveloperImportedRoot r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D38052

--HG--
extra : moz-landing-system : lando
2019-07-22 13:16:13 +00:00
Ciure Andrei 98278afa46 Backed out changeset a858e4411532 (bug 1566595) for causing Windows MinGW builds bustages CLOSED TREE 2019-07-22 21:39:08 +03:00
Boris Zbarsky 9c74919340 Bug 1566595. Stop using [array] in nsIBinaryOutputStream. r=froydnj
Differential Revision: https://phabricator.services.mozilla.com/D38387

--HG--
extra : moz-landing-system : lando
2019-07-22 14:52:04 +00:00
Paul Adenot 6d321304a4 Bug 1565575 - Allow access to AudioComponentRegistrar when doing audio remoting on OSX to be able to use system decoders. r=haik
When audio remoting is enabled, we can remove most of the sandbox exceptions,
except one, that allows using system calls to do decoding of audio and video
using system decoders (h264 and aac). Not doing that results in most mp4 files
to be unplayable, erroring out when doing calls like this:

https://searchfox.org/mozilla-central/rev/da855d65d1fbdd714190cab2c46130f7422f3699/dom/media/platforms/apple/AppleATDecoder.cpp:336
https://searchfox.org/mozilla-central/rev/da855d65d1fbdd714190cab2c46130f7422f3699/dom/media/platforms/apple/AppleATDecoder.cpp:545

We'll be able to remove it again when we'll use the RDD for everything, but in
the meantime, this exception is needed.

Differential Revision: https://phabricator.services.mozilla.com/D38465

--HG--
extra : moz-landing-system : lando
2019-07-22 08:22:40 +00:00
ffxbld 6f481990b3 No Bug, mozilla-central repo-update HSTS HPKP remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D38858

--HG--
extra : moz-landing-system : lando
2019-07-22 13:21:35 +00:00
Kris Maglione e40b418215 Bug 1566952: Part 2 - Update Fission failure annotations after skipping crashes. r=mccr8
When a test crashes, the harness skips all of the remaining tests in the
directory. That means that with crashes skipped, we now try to run a whole lot
more tests than we did before, and a lot of them fail under Fission.

This patch adds annotations to the new failures that show up after part 1.

Differential Revision: https://phabricator.services.mozilla.com/D38726

--HG--
extra : rebase_source : 292157039c88fc615f5de41679e96e72766ac4db
2019-07-19 12:30:10 -07:00
Dragana Damjanovic 1ed2904c50 Bug 1560354 - Transform some nss types into gecko types. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D35566

--HG--
extra : moz-landing-system : lando
2019-07-02 21:26:36 +00:00
Dana Keeler e32b862175 bug 1560403 - leave cert_storage's lmdb open in rw mode r=nanj
Bug 1543795 configured lmdb to use less memory when opening a database in
read/write mode, so we can remove the workaround code in cert_storage that was
added in bug 1538093 as a way to mitigate the memory usage.

Differential Revision: https://phabricator.services.mozilla.com/D38525

--HG--
extra : moz-landing-system : lando
2019-07-18 21:43:14 +00:00
ffxbld 28af937c05 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D38478

--HG--
extra : moz-landing-system : lando
2019-07-18 12:58:04 +00:00
Kris Maglione 0962c2b731 Bug 1566182: Annotate mochitests that fail with Fission enabled. r=mccr8
My preference was to annotate most of the failing tests with `fail-if` so that
if they start passing, the `fail-if` needs to be removed and they need to keep
passing. That doesn't work for tests that timeout, or which trigger failures
from their cleanup functions, however, so those tests need skip-if. And tests
with fail in their cleanup functions likely leave the browser in an
inconsistent state for subsequent tests, anyway, so really should be skipped
regardless.

There are some remaining tests which still fail because of crashes. I chose
not to skip them here, but to fix the crashes in separate bugs instead.

Differential Revision: https://phabricator.services.mozilla.com/D38247

--HG--
extra : rebase_source : 39ba8fec2e882cfe577c5f2b58ab7e4b461f1178
2019-07-15 16:19:32 -07:00
Gurzau Raul a40be3ff67 Merge mozilla-central to autoland. a=merge CLOSED TREE 2019-07-17 06:53:00 +03:00
Gurzau Raul 21df1f7413 Merge inbound to mozilla-central. a=merge 2019-07-17 06:48:50 +03:00
Moritz Birghan 0b20e8b949 Bug 1297357 - Switch work from nsNSSCertificateDB::AddCertFromBase64() to nsNSSCertificateDB::AddCert(). r=keeler
Before the nsNSSCertificateDB::AddCert() function encoded the given DER input into Base64 and then called nsNSSCertificateDB::AddCertFromBase64() to do the remaining work. In nsNSSCertificateDB::AddCertFromBase64() the input was then eventually decoded back into DER.
Now nsNSSCertificateDB::AddCertFromBase64() encodes its input into DER and then calls nsNSSCertificateDB::AddCert() which now does the remaining work without converting between formats.

Differential Revision: https://phabricator.services.mozilla.com/D37738

--HG--
extra : moz-landing-system : lando
2019-07-16 18:02:49 +00:00
Dana Keeler 18e9f3ba80 bug 1564481 - reset HSTS/HPKP state to factory settings rather than storing knockout entries for preloaded sites r=jcj r=KevinJacobs
As originally implemented, nsISiteSecurityService.removeState allowed direct
access to remove HSTS state. It also provided the implementation for when the
browser encountered an HSTS header with "max-age=0". In bug 775370, it was
updated to store an entry that would override preloaded information when
processing such headers. However, this meant that the semantics of the direct
access API had changed. Preloaded information could be overridden if a user
invoked the "forget about this site" feature. This change fixes the public API
(and renames it to "resetState") so it actually behaves as its consumers expect.

Reviewers: jcj!, KevinJacobs!

Tags: #secure-revision

Bug #: 1564481

Differential Revision: https://phabricator.services.mozilla.com/D38108

--HG--
extra : rebase_source : 8dd5460d3fd3c0ce92746cc83fae220d6e2a83cf
extra : amend_source : 171ebb015e9f9ae775f0caa22e161d41970f3d51
2019-07-11 13:48:28 -07:00
Mihai Alexandru Michis 22b330ecb3 Merge inbound to mozilla-central. a=merge 2019-07-16 07:08:15 +03:00
J.C. Jones 0b2f8f9f7c Bug 1564499 - land NSS 8c6fad5544a6 UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : 5434866d8339b5c9f91a5114d37b863e7880f6e8
2019-07-15 21:40:37 +00:00
ffxbld 4ede446d10 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D38063

--HG--
extra : moz-landing-system : lando
2019-07-15 17:06:26 +00:00
Bob Owen 95b19e37ff Bug 1564899: Make CloseHandleWrapper CHECK a DCHECK on non-Nightly builds. r=handyman
This is because we are hitting it frequently during PolicyBase::OnJobEmpty and
currently we can't work out how this can happen.

Differential Revision: https://phabricator.services.mozilla.com/D38090

--HG--
extra : moz-landing-system : lando
2019-07-15 17:19:17 +00:00
Tim Nguyen f9b01dd5b0 Bug 1565921 - Load editMenuOverlay.js and globalOverlay.js on documents with HTML inputs. r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D38018

--HG--
extra : moz-landing-system : lando
2019-07-15 11:14:44 +00:00
Carolina 9196c76343 Bug 1560538 - Opens a new tab to show the certificate. r=johannh,keeler
Not sure what to do in pippki.js, for the moment I put an incorrect id.

Differential Revision: https://phabricator.services.mozilla.com/D35531

--HG--
extra : moz-landing-system : lando
2019-07-15 12:32:43 +00:00
Boris Zbarsky 5062731c15 Bug 1565688. Remove unused IOService arg from NS_NewURI. r=mayhemer
Differential Revision: https://phabricator.services.mozilla.com/D37968

--HG--
extra : moz-landing-system : lando
2019-07-15 13:39:51 +00:00
ffxbld 7c0acde6a7 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D37716

--HG--
extra : moz-landing-system : lando
2019-07-11 12:55:28 +00:00
Bob Owen 7b91f43ece Bug 1557282: SetLockdownDefaultDacl for content process sandbox policy for Windows 10 or later. r=jmathies
Differential Revision: https://phabricator.services.mozilla.com/D33301

--HG--
extra : moz-landing-system : lando
2019-07-10 14:57:01 +00:00
Dana Keeler ba0c7e0e3a bug 1563056 - download the most recent CRLite filter and all following incremental filters r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D37333

--HG--
extra : moz-landing-system : lando
2019-07-11 00:29:44 +00:00
Bobby Holley 3b7fbc734f Bug 1562763 - Move some types around. r=jld
Having to namespace these into GeckoChildProcessHost is annoying. The
|using| declarations help to some extent, but it's easier to just put
them in mozilla::ipc.

Differential Revision: https://phabricator.services.mozilla.com/D36538

--HG--
extra : moz-landing-system : lando
2019-07-10 22:37:35 +00:00
Barret Rennie acd77aae10 Bug 1289211 - Rename InfallibleTArray to nsTArray in security/manager/ r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D36967

--HG--
extra : moz-landing-system : lando
2019-07-10 03:33:22 +00:00
Ciure Andrei 310109bd2e Merge mozilla-central to autoland. a=merge CLOSED TREE
--HG--
extra : rebase_source : 3b80d073fd836431e45fa7bfd52e0af0bf065f66
2019-07-10 18:47:38 +03:00
Haik Aftandilian 7105b782dc Bug 1556846 - [10.15] Crash in [@ mozilla::plugins::PluginUtilsOSX::SetProcessName] r=spohl
Allow limited access to the proc_pidinfo() syscall from the Mac utility process sandbox.

Differential Revision: https://phabricator.services.mozilla.com/D37533

--HG--
extra : moz-landing-system : lando
2019-07-10 15:00:05 +00:00
J.C. Jones 12e7f4d58f Bug 1564499 - land NSS 264f19e7ede7 UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : ff8107777ed0677caaa7249d77f5cf3871c25de2
extra : amend_source : bc8998d1b575164552d4b44396a7db4122a04777
2019-07-09 18:01:15 +00:00
Narcis Beleuzu 59c3fccd33 Merge inbound to mozilla-central. a=merge 2019-07-09 06:45:48 +03:00
Sebastian Hengst 654b6e825b merge mozilla-central to mozilla-inbound. a=merge CLOSED TREE 2019-07-08 15:11:29 +02:00
Sebastian Hengst 3134e9d91c Backed out 3 changesets (bug 1541557) for failures in SpecialPowersObserverAPI.js. a=backout CLOSED TREE
Backed out changeset 5b91c8869f42 (bug 1541557)
Backed out changeset a636725ad217 (bug 1541557)
Backed out changeset 7e6657f88b76 (bug 1561150)

--HG--
rename : testing/specialpowers/content/MozillaLogger.js => testing/mochitest/tests/SimpleTest/MozillaLogger.js
rename : testing/specialpowers/content/specialpowersAPI.js => testing/specialpowers/content/SpecialPowersAPI.jsm
rename : testing/specialpowers/content/SpecialPowersObserverAPI.js => testing/specialpowers/content/SpecialPowersAPIParent.jsm
rename : testing/specialpowers/content/specialpowers.js => testing/specialpowers/content/SpecialPowersChild.jsm
rename : testing/specialpowers/content/SpecialPowersObserver.jsm => testing/specialpowers/content/SpecialPowersParent.jsm
extra : amend_source : 158c9e896d32778e71f4fd343227f531d693e511
2019-07-08 14:38:45 +02:00
Sebastian Hengst 515d14403f Backed out 34 changesets (bug 1561150, bug 1541557, bug 1561724, bug 1561999, bug 1558298, bug 1561061, bug 1532795, bug 1560400, bug 1561122) for beta simulation failures (bug 1563905, bug 1564001). a=backout
Backed out changeset 210d6d52e8b0 (bug 1541557)
Backed out changeset 3115db154c45 (bug 1561122)
Backed out changeset b42748878b6e (bug 1561122)
Backed out changeset 266160ca8e9d (bug 1561999)
Backed out changeset 00e935828f41 (bug 1561724)
Backed out changeset 4aaf4882780d (bug 1561150)
Backed out changeset 6644e38a6692 (bug 1561150)
Backed out changeset 72cd895b1613 (bug 1561061)
Backed out changeset f0bac27bad8a (bug 1560400)
Backed out changeset 95da39224eab (bug 1560400)
Backed out changeset 3fe4d4942fd2 (bug 1532795)
Backed out changeset 23e90c6fec2b (bug 1532795)
Backed out changeset a7f093fbef06 (bug 1532795)
Backed out changeset c873f0eb94be (bug 1532795)
Backed out changeset cf359a8ec753 (bug 1532795)
Backed out changeset f2c260cae4b5 (bug 1541557)
Backed out changeset 054a0b7aa81d (bug 1541557)
Backed out changeset f808ec45ff9c (bug 1541557)
Backed out changeset 1025eeef0954 (bug 1541557)
Backed out changeset fe88b250e418 (bug 1541557)
Backed out changeset 6680278c231b (bug 1541557)
Backed out changeset 255735c1ff63 (bug 1541557)
Backed out changeset 51969e1c9c44 (bug 1558298)
Backed out changeset d12525990565 (bug 1558298)
Backed out changeset ef4ec8f0f886 (bug 1558298)
Backed out changeset 45a9599d9641 (bug 1558298)
Backed out changeset 4ccecdba1c34 (bug 1558298)
Backed out changeset 0e91fc9541c2 (bug 1558298)
Backed out changeset edd1cc6badf7 (bug 1558298)
Backed out changeset ba24251835fb (bug 1558298)
Backed out changeset ca88016511bb (bug 1558298)
Backed out changeset c95e6e599836 (bug 1558298)
Backed out changeset 9b1a9d802434 (bug 1558298)
Backed out changeset f859e4de0007 (bug 1558298)

--HG--
rename : testing/mochitest/tests/SimpleTest/MozillaLogger.js => testing/specialpowers/content/MozillaLogger.js
rename : testing/specialpowers/content/SpecialPowersParent.jsm => testing/specialpowers/content/SpecialPowersObserver.jsm
rename : testing/specialpowers/content/SpecialPowersAPIParent.jsm => testing/specialpowers/content/SpecialPowersObserverAPI.js
rename : testing/specialpowers/content/SpecialPowersChild.jsm => testing/specialpowers/content/specialpowers.js
rename : testing/specialpowers/content/SpecialPowersAPI.jsm => testing/specialpowers/content/specialpowersAPI.js
extra : rebase_source : 223d2e49710b016c9973765d402c61692004518e
extra : amend_source : ec773fe82334e6da536bb21e83a994a5f2d03091
2019-07-08 10:37:28 +02:00
Jed Davis 0ba66c379f Bug 1534780 - Add free interconversion between UniqueFileHandle and ipc::FileDescriptor and use it in a few places. r=froydnj
Now that UniqueFileHandle can be used more widely, and with
ipc::FileDescriptor being essentially a copyable UniqueFileHandle, it
makes sense to add a move constructor and a "forget"-like method to
convert between them when needed.

Depends on D26737

Differential Revision: https://phabricator.services.mozilla.com/D26738

--HG--
extra : moz-landing-system : lando
2019-06-28 19:46:58 +00:00
ffxbld 18132fb6de No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D37242

--HG--
extra : moz-landing-system : lando
2019-07-08 12:47:22 +00:00
Sylvestre Ledru e77bfc655d Bug 1519636 - Reformat recent changes to the Google coding style r=Ehsan
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D38057

--HG--
extra : moz-landing-system : lando
2019-07-16 07:33:44 +00:00
Noemi Erli ad06a86a88 Merge mozilla-central to inbound. a=merge CLOSED TREE 2019-07-08 12:53:36 +03:00
J.C. Jones 61484db444 Bug 1550889 - land NSS NSS_3_45_RTM UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : d983d1f4fbb04332d4cf317e36cff87523c56636
2019-07-05 17:57:05 +00:00
Victor Porof 221861fb7c Bug 1561435 - Fix linting errors for security/, r=standard8
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D35929

--HG--
extra : source : d6f4b7c214863a85893d946968caeeec07126be1
extra : intermediate-source : 03e188f8f4f00d8eae72ff1a690c9cbacc2313da
2019-06-21 16:21:34 -07:00
Victor Porof 858f3b554b Bug 1561435 - Format security/, a=automatic-formatting
# ignore-this-changeset

Differential Revision: https://phabricator.services.mozilla.com/D35928

--HG--
extra : source : 4e926f91b17c2b13cdaf13e017629286275dbc00
2019-07-05 10:57:28 +02:00
Victor Porof b5a4cb3848 Bug 1558517 - Pre 3.0: Remove conflicting eslint rules, and turn on "curly: all" everywhere, r=standard8
Differential Revision: https://phabricator.services.mozilla.com/D34535

--HG--
extra : source : 74ed7ee773393d305c4e948a57a1b1e32b1f12e8
extra : intermediate-source : 403d0757d61683e0a85d0bb07768eb39fbd0af72
2019-06-28 17:14:01 +02:00
Razvan Maries daed363fd7 Merge mozilla-inbound to mozilla-central a=merge 2019-07-05 00:40:17 +03:00
Csoregi Natalia 0c754625a9 Merge mozilla-central to mozilla-inbound. CLOSED TREE 2019-07-04 12:54:22 +03:00
Oana Pop Rus 2ad74ef9f7 Merge mozilla-central to inbound. a=merge CLOSED TREE 2019-07-04 06:38:21 +03:00
Narcis Beleuzu 6d2dcfb90a Backed out changeset 08ff2f330260 (bug 1562809) for bc failures on browser_exportP12_passwordUI.js . CLOSED TREE 2019-07-03 23:39:29 +03:00
J.C. Jones bc5c1226d8 Bug 1550889 - land NSS NSS_3_45_BETA2 UPGRADE_NSS_RELEASE, r=me
--HG--
extra : rebase_source : 9dbabf7a7500a34854642e5c55cc4507c4c1aa4a
2019-07-03 17:02:31 +00:00
ffxbld c3dff17808 No Bug, mozilla-central repo-update HSTS HPKP blocklist remote-settings tld-suffixes - a=repo-update r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D36908

--HG--
extra : moz-landing-system : lando
2019-07-04 13:06:12 +00:00
Tim Nguyen 6374da2c07 Bug 1562809 - Convert XUL textboxes in setp12password.xul and changepassword.xul to HTML inputs. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D36560

--HG--
extra : moz-landing-system : lando
2019-07-03 17:32:25 +00:00
Dana Keeler ca691e2faf bug 1553550 - removing expiring intermediate preloading telemetry r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D36516

--HG--
extra : moz-landing-system : lando
2019-07-03 16:49:18 +00:00
Haik Aftandilian a218f608fc Bug 1558924 - [10.15] Widevine crashes on macOS Catalina Beta r=handyman
Allow limited access to the proc_pidinfo() syscall from the GMP sandbox.

Differential Revision: https://phabricator.services.mozilla.com/D36810

--HG--
extra : moz-landing-system : lando
2019-07-03 18:17:55 +00:00
Tim Nguyen 02f77cdcee Bug 1562809 - Convert XUL textboxes in setp12password.xul and changepassword.xul to HTML inputs. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D36560

--HG--
extra : moz-landing-system : lando
2019-07-03 21:59:55 +00:00