In a profile, loading the loadable roots PKCS#11 module (i.e. the built-in root
CA module) accounted for about 60% of the time to initialize PSM/NSS. Since we
only need the roots module loaded when we're actually looking for an issuing
certificate or querying a certificate's trust, we can do the load
asynchronously (where it hopefully finishes before we actually need it, because
otherwise we'll have to wait anyway).
MozReview-Commit-ID: JyY6NtpQAUj
--HG--
extra : rebase_source : f63a697b18a409dd042289afa2b727b09f81f19f
As a result of CNNIC issuing an unconstrained intermediate certificate that
misissued an end-entity certificate for google.com (see bug 1146026 and
bug 1177209), we implemented a system that would in theory enable Firefox to
continue to trust certificates that were valid at the time but not newly issued
certificates. This consisted of a whitelist added in bug 1151512. The CNNIC
roots have since been removed from NSS in bug 1380868. We can now remove the
whitelist in Firefox.
MozReview-Commit-ID: 7VXOuvwzbct
--HG--
extra : rebase_source : 20e6e39c40417a9b7f2962e06cf9de85e3e08ee8
It's silly to use prmem.h within Firefox code given that in our configuration
its functions are just wrappers for malloc() et al. (Indeed, in some places we
mix PR_Malloc() with free(), or malloc() with PR_Free().)
This patch removes all uses, except for the places where we need to use
PR_Free() to free something allocated by another NSPR function; in those cases
I've added a comment explaining which function did the allocation.
--HG--
extra : rebase_source : 0f781bca68b5bf3c4c191e09e277dfc8becffa09
CERT_CreateSubjectCertList is not an inexpensive function call, since it
enumerates the certificate database (i.e. reads from disk a lot). If we're
verifying for a TLS handshake, however, we should already have in memory a
certificate chain sent by the peer (there are some cases where we won't, such as
session resumption (see bug 731478)). If we can, we should use those
certificates before falling back to calling CERT_CreateSubjectCertList.
MozReview-Commit-ID: ASjVGsELb1O
--HG--
extra : rebase_source : 1efc635d4a98079c87f77ef3794e4b2f20eec59f
Firefox essentially does not support running NSS in FIPS mode any longer. This
has always been the case on Android from what I can tell and it has been the
case on OS X since at least version 34 (see bug 1047584). It became the case on
Windows as of version 53 (see bug 1295937). Unfortunately, before this patch,
if a user attempted to run an affected version of Firefox using a profile
directory containing an NSS database collection that had FIPS enabled, NSS
initialization would fail and fall back to running in no DB mode, which had the
side-effect of making any saved passwords and certificates unavailable. This
patch attempts to detect and work around this failure mode by moving the
PKCS#11 module DB (which is where the FIPS bit is set) to a backup location and
basically running with a fresh, non-FIPS module DB. This allows Firefox to
initialize NSS with the preexisting key and certificate databases available.
MozReview-Commit-ID: 1E4u1ngZyRv
--HG--
rename : security/manager/ssl/tests/unit/test_sdr_preexisting.js => security/manager/ssl/tests/unit/test_broken_fips.js
rename : security/manager/ssl/tests/unit/test_sdr_preexisting/key3.db => security/manager/ssl/tests/unit/test_broken_fips/key3.db
extra : rebase_source : 887f457e998d6e57c6536573fbe3cb10547fe154
The default OCSP timeout for soft-fail DV is still 2 seconds. This patch makes
it configurable on the interval (0, 5] seconds.
The default OCSP timeout for EV and hard-fail DV is still 10 seconds. This patch
makes it configurable on the interval (0, 20] seconds.
MozReview-Commit-ID: CPd8pwYrJhj
--HG--
extra : rebase_source : 45bd7d06ea013f0a776ea18be9408dedb18271d8
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".
However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.
But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.
This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.
MozReview-Commit-ID: Ej9L9zTwoPN
--HG--
extra : rebase_source : 575f1a48646cf728d879d0cf53c888654e4a32ad
mozilla::TimeStamp is generally superior to PRIntervalTime, and switching lets
us get rid of yet another NSPR dependency.
This patch also:
1. Gets rid of code in nsNSSHttpRequestSession::createFcn() that limits the
max OCSP timeout. This is a relic from when NSS was used for OCSP requests,
and is no longer necessary.
2. Converts all uses of PR_NOT_REACHED() to MFBT asserts while we're nearby.
MozReview-Commit-ID: KvgOWWhP8Km
--HG--
extra : rebase_source : ea832a1acc4423cf6cfc98862af6b1c29a83ce56
PR_ASSERT() is an unnecessary dependency on NSPR.
We can use MOZ_ASSERT() instead, which accomplishes the same task but doesn't
depend on NSPR.
MozReview-Commit-ID: 9gyWUkv3KxQ
--HG--
extra : rebase_source : 313ce6c8de3db3ce72635e37f09d28316ae02c51
(Note that content signature verification does not use the unified certificate
verifier and thus will still consult OneCRL.)
MozReview-Commit-ID: 6KvHOngpabT
--HG--
extra : rebase_source : 601f4d8d1c66befb77d0c07a2d84f3f04416f996
The PR_SetError() + PR_GetError() pattern is error prone and unnecessary.
Also fixes Bug 1254403.
MozReview-Commit-ID: DRI69xY4vxC
--HG--
extra : rebase_source : aa07c0dfb5cc2a203e772b415b7a75b27d9bad3c
Previously PSM would load EV information on-demand (i.e. just before verifying a
certificate). This simplifies this operation, removes a dubious optimization
(loading the EV information on another thread while opening a network
connection), and relocates the loading operation to when we are likely to have
good disk locality (i.e. when we've just loaded the built-in roots module).
This also removes the now-unused MOZ_NO_EV_CERTS build flag.
MozReview-Commit-ID: 8Rnl4ozF95V
--HG--
extra : rebase_source : 5b2e76079c256f7e3c55b1d4ec0d9f654fec44f6
Previously PSM would load EV information on-demand (i.e. just before verifying a
certificate). This simplifies this operation, removes a dubious optimization
(loading the EV information on another thread while opening a network
connection), and relocates the loading operation to when we are likely to have
good disk locality (i.e. when we've just loaded the built-in roots module).
This also removes the now-unused MOZ_NO_EV_CERTS build flag.
MozReview-Commit-ID: 8Rnl4ozF95V
--HG--
extra : rebase_source : 344b68c81af1ed3fb038e4e96c3c50e939d32c3d
The patch is generated from following command:
rgrep -l unused.h|xargs sed -i -e s,mozilla/unused.h,mozilla/Unused.h,
MozReview-Commit-ID: AtLcWApZfES
--HG--
rename : mfbt/unused.h => mfbt/Unused.h
Scoped.h is deprecated in favour of the standardised UniquePtr.
This patch removes use of Scoped.h everywhere in PSM except ScopedNSSTypes.h,
which is exported. Other consumers of ScopedNSSTypes.h can move off Scoped.h
at their own pace.
This patch also changes parameters and return types of various functions to make
ownership more explicit.
MozReview-Commit-ID: BFbtCDjENzy
--HG--
extra : transplant_source : %0B%C7%9F%40%FA9%A4%F2%5E%0D%92%1C%A6%A49%94%C3%7E%1Cz
The function basically duplicates existing Mozilla string class functionality.
MozReview-Commit-ID: 9IFEXuT9cW1
--HG--
extra : rebase_source : 0d0c4492a63f7a168b6092fdb2e1bf8ec09d5308
mozilla::BitwiseCast does the same thing, but provides static asserts that
mitigate some of the risk of using reinterpret_cast.
MozReview-Commit-ID: ENQ8QC6Nl9o
--HG--
extra : rebase_source : c1725c8363c0f7f9877601de5ab5f152ef4d0439
The (more) modern Mozilla string classes can be used instead, which at the very
least provide built in automatic memory management and performance improvements.
MozReview-Commit-ID: 4l2Er5rkeI0
--HG--
extra : transplant_source : %A1%16%AB%02m%CA%25HfW%40%96Mq%0D%F0%91%9C%99%29
ScopedPK11SlotInfo is based on Scoped.h, which is deprecated in favour of the
standardised UniquePtr.
Also changes PK11SlotInfo parameters of various functions to make ownership more
explicit, and replaces some manual management of PK11SlotInfo pointers.
MozReview-Commit-ID: JtNH2lJsjwx
--HG--
extra : rebase_source : 9d764e0dd3a1f2df14c16f8f14a3c5392770c9a1
ScopedCERTCertList is based on Scoped.h, which is deprecated in favour of the
standardised UniquePtr.
Also changes CERTCertList parameters of various functions to make ownership more
explicit.
MozReview-Commit-ID: EXqxTK6inqy
--HG--
extra : transplant_source : %9B%A9a%94%D1%7E%2BTa%9E%9Fu%9F%02%B3%1AT%1B%F1%F6
Also converts the longer |UniquePtr<char, void(&)(void*)> foo(..., PORT_Free)|
to the shorter and equivalent |UniquePORTString foo(...)|.
MozReview-Commit-ID: LlrTNUYBP4V
--HG--
extra : transplant_source : afU%FB%0EC%3E%E0pm%A3-%0E%C8%83%CF%0A%B1%9E%ED
When a built-in root certificate has its trust changed from the default value,
the platform has to essentially create a copy of it in the read/write
certificate database with the new trust settings. At that point, the desired
behavior is that the platform still considers that certificate a built-in root.
Before this patch, this would indeed happen for the duration of that run of the
platform, but as soon as it restarted, the certificate in question would only
appear to be from the read/write database, and thus was not considered a
built-in root. This patch changes the test of built-in-ness to explicitly
search the built-in certificate slot for the certificate in question. If found,
it is considered a built-in root.
MozReview-Commit-ID: HCtZpPQVEGZ
--HG--
extra : rebase_source : 759e9c5a7bb14f14a77e62eae2ba40c085f04ccd