We've a report of a compilation error on a different system because
std::function was undefined.
MozReview-Commit-ID: 2MboMUdLzHj
--HG--
extra : rebase_source : be6d73506402a1838b96ce55e69b44dcb00949f1
See the previous patch for an explanation of the mistake that this is
meant to catch.
Note that, even for arguments that really are 64-bit on 32-bit platforms
(typically off_t), it's generally not safe to pass them directly to
syscall(): some architectures, like ARM, use ABIs that require such
arguments to be passed in aligned register pairs, and they'll be aligned
differently for syscall() vs. the actual system call due to the leading
system call number argument. The syscall(2) man page discusses this
and documents that such arguments should be split into high/low halves,
passed separately, and manually padded.
Therefore, this patch rejects any argument types larger than a word.
MozReview-Commit-ID: FVhpri4zcWk
--HG--
extra : rebase_source : 0329fe68be2a4e16fb71736627f0190e005c9972
The values in arch_seccomp_data::args are uint64_t even on 32-bit
platforms, and syscall takes varargs, so the arguments need to be
explicitly cast to the word size in order to be passed correctly.
MozReview-Commit-ID: 5ldv6WbL2Z3
--HG--
extra : rebase_source : c6ef37d8b367ad6025e510e58e6ab4d2f96cfc9e
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.
This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).
MozReview-Commit-ID: K3OQEpIrnUW
--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
SegmentCertificateChain, when provided a cert chain from nsISSLStatus, delivers
the EE as the Root, the Root as the EE, and the intermediates in reverse order.
Basically, now that Bug 1406856 landed, it's clear this was backward in its
thinking, so reverse it for the common case.
MozReview-Commit-ID: Ahtv9U9A9oS
--HG--
extra : rebase_source : 75c8688c5041652fd966babe91cb8c6287e19ad0
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : 304481a18c371c3253448971f48064bcbd681a81
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : 3542ea305aabaca0500d66f8e86f5c12170d793e
This adds two methods to nsNSSCertList: ForEachCertificateInChain, and
SegmentCertificateChain. The ForEach method calls a supplied function for each
certificate in the chain, one by one.
That method is then used by the Segment method, which (assuming the chain is
ordered) splits it into Root, End Entity, and everything in-between as a list of
Intermediates.
This patch does _not_ try to add these methods to the IDL, as it's not
straightforward to me on how to handle the nsCOMPtr or std::function arguments.
These methods will be first used by Bug 1409259.
(Update to fix gtest bustage on Linux)
MozReview-Commit-ID: 8qjwF3juLTr
--HG--
extra : rebase_source : 3dee871a4622b8ad84cca247dc9a9f3ceb3b4bd9
There are specific versions needed for security/manager/ssl/tests/unit/pycert.py,
so let's give PIP some installation help:
0.1.7 for pyasn1 and 0.0.5 for pyasn1_modules
(recent versions break pycert/pykey/pycms)
MozReview-Commit-ID: Fk98UPd8bJo
--HG--
extra : rebase_source : 79436d4e99cda1dca438015835fdfa83a78c4dc7
This prctl is used by PulseAudio; once bug 1394163 is resolved, allowing
it can be made conditional on the media.cubeb.sandbox pref.
MozReview-Commit-ID: 6jAM65V32vK
--HG--
extra : rebase_source : abb039aff7cefc0aa3b95f4574fdf1e3fb0d93a6
This adds two methods to nsNSSCertList: ForEachCertificateInChain, and
SegmentCertificateChain. The ForEach method calls a supplied function for each
certificate in the chain, one by one.
That method is then used by the Segment method, which (assuming the chain is
ordered) splits it into Root, End Entity, and everything in-between as a list of
Intermediates.
This patch does _not_ try to add these methods to the IDL, as it's not
straightforward to me on how to handle the nsCOMPtr or std::function arguments.
These methods will be first used by Bug 1409259.
MozReview-Commit-ID: 8qjwF3juLTr
--HG--
extra : rebase_source : 39e2e8530ac23c6b96eb73f406bca32a59bcccf5
There are specific versions needed for security/manager/ssl/tests/unit/pycert.py,
so let's give PIP some installation help:
0.1.7 for pyasn1 and 0.0.5 for pyasn1_modules
(recent versions break pycert/pykey/pycms)
MozReview-Commit-ID: Fk98UPd8bJo
--HG--
extra : rebase_source : 79436d4e99cda1dca438015835fdfa83a78c4dc7
Modified from bug 1248818 comment 11:
Before this patch, if a user had a smart card (PKCS#11 device) with removable
slots, Firefox would launch a thread for each module and loop, calling
SECMOD_WaitForAnyTokenEvent to be alerted to any insertions/removals. At
shutdown, we would call SECMOD_CancelWait, which would cancel any waiting
threads. However, since that involved calling 3rd party code, we really had no
idea if these modules were behaving correctly (and, indeed, they often weren't,
judging by the shutdown crashes we were getting).
The real solution is to stop relying on PKCS#11, but since that's unlikely in
the near future, the next best thing would be to load these modules in a child
process. That way, misbehaving modules don't cause Firefox to hang/crash/etc.
That's a lot of engineering work, though, so what this patch does is avoids the
issue by never calling SECMOD_WaitForAnyTokenEvent (and thus we never have to
call SECMOD_CancelWait, etc.). Instead, every time Firefox performs an operation
that may be affected by a newly added or removed smart card, it first has NSS
refresh its view of any removable slots. This is similar to how we ensure the
loadable roots module has been loaded (see bug 1372656).
MozReview-Commit-ID: JpmLdV7Vvor
--HG--
extra : rebase_source : d3503d19fa9297106d661a017a38c30969fa39b4
This lets us replace moz_xstrdup() of string literals with AssignLiteral(),
among other improvements.
--HG--
extra : rebase_source : 9994d8ccb4f196cf63564b0dac2ae6c4370defb4
Currently the Gecko Profiler defines a moderate amount of stuff when
MOZ_GECKO_PROFILER is undefined. It also #includes various headers, including
JS ones. This is making it difficult to separate Gecko's media stack for
inclusion in Servo.
This patch greatly simplifies how things are exposed. The starting point is:
- GeckoProfiler.h can be #included unconditionally;
- everything else from the profiler must be guarded by MOZ_GECKO_PROFILER.
In practice this introduces way too many #ifdefs, so the patch loosens it by
adding no-op macros for a number of the most common operations.
The net result is that #ifdefs and macros are used a bit more, but almost
nothing is exposed in non-MOZ_GECKO_PROFILER builds (including
ProfilerMarkerPayload.h and GeckoProfiler.h), and understanding what is exposed
is much simpler than before.
Note also that in BHR, ThreadStackHelper is now entirely absent in
non-MOZ_GECKO_PROFILER builds.
Before this patch, if a user set their TLS version range preferences to only
allow TLS 1.3, any connections made with the BE_CONSERVATIVE flag or via the
telemetry studies flags would fail because we would attempt to set an
inconsistent TLS version range (the minimum was greater than the maximum). This
fixes that by setting the minimum to the flag-configured maximum. This
intentionally overrides the user's preferences because it is in the context of
browser-critical services (i.e. update servers) or telemetry studies.
MozReview-Commit-ID: 1kKE5nOVQz8
--HG--
extra : rebase_source : 047aa03f401d75aba3f6c5f4c572d2cc451a329e
The PRFileDesc* returned by PR_PopIOLayer must be used rather than a preexisting
pointer to the layer in question.
MozReview-Commit-ID: 8PsCA5npaj6
--HG--
extra : rebase_source : 7488d70ffd428b103ae51d1ebcf15745acd9bf12
I think that trying to slice this up by feature is just going to lead to complications down the line,
so to keep it simple I've moved this to the launch code for all sandboxed children, not just when the
Alternate Desktop is enabled.
This also, similar to chromium, only adds them to the blocklist if they are loaded in the parent.
It is helpful to have a slot which never has a token, so that the
absense of a token can be asserted in unit tests.
Add a third token that is always empty, and update a number of unit
tests to check for it.
MozReview-Commit-ID: 4apvRRhZJus
--HG--
extra : rebase_source : cd3bb819bcf66c769f36a428ed26ea8fa6c68a26
NSS command-line utilities may add a built-in root certificate module with the
name "Root Certs" if run on a profile that has a copy of the module file (which
is an unexpected configuration in general for Firefox). This can cause breakage.
To work around this, PSM now simply deletes any module named "Root Certs" at
startup. In an effort to prevent PSM from deleting unrelated modules
coincidentally named "Root Certs", we also prevent the user from using the
Firefox UI to name modules "Root Certs".
MozReview-Commit-ID: ABja3wpShO9
--HG--
extra : rebase_source : cfc62fb3fabf491a72f009601f3ec6973244642e
Move constructors are more appropriate for these classes, since the
underlying hashtable code will be moving them around, not copying them.
We can take this opportunity to fix a bug in nsClientAuthRememberEntry:
it wasn't transferring the value of mEntryKey, which would have been
disastrous if the underlying hash table was ever resized.
ChildPrivileges is a leftover from the B2G process model; it's now
mostly unused, except for the Windows sandbox using it to carry whether
a content process has file:/// access.
In general, when sandboxing needs to interact with process launch, the
inputs are some subset of: the GeckoProcessType, the subtype if content,
various prefs and even GPU configuration; and the resulting launch
adjustments are platform-specific. And on some platforms (e.g., OS X)
it's all done after launch. So a simple enum used cross-platform isn't
a good fit.
MozReview-Commit-ID: K31OHOpJzla
--HG--
extra : rebase_source : 3928b44eb86cd076bcac7897536590555237b76b
Per the root program's request, this patch removes EV treatment for four WoSign
roots:
Common Name: CA 沃通根证书
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
Common Name: Certification Authority of WoSign
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08
Common Name: Certification Authority of WoSign G2
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16
Common Name: CA WoSign ECC Root
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02
MozReview-Commit-ID: Bxp9LgvxCsp
--HG--
extra : rebase_source : 065d98cc654d3fb22c17ea185253ce917b48e270
This does two things:
1) Move the level 3 rules to always be applicable, and simplifies level 2 accordingly
2) Consistently uses the raw string literal syntax for regexes
MozReview-Commit-ID: 6iwjOvRVMM7
--HG--
extra : rebase_source : 3ac59219ad0793a98bdb203fb3d247561216a560
Incidentally, this means we can remove certificateUsageVerifyCA and
certificateUsageStatusResponder from CertVerifier, since we no longer use them.
MozReview-Commit-ID: Bbqn8fShfTm
--HG--
extra : rebase_source : 012cb08dcbe33fe889c9f6824959b1a02cd0bdc7
By using the PartialConfigEnvironment, the clients of buildconfig will
depend on config.statusd/ files instead of config.status directly.
Clients can access substs and defines using buildconfig.substs['FOO'] or
buildconfig.defines['BAR'], and then collect file-level dependencies for
make using buildconfig.get_dependencies(). All GENERATED_FILES rules
already make use of this because file_generate.py automatically includes
these dependencies (along with all python modules loaded).
As a result of this commit, re-running configure will no longer cause
the world to be rebuilt. Although config.status is updated, no build
steps use config.status directly and instead depend on values in
config.statusd/, which are written with FileAvoidWrite. Since those
files are not official targets according to the make backend, make won't
try to continually rebuild the backend when those files are out of date.
And since they are FileAvoidWrite, make will only re-run dependent steps
if the actual configure value has changed.
As a result of using JSON to load data from the config.statusd
directory, substs can be unicode (instead of a bare string type).
generate_certdata.py converts the subst manually to a string so the
value can be exported to the environment without issue on Windows.
Additionally, patching the buildconfig.substs dict no longer works, so
the unit-symbolstore.py test was modified to patch the underlying
buildconfig.substs._dict instead.
The other files that needed to be modified make use of all the defines
for the preprocessor. Those that are used during 'mach build' now use
buildconfig.defines['ALLDEFINES'], which maps to a special
FileAvoidWrite file generated for the PartialConfigEnvironment.
MozReview-Commit-ID: 2pJ4s3TVeS8
--HG--
extra : rebase_source : d6bb0208483f9f043e7be1b36907ca13243985f8
In bug 1386754 we disabled 3DES after determining that it had a similar-ish
usage level as RC4. We gathered compatibility reports and telemetry for the last
two months and see that while 3DES usage is fairly low, it is the only
ciphersuite available for a variety of websites, including many government
systems.
3DES, while legacy, is not known to be insecure. Therefore, we're going to call
this experiment complete, use the collected WebCompat issues from Bug 1386908
for future reference, and re-enable 3DES.
MozReview-Commit-ID: 3lY1zHLNO9l
--HG--
extra : rebase_source : ecb51c6dbc6862991083b1f46920d86d7480582f
Bug 1255425 changed an 'of' to an 'in', which caused the code that would keep
preexisting entries on the preload list if there was a connection error to loop
over the indices in the array and not the values themselves. Thanks, JavaScript.
MozReview-Commit-ID: DvVWhpImp8n
--HG--
extra : rebase_source : 149c8d0fb46d3b71a9de19aaedfb5e0dd5b9a460
The NS_LITERAL_STRING macro creates a temporary nsLiteralString to encapsulate the char16_t string literal and its length, but AssignLiteral() can determine the char16_t string literal's length at compile-time without nsLiteralString.
MozReview-Commit-ID: H9I6vNDMdIr
--HG--
extra : rebase_source : cf537a1f65af003c6c4f8919b925b0f305c1dd4d
extra : source : 13b89ce4e6a66c840f82a335c71f5a12938aba22
PulseAudio is the only thing that's known to need this. Note that the
same file often exists as /etc/machine-id, and we currently allow reading
all of /etc (which includes other fingerprinting hazards as well).
MozReview-Commit-ID: FoyKQzhAV6M
--HG--
extra : rebase_source : 593ee0b94cf507681a034d22cd06a9050d56b86a
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.
It's also a bit faster.
MozReview-Commit-ID: CWtngVNhA0t
--HG--
extra : rebase_source : b7fe3ad6317fafa382a2ad38c7d9d5338aeafc9b
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.
MozReview-Commit-ID: 8uJcWiC2rli
--HG--
extra : rebase_source : 38bd2a2ffc593bf94b3c16f0c755d169d5998f7f
This commit adds two new xpcshell tests, both of them testing whether the
security state in TransportSecurityInfo includes the new
STATE_CERT_DISTRUST_IMMINENT flag under the correct circumstances.
The first test, test_symantec_apple_google.js, tests the four combinations of
certs that chain to an affected Symantec root: with/without a whitelisted
intermediate, and before/after the notBefore cutoff date.
The second test, test_symantec_apple_google_unaffected.js, tests an unrelated
ca->intermediate->ee chain that does not chain to an affected root, and ensures
the flag is not set.
This patch adds SymantecSanctionsServer to the mozbuild and xpcshell test
infrastructure files to ensure it runs properly on TaskCluster, too.
MozReview-Commit-ID: GtUXH2VFFh
--HG--
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
rename : security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
extra : rebase_source : f399bca5a13db3efa5bbaa5136c8effc3948ed5e
This patch adds a new diagnostic status flag to nsIWebProgressListener,
STATE_CERT_DISTRUST_IMMINENT, which indicates that the certificate chain is
going to change validity due to an upcoming distrust event. The first of
these events is this bug, affecting various roots from Symantec.
The STATE_CERT_DISTRUST_IMMINENT flag is set by nsNSSCallbacks and passed,
via nsSecureBrowserUIImpl, to browser.js where it is used to alert the console.
Adding this sort of diagnostic printing to be accessible to browser.js is a
long-desired goal, as future functionality can start doing more decision-making
there. We may, for example, also want to degrade the lock icon, which will be
straightforward with this flag.
This commit does not implement the IsCertificateDistrustImminent method. That is
follow-on work.
MozReview-Commit-ID: 75IOdc24XIV
--HG--
extra : rebase_source : e6a95d0be65f667eff0b131274272f0df91f8732
This is the list of affected Symantec roots and the Apple and Google carved out
sub-CAs being whitelisted. These lists are created using the crtshToDNStruct
tool.
These sub-CAs are to be explicitly whitelisted in the distrust logic being
applied to Symantec root CAs.
Sources:
https://groups.google.com/d/msg/mozilla.dev.security.policy/FLHRT79e3XE/riCrpXsfAgAJhttps://groups.google.com/d/msg/mozilla.dev.security.policy/FLHRT79e3XE/90qkf8jsAQAJ
MozReview-Commit-ID: 3atUGcjG6GD
* * *
[mq]: crtsh_linting
MozReview-Commit-ID: 5gGq5DZXEIi
* * *
[mq]: fix_crtsh_script
MozReview-Commit-ID: JRgkD6OODnO
* * *
[mq]: fix_crtsh_also
MozReview-Commit-ID: Gza1HnYic2I
--HG--
extra : rebase_source : 8ca642964d3ce0308b8081fc52713d9f0104024d
Since we'll need the same structs and mechanisms to work with the Symantec roots,
this patch makes the matching function generic and moves it into a new header,
"TrustOverrides.h".
This also moves the GlobalSignData out into "TrustOverride-GlobalSignData.inc"
and the WoSign/StartCom to "TrustOverride-StartComAndWoSignData.inc".
MozReview-Commit-ID: 2yWcvrngKwr
--HG--
rename : security/certverifier/StartComAndWoSignData.inc => security/certverifier/TrustOverride-StartComAndWoSignData.inc
extra : rebase_source : 26d86765277563ddafd5bbf0f4372ccdb280d062
This removes the allow-all override in the content policy, which means it will
fall back to the more restrictive prctl policy in SandboxPolicyCommon.
MozReview-Commit-ID: CncoGi0HLxR
--HG--
extra : rebase_source : 6cb1834c56a1781f1512b7b078ba3469c3dd8537
Bug 1388851 adds hardware U2F support to Gecko; the instructions to test
involve flipping two prefs, but the common case will be using harwdare tokens,
so this patch makes users only haave to flip the "security.webauth.u2f" or
"security.webauth.webauthn" prefs as they choose.
MozReview-Commit-ID: 346120ZI8p4
--HG--
extra : rebase_source : fa491214d3b5532ea7e4843a9e52a19ab432a925
Bug 1364159 introduced an optimization that attempted to avoid reading from the
user's cached certificate database as much as possible when building a verified
certificate chain. Unfortunately this had the side-effect of not preferring root
certificates in path building, which can result in unnecessarily long chains
(which rather defeats the purpose, since it means more signature verifications).
This patch reverts the functionality changes from that bug but keeps the test
that was added (the test didn't directly test the functionality changes - it's
more of a check that path building will query the cached certificate db when
necessary).
MozReview-Commit-ID: I56THTLUytH
--HG--
extra : rebase_source : 7db9597e25b98942450840519d707046cc660781
In the future, bug 1377940 will make the sqlite-backed databases the default,
but until we're sure this will stick we want to be able to control this with a
Firefox-only change. The use of a preference to configure which format to use
will hopefully allow us to restore the old behavior quickly and relatively
safely if necessary. Note that doing this should be done with care; any changes
made in the sqlite databases after upgrade migration will not be reflected if
we need to go back to the old database format. Thus, user data (imported CAs,
client certificates, and keys) can be lost.
MozReview-Commit-ID: tkovdiCU9v
--HG--
extra : rebase_source : e74358bd65afb5844fa8fc5b729eba2bbc5bb2db
As a special case to deal with PulseAudio, testing for a process's
existence with kill(pid, 0) quietly fails with EPERM instead.
(I also added some commentary on umask, since I was touching that part of
the code anyway.)
MozReview-Commit-ID: CM0Aqii13j4
--HG--
extra : rebase_source : 44ef05e9a39a9eea4a649399c63b865f5523d43b
The nsIU2FToken and its implementors are no longer needed; the soft token was
re-implemented into dom/webauthn/U2FSoftTokenManager.cpp during the WebAuthn
implementation. When the dom/u2f/ code changed to the implementation from
WebAuthn, the old synchronous version became dead code.
This patch removes the dead code.
MozReview-Commit-ID: 2yDD0tccgZr
--HG--
extra : transplant_source : %B3%96Te%E7%02%08%98%1A%B2%FA%1C%40%C4J%BC%B2%85j%81
- This patch reworks the U2F module to asynchronously call U2FManager,
which in turn handles constructing and managing the U2FTokenManager
via IPC.
- Add U2FTransaction{Parent,Child} implementations to mirror similar ones for
WebAuthn
- Rewrite all tests to compensate for U2F executing asynchronously now.
- Used async tasks, used the manifest parameters for prefs and scheme,
and generally made these cleaner.
NOTE TO REVIEWERS:
Since this is huge, I recommend the following:
keeler - please review U2F.cpp/h, the tests, and the security-prefs.js. Most
of the U2F logic is still in U2F.cpp like before, but there's been
some reworking of how it is called.
ttaubert - please review U2FManager, the Transaction classes, build changes,
and the changes to nsGlobalWindow. All of these should be very
similar to the WebAuthn code it's patterned off.
MozReview-Commit-ID: C1ZN2ch66Rm
--HG--
extra : transplant_source : %EA%98%D2%87C%FD%CC%A5%3D%B5%9B%1C%DA%A5J%CD%05%94%13%0D
This was missed in the original implementation of bug 1372656.
MozReview-Commit-ID: 8Sm26YlxZ7l
--HG--
extra : rebase_source : 6613fea8b292cc1645073539e110a53369c78886
This fixes improper usages of Find where an offset was actually being use for
the boolean ignore case flag. It also fixes a few instances of passing in a
literal wchar_t to our functions where a NS_LITERAL_STRING or char16_t should
be used instead.
--HG--
extra : rebase_source : 5de1e9335895d65e6db06c510e8887d27be3390f
extra : source : f762f605dd83fc6331161a33e1ef5d54cafbd08d
This handles the different error code returned by NSS and that the pkcs#11
module db has a different filename.
MozReview-Commit-ID: HJK4zsf6IS0
--HG--
extra : rebase_source : eec55c21861137d83b2f1cc5a9a654b9c47dc42f