Граф коммитов

12978 Коммитов

Автор SHA1 Сообщение Дата
Andreea Pavel e1c8aba28f Merge mozilla-central to mozilla-inbound r=merge a=merge on a CLOSED TREE 2017-11-09 22:17:00 +02:00
David Keeler 0c8c69a89a bug 1235287 - set a longer ocsp request timeout in test_ocsp_stapling_expired.js to avoid intermittent failures on android r=jcj
MozReview-Commit-ID: 3CJqnQ4EGXn

--HG--
extra : rebase_source : 3bdeac9d603d2f7d723e82fcfc75971ff9c44df0
2017-11-09 09:40:28 -08:00
Kyle Machulis bcce449ae5 Bug 1408186 - Remove nsIDOMHTMLSelectElement and nsIDOMHTMLOptionsCollection; r=bz
MozReview-Commit-ID: Gh3JwLUtmz9

--HG--
extra : rebase_source : 6cdee487246406cafe0e5a9afe4a44f62d131c8b
2017-10-12 16:32:25 -07:00
Sebastian Hengst a353221537 merge mozilla-inbound to mozilla-central. r=merge a=merge 2017-11-09 00:00:16 +02:00
ffxbld f9ad119371 No bug, Automated HPKP preload list update from host bld-linux64-spot-034 - a=hpkp-update 2017-11-08 11:49:18 -08:00
ffxbld d3a0bf4332 No bug, Automated HSTS preload list update from host bld-linux64-spot-034 - a=hsts-update 2017-11-08 11:49:15 -08:00
ffxbld 5a7c2c5964 No bug, Automated HPKP preload list update from host bld-linux64-spot-035 - a=hpkp-update 2017-11-08 10:47:08 -08:00
ffxbld ac31e8cfe6 No bug, Automated HSTS preload list update from host bld-linux64-spot-035 - a=hsts-update 2017-11-08 10:47:05 -08:00
Narcis Beleuzu 218e1676cb Merge inbound to mozilla-central r=merge a=merge 2017-11-08 12:51:09 +02:00
Bob Owen cd430d0c58 Bug 1415250 Part 1: Block prntm64.dll and guard32.dll in sandboxed child processes. r=jimm 2017-11-08 08:06:14 +00:00
Franziskus Kiefer 327d4f6ae1 Bug 1401594 - land NSS NSS_3_34_BETA3 UPGRADE_NSS_RELEASE CLOSED TREE, r=me
MozReview-Commit-ID: HCa9qQq2zPP
2017-11-08 15:26:20 +01:00
Franziskus Kiefer 714a126090 Bug 1401594 - land NSS NSS_3_34_BETA2 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: IZcYFTH0x9o

--HG--
extra : rebase_source : 224952488b3e4beef03d707aa43c17a095df02f9
2017-11-08 11:44:14 +01:00
Margareta Eliza Balazs 0c57f53d9c Merge autoland to mozilla-central r=merge a=merge 2017-11-07 23:55:23 +02:00
ffxbld c9735e7bb6 No bug, Automated HPKP preload list update from host bld-linux64-spot-032 - a=hpkp-update 2017-11-07 11:43:05 -08:00
ffxbld d45b8e51c2 No bug, Automated HSTS preload list update from host bld-linux64-spot-032 - a=hsts-update 2017-11-07 11:43:01 -08:00
ffxbld d5e7732988 No bug, Automated HPKP preload list update from host bld-linux64-spot-036 - a=hpkp-update 2017-11-07 10:43:47 -08:00
ffxbld 5a48a94698 No bug, Automated HSTS preload list update from host bld-linux64-spot-036 - a=hsts-update 2017-11-07 10:43:43 -08:00
Martin Thomson 195dbda63e Bug 1414735 - Upgrade Firefox to NSS 3.35, r=franziskus UPGRADE_NSS_RELEASE
MozReview-Commit-ID: 6hDnHCWVeWz

--HG--
extra : rebase_source : 4bf98010c7afefe9bc0f2da240bb676bd82496b6
2017-11-07 12:24:58 +11:00
Ryan VanderMeulen a2f1dcd1e0 Merge m-c to autoland. a=merge 2017-11-06 14:51:08 -05:00
ffxbld fe19e42a3c No bug, Automated HPKP preload list update from host bld-linux64-spot-035 - a=hpkp-update 2017-11-06 11:36:57 -08:00
ffxbld 5ec06cbae9 No bug, Automated HSTS preload list update from host bld-linux64-spot-035 - a=hsts-update 2017-11-06 11:36:53 -08:00
ffxbld 883506c13d No bug, Automated HPKP preload list update from host bld-linux64-spot-030 - a=hpkp-update 2017-11-06 11:03:31 -08:00
ffxbld af031d585f No bug, Automated HSTS preload list update from host bld-linux64-spot-030 - a=hsts-update 2017-11-06 11:03:27 -08:00
ffxbld 38bf4c4f20 No bug, Automated HPKP preload list update from host bld-linux64-spot-035 - a=hpkp-update 2017-11-05 11:26:07 -08:00
ffxbld f03e7e263d No bug, Automated HSTS preload list update from host bld-linux64-spot-035 - a=hsts-update 2017-11-05 11:26:03 -08:00
ffxbld 9b91644ce1 No bug, Automated HPKP preload list update from host bld-linux64-spot-030 - a=hpkp-update 2017-11-05 10:47:13 -08:00
ffxbld 0e84a5f304 No bug, Automated HSTS preload list update from host bld-linux64-spot-030 - a=hsts-update 2017-11-05 10:47:09 -08:00
ffxbld a9ac7e1e95 No bug, Automated HPKP preload list update from host bld-linux64-spot-036 - a=hpkp-update 2017-11-04 11:27:47 -07:00
ffxbld 0c16c4d46a No bug, Automated HSTS preload list update from host bld-linux64-spot-036 - a=hsts-update 2017-11-04 11:27:43 -07:00
Sebastian Hengst 3af6639030 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 6lOkhi71eQ3
2017-11-04 10:53:33 +01:00
ffxbld 066b6713fd No bug, Automated HPKP preload list update from host bld-linux64-spot-030 - a=hpkp-update 2017-11-03 11:33:33 -07:00
ffxbld 422df817cd No bug, Automated HSTS preload list update from host bld-linux64-spot-030 - a=hsts-update 2017-11-03 11:33:29 -07:00
Sebastian Hengst 68106833b3 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: xcHQOq7Rbv
2017-11-02 22:59:04 +01:00
Sebastian Hengst 8da0763166 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 60XtziNG2CK
2017-11-02 22:57:14 +01:00
ffxbld 299b665375 No bug, Automated HPKP preload list update from host bld-linux64-spot-031 - a=hpkp-update 2017-11-02 11:32:01 -07:00
ffxbld 06f236c2b4 No bug, Automated HSTS preload list update from host bld-linux64-spot-031 - a=hsts-update 2017-11-02 11:31:57 -07:00
Franziskus Kiefer 1db8f13af3 Bug 1401594 - land NSS NSS_3_34_BETA1 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 8ckNdJ29KWZ

--HG--
extra : rebase_source : 9766af247842aabce5e46c4a8d1d03c3f70d21f7
2017-11-01 15:38:36 +01:00
J.C. Jones bc2d08ffc7 Bug 1414198 - Include <functional> in nsNSSCertificate.h r=keeler
We've a report of a compilation error on a different system because
std::function was undefined.

MozReview-Commit-ID: 2MboMUdLzHj

--HG--
extra : rebase_source : be6d73506402a1838b96ce55e69b44dcb00949f1
2017-11-03 17:11:04 -07:00
David Keeler 6922b82c52 bug 1357815 - 4/4: go a bit overboard on testcases for SHA-256 support in add-on signatures r=jcj
MozReview-Commit-ID: K4WYTYPXpi1

--HG--
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha1_and_sha256.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1-256_p7-1-256.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_and_sha256_manifest_sha1_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_and_sha256_manifest_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1-256_sf-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha1_manifest_sha1_and_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-1_sf-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/sha256_manifest_sha1_and_sha256_signature_file.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1-256_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256_manifest.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-1_p7-1.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/signed_app_sha256.zip => security/manager/ssl/tests/unit/test_signed_apps/app_mf-256_sf-256_p7-256.zip
extra : rebase_source : f56c5c9309590bd37d933e8e8fbff8535296b874
2017-10-27 11:20:33 -07:00
Jed Davis 0b91cda795 Bug 1413312 - Fix media plugin sandbox policy for sched_get_priority_{min,max}. r=gcp
MozReview-Commit-ID: Bz4EWU13HAJ

--HG--
extra : rebase_source : 848880e083827a6f40e6ba289a5357ff6b4fa5f6
2017-10-31 18:12:43 -06:00
Jed Davis de1cbf125f Bug 1412464 - Change sandboxing inotify denial from seccomp-bpf to symbol interception. r=gcp
MozReview-Commit-ID: DY0qdGYGNdL

--HG--
extra : rebase_source : 02448ea28e8c1ea0d25776455d9ebb30d829b482
2017-10-30 19:45:39 -06:00
Jed Davis a2451f13e5 Bug 1412480 - Statically check for overly large syscall arguments. r=gcp
See the previous patch for an explanation of the mistake that this is
meant to catch.

Note that, even for arguments that really are 64-bit on 32-bit platforms
(typically off_t), it's generally not safe to pass them directly to
syscall(): some architectures, like ARM, use ABIs that require such
arguments to be passed in aligned register pairs, and they'll be aligned
differently for syscall() vs. the actual system call due to the leading
system call number argument.  The syscall(2) man page discusses this
and documents that such arguments should be split into high/low halves,
passed separately, and manually padded.

Therefore, this patch rejects any argument types larger than a word.

MozReview-Commit-ID: FVhpri4zcWk

--HG--
extra : rebase_source : 0329fe68be2a4e16fb71736627f0190e005c9972
2017-10-27 19:51:26 -06:00
Jed Davis 6d4b2907e1 Bug 1412480 - Fix syscall argument types in seccomp-bpf sandbox traps. r=gcp
The values in arch_seccomp_data::args are uint64_t even on 32-bit
platforms, and syscall takes varargs, so the arguments need to be
explicitly cast to the word size in order to be passed correctly.

MozReview-Commit-ID: 5ldv6WbL2Z3

--HG--
extra : rebase_source : c6ef37d8b367ad6025e510e58e6ab4d2f96cfc9e
2017-10-27 20:51:25 -06:00
David Keeler 6034b39937 bug 1357815 - 3/4: support SHA256 in PKCS#7 signatures on add-ons r=dveditz,jcj
As a result of this patch, the hash algorithm used in add-on signature
verification will come from the PKCS#7 signature. If SHA-256 is present, it will
be used. SHA-1 is used as a fallback. Otherwise, the signature is invalid.

This means that, for example, if the PKCS#7 signature only has SHA-1 but there
are SHA-256 hashes in the signature file and/or manifest file, only the SHA-1
hashes in the signature file and manifest file will be used, if they are present
(and verification will fail if they are not present). Similarly, if the PKCS#7
signature has SHA-256, there must be SHA-256 hashes in the signature file and
manifest file (even if SHA-1 is also present in the PKCS#7 signature).

MozReview-Commit-ID: K3OQEpIrnUW

--HG--
extra : rebase_source : 704a2a18e166bfaf3e3d944d13918054bd012000
2017-10-24 15:27:53 -07:00
David Keeler 7617737c9f bug 1357815 - 2/4: refactor away unnecessary parts of certificate verification in add-on signature verification r=jcj
MozReview-Commit-ID: 4JKWIZ0wnuO

--HG--
extra : rebase_source : 7f032046b3a81c2b3f2135451af07a1e38e94664
2017-10-24 13:32:02 -07:00
David Keeler 543678ab80 bug 1357815 - 1/4: move VerifyCMSDetachedSignatureIncludingCertificate to where it's used r=jcj
MozReview-Commit-ID: JsBPGhDxQoS

--HG--
extra : rebase_source : 88a1c0b73762f28c53ffd645f2eba260743a4062
2017-10-24 13:18:14 -07:00
Ryan VanderMeulen f44bfd0fc0 Merge m-c to autoland. a=merge 2017-11-01 21:55:56 -04:00
ffxbld 269dcb47f7 No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-11-01 18:38:41 -07:00
ffxbld 249a4851fb No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-11-01 18:38:37 -07:00
ffxbld f2bc4e722f No bug, Automated HPKP preload list update from host bld-linux64-spot-039 - a=hpkp-update 2017-10-31 12:14:57 -07:00
ffxbld f4901979dd No bug, Automated HSTS preload list update from host bld-linux64-spot-039 - a=hsts-update 2017-10-31 12:14:53 -07:00
J.C. Jones f04a229953 Bug 1412994 - Ensure SegmentCertificateChain returns results in PSM order r=keeler
SegmentCertificateChain, when provided a cert chain from nsISSLStatus, delivers
the EE as the Root, the Root as the EE, and the intermediates in reverse order.

Basically, now that Bug 1406856 landed, it's clear this was backward in its
thinking, so reverse it for the common case.

MozReview-Commit-ID: Ahtv9U9A9oS

--HG--
extra : rebase_source : 75c8688c5041652fd966babe91cb8c6287e19ad0
2017-10-30 16:49:41 -07:00
Sebastian Hengst 6979ea37b4 merge mozilla-central to autoland. r=merge a=merge 2017-10-30 23:58:16 +01:00
Sebastian Hengst f07fc93141 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 4PW6ESqLL73
2017-10-30 23:52:23 +01:00
ffxbld da6d577b00 No bug, Automated HPKP preload list update from host bld-linux64-spot-033 - a=hpkp-update 2017-10-30 11:46:17 -07:00
ffxbld 0eee83e64e No bug, Automated HSTS preload list update from host bld-linux64-spot-033 - a=hsts-update 2017-10-30 11:46:14 -07:00
Bob Owen e67fce9b1f Bug 1412827: Add Symantec DLLs ffm64 and ffm to the sandboxed child blocklist. r=jimm
This patch also adds k7pswsen.dll unconditionally as it is still appearing
in many crash reports despite the block working in a test VM.
2017-10-30 16:28:26 +00:00
Jed Davis 6557099666 Bug 1411115 - Allow F_SETLK fcntl in sandboxed content processes. r=gcp
MozReview-Commit-ID: ARc7EpfN73o

--HG--
extra : rebase_source : 21c35a65a7c45387e2bd7fd7aba5f82ecf7c9ab3
2017-10-27 18:05:53 -06:00
Jed Davis ee247f0d5f Bug 1409900 - Handle sandboxed statfs() by replacing it with open+fstatfs. r=gcp
MozReview-Commit-ID: 4Q0XMWcxaAc

--HG--
extra : rebase_source : e6065c91ddb271b71b5577ca0d6c39349565724c
2017-10-27 19:32:37 -06:00
Jed Davis 27d4543313 Bug 1409900 - Disallow quotactl in sandboxed content processes. r=gcp
MozReview-Commit-ID: 3svUgLLTZKL

--HG--
extra : rebase_source : 2f51310f19cff45313cafd2bdcc60f2999b729b3
2017-10-25 12:43:13 -06:00
Sebastian Hengst d67d120cc4 Backed out 4 changesets (bug 1386404) for mass failures, e.g. in browser-chrome's dom/tests/browser/browser_xhr_sandbox.js. r=backout on a CLOSED TREE
Backed out changeset 36556e1a5ac7 (bug 1386404)
Backed out changeset b136f90dc49f (bug 1386404)
Backed out changeset 4600c2d575f9 (bug 1386404)
Backed out changeset c2c40e4d9815 (bug 1386404)
2017-10-30 19:10:01 +01:00
Gian-Carlo Pascutto 3d94d8e8e1 Bug 1386404 - Only do the tmp remapping if needed. r=jld
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.

It's also a bit faster.

MozReview-Commit-ID: CWtngVNhA0t

--HG--
extra : rebase_source : 304481a18c371c3253448971f48064bcbd681a81
2017-10-26 18:02:10 +02:00
Gian-Carlo Pascutto 577b3a7731 Bug 1386404 - Intercept access to /tmp and rewrite to content process tempdir. r=jld
MozReview-Commit-ID: 2h9hw6opYof

--HG--
extra : rebase_source : f3121d7afff22e3f72c66e3a5553e731a83a2e1c
2017-10-26 17:50:49 +02:00
Gian-Carlo Pascutto 6a66615d8d Bug 1386404 - Enable access to the entire chrome dir from content. r=jld
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.

MozReview-Commit-ID: 8uJcWiC2rli

--HG--
extra : rebase_source : 3542ea305aabaca0500d66f8e86f5c12170d793e
2017-10-26 18:57:03 +02:00
Gian-Carlo Pascutto 802f1b9395 Bug 1386404 - Enable content-process specific tmpdir on Linux. r=haik
MozReview-Commit-ID: 6Hijq0to9MG

--HG--
extra : rebase_source : c7a3559e4cbdfd1885d13a489c4eeb311ca973fa
2017-10-12 11:18:25 +02:00
Franziskus Kiefer 0ab6bdd2fa Bug 1413937 - add sha384 and sha512 to pycert and pykey, r=keeler
MozReview-Commit-ID: ArjNHLC1MFC

Differential Revision: https://phabricator.services.mozilla.com/D185

--HG--
extra : rebase_source : 781abe2faa33aa4f55902db1b191159f9c88254d
2017-11-09 16:55:12 +01:00
Sebastian Hengst 794abc6fba merge mozilla-central to autoland. r=merge a=merge 2017-10-29 23:01:08 +01:00
ffxbld 8af3c26b61 No bug, Automated HPKP preload list update from host bld-linux64-spot-033 - a=hpkp-update 2017-10-29 11:34:19 -07:00
ffxbld c61725847a No bug, Automated HSTS preload list update from host bld-linux64-spot-033 - a=hsts-update 2017-10-29 11:34:15 -07:00
Sebastian Hengst d6f574cf1b merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: DMG276CdAzv
2017-10-28 23:57:08 +02:00
ffxbld 8d7205d5c7 No bug, Automated HPKP preload list update from host bld-linux64-spot-023 - a=hpkp-update 2017-10-28 11:38:28 -07:00
ffxbld b03d306da6 No bug, Automated HSTS preload list update from host bld-linux64-spot-023 - a=hsts-update 2017-10-28 11:38:24 -07:00
ffxbld e009038b12 No bug, Automated HPKP preload list update from host bld-linux64-spot-037 - a=hpkp-update 2017-10-28 11:23:31 -07:00
ffxbld 261757d83a No bug, Automated HSTS preload list update from host bld-linux64-spot-037 - a=hsts-update 2017-10-28 11:23:28 -07:00
Sebastian Hengst 2f6f3e1167 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: JSVOeP0nq5J
2017-10-27 23:28:23 +02:00
ffxbld a5b2d14190 No bug, Automated HPKP preload list update from host bld-linux64-spot-022 - a=hpkp-update 2017-10-27 11:38:58 -07:00
ffxbld 28eb630b74 No bug, Automated HSTS preload list update from host bld-linux64-spot-022 - a=hsts-update 2017-10-27 11:38:54 -07:00
Attila Craciun 21363323fd Backed out 2 changesets (bug 1409900) for failing browser chrome on Linux opt at browser/base/content/test/general/browser_bug590206.js r=backout a=backout.
Backed out changeset 83296a355dd4 (bug 1409900)
Backed out changeset 072007f83431 (bug 1409900)
2017-10-27 16:15:47 +03:00
Sebastian Hengst 5c15da1f08 merge mozilla-inbound to mozilla-central. r=merge a=merge
--HG--
rename : testing/talos/tests/__init__.py => testing/talos/talos/unittests/__init__.py
rename : testing/talos/tests/browser_output.ts.txt => testing/talos/talos/unittests/browser_output.ts.txt
rename : testing/talos/tests/browser_output.tsvg.txt => testing/talos/talos/unittests/browser_output.tsvg.txt
rename : testing/talos/tests/profile.tgz => testing/talos/talos/unittests/profile.tgz
rename : testing/talos/tests/ps-Acj.out => testing/talos/talos/unittests/ps-Acj.out
rename : testing/talos/tests/test_talosconfig_browser_config.json => testing/talos/talos/unittests/test_talosconfig_browser_config.json
rename : testing/talos/tests/test_talosconfig_test_config.json => testing/talos/talos/unittests/test_talosconfig_test_config.json
rename : testing/talos/tests/xrestop_output.txt => testing/talos/talos/unittests/xrestop_output.txt
2017-10-27 12:45:34 +03:00
J.C. Jones d4d890633b Bug 1411683 - Add foreach and segment utility methods to nsNSSCertList r=keeler
This adds two methods to nsNSSCertList: ForEachCertificateInChain, and
SegmentCertificateChain. The ForEach method calls a supplied function for each
certificate in the chain, one by one.

That method is then used by the Segment method, which (assuming the chain is
ordered) splits it into Root, End Entity, and everything in-between as a list of
Intermediates.

This patch does _not_ try to add these methods to the IDL, as it's not
straightforward to me on how to handle the nsCOMPtr or std::function arguments.

These methods will be first used by Bug 1409259.

(Update to fix gtest bustage on Linux)

MozReview-Commit-ID: 8qjwF3juLTr

--HG--
extra : rebase_source : 3dee871a4622b8ad84cca247dc9a9f3ceb3b4bd9
2017-10-25 13:37:50 -05:00
J.C. Jones eac42bd3b1 Bug 1411683 - Add "requirements.txt" for pycert.py r=keeler
There are specific versions needed for security/manager/ssl/tests/unit/pycert.py,
so let's give PIP some installation help:

0.1.7 for pyasn1 and 0.0.5 for pyasn1_modules

(recent versions break pycert/pykey/pycms)

MozReview-Commit-ID: Fk98UPd8bJo

--HG--
extra : rebase_source : 79436d4e99cda1dca438015835fdfa83a78c4dc7
2017-10-25 16:03:58 -05:00
Mark Goodwin 032fc16f72 Bug 1406856 - Re-plumb nsISSLStatus.idl to carry with it the whole nsIX509CertList r=jcj,keeler
MozReview-Commit-ID: 2YDmCzqdm26

--HG--
extra : rebase_source : 5b1f345698948b193addfa9326b5a29f9572a411
2017-10-26 17:52:11 +01:00
Sebastian Hengst e434e03817 Backed out changeset 51eaba841505 (bug 1406856) for failing eslint at security/manager/ssl/tests/unit/head_psm.js:732:53 | Multiple spaces found before '='. r=backout
--HG--
extra : amend_source : 46ecb5c0f3f8c682aa0eaf27e14527b516710903
2017-10-28 12:49:09 +02:00
Mark Goodwin 63bf63249d Bug 1406856 - Re-plumb nsISSLStatus.idl to carry with it the whole nsIX509CertList r=keeler
MozReview-Commit-ID: 2YDmCzqdm26

--HG--
extra : rebase_source : 7de06b44adbcfc3891555b4176663d20d4f96a1a
2017-10-26 17:52:11 +01:00
Jed Davis 76b1bdf7de Bug 1408497 - Disallow inotify in sandboxed content processes. r=gcp
MozReview-Commit-ID: nKyIvMNQAt

--HG--
extra : rebase_source : 5347e8da745d6f4a0cd4e81e76fe6b94d94eac30
2017-10-25 13:35:47 -06:00
Jed Davis 5f10d1f416 Bug 1409900 - Handle sandboxed statfs() by replacing it with open+fstatfs. r=gcp
MozReview-Commit-ID: 4Q0XMWcxaAc

--HG--
extra : rebase_source : 6bd36df3155fc5cdda67720e313028a68e2f0901
2017-10-25 13:08:26 -06:00
Jed Davis fce1017953 Bug 1409900 - Disallow quotactl in sandboxed content processes. r=gcp
MozReview-Commit-ID: 3svUgLLTZKL

--HG--
extra : rebase_source : 54623b48c65a1319905cab5aa520928681ec0023
2017-10-25 12:43:13 -06:00
Jed Davis 160e1dcfe0 Bug 1410191 - Correctly handle errors when using syscalls in sandbox trap handlers. r=gcp
MozReview-Commit-ID: JX81xpNBMIm

--HG--
extra : rebase_source : c7334f3e0b61b4fb4e0305cc6fc5d3173d08c032
2017-10-25 16:38:20 -06:00
Jed Davis b8aa6b6de9 Bug 1410241 - Don't call destructors on objects we use in the SIGSYS handler. r=gcp
MozReview-Commit-ID: LAgORUSvDh9

--HG--
extra : rebase_source : b39836ebb7405202c60b075b30b48966ac644e71
2017-10-25 17:58:22 -06:00
Jed Davis aa4363afaa Bug 1410280 - Re-allow PR_GET_NAME for sandboxed content processes. r=gcp
This prctl is used by PulseAudio; once bug 1394163 is resolved, allowing
it can be made conditional on the media.cubeb.sandbox pref.

MozReview-Commit-ID: 6jAM65V32vK

--HG--
extra : rebase_source : abb039aff7cefc0aa3b95f4574fdf1e3fb0d93a6
2017-10-25 11:04:34 -06:00
Sebastian Hengst d10e26c913 merge mozilla-central to mozilla-inbound. r=merge a=merge 2017-10-27 00:00:25 +02:00
ffxbld 7c460507ae No bug, Automated HPKP preload list update from host bld-linux64-spot-038 - a=hpkp-update 2017-10-26 11:33:02 -07:00
ffxbld 13bc938b90 No bug, Automated HSTS preload list update from host bld-linux64-spot-038 - a=hsts-update 2017-10-26 11:32:58 -07:00
Phil Ringnalda a173b09db6 Backed out changeset ccc0e72f2152 (bug 1403260) for hanging Mac browser-chrome in printing tests
MozReview-Commit-ID: IZNT5Jh8nzB
2017-10-25 23:00:17 -07:00
Haik Aftandilian 362316451f Bug 1403260 - [Mac] Remove access to print server from content process sandbox r=mconley
MozReview-Commit-ID: Ia21je8TTIg

--HG--
extra : rebase_source : 656e9e3ac8d1fb741d46881458bb0b7fb402d688
2017-10-22 23:02:58 -07:00
Sebastian Hengst 23c958dc39 Backed out 2 changesets (bug 1411683) for build bustage in security/manager/ssl/tests/gtest/CertListTest.cpp. r=backout on a CLOSED TREE
Backed out changeset 9d579c7e46b9 (bug 1411683)
Backed out changeset 21a17ab8b0fc (bug 1411683)
2017-10-27 23:53:55 +02:00
Sebastian Hengst 841ee307e6 merge mozilla-central to autoland. r=merge a=merge 2017-10-27 23:32:15 +02:00
J.C. Jones de44bcbd15 Bug 1411683 - Add foreach and segment utility methods to nsNSSCertList r=keeler
This adds two methods to nsNSSCertList: ForEachCertificateInChain, and
SegmentCertificateChain. The ForEach method calls a supplied function for each
certificate in the chain, one by one.

That method is then used by the Segment method, which (assuming the chain is
ordered) splits it into Root, End Entity, and everything in-between as a list of
Intermediates.

This patch does _not_ try to add these methods to the IDL, as it's not
straightforward to me on how to handle the nsCOMPtr or std::function arguments.

These methods will be first used by Bug 1409259.

MozReview-Commit-ID: 8qjwF3juLTr

--HG--
extra : rebase_source : 39e2e8530ac23c6b96eb73f406bca32a59bcccf5
2017-10-25 13:37:50 -05:00
J.C. Jones 6594c2801b Bug 1411683 - Add "requirements.txt" for pycert.py r=keeler
There are specific versions needed for security/manager/ssl/tests/unit/pycert.py,
so let's give PIP some installation help:

0.1.7 for pyasn1 and 0.0.5 for pyasn1_modules

(recent versions break pycert/pykey/pycms)

MozReview-Commit-ID: Fk98UPd8bJo

--HG--
extra : rebase_source : 79436d4e99cda1dca438015835fdfa83a78c4dc7
2017-10-25 16:03:58 -05:00
Sebastian Hengst 443416f881 Merge mozilla-central to autoland. r=merge a=merge 2017-10-26 00:39:55 +02:00
ffxbld f9617fb9bd No bug, Automated HPKP preload list update from host bld-linux64-spot-036 - a=hpkp-update 2017-10-25 11:22:54 -07:00
ffxbld 769ad2d454 No bug, Automated HSTS preload list update from host bld-linux64-spot-036 - a=hsts-update 2017-10-25 11:22:50 -07:00
Chris Manchester c86173526a Bug 1403346 - Replace all uses of ALLOW_COMPILER_WARNINGS with a template, remove ALLOW_COMPILER_WARNINGS. r=glandium
MozReview-Commit-ID: 1G2o4fy74cf
2017-10-25 15:12:09 -07:00
David Keeler 83ca10065e bug 1180826 - add support for sha256 digests in add-on signature manifests r=dveditz,jcj
MozReview-Commit-ID: HTlm6esgPUx

--HG--
extra : rebase_source : 50f082dea0b2afb1e9099fb94364863a4d85543b
2017-10-09 13:53:23 -07:00
Andrea Marchesini ec610d5b7e Bug 1409329 - NS_NewBufferedOutputStream should take the ownership of the outputStream, r=smaug 2017-10-24 14:38:23 +02:00
Sebastian Hengst af53b8aad8 merge mozilla-central to autoland. r=merge a=merge 2017-10-23 23:52:54 +02:00
Sebastian Hengst 0021c0caf6 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 4FPQxtXkXoF
2017-10-23 23:48:36 +02:00
ffxbld 9224f75aad No bug, Automated HPKP preload list update from host bld-linux64-spot-032 - a=hpkp-update 2017-10-23 11:21:33 -07:00
ffxbld 8322ac2945 No bug, Automated HSTS preload list update from host bld-linux64-spot-032 - a=hsts-update 2017-10-23 11:21:30 -07:00
ffxbld 6a17c316ba No bug, Automated HPKP preload list update from host bld-linux64-spot-036 - a=hpkp-update 2017-10-22 11:23:23 -07:00
ffxbld eabd4bce16 No bug, Automated HSTS preload list update from host bld-linux64-spot-036 - a=hsts-update 2017-10-22 11:23:19 -07:00
ffxbld 3f2fe4b3fa No bug, Automated HPKP preload list update from host bld-linux64-spot-031 - a=hpkp-update 2017-10-22 11:10:23 -07:00
ffxbld cc6a84456b No bug, Automated HSTS preload list update from host bld-linux64-spot-031 - a=hsts-update 2017-10-22 11:10:20 -07:00
Sebastian Hengst fc5faa6d80 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: DmqQMMkwBYJ
2017-10-22 11:33:04 +02:00
ffxbld 198fe54503 No bug, Automated HPKP preload list update from host bld-linux64-spot-035 - a=hpkp-update 2017-10-21 11:24:10 -07:00
ffxbld 3aeaefef0b No bug, Automated HSTS preload list update from host bld-linux64-spot-035 - a=hsts-update 2017-10-21 11:24:06 -07:00
ffxbld 7f7b3b43f6 No bug, Automated HPKP preload list update from host bld-linux64-spot-324 - a=hpkp-update 2017-10-20 22:50:42 -07:00
ffxbld a84b3aab6c No bug, Automated HSTS preload list update from host bld-linux64-spot-324 - a=hsts-update 2017-10-20 22:50:38 -07:00
Sebastian Hengst 7e9a8a9bc9 merge mozilla-central to autoland. r=merge a=merge 2017-10-21 11:00:23 +02:00
David Keeler 3961574fa2 bug 1381154 - remove smartcard monitoring threads r=jcj,mgoodwin
Modified from bug 1248818 comment 11:
Before this patch, if a user had a smart card (PKCS#11 device) with removable
slots, Firefox would launch a thread for each module and loop, calling
SECMOD_WaitForAnyTokenEvent to be alerted to any insertions/removals. At
shutdown, we would call SECMOD_CancelWait, which would cancel any waiting
threads. However, since that involved calling 3rd party code, we really had no
idea if these modules were behaving correctly (and, indeed, they often weren't,
judging by the shutdown crashes we were getting).
The real solution is to stop relying on PKCS#11, but since that's unlikely in
the near future, the next best thing would be to load these modules in a child
process. That way, misbehaving modules don't cause Firefox to hang/crash/etc.
That's a lot of engineering work, though, so what this patch does is avoids the
issue by never calling SECMOD_WaitForAnyTokenEvent (and thus we never have to
call SECMOD_CancelWait, etc.). Instead, every time Firefox performs an operation
that may be affected by a newly added or removed smart card, it first has NSS
refresh its view of any removable slots. This is similar to how we ensure the
loadable roots module has been loaded (see bug 1372656).

MozReview-Commit-ID: JpmLdV7Vvor

--HG--
extra : rebase_source : d3503d19fa9297106d661a017a38c30969fa39b4
2017-09-28 14:27:21 -07:00
Masatoshi Kimura dbd92543c6 Bug 1313150 - Remove |weak| parameter from nsIMutableArray methods. r=froydnj
MozReview-Commit-ID: 7JoD4VYzZp3

--HG--
extra : rebase_source : 5db437f1c34608aa223916874d62b48c59baeae8
2017-10-21 23:53:02 +09:00
Tom Ritter 387fbfc8b6 Bug 1406736 Match MinGW's macro so we declare gmtime_r under MinGW too r=froydnj
MozReview-Commit-ID: 2U2ToeyVUUt

--HG--
extra : rebase_source : a4ebd43f4529cc6b815f5bb849021a994dda959f
2017-10-09 00:18:19 -05:00
Sebastian Hengst 2592ce224a merge mozilla-central to autoland. r=merge a=merge 2017-10-20 11:45:03 +02:00
Sebastian Hengst bc6dddb88b merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: BY4c5BIOF81
2017-10-20 11:37:54 +02:00
ffxbld dec4e39e21 No bug, Automated HPKP preload list update from host bld-linux64-spot-326 - a=hpkp-update 2017-10-19 22:45:36 -07:00
ffxbld e46be631b4 No bug, Automated HSTS preload list update from host bld-linux64-spot-326 - a=hsts-update 2017-10-19 22:45:32 -07:00
ffxbld 1c4da216e0 No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-10-19 10:44:01 -07:00
ffxbld e93bac77bf No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-10-19 10:43:57 -07:00
Sebastian Hengst bf793df477 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: HasKw28SN45
2017-10-19 11:26:22 +02:00
ffxbld 161b9f45ac No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-18 23:02:08 -07:00
ffxbld 9e31463fe9 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-18 23:02:04 -07:00
Ryan VanderMeulen cb612851ed Merge inbound to m-c. a=merge 2017-10-18 21:01:34 -04:00
Sebastian Hengst 3e8ed7e2b5 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: D8YSuNsBw9o
2017-10-19 00:04:37 +02:00
ffxbld d0448c9700 No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-10-18 10:44:21 -07:00
ffxbld e71bbf3687 No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-10-18 10:44:17 -07:00
Sebastian Hengst 73dd633569 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: JvxL3r663v
2017-10-18 11:42:41 +02:00
ffxbld ef0a21cfb7 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-17 22:48:33 -07:00
ffxbld 618a00c142 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-17 22:48:30 -07:00
Nicholas Nethercote 78030c0e7b Bug 1409598 - Change nsIXPCScriptable::className and nsIClassInfo::{contractID,classDescription} from string to AUTF8String. r=froydnj.
This lets us replace moz_xstrdup() of string literals with AssignLiteral(),
among other improvements.

--HG--
extra : rebase_source : 9994d8ccb4f196cf63564b0dac2ae6c4370defb4
2017-10-18 13:17:26 +11:00
ffxbld dca019c94b No bug, Automated HPKP preload list update from host bld-linux64-spot-324 - a=hpkp-update 2017-10-17 10:44:24 -07:00
ffxbld 64dcdb175e No bug, Automated HSTS preload list update from host bld-linux64-spot-324 - a=hsts-update 2017-10-17 10:44:21 -07:00
Sebastian Hengst 32f7c8fec3 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 1h3kZyrtqSt
2017-10-17 11:45:16 +02:00
Sebastian Hengst af89102d41 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: JRsSap6SwOZ
2017-10-17 11:42:24 +02:00
ffxbld 0498069c9a No bug, Automated HPKP preload list update from host bld-linux64-spot-315 - a=hpkp-update 2017-10-16 23:06:00 -07:00
ffxbld 962f3aa143 No bug, Automated HSTS preload list update from host bld-linux64-spot-315 - a=hsts-update 2017-10-16 23:05:56 -07:00
ffxbld e5bbda30b9 No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-10-15 22:50:12 -07:00
ffxbld 28ef948b68 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-10-15 22:50:09 -07:00
ffxbld 40b456626e No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-10-15 10:33:36 -07:00
ffxbld 93cacab1f5 No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-10-15 10:33:33 -07:00
ffxbld 39f4a652d1 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-14 22:59:04 -07:00
ffxbld 0c0219f6c4 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-14 22:59:01 -07:00
ffxbld 01970ed92d No bug, Automated HPKP preload list update from host bld-linux64-spot-327 - a=hpkp-update 2017-10-14 10:38:55 -07:00
ffxbld 957ff16de8 No bug, Automated HSTS preload list update from host bld-linux64-spot-327 - a=hsts-update 2017-10-14 10:38:51 -07:00
ffxbld b864294e1e No bug, Automated HPKP preload list update from host bld-linux64-spot-329 - a=hpkp-update 2017-10-13 23:34:33 -07:00
ffxbld 36c79a8634 No bug, Automated HSTS preload list update from host bld-linux64-spot-329 - a=hsts-update 2017-10-13 23:34:30 -07:00
Sebastian Hengst 24583b9443 merge mozilla-central to autoland. r=merge a=merge 2017-10-20 01:08:09 +02:00
ffxbld 471e3a93c9 No bug, Automated HPKP preload list update from host bld-linux64-spot-305 - a=hpkp-update 2017-10-13 10:47:02 -07:00
ffxbld c478ef3218 No bug, Automated HSTS preload list update from host bld-linux64-spot-305 - a=hsts-update 2017-10-13 10:46:59 -07:00
ffxbld 138ee08992 No bug, Automated HPKP preload list update from host bld-linux64-spot-032 - a=hpkp-update 2017-10-13 00:02:05 -07:00
ffxbld 15e460fc58 No bug, Automated HSTS preload list update from host bld-linux64-spot-032 - a=hsts-update 2017-10-13 00:02:01 -07:00
Sebastian Hengst 5c00b8540d merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: AlcL6XYDkf
2017-10-12 23:58:31 +02:00
ffxbld ef0d419a79 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-10-12 10:52:26 -07:00
ffxbld ee7b9d0f42 No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-10-12 10:52:23 -07:00
Sebastian Hengst e22c8fc5ef merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: JX8NRn7MQY4
2017-10-12 11:34:05 +02:00
ffxbld 32465a09d0 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-11 23:23:04 -07:00
ffxbld 5459aabb52 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-11 23:23:00 -07:00
Matthew Gregan 28e8f43756 Bug 1408821 - Allow FIONBIO ioctl from the content sandbox. r=jld
--HG--
extra : rebase_source : c6a1b525bc7d9207583200fd5d5059a8155b889f
2017-10-16 14:54:46 +13:00
ffxbld 90fa230f6d No bug, Automated HPKP preload list update from host bld-linux64-spot-327 - a=hpkp-update 2017-10-11 11:05:07 -07:00
ffxbld 5793b91bb2 No bug, Automated HSTS preload list update from host bld-linux64-spot-327 - a=hsts-update 2017-10-11 11:05:03 -07:00
Tim Taubert 6ecc0e0e1a Bug 1401594 - land NSS 4bf658832d89 UPGRADE_NSS_RELEASE, r=me 2017-10-12 15:34:02 +02:00
ffxbld e8c853cf32 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-10 22:59:38 -07:00
ffxbld 426bb81282 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-10 22:59:34 -07:00
Sebastian Hengst 01cd7f3d0f merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: GbmY183Epi2
2017-10-10 23:56:11 +02:00
ffxbld c8b9469182 No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-10-10 10:45:25 -07:00
ffxbld 4d59676f4f No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-10-10 10:45:22 -07:00
ffxbld 678b6b5093 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-09 22:53:39 -07:00
ffxbld c5ca0896eb No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-09 22:53:35 -07:00
Sebastian Hengst c2d6023454 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 36L7JL73CzG
2017-10-09 23:52:04 +02:00
Sebastian Hengst c623cb074c merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 63rZAVDkxDT
2017-10-09 23:46:29 +02:00
ffxbld b53e29293c No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-10-09 10:45:59 -07:00
ffxbld 50ebdd5c44 No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-10-09 10:45:55 -07:00
Sebastian Hengst f7efb5fc2c Merge mozilla-central to mozilla-inbound. r=merge a=merge on a CLOSED TREE 2017-10-12 12:03:15 +02:00
Jim Mathies 17a6cb2cbf Bug 1407766 - Remove symantec dlls from the content process dll blocklist due to process startup issues associated with symantec av products. r=bobowen
MozReview-Commit-ID: JMOIptO2y7F
2017-10-11 18:00:18 -05:00
Sebastian Hengst aa78440a09 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: EE6DcCgHufi
2017-10-09 11:19:20 +02:00
ffxbld 6c0975fc33 No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-10-08 22:51:19 -07:00
ffxbld f804ab0aa0 No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-10-08 22:51:15 -07:00
ffxbld 7e3b55bb22 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-10-07 23:08:04 -07:00
ffxbld d51cd0971c No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-10-07 23:08:00 -07:00
ffxbld aa721cc82a No bug, Automated HPKP preload list update from host bld-linux64-spot-308 - a=hpkp-update 2017-10-07 10:39:48 -07:00
ffxbld c48db0de1a No bug, Automated HSTS preload list update from host bld-linux64-spot-308 - a=hsts-update 2017-10-07 10:39:44 -07:00
Nicholas Nethercote 8a68e6fb83 Bug 1403868 (part 4) - Reduce tools/profiler/public/*.h to almost nothing in non-MOZ_GECKO_PROFILER builds. r=mstange.
Currently the Gecko Profiler defines a moderate amount of stuff when
MOZ_GECKO_PROFILER is undefined. It also #includes various headers, including
JS ones. This is making it difficult to separate Gecko's media stack for
inclusion in Servo.

This patch greatly simplifies how things are exposed. The starting point is:

- GeckoProfiler.h can be #included unconditionally;

- everything else from the profiler must be guarded by MOZ_GECKO_PROFILER.

In practice this introduces way too many #ifdefs, so the patch loosens it by
adding no-op macros for a number of the most common operations.

The net result is that #ifdefs and macros are used a bit more, but almost
nothing is exposed in non-MOZ_GECKO_PROFILER builds (including
ProfilerMarkerPayload.h and GeckoProfiler.h), and understanding what is exposed
is much simpler than before.

Note also that in BHR, ThreadStackHelper is now entirely absent in
non-MOZ_GECKO_PROFILER builds.
2017-10-04 09:11:18 +11:00
David Keeler 5f608d08d6 bug 1404824 - reconcile inconsistent TLS version range settings by erring on the conservative side r=mayhemer
Before this patch, if a user set their TLS version range preferences to only
allow TLS 1.3, any connections made with the BE_CONSERVATIVE flag or via the
telemetry studies flags would fail because we would attempt to set an
inconsistent TLS version range (the minimum was greater than the maximum). This
fixes that by setting the minimum to the flag-configured maximum. This
intentionally overrides the user's preferences because it is in the context of
browser-critical services (i.e. update servers) or telemetry studies.

MozReview-Commit-ID: 1kKE5nOVQz8

--HG--
extra : rebase_source : 047aa03f401d75aba3f6c5f4c572d2cc451a329e
2017-10-03 14:51:57 -07:00
David Keeler c24fb615fa bug 1404824 - fix error-handling case of plaintext-layer popping in nsNSSSocketInfo r=mayhemer
The PRFileDesc* returned by PR_PopIOLayer must be used rather than a preexisting
pointer to the layer in question.

MozReview-Commit-ID: 8PsCA5npaj6

--HG--
extra : rebase_source : 7488d70ffd428b103ae51d1ebcf15745acd9bf12
2017-10-03 14:29:31 -07:00
Bob Owen ff9470afb1 Bug 1406068: Expand the list of DLLs that are suspected of causing a crash in ImageBridgeChild::InitForContent. r=jimm
I think that trying to slice this up by feature is just going to lead to complications down the line,
so to keep it simple I've moved this to the launch code for all sandboxed children, not just when the
Alternate Desktop is enabled.
This also, similar to chromium, only adds them to the blocklist if they are loaded in the parent.
2017-10-10 10:42:22 +01:00
Kris Maglione 4a767c7e6e Bug 1404198: Part 2j - Switch to NS_NewTimer* everywhere else. r=njn
MozReview-Commit-ID: LmGIgfmNSmk

--HG--
extra : rebase_source : bf34e852beb0c8f6eafd09184c2e0cda95f95f83
2017-09-24 19:57:48 -07:00
Wouter Verhelst 900dd77859 Bug 1404421 - Add an empty slot to the test PKCS#11 module r=keeler
It is helpful to have a slot which never has a token, so that the
absense of a token can be asserted in unit tests.

Add a third token that is always empty, and update a number of unit
tests to check for it.

MozReview-Commit-ID: 4apvRRhZJus

--HG--
extra : rebase_source : cd3bb819bcf66c769f36a428ed26ea8fa6c68a26
2017-10-01 12:10:20 +02:00
Jed Davis 3709f8d1e4 Bug 1406233 - Include sys/sysmacros.h for major()/minor() macros in Linux sandbox broker. r=gcp
MozReview-Commit-ID: G1D4yxLAAqg

--HG--
extra : rebase_source : 2b13a20e324a3160ce393f7eb7913d78cc274419
2017-10-05 18:10:49 -06:00
Jed Davis 860bc842e2 Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes. r=gcp
MozReview-Commit-ID: KiBfibjLSfK

--HG--
extra : rebase_source : e0cdbb5026c03d2b5a12fb49161aee392efb4189
2017-10-05 19:53:31 -06:00
Haik Aftandilian 90adeb05d8 Bug 1404919 - Whitelist Extensis Suitcase Fusion fontvaults and /System/Library/Fonts. r=Alex_Gaynor
MozReview-Commit-ID: 5UaqiHBKd90

--HG--
extra : rebase_source : 3497f97815d57e9e3fa0cc13482af5d0d81cfd87
2017-10-12 18:29:42 -07:00
David Keeler 6bbfc835f0 bug 1406396 - work around NSS utils potentially loading spurious root cert modules r=mgoodwin
NSS command-line utilities may add a built-in root certificate module with the
name "Root Certs" if run on a profile that has a copy of the module file (which
is an unexpected configuration in general for Firefox). This can cause breakage.
To work around this, PSM now simply deletes any module named "Root Certs" at
startup. In an effort to prevent PSM from deleting unrelated modules
coincidentally named "Root Certs", we also prevent the user from using the
Firefox UI to name modules "Root Certs".

MozReview-Commit-ID: ABja3wpShO9

--HG--
extra : rebase_source : cfc62fb3fabf491a72f009601f3ec6973244642e
2017-10-13 11:27:30 -07:00
David Keeler 2a15781174 Bug 1369561 - Address misc. SnprintfLiteral correctness nits. r=jld, r=froydnj 2017-09-15 14:47:54 -07:00
Nathan Froyd 4438ffeabf Bug 1406486 - provide nsClientAuthRememberEntry/nsCertOverrideEntry with move constructors; r=keeler
Move constructors are more appropriate for these classes, since the
underlying hashtable code will be moving them around, not copying them.
We can take this opportunity to fix a bug in nsClientAuthRememberEntry:
it wasn't transferring the value of mEntryKey, which would have been
disastrous if the underlying hash table was ever resized.
2017-10-09 10:39:38 -04:00
Ryan VanderMeulen 0dcd727f08 Merge m-c to autoland. a=merge 2017-10-11 17:55:13 -04:00
Jed Davis a9b7865141 Bug 1316153 - Remove base::ChildPrivileges from IPC. r=billm,bobowen
ChildPrivileges is a leftover from the B2G process model; it's now
mostly unused, except for the Windows sandbox using it to carry whether
a content process has file:/// access.

In general, when sandboxing needs to interact with process launch, the
inputs are some subset of: the GeckoProcessType, the subtype if content,
various prefs and even GPU configuration; and the resulting launch
adjustments are platform-specific.  And on some platforms (e.g., OS X)
it's all done after launch.  So a simple enum used cross-platform isn't
a good fit.

MozReview-Commit-ID: K31OHOpJzla

--HG--
extra : rebase_source : 3928b44eb86cd076bcac7897536590555237b76b
2017-09-08 16:16:50 -06:00
Tom Ritter 701ee70a22 Bug 1406687 Pass return values from fwrite to Unused to silence the warn-unused-result warning r=njn
MozReview-Commit-ID: 4v6tPF5aMz7

--HG--
extra : rebase_source : fe434db73a8da686391462c12b91648348abcdc9
2017-10-09 15:01:48 -05:00
Sebastian Hengst 57b7c19650 merge mozilla-central to autoland. r=merge a=merge 2017-10-11 11:51:32 +02:00
Gian-Carlo Pascutto 433feb3f7e Bug 1387837 - Add library paths from /etc/ld.so.conf to broker read access policy. r=jld
MozReview-Commit-ID: S5vq6suTU4

--HG--
extra : rebase_source : b82f3ff902ca6e4929a8458aa952f409e30356b5
2017-10-06 12:35:35 +02:00
Nicolas Vigier 21244bc461 Bug 1305396 - Replace memmove with std::copy_backward in a file that doesn't include cstring explicitly. r=keeler 2017-10-16 20:03:54 +02:00
J.C. Jones d01c97d43a Bug 1392852 - Disable EV treatment for old StartCom root certificates r=keeler
Per the root program's request, this patch removes EV treatment for three
StartCom roots:

1) CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
SHA-256 Fingerprint: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA

2) CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
SHA-256 Fingerprint: E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11

3) CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
SHA-256 Fingerprint: C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95

MozReview-Commit-ID: COOu1zvoNWG

--HG--
extra : rebase_source : 68ce6ebd850f3a796bb52e71d05b02b8d860c9f7
2017-10-16 16:14:06 -07:00
J.C. Jones 11a9b47490 Bug 1387261 - Remove EV treatment for WoSign roots r=keeler
Per the root program's request, this patch removes EV treatment for four WoSign
roots:

Common Name: CA 沃通根证书
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54

Common Name: Certification Authority of WoSign
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08

Common Name: Certification Authority of WoSign G2
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16

Common Name: CA WoSign ECC Root
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02

MozReview-Commit-ID: Bxp9LgvxCsp

--HG--
extra : rebase_source : 065d98cc654d3fb22c17ea185253ce917b48e270
2017-10-16 16:08:56 -07:00
Haik Aftandilian 9d77bd9d20 Bug 1393805 - Part 5 - Test that the system extensions dev dir is readable from content. r=bobowen
MozReview-Commit-ID: 7YN7S7R39CU

--HG--
extra : rebase_source : 092f1046a3f6b44c807f7632275615a6bdd674dd
2017-09-27 16:01:57 -07:00
Haik Aftandilian 1e86039b0d Bug 1393805 - Part 4 - Add Linux whitelisted directory for system extensions development. r=gcp
MozReview-Commit-ID: 2eTx1eM1fCM

--HG--
extra : rebase_source : c9c40b552b65a36b1ddb94e31ab04d84571e8d87
2017-10-04 10:50:48 -07:00
Haik Aftandilian 35249752a0 Bug 1393805 - Part 3 - Add Windows whitelisted directory for system extensions development. r=bobowen
MozReview-Commit-ID: 8K5c3mUlqna

--HG--
extra : rebase_source : 0f5a47e8504a38939a1c34a4bc4073bcdc1545d3
2017-10-02 15:17:15 -07:00
Haik Aftandilian c0bfbc91e0 Bug 1393805 - Part 2 - Add Mac whitelisted directory for system extensions development. r=Alex_Gaynor
MozReview-Commit-ID: ADkcqFAsKaY

--HG--
extra : rebase_source : 02db543e05109e764228862ef5c760a0132eb4c2
2017-10-05 16:06:36 -07:00
Mark Banner 4de6bf22b1 Bug 1411368 - Automatically fix no-multi-spaces issues raised when using ESLint 4. r=mossop
MozReview-Commit-ID: H5YVp3rnzGo

--HG--
extra : rebase_source : 5b45b6c0df834131812d094e975047eaad374e06
2017-10-26 11:47:01 +01:00
Sebastian Hengst ee63f2e30a Backed out changeset 0317bcff40bc (bug 1406687) for build bustage at testing/gtest/gtest/src/gtest.cc:3871: 'Unused' was not declared in this scope. r=backout 2017-10-09 18:52:39 +02:00
Tom Ritter 22d2cdf063 Bug 1406687 Pass return values from fwrite to Unused to silence the warn-unused-result warning r=njn
MozReview-Commit-ID: 4v6tPF5aMz7

--HG--
extra : rebase_source : c54b129c6815096035e262322f40aa0884b1ae56
2017-10-09 00:26:16 -05:00
Sylvestre Ledru e0ca72f574 Bug 1406845 - AddMesaSysfsPaths: Resource leak on dir r=gcp
MozReview-Commit-ID: 3ul84cttRAF

--HG--
extra : rebase_source : 6d5306ef859f2db6101c08fb6aad405ffce30696
2017-10-09 09:29:29 +02:00
Jed Davis 9bac6e88bd Bug 1328896 - Restrict fcntl() in sandboxed content processes. r=gcp
MozReview-Commit-ID: BDBTwlT82mf

--HG--
extra : rebase_source : 9036abfb23768e7b17181fbc680692468d66ccd0
2017-07-24 17:33:07 -06:00
David Keeler 14bdb29dc1 bug 1407081 - rework signed app tests for flexibility with upcoming hash algorithm changes r=Cykesiopka,jcj
MozReview-Commit-ID: 6HnJPrG7GfK

--HG--
rename : security/manager/ssl/tests/unit/test_signed_apps/gentestfiles/sign_b2g_app.py => security/manager/ssl/tests/unit/sign_app.py
rename : dom/manifest/test/blue-150.png => security/manager/ssl/tests/unit/test_signed_apps/app/data/image.png
rename : security/manager/ssl/tests/unit/test_signed_apps/valid_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/signed_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/unknown_issuer_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/unsigned_app_1.zip => security/manager/ssl/tests/unit/test_signed_apps/unsigned_app.zip
rename : security/manager/ssl/tests/unit/test_signed_apps/trusted_ca1.der => security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
extra : rebase_source : eacc6ec67b282c93e86254693f48c8bdf6f55816
2017-10-10 16:55:09 -07:00
David Keeler 65f33e8410 bug 1257362 - remove the code-signing usage from certverifier as nothing uses it r=Cykesiopka
MozReview-Commit-ID: 6nWy8k6fMvw

--HG--
extra : rebase_source : fa9f78d39b89bfd3416a7a869bf6436d19ac74bc
2017-10-02 16:24:38 -07:00
Wes Kocher 6dc323cfe9 Merge m-c to autoland, a=merge
MozReview-Commit-ID: Dxbv9TjDlDY
2017-10-04 16:47:41 -07:00
Wes Kocher d8985b6e57 Merge inbound to central, a=merge
MozReview-Commit-ID: IUFdbLdYFhX
2017-10-04 16:37:59 -07:00
Wes Kocher 960beae3a6 Merge autoland to central, a=merge
MozReview-Commit-ID: 5q3B4i0wpSI
2017-10-04 14:57:59 -07:00
ffxbld 278e956997 No bug, Automated HPKP preload list update from host bld-linux64-spot-324 - a=hpkp-update 2017-10-04 10:43:24 -07:00
ffxbld 9e73581c10 No bug, Automated HSTS preload list update from host bld-linux64-spot-324 - a=hsts-update 2017-10-04 10:43:20 -07:00
Wes Kocher 7b3327cb2e Merge autoland to central, a=merge
MozReview-Commit-ID: 4jAMhgCDoPO
2017-10-03 13:25:44 -07:00
ffxbld 6068998290 No bug, Automated HPKP preload list update from host bld-linux64-spot-304 - a=hpkp-update 2017-10-03 10:57:31 -07:00
ffxbld fb3d97bc0b No bug, Automated HSTS preload list update from host bld-linux64-spot-304 - a=hsts-update 2017-10-03 10:57:27 -07:00
Alex Gaynor 535c9e8dc3 Bug 1380674 - remove the ability to create directories in the content temp directory on macOS; r=haik
MozReview-Commit-ID: 8SDcDTqp2F5

--HG--
extra : rebase_source : e8094606e5a302db41f7d7fd22656b7e8697d549
2017-10-03 09:49:44 -04:00
Sebastian Hengst 508993b411 Backed out changeset ee6479d783a6 (bug 1257362) for sometimes failing security/manager/ssl/tests/mochitest/browser/browser_certViewer.js, at least on Linux x64 debug. r=backout on a CLOSED TREE 2017-10-05 00:36:02 +02:00
Sebastian Hengst 6c211079d0 Backed out changeset 8198bc4c7e3c (bug 1393805) 2017-10-05 00:20:11 +02:00
Sebastian Hengst d60d5571f3 Backed out changeset 45695eda1c1c (bug 1393805) 2017-10-05 00:20:06 +02:00
Sebastian Hengst 072e34c960 Backed out changeset 1ba3220d84fa (bug 1393805) 2017-10-05 00:20:00 +02:00
Sebastian Hengst e8b4c9dc97 Backed out changeset 4fe99f70e199 (bug 1393805) 2017-10-05 00:19:55 +02:00
David Keeler fcb5ab8367 bug 1257362 - remove the code-signing usage from certverifier as nothing uses it r=Cykesiopka
MozReview-Commit-ID: 6nWy8k6fMvw

--HG--
extra : rebase_source : 47a708ecc729c1b25a2a0382001ebd53716cd395
2017-10-02 16:24:38 -07:00
Kai Engert 2d9f082720 Bug 1401594 - "Upgrade Firefox 58 to use NSS 3.34" r=franziskus
MozReview-Commit-ID: 2ExI2oh0bPY

--HG--
extra : rebase_source : aa820344a3bbe16bb87186dddd0e8585d54981ae
2017-09-20 08:17:00 +02:00
Franziskus Kiefer a4d3f610eb Bug 1401594 - land NSS 6fb9c5396d52 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 8NmVvC1r7uS

--HG--
extra : rebase_source : a14736e0191c18ffd63b3268b5cefd6e33cccc60
2017-10-04 10:42:25 +02:00
Wes Kocher 83fd890d27 Merge m-c to autoland, a=merge CLOSED TREE
MozReview-Commit-ID: HeJwJwwTzhQ
2017-10-02 16:26:42 -07:00
Wes Kocher 382a7d90d6 Merge inbound to central, a=merge
MozReview-Commit-ID: CvJ9hmTQBcR
2017-10-02 16:22:37 -07:00
Wes Kocher 55fe1fc9f2 Merge autoland to central, a=merge
MozReview-Commit-ID: 4ygim4sQ5zd
2017-10-02 16:02:42 -07:00
ffxbld fbd250c41f No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-10-02 10:46:46 -07:00
ffxbld 00090bf720 No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-10-02 10:46:43 -07:00
ffxbld ecafa414e2 No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-10-01 10:58:36 -07:00
ffxbld 4e45118331 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-10-01 10:58:32 -07:00
Sebastian Hengst 55e6971a70 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 3D21HjGG3i4
2017-10-01 00:59:41 +02:00
ffxbld 97263882e6 No bug, Automated HPKP preload list update from host bld-linux64-spot-326 - a=hpkp-update 2017-09-30 11:03:15 -07:00
ffxbld 7dfb61f787 No bug, Automated HSTS preload list update from host bld-linux64-spot-326 - a=hsts-update 2017-09-30 11:03:11 -07:00
Gian-Carlo Pascutto 4ebb238032 Bug 1384804 - Allow reading /proc/self/status for libnuma. r=jld
MozReview-Commit-ID: LLwmPVtj0PE

--HG--
extra : rebase_source : 13d3a0cfce2ffc05280ce80d5d84e37b48f242e9
extra : histedit_source : e4e63c8a90c7b7ef16078d6ad9228b685e681c7e
2017-09-28 16:19:02 +02:00
Wes Kocher eb9a2ed0f2 Merge inbound to central, a=merge
MozReview-Commit-ID: IqwKWn7ceHC
2017-09-29 14:47:25 -07:00
Wes Kocher 1b5b528b2e Merge autoland to central, a=merge
MozReview-Commit-ID: LJgJXsmBQcx
2017-09-29 14:45:37 -07:00
ffxbld f2b181af94 No bug, Automated HPKP preload list update from host bld-linux64-spot-327 - a=hpkp-update 2017-09-29 10:33:54 -07:00
ffxbld 00f17ea93c No bug, Automated HSTS preload list update from host bld-linux64-spot-327 - a=hsts-update 2017-09-29 10:33:50 -07:00
Sebastian Hengst 5253bb7207 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 2gWLO0vz64b
2017-09-29 13:30:42 +02:00
Alex Gaynor d755224ded Bug 1403567 - Remove unused access to AppleGraphicsPolicyClient iokit from content process; r=haik
MozReview-Commit-ID: 9yTMgo2FNKm

--HG--
extra : rebase_source : 72cc3a295d8823460aae21ebe149ece2df69d087
2017-09-26 13:05:18 -04:00
Alex Gaynor d1aef777b6 Bug 1404426 - Simplify the macOS content sandbox policy; r=haik
This does two things:

1) Move the level 3 rules to always be applicable, and simplifies level 2 accordingly
2) Consistently uses the raw string literal syntax for regexes

MozReview-Commit-ID: 6iwjOvRVMM7

--HG--
extra : rebase_source : 3ac59219ad0793a98bdb203fb3d247561216a560
2017-09-29 13:13:49 -04:00
David Keeler d26e95be10 bug 1257403 - don't bother verifying CA or email certificates when importing r=Cykesiopka
Incidentally, this means we can remove certificateUsageVerifyCA and
certificateUsageStatusResponder from CertVerifier, since we no longer use them.

MozReview-Commit-ID: Bbqn8fShfTm

--HG--
extra : rebase_source : 012cb08dcbe33fe889c9f6824959b1a02cd0bdc7
2017-09-22 15:42:20 -07:00
Sebastian Hengst 5e8bacff75 merge mozilla-central to mozilla-inbound. r=merge a=merge 2017-09-29 13:32:19 +02:00
Kai Engert 47d3b3ac0b Bug 730495, guarantee that sqlite3_config is called before any other SQLite function, r=asuth, r=froydnj, r=mak 2017-09-29 13:25:06 +02:00
Wes Kocher 134e495909 Merge m-c to autoland, a=merge
MozReview-Commit-ID: 6RdWW73Lc0A
2017-09-28 17:16:12 -07:00
Haik Aftandilian f39cc5cc25 Bug 1401756 - [Mac] Remove unneeded mach-lookups from plugin sandbox rules. r=Alex_Gaynor
MozReview-Commit-ID: JsgBzNJC4zF

--HG--
extra : rebase_source : deffeff5e6d39318c55bf3d487071139abaf3c92
2017-09-20 14:05:27 -07:00
Haik Aftandilian 414270b14a Bug 1403669 - [Mac] Per-user and system extensions dir regexes only work for 1-character subdirectory names. r=Alex_Gaynor
MozReview-Commit-ID: L9vNruzMEez

--HG--
extra : rebase_source : 8530cbf1baef919a5a379564d190fb08674aa28d
2017-09-27 11:48:39 -07:00
David Parks 29d5db60ba Bug 1403707 - Change content sandbox job level to JOB_LOCKDOWN. r=bobowen
Changing definition of Windows content sandbox level 4 (the current Nightly default) to increase the job level from JOB_RESTRICTED to JOB_LOCKDOWN.
2017-09-27 13:36:06 -07:00
Haik Aftandilian 9a88df4221 Bug 1393805 - Part 5 - Test that the system extensions dev dir is readable from content. r=bobowen
MozReview-Commit-ID: 7YN7S7R39CU

--HG--
extra : rebase_source : 01e3fe0acb051723219d9d5de5b1fd19d9751c34
2017-09-27 16:01:57 -07:00
Haik Aftandilian e1dd4bac03 Bug 1393805 - Part 4 - Add Linux whitelisted directory for system extensions development. r=gcp
MozReview-Commit-ID: 2eTx1eM1fCM

--HG--
extra : rebase_source : 25cff10f2887795ce954b5fbca74df41fefa5c3e
2017-10-04 10:50:48 -07:00
Haik Aftandilian 213bec3e84 Bug 1393805 - Part 3 - Add Windows whitelisted directory for system extensions development. r=bobowen
MozReview-Commit-ID: 8K5c3mUlqna

--HG--
extra : rebase_source : 33b71d3ab20c0fdf24bcee39d4395757031213be
2017-10-02 15:17:15 -07:00
Haik Aftandilian 165980edfa Bug 1393805 - Part 2 - Add Mac whitelisted directory for system extensions development. r=Alex_Gaynor
MozReview-Commit-ID: ADkcqFAsKaY

--HG--
extra : rebase_source : 492194ea7914d6f09b349f95b3eeea0bd003256a
2017-09-27 13:27:39 -07:00
Jed Davis ae5c1fb5c6 Bug 1401666 - Adjust sandbox policy to allow Mesa 12 to use libudev for device identification. r=gcp
MozReview-Commit-ID: JRRI9nd83TP

--HG--
extra : rebase_source : 3c5e3edd6606f33468120100f2a63533f1757935
2017-10-03 20:35:28 -06:00
Mike Shal 9e6798ac00 Bug 1402012 - Update buildconfig.py to use PartialConfigEnvironment; r=glandium
By using the PartialConfigEnvironment, the clients of buildconfig will
depend on config.statusd/ files instead of config.status directly.
Clients can access substs and defines using buildconfig.substs['FOO'] or
buildconfig.defines['BAR'], and then collect file-level dependencies for
make using buildconfig.get_dependencies(). All GENERATED_FILES rules
already make use of this because file_generate.py automatically includes
these dependencies (along with all python modules loaded).

As a result of this commit, re-running configure will no longer cause
the world to be rebuilt. Although config.status is updated, no build
steps use config.status directly and instead depend on values in
config.statusd/, which are written with FileAvoidWrite. Since those
files are not official targets according to the make backend, make won't
try to continually rebuild the backend when those files are out of date.
And since they are FileAvoidWrite, make will only re-run dependent steps
if the actual configure value has changed.

As a result of using JSON to load data from the config.statusd
directory, substs can be unicode (instead of a bare string type).
generate_certdata.py converts the subst manually to a string so the
value can be exported to the environment without issue on Windows.

Additionally, patching the buildconfig.substs dict no longer works, so
the unit-symbolstore.py test was modified to patch the underlying
buildconfig.substs._dict instead.

The other files that needed to be modified make use of all the defines
for the preprocessor. Those that are used during 'mach build' now use
buildconfig.defines['ALLDEFINES'], which maps to a special
FileAvoidWrite file generated for the PartialConfigEnvironment.

MozReview-Commit-ID: 2pJ4s3TVeS8

--HG--
extra : rebase_source : d6bb0208483f9f043e7be1b36907ca13243985f8
2017-08-24 22:52:01 -04:00
Mark Goodwin ae55f5a197 Bug 1359428 - Remove preference to select OneCRL update mechanism r=keeler,leplatrem,rhelmer
MozReview-Commit-ID: A6CwZrIDmTn

--HG--
extra : rebase_source : 41e17d29f982d23f30f48a6f85ad20fc84b018c6
2017-09-29 10:47:27 +01:00
Sebastian Hengst 5a95ac34b4 merge mozilla-central to autoland. r=merge a=merge 2017-09-29 11:49:46 +02:00
Haik Aftandilian fa37753064 Bug 1403744 - Part 2 - Test that the per-user extensions dir is readable from content on Windows. r=bobowen
MozReview-Commit-ID: 7YN7S7R39CU

--HG--
extra : rebase_source : c86998b1738ee1f4d24562105acf63c20811b8a1
2017-09-29 12:44:22 -07:00
Haik Aftandilian d54db04ac2 Bug 1403744 - Part 1 - Whitelist the per-user extensions dir XRE_USER_SYS_EXTENSION_DIR on Windows. r=bobowen
MozReview-Commit-ID: 8K5c3mUlqna

--HG--
extra : rebase_source : 00f91b3e1112766731119c1cbe14a08387202f60
2017-09-27 16:14:30 -07:00
J.C. Jones 86123e3d8d Bug 1405511 - Re-enable 3DES on nightly builds r=keeler
In bug 1386754 we disabled 3DES after determining that it had a similar-ish
usage level as RC4. We gathered compatibility reports and telemetry for the last
two months and see that while 3DES usage is fairly low, it is the only
ciphersuite available for a variety of websites, including many government
systems.

3DES, while legacy, is not known to be insecure. Therefore, we're going to call
this experiment complete, use the collected WebCompat issues from Bug 1386908
for future reference, and re-enable 3DES.

MozReview-Commit-ID: 3lY1zHLNO9l

--HG--
extra : rebase_source : ecb51c6dbc6862991083b1f46920d86d7480582f
2017-10-03 16:25:36 -07:00
Sebastian Hengst fea24c0daf merge mozilla-central to autoland. r=merge a=merge
--HG--
extra : rebase_source : 819bdfcc5e3f50cb5a3d8d76ce1f88ceeb0dd5a9
2017-10-17 23:54:52 +02:00
David Keeler 56adac5efc bug 783994 - use the sqlite-backed certificate and key DBs r=jcj
MozReview-Commit-ID: 2K8JVGc0mAj

--HG--
rename : security/manager/ssl/tests/unit/test_sdr_preexisting.js => security/manager/ssl/tests/unit/test_sdr_preexisting_with_password.js
extra : rebase_source : e9d3a7470dfdad3ea43b788e5eda0eb7a93e5cd0
2017-09-22 14:34:20 -07:00
Margareta Eliza Balazs fe45ae3748 Merge mozilla-central to mozilla-autoland. r=merge a=merge CLOSED TREE 2017-11-08 00:08:26 +02:00
David Keeler 67fd50d803 bug 1410546 - Disable EV treatment for "Security Communication EV RootCA1" root certificate r=mgoodwin
MozReview-Commit-ID: 7sERUm9gaQX

--HG--
extra : rebase_source : 9ec46921974dd9fce19fa4a3308804dfdc8c731d
2017-11-02 13:19:04 -07:00
ffxbld f54c1723be No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-09-27 10:38:25 -07:00
ffxbld 3a16ce743e No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-09-27 10:38:22 -07:00
Wes Kocher 9d9610f6a3 Merge m-c to autoland, a=merge
MozReview-Commit-ID: Kjjgw1Pdb3U
2017-09-26 17:15:46 -07:00
Wes Kocher 22a72df7fe Merge inbound to m-c a=merge
MozReview-Commit-ID: 6viJ4wRxLa8
2017-09-26 15:54:51 -07:00
Bob Owen 8cf423ff54 Bug 1403230: Block WRusr.dll in child processes when using Alternate Desktop. r=jimm 2017-09-26 19:23:39 +01:00
ffxbld 3dbb47302e No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-09-26 10:34:42 -07:00
ffxbld 00a87df5f6 No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-09-26 10:34:38 -07:00
Wes Kocher 3a1e5b73d3 Merge autoland to central, a=merge
MozReview-Commit-ID: 9UQPQrkhjsZ
2017-09-25 16:25:22 -07:00
ffxbld cf9c6529ef No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-09-25 10:41:00 -07:00
ffxbld 13d0d05c38 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-09-25 10:40:56 -07:00
Sebastian Hengst c0203b7b61 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: HGJIeJkelZe
2017-09-24 23:52:35 +02:00
ffxbld f6dc0e40b5 No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-09-24 10:43:38 -07:00
ffxbld 9fb62f395f No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-09-24 10:43:34 -07:00
ffxbld 3d38c3ccc5 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-09-23 10:33:39 -07:00
ffxbld d4542c60a8 No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-09-23 10:33:35 -07:00
ffxbld c92594521f No bug, Automated HPKP preload list update from host bld-linux64-spot-360 - a=hpkp-update 2017-09-22 20:41:32 -07:00
ffxbld 8efdfac860 No bug, Automated HSTS preload list update from host bld-linux64-spot-360 - a=hsts-update 2017-09-22 20:41:29 -07:00
ffxbld 56ad02e34d No bug, Automated HPKP preload list update from host bld-linux64-spot-304 - a=hpkp-update 2017-09-22 10:34:18 -07:00
ffxbld fce8a1a7fd No bug, Automated HSTS preload list update from host bld-linux64-spot-304 - a=hsts-update 2017-09-22 10:34:14 -07:00
David Keeler 4c42c44c85 bug 1401796 - fix HSTS preload script to keep preexisting hosts if there was a connection error r=jcj DONTBUILD NPOTB
Bug 1255425 changed an 'of' to an 'in', which caused the code that would keep
preexisting entries on the preload list if there was a connection error to loop
over the indices in the array and not the values themselves. Thanks, JavaScript.

MozReview-Commit-ID: DvVWhpImp8n

--HG--
extra : rebase_source : 149c8d0fb46d3b71a9de19aaedfb5e0dd5b9a460
2017-09-25 11:00:21 -07:00
Chris Peterson 5698729243 Bug 870698 - Part 10: Replace Append(NS_LITERAL_STRING("")) with AppendLiteral(u""). r=erahm
The NS_LITERAL_STRING macro creates a temporary nsLiteralString to encapsulate the char16_t string literal and its length, but AssignLiteral() can determine the char16_t string literal's length at compile-time without nsLiteralString.

MozReview-Commit-ID: H9I6vNDMdIr

--HG--
extra : rebase_source : cf537a1f65af003c6c4f8919b925b0f305c1dd4d
extra : source : 13b89ce4e6a66c840f82a335c71f5a12938aba22
2017-09-07 18:32:54 -07:00
Chris Peterson a0c8081df4 Bug 870698 - Part 4: Replace Equals("") with EqualsLiteral(""). r=erahm
MozReview-Commit-ID: G1GhyvD29WK

--HG--
extra : rebase_source : 115842c37a40041bdca7b4e1ff0a5680b02ced15
extra : source : 90bfff9c01d80086cdc17637f310e898fea295ea
2017-09-06 01:13:45 -07:00
Chris Peterson 45aa2a8e8e Bug 870698 - Part 2: Replace Append("") with AppendLiteral(""). r=erahm
MozReview-Commit-ID: CrkIP4iHP1U

--HG--
extra : rebase_source : 5dc4e91a3f1860773c199f1abf3f66479218834a
extra : intermediate-source : ba51cc79847f2b43ba616f4a5d2bbc6958ca9f6d
extra : source : 1fda2fa990cc918c748ffa14fcc5dbe13fe3bdc3
2017-09-03 22:14:11 -07:00
Chris Peterson 9f4c1f5278 Bug 870698 - Part 1: Replace Assign("") with AssignLiteral(""). r=erahm
MozReview-Commit-ID: A0u9PP49OW3

--HG--
extra : rebase_source : 7d5286959f510eb4b7df1b7e32d5b9b58719c48b
extra : intermediate-source : f552b4a78236c42bc09030b3eb008725a3edb9c8
extra : source : 26ac4a1014f6661a70e3bf9f552407e12c2c3981
2017-09-03 22:12:56 -07:00
Alex Gaynor 79cf374320 Bug 1403210 - Remove unused access to AppleSNBFBUserClient iokit from content process; r=haik
MozReview-Commit-ID: K4Z48UFfq2w

--HG--
extra : rebase_source : 8664f3e04503ecc48813d45d26b5433afcc65251
2017-09-26 11:32:01 -04:00
Wes Kocher bedaaf0009 Merge autoland to central, a=merge
MozReview-Commit-ID: KNeXnxjnn5u
2017-09-21 16:29:32 -07:00
ffxbld ec671e96e6 No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-09-21 10:46:13 -07:00
ffxbld 7ecdba9161 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-09-21 10:46:09 -07:00
Jed Davis d64e9b800d Bug 1396542 - Let sandboxed content processes read /var/lib/dbus/machine-id. r=gcp
PulseAudio is the only thing that's known to need this.  Note that the
same file often exists as /etc/machine-id, and we currently allow reading
all of /etc (which includes other fingerprinting hazards as well).

MozReview-Commit-ID: FoyKQzhAV6M

--HG--
extra : rebase_source : 593ee0b94cf507681a034d22cd06a9050d56b86a
2017-09-19 19:54:41 -06:00
Valentin Gosu 7822c999e1 Bug 910207 - Disable preconnect when user certificates are installed r=keeler
MozReview-Commit-ID: 1vGPxDCAcQR

--HG--
extra : rebase_source : 3dda6f50ddbe1e03c7b7625c6039cb20896ef05e
2017-09-19 01:51:41 +02:00
Sebastian Hengst 1133016f04 Backed out 6 changesets (bug 1386404) for XPCshell failures, at least on Linux. r=backout on a CLOSED TREE
Backed out changeset c80acdea24c1 (bug 1386404)
Backed out changeset 6224ffae752a (bug 1386404)
Backed out changeset 9eba087cf64a (bug 1386404)
Backed out changeset eac6eb517096 (bug 1386404)
Backed out changeset 802a00ea50e7 (bug 1386404)
Backed out changeset d7f697bac6ef (bug 1386404)
2017-11-03 20:28:00 +01:00
Gian-Carlo Pascutto 859dfba3ed Bug 1386404 - Whitelist the prefix used by the XPCOM leak logs. r=haik
MozReview-Commit-ID: HI68lvyJIPQ

--HG--
extra : rebase_source : 95804e003ae2cde2b4baa1f5d1bba43d2d0830b5
2017-11-03 13:18:56 +01:00
Gian-Carlo Pascutto 9dd0bca893 Bug 1386404 - Only do the tmp remapping if needed. r=jld
This helps with getting the tests that are running out of /tmp
to pass, who get confused if their paths change underneath them.

It's also a bit faster.

MozReview-Commit-ID: CWtngVNhA0t

--HG--
extra : rebase_source : b7fe3ad6317fafa382a2ad38c7d9d5338aeafc9b
2017-10-26 18:02:10 +02:00
Gian-Carlo Pascutto 12fb914457 Bug 1386404 - Intercept access to /tmp and rewrite to content process tempdir. r=jld
MozReview-Commit-ID: 2h9hw6opYof

--HG--
extra : rebase_source : 821381f48b822415ae3d477341071099e7c1db54
2017-10-26 17:50:49 +02:00
Gian-Carlo Pascutto 88fc2f8563 Bug 1386404 - Enable access to the entire chrome dir from content. r=jld
This may be required if people have @import in their userContent.css, and
in any case our tests check for this.

MozReview-Commit-ID: 8uJcWiC2rli

--HG--
extra : rebase_source : 38bd2a2ffc593bf94b3c16f0c755d169d5998f7f
2017-10-26 18:57:03 +02:00
Gian-Carlo Pascutto fff36a228d Bug 1386404 - Enable content-process specific tmpdir on Linux. r=haik
MozReview-Commit-ID: 6Hijq0to9MG

--HG--
extra : rebase_source : 083bf3d52e228ce953d31ef997f969a0e4a562ec
2017-10-12 11:18:25 +02:00
J.C. Jones cdfad59288 Bug 1409259 - Add xpcshell tests for the Symantec distrust r=keeler
This commit adds two new xpcshell tests, both of them testing whether the
security state in TransportSecurityInfo includes the new
STATE_CERT_DISTRUST_IMMINENT flag under the correct circumstances.

The first test, test_symantec_apple_google.js, tests the four combinations of
certs that chain to an affected Symantec root: with/without a whitelisted
intermediate, and before/after the notBefore cutoff date.

The second test, test_symantec_apple_google_unaffected.js, tests an unrelated
ca->intermediate->ee chain that does not chain to an affected root, and ensures
the flag is not set.

This patch adds SymantecSanctionsServer to the mozbuild and xpcshell test
infrastructure files to ensure it runs properly on TaskCluster, too.

MozReview-Commit-ID: GtUXH2VFFh

--HG--
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.key.keyspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.key.keyspec
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem
rename : security/manager/ssl/tests/unit/bad_certs/default-ee.pem.certspec => security/manager/ssl/tests/unit/test_symantec_apple_google/default-ee.pem.certspec
rename : security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp => security/manager/ssl/tests/unit/tlsserver/cmd/SymantecSanctionsServer.cpp
extra : rebase_source : f399bca5a13db3efa5bbaa5136c8effc3948ed5e
2017-11-01 11:12:11 -07:00
J.C. Jones 0e002bccbd Bug 1409259 - Add a console warning for soon-to-be-distrusted roots r=keeler,ttaubert
This patch adds a new diagnostic status flag to nsIWebProgressListener,
STATE_CERT_DISTRUST_IMMINENT, which indicates that the certificate chain is
going to change validity due to an upcoming distrust event. The first of
these events is this bug, affecting various roots from Symantec.

The STATE_CERT_DISTRUST_IMMINENT flag is set by nsNSSCallbacks and passed,
via nsSecureBrowserUIImpl, to browser.js where it is used to alert the console.

Adding this sort of diagnostic printing to be accessible to browser.js is a
long-desired goal, as future functionality can start doing more decision-making
there. We may, for example, also want to degrade the lock icon, which will be
straightforward with this flag.

This commit does not implement the IsCertificateDistrustImminent method. That is
follow-on work.

MozReview-Commit-ID: 75IOdc24XIV

--HG--
extra : rebase_source : e6a95d0be65f667eff0b131274272f0df91f8732
2017-10-18 22:29:42 -07:00
J.C. Jones ce24b2607a Bug 1409259 - Add Symantec root and Apple/Google intermediate lists r=keeler
This is the list of affected Symantec roots and the Apple and Google carved out
sub-CAs being whitelisted. These lists are created using the crtshToDNStruct
tool.

These sub-CAs are to be explicitly whitelisted in the distrust logic being
applied to Symantec root CAs.

Sources:
https://groups.google.com/d/msg/mozilla.dev.security.policy/FLHRT79e3XE/riCrpXsfAgAJ
https://groups.google.com/d/msg/mozilla.dev.security.policy/FLHRT79e3XE/90qkf8jsAQAJ

MozReview-Commit-ID: 3atUGcjG6GD
* * *
[mq]: crtsh_linting

MozReview-Commit-ID: 5gGq5DZXEIi
* * *
[mq]: fix_crtsh_script

MozReview-Commit-ID: JRgkD6OODnO
* * *
[mq]: fix_crtsh_also

MozReview-Commit-ID: Gza1HnYic2I

--HG--
extra : rebase_source : 8ca642964d3ce0308b8081fc52713d9f0104024d
2017-10-18 17:17:20 -07:00
J.C. Jones 8cd0cda935 Bug 1409259 - Refactor "TrustOverrides" header for existing trust overrides r=keeler
Since we'll need the same structs and mechanisms to work with the Symantec roots,
this patch makes the matching function generic and moves it into a new header,
"TrustOverrides.h".

This also moves the GlobalSignData out into "TrustOverride-GlobalSignData.inc"
and the WoSign/StartCom to "TrustOverride-StartComAndWoSignData.inc".

MozReview-Commit-ID: 2yWcvrngKwr

--HG--
rename : security/certverifier/StartComAndWoSignData.inc => security/certverifier/TrustOverride-StartComAndWoSignData.inc
extra : rebase_source : 26d86765277563ddafd5bbf0f4372ccdb280d062
2017-10-16 23:17:52 -07:00
Dan Banner b2e847755c Bug 1367704 - Enable the semi ESLint rule across the tree. r=standard8
MozReview-Commit-ID: GrlcOI9K2hJ

--HG--
extra : rebase_source : 6574cf3c67eb11733ffd9999c260f71c8551abc4
2017-05-28 19:57:46 +01:00
Jed Davis 55a0096f3c Bug 1320834 - Reduce prctl policy for desktop content processes. r=gcp
This removes the allow-all override in the content policy, which means it will
fall back to the more restrictive prctl policy in SandboxPolicyCommon.

MozReview-Commit-ID: CncoGi0HLxR

--HG--
extra : rebase_source : 6cb1834c56a1781f1512b7b078ba3469c3dd8537
2017-04-12 18:41:20 -06:00
Jed Davis 2a020d2e77 Bug 1408493 - Don't restrict ioctl() in sandboxed content if ALSA might be used. r=gcp
MozReview-Commit-ID: 61AmLLcPaWw

--HG--
extra : rebase_source : ba3ad2886b871a8753e9ac30c46fc3356f4fb1c4
2017-10-13 14:34:10 -06:00
Jed Davis b61d9d2cbe Bug 1408498 - Allow FIONREAD in sandboxed content processes, for libgio. r=gcp
MozReview-Commit-ID: 23mO3vCb7Gu

--HG--
extra : rebase_source : b0183cb4d8d6a5e6ab03e9d4e1db1a3bb76a3569
2017-10-13 14:32:43 -06:00
Jed Davis df2e63a6ff Bug 1408568 - Handle SandboxReport::ProcType::FILE correctly in XPCOM bindings. r=gcp
MozReview-Commit-ID: EwNTeG4cbZG

--HG--
extra : rebase_source : feed835fd56053644c5fa390d95884fc9b17439b
2017-10-13 17:33:01 -06:00
ffxbld 2ef8bd8a46 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-09-20 10:26:32 -07:00
ffxbld 0ca9f5fd6b No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-09-20 10:26:28 -07:00
Franziskus Kiefer 260bd8768a Bug 1386955 - land NSS_3_33_RTM, no code changes, only version numbers, UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: GjKGBcoghDh

--HG--
extra : amend_source : f33a891a76d22de7f9d6a985cf744523c9e7ed18
2017-09-20 09:10:07 +02:00
Wes Kocher 2d19ba5cc6 Merge autoland to central, a=merge
MozReview-Commit-ID: Eh11kawjrJB
2017-09-19 14:05:54 -07:00
ffxbld d08b24e613 No bug, Automated HPKP preload list update from host bld-linux64-spot-304 - a=hpkp-update 2017-09-19 10:33:25 -07:00
ffxbld 6353638e7a No bug, Automated HSTS preload list update from host bld-linux64-spot-304 - a=hsts-update 2017-09-19 10:33:21 -07:00
J.C. Jones a986ec2088 Bug 1399959 - Prefer hardware instead of software U2F tokens r=keeler
Bug 1388851 adds hardware U2F support to Gecko; the instructions to test
involve flipping two prefs, but the common case will be using harwdare tokens,
so this patch makes users only haave to flip the "security.webauth.u2f" or
"security.webauth.webauthn" prefs as they choose.

MozReview-Commit-ID: 346120ZI8p4

--HG--
extra : rebase_source : fa491214d3b5532ea7e4843a9e52a19ab432a925
2017-09-14 10:51:20 -07:00
David Keeler bae8112f6b bug 1400913 - back out the functionality changes from bug 1364159 (but keep the test) r=jcj
Bug 1364159 introduced an optimization that attempted to avoid reading from the
user's cached certificate database as much as possible when building a verified
certificate chain. Unfortunately this had the side-effect of not preferring root
certificates in path building, which can result in unnecessarily long chains
(which rather defeats the purpose, since it means more signature verifications).
This patch reverts the functionality changes from that bug but keeps the test
that was added (the test didn't directly test the functionality changes - it's
more of a check that path building will query the cached certificate db when
necessary).

MozReview-Commit-ID: I56THTLUytH

--HG--
extra : rebase_source : 7db9597e25b98942450840519d707046cc660781
2017-09-18 10:28:58 -07:00
Wes Kocher 519bb0922b Merge inbound to central, a=merge
MozReview-Commit-ID: EK8iFR1hSRp
2017-09-18 16:21:01 -07:00
ffxbld 1c13d5cf85 No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-09-18 10:35:17 -07:00
ffxbld ccaa664c63 No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-09-18 10:35:13 -07:00
David Keeler b21e2ea33f bug 1368652 - test that viewing a certificate with a long OID doesn't crash the browser r=Cykesiopka
MozReview-Commit-ID: JhUvDEJJvJy

--HG--
extra : rebase_source : 37046eb12c04f93e869c0a8b108bcf504ccaabae
2017-09-15 14:18:27 -07:00
ffxbld 05c4c3bc0c No bug, Automated HPKP preload list update from host bld-linux64-spot-302 - a=hpkp-update 2017-09-17 10:41:04 -07:00
ffxbld 9398bc50e1 No bug, Automated HSTS preload list update from host bld-linux64-spot-302 - a=hsts-update 2017-09-17 10:41:01 -07:00
ffxbld 6769c4c331 No bug, Automated HPKP preload list update from host bld-linux64-spot-304 - a=hpkp-update 2017-09-16 10:23:59 -07:00
ffxbld 9d03c0efa0 No bug, Automated HSTS preload list update from host bld-linux64-spot-304 - a=hsts-update 2017-09-16 10:23:56 -07:00
ffxbld 184f0c7888 No bug, Automated HPKP preload list update from host bld-linux64-spot-361 - a=hpkp-update 2017-09-15 10:33:02 -07:00
ffxbld 2d79ffc5bb No bug, Automated HSTS preload list update from host bld-linux64-spot-361 - a=hsts-update 2017-09-15 10:32:58 -07:00
Sebastian Hengst 220e7cecae merge mozilla-central to autoland. r=merge a=merge 2017-09-15 00:01:52 +02:00
Sebastian Hengst dfb0dfbb5e merge autoland to mozilla-inbound. r=merge a=merge
MozReview-Commit-ID: 1gVeCMsyp4B
2017-09-14 23:56:36 +02:00
ffxbld 60074a5f28 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-09-14 10:42:33 -07:00
ffxbld b549e15598 No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-09-14 10:42:30 -07:00
David Keeler eae47e2f71 bug 805305 - remove nsIDataSignatureVerifier.verifySignature r=mgoodwin
MozReview-Commit-ID: 9QyN7VzGJN0

--HG--
extra : rebase_source : 8c89004a192291dd0703e3e52f8fb7f36b467bc5
2017-09-01 16:21:37 -07:00
David Keeler 9f77404d3f bug 1398932 - add a preference for enabling the sqlite-backed NSS databases r=Cykesiopka,jcj
In the future, bug 1377940 will make the sqlite-backed databases the default,
but until we're sure this will stick we want to be able to control this with a
Firefox-only change. The use of a preference to configure which format to use
will hopefully allow us to restore the old behavior quickly and relatively
safely if necessary. Note that doing this should be done with care; any changes
made in the sqlite databases after upgrade migration will not be reflected if
we need to go back to the old database format. Thus, user data (imported CAs,
client certificates, and keys) can be lost.

MozReview-Commit-ID: tkovdiCU9v

--HG--
extra : rebase_source : e74358bd65afb5844fa8fc5b729eba2bbc5bb2db
2017-09-06 14:31:27 -07:00
Sebastian Hengst 45bab258b7 merge mozilla-central to autoland. r=merge a=merge 2017-09-14 00:11:28 +02:00
Sebastian Hengst 006a58c35d merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 2iVDKexRjxu
2017-09-13 23:58:43 +02:00
ffxbld 6326724982 No bug, Automated HPKP preload list update from host bld-linux64-spot-308 - a=hpkp-update 2017-09-13 10:23:19 -07:00
ffxbld 72ed6c99a5 No bug, Automated HSTS preload list update from host bld-linux64-spot-308 - a=hsts-update 2017-09-13 10:23:16 -07:00
Sebastian Hengst e4a2f44531 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 9SALJlvWgoZ
2017-09-13 13:32:44 +02:00
Sebastian Hengst 1fbe7771e8 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: GUc4LEY8qp4
2017-09-13 11:27:47 +02:00
ffxbld e76c0fee79 No bug, Automated HPKP preload list update from host bld-linux64-spot-304 - a=hpkp-update 2017-09-12 10:29:28 -07:00
ffxbld e5c0388101 No bug, Automated HSTS preload list update from host bld-linux64-spot-304 - a=hsts-update 2017-09-12 10:29:25 -07:00
Sebastian Hengst ecf716b8bb merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: CmMBcpJapLy
2017-09-12 11:35:15 +02:00
Bob Owen 6b4635da55 Bug 1395952: Enhance telemetry for failed launch of Windows sandboxed process by process type/error code key. r=jimm, data-r=rweiss
Only one telemetry accumlation will occur for each key per session.
2017-09-12 07:53:52 +01:00
Gian-Carlo Pascutto bda88cac9f Bug 1396733 - Add flatpak font dirs to the sandbox whitelist. r=jld
Also clean up the order of paths a bit.

MozReview-Commit-ID: GM62r4N9wL7

--HG--
extra : rebase_source : 7cf620e020808d01a38f38be1fcf2a841df26367
2017-09-13 13:41:21 +02:00
Sebastian Hengst 7dd2b068b5 merge mozilla-central to mozilla-inbound. r=merge a=merge 2017-09-13 13:35:21 +02:00
Bob Owen 2e66e542ea Bug 1314801 Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox. r=jimm 2017-09-13 11:19:41 +01:00
Bob Owen 5e9dff873e Bug 1314801 Part 1: Compile chromium sandbox features that require at least UCRT SDK version 10.0.10586.0. r=jimm 2017-09-13 11:19:41 +01:00
Sebastian Hengst a3ed708553 merge mozilla-central to mozilla-inbound. r=merge a=merge 2017-09-13 11:44:38 +02:00
Valentin Gosu acc302eb58 Bug 1399300 - Backed out changeset a51cf9c048a1 (bug 910207) a=backout
MozReview-Commit-ID: 3l6B9n7VM1o
2017-09-13 10:51:18 +02:00
Franziskus Kiefer 13f706ca4e Bug 1386955 - land NSS a83094ccf952 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 9F66BeXNp3a

--HG--
extra : rebase_source : aac70379cd6e09112bec2af693eda051eba8d84c
2017-09-12 14:46:59 +02:00
Jed Davis e6cee20f4d Bug 1397753 - Disallow kill() in sandboxed content processes. r=gcp
As a special case to deal with PulseAudio, testing for a process's
existence with kill(pid, 0) quietly fails with EPERM instead.

(I also added some commentary on umask, since I was touching that part of
the code anyway.)

MozReview-Commit-ID: CM0Aqii13j4

--HG--
extra : rebase_source : 44ef05e9a39a9eea4a649399c63b865f5523d43b
2017-09-07 08:29:02 -06:00
Jed Davis db2eef4339 Bug 1299581 - Fail waitpid et al. with ECHILD in sandboxed content processes. r=gcp
MozReview-Commit-ID: 7Qjcnrd7KqK

--HG--
extra : rebase_source : 98e9bcb247edad657d8e45e30901861a9193f249
2017-09-07 08:27:32 -06:00
Matthew Noorenberghe 601308df05 Bug 306730 - Do not include the token name in prompts for the internal key slot. r=keeler
MozReview-Commit-ID: 3TPZrTQxQC5

--HG--
extra : rebase_source : eacd92dfa3937f8f05f4de0617eb09099517a504
2017-09-12 14:42:19 -07:00
Sebastian Hengst be553422dd merge mozilla-central to autoland. r=merge a=merge 2017-09-13 11:30:55 +02:00
Wes Kocher 05c4aba599 Merge m-c to autoland, a=merge CLOSED TREE
MozReview-Commit-ID: 2dRRh6JLTIL
2017-09-11 15:21:36 -07:00
Wes Kocher e376f14721 Merge inbound to central, a=merge
MozReview-Commit-ID: GDeX9aPb7Fn
2017-09-11 14:41:45 -07:00
ffxbld 51eae08453 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-09-11 10:29:02 -07:00
ffxbld e79c3e437e No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-09-11 10:28:58 -07:00
ffxbld 00fa5daced No bug, Automated HPKP preload list update from host bld-linux64-spot-301 - a=hpkp-update 2017-09-10 10:14:51 -07:00
ffxbld 359e0d79b4 No bug, Automated HSTS preload list update from host bld-linux64-spot-301 - a=hsts-update 2017-09-10 10:14:48 -07:00
ffxbld 70cfd6ceec No bug, Automated HPKP preload list update from host bld-linux64-spot-303 - a=hpkp-update 2017-09-09 10:21:22 -07:00
ffxbld 5a1296fc1c No bug, Automated HSTS preload list update from host bld-linux64-spot-303 - a=hsts-update 2017-09-09 10:21:19 -07:00
Phil Ringnalda 2dba33e427 Backed out 3 changesets (bug 1245527) for ASan browser-chrome leaks and Android mochitest bustage
Backed out changeset 8ee1f7aebd62 (bug 1245527)
Backed out changeset e6a5de8d1246 (bug 1245527)
Backed out changeset be63e73426b4 (bug 1245527)

MozReview-Commit-ID: AU22LgPh9iB
2017-09-09 00:09:21 -07:00
J.C. Jones 9ade50e63c Bug 1245527 - Remove NSS U2F SoftToken. r=ttaubert, r=jed
The nsIU2FToken and its implementors are no longer needed; the soft token was
re-implemented into dom/webauthn/U2FSoftTokenManager.cpp during the WebAuthn
implementation. When the dom/u2f/ code changed to the implementation from
WebAuthn, the old synchronous version became dead code.

This patch removes the dead code.

MozReview-Commit-ID: 2yDD0tccgZr

--HG--
extra : transplant_source : %B3%96Te%E7%02%08%98%1A%B2%FA%1C%40%C4J%BC%B2%85j%81
2017-09-05 12:32:42 -07:00
J.C. Jones 50501cbead Bug 1245527 - Rewrite U2F.cpp to use U2FTokenManager. r=keeler, r=ttaubert
- This patch reworks the U2F module to asynchronously call U2FManager,
  which in turn handles constructing and managing the U2FTokenManager
  via IPC.
- Add U2FTransaction{Parent,Child} implementations to mirror similar ones for
  WebAuthn
- Rewrite all tests to compensate for U2F executing asynchronously now.
  - Used async tasks, used the manifest parameters for prefs and scheme,
    and generally made these cleaner.

NOTE TO REVIEWERS:
 Since this is huge, I recommend the following:

 keeler - please review U2F.cpp/h, the tests, and the security-prefs.js. Most
          of the U2F logic is still in U2F.cpp like before, but there's been
          some reworking of how it is called.

 ttaubert - please review U2FManager, the Transaction classes, build changes,
            and the changes to nsGlobalWindow. All of these should be very
            similar to the WebAuthn code it's patterned off.


MozReview-Commit-ID: C1ZN2ch66Rm

--HG--
extra : transplant_source : %EA%98%D2%87C%FD%CC%A5%3D%B5%9B%1C%DA%A5J%CD%05%94%13%0D
2017-09-05 12:32:42 -07:00
Honza Bambas 43860c7a61 Bug 910207 - Prevent client certificate pop-up coming from a speculative connection, r=dkeeler
MozReview-Commit-ID: IHKzHwsJUiQ
2017-09-01 10:42:00 +02:00
ffxbld d29c832536 No bug, Automated HPKP preload list update from host bld-linux64-spot-309 - a=hpkp-update 2017-09-08 10:17:35 -07:00
ffxbld df6782f918 No bug, Automated HSTS preload list update from host bld-linux64-spot-309 - a=hsts-update 2017-09-08 10:17:31 -07:00
Andrew Halberstadt 7527e600f0 Bug 1392787 - Disable manifestparser tests using 'disabled' key instead of comment, r=jmaher
MozReview-Commit-ID: IQL7hWxQX9F

--HG--
extra : rebase_source : b78cbf7913fc1b0a27dfa085c38957e2bc2467d0
2017-08-22 16:56:02 -04:00
Sebastian Hengst 5d9781d9f8 merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 6Nq2hl5g0a5
2017-09-07 23:50:27 +02:00
ffxbld 44c6939142 No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-09-07 10:13:01 -07:00
ffxbld e280855418 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-09-07 10:12:58 -07:00
David Keeler a42d5a4889 bug 1397471 - nsNSSCertificateDB::GetCerts needs to wait until the loadable roots have been loaded r=Cykesiopka
This was missed in the original implementation of bug 1372656.

MozReview-Commit-ID: 8Sm26YlxZ7l

--HG--
extra : rebase_source : 6613fea8b292cc1645073539e110a53369c78886
2017-09-06 14:29:17 -07:00
Eric Rahm 0617c21c24 Bug 1393230 - Part 2: Fix more improper string usages. r=njn
This fixes improper usages of Find where an offset was actually being use for
the boolean ignore case flag. It also fixes a few instances of passing in a
literal wchar_t to our functions where a NS_LITERAL_STRING or char16_t should
be used instead.

--HG--
extra : rebase_source : 5de1e9335895d65e6db06c510e8887d27be3390f
extra : source : f762f605dd83fc6331161a33e1ef5d54cafbd08d
2017-08-31 15:52:30 -07:00
ffxbld 67f38de244 No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-09-06 10:37:57 -07:00
ffxbld ae7a4f2407 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-09-06 10:37:54 -07:00
David Keeler 5938a7bd62 bug 1393143 - remove a few unused attributes and methods on PKCS#11 interfaces r=Cykesiopka
MozReview-Commit-ID: FKO6G6ZKjAZ

--HG--
extra : rebase_source : 265ca140aa62ebf0694849d44d3d7574c0496309
2017-08-17 16:11:57 -07:00
Sebastian Hengst 4d2231acf0 merge mozilla-central to autoland. r=merge a=merge 2017-09-05 23:58:08 +02:00
Sebastian Hengst 01c1a3c741 merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: 17ViEoPyjPa
2017-09-05 23:55:39 +02:00
Sebastian Hengst d1986f991d merge autoland to mozilla-central. r=merge a=merge
MozReview-Commit-ID: H5cwbdymJQw
2017-09-05 23:53:59 +02:00
ffxbld 4d8e389498 No bug, Automated HPKP preload list update from host bld-linux64-spot-307 - a=hpkp-update 2017-09-05 10:36:00 -07:00
ffxbld 1fe438ee01 No bug, Automated HSTS preload list update from host bld-linux64-spot-307 - a=hsts-update 2017-09-05 10:35:56 -07:00
Sebastian Hengst a17af05f6f merge mozilla-inbound to mozilla-central. r=merge a=merge
MozReview-Commit-ID: L5exd68pNSG
2017-09-05 11:40:49 +02:00
ffxbld f2a1911ad3 No bug, Automated HPKP preload list update from host bld-linux64-spot-306 - a=hpkp-update 2017-09-04 10:22:51 -07:00
ffxbld 2c66811b63 No bug, Automated HSTS preload list update from host bld-linux64-spot-306 - a=hsts-update 2017-09-04 10:22:48 -07:00
David Keeler 179d6cf432 bug 1396137 - update broken fips pkcs#11 module db handling code for when we use the sqlite-backed databses r=jcj
This handles the different error code returned by NSS and that the pkcs#11
module db has a different filename.

MozReview-Commit-ID: HJK4zsf6IS0

--HG--
extra : rebase_source : eec55c21861137d83b2f1cc5a9a654b9c47dc42f
2017-09-01 15:54:40 -07:00