Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
Bug 1583109 introduced new function templates StringJoin and StringJoinAppend.
These are now used to replace several custom loops across the codebase that
implement string-joining algorithms to simplify the code.
Differential Revision: https://phabricator.services.mozilla.com/D98750
This patch removes telemetry probes for TLS 1.3 Delegated Credentials. The
probes are expiring soon and we do not plan to run any more experiments that
would justify their renewal. There is no plan to enable this feature in beta or
release until the draft hits RFC stage.
Differential Revision: https://phabricator.services.mozilla.com/D99557
This moves parts of IPCMessageUtils.h to two new header files and adapts
the include directives as necessary. The new header files are:
- EnumSerializer.h, which defines the templates for enum serializers
- IPCMessageUtilsSpecializations.h, which defines template specializations
of ParamTraits with extra dependencies (building upon both IPCMessageUtils.h
and EnumSerializer.h)
This should minimize the dependencies pulled in by every consumer of
IPCMessageUtils.h
Differential Revision: https://phabricator.services.mozilla.com/D94459
This patch removes the hand-rolled shared background thread in favor of
individual background synchronous event targets. Also, the timer configuration
was moved to the main thread. It now dispatches events to the background task
queue, which makes it easier to reason about.
Differential Revision: https://phabricator.services.mozilla.com/D98977
This patch extends the lifetimes of the following telemetry probes to Firefox 92:
CRLITE_RESULT
INTERMEDIATE_PRELOADING_ERRORS
INTERMEDIATE_PRELOADING_UPDATE_TIME_MS
security.intermediate_preloading_num_preloaded
security.intermediate_preloading_num_pending
This patch removes the following telemetry probes:
CRLITE_FASTER_THAN_OCSP_MS
OCSP_FASTER_THAN_CRLITE_MS
Differential Revision: https://phabricator.services.mozilla.com/D98988
Telemetry indicated that setting various security state (in particular, CRLite
state) was causing main thread hangs due to base64 decoding. This patch
rearranges cert_storage slightly to do these decodings off the main thread.
Differential Revision: https://phabricator.services.mozilla.com/D98691
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch enables PSM and Firefox to use TLS 1.3 Encrypted Client Hello (draft -08). Specifically:
- Compile NSS with NSS_ENABLE_DRAFT_HPKE=1
- Add ECH "public_name" handling in SSLServerCertVerification.cpp (see: https://tools.ietf.org/html/draft-ietf-tls-esni-08#section-6.3.2)
- Adds `mIsAcceptedEch` to TransportSecurityInfo, and xpcshell tests for ECH use cases
- Adds EncryptedClientHelloServer to facilitate the xpcshell tests
- Un-ifdef Set/GetEchConfigs code in nsNSSIOLayer.cpp. Also reverted the Base64 encoding and decoding, as the data returned from DNS is already decoded (wire-format).
Differential Revision: https://phabricator.services.mozilla.com/D92651
This patch updates test_sanctions_symantec_apple_google.js to test a chain through an allow-listed Apple intermediate certificate chaining to a Symantec root certificate that is present in NSS.
Differential Revision: https://phabricator.services.mozilla.com/D98511
This patch changes a test referencing //VeriSign Class 3 Public Primary Certification Authority - G4//, which was removed in bug 1670769, with a similar VeriSign root CA that still exists and meets the same requirements for the test.
Differential Revision: https://phabricator.services.mozilla.com/D98510
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ckfw/builtins/nssckbi.h:
Bug 1678189 - December 2020 batch of root changes,
NSS_BUILTINS_LIBRARY_VERSION 2.46. r=bbeurdouche
[f8c49b334e51] [tip]
* lib/ckfw/builtins/certdata.txt:
Bug 1678166 - Add NAVER Global Root Certification Authority root
cert to NSS. r=bbeurdouche,KathleenWilson
[b9742b439a81]
2020-12-01 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* lib/ckfw/builtins/certdata.txt:
Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs
from NSS. r=kjacobs,KathleenWilson
[4c69d6d0cf21]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/ssl/ssl3exthandle.c:
Bug 1674819 - Fix undefined shift when fuzzing r=bbeurdouche
In fuzzer mode, session tickets are serialized without any
encryption or integrity protection. This leads to a post-deserialize
UBSAN error when shifting by a fuzzed (large) authType value. A real
NSS server will not produce these values.
[a51fae403328]
2020-11-30 Benjamin Beurdouche <benjamin.beurdouche@inria.fr>
* build.sh, coreconf/config.gypi, lib/ckfw/builtins/testlib/builtins-
testlib.gyp, lib/ckfw/builtins/testlib/nssckbi-testlib.def, nss.gyp:
Bug 1678384 - Add a build flag to allow building nssckbi-testlib in
m-c r=kjacobs
[22bf7c680b60]
2020-12-01 Kevin Jacobs <kjacobs@mozilla.com>
* lib/dev/devslot.c:
Bug 1679290 - Don't hold slot lock when taking session lock
r=bbeurdouche
[[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362c
d61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed
a number of race conditions related to NSSSlot member accesses.
Unfortunately the locking order that was imposed by that patch has
been found to cause problems for at least one PKCS11 module,
libnsspem.
This patch drops nested locking in favor of unlocking/re-locking.
While this isn't perfect, the original problem in bug 1663661 was
that `slot->token` could become NULL, which we can easily check
after reacquiring.
[19585ccc7a1f]
2020-11-25 Makoto Kato <m_kato@ga2.so-net.ne.jp>
* lib/freebl/blinit.c:
Bug 1678990 - Use __ARM_FEATURE_CRYPTO for feature detection.
r=bbeurdouche
Actually, we have CPU feature detection for Linux and FreeBSD on
aarch64 platform. But others don't.
macOS doesn't has any CPU feature detection for ARM Crypto
Extension, but toolchain default is turned on. So we should respect
__ARM_FEATURE_CRYPTO.
[f1e48fbead3d]
2020-11-19 Lauri Kasanen <cand@gmx.com>
* lib/freebl/Makefile:
Bug 1642174 - Resolve sha512-p8.o: ABI version 2 is not compatible
with ABI version 1 output. r=jcj Don't try to build the SHA-2
accelerated asm on old-ABI ppc.
Currently make only, I don't have enough gyp-fu to do that side.
However, the reporters of 1642174 and 1635625 both used make, not
gyp.
Signed-off-by: Lauri Kasanen <cand@gmx.com>
[d806f7992b10]
Differential Revision: https://phabricator.services.mozilla.com/D98509
Before this patch, when RemoteSecuritySettings would download multiple new
stashes, it would add the first one to cert_storage, which would reconstruct
the in-memory representation of all of the issuer/serial hashmaps/sets
(including preexisting ones), and then RemoteSecuritySettings would add the
second one, and cert_storage would reconstruct the entire in-memory
representation of the issuer/serial hashmaps/sets again, and so on, re-doing
all of the work each time. This is essentially O(n^2) work. This patch improves
both RemoteSecuritySettings and cert_storage to minimize this work, reducing it
to O(n).
Differential Revision: https://phabricator.services.mozilla.com/D97829
This allows us to avoid calling any NSSCertificateDB methods on the main
thread or allocating memory for xpconnect wrappers of cert objects.
Differential Revision: https://phabricator.services.mozilla.com/D97970
This removes telemetry regarding baseline requirements sections 9.2.1 and 9.2.2
(subject alternative name and subject common name) that is no longer necessary.
More specifically, this removes the histogram categories
BR_9_2_1_SUBJECT_ALT_NAMES and BR_9_2_2_SUBJECT_COMMON_NAME.
Differential Revision: https://phabricator.services.mozilla.com/D97507
This patch uses nsICertStorage.hasPriorData() and a new local field on the
CRLite filter Remote Settings collection to avoid re-downloading and
re-processing CRLite filters and stashes that have already been put into
cert_storage.
Differential Revision: https://phabricator.services.mozilla.com/D97381
ffxbld
Simon Giesecke
Csoregi Natalia
Kevin Jacobs
Bob Clary
Dana Keeler
R. Martinho Fernandes
Benjamin Beurdouche
Victor Porof
Razvan Maries
Moritz Birghan
Bogdan Tara
Xidorn Quan
Mihai Alexandru Michis
Andreea Pavel
Valentin Gosu
Emilio Cobos Álvarez