Граф коммитов

24 Коммитов

Автор SHA1 Сообщение Дата
Felipe Gomes 254ff126ef Bug 1429148 - Add nsIPK11Token.isInternalKeyToken. r=keeler,MattN
MozReview-Commit-ID: Gdd7MxDXoTC

--HG--
extra : rebase_source : a367c07755046657d7f2133d4858ea6e6b0c219a
2018-02-20 20:43:41 -03:00
David Keeler 5bfa1a1ac8 bug 1430906 - don't hold around a test key forever in mozilla::pkix gtests r=franziskus
Before this patch, mozilla::pkix gtests would generate a public/private key pair
and stash it in a global variable. Since this wasn't part of XPCOM nor tracked
by the PSM/NSS shutdown machinery, it wouldn't get released at the appropriate
time. The solution to this is to generate the key and then essentially export it
as data, so no NSS objects are held alive. Since NSS considers private keys
stored in the persistent database sensitive and won't export them in the clear,
we "encrypt" the key material with an empty password so we can import it when
necessary. (While the gtests don't use persistent keys, the test utilties in the
gtests are also used by some xpcshell tests that do use persistent keys, hence
the need to encrypt the key material.)

--HG--
extra : rebase_source : df10c25a462a3ba0396f5ba4a43a52fb924548ff
extra : amend_source : d95722891e49a99c471046cd9c758e914a02838e
2018-01-12 13:57:51 -08:00
Kai Engert e1c5635b55 Bug 1420060, restrict export of symbols to Windows, suggested by Masatoshi Kimura, r=kaie 2018-01-11 15:04:17 +01:00
Kai Engert 46f290697e Bug 1420060, export new NSS APIs in Firefox' specific API export list, r=franziskus 2018-01-11 14:42:09 +01:00
Andreea Pavel 5967533f02 Backed out 4 changesets (bug 1428538, bug 1420060) for mochitest mass failures UPGRADE_NSS_RELEASE on a CLOSED TREE
Backed out changeset 7604bcd50b63 (bug 1420060)
Backed out changeset 7ce1e0ca10e1 (bug 1420060)
Backed out changeset 617446a093ba (bug 1428538)
Backed out changeset fb3c27bdee46 (bug 1420060)
2018-01-11 17:35:54 +02:00
Kai Engert ec3151d097 Bug 1420060, additional bustage fix as suggested by Masatoshi Kimura, r=kaie, CLOSED TREE 2018-01-11 15:04:17 +01:00
Kai Engert 69aae135c3 Bug 1420060, trivial bustage fix, export new NSS APIs in Firefox' specific API export list 2018-01-11 14:42:09 +01:00
Franziskus Kiefer 1db8f13af3 Bug 1401594 - land NSS NSS_3_34_BETA1 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 8ckNdJ29KWZ

--HG--
extra : rebase_source : 9766af247842aabce5e46c4a8d1d03c3f70d21f7
2017-11-01 15:38:36 +01:00
David Keeler 175158cc25 Bug 1411458 - Confirm we actually have a PKCS#7 signedData content info. r=jcj
MozReview-Commit-ID: GKfL1C0EPWt
2017-10-25 09:54:13 -07:00
David Keeler 3961574fa2 bug 1381154 - remove smartcard monitoring threads r=jcj,mgoodwin
Modified from bug 1248818 comment 11:
Before this patch, if a user had a smart card (PKCS#11 device) with removable
slots, Firefox would launch a thread for each module and loop, calling
SECMOD_WaitForAnyTokenEvent to be alerted to any insertions/removals. At
shutdown, we would call SECMOD_CancelWait, which would cancel any waiting
threads. However, since that involved calling 3rd party code, we really had no
idea if these modules were behaving correctly (and, indeed, they often weren't,
judging by the shutdown crashes we were getting).
The real solution is to stop relying on PKCS#11, but since that's unlikely in
the near future, the next best thing would be to load these modules in a child
process. That way, misbehaving modules don't cause Firefox to hang/crash/etc.
That's a lot of engineering work, though, so what this patch does is avoids the
issue by never calling SECMOD_WaitForAnyTokenEvent (and thus we never have to
call SECMOD_CancelWait, etc.). Instead, every time Firefox performs an operation
that may be affected by a newly added or removed smart card, it first has NSS
refresh its view of any removable slots. This is similar to how we ensure the
loadable roots module has been loaded (see bug 1372656).

MozReview-Commit-ID: JpmLdV7Vvor

--HG--
extra : rebase_source : d3503d19fa9297106d661a017a38c30969fa39b4
2017-09-28 14:27:21 -07:00
Kai Engert 2d9f082720 Bug 1401594 - "Upgrade Firefox 58 to use NSS 3.34" r=franziskus
MozReview-Commit-ID: 2ExI2oh0bPY

--HG--
extra : rebase_source : aa820344a3bbe16bb87186dddd0e8585d54981ae
2017-09-20 08:17:00 +02:00
Franziskus Kiefer 13f706ca4e Bug 1386955 - land NSS a83094ccf952 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 9F66BeXNp3a

--HG--
extra : rebase_source : aac70379cd6e09112bec2af693eda051eba8d84c
2017-09-12 14:46:59 +02:00
David Keeler 5938a7bd62 bug 1393143 - remove a few unused attributes and methods on PKCS#11 interfaces r=Cykesiopka
MozReview-Commit-ID: FKO6G6ZKjAZ

--HG--
extra : rebase_source : 265ca140aa62ebf0694849d44d3d7574c0496309
2017-08-17 16:11:57 -07:00
Franziskus Kiefer 0738b607f4 Bug 1386955 - land NSS 4bf658832d89 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: 7V3T5SpKqi7

--HG--
extra : rebase_source : 165b8ba5806ed4423f5c6048b9776f9f2ffb10cc
2017-09-05 12:52:00 +02:00
Sajjad Arshad f9ecfce269 Bug 1391506 - Creating max version, fallback limit, and alt server hello flag values for the tlsFlags r=keeler
Additional-Author: Patrick McManus <mcmanus@ducksong.com>

MozReview-Commit-ID: AmsvDtvDGPt

--HG--
extra : rebase_source : fc537ef1a50db23b9e77cd48d3941d7e32228bec
2017-08-29 09:04:08 -04:00
Franziskus Kiefer 3d4912c914 Bug 1345368 - land NSS 57e38a8407b3, r=me
UPGRADE_NSS_RELEASE

--HG--
extra : rebase_source : 64f2e33d0ca49b6870882d204e899442af785ba4
extra : amend_source : 7277b5d0c15a2d51726d216f57bfed7958b45c8a
2017-05-16 17:12:24 +02:00
David Keeler af0ce9fbd6 bug 1357226 - work around a library inefficiency with EC keys when verifying ECDSA signatures r=fkiefer,jcj
Calling VFY_VerifyDigestDirect causes the provided SECKEYPublicKey to be
reimported to the softoken regardless of if it already exists on it. EC keys
must be verified upon import (to see if the point is on the curve to avoid some
small subgroup attacks), and so repeatedly doing this with a static key (say,
for example, a key corresponding to a built-in certificate transparency log) is
inefficient. This patch alters the certificate transparency implementation to
import these keys each once and then use PK11_Verify for ECDSA signature
verification, which doesn't have the same drawback.

Since this change causes CertVerifier to hold an NSS resource (via its
MultiLogCTVerifier having a list of CTLogVerifier, each of which now has a
SECKEYPublicKey), nsNSSComponent has to make sure it goes away before shutting
down NSS. This patch ensures this happens in nsNSSComponent::ShutdownNSS().

MozReview-Commit-ID: 6VSmz7S53y2

--HG--
extra : rebase_source : 4994db9de80a6c1aec3d7e322ff30d040140ce92
2017-04-11 14:11:28 -07:00
Cykesiopka 7995951109 Bug 1338897 - Avoid using NSS Base64 functions in PSM. r=keeler
The NSS Base64 functions are less safe and convenient to use than the XPCOM ones.
They're also an unnecessary dependency on NSS.

The NSS Base64 functions behave slightly differently than the XPCOM ones:
1. ATOB_ConvertAsciiToItem() / NSSBase64_DecodeBuffer() silently ignore invalid
   characters like CRLF, space and so on. Base64Decode() will return an error
   if these characters are encountered.
2. BTOA_DataToAscii() will produce output that has CRLF inserted every 64
   characters. Base64Encode() doesn't do this.

For the reasons listed below, no unexpected compatibility issues should arise:
1. AppSignatureVerification.cpp already filters out CRLF and spaces for Manifest
   and Signature values before decoding.
2. ExtendedValidation.cpp is only given what should be valid hard-coded input to
   decode.
3. ContentSignatureVerifier.cpp already splits on CRLF for when it needs to
   decode PEM certs. Spaces shouldn't be likely.
   For Content-Signature header verification, examination of real input to a
   running instance of Firefox suggests CRLF and spaces will not be present in
   the header to decode.
4. nsCryptoHash.cpp encode is affected, but we actually don't want the CRLF
   behaviour.
5. nsDataSignatureVerifier.cpp decode is affected, but we add whitespace
   stripping to maintain backwards compatibility.
6. nsKeygenHandler.cpp encode is affected, but the previous CRLF behaviour was
   arguably a bug, since neither WHATWG or W3C specs specified this.

MozReview-Commit-ID: IWMFxqVZMeX

--HG--
extra : rebase_source : 4863b2e5eabef0555e8e1ebe39216d0d9393f3e9
2017-03-17 23:31:40 +08:00
Cykesiopka d80bc035b4 Bug 1342736 - Remove nsIX509CertDB.verifySignedManifestAsync(). r=mgoodwin
verifySignedManifestAsync() was added in Bug 1059216 to support Trusted Hosted
Apps.

However, Bug 1196988 removed THA and no add-ons use this method, so there's no
point in keeping it around.

MozReview-Commit-ID: 6xBRxvRZfjh

--HG--
extra : rebase_source : 5b8cf9c5863187b55325a8f9929bbe52c6478ec5
2017-02-26 20:25:36 +08:00
Kai Engert c8dbb3b86e Bug 1334127 - update firefox nss.symbols, r=franziskus
--HG--
extra : rebase_source : ae7d157350878c0988f39ac49a9d8731be9a8632
2017-02-10 02:29:00 +01:00
David Keeler 4b4f5adfbc bug 1329360 - avoid some NSS functions that internally use PK11_GetInternalKeySlot r=Cykesiopka
CERT_AddTempCertToPerm and CERT_ImportCerts (when called with keepCerts=true)
internally use PK11_GetInternalKeySlot. The current plan for making NSS always
available involves initializing it in memory-only mode and later opening the
user's certificate and key databases. Doing so means that
PK11_GetInternalKeySlot will not return the right token, so we can't rely on
functions that make use of it internally. For now we'll simply use equivalent
functions that take an explicit PK11SlotInfo argument and pass in the current
internal token. A later patch will change all places where PSM and Gecko use the
internal token to use the correct token.

MozReview-Commit-ID: CpSo5dIkyVW

--HG--
extra : rebase_source : 4f6e1707b34cb8dcf5e89cf3620c2d76fea39c82
2017-01-06 16:29:12 -08:00
Dragana Damjanovic 1b10767070 Bug 1320252 - Send early-data even without alpn. r=keeler
--HG--
extra : rebase_source : b1d45d7014ed58cb8531d09374f1a5c27668e6ac
2017-01-06 11:51:00 -05:00
Jonathan Hao e9caa3195f Bug 1316283 - Isolate SSL session cache by origin attributes. r=keeler
--HG--
extra : rebase_source : e10216124e22219b02c4f2cb57de27575be2ee57
2016-11-25 20:07:57 +08:00
Ted Mielczarek a449823a50 bug 1295937 - build NSS using gyp files. r=glandium
MozReview-Commit-ID: Gm1PLWSJwbD

--HG--
rename : config/external/nss/moz.build => security/moz.build
rename : config/external/nss/nss.symbols => security/nss.symbols
extra : rebase_source : bedd3b2f315f8504e1d0cb1ee94720e380466e5b
2016-11-09 12:37:09 -05:00