The function to detect whether the kernel has separate syscalls for
socket operations (rather than only `socketcall`) had a comment that
it's called only once, which is no longer true. So, this seems like a
good time to add a cache (but not on newer archs like `x86_64` where the
answer is constant).
This patch also removes the ifdefs on `__NR_socket`, because all archs
have it now, and our local headers will define it even if the build
host's headers don't.
Differential Revision: https://phabricator.services.mozilla.com/D105853
When setting up calls to `sendmsg` for IPC on Unix systems, we generate
`iovec`s for the entire message or until the `IOV_MAX` limit is reached,
whichever comes first. However, messages can be very large (up to 256
MiB currently), while the OS socket buffer is relatively small (8KiB on
macOS and FreeBSD, ~200KiB on Linux).
This patch detects the socket buffer size with the `SO_SNDBUF` socket
option and cuts off the `iovec` array after it's reached; it also adjusts
the Linux sandbox policy to allow reading that value in all processes.
On my test machines this increases throughput on large messages by about
2.5x on macOS (from ~0.3 to ~0.7 GB/s), but on Linux the improvement is
only about 5% (most of the running time is spent elsewhere).
Differential Revision: https://phabricator.services.mozilla.com/D105852
We're already vendoring 0.8 so no reason not to do this. We're still
held back by an ancient tokio version, which I filed bug 1697845 for.
There are no breaking changes that affect any of our internal consumers.
Differential Revision: https://phabricator.services.mozilla.com/D108046
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.
Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.
Differential Revision: https://phabricator.services.mozilla.com/D107406
Because Widevine may probe madvise using advice arguments we do not currently
support, including invalid arguments, this patch changes the handling of these
args so we will not crash in nightly.
Differential Revision: https://phabricator.services.mozilla.com/D106537
Firefox sometimes caches intermediate certificates from verified connections in
case they are useful in the future. This operation involves modifying the NSS
cert database, and so should only be done on the socket thread (ideally when it
is idle).
Differential Revision: https://phabricator.services.mozilla.com/D106230
Note that this patch only transforms the use of the nsDataHashtable type alias
to a directly equivalent use of nsTHashMap. It does not change the specification
of the hash key type to make use of the key class deduction that nsTHashMap
allows for in some cases. That can be done in a separate step, but requires more
attention.
Differential Revision: https://phabricator.services.mozilla.com/D106008
Using `dlsym` for `gdk_wayland_display_get_type` is a cleaner solution
to bug 1696319, allowing running with a GTK that lacks the Wayland
backend.
Also adds a symmetric implementation for `gdk_x11_display_get_type`,
which should help running without X11.
Differential Revision: https://phabricator.services.mozilla.com/D107406
Otherwise the OCSP channel that tries to check the certificate for the DoH
server will also try to use TRR leading to DNS failures.
Differential Revision: https://phabricator.services.mozilla.com/D106884
This makes the naming more consistent with other functions called
Insert and/or Update. Also, it removes the ambiguity whether
Put expects that an entry already exists or not, in particular because
it differed from nsTHashtable::PutEntry in that regard.
Differential Revision: https://phabricator.services.mozilla.com/D105473
When osclientcerts obtains or uses an OS handle on a private key, the
underlying implementation may display some sort of authentication or pin
prompt. In some cases, caching this handle rather than obtaining it multiple
times can prevent multiple prompts. So, this is what this patch does.
Differential Revision: https://phabricator.services.mozilla.com/D106222
2021-02-19 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* lib/nss/nss.h, lib/softoken/softkver.h, lib/util/nssutil.h:
Set version numbers to 3.62 final
[a8e045a9fff6] [NSS_3_62_RTM] <NSS_3_62_BRANCH>
2021-02-15 Benjamin Beurdouche <bbeurdouche@mozilla.com>
* .hgtags:
Added tag NSS_3_62_BETA1 for changeset a5c857139b37
[145c269c82d6] <NSS_3_62_BRANCH>
Differential Revision: https://phabricator.services.mozilla.com/D105739
This is only used for CORS preflight requests. It is controlled by a pref.
Connections that server such request will be isolated from other anonymous connections.
Differential Revision: https://phabricator.services.mozilla.com/D96775
```
2021-02-05 Danh <congdanhqx@gmail.com>
* gtests/manifest.mn:
Bug 1688374 - Fix parallel build NSS-3.61 with make. r=kjacobs
[a5c857139b37] [NSS_3_62_BETA1]
2021-02-05 Robert Relyea <rrelyea@redhat.com>
* lib/libpkix/pkix/util/pkix_tools.c:
Bug 1682044 pkix_Build_GatherCerts() + pkix_CacheCert_Add() can
corrupt "cachedCertTable"
Patch by Andrew Cagney Preliminary Review by Ryan Sleevie Tested
against all.sh rrelyea. r=kjacobs
(this bug is old)
pkix_Build_GatherCerts() has two code paths for creating the list
"certsFound":
pkix_CacheCert_Lookup() this sets "certsFound" to a new list
"certsFound" and "cachedCertTable" share items but not the list
pkix_CacheCert_Add(pkix_pl_Pk11CertStore_CertQuery()) this sets
"certsFound" to a new list; and then adds the list to
"cachedCertTable" "certsFound" and "cachedCertTable" share a linked
list
Because the latter doesn't create a separate list, deleting list
elements from "certsFound" can also delete list elements from within
"cacheCertTable". And if this happens while pkix_CacheCert_Lookup()
is trying to update the same element's reference, a core dump can
result.
In detail (note that reference counts may occasionally seem off by
1, its because data is being captured before function local
variables release their reference):
pkix_Build_GatherCerts() calls pkix_pl_Pk11CertStore_CertQuery()
(via a pointer) to sets "certsFound":
PKIX_CHECK(getCerts (certStore, state->certSel, state->verifyNode,
&nbioContext, &certsFound, plContext), PKIX_GETCERTSFAILED);
it then calls:
PKIX_CHECK(pkix_CacheCert_Add (certStore, certSelParams,
certsFound, plContext), PKIX_CACHECERTADDFAILED);
[dafda4eee75c]
```
Differential Revision: https://phabricator.services.mozilla.com/D105209
Jed Davis
Simon Giesecke
Emilio Cobos Álvarez
ffxbld
Jan Alexander Steffens (heftig)
Benjamin Beurdouche
Brindusan Cristian
Moritz Birghan
Bryce Seager van Dyk
Dana Keeler
Narcis Beleuzu
Bob Owen
Benjamin Beurdouche
Horst
Butkovits Atila
Sylvestre Ledru
R. Martinho Fernandes
Valentin Gosu
Bogdan Tara
Haik Aftandilian
Jonathan Kew
Dragana Damjanovic
Alexis Beingessner
Greg Tatum