The follow issues are fixed:
- Returning a failure result when failing to get a pref value instead of more
gracefully falling back to a default.
- Using an enum instead of a more strongly typed enum class.
- Using a pref branch instead of the preferred Preferences.h API.
- Manual memory management.
- Unnecessary use of pointers.
MozReview-Commit-ID: FKw5kBhnwxL
--HG--
extra : transplant_source : %21K%E2%83/%A5%AB%DB3%F4%FB%2CUD%9E%B6l%1C%3A%22
- Merge in test changes from Bug 1255784.
- Remove the unnecessary mutex
- Stop doing direct memory work in NSS Token
- Clean up direct memory work in ContentParent
- In order to store persistent crypto parameters, the NSSToken had to move
onto the main thread and be interfaced with via IDL/IPDL.
- Support Register/Sign via NSS using a long-lived secret key
- Rename the softtoken/usbtoken "enable" prefs, because of hierarchy issues
with the WebIDL Pref shadowing.
- Also orders the includes on nsNSSModule.cpp
- Attestation Certificates are in Part 2.
Updates per keeler review comments:
- Use //-style comments everywhere
- Refactor the PrivateKeyFromKeyHandle method
- Rename the logging and fix extraneous NS_WARN_IF/logging combinations
- Other updates from review
April 11-12:
- Correct usage of the "usageCount" flag for PK11_UnwrapPrivKey
- Rebase up to latest
April 15:
- Rebase to latest
MozReview-Commit-ID: 6T8jNmwFvHJ
--HG--
extra : transplant_source : w%26%CES%2Cu%04%3EAl%04%2Cb%E2v%C9%08%3A%CC%F4
Not all systems (i.e., Gonk) support CLOCK_MONOTONIC_COARSE and
CLOCK_REALTIME_COARSE. With this patch, we don't refer to them if
they are not supported.
This patch does the following:
- Implements nsNSSShutDownObject.
- Replaces more raw pointers with smart pointers.
- Fixes other misc issues.
MozReview-Commit-ID: HulWdonEbP8
--HG--
extra : transplant_source : %DC%27%14%AE%28%A2F%80%1F%2C%83L%D3h%A2%C7k%F0%1C%2B
Also converts the longer |UniquePtr<char, void(&)(void*)> foo(..., PORT_Free)|
to the shorter and equivalent |UniquePORTString foo(...)|.
MozReview-Commit-ID: LlrTNUYBP4V
--HG--
extra : transplant_source : afU%FB%0EC%3E%E0pm%A3-%0E%C8%83%CF%0A%B1%9E%ED
It is unused since the changes in Bug 825583 landed.
MozReview-Commit-ID: 2u2eu0aDqeH
--HG--
extra : transplant_source : f%5Ev%00%B6%8B%3E%5E%26%C3%10%25%D9%16%C1%98yhf%D2
Before this patch, the default policy for the use of SHA1 in certificate
signatures was "allow all" due to compatibility concerns.
After gathering telemetry, we are confident that we can enforce the policy of
"allow for locally-installed roots" (or certificates valid before 2016) without
too much breakage.
MozReview-Commit-ID: 8GxtgdbaS3P
--HG--
extra : rebase_source : d1bed911f2d5d40229ea06556fee0848668e98b6
Before this patch, the default policy for the use of SHA1 in certificate
signatures was "allow all" due to compatibility concerns.
After gathering telemetry, we are confident that we can enforce the policy of
"allow for locally-installed roots" (or certificates valid before 2016) without
too much breakage.
MozReview-Commit-ID: 8GxtgdbaS3P
--HG--
extra : rebase_source : 7e81131a6c215bf7af514f150ebe2eb16a5c612a
After these additions, the majority of the API surface should be covered.
MozReview-Commit-ID: CvpEX6Cm94d
--HG--
rename : security/manager/ssl/tests/unit/test_pkcs11_list.js => security/manager/ssl/tests/unit/test_pkcs11_module.js
extra : transplant_source : %B3%E0%09%B9%E4b%D0A%F0%00r%08%1F%9Dm%E7%CC9%E3l
Entries in kSTSPreloadList currently look like:
class nsSTSPreload
{
public:
const char *mHost;
const bool mIncludeSubdomains;
};
This is inefficient for a couple of reasons:
* The structure has a bunch of wasted space: it takes 8 bytes on 32-bit
platforms and 16 bytes on 64-bit platforms, even though it only uses 5
and 9 bytes, respectively.
* The |const char*| requires additional space in the form of relocations
(at least on Linux/Android), which doubles the space cost of
individual entries. (The space cost of the relocations is mitigated
somewhat on Linux and Android because of elfhack, but there's still
extra cost in the on-disk format and during the load of libxul to
process those relocations.)
* The relocations the structure requires means that the data in it can't
be shared between processes, which is important for e10s with multiple
content processes.
We can make it more efficient by structuring it like so:
static const char kSTSPreloadHosts[] = {
// One giant character array containing the hosts, in order:
// "example.com\0example.org\0example.test\0..."
// Use an array rather than a literal string due to compiler limitations.
};
struct nsSTSPreload
{
// An index into kSTSPreloadHosts for the hostname.
uint32_t mHostIndex: 31;
// We use the same datatype for both members so that MSVC will pack
// the bitfields into a single uint32_t.
uint32_t mIncludeSubdomains: 1;
};
nsSTSPreload now has no wasted space and is significantly smaller,
especially on 64-bit platforms (saves ~29K on 32-bit platforms and ~85K
on 64-bit platforms). This organization does add a couple extra
operations to searching for preload list entries, depending on your
platform, but the space savings make it worth it.
The main loop of |output| tweaks entries, filters out entries based on
some conditions, and writes out the actual entries we're going to use.
Let's separate those three steps so it's clearer what's happening where.
There are a long tail of C4311 and C4312 warnings in VS2015. Rather than
wait until all of them are fixed to land VS2015, we're taking the easy
way out and disabling these warnings in every directory currently
exhibiting a warning. This is evil. But it is a lesser evil than
globally disabling C4311 and C4312. At least with this approach new
C4311 and C4312 warnings in directories that aren't suppressing them
shouldn't be introduced.
MozReview-Commit-ID: 2cwWrjMD6B9
--HG--
extra : rebase_source : 3e7b8ea042765fdf138f5ca93a0f9dab75a95fcd
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. But the warning
occurs in third party code, so my hands are tied.
MozReview-Commit-ID: A0UF2RHJzVo
--HG--
extra : rebase_source : 3fc5300f6f67274162f4d65fd83eb9c18b4bf716
This is what Google suggests in its style guide, and somebody
already changed one of these comments to the new style.
--HG--
extra : rebase_source : fe3f7fc17a2fc09ad0ba01fa1511dc8dba7653e1
When building non-gonk builds, ANDROID_VERSION is not set. Beginning with NDK 11, getdtablesize is no longer included. This means that we should use the stub version of the function that is defined in android_stub.h for all android platforms. This patch moves the function out of the "#if ANDROID_VERSION >=21" block so that all android code can use it.
Adding glandium as the reviewer, because he reviewed the original patch at bug 1103816.
MozReview-Commit-ID: 2NmUl5XuvDS
--HG--
extra : transplant_source : %03%8C/%E0%20t%D0%3Al4%D4Oh%CB_%07%8A%24r%CC
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. So hopefully
someone fixes the underlying problem someday. However, there are tons
of ignored warnings in security/certverifier, so I guess the workaround
in this patch is par for the course.
MozReview-Commit-ID: 7GZ9RpkxnwT
--HG--
extra : rebase_source : 023a438b6458fb4859018cde421d51072f0f0490
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. But the warning
occurs in third party code, so my hands are tied.
MozReview-Commit-ID: BCXQcEejre9
--HG--
extra : rebase_source : a36a432edc834ec806dd4341f247143b178902a4
As part of unblocking building with VS2015u1 in automation, I'm mass
disabling compiler warnings that are turned into errors. This is not
the preferred mechanism to fix compilation warnings. But the warning
occurs in third party code, so my hands are tied.
MozReview-Commit-ID: 6n8nl517Ly
--HG--
extra : rebase_source : 19c1c012e1ddf15accbdf1a1050e4d607f9c7b31
There are two parts to this change. The first is a module to drive kinto
collection sync. This gives server-provided last-update times to each module
managing collection information so that data is only fetched when updates are
necessary. This also keeps track of when pings last took place (for future use)
and any apparent difference between client and server clock (we need this later
for the content signing work).
Currently only one module (the kinto version of the OneCRL client) consumes this
information, though more will follow.
The second is a minor change to nsBlocklistService.js to ensure that this ping
takes place whenever the existing blocklist ping happens.
MozReview-Commit-ID: 7SN03AOJ4Wc
When a built-in root certificate has its trust changed from the default value,
the platform has to essentially create a copy of it in the read/write
certificate database with the new trust settings. At that point, the desired
behavior is that the platform still considers that certificate a built-in root.
Before this patch, this would indeed happen for the duration of that run of the
platform, but as soon as it restarted, the certificate in question would only
appear to be from the read/write database, and thus was not considered a
built-in root. This patch changes the test of built-in-ness to explicitly
search the built-in certificate slot for the certificate in question. If found,
it is considered a built-in root.
MozReview-Commit-ID: HCtZpPQVEGZ
--HG--
extra : rebase_source : 759e9c5a7bb14f14a77e62eae2ba40c085f04ccd
When a built-in root certificate has its trust changed from the default value,
the platform has to essentially create a copy of it in the read/write
certificate database with the new trust settings. At that point, the desired
behavior is that the platform still considers that certificate a built-in root.
Before this patch, this would indeed happen for the duration of that run of the
platform, but as soon as it restarted, the certificate in question would only
appear to be from the read/write database, and thus was not considered a
built-in root. This patch changes the test of built-in-ness to explicitly
search the built-in certificate slot for the certificate in question. If found,
it is considered a built-in root.
MozReview-Commit-ID: HCtZpPQVEGZ
--HG--
extra : rebase_source : 898ef37459723f1d8479cfdc58658ccb00e782a9
nsX509CertValidity has several copy-pasted routines that differ only
slightly in the parameters they use for formatting times. Let's have a
single place to do the formatting and pass in the appropriate
parameters.
Before this change, if a certificate's issuer DN did not have an organization
component, nsIX509Cert.issuerOrganization would fall back to using the issuer
common name. This was never a good idea, because this gave misleading
information to consumers of this interface. Furthermore, it appears that all
consumers of this interface already do such a fallback (for display purposes)
when they've determined that it's a reasonable thing to do.
MozReview-Commit-ID: p2gmSP0nZW
--HG--
extra : rebase_source : 2248ff01e8c0e9a79b27f4406fdc2f0a4ed98360
Modify the Mac sandbox to allow temporary files to be created in a
parent-specified subdirectory of NS_OS_TEMP_DIR. This is similar to the
Windows approach. The parent provides a UUID in a preference which is
used by the content process to form the subdirectory name.
MozReview-Commit-ID: 6BONpfZz8ZI
--HG--
extra : rebase_source : ad18e091918356a1a40c13f1453972b4512ad476
This lets us remove things like gotos in the code, and makes resource ownership slightly clearer.
MozReview-Commit-ID: Kucn7exhLd7
--HG--
extra : transplant_source : %27%FF%D2tjLI%9B5ep%21%B7%FA%92%08%14%07%12%C6
Be warned. Do not attemp to change the .js "test" source code in ./js
They are meant to check
- the outdated 0666 octal constant is still parsed correctly,
- the outdated 0666 octal constant raises syntax error flag
in strict mode, etc.
So leave them alone.
It no longer serves any useful purpose:
1. It is no longer possible to add explicit trust for server certs post Bug 825583.
1A. The Add Exception feature is better suited for this anyways.
2. It isn't possible to set explicit distrust in the Cert Manager, only remove explicit trust.
3. Importing may also inadvertently cause verification failures (see Bug 1202636).
From Chromium commit comment:
Sandbox: Add support for file system policies that use implied device paths.
A policy rule of the form \HarddiskVolume0\Foo\bar allows sandboxed code
to use \\.\HarddiskVolume0\Foo\bar directly.
This takes the TLS Error Reporting functionality used in the aboutNetError.xhtml
and aboutCertError.xhtml error pages and moves it to its own component. This
allows us to make use of this same error reporting functionality from elsewhere.
Notably, this allows us to send error reports for issues that occur when loading
subresources.
The xpcshell test included is in security/manager/ssl/tests because we need to
make use of tlsserver functionality from the PSM tests.
This takes the TLS Error Reporting functionality used in the aboutNetError.xhtml
and aboutCertError.xhtml error pages and moves it to its own component. This
allows us to make use of this same error reporting functionality from elsewhere.
Notably, this allows us to send error reports for issues that occur when loading
subresources.
The xpcshell test included is in security/manager/ssl/tests because we need to
make use of tlsserver functionality from the PSM tests.
Logging output that happens with every TLS socket poll, read, or write
should really be Verbose, not Debug.
--HG--
extra : amend_source : 455a72faa041e51b5356410d7c216aa1fdadc6c6
These rules are copied from toolkit/.eslintrc (with non-passing rules excluded and previously commented out and passing rules included).
--HG--
extra : rebase_source : 0afa42350cc961cbb3cf6d985b3978f4dc5d3dcb
test_ocsp_stapling.js can take ~290s to run on e.g. b2g-emu-x86-kk, which is very close to the default 300s limit.
Splitting out some tests should reduce the intermittent time outs.
--HG--
rename : security/manager/ssl/tests/unit/test_ocsp_stapling.js => security/manager/ssl/tests/unit/test_ocsp_must_staple.js
Before this patch, we were measuring where SHA-1 was being used in TLS
certificates: nowhere, in end-entities, in intermediates, or in both. However,
the possible SHA-1 policies don't differentiate between end-entities and
intermediates and instead depended on whether or not each certificate has a
notBefore value after 2015 (i.e. >= 0:00:00 1 January 2016 UTC). We need to
gather telemetry on the possible policy configurations.
--HG--
extra : rebase_source : 301c821c8de16ffb924cd198dd0a4d3139536019
security/certverifier/NSSCertDBTrustDomain.cpp:433:26 [-Wformat] format specifies type 'long' but the argument has underlying type 'int'
security/certverifier/NSSCertDBTrustDomain.cpp:433:48 [-Wformat] format specifies type 'long long' but the argument has type 'mozilla::pkix::Time'
nsIKeyObject and nsIKeyObjectFactory defined an interface that was largely
unimplemented. This cuts the interface back to what actually exists in code.
--HG--
extra : rebase_source : 6241e801c3bd7f17518af648158fcfdcd0bda9cf
Using TEST_DIRS is nothing more than a shortcut for
if CONFIG['ENABLE_TESTS']:
DIRS += [...]
As such, we might as well remove it being a separate variable, and use some
Context magic to just fill DIRS when ENABLE_TESTS is set.
The security/manager/ssl/tests/unit/moz.build change ensures that the order
of DIRS before the change is kept, not because it matters, but because it
allows to confirm that nothing else is modified by this change.
Adds:
bug 1193480:
CN=Certification Authority of WoSign G2,O=WoSign CA Limited,C=CN
CN=CA WoSign ECC Root,O=WoSign CA Limited,C=CN
bug 1147675:
CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6,O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A...,L=Ankara,C=TR
bug 1230985:
OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
bug 1213044:
CN=OISTE WISeKey Global Root GB CA,OU=OISTE Foundation Endorsed,O=WISeKey,C=CH
Carsten "Tomcat" Book
ffxbld
Cykesiopka
Jonas Sicking
Julian Hector
J.C. Jones
Tim Taubert
Mark Goodwin
Thomas Zimmermann
Kai Engert
Chris Pearce
David Keeler
Ryan VanderMeulen
Wes Kocher
Dave Townsend
Bob Owen
timeless@mozdev.org
Martin Thomson
Kyle Huey
Ted Mielczarek
Nathan Froyd
Gregory Szorc
Boris Zbarsky
Sebastian Hengst
Brian Smith
Nathan Toone
Nicholas Nethercote
Tooru Fujisawa
Mike Shal
Franziskus Kiefer
Richard Barnes
Masatoshi Kimura
Nathan Froyd
Daniel Holbert
sajitk
Aniket Vyas
Tim Taubert
Haik Aftandilian
Nihanth Subramanya
Ehsan Akhgari
Ben Kelly
ISHIKAWA, Chiaki
Aidin Gharibnavaz
simplyblue
Bill McCloskey
Gijs Kruitbosch
Phil Ringnalda
Sylvestre Ledru
Patrick McManus
Jan de Mooij
Chris Peterson
Shu-yu Guo
Mike Hommey
Nick Alexander
Jed Davis
Magnus Melin
Panos Astithas