Commit Graph

2977 Commits

Author SHA1 Message Date
Nicholas Nethercote
e7f3233097 Bug 1120476 (part 4) - Remove PLDHashTableOps::finalize. r=froydnj.
--HG--
extra : rebase_source : b14dda8cdd5cd896d1e32950e38b2a9f7da4d99e
2015-01-13 19:02:35 -08:00
Nicholas Nethercote
00b5865c2a Bug 1120476 (part 3) - Remove PLDHashTable::data. r=froydnj.
--HG--
extra : rebase_source : 24d10af3dbce3ada5252503bc80bb1a4e31bc1c9
2015-01-13 16:42:13 -08:00
Brian Smith
e55c663696 Bug 1115910: Remove now-unneeded nullptr polyfill for old versions of GCC, r=keeler
--HG--
extra : rebase_source : 11e0060fd9b7622f0ec6792b69aa3c2ea9128aa5
2015-01-13 01:03:08 -08:00
Brian Smith
fa25a10ca6 Bug 1115906, Part 3: Make formatting of struct/class/enum class more consistent, r=keeler
--HG--
extra : rebase_source : 0ba4b630b93775ff68abc583238ba2525b8d56f5
2015-01-13 16:53:34 -08:00
Brian Smith
a66d4c2b8b Bug 1115906, Part 2: Annotate classes and member functions with override and final, r=keeler
--HG--
extra : rebase_source : 79bb236bef83ed3e884d73e029ac29a5aa999840
extra : source : d14d86bcebd38be80d00a263c3145eb0dbcc53cd
2015-01-13 16:54:10 -08:00
Brian Smith
b706f556b9 Bug 1115906, Part 1: Add workarounds for missing final/override support in GCC before version 4.7, r=keeler
--HG--
rename : security/pkix/include/pkix/nullptr.h => security/pkix/include/pkix/stdkeywords.h
extra : rebase_source : 9cacd9729ac4cfb1e4bf920c8afdffb831b60d36
extra : source : f673d05dfc9a6d830e5e3c01976b41588cc70ead
2015-01-07 14:53:11 -08:00
Masatoshi Kimura
82d5ce8388 Bug 1120664 - Rename mozilla::pkix::Result::ERROR_INVALID_TIME to avoid collision with a macro defined in windows.h. r=bsmith 2015-01-15 07:24:18 +09:00
Mike Hommey
628a1b5bd3 Bug 1120937 - Properly initialize the session field from C_OpenSession in the PKCS#11 test module. r=dkeeler 2015-01-14 15:18:50 +09:00
Brian Smith
5c7ed202b2 Bug 1118122: Reland Bug 1115903, Part 2: Delete most defaulted assignment operators and some defaulted copy constructors, r=jcj
--HG--
extra : rebase_source : 9fae7948648e355f2ac15275a343ac0806f82f3b
2015-01-12 23:12:01 -08:00
Cykesiopka
b58326c911 Bug 1120098 - Re-enable test_ocsp_timeout.js on Windows. r=dkeeler 2015-01-10 08:41:00 +01:00
Steve Singer
66aade4c48 Bug 1120125 - Fix compile error on big endian platforms. r=keeler 2015-01-10 14:31:00 +01:00
Masatoshi Kimura
f70d08c5aa Bug 1120062 - Part 1: Remove most Nullptr.h includes. r=waldo 2015-01-11 11:34:52 +09:00
Chris Peterson
0b8b25193e Bug 1118076 - Remove MOZ_THIS_IN_INITIALIZER_LIST. r=Waldo 2015-01-06 21:39:46 -08:00
David Keeler
5112c0f46a bug 1065909 - canonicalize hostnames in nsSiteSecurityService and PublicKeyPinningService r=mmc 2015-01-09 09:46:05 -08:00
Brad Lassey
899dca0947 bug 1118554 - fix gcc4.9 warnings on Android, <cstdlib> instead of <stdlib.h> r=gcp
--HG--
extra : rebase_source : cbb04c5973878e350e890c4df2ce271d32b7587e
2015-01-08 10:19:39 -05:00
Jacek Caban
55b1872f77 Bug 1119179 - Avoid gmtime_r duplication if it's provided by mingw. r=bsmith 2015-01-09 11:41:15 +01:00
Mark Goodwin ext:(%2C%20Harsh%20Pathak%20%3Chpathak%40mozilla.com%3E)
3bda017935 Bug 1024809 - (OneCRL) Create a blocklist mechanism to revoke intermediate certs. r=keeler r=Unfocused 2015-01-07 06:08:00 +01:00
Ehsan Akhgari
b6e35bb4b4 Bug 1118486 - Part 1: Use = delete instead of MOZ_DELETE directly; r=Waldo
Most of this patch (with the exception of dom/bindings/Codegen.py) was
generated by the following bash script:

#!/bin/bash

function convert() {
echo "Converting $1 to $2..."
find . ! -wholename "*nsprpub*" \
       ! -wholename "*security/nss*" \
       ! -wholename "*/.hg*" \
       ! -wholename "*/.git*" \
       ! -wholename "obj-*" \
         -type f \
      \( -iname "*.cpp" \
         -o -iname "*.h" \
         -o -iname "*.cc" \
         -o -iname "*.idl" \
         -o -iname "*.ipdl" \
         -o -iname "*.ipdlh" \
         -o -iname "*.mm" \) | \
    xargs -n 1 sed -i -e "s/\b$1\b/$2/g"
}

convert MOZ_DELETE '= delete'
2015-01-08 23:19:05 -05:00
David Keeler
a1f3b2453c bug 1101194 - follow-up to fix bustage in TestCertDB r=bustage on a CLOSED TREE
Turns out there was a code path that resulted in attempting to acquire a lock
on the DataStorage mutex when one had already been acquired, resulting in
deadlock. This fixes it.
2015-01-08 10:56:07 -08:00
Kai Engert
1aabca1e25 Bug 1107731, upgrade Mozilla 37 to use NSS 3.18 (this is beta 5), r=wtc 2015-01-08 19:40:05 +01:00
David Keeler
b18f07bda4 bug 1101194 - add telemetry for DataStorage table size r=mgoodwin 2015-01-07 13:23:07 -08:00
Cykesiopka
7d1003f392 Bug 989485 - Split test_cert_eku.js into multiple files to avoid time outs. r=keeler 2015-01-08 01:15:00 -05:00
Brian Smith
7e9ea7c5f5 Bug 1118599 - Remove now-unneeded MOZILLA_PKIX_ENUM_CLASS workaround for GCC enum class bugs. r=mmc 2015-01-06 18:28:09 -08:00
Michael Pruett
b9d2bd339e Bug 1118024 - Use new PL_DHashTable{Add,Lookup,Remove} functions. r=nfroyd 2015-01-05 20:27:28 -06:00
Mike Hommey
403bf99083 Bug 1110760 - Build and Package Chromium Sandbox wow_helper. r=gps 2015-01-08 10:44:41 +09:00
Mike Hommey
0e7bbf59c9 Bug 1110760 - Increase the chances of the wow_helper target code symbols being in the assumed order. r=aklotz 2015-01-08 10:44:41 +09:00
Bob Owen
15af7f7f74 Bug 1110760 - Import Chromium Sandbox wow_helper code. r=aklotz 2015-01-08 10:44:40 +09:00
David Keeler
8f6f828f17 bug 1114741 - have nsRandomGenerator guard against NSS shutdown r=jcj
nsRandomGenerator uses NSS resources but does not prevent against NSS shutting
down while doing so. To fix this, nsRandomGenerator must implement
nsNSSShutDownObject.
2015-01-05 16:11:26 -08:00
Brad Lassey
1c9ee71594 bug 1118554 - make android's stdcxx work r=glandium 2015-01-06 23:34:31 -05:00
Brian Smith
f64580a5e6 Bug 1073867, Part 5: Make DSS test faster, r=mmc
--HG--
extra : rebase_source : 5d3ae5b6c777382d69134d5c38fca0c52c93c3a2
extra : histedit_source : 15209d1249d2eb638143409404cbbe15f0a2715b
2014-12-24 17:56:10 -08:00
Nicholas Nethercote
9a2b68d42b Bug 1117611 - Fix shadowed variable in SandboxBroker::SetSecurityLevelForContentProcess(). r=bobowen.
--HG--
extra : rebase_source : 29f25cc34bd5f66bac2454c30613344fb63a92b5
2015-01-05 15:54:22 -08:00
Ehsan Akhgari
4b5d28601f Bug 1116559 - Remove the code to handle shutdown-cleanse from the cert override service code; r=keeler
shutdown-cleanse has not been a thing for quite a while.
2015-01-05 21:01:27 -05:00
Andrew Bartlett
3823a96109 Bug 423758 - Add NTLMv2 to internal NTLM handler. r=keeler
NTLMv2 is the default.

This adds a new preference:
network.ntlm.force-generic-ntlm-v1

This is to allow use of NTLMv1 in case issues are found in the NTLMv2
handler, or when contacting a server or backing DC that does not
support NTLMv2 for any reason.

To support this, we also:
 - Revert "Bug 1030426 - network.negotiate-auth.allow-insecure-ntlm-v1-https allows sending NTLMv1 credentials in plain to HTTP proxies, r=mcmanus"

 - Revert "Bug 1023748 - Allow NTLMv1 over SSL/TLS by default, r=jduell"

 - Remove LM code from internal NTLM handler

   The LM response should essentially never be sent, the last practical
   use case was CIFS connections to Windows 9X, I have never seen a web
   server that could only do LM

   It is removed before the NTLMv2 work is done so as to avoid having 3
   possible states here (LM, NTLM, NTLMv2) to control via preferences.

Developed with Garming Sam <garming@catalyst.net.nz>
2014-12-22 15:55:00 -05:00
Brian Smith
0df174721c Bug 1117003 - Backout cset ca3c73188295 (Bug 1115903, Part 2), r=ehsan 2015-01-02 12:26:14 -08:00
Phil Ringnalda
577013867e Merge m-i to m-c, a=merge 2015-01-03 20:02:33 -08:00
ffxbld
5968e9ce33 No bug, Automated HPKP preload list update from host bld-linux64-spot-100 - a=hpkp-update 2015-01-03 03:20:27 -08:00
ffxbld
44b7deef25 No bug, Automated HSTS preload list update from host bld-linux64-spot-100 - a=hsts-update 2015-01-03 03:20:25 -08:00
Brian Smith
47e92f2b3c Bug 1115903, Part 2: Delete most defaulted assignment operators and some defaulted copy constructors, r=jcj
--HG--
extra : rebase_source : 6c8575de36355521baf69bba89eba530cd4e8b09
2014-12-26 23:49:47 -08:00
Brian Smith
39853892f9 Bug 1115903, Remove VS2010 workarounds, r=mmc
--HG--
extra : rebase_source : 742973c0f2d547371fbeca72e384053c70b5ba0f
2014-12-26 21:39:54 -08:00
Brian Smith
17c1065e6f Bug 1115761, Part 4: Add "fall through" comment, r=jcj
--HG--
extra : rebase_source : 1e40d7d7d85c1a02eb6195ecee1038ea40a6a9ab
2014-12-26 15:07:56 -08:00
Brian Smith
a1d102d4f2 Bug 1115761, Part 3: Rename NSS-based crypto functions, r=jcj
--HG--
extra : rebase_source : b11b172fac76c7845d2a97cabf1bad9e04a50367
2014-12-23 14:51:52 -08:00
Brian Smith
b3bf235584 Bug 1115761, Part 2: Use NotReached more consistently in pkixnss.cpp, r=jcj
--HG--
extra : rebase_source : 80647fc11d40d822dc042af1d797cb34062a84ab
2014-12-23 22:35:53 -08:00
Brian Smith
b88b8f38dd Bug 1115761, Part 1: Remove obsolete references to NSS stuff in comments, r=jcj
--HG--
extra : rebase_source : 65af59d9695b424f057b40c54aab6973a39bcc25
2014-12-26 12:40:45 -08:00
Brian Smith
e3671889ff Bug 1035414, Part 2: Always check subject's issuer matches issuer's subject, r=jcj
--HG--
extra : rebase_source : a75eca6ed909fa4f241b1a736656b7e8c99eb3ea
2014-12-26 10:13:18 -08:00
Brian Smith
68fac13f07 Bug 1035414, Part 1: Test issuer/subject name matching, r=jcj
--HG--
extra : rebase_source : 8faab27888502083565db3681f10a310b69b1845
2014-12-26 11:35:48 -08:00
Brian Smith
df0803d83c Bug 1073867, Part 4: Test that DSS end-entity certificates are rejected, r=mmc
--HG--
extra : rebase_source : 7cfdcdf08f2ae8909062b8803de6702ab47ec65a
2014-12-26 11:40:51 -08:00
Brian Smith
257741f645 Bug 1073867, Part 3: Reject DSS end-entity certificates, r=mmc
--HG--
extra : rebase_source : 76546b57aade1a15b394a2e53d8c12d62906dcac
2014-12-24 00:51:52 -08:00
David Erceg
86c1c8ddf5 Bug 1111848 - Remove nsISiteSecurityService.shouldIgnoreHeaders and implementation. r=keeler 2014-12-22 20:26:49 +11:00
Ehsan Akhgari
0d12ab6f75 Bug 1115076 - Wait for about:privatebrowsing to load in test_sts_privatebrowsing_perwindowpb.html; r=jdm 2014-12-31 09:32:03 -05:00
Ehsan Akhgari
8d1f34cb76 Bug 1117043 - Mark virtual overridden functions as MOZ_OVERRIDE in security; r=bsmith 2015-01-02 09:02:04 -05:00
ffxbld
c859dae2e4 No bug, Automated HPKP preload list update from host b-linux64-ix-0002 - a=hpkp-update 2014-12-27 03:21:29 -08:00
ffxbld
bc4966f0aa No bug, Automated HSTS preload list update from host b-linux64-ix-0002 - a=hsts-update 2014-12-27 03:21:25 -08:00
Kaspar Brand
6542374a70 Bug 1112487 - The signing certificates with key usage only non-repudiation is taken as invalid for signing. r=keeler 2014-12-17 21:31:00 -05:00
Tom Schuster
2d05106e74 Bug 1110835 - Simplify some code nsSecureBrowserUIImpl around UpdateSecurityState. r=keeler 2014-12-25 21:31:11 +01:00
Masatoshi Kimura
bf2b64547c Bug 1114295 - Remove the dead pref for TLS_DHE_DSS_WITH_AES_128_CBC_SHA. r=keeler 2014-12-24 22:21:12 +09:00
Tom Schuster
8d71a7d0ca Bug 764496 - Make EV detection work in content processes. r=keeler,kanru 2014-12-24 14:04:24 +01:00
Brian Smith
3c27e21f16 Bug 1115181: Remove pkixnss.h dependency from pkixcert_signature_algorithm_tests, r=keeler
--HG--
extra : rebase_source : 2a4e11338b06d33ab8ad1536dc05c082db330d68
2014-12-23 14:51:16 -08:00
Brian Smith
d72d293161 Bug 1070444: Remove NSS dependencies in pkixbuild_tests.cpp, r=keeler
--HG--
extra : rebase_source : f07e38d40f1644cce30191f5d8ab29ac06582683
2014-12-22 01:20:59 -08:00
Brian Smith
2e3f19b2fa Bug 1114701: Replace function pointers with function references, r=keeler
--HG--
extra : rebase_source : 350e7f8170f6b1176e46b829026e9ee27b3303e5
2014-12-23 12:43:25 -08:00
Daniel Holbert
33c7419e62 Bug 1114671: Use function pointer (instead of reference) in pkix/bind.h, for consistency & to fix -Wignored-qualifiers build warning for 'const'. r=briansmith 2014-12-22 13:04:36 -08:00
Brian Smith
e7cd1a4936 Bug 1107666, Part 2: Further fix for SSL_OCSP_STAPLING telemetry, r=keeler
--HG--
extra : rebase_source : b2dbbd4eaa8aea019b40eddfc19fb8af20ef3a4c
2014-12-20 07:03:57 -08:00
Carsten "Tomcat" Book
0b4b40c804 Backed out changeset 8fd0df8e208c (bug 423758) for bustage 2014-12-22 09:05:34 +01:00
J.C. Jones
2a55f8138d Bug 968451 - Document the exported functions exposed from mozilla::pkix (pkix/pkix.h). r=keeler 2014-12-19 12:25:00 +01:00
Andrew Bartlett
1b11a5e146 Bug 423758 - Add NTLMv2 to internal NTLM handler. r=keeler
NTLMv2 is the default.

This adds a new preference:
network.ntlm.force-generic-ntlm-v1

This is to allow use of NTLMv1 in case issues are found in the NTLMv2
handler, or when contacting a server or backing DC that does not
support NTLMv2 for any reason.

To support this, we also:
 - Revert "Bug 1030426 - network.negotiate-auth.allow-insecure-ntlm-v1-https allows sending NTLMv1 credentials in plain to HTTP proxies, r=mcmanus"

 - Revert "Bug 1023748 - Allow NTLMv1 over SSL/TLS by default, r=jduell"

 - Remove LM code from internal NTLM handler

   The LM response should essentially never be sent, the last practical
   use case was CIFS connections to Windows 9X, I have never seen a web
   server that could only do LM

   It is removed before the NTLMv2 work is done so as to avoid having 3
   possible states here (LM, NTLM, NTLMv2) to control via preferences.

Developed with Garming Sam <garming@catalyst.net.nz>
2014-12-18 17:25:00 +01:00
Phil Ringnalda
5015a7c40e Merge m-c to m-i
--HG--
extra : rebase_source : 55a788f13c946c7110ca313969051c34f731637e
2014-12-20 12:19:27 -08:00
ffxbld
2e74909c2f No bug, Automated HPKP preload list update from host bld-linux64-spot-115 - a=hpkp-update 2014-12-20 03:20:57 -08:00
ffxbld
bf0ab57a50 No bug, Automated HSTS preload list update from host bld-linux64-spot-115 - a=hsts-update 2014-12-20 03:20:56 -08:00
Michael Wu
14f46b1099 Bug 1103816 - Add support for gonk-L to android_stub.h, r=glandium 2014-12-16 21:35:09 -05:00
Blake Kaplan
0a4a7c82ef Bug 1113313 - Rename these functions to better reflect what they do. r=billm
--HG--
extra : rebase_source : ae61b3dd6dd5ce50a131a640060d7be57e562e4d
2014-12-19 12:07:04 -05:00
Brian Smith
aac41f8e45 Bug 1073867, Part 2: Remove now-unused DSA test certificates, r=keeler
--HG--
extra : rebase_source : 150c65abc66a48f70bca6e2dca8727fa402505ea
2014-12-15 20:49:42 -08:00
Brian Smith
1d6f6a61f9 Bug 1073867, Part 1: Remove DSS certificate support from mozilla::pkix, r=keeler
--HG--
extra : rebase_source : 3bef46a794e53584fd35b7640a6f4c9aaea4acab
2014-12-04 20:55:15 -08:00
Brian Smith
ee192894d6 Bug 1111399, Part 2: Implement RFC822 (email) name constraints, r=keeler
--HG--
extra : rebase_source : 5905e247eee4d3562d741e6e9656dc4c40d821e4
2014-12-20 08:15:35 -08:00
Brian Smith
0c55f197b8 Bug 1111399, Part 1: Preconditions for RFC822 name constraints, r=keeler
--HG--
extra : rebase_source : cd20b448a6c77ba27c86cb3d8e6c121f92a2ba93
2014-12-20 07:35:44 -08:00
Brian Smith
49557a456e Bug 1111398: Rename ValidDNSIDMatchType to IDRole, r=keeler
--HG--
extra : rebase_source : a07e58b82a61db595711c0ab887bec70d4145888
2014-12-13 22:29:58 -08:00
Brian Smith
202319530d Bug 1111397, Part 2: Remove test_bug484111.html, r=keeler
--HG--
extra : rebase_source : 56617ea82e9028295203173d1ea5e6ccfdbf9722
2014-12-14 21:51:26 -08:00
Brian Smith
5fdc768a51 Bug 1111397: Refactor error handling for name matching, r=keeler
--HG--
extra : rebase_source : 7b1061874d7b6e02a158085c3a6580a7fc718bbe
2014-12-13 17:05:46 -08:00
Ryan VanderMeulen
d2ebc2ac1b Merge inbound to m-c. a=merge
CLOSED TREE
2014-12-17 20:53:20 -05:00
Brian Smith
ab604352ec Bug 952863, Part 2: Remove dead code for non-ECDHE TLS False Start, r=keeler
--HG--
extra : rebase_source : 47ee95682f769b8e10aaf55b0f4fccfef1fcdea0
2014-12-10 10:13:18 -08:00
Nathan Froyd
a25f7bb7ef Bug 1112608 - use GENERATED_INCLUDES in security/manager/{boot,pki}/src/; r=mshal
The sole use of Makefile.in in the security/manager/{boot,pki}/src/
directories is so we can add $(DIST)/public/nss to INCLUDES.
GENERATED_INCLUDES can be used to handle this case instead, at the cost
of hardcoding the path to $(DIST).  This seems reasonable enough, since
a number of moz.build files already know about dist/ and its location
within the objdir.
2014-12-17 11:02:19 -05:00
Kai-Zhen Li
5e505281df bug 1102277 - Update seccomp filter for newer bionic. r=jld 2014-11-21 01:07:15 +08:00
Brian Smith
c2c84b2d85 Bug 1111392: Add tests for malformed name constraints where there are no names of the constrained type, r=keeler
--HG--
extra : rebase_source : 048619553c7725eee1cb73df64faae8c8890c995
2014-10-30 16:48:31 -07:00
Brian Smith
711e0958fb Bug 952863, Part 1: Require ECDHE for TLS False Start, r=keeler
--HG--
extra : rebase_source : d983e440de5be7c097a3e0f4afe0de805c540919
2014-12-12 11:39:01 -08:00
Masatoshi Kimura
7e7387fa88 Bug 1092835 - Log usage of weak ciphers in the console. r=keeler,mcmanus 2014-12-13 20:09:01 +09:00
Brian Smith
16e97557a6 Bug 1084025, Part 3: Clean up some bits, r=keeler, r=emk
--HG--
extra : rebase_source : 7aa1de4e9c391bf3e3cd5df79c62fff4546a8c67
2014-12-12 16:42:41 -08:00
Brian Smith
746ee1cc1d Bug 1107666: Fix OCSP stapling telemetry (SSL_OCSP_STAPLING), r=keeler
--HG--
extra : rebase_source : 926f091b2a361d7dce30bee918d6659259f1b3e4
2014-12-11 23:22:35 -08:00
David Keeler
f43341290a bug 1108408 - GeneralName types such as otherName where the value is a SEQUENCE should have the CONSTRUCTED bit set r=briansmith 2014-12-08 13:39:19 -08:00
Monica Chew
43d32595f5 Bug 1101969: Disable pinning on media.mozilla.com (r=keeler) 2014-12-12 09:10:57 -08:00
Monica Chew
28d916edec Bug 1004781: Enable pinning for facebook in production mode (r=keeler) 2014-12-12 09:10:53 -08:00
Brian Smith
5fc13799a4 Bug 940787: Stop requiring ALPN/NPN for False Start, r=keeler
--HG--
extra : rebase_source : f8946e1fc631f2458807a559104a1dca01f444ac
2014-12-10 10:50:48 -08:00
Brian Smith
a0b84fea0a Bug 1109766: Require AES-GCM for TLS False Start, r=keeler
--HG--
extra : rebase_source : 8370c628863e644131ed1fbe6b8e49b5dc1215dc
2014-12-10 10:19:00 -08:00
Brian Smith
5c47242dce Bug 861310: Require TLS 1.2 for TLS False Start, r=keeler
--HG--
extra : rebase_source : d4bb253a84270c84acdf7ed4f84bc0186231e521
2014-12-10 10:04:45 -08:00
Cykesiopka
7dea3f8ad2 Bug 1109252 - Make remaining PSM test cert generation scripts print out cert information as necessary. r=keeler 2014-12-10 21:32:00 +01:00
Jed Davis
11b93c27db Bug 1093334 - Delete unnecessary copies of Chromium headers in security/sandbox/linux. r=kang 2014-12-10 17:26:12 -08:00
Jed Davis
95e992685b Bug 1093334 - Adjust includes of Linux sandboxing headers from Chromium. r=kang
Also re-sorts some of the includes into something closer to the style guide.
2014-12-10 17:26:12 -08:00
Jed Davis
4424491b98 Bug 1093334 - Import more headers from Chromium rev 9522fad406dd161400daa518075828e47bd47f60. r=kang 2014-12-10 17:26:12 -08:00
Jed Davis
5748fc5814 Bug 1102209 - Remove use of CodeGen::JoinInstructions in the Linux sandboxing code. r=kang
This reorganizes SandboxAssembler to stack up the policy rules and
traverse them in reverse order to build the filter DAG from tail to head
(i.e., starting with "deny all" and prepending allow and return-errno
rules).  Thus, this code will continue to work (perhaps with minor
changes, such as to the NodePtr typedef) with future versions of the
Chromium sandbox code that don't allow mutating the filter program with
the JoinInstructions method.
2014-12-10 17:26:12 -08:00
Jed Davis
fa76014b99 Bug 1108759 - Fix B2G no-optimization builds. r=glandium 2014-12-10 16:17:47 -08:00
Cykesiopka
e5ba430e1c Bug 1109245 - Modify test_keysize_ev.js to run on B2G. r=dkeeler 2014-12-09 12:07:00 -05:00
Cykesiopka
e0e9311fed Bug 978426 - Re-enable test_sts_preloadlist_perwindowpb.js on B2G. r=dkeeler 2014-12-09 11:37:00 +01:00
Brian Smith
5c002c8cf0 Bug 1107791 Remove support for unusual wildcard names in certificates, r=keeler
--HG--
extra : rebase_source : bd142d2e85059a0d0fd36325242553e94a7d4377
2014-12-04 17:12:09 -08:00
Brian Smith
1f021d1dc2 Bug 1107790: Remove support for absolute hostnames in presented DNS IDs and name constraints, r=keeler
--HG--
extra : rebase_source : cf402f902196e729026d713cd6d62f5c3b889a12
2014-12-08 16:42:54 -08:00
Brian Smith
182ca6d6e1 Bug 1107787: Disable TLS_DHE_DSS_WITH_AES_128_CBC_SHA, r=keeler
--HG--
extra : rebase_source : 063d859c69adc8deba9d1842f4bd42a9b862bbe5
2014-12-04 19:50:58 -08:00
Brian Smith
df0494a7e3 Bug 1037098: Remove preferences for cipher suites disabled in bug 1036765, r=keeler
--HG--
extra : rebase_source : b033bea062c8cafecd93830fa54f4cf184fa28df
2014-12-04 19:47:17 -08:00
Brian Smith
2493786334 Bug 1107946: Fixed unused variable warnings in pkixnames_tests.cpp, r=keeler
--HG--
extra : rebase_source : 23d20e91c8b408363acab7c6d4d67a86d2293dff
2014-12-05 12:14:49 -08:00
Ryan VanderMeulen
dc8568d63a Backed out changesets fb903f13f215, 9c5c712698e4, and 36d257ead3da (bug 1092835) for causing test_csp_allow_https_schemes.html permafail on Android 2.3.
CLOSED TREE
2014-12-09 14:00:47 -05:00
Masatoshi Kimura
605569f981 Bug 1092835 - Log usage of weak ciphers in the console. r=keeler,mcmanus 2014-12-10 00:54:06 +09:00
Masatoshi Kimura
152424e082 Bug 1093724 - Add a range check to the TLS version prefs loading code. r=keeler 2014-12-09 21:48:29 +09:00
Masatoshi Kimura
587906641b Bug 1084025 - Add telemetry to measure failures due to not falling back. r=keeler 2014-12-09 07:19:05 +09:00
Ryan VanderMeulen
be6607416e Merge inbound to m-c. a=merge 2014-12-08 15:46:14 -05:00
Jay Wang
32debb7f9a Bug 1105452 - Need to use new Audio system APIs for audio offload playback. r=roc, r=jld, r=ggrisco
Resolve the build failure caused by API changes

There are some changes in Audio APIs in Android version
21. Modifying the code to use the new APIs.

Change-Id: I24fdeb20f8f957d05fb6c0c317de0a6f0769c347

Resolve seccomp violation caused by syscall 256

Modify the filter to allow syscall 256 (set_tid_address).

Change-Id: I49461770c4c5e70bf68462d34321381b0b7ead0a
2014-12-02 17:10:00 -05:00
Carsten "Tomcat" Book
0813821e4d merge mozilla-inbound to mozilla-central a=merge 2014-12-08 12:48:58 +01:00
ffxbld
c15c36922a No bug, Automated HPKP preload list update from host bld-linux64-spot-132 - a=hpkp-update 2014-12-06 03:20:43 -08:00
ffxbld
3651d911d5 No bug, Automated HSTS preload list update from host bld-linux64-spot-132 - a=hsts-update 2014-12-06 03:20:41 -08:00
Cykesiopka
138fceadf6 Bug 1085074 - Part 3 - Update inadequately sized Delegated Signer cert. r=briansmith 2014-12-07 20:42:00 +01:00
Cykesiopka
28d4d715c5 Bug 1085074 - Part 2 - Use explicit bit sizes for key size cert file names. r=briansmith 2014-12-07 20:41:00 +01:00
Cykesiopka
92c07ad107 Bug 1085074 - Part 1 - Use adequate/OK and inadequate/notOK to refer to sizes for key size tests. r=briansmith 2014-12-07 20:23:00 +01:00
David Keeler
88be9791ce bug 1020237 - follow-up to fix build bustage r=bustage on a CLOSED TREE 2014-12-05 10:12:58 -08:00
David Keeler
d9e1912427 bug 1020237 - prefer root certificates to non-root certificates in NSSCertDBTrustDomain::FindIssuer r=briansmith 2014-12-04 13:37:01 -08:00
Brian Smith
3a97f29d06 Bug 970542, Part 9: Better document name constraints as reference IDs, r=keeler
--HG--
extra : rebase_source : 60413188771454081226d58d03156c15ce795ca7
2014-10-26 11:26:26 -07:00
Brian Smith
adaf412263 Bug 970542, Part 8: IPAddress name constraint tests, r=keeler
--HG--
extra : rebase_source : e8cc0158248d4621da19dfef56089957af417f73
2014-10-26 16:57:00 -07:00
Brian Smith
f9a98ddf90 Bug 970542, Part 7: More CN-ID name constraint tests, r=keeler
--HG--
extra : rebase_source : 7a3d1d31cdc08ea1b989428cfc85f60a00528c72
2014-12-03 21:35:29 -08:00
Brian Smith
54e073fbcf Bug 970542, Part 6: DNSName name constraint tests, r=keeler
--HG--
extra : rebase_source : ec31862fc25cfcba1454ae862a26e7a27513e9b6
2014-10-19 23:53:45 -07:00
Brian Smith
02208f546b Bug 970542, Part 5: New name constraint implementation, r=keeler, r=mmc
--HG--
extra : rebase_source : 849161ac892b05e5ff2d5552c632fc647d309085
2014-10-18 15:38:42 -07:00
Brian Smith
9b37d008b6 Bug 970542, Part 4: DirectoryName name constraint matching, r=keeler
--HG--
extra : rebase_source : 01770088851823ae1005227dcd43d82d015f4b0e
2014-10-18 14:51:37 -07:00
Brian Smith
c21142ee14 Bug 970542, Part 3: IPAddress name constraint matching, r=keeler
--HG--
extra : rebase_source : f47ef9ead3323704595b91873811d1ead2403839
2014-10-17 13:02:26 -07:00
Brian Smith
f8c7ead55e Bug 970542, Part 2: DNSName name constraint matching, r=keeler
--HG--
extra : rebase_source : 50b1a7d5d9da97cc64e09d5e6cdc41b8200c3551
2014-10-20 22:20:58 -07:00
Brian Smith
539fa2a14d Bug 970542, Part 1: Refactor name matching within CN AVAs to reduce duplicate logic, r=keeler
--HG--
extra : rebase_source : f129b24c58377f34ac7d80ee7d5e8775635843ff
2014-10-16 16:44:27 -07:00
Steven Michaud
4933c1b33d Bug 1083284 - New sandbox rules for Adobe's code fragment. r=areinald 2014-12-08 12:10:14 -06:00
Bob Owen
2824b2a003 Bug 1105729: Pre VS2010 SP1 define our own verion of _xgetbv. r=tabraldes 2014-11-28 18:58:33 +00:00
Cykesiopka
012a5db140 Bug 1009158 - Fix and re-enable PSM xpcshell tests that would previously time out on Android due to LD_LIBRARY_PATH issues. r=keeler 2014-12-03 09:15:00 +01:00
Masatoshi Kimura
6d98b6a986 Bug 1102632 - Stop triggering non-secure fallback for SSL_ERROR_UNSUPPORTED_VERSION. r=keeler 2014-12-02 20:33:24 +09:00
Kai Engert
3665e05348 Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.17.3, changing version numbers, only. 2014-12-01 14:34:08 +01:00
Jan Beich
d76f92bf8d Bug 1105851 - Unbreak non-unified non-SPS build after 1054498. r=jcj 2014-11-30 21:27:45 +01:00
Bob Owen
513e26d6ce Bug 1094667: Use the USER_NON_ADMIN access token by default for the Windows content sandbox. r=tabraldes 2014-11-29 17:12:18 +00:00
Bob Owen
976a5c00ec Bug 928044 Part 3: Add logging changes back into the Chromium interception code. r=tabraldes 2014-11-29 17:12:18 +00:00
Bob Owen
9a0a395aed Bug 928044 Part 2: Enable the content sandbox by default on Windows with an open policy. r=tabraldes,glandium,jimm
--HG--
rename : security/sandbox/win/src/warnonlysandbox/wosCallbacks.h => security/sandbox/win/src/logging/loggingCallbacks.h
rename : security/sandbox/win/src/warnonlysandbox/wosTypes.h => security/sandbox/win/src/logging/loggingTypes.h
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.cpp => security/sandbox/win/src/logging/sandboxLogging.cpp
rename : security/sandbox/win/src/warnonlysandbox/warnOnlySandbox.h => security/sandbox/win/src/logging/sandboxLogging.h
2014-11-29 17:12:18 +00:00
Bob Owen
f1c46b88fc Bug 928044 Part 1: Remove Chromium interception logging changes. r=tabraldes 2014-11-29 17:12:17 +00:00
ffxbld
9c4b8697e8 No bug, Automated HPKP preload list update from host b-linux64-ix-0005 - a=hpkp-update 2014-11-29 03:19:59 -08:00
ffxbld
fc4c314b24 No bug, Automated HSTS preload list update from host b-linux64-ix-0005 - a=hsts-update 2014-11-29 03:19:56 -08:00
Kai Engert
5120a5ba80 Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18, land beta 4 which backs out bug 1073330 2014-11-28 07:56:26 +01:00
Carsten "Tomcat" Book
004f2edc52 Backed out changeset 761071f57ab6 (bug 1024809) for emulator ics bustage 2014-11-27 16:30:41 +01:00
Mark Goodwin ext:(%2C%20Harsh%20Pathak%20%3Chpathak%40mozilla.com%3E)
e1eaa1f5df Bug 1024809 - (OneCRL) Create a blocklist mechanism to revoke intermediate certs. r=keeler,Unfocused 2014-11-27 04:12:00 +01:00
Masatoshi Kimura
5754d27f07 Bug 1092998 - Followup to address review comments. r=keeler 2014-11-27 21:39:33 +09:00
Bob Owen
0313e26177 Bug 1027902: Use an intial integrity level of low for the GMP sandbox on Windows. r=tabraldes 2014-11-27 08:44:45 +00:00
Blake Kaplan
0a803d9447 Bug 582297 - Make <keygen> work in e10s. r=billm/dkeeler 2014-11-26 14:28:28 -08:00
Masatoshi Kimura
d651e82425 Bug 1092998 - Deal with "cipher mismatch intolerant" servers. r=keeler 2014-11-27 07:19:11 +09:00
Rob Stradling
2f38dd3438 bug 1104109 - follow-up to fix new EV OID description strings (they need to match if the OIDs are the same) r=keeler 2014-11-26 11:28:17 -08:00
Bob Owen
7ca0b31e65 Bug 1041775 Part 3: Re-apply pre-vista stdout/err process inheritance change to Chromium code after merge. r=tabraldes
Originally landed as changsets:
https://hg.mozilla.org/mozilla-central/rev/f94a07671389
2014-11-18 15:11:47 +00:00
Bob Owen
57f83c8aaa Bug 1041775 Part 2: Re-apply warn only sandbox changes to Chromium code after merge. r=tabraldes
Originally landed as changsets:
https://hg.mozilla.org/mozilla-central/rev/e7eef85c1b0a
https://hg.mozilla.org/mozilla-central/rev/8d0aca89e1b2
2014-11-18 15:09:55 +00:00
Bob Owen
13e2a562f7 Bug 1041775 Part 1: Update Chromium sandbox code to commit 9522fad406dd161400daa518075828e47bd47f60. r=jld,aklotz,glandium
--HG--
rename : security/sandbox/chromium/sandbox/linux/sandbox_export.h => security/sandbox/chromium/sandbox/sandbox_export.h
2014-11-18 13:48:21 +00:00
Cykesiopka
82d0372c82 Bug 1103336 - Fix and re-enable PSM xpcshell tests that don't use add_tls_server_setup() on Android. r=dkeeler 2014-11-22 00:08:00 +01:00
J.C. Jones
ab36d11f8d Bug 1104109 - December 2014 batch of EV root CA Changes. r=keeler 2014-11-24 16:36:00 +01:00
Richard Barnes
78927cb49c Bug 968817 - Only accept certs for server TLS which use EKU (and which assert the TLS Server Authentication EKU) r=keeler 2014-11-24 20:33:50 -05:00
Jed Davis
eb5a7b8072 Bug 1101170 - Move Linux sandbox code into plugin-container on desktop. r=kang r=glandium
Specifically:
* SandboxCrash() uses internal Gecko interfaces, so stays in libxul.
* SandboxInfo moves to libxul from libmozsandbox, which no longer exists.
* Where libxul calls Set*Sandbox(), it uses weak symbols.
* Everything remains as it was on mobile.
2014-11-24 15:22:13 -08:00
Jed Davis
279ab5b3c8 Bug 1101170 - Move sandbox status info into a separate module. r=kang r=glandium
This changes the interface so that the code which determines the flags
can live in one place, but checking the flags doesn't need to call into
another library.

Also removes the no-op wrappers for Set*Sandbox when disabled at build
time; nothing used them, one of them was unusable due to having the wrong
type, and all they really accomplish is allowing sloppiness with ifdefs
(which could hide actual mistakes).
2014-11-24 15:22:13 -08:00
Richard Barnes
c8d1717147 Bug 1088255 - Collect telemetry on CAs that appear in valid cert chains r=keeler 2014-11-07 16:26:46 -05:00
Carsten "Tomcat" Book
99c627c356 merge mozilla-inbound to mozilla-central a=merge 2014-11-24 13:30:23 +01:00
ffxbld
ad59d69d06 No bug, Automated HPKP preload list update from host bld-linux64-spot-132 - a=hpkp-update 2014-11-22 03:19:44 -08:00
ffxbld
cd9a4bdea2 No bug, Automated HSTS preload list update from host bld-linux64-spot-132 - a=hsts-update 2014-11-22 03:19:41 -08:00
Kai Engert
d568114769 Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA3, r=wtc 2014-11-20 20:29:15 +01:00
Carsten "Tomcat" Book
00488eb57e Backed out changeset 1aebb84c8af1 (bug 1041775) for Windows 8 PGO Build Bustage on a CLOSED TREE
--HG--
rename : security/sandbox/chromium/sandbox/sandbox_export.h => security/sandbox/chromium/sandbox/linux/sandbox_export.h
2014-11-20 16:11:56 +01:00
Carsten "Tomcat" Book
aadab21ee9 Backed out changeset ec63befb3ad7 (bug 1041775) 2014-11-20 16:11:12 +01:00
Carsten "Tomcat" Book
0f9bf9f40f Backed out changeset ebe866ff8a44 (bug 1041775) 2014-11-20 16:11:06 +01:00
David Keeler
cc65ea472a bug 1079436 - fix validThrough as returned by VerifyEncodedOCSPResponse r=briansmith
validThrough should now be the time through which, if passed in as the given
time to validate an OCSP response at, VerifyEncodedOCSPResponse will still
consider it trustworthy. After that time, it will be expired. This makes it
so the OCSP cache compares validity period responses consistently with
mozilla::pkix.
2014-11-21 10:43:43 -08:00
Bob Owen
a52aebdb85 Bug 1041775 Part 3: Re-apply pre-vista stdout/err process inheritance change to Chromium code after merge. r=tabraldes
Originally landed as changsets:
https://hg.mozilla.org/mozilla-central/rev/f94a07671389
2014-11-18 15:11:47 +00:00
Bob Owen
87ccc9be29 Bug 1041775 Part 2: Re-apply warn only sandbox changes to Chromium code after merge. r=tabraldes
Originally landed as changsets:
https://hg.mozilla.org/mozilla-central/rev/e7eef85c1b0a
https://hg.mozilla.org/mozilla-central/rev/8d0aca89e1b2
2014-11-18 15:09:55 +00:00
Bob Owen
aae8e1186c Bug 1041775 Part 1: Update Chromium sandbox code to commit 9522fad406dd161400daa518075828e47bd47f60. r=jld,aklotz
--HG--
rename : security/sandbox/chromium/sandbox/linux/sandbox_export.h => security/sandbox/chromium/sandbox/sandbox_export.h
2014-11-18 13:48:21 +00:00
David Keeler
975927dcc7 bug 1091232 - update PSM data structures that are affected by root CA changes r=mmc 2014-11-18 16:41:18 -08:00
Cykesiopka
509363556e Bug 1089305 - Switch EV tests to SQL DB and partially clean up scripts. r=keeler 2014-11-17 21:12:00 +01:00
Monica Chew
2d3f38456b Bug 1092606: Filter out duplicate pinsets as well as domains (r=keeler) 2014-11-17 12:54:42 -08:00
Kai Engert
75427f88c8 Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18 - NSS_3_18_BETA2 2014-11-17 14:57:45 +01:00
Cykesiopka
e59f7d10ca Bug 1084606 - Allow overrides for MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE. r=dkeeler 2014-11-11 00:59:00 +01:00
Gregory Szorc
d8dfd9b547 Merge inbound to m-c; a=merge
--HG--
extra : amend_source : 2e89bf359e356566aee6b04bb864979539e1c90d
2014-11-15 13:57:08 -08:00
ffxbld
09c8458513 No bug, Automated HPKP preload list update from host b-linux64-ix-0011 - a=hpkp-update 2014-11-15 03:21:19 -08:00
ffxbld
f9882b9437 No bug, Automated HSTS preload list update from host b-linux64-ix-0011 - a=hsts-update 2014-11-15 03:21:16 -08:00
David Keeler
2a1194b40c bug 940994 - follow-up to fix some issues that were missed in review r=mmc 2014-11-14 16:46:23 -08:00
Monica Chew
24a5ab6b1d Bug 1098288: Enable pinning on spideroak (r=keeler) 2014-11-14 11:17:40 -08:00
Masatoshi Kimura
40351c3a65 Bug 1094495 - Disable C4480 in security/pkix. r=keeler 2014-11-12 07:41:42 +09:00
Cykesiopka
d10e8aef8f Bug 1057035 - Fix terminology used in the certificate exception dialog. r=keeler 2014-10-27 21:06:00 -04:00
Masatoshi Kimura
55d966ec5f Bug 1093595 - Change strings to add a description about weak encryption. r=dolske 2014-11-11 07:29:44 +09:00
Masatoshi Kimura
f4f4964baf Bug 1093595 - Treat SSL3 and RC4 as broken. r=keeler 2014-11-11 07:29:44 +09:00
Carsten "Tomcat" Book
925df8e984 merge mozilla-inbound to mozilla-central a=merge 2014-11-10 14:24:51 +01:00
ffxbld
818d809dde No bug, Automated HPKP preload list update from host bld-linux64-spot-144 - a=hpkp-update 2014-11-08 03:20:20 -08:00
ffxbld
a9a58b836b No bug, Automated HSTS preload list update from host bld-linux64-spot-144 - a=hsts-update 2014-11-08 03:20:17 -08:00
Monica Chew
ccfc8984aa Bug 1030135: Promote pin for services.mozilla.com to production mode (r=keeler) 2014-11-07 12:00:50 -08:00
Shashank Sabniveesu
c51de0f3e3 Bug 940994 - Adding '.p7b' to 'known file types' list of 'Certificate Manager'. r=keeler 2014-10-07 14:30:00 +02:00
Chris Peterson
23bc91c094 Bug 1095926 - Fix -Wcomment warning in OCSP test and mark some OCSP tests as FAIL_ON_WARNINGS. r=briansmith 2014-10-11 20:13:45 -07:00
Michael Ratcliffe
e2616dda10 Bug 1090913 - Make mochitests fail when it has 0 passes and 0 fails r=jmaher 2014-11-05 16:00:52 +00:00
Jed Davis
c0003b43bf Bug 1077057 - Expose Linux sandboxing information to JS via nsSystemInfo. r=kang r=froydnj
This adds "hasSeccompBPF" for seccomp-bpf support; other "has" keys
will be added in the future (e.g., user namespaces).

This also adds "canSandboxContent" and "canSandboxMedia", which are
absent if the corresponding type of sandboxing isn't enabled at build
type (or is disabled with environment variables), and otherwise present
as a boolean indicating whether that type of sandboxing is supported.
Currently this is always the same as hasSeccompBPF, but that could change
in the future.

Some changes have been made to the "mozilla/Sandbox.h" interface to
support this; the idea is that the MOZ_DISABLE_*_SANDBOX environment
variables should be equivalent to disabling MOZ_*_SANDBOX at build time.
2014-11-06 13:11:00 +01:00
David Keeler
28de902146 bug 1039642 - follow-up to fix non-unified build bustage (missing include and namespace) r=bustage a=metered 2014-11-06 14:23:21 -08:00
David Keeler
a8eff24a19 bug 1039642 - clean up the implementation of nsPkcs11 for style and safety r=jcj r=mmc a=metered 2014-11-05 14:05:46 -08:00
David Keeler
12b9e52c8f bug 1039642 - test that smart card events are no longer emitted after removing a PKCS#11 module r=jcj r=mmc a=metered
--HG--
rename : security/manager/ssl/tests/unit/test_pkcs11_insert_remove.js => security/manager/ssl/tests/unit/test_pkcs11_no_events_after_removal.js
2014-11-05 13:54:21 -08:00
David Keeler
533af6553c bug 1039642 - stop PKCS#11 module threads before deleting them r=jcj r=mmc a=metered 2014-11-05 13:53:28 -08:00
Jed Davis
eb420073d5 Bug 1093893 - Fix B2G sandbox for ICS Bionic pthread_kill(). r=kang 2014-11-06 11:04:14 -08:00
Chris Peterson
9fa6824ffd Bug 1092710 - Fix -Wunused-const-variable warning-as-error in non-unified security/certverifier. r=keeler
--HG--
extra : rebase_source : c13f7e565c8459263191f9bb16d4221b6f163443
2014-11-01 12:14:41 -07:00
Dragana Damjanovic
2e68ce12bc Bug 1087213 - Implenent bind function in nsNSSIOLayer. r=honza 2014-10-22 02:06:00 +02:00
Monica Chew
ab81f38ecb Bug 1004781: Remove unnecessary cert for facebook (r=keeler) 2014-11-04 10:54:26 -08:00
Monica Chew
d16e874df2 Bug 1092606: Don't import Chromium pinsets for domains that are already in our list (r=keeler,jcj) 2014-11-04 10:53:52 -08:00
David Keeler
469763fa53 bug 1079658 - follow-up bustage fix (unnecessary multi-line C++-style comment) r=bustage on a CLOSED TREE 2014-11-03 13:48:48 -08:00
David Keeler
85ea7a8d6f bug 1079658 - check for the id-pkix-ocsp-nocheck extension when decoding certificates r=briansmith 2014-11-03 11:35:15 -08:00