path: root/security
Commit message (Author, Age, Lines)
* Issue #1280 - Follow-up: Get rid of HPKP pinning mode. (adesh, 2020-11-18, -42/+14)
|   This was a leftover from HPKP removal. Also remove a couple of unused variables from security/manager/ssl/nsSiteSecurityService.cpp.
* Issue #1280 - Remove hostname parameter to trust domain. (adeshkp, 2020-09-21, -19/+12)
|   Host name was purely being used for HPKP and since HPKP is killed, this can also go. Currently it doesn't do anything other than generating build warnings.
* [NSS] Version and build bump (Moonchild, 2020-08-30, -6/+7)
|
* [NSS] Prevent slotLock race in NSC_GetTokenInfo (J.C. Jones, 2020-08-30, -2/+4)
|   Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot after obtaining it, even though slotLock is defined as its lock.
* [NSS] Version and build bump (Moonchild, 2020-07-10, -7/+6)
|
* [NSS] Implement constant-time GCD and modular inversion (Sohaib ul Hassan, 2020-07-10, -132/+292)
|   The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions.
|   The patch also fixes mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks.
|   Co-authored by: Billy Bob Brumley
* [NSS] Bump NSS version (Moonchild, 2020-06-03, -6/+7)
|
* [NSS] Force a fixed length for DSA exponentiation (Moonchild, 2020-06-03, -10/+35)
|
* Issue #1501 - Un-bust building of NSS after update to 3.48 on Solaris. (athenian200, 2020-04-14, -1/+1)
|
* Issue #1280 - Un-bust certerror pages and ForgetAboutSite (wolfbeast, 2020-04-14, -18/+5)
|
* Issue #1280 - Part 2: Remove HPKP tests. (wolfbeast, 2020-04-14, -1040/+0)
|
* Issue #1280 - Part 1: Remove HPKP components. (wolfbeast, 2020-04-14, -2636/+32)
|   This also removes leftover plumbing for storing preload information in SiteSecurityService since no service still uses it.
* Issue #1498 - Part 6: Remove STS preloadlist pref. (wolfbeast, 2020-04-14, -8/+0)
|
* Issue #1498 - Part 5: Update SSService CID and correct mismatch. (wolfbeast, 2020-04-14, -4/+4)
|
* Issue #1498 - Part 4: Remove clearPreloads. (wolfbeast, 2020-04-14, -20/+0)
|   Also tag #1280
* Issue #1498 - Part 3: Remove support for storing "knockout" values. (wolfbeast, 2020-04-14, -10/+4)
|
* Issue #1498 - Part 2: Stop persisting preload states. (wolfbeast, 2020-04-14, -6/+1)
|   Since we don't use preloading anymore for either HPKP or HSTS, we no longer need persistent storage in the profile for preload states.
|   Tag #1280 also
* Issue #1498 - Part 1: Stop using HSTS preload lists. (wolfbeast, 2020-04-14, -103881/+8)
|
* Take nsSiteSecurityService out of UNIFIED_SOURCES (Matt A. Tobin, 2020-04-14, -1/+4)
|   It exceeded the obj file sections limit because of the HSTS preload list so it cannot be built in UNIFIED mode.
* Issue #447 - Update HSTS preload list (wolfbeast, 2020-04-14, -9018/+14842)
|
* Issue #1467 - Part 4: Rename NSS_SQLSTORE to MOZ_SECURITY_SQLSTORE. (wolfbeast, 2020-04-14, -4/+4)
|   Rename the build config option accordingly.
* Issue #1467 - Part 3: Use UTF-8 file paths for NSS-SQL database. (wolfbeast, 2020-04-14, -2/+11)
|
* Issue #1467 - Part 1: Set up conditional NSS-SQL builds. (wolfbeast, 2020-04-14, -0/+16)
|   - Adds buildconfig option --enable-nss-sqlstore
|   - Prefixes NSS dbinit with either sql: or dbm: depending on config
|   - Pre-initializes mozStorage when NSS-SQL storage is used to prevent an sqlite3_config race in NSS Init
* Issue #1053 - Remove android support from nsNSSComponent.cpp (Matt A. Tobin, 2020-04-14, -61/+17)
|
* Issue #447 - Update HSTS preload list & reduce debug spew (wolfbeast, 2020-04-14, -8493/+14130)
|   Commented out spewing dump() statements in loops. With the ever growing HSTS list it takes too much time and is pointless to display.
* Issue #1338 - Follow-up: Also cache the most recent PBKDF1 hash (Kai Engert, 2020-01-23, -50/+140)
|   This rewrites the caching mechanism to apply to both PBKDF1 and PBKDF2
* Issue #1338 - Bump NSS version (wolfbeast, 2020-01-20, -3/+3)
|   Our NSS version is closer to the currently-released .1, so bump version to that.
|   Note: we still have some additional patches to the in-tree version in place so this isn't a 100% match to the RTM one.
* Issue #1338: Follow-up: Cache the most recent PBKDF2 password hash, (Kai Engert, 2020-01-14, -1/+83)
|   to speed up repeated SDR operations.
|   Landed on NSS-3.48 for Bug 1606992
* Issue #1338 - Followup: certdb: propagate trust information if trust (Daiki Ueno, 2020-01-10, -8/+22)
|   module is loaded afterwards,
|   Summary: When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in UXP as it loads the module from a separate thread while accessing the network cache which populates temp certs.
|   This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
* Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. (wolfbeast, 2020-01-10, -1/+2)
|
* Be more consistent about decoding IP addresses in PSM. (wolfbeast, 2020-01-09, -2/+7)
|
* Issue #1338 - Part 2: Update NSS to 3.48-RTM (wolfbeast, 2020-01-02, -31445/+1622266)
|
* Issue #1118 - Part 6: Fix various tests that are no longer correct. (wolfbeast, 2019-12-22, -1/+1)
|   The behavior change of document.open() requires these tests to be changed to account for the new spec behavior.
* Update NSS version. (wolfbeast, 2019-12-06, -6/+8)
|
* [NSS] Bug 1586176 - EncryptUpdate should use maxout not block size. (Craig Disselkoen, 2019-12-06, -1/+1)
|
* [NSS] Bug 1508776 - Remove unneeded refcounting from SFTKSession (J.C. Jones, 2019-12-06, -24/+11)
|   SFTKSession objects are only ever actually destroyed at PK11 session closure, as the session is always the final holder -- and asserting refCount == 1 shows that to be true.
|   Because of that, NSC_CloseSession can just call `sftk_DestroySession` directly and leave `sftk_FreeSession` as a no-op to be removed in the future.
* Issue #447 - Update HSTS preload list (wolfbeast, 2019-11-19, -3828/+3982)
|
* Issue #1289 - Part 3: Update tests. (wolfbeast, 2019-11-14, -0/+36)
|
* Issue #1289 - Part 2: Clear out the preload list except for test (wolfbeast, 2019-11-14, -503/+2)
|   domains.
* Issue #1289 - Part 1: Add a pref to disable HPKP header processing. (wolfbeast, 2019-11-14, -4/+37)
|
* Issue #447 - Improve the getHSTSPreloadList script (wolfbeast, 2019-11-09, -12/+16)
|   - Use HEAD instead of GET for probe to avoid loading pages
|   - Reduce retries to 2
|   - Reduce timeout to 10 s (since we're just getting a HEAD this is royal)
|   - Identify ourselves to websites as an automated tool
|   - Improve performance of list merging (O(n^2) was getting too expensive)
|   - Add a total counter and perform GC every 200 requests
* Issue #447 - Update HSTS preload list. (wolfbeast, 2019-11-09, -11027/+26141)
|
* Issue #1064 - Part 3: Fix notifyObservers() call. (wolfbeast, 2019-11-04, -1/+1)
|
* Issue #1064 - Part 2: Fix shorthand and services module import. (wolfbeast, 2019-11-04, -3/+6)
|
* Merge branch 'master' into certexception-work (wolfbeast, 2019-11-04, -232/+315)
|\
| * Merge pull request #1262 from athenian200/solaris-work (Moonchild, 2019-11-02, -193/+200)
| |\
| | |   Support Modern Solaris
| | * MoonchildProductions#1251 - Part 16: Resolve namespace conflicts with dbm on (athenian200, 2019-10-21, -193/+200)
| | |   Solaris.
| | |   https://bugzilla.mozilla.org/show_bug.cgi?id=1513913
| | |   Mozilla's solution to this is arguably overkill, since the namespace issue on Solaris only required them to change (or temporarily undefine) __log2. Instead they changed ALL the functions to be something along the lines of dbm_log2. They haven't changed the external interface at all, though.
| | |   If you're unhappy with this patch, I think I could also use XP_SOLARIS ifdefs to undefine __log2 prior to where it's declared in the dbm headers. The good thing about Mozilla's solution is that it guarantees this namespace issue never occurs again on any platform, though.
| * | Update NSS version (wolfbeast, 2019-10-24, -6/+7)
| | |
| * | Add length checks for cryptographic primitives (Kevin Jacobs, 2019-10-24, -9/+56)
| | |   This rollup patch adds additional length checks around cryptographic primitives.
| * | Support longer (up to RFC maximum) HKDF outputs (wolfbeast, 2019-10-24, -8/+25)
| |/
| |   HKDF-Expand enforces a maximum output length much shorter than stated in the RFC. This patch aligns the implementation with the RFC by allocating more output space when necessary.