| Commit message | Author | Age | Lines |
|
This was a leftover from HPKP removal.
Also remove a couple of unused variables from security/manager/ssl/nsSiteSecurityService.cpp.
|
Host name was purely being used for HPKP and since HPKP is killed,
this can also go. Currently it doesn't do anything other than
generating build warnings.
|
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot
after obtaining it, even though slotLock is defined as its lock.
|
The implementation is based on the work by Bernstein and Yang
(https://eprint.iacr.org/2019/266)
"Fast constant-time gcd computation and modular inversion".
It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fixes
mpl_significant_bits, s_mp_div_2d and s_mp_mul_2d by having less control flow to
reduce side-channel leaks.
Co-authored by: Billy Bob Brumley
|
This also removes leftover plumbing for storing preload information
in SiteSecurityService since no service still uses it.
|
Also tag #1280
|
Since we don't use preloading anymore for either HPKP or HSTS, we no
longer need persistent storage in the profile for preload states.
Tag #1280 also
|
It exceeded the obj file sections limit because of the HSTS preload list so it cannot be built in UNIFIED mode.
|
Rename the build config option accordingly.
|
- Adds buildconfig option --enable-nss-sqlstore
- Prefixes NSS dbinit with either sql: or dbm: depending on config
- Pre-initializes mozStorage when NSS-SQL storage is used to prevent
an sqlite3_config race in NSS Init
|
Commented out spewing dump() statements in loops. With the ever growing
HSTS list it takes too much time and is pointless to display.
|
This rewrites the caching mechanism to apply to both PBKDF1 and PBKDF2
|
Our NSS version is closer to the currently-released .1, so bump version
to that.
Note: we still have some additional patches to the in-tree version in
place so this isn't a 100% match to the RTM one.
|
to speed up repeated SDR operations.
Landed on NSS-3.48 for Bug 1606992
|
module is loaded afterwards,
Summary: When the builtin trust module is loaded after some temp certs
being created, these temp certs are usually not accompanied by trust
information. This causes a problem in UXP as it loads the module from a
separate thread while accessing the network cache which populates temp
certs.
This change makes it properly roll up the trust information, if a temp
cert doesn't have trust information.
|
The behavior change of document.open() requires these tests to be
changed to account for the new spec behavior.
|
SFTKSession objects are only ever actually destroyed at PK11 session
closure, as the session is always the final holder -- and asserting
refCount == 1 shows that to be true. Because of that, NSC_CloseSession
can just call `sftk_DestroySession` directly and leave
`sftk_FreeSession` as a no-op to be removed in the future.
|
domains.
|
- Use HEAD instead of GET for probe to avoid loading pages
- Reduce retries to 2
- Reduce timeout to 10 s (since we're just getting a HEAD this is royal)
- Identify ourselves to websites as an automated tool
- Improve performance of list merging (O(n^2) was getting too expensive)
- Add a total counter and perform GC every 200 requests
|
Support Modern Solaris
|
Solaris.
https://bugzilla.mozilla.org/show_bug.cgi?id=1513913
Mozilla's solution to this is arguably overkill, since the namespace issue on Solaris only required them to change (or temporarily undefine) __log2. Instead they changed ALL the functions to be something along the lines of dbm_log2. They haven't changed the external interface at all, though.
If you're unhappy with this patch, I think I could also use XP_SOLARIS ifdefs to undefine __log2 prior to where it's declared in the dbm headers. The good thing about Mozilla's solution is that it guarantees this namespace issue never occurs again on any platform, though.
|
This rollup patch adds additional length checks around cryptographic
primitives.
|
HKDF-Expand enforces a maximum output length much shorter than stated in
the RFC. This patch aligns the implementation with the RFC by allocating
more output space when necessary.
|