| Commit message (Collapse) | Author | Age | Lines |
|
|
|
|
|
| |
Host name was purely being used for HPKP and since HPKP is killed,
this can also go. Currently it doesn't do anything other than
generating build warnings.
|
| |
|
|
|
|
|
| |
Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before accessing slot
after obtaining it, even though slotLock is defined as its lock.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The implementation is based on the work by Bernstein and Yang
(https://eprint.iacr.org/2019/266)
"Fast constant-time gcd computation and modular inversion".
It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fixes
mpl_significant_bits s_mp_div_2d and s_mp_mul_2d by having less control flow to
reduce side-channel leaks.
Co-authored by : Billy Bob Brumley
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
This also removes leftover plumbing for storing preload information
in SiteSecurityService since no service still uses it.
|
| |
|
| |
|
|
|
|
| |
Also tag #1280
|
| |
|
|
|
|
|
|
| |
Since we don't use preloading anymore for either HPKP or HSTS, we no
longer need persistent storage in the profile for preload states.
Tag #1280 also
|
| |
|
|
|
|
| |
It exceeded the obj file sections limit because of the HSTS preload list so it cannot be built in UNIFIED mode.
|
| |
|
|
|
|
| |
Rename the build config option accordingly.
|
| |
|
|
|
|
|
|
|
| |
- Adds buildconfig option --enable-nss-sqlstore
- Prefixes NSS dbinit with either sql: or dbm: depending on config
- Pre-initializes mozStorage when NSS-SQL storage is used to prevent
an sqlite3_config race in NSS Init
|
| |
|
|
|
|
|
| |
Commented out spewing dump() statements in loops. With the ever growing
HSTS list it takes too much time and is pointless to display.
|
|
|
|
| |
This rewrites the caching mechanism to apply to both PBKDF1 and PBKDF2
|
|
|
|
|
|
|
| |
Our NSS version is closer to the currently-released .1, so bump version
to that.
Note: we still have some additional patches to the in-tree version in
place so this isn't a 100% match to the RTM one.
|
|
|
|
|
|
| |
to speed up repeated SDR operations.
Landed on NSS-3.48 for Bug 1606992
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
module is loaded afterwards,
Summary: When the builtin trust module is loaded after some temp certs
being created, these temp certs are usually not accompanied by trust
information. This causes a problem in UXP as it loads the module from a
separate thread while accessing the network cache which populates temp
certs.
This change makes it properly roll up the trust information, if a temp
cert doesn't have trust information.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
The behavior change of document.open() requires these tests to be
changed to account for the new spec behavior.
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
SFTKSession objects are only ever actually destroyed at PK11 session
closure, as the session is always the final holder -- and asserting
refCount == 1 shows that to be true. Because of that, NSC_CloseSession
can just call `sftk_DestroySession` directly and leave
`sftk_FreeSession` as a no-op to be removed in the future.
|
| |
|
| |
|
|
|
|
| |
domains.
|
| |
|
|
|
|
|
|
|
|
|
| |
- Use HEAD instead of GET for probe to avoid loading pages
- Reduce retries to 2
- Reduce timeout to 10 s (since we're just getting a HEAD this is royal)
- Identify ourselves to websites as an automated tool
- Improve performance of list merging (O(n^2) was getting too expensive)
- Add a total counter and perform GC every 200 requests
|
| |
|
| |
|
| |
|
|\ |
|
| |\
| | |
| | | |
Support Modern Solaris
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Solaris.
https://bugzilla.mozilla.org/show_bug.cgi?id=1513913
Mozilla's solution to this is arguably overkill, since the namespace issue on Solaris only required them to change (or temporarily undefine) __log2. Instead they changed ALL the functions to be something along the lines of dbm_log2. They haven't changed the external interface at all, though.
If you're unhappy with this patch, I think I could also use XP_SOLARIS ifdefs to undefine __log2 prior to where it's declared in the dbm headers. The good thing about Mozilla's solution is that it guarantees this namespace issue never occurs again on any platform, though.
|
| | | |
|
| | |
| | |
| | |
| | |
| | | |
This rollup patch adds additional length checks around cryptographic
primitives.
|
| |/
| |
| |
| |
| |
| | |
HKDF-Expand enforces a maximum output length much shorter than stated in
the RFC. This patch aligns the implementation with the RFC by allocating
more output space when necessary.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, HSTS preload list values could be overridden temporarily due
to counter-intuitive behavior of the API's removeState function.
This adds an explicit flag to the API for writing knockout values to
the Site Security Service, with the default resetting to whatever the
preload list state is.
|