path: root/security
Commit message (Author, Age, Lines)
* [NSS] Implement constant-time GCD and modular inversion (Sohaib ul Hassan, 2020-07-10, -132/+292)
|   The implementation is based on the work by Bernstein and Yang (https://eprint.iacr.org/2019/266) "Fast constant-time gcd computation and modular inversion". It fixes the old mp_gcd and s_mp_invmod_odd_m functions. The patch also fixes mpl_significant_bits, s_mp_div_2d and s_mp_mul_2d by having less control flow to reduce side-channel leaks. Co-authored by: Billy Bob Brumley
* [NSS] Bump NSS version (Moonchild, 2020-06-03, -6/+7)
|
* [NSS] Force a fixed length for DSA exponentiation (Moonchild, 2020-06-03, -10/+35)
|
* Issue #1501 - Un-bust building of NSS after update to 3.48 on Solaris. (athenian200, 2020-04-14, -1/+1)
|
* Issue #1280 - Un-bust certerror pages and ForgetAboutSite (wolfbeast, 2020-04-14, -18/+5)
|
* Issue #1280 - Part 2: Remove HPKP tests. (wolfbeast, 2020-04-14, -1040/+0)
|
* Issue #1280 - Part 1: Remove HPKP components. (wolfbeast, 2020-04-14, -2636/+32)
|   This also removes leftover plumbing for storing preload information in SiteSecurityService since no service still uses it.
* Issue #1498 - Part 6: Remove STS preloadlist pref. (wolfbeast, 2020-04-14, -8/+0)
|
* Issue #1498 - Part 5: Update SSService CID and correct mismatch. (wolfbeast, 2020-04-14, -4/+4)
|
* Issue #1498 - Part 4: Remove clearPreloads. (wolfbeast, 2020-04-14, -20/+0)
|   Also tag #1280
* Issue #1498 - Part 3: Remove support for storing "knockout" values. (wolfbeast, 2020-04-14, -10/+4)
|
* Issue #1498 - Part 2: Stop persisting preload states. (wolfbeast, 2020-04-14, -6/+1)
|   Since we don't use preloading anymore for either HPKP or HSTS, we no longer need persistent storage in the profile for preload states. Tag #1280 also
* Issue #1498 - Part 1: Stop using HSTS preload lists. (wolfbeast, 2020-04-14, -103881/+8)
|
* Take nsSiteSecurityService out of UNIFIED_SOURCES (Matt A. Tobin, 2020-04-14, -1/+4)
|   It exceeded the obj file sections limit because of the HSTS preload list so it cannot be built in UNIFIED mode.
* Issue #447 - Update HSTS preload list (wolfbeast, 2020-04-14, -9018/+14842)
|
* Issue #1467 - Part 4: Rename NSS_SQLSTORE to MOZ_SECURITY_SQLSTORE. (wolfbeast, 2020-04-14, -4/+4)
|   Rename the build config option accordingly.
* Issue #1467 - Part 3: Use UTF-8 file paths for NSS-SQL database. (wolfbeast, 2020-04-14, -2/+11)
|
* Issue #1467 - Part 1: Set up conditional NSS-SQL builds. (wolfbeast, 2020-04-14, -0/+16)
|   - Adds buildconfig option --enable-nss-sqlstore
|   - Prefixes NSS dbinit with either sql: or dbm: depending on config
|   - Pre-initializes mozStorage when NSS-SQL storage is used to prevent an sqlite3_config race in NSS Init
* Issue #1053 - Remove android support from nsNSSComponent.cpp (Matt A. Tobin, 2020-04-14, -61/+17)
|
* Issue #447 - Update HSTS preload list & reduce debug spew (wolfbeast, 2020-04-14, -8493/+14130)
|   Commented out spewing dump() statements in loops. With the ever growing HSTS list it takes too much time and is pointless to display.
* Issue #1338 - Follow-up: Also cache the most recent PBKDF1 hash (Kai Engert, 2020-01-23, -50/+140)
|   This rewrites the caching mechanism to apply to both PBKDF1 and PBKDF2
* Issue #1338 - Bump NSS version (wolfbeast, 2020-01-20, -3/+3)
|   Our NSS version is closer to the currently-released .1, so bump version to that. Note: we still have some additional patches to the in-tree version in place so this isn't a 100% match to the RTM one.
* Issue #1338: Follow-up: Cache the most recent PBKDF2 password hash, (Kai Engert, 2020-01-14, -1/+83)
|   to speed up repeated SDR operations. Landed on NSS-3.48 for Bug 1606992
* Issue #1338 - Followup: certdb: propagate trust information if trust (Daiki Ueno, 2020-01-10, -8/+22)
|   module is loaded afterwards, Summary: When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in UXP as it loads the module from a separate thread while accessing the network cache which populates temp certs. This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
* Issue #1338 - Un-bust building of NSS after update to 3.48 on Linux. (wolfbeast, 2020-01-10, -1/+2)
|
* Be more consistent about decoding IP addresses in PSM. (wolfbeast, 2020-01-09, -2/+7)
|
* Issue #1338 - Part 2: Update NSS to 3.48-RTM (wolfbeast, 2020-01-02, -31445/+1622266)
|
* Issue #1118 - Part 6: Fix various tests that are no longer correct. (wolfbeast, 2019-12-22, -1/+1)
|   The behavior change of document.open() requires these tests to be changed to account for the new spec behavior.
* Update NSS version. (wolfbeast, 2019-12-06, -6/+8)
|
* [NSS] Bug 1586176 - EncryptUpdate should use maxout not block size. (Craig Disselkoen, 2019-12-06, -1/+1)
|
* [NSS] Bug 1508776 - Remove unneeded refcounting from SFTKSession (J.C. Jones, 2019-12-06, -24/+11)
|   SFTKSession objects are only ever actually destroyed at PK11 session closure, as the session is always the final holder -- and asserting refCount == 1 shows that to be true. Because of that, NSC_CloseSession can just call `sftk_DestroySession` directly and leave `sftk_FreeSession` as a no-op to be removed in the future.
* Issue #447 - Update HSTS preload list (wolfbeast, 2019-11-19, -3828/+3982)
|
* Issue #1289 - Part 3: Update tests. (wolfbeast, 2019-11-14, -0/+36)
|
* Issue #1289 - Part 2: Clear out the preload list except for test (wolfbeast, 2019-11-14, -503/+2)
|   domains.
* Issue #1289 - Part 1: Add a pref to disable HPKP header processing. (wolfbeast, 2019-11-14, -4/+37)
|
* Issue #447 - Improve the getHSTSPreloadList script (wolfbeast, 2019-11-09, -12/+16)
|   - Use HEAD instead of GET for probe to avoid loading pages
|   - Reduce retries to 2
|   - Reduce timeout to 10 s (since we're just getting a HEAD this is royal)
|   - Identify ourselves to websites as an automated tool
|   - Improve performance of list merging (O(n^2) was getting too expensive)
|   - Add a total counter and perform GC every 200 requests
* Issue #447 - Update HSTS preload list. (wolfbeast, 2019-11-09, -11027/+26141)
|
* Issue #1064 - Part 3: Fix notifyObservers() call. (wolfbeast, 2019-11-04, -1/+1)
|
* Issue #1064 - Part 2: Fix shorthand and services module import. (wolfbeast, 2019-11-04, -3/+6)
|
* Merge branch 'master' into certexception-work (wolfbeast, 2019-11-04, -232/+315)
|\
| * Merge pull request #1262 from athenian200/solaris-work (Moonchild, 2019-11-02, -193/+200)
| |\
| | |   Support Modern Solaris
| | * MoonchildProductions#1251 - Part 16: Resolve namespace conflicts with dbm on Solaris. (athenian200, 2019-10-21, -193/+200)
| | |   https://bugzilla.mozilla.org/show_bug.cgi?id=1513913
| | |   Mozilla's solution to this is arguably overkill, since the namespace issue on Solaris only required them to change (or temporarily undefine) __log2. Instead they changed ALL the functions to be something along the lines of dbm_log2. They haven't changed the external interface at all, though. If you're unhappy with this patch, I think I could also use XP_SOLARIS ifdefs to undefine __log2 prior to where it's declared in the dbm headers. The good thing about Mozilla's solution is that it guarantees this namespace issue never occurs again on any platform, though.
| * | Update NSS version (wolfbeast, 2019-10-24, -6/+7)
| | |
| * | Add length checks for cryptographic primitives (Kevin Jacobs, 2019-10-24, -9/+56)
| | |   This rollup patch adds additional length checks around cryptographic primitives.
| * | Support longer (up to RFC maximum) HKDF outputs (wolfbeast, 2019-10-24, -8/+25)
| |/
| |   HKDF-Expand enforces a maximum output length much shorter than stated in the RFC. This patch aligns the implementation with the RFC by allocating more output space when necessary.
| * Properly implement various HSTS states. (wolfbeast, 2019-09-05, -16/+27)
| |   Previously, HSTS preload list values could be overridden temporarily due to counter-intuitive behavior of the API's removeState function. This adds an explicit flag to the API for writing knockout values to the Site Security Service, with the default resetting to whatever the preload list state is.
* | No issue: Clean up `exceptionDialog.js` (wolfbeast, 2019-08-17, -14/+11)
| |   - Fix some quoting, comments and inconsistencies and code style
| |   - Swap manually grabbing service components out for using `Services.*`
* | Issue #1064: Don't get certificate details synchronously. (wolfbeast, 2019-08-17, -51/+31)
|/
|   This avoids getting data synchronously on the main thread in an XHR (which has been deprecated for a long time and _may_ actually be blocked in our networking) and attempts to be more predictable by always firing an update request for the dialog from the XHR request handlers.
* Update NSS version. (wolfbeast, 2019-07-17, -7/+6)
|
* Prohibit the use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (wolfbeast, 2019-07-17, -0/+20)
|   This is a spec compliance issue.