| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D11722
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com//D10357
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com//D9914
|
| |
|
|
|
|
| |
See https://bugzilla.mozilla.org/show_bug.cgi?id=1471566#c4
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Reviewers: mt
Tags: #secure-revision
Bug #: 1498437
Differential Revision: https://phabricator.services.mozilla.com/D8496
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
If we get a second session ticket in TLS 1.3 (as boringssl is wont to
do, and maybe others) while the external session cache is enabled, we assert.
The fix is to stop assuming that only in_client_cache sessions have a ticket
attached. The bigger fix ensures that sessions are properly labelled so that we
correctly create a new session in the event that we get multiple tickets from a
server.
I *think* that this isn't that high a priority. Michal is apparently working on
code related to this, but should still be able to make progress by disabling TLS
1.3 (or avoiding boringSSL servers).
Reviewers: franziskus, ekr
Reviewed By: franziskus
Bug #: 1489945
Differential Revision: https://phabricator.services.mozilla.com/D5740
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary:
This adds basic support for MSVC to build.sh. It uses the registry and vswhere
(which is part of the standard mozilla-build setup now) to work out paths and
set them properly. It's probably a little fragile, but it's better than the
shoestring and tape we have in builds right now.
I took the liberty of sanitizing the command-line options a little here. Mostly
that is sorting them, but I also deprecated the -m32 option in favour of
specifying target architecture with -t. That turned out to be a lot cleaner.
Reviewers: jcj
Reviewed By: jcj
Bug #: 1434943
Differential Revision: https://phabricator.services.mozilla.com/D5125
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D7996
|
|
|
|
|
|
|
|
|
| |
Tags: #secure-revision
Bug #: 1495451
Differential Revision: https://phabricator.services.mozilla.com/D7358
|
|
|
|
| |
k=kwilson
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D2721
|
|
|
|
|
|
| |
Differential Revision: https://phabricator.services.mozilla.com/D2719
Differential Revision: https://phabricator.services.mozilla.com/D2720
Differential Revision: https://phabricator.services.mozilla.com/D2861
|
|\ |
|
| |
| |
| |
| |
| |
| | |
clang-cl. r=froydnj
MozReview-Commit-ID: 6BCF6VYMI88
|
| |
| |
| |
| | |
structures. r=keeler
|
| |
| |
| |
| | |
CertVerifier.h . CLOSED TREE
|
| |
| |
| |
| | |
structures. r=keeler
|
| |
| |
| |
| | |
MozReview-Commit-ID: K3aWVqsO0O8
|
| |
| |
| |
| |
| |
| |
| | |
Backed out changeset 9d7f1e63d6f7 (bug 525063)
Backed out changeset 9d7f1e63d6f7 (bug 525063)
Backed out changeset 9d7f1e63d6f7 (bug 525063)
Backed out changeset 9d7f1e63d6f7 (bug 525063)
|
| |
| |
| |
| | |
Differential Revision: https://phabricator.services.mozilla.com/D894
|
| | |
|
| |
| |
| |
| | |
Differential Revision: https://phabricator.services.mozilla.com/D839
|
| |
| |
| |
| |
| |
| | |
avoid unbounded search r=fkiefer,jcj
MozReview-Commit-ID: Ght1wx5lb34
|
| |
| |
| |
| |
| |
| |
| |
| | |
Reviewed By: keeler, johannh
Bug #: 1448787
Differential Revision: https://phabricator.services.mozilla.com/D805
|
| |
| |
| |
| | |
Differential Revision: https://phabricator.services.mozilla.com/D689
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
constraint failures r=jcj
Certificate verification failures that result from additional policy constraint
failures now use the error code
"MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED" (also known as
"Result::ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED", depending on the context).
MozReview-Commit-ID: 9rE7gRBapRF
|
| |
| |
| |
| |
| |
| | |
subject certificate rather than the potential issuer, set keepGoing to false r=jcj
MozReview-Commit-ID: DEr4YgXfkOL
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r=franziskus
Before this patch, mozilla::pkix gtests would generate a public/private key pair
and stash it in a global variable. Since this wasn't part of XPCOM nor tracked
by the PSM/NSS shutdown machinery, it wouldn't get released at the appropriate
time. The solution to this is to generate the key and then essentially export it
as data, so no NSS objects are held alive. Since NSS considers private keys
stored in the persistent database sensitive and won't export them in the clear,
we "encrypt" the key material with an empty password so we can import it when
necessary. (While the gtests don't use persistent keys, the test utilties in the
gtests are also used by some xpcshell tests that do use persistent keys, hence
the need to encrypt the key material.)
|
| |
| |
| |
| | |
MozReview-Commit-ID: 4s4JdXZPvmv
|
| |
| |
| |
| | |
MozReview-Commit-ID: HbF5oT5HW6f
|
| |
| |
| |
| | |
MozReview-Commit-ID: 5orfnoude7h
|
| |
| |
| |
| | |
MozReview-Commit-ID: 7duJk2gSd4m
|
| | |
|
| |
| |
| |
| | |
MozReview-Commit-ID: DjDkL20wRg0
|
| |
| |
| |
| | |
MozReview-Commit-ID: 2U2ToeyVUUt
|
| |
| |
| |
| | |
include cstring explicitly. r=keeler
|
| |
| |
| |
| |
| |
| | |
warn-unused-result warning r=njn
MozReview-Commit-ID: 4v6tPF5aMz7
|
| |
| |
| |
| | |
testing/gtest/gtest/src/gtest.cc:3871: 'Unused' was not declared in this scope. r=backout
|
| |
| |
| |
| |
| |
| | |
warn-unused-result warning r=njn
MozReview-Commit-ID: 4v6tPF5aMz7
|
| |
| |
| |
| |
| |
| | |
CreateEncodedBasicConstraints (which takes a pointer-to-long, rather than a long). r=keeler
MozReview-Commit-ID: Ki8AHuW5zyP
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
warning, in pkix/test/gtest. r=keeler
The gtest headers trigger many instances of this warning, due to their usage of
NULL instead of nullptr.
MozReview-Commit-ID: Dhv7mPHpZ7I
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
r=keeler
The only reason this param is a pointer is so that it can be optional. It's not
an outparam -- the function does not (and does not intend to) modify it -- so
it should be declared as 'const' to make that clearer & to allow clients to
pass in pointers to const values.
MozReview-Commit-ID: HbF96YNfnSt
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
--enable-warnings-as-errors builds. r=keeler
MSVC 2017 headers aren't warning free at the -Wall level.
Since PSM enables -Wall in some moz.build files, this breaks
--enable-warnings-as-errors builds.
As a temporary measure, disable enough warnings to get working builds.
MozReview-Commit-ID: G0oUsAYYct2
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(adapted from bug 1349762 comment 0)
Google Trust Services (GTS) recently purchased two roots from GlobalSign that
are both enabled for EV treatment: "GlobalSign Root CA - R2" and "GlobalSign ECC
Root CA - R4".
However, GTS does not have an EV audit, so we are going to turn off EV treatment
for both of those root certificates.
But "GlobalSign Root CA - R2" has intermediate cert "GlobalSign Extended
Validation CA - SHA256 - G2" that continues to be controlled by GlobalSign, to
be used to migrate their customers off dependence on that root.
This patch removes EV treatment for "GlobalSign ECC Root CA - R4". It also
removes EV treatment for all chains rooted in "GlobalSign Root CA - R2" unless
the "GlobalSign Extended Validation CA - SHA256 - G2" intermediate is in the
chain.
MozReview-Commit-ID: Ej9L9zTwoPN
|
| |
| |
| |
| | |
PathBuildingStep::Check() r=keeler
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
gtest class r=Cykesiopka,dholbert
pkixocsp_VerifyEncodedResponse_GetCertTrust has a field trustDomain that
deliberately shadows the field it inherits from so that code doesn't use it by
accident.
MozReview-Commit-ID: 1Y4W6sA7lHD
|