| Commit message | Author | Age | Files | Lines |
| |
Differential Revision: https://phabricator.services.mozilla.com/D177803
| |
r=nss-reviewers,bbeurdouche
NSS tasks using LSAN seem to run into frequent failures due to ptrace(2)
failing with EACCES (Permission Denied), apparently coming from the
apparmor profile for docker on the VM.
Until now Linux test tasks were using the nss-{1,3}/linux-gcp pools,
which use the same base image as gecko builders. This switches them to
a new pool using the same base image as used by gecko's test tasks,
where ptrace appears to work reliably.
Differential Revision: https://phabricator.services.mozilla.com/D177037
| |
Differential Revision: https://phabricator.services.mozilla.com/D153944
| |
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D158327
| |
changes r=nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D170903
| |
whitespace in ECCKiila files r=nss-reviewers,nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D169262
| |
Differential Revision: https://phabricator.services.mozilla.com/D170225
| |
task. r=nkulatova
Differential Revision: https://phabricator.services.mozilla.com/D169317
| |
images r=nkulatova
As of the images dated 20230126, our docker-in-docker-based image build
process dies trying to retrieve the base images.
Differential Revision: https://phabricator.services.mozilla.com/D169316
| |
Differential Revision: https://phabricator.services.mozilla.com/D166506
| |
r=nss-reviewers,bbeurdouche
Differential Revision: https://phabricator.services.mozilla.com/D164770
| |
Adding: clang-10.
Removing: gcc-6, gcc-9, gcc-10.
Differential Revision: https://phabricator.services.mozilla.com/D162545
| |
Differential Revision: https://phabricator.services.mozilla.com/D163369
| |
Clean up problematic terms: master, slave, whitelist, blacklist.
These are usually easily changed to main/server, client, allowlist, and blocklist (or other similar terms, which are often more descriptive anyway). Things related to the TLS/SSL master key, which is part of the TLS spec and needs to first be handled by the TLS IETF working group.
Differential Revision: https://phabricator.services.mozilla.com/D163522
| |
r=nss-reviewers,releng-reviewers,jlorenzo,bbeurdouche
When we moved tasks to run on GCP from AWS in bug 1799315, we started
using a newer version of docker-worker including the changes from bug
1637302; as a result, artifacts are compressed with gzip before upload
to s3, and downloads now come with a "content-encoding: gzip" header and
compressed content, regardless of the client's "accept-encoding".
Unfortunately docker-worker doesn't handle that encoding and expects an
artifact called image.tar to be uncompressed. To work around that
issue, we now compress docker images in image_builder with zstd before
upload.
[Ideally we'd install the zstd package in the nssdev/image_builder
docker image itself instead of doing it in every task, however I'm not
sure who owns that or how it's built so this might be good enough for
right now.]
Differential Revision: https://phabricator.services.mozilla.com/D163306
| |
Differential Revision: https://phabricator.services.mozilla.com/D161376
| |
Differential Revision: https://phabricator.services.mozilla.com/D162252
| |
r=nss-reviewers,jschanck
Differential Revision: https://phabricator.services.mozilla.com/D160237
| |
Differential Revision: https://phabricator.services.mozilla.com/D158323
| |
Differential Revision: https://phabricator.services.mozilla.com/D157770
| |
It was required to update docker-interop image to ubuntu 20.04 since a newer Go release was required for the BoGo tests to run.
See nss/gtests/nss_bogo_shim/config.json for a list of disabled BoGo tests, including short descriptions/bug links.
A -loose-local-errors flag was added to BoGo (runner.go) to allow usage of more tests by ignoring differences in local errors on the Go side of test connections, similar to the remote error 'suppression' used. The code is patched to the BoGo runner after cloning in nss/tests/bogo/bogo.sh and can be found in nss/gtests/nss_bogo_shim/nss_loose_local_errors.patch.
Differential Revision: https://phabricator.services.mozilla.com/D147675
| |
Differential Revision: https://phabricator.services.mozilla.com/D154994
| |
r=kjacobs,rrelyea
Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to also match with "id" (mapped to CKA_ID) and reject the request if a "type" attribute is present with a value other than "cert".
Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field of value.
Differential Revision: https://phabricator.services.mozilla.com/D98940
| |
Differential Revision: https://phabricator.services.mozilla.com/D138149
| |
Differential Revision: https://phabricator.services.mozilla.com/D147375
| |
Differential Revision: https://phabricator.services.mozilla.com/D137702
| |
r=rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D146334
| |
Differential Revision: https://phabricator.services.mozilla.com/D145355
| |
Depends on D141764
Differential Revision: https://phabricator.services.mozilla.com/D141765
| |
Depends on D131425
Differential Revision: https://phabricator.services.mozilla.com/D141764
| |
Differential Revision: https://phabricator.services.mozilla.com/D131425
| |
TLS 1.3
We need to be able to select Client certificates based on the schemes sent to us from the server. Rather than changing the callback function, this patch adds those schemes to the ssl socket info as suggested by Dana. In addition, two helpful functions have been added to aid User applications in properly selecting the Certificate:
PRBool SSL_CertIsUsable(PRFileDesc *fd, CERTCertificate *cert) - returns true if the given cert matches the schemes of the server, the schemes configured on the socket, capability of the token the private key resides on, and the current policy. For future SSL protocol, additional restrictions may be parsed.
SSL_FilterCertListBySocket(PRFileDesc *fd, CERTCertList *certlist) - removes the certs from the cert list that don't pass the SSL_CertIsUsable() call.
In addition the built in cert selection function (NSS_GetClientAuthData) uses the above functions to filter the list. In order to support the NSS_GetClientAuthData three new functions have been added:
SECStatus CERT_FilterCertListByNickname(CERTCertList *certList, char *nickname, void *pwarg) -- removes the certs that don't match the 'nickname'.
SECStatus CERT_FilterCertListByCertList(CERTCertList *certList, const CERTCertList *filterList) -- removes all the certs on the first cert list that aren't on the second.
PRBool CERT_IsInList(CERTCertificate *, const CERTCertList *certList) -- returns true if cert is on certList.
In addition:
* PK11_FindObjectForCert() is exported so the token the cert lives on can be accessed.
* the ssl ssl_PickClientSignatureScheme() function (along with several supporting functions) has been modified so it can be used by SSL_CertIsUsable()
Differential Revision: https://phabricator.services.mozilla.com/D135715