path: root/lib/dev
Commit message | Author | Age | Files | Lines
* Bug 1774657 Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. | Robert Relyea | 2023-05-15 | 1 | -0/+3
    This patch solves the problems in 3 ways:

    1) The initial underlying issue is solved by not generating a trust record for user certs if they have default trust values (lib/softoken/legacydb/pcertdb.c). This will cause new databases created from old dbm databases to function normally.
    2) Skip the integrity check if the record we are reading is already the default trust value (lib/softoken/sftkdb.c). This will increase the performance of reading sqlite databases created from the old dbm databases before patch 1 to perform reasonably.
    3) Increase the cache count. (lib/softoken/lowpbe.c). This affects applications which do multiple private key operations on the same private keys. Usually high speed operations would copy the keys to a session key for better performance, but sometimes that's not possible. This allows up to 20 RSA keys to be referenced by the application without a performance hit from the PBE checking integrity and/or decrypting the key entry.

    Differential Revision: https://phabricator.services.mozilla.com/D165221
* Bug 1792821 - Updating the clang-format version to 10. r=jschanck | Anna Weine | 2022-10-07 | 1 | -1/+1
    Differential Revision: https://phabricator.services.mozilla.com/D158323
* Bug 205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. r=rrelyea | John M. Schanck | 2022-04-28 | 1 | -4/+1
    Differential Revision: https://phabricator.services.mozilla.com/D144633
* Bug 1756271 - Remove token member from NSSSlot struct. r=rrelyea | John M. Schanck | 2022-03-23 | 4 | -46/+40
    Differential Revision: https://phabricator.services.mozilla.com/D139547
* Bug 1370866 - Check return value of PK11Slot_GetNSSToken. r=djackson | John M. Schanck | 2022-02-23 | 2 | -21/+10
    Differential Revision: https://phabricator.services.mozilla.com/D139420
* Bug 1682863 - Revert nssSlot_IsTokenPresent to 3.58 after ongoing Fx hangs with slow PKCS11 devices. r=bbeurdouche | Kevin Jacobs | 2020-12-22 | 1 | -30/+6
    This patch reverts the `nssSlot_IsTokenPresent` changes made in bug 1663661 and bug 1679290, restoring the version used in NSS 3.58 and earlier. It's not an actual `hg backout` because the comment in lib/dev/devt.h is worth keeping.

    While removing the nested locking did resolve the hang for some (most?) third-party modules, problems remain with some slower tokens after an even further relaxation of the locking, which defeats the purpose of addressing the races in the first place. The crash addressed by these patches was caused by the Intermediate Preloading Healer in Firefox, which has been disabled.

    We clearly have insufficient test coverage for third-party modules, and now that osclientcerts is enabled in Fx Nightly, any problems caused by these and similar changes are unlikely to be reported until Fx Beta, well after NSS RTM. I think the best option at this point is to simply revert NSS.

    Differential Revision: https://phabricator.services.mozilla.com/D100344
* Bug 1679290 - Don't hold slot lock when taking session lock r=bbeurdouche | Kevin Jacobs | 2020-12-01 | 1 | -0/+14
    [[ https://hg.mozilla.org/projects/nss/rev/0ed11a5835ac1556ff978362cd61069d48f4c5db | 0ed11a5835ac1556ff978362cd61069d48f4c5db ]] fixed a number of race conditions related to NSSSlot member accesses. Unfortunately the locking order that was imposed by that patch has been found to cause problems for at least one PKCS11 module, libnsspem.

    This patch drops nested locking in favor of unlocking/re-locking. While this isn't perfect, the original problem in bug 1663661 was that `slot->token` could become NULL, which we can easily check after reacquiring.

    Differential Revision: https://phabricator.services.mozilla.com/D98247
* Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent. r=jcj | Kevin Jacobs | 2020-11-03 | 2 | -6/+19
    This patch addresses locking inconsistency in `nssSlot_IsTokenPresent` by retaining the slot lock for the duration of accesses to `slot->token`. This is already done correctly elsewhere. As a side effect, this introduces an ordering requirement: we take `slot->lock` followed by `session->lock`.

    Differential Revision: https://phabricator.services.mozilla.com/D95636
* Bug 1629553 Use order-prereq for $(MAKE_OBJDIR) r=rrelyea | Jan-Marek Glogowski | 2020-05-08 | 1 | -2/+1
    Introduces a simple "%/d" rule to create directories using $(MAKE_OBJDIR) and replaces all explicit $(MAKE_OBJDIR) calls with an order-only-prerequisites.

    To expand the $(@D) prerequisite, this needs .SECONDEXPANSION.

    Differential Revision: https://phabricator.services.mozilla.com/D70989
* Bug 1629553 Merge simple config.mk files r=rrelyea | Jan-Marek Glogowski | 2020-05-05 | 3 | -20/+7
    There is really no good reason to explicitly change the TARGET variable. And the empty SHARED_LIBRARY variable should also be in the manifest.mn to begin with.

    All the other empty variables start empty or undefined, so there is also no need to explicitly set them empty.

    Differential Revision: https://phabricator.services.mozilla.com/D70691
* Bug 290526 Drop recursive private_exports r=rrelyea | Jan-Marek Glogowski | 2020-05-05 | 2 | -4/+0
    Copying private headers is now simply included in the exports target, as these headers use an extra directory anyway.

    Differential Revision: https://phabricator.services.mozilla.com/D69021
* Bug 1603628 Update NSS to handle PKCS #11 v3.0 r=daiki r=mhoye | Robert Relyea | 2020-02-18 | 3 | -24/+24
    https://phabricator.services.mozilla.com/D63241

    This patch implements the first phase: updating the headers.

    lib/util/pkcs11.h
    lib/util/pkcs11f.h
    lib/util/pkcs11t.h

    Were updated using the released OASIS PKCS #11 v3.0 header files.
    lib/util/pkcs11n.h was updated to finally deprecate all uses of CK?_NETSCAPE_?.

    A new define was added: NSS_PKCS11_2_0_COMPAT. If it's defined, the small semantic changes (including the removal of deprecated defines) between the NSS PKCS #11 v2 header file and the new PKCS #11 v3 are reverted in favor of the PKCS #11 v2 definitions. This includes the removal of CK?_NETSCAPE_? in favor of CK?_NSS_?.

    One notable change was caused by an inconsistency between the spec and the released headers in PKCS #11 v2.40. CK_GCM_PARAMS had an extra field in the header that was not in the spec. OASIS considers the header file to be normative, so PKCS #11 v3.0 resolved the issue in favor of the header file definition. NSS had the spec definition, so now there are 2 defines for this structure:

    CK_NSS_GCM_PARAMS - the old nss define. Still used internally in freebl.
    CK_GCM_PARAMS_V3 - the new define.
    CK_GCM_PARAMS - no longer referenced in NSS itself. It's defined as CK_GCM_PARAMS_V3 if NSS_PKCS11_2_0_COMPAT is *not* defined, and it's defined as CKM_NSS_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is defined.

    Softoken has been updated to accept either CK_NSS_GCM_PARAMS or CK_GCM_PARAMS_V3. In a future patch NSS will be updated to use CK_GCM_PARAMS_V3 and fall back to CK_NSS_GMC_PARAMS.

    One other semantic difference between the 3.0 version of pkcs11f.h and the version here: In the OASIS version of the header, you must define CK_PKCS11_2_0_ONLY to get just the PKCS #11 v2 defines. In our version you must define CK_PKCS11_3 to get the PKCS #11 v3 defines.

    Most of this patch is to handle changing the deprecated defines that have been removed in PKCS #11 v3 from NSS.

    Differential Revision: https://phabricator.services.mozilla.com/D63241
* Bug 1461731 - wait indefinitely in nssSlot_IsTokenPresent; r=rrelyea,fkiefer | Nathan Froyd | 2018-05-30 | 1 | -1/+1
    Crashes for a particular hang have been spiking in the last month, and all the crashes are associated with macOS 10.12 and 10.13. The crashes look like this:

    Thread 1: waiting on a condition variable in nssSlot_IsTokenPresent
    Thread 2: waiting on the (contended) lock in nssSlot_IsTokenPresent
    Thread 3: waiting on the (contended) lock in nssSlot_IsTokenPresent

    Thread 2 and 3 are waiting on the lock associated with the condition variable that thread 1 is holding. One would expect that thread 1 would drop the lock associated with the condition variable when the wait occurs, and enable thread 2 or thread 3 to make progress.

    But the particular wait in question passes a (relative) timeout of zero (which corresponds to what would be PR_INTERVAL_NO_WAIT), which is unusual in NSS code and condition variable-using programs in general. A relative timeout of zero on macOS needs to be translated to an absolute time for the underlying API, pthread_cond_timedwait.

    What appears to be happening is that some absolute time, $NOW, is determined before calling pthread_cond_timedwait. We then call into pthread_cond_timedwait and do whatever work we need to do before checking whether the specified time ($NOW) has passed. Of course it has; we are at some time $NOW + epsilon, and so the wait times out. The wait appears to time out without the lock ever being released; if the lock was released, even if ever-so-shortly, presumably one of the other threads would be able to make progress.

    Since the hang only occurs on macOS 10.12 and 10.13, we are assuming that there was some change in the condition variable code that attempts to optimize extremely short timeouts, or treats timeouts of zero differently (even if inadvertently). The other possibility is this is the way macOS has always worked, and the crash data we have is only for those versions of the operating system.

    In any event, there's no need to specify a timeout of zero here. We can specify an "infinite" wait instead (PR_INTERVAL_NO_TIMEOUT) and let another thread make progress, waking us up when it is done.
* Bug 1458518, Nicknames of existing certificates in NSS SQL DB should remain unchanged on repeated import attempts, r=kaie | Robert Relyea | 2018-05-02 | 1 | -1/+3
* Bug 1447628, devslot: avoid deadlock when re-inserting a token, r=rrelyea | Daiki Ueno | 2018-03-22 | 2 | -7/+13
* Bug 1438277 - Be even more defensive about bad token implementations in nssCryptokiObject_Create r=ttaubert | David Keeler | 2018-02-27 | 1 | -1/+1
    Summary: add a null check in nssCryptokiObject_Create that seems to be necessary
    Reviewers: ttaubert
    Reviewed By: ttaubert
    Bug #: 1438277
    Differential Revision: https://phabricator.services.mozilla.com/D640
* bug 1054373 | Robert Relyea | 2018-02-14 | 2 | -7/+25
    Crash in PK11_DoesMechanism due to race condition
    fix additional race with reset.
    r=mt
* Bug 1054373 | Robert Relyea | 2018-01-15 | 2 | -18/+61
    Crash in PK11_DoesMechanism due to race condition
    Fix is present race.
    initial review r=rsleevi
    second review r=kamel
* Backed out changeset 272dde8958e9 | Martin Thomson | 2018-01-05 | 2 | -52/+14
    This seems to trigger assertion failures in PR_Unlock across a number of utilities. It seems intermittent and limited to win32 builds. It's also possible that this is a latent bug, but right now the change is making things noticeably worse.
* Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi | Robert Relyea | 2018-01-04 | 2 | -14/+52
* Backed out changeset 919051b7381e | Robert Relyea | 2018-01-03 | 2 | -55/+15
* Crash in PK11_DoesMechanism due to race condition | Robert Relyea | 2018-01-03 | 2 | -15/+55
    bug 1054373
    r=rsleevi
* Bug 1421788 - Add a length check in nssCryptokiObject_Create to maybe prevent null pointer deref r=ttaubert | David Keeler | 2017-12-01 | 1 | -1/+7
    Reviewers: ttaubert
    Reviewed By: ttaubert
    Bug #: 1421788
    Differential Revision: https://phabricator.services.mozilla.com/D302
* Bug 1381784, Avoid deadlock in nssSlot_IsTokenPresent, r=ttaubert | Daiki Ueno | 2017-07-18 | 1 | -6/+7
* Bug 1273678 - Own PK11SlotInfos in NSSSlot/NSSToken r=franziskus (thx=keeler) | Tim Taubert | 2017-05-29 | 2 | -6/+19
    Differential Revision: https://nss-review.dev.mozaws.net/D332
* From 5bfd9dd537eb2c932d40658a08c45ad4ef3cd9ef Mon Sep 17 00:00:00 2001 | varunnaganathan | 2016-08-17 | 2 | -41/+50
    Bug 1162897, Rename and export find_objects_by_template(), r=rrelyea
* Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea | Kamil Dudka | 2017-01-16 | 1 | -3/+10
* bug 1316604 - Add variables for <(nss_dist_dir)/{public,private}. r=franziskus | Ted Mielczarek | 2016-11-10 | 1 | -1/+1
    Mozilla's build system currently puts NSS public headers directly in $(DIST)/include/nss, so we need a way to override the export directory.
* Bug 1311615 - Building with gyp should copy headers, libs, executables to the right directory r=franziskus | Tim Taubert | 2016-10-21 | 1 | -2/+2
    Differential Revision: https://nss-dev.phacility.com/D104
* bug 1237872 - Add gyp build system for NSS. r=fkiefer | Ted Mielczarek | 2016-09-23 | 2 | -0/+57
* Backed out changeset 81e3545065ad | Kai Engert | 2016-09-26 | 2 | -24/+15
* Bug 1162897, Allow certificates to be specified by RFC7512 PKCS#11 URI, patch 0008, r=rrelyea | varunnaganathan | 2016-09-26 | 2 | -15/+24
    Rename and export find_objects_by_template()
* Bug 1251185, NSS clang-format: else line-break fixes, r=ttaubert [NSS_3_23_BETA7] | Franziskus Kiefer | 2016-02-25 | 4 | -106/+56
* Bug 1244152 - NSS clang-format: lib/dev, r=kaie [NSS_3_23_BETA3] | Franziskus Kiefer | 2016-02-05 | 10 | -2452/+2205
* Bug 1213980 - [CID 1286127] Variable objects going out of scope leaks the storage it points to, r=mt | Franziskus Kiefer | 2015-10-14 | 1 | -0/+1
* Bug 1182667 - Enable warnings as errors, r=rrelyea | Martin Thomson | 2015-08-17 | 2 | -5/+1
* Backed out changeset 4355f55afeb2 (Bug 1158489) | Martin Thomson | 2015-08-12 | 2 | -1/+5
* Bug 1182667 - Removing warnings, enabling -Werror, r=rrelyea | Martin Thomson | 2015-08-07 | 2 | -5/+1
* Bug 863871: Remove CVS keywords from NSS source files, Part 1 (trivial cases). r=wtc. | Brian Smith | 2013-04-25 | 14 | -46/+0
* Bug 845556, adjust Makefiles and tests to new NSS directory layout, r=wtc | Kai Engert | 2013-02-28 | 1 | -1/+1
    (Previous changeset with identical description was accidentally empty.)
* Bug 845556, reorganize NSS directory layout, moving files, very large changeset! r=wtc | Kai Engert | 2013-02-28 | 14 | -0/+5115