[Classic] Update SQLite, NSS and NSPR. #1725
Merged
This also moves the implementation of nsIPKCS11ModuleDB into its own file. MozReview-Commit-ID: LYXixzbx3Ia
…er's NSS database r=Cykesiopka,jcj The sqlite-backed NSS database implementation requires explicitly setting some kind of pin (password, really). To maintain behavior compatibility with the old database implementation, we set the pin to the empty string as necessary. Previously this would only happen on Android (NSS_DISABLE_DBM builds), but because we're moving towards using the sqlite-backed implementation on all platforms, we should enable this code everywhere and move it to a more central location. This also fixes some now-unnecessary test behavior. MozReview-Commit-ID: KKtxmvOZt78
…when we use the sqlite-backed databases r=jcj This handles the different error code returned by NSS and that the pkcs#11 module db has a different filename. MozReview-Commit-ID: HJK4zsf6IS0
…abases r=Cykesiopka,jcj In the future, bug 1377940 will make the sqlite-backed databases the default, but until we're sure this will stick we want to be able to control this with a Firefox-only change. The use of a preference to configure which format to use will hopefully allow us to restore the old behavior quickly and relatively safely if necessary. Note that doing this should be done with care; any changes made in the sqlite databases after upgrade migration will not be reflected if we need to go back to the old database format. Thus, user data (imported CAs, client certificates, and keys) can be lost. MozReview-Commit-ID: tkovdiCU9v
…SQLite function, r=asuth, r=froydnj, r=mak
…ofile migration code NSS stores the password encrypting key in key3.db. When Firefox uses the sqlite-backed NSS databases by default (bug 783994), this file will be called key4.db. The Firefox profile migration code needs to know this.
MOZPSM_NSSDBDIR_OVERRIDE was added in bug 462919 for integration with xulrunner applications. Upcoming changes we're aiming to make with how PSM handles NSS and the certificate/key databases (e.g. making the sqlite-backed implementation mandatory) mean we have to take this feature into account. xulrunner isn't supported any longer. Searching the web for "MOZPSM_NSSDBDIR_OVERRIDE" yields two kinds of results: mozilla-central source code and a man page for nss-gui, which it seems is the only project that ever made use of MOZPSM_NSSDBDIR_OVERRIDE (and hasn't been updated since 2013, from what I can tell). I think it's fair to conclude that this isn't a widely-used (let alone known) feature. To make development easier, we should remove it. MozReview-Commit-ID: 56vcTYSzDPq
MozReview-Commit-ID: 2K8JVGc0mAj
…acked NSS DBs r=jcj MozReview-Commit-ID: 2qoJz5gDPyY
…adable roots have been loaded r=Cykesiopka This was missed in the original implementation of bug 1372656. MozReview-Commit-ID: 8Sm26YlxZ7l
…nterfaces r=Cykesiopka MozReview-Commit-ID: FKO6G6ZKjAZ
…franziskus, r=mattn, a=RyanVM Reviewers: franziskus, mattn Bug #: 1475775 Differential Revision: https://phabricator.services.mozilla.com/D2202
…the old one r=jcj In bug 1475775, we added code to remove the old NSS key DB if the user has set a password on the grounds that the old DB could potentially be unencrypted and contain secrets. However, we did so with the assumption that we were using the new DB, which is not necessarily true when the system has been configured to always use the old DB, as with some RedHat products. This patch checks for the existence of the new DB before proceeding with deleting the old DB. Technically this isn't sufficient, because the new DB could be present even if we're not using it. However, we've already gone far into "this configuration isn't supported" territory. Differential Revision: https://phabricator.services.mozilla.com/D9318
…toshi Kimura, r=kaie
Apparently a prehistoric server implementation would send a certificate_authorities field that didn't include the outer DER SEQUENCE tag, so PSM attempted to detect this and work around it. Telemetry indicates this is unnecessary now: https://mzl.la/2Lbi1Lz
…Data_HasDigests in security/nss.symbols, r=jcj
NSS 3.42 added a new build flag, enable_sslkeylogfile, to toggle the availability of the SSLKEYLOGFILE variable (see Bug 1515236 and Bug 1519209).
I did one thing from #1630. I also made scripts for updating NSS and NSPR.
Because of a lot of updates and migration from DBM to SQL file format, this should be well tested.
I did some tests on Linux and it seems that all is migrated and works fine.
However there are some things like https://bugzilla.mozilla.org/show_bug.cgi?id=1435376 and https://bugzilla.mozilla.org/show_bug.cgi?id=1444943 and https://bugzilla.mozilla.org/show_bug.cgi?id=1607652, which I didn't check/add.
This also helps for https://www.reddit.com/r/waterfox/comments/i6mptw/no_tls_13/, but I didn't activate TLS 1.3 as default; I keep that decision for you, but it looks like all that is needed for TLS 1.3 is already done.
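
The commit messages above describe the move from the DBM NSS databases (key3.db) to the sqlite-backed ones (key4.db), including the case where the old key DB is left next to the new one. The following is an added example, not code from this pull request or from NSS, for checking which state a profile directory is in after an upgrade. The file names other than key3.db and key4.db are NSS's usual names and are not stated on this page; the function names are hypothetical.

```python
import sys
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"            # 16-byte SQLite file header
LEGACY = ("cert8.db", "key3.db", "secmod.db")    # DBM-format NSS files
SQLITE = ("cert9.db", "key4.db", "pkcs11.txt")   # sqlite-backed NSS files


def is_sqlite(path):
    """Return True if the file starts with the SQLite header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def audit_profile(profile_dir):
    """Classify the NSS database state of one profile directory."""
    p = Path(profile_dir)
    legacy = [n for n in LEGACY if (p / n).is_file()]
    sqlite = [n for n in SQLITE if (p / n).is_file()]
    findings = []
    # A cert9.db/key4.db that is not SQLite suggests a broken migration.
    for name in ("cert9.db", "key4.db"):
        if name in sqlite and not is_sqlite(p / name):
            findings.append(f"{name} lacks a SQLite header")
    # Per the commit message above, an old key DB may hold secrets
    # unencrypted, so a leftover key3.db is worth a manual review.
    if "key3.db" in legacy and "key4.db" in sqlite:
        findings.append("key3.db still present next to key4.db")
    if legacy and sqlite:
        state = "both"
    elif legacy:
        state = "legacy-only"
    elif sqlite:
        state = "sqlite-only"
    else:
        state = "empty"
    return {"state": state, "legacy": legacy, "sqlite": sqlite,
            "findings": findings}


if __name__ == "__main__":
    # Usage: pass the profile directory as the first argument.
    report = audit_profile(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(report["state"], report["legacy"], report["sqlite"])
    for finding in report["findings"]:
        print("review:", finding)
```
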