| ☠☠ backed out by 11f9875cfe18 ☠ ☠ | |
| author | Franziskus Kiefer <franziskuskiefer@gmail.com> |
| Tue, 06 Jun 2017 09:57:53 +0200 | |
| changeset 362545 | b5195ecbebe63d1a72448636283040c5a16ee5d4 |
| parent 362544 | ebc4d874b576956224e0b66ccb91658a9bf8b347 |
| child 362546 | 952cf10f8d8afa91d5b4e86702febfb0f19aa91e |
| push id | 31983 |
| push user | kwierso@gmail.com |
| push date | Wed, 07 Jun 2017 00:19:30 +0000 |
| treeherder | mozilla-central@5801aa478de1 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | me |
| bugs | 1345368 |
| milestone | 55.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1,1 +1,1 @@ -29290a4a9bd0 +NSS_3_31_BETA1
--- a/security/nss/automation/taskcluster/docker/setup.sh +++ b/security/nss/automation/taskcluster/docker/setup.sh @@ -42,19 +42,16 @@ apt_packages+=('g++-6-multilib') apt_packages+=('g++-4.8-multilib') apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 60C317803A41BA51845E371A1E9377A2BA9EF27F echo "deb http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu xenial main" > /etc/apt/sources.list.d/toolchain.list # Install packages. apt-get -y update apt-get install -y --no-install-recommends ${apt_packages[@]} -# 32-bit builds -ln -s /usr/include/x86_64-linux-gnu/zconf.h /usr/include - # Download clang. curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz curl -LO http://releases.llvm.org/4.0.0/clang+llvm-4.0.0-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig # Verify the signature. gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D gpg --verify *.tar.xz.sig # Install into /usr/local/. tar xJvf *.tar.xz -C /usr/local --strip-components=1
--- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -37,40 +37,39 @@ queue.filter(task => { // Make modular builds only on Linux make. if (task.symbol == "modular" && task.collection != "make") { return false; } } if (task.tests == "bogo" || task.tests == "interop") { // No windows - if (task.platform == "windows2012-64") { + if (task.platform == "windows2012-64" || + task.platform == "windows2012-32") { return false; } // No ARM; TODO: enable if (task.platform == "aarch64") { return false; } } // Only old make builds have -Ddisable_libpkix=0 and can run chain tests. - if (task.tests == "chains" && task.collection != "make" && - task.platform != "windows2012-64") { + if (task.tests == "chains" && task.collection != "make") { return false; } if (task.group == "Test") { // Don't run test builds on old make platforms if (task.collection == "make") { return false; } } - // Don't run additional hardware tests on ARM (we don't have anything there). if (task.group == "Cipher" && task.platform == "aarch64" && task.env && (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1" || task.env.NSS_DISABLE_AVX == "1")) { return false; } return true; @@ -149,23 +148,44 @@ export default async function main() { CCC: "clang++", }, platform: "linux64", collection: "asan", image: LINUX_IMAGE, features: ["allowPtrace"], }, "--ubsan --asan"); + await scheduleWindows("Windows 2012 64 (debug, make)", { + platform: "windows2012-64", + collection: "make", + env: {USE_64: "1"} + }, "build.sh"); + + await scheduleWindows("Windows 2012 32 (debug, make)", { + platform: "windows2012-32", + collection: "make" + }, "build.sh"); + await scheduleWindows("Windows 2012 64 (opt)", { - env: {BUILD_OPT: "1"} - }); + platform: "windows2012-64", + }, "build_gyp.sh --opt"); await scheduleWindows("Windows 2012 64 (debug)", { + platform: "windows2012-64", collection: "debug" - }); + }, "build_gyp.sh"); + + await scheduleWindows("Windows 2012 32 (opt)", { + platform: "windows2012-32", + }, "build_gyp.sh --opt -m32"); + + await scheduleWindows("Windows 2012 32 (debug)", { + platform: "windows2012-32", + collection: "debug" + }, "build_gyp.sh -m32"); await scheduleFuzzing(); await scheduleFuzzing32(); await scheduleTools(); let aarch64_base = { image: "franziskus/nss-aarch64-ci", @@ -570,38 +590,36 @@ async function scheduleTestBuilds(base, })); return queue.submit(); } /*****************************************************************************/ -async function scheduleWindows(name, base) { +async function scheduleWindows(name, base, build_script) { base = merge(base, { workerType: "nss-win2012r2", - platform: "windows2012-64", env: { PATH: "c:\\mozilla-build\\python;c:\\mozilla-build\\msys\\local\\bin;" + "c:\\mozilla-build\\7zip;c:\\mozilla-build\\info-zip;" + "c:\\mozilla-build\\python\\Scripts;c:\\mozilla-build\\yasm;" + "c:\\mozilla-build\\msys\\bin;c:\\Windows\\system32;" + "c:\\mozilla-build\\upx391w;c:\\mozilla-build\\moztools-x64\\bin;" + "c:\\mozilla-build\\wget", DOMSUF: "localdomain", HOST: "localhost", - USE_64: "1" } }); // Build base definition. let build_base = merge(base, { command: [ WINDOWS_CHECKOUT_CMD, - "bash -c nss/automation/taskcluster/windows/build.sh" + `bash -c 'nss/automation/taskcluster/windows/${build_script}'` ], artifacts: [{ expires: 24 * 7, type: "directory", path: "public\\build" }], kind: "build", symbol: "B"
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js @@ -17,18 +17,20 @@ function parseOptions(opts) { let builds = intersect(opts.build.split(""), ["d", "o"]); // If the given value is nonsense default to debug and opt builds. if (builds.length == 0) { builds = ["d", "o"]; } // Parse platforms. - let allPlatforms = ["linux", "linux64", "linux64-asan", "win64", - "linux64-make", "linux-make", "linux-fuzz", "linux64-fuzz", "aarch64"]; + let allPlatforms = ["linux", "linux64", "linux64-asan", + "win", "win64", "win-make", "win64-make", + "linux64-make", "linux-make", "linux-fuzz", + "linux64-fuzz", "aarch64"]; let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms); // If the given value is nonsense or "none" default to all platforms. if (platforms.length == 0 && opts.platform != "none") { platforms = allPlatforms; } // Parse unit tests. @@ -80,16 +82,19 @@ function filter(opts) { } // Filter unit tests. if (task.tests) { let found = opts.unittests.some(test => { if (task.group && task.group.toLowerCase() == "ssl" && test == "ssl") { return true; } + if (task.group && task.group.toLowerCase() == "cipher" && test == "cipher") { + return true; + } return task.symbol.toLowerCase().startsWith(test); }); if (!found) { return false; } } @@ -104,26 +109,30 @@ function filter(opts) { let found = opts.platforms.some(platform => { let aliases = { "linux": "linux32", "linux-fuzz": "linux32", "linux64-asan": "linux64", "linux64-fuzz": "linux64", "linux64-make": "linux64", "linux-make": "linux32", - "win64": "windows2012-64" + "win64-make": "windows2012-64", + "win-make": "windows2012-32", + "win64": "windows2012-64", + "win": "windows2012-32" }; // Check the platform name. let keep = (task.platform == (aliases[platform] || platform)); // Additional checks. if (platform == "linux64-asan") { keep &= coll("asan"); - } else if (platform == "linux64-make" || platform == "linux-make") { + } else if (platform == "linux64-make" || platform == "linux-make" || + platform == "win64-make" || platform == "win-make") { keep &= coll("make"); } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") { keep &= coll("fuzz"); } else { keep &= coll("opt") || coll("debug"); } return keep;
--- a/security/nss/automation/taskcluster/windows/build.sh +++ b/security/nss/automation/taskcluster/windows/build.sh @@ -1,14 +1,18 @@ #!/usr/bin/env bash set -v -e -x # Set up the toolchain. -source $(dirname $0)/setup.sh +if [ "$USE_64" = 1 ]; then + source $(dirname $0)/setup64.sh +else + source $(dirname $0)/setup32.sh +fi # Clone NSPR. hg_clone https://hg.mozilla.org/projects/nspr nspr default # Build. make -C nss nss_build_all # Package.
new file mode 100644 --- /dev/null +++ b/security/nss/automation/taskcluster/windows/build_gyp.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash + +set -v -e -x + +# Set up the toolchain. +if [[ "$@" == *"-m32"* ]]; then + source $(dirname $0)/setup32.sh +else + source $(dirname $0)/setup64.sh +fi + +# Install GYP. +cd gyp +python -m virtualenv test-env +test-env/Scripts/python setup.py install +test-env/Scripts/python -m pip install --upgrade pip +test-env/Scripts/pip install --upgrade setuptools +cd .. + +export GYP_MSVS_OVERRIDE_PATH="${VSPATH}" +export GYP_MSVS_VERSION="2015" +export GYP="${PWD}/gyp/test-env/Scripts/gyp" + +# Fool GYP. +touch "${VSPATH}/VC/vcvarsall.bat" + +# Clone NSPR. +hg_clone https://hg.mozilla.org/projects/nspr nspr default + +# Build with gyp. +GYP=${GYP} ./nss/build.sh -g -v "$@" + +# Package. +7z a public/build/dist.7z dist
--- a/security/nss/automation/taskcluster/windows/releng.manifest +++ b/security/nss/automation/taskcluster/windows/releng.manifest @@ -1,10 +1,26 @@ [ { "version": "Visual Studio 2015 Update 3 14.0.25425.01 / SDK 10.0.14393.0", "size": 326656969, "digest": "babc414ffc0457d27f5a1ed24a8e4873afbe2f1c1a4075469a27c005e1babc3b2a788f643f825efedff95b79686664c67ec4340ed535487168a3482e68559bc7", "algorithm": "sha512", "filename": "vs2015u3.zip", "unpack": true + }, + { + "version": "Ninja 1.7.1", + "size": 184821, + "digest": "e4f9a1ae624a2630e75264ba37d396d9c7407d6e6aea3763056210ba6e1387908bd31cf4037a6a3661a418e86c4d2761e0c333e6a3bd0d66549d2b0d72d3f43b", + "algorithm": "sha512", + "filename": "ninja171.zip", + "unpack": true + }, + { + "size": 13063963, + "visibility": "public", + "digest": "47a19f8f863eab3414abab2b9e9bd901ab896c799b3d9254b456b2f59374b085b99de805e21069a0819f01eecb3f43f7e2395a8c644c04bcbfa5711261cca29d", + "algorithm": "sha512", + "filename": "gyp-2017-05-23.zip", + "unpack": true } ]
--- a/security/nss/automation/taskcluster/windows/setup.sh +++ b/security/nss/automation/taskcluster/windows/setup.sh @@ -1,30 +1,26 @@ #!/usr/bin/env bash set -v -e -x +export VSPATH="$(pwd)/vs2015u3" +export NINJA_PATH="$(pwd)/ninja/bin" + +export WINDOWSSDKDIR="${VSPATH}/SDK" +export VS90COMNTOOLS="${VSPATH}/VC" +export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.14393.0/ucrt:${VSPATH}/SDK/Include/10.0.14393.0/shared:${VSPATH}/SDK/Include/10.0.14393.0/um" + # Usage: hg_clone repo dir [revision=@] hg_clone() { repo=$1 dir=$2 rev=${3:-@} for i in 0 2 5; do sleep $i hg clone -r "$rev" "$repo" "$dir" && return rm -rf "$dir" done exit 1 } hg_clone https://hg.mozilla.org/build/tools tools default - tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://api.pub.build.mozilla.org/tooltool/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache -VSPATH="$(pwd)/vs2015u3" - -export WINDOWSSDKDIR="${VSPATH}/SDK" -export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT" -export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64" - -export PATH="${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}" - -export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.14393.0/ucrt:${VSPATH}/SDK/Include/10.0.14393.0/shared:${VSPATH}/SDK/Include/10.0.14393.0/um" -export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.14393.0/um/x64"
new file mode 100644 --- /dev/null +++ b/security/nss/automation/taskcluster/windows/setup32.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -v -e -x + +source $(dirname $0)/setup.sh + +export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT" +export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86" +export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64_x86:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x86:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}" +export LIB="${VSPATH}/VC/lib:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.14393.0/um/x86"
new file mode 100644 --- /dev/null +++ b/security/nss/automation/taskcluster/windows/setup64.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -v -e -x + +source $(dirname $0)/setup.sh + +export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT" +export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64" +export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}" +export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.14393.0/um/x64"
--- a/security/nss/build.sh +++ b/security/nss/build.sh @@ -10,16 +10,17 @@ # This build system is still under development. It does not yet support all # the features or platforms that NSS supports. set -e cwd=$(cd $(dirname $0); pwd -P) source "$cwd"/coreconf/nspr.sh source "$cwd"/coreconf/sanitizers.sh +GYP=${GYP:-gyp} # Usage info show_help() { cat "$cwd"/help.txt } run_verbose() @@ -178,28 +179,28 @@ fi mkdir -p "$dist_dir" echo $target > "$dist_dir"/latest if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then nspr_build "${nspr_params[@]}" mv -f "$nspr_config".new "$nspr_config" fi if [ "$rebuild_gyp" = 1 ]; then - if ! hash gyp 2> /dev/null; then + if ! hash ${GYP} 2> /dev/null; then echo "Please install gyp" 1>&2 exit 1 fi # These extra arguments aren't used in determining whether to rebuild. obj_dir="$dist_dir"/$target gyp_params+=(-Dnss_dist_obj_dir=$obj_dir) if [ "$no_local_nspr" = 0 ]; then set_nspr_path "$obj_dir/include/nspr:$obj_dir/lib" fi - run_verbose run_scanbuild gyp -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp + run_verbose run_scanbuild ${GYP} -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp mv -f "$gyp_config".new "$gyp_config" fi # Run ninja. if hash ninja 2>/dev/null; then ninja=ninja elif hash ninja-build 2>/dev/null; then
--- a/security/nss/coreconf/config.gypi +++ b/security/nss/coreconf/config.gypi @@ -475,30 +475,32 @@ 'MinimumRequiredVersion': '5.01', # XP. 'TargetMachine': '1', 'ImageHasSafeExceptionHandlers': 'false', }, 'VCCLCompilerTool': { 'PreprocessorDefinitions': [ 'WIN32', ], + 'AdditionalOptions': [ '/EHsc' ], }, }, }], [ 'target_arch=="x64"', { 'msvs_configuration_platform': 'x64', 'msvs_settings': { 'VCLinkerTool': { 'TargetMachine': '17', # x86-64 }, 'VCCLCompilerTool': { 'PreprocessorDefinitions': [ 'WIN64', '_AMD64_', ], + 'AdditionalOptions': [ '/EHsc' ], }, }, }], ], }], [ 'disable_dbm==1', { 'defines': [ 'NSS_DISABLE_DBM',
--- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -5,8 +5,9 @@ /* * A dummy header file that is a dependency for all the object files. * Used to force a full recompilation of NSS in Mozilla's Tinderbox * depend builds. See comments in rules.mk. */ #error "Do not include this header file." +
--- a/security/nss/cpputil/scoped_ptrs.h +++ b/security/nss/cpputil/scoped_ptrs.h @@ -29,16 +29,17 @@ struct ScopedDelete { void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); } void operator()(SECItem* item) { SECITEM_FreeItem(item, true); } void operator()(SECKEYPublicKey* key) { SECKEY_DestroyPublicKey(key); } void operator()(SECKEYPrivateKey* key) { SECKEY_DestroyPrivateKey(key); } void operator()(SECKEYPrivateKeyList* list) { SECKEY_DestroyPrivateKeyList(list); } void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); } + void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); } }; template <class T> struct ScopedMaybeDelete { void operator()(T* ptr) { if (ptr) { ScopedDelete del; del(ptr); @@ -57,12 +58,13 @@ SCOPED(PK11SlotInfo); SCOPED(PK11SymKey); SCOPED(PRFileDesc); SCOPED(SECAlgorithmID); SCOPED(SECItem); SCOPED(SECKEYPublicKey); SCOPED(SECKEYPrivateKey); SCOPED(SECKEYPrivateKeyList); SCOPED(PK11URI); +SCOPED(PLArenaPool); #undef SCOPED #endif // scoped_ptrs_h__
--- a/security/nss/fuzz/config/clone_libfuzzer.sh +++ b/security/nss/fuzz/config/clone_libfuzzer.sh @@ -1,6 +1,6 @@ #!/bin/sh -LIBFUZZER_REVISION=8837e6cbbc842ab7524b06a2f7360c36add316b3 +LIBFUZZER_REVISION=56bd1d43451cca4b6a11d3be316bb77ab159b09d d=$(dirname $0) $d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer
new file mode 100644 --- /dev/null +++ b/security/nss/gtests/freebl_gtest/ecl_unittest.cc @@ -0,0 +1,124 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this file, +// You can obtain one at http://mozilla.org/MPL/2.0/. + +#include "gtest/gtest.h" + +#include <stdint.h> + +#include "blapi.h" +#include "scoped_ptrs.h" +#include "secerr.h" + +namespace nss_test { + +class ECLTest : public ::testing::Test { + protected: + const ECCurveName GetCurveName(std::string name) { + if (name == "P256") return ECCurve_NIST_P256; + if (name == "P384") return ECCurve_NIST_P384; + if (name == "P521") return ECCurve_NIST_P521; + return ECCurve_pastLastCurve; + } + std::vector<uint8_t> hexStringToBytes(std::string s) { + std::vector<uint8_t> bytes; + for (size_t i = 0; i < s.length(); i += 2) { + bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16)); + } + return bytes; + } + std::string bytesToHexString(std::vector<uint8_t> bytes) { + std::stringstream s; + for (auto b : bytes) { + s << std::setfill('0') << std::setw(2) << std::uppercase << std::hex + << static_cast<int>(b); + } + return s.str(); + } + void ecName2params(const std::string curve, SECItem *params) { + SECOidData *oidData = nullptr; + + switch (GetCurveName(curve)) { + case ECCurve_NIST_P256: + oidData = SECOID_FindOIDByTag(SEC_OID_ANSIX962_EC_PRIME256V1); + break; + case ECCurve_NIST_P384: + oidData = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP384R1); + break; + case ECCurve_NIST_P521: + oidData = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP521R1); + break; + default: + FAIL(); + } + ASSERT_NE(oidData, nullptr); + + if (SECITEM_AllocItem(nullptr, params, (2 + oidData->oid.len)) == nullptr) { + FAIL() << "Couldn't allocate memory for OID."; + } + params->data[0] = SEC_ASN1_OBJECT_ID; + params->data[1] = oidData->oid.len; + memcpy(params->data + 2, oidData->oid.data, oidData->oid.len); + } + + void TestECDH_Derive(const std::string p, const std::string secret, + const std::string group_name, const std::string result, + const SECStatus expected_status) { + ECParams ecParams = {0}; + ScopedSECItem ecEncodedParams(SECITEM_AllocItem(nullptr, nullptr, 0U)); + ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE)); + + ASSERT_TRUE(arena && ecEncodedParams); + + ecName2params(group_name, ecEncodedParams.get()); + EC_FillParams(arena.get(), ecEncodedParams.get(), &ecParams); + + std::vector<uint8_t> p_bytes = hexStringToBytes(p); + ASSERT_GT(p_bytes.size(), 0U); + SECItem public_value = {siBuffer, p_bytes.data(), + static_cast<unsigned int>(p_bytes.size())}; + + std::vector<uint8_t> secret_bytes = hexStringToBytes(secret); + ASSERT_GT(secret_bytes.size(), 0U); + SECItem secret_value = {siBuffer, secret_bytes.data(), + static_cast<unsigned int>(secret_bytes.size())}; + + ScopedSECItem derived_secret(SECITEM_AllocItem(nullptr, nullptr, 0U)); + + SECStatus rv = ECDH_Derive(&public_value, &ecParams, &secret_value, false, + derived_secret.get()); + ASSERT_EQ(expected_status, rv); + if (expected_status != SECSuccess) { + // Abort when we expect an error. + return; + } + + std::string derived_result = bytesToHexString(std::vector<uint8_t>( + derived_secret->data, derived_secret->data + derived_secret->len)); + std::cout << "derived secret: " << derived_result << std::endl; + EXPECT_EQ(derived_result, result); + } +}; + +TEST_F(ECLTest, TestECDH_DeriveP256) { + TestECDH_Derive( + "045ce5c643dffa402bc1837bbcbc223e51d06f20200470d341adfa9deed1bba10e850a16" + "368b673732a5c220a778990b22a0e74cdc3b22c7410b9dd552a5635497", + "971", "P256", "0", SECFailure); +} +TEST_F(ECLTest, TestECDH_DeriveP521) { + TestECDH_Derive( + "04" + "00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b" + "5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66" + "011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee" + "72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", + "01fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa5186" + "8783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e913863f7", + "P521", + "01BC33425E72A12779EACB2EDCC5B63D1281F7E86DBC7BF99A7ABD0CFE367DE4666D6EDB" + "B8525BFFE5222F0702C3096DEC0884CE572F5A15C423FDF44D01DD99C61D", + SECSuccess); +} + +} // nss_test
--- a/security/nss/gtests/freebl_gtest/freebl_gtest.gyp +++ b/security/nss/gtests/freebl_gtest/freebl_gtest.gyp @@ -8,16 +8,17 @@ ], 'targets': [ { 'target_name': 'freebl_gtest', 'type': 'executable', 'sources': [ 'mpi_unittest.cc', 'dh_unittest.cc', + 'ecl_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', '<(DEPTH)/lib/util/util.gyp:nssutil3', '<(DEPTH)/gtests/google_test/google_test.gyp:gtest', '<(DEPTH)/lib/nss/nss.gyp:nss_static', '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static', @@ -60,16 +61,17 @@ 'defines': [ 'NSS_USE_STATIC_LIBS' ], }, ], 'target_defaults': { 'include_dirs': [ '<(DEPTH)/lib/freebl/mpi', + '<(DEPTH)/lib/freebl/', ], # For test builds we have to set MPI defines. 'conditions': [ [ 'ct_verif==1', { 'defines': [ 'CT_VERIF', ], }],
--- a/security/nss/gtests/freebl_gtest/mpi_unittest.cc +++ b/security/nss/gtests/freebl_gtest/mpi_unittest.cc @@ -1,21 +1,16 @@ // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this file, // You can obtain one at http://mozilla.org/MPL/2.0/. -#include "secdert.h" -#include "secitem.h" -#include "secport.h" - #include "gtest/gtest.h" #include <stdint.h> #include <string.h> -#include <string> #ifdef __MACH__ #include <mach/clock.h> #include <mach/mach.h> #endif #include "mpi.h" namespace nss_test {
--- a/security/nss/gtests/freebl_gtest/prng_kat_unittest.cc +++ b/security/nss/gtests/freebl_gtest/prng_kat_unittest.cc @@ -29,29 +29,30 @@ typedef struct PRNGTestValuesStr { std::vector<PRNGTestValues> test_vector; bool contains(std::string& s, const char* to_find) { return s.find(to_find) != std::string::npos; } std::string trim(std::string str) { - std::string whitespace = " \t"; + std::string whitespace = " \t\r\n"; const auto strBegin = str.find_first_not_of(whitespace); if (strBegin == std::string::npos) { return ""; } const auto strEnd = str.find_last_not_of(whitespace); const auto strRange = strEnd - strBegin + 1; return str.substr(strBegin, strRange); } std::vector<uint8_t> hex_string_to_bytes(std::string s) { std::vector<uint8_t> bytes; - for (size_t i = 0; i < s.length() - 1; i += 2) { + assert(s.length() % 2 == 0); + for (size_t i = 0; i < s.length(); i += 2) { bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16)); } return bytes; } std::vector<uint8_t> read_option_s(std::string& s) { size_t start = s.find("=") + 1; assert(start > 0);
--- a/security/nss/lib/ckfw/builtins/builtins.gyp +++ b/security/nss/lib/ckfw/builtins/builtins.gyp @@ -14,44 +14,46 @@ 'bfind.c', 'binst.c', 'bobject.c', 'bsession.c', 'bslot.c', 'btoken.c', 'ckbiver.c', 'constants.c', - '<(INTERMEDIATE_DIR)/certdata.c' + '<(certdata_c)', ], 'dependencies': [ '<(DEPTH)/exports.gyp:nss_exports', '<(DEPTH)/lib/ckfw/ckfw.gyp:nssckfw', '<(DEPTH)/lib/base/base.gyp:nssb' ], 'actions': [ { 'msvs_cygwin_shell': 0, 'action': [ - 'perl', - 'certdata.perl', + 'python', + 'certdata.py', 'certdata.txt', '<@(_outputs)', ], 'inputs': [ + 'certdata.py', 'certdata.perl', 'certdata.txt' ], 'outputs': [ - '<(INTERMEDIATE_DIR)/certdata.c' + '<(certdata_c)' ], 'action_name': 'generate_certdata_c' } ], 'variables': { - 'mapfile': 'nssckbi.def' + 'mapfile': 'nssckbi.def', + 'certdata_c': '<(INTERMEDIATE_DIR)/certdata.c', } } ], 'target_defaults': { 'include_dirs': [ '.' ] },
new file mode 100755 --- /dev/null +++ b/security/nss/lib/ckfw/builtins/certdata.py @@ -0,0 +1,18 @@ +#!/usr/bin/env python +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import subprocess +import os +import sys + +def main(): + args = [os.path.realpath(x) for x in sys.argv[1:]] + script = os.path.dirname(os.path.abspath(__file__))+'/certdata.perl' + subprocess.check_call([os.environ.get('PERL', 'perl'), script] + args, + env=os.environ) + +if __name__ == '__main__': + main()
--- a/security/nss/lib/dev/devslot.c +++ b/security/nss/lib/dev/devslot.c @@ -26,16 +26,17 @@ static PRIntervalTime s_token_delay_time = 0; NSS_IMPLEMENT PRStatus nssSlot_Destroy( NSSSlot *slot) { if (slot) { if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) { + PK11_FreeSlot(slot->pk11slot); PZ_DestroyLock(slot->base.lock); return nssArena_Destroy(slot->base.arena); } } return PR_SUCCESS; } void @@ -219,20 +220,27 @@ nssSlot_GetCryptokiEPV( { return slot->epv; } NSS_IMPLEMENT NSSToken * nssSlot_GetToken( NSSSlot *slot) { - if (nssSlot_IsTokenPresent(slot)) { - return nssToken_AddRef(slot->token); + NSSToken *rvToken = NULL; + nssSlot_EnterMonitor(slot); + + /* Even if a token should be present, check `slot->token` too as it + * might be gone already. This would happen mostly on shutdown. */ + if (nssSlot_IsTokenPresent(slot) && slot->token) { + rvToken = nssToken_AddRef(slot->token); } - return (NSSToken *)NULL; + + nssSlot_ExitMonitor(slot); + return rvToken; } NSS_IMPLEMENT PRStatus nssSession_EnterMonitor( nssSession *s) { if (s->lock) PZ_Lock(s->lock);
--- a/security/nss/lib/dev/devtoken.c +++ b/security/nss/lib/dev/devtoken.c @@ -24,21 +24,26 @@ extern const NSSError NSS_ERROR_PKCS11; #define OBJECT_STACK_SIZE 16 NSS_IMPLEMENT PRStatus nssToken_Destroy( NSSToken *tok) { if (tok) { if (PR_ATOMIC_DECREMENT(&tok->base.refCount) == 0) { + PK11_FreeSlot(tok->pk11slot); PZ_DestroyLock(tok->base.lock); nssTokenObjectCache_Destroy(tok->cache); - /* The token holds the first/last reference to the slot. - * When the token is actually destroyed, that ref must go too. - */ + + /* We're going away, let the nssSlot know in case it's held + * alive by someone else. Usually we should hold the last ref. */ + nssSlot_EnterMonitor(tok->slot); + tok->slot->token = NULL; + nssSlot_ExitMonitor(tok->slot); + (void)nssSlot_Destroy(tok->slot); return nssArena_Destroy(tok->base.arena); } } return PR_SUCCESS; } NSS_IMPLEMENT void
--- a/security/nss/lib/freebl/ecl/ecp_jm.c +++ b/security/nss/lib/freebl/ecl/ecp_jm.c @@ -122,16 +122,27 @@ ec_GFp_pt_add_jm_aff(const mp_int *px, c } /* A = qx * pz^2, B = qy * pz^3 */ MP_CHECKOK(group->meth->field_sqr(pz, A, group->meth)); MP_CHECKOK(group->meth->field_mul(A, pz, B, group->meth)); MP_CHECKOK(group->meth->field_mul(A, qx, A, group->meth)); MP_CHECKOK(group->meth->field_mul(B, qy, B, group->meth)); + /* Check P == Q */ + if (mp_cmp(A, px) == 0) { + if (mp_cmp(B, py) == 0) { + /* If Px == Qx && Py == Qy, double P. */ + return ec_GFp_pt_dbl_jm(px, py, pz, paz4, rx, ry, rz, raz4, + scratch, group); + } + /* If Px == Qx && Py != Qy, return point at infinity. */ + return ec_GFp_pt_set_inf_jac(rx, ry, rz); + } + /* C = A - px, D = B - py */ MP_CHECKOK(group->meth->field_sub(A, px, C, group->meth)); MP_CHECKOK(group->meth->field_sub(B, py, D, group->meth)); /* C2 = C^2, C3 = C^3 */ MP_CHECKOK(group->meth->field_sqr(C, C2, group->meth)); MP_CHECKOK(group->meth->field_mul(C, C2, C3, group->meth));
--- a/security/nss/lib/pk11wrap/dev3hack.c +++ b/security/nss/lib/pk11wrap/dev3hack.c @@ -109,17 +109,17 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD rvSlot = nss_ZNEW(arena, NSSSlot); if (!rvSlot) { nssArena_Destroy(arena); return NULL; } rvSlot->base.refCount = 1; rvSlot->base.lock = PZ_NewLock(nssILockOther); rvSlot->base.arena = arena; - rvSlot->pk11slot = nss3slot; + rvSlot->pk11slot = PK11_ReferenceSlot(nss3slot); rvSlot->epv = nss3slot->functionList; rvSlot->slotID = nss3slot->slotID; /* Grab the slot name from the PKCS#11 fixed-length buffer */ rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena); rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; return rvSlot; } @@ -145,17 +145,17 @@ nssToken_CreateFromPK11SlotInfo(NSSTrust } rvToken->base.refCount = 1; rvToken->base.lock = PZ_NewLock(nssILockOther); if (!rvToken->base.lock) { nssArena_Destroy(arena); return NULL; } rvToken->base.arena = arena; - rvToken->pk11slot = nss3slot; + rvToken->pk11slot = PK11_ReferenceSlot(nss3slot); rvToken->epv = nss3slot->functionList; rvToken->defaultSession = nssSession_ImportNSS3Session(td->arena, nss3slot->session, nss3slot->sessionLock, nss3slot->defRWSession); #if 0 /* we should do this instead of blindly continuing. */ if (!rvToken->defaultSession) { PORT_SetError(SEC_ERROR_NO_TOKEN);
--- a/security/nss/lib/softoken/legacydb/legacydb.gyp +++ b/security/nss/lib/softoken/legacydb/legacydb.gyp @@ -52,15 +52,15 @@ 'mapfile': 'nssdbm.def' } } ], 'target_defaults': { 'defines': [ 'SHLIB_SUFFIX=\"<(dll_suffix)\"', 'SHLIB_PREFIX=\"<(dll_prefix)\"', - 'LG_LIB_NAME=\"libnssdbm3.so\"' + 'LG_LIB_NAME=\"<(dll_prefix)nssdbm3.<(dll_suffix)\"' ] }, 'variables': { 'module': 'nss' } }
--- a/security/nss/lib/softoken/softoken.gyp +++ b/security/nss/lib/softoken/softoken.gyp @@ -86,16 +86,16 @@ 'mapfile': 'softokn.def' } } ], 'target_defaults': { 'defines': [ 'SHLIB_SUFFIX=\"<(dll_suffix)\"', 'SHLIB_PREFIX=\"<(dll_prefix)\"', - 'SOFTOKEN_LIB_NAME=\"libsoftokn3.so\"', + 'SOFTOKEN_LIB_NAME=\"<(dll_prefix)softokn3.<(dll_suffix)\"', 'SHLIB_VERSION=\"3\"' ] }, 'variables': { 'module': 'nss' } }