Bug 1523175 - land NSS 536fd7c9db5a UPGRADE_NSS_RELEASE, r=me
authorJ.C. Jones <jc@mozilla.com>
Fri, 01 Mar 2019 15:42:49 +0000
changeset 519992 5e4d951c88fdaf4a2be82dc8b855fbd5fd4f3644
parent 519991 f8fb6e47bb24093cb635cb475d1ff3df2d8697b0
child 519993 e2a5031c85cd9c7bb7c87c8afe4510bc3711c436
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
treeherdermozilla-beta@a2e7f5c935da [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme
bugs1523175
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1523175 - land NSS 536fd7c9db5a UPGRADE_NSS_RELEASE, r=me
security/nss/TAG-INFO
security/nss/build.sh
security/nss/coreconf/config.gypi
security/nss/coreconf/coreconf.dep
security/nss/help.txt
security/nss/lib/pk11wrap/pk11pars.c
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/pk11wrap/secmodi.h
security/nss/mach
security/nss/nss.gyp
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-f7be0a534e89
+536fd7c9db5a
--- a/security/nss/build.sh
+++ b/security/nss/build.sh
@@ -98,16 +98,17 @@ while [ $# -gt 0 ]; do
         --ct-verif) gyp_params+=(-Dct_verif=1) ;;
         --nspr) nspr_clean; rebuild_nspr=1 ;;
         --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
         --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
         --system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
         --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
         --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
         --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
+	-D*) gyp_params+=("$1") ;;
         *) show_help; exit 2 ;;
     esac
     shift
 done
 
 # Set the target architecture and build type.
 gyp_params+=(-Dtarget_arch="$target_arch")
 if [ "$opt_build" = 1 ]; then
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -89,16 +89,17 @@
     'cc_use_gnu_ld%': '<(cc_use_gnu_ld)',
     # Some defaults
     'disable_tests%': 0,
     'disable_chachapoly%': 0,
     'disable_dbm%': 0,
     'disable_libpkix%': 1,
     'disable_werror%': 0,
     'mozilla_client%': 0,
+    'comm_client%': 0,
     'moz_fold_libs%': 0,
     'moz_folded_library_name%': '',
     'sanitizer_flags%': 0,
     'test_build%': 0,
     'no_zdefs%': 0,
     'fuzz%': 0,
     'fuzz_tls%': 0,
     'fuzz_oss%': 0,
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/help.txt
+++ b/security/nss/help.txt
@@ -1,17 +1,17 @@
 Usage: build.sh [-h] [-c|-cc] [-v] [-j <n>] [--gyp|-g] [--opt|-o]
                 [-t <x64|x86|...>|--target=<x64|x86|...>]
                 [--clang|--gcc|--msvc] [--scan-build[=dir]] [--disable-tests]
                 [--pprof] [--asan] [--msan] [--ubsan[=bool,shift,...]
                 [--fuzz[=tls|oss]] [--sancov[=edge|bb|func|...]]
                 [--emit-llvm] [--no-zdefs] [--test] [--ct-verif]
                 [--nspr|--with-nspr=<include>:<lib>|--system-nspr]
                 [--system-sqlite] [--enable-fips] [--enable-libpkix]
-                [--mozpkix-only]
+                [--mozpkix-only] [-D<gyp-option>]
 
 This script builds NSS with gyp and ninja.
 
 NSS build tool options:
 
     -h               display this help and exit
     -c               clean before build
     -cc              clean without building
@@ -46,8 +46,9 @@ NSS build tool options:
                      --with-nspr=<include>:<lib> sets include and lib paths
     --system-nspr    attempt to use system nspr
                      shorthand for --with-nspr=/usr/include/nspr:
     --system-sqlite  use system sqlite
     --enable-fips    enable FIPS checks
     --enable-libpkix make libpkix part of the build
     --mozpkix-only   build only static mozpkix and mozpkix-test libraries
                      support for this build option is limited
+    -D<gyp-option>   pass an option directly to gyp
--- a/security/nss/lib/pk11wrap/pk11pars.c
+++ b/security/nss/lib/pk11wrap/pk11pars.c
@@ -810,16 +810,20 @@ SECMOD_CreateModuleEx(const char *librar
     }
     /* new field */
     if (parameters) {
         mod->libraryParams = PORT_ArenaStrdup(mod->arena, parameters);
     }
 
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+    /* if the system FIPS mode is enabled, force FIPS to be on */
+    if (secmod_GetSystemFIPSEnabled()) {
+        mod->isFIPS = PR_TRUE;
+    }
     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
                                              &mod->slotInfoCount);
     if (slotParams)
         PORT_Free(slotParams);
     /* new field */
     mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder", nssc,
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -90,16 +90,41 @@ SECMOD_Shutdown()
 #endif
     if (secmod_PrivateModuleCount) {
         PORT_SetError(SEC_ERROR_BUSY);
         return SECFailure;
     }
     return SECSuccess;
 }
 
+int
+secmod_GetSystemFIPSEnabled(void)
+{
+#ifdef LINUX
+    FILE *f;
+    char d;
+    size_t size;
+
+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+    if (!f) {
+        return 0;
+    }
+
+    size = fread(&d, 1, sizeof(d), f);
+    fclose(f);
+    if (size != sizeof(d)) {
+        return 0;
+    }
+    if (d == '1') {
+        return 1;
+    }
+#endif
+    return 0;
+}
+
 /*
  * retrieve the internal module
  */
 SECMODModule *
 SECMOD_GetInternalModule(void)
 {
     return internalModule;
 }
@@ -423,17 +448,17 @@ SECMOD_DeleteModule(const char *name, in
  */
 SECStatus
 SECMOD_DeleteInternalModule(const char *name)
 {
     SECMODModuleList *mlp;
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
-    if (pendingModule) {
+    if (secmod_GetSystemFIPSEnabled() || pendingModule) {
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
         return rv;
     }
     if (!moduleLock) {
         PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
         return rv;
     }
 
@@ -958,17 +983,17 @@ SECMOD_DestroyModuleList(SECMODModuleLis
 }
 
 PRBool
 SECMOD_CanDeleteInternalModule(void)
 {
 #ifdef NSS_FIPS_DISABLED
     return PR_FALSE;
 #else
-    return (PRBool)(pendingModule == NULL);
+    return (PRBool)((pendingModule == NULL) && !secmod_GetSystemFIPSEnabled());
 #endif
 }
 
 /*
  * check to see if the module has added new slots. PKCS 11 v2.20 allows for
  * modules to add new slots, but never remove them. Slots cannot be added
  * between a call to C_GetSlotLlist(Flag, NULL, &count) and the subsequent
  * C_GetSlotList(flag, &data, &count) so that the array doesn't accidently
--- a/security/nss/lib/pk11wrap/secmodi.h
+++ b/security/nss/lib/pk11wrap/secmodi.h
@@ -110,16 +110,23 @@ SECStatus PBE_PK11ParamToAlgid(SECOidTag
 PK11SymKey *pk11_TokenKeyGenWithFlagsAndKeyType(PK11SlotInfo *slot,
                                                 CK_MECHANISM_TYPE type, SECItem *param, CK_KEY_TYPE keyType,
                                                 int keySize, SECItem *keyId, CK_FLAGS opFlags,
                                                 PK11AttrFlags attrFlags, void *wincx);
 
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
 
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int secmod_GetSystemFIPSEnabled();
+
 extern void pk11sdr_Init(void);
 extern void pk11sdr_Shutdown(void);
 
 /*
  * Private to pk11wrap.
  */
 
 PRBool pk11_LoginStillRequired(PK11SlotInfo *slot, void *wincx);
--- a/security/nss/mach
+++ b/security/nss/mach
@@ -34,38 +34,43 @@ def run_tests(test, cycles="standard", e
     })
     os_env = os.environ
     os_env.update(env)
     command = cwd + "/tests/all.sh"
     stdout = stderr = DEVNULL if silent else None
     subprocess.check_call(command, env=os_env, stdout=stdout, stderr=stderr)
 
 class cfAction(argparse.Action):
-    docker_command = ["docker"]
+    docker_command = None
     restorecon = None
 
     def __call__(self, parser, args, values, option_string=None):
-        if not args.noroot:
-            self.setDockerCommand()
+        self.setDockerCommand(args)
 
         if values:
             files = [os.path.relpath(os.path.abspath(x), start=cwd) for x in values]
         else:
             files = self.modifiedFiles()
-        files = [os.path.join('/home/worker/nss', x) for x in files]
 
         # First check if we can run docker.
         try:
             with open(os.devnull, "w") as f:
                 subprocess.check_call(
                     self.docker_command + ["images"], stdout=f)
         except:
-            print("Please install docker and start the docker daemon.")
-            sys.exit(1)
+            self.docker_command = None
 
+        if self.docker_command is None:
+            print("warning: running clang-format directly, which isn't guaranteed to be correct")
+            command = [cwd + "/automation/clang-format/run_clang_format.sh"] + files
+            repr(command)
+            subprocess.call(command)
+            return
+
+        files = [os.path.join('/home/worker/nss', x) for x in files]
         docker_image = 'clang-format-service:latest'
         cf_docker_folder = cwd + "/automation/clang-format"
 
         # Build the image if necessary.
         if self.filesChanged(cf_docker_folder):
             self.buildImage(docker_image, cf_docker_folder)
 
         # Check if we have the docker image.
@@ -108,21 +113,27 @@ class cfAction(argparse.Action):
 
     def buildImage(self, docker_image, cf_docker_folder):
         command = self.docker_command + [
             "build", "-t", docker_image, cf_docker_folder
         ]
         subprocess.check_call(command)
         return
 
-    def setDockerCommand(self):
+    def setDockerCommand(self, args):
+        from distutils.spawn import find_executable
         if platform.system() == "Linux":
-            from distutils.spawn import find_executable
-            self.restorecon = find_executable('restorecon')
-            self.docker_command = ["sudo"] + self.docker_command
+            self.restorecon = find_executable("restorecon")
+        dcmd = find_executable("docker")
+        if dcmd is not None:
+            self.docker_command = [dcmd]
+            if not args.noroot:
+                self.docker_command = ["sudo"] + self.docker_command
+        else:
+            self.docker_command = None
 
     def modifiedFiles(self):
         files = []
         if os.path.exists(os.path.join(cwd, '.hg')):
             st = subprocess.Popen(['hg', 'status', '-m', '-a'],
                                   cwd=cwd, stdout=subprocess.PIPE, universal_newlines=True)
             for line in iter(st.stdout.readline, ''):
                 files += [line[2:].rstrip()]
--- a/security/nss/nss.gyp
+++ b/security/nss/nss.gyp
@@ -101,16 +101,23 @@
           'type': 'none',
           'dependencies': [
             'cmd/certutil/certutil.gyp:certutil',
             'cmd/modutil/modutil.gyp:modutil',
             'cmd/pk12util/pk12util.gyp:pk12util',
             'cmd/shlibsign/shlibsign.gyp:shlibsign',
           ],
           'conditions': [
+            [ 'comm_client==1', {
+              'dependencies': [
+                'cmd/smimetools/smimetools.gyp:cmsutil',
+              ],
+            }],
+          ],
+          'conditions': [
             [ 'mozilla_client==0', {
               'dependencies': [
                 'cmd/crlutil/crlutil.gyp:crlutil',
                 'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt',
                 'cmd/signtool/signtool.gyp:signtool',
                 'cmd/signver/signver.gyp:signver',
                 'cmd/smimetools/smimetools.gyp:cmsutil',
                 'cmd/ssltap/ssltap.gyp:ssltap',