Bug 1602020 - land NSS c46bc59ce7d4 UPGRADE_NSS_RELEASE, r=kjacobs

2019-12-06  Daiki Ueno  <dueno@redhat.com>

	* lib/pki/pki3hack.c:
	Bug 1593167, certdb: propagate trust information if trust module is
	loaded afterwards, r=rrelyea,keeler

	Summary: When the builtin trust module is loaded after some temp
	certs being created, these temp certs are usually not accompanied by
	trust information. This causes a problem in Firefox as it loads the
	module from a separate thread while accessing the network cache
	which populates temp certs.

	This change makes it properly roll up the trust information, if a
	temp cert doesn't have trust information.

	Reviewers: rrelyea, keeler

	Reviewed By: rrelyea, keeler

	Subscribers: reviewbot, heftig

	Bug #: 1593167

	[c46bc59ce7d4] [tip]

2019-11-08  Martin Thomson  <mt@lowentropy.net>

	* lib/ssl/tls13subcerts.c:
	Bug 1594965 - Include saltLength in DC SPKI, r=kjacobs

	Summary: I discovered this when validating new additions to our root
	store policy. The encodings there didn't line up with what we were
	producing with DC.

	[661058254ade]

2019-12-04  J.C. Jones  <jjones@mozilla.com>

	* automation/release/nss-release-helper.py:
	Bug 1535787 - Further improvements to the release-helper API r=mt

	[7baba392bf8b]

	* automation/release/nss-release-helper.py:
	Bug 1535787 - flake8 style updates to nss-release-helper.py
	r=kjacobs

	Depends on D23757

	[b31e68a789fa]

	* automation/release/nss-release-helper.py:
	Bug 1535787 - Use Python for the regexes in nss-release-helper
	r=keeler,kjacobs

	automation/release/nss-release-helper.py doesn't actually edit the
	files correctly on MacOS due to differences between GNU and BSD sed.
	It's python, so let's just use python regexes.

	[92271739e848]

2019-12-04  Franziskus Kiefer  <franziskuskiefer@gmail.com>

	* automation/taskcluster/graph/src/extend.js,
	automation/taskcluster/graph/src/queue.js,
	automation/taskcluster/scripts/check_abi.sh, build.sh,
	coreconf/config.gypi, help.txt, lib/freebl/freebl_base.gypi, mach,
	tests/all.sh, tests/common/init.sh, tests/remote/Makefile:
	Bug 1594933 - disable libnssdbm by default; keep build on CI, r=jcj

	Disable libnssdbm by default and add flag to enable it in builds. On
	CI a build and certs test with enabled legacy DB are added.

	Note that for some reason the coverage build fails. I have no idea
	why. I'm open for ideas.

	[c1fad130dce2]

2019-12-03  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/Makefile, lib/freebl/freebl.gyp, lib/freebl/gcm-
	arm32-neon.c, lib/freebl/gcm.c:
	Bug 1562548 - Improve GCM performance on aarch32 using NEON.
	r=kjacobs

	Optimize GCM performance using
	https://conradoplg.cryptoland.net/files/2010/12/gcm14.pdf via ARM's
	NEON.

	[a9ba652046e6]

2019-12-03  J.C. Jones  <jjones@mozilla.com>

	* automation/abi-check/expected-report-libssl3.so.txt, automation/abi-
	check/previous-nss-release, lib/nss/nss.h, lib/softoken/softkver.h,
	lib/util/nssutil.h:
	Set version numbers to 3.49 beta
	[3051793c68fc]

2019-12-02  J.C. Jones  <jjones@mozilla.com>

	* .hgtags:
	Added tag NSS_3_48_BETA1 for changeset 77976f3fefca
	[06d5b4f91a9c]

Differential Revision: https://phabricator.services.mozilla.com/D56378

--HG--
extra : moz-landing-system : lando
J.C. Jones 2019-12-16 20:53:59 +00:00
parent cddff0f0b1
commit 5615541267
26 changed files with 513 additions and 131 deletions

View file

@ -1508,7 +1508,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
AM_PATH_NSS(3.48, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
AM_PATH_NSS(3.49, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
fi
NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"

View file

@ -1 +1 @@
NSS_3_48_RTM
c46bc59ce7d4

View file

@ -1,13 +0,0 @@
1 function with some indirect sub-type change:
[C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:113:1 has some indirect sub-type changes:
parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:424:1:
underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:373:1 changed:
type size changed from 192 to 288 (in bits)
3 data member insertions:
'PRBool SSLPreliminaryChannelInfoStr::peerDelegCred', at offset 192 (in bits) at sslt.h:418:1
'PRUint32 SSLPreliminaryChannelInfoStr::authKeyBits', at offset 224 (in bits) at sslt.h:419:1
'SSLSignatureScheme SSLPreliminaryChannelInfoStr::signatureScheme', at offset 256 (in bits) at sslt.h:420:1

View file

@ -1 +1 @@
NSS_3_47_BRANCH
NSS_3_48_BRANCH

View file

@ -5,9 +5,9 @@
import os
import sys
import datetime
import shutil
import glob
import re
import tempfile
from optparse import OptionParser
from subprocess import check_call
from subprocess import check_output
@ -32,136 +32,203 @@ abi_report_files = ['automation/abi-check/expected-report-libfreebl3.so.txt',
'automation/abi-check/expected-report-libsoftokn3.so.txt',
'automation/abi-check/expected-report-libssl3.so.txt']
def check_call_noisy(cmd, *args, **kwargs):
print "Executing command:", cmd
print("Executing command: {}".format(cmd))
check_call(cmd, *args, **kwargs)
o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | print_root_ca_version | set_root_ca_version | set_version_to_minor_release | set_version_to_patch_release | set_release_candidate_number | set_4_digit_release_number | create_nss_release_archive")
try:
options, args = o.parse_args()
action = args[0]
except IndexError:
o.print_help()
sys.exit(2)
def exit_with_failure(what):
print "failure: ", what
print("failure: {}".format(what))
sys.exit(2)
def check_files_exist():
if (not os.path.exists(nssutil_h) or not os.path.exists(softkver_h)
or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)):
or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)):
exit_with_failure("cannot find expected header files, must run from inside NSS hg directory")
def sed_inplace(sed_expression, filename):
backup_file = filename + '.tmp'
check_call_noisy(["sed", "-i.tmp", sed_expression, filename])
os.remove(backup_file)
class Replacement():
def __init__(self, regex="", repl=""):
self.regex = regex
self.repl = repl
self.matcher = re.compile(self.regex)
def replace(self, line):
return self.matcher.sub(self.repl, line)
def inplace_replace(replacements=[], filename=""):
for r in replacements:
if not isinstance(r, Replacement):
raise TypeError("Expecting a list of Replacement objects")
with tempfile.NamedTemporaryFile(mode="w", delete=False) as tmp_file:
with open(filename) as in_file:
for line in in_file:
for r in replacements:
line = r.replace(line)
tmp_file.write(line)
shutil.copystat(filename, tmp_file.name)
shutil.move(tmp_file.name, filename)
def toggle_beta_status(is_beta):
check_files_exist()
if (is_beta):
print "adding Beta status to version numbers"
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', nssutil_h)
sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *$/\\1 \" Beta"/', softkver_h)
sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_FALSE *$/\\1PR_TRUE/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *$/\\1 \" Beta"/', nss_h)
sed_inplace('s/^\(#define *NSS_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nss_h)
print("adding Beta status to version numbers")
inplace_replace(filename=nssutil_h, replacements=[
Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+)\" *$',
repl=r'\g<1> Beta"'),
Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_FALSE *$',
repl=r'\g<1>PR_TRUE')])
inplace_replace(filename=softkver_h, replacements=[
Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *$',
repl=r'\g<1> " Beta"'),
Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_FALSE *$',
repl=r'\g<1>PR_TRUE')])
inplace_replace(filename=nss_h, replacements=[
Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *$',
repl=r'\g<1> " Beta"'),
Replacement(regex=r'^(#define *NSS_BETA *)PR_FALSE *$',
repl=r'\g<1>PR_TRUE')])
else:
print "removing Beta status from version numbers"
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', nssutil_h)
sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *\" *Beta\" *$/\\1/', softkver_h)
sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_TRUE *$/\\1PR_FALSE/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *\" *Beta\" *$/\\1/', nss_h)
sed_inplace('s/^\(#define *NSS_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nss_h)
print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly"
print("removing Beta status from version numbers")
inplace_replace(filename=nssutil_h, replacements=[
Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+) *Beta\" *$',
repl=r'\g<1>"'),
Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_TRUE *$',
repl=r'\g<1>PR_FALSE')])
inplace_replace(filename=softkver_h, replacements=[
Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *\" *Beta\" *$',
repl=r'\g<1>'),
Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_TRUE *$',
repl=r'\g<1>PR_FALSE')])
inplace_replace(filename=nss_h, replacements=[
Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *\" *Beta\" *$',
repl=r'\g<1>'),
Replacement(regex=r'^(#define *NSS_BETA *)PR_TRUE *$',
repl=r'\g<1>PR_FALSE')])
print("please run 'hg stat' and 'hg diff' to verify the files have been verified correctly")
def print_beta_versions():
check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define *NSSUTIL_BETA", nssutil_h])
check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define *SOFTOKEN_BETA", softkver_h])
check_call_noisy(["egrep", "#define *NSS_VERSION|#define *NSS_BETA", nss_h])
def remove_beta_status():
print "--- removing beta flags. Existing versions were:"
print("--- removing beta flags. Existing versions were:")
print_beta_versions()
toggle_beta_status(False)
print "--- finished modifications, new versions are:"
print("--- finished modifications, new versions are:")
print_beta_versions()
def set_beta_status():
print "--- adding beta flags. Existing versions were:"
print("--- adding beta flags. Existing versions were:")
print_beta_versions()
toggle_beta_status(True)
print "--- finished modifications, new versions are:"
print("--- finished modifications, new versions are:")
print_beta_versions()
def print_library_versions():
check_files_exist()
check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define NSSUTIL_VMAJOR|#define *NSSUTIL_VMINOR|#define *NSSUTIL_VPATCH|#define *NSSUTIL_VBUILD|#define *NSSUTIL_BETA", nssutil_h])
check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define SOFTOKEN_VMAJOR|#define *SOFTOKEN_VMINOR|#define *SOFTOKEN_VPATCH|#define *SOFTOKEN_VBUILD|#define *SOFTOKEN_BETA", softkver_h])
check_call_noisy(["egrep", "#define *NSS_VERSION|#define NSS_VMAJOR|#define *NSS_VMINOR|#define *NSS_VPATCH|#define *NSS_VBUILD|#define *NSS_BETA", nss_h])
def print_root_ca_version():
check_files_exist()
check_call_noisy(["grep", "define *NSS_BUILTINS_LIBRARY_VERSION", nssckbi_h])
def ensure_arguments_after_action(how_many, usage):
if (len(sys.argv) != (2+how_many)):
if (len(sys.argv) != (2 + how_many)):
exit_with_failure("incorrect number of arguments, expected parameters are:\n" + usage)
def set_major_versions(major):
sed_inplace('s/^\(#define *NSSUTIL_VMAJOR *\).*$/\\1' + major + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VMAJOR *\).*$/\\1' + major + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VMAJOR *\).*$/\\1' + major + '/', nss_h)
for name, file in [["NSSUTIL_VMAJOR", nssutil_h],
["SOFTOKEN_VMAJOR", softkver_h],
["NSS_VMAJOR", nss_h]]:
inplace_replace(filename=file, replacements=[
Replacement(regex=r'^(#define *{} ?).*$'.format(name),
repl=r'\g<1>{}'.format(major))])
def set_minor_versions(minor):
sed_inplace('s/^\(#define *NSSUTIL_VMINOR *\).*$/\\1' + minor + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VMINOR *\).*$/\\1' + minor + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VMINOR *\).*$/\\1' + minor + '/', nss_h)
for name, file in [["NSSUTIL_VMINOR", nssutil_h],
["SOFTOKEN_VMINOR", softkver_h],
["NSS_VMINOR", nss_h]]:
inplace_replace(filename=file, replacements=[
Replacement(regex=r'^(#define *{} ?).*$'.format(name),
repl=r'\g<1>{}'.format(minor))])
def set_patch_versions(patch):
sed_inplace('s/^\(#define *NSSUTIL_VPATCH *\).*$/\\1' + patch + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VPATCH *\).*$/\\1' + patch + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VPATCH *\).*$/\\1' + patch + '/', nss_h)
for name, file in [["NSSUTIL_VPATCH", nssutil_h],
["SOFTOKEN_VPATCH", softkver_h],
["NSS_VPATCH", nss_h]]:
inplace_replace(filename=file, replacements=[
Replacement(regex=r'^(#define *{} ?).*$'.format(name),
repl=r'\g<1>{}'.format(patch))])
def set_build_versions(build):
sed_inplace('s/^\(#define *NSSUTIL_VBUILD *\).*$/\\1' + build + '/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VBUILD *\).*$/\\1' + build + '/', softkver_h)
sed_inplace('s/^\(#define *NSS_VBUILD *\).*$/\\1' + build + '/', nss_h)
for name, file in [["NSSUTIL_VBUILD", nssutil_h],
["SOFTOKEN_VBUILD", softkver_h],
["NSS_VBUILD", nss_h]]:
inplace_replace(filename=file, replacements=[
Replacement(regex=r'^(#define *{} ?).*$'.format(name),
repl=r'\g<1>{}'.format(build))])
def set_full_lib_versions(version):
sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nssutil_h)
sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', softkver_h)
sed_inplace('s/^\(#define *NSS_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nss_h)
for name, file in [["NSSUTIL_VERSION", nssutil_h],
["SOFTOKEN_VERSION", softkver_h],
["NSS_VERSION", nss_h]]:
inplace_replace(filename=file, replacements=[
Replacement(regex=r'^(#define *{} *\")([0-9.]+)(.*)$'.format(name),
repl=r'\g<1>{}\g<3>'.format(version))])
def set_root_ca_version():
ensure_arguments_after_action(2, "major_version minor_version")
major = args[1].strip()
minor = args[2].strip()
version = major + '.' + minor
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION *\"\).*$/\\1' + version + '/', nssckbi_h)
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR *\).*$/\\1' + major + '/', nssckbi_h)
sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h)
inplace_replace(filename=nssckbi_h, replacements=[
Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION *\").*$',
repl=r'\g<1>{}"'.format(version)),
Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR ?).*$',
repl=r'\g<1>{}'.format(major)),
Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR ?).*$',
repl=r'\g<1>{}'.format(minor))])
def set_all_lib_versions(version, major, minor, patch, build):
grep_major = check_output(['grep', 'define.*NSS_VMAJOR', nss_h])
grep_minor = check_output(['grep', 'define.*NSS_VMINOR', nss_h])
old_major = int(grep_major.split()[2]);
old_minor = int(grep_minor.split()[2]);
old_major = int(grep_major.split()[2])
old_minor = int(grep_minor.split()[2])
new_major = int(major)
new_minor = int(minor)
if (old_major < new_major or (old_major == new_major and old_minor < new_minor)):
print "You're increasing the minor (or major) version:"
print "- erasing ABI comparison expectations"
print("You're increasing the minor (or major) version:")
print("- erasing ABI comparison expectations")
new_branch = "NSS_" + str(old_major) + "_" + str(old_minor) + "_BRANCH"
print "- setting reference branch to the branch of the previous version: " + new_branch
print("- setting reference branch to the branch of the previous version: " + new_branch)
with open(abi_base_version_file, "w") as abi_base:
abi_base.write("%s\n" % new_branch)
for report_file in abi_report_files:
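
Review bot: inplace_replace() has no way to tell whether any Replacement matched, so a header whose #define layout drifts from the regex is written back unchanged and the script carries on without an error; that is the same silent failure the sed version had on macOS. Consider having Replacement.replace() use re.subn and making inplace_replace() fail when a pattern matched no line, rather than relying on the "please run 'hg stat' and 'hg diff'" reminder. Separately, NamedTemporaryFile(delete=False) is created in the default temp directory and is left behind if a write raises; creating it next to the target (dir=os.path.dirname(filename)) and removing it on error keeps the swap on one filesystem.
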
@ -174,6 +241,7 @@ def set_all_lib_versions(version, major, minor, patch, build):
set_patch_versions(patch)
set_build_versions(build)
def set_version_to_minor_release():
ensure_arguments_after_action(2, "major_version minor_version")
major = args[1].strip()
@ -183,6 +251,7 @@ def set_version_to_minor_release():
build = "0"
set_all_lib_versions(version, major, minor, patch, build)
def set_version_to_patch_release():
ensure_arguments_after_action(3, "major_version minor_version patch_release")
major = args[1].strip()
@ -192,11 +261,13 @@ def set_version_to_patch_release():
build = "0"
set_all_lib_versions(version, major, minor, patch, build)
def set_release_candidate_number():
ensure_arguments_after_action(1, "release_candidate_number")
build = args[1].strip()
set_build_versions(build)
def set_4_digit_release_number():
ensure_arguments_after_action(4, "major_version minor_version patch_release 4th_digit_release_number")
major = args[1].strip()
@ -206,21 +277,22 @@ def set_4_digit_release_number():
version = major + '.' + minor + '.' + patch + '.' + build
set_all_lib_versions(version, major, minor, patch, build)
def create_nss_release_archive():
ensure_arguments_after_action(3, "nss_release_version nss_hg_release_tag path_to_stage_directory")
nssrel = args[1].strip() #e.g. 3.19.3
nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM
stagedir = args[3].strip() #e.g. ../stage
nssrel = args[1].strip() # e.g. 3.19.3
nssreltag = args[2].strip() # e.g. NSS_3_19_3_RTM
stagedir = args[3].strip() # e.g. ../stage
with open('automation/release/nspr-version.txt') as nspr_version_file:
nsprrel = next(nspr_version_file).strip()
nspr_tar = "nspr-" + nsprrel + ".tar.gz"
nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar
nsprtar_with_path = stagedir + "/v" + nsprrel + "/src/" + nspr_tar
if (not os.path.exists(nsprtar_with_path)):
exit_with_failure("cannot find nspr archive at expected location " + nsprtar_with_path)
nss_stagedir= stagedir + "/" + nssreltag + "/src"
nss_stagedir = stagedir + "/" + nssreltag + "/src"
if (os.path.exists(nss_stagedir)):
exit_with_failure("nss stage directory already exists: " + nss_stagedir)
@ -230,7 +302,7 @@ def create_nss_release_archive():
check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss",
stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"])
check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path])
print "changing to directory " + nss_stagedir
print("changing to directory " + nss_stagedir)
os.chdir(nss_stagedir)
check_call_noisy(["tar", "-xz", "-f", nss_tar])
check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"])
@ -241,9 +313,23 @@ def create_nss_release_archive():
check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel])
check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True)
check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True)
print "created directory " + nss_stagedir + " with files:"
print("created directory " + nss_stagedir + " with files:")
check_call_noisy(["ls", "-l"])
o = OptionParser(usage="client.py [options] " + " | ".join([
"remove_beta", "set_beta", "print_library_versions", "print_root_ca_version",
"set_root_ca_version", "set_version_to_minor_release",
"set_version_to_patch_release", "set_release_candidate_number",
"set_4_digit_release_number", "create_nss_release_archive"]))
try:
options, args = o.parse_args()
action = args[0]
except IndexError:
o.print_help()
sys.exit(2)
if action in ('remove_beta'):
remove_beta_status()
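
Review bot: in "if action in ('remove_beta'):" the parentheses do not make a tuple, so this is a substring test against the string 'remove_beta' and an action such as "beta" or "remove" is accepted as remove_beta. Use action == 'remove_beta', or add the trailing comma if a tuple was intended. While this part of the file is being touched, the two check_call(..., shell=True) lines that build the sha1sum and sha256sum commands by string concatenation would be safer as argument lists with stdout redirected to an opened SHA1SUMS / SHA256SUMS file, so file names derived from the command-line arguments never pass through a shell.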

View file

@ -110,6 +110,11 @@ queue.filter(task => {
return false;
}
// Don't run DBM builds on aarch64.
if (task.group == "DBM" && task.platform == "aarch64") {
return false;
}
return true;
});
@ -500,7 +505,7 @@ async function scheduleLinux(name, overrides, args = "") {
}
// The task that generates certificates.
let task_cert = queue.scheduleTask(merge(build_base, {
let cert_base = merge(build_base, {
name: "Certificates",
command: [
"/bin/bash",
@ -509,7 +514,8 @@ async function scheduleLinux(name, overrides, args = "") {
],
parent: task_build,
symbol: "Certs"
}));
});
let task_cert = queue.scheduleTask(cert_base);
// Schedule tests.
scheduleTests(task_build, task_cert, merge(base, {
@ -592,6 +598,25 @@ async function scheduleLinux(name, overrides, args = "") {
symbol: "modular"
}));
if (base.collection != "make") {
let task_build_dbm = queue.scheduleTask(merge(extra_base, {
name: `${name} w/ legacy-db`,
command: [
"/bin/bash",
"-c",
checkout_and_gyp + "--enable-legacy-db"
],
symbol: "B",
group: "DBM",
}));
let task_cert_dbm = queue.scheduleTask(merge(cert_base, {
parent: task_build_dbm,
group: "DBM",
symbol: "Certs"
}));
}
return queue.submit();
}
@ -830,11 +855,11 @@ async function scheduleWindows(name, base, build_script) {
workerType: "win2012r2",
env: {
PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" +
"c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
"c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
"c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
"c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
"c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" +
"c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" +
"c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" +
"c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" +
"c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget",
DOMSUF: "localdomain",
HOST: "localhost",
},
@ -1039,12 +1064,6 @@ function scheduleTests(task_build, task_cert, test_base) {
queue.scheduleTask(merge(ssl_base, {
name: "SSL tests (pkix)", symbol: "pkix", cycle: "pkix"
}));
queue.scheduleTask(merge(ssl_base, {
name: "SSL tests (sharedb)", symbol: "sharedb", cycle: "sharedb"
}));
queue.scheduleTask(merge(ssl_base, {
name: "SSL tests (upgradedb)", symbol: "upgradedb", cycle: "upgradedb"
}));
queue.scheduleTask(merge(ssl_base, {
name: "SSL tests (stress)", symbol: "stress", cycle: "sharedb",
env: {NSS_SSL_RUN: "stress"}
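
Review bot: dropping the "SSL tests (upgradedb)" task here removes the only visible CI cycle named for the database upgrade path, and the new DBM group in scheduleLinux schedules just a build and a Certs task. If upgradedb still matters for builds made with --enable-legacy-db, schedule that cycle against task_build_dbm and task_cert_dbm; otherwise record in the commit message that the cycle is retired. The stress task kept at the end of this hunk still passes cycle: "sharedb", which deserves a short comment now that the plain sharedb task is gone.
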
@ -1211,7 +1230,15 @@ async function scheduleTools() {
symbol: "Coverage",
name: "Coverage",
image: FUZZ_IMAGE,
type: "other",
features: ["allowPtrace"],
artifacts: {
public: {
expires: 24 * 7,
type: "directory",
path: "/home/worker/artifacts"
}
},
command: [
"/bin/bash",
"-c",

View file

@ -220,6 +220,9 @@ export async function submit() {
maps.forEach(map => { task = map(merge({}, task)) });
let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`;
if (task.group) {
log_id = `${task.group}::${log_id}`;
}
console.log(`+ Submitting ${log_id}.`);
// Index that task for each tag specified

View file

@ -97,7 +97,8 @@ abi_diff()
rm -f ${ABI_REPORT}
PREVDIST=${HGDIR}/baseline/dist
NEWDIST=${HGDIR}/dist
ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
# libnssdbm3.so isn't built by default anymore, skip it.
ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
for SO in ${ALL_SOs}; do
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
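
Review bot: removing libnssdbm3.so from ALL_SOs means its ABI is no longer compared at all, although the library can still be built with --enable-legacy-db and this same change adds a DBM build to CI. Consider keeping the comparison for libnssdbm3.so when the library is present in both the baseline and the new dist tree, so an ABI change in the legacy DB module is still reported to those who ship it. The added comment could also name the option that brings the library back.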

View file

@ -113,8 +113,8 @@ while [ $# -gt 0 ]; do
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
--sancov) enable_sancov ;;
--sancov=?*) enable_sancov "${1#*=}" ;;
--sancov) enable_sancov; gyp_params+=(-Dcoverage=1) ;;
--sancov=?*) enable_sancov "${1#*=}"; gyp_params+=(-Dcoverage=1) ;;
--emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;
--no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
--static) gyp_params+=(-Dstatic_libs=1) ;;
@ -130,6 +130,7 @@ while [ $# -gt 0 ]; do
--enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
--mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;;
--disable-keylog) sslkeylogfile=0 ;;
--enable-legacy-db) gyp_params+=(-Ddisable_dbm=0) ;;
-D*) gyp_params+=("$1") ;;
*) show_help; exit 2 ;;
esac

View file

@ -99,7 +99,7 @@
'disable_arm_hw_aes%': 0,
'disable_tests%': 0,
'disable_chachapoly%': 0,
'disable_dbm%': 0,
'disable_dbm%': 1,
'disable_libpkix%': 1,
'disable_werror%': 0,
'mozilla_client%': 0,
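
Review bot: 'disable_dbm%': 1 changes the output of every gyp build that does not pass -Ddisable_dbm=0, and nothing next to the variable says so. A one-line comment here pointing at build.sh --enable-legacy-db would let downstream packagers see why libnssdbm is missing from their build without reading help.txt.
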
@ -124,6 +124,7 @@
'only_dev_random%': 1,
'disable_fips%': 1,
'mozpkix_only%': 0,
'coverage%': 0,
},
'target_defaults': {
# Settings specific to targets should go here.

View file

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

View file

@ -7,7 +7,7 @@ Usage: build.sh [-h] [-c|-cc] [-v] [-j <n>] [--gyp|-g] [--opt|-o]
[--nspr|--with-nspr=<include>:<lib>|--system-nspr]
[--system-sqlite] [--enable-fips] [--enable-libpkix]
[--mozpkix-only] [-D<gyp-option>]
[--rebuild]
[--rebuild] [--enable-legacy-db]
This script builds NSS with gyp and ninja.
@ -53,6 +53,7 @@ NSS build tool options:
--system-sqlite use system sqlite
--enable-fips enable FIPS checks
--enable-libpkix make libpkix part of the build
--enable-legacy-db enable the legacy db (libnssdbm)
--mozpkix-only build only static mozpkix and mozpkix-test libraries
support for this build option is limited
--disable-keylog disable support for logging key data to a file specified

View file

@ -124,6 +124,7 @@ ifeq ($(CPU_ARCH),aarch64)
EXTRA_SRCS += aes-armv8.c gcm-aarch64.c
endif
ifeq ($(CPU_ARCH),arm)
EXTRA_SRCS += gcm-arm32-neon.c
ifdef CC_IS_CLANG
DEFINES += -DUSE_HW_AES
EXTRA_SRCS += aes-armv8.c
@ -781,6 +782,7 @@ endif
ifeq ($(CPU_ARCH),arm)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8
$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon
endif
ifeq ($(CPU_ARCH),aarch64)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto

View file

@ -116,6 +116,22 @@
}]
]
},
{
'target_name': 'gcm-aes-arm32-neon_c_lib',
'type': 'static_library',
'sources': [
'gcm-arm32-neon.c'
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports'
],
'cflags': [
'-mfpu=neon'
],
'cflags_mozilla': [
'-mfpu=neon'
]
},
{
'target_name': 'gcm-aes-aarch64_c_lib',
'type': 'static_library',
@ -212,6 +228,11 @@
'armv8_c_lib'
],
}],
[ 'target_arch=="arm"', {
'dependencies': [
'gcm-aes-arm32-neon_c_lib',
],
}],
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
'dependencies': [
'gcm-aes-aarch64_c_lib',
@ -263,6 +284,11 @@
'armv8_c_lib',
],
}],
[ 'target_arch=="arm"', {
'dependencies': [
'gcm-aes-arm32-neon_c_lib',
],
}],
[ 'target_arch=="arm64" or target_arch=="aarch64"', {
'dependencies': [
'gcm-aes-aarch64_c_lib',

View file

@ -73,7 +73,7 @@
'mpi/mp_comba.c',
],
'conditions': [
[ 'cc_is_clang==1 and fuzz!=1', {
[ 'cc_is_clang==1 and fuzz!=1 and coverage!=1', {
'cflags': [
'-no-integrated-as',
],
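
Review bot: the added "coverage!=1" term in the condition that sets -no-integrated-as has no explanation, and the commit message for Bug 1594933 says the coverage build fails for an unknown reason. Add a comment above the condition stating what breaks when the coverage build uses -no-integrated-as (or that the cause is still unknown, with the bug number), so the exclusion is not removed or copied blindly later.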

View file

@ -0,0 +1,202 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include "blapii.h"
#include "blapit.h"
#include "gcm.h"
#include "secerr.h"
#include "prtypes.h"
#if defined(__ARM_NEON__) || defined(__ARM_NEON)
#include <arm_neon.h>
SECStatus
gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf)
{
vst1_u8(outbuf, vrev64_u8(vcreate_u8(ghash->x_high)));
vst1_u8(outbuf + 8, vrev64_u8(vcreate_u8(ghash->x_low)));
return SECSuccess;
}
/* Carry-less multiplication. a * b = ret. */
static inline uint8x16_t
clmul(const uint8x8_t a, const uint8x8_t b)
{
uint8x16_t d, e, f, g, h, i, j, k, l, m, n;
uint8x8_t t_high, t_low;
uint8x16_t t0, t1, t2, t3;
const uint8x8_t k16 = vcreate_u8(0xffff);
const uint8x8_t k32 = vcreate_u8(0xffffffff);
const uint8x8_t k48 = vcreate_u8(0xffffffffffff);
// D = A * B
d = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(a),
vreinterpret_p8_u8(b)));
// E = A * B1
e = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(a),
vreinterpret_p8_u8(vext_u8(b, b, 1))));
// F = A1 * B
f = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(vext_u8(a, a, 1)),
vreinterpret_p8_u8(b)));
// G = A * B2
g = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(a),
vreinterpret_p8_u8(vext_u8(b, b, 2))));
// H = A2 * B
h = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(vext_u8(a, a, 2)),
vreinterpret_p8_u8(b)));
// I = A * B3
i = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(a),
vreinterpret_p8_u8(vext_u8(b, b, 3))));
// J = A3 * B
j = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(vext_u8(a, a, 3)),
vreinterpret_p8_u8(b)));
// K = A * B4
k = vreinterpretq_u8_p16(vmull_p8(vreinterpret_p8_u8(a),
vreinterpret_p8_u8(vext_u8(b, b, 4))));
// L = E + F
l = veorq_u8(e, f);
// M = G + H
m = veorq_u8(g, h);
// N = I + J
n = veorq_u8(i, j);
// t0 = (L) (P0 + P1) << 8
t_high = vget_high_u8(l);
t_low = vget_low_u8(l);
t_low = veor_u8(t_low, t_high);
t_high = vand_u8(t_high, k48);
t_low = veor_u8(t_low, t_high);
t0 = vcombine_u8(t_low, t_high);
t0 = vextq_u8(t0, t0, 15);
// t1 = (M) (P2 + P3) << 16
t_high = vget_high_u8(m);
t_low = vget_low_u8(m);
t_low = veor_u8(t_low, t_high);
t_high = vand_u8(t_high, k32);
t_low = veor_u8(t_low, t_high);
t1 = vcombine_u8(t_low, t_high);
t1 = vextq_u8(t1, t1, 14);
// t2 = (N) (P4 + P5) << 24
t_high = vget_high_u8(n);
t_low = vget_low_u8(n);
t_low = veor_u8(t_low, t_high);
t_high = vand_u8(t_high, k16);
t_low = veor_u8(t_low, t_high);
t2 = vcombine_u8(t_low, t_high);
t2 = vextq_u8(t2, t2, 13);
// t3 = (K) (P6 + P7) << 32
t_high = vget_high_u8(k);
t_low = vget_low_u8(k);
t_low = veor_u8(t_low, t_high);
t_high = vdup_n_u8(0);
t3 = vcombine_u8(t_low, t_high);
t3 = vextq_u8(t3, t3, 12);
t0 = veorq_u8(t0, t1);
t2 = veorq_u8(t2, t3);
return veorq_u8(veorq_u8(d, t0), t2);
}
SECStatus
gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf,
unsigned int count)
{
const uint8x8_t h_low = vcreate_u8(ghash->h_low);
const uint8x8_t h_high = vcreate_u8(ghash->h_high);
uint8x16_t ci;
uint8x8_t ci_low;
uint8x8_t ci_high;
uint8x16_t z0, z2, z1a;
uint8x16_t z_high, z_low;
uint8x16_t t;
int64x2_t t1, t2, t3;
uint64x2_t z_low_l, z_low_r, z_high_l, z_high_r;
size_t i;
ci = vcombine_u8(vcreate_u8(ghash->x_low), vcreate_u8(ghash->x_high));
for (i = 0; i < count; i++, buf += 16) {
ci = veorq_u8(ci, vcombine_u8(vrev64_u8(vld1_u8(buf + 8)),
vrev64_u8(vld1_u8(buf))));
ci_high = vget_high_u8(ci);
ci_low = vget_low_u8(ci);
/* Do binary mult ghash->X = C * ghash->H (Karatsuba). */
z0 = clmul(ci_low, h_low);
z2 = clmul(ci_high, h_high);
z1a = clmul(veor_u8(ci_high, ci_low), veor_u8(h_high, h_low));
z1a = veorq_u8(z0, z1a);
z1a = veorq_u8(z2, z1a);
z_high = vcombine_u8(veor_u8(vget_low_u8(z2), vget_high_u8(z1a)),
vget_high_u8(z2));
z_low = vcombine_u8(vget_low_u8(z0),
veor_u8(vget_high_u8(z0), vget_low_u8(z1a)));
/* Shift one (multiply by x) as gcm spec is stupid. */
z_low_l = vshlq_n_u64(vreinterpretq_u64_u8(z_low), 1);
z_low_r = vshrq_n_u64(vreinterpretq_u64_u8(z_low), 63);
z_high_l = vshlq_n_u64(vreinterpretq_u64_u8(z_high), 1);
z_high_r = vshrq_n_u64(vreinterpretq_u64_u8(z_high), 63);
z_low = vreinterpretq_u8_u64(
vcombine_u64(vget_low_u64(z_low_l),
vorr_u64(vget_high_u64(z_low_l),
vget_low_u64(z_low_r))));
z_high = vreinterpretq_u8_u64(
vcombine_u64(vorr_u64(vget_low_u64(z_high_l),
vget_high_u64(z_low_r)),
vorr_u64(vget_high_u64(z_high_l),
vget_low_u64(z_high_r))));
/* Reduce */
t1 = vshlq_n_s64(vreinterpretq_s64_u8(z_low), 57);
t2 = vshlq_n_s64(vreinterpretq_s64_u8(z_low), 62);
t3 = vshlq_n_s64(vreinterpretq_s64_u8(z_low), 63);
t = vreinterpretq_u8_s64(veorq_s64(t1, veorq_s64(t2, t3)));
z_low = vcombine_u8(vget_low_u8(z_low),
veor_u8(vget_high_u8(z_low), vget_low_u8(t)));
z_high = vcombine_u8(veor_u8(vget_low_u8(z_high), vget_high_u8(t)),
vget_high_u8(z_high));
t = vreinterpretq_u8_u64(vshrq_n_u64(vreinterpretq_u64_u8(z_low), 1));
z_high = veorq_u8(z_high, z_low);
z_low = veorq_u8(z_low, t);
t = vreinterpretq_u8_u64(vshrq_n_u64(vreinterpretq_u64_u8(t), 6));
z_low = vreinterpretq_u8_u64(
vshrq_n_u64(vreinterpretq_u64_u8(z_low), 1));
z_low = veorq_u8(z_low, z_high);
ci = veorq_u8(z_low, t);
}
vst1_u8((uint8_t *)&ghash->x_high, vget_high_u8(ci));
vst1_u8((uint8_t *)&ghash->x_low, vget_low_u8(ci));
return SECSuccess;
}
SECStatus
gcm_HashInit_hw(gcmHashContext *ghash)
{
ghash->ghash_mul = gcm_HashMult_hw;
ghash->x_low = 0;
ghash->x_high = 0;
ghash->hw = PR_TRUE;
return SECSuccess;
}
SECStatus
gcm_HashZeroX_hw(gcmHashContext *ghash)
{
ghash->x_low = 0;
ghash->x_high = 0;
return SECSuccess;
}
#endif /* __ARM_NEON__ || __ARM_NEON */
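Review bot: The comment "Shift one (multiply by x) as gcm spec is stupid." in gcm_HashMult_hw does not tell a maintainer why the shift is needed. Please state the reason instead: GHASH uses a bit-reflected representation, so the carry-less product has to be shifted left by one bit before reduction. The loop also reads 16 * count bytes from buf with no length argument, so a short comment on the function saying that count is a number of whole 16-byte blocks and that the caller guarantees the buffer size would make the contract explicit.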

@ -21,6 +21,12 @@
#if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
(defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
#define USE_ARM_GCM
#elif defined(__arm__) && defined(IS_LITTLE_ENDIAN) && \
(defined(__ARM_NEON__) || defined(__ARM_NEON))
/* We don't test on big endian platform, so disable this on big endian.
* Also, we don't check whether compiler support NEON well, so this uses
* that compiler uses -mfpu=neon only. */
#define USE_ARM_GCM
#endif
/* Forward declarations */
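Review bot: The comment in the new `__arm__` branch ("we don't check whether compiler support NEON well, so this uses that compiler uses -mfpu=neon only") is hard to parse. Suggest saying plainly that the 32-bit path is compiled only when the compiler defines `__ARM_NEON__` or `__ARM_NEON`, that is when building with -mfpu=neon, and that unlike the aarch64 branch there is no compiler version check. The big-endian remark applies to both branches, so it would sit better above the whole `#if`.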
@ -93,7 +99,11 @@ gcmHash_InitContext(gcmHashContext *ghash, const unsigned char *H, PRBool sw)
ghash->h_low = get64(H + 8);
ghash->h_high = get64(H);
#ifdef USE_ARM_GCM
#if defined(__aarch64__)
if (arm_pmull_support() && !sw) {
#else
if (arm_neon_support() && !sw) {
#endif
#elif defined(USE_PPC_CRYPTO)
if (ppc_crypto_support() && !sw) {
#else
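Review bot: In gcmHash_InitContext the opening `if (...) {` is now chosen by a nested `#if defined(__aarch64__)` inside `#ifdef USE_ARM_GCM`, so the brace that a single closing `}` must match is opened in one of four preprocessor branches. This is easy to break on the next platform addition. Consider selecting the support check once (one macro or inline helper defined per platform) and writing a single `if (<check> && !sw) {` here.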

@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.48" _NSS_CUSTOMIZED
#define NSS_VERSION "3.49" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 48
#define NSS_VMINOR 49
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED

@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
} else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
!c->object.cryptoContext) {
/* if it's a perm cert, it might have been stored before the
* trust, so look for the trust again. But a temp cert can be
* ignored.
*/
CERTCertTrust *trust = NULL;
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
} else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
CERTCertTrust *trust;
if (!c->object.cryptoContext) {
/* If it's a perm cert, it might have been stored before the
* trust, so look for the trust again.
*/
trust = nssTrust_GetCERTCertTrustForCert(c, cc);
} else {
/* If it's a temp cert, it might have been stored before the
* builtin trust module is loaded, so look for the trust
* again, but don't set the empty trust if it is not found.
*/
NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
if (!t) {
goto loser;
}
trust = cert_trust_from_stan_trust(t, cc->arena);
nssTrust_Destroy(t);
if (!trust) {
goto loser;
}
}
CERT_LockCertTrust(cc);
cc->trust = trust;
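Review bot: In the new temp-cert branch, `if (!t) { goto loser; }` is the expected case for a cert that simply has no trust record, yet it takes the same label as the allocation failure of `cert_trust_from_stan_trust`. The `loser` label is not visible in this hunk, so please confirm that it still returns `cc` rather than an error, and say so in the comment ("don't set the empty trust if it is not found" explains the intent but not the return behaviour). Also note that the `CERT_GetCertTrust` check happens before `CERT_LockCertTrust(cc)`; since the commit message describes the trust module being loaded from a separate thread, it is worth checking that two threads reaching this point together cannot both allocate from `cc->arena` and assign `cc->trust`.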

@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.48" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.49" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 48
#define SOFTOKEN_VMINOR 49
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */

@ -7,6 +7,7 @@
#include "nss.h"
#include "pk11func.h"
#include "secder.h"
#include "sechash.h"
#include "ssl.h"
#include "sslproto.h"
#include "sslimpl.h"
@ -538,6 +539,15 @@ tls13_MakePssSpki(const SECKEYPublicKey *pub, SECOidTag hashOid)
goto loser; /* Code already set. */
}
/* Always include saltLength: all hashes are larger than 20. */
unsigned int saltLength = HASH_ResultLenByOidTag(hashOid);
PORT_Assert(saltLength > 20);
if (!SEC_ASN1EncodeInteger(arena, &params.saltLength, saltLength)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
goto loser;
}
/* Omit the trailerField always. */
SECItem *algorithmItem =
SEC_ASN1EncodeItem(arena, NULL, &params,
SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
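Review bot: `PORT_Assert(saltLength > 20)` in tls13_MakePssSpki only fires in debug builds, so in an optimized build nothing stops an unexpected value from `HASH_ResultLenByOidTag(hashOid)` from being encoded into the SPKI parameters. Since the comment relies on "all hashes are larger than 20" to justify always including saltLength, please back it with a runtime check that sets an error and takes `goto loser` when the length is 20 or less, and keep the assert for debugging.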
@ -752,6 +762,8 @@ SSLExp_DelegateCredential(const CERTCertificate *cert,
goto loser;
}
PRINT_BUF(20, (NULL, "delegated credential", dcBuf.buf, dcBuf.len));
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECKEY_DestroyPrivateKey(tmpPriv);
tls13_DestroyDelegatedCredential(dc);

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.48"
#define NSSUTIL_VERSION "3.49 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 48
#define NSSUTIL_VMINOR 49
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS

@ -444,7 +444,8 @@ class covAction(argparse.Action):
def runSslGtests(self, outdir):
env = {
"GTESTFILTER": "*", # Prevent parallel test runs.
"ASAN_OPTIONS": "coverage=1:coverage_dir=" + outdir
"ASAN_OPTIONS": "coverage=1:coverage_dir=" + outdir,
"NSS_DEFAULT_DB_TYPE": "dbm"
}
run_tests("ssl_gtests", env=env, silent=True)
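Review bot: The new `"NSS_DEFAULT_DB_TYPE": "dbm"` entry in runSslGtests has no comment, while the line above it documents why GTESTFILTER is set. Please add a short note on why the coverage run pins the dbm database, and that it depends on the build being made with `--enable-legacy-db`, so the two settings are not changed independently later.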
@ -463,7 +464,7 @@ class covAction(argparse.Action):
print("\nBuild with coverage sanitizers...\n")
sancov_args = "edge,no-prune,trace-pc-guard,trace-cmp"
subprocess.check_call([
os.path.join(cwd, "build.sh"), "-c", "--clang", "--asan",
os.path.join(cwd, "build.sh"), "-c", "--clang", "--asan", "--enable-legacy-db",
"--sancov=" + sancov_args
])
@ -478,7 +479,8 @@ class covAction(argparse.Action):
symcov_file = os.path.join(outdir, "ssl_gtest.symcov")
out = open(symcov_file, 'wb')
subprocess.check_call([
# Don't exit immediately on error
symbol_retcode = subprocess.call([
"sancov",
"-blacklist=" + os.path.join(cwd, ".sancov-blacklist"),
"-symbolize", sancov_file,
@ -486,8 +488,14 @@ class covAction(argparse.Action):
], stdout=out)
out.close()
print("\nCoverage report: " + symcov_file)
print("\nCopying ssl_gtests to artifacts...")
shutil.copyfile(os.path.join(cwd, "../dist/Debug/bin/ssl_gtest"),
os.path.join(outdir, "ssl_gtest"))
print("\nCoverage report: " + symcov_file)
if symbol_retcode > 0:
print("sancov failed to symbolize with return code {}".format(symbol_retcode))
sys.exit(symbol_retcode)
class commandsAction(argparse.Action):
commands = []
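Review bot: `if symbol_retcode > 0:` misses the case where sancov is killed by a signal, because `subprocess.call` then returns a negative value and the script would report success. Use `if symbol_retcode != 0:` so any abnormal exit is reported. While here, opening `symcov_file` with a `with` block would close it even if the call raises.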

@ -51,10 +51,10 @@
# pkix - run test suites with PKIX enabled
# upgradedb - upgrade existing certificate databases to shareable
# format (creates them if doesn't exist yet) and run
# test suites with those databases
# test suites with those databases. Requires to enable libdm.
# sharedb - run test suites with shareable database format
# enabled (databases are created directly to this
# format)
# format). This is the default and doesn't need to be run separately.
#
# Mandatory environment variables (to be set before testing):
# -----------------------------------------------------------
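Review bot: The new sentence on the upgradedb line, "Requires to enable libdm.", looks like a typo for libdbm and is ungrammatical. Suggest "Requires a build with the legacy database (libdbm) enabled." so readers can connect it to the `--enable-legacy-db` build option.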
@ -135,7 +135,7 @@ run_tests()
}
########################## run_cycle_standard ##########################
# run test suites with dbm database (no PKIX, no sharedb)
# run test suites with sql database (no PKIX)
########################################################################
run_cycle_standard()
{
@ -144,7 +144,7 @@ run_cycle_standard()
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher libpkix sdr ocsp pkits"
NSS_DEFAULT_DB_TYPE="dbm"
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
export NSS_DEFAULT_DB_TYPE
run_tests
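Review bot: `NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}` in run_cycle_standard now inherits whatever the caller exported, but the header above the function says the cycle runs "with sql database". Either reword the header to say sql is the default and the environment can override it, or assign "sql" unconditionally if the standard cycle is meant to be fixed.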
@ -288,7 +288,7 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
. ./init.sh
fi
cycles="standard pkix upgradedb sharedb"
cycles="standard pkix"
CYCLES=${NSS_CYCLES:-$cycles}
NO_INIT_SUPPORT=`certutil --build-flags |grep -cw NSS_NO_INIT_SUPPORT`
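Review bot: With `cycles="standard pkix"` the upgradedb cycle is no longer run unless the caller sets NSS_CYCLES, so the database upgrade path loses default test coverage. The header comment explains why sharedb can be dropped but for upgradedb only says it needs libdbm. Please add a comment next to this line saying that upgradedb must be requested explicitly on builds with the legacy database enabled, and confirm that CI still schedules it somewhere.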

@ -651,9 +651,9 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
RELOAD_CRL=1
# if test mode isn't set, test scripts default to expecting dbm
# if test mode isn't set, test scripts default to expecting sql
if [ "${TEST_MODE}" = "" ]; then
NSS_DEFAULT_DB_TYPE="dbm"
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
export NSS_DEFAULT_DB_TYPE
fi

@ -56,7 +56,7 @@ ifeq ($(OS_TARGET),Android)
TEST_SHELL?=$$HOME/bin/sh
ANDROID_PORT?="2222"
#Define the subset of tests that is known to work on Android
NSS_CYCLES?="standard pkix upgradedb sharedb"
NSS_CYCLES?="standard pkix sharedb"
NSS_TESTS?="cipher lowhash libpkix cert dbtests tools sdr crmf smime ssl ocsp merge pkits chains"
NSS_SSL_TESTS?="crl normal_normal iopr"
NSS_SSL_RUN?="cov auth stress"
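Review bot: The Android default becomes `NSS_CYCLES?="standard pkix sharedb"`, but the updated all.sh comment in this same change says sharedb "is the default and doesn't need to be run separately" and the standard cycle now defaults to sql. On Android this runs the same database format twice. Suggest `"standard pkix"` here to match the new default in all.sh, or a comment explaining why Android keeps sharedb.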