diff --git a/debian/changelog b/debian/changelog index f73606a5..0f2e9edb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,8 +1,49 @@ -nss (2:3.105-2deepin1) unstable; urgency=medium +nss (2:3.110-1+deb13u2) trixie-security; urgency=medium - * fix CVE-2026-2781 + * CVE-2026-6766 + * CVE-2026-6767 + * CVE-2026-6772 - -- zengwei Sat, 28 Feb 2026 10:09:36 +0800 + -- Moritz Mühlenhoff Sun, 17 May 2026 18:37:16 +0200 + +nss (2:3.110-1+deb13u1) trixie-security; urgency=medium + + * CVE-2026-2781 + + -- Moritz Mühlenhoff Wed, 25 Feb 2026 20:47:21 +0100 + +nss (2:3.110-1) unstable; urgency=medium + + * New upstream release. + * debian/libnss3.symbols: Add NSS_3.110 symbol version. + + -- Mike Hommey Wed, 02 Apr 2025 08:39:10 +0900 + +nss (2:3.109-1) unstable; urgency=medium + + * New upstream release. + + -- Mike Hommey Wed, 05 Mar 2025 06:13:17 +0900 + +nss (2:3.108-1) unstable; urgency=medium + + * New upstream release. + * debian/libnss3.symbols: Add NSS_3.107 (not a typo) and NSSUTIL_3.108 + symbol versions. + + -- Mike Hommey Sun, 16 Feb 2025 05:02:59 +0900 + +nss (2:3.107-1) unstable; urgency=medium + + * New upstream release. + + -- Mike Hommey Wed, 08 Jan 2025 07:35:40 +0900 + +nss (2:3.106-1) unstable; urgency=medium + + * New upstream release. + + -- Mike Hommey Tue, 19 Nov 2024 07:29:02 +0900 nss (2:3.105-2) unstable; urgency=medium diff --git a/debian/libnss3.symbols b/debian/libnss3.symbols index c351eaec..43c64516 100644 --- a/debian/libnss3.symbols +++ b/debian/libnss3.symbols @@ -22,6 +22,9 @@ libnss3.so libnss3 #MINVER# (symver)NSS_3.10 2:3.13.4-2~ (symver)NSS_3.10.2 2:3.13.4-2~ (symver)NSS_3.101 2:3.101 +# This is not a typo. + (symver)NSS_3.107 2:3.108 + (symver)NSS_3.110 2:3.110 (symver)NSS_3.11 2:3.13.4-2~ (symver)NSS_3.11.1 2:3.13.4-2~ (symver)NSS_3.11.2 2:3.13.4-2~ @@ -101,6 +104,7 @@ libnssdbm3.so libnss3 #MINVER# libnssutil3.so libnss3 #MINVER# * Build-Depends-Package: libnss3-dev (symver)NSSUTIL_3.101 2:3.101 + (symver)NSSUTIL_3.108 2:3.108 (symver)NSSUTIL_3.12 2:3.13.4-2~ (symver)NSSUTIL_3.12.3 2:3.13.4-2~ (symver)NSSUTIL_3.12.5 2:3.13.4-2~ diff --git a/debian/patches/CVE-2026-2781.patch b/debian/patches/CVE-2026-2781.patch index 19075a6a..416a1762 100644 --- a/debian/patches/CVE-2026-2781.patch +++ b/debian/patches/CVE-2026-2781.patch @@ -1,17 +1,15 @@ -From b7159ee944072fb04a0990ace2f9326cf85ece5f Mon Sep 17 00:00:00 2001 -From: zengwei -Date: Sat, 28 Feb 2026 10:08:57 +0800 -Subject: [PATCH] CVE-2026-2781 +# HG changeset patch +# User John Schanck +# Date 1770830509 0 +# Node ID 245385e16fa62111d6e3c3fbd847b020755f64f0 +# Parent 76e6887ecc1a5410233ad9c5f4cadae4e298a37b +Bug 2009552 - avoid integer overflow in platform-independent ghash. r=nss-reviewers,nkulatova ---- - nss/lib/freebl/gcm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) +Differential Revision: https://phabricator.services.mozilla.com/D278681 -diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c -index d728867..e087cc4 100644 ---- a/nss/lib/freebl/gcm.c -+++ b/nss/lib/freebl/gcm.c -@@ -353,7 +353,7 @@ gcmHash_Update(gcmHashContext *ghash, const unsigned char *buf, +--- nss-3.110.orig/nss/lib/freebl/gcm.c ++++ nss-3.110/nss/lib/freebl/gcm.c +@@ -357,7 +357,7 @@ gcmHash_Update(gcmHashContext *ghash, co unsigned int blocks; SECStatus rv; @@ -20,6 +18,3 @@ index d728867..e087cc4 100644 /* first deal with the current buffer of data. Try to fill it out so * we can hash it */ --- -2.20.1 - diff --git a/debian/patches/CVE-2026-6766.patch b/debian/patches/CVE-2026-6766.patch new file mode 100644 index 00000000..bc87c2f2 --- /dev/null +++ b/debian/patches/CVE-2026-6766.patch @@ -0,0 +1,22 @@ +# HG changeset patch +# User John Schanck +# Date 1773760657 0 +# Node ID 42da9a7f8a035849ba92e89dd095d4219a3e1d3d +# Parent 2d03bf59ca4feacb31a30923f730f549f25332e8 +Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag. r=#nss-reviewers + +Differential Revision: https://phabricator.services.mozilla.com/D287662 + +--- nss-3.110.orig/nss/lib/ssl/tls13con.c ++++ nss-3.110/nss/lib/ssl/tls13con.c +@@ -4988,6 +4988,10 @@ tls13_AEAD(PK11Context *context, PRBool + PORT_Memcpy(ivOut, ivIn, ivLen); + } + if (decrypt) { ++ if (inLen < tagLen) { ++ PORT_SetError(SEC_ERROR_INPUT_LEN); ++ return SECFailure; ++ } + inLen = inLen - tagLen; + tag = (unsigned char *)in + inLen; + /* tag is const on decrypt, but returned on encrypt */ diff --git a/debian/patches/CVE-2026-6767.patch b/debian/patches/CVE-2026-6767.patch new file mode 100644 index 00000000..4e2f0f0a --- /dev/null +++ b/debian/patches/CVE-2026-6767.patch @@ -0,0 +1,239 @@ + +# HG changeset patch +# User Dana Keeler +# Date 1773854548 0 +# Node ID 4e693e8b5c0db30ee8e0043edabcf9787a747aa8 +# Parent 42da9a7f8a035849ba92e89dd095d4219a3e1d3d +Bug 2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree r?jschanck + +Differential Revision: https://phabricator.services.mozilla.com/D287712 + +--- nss-3.110.orig/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp ++++ nss-3.110/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp +@@ -2132,6 +2132,45 @@ static const NameConstraintParams NAME_C + Result::ERROR_BAD_DER, Result::ERROR_BAD_DER + }, + ++ // Wildcard SANs have subtle outcomes. ++ { ByteString(), DNSName("*.example.com"), ++ GeneralSubtree(DNSName(".example.com")), ++ Success, ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE ++ }, ++ { ByteString(), DNSName("*.example.com"), ++ GeneralSubtree(DNSName("example.com")), ++ Success, ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE ++ }, ++ // A certificate with a wildcard SAN entry like `*.example.com` can't be ++ // issued by a CA with a DNSName name constraint entry like `foo.example.com` ++ // in either the permitted or excluded subtrees. If in the permitted subtree, ++ // the certificate would be valid for `bar.example.com`, which would violate ++ // the constraint. If in the excluded subtree, the certificate would be valid ++ // for `foo.example.com`, which would violate the constraint. ++ { ByteString(), DNSName("*.example.com"), ++ GeneralSubtree(DNSName("foo.example.com")), ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE, ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE ++ }, ++ { ByteString(), DNSName("*.foo.example.com"), ++ GeneralSubtree(DNSName("example.com")), ++ Success, ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE ++ }, ++ { ByteString(), DNSName("*.example.com"), ++ GeneralSubtree(DNSName("foo.example.org")), ++ Result::ERROR_CERT_NOT_IN_NAME_SPACE, ++ Success ++ }, ++ // `*invalid.example.com` is an invalid presented DNSID. ++ { ByteString(), DNSName("*invalid.example.com"), ++ GeneralSubtree(DNSName("invalid.example.com")), ++ Result::ERROR_BAD_DER, ++ Result::ERROR_BAD_DER ++ }, ++ + ///////////////////////////////////////////////////////////////////////////// + // Basic IP Address constraints (non-CN-ID) + +--- nss-3.110.orig/nss/lib/mozpkix/lib/pkixnames.cpp ++++ nss-3.110/nss/lib/mozpkix/lib/pkixnames.cpp +@@ -172,6 +172,12 @@ enum class IDRole + NameConstraint = 2, + }; + ++enum class NameConstraintsSubtrees : uint8_t ++{ ++ permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0, ++ excludedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1 ++}; ++ + enum class AllowWildcards { No = 0, Yes = 1 }; + + // DNSName constraints implicitly allow subdomain matching when there is no +@@ -184,16 +190,22 @@ enum class AllowDotlessSubdomainMatches + bool IsValidDNSID(Input hostname, IDRole idRole, + AllowWildcards allowWildcards); + ++// `subtreesType` is relevant only when `referenceDNSIDRole` is ++// `IDRole::NameConstraint`. + Result MatchPresentedDNSIDWithReferenceDNSID( + Input presentedDNSID, + AllowWildcards allowWildcards, + AllowDotlessSubdomainMatches allowDotlessSubdomainMatches, + IDRole referenceDNSIDRole, ++ /*optional*/ const NameConstraintsSubtrees* subtreesType, + Input referenceDNSID, + /*out*/ bool& matches); + ++// `subtreesType` is relevant only when `referenceDNSIDRole` is ++// `IDRole::NameConstraint`. + Result MatchPresentedRFC822NameWithReferenceRFC822Name( + Input presentedRFC822Name, IDRole referenceRFC822NameRole, ++ /*optional*/ const NameConstraintsSubtrees* subtreesType, + Input referenceRFC822Name, /*out*/ bool& matches); + + } // namespace +@@ -212,7 +224,7 @@ MatchPresentedDNSIDWithReferenceDNSID(In + return MatchPresentedDNSIDWithReferenceDNSID( + presentedDNSID, AllowWildcards::Yes, + AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID, +- referenceDNSID, matches); ++ nullptr, referenceDNSID, matches); + } + + // Verify that the given end-entity cert, which is assumed to have been already +@@ -731,7 +743,7 @@ MatchPresentedIDWithReferenceID(GeneralN + rv = MatchPresentedDNSIDWithReferenceDNSID( + presentedID, AllowWildcards::Yes, + AllowDotlessSubdomainMatches::Yes, IDRole::ReferenceID, +- referenceID, foundMatch); ++ nullptr, referenceID, foundMatch); + break; + + case GeneralNameType::iPAddress: +@@ -741,7 +753,7 @@ MatchPresentedIDWithReferenceID(GeneralN + + case GeneralNameType::rfc822Name: + rv = MatchPresentedRFC822NameWithReferenceRFC822Name( +- presentedID, IDRole::ReferenceID, referenceID, foundMatch); ++ presentedID, IDRole::ReferenceID, nullptr, referenceID, foundMatch); + break; + + case GeneralNameType::directoryName: +@@ -767,20 +779,16 @@ MatchPresentedIDWithReferenceID(GeneralN + return Success; + } + +-enum class NameConstraintsSubtrees : uint8_t +-{ +- permittedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 0, +- excludedSubtrees = der::CONSTRUCTED | der::CONTEXT_SPECIFIC | 1 +-}; +- + Result CheckPresentedIDConformsToNameConstraintsSubtrees( + GeneralNameType presentedIDType, + Input presentedID, + Reader& nameConstraints, + NameConstraintsSubtrees subtreesType); ++ + Result MatchPresentedIPAddressWithConstraint(Input presentedID, + Input iPAddressConstraint, + /*out*/ bool& foundMatch); ++ + Result MatchPresentedDirectoryNameWithConstraint( + NameConstraintsSubtrees subtreesType, Input presentedID, + Input directoryNameConstraint, /*out*/ bool& matches); +@@ -886,7 +894,7 @@ CheckPresentedIDConformsToNameConstraint + rv = MatchPresentedDNSIDWithReferenceDNSID( + presentedID, AllowWildcards::Yes, + AllowDotlessSubdomainMatches::Yes, IDRole::NameConstraint, +- base, matches); ++ &subtreesType, base, matches); + if (rv != Success) { + return rv; + } +@@ -911,7 +919,7 @@ CheckPresentedIDConformsToNameConstraint + + case GeneralNameType::rfc822Name: + rv = MatchPresentedRFC822NameWithReferenceRFC822Name( +- presentedID, IDRole::NameConstraint, base, matches); ++ presentedID, IDRole::NameConstraint, &subtreesType, base, matches); + if (rv != Success) { + return rv; + } +@@ -1094,6 +1102,7 @@ MatchPresentedDNSIDWithReferenceDNSID( + AllowWildcards allowWildcards, + AllowDotlessSubdomainMatches allowDotlessSubdomainMatches, + IDRole referenceDNSIDRole, ++ /*optional*/ const NameConstraintsSubtrees* subtreesType, + Input referenceDNSID, + /*out*/ bool& matches) + { +@@ -1184,18 +1193,28 @@ MatchPresentedDNSIDWithReferenceDNSID( + return NotReached("Skipping '*' failed", + Result::FATAL_ERROR_LIBRARY_FAILURE); + } +- do { +- // This will happen if reference is a single, relative label +- if (reference.AtEnd()) { +- matches = false; +- return Success; +- } +- uint8_t referenceByte; +- if (reference.Read(referenceByte) != Success) { +- return NotReached("invalid reference ID", +- Result::FATAL_ERROR_INVALID_ARGS); +- } +- } while (!reference.Peek('.')); ++ // For the permittedSubtrees of a name constraint, wildcard presented ++ // DNSIDs of the form `*.example.com` only match if the name constraint is ++ // of the form `.example.com` or `example.com`. To put it another way, a ++ // permittedSubtrees of `foo.example.com` does not match a wildcard ++ // presented DNSID of `*.example.com`, because in that case, the ++ // certificate could be valid for `bar.example.com`, which does not match ++ // the name constraint. ++ if (referenceDNSIDRole != IDRole::NameConstraint || ++ (subtreesType && *subtreesType != NameConstraintsSubtrees::permittedSubtrees)) { ++ do { ++ // This will happen if reference is a single, relative label ++ if (reference.AtEnd()) { ++ matches = false; ++ return Success; ++ } ++ uint8_t referenceByte; ++ if (reference.Read(referenceByte) != Success) { ++ return NotReached("invalid reference ID", ++ Result::FATAL_ERROR_INVALID_ARGS); ++ } ++ } while (!reference.Peek('.')); ++ } + } + + for (;;) { +@@ -1552,11 +1571,13 @@ IsValidRFC822Name(Input input) + } + } + ++// `subtreesType` is relevant only when `referenceRFC822NameRole` is ++// `IDRole::NameConstraint`. + Result +-MatchPresentedRFC822NameWithReferenceRFC822Name(Input presentedRFC822Name, +- IDRole referenceRFC822NameRole, +- Input referenceRFC822Name, +- /*out*/ bool& matches) ++MatchPresentedRFC822NameWithReferenceRFC822Name( ++ Input presentedRFC822Name, IDRole referenceRFC822NameRole, ++ /*optional*/ const NameConstraintsSubtrees* subtreesType, ++ Input referenceRFC822Name, /*out*/ bool& matches) + { + if (!IsValidRFC822Name(presentedRFC822Name)) { + return Result::ERROR_BAD_DER; +@@ -1599,6 +1620,7 @@ MatchPresentedRFC822NameWithReferenceRFC + return MatchPresentedDNSIDWithReferenceDNSID( + presentedDNSID, AllowWildcards::No, + AllowDotlessSubdomainMatches::No, IDRole::NameConstraint, ++ subtreesType, + referenceRFC822Name, matches); + } + } diff --git a/debian/patches/CVE-2026-6772.patch b/debian/patches/CVE-2026-6772.patch new file mode 100644 index 00000000..4abc75ee --- /dev/null +++ b/debian/patches/CVE-2026-6772.patch @@ -0,0 +1,359 @@ + +# HG changeset patch +# User Dennis Jackson +# Date 1776100981 0 +# Node ID 961f1a40f5e7d182723a216e236e1e638eaddb40 +# Parent 5c15dd1fb0151b7ca62b0d6e95a9942778dcabe2 +Bug 2026089 - Clarify extension negotiation mechanism for TLS Handshakes r=#nss-reviewers + +Differential Revision: https://phabricator.services.mozilla.com/D289764 + +--- nss-3.110.orig/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc ++++ nss-3.110/nss/gtests/ssl_gtest/ssl_certificate_compression_unittest.cc +@@ -500,8 +500,6 @@ TEST_F(TlsConnectStreamTls13, + + EXPECT_TRUE(SSLInt_ExtensionNegotiated(server_->ssl_fd(), + ssl_certificate_compression_xtn)); +- EXPECT_TRUE(SSLInt_ExtensionNegotiated(client_->ssl_fd(), +- ssl_certificate_compression_xtn)); + + uint16_t certCompressionAlg = filterExtension->getCertCompressionAlg(); + EXPECT_EQ(certCompressionAlg, serverPreferableAlg.id); +@@ -1391,8 +1389,6 @@ TEST_F(TlsConnectStreamTls13, Certificat + server_->ReadBytes(50); + + EXPECT_EQ(1U, called); +- EXPECT_TRUE(SSLInt_ExtensionNegotiated(client_->ssl_fd(), +- ssl_certificate_compression_xtn)); + + SendReceive(60); + client_->CheckClientAuthCompleted(); +@@ -1469,8 +1465,6 @@ TEST_F(TlsConnectStreamTls13, + server_->ReadBytes(50); + + EXPECT_EQ(1U, called); +- EXPECT_TRUE(SSLInt_ExtensionNegotiated(client_->ssl_fd(), +- ssl_certificate_compression_xtn)); + + SendReceive(60); + client_->CheckClientAuthCompleted(); +--- nss-3.110.orig/nss/lib/ssl/ssl3ext.c ++++ nss-3.110/nss/lib/ssl/ssl3ext.c +@@ -336,6 +336,26 @@ ssl3_ExtensionAdvertised(const sslSocket + xtnData->numAdvertised, ex_type); + } + ++void ++ssl3_RecordExtensionNegotiated(const sslSocket *ss, TLSExtensionData *xtnData, ++ PRUint16 ex_type) ++{ ++ /* Record that an extension was negotiated during a full TLS handshake. ++ * This function must NOT be used to track extensions carried in ++ * post-handshake messages (e.g. CertificateRequest during PHA); ++ * their negotiation state should instead be stored in dedicated fields on ++ * TLSExtensionData or sslSocket (e.g. xtnData->compressionAlg for ++ * certificate compression). */ ++ PORT_Assert(!ss->firstHsDone || ++ ss->opt.enableRenegotiation != SSL_RENEGOTIATE_NEVER); ++ PORT_Assert(!arrayContainsExtension(xtnData->negotiated, ++ xtnData->numNegotiated, ex_type)); ++ PORT_Assert(xtnData->numNegotiated < SSL_MAX_EXTENSIONS); ++ if (xtnData->numNegotiated < SSL_MAX_EXTENSIONS) { ++ xtnData->negotiated[xtnData->numNegotiated++] = ex_type; ++ } ++} ++ + PRBool + ssl3_ExtensionAdvertisedClientHelloInner(const sslSocket *ss, PRUint16 ex_type) + { +--- nss-3.110.orig/nss/lib/ssl/ssl3ext.h ++++ nss-3.110/nss/lib/ssl/ssl3ext.h +@@ -175,6 +175,9 @@ void ssl3_ResetExtensionData(TLSExtensio + + PRBool ssl3_ExtensionNegotiated(const sslSocket *ss, PRUint16 ex_type); + PRBool ssl3_ExtensionAdvertised(const sslSocket *ss, PRUint16 ex_type); ++void ssl3_RecordExtensionNegotiated(const sslSocket *ss, ++ TLSExtensionData *xtnData, ++ PRUint16 ex_type); + + SECStatus ssl3_RegisterExtensionSender(const sslSocket *ss, + TLSExtensionData *xtnData, +--- nss-3.110.orig/nss/lib/ssl/ssl3exthandle.c ++++ nss-3.110/nss/lib/ssl/ssl3exthandle.c +@@ -165,7 +165,7 @@ ssl3_HandleServerNameXtn(const sslSocket + ssl3_FreeSniNameArray(xtnData); + xtnData->sniNameArr = names; + xtnData->sniNameArrSize = 1; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_server_name_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_server_name_xtn); + } + return SECSuccess; + +@@ -345,7 +345,7 @@ ssl3_SelectAppProtocol(const sslSocket * + } + + xtnData->nextProtoState = SSL_NEXT_PROTO_NEGOTIATED; +- xtnData->negotiated[xtnData->numNegotiated++] = extension; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, extension); + return SECITEM_CopyItem(NULL, &xtnData->nextProto, &result); + } + +@@ -447,7 +447,7 @@ ssl3_ClientHandleAppProtoXtn(const sslSo + + SECITEM_FreeItem(&xtnData->nextProto, PR_FALSE); + xtnData->nextProtoState = SSL_NEXT_PROTO_SELECTED; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_app_layer_protocol_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_app_layer_protocol_xtn); + return SECITEM_CopyItem(NULL, &xtnData->nextProto, &protocol_name); + } + +@@ -528,7 +528,7 @@ ssl3_ServerHandleStatusRequestXtn(const + PORT_Assert(ss->sec.isServer); + + /* remember that we got this extension. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_cert_status_xtn); + + if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { + sender = tls13_ServerSendStatusRequestXtn; +@@ -606,7 +606,7 @@ ssl3_ClientHandleStatusRequestXtn(const + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_cert_status_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_cert_status_xtn); + return SECSuccess; + } + +@@ -859,7 +859,7 @@ ssl3_ClientHandleSessionTicketXtn(const + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_session_ticket_xtn); + return SECSuccess; + } + +@@ -1309,7 +1309,7 @@ ssl3_ServerHandleSessionTicketXtn(const + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_session_ticket_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_session_ticket_xtn); + + /* Parse the received ticket sent in by the client. We are + * lenient about some parse errors, falling back to a fullshake +@@ -1387,7 +1387,7 @@ ssl3_HandleRenegotiationInfoXtn(const ss + /* remember that we got this extension and it was correct. */ + CONST_CAST(sslSocket, ss) + ->peerRequestedProtection = 1; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_renegotiation_info_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_renegotiation_info_xtn); + if (ss->sec.isServer) { + /* prepare to send back the appropriate response */ + rv = ssl3_RegisterExtensionSender(ss, xtnData, +@@ -1522,7 +1522,7 @@ ssl3_ClientHandleUseSRTPXtn(const sslSoc + } + + /* OK, this looks fine. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_use_srtp_xtn); + xtnData->dtlsSRTPCipherSuite = cipher; + return SECSuccess; + } +@@ -1593,7 +1593,7 @@ ssl3_ServerHandleUseSRTPXtn(const sslSoc + + /* OK, we have a valid cipher and we've selected it */ + xtnData->dtlsSRTPCipherSuite = cipher; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_use_srtp_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_use_srtp_xtn); + + return ssl3_RegisterExtensionSender(ss, xtnData, + ssl_use_srtp_xtn, +@@ -1639,8 +1639,12 @@ ssl3_HandleSigAlgsXtn(const sslSocket *s + return SECFailure; + } + +- /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_signature_algorithms_xtn; ++ /* Keep track of negotiated extensions. Only the server consumes this ++ * entry; on the client, skipping prevents numNegotiated overflow ++ * during repeated post-handshake CertificateRequests. */ ++ if (ss->sec.isServer) { ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_signature_algorithms_xtn); ++ } + return SECSuccess; + } + +@@ -1711,7 +1715,7 @@ ssl3_HandleExtendedMasterSecretXtn(const + SSL_GETPID(), ss->fd)); + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_extended_master_secret_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_extended_master_secret_xtn); + + if (ss->sec.isServer) { + return ssl3_RegisterExtensionSender(ss, xtnData, +@@ -1758,7 +1762,7 @@ ssl3_ClientHandleSignedCertTimestampXtn( + } + *scts = *data; + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_signed_cert_timestamp_xtn); + return SECSuccess; + } + +@@ -1794,7 +1798,7 @@ ssl3_ServerHandleSignedCertTimestampXtn( + return SECFailure; + } + +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_signed_cert_timestamp_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_signed_cert_timestamp_xtn); + PORT_Assert(ss->sec.isServer); + return ssl3_RegisterExtensionSender(ss, xtnData, + ssl_signed_cert_timestamp_xtn, +@@ -1934,7 +1938,7 @@ ssl_HandleSupportedGroupsXtn(const sslSo + } + + /* Remember that we negotiated this extension. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_supported_groups_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_supported_groups_xtn); + + return SECSuccess; + } +@@ -1975,7 +1979,7 @@ ssl_HandleRecordSizeLimitXtn(const sslSo + /* We can't enforce the maximum on a server. But we do need to ensure + * that we don't apply a limit that is too large. */ + xtnData->recordSizeLimit = PR_MIN(maxLimit, limit); +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_record_size_limit_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_record_size_limit_xtn); + return SECSuccess; + } + +--- nss-3.110.orig/nss/lib/ssl/tls13ech.c ++++ nss-3.110/nss/lib/ssl/tls13ech.c +@@ -2437,7 +2437,7 @@ tls13_MaybeHandleEchSignal(sslSocket *ss + PORT_SetError(SSL_ERROR_BAD_2ND_CLIENT_HELLO); + return SECFailure; + } +- ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; ++ ssl3_RecordExtensionNegotiated(ss, &ss->xtnData, ssl_tls13_encrypted_client_hello_xtn); + + /* Only overwrite client_random with client_inner_random if CHInner was + * succesfully used for handshake (NOT if HRR is received). */ +--- nss-3.110.orig/nss/lib/ssl/tls13exthandle.c ++++ nss-3.110/nss/lib/ssl/tls13exthandle.c +@@ -446,8 +446,7 @@ tls13_ServerHandleKeyShareXtn(const sslS + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = +- ssl_tls13_key_share_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_key_share_xtn); + + return SECSuccess; + +@@ -746,7 +745,7 @@ tls13_ServerHandlePreSharedKeyXtn(const + return SECSuccess; + } + +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_pre_shared_key_xtn); + return SECSuccess; + + alert_loser: +@@ -816,7 +815,7 @@ tls13_ClientHandlePreSharedKeyXtn(const + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_pre_shared_key_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_pre_shared_key_xtn); + xtnData->selectedPsk = candidate; + + return SECSuccess; +@@ -860,7 +859,7 @@ tls13_ServerHandleEarlyDataXtn(const ssl + return SECFailure; + } + +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_early_data_xtn); + + return SECSuccess; + } +@@ -885,7 +884,7 @@ tls13_ClientHandleEarlyDataXtn(const ssl + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_early_data_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_early_data_xtn); + + return SECSuccess; + } +@@ -1101,7 +1100,7 @@ tls13_ServerHandleCookieXtn(const sslSoc + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_cookie_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_cookie_xtn); + + return SECSuccess; + } +@@ -1138,7 +1137,7 @@ tls13_ServerHandlePostHandshakeAuthXtn(c + * NST immediately following the client Finished. */ + if (!IS_DTLS(ss)) { + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_post_handshake_auth_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_post_handshake_auth_xtn); + } + + return SECSuccess; +@@ -1209,8 +1208,7 @@ tls13_ServerHandlePskModesXtn(const sslS + } + + /* Keep track of negotiated extensions. */ +- xtnData->negotiated[xtnData->numNegotiated++] = +- ssl_tls13_psk_key_exchange_modes_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_psk_key_exchange_modes_xtn); + + return SECSuccess; + } +@@ -1554,8 +1552,7 @@ tls13_ClientHandleDelegatedCredentialsXt + } + + xtnData->peerDelegCred = dc; +- xtnData->negotiated[xtnData->numNegotiated++] = +- ssl_delegated_credentials_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_delegated_credentials_xtn); + return SECSuccess; + alert_loser: + ssl3_ExtSendAlert(ss, alert_fatal, illegal_parameter); +@@ -1619,8 +1616,7 @@ tls13_ServerHandleDelegatedCredentialsXt + + /* Keep track of negotiated extensions. */ + xtnData->peerRequestedDelegCred = PR_TRUE; +- xtnData->negotiated[xtnData->numNegotiated++] = +- ssl_delegated_credentials_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_delegated_credentials_xtn); + + return ssl3_RegisterExtensionSender( + ss, xtnData, ssl_delegated_credentials_xtn, +@@ -1709,7 +1705,7 @@ tls13_ServerHandleInnerEchXtn(const sslS + } + + xtnData->ech->receivedInnerXtn = PR_TRUE; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_tls13_encrypted_client_hello_xtn; ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_tls13_encrypted_client_hello_xtn); + return SECSuccess; + + alert_loser: +@@ -1995,7 +1991,9 @@ ssl3_HandleCertificateCompressionXtn(con + for (int j = 0; j < ss->ssl3.supportedCertCompressionAlgorithmsCount; j++) { + if (ss->ssl3.supportedCertCompressionAlgorithms[j].id == alg) { + xtnData->compressionAlg = alg; +- xtnData->negotiated[xtnData->numNegotiated++] = ssl_certificate_compression_xtn; ++ if (ss->sec.isServer) { ++ ssl3_RecordExtensionNegotiated(ss, xtnData, ssl_certificate_compression_xtn); ++ } + algFound = SECSuccess; + break; + } diff --git a/debian/patches/series b/debian/patches/series index 1b23084d..07e25d82 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,6 @@ 38_hurd.patch 80_security_tools.patch CVE-2026-2781.patch +CVE-2026-6766.patch +CVE-2026-6767.patch +CVE-2026-6772.patch diff --git a/nss/.hg_archival.txt b/nss/.hg_archival.txt index c01a3dcd..bf738eeb 100644 --- a/nss/.hg_archival.txt +++ b/nss/.hg_archival.txt @@ -1,4 +1,4 @@ repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f -node: c08d594c13fddb2f55e91222d8fc7cc1ac52abe7 -branch: default -tag: NSS_3_105_RTM +node: 0b262be660fd747f60fbdda34374734961ddbc81 +branch: NSS_3_110_BRANCH +tag: NSS_3_110_RTM diff --git a/nss/.taskcluster.yml b/nss/.taskcluster.yml index 107dc5e5..7a92d576 100644 --- a/nss/.taskcluster.yml +++ b/nss/.taskcluster.yml @@ -1,3 +1,4 @@ +# yamllint disable rule:line-length # This file is rendered via JSON-e in a hook with context: # { # tasks_for: 'hg-push', @@ -9,87 +10,192 @@ --- version: 1 tasks: - - $let: - # sometimes the push user is just `ffxbld` or the like, but we want an - # email-like field.. - ownerEmail: - $if: '"@" in push.owner' - then: '${push.owner}' - else: '${push.owner}@noreply.mozilla.org' - # ensure there's no trailing `/` on the repo URL - repoUrl: - $if: 'repository.url[-1] == "/"' - then: {$eval: 'repository.url[:-1]'} - else: {$eval: 'repository.url'} - # scheduler id - schedulerId: 'nss-level-${repository.level}' - in: - taskId: '${ownTaskId}' - taskGroupId: '${ownTaskId}' - schedulerId: '${schedulerId}' - created: {$fromNow: ''} - deadline: {$fromNow: '1 day'} - expires: {$fromNow: '14 days'} - - metadata: - owner: mozilla-taskcluster-maintenance@mozilla.com - source: "${repository.url}" - name: "NSS Decision Task" - description: | - The task that creates all of the other tasks in the task graph - - workerType: "linux-gcp" - provisionerId: "nss-${repository.level}" - - scopes: - - 'assume:repo:${repoUrl[8:]}:branch:default' - tags: - createdForUser: "${ownerEmail}" - - routes: - - "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}" - - "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}" - - payload: - # TODO: use nssdev org , not djmitche, once the image is pushed there - image: djmitche/nss-decision:0.0.3 - - env: - TC_OWNER: "${ownerEmail}" - TC_SOURCE: "${repository.url}" - TC_PROJECT: ${repository.project} - TC_SCHEDULER_ID: "${schedulerId}" - MOZ_SCM_LEVEL: "${repository.level}" - NSS_PUSHLOG_ID: '${push.pushlog_id}' - NSS_HEAD_REPOSITORY: '${repository.url}' - NSS_HEAD_REVISION: '${push.revision}' - - maxRunTime: 1800 - - command: - - bash - - -cx - - > - bin/checkout.sh && - nss/automation/taskcluster/scripts/extend_task_graph.sh - - features: - taskclusterProxy: true - - artifacts: - 'public/docker-contexts': - type: 'directory' - path: '/home/worker/docker-contexts' - # This needs to be at least the deadline of the - # decision task + the docker-image task deadlines. - # It is set to a week to allow for some time for - # debugging, but they are not useful long-term. - expires: {$fromNow: '7 day'} - - extra: - treeherder: - symbol: D - build: - platform: nss-decision - machine: - platform: nss-decision + # NOTE: support for actions in ci-admin requires that the `tasks` property be + # an array *before* JSON-e rendering takes place. + - $if: 'tasks_for in ["hg-push", "action"]' + then: + $let: + # sometimes the push user is just `ffxbld` or the like, but we want an + # email-like field.. + ownerEmail: + $if: '"@" in push.owner' + then: '${push.owner}' + else: '${push.owner}@noreply.mozilla.org' + # ensure there's no trailing `/` on the repo URL + repoUrl: + $if: 'repository.url[-1] == "/"' + then: {$eval: 'repository.url[:-1]'} + else: {$eval: 'repository.url'} + trustDomain: nss + treeherder_link: '[Treeherder job](https://treeherder.mozilla.org/#/jobs?repo=${repository.project}&revision=${push.revision}&selectedTaskRun=${ownTaskId})' + expires: {$fromNow: '14 days'} + in: + taskId: {$if: 'tasks_for != "action"', then: '${ownTaskId}'} + taskGroupId: + $if: 'tasks_for == "action"' + then: '${action.taskGroupId}' + else: '${ownTaskId}' + schedulerId: 'nss-level-${repository.level}' + created: {$fromNow: ''} + deadline: {$fromNow: '1 day'} + expires: {$eval: 'expires'} + + metadata: + $merge: + - owner: mozilla-taskcluster-maintenance@mozilla.com + source: "${repoUrl}/raw-file/${push.revision}/.taskcluster.yml" + - $if: 'tasks_for == "hg-push"' + then: + name: "NSS Decision Task" + description: The task that creates all of the other tasks in the task graph + else: + name: "Action: ${action.title}" + description: | + ${action.description} + + ${treeherder_link} + + Action triggered by clientID `${clientId}` + + provisionerId: "${trustDomain}-${repository.level}" + workerType: "decision-gcp" + + tags: + $if: 'tasks_for == "hg-push"' + then: + createdForUser: "${ownerEmail}" + kind: decision-task + else: + createdForUser: '${ownerEmail}' + kind: action-callback + + + routes: + $flattenDeep: + - "tc-treeherder.v2.${repository.project}.${push.revision}" + - $if: 'tasks_for == "hg-push"' + then: + - "index.${trustDomain}.v2.${repository.project}.latest.taskgraph.decision" + - "index.${trustDomain}.v2.${repository.project}.revision.${push.revision}.taskgraph.decision" + - "index.${trustDomain}.v2.${repository.project}.pushlog-id.${push.pushlog_id}.decision" + else: + - "index.${trustDomain}.v2.${repository.project}.revision.${push.revision}.taskgraph.actions.${ownTaskId}" + - "index.${trustDomain}.v2.${repository.project}.pushlog-id.${push.pushlog_id}.actions.${ownTaskId}" + + scopes: + $if: 'tasks_for == "hg-push"' + then: + - 'assume:repo:${repoUrl[8:]}:branch:default' + - 'in-tree:hook-action:project-${trustDomain}/in-tree-action-${repository.level}-*' + - 'index:insert-task:${trustDomain}.v2.${repository.project}.*' + else: + - '${action.repo_scope}' + + dependencies: [] + requires: all-completed + + priority: low + retries: 0 + + payload: + image: mozillareleases/taskgraph:decision-v13.0.0@sha256:57e4c2d2ad92cea663dcc02cacbfd88b3506edde80e19fbd8a57b3dfe37ae9bd + + env: + $merge: + - NSS_BASE_REPOSITORY: 'https://hg.mozilla.org/projects/nss' + NSS_REPOSITORY_TYPE: 'hg' + NSS_BASE_REV: '${push.base_revision}' + NSS_HEAD_REPOSITORY: '${repository.url}' + NSS_HEAD_REV: '${push.revision}' + HG_STORE_PATH: /builds/worker/checkouts/hg-store + TASKCLUSTER_CACHES: /builds/worker/checkouts + REPOSITORIES: {$json: {nss: NSS}} + - $if: 'tasks_for == "action"' + then: + ACTION_TASK_GROUP_ID: '${action.taskGroupId}' + ACTION_TASK_ID: {$json: {$eval: 'taskId'}} + ACTION_INPUT: {$json: {$eval: 'input'}} + ACTION_CALLBACK: '${action.cb_name}' + + cache: + "${trustDomain}-level-${repository.level}-checkouts-sparse-v3": /builds/worker/checkouts + + maxRunTime: 1800 + + command: + - /usr/local/bin/run-task + - '--nss-checkout=/builds/worker/checkouts/nss' + - '--' + - bash + - -cx + - $if: 'tasks_for == "action"' + then: > + cd /builds/worker/checkouts/nss && + ln -s /builds/worker/artifacts artifacts && + taskgraph action-callback + else: > + cd /builds/worker/checkouts/nss && + ln -s /builds/worker/artifacts artifacts && + taskgraph decision + --pushlog-id='${push.pushlog_id}' + --pushdate='${push.pushdate}' + --project='${repository.project}' + --owner='${ownerEmail}' + --level='${repository.level}' + --tasks-for='${tasks_for}' + --repository-type=hg + --base-repository="$NSS_BASE_REPOSITORY" + --base-rev="$NSS_BASE_REV" + --head-repository="$NSS_HEAD_REPOSITORY" + --head-ref="$NSS_HEAD_REF" + --head-rev="$NSS_HEAD_REV" + + features: + taskclusterProxy: true + + artifacts: + 'public': + type: 'directory' + path: '/builds/worker/artifacts' + expires: {$eval: expires} + 'public/docker-contexts': + type: 'directory' + path: '/builds/worker/checkouts/nss/docker-contexts' + # This needs to be at least the deadline of the + # decision task + the docker-image task deadlines. + # It is set to a week to allow for some time for + # debugging, but they are not useful long-term. + expires: {$fromNow: '7 day'} + + extra: + $merge: + - treeherder: + $merge: + - machine: + platform: nss-decision + - $if: 'tasks_for == "hg-push"' + then: + symbol: D + else: + groupName: 'action-callback' + groupSymbol: 'AC' + symbol: "${action.symbol}" + - $if: 'tasks_for == "action"' + then: + parent: '${action.taskGroupId}' + action: + name: '${action.name}' + context: + taskGroupId: '${action.taskGroupId}' + taskId: {$eval: 'taskId'} + input: {$eval: 'input'} + clientId: {$eval: 'clientId'} + - tasks_for: '${tasks_for}' + - $if: 'tasks_for == "hg-push"' + then: + notify: + email: + $merge: + - link: + text: "Treeherder Jobs" + href: "https://treeherder.mozilla.org/#/jobs?repo=${repository.project}&revision=${push.revision}" diff --git a/nss/automation/abi-check/expected-report-libnss3.so.txt b/nss/automation/abi-check/expected-report-libnss3.so.txt index 0bf11a4f..97b1735c 100644 --- a/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -1,4 +1,10 @@ +3 Added functions: + + 'function const char* SECMOD_FlagsToPolicyString(PRUint32, PRBool)' {SECMOD_FlagsToPolicyString@@NSS_3.110} + 'function SECOidTag SECMOD_PolicyStringToOid(const char*, const char*)' {SECMOD_PolicyStringToOid@@NSS_3.110} + 'function PRUint32 SECMOD_PolicyStringToOpt(const char*)' {SECMOD_PolicyStringToOpt@@NSS_3.110} + 1 function with some indirect sub-type change: [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes: @@ -6,10 +12,10 @@ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed 1 enumerator insertion: - '__anonymous_enum__::SEC_OID_MLKEM768X25519' value '389' + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '389' to '390' at secoidt.h:34:1 + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 diff --git a/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/nss/automation/abi-check/expected-report-libnssutil3.so.txt index 6d12ca2a..71a04c6d 100644 --- a/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -1,15 +1,15 @@ 1 function with some indirect sub-type change: - [C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:146:1 has some indirect sub-type changes: + [C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:149:1 has some indirect sub-type changes: return type changed: underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed 1 enumerator insertion: - '__anonymous_enum__::SEC_OID_MLKEM768X25519' value '389' + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '389' to '390' at secoidt.h:34:1 + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 diff --git a/nss/automation/abi-check/expected-report-libsmime3.so.txt b/nss/automation/abi-check/expected-report-libsmime3.so.txt index ab649232..03752448 100644 --- a/nss/automation/abi-check/expected-report-libsmime3.so.txt +++ b/nss/automation/abi-check/expected-report-libsmime3.so.txt @@ -31,10 +31,10 @@ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: type size hasn't changed 1 enumerator insertion: - '__anonymous_enum__::SEC_OID_MLKEM768X25519' value '389' + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' 1 enumerator change: - '__anonymous_enum__::SEC_OID_TOTAL' from value '389' to '390' at secoidt.h:34:1 + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 diff --git a/nss/automation/abi-check/previous-nss-release b/nss/automation/abi-check/previous-nss-release index c2f48d34..c2e70582 100644 --- a/nss/automation/abi-check/previous-nss-release +++ b/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_104_BRANCH +NSS_3_109_BRANCH diff --git a/nss/automation/ossfuzz/build.sh b/nss/automation/ossfuzz/build.sh index e967ea86..0b5e8934 100755 --- a/nss/automation/ossfuzz/build.sh +++ b/nss/automation/ossfuzz/build.sh @@ -7,7 +7,7 @@ ################################################################################ # List of targets disabled for oss-fuzz. -declare -A disabled=([pkcs8]=1) +declare -A disabled=() # List of targets we want to fuzz in TLS and non-TLS mode. declare -A tls_targets=([tls-client]=1 [tls-server]=1 [dtls-client]=1 [dtls-server]=1) @@ -24,8 +24,6 @@ copy_fuzzer() # Zip and copy the corpus, if any. if [ -d "$SRC/nss-corpus/$name" ]; then zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/$name/* - else - zip $OUT/${name}_seed_corpus.zip $SRC/nss-corpus/*/* fi } diff --git a/nss/automation/release/nspr-version.txt b/nss/automation/release/nspr-version.txt index 9b2fe29d..d49f82fc 100644 --- a/nss/automation/release/nspr-version.txt +++ b/nss/automation/release/nspr-version.txt @@ -1,4 +1,4 @@ -4.35 +4.36 # The first line of this file must contain the human readable NSPR # version number, which is the minimum required version of NSPR diff --git a/nss/automation/release/nss-release-helper.py b/nss/automation/release/nss-release-helper.py index f018f89c..11d23349 100755 --- a/nss/automation/release/nss-release-helper.py +++ b/nss/automation/release/nss-release-helper.py @@ -303,16 +303,16 @@ def create_nss_release_archive(): check_call_noisy(["mkdir", "-p", nss_stagedir]) check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss", stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"]) - check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path]) + check_call_noisy(["gtar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path]) print("changing to directory " + nss_stagedir) os.chdir(nss_stagedir) - check_call_noisy(["tar", "-xz", "-f", nss_tar]) + check_call_noisy(["gtar", "-xz", "-f", nss_tar]) check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"]) check_call_noisy(["rmdir", "nspr-" + nsprrel]) nss_nspr_tar = "nss-" + nssrel + "-with-nspr-" + nsprrel + ".tar.gz" - check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel]) + check_call_noisy(["gtar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel]) check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True) check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True) print("created directory " + nss_stagedir + " with files:") diff --git a/nss/automation/taskcluster/docker-aarch64/Dockerfile b/nss/automation/taskcluster/docker-aarch64/Dockerfile deleted file mode 100644 index aca173cd..00000000 --- a/nss/automation/taskcluster/docker-aarch64/Dockerfile +++ /dev/null @@ -1,29 +0,0 @@ -FROM franziskus/xenial:aarch64 -MAINTAINER Franziskus Kiefer - -RUN useradd -d /home/worker -s /bin/bash -m worker -WORKDIR /home/worker - -# Add build and test scripts. -ADD bin /home/worker/bin -RUN chmod +x /home/worker/bin/* - -# Install dependencies. -ADD setup.sh /tmp/setup.sh -RUN bash /tmp/setup.sh - -# Change user. -# USER worker # See bug 1347473. - -# Env variables. -ENV HOME /home/worker -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME worker -ENV LANG en_US.UTF-8 -ENV LC_ALL en_US.UTF-8 -ENV HOST localhost -ENV DOMSUF localdomain - -# Set a default command for debugging. -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh b/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh deleted file mode 100755 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker-aarch64/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-aarch64/setup.sh b/nss/automation/taskcluster/docker-aarch64/setup.sh deleted file mode 100755 index b76514ad..00000000 --- a/nss/automation/taskcluster/docker-aarch64/setup.sh +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -export DEBIAN_FRONTEND=noninteractive - -apt-get -y update -apt-get -y install software-properties-common - -# Add more repos -add-apt-repository "deb http://ports.ubuntu.com/ xenial main restricted universe multiverse" -add-apt-repository "deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse" -add-apt-repository "deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse" -add-apt-repository "deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse" - -# Update. -apt-get -y update -apt-get -y dist-upgrade - -apt_packages=() -apt_packages+=('build-essential') -apt_packages+=('ca-certificates') -apt_packages+=('curl') -apt_packages+=('libxml2-utils') -apt_packages+=('zlib1g-dev') -apt_packages+=('ninja-build') -apt_packages+=('gyp') -apt_packages+=('mercurial') -apt_packages+=('locales') - -# Install packages. -apt-get install -y --no-install-recommends ${apt_packages[@]} - -locale-gen en_US.UTF-8 -dpkg-reconfigure locales - -# Cleanup. -rm -rf ~/.ccache ~/.cache -apt-get autoremove -y -apt-get clean -apt-get autoclean -rm $0 diff --git a/nss/automation/taskcluster/docker-acvp/bin/checkout.sh b/nss/automation/taskcluster/docker-acvp/bin/checkout.sh deleted file mode 100755 index 4862a397..00000000 --- a/nss/automation/taskcluster/docker-acvp/bin/checkout.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -hg clone -r $REVISION $REPOSITORY nss - -# Clone NSPR if needed. -hg clone -r default https://hg.mozilla.org/projects/nspr - -pushd nspr -hg revert --all -if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then - cat ../nss/nspr.patch | patch -p1 -fi -popd - diff --git a/nss/automation/taskcluster/docker-arm/Dockerfile b/nss/automation/taskcluster/docker-arm/Dockerfile deleted file mode 100644 index 5b8cfca2..00000000 --- a/nss/automation/taskcluster/docker-arm/Dockerfile +++ /dev/null @@ -1,26 +0,0 @@ -FROM armv7/armhf-ubuntu:16.04 -MAINTAINER Franziskus Kiefer - -RUN useradd -d /home/worker -s /bin/bash -m worker -WORKDIR /home/worker - -# Add build and test scripts. -ADD bin /home/worker/bin -RUN chmod +x /home/worker/bin/* - -# Install dependencies. -ADD setup.sh /tmp/setup.sh -RUN bash /tmp/setup.sh - -# Env variables. -ENV HOME /home/worker -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME worker -ENV LANG en_US.UTF-8 -ENV LC_ALL en_US.UTF-8 -ENV HOST localhost -ENV DOMSUF localdomain - -# Set a default command for debugging. -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-arm/bin/checkout.sh b/nss/automation/taskcluster/docker-arm/bin/checkout.sh deleted file mode 100755 index 4b891289..00000000 --- a/nss/automation/taskcluster/docker-arm/bin/checkout.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # set up fake uname - if [ ! -f /bin/uname-real ]; then - mv /bin/uname /bin/uname-real - ln -s /home/worker/bin/uname.sh /bin/uname - fi - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-arm/bin/uname.sh b/nss/automation/taskcluster/docker-arm/bin/uname.sh deleted file mode 100755 index 61ad13c3..00000000 --- a/nss/automation/taskcluster/docker-arm/bin/uname.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash -args=`getopt rmvs $*` -set -- $args -for i -do - if [ "$i" == "-v" ]; then - /bin/uname-real -v - fi - if [ "$i" == "-r" ]; then - echo "4.4.16-v7+" - fi - if [ "$i" == "-m" ]; then - echo "armv7l" - fi - if [ "$i" == "-s" ]; then - echo "Linux" - fi -done \ No newline at end of file diff --git a/nss/automation/taskcluster/docker-arm/setup.sh b/nss/automation/taskcluster/docker-arm/setup.sh deleted file mode 100755 index 78c63925..00000000 --- a/nss/automation/taskcluster/docker-arm/setup.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -export DEBIAN_FRONTEND=noninteractive - -# Update. -apt-get -y update -apt-get -y dist-upgrade - -apt_packages=() -apt_packages+=('build-essential') -apt_packages+=('ca-certificates') -apt_packages+=('curl') -apt_packages+=('locales') -apt_packages+=('python-dev') -apt_packages+=('python-pip') -apt_packages+=('python-setuptools') -apt_packages+=('zlib1g-dev') - -# Install packages. -apt-get install -y --no-install-recommends ${apt_packages[@]} - -# Latest Mercurial. -pip install --upgrade pip -pip install Mercurial - -locale-gen en_US.UTF-8 -dpkg-reconfigure locales - -# Cleanup. -rm -rf ~/.ccache ~/.cache -apt-get autoremove -y -apt-get clean -apt-get autoclean -rm $0 diff --git a/nss/automation/taskcluster/docker-builds/bin/checkout.sh b/nss/automation/taskcluster/docker-builds/bin/checkout.sh deleted file mode 100644 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker-builds/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh b/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh deleted file mode 100644 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker-clang-format/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-decision/Dockerfile b/nss/automation/taskcluster/docker-decision/Dockerfile deleted file mode 100644 index 091426e0..00000000 --- a/nss/automation/taskcluster/docker-decision/Dockerfile +++ /dev/null @@ -1,38 +0,0 @@ -# Minimal image for running the decision task. -FROM ubuntu:bionic-20221215 -LABEL maintainer="Martin Thomson " - -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - ca-certificates \ - curl \ - locales \ - mercurial \ - nodejs \ - npm \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get autoremove -y && apt-get clean -y - -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME $USER -ENV HOME /home/$USER -ENV LANG en_US.UTF-8 -ENV LC_ALL $LANG -ENV HOST localhost -ENV DOMSUF localdomain - -RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales - -RUN useradd -d $HOME -s $SHELL -m $USER -WORKDIR $HOME - -# Add build and test scripts. -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER - -# Set a default command for debugging. -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-decision/bin/checkout.sh b/nss/automation/taskcluster/docker-decision/bin/checkout.sh deleted file mode 100644 index 0cdd2ac4..00000000 --- a/nss/automation/taskcluster/docker-decision/bin/checkout.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh b/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh deleted file mode 100644 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker-fuzz/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile b/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile deleted file mode 100644 index 866e8066..00000000 --- a/nss/automation/taskcluster/docker-gcc-4.4/Dockerfile +++ /dev/null @@ -1,41 +0,0 @@ -FROM ubuntu:14.04 -LABEL maintainer="Martin Thomson " - -RUN dpkg --add-architecture i386 -RUN apt-get update \ - && apt-get install -y --no-install-recommends \ - ca-certificates \ - g++-4.4 \ - gcc-4.4 \ - locales \ - make \ - patch \ - mercurial \ - sqlite3 \ - zlib1g-dev \ - && rm -rf /var/lib/apt/lists/* \ - && apt-get autoremove -y && apt-get clean -y - -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME $USER -ENV HOME /home/$USER -ENV LANG en_US.UTF-8 -ENV LC_ALL $LANG -ENV HOST localhost -ENV DOMSUF localdomain - -RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales - -RUN useradd -d $HOME -s $SHELL -m $USER -WORKDIR $HOME - -# Add build and test scripts. -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER - -# Set a default command for debugging. -CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-gcc-4.4/bin/checkout.sh b/nss/automation/taskcluster/docker-gcc-4.4/bin/checkout.sh deleted file mode 100644 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker-gcc-4.4/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/docker/bin/checkout.sh b/nss/automation/taskcluster/docker/bin/checkout.sh deleted file mode 100644 index 9167f6bd..00000000 --- a/nss/automation/taskcluster/docker/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/nss/automation/taskcluster/graph/npm-shrinkwrap.json b/nss/automation/taskcluster/graph/npm-shrinkwrap.json deleted file mode 100644 index 70718432..00000000 --- a/nss/automation/taskcluster/graph/npm-shrinkwrap.json +++ /dev/null @@ -1,2963 +0,0 @@ -{ - "name": "decision-task", - "version": "0.0.1", - "lockfileVersion": 1, - "requires": true, - "dependencies": { - "ansi-regex": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.0.0.tgz", - "integrity": "sha1-xQYbbg74qBd15Q9dZhUb9r83EQc=" - }, - "ansi-styles": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-2.2.1.tgz", - "integrity": "sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=" - }, - "anymatch": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-1.3.0.tgz", - "integrity": "sha1-o+Uvo5FoyCX/V7AkgSbOWo/5VQc=", - "optional": true, - "requires": { - "arrify": "1.0.1", - "micromatch": "2.3.11" - } - }, - "argparse": { - "version": "1.0.9", - "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.9.tgz", - "integrity": "sha1-c9g7wmP4bpf4zE9rrhsOkKfSLIY=", - "requires": { - "sprintf-js": "1.0.3" - } - }, - "arr-diff": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/arr-diff/-/arr-diff-2.0.0.tgz", - "integrity": "sha1-jzuCf5Vai9ZpaX5KQlasPOrjVs8=", - "optional": true, - "requires": { - "arr-flatten": "1.0.1" - } - }, - "arr-flatten": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/arr-flatten/-/arr-flatten-1.0.1.tgz", - "integrity": "sha1-5f/lTUXhnzLyFukeuZyM6JK7YEs=", - "optional": true - }, - "array-find-index": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/array-find-index/-/array-find-index-1.0.2.tgz", - "integrity": "sha1-3wEKoSh+Fku9pvlyOwqWoexBh6E=" - }, - "array-uniq": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz", - "integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=" - }, - "array-unique": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/array-unique/-/array-unique-0.2.1.tgz", - "integrity": "sha1-odl8yvy8JiXMcPrc6zalDFiwGlM=", - "optional": true - }, - "arrify": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/arrify/-/arrify-1.0.1.tgz", - "integrity": "sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=", - "optional": true - }, - "asn1": { - "version": "0.2.3", - "resolved": "https://registry.npmjs.org/asn1/-/asn1-0.2.3.tgz", - "integrity": "sha1-2sh4dxPJlmhJ/IGAd36+nB3fO4Y=" - }, - "assert-plus": { - "version": "0.2.0", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-0.2.0.tgz", - "integrity": "sha1-104bh+ev/A24qttwIfP+SBAasjQ=" - }, - "async": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/async/-/async-2.1.1.tgz", - "integrity": "sha1-4RttEAQ/IlTvthohFj2EDM3bjSg=", - "requires": { - "lodash": "4.16.4" - } - }, - "async-each": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/async-each/-/async-each-1.0.1.tgz", - "integrity": "sha1-GdOGodntxufByF04iu28xW0zYC0=", - "optional": true - }, - "asynckit": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz", - "integrity": "sha1-x57Zf380y48robyXkLzDZkdLS3k=" - }, - "aws-sign2": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.6.0.tgz", - "integrity": "sha1-FDQt0428yU0OW4fXY81jYSwOeU8=" - }, - "aws4": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/aws4/-/aws4-1.5.0.tgz", - "integrity": "sha1-Cin/t5wxyecS7rCH6OemS0pW11U=" - }, - "b64": { - "version": "4.1.2", - "resolved": "https://registry.npmjs.org/b64/-/b64-4.1.2.tgz", - "integrity": "sha512-+GUspBxlH3CJaxMUGUE1EBoWM6RKgWiYwUDal0qdf8m3ArnXNN1KzKVo5HOnE/FSq4HHyWf3TlHLsZI8PKQgrQ==", - "requires": { - "hoek": "6.1.3" - }, - "dependencies": { - "hoek": { - "version": "6.1.3", - "resolved": "https://registry.npmjs.org/hoek/-/hoek-6.1.3.tgz", - "integrity": "sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==" - } - } - }, - "babel-cli": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-cli/-/babel-cli-6.16.0.tgz", - "integrity": "sha1-Tg0c9ARC73gzD3/viOs6ChsWvTc=", - "requires": { - "babel-core": "6.17.0", - "babel-polyfill": "6.16.0", - "babel-register": "6.16.3", - "babel-runtime": "6.11.6", - "bin-version-check": "2.1.0", - "chalk": "1.1.1", - "chokidar": "1.6.0", - "commander": "2.9.0", - "convert-source-map": "1.3.0", - "fs-readdir-recursive": "0.1.2", - "glob": "5.0.15", - "lodash": "4.16.4", - "log-symbols": "1.0.2", - "output-file-sync": "1.1.2", - "path-exists": "1.0.0", - "path-is-absolute": "1.0.1", - "request": "2.75.0", - "slash": "1.0.0", - "source-map": "0.5.6", - "v8flags": "2.0.11" - } - }, - "babel-code-frame": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.16.0.tgz", - "integrity": "sha1-+Q5g2ghikJ084JhzO105h8l8uN4=", - "requires": { - "chalk": "1.1.1", - "esutils": "2.0.2", - "js-tokens": "2.0.0" - } - }, - "babel-compile": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/babel-compile/-/babel-compile-2.0.0.tgz", - "integrity": "sha1-JwRg2Fzah1iqXGMWWzZaa8RMmXY=", - "requires": { - "babel-core": "6.17.0", - "commander": "2.9.0", - "fs-walk": "0.0.1", - "lodash": "4.16.4", - "mkdirp": "0.5.1", - "rimraf": "2.5.4" - } - }, - "babel-core": { - "version": "6.17.0", - "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-6.17.0.tgz", - "integrity": "sha1-bEV2RH30eeJB5YyAfkvH2k239CU=", - "requires": { - "babel-code-frame": "6.16.0", - "babel-generator": "6.17.0", - "babel-helpers": "6.16.0", - "babel-messages": "6.8.0", - "babel-register": "6.16.3", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0", - "babylon": "6.11.6", - "convert-source-map": "1.3.0", - "debug": "2.2.0", - "json5": "0.4.0", - "lodash": "4.16.4", - "minimatch": "3.0.3", - "path-exists": "1.0.0", - "path-is-absolute": "1.0.1", - "private": "0.1.6", - "shebang-regex": "1.0.0", - "slash": "1.0.0", - "source-map": "0.5.6" - } - }, - "babel-generator": { - "version": "6.17.0", - "resolved": "https://registry.npmjs.org/babel-generator/-/babel-generator-6.17.0.tgz", - "integrity": "sha1-uJTjgIvu94APJVBjW/4CS2ImzzM=", - "requires": { - "babel-messages": "6.8.0", - "babel-runtime": "6.11.6", - "babel-types": "6.16.0", - "detect-indent": "3.0.1", - "jsesc": "1.3.0", - "lodash": "4.16.4", - "source-map": "0.5.6" - } - }, - "babel-helper-call-delegate": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-helper-call-delegate/-/babel-helper-call-delegate-6.8.0.tgz", - "integrity": "sha1-nSg+dIZ3m2sEgYZKEbNx6lwB+mQ=", - "requires": { - "babel-helper-hoist-variables": "6.8.0", - "babel-runtime": "6.11.6", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-helper-define-map": { - "version": "6.9.0", - "resolved": "https://registry.npmjs.org/babel-helper-define-map/-/babel-helper-define-map-6.9.0.tgz", - "integrity": "sha1-Zin5sqfljhjoN5pX0eb7spaZAvs=", - "requires": { - "babel-helper-function-name": "6.8.0", - "babel-runtime": "6.11.6", - "babel-types": "6.16.0", - "lodash": "4.16.4" - } - }, - "babel-helper-function-name": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-helper-function-name/-/babel-helper-function-name-6.8.0.tgz", - "integrity": "sha1-oDNroUUmoHXN9QL8UtP+hLEvejQ=", - "requires": { - "babel-helper-get-function-arity": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-helper-get-function-arity": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-helper-get-function-arity/-/babel-helper-get-function-arity-6.8.0.tgz", - "integrity": "sha1-iCdsJL0lHN9vYbb4n3RfSGztkq8=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-helper-hoist-variables": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-helper-hoist-variables/-/babel-helper-hoist-variables-6.8.0.tgz", - "integrity": "sha1-iwdm3AJuqepCO8KzTmZaTac3Oq8=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-helper-optimise-call-expression": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-helper-optimise-call-expression/-/babel-helper-optimise-call-expression-6.8.0.tgz", - "integrity": "sha1-QXVijpyJ/DYXSQTycHDynThWfwY=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-helper-regex": { - "version": "6.9.0", - "resolved": "https://registry.npmjs.org/babel-helper-regex/-/babel-helper-regex-6.9.0.tgz", - "integrity": "sha1-x0Jl/eGA/5oWc1/uBeY8rbngsFc=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0", - "lodash": "4.16.4" - } - }, - "babel-helper-remap-async-to-generator": { - "version": "6.16.2", - "resolved": "https://registry.npmjs.org/babel-helper-remap-async-to-generator/-/babel-helper-remap-async-to-generator-6.16.2.tgz", - "integrity": "sha1-JDFb3oMmxgAi3AU8zoTP441yS4I=", - "requires": { - "babel-helper-function-name": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-helper-replace-supers": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-helper-replace-supers/-/babel-helper-replace-supers-6.16.0.tgz", - "integrity": "sha1-Icl2I8x+QwhVdT8lJ0ASJiajnms=", - "requires": { - "babel-helper-optimise-call-expression": "6.8.0", - "babel-messages": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-helpers": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-helpers/-/babel-helpers-6.16.0.tgz", - "integrity": "sha1-EJXsENmSeUYFU+Z+s+7plz04Z+M=", - "requires": { - "babel-runtime": "6.11.6", - "babel-template": "6.16.0" - } - }, - "babel-messages": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-messages/-/babel-messages-6.8.0.tgz", - "integrity": "sha1-v1BHNsqWfm1l7wrbWipflHyODrk=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-check-es2015-constants": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-check-es2015-constants/-/babel-plugin-check-es2015-constants-6.8.0.tgz", - "integrity": "sha1-2/Akwy7Te/2o3uHnbaAjhqjSb+c=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-syntax-async-functions": { - "version": "6.13.0", - "resolved": "https://registry.npmjs.org/babel-plugin-syntax-async-functions/-/babel-plugin-syntax-async-functions-6.13.0.tgz", - "integrity": "sha1-ytnK0RkbWtY0vzCuCHI5HgZHvpU=" - }, - "babel-plugin-transform-async-to-generator": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-async-to-generator/-/babel-plugin-transform-async-to-generator-6.16.0.tgz", - "integrity": "sha1-Gew2yxSGtZ+fRorfpCzhOQjKKZk=", - "requires": { - "babel-helper-remap-async-to-generator": "6.16.2", - "babel-plugin-syntax-async-functions": "6.13.0", - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-arrow-functions": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-arrow-functions/-/babel-plugin-transform-es2015-arrow-functions-6.8.0.tgz", - "integrity": "sha1-W2Ovwxgb3JqMTUgbWk8/fX/vPZ0=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-block-scoped-functions": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoped-functions/-/babel-plugin-transform-es2015-block-scoped-functions-6.8.0.tgz", - "integrity": "sha1-7ZXWKcS1pxriloK5mPcNmDPrNm0=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-block-scoping": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-block-scoping/-/babel-plugin-transform-es2015-block-scoping-6.15.0.tgz", - "integrity": "sha1-W0Q8oUK+jR22qMKuQvUZWLZrcPY=", - "requires": { - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0", - "lodash": "4.16.4" - } - }, - "babel-plugin-transform-es2015-classes": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-classes/-/babel-plugin-transform-es2015-classes-6.14.0.tgz", - "integrity": "sha1-h9UUnukftHWSJAn5r1srpdHjkoc=", - "requires": { - "babel-helper-define-map": "6.9.0", - "babel-helper-function-name": "6.8.0", - "babel-helper-optimise-call-expression": "6.8.0", - "babel-helper-replace-supers": "6.16.0", - "babel-messages": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-computed-properties": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-computed-properties/-/babel-plugin-transform-es2015-computed-properties-6.8.0.tgz", - "integrity": "sha1-9RAQ/WGzvXtrYKX9/TB7t6UnmHA=", - "requires": { - "babel-helper-define-map": "6.9.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0" - } - }, - "babel-plugin-transform-es2015-destructuring": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-destructuring/-/babel-plugin-transform-es2015-destructuring-6.16.0.tgz", - "integrity": "sha1-BQ/ghm9dU7NgYu4QzfW/5k+Slic=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-duplicate-keys": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-duplicate-keys/-/babel-plugin-transform-es2015-duplicate-keys-6.8.0.tgz", - "integrity": "sha1-/Y9/cXH8EIzBxwwxZLnxWoHCX30=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-for-of": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-for-of/-/babel-plugin-transform-es2015-for-of-6.8.0.tgz", - "integrity": "sha1-gu2hObpCcN2hNcPsGx8oE/pi8jw=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-function-name": { - "version": "6.9.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-function-name/-/babel-plugin-transform-es2015-function-name-6.9.0.tgz", - "integrity": "sha1-jBNbF9vQZOW7pW7FEbqu4vyoJxk=", - "requires": { - "babel-helper-function-name": "6.8.0", - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-literals": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-literals/-/babel-plugin-transform-es2015-literals-6.8.0.tgz", - "integrity": "sha1-UKouXHlY/CqyXXTsEX4MyY8EZGg=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-modules-amd": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-amd/-/babel-plugin-transform-es2015-modules-amd-6.8.0.tgz", - "integrity": "sha1-JdlUqgvwQDH8RtKo5iMLsau95KM=", - "requires": { - "babel-plugin-transform-es2015-modules-commonjs": "6.16.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0" - } - }, - "babel-plugin-transform-es2015-modules-commonjs": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-commonjs/-/babel-plugin-transform-es2015-modules-commonjs-6.16.0.tgz", - "integrity": "sha1-CjS0R7yIrRpwmIttGZzKbQuWyJI=", - "requires": { - "babel-plugin-transform-strict-mode": "6.11.3", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-modules-systemjs": { - "version": "6.14.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-systemjs/-/babel-plugin-transform-es2015-modules-systemjs-6.14.0.tgz", - "integrity": "sha1-xRm1xz4yOI5nnJse30Gy/CPcMwM=", - "requires": { - "babel-helper-hoist-variables": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0" - } - }, - "babel-plugin-transform-es2015-modules-umd": { - "version": "6.12.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-modules-umd/-/babel-plugin-transform-es2015-modules-umd-6.12.0.tgz", - "integrity": "sha1-XXNVnrSSZnde0oHEC+iKQhvTcaM=", - "requires": { - "babel-plugin-transform-es2015-modules-amd": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0" - } - }, - "babel-plugin-transform-es2015-object-super": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-object-super/-/babel-plugin-transform-es2015-object-super-6.8.0.tgz", - "integrity": "sha1-G4WHQKWkQAiHwj3P9vTVbupKJMU=", - "requires": { - "babel-helper-replace-supers": "6.16.0", - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-parameters": { - "version": "6.17.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-parameters/-/babel-plugin-transform-es2015-parameters-6.17.0.tgz", - "integrity": "sha1-4G0wzviX9GrbRzRwe74Sig1CfVg=", - "requires": { - "babel-helper-call-delegate": "6.8.0", - "babel-helper-get-function-arity": "6.8.0", - "babel-runtime": "6.11.6", - "babel-template": "6.16.0", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-shorthand-properties": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-shorthand-properties/-/babel-plugin-transform-es2015-shorthand-properties-6.8.0.tgz", - "integrity": "sha1-8KTF/UcWMKzzM8LZnD1ne/CVIUk=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-spread": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-spread/-/babel-plugin-transform-es2015-spread-6.8.0.tgz", - "integrity": "sha1-Ahf3N+O4IfpaZp8YfG7VkgXwXpw=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-sticky-regex": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-sticky-regex/-/babel-plugin-transform-es2015-sticky-regex-6.8.0.tgz", - "integrity": "sha1-5z0wCkQKNdXGT1wqNE3CNuPfR74=", - "requires": { - "babel-helper-regex": "6.9.0", - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-plugin-transform-es2015-template-literals": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-template-literals/-/babel-plugin-transform-es2015-template-literals-6.8.0.tgz", - "integrity": "sha1-huuHbQosY12k7ASLT33p38iX5ms=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-typeof-symbol": { - "version": "6.8.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-typeof-symbol/-/babel-plugin-transform-es2015-typeof-symbol-6.8.0.tgz", - "integrity": "sha1-hMKesSGTckgJVaAg/vemXETzBTM=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-es2015-unicode-regex": { - "version": "6.11.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-es2015-unicode-regex/-/babel-plugin-transform-es2015-unicode-regex-6.11.0.tgz", - "integrity": "sha1-YpjOq6rYjVCj9POS2N6ZcmD27yw=", - "requires": { - "babel-helper-regex": "6.9.0", - "babel-runtime": "6.11.6", - "regexpu-core": "2.0.0" - } - }, - "babel-plugin-transform-regenerator": { - "version": "6.16.1", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-regenerator/-/babel-plugin-transform-regenerator-6.16.1.tgz", - "integrity": "sha1-p13msEihQVSq4UsBInVsW+05L1k=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0", - "private": "0.1.6" - } - }, - "babel-plugin-transform-runtime": { - "version": "6.15.0", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-runtime/-/babel-plugin-transform-runtime-6.15.0.tgz", - "integrity": "sha1-PXW02Umtga8VdXAnOEb7Wa6w1Xw=", - "requires": { - "babel-runtime": "6.11.6" - } - }, - "babel-plugin-transform-strict-mode": { - "version": "6.11.3", - "resolved": "https://registry.npmjs.org/babel-plugin-transform-strict-mode/-/babel-plugin-transform-strict-mode-6.11.3.tgz", - "integrity": "sha1-GDdBMlEmvH7Jz0wPwlfT58pa/UA=", - "requires": { - "babel-runtime": "6.11.6", - "babel-types": "6.16.0" - } - }, - "babel-polyfill": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-polyfill/-/babel-polyfill-6.16.0.tgz", - "integrity": "sha1-LUUCHfh+JqN0ttTRqcZZZNF/JCI=", - "requires": { - "babel-runtime": "6.11.6", - "core-js": "2.4.1", - "regenerator-runtime": "0.9.5" - } - }, - "babel-preset-es2015": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-preset-es2015/-/babel-preset-es2015-6.16.0.tgz", - "integrity": "sha1-Wazs0e++uvSPiUBIQPL+eMTSrVw=", - "requires": { - "babel-plugin-check-es2015-constants": "6.8.0", - "babel-plugin-transform-es2015-arrow-functions": "6.8.0", - "babel-plugin-transform-es2015-block-scoped-functions": "6.8.0", - "babel-plugin-transform-es2015-block-scoping": "6.15.0", - "babel-plugin-transform-es2015-classes": "6.14.0", - "babel-plugin-transform-es2015-computed-properties": "6.8.0", - "babel-plugin-transform-es2015-destructuring": "6.16.0", - "babel-plugin-transform-es2015-duplicate-keys": "6.8.0", - "babel-plugin-transform-es2015-for-of": "6.8.0", - "babel-plugin-transform-es2015-function-name": "6.9.0", - "babel-plugin-transform-es2015-literals": "6.8.0", - "babel-plugin-transform-es2015-modules-amd": "6.8.0", - "babel-plugin-transform-es2015-modules-commonjs": "6.16.0", - "babel-plugin-transform-es2015-modules-systemjs": "6.14.0", - "babel-plugin-transform-es2015-modules-umd": "6.12.0", - "babel-plugin-transform-es2015-object-super": "6.8.0", - "babel-plugin-transform-es2015-parameters": "6.17.0", - "babel-plugin-transform-es2015-shorthand-properties": "6.8.0", - "babel-plugin-transform-es2015-spread": "6.8.0", - "babel-plugin-transform-es2015-sticky-regex": "6.8.0", - "babel-plugin-transform-es2015-template-literals": "6.8.0", - "babel-plugin-transform-es2015-typeof-symbol": "6.8.0", - "babel-plugin-transform-es2015-unicode-regex": "6.11.0", - "babel-plugin-transform-regenerator": "6.16.1" - } - }, - "babel-preset-taskcluster": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/babel-preset-taskcluster/-/babel-preset-taskcluster-3.0.0.tgz", - "integrity": "sha1-QEfdaJJzFmGkjgRVHMBazTp3TFc=", - "requires": { - "babel-plugin-syntax-async-functions": "6.13.0", - "babel-plugin-transform-async-to-generator": "6.16.0", - "babel-plugin-transform-runtime": "6.15.0", - "babel-plugin-transform-strict-mode": "6.11.3", - "babel-preset-es2015": "6.16.0", - "babel-runtime": "6.11.6" - } - }, - "babel-register": { - "version": "6.16.3", - "resolved": "https://registry.npmjs.org/babel-register/-/babel-register-6.16.3.tgz", - "integrity": "sha1-ewwMp7/euRiLpMJ+X8t1maSXxiQ=", - "requires": { - "babel-core": "6.17.0", - "babel-runtime": "6.11.6", - "core-js": "2.4.1", - "home-or-tmp": "1.0.0", - "lodash": "4.16.4", - "mkdirp": "0.5.1", - "path-exists": "1.0.0", - "source-map-support": "0.4.3" - } - }, - "babel-runtime": { - "version": "6.11.6", - "resolved": "https://registry.npmjs.org/babel-runtime/-/babel-runtime-6.11.6.tgz", - "integrity": "sha1-bbcH/vLUnEm/o8tk79tDa1GLgiI=", - "requires": { - "core-js": "2.4.1", - "regenerator-runtime": "0.9.5" - } - }, - "babel-template": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-template/-/babel-template-6.16.0.tgz", - "integrity": "sha1-4UndGp8Do1+BfdvE0EgZiOfryMo=", - "requires": { - "babel-runtime": "6.11.6", - "babel-traverse": "6.16.0", - "babel-types": "6.16.0", - "babylon": "6.11.6", - "lodash": "4.16.4" - } - }, - "babel-traverse": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.16.0.tgz", - "integrity": "sha1-+6ha4f1NEH3pzgAxScxX9TvvDE8=", - "requires": { - "babel-code-frame": "6.16.0", - "babel-messages": "6.8.0", - "babel-runtime": "6.11.6", - "babel-types": "6.16.0", - "babylon": "6.11.6", - "debug": "2.2.0", - "globals": "8.18.0", - "invariant": "2.2.1", - "lodash": "4.16.4" - } - }, - "babel-types": { - "version": "6.16.0", - "resolved": "https://registry.npmjs.org/babel-types/-/babel-types-6.16.0.tgz", - "integrity": "sha1-ccyh2+Uzd2YiXFwZMHHo68vP/P4=", - "requires": { - "babel-runtime": "6.11.6", - "esutils": "2.0.2", - "lodash": "4.16.4", - "to-fast-properties": "1.0.2" - } - }, - "babylon": { - "version": "6.11.6", - "resolved": "https://registry.npmjs.org/babylon/-/babylon-6.11.6.tgz", - "integrity": "sha1-VtxS5iSIKEHH/glSV/vLSlu2GuE=" - }, - "balanced-match": { - "version": "0.4.2", - "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-0.4.2.tgz", - "integrity": "sha1-yz8+PHMtwPAe5wtAPzAuYddwmDg=" - }, - "bcrypt-pbkdf": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.0.tgz", - "integrity": "sha1-PKdrhSQccXC/fZcD57mqdGMAQNQ=", - "optional": true, - "requires": { - "tweetnacl": "0.14.3" - } - }, - "bin-version": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/bin-version/-/bin-version-1.0.4.tgz", - "integrity": "sha1-nrSY7m/Xb3q5p8FgQ2+JV5Q1144=", - "requires": { - "find-versions": "1.2.1" - } - }, - "bin-version-check": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/bin-version-check/-/bin-version-check-2.1.0.tgz", - "integrity": "sha1-5OXfKQuQaffRETJAMe/BP90RpbA=", - "requires": { - "bin-version": "1.0.4", - "minimist": "1.2.0", - "semver": "4.3.6", - "semver-truncate": "1.1.2" - } - }, - "binary-extensions": { - "version": "1.7.0", - "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-1.7.0.tgz", - "integrity": "sha1-bBYQ2xY6v7NO3+QvpCM0Oh4BGF0=", - "optional": true - }, - "bl": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/bl/-/bl-1.1.2.tgz", - "integrity": "sha1-/cqHGplxOqANGeO7ukHER4emU5g=", - "requires": { - "readable-stream": "2.0.6" - }, - "dependencies": { - "readable-stream": { - "version": "2.0.6", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.0.6.tgz", - "integrity": "sha1-j5A0HmilPMySh4jaz80Rs265t44=", - "requires": { - "core-util-is": "1.0.2", - "inherits": "2.0.3", - "isarray": "1.0.0", - "process-nextick-args": "1.0.7", - "string_decoder": "0.10.31", - "util-deprecate": "1.0.2" - } - } - } - }, - "boom": { - "version": "2.10.1", - "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz", - "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=", - "requires": { - "hoek": "2.16.3" - } - }, - "bounce": { - "version": "1.2.3", - "resolved": "https://registry.npmjs.org/bounce/-/bounce-1.2.3.tgz", - "integrity": "sha512-3G7B8CyBnip5EahCZJjnvQ1HLyArC6P5e+xcolo13BVI9ogFaDOsNMAE7FIWliHtIkYI8/nTRCvCY9tZa3Mu4g==", - "requires": { - "boom": "7.3.0", - "hoek": "6.1.3" - }, - "dependencies": { - "boom": { - "version": "7.3.0", - "resolved": "https://registry.npmjs.org/boom/-/boom-7.3.0.tgz", - "integrity": "sha512-Swpoyi2t5+GhOEGw8rEsKvTxFLIDiiKoUc2gsoV6Lyr43LHBIzch3k2MvYUs8RTROrIkVJ3Al0TkaOGjnb+B6A==", - "requires": { - "hoek": "6.1.3" - } - }, - "hoek": { - "version": "6.1.3", - "resolved": "https://registry.npmjs.org/hoek/-/hoek-6.1.3.tgz", - "integrity": "sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==" - } - } - }, - "brace-expansion": { - "version": "1.1.6", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz", - "integrity": "sha1-cZfX6qm4fmSDkOph/GbIRCdCDfk=", - "requires": { - "balanced-match": "0.4.2", - "concat-map": "0.0.1" - } - }, - "braces": { - "version": "1.8.5", - "resolved": "https://registry.npmjs.org/braces/-/braces-1.8.5.tgz", - "integrity": "sha1-uneWLhLf+WnWt2cR6RS3N4V79qc=", - "optional": true, - "requires": { - "expand-range": "1.8.2", - "preserve": "0.2.0", - "repeat-element": "1.1.2" - } - }, - "buffer-shims": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/buffer-shims/-/buffer-shims-1.0.0.tgz", - "integrity": "sha1-mXjOMXOIxkmth5MCjDR37wRKi1E=", - "optional": true - }, - "builtin-modules": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/builtin-modules/-/builtin-modules-1.1.1.tgz", - "integrity": "sha1-Jw8HbFpywC9bZaR9+Uxf46J4iS8=" - }, - "camelcase": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-2.1.1.tgz", - "integrity": "sha1-fB0W1nmhu+WcoCys7PsBHiAfWh8=" - }, - "camelcase-keys": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/camelcase-keys/-/camelcase-keys-2.1.0.tgz", - "integrity": "sha1-MIvur/3ygRkFHvodkyITyRuPkuc=", - "requires": { - "camelcase": "2.1.1", - "map-obj": "1.0.1" - } - }, - "caseless": { - "version": "0.11.0", - "resolved": "https://registry.npmjs.org/caseless/-/caseless-0.11.0.tgz", - "integrity": "sha1-cVuW6phBWTzDMGeSP17GDr2k99c=" - }, - "chalk": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.1.1.tgz", - "integrity": "sha1-UJr7ZwZudJn36zU1x3RFdyri0Bk=", - "requires": { - "ansi-styles": "2.2.1", - "escape-string-regexp": "1.0.5", - "has-ansi": "2.0.0", - "strip-ansi": "3.0.1", - "supports-color": "2.0.0" - } - }, - "chokidar": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-1.6.0.tgz", - "integrity": "sha1-kMMq1IApAddxPeUy3ChOlqY60Fg=", - "optional": true, - "requires": { - "anymatch": "1.3.0", - "async-each": "1.0.1", - "fsevents": "1.2.7", - "glob-parent": "2.0.0", - "inherits": "2.0.3", - "is-binary-path": "1.0.1", - "is-glob": "2.0.1", - "path-is-absolute": "1.0.1", - "readdirp": "2.1.0" - } - }, - "combined-stream": { - "version": "1.0.5", - "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.5.tgz", - "integrity": "sha1-k4NwpXtKUd6ix3wV1cX9+JUWQAk=", - "requires": { - "delayed-stream": "1.0.0" - } - }, - "commander": { - "version": "2.9.0", - "resolved": "https://registry.npmjs.org/commander/-/commander-2.9.0.tgz", - "integrity": "sha1-nJkJQXbhIkDLItbFFGCYQA/g99Q=", - "requires": { - "graceful-readlink": "1.0.1" - } - }, - "component-emitter": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/component-emitter/-/component-emitter-1.3.0.tgz", - "integrity": "sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==" - }, - "concat-map": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", - "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=" - }, - "convert-source-map": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-1.3.0.tgz", - "integrity": "sha1-6fPpxuJyjvwmdmlqcOs4L3MQamc=" - }, - "cookiejar": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.2.tgz", - "integrity": "sha512-Mw+adcfzPxcPeI+0WlvRrr/3lGVO0bD75SxX6811cxSh1Wbxx7xZBGK1eVtDf6si8rg2lhnUjsVLMFMfbRIuwA==" - }, - "core-js": { - "version": "2.4.1", - "resolved": "https://registry.npmjs.org/core-js/-/core-js-2.4.1.tgz", - "integrity": "sha1-TekR5mew6ukSTjQlS1OupvxhjT4=" - }, - "core-util-is": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz", - "integrity": "sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=" - }, - "cryptiles": { - "version": "2.0.5", - "resolved": "https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz", - "integrity": "sha1-O9/s3GCBR8HGcgL6KR59ylnqo7g=", - "requires": { - "boom": "2.10.1" - } - }, - "currently-unhandled": { - "version": "0.4.1", - "resolved": "https://registry.npmjs.org/currently-unhandled/-/currently-unhandled-0.4.1.tgz", - "integrity": "sha1-mI3zP+qxke95mmE2nddsF635V+o=", - "requires": { - "array-find-index": "1.0.2" - } - }, - "dashdash": { - "version": "1.14.0", - "resolved": "https://registry.npmjs.org/dashdash/-/dashdash-1.14.0.tgz", - "integrity": "sha1-KeSGxUGL8PNWA0qZPVFoajPoQUE=", - "requires": { - "assert-plus": "1.0.0" - }, - "dependencies": { - "assert-plus": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", - "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=" - } - } - }, - "debug": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/debug/-/debug-2.2.0.tgz", - "integrity": "sha1-+HBX6ZWxofauaklgZkE3vFbwOdo=", - "requires": { - "ms": "0.7.1" - } - }, - "decamelize": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz", - "integrity": "sha1-9lNNFRSCabIDUue+4m9QH5oZEpA=" - }, - "delayed-stream": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz", - "integrity": "sha1-3zrhmayt+31ECqrgsp4icrJOxhk=" - }, - "detect-indent": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/detect-indent/-/detect-indent-3.0.1.tgz", - "integrity": "sha1-ncXl3bzu+DJXZLlFGwK8bVQIT3U=", - "requires": { - "get-stdin": "4.0.1", - "minimist": "1.2.0", - "repeating": "1.1.3" - } - }, - "ecc-jsbn": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.1.tgz", - "integrity": "sha1-D8c6ntXw1Tw4GTOYUj735UN3dQU=", - "optional": true, - "requires": { - "jsbn": "0.1.0" - } - }, - "error-ex": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/error-ex/-/error-ex-1.3.0.tgz", - "integrity": "sha1-5ntD8+gsluo6WE/+4Ln8MyXYAtk=", - "requires": { - "is-arrayish": "0.2.1" - } - }, - "escape-string-regexp": { - "version": "1.0.5", - "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-1.0.5.tgz", - "integrity": "sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=" - }, - "esprima": { - "version": "2.7.3", - "resolved": "https://registry.npmjs.org/esprima/-/esprima-2.7.3.tgz", - "integrity": "sha1-luO3DVd59q1JzQMmc9HDEnZ7pYE=" - }, - "esutils": { - "version": "2.0.2", - "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.2.tgz", - "integrity": "sha1-Cr9PHKpbyx96nYrMbepPqqBLrJs=" - }, - "expand-brackets": { - "version": "0.1.5", - "resolved": "https://registry.npmjs.org/expand-brackets/-/expand-brackets-0.1.5.tgz", - "integrity": "sha1-3wcoTjQqgHzXM6xa9yQR5YHRF3s=", - "optional": true, - "requires": { - "is-posix-bracket": "0.1.1" - } - }, - "expand-range": { - "version": "1.8.2", - "resolved": "https://registry.npmjs.org/expand-range/-/expand-range-1.8.2.tgz", - "integrity": "sha1-opnv/TNf4nIeuujiV+x5ZE/IUzc=", - "optional": true, - "requires": { - "fill-range": "2.2.3" - } - }, - "extend": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.0.tgz", - "integrity": "sha1-WkdDU7nzNT3dgXbf03uRyDpG8dQ=" - }, - "extglob": { - "version": "0.3.2", - "resolved": "https://registry.npmjs.org/extglob/-/extglob-0.3.2.tgz", - "integrity": "sha1-Lhj/PS9JqydlzskCPwEdqo2DSaE=", - "optional": true, - "requires": { - "is-extglob": "1.0.0" - } - }, - "extsprintf": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/extsprintf/-/extsprintf-1.0.2.tgz", - "integrity": "sha1-4QgOBljjALBilJkMxw4VAiNf1VA=" - }, - "fast-safe-stringify": { - "version": "2.0.7", - "resolved": "https://registry.npmjs.org/fast-safe-stringify/-/fast-safe-stringify-2.0.7.tgz", - "integrity": "sha512-Utm6CdzT+6xsDk2m8S6uL8VHxNwI6Jub+e9NYTcAms28T84pTa25GJQV9j0CY0N1rM8hK4x6grpF2BQf+2qwVA==" - }, - "filename-regex": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/filename-regex/-/filename-regex-2.0.0.tgz", - "integrity": "sha1-mW4+gEebmLmJfxWopYs9CE6SZ3U=", - "optional": true - }, - "fill-range": { - "version": "2.2.3", - "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-2.2.3.tgz", - "integrity": "sha1-ULd9/X5Gm8dJJHCWNpn+eoSFpyM=", - "optional": true, - "requires": { - "is-number": "2.1.0", - "isobject": "2.1.0", - "randomatic": "1.1.5", - "repeat-element": "1.1.2", - "repeat-string": "1.5.4" - } - }, - "find-up": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/find-up/-/find-up-1.1.2.tgz", - "integrity": "sha1-ay6YIrGizgpgq2TWEOzK1TyyTQ8=", - "requires": { - "path-exists": "2.1.0", - "pinkie-promise": "2.0.1" - }, - "dependencies": { - "path-exists": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-2.1.0.tgz", - "integrity": "sha1-D+tsZPD8UY2adU3V77YscCJ2H0s=", - "requires": { - "pinkie-promise": "2.0.1" - } - } - } - }, - "find-versions": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/find-versions/-/find-versions-1.2.1.tgz", - "integrity": "sha1-y96fEuOFdaCvG+G5osXV/Y8Ya2I=", - "requires": { - "array-uniq": "1.0.3", - "get-stdin": "4.0.1", - "meow": "3.7.0", - "semver-regex": "1.0.0" - } - }, - "flatmap": { - "version": "0.0.3", - "resolved": "https://registry.npmjs.org/flatmap/-/flatmap-0.0.3.tgz", - "integrity": "sha1-Hxik2TgVLUlZZfnJWNkjqy3WabQ=" - }, - "for-in": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/for-in/-/for-in-0.1.6.tgz", - "integrity": "sha1-yfluib+tGKVFr17D7TUqHZ5bTcg=", - "optional": true - }, - "for-own": { - "version": "0.1.4", - "resolved": "https://registry.npmjs.org/for-own/-/for-own-0.1.4.tgz", - "integrity": "sha1-AUm0GjkIjHUV9R6+HBOG1F+TUHI=", - "optional": true, - "requires": { - "for-in": "0.1.6" - } - }, - "forever-agent": { - "version": "0.6.1", - "resolved": "https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz", - "integrity": "sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=" - }, - "form-data": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.0.0.tgz", - "integrity": "sha1-bwrrrcxdoWwT4ezBETfYX5uIOyU=", - "requires": { - "asynckit": "0.4.0", - "combined-stream": "1.0.5", - "mime-types": "2.1.12" - } - }, - "formidable": { - "version": "1.2.1", - "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.2.1.tgz", - "integrity": "sha512-Fs9VRguL0gqGHkXS5GQiMCr1VhZBxz0JnJs4JmMp/2jL18Fmbzvv7vOFRU+U8TBkHEE/CX1qDXzJplVULgsLeg==" - }, - "fs-readdir-recursive": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/fs-readdir-recursive/-/fs-readdir-recursive-0.1.2.tgz", - "integrity": "sha1-MVtPuMHKW4xH3v7zGdBz2tNWgFk=" - }, - "fs-walk": { - "version": "0.0.1", - "resolved": "https://registry.npmjs.org/fs-walk/-/fs-walk-0.0.1.tgz", - "integrity": "sha1-9/yRw64e6tB8mYvF0N1B8tvr0zU=", - "requires": { - "async": "2.1.1" - } - }, - "fs.realpath": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz", - "integrity": "sha1-FQStJSMVjKpA20onh8sBQRmU6k8=" - }, - "fsevents": { - "version": "1.2.7", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-1.2.7.tgz", - "integrity": "sha512-Pxm6sI2MeBD7RdD12RYsqaP0nMiwx8eZBXCa6z2L+mRHm2DYrOYwihmhjpkdjUHwQhslWQjRpEgNq4XvBmaAuw==", - "optional": true, - "requires": { - "nan": "2.12.1", - "node-pre-gyp": "0.10.3" - }, - "dependencies": { - "abbrev": { - "version": "1.1.1", - "bundled": true, - "optional": true - }, - "ansi-regex": { - "version": "2.1.1", - "bundled": true, - "optional": true - }, - "aproba": { - "version": "1.2.0", - "bundled": true, - "optional": true - }, - "are-we-there-yet": { - "version": "1.1.5", - "bundled": true, - "optional": true, - "requires": { - "delegates": "^1.0.0", - "readable-stream": "^2.0.6" - } - }, - "balanced-match": { - "version": "1.0.0", - "bundled": true, - "optional": true - }, - "brace-expansion": { - "version": "1.1.11", - "bundled": true, - "optional": true, - "requires": { - "balanced-match": "^1.0.0", - "concat-map": "0.0.1" - } - }, - "chownr": { - "version": "1.1.1", - "bundled": true, - "optional": true - }, - "code-point-at": { - "version": "1.1.0", - "bundled": true, - "optional": true - }, - "concat-map": { - "version": "0.0.1", - "bundled": true, - "optional": true - }, - "console-control-strings": { - "version": "1.1.0", - "bundled": true, - "optional": true - }, - "core-util-is": { - "version": "1.0.2", - "bundled": true, - "optional": true - }, - "debug": { - "version": "2.6.9", - "bundled": true, - "optional": true, - "requires": { - "ms": "2.0.0" - } - }, - "deep-extend": { - "version": "0.6.0", - "bundled": true, - "optional": true - }, - "delegates": { - "version": "1.0.0", - "bundled": true, - "optional": true - }, - "detect-libc": { - "version": "1.0.3", - "bundled": true, - "optional": true - }, - "fs-minipass": { - "version": "1.2.5", - "bundled": true, - "optional": true, - "requires": { - "minipass": "^2.2.1" - } - }, - "fs.realpath": { - "version": "1.0.0", - "bundled": true, - "optional": true - }, - "gauge": { - "version": "2.7.4", - "bundled": true, - "optional": true, - "requires": { - "aproba": "^1.0.3", - "console-control-strings": "^1.0.0", - "has-unicode": "^2.0.0", - "object-assign": "^4.1.0", - "signal-exit": "^3.0.0", - "string-width": "^1.0.1", - "strip-ansi": "^3.0.1", - "wide-align": "^1.1.0" - } - }, - "glob": { - "version": "7.1.3", - "bundled": true, - "optional": true, - "requires": { - "fs.realpath": "^1.0.0", - "inflight": "^1.0.4", - "inherits": "2", - "minimatch": "^3.0.4", - "once": "^1.3.0", - "path-is-absolute": "^1.0.0" - } - }, - "has-unicode": { - "version": "2.0.1", - "bundled": true, - "optional": true - }, - "iconv-lite": { - "version": "0.4.24", - "bundled": true, - "optional": true, - "requires": { - "safer-buffer": ">= 2.1.2 < 3" - } - }, - "ignore-walk": { - "version": "3.0.1", - "bundled": true, - "optional": true, - "requires": { - "minimatch": "^3.0.4" - } - }, - "inflight": { - "version": "1.0.6", - "bundled": true, - "optional": true, - "requires": { - "once": "^1.3.0", - "wrappy": "1" - } - }, - "inherits": { - "version": "2.0.3", - "bundled": true, - "optional": true - }, - "ini": { - "version": "1.3.5", - "bundled": true, - "optional": true - }, - "is-fullwidth-code-point": { - "version": "1.0.0", - "bundled": true, - "optional": true, - "requires": { - "number-is-nan": "^1.0.0" - } - }, - "isarray": { - "version": "1.0.0", - "bundled": true, - "optional": true - }, - "minimatch": { - "version": "3.0.4", - "bundled": true, - "optional": true, - "requires": { - "brace-expansion": "^1.1.7" - } - }, - "minimist": { - "version": "0.0.8", - "bundled": true, - "optional": true - }, - "minipass": { - "version": "2.3.5", - "bundled": true, - "optional": true, - "requires": { - "safe-buffer": "^5.1.2", - "yallist": "^3.0.0" - } - }, - "minizlib": { - "version": "1.2.1", - "bundled": true, - "optional": true, - "requires": { - "minipass": "^2.2.1" - } - }, - "mkdirp": { - "version": "0.5.1", - "bundled": true, - "optional": true, - "requires": { - "minimist": "0.0.8" - } - }, - "ms": { - "version": "2.0.0", - "bundled": true, - "optional": true - }, - "needle": { - "version": "2.2.4", - "bundled": true, - "optional": true, - "requires": { - "debug": "^2.1.2", - "iconv-lite": "^0.4.4", - "sax": "^1.2.4" - } - }, - "node-pre-gyp": { - "version": "0.10.3", - "bundled": true, - "optional": true, - "requires": { - "detect-libc": "^1.0.2", - "mkdirp": "^0.5.1", - "needle": "^2.2.1", - "nopt": "^4.0.1", - "npm-packlist": "^1.1.6", - "npmlog": "^4.0.2", - "rc": "^1.2.7", - "rimraf": "^2.6.1", - "semver": "^5.3.0", - "tar": "^4" - } - }, - "nopt": { - "version": "4.0.1", - "bundled": true, - "optional": true, - "requires": { - "abbrev": "1", - "osenv": "^0.1.4" - } - }, - "npm-bundled": { - "version": "1.0.5", - "bundled": true, - "optional": true - }, - "npm-packlist": { - "version": "1.2.0", - "bundled": true, - "optional": true, - "requires": { - "ignore-walk": "^3.0.1", - "npm-bundled": "^1.0.1" - } - }, - "npmlog": { - "version": "4.1.2", - "bundled": true, - "optional": true, - "requires": { - "are-we-there-yet": "~1.1.2", - "console-control-strings": "~1.1.0", - "gauge": "~2.7.3", - "set-blocking": "~2.0.0" - } - }, - "number-is-nan": { - "version": "1.0.1", - "bundled": true, - "optional": true - }, - "object-assign": { - "version": "4.1.1", - "bundled": true, - "optional": true - }, - "once": { - "version": "1.4.0", - "bundled": true, - "optional": true, - "requires": { - "wrappy": "1" - } - }, - "os-homedir": { - "version": "1.0.2", - "bundled": true, - "optional": true - }, - "os-tmpdir": { - "version": "1.0.2", - "bundled": true, - "optional": true - }, - "osenv": { - "version": "0.1.5", - "bundled": true, - "optional": true, - "requires": { - "os-homedir": "^1.0.0", - "os-tmpdir": "^1.0.0" - } - }, - "path-is-absolute": { - "version": "1.0.1", - "bundled": true, - "optional": true - }, - "process-nextick-args": { - "version": "2.0.0", - "bundled": true, - "optional": true - }, - "rc": { - "version": "1.2.8", - "bundled": true, - "optional": true, - "requires": { - "deep-extend": "^0.6.0", - "ini": "~1.3.0", - "minimist": "^1.2.0", - "strip-json-comments": "~2.0.1" - }, - "dependencies": { - "minimist": { - "version": "1.2.0", - "bundled": true, - "optional": true - } - } - }, - "readable-stream": { - "version": "2.3.6", - "bundled": true, - "optional": true, - "requires": { - "core-util-is": "~1.0.0", - "inherits": "~2.0.3", - "isarray": "~1.0.0", - "process-nextick-args": "~2.0.0", - "safe-buffer": "~5.1.1", - "string_decoder": "~1.1.1", - "util-deprecate": "~1.0.1" - } - }, - "rimraf": { - "version": "2.6.3", - "bundled": true, - "optional": true, - "requires": { - "glob": "^7.1.3" - } - }, - "safe-buffer": { - "version": "5.1.2", - "bundled": true, - "optional": true - }, - "safer-buffer": { - "version": "2.1.2", - "bundled": true, - "optional": true - }, - "sax": { - "version": "1.2.4", - "bundled": true, - "optional": true - }, - "semver": { - "version": "5.6.0", - "bundled": true, - "optional": true - }, - "set-blocking": { - "version": "2.0.0", - "bundled": true, - "optional": true - }, - "signal-exit": { - "version": "3.0.2", - "bundled": true, - "optional": true - }, - "string-width": { - "version": "1.0.2", - "bundled": true, - "optional": true, - "requires": { - "code-point-at": "^1.0.0", - "is-fullwidth-code-point": "^1.0.0", - "strip-ansi": "^3.0.0" - } - }, - "string_decoder": { - "version": "1.1.1", - "bundled": true, - "optional": true, - "requires": { - "safe-buffer": "~5.1.0" - } - }, - "strip-ansi": { - "version": "3.0.1", - "bundled": true, - "optional": true, - "requires": { - "ansi-regex": "^2.0.0" - } - }, - "strip-json-comments": { - "version": "2.0.1", - "bundled": true, - "optional": true - }, - "tar": { - "version": "4.4.8", - "bundled": true, - "optional": true, - "requires": { - "chownr": "^1.1.1", - "fs-minipass": "^1.2.5", - "minipass": "^2.3.4", - "minizlib": "^1.1.1", - "mkdirp": "^0.5.0", - "safe-buffer": "^5.1.2", - "yallist": "^3.0.2" - } - }, - "util-deprecate": { - "version": "1.0.2", - "bundled": true, - "optional": true - }, - "wide-align": { - "version": "1.1.3", - "bundled": true, - "optional": true, - "requires": { - "string-width": "^1.0.2 || 2" - } - }, - "wrappy": { - "version": "1.0.2", - "bundled": true, - "optional": true - }, - "yallist": { - "version": "3.0.3", - "bundled": true, - "optional": true - } - } - }, - "generate-function": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/generate-function/-/generate-function-2.0.0.tgz", - "integrity": "sha1-aFj+fAlpt9TpCTM3ZHrHn2DfvnQ=" - }, - "generate-object-property": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/generate-object-property/-/generate-object-property-1.2.0.tgz", - "integrity": "sha1-nA4cQDCM6AT0eDYYuTf6iPmdUNA=", - "requires": { - "is-property": "1.0.2" - } - }, - "get-stdin": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-4.0.1.tgz", - "integrity": "sha1-uWjGsKBDhDJJAui/Gl3zJXmkUP4=" - }, - "getpass": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/getpass/-/getpass-0.1.6.tgz", - "integrity": "sha1-KD/9n8ElaECHUxHBtg6MQBhxEOY=", - "requires": { - "assert-plus": "1.0.0" - }, - "dependencies": { - "assert-plus": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", - "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=" - } - } - }, - "glob": { - "version": "5.0.15", - "resolved": "https://registry.npmjs.org/glob/-/glob-5.0.15.tgz", - "integrity": "sha1-G8k2ueAvSmA/zCIuz3Yz0wuLk7E=", - "requires": { - "inflight": "1.0.6", - "inherits": "2.0.3", - "minimatch": "3.0.3", - "once": "1.4.0", - "path-is-absolute": "1.0.1" - } - }, - "glob-base": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/glob-base/-/glob-base-0.3.0.tgz", - "integrity": "sha1-27Fk9iIbHAscz4Kuoyi0l98Oo8Q=", - "optional": true, - "requires": { - "glob-parent": "2.0.0", - "is-glob": "2.0.1" - } - }, - "glob-parent": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz", - "integrity": "sha1-gTg9ctsFT8zPUzbaqQLxgvbtuyg=", - "requires": { - "is-glob": "2.0.1" - } - }, - "globals": { - "version": "8.18.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-8.18.0.tgz", - "integrity": "sha1-k9SmK9ysOM+vr8R9awNHaMsP/LQ=" - }, - "graceful-fs": { - "version": "4.1.9", - "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.1.9.tgz", - "integrity": "sha1-uqy6N9GdEfnRRtNXi8mZWMN4fik=" - }, - "graceful-readlink": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/graceful-readlink/-/graceful-readlink-1.0.1.tgz", - "integrity": "sha1-TK+tdrxi8C+gObL5Tpo906ORpyU=" - }, - "har-validator": { - "version": "2.0.6", - "resolved": "https://registry.npmjs.org/har-validator/-/har-validator-2.0.6.tgz", - "integrity": "sha1-zcvAgYgmWtEZtqWnyKtw7s+10n0=", - "requires": { - "chalk": "1.1.1", - "commander": "2.9.0", - "is-my-json-valid": "2.15.0", - "pinkie-promise": "2.0.1" - } - }, - "has-ansi": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/has-ansi/-/has-ansi-2.0.0.tgz", - "integrity": "sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=", - "requires": { - "ansi-regex": "2.0.0" - } - }, - "hawk": { - "version": "3.1.3", - "resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz", - "integrity": "sha1-B4REvXwWQLD+VA0sm3PVlnjo4cQ=", - "requires": { - "boom": "2.10.1", - "cryptiles": "2.0.5", - "hoek": "2.16.3", - "sntp": "1.0.9" - } - }, - "hoek": { - "version": "2.16.3", - "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz", - "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=" - }, - "home-or-tmp": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/home-or-tmp/-/home-or-tmp-1.0.0.tgz", - "integrity": "sha1-S58eQIAMPlDGwn94FnavzOcfOYU=", - "requires": { - "os-tmpdir": "1.0.2", - "user-home": "1.1.1" - } - }, - "hosted-git-info": { - "version": "2.1.5", - "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.5.tgz", - "integrity": "sha1-C6gdkNouJas0ozLm7HeTbhWYEYs=" - }, - "http-signature": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/http-signature/-/http-signature-1.1.1.tgz", - "integrity": "sha1-33LiZwZs0Kxn+3at+OE0qPvPkb8=", - "requires": { - "assert-plus": "0.2.0", - "jsprim": "1.3.1", - "sshpk": "1.10.1" - } - }, - "indent-string": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-2.1.0.tgz", - "integrity": "sha1-ji1INIdCEhtKghi3oTfppSBJ3IA=", - "requires": { - "repeating": "2.0.1" - }, - "dependencies": { - "repeating": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/repeating/-/repeating-2.0.1.tgz", - "integrity": "sha1-UhTFOpJtNVJwdSf7q0FdvAjQbdo=", - "requires": { - "is-finite": "1.0.2" - } - } - } - }, - "inflight": { - "version": "1.0.6", - "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz", - "integrity": "sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=", - "requires": { - "once": "1.4.0", - "wrappy": "1.0.2" - } - }, - "inherits": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.3.tgz", - "integrity": "sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=" - }, - "intersect": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/intersect/-/intersect-1.0.1.tgz", - "integrity": "sha1-MyZQ4QhU2MCsWMGSvcJ6i/fnoww=" - }, - "invariant": { - "version": "2.2.1", - "resolved": "https://registry.npmjs.org/invariant/-/invariant-2.2.1.tgz", - "integrity": "sha1-sJcBBUdmjH4zcCjr6Bbr42yKjVQ=", - "requires": { - "loose-envify": "1.2.0" - } - }, - "is-arrayish": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/is-arrayish/-/is-arrayish-0.2.1.tgz", - "integrity": "sha1-d8mYQFJ6qOyxqLppe4BkWnqSap0=" - }, - "is-binary-path": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-1.0.1.tgz", - "integrity": "sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=", - "optional": true, - "requires": { - "binary-extensions": "1.7.0" - } - }, - "is-buffer": { - "version": "1.1.4", - "resolved": "https://registry.npmjs.org/is-buffer/-/is-buffer-1.1.4.tgz", - "integrity": "sha1-z8hszV3FpS+oBIkRHGkgxFfi2Ys=" - }, - "is-builtin-module": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-builtin-module/-/is-builtin-module-1.0.0.tgz", - "integrity": "sha1-VAVy0096wxGfj3bDDLwbHgN6/74=", - "requires": { - "builtin-modules": "1.1.1" - } - }, - "is-dotfile": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-dotfile/-/is-dotfile-1.0.2.tgz", - "integrity": "sha1-LBMjg/ORmfjtwmjKAbmwB9IFzE0=", - "optional": true - }, - "is-equal-shallow": { - "version": "0.1.3", - "resolved": "https://registry.npmjs.org/is-equal-shallow/-/is-equal-shallow-0.1.3.tgz", - "integrity": "sha1-IjgJj8Ih3gvPpdnqxMRdY4qhxTQ=", - "optional": true, - "requires": { - "is-primitive": "2.0.0" - } - }, - "is-extendable": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-0.1.1.tgz", - "integrity": "sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=", - "optional": true - }, - "is-extglob": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-1.0.0.tgz", - "integrity": "sha1-rEaBd8SUNAWgkvyPKXYMb/xiBsA=" - }, - "is-finite": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-finite/-/is-finite-1.0.2.tgz", - "integrity": "sha1-zGZ3aVYCvlUO8R6LSqYwU0K20Ko=", - "requires": { - "number-is-nan": "1.0.1" - } - }, - "is-glob": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-2.0.1.tgz", - "integrity": "sha1-0Jb5JqPe1WAPP9/ZEZjLCIjC2GM=", - "requires": { - "is-extglob": "1.0.0" - } - }, - "is-my-json-valid": { - "version": "2.15.0", - "resolved": "https://registry.npmjs.org/is-my-json-valid/-/is-my-json-valid-2.15.0.tgz", - "integrity": "sha1-k27do8o8IR/ZjzstPgjaQ/eykVs=", - "requires": { - "generate-function": "2.0.0", - "generate-object-property": "1.2.0", - "jsonpointer": "4.0.0", - "xtend": "4.0.1" - } - }, - "is-number": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/is-number/-/is-number-2.1.0.tgz", - "integrity": "sha1-Afy7s5NGOlSPL0ZszhbezknbkI8=", - "requires": { - "kind-of": "3.0.4" - } - }, - "is-posix-bracket": { - "version": "0.1.1", - "resolved": "https://registry.npmjs.org/is-posix-bracket/-/is-posix-bracket-0.1.1.tgz", - "integrity": "sha1-MzTceXdDaOkvAW5vvAqI9c1ua8Q=", - "optional": true - }, - "is-primitive": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/is-primitive/-/is-primitive-2.0.0.tgz", - "integrity": "sha1-IHurkWOEmcB7Kt8kCkGochADRXU=" - }, - "is-property": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/is-property/-/is-property-1.0.2.tgz", - "integrity": "sha1-V/4cTkhHTt1lsJkR8msc1Ald2oQ=" - }, - "is-typedarray": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz", - "integrity": "sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=" - }, - "is-utf8": { - "version": "0.2.1", - "resolved": "https://registry.npmjs.org/is-utf8/-/is-utf8-0.2.1.tgz", - "integrity": "sha1-Sw2hRCEE0bM2NA6AeX6GXPOffXI=" - }, - "isarray": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz", - "integrity": "sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=" - }, - "isobject": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/isobject/-/isobject-2.1.0.tgz", - "integrity": "sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=", - "optional": true, - "requires": { - "isarray": "1.0.0" - } - }, - "isstream": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz", - "integrity": "sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=" - }, - "jodid25519": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/jodid25519/-/jodid25519-1.0.2.tgz", - "integrity": "sha1-BtSRIlUJNBlHfUJWM2BuDpB4KWc=", - "optional": true, - "requires": { - "jsbn": "0.1.0" - } - }, - "js-tokens": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-2.0.0.tgz", - "integrity": "sha1-eZA/VWPud4zBFi5tzxoAJ8l/nLU=" - }, - "js-yaml": { - "version": "3.6.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.6.1.tgz", - "integrity": "sha1-bl/mfYsgXOTSL60Ft3geja3MSzA=", - "requires": { - "argparse": "1.0.9", - "esprima": "2.7.3" - } - }, - "jsbn": { - "version": "0.1.0", - "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-0.1.0.tgz", - "integrity": "sha1-ZQmH2g3XT06/WhE3eiqi0nPpff0=", - "optional": true - }, - "jsesc": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-1.3.0.tgz", - "integrity": "sha1-RsP+yMGJKxKwgz25vHYiF226s0s=" - }, - "json-schema": { - "version": "0.2.3", - "resolved": "https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz", - "integrity": "sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=" - }, - "json-stringify-safe": { - "version": "5.0.1", - "resolved": "https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz", - "integrity": "sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=" - }, - "json5": { - "version": "0.4.0", - "resolved": "https://registry.npmjs.org/json5/-/json5-0.4.0.tgz", - "integrity": "sha1-BUNS5MTIDIbAkjh31EneF2pzLI0=" - }, - "jsonpointer": { - "version": "4.0.0", - "resolved": "https://registry.npmjs.org/jsonpointer/-/jsonpointer-4.0.0.tgz", - "integrity": "sha1-ZmHhYdL8RF8Z+YQwIxNDci4fy9U=" - }, - "jsprim": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/jsprim/-/jsprim-1.3.1.tgz", - "integrity": "sha1-KnJW9wQSop7jZwqspiWZTE3P8lI=", - "requires": { - "extsprintf": "1.0.2", - "json-schema": "0.2.3", - "verror": "1.3.6" - } - }, - "kind-of": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/kind-of/-/kind-of-3.0.4.tgz", - "integrity": "sha1-e47PGKThf4Jp1ztQHJ8jLJaIenQ=", - "requires": { - "is-buffer": "1.1.4" - } - }, - "load-json-file": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/load-json-file/-/load-json-file-1.1.0.tgz", - "integrity": "sha1-lWkFcI1YtLq0wiYbBPWfMcmTdMA=", - "requires": { - "graceful-fs": "4.1.9", - "parse-json": "2.2.0", - "pify": "2.3.0", - "pinkie-promise": "2.0.1", - "strip-bom": "2.0.0" - } - }, - "lodash": { - "version": "4.16.4", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.16.4.tgz", - "integrity": "sha1-Ac4wa5utExnypVKGdPiCl663ASc=" - }, - "log-symbols": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/log-symbols/-/log-symbols-1.0.2.tgz", - "integrity": "sha1-N2/3tY6jCGoPCfrMdGF+ylAeGhg=", - "requires": { - "chalk": "1.1.1" - } - }, - "loose-envify": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.2.0.tgz", - "integrity": "sha1-aaZarT3lQs9O4PT+dOjjPHCcyw8=", - "requires": { - "js-tokens": "1.0.3" - }, - "dependencies": { - "js-tokens": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-1.0.3.tgz", - "integrity": "sha1-FOVutoyPGpLEPVn1AU7CncIPKuE=" - } - } - }, - "loud-rejection": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/loud-rejection/-/loud-rejection-1.6.0.tgz", - "integrity": "sha1-W0b4AUft7leIcPCG0Eghz5mOVR8=", - "requires": { - "currently-unhandled": "0.4.1", - "signal-exit": "3.0.1" - } - }, - "map-obj": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/map-obj/-/map-obj-1.0.1.tgz", - "integrity": "sha1-2TPOuSBdgr3PSIb2dCvcK03qFG0=" - }, - "meow": { - "version": "3.7.0", - "resolved": "https://registry.npmjs.org/meow/-/meow-3.7.0.tgz", - "integrity": "sha1-cstmi0JSKCkKu/qFaJJYcwioAfs=", - "requires": { - "camelcase-keys": "2.1.0", - "decamelize": "1.2.0", - "loud-rejection": "1.6.0", - "map-obj": "1.0.1", - "minimist": "1.2.0", - "normalize-package-data": "2.3.5", - "object-assign": "4.1.0", - "read-pkg-up": "1.0.1", - "redent": "1.0.0", - "trim-newlines": "1.0.0" - } - }, - "merge": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/merge/-/merge-1.2.0.tgz", - "integrity": "sha1-dTHjnUlJwoGma4xabgJl6LBYlNo=" - }, - "methods": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz", - "integrity": "sha1-VSmk1nZUE07cxSZmVoNbD4Ua/O4=" - }, - "micromatch": { - "version": "2.3.11", - "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-2.3.11.tgz", - "integrity": "sha1-hmd8l9FyCzY0MdBNDRUpO9OMFWU=", - "optional": true, - "requires": { - "arr-diff": "2.0.0", - "array-unique": "0.2.1", - "braces": "1.8.5", - "expand-brackets": "0.1.5", - "extglob": "0.3.2", - "filename-regex": "2.0.0", - "is-extglob": "1.0.0", - "is-glob": "2.0.1", - "kind-of": "3.0.4", - "normalize-path": "2.0.1", - "object.omit": "2.0.0", - "parse-glob": "3.0.4", - "regex-cache": "0.4.3" - } - }, - "mime": { - "version": "2.4.4", - "resolved": "https://registry.npmjs.org/mime/-/mime-2.4.4.tgz", - "integrity": "sha512-LRxmNwziLPT828z+4YkNzloCFC2YM4wrB99k+AV5ZbEyfGNWfG8SO1FUXLmLDBSo89NrJZ4DIWeLjy1CHGhMGA==" - }, - "mime-db": { - "version": "1.24.0", - "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.24.0.tgz", - "integrity": "sha1-4tE/k58AFsbk6a0lqGUvEmxGfww=" - }, - "mime-types": { - "version": "2.1.12", - "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.12.tgz", - "integrity": "sha1-FSuiVndwIN1GY/VMLnvCY4HnFyk=", - "requires": { - "mime-db": "1.24.0" - } - }, - "minimatch": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.3.tgz", - "integrity": "sha1-Kk5AkLlrLbBqnX3wEFWmKnfJt3Q=", - "requires": { - "brace-expansion": "1.1.6" - } - }, - "minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" - }, - "mkdirp": { - "version": "0.5.1", - "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.1.tgz", - "integrity": "sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=", - "requires": { - "minimist": "0.0.8" - }, - "dependencies": { - "minimist": { - "version": "0.0.8", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz", - "integrity": "sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=" - } - } - }, - "ms": { - "version": "0.7.1", - "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.1.tgz", - "integrity": "sha1-nNE8A62/8ltl7/3nzoZO6VIBcJg=" - }, - "nan": { - "version": "2.12.1", - "resolved": "https://registry.npmjs.org/nan/-/nan-2.12.1.tgz", - "integrity": "sha512-JY7V6lRkStKcKTvHO5NVSQRv+RV+FIL5pvDoLiAtSL9pKlC5x9PKQcZDsq7m4FO4d57mkhC6Z+QhAh3Jdk5JFw==", - "optional": true - }, - "node-uuid": { - "version": "1.4.7", - "resolved": "https://registry.npmjs.org/node-uuid/-/node-uuid-1.4.7.tgz", - "integrity": "sha1-baWhdmjEs91ZYjvaEc9/pMH2Cm8=" - }, - "normalize-package-data": { - "version": "2.3.5", - "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.3.5.tgz", - "integrity": "sha1-jZJPFClg4Xd+f/4XBUNjHMfLAt8=", - "requires": { - "hosted-git-info": "2.1.5", - "is-builtin-module": "1.0.0", - "semver": "4.3.6", - "validate-npm-package-license": "3.0.1" - } - }, - "normalize-path": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.0.1.tgz", - "integrity": "sha1-R4hqwWYnYNQmG32XnSQXCdPOP3o=", - "optional": true - }, - "number-is-nan": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/number-is-nan/-/number-is-nan-1.0.1.tgz", - "integrity": "sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=" - }, - "oauth-sign": { - "version": "0.8.2", - "resolved": "https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.8.2.tgz", - "integrity": "sha1-Rqarfwrq2N6unsBWV4C31O/rnUM=" - }, - "object-assign": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.0.tgz", - "integrity": "sha1-ejs9DpgGPUP0wD8uiubNUahog6A=" - }, - "object.omit": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/object.omit/-/object.omit-2.0.0.tgz", - "integrity": "sha1-hoWXMz1U5gZilAu0WGBd1q4S/pQ=", - "optional": true, - "requires": { - "for-own": "0.1.4", - "is-extendable": "0.1.1" - } - }, - "once": { - "version": "1.4.0", - "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", - "integrity": "sha1-WDsap3WWHUsROsF9nFC6753Xa9E=", - "requires": { - "wrappy": "1.0.2" - } - }, - "os-tmpdir": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/os-tmpdir/-/os-tmpdir-1.0.2.tgz", - "integrity": "sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=" - }, - "output-file-sync": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/output-file-sync/-/output-file-sync-1.1.2.tgz", - "integrity": "sha1-0KM+7+YaIF+suQCS6CZZjVJFznY=", - "requires": { - "graceful-fs": "4.1.9", - "mkdirp": "0.5.1", - "object-assign": "4.1.0" - } - }, - "parse-glob": { - "version": "3.0.4", - "resolved": "https://registry.npmjs.org/parse-glob/-/parse-glob-3.0.4.tgz", - "integrity": "sha1-ssN2z7EfNVE7rdFz7wu246OIORw=", - "optional": true, - "requires": { - "glob-base": "0.3.0", - "is-dotfile": "1.0.2", - "is-extglob": "1.0.0", - "is-glob": "2.0.1" - } - }, - "parse-json": { - "version": "2.2.0", - "resolved": "https://registry.npmjs.org/parse-json/-/parse-json-2.2.0.tgz", - "integrity": "sha1-9ID0BDTvgHQfhGkJn43qGPVaTck=", - "requires": { - "error-ex": "1.3.0" - } - }, - "path-exists": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-1.0.0.tgz", - "integrity": "sha1-1aiZjrce83p0w06w2eum6HjuoIE=" - }, - "path-is-absolute": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz", - "integrity": "sha1-F0uSaHNVNP+8es5r9TpanhtcX18=" - }, - "path-type": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/path-type/-/path-type-1.1.0.tgz", - "integrity": "sha1-WcRPfuSR2nBNpBXaWkBwuk+P5EE=", - "requires": { - "graceful-fs": "4.1.9", - "pify": "2.3.0", - "pinkie-promise": "2.0.1" - } - }, - "pify": { - "version": "2.3.0", - "resolved": "https://registry.npmjs.org/pify/-/pify-2.3.0.tgz", - "integrity": "sha1-7RQaasBDqEnqWISY59yosVMw6Qw=" - }, - "pinkie": { - "version": "2.0.4", - "resolved": "https://registry.npmjs.org/pinkie/-/pinkie-2.0.4.tgz", - "integrity": "sha1-clVrgM+g1IqXToDnckjoDtT3+HA=" - }, - "pinkie-promise": { - "version": "2.0.1", - "resolved": "https://registry.npmjs.org/pinkie-promise/-/pinkie-promise-2.0.1.tgz", - "integrity": "sha1-ITXW36ejWMBprJsXh3YogihFD/o=", - "requires": { - "pinkie": "2.0.4" - } - }, - "preserve": { - "version": "0.2.0", - "resolved": "https://registry.npmjs.org/preserve/-/preserve-0.2.0.tgz", - "integrity": "sha1-gV7R9uvGWSb4ZbMQwHE7yzMVzks=", - "optional": true - }, - "private": { - "version": "0.1.6", - "resolved": "https://registry.npmjs.org/private/-/private-0.1.6.tgz", - "integrity": "sha1-VcapdtD5uvuZJIUTUP5HubX7t8E=" - }, - "process-nextick-args": { - "version": "1.0.7", - "resolved": "https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-1.0.7.tgz", - "integrity": "sha1-FQ4gt1ZZCtP5EJPyWk8q2L/zC6M=" - }, - "qs": { - "version": "6.2.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.2.1.tgz", - "integrity": "sha1-zgPF/wk1vB2daanxTL0Y5WjWdiU=" - }, - "randomatic": { - "version": "1.1.5", - "resolved": "https://registry.npmjs.org/randomatic/-/randomatic-1.1.5.tgz", - "integrity": "sha1-Xp718tVzxnvSuBJK6QtRVuRXhAs=", - "optional": true, - "requires": { - "is-number": "2.1.0", - "kind-of": "3.0.4" - } - }, - "read-pkg": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/read-pkg/-/read-pkg-1.1.0.tgz", - "integrity": "sha1-9f+qXs0pyzHAR0vKfXVra7KePyg=", - "requires": { - "load-json-file": "1.1.0", - "normalize-package-data": "2.3.5", - "path-type": "1.1.0" - } - }, - "read-pkg-up": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/read-pkg-up/-/read-pkg-up-1.0.1.tgz", - "integrity": "sha1-nWPBMnbAZZGNV/ACpX9AobZD+wI=", - "requires": { - "find-up": "1.1.2", - "read-pkg": "1.1.0" - } - }, - "readable-stream": { - "version": "2.1.5", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.1.5.tgz", - "integrity": "sha1-ZvqLcg4UOLNkaB8q0aY8YYRIydA=", - "optional": true, - "requires": { - "buffer-shims": "1.0.0", - "core-util-is": "1.0.2", - "inherits": "2.0.3", - "isarray": "1.0.0", - "process-nextick-args": "1.0.7", - "string_decoder": "0.10.31", - "util-deprecate": "1.0.2" - } - }, - "readdirp": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-2.1.0.tgz", - "integrity": "sha1-TtCtBg3zBzMAxIRANz9y0cxkLXg=", - "optional": true, - "requires": { - "graceful-fs": "4.1.9", - "minimatch": "3.0.3", - "readable-stream": "2.1.5", - "set-immediate-shim": "1.0.1" - } - }, - "redent": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/redent/-/redent-1.0.0.tgz", - "integrity": "sha1-z5Fqsf1fHxbfsggi3W7H9zDCr94=", - "requires": { - "indent-string": "2.1.0", - "strip-indent": "1.0.1" - } - }, - "regenerate": { - "version": "1.3.1", - "resolved": "https://registry.npmjs.org/regenerate/-/regenerate-1.3.1.tgz", - "integrity": "sha1-AwAgOl0v3PiRFtzoQnXQEfWQPzM=" - }, - "regenerator-runtime": { - "version": "0.9.5", - "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.9.5.tgz", - "integrity": "sha1-QD1tQKS9/5wzDdk5Lcuy2ai7ofw=" - }, - "regex-cache": { - "version": "0.4.3", - "resolved": "https://registry.npmjs.org/regex-cache/-/regex-cache-0.4.3.tgz", - "integrity": "sha1-mxpsNdTQ3871cRrmUejp09cRQUU=", - "optional": true, - "requires": { - "is-equal-shallow": "0.1.3", - "is-primitive": "2.0.0" - } - }, - "regexpu-core": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/regexpu-core/-/regexpu-core-2.0.0.tgz", - "integrity": "sha1-SdA4g3uNz4v6W5pCE5k45uoq4kA=", - "requires": { - "regenerate": "1.3.1", - "regjsgen": "0.2.0", - "regjsparser": "0.1.5" - } - }, - "regjsgen": { - "version": "0.2.0", - "resolved": "https://registry.npmjs.org/regjsgen/-/regjsgen-0.2.0.tgz", - "integrity": "sha1-bAFq3qxVT3WCP+N6wFuS1aTtsfc=" - }, - "regjsparser": { - "version": "0.1.5", - "resolved": "https://registry.npmjs.org/regjsparser/-/regjsparser-0.1.5.tgz", - "integrity": "sha1-fuj4Tcb6eS0/0K4ijSS9lJ6tIFw=", - "requires": { - "jsesc": "0.5.0" - }, - "dependencies": { - "jsesc": { - "version": "0.5.0", - "resolved": "https://registry.npmjs.org/jsesc/-/jsesc-0.5.0.tgz", - "integrity": "sha1-597mbjXW/Bb3EP6R1c9p9w8IkR0=" - } - } - }, - "repeat-element": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/repeat-element/-/repeat-element-1.1.2.tgz", - "integrity": "sha1-7wiaF40Ug7quTZPrmLT55OEdmQo=" - }, - "repeat-string": { - "version": "1.5.4", - "resolved": "https://registry.npmjs.org/repeat-string/-/repeat-string-1.5.4.tgz", - "integrity": "sha1-ZOwMkeD0tHX5DVtkNlHj5uW2wtU=", - "optional": true - }, - "repeating": { - "version": "1.1.3", - "resolved": "https://registry.npmjs.org/repeating/-/repeating-1.1.3.tgz", - "integrity": "sha1-PUEUIYh3U3SU+X93+Xhfq4EPpKw=", - "requires": { - "is-finite": "1.0.2" - } - }, - "request": { - "version": "2.75.0", - "resolved": "https://registry.npmjs.org/request/-/request-2.75.0.tgz", - "integrity": "sha1-0rgmiihtoT6qXQGt9dGMyQ9lfZM=", - "requires": { - "aws-sign2": "0.6.0", - "aws4": "1.5.0", - "bl": "1.1.2", - "caseless": "0.11.0", - "combined-stream": "1.0.5", - "extend": "3.0.0", - "forever-agent": "0.6.1", - "form-data": "2.0.0", - "har-validator": "2.0.6", - "hawk": "3.1.3", - "http-signature": "1.1.1", - "is-typedarray": "1.0.0", - "isstream": "0.1.2", - "json-stringify-safe": "5.0.1", - "mime-types": "2.1.12", - "node-uuid": "1.4.7", - "oauth-sign": "0.8.2", - "qs": "6.2.1", - "stringstream": "0.0.5", - "tough-cookie": "2.3.1", - "tunnel-agent": "0.4.3" - } - }, - "rimraf": { - "version": "2.5.4", - "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.5.4.tgz", - "integrity": "sha1-loAAk8vxoMhr2VtGJUZ1NcKd+gQ=", - "requires": { - "glob": "7.1.1" - }, - "dependencies": { - "glob": { - "version": "7.1.1", - "resolved": "https://registry.npmjs.org/glob/-/glob-7.1.1.tgz", - "integrity": "sha1-gFIR3wT6rxxjo2ADBs31reULLsg=", - "requires": { - "fs.realpath": "1.0.0", - "inflight": "1.0.6", - "inherits": "2.0.3", - "minimatch": "3.0.3", - "once": "1.4.0", - "path-is-absolute": "1.0.1" - } - } - } - }, - "safe-buffer": { - "version": "5.2.0", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.0.tgz", - "integrity": "sha512-fZEwUGbVl7kouZs1jCdMLdt95hdIv0ZeHg6L7qPeciMZhZ+/gdesW4wgTARkrFWEpspjEATAzUGPG8N2jJiwbg==" - }, - "semver": { - "version": "4.3.6", - "resolved": "https://registry.npmjs.org/semver/-/semver-4.3.6.tgz", - "integrity": "sha1-MAvG4OhjdPe6YQaLWx7NV/xlMto=" - }, - "semver-regex": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/semver-regex/-/semver-regex-1.0.0.tgz", - "integrity": "sha1-kqSWkGX5xwxpR1PVUkj8aPj2Usk=" - }, - "semver-truncate": { - "version": "1.1.2", - "resolved": "https://registry.npmjs.org/semver-truncate/-/semver-truncate-1.1.2.tgz", - "integrity": "sha1-V/Qd5pcHpicJp+AQS6IRcQnqR+g=", - "requires": { - "semver": "5.3.0" - }, - "dependencies": { - "semver": { - "version": "5.3.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz", - "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8=" - } - } - }, - "set-immediate-shim": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/set-immediate-shim/-/set-immediate-shim-1.0.1.tgz", - "integrity": "sha1-SysbJ+uAip+NzEgaWOXlb1mfP2E=", - "optional": true - }, - "shebang-regex": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz", - "integrity": "sha1-2kL0l0DAtC2yypcoVxyxkMmO/qM=" - }, - "signal-exit": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.1.tgz", - "integrity": "sha1-WkyISZK2OnrNm623iUw+6c/MrYE=" - }, - "slash": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/slash/-/slash-1.0.0.tgz", - "integrity": "sha1-xB8vbDn8FtHNF61LXYlhFK5HDVU=" - }, - "slugid": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/slugid/-/slugid-1.1.0.tgz", - "integrity": "sha1-4J8AiZwJ9acFjtw23UnwRv1QqCo=", - "requires": { - "uuid": "2.0.3" - } - }, - "sntp": { - "version": "1.0.9", - "resolved": "https://registry.npmjs.org/sntp/-/sntp-1.0.9.tgz", - "integrity": "sha1-ZUEYTMkK7qbG57NeJlkIJEPGYZg=", - "requires": { - "hoek": "2.16.3" - } - }, - "source-map": { - "version": "0.5.6", - "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.6.tgz", - "integrity": "sha1-dc449SvwczxafwwRjYEzSiu19BI=" - }, - "source-map-support": { - "version": "0.4.3", - "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.4.3.tgz", - "integrity": "sha1-aTyDg9Q4mkVpSGmHwhl0TfxgFoU=", - "requires": { - "source-map": "0.5.6" - } - }, - "spdx-correct": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-1.0.2.tgz", - "integrity": "sha1-SzBz2TP/UfORLwOsVRlJikFQ20A=", - "requires": { - "spdx-license-ids": "1.2.2" - } - }, - "spdx-expression-parse": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-1.0.4.tgz", - "integrity": "sha1-m98vIOH0DtRH++JzJmGR/O1RYmw=" - }, - "spdx-license-ids": { - "version": "1.2.2", - "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-1.2.2.tgz", - "integrity": "sha1-yd96NCRZSt5r0RkA1ZZpbcBrrFc=" - }, - "sprintf-js": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", - "integrity": "sha1-BOaSb2YolTVPPdAVIDYzuFcpfiw=" - }, - "sshpk": { - "version": "1.10.1", - "resolved": "https://registry.npmjs.org/sshpk/-/sshpk-1.10.1.tgz", - "integrity": "sha1-MOGl0ykkSXShr2FREznVla9mOLA=", - "requires": { - "asn1": "0.2.3", - "assert-plus": "1.0.0", - "bcrypt-pbkdf": "1.0.0", - "dashdash": "1.14.0", - "ecc-jsbn": "0.1.1", - "getpass": "0.1.6", - "jodid25519": "1.0.2", - "jsbn": "0.1.0", - "tweetnacl": "0.14.3" - }, - "dependencies": { - "assert-plus": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz", - "integrity": "sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=" - } - } - }, - "string_decoder": { - "version": "0.10.31", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-0.10.31.tgz", - "integrity": "sha1-YuIDvEF2bGwoyfyEMB2rHFMQ+pQ=" - }, - "stringstream": { - "version": "0.0.5", - "resolved": "https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz", - "integrity": "sha1-TkhM1N5aC7vuGORjB3EKioFiGHg=" - }, - "strip-ansi": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz", - "integrity": "sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=", - "requires": { - "ansi-regex": "2.0.0" - } - }, - "strip-bom": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/strip-bom/-/strip-bom-2.0.0.tgz", - "integrity": "sha1-YhmoVhZSBJHzV4i9vxRHqZx+aw4=", - "requires": { - "is-utf8": "0.2.1" - } - }, - "strip-indent": { - "version": "1.0.1", - "resolved": "https://registry.npmjs.org/strip-indent/-/strip-indent-1.0.1.tgz", - "integrity": "sha1-DHlipq3vp7vUrDZkYKY4VSrhoKI=", - "requires": { - "get-stdin": "4.0.1" - } - }, - "superagent": { - "version": "5.1.0", - "resolved": "https://registry.npmjs.org/superagent/-/superagent-5.1.0.tgz", - "integrity": "sha512-7V6JVx5N+eTL1MMqRBX0v0bG04UjrjAvvZJTF/VDH/SH2GjSLqlrcYepFlpTrXpm37aSY6h3GGVWGxXl/98TKA==", - "requires": { - "component-emitter": "1.3.0", - "cookiejar": "2.1.2", - "debug": "4.1.1", - "fast-safe-stringify": "2.0.7", - "form-data": "2.5.1", - "formidable": "1.2.1", - "methods": "1.1.2", - "mime": "2.4.4", - "qs": "6.9.0", - "readable-stream": "3.4.0", - "semver": "6.3.0" - }, - "dependencies": { - "combined-stream": { - "version": "1.0.8", - "resolved": "https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz", - "integrity": "sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==", - "requires": { - "delayed-stream": "1.0.0" - } - }, - "debug": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", - "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==", - "requires": { - "ms": "2.1.2" - } - }, - "form-data": { - "version": "2.5.1", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.5.1.tgz", - "integrity": "sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==", - "requires": { - "asynckit": "0.4.0", - "combined-stream": "1.0.8", - "mime-types": "2.1.12" - } - }, - "ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" - }, - "qs": { - "version": "6.9.0", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.9.0.tgz", - "integrity": "sha512-27RP4UotQORTpmNQDX8BHPukOnBP3p1uUJY5UnDhaJB+rMt9iMsok724XL+UHU23bEFOHRMQ2ZhI99qOWUMGFA==" - }, - "readable-stream": { - "version": "3.4.0", - "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.4.0.tgz", - "integrity": "sha512-jItXPLmrSR8jmTRmRWJXCnGJsfy85mB3Wd/uINMXA65yrnFo0cPClFIUWzo2najVNSl+mx7/4W8ttlLWJe99pQ==", - "requires": { - "inherits": "2.0.3", - "string_decoder": "1.3.0", - "util-deprecate": "1.0.2" - } - }, - "semver": { - "version": "6.3.0", - "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz", - "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==" - }, - "string_decoder": { - "version": "1.3.0", - "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", - "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", - "requires": { - "safe-buffer": "5.2.0" - } - } - } - }, - "supports-color": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz", - "integrity": "sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=" - }, - "taskcluster-client": { - "version": "22.0.0", - "resolved": "https://registry.npmjs.org/taskcluster-client/-/taskcluster-client-22.0.0.tgz", - "integrity": "sha512-L9Z84WXWVLkCYlcxNl6TAXBqoERyB0iavNgsymQqu9TGMLh3Acl7J55PzthZr/o1F3sVfHwRgDnxM1CidaYbEQ==", - "requires": { - "debug": "4.1.1", - "hawk": "7.0.10", - "lodash": "4.17.15", - "slugid": "2.0.0", - "superagent": "5.1.0", - "taskcluster-lib-urls": "12.0.0" - }, - "dependencies": { - "boom": { - "version": "7.3.0", - "resolved": "https://registry.npmjs.org/boom/-/boom-7.3.0.tgz", - "integrity": "sha512-Swpoyi2t5+GhOEGw8rEsKvTxFLIDiiKoUc2gsoV6Lyr43LHBIzch3k2MvYUs8RTROrIkVJ3Al0TkaOGjnb+B6A==", - "requires": { - "hoek": "6.1.3" - } - }, - "cryptiles": { - "version": "4.1.3", - "resolved": "https://registry.npmjs.org/cryptiles/-/cryptiles-4.1.3.tgz", - "integrity": "sha512-gT9nyTMSUC1JnziQpPbxKGBbUg8VL7Zn2NB4E1cJYvuXdElHrwxrV9bmltZGDzet45zSDGyYceueke1TjynGzw==", - "requires": { - "boom": "7.3.0" - } - }, - "debug": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", - "integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==", - "requires": { - "ms": "2.1.2" - } - }, - "hawk": { - "version": "7.0.10", - "resolved": "https://registry.npmjs.org/hawk/-/hawk-7.0.10.tgz", - "integrity": "sha512-3RWF4SXN9CdZ1VDAe6Pn3Rd0tC3Lw+GV+esX5oKCrXoScZK3Ri6dl5Wt986M/hlzU+GuapTGiB0rBhGeRIBQsw==", - "requires": { - "b64": "4.1.2", - "boom": "7.3.0", - "cryptiles": "4.1.3", - "hoek": "6.1.3", - "sntp": "3.0.2" - } - }, - "hoek": { - "version": "6.1.3", - "resolved": "https://registry.npmjs.org/hoek/-/hoek-6.1.3.tgz", - "integrity": "sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==" - }, - "lodash": { - "version": "4.17.15", - "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz", - "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==" - }, - "ms": { - "version": "2.1.2", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", - "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" - }, - "slugid": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/slugid/-/slugid-2.0.0.tgz", - "integrity": "sha512-zTCivUfTk2GC6MU4Fjcz0iXwAjhe0NweMJqpfWcGrBbrm2dWtVAUupAonfsc7ysw4M0kZ934Nle5ljwM2dR+/g==", - "requires": { - "uuid": "3.3.3", - "uuid-parse": "1.1.0" - } - }, - "sntp": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/sntp/-/sntp-3.0.2.tgz", - "integrity": "sha512-MCAPpBPFjNp1fwDVCLSRuWuH9gONtb2R+lS1esC6Mp8lP6jy60FVUtP/Qr0jBvcWAVbhzx06y1b6ptXiy32dug==", - "requires": { - "boom": "7.3.0", - "bounce": "1.2.3", - "hoek": "6.1.3", - "teamwork": "3.2.0" - } - }, - "uuid": { - "version": "3.3.3", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-3.3.3.tgz", - "integrity": "sha512-pW0No1RGHgzlpHJO1nsVrHKpOEIxkGg1xB+v0ZmdNH5OAeAwzAVrCnI2/6Mtx+Uys6iaylxa+D3g4j63IKKjSQ==" - } - } - }, - "taskcluster-lib-urls": { - "version": "12.0.0", - "resolved": "https://registry.npmjs.org/taskcluster-lib-urls/-/taskcluster-lib-urls-12.0.0.tgz", - "integrity": "sha512-OrEFE0m3p/+mGsmIwjttLhSKg3io6MpJLhYtPNjVSZA9Ix8Y5tprN3vM6a3MjWt5asPF6AKZsfT43cgpGwJB0g==" - }, - "teamwork": { - "version": "3.2.0", - "resolved": "https://registry.npmjs.org/teamwork/-/teamwork-3.2.0.tgz", - "integrity": "sha512-xAmJ8PIVjRZMXAHgUuOP8ITsv0SedyWAit2UWiNImXgg/F+BxrsG46ZegElNBM0Dwp+iMfbigg/Ll/M2oDRYww==" - }, - "to-fast-properties": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/to-fast-properties/-/to-fast-properties-1.0.2.tgz", - "integrity": "sha1-8/XAw7pymafvmUJ+RGMyV63kMyA=" - }, - "tough-cookie": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.1.tgz", - "integrity": "sha1-mcd9+7fYBCSeiimdTLD9gf7wg/0=" - }, - "trim-newlines": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-1.0.0.tgz", - "integrity": "sha1-WIeWa7WCpFA6QetST301ARgVphM=" - }, - "tunnel-agent": { - "version": "0.4.3", - "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.4.3.tgz", - "integrity": "sha1-Y3PbdpCf5XDgjXNYM2Xtgop07us=" - }, - "tweetnacl": { - "version": "0.14.3", - "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.3.tgz", - "integrity": "sha1-PaOC9nDyXe1417PReSEZvKC3Ey0=", - "optional": true - }, - "user-home": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/user-home/-/user-home-1.1.1.tgz", - "integrity": "sha1-K1viOjK2Onyd640PKNSFcko98ZA=" - }, - "util-deprecate": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", - "integrity": "sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=" - }, - "uuid": { - "version": "2.0.3", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-2.0.3.tgz", - "integrity": "sha1-Z+LoY3lyFVMN/zGOW/nc6/1Hsho=" - }, - "uuid-parse": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/uuid-parse/-/uuid-parse-1.1.0.tgz", - "integrity": "sha512-OdmXxA8rDsQ7YpNVbKSJkNzTw2I+S5WsbMDnCtIWSQaosNAcWtFuI/YK1TjzUI6nbkgiqEyh8gWngfcv8Asd9A==" - }, - "v8flags": { - "version": "2.0.11", - "resolved": "https://registry.npmjs.org/v8flags/-/v8flags-2.0.11.tgz", - "integrity": "sha1-vKjzDw1tYGEswsAGQeaWLUKuaIE=", - "requires": { - "user-home": "1.1.1" - } - }, - "validate-npm-package-license": { - "version": "3.0.1", - "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.1.tgz", - "integrity": "sha1-KAS6vnEq0zeUWaz74kdGqywwP7w=", - "requires": { - "spdx-correct": "1.0.2", - "spdx-expression-parse": "1.0.4" - } - }, - "verror": { - "version": "1.3.6", - "resolved": "https://registry.npmjs.org/verror/-/verror-1.3.6.tgz", - "integrity": "sha1-z/XfEpRtKX0rqu+qJoniW+AcAFw=", - "requires": { - "extsprintf": "1.0.2" - } - }, - "wrappy": { - "version": "1.0.2", - "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", - "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=" - }, - "xtend": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz", - "integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68=" - } - } -} diff --git a/nss/automation/taskcluster/graph/package.json b/nss/automation/taskcluster/graph/package.json deleted file mode 100644 index 66b3aeb6..00000000 --- a/nss/automation/taskcluster/graph/package.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "name": "decision-task", - "version": "0.0.1", - "private": true, - "author": "Tim Taubert ", - "description": "Decision Task for NSS", - "scripts": { - "compile": "babel-compile -p taskcluster src:lib", - "install": "npm run compile" - }, - "dependencies": { - "babel-cli": "^6.14.0", - "babel-compile": "^2.0.0", - "babel-preset-taskcluster": "^3.0.0", - "babel-runtime": "^6.11.6", - "flatmap": "0.0.3", - "intersect": "^1.0.1", - "js-yaml": "^3.6.1", - "merge": "^1.2.0", - "minimist": "^1.2.0", - "slugid": "^1.1.0", - "tar": "^6.2.1", - "taskcluster-client": "^22.0.0" - } -} diff --git a/nss/automation/taskcluster/graph/src/context_hash.js b/nss/automation/taskcluster/graph/src/context_hash.js deleted file mode 100644 index b1ad5bce..00000000 --- a/nss/automation/taskcluster/graph/src/context_hash.js +++ /dev/null @@ -1,57 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import fs from "fs"; -import path from "path"; -import crypto from "crypto"; -import flatmap from "flatmap"; - -// Compute the SHA-256 digest. -function sha256(data) { - let hash = crypto.createHash("sha256"); - hash.update(data); - return hash.digest("hex"); -} - -// Recursively collect a list of all files of a given directory. -function collectFilesInDirectory(dir) { - if (fs.lstatSync(dir).isFile()) { - return [dir]; - } - - return flatmap(fs.readdirSync(dir), entry => { - let entry_path = path.join(dir, entry); - - if (fs.lstatSync(entry_path).isDirectory()) { - return collectFilesInDirectory(entry_path); - } - - return [entry_path]; - }); -} - -// A list of hashes for each file in the given path. -function collectFileHashes(context_path) { - let root = path.join(__dirname, "../../../.."); - let dir = path.join(root, context_path); - let files = collectFilesInDirectory(dir).sort(); - - return files.map(file => { - return sha256(file + "|" + fs.readFileSync(file, "utf-8")); - }); -} - -// Compute a context hash for the given context path. -export default function (context_path) { - // Regenerate when image_builder.js changes - let hashes = collectFileHashes("automation/taskcluster/graph/src/image_builder.js"); - - // Regenerate images when the image itself changes. - hashes = hashes.concat(collectFileHashes(context_path)); - - // Generate a new prefix every month to ensure the image stays buildable. - let now = new Date(); - let prefix = `${now.getUTCFullYear()}-${now.getUTCMonth() + 1}:`; - return sha256(prefix + hashes.join(",")); -} diff --git a/nss/automation/taskcluster/graph/src/extend.js b/nss/automation/taskcluster/graph/src/extend.js deleted file mode 100644 index 55f73005..00000000 --- a/nss/automation/taskcluster/graph/src/extend.js +++ /dev/null @@ -1,1228 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import merge from "./merge"; -import * as queue from "./queue"; - -const LINUX_IMAGE = { - name: "linux", - path: "automation/taskcluster/docker" -}; - -const LINUX_BUILDS_IMAGE = { - name: "linux-builds", - path: "automation/taskcluster/docker-builds" -}; - -const ACVP_IMAGE = { - name: "acvp", - path: "automation/taskcluster/docker-acvp" -}; - -const CLANG_FORMAT_IMAGE = { - name: "clang-format", - path: "automation/taskcluster/docker-clang-format" -}; - -const LINUX_GCC44_IMAGE = { - name: "linux-gcc-4.4", - path: "automation/taskcluster/docker-gcc-4.4" -}; - -const FUZZ_IMAGE = { - name: "fuzz", - path: "automation/taskcluster/docker-fuzz" -}; - -const WINDOWS_CHECKOUT_CMD = - "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " + - "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " + - "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)\""; -const MAC_CHECKOUT_CMD = ["bash", "-c", - "hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " + - "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " + - "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)"]; - -/*****************************************************************************/ - -queue.filter(task => { - if (task.group == "Builds") { - // Remove extra builds on {A,UB}San and ARM. - if (task.collection == "asan" || task.platform == "aarch64") { - return false; - } - - // Make modular builds only on Linux make. - if (task.symbol == "modular" && task.collection != "make") { - return false; - } - } - - if (task.tests == "bogo" || task.tests == "tlsfuzzer") { - // No windows - if (task.platform == "windows2012-64" || - task.platform == "windows2012-32") { - return false; - } - - // No ARM; TODO: enable - if (task.platform == "aarch64") { - return false; - } - - // No mac - if (task.platform == "mac") { - return false; - } - } - - if (task.tests == "fips" && - (task.platform == "mac" || task.platform == "aarch64")) { - return false; - } - - // Only old make builds have -Ddisable_libpkix=0 and can run chain tests. - if (task.tests == "chains" && task.collection != "make") { - return false; - } - - // Don't run all additional hardware tests on ARM. - if (task.group == "Cipher" && task.platform == "aarch64" && task.env && - (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_SSE4_1 == "1" - || task.env.NSS_DISABLE_AVX == "1" || task.env.NSS_DISABLE_AVX2 == "1")) { - return false; - } - - // Don't run ARM specific hardware tests on non-ARM. - // TODO: our server that runs task cluster doesn't support Intel SHA extensions. - if (task.group == "Cipher" && task.platform != "aarch64" && task.env && - (task.env.NSS_DISABLE_HW_SHA1 == "1" || task.env.NSS_DISABLE_HW_SHA2 == "1")) { - return false; - } - - // Don't run DBM builds on aarch64. - if (task.group == "DBM" && task.platform == "aarch64") { - return false; - } - - return true; -}); - -queue.map(task => { - if (task.collection == "asan") { - // CRMF and FIPS tests still leak, unfortunately. - if (task.tests == "crmf") { - task.env.ASAN_OPTIONS = "detect_leaks=0"; - } - } - - if (task.tests == "ssl") { - if (!task.env) { - task.env = {}; - } - - // Stress tests to not include other SSL tests - if (task.symbol == "stress") { - task.env.NSS_SSL_TESTS = "normal_normal"; - } else { - task.env.NSS_SSL_TESTS = "crl iopr policy normal_normal"; - } - - // FIPS runs - if (task.collection == "fips") { - task.env.NSS_SSL_TESTS += " fips_fips fips_normal normal_fips"; - } - - if (task.platform == "mac") { - task.maxRunTime = 7200; - } - } - - // Windows is slow. - if ((task.platform == "windows2012-32" || task.platform == "windows2012-64") && - task.tests == "chains") { - task.maxRunTime = 7200; - } - - if (task.platform == "mac" && task.tests == "tools") { - task.maxRunTime = 7200; - } - return task; -}); - -/*****************************************************************************/ - -export default async function main() { - await scheduleLinux("Linux 32 (opt)", { - platform: "linux32", - image: LINUX_IMAGE - }, "-t ia32 --opt"); - - await scheduleLinux("Linux 32 (debug)", { - platform: "linux32", - collection: "debug", - image: LINUX_IMAGE - }, "-t ia32"); - - await scheduleLinux("Linux 64 (opt)", { - platform: "linux64", - image: LINUX_IMAGE - }, "--opt"); - - await scheduleLinux("Linux 64 (debug)", { - platform: "linux64", - collection: "debug", - image: LINUX_IMAGE - }); - - await scheduleLinux("Linux 64 (debug, make)", { - env: {USE_64: "1"}, - platform: "linux64", - image: LINUX_IMAGE, - collection: "make", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh" - ], - }); - - await scheduleLinux("Linux 64 (opt, make)", { - env: {USE_64: "1", BUILD_OPT: "1"}, - platform: "linux64", - image: LINUX_IMAGE, - collection: "make", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh" - ], - }); - - await scheduleLinux("Linux 32 (debug, make)", { - platform: "linux32", - image: LINUX_IMAGE, - collection: "make", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh" - ], - }); - - await scheduleLinux("Linux 64 (ASan, debug)", { - env: { - UBSAN_OPTIONS: "print_stacktrace=1", - NSS_DISABLE_ARENA_FREE_LIST: "1", - NSS_DISABLE_UNLOAD: "1", - CC: "clang", - CCC: "clang++", - }, - platform: "linux64", - collection: "asan", - image: LINUX_IMAGE, - features: ["allowPtrace"], - }, "--ubsan --asan"); - - await scheduleLinux("Linux 64 (FIPS opt)", { - platform: "linux64", - collection: "fips", - image: LINUX_IMAGE, - }, "--enable-fips --opt"); - - await scheduleWindows("Windows 2012 64 (debug, make)", { - platform: "windows2012-64", - collection: "make", - env: {USE_64: "1"} - }, "build.sh"); - - await scheduleWindows("Windows 2012 32 (debug, make)", { - platform: "windows2012-32", - collection: "make" - }, "build.sh"); - - await scheduleWindows("Windows 2012 64 (opt)", { - platform: "windows2012-64", - }, "build_gyp.sh --opt"); - - await scheduleWindows("Windows 2012 64 (debug)", { - platform: "windows2012-64", - collection: "debug" - }, "build_gyp.sh"); - - await scheduleWindows("Windows 2012 64 Static (opt)", { - platform: "windows2012-64", - collection: "opt-static" - }, "build_gyp.sh --opt --static"); - - await scheduleWindows("Windows 2012 32 (opt)", { - platform: "windows2012-32", - }, "build_gyp.sh --opt -t ia32"); - - await scheduleWindows("Windows 2012 32 (debug)", { - platform: "windows2012-32", - collection: "debug" - }, "build_gyp.sh -t ia32"); - - await scheduleFuzzing(); - await scheduleFuzzing32(); - - await scheduleTools(); - - let aarch64_base = { - image: "franziskus/nss-aarch64-ci", - provisioner: "localprovisioner", - workerType: "nss-aarch64", - platform: "aarch64", - maxRunTime: 7200 - }; - - await scheduleLinux("Linux AArch64 (debug)", - merge(aarch64_base, { - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh" - ], - collection: "debug", - }) - ); - - await scheduleLinux("Linux AArch64 (opt)", - merge(aarch64_base, { - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh --opt" - ], - collection: "opt", - }) - ); - - await scheduleLinux("Linux AArch64 (debug, make)", - merge(aarch64_base, { - env: {USE_64: "1"}, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh" - ], - collection: "make", - }) - ); - - await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt"); - await scheduleMac("Mac Static (opt)", {collection: "opt-static"}, "--opt --static -Ddisable_libpkix=1"); - await scheduleMac("Mac (debug)", {collection: "debug"}); - - // Must be executed after all other tasks are scheduled - queue.clearFilters(); - await scheduleCodeReview(); -} - - -async function scheduleMac(name, base, args = "") { - let mac_base = merge(base, { - env: { - PATH: "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin", - NSS_TASKCLUSTER_MAC: "1", - DOMSUF: "localdomain", - HOST: "localhost", - }, - provisioner: "releng-hardware", - workerType: `nss-${process.env.MOZ_SCM_LEVEL}-b-osx-1015`, - platform: "mac" - }); - - // Build base definition. - let build_base_without_command_symbol = merge(mac_base, { - maxRunTime: 7200, - artifacts: [{ - expires: 24 * 7, - type: "directory", - path: "public" - }], - kind: "build", - }); - - let gyp_cmd = "nss/automation/taskcluster/scripts/build_gyp.sh "; - - if (!("collection" in base) || - (base.collection != "make" && - base.collection != "asan" && - base.collection != "fips" && - base.collection != "fuzz")) { - let nspr_gyp = gyp_cmd + "--nspr-only --nspr-test-build --nspr-test-run "; - let nspr_build = merge(build_base_without_command_symbol, { - command: [ - MAC_CHECKOUT_CMD, - ["bash", "-c", - nspr_gyp + args] - ], - symbol: "NSPR" - }); - // The task that tests NSPR. - let nspr_task_build = queue.scheduleTask(merge(nspr_build, {name})); - } - - let build_base = merge(build_base_without_command_symbol, { - command: [ - MAC_CHECKOUT_CMD, - ["bash", "-c", - gyp_cmd + args] - ], - symbol: "B" - }); - - // The task that builds NSPR+NSS. - let task_build = queue.scheduleTask(merge(build_base, {name})); - - // The task that generates certificates. - let task_cert = queue.scheduleTask(merge(build_base, { - name: "Certificates", - command: [ - MAC_CHECKOUT_CMD, - ["bash", "-c", - "nss/automation/taskcluster/scripts/gen_certs.sh"] - ], - parent: task_build, - symbol: "Certs" - })); - - // Schedule tests. - scheduleTests(task_build, task_cert, merge(mac_base, { - command: [ - MAC_CHECKOUT_CMD, - ["bash", "-c", - "nss/automation/taskcluster/scripts/run_tests.sh"] - ] - })); - - return queue.submit(); -} - -/*****************************************************************************/ - -async function scheduleLinux(name, overrides, args = "") { - let checkout_and_gyp = "bin/checkout.sh && nss/automation/taskcluster/scripts/build_gyp.sh "; - let artifacts_and_kind = { - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, - kind: "build", - }; - - if (!("collection" in overrides) || - (overrides.collection != "make" && - overrides.collection != "asan" && - overrides.collection != "fips" && - overrides.collection != "fuzz")) { - let nspr_gyp = checkout_and_gyp + "--nspr-only --nspr-test-build --nspr-test-run "; - - let nspr_base = merge({ - command: [ - "/bin/bash", - "-c", - nspr_gyp + args - ], - }, overrides); - let nspr_without_symbol = merge(nspr_base, artifacts_and_kind); - let nspr_build = merge(nspr_without_symbol, { - symbol: "NSPR", - }); - // The task that tests NSPR. - let nspr_task_build = queue.scheduleTask(merge(nspr_build, {name})); - } - - // Construct a base definition. This takes |overrides| second because - // callers expect to be able to overwrite the |command| key. - let base = merge({ - command: [ - "/bin/bash", - "-c", - checkout_and_gyp + args - ], - }, overrides); - - let base_without_symbol = merge(base, artifacts_and_kind); - - // The base for building. - let build_base = merge(base_without_symbol, { - symbol: "B", - }); - - // The task that builds NSPR+NSS. - let task_build = queue.scheduleTask(merge(build_base, {name})); - - // Make builds run FIPS tests, which need an extra FIPS build. - if (base.collection == "make") { - let extra_build = queue.scheduleTask(merge(build_base, { - env: { NSS_FORCE_FIPS: "1" }, - group: "FIPS", - name: `${name} w/ NSS_FORCE_FIPS` - })); - - // The task that generates certificates. - let task_cert = queue.scheduleTask(merge(build_base, { - name: "Certificates", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh" - ], - parent: extra_build, - symbol: "Certs-F", - group: "FIPS", - })); - - // Schedule FIPS tests. - queue.scheduleTask(merge(base, { - parent: task_cert, - name: "FIPS", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh" - ], - cycle: "standard", - kind: "test", - name: "FIPS tests", - symbol: "Tests-F", - tests: "fips", - group: "FIPS" - })); - } - - // The task that generates certificates. - let cert_base = merge(build_base, { - name: "Certificates", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh" - ], - parent: task_build, - symbol: "Certs" - }); - let task_cert = queue.scheduleTask(cert_base); - - // Schedule tests. - scheduleTests(task_build, task_cert, merge(base, { - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh" - ], - provisioner: "nss-t", - workerType: "t-linux-xlarge-gcp" - })); - - // Extra builds. - let extra_base = merge(build_base, { - group: "Builds", - image: LINUX_BUILDS_IMAGE, - }); - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ clang-4`, - env: { - CC: "clang-4.0", - CCC: "clang++-4.0", - }, - symbol: "clang-4" - })); - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ clang-10`, - env: { - CC: "clang-10", - CCC: "clang++-10", - }, - symbol: "clang-10" - })); - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ gcc-4.4`, - image: LINUX_GCC44_IMAGE, - env: { - USE_64: "1", - CC: "gcc-4.4", - CCC: "g++-4.4", - // gcc-4.6 introduced nullptr. - NSS_DISABLE_GTESTS: "1", - }, - // Use the old Makefile-based build system, GYP doesn't have a proper GCC - // version check for __int128 support. It's mainly meant to cover RHEL6. - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh", - ], - symbol: "gcc-4.4" - })); - - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ gcc-4.8`, - env: { - CC: "gcc-4.8", - CCC: "g++-4.8", - // gcc-4.8 has incomplete c++11 support - NSS_DISABLE_GTESTS: "1", - }, - // Use -Ddisable-intelhw_sha=1, GYP doesn't have a proper GCC version - // check for Intel SHA support. - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh", - ], - symbol: "gcc-4.8" - })); - - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ gcc-5`, - env: { - CC: "gcc-5", - CCC: "g++-5" - }, - symbol: "gcc-5" - })); - - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ gcc-11`, - env: { - CC: "gcc-11", - CCC: "g++-11", - }, - symbol: "gcc-11" - })); - - queue.scheduleTask(merge(extra_base, { - name: `${name} w/ modular builds`, - image: LINUX_IMAGE, - env: {NSS_BUILD_MODULAR: "1"}, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/build.sh", - ], - symbol: "modular" - })); - - if (base.collection != "make") { - let task_build_dbm = queue.scheduleTask(merge(extra_base, { - name: `${name} w/ legacy-db`, - command: [ - "/bin/bash", - "-c", - checkout_and_gyp + "--enable-legacy-db " + args - ], - symbol: "B", - group: "DBM", - })); - - let task_cert_dbm = queue.scheduleTask(merge(cert_base, { - parent: task_build_dbm, - group: "DBM", - symbol: "Certs" - })); - } - - return queue.submit(); -} - -/*****************************************************************************/ - -function scheduleFuzzingRun(base, name, target, max_len, symbol = null, corpus = null) { - const MAX_FUZZ_TIME = 300; - - queue.scheduleTask(merge(base, { - name, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " + - `${target} ${corpus || target} ` + - `-max_total_time=${MAX_FUZZ_TIME} ` + - `-max_len=${max_len}` - ], - provisioner: "nss-t", - workerType: "t-linux-xlarge-gcp", - symbol: symbol || name - })); -} - -async function scheduleFuzzing() { - let base = { - env: { - ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1", - UBSAN_OPTIONS: "print_stacktrace=1", - NSS_DISABLE_ARENA_FREE_LIST: "1", - NSS_DISABLE_UNLOAD: "1", - CC: "clang", - CCC: "clang++" - }, - features: ["allowPtrace"], - platform: "linux64", - collection: "fuzz", - image: FUZZ_IMAGE - }; - - // Build base definition. - let build_base = merge(base, { - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && " + - "nss/automation/taskcluster/scripts/build_gyp.sh --fuzz" - ], - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, - kind: "build", - symbol: "B" - }); - - // The task that builds NSPR+NSS. - let task_build = queue.scheduleTask(merge(build_base, { - name: "Linux x64 (debug, fuzz)" - })); - - // The task that builds NSPR+NSS (TLS fuzzing mode). - let task_build_tls = queue.scheduleTask(merge(build_base, { - name: "Linux x64 (debug, TLS fuzz)", - symbol: "B", - group: "TLS", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && " + - "nss/automation/taskcluster/scripts/build_gyp.sh --fuzz=tls" - ], - })); - - // Schedule tests. - queue.scheduleTask(merge(base, { - parent: task_build_tls, - name: "Gtests", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh" - ], - env: {GTESTFILTER: "*Fuzz*"}, - tests: "ssl_gtests gtests", - cycle: "standard", - symbol: "Gtest", - kind: "test" - })); - - // Schedule fuzzing runs. - let run_base = merge(base, {parent: task_build, kind: "test"}); - scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096); - scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000); - - // Schedule MPI fuzzing runs. - let mpi_base = merge(run_base, {group: "MPI"}); - let mpi_names = ["add", "addmod", "div", "mod", "mulmod", "sqr", - "sqrmod", "sub", "submod"]; - for (let name of mpi_names) { - scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name); - } - scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod"); - scheduleFuzzingRun(mpi_base, `MPI (expmod)`, `mpi-expmod`, 2048, "expmod"); - - // Schedule TLS fuzzing runs (non-fuzzing mode). - let tls_base = merge(run_base, {group: "TLS"}); - scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm", - "tls-client-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm", - "tls-server-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000, - "dtls-client-nfm", "dtls-client-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000, - "dtls-server-nfm", "dtls-server-no_fuzzer_mode"); - - // Schedule TLS fuzzing runs (fuzzing mode). - let tls_fm_base = merge(tls_base, {parent: task_build_tls}); - scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client"); - scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server"); - scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client"); - scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server"); - - return queue.submit(); -} - -async function scheduleFuzzing32() { - let base = { - env: { - ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1", - UBSAN_OPTIONS: "print_stacktrace=1", - NSS_DISABLE_ARENA_FREE_LIST: "1", - NSS_DISABLE_UNLOAD: "1", - CC: "clang", - CCC: "clang++" - }, - features: ["allowPtrace"], - platform: "linux32", - collection: "fuzz", - image: FUZZ_IMAGE - }; - - // Build base definition. - let build_base = merge(base, { - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && " + - "nss/automation/taskcluster/scripts/build_gyp.sh --fuzz -t ia32" - ], - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, - kind: "build", - symbol: "B" - }); - - // The task that builds NSPR+NSS. - let task_build = queue.scheduleTask(merge(build_base, { - name: "Linux 32 (debug, fuzz)" - })); - - // The task that builds NSPR+NSS (TLS fuzzing mode). - let task_build_tls = queue.scheduleTask(merge(build_base, { - name: "Linux 32 (debug, TLS fuzz)", - symbol: "B", - group: "TLS", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && " + - "nss/automation/taskcluster/scripts/build_gyp.sh --fuzz=tls -t ia32" - ], - })); - - // Schedule tests. - queue.scheduleTask(merge(base, { - parent: task_build_tls, - name: "Gtests", - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh" - ], - env: {GTESTFILTER: "*Fuzz*"}, - tests: "ssl_gtests gtests", - cycle: "standard", - symbol: "Gtest", - kind: "test" - })); - - // Schedule fuzzing runs. - let run_base = merge(base, {parent: task_build, kind: "test"}); - scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096); - scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000); - - // Schedule MPI fuzzing runs. - let mpi_base = merge(run_base, {group: "MPI"}); - let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr", - "sqrmod", "sub", "submod"]; - for (let name of mpi_names) { - scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name); - } - scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod"); - - // Schedule TLS fuzzing runs (non-fuzzing mode). - let tls_base = merge(run_base, {group: "TLS"}); - scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm", - "tls-client-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm", - "tls-server-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000, - "dtls-client-nfm", "dtls-client-no_fuzzer_mode"); - scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000, - "dtls-server-nfm", "dtls-server-no_fuzzer_mode"); - - // Schedule TLS fuzzing runs (fuzzing mode). - let tls_fm_base = merge(tls_base, {parent: task_build_tls}); - scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client"); - scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server"); - scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client"); - scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server"); - - return queue.submit(); -} - -/*****************************************************************************/ - -async function scheduleWindows(name, base, build_script) { - base = merge(base, { - workerType: "b-win2012-azure", - env: { - PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" + - "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" + - "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" + - "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" + - "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" + - "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget;c:\\Program Files\\Mercurial", - DOMSUF: "localdomain", - HOST: "localhost", - }, - features: ["taskclusterProxy"], - scopes: ["project:releng:services/tooltool/api/download/internal"], - }); - - let artifacts_and_kind = { - artifacts: [{ - expires: 24 * 7, - type: "directory", - path: "public\\build" - }], - kind: "build", - }; - - let build_without_command_symbol = merge(base, artifacts_and_kind); - - // Build base definition. - let build_base = merge(build_without_command_symbol, { - command: [ - WINDOWS_CHECKOUT_CMD, - `bash -c 'nss/automation/taskcluster/windows/${build_script}'` - ], - symbol: "B" - }); - - if (!("collection" in base) || - (base.collection != "make" && - base.collection != "asan" && - base.collection != "fips" && - base.collection != "fuzz")) { - let nspr_gyp = - `bash -c 'nss/automation/taskcluster/windows/${build_script} --nspr-only --nspr-test-build --nspr-test-run'`; - let nspr_build = merge(build_without_command_symbol, { - command: [ - WINDOWS_CHECKOUT_CMD, - nspr_gyp - ], - symbol: "NSPR" - }); - // The task that tests NSPR. - let task_build = queue.scheduleTask(merge(nspr_build, {name})); - } - - // Make builds run FIPS tests, which need an extra FIPS build. - if (base.collection == "make") { - let extra_build = queue.scheduleTask(merge(build_base, { - env: { NSS_FORCE_FIPS: "1" }, - group: "FIPS", - name: `${name} w/ NSS_FORCE_FIPS` - })); - - // The task that generates certificates. - let task_cert = queue.scheduleTask(merge(build_base, { - name: "Certificates", - command: [ - WINDOWS_CHECKOUT_CMD, - "bash -c nss/automation/taskcluster/windows/gen_certs.sh" - ], - parent: extra_build, - symbol: "Certs-F", - group: "FIPS", - })); - - // Schedule FIPS tests. - queue.scheduleTask(merge(base, { - parent: task_cert, - name: "FIPS", - command: [ - WINDOWS_CHECKOUT_CMD, - "bash -c nss/automation/taskcluster/windows/run_tests.sh" - ], - cycle: "standard", - kind: "test", - name: "FIPS tests", - symbol: "Tests-F", - tests: "fips", - group: "FIPS" - })); - } - - // The task that builds NSPR+NSS. - let task_build = queue.scheduleTask(merge(build_base, {name})); - - // The task that generates certificates. - let task_cert = queue.scheduleTask(merge(build_base, { - name: "Certificates", - command: [ - WINDOWS_CHECKOUT_CMD, - "bash -c nss/automation/taskcluster/windows/gen_certs.sh" - ], - parent: task_build, - symbol: "Certs" - })); - - // Schedule tests. - scheduleTests(task_build, task_cert, merge(base, { - command: [ - WINDOWS_CHECKOUT_CMD, - "bash -c nss/automation/taskcluster/windows/run_tests.sh" - ] - })); - - return queue.submit(); -} - -/*****************************************************************************/ - -function scheduleTests(task_build, task_cert, test_base) { - test_base = merge(test_base, {kind: "test"}); - let no_cert_base = merge(test_base, {parent: task_build}); - let cert_base = merge(test_base, {parent: task_cert}); - let cert_base_long = merge(cert_base, {maxRunTime: 7200}); - - // Schedule tests that do NOT need certificates. This is defined as - // the test itself not needing certs AND not running under the upgradedb - // cycle (which itself needs certs). If cycle is not defined, default is all. - queue.scheduleTask(merge(no_cert_base, { - name: "Gtests", symbol: "Gtest", tests: "ssl_gtests gtests", cycle: "standard" - })); - queue.scheduleTask(merge(no_cert_base, { - name: "Bogo tests", - symbol: "Bogo", - tests: "bogo", - cycle: "standard", - image: LINUX_BUILDS_IMAGE, - })); - queue.scheduleTask(merge(no_cert_base, { - name: "tlsfuzzer tests", symbol: "tlsfuzzer", tests: "tlsfuzzer", cycle: "standard" - })); - queue.scheduleTask(merge(no_cert_base, { - name: "MPI tests", symbol: "MPI", tests: "mpi", cycle: "standard" - })); - queue.scheduleTask(merge(cert_base, { - name: "Chains tests", symbol: "Chains", tests: "chains" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAES", tests: "cipher", - env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoSHA", tests: "cipher", - env: { - NSS_DISABLE_HW_SHA1: "1", - NSS_DISABLE_HW_SHA2: "1" - }, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher", - env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAVX", tests: "cipher", - env: {NSS_DISABLE_AVX: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAVX2", tests: "cipher", - env: {NSS_DISABLE_AVX2: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher", - env: { - NSS_DISABLE_ARM_NEON: "1", - NSS_DISABLE_SSSE3: "1" - }, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoSSE4.1", tests: "cipher", - env: {NSS_DISABLE_SSE4_1: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base, { - name: "EC tests", symbol: "EC", tests: "ec" - })); - queue.scheduleTask(merge(cert_base, { - name: "Lowhash tests", symbol: "Lowhash", tests: "lowhash" - })); - queue.scheduleTask(merge(cert_base, { - name: "SDR tests", symbol: "SDR", tests: "sdr" - })); - queue.scheduleTask(merge(cert_base, { - name: "Policy tests", symbol: "Policy", tests: "policy" - })); - - // Schedule tests that need certificates. - queue.scheduleTask(merge(cert_base, { - name: "CRMF tests", symbol: "CRMF", tests: "crmf" - })); - queue.scheduleTask(merge(cert_base, { - name: "DB tests", symbol: "DB", tests: "dbtests" - })); - queue.scheduleTask(merge(cert_base, { - name: "Merge tests", symbol: "Merge", tests: "merge" - })); - queue.scheduleTask(merge(cert_base, { - name: "S/MIME tests", symbol: "SMIME", tests: "smime" - })); - queue.scheduleTask(merge(cert_base, { - name: "Tools tests", symbol: "Tools", tests: "tools" - })); - - // SSL tests, need certificates too. - let ssl_base = merge(cert_base, {tests: "ssl", group: "SSL"}); - queue.scheduleTask(merge(ssl_base, { - name: "SSL tests (standard)", symbol: "standard", cycle: "standard" - })); - queue.scheduleTask(merge(ssl_base, { - name: "SSL tests (pkix)", symbol: "pkix", cycle: "pkix" - })); - queue.scheduleTask(merge(ssl_base, { - name: "SSL tests (stress)", symbol: "stress", cycle: "sharedb", - env: {NSS_SSL_RUN: "stress"} - })); -} - -/*****************************************************************************/ - -async function scheduleTools() { - let base = { - platform: "nss-tools", - kind: "test" - }; - - // ABI check task - queue.scheduleTask(merge(base, { - symbol: "abi", - name: "abi", - image: LINUX_BUILDS_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/check_abi.sh" - ], - })); - - queue.scheduleTask(merge(base, { - symbol: "clang-format", - name: "clang-format", - image: CLANG_FORMAT_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/clang-format/run_clang_format.sh" - ] - })); - - queue.scheduleTask(merge(base, { - symbol: "acvp", - name: "acvp", - image: ACVP_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && bin/run.sh" - ] - })); - - queue.scheduleTask(merge(base, { - symbol: "scan-build", - name: "scan-build", - image: FUZZ_IMAGE, - env: { - USE_64: "1", - CC: "clang", - CCC: "clang++", - }, - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_scan_build.sh" - ] - })); - - queue.scheduleTask(merge(base, { - symbol: "hacl", - name: "hacl", - image: LINUX_BUILDS_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_hacl.sh" - ] - })); - - queue.scheduleTask(merge(base, { - symbol: "Coverage", - name: "Coverage", - image: FUZZ_IMAGE, - type: "other", - features: ["allowPtrace"], - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_coverage_report.sh" - ] - })); - - return queue.submit(); -} - -async function scheduleCodeReview() { - let tasks = queue.taggedTasks("code-review"); - if(! tasks) { - console.debug("No code review tasks, skipping ending task"); - return - } - - // From https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/ci/code-review/kind.yml - queue.scheduleTask({ - platform: "nss-tools", - name: "code-review-issues", - description: "List all issues found in static analysis and linting tasks", - - // No logic on that task - image: LINUX_IMAGE, - command: ["/bin/true"], - - // This task must run after all analyzer tasks are completed - parents: tasks, - - // This option permits to run the task - // regardless of the analyzers tasks exit status - // as we are interested in the task failures - requires: "all-resolved", - - // Publish code review trigger on pulse - routes: ["project.relman.codereview.v1.try_ending"], - - kind: "code-review", - symbol: "E" - }); - - return queue.submit(); -}; diff --git a/nss/automation/taskcluster/graph/src/image_builder.js b/nss/automation/taskcluster/graph/src/image_builder.js deleted file mode 100644 index a61d7b81..00000000 --- a/nss/automation/taskcluster/graph/src/image_builder.js +++ /dev/null @@ -1,69 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import * as queue from "./queue"; -import context_hash from "./context_hash"; -import taskcluster from "taskcluster-client"; - -const fs = require("fs"); -const tar = require("tar"); - -async function taskHasImageArtifact(taskId) { - let queue = new taskcluster.Queue(taskcluster.fromEnvVars()); - let {artifacts} = await queue.listLatestArtifacts(taskId); - return artifacts.some(artifact => artifact.name == "public/image.tar.zst"); -} - -async function findTaskWithImageArtifact(ns) { - let index = new taskcluster.Index(taskcluster.fromEnvVars()); - let {taskId} = await index.findTask(ns); - let has_image = await taskHasImageArtifact(taskId); - return has_image ? taskId : null; -} - -export async function findTask({name, path}) { - let hash = await context_hash(path); - let ns = `docker.images.v1.${process.env.TC_PROJECT}.${name}.hash.${hash}`; - return findTaskWithImageArtifact(ns).catch(() => null); -} - -export async function buildTask({name, path}) { - let hash = await context_hash(path); - let ns = `docker.images.v1.${process.env.TC_PROJECT}.${name}.hash.${hash}`; - let fullPath = "/home/worker/nss/" + path - let contextName = name + ".tar.gz"; - let contextRoot = "/home/worker/docker-contexts/"; - let contextPath = contextRoot + contextName; - - if (!fs.existsSync(contextRoot)) { - fs.mkdirSync(contextRoot); - } - - await tar.create({gzip: true, file: contextPath, cwd: fullPath}, ["."]); - - return { - name: `Image Builder (${name})`, - image: "mozillareleases/image_builder:5.0.0", - workerType: "images-gcp", - routes: ["index." + ns], - env: { - IMAGE_NAME: name, - CONTEXT_PATH: "public/docker-contexts/" + contextName, - CONTEXT_TASK_ID: process.env.TASK_ID, - HASH: hash - }, - artifacts: { - "public/image.tar.zst": { - type: "file", - expires: 24 * 90, - path: "/workspace/image.tar.zst" - } - }, - platform: "nss-decision", - features: ["allowPtrace", "chainOfTrust"], - maxRunTime: 7200, - kind: "build", - symbol: `I(${name})` - }; -} diff --git a/nss/automation/taskcluster/graph/src/index.js b/nss/automation/taskcluster/graph/src/index.js deleted file mode 100644 index 78f4af8e..00000000 --- a/nss/automation/taskcluster/graph/src/index.js +++ /dev/null @@ -1,22 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import * as try_syntax from "./try_syntax"; -import * as queue from "./queue"; -import extend from "./extend"; - -const main = async () => { - // Init try syntax filter. - if (process.env.TC_PROJECT == "nss-try") { - await try_syntax.initFilter(); - } - - // Extend the task graph. - await extend(); -}; - -main().catch(err => { - console.error(err); - process.exit(1); -}); diff --git a/nss/automation/taskcluster/graph/src/merge.js b/nss/automation/taskcluster/graph/src/merge.js deleted file mode 100644 index 17043dd8..00000000 --- a/nss/automation/taskcluster/graph/src/merge.js +++ /dev/null @@ -1,10 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import {recursive as merge} from "merge"; - -// We always want to clone. -export default function (...args) { - return merge(true, ...args); -} diff --git a/nss/automation/taskcluster/graph/src/queue.js b/nss/automation/taskcluster/graph/src/queue.js deleted file mode 100644 index 2a693472..00000000 --- a/nss/automation/taskcluster/graph/src/queue.js +++ /dev/null @@ -1,308 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import {clone} from "merge"; -import merge from "./merge"; -import slugid from "slugid"; -import taskcluster from "taskcluster-client"; -import * as image_builder from "./image_builder"; - -let maps = []; -let filters = []; - -let tasks = new Map(); -let tags = new Map(); -let image_tasks = new Map(); -let parameters = {}; - -let queue = new taskcluster.Queue({ - rootUrl: process.env.TASKCLUSTER_PROXY_URL, -}); - -function fromNow(hours) { - let d = new Date(); - d.setHours(d.getHours() + (hours|0)); - return d.toJSON(); -} - -function parseRoutes(routes) { - let rv = [ - `tc-treeherder.v2.${process.env.TC_PROJECT}.${process.env.NSS_HEAD_REVISION}.${process.env.NSS_PUSHLOG_ID}`, - ...routes - ]; - - // Notify about failures (except on try). - // Turned off, too noisy. - /*if (process.env.TC_PROJECT != "nss-try") { - rv.push(`notify.email.${process.env.TC_OWNER}.on-failed`, - `notify.email.${process.env.TC_OWNER}.on-exception`); - }*/ - - return rv; -} - -function parseFeatures(list) { - return list.reduce((map, feature) => { - map[feature] = true; - return map; - }, {}); -} - -function parseArtifacts(artifacts) { - let copy = clone(artifacts); - Object.keys(copy).forEach(key => { - copy[key].expires = fromNow(copy[key].expires); - }); - return copy; -} - -function parseCollection(name) { - let collection = {}; - collection[name] = true; - return collection; -} - -function parseTreeherder(def) { - let treeherder = { - build: { - platform: def.platform - }, - machine: { - platform: def.platform - }, - symbol: def.symbol, - jobKind: def.kind - }; - - if (def.group) { - treeherder.groupSymbol = def.group; - } - - if (def.collection) { - treeherder.collection = parseCollection(def.collection); - } - - if (def.tier) { - treeherder.tier = def.tier; - } - - return treeherder; -} - -function convertTask(def) { - let scopes = []; - let dependencies = []; - - let env = merge({ - NSS_HEAD_REPOSITORY: process.env.NSS_HEAD_REPOSITORY, - NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION, - NSS_MAX_MP_PBE_ITERATION_COUNT: "100", - }, def.env || {}); - - if (def.parent) { - dependencies.push(def.parent); - env.TC_PARENT_TASK_ID = def.parent; - } - if (def.parents) { - dependencies = dependencies.concat(def.parents); - } - if (dependencies.length === 0) { - // If task has no dependencies, make it depend on the Decision task. - dependencies.push(process.env.TASK_ID); - } - - if (def.tests) { - env.NSS_TESTS = def.tests; - } - - if (def.cycle) { - env.NSS_CYCLES = def.cycle; - } - if (def.kind === "build") { - // Disable leak checking during builds (bug 1579290). - if (env.ASAN_OPTIONS) { - env.ASAN_OPTIONS += ":detect_leaks=0"; - } else { - env.ASAN_OPTIONS = "detect_leaks=0"; - } - } - - let payload = { - env, - command: def.command, - maxRunTime: def.maxRunTime || 3600 - }; - - if (def.image) { - payload.image = def.image; - } - - if (def.artifacts) { - payload.artifacts = parseArtifacts(def.artifacts); - } - - if (def.features) { - payload.features = parseFeatures(def.features); - - if (payload.features.allowPtrace) { - scopes.push("docker-worker:feature:allowPtrace"); - } - } - - if (def.scopes) { - // Need to add existing scopes in the task definition - scopes.push.apply(scopes, def.scopes) - } - - let extra = Object.assign({ - treeherder: parseTreeherder(def) - }, parameters); - - return { - provisionerId: def.provisioner || `nss-${process.env.MOZ_SCM_LEVEL}`, - workerType: def.workerType || "linux-gcp", - schedulerId: process.env.TC_SCHEDULER_ID, - taskGroupId: process.env.TASK_ID, - - scopes, - created: fromNow(0), - deadline: fromNow(24), - - dependencies, - requires: def.requires || "all-completed", - routes: parseRoutes(def.routes || []), - - metadata: { - name: def.name, - description: def.name, - owner: process.env.TC_OWNER, - source: process.env.TC_SOURCE - }, - - payload, - extra, - }; -} - -export function map(fun) { - maps.push(fun); -} - -export function filter(fun) { - filters.push(fun); -} - -export function addParameters(params) { - parameters = Object.assign(parameters, params); -} - -export function clearFilters(fun) { - filters = []; -} - -export function taggedTasks(tag) { - return tags[tag]; -} - -export function scheduleTask(def) { - let taskId = slugid.v4(); - tasks.set(taskId, merge({}, def)); - return taskId; -} - -export async function submit() { - let promises = new Map(); - - for (let [taskId, task] of tasks) { - // Allow filtering tasks before we schedule them. - if (!filters.every(filter => filter(task))) { - continue; - } - - // Allow changing tasks before we schedule them. - maps.forEach(map => { task = map(merge({}, task)) }); - - let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`; - if (task.group) { - log_id = `${task.group}::${log_id}`; - } - console.log(`+ Submitting ${log_id}.`); - - // Index that task for each tag specified - if(task.tags) { - task.tags.map(tag => { - if(!tags[tag]) { - tags[tag] = []; - } - tags[tag].push(taskId); - }); - } - - let parent = task.parent; - - // Convert the task definition. - task = await convertTask(task); - - // Convert the docker image definition. - let image_def = task.payload.image; - if (image_def && image_def.hasOwnProperty("path")) { - let key = `${image_def.name}:${image_def.path}`; - let data = {}; - - // Check the cache first. - if (image_tasks.has(key)) { - data = image_tasks.get(key); - } else { - data.taskId = await image_builder.findTask(image_def); - data.isPending = !data.taskId; - - // No task found. - if (data.isPending) { - let image_task = await image_builder.buildTask(image_def); - - // Schedule a new image builder task immediately. - data.taskId = slugid.v4(); - - try { - await queue.createTask(data.taskId, convertTask(image_task)); - } catch (e) { - console.error("! FAIL: Scheduling image builder task failed."); - continue; /* Skip this task on failure. */ - } - } - - // Store in cache. - image_tasks.set(key, data); - } - - if (data.isPending) { - task.dependencies.push(data.taskId); - } - - task.payload.image = { - path: "public/image.tar.zst", - taskId: data.taskId, - type: "task-image" - }; - } - - // Wait for the parent task to be created before scheduling dependants. - let predecessor = parent ? promises.get(parent) : Promise.resolve(); - - promises.set(taskId, predecessor.then(() => { - // Schedule the task. - return queue.createTask(taskId, task).catch(err => { - console.error(`! FAIL: Scheduling ${log_id} failed.`, err); - }); - })); - } - - // Wait for all requests to finish. - if (promises.length) { - await Promise.all([...promises.values()]); - console.log("=== Total:", promises.length, "tasks. ==="); - } - - tasks.clear(); -} diff --git a/nss/automation/taskcluster/graph/src/try_syntax.js b/nss/automation/taskcluster/graph/src/try_syntax.js deleted file mode 100644 index 73286499..00000000 --- a/nss/automation/taskcluster/graph/src/try_syntax.js +++ /dev/null @@ -1,201 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -import * as queue from "./queue"; -import path from 'path' -import fs from 'fs' -import intersect from "intersect"; -import parse_args from "minimist"; -import util from "util"; -import child_process from 'child_process'; - -let execFile = util.promisify(child_process.execFile); - -function parseOptions(opts) { - opts = parse_args(opts.split(/\s+/), { - default: {build: "do", platform: "all", unittests: "none", tools: "none"}, - alias: {b: "build", p: "platform", u: "unittests", t: "tools", e: "extra-builds"}, - string: ["build", "platform", "unittests", "tools", "extra-builds"] - }); - - // Parse build types (d=debug, o=opt). - let builds = intersect(opts.build.split(""), ["d", "o"]); - - // If the given value is nonsense default to debug and opt builds. - if (builds.length == 0) { - builds = ["d", "o"]; - } - - // Parse platforms. - let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips", - "win", "win64", "win-make", "win64-make", - "linux64-make", "linux-make", "linux-fuzz", - "linux64-fuzz", "aarch64", "aarch64-make", "mac"]; - let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms); - - // If the given value is nonsense or "none" default to all platforms. - if (platforms.length == 0 && opts.platform != "none") { - platforms = allPlatforms; - } - - // Parse unit tests. - let aliases = {"gtests": "gtest"}; - let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips", - "gtest", "lowhash", "merge", "sdr", "smime", "tools", - "ssl", "mpi", "scert", "spki", "policy", "tlsfuzzer"]; - let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => { - return aliases[t] || t; - }), allUnitTests); - - // If the given value is "all" run all tests. - // If it's nonsense then don't run any tests. - if (opts.unittests == "all") { - unittests = allUnitTests; - } else if (unittests.length == 0) { - unittests = []; - } - - // Parse tools. - let allTools = ["clang-format", "scan-build", "hacl", "acvp", "saw", "abi", "coverage"]; - let tools = intersect(opts.tools.split(/\s*,\s*/), allTools); - - // If the given value is "all" run all tools. - // If it's nonsense then don't run any tools. - if (opts.tools == "all") { - tools = allTools; - } else if (tools.length == 0) { - tools = []; - } - - return { - builds: builds, - platforms: platforms, - unittests: unittests, - extra: (opts.e == "all"), - tools: tools - }; -} - -function filter(opts) { - return function (task) { - // Filter tools. We can immediately return here as those - // are not affected by platform or build type selectors. - if (task.platform == "nss-tools") { - return opts.tools.some(tool => { - return task.symbol.toLowerCase().startsWith(tool) || - (task.group && task.group.toLowerCase().startsWith(tool)); - }); - } - - // Filter unit tests. - if (task.tests) { - let found = opts.unittests.some(test => { - if (task.group && task.group.toLowerCase() == "ssl" && test == "ssl") { - return true; - } - if (task.group && task.group.toLowerCase() == "cipher" && test == "cipher") { - return true; - } - return task.symbol.toLowerCase().startsWith(test); - }); - - if (!found) { - return false; - } - } - - // Filter extra builds. - if (task.group == "Builds" && !opts.extra) { - return false; - } - - let coll = name => name == (task.collection || "opt"); - - // Filter by platform. - let found = opts.platforms.some(platform => { - let aliases = { - "aarch64-make": "aarch64", - "linux": "linux32", - "linux-fuzz": "linux32", - "linux64-asan": "linux64", - "linux64-fips": "linux64", - "linux64-fuzz": "linux64", - "linux64-make": "linux64", - "linux-make": "linux32", - "win64-make": "windows2012-64", - "win-make": "windows2012-32", - "win64": "windows2012-64", - "win": "windows2012-32" - }; - - // Check the platform name. - let keep = (task.platform == (aliases[platform] || platform)); - - // Additional checks. - if (platform == "linux64-asan") { - keep &= coll("asan"); - } else if (platform == "linux64-fips") { - keep &= coll("fips"); - } else if (platform == "linux64-make" || platform == "linux-make" || - platform == "win64-make" || platform == "win-make" || - platform == "aarch64-make") { - keep &= coll("make"); - } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") { - keep &= coll("fuzz"); - } else { - keep &= coll("opt") || coll("debug"); - } - - return keep; - }); - - if (!found) { - return false; - } - - // Finally, filter by build type. - let isDebug = coll("debug") || coll("asan") || coll("make") || - coll("fuzz"); - return (isDebug && opts.builds.includes("d")) || - (!isDebug && opts.builds.includes("o")); - } -} - -async function getCommitComment() { - const res = await execFile('hg', ['log', '-r', '.', '-T', '{desc}']); - return res.stdout; -}; - -export async function initFilter() { - let comment = await getCommitComment(); - - // Load try_task_config.json - // Add parameters to queue for created tasks - let config_path = path.normalize(path.join(__dirname, '../../../../try_task_config.json')) - if (fs.existsSync(config_path)) { - var payload = JSON.parse(fs.readFileSync(config_path)); - if (payload['version'] == 2) { - queue.addParameters(payload['parameters']); - } - } - - // Check for try syntax in changeset comment. - let match = comment.match(/\btry:\s*(.*)\s*$/m); - - // Add try syntax filter. - if (match) { - let match1 = match[1]; - queue.filter(filter(parseOptions(match1))); - - if (match1.includes("--nspr-patch")) { - queue.map(task => { - if (!task.env) { - task.env = {}; - } - task.env.ALLOW_NSPR_PATCH = "1"; - return task; - }); - } - } -} diff --git a/nss/automation/taskcluster/scripts/build.sh b/nss/automation/taskcluster/scripts/build.sh index 0e817e82..ab6bf5db 100755 --- a/nss/automation/taskcluster/scripts/build.sh +++ b/nss/automation/taskcluster/scripts/build.sh @@ -1,8 +1,17 @@ #!/usr/bin/env bash -source $(dirname "$0")/tools.sh +. $(dirname "$0")/tools.sh + +set -e + +test -v VCS_PATH + +# builds write to the source dir (and its parent), so move the source trees to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" . if [ -n "$NSS_BUILD_MODULAR" ]; then + ln -sf /builds/worker/artifacts artifacts $(dirname "$0")/build_nspr.sh || exit $? $(dirname "$0")/build_util.sh || exit $? $(dirname "$0")/build_softoken.sh || exit $? @@ -10,13 +19,10 @@ if [ -n "$NSS_BUILD_MODULAR" ]; then exit fi -# Clone NSPR if needed. -hg_clone https://hg.mozilla.org/projects/nspr ./nspr default - pushd nspr hg revert --all if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then - cat ../nss/nspr.patch | patch -p1 + patch -p1 < ../nss/nspr.patch fi popd @@ -24,5 +30,10 @@ popd make -C nss nss_build_all # Package. -mkdir artifacts -tar cvfjh artifacts/dist.tar.bz2 dist +if [ `uname` = Linux ]; then + artifacts=/builds/worker/artifacts +else + mkdir artifacts + artifacts=artifacts +fi +tar cvfjh ${artifacts}/dist.tar.bz2 dist diff --git a/nss/automation/taskcluster/scripts/build_cryptofuzz.sh b/nss/automation/taskcluster/scripts/build_cryptofuzz.sh new file mode 100755 index 00000000..fb5aed23 --- /dev/null +++ b/nss/automation/taskcluster/scripts/build_cryptofuzz.sh @@ -0,0 +1,97 @@ +#!/usr/bin/env bash + +source $(dirname "$0")/tools.sh + +# Do differential fuzzing with Botan (and not OpenSSL) since NSS has +# symbol collisions with OpenSSL and therefore they can't be used together +# in Cryptofuzz. +export CRYPTOFUZZ_VERSION="687d3064c5cef2b0fe1f30824065a2f2c9c0bbd8" +export BOTAN_VERSION="3.6.1" + +git clone -q https://github.com/MozillaSecurity/cryptofuzz.git +git -C cryptofuzz checkout "$CRYPTOFUZZ_VERSION" + +git clone -q https://github.com/randombit/botan.git +git -C botan checkout "$BOTAN_VERSION" + +export CC="clang" +export CXX="clang++" + +export CFLAGS="-fsanitize=address,fuzzer-no-link -O2 -g" +export CXXFLAGS="-fsanitize=address,fuzzer-no-link -O2 -g" + +if [ "$1" = "--i386" ]; then + # Make sure everything is compiled and linked with 32-bit. + export CFLAGS="$CFLAGS -m32" + export CXXFLAGS="$CXXFLAGS -m32" + + export LD_FLAGS="$LD_FLAGS -m32" + export LINK_FLAGS="$LINK_FLAGS -m32" + + # Some static libraries aren't built on 32-bit systems, but still assumed + # to exist by Cryptofuzz. + sed -i "/libhw-acc-crypto-avx.a/d" cryptofuzz/modules/nss/Makefile + sed -i "/libhw-acc-crypto-avx2.a/d" cryptofuzz/modules/nss/Makefile +else + # UBSan is only enabled for 64-bit builds of NSS. + export CFLAGS="$CFLAGS -fsanitize=undefined" + export CXXFLAGS="$CXXFLAGS -fsanitize=undefined" +fi + +# Build Botan. +pushd botan +if [ "$1" = "--i386" ]; then + ./configure.py --cpu=x86_32 \ + --cc-bin=$CXX \ + --cc-abi-flags="$CXXFLAGS" \ + --disable-shared \ + --disable-modules=locking_allocator \ + --build-targets=static \ + --without-documentation +else + ./configure.py --cc-bin=$CXX \ + --cc-abi-flags="$CXXFLAGS" \ + --disable-shared \ + --disable-modules=locking_allocator \ + --build-targets=static \ + --without-documentation +fi +make -j"$(nproc)" +popd + +# Generate Cryptofuzz header. +pushd cryptofuzz +./gen_repository.py +popd + +# Build Botan module. +export CXXFLAGS="$CXXFLAGS -DCRYPTOFUZZ_BOTAN" +export LIBBOTAN_A_PATH="$(realpath botan/libbotan-3.a)" +export BOTAN_INCLUDE_PATH="$(realpath botan/build/include)" + +pushd cryptofuzz/modules/botan +make -j"$(nproc)" +popd + +# Build NSS module. +export NSS_NSPR_PATH="$PWD" +export CXXFLAGS="$CXXFLAGS -I $NSS_NSPR_PATH/dist/public/nss -I $NSS_NSPR_PATH/dist/Debug/include/nspr -DCRYPTOFUZZ_NSS -DCRYPTOFUZZ_NO_OPENSSL" +export LINK_FLAGS="$LINK_FLAGS -lsqlite3" + +# The library lies somewhere else than what is expected by Cryptofuzz. +sed -i "s/nspr\/Debug\/pr\/src/dist\/Debug\/lib/" cryptofuzz/modules/nss/Makefile + +pushd cryptofuzz/modules/nss +make -j"$(nproc)" +popd + +# Build Cryptofuzz. +export LIBFUZZER_LINK="-fsanitize=fuzzer" + +pushd cryptofuzz +make -j"$(nproc)" +popd + +# Package +mkdir -p artifacts +tar cvfjh artifacts/cryptofuzz.tar.bz2 cryptofuzz diff --git a/nss/automation/taskcluster/scripts/build_gyp.sh b/nss/automation/taskcluster/scripts/build_gyp.sh index 349615d1..e59ab1d2 100755 --- a/nss/automation/taskcluster/scripts/build_gyp.sh +++ b/nss/automation/taskcluster/scripts/build_gyp.sh @@ -1,19 +1,24 @@ #!/usr/bin/env bash -source $(dirname "$0")/tools.sh +. $(dirname "$0")/tools.sh -# Clone NSPR if needed. -hg_clone https://hg.mozilla.org/projects/nspr ./nspr default +set -e + +test -n "${VCS_PATH}" + +# builds write to the source dir (and its parent), so move the source trees to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nspr" "${VCS_PATH}/nss" . pushd nspr hg revert --all -if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then - cat ../nss/nspr.patch | patch -p1 +if [ -f "../nss/nspr.patch" ] && [ "$ALLOW_NSPR_PATCH" = "1" ]; then + patch -p1 < ../nss/nspr.patch fi popd # Dependencies -# For MacOS we have hardware in the CI which doesn't allow us o deploy VMs. +# For MacOS we have hardware in the CI which doesn't allow us to deploy VMs. # The setup is hardcoded and can't be changed easily. # This part is a helper We install dependencies manually to help. if [ "$(uname)" = "Darwin" ]; then @@ -26,10 +31,14 @@ fi nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" # Package. -if [[ $(uname) = "Darwin" ]]; then +if [ "$(uname)" = "Darwin" ]; then mkdir -p public tar cvfjh public/dist.tar.bz2 dist else - mkdir artifacts + if [ "$(uname)" = Linux ]; then + ln -s /builds/worker/artifacts artifacts + else + mkdir artifacts + fi tar cvfjh artifacts/dist.tar.bz2 dist fi diff --git a/nss/automation/taskcluster/scripts/check_abi.sh b/nss/automation/taskcluster/scripts/check_abi.sh index 88ae643a..7932fdc3 100755 --- a/nss/automation/taskcluster/scripts/check_abi.sh +++ b/nss/automation/taskcluster/scripts/check_abi.sh @@ -2,8 +2,6 @@ set_env() { - cd /home/worker - HGDIR=/home/worker OUTPUTDIR=$(pwd)$(echo "/output") DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]") @@ -12,80 +10,51 @@ set_env() mkdir "${OUTPUTDIR}" fi - if [ ! -d "nspr" ]; then - for i in 0 2 5; do - sleep $i - hg clone -r "default" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/nspr" && break - rm -rf nspr - done - fi - + cp -a ${VCS_PATH}/nss ${VCS_PATH}/nspr . pushd nspr - hg revert --all if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then cat ../nss/nspr.patch | patch -p1 fi popd cd nss - ./build.sh -v -c + ./build.sh -v -c --python=python3 cd .. } check_abi() { set_env - set +e #reverses set -e from build.sh to allow possible hg clone failures if [[ "$1" != --nobuild ]]; then # Start nobuild block echo "######## NSS ABI CHECK ########" echo "######## creating temporary HG clones ########" - rm -rf ${HGDIR}/baseline - mkdir ${HGDIR}/baseline - BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release` #Reads the version number of the last release from the respective file - NSS_CLONE_RESULT=0 - for i in 0 2 5; do - sleep $i - hg clone -u "${BASE_NSS}" "https://hg.mozilla.org/projects/nss" "${HGDIR}/baseline/nss" - if [ $? -eq 0 ]; then - NSS_CLONE_RESULT=0 - break - fi - rm -rf "${HGDIR}/baseline/nss" - NSS_CLONE_RESULT=1 - done - if [ ${NSS_CLONE_RESULT} -ne 0 ]; then + rm -rf baseline + mkdir baseline + BASE_NSS=`cat nss/automation/abi-check/previous-nss-release` #Reads the version number of the last release from the respective file + if ! hg clone -u "${BASE_NSS}" "${VCS_PATH}/nss" baseline/nss; then echo "invalid tag in automation/abi-check/previous-nss-release" return 1 fi - BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH - hg clone -u "${BASE_NSPR}" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/baseline/nspr" - NSPR_CLONE_RESULT=$? - - if [ ${NSPR_CLONE_RESULT} -ne 0 ]; then - rm -rf "${HGDIR}/baseline/nspr" - for i in 0 2 5; do - sleep $i - hg clone -u "default" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/baseline/nspr" && break - rm -rf "${HGDIR}/baseline/nspr" - done + BASE_NSPR=NSPR_$(head -1 baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH + if ! hg clone -u "${BASE_NSPR}" "${VCS_PATH}/nspr" baseline/nspr; then + rm -rf baseline/nspr + hg clone -u "default" "${VCS_PATH}/nspr" baseline/nspr echo "Nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt" echo "Using default branch instead." fi echo "######## building baseline NSPR/NSS ########" - echo "${HGDIR}/baseline/nss/build.sh" - cd ${HGDIR}/baseline/nss - ./build.sh -v -c - cd ${HGDIR} + echo "${PWD}/baseline/nss/build.sh" + cd baseline/nss + ./build.sh -v -c --python=python3 + cd - else # Else nobuild block echo "######## using existing baseline NSPR/NSS build ########" fi # End nobuild block - set +e #reverses set -e from build.sh to allow abidiff failures - echo "######## Starting abidiff procedure ########" abi_diff } @@ -96,24 +65,24 @@ abi_diff() ABI_PROBLEM_FOUND=0 ABI_REPORT=${OUTPUTDIR}/abi-diff.txt rm -f ${ABI_REPORT} - PREVDIST=${HGDIR}/baseline/dist - NEWDIST=${HGDIR}/dist + PREVDIST=baseline/dist + NEWDIST=dist # libnssdbm3.so isn't built by default anymore, skip it. ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" for SO in ${ALL_SOs}; do - if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then - touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt + if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then + touch nss/automation/abi-check/expected-report-$SO.txt fi abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \ $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \ - > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt + > nss/automation/abi-check/new-report-temp$SO.txt RET=$? - cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \ + cat nss/automation/abi-check/new-report-temp$SO.txt \ | grep -v "^Functions changes summary:" \ | grep -v "^Variables changes summary:" \ | sed -e 's/__anonymous_enum__[0-9]*/__anonymous_enum__/g' \ - > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt - rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt + > nss/automation/abi-check/new-report-$SO.txt + rm -f nss/automation/abi-check/new-report-temp$SO.txt ABIDIFF_ERROR=$((($RET & 0x01) != 0)) ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0)) @@ -150,18 +119,18 @@ abi_diff() if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then ABI_PROBLEM_FOUND=1 - echo "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" + echo "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to nss/automation/abi-check/new-report-$SO.txt" fi - if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then + if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then ABI_PROBLEM_FOUND=1 - echo "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt" + echo "FAILED to access report file: nss/automation/abi-check/expected-report-$SO.txt" fi - diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \ - ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} + diff -wB -u nss/automation/abi-check/expected-report-$SO.txt \ + nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} if [ ! -f ${ABI_REPORT} ]; then ABI_PROBLEM_FOUND=1 - echo "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" + echo "FAILED to compare exepcted and new report: nss/automation/abi-check/new-report-$SO.txt" fi done diff --git a/nss/automation/taskcluster/scripts/cryptofuzz.sh b/nss/automation/taskcluster/scripts/cryptofuzz.sh new file mode 100755 index 00000000..e6f9c9d0 --- /dev/null +++ b/nss/automation/taskcluster/scripts/cryptofuzz.sh @@ -0,0 +1,42 @@ +#!/usr/bin/env bash + +source $(dirname "$0")/tools.sh + +# Fetch Cryptofuzz artifact. +if [ "$TASKCLUSTER_ROOT_URL" = "https://taskcluster.net" ] || [ -z "$TASKCLUSTER_ROOT_URL" ]; then + url=https://queue.taskcluster.net/v1/task/$TC_PARENT_TASK_ID/artifacts/public/cryptofuzz.tar.bz2 +else + url=$TASKCLUSTER_ROOT_URL/api/queue/v1/task/$TC_PARENT_TASK_ID/artifacts/public/cryptofuzz.tar.bz2 +fi + +if [ ! -d "cryptofuzz" ]; then + curl --retry 3 -Lo cryptofuzz.tar.bz2 $url + tar xvjf cryptofuzz.tar.bz2 +fi + +# Clone corpus. +mkdir -p nss/fuzz/corpus/cryptofuzz + +pushd nss/fuzz/corpus/cryptofuzz +curl -O "https://storage.googleapis.com/cryptofuzz-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/cryptofuzz_cryptofuzz-nss/public.zip" +unzip public.zip +rm -f public.zip +popd + +# Generate dictionary +./cryptofuzz/generate_dict + +# Run Cryptofuzz. +# Decrease the default ASAN quarantine size of 256 MB as we tend to run +# out of memory on 32-bit. +ASAN_OPTIONS="quarantine_size_mb=128" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@" + +# Alert if version is older than half a year. +cryptofuzz_timestamp=$(git -C cryptofuzz show -s --format=%ct $CRYPTOFUZZ_VERSION) +current_timestamp=$(date +%s) +half_a_year=$((60 * 60 * 24 * 183)) + +if [ $((current_timestamp - cryptofuzz_timestamp)) -gt $half_a_year ]; then + echo "Cryptofuzz version is older than half a year. Please consider updating it (and Botan). Thanks!" >&2 + exit 1 +fi diff --git a/nss/automation/taskcluster/scripts/fuzz.sh b/nss/automation/taskcluster/scripts/fuzz.sh index 2d1f22f2..4dd817fa 100755 --- a/nss/automation/taskcluster/scripts/fuzz.sh +++ b/nss/automation/taskcluster/scripts/fuzz.sh @@ -9,20 +9,30 @@ shift 2 # Fetch artifact if needed. fetch_dist +export DIST=${PWD}/dist + +cp -a "${VCS_PATH}/nss" . + # Create and change to corpus directory. mkdir -p "nss/fuzz/corpus/$corpus" -cd "nss/fuzz/corpus/$corpus" +pushd "nss/fuzz/corpus/$corpus" -# Fetch and unzip the public OSS-Fuzz corpus. -curl -O "https://storage.googleapis.com/nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_$corpus/public.zip" -unzip public.zip -rm public.zip +# Fetch and unzip the public OSS-Fuzz corpus. Handle the case that there +# may be no corpus yet for new fuzz targets. +code=$(curl -w "%{http_code}" -O "https://storage.googleapis.com/nss-backup.clusterfuzz-external.appspot.com/corpus/libFuzzer/nss_$corpus/public.zip") +if [[ $code -eq 200 ]]; then + unzip public.zip +fi +rm -f public.zip # Change back to previous working directory. -cd $OLDPWD +popd # Fetch objdir name. objdir=$(cat dist/latest) +# Get libFuzzer options. +readarray -t options < <(python nss/fuzz/config/libfuzzer_options.py nss/fuzz/options/"$corpus".options) + # Run nssfuzz. -dist/"$objdir"/bin/nssfuzz-"$target" "nss/fuzz/corpus/$corpus" "$@" +dist/"$objdir"/bin/nssfuzz-"$target" "nss/fuzz/corpus/$corpus" "${options[@]}" "$@" diff --git a/nss/automation/taskcluster/scripts/gen_certs.sh b/nss/automation/taskcluster/scripts/gen_certs.sh index c03db7e9..bf2f26e1 100755 --- a/nss/automation/taskcluster/scripts/gen_certs.sh +++ b/nss/automation/taskcluster/scripts/gen_certs.sh @@ -2,8 +2,9 @@ source $(dirname "$0")/tools.sh -# Fetch artifact if needed. -fetch_dist +set -e + +test -n "${VCS_PATH}" # Generate certificates. NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh @@ -12,10 +13,10 @@ NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh echo 1 > tests_results/security/localhost # Package. -if [[ $(uname) = "Darwin" ]]; then - mkdir -p public - tar cvfjh public/dist.tar.bz2 dist tests_results +if [ $(uname) = Linux ]; then + artifacts=/builds/worker/artifacts else - mkdir artifacts - tar cvfjh artifacts/dist.tar.bz2 dist tests_results + mkdir public + artifacts=public fi +tar cvfjh ${artifacts}/dist.tar.bz2 dist tests_results diff --git a/nss/automation/taskcluster/scripts/gen_coverage_report.sh b/nss/automation/taskcluster/scripts/gen_coverage_report.sh index bb2cb4d2..6e860806 100755 --- a/nss/automation/taskcluster/scripts/gen_coverage_report.sh +++ b/nss/automation/taskcluster/scripts/gen_coverage_report.sh @@ -2,8 +2,7 @@ source $(dirname "$0")/tools.sh -# Clone NSPR. -hg_clone https://hg.mozilla.org/projects/nspr ./nspr default +cp -a ${VCS_PATH}/nss ${VCS_PATH}/nspr . pushd nspr hg revert --all @@ -12,7 +11,7 @@ if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi popd -out=/home/worker/artifacts +out=/builds/worker/artifacts mkdir -p $out # Generate coverage report. diff --git a/nss/automation/taskcluster/scripts/patches/01_ed25519.patch b/nss/automation/taskcluster/scripts/patches/01_ed25519.patch new file mode 100644 index 00000000..3bb030a4 --- /dev/null +++ b/nss/automation/taskcluster/scripts/patches/01_ed25519.patch @@ -0,0 +1,96 @@ +Bug 1325335 + +diff --git a/dist/gcc-compatible/Hacl_Ed25519.c b/dist/gcc-compatible/Hacl_Ed25519.c +index 2f6e0bc3ca..f7a5ea6d75 100644 +--- a/dist/gcc-compatible/Hacl_Ed25519.c ++++ b/dist/gcc-compatible/Hacl_Ed25519.c +@@ -25,12 +25,13 @@ + #include "internal/Hacl_Ed25519.h" + + #include "internal/Hacl_Krmllib.h" +-#include "internal/Hacl_Hash_SHA2.h" + #include "internal/Hacl_Ed25519_PrecompTable.h" + #include "internal/Hacl_Curve25519_51.h" + #include "internal/Hacl_Bignum_Base.h" + #include "internal/Hacl_Bignum25519_51.h" + ++#include "../Hacl_Hash_SHA2_shim.h" ++ + static inline void + fsum(uint64_t *out, uint64_t *a, uint64_t *b) + { +@@ -1669,50 +1670,6 @@ load_32_bytes(uint64_t *out, uint8_t *b) + out[4U] = b41; + } + +-static inline void +-sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) +-{ +- uint8_t buf[128U] = { 0U }; +- uint64_t block_state[8U] = { 0U }; +- Hacl_Streaming_MD_state_64 +- s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; +- Hacl_Streaming_MD_state_64 p = s; +- Hacl_SHA2_Scalar32_sha512_init(block_state); +- Hacl_Streaming_MD_state_64 *st = &p; +- Hacl_Streaming_Types_error_code +- err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); +- Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len); +- KRML_HOST_IGNORE(err0); +- KRML_HOST_IGNORE(err1); +- Hacl_Streaming_SHA2_finish_512(st, hash); +-} +- +-static inline void +-sha512_pre_pre2_msg( +- uint8_t *hash, +- uint8_t *prefix, +- uint8_t *prefix2, +- uint32_t len, +- uint8_t *input) +-{ +- uint8_t buf[128U] = { 0U }; +- uint64_t block_state[8U] = { 0U }; +- Hacl_Streaming_MD_state_64 +- s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; +- Hacl_Streaming_MD_state_64 p = s; +- Hacl_SHA2_Scalar32_sha512_init(block_state); +- Hacl_Streaming_MD_state_64 *st = &p; +- Hacl_Streaming_Types_error_code +- err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); +- Hacl_Streaming_Types_error_code +- err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); +- Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len); +- KRML_HOST_IGNORE(err0); +- KRML_HOST_IGNORE(err1); +- KRML_HOST_IGNORE(err2); +- Hacl_Streaming_SHA2_finish_512(st, hash); +-} +- + static inline void + sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input) + { +diff --git a/dist/gcc-compatible/Hacl_Ed25519.h b/dist/gcc-compatible/Hacl_Ed25519.h +index 12e16e142c..7d6f87dff2 100644 +--- a/dist/gcc-compatible/Hacl_Ed25519.h ++++ b/dist/gcc-compatible/Hacl_Ed25519.h +@@ -36,7 +36,6 @@ extern "C" { + + #include "Hacl_Streaming_Types.h" + #include "Hacl_Krmllib.h" +-#include "Hacl_Hash_SHA2.h" + + /******************************************************************************** + Verified C library for EdDSA signing and verification on the edwards25519 curve. +diff --git a/dist/gcc-compatible/internal/Hacl_Ed25519.h b/dist/gcc-compatible/internal/Hacl_Ed25519.h +index ba77b6dc09..ad36672b92 100644 +--- a/dist/gcc-compatible/internal/Hacl_Ed25519.h ++++ b/dist/gcc-compatible/internal/Hacl_Ed25519.h +@@ -35,7 +35,6 @@ extern "C" { + #include "krml/internal/target.h" + + #include "internal/Hacl_Krmllib.h" +-#include "internal/Hacl_Hash_SHA2.h" + #include "internal/Hacl_Ed25519_PrecompTable.h" + #include "internal/Hacl_Curve25519_51.h" + #include "internal/Hacl_Bignum_Base.h" diff --git a/nss/automation/taskcluster/scripts/patches/02_alloca.patch b/nss/automation/taskcluster/scripts/patches/02_alloca.patch new file mode 100644 index 00000000..4875811e --- /dev/null +++ b/nss/automation/taskcluster/scripts/patches/02_alloca.patch @@ -0,0 +1,15 @@ +Bug 1857190 - include alloca.h on Solaris + +diff --git a/dist/karamel/include/krml/internal/builtin.h b/dist/karamel/include/krml/internal/builtin.h +index f55e5f824e..07ff156788 100644 +--- a/dist/karamel/include/krml/internal/builtin.h ++++ b/dist/karamel/include/krml/internal/builtin.h +@@ -7,6 +7,8 @@ + /* For alloca, when using KaRaMeL's -falloca */ + #if (defined(_WIN32) || defined(_WIN64)) + #include ++#elif (defined(sun)) ++#include + #endif + + /* If some globals need to be initialized before the main, then karamel will diff --git a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch b/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch deleted file mode 100644 index dc2ffc04..00000000 --- a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch +++ /dev/null @@ -1,50 +0,0 @@ -28d27 -< #include "internal/Hacl_Hash_SHA2.h" -33a33,34 -> #include "../Hacl_Hash_SHA2_shim.h" -> -1670,1713d1670 -< } -< -< static inline void -< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) -< { -< uint8_t buf[128U] = { 0U }; -< uint64_t block_state[8U] = { 0U }; -< Hacl_Streaming_MD_state_64 -< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; -< Hacl_Streaming_MD_state_64 p = s; -< Hacl_SHA2_Scalar32_sha512_init(block_state); -< Hacl_Streaming_MD_state_64 *st = &p; -< Hacl_Streaming_Types_error_code -< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); -< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len); -< KRML_HOST_IGNORE(err0); -< KRML_HOST_IGNORE(err1); -< Hacl_Streaming_SHA2_finish_512(st, hash); -< } -< -< static inline void -< sha512_pre_pre2_msg( -< uint8_t *hash, -< uint8_t *prefix, -< uint8_t *prefix2, -< uint32_t len, -< uint8_t *input) -< { -< uint8_t buf[128U] = { 0U }; -< uint64_t block_state[8U] = { 0U }; -< Hacl_Streaming_MD_state_64 -< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; -< Hacl_Streaming_MD_state_64 p = s; -< Hacl_SHA2_Scalar32_sha512_init(block_state); -< Hacl_Streaming_MD_state_64 *st = &p; -< Hacl_Streaming_Types_error_code -< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); -< Hacl_Streaming_Types_error_code -< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); -< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len); -< KRML_HOST_IGNORE(err0); -< KRML_HOST_IGNORE(err1); -< KRML_HOST_IGNORE(err2); -< Hacl_Streaming_SHA2_finish_512(st, hash); diff --git a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch b/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch deleted file mode 100644 index f79016fc..00000000 --- a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch +++ /dev/null @@ -1,2 +0,0 @@ -38d37 -< #include "internal/Hacl_Hash_SHA2.h" diff --git a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch b/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch deleted file mode 100644 index 781bde53..00000000 --- a/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch +++ /dev/null @@ -1,2 +0,0 @@ -39d38 -< #include "Hacl_Hash_SHA2.h" diff --git a/nss/automation/taskcluster/scripts/run_hacl.sh b/nss/automation/taskcluster/scripts/run_hacl.sh index afce0280..cd616a0a 100755 --- a/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/nss/automation/taskcluster/scripts/run_hacl.sh @@ -8,7 +8,6 @@ fi set -e -x -v -# The docker image this is running in has NSS sources. # Get the HACL* source, containing a snapshot of the C code, extracted on the # HACL CI. git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star @@ -16,11 +15,20 @@ git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552 # Format the C snapshot. cd ~/hacl-star/dist/mozilla -cp ~/nss/.clang-format . +cp ${VCS_PATH}/nss/.clang-format . find . -type f -name '*.[ch]' -exec clang-format -i {} \+ cd ~/hacl-star/dist/karamel -cp ~/nss/.clang-format . +cp ${VCS_PATH}/nss/.clang-format . find . -type f -name '*.[ch]' -exec clang-format -i {} \+ +cd ~/hacl-star/dist/gcc-compatible +cp ${VCS_PATH}/nss/.clang-format . +find . -type f -name '*.[ch]' -exec clang-format -i {} \+ + +cd ~/hacl-star +patches=(${VCS_PATH}/nss/automation/taskcluster/scripts/patches/*.patch) +for f in "${patches[@]}"; do + git apply "$f" +done # These diff commands will return 1 if there are differences and stop the script. @@ -30,22 +38,19 @@ find . -type f -name '*.[ch]' -exec clang-format -i {} \+ # For instance, the files Hacl_Chacha20.h are present in both directories, but the content differs. # TODO(Bug 1899443): remove these exceptions -files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) +files=($(find ${VCS_PATH}/nss/lib/freebl/verified/internal -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/libcrux*")) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name)) if [ $file_name == "Hacl_Ed25519.h" \ - -o $file_name == "Hacl_Ed25519_PrecompTable.h" \ - -o $file_name == "libcrux_sha3_internal.h" \ - -o $file_name == "libcrux_core.h" \ - -o $file_name == "libcrux_mlkem_portable.h" ] + -o $file_name == "Hacl_Ed25519_PrecompTable.h" ] then - continue; + continue fi - diff $hacl_file $f + diff -u $hacl_file $f done -files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*" -not -path "*/freebl/verified/config.h")) +files=($(find ${VCS_PATH}/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*" -not -path "*/freebl/verified/config.h" -not -path "*/freebl/verified/libcrux*")) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*")) @@ -53,67 +58,43 @@ for f in "${files[@]}"; do -o $file_name == "Hacl_P384.h" \ -o $file_name == "Hacl_P521.c" \ -o $file_name == "Hacl_P521.h" \ - -o $file_name == "libcrux_mlkem_portable.c" \ - -o $file_name == "libcrux_sha3_internal.h" \ - -o $file_name == "libcrux_core.h" \ + -o $file_name == "eurydice_glue.h" \ -o $file_name == "target.h" ] then - continue; + continue fi if [ $file_name == "Hacl_Ed25519.h" \ -o $file_name == "Hacl_Ed25519.c" ] then - continue; + continue fi - diff $hacl_file $f + diff -u $hacl_file $f done # Here we process the code that's not located in /hacl-star/dist/mozilla/ but # /hacl-star/dist/gcc-compatible. -cd ~/hacl-star/dist/gcc-compatible -cp ~/nss/.clang-format . -find . -type f -name '*.[ch]' -exec clang-format -i {} \+ - -patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch')) -for f in "${patches[@]}"; do - file_name=$(basename "$f") - file_name="${file_name%.*}" - if_internal="${file_name##*.}" - if [ $if_internal == "internal" ] - then - file_name="${file_name%.*}" - patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name)) - else - patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*")) - fi - if [ ! -z "$patch_file" ] - then - patch $patch_file $f - fi -done - -files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) +files=($(find ${VCS_PATH}/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name)) if [ $file_name != "Hacl_Ed25519.h" \ -a $file_name != "Hacl_Ed25519_PrecompTable.h" ] then - continue; + continue fi - diff $hacl_file $f + diff -u $hacl_file $f done -files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*")) +files=($(find ${VCS_PATH}/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*")) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*")) if [ $file_name != "Hacl_Ed25519.h" \ -a $file_name != "Hacl_Ed25519.c" ] then - continue; + continue fi - diff $hacl_file $f + diff -u $hacl_file $f done diff --git a/nss/automation/taskcluster/scripts/run_scan_build.sh b/nss/automation/taskcluster/scripts/run_scan_build.sh index 3d2c5459..37820510 100755 --- a/nss/automation/taskcluster/scripts/run_scan_build.sh +++ b/nss/automation/taskcluster/scripts/run_scan_build.sh @@ -2,17 +2,12 @@ source $(dirname "$0")/tools.sh -# Clone NSPR if needed. -if [ ! -d "nspr" ]; then - hg_clone https://hg.mozilla.org/projects/nspr ./nspr default - - pushd nspr - hg revert --all - if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then - cat ../nss/nspr.patch | patch -p1 - fi - popd +cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" . +cd nspr +if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then + cat ../nss/nspr.patch | patch -p1 fi +cd .. # Build. cd nss @@ -41,13 +36,14 @@ for i in "${!scan[@]}"; do done # run scan-build (only building affected directories) -scan-build -o /home/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all && cd .. +scan-build -o /builds/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all +STATUS=$? +cd .. # print errors we found set +v +x -STATUS=0 for i in "${!scan[@]}"; do - n=$(grep -Rn "$i" /home/worker/artifacts/*/report-*.html | wc -l) + n=$(grep -Rn "$i" /builds/worker/artifacts/*/report-*.html | wc -l) if [ $n -ne ${scan[$i]} ]; then STATUS=1 echo "$(date '+%T') WARNING - TEST-UNEXPECTED-FAIL: $i contains $n scan-build errors" diff --git a/nss/automation/taskcluster/scripts/run_tests.sh b/nss/automation/taskcluster/scripts/run_tests.sh index b8e26761..143966ba 100755 --- a/nss/automation/taskcluster/scripts/run_tests.sh +++ b/nss/automation/taskcluster/scripts/run_tests.sh @@ -5,5 +5,11 @@ source $(dirname "$0")/tools.sh # Fetch artifact if needed. fetch_dist +export DIST=${PWD}/dist + +# tests write to the source dir (and its parent), so move the source tree to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nss" . + # Run tests. cd nss/tests && ./all.sh diff --git a/nss/automation/taskcluster/windows/build.sh b/nss/automation/taskcluster/windows/build.sh index 527a5ea0..64c76794 100644 --- a/nss/automation/taskcluster/windows/build.sh +++ b/nss/automation/taskcluster/windows/build.sh @@ -2,6 +2,12 @@ set -v -e -x +test -v VCS_PATH + +# builds write to the source dir (and its parent), so move the source trees to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" . + if [[ "$USE_64" == 1 ]]; then m=x64 else @@ -9,9 +15,6 @@ else fi source "$(dirname "$0")/setup.sh" -# Clone NSPR. -hg_clone https://hg.mozilla.org/projects/nspr nspr default - pushd nspr hg revert --all if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then @@ -20,7 +23,7 @@ fi popd # Build. -make -C nss nss_build_all +mozmake -C nss nss_build_all # Package. 7z a public/build/dist.7z dist diff --git a/nss/automation/taskcluster/windows/build_gyp.sh b/nss/automation/taskcluster/windows/build_gyp.sh index 122980ba..30920bce 100644 --- a/nss/automation/taskcluster/windows/build_gyp.sh +++ b/nss/automation/taskcluster/windows/build_gyp.sh @@ -14,12 +14,14 @@ done [[ "$m" == "ia32" ]] && m=x86 source "$(dirname "$0")/setup.sh" +git clone https://chromium.googlesource.com/external/gyp + # Install GYP. pushd gyp -python -m virtualenv test-env +python -m venv ./test-env test-env/Scripts/python setup.py install test-env/Scripts/python -m pip install --upgrade pip -test-env/Scripts/pip install --upgrade 'setuptools<45.0.0' +test-env/Scripts/pip install --upgrade 'setuptools<45.0.0' six # Fool GYP. touch "${VSPATH}/VC/vcvarsall.bat" export GYP_MSVS_OVERRIDE_PATH="${VSPATH}" @@ -28,8 +30,11 @@ popd export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts" -# Clone NSPR. -hg_clone https://hg.mozilla.org/projects/nspr nspr default +test -v VCS_PATH + +# builds write to the source dir (and its parent), so move the source trees to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nspr" "${VCS_PATH}/nss" . pushd nspr hg revert --all @@ -38,6 +43,11 @@ if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi popd +make () { + mozmake "$@" +} +export -f make + # Build with gyp. ./nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" diff --git a/nss/automation/taskcluster/windows/gen_certs.sh b/nss/automation/taskcluster/windows/gen_certs.sh index 594112b9..6a4a75ee 100644 --- a/nss/automation/taskcluster/windows/gen_certs.sh +++ b/nss/automation/taskcluster/windows/gen_certs.sh @@ -15,6 +15,11 @@ fi wget -t 3 --retry-connrefused -w 5 --random-wait $url -O dist.7z 7z x dist.7z +export DIST=${PWD}/dist +# tests write to the source dir (and its parent), so move the source tree to +# our workspace from the (cached) checkout dir +cp -a "${VCS_PATH}/nss" . + # Generate certificates. NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" nss/tests/all.sh diff --git a/nss/automation/taskcluster/windows/releng.manifest b/nss/automation/taskcluster/windows/releng.manifest index d571c544..2ec01e59 100644 --- a/nss/automation/taskcluster/windows/releng.manifest +++ b/nss/automation/taskcluster/windows/releng.manifest @@ -14,13 +14,5 @@ "algorithm": "sha512", "filename": "ninja171.zip", "unpack": true - }, - { - "size": 13063963, - "visibility": "public", - "digest": "47a19f8f863eab3414abab2b9e9bd901ab896c799b3d9254b456b2f59374b085b99de805e21069a0819f01eecb3f43f7e2395a8c644c04bcbfa5711261cca29d", - "algorithm": "sha512", - "filename": "gyp-2017-05-23.zip", - "unpack": true } ] diff --git a/nss/automation/taskcluster/windows/run_tests.sh b/nss/automation/taskcluster/windows/run_tests.sh index 2392559d..2aa32014 100644 --- a/nss/automation/taskcluster/windows/run_tests.sh +++ b/nss/automation/taskcluster/windows/run_tests.sh @@ -15,5 +15,9 @@ fi wget -t 3 --retry-connrefused -w 5 --random-wait $url -O dist.7z 7z x dist.7z +export DIST=${PWD}/dist + +cp -a "${VCS_PATH}/nss" . + # Run tests. cd nss/tests && ./all.sh diff --git a/nss/automation/taskcluster/windows/setup.sh b/nss/automation/taskcluster/windows/setup.sh index d5bed3b8..eb235d10 100644 --- a/nss/automation/taskcluster/windows/setup.sh +++ b/nss/automation/taskcluster/windows/setup.sh @@ -15,42 +15,41 @@ hg_clone() { exit 1 } -hg_clone https://hg.mozilla.org/build/tools tools b8d7c263dfc3 -tools/scripts/tooltool/tooltool_wrapper.sh \ - $(dirname $0)/releng.manifest http://taskcluster/tooltool.mozilla-releng.net/ \ - non-existant-file.sh /c/mozilla-build/python/python.exe \ - /c/builds/tooltool.py \ - -c /c/builds/tooltool_cache +export SSL_CERT_FILE=/c/mozilla-build/python3/Lib/site-packages/certifi/cacert.pem -# This needs $m to be set. -[[ -n "$m" ]] - -# Setup MSVC paths. -export VSPATH="${PWD}/vs2017_15.4.2" -UCRTVersion="10.0.15063.0" +/c/mozilla-build/python/python.exe /c/builds/tooltool.py -c /c/builds/tooltool_cache --url ${TASKCLUSTER_PROXY_URL}/tooltool.mozilla-releng.net/ --overwrite -m $(dirname $0)/releng.manifest fetch -export WINDOWSSDKDIR="${VSPATH}/SDK" -export VS90COMNTOOLS="${VSPATH}/VC" -export WIN32_REDIST_DIR="${VSPATH}/VC/redist/${m}/Microsoft.VC141.CRT" -export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/${m}" +# This needs $m to be set. +if [ -n "$m" ]; then + + # Setup MSVC paths. + export VSPATH="${PWD}/vs2017_15.4.2" + UCRTVersion="10.0.15063.0" + + export WINDOWSSDKDIR="${VSPATH}/SDK" + export VS90COMNTOOLS="${VSPATH}/VC" + export WIN32_REDIST_DIR="${VSPATH}/VC/redist/${m}/Microsoft.VC141.CRT" + export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/${m}" + + if [ "$m" == "x86" ]; then + PATH="${VSPATH}/VC/bin/Hostx64/x64:${PATH}" + PATH="${VSPATH}/VC/bin/Hostx64/x86:${PATH}" + fi + PATH="${VSPATH}/VC/bin/Host${m}/${m}:${PATH}" + PATH="${WIN32_REDIST_DIR}:${PATH}" + PATH="${WIN_UCRT_REDIST_DIR}:${PATH}" + PATH="${VSPATH}/SDK/bin/${UCRTVersion}/x64:${PATH}" + export PATH + + LIB="${LIB}:${VSPATH}/VC/lib/${m}" + LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/ucrt/${m}" + LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/um/${m}" + export LIB + + INCLUDE="${INCLUDE}:${VSPATH}/VC/include" + INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/ucrt" + INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/shared" + INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/um" + export INCLUDE -if [ "$m" == "x86" ]; then - PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x86" - PATH="${PATH}:${VSPATH}/VC/bin/Hostx64/x64" fi -PATH="${PATH}:${VSPATH}/VC/bin/Host${m}/${m}" -PATH="${PATH}:${WIN32_REDIST_DIR}" -PATH="${PATH}:${WIN_UCRT_REDIST_DIR}" -PATH="${PATH}:${VSPATH}/SDK/bin/${UCRTVersion}/x64" -export PATH - -LIB="${LIB}:${VSPATH}/VC/lib/${m}" -LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/ucrt/${m}" -LIB="${LIB}:${VSPATH}/SDK/lib/${UCRTVersion}/um/${m}" -export LIB - -INCLUDE="${INCLUDE}:${VSPATH}/VC/include" -INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/ucrt" -INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/shared" -INCLUDE="${INCLUDE}:${VSPATH}/SDK/Include/${UCRTVersion}/um" -export INCLUDE diff --git a/nss/build.sh b/nss/build.sh index 73c6d77d..e3e7c800 100755 --- a/nss/build.sh +++ b/nss/build.sh @@ -70,7 +70,7 @@ ninja_params=() # Assume that MSVC is wanted if this is running on windows. platform=$(uname -s) -if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then +if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" -o "${platform%%-*}" = "MSYS_NT" ]; then msvc=1 fi @@ -104,6 +104,7 @@ while [ $# -gt 0 ]; do --pprof) gyp_params+=(-Duse_pprof=1) ;; --asan) enable_sanitizer asan ;; --msan) enable_sanitizer msan ;; + --tsan) enable_sanitizer tsan ;; --sourcecov) enable_sourcecov ;; --ubsan) enable_ubsan ;; --ubsan=?*) enable_ubsan "${1#*=}" ;; @@ -139,6 +140,18 @@ while [ $# -gt 0 ]; do shift done +if [ "$opt_build" = 1 ] && [ "$fuzz" = 1 ]; then + echo "Specifiying --opt with --fuzz is not supported." >&2 + exit 1 +fi + +if [ -n "${sanitizers["tsan"]:-}" ] && ([ "$CC" != "clang" ] || + [ "$CCC" != "clang++" ] || + [ "$CXX" != "clang++" ]); then + echo "Specifying --tsan requires clang." >&2 + exit 1 +fi + if [ -n "$python" ]; then gyp_params+=(-Dpython="$python") fi diff --git a/nss/cmd/lib/basicutil.h b/nss/cmd/lib/basicutil.h index a95723b5..a6676a2c 100644 --- a/nss/cmd/lib/basicutil.h +++ b/nss/cmd/lib/basicutil.h @@ -17,10 +17,10 @@ #include #ifdef SECUTIL_NEW -typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item, - char *msg, int level); +typedef int (*SECU_PPFunc)(PRFileDesc *out, const SECItem *item, + const char *msg, int level); #else -typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level); +typedef int (*SECU_PPFunc)(FILE *out, const SECItem *item, const char *msg, int level); #endif /* print out an error message */ diff --git a/nss/cmd/lib/secutil.c b/nss/cmd/lib/secutil.c index c01496ec..5b8ee50c 100644 --- a/nss/cmd/lib/secutil.c +++ b/nss/cmd/lib/secutil.c @@ -1570,7 +1570,7 @@ printStringWithoutCRLF(FILE *out, const char *str) } int -SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m, +SECU_PrintDumpDerIssuerAndSerial(FILE *out, const SECItem *der, const char *m, int level) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -2403,7 +2403,7 @@ SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ int -SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) +SECU_PrintCertificateRequest(FILE *out, const SECItem *der, const char *m, int level) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCertificateRequest *cr; @@ -2762,7 +2762,7 @@ secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, some */ void -SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level) +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level) { CERTCrlEntry *entry; int iv; @@ -2842,7 +2842,7 @@ secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, while ((aCert = src->rawCerts[iv++]) != NULL) { snprintf(om, sizeof(om), "Certificate (%x)", iv); rv = SECU_PrintSignedData(out, aCert, om, level + 2, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); if (rv) return rv; } @@ -2969,7 +2969,7 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *out, while ((aCert = src->rawCerts[iv++]) != NULL) { snprintf(om, sizeof(om), "Certificate (%x)", iv); rv = SECU_PrintSignedData(out, aCert, om, level + 2, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); if (rv) return rv; } @@ -3009,7 +3009,7 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *out, } int -SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level) +SECU_PrintCrl(FILE *out, const SECItem *der, const char *m, int level) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCrl *c = NULL; @@ -3206,10 +3206,10 @@ secu_PrintPKCS12Bag(FILE *out, SECItem *item, const char *desc, int level) case SEC_OID_PKCS12_SDSI_CERT_BAG: if (strcmp(desc, "Crl Bag") == 0) { rv = SECU_PrintSignedData(out, &bagValue, NULL, level + 1, - (SECU_PPFunc)SECU_PrintCrl); + SECU_PrintCrl); } else { rv = SECU_PrintSignedData(out, &bagValue, NULL, level + 1, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); } break; case SEC_OID_PKCS12_V1_SAFE_CONTENTS_BAG_ID: @@ -3588,7 +3588,7 @@ SEC_PrintCertificateAndTrust(CERTCertificate *cert, data.len = cert->derCert.len; rv = SECU_PrintSignedData(stdout, &data, label, 0, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); if (rv) { return (SECFailure); } diff --git a/nss/cmd/lib/secutil.h b/nss/cmd/lib/secutil.h index 753f1fa6..963602a3 100644 --- a/nss/cmd/lib/secutil.h +++ b/nss/cmd/lib/secutil.h @@ -213,7 +213,7 @@ SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc *out, int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); /* Dump contents of cert req */ -extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, +extern int SECU_PrintCertificateRequest(FILE *out, const SECItem *der, const char *m, int level); /* Dump contents of certificate */ @@ -223,7 +223,7 @@ extern int SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m, extern int SECU_PrintCertificateBasicInfo(FILE *out, const SECItem *der, const char *m, int level); -extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m, +extern int SECU_PrintDumpDerIssuerAndSerial(FILE *out, const SECItem *der, const char *m, int level); /* Dump contents of a DER certificate name (issuer or subject) */ @@ -270,10 +270,10 @@ extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert, const char *label, CERTCertTrust *trust); -extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); +extern int SECU_PrintCrl(FILE *out, const SECItem *der, const char *m, int level); extern void -SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level); +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, const char *m, int level); extern void SECU_PrintString(FILE *out, const SECItem *si, const char *m, int level); diff --git a/nss/cmd/manifest.mn b/nss/cmd/manifest.mn index 06bb99f4..1af88bf4 100644 --- a/nss/cmd/manifest.mn +++ b/nss/cmd/manifest.mn @@ -49,6 +49,7 @@ NSS_SRCDIRS = \ makepqg \ multinit \ nss-policy-check \ + nssdefaults \ ocspclnt \ ocspresp \ oidcalc \ diff --git a/nss/cmd/nssdefaults/Makefile b/nss/cmd/nssdefaults/Makefile new file mode 100644 index 00000000..d7c879ae --- /dev/null +++ b/nss/cmd/nssdefaults/Makefile @@ -0,0 +1,48 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/nss/cmd/nssdefaults/manifest.mn b/nss/cmd/nssdefaults/manifest.mn new file mode 100644 index 00000000..6ffb899b --- /dev/null +++ b/nss/cmd/nssdefaults/manifest.mn @@ -0,0 +1,23 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../.. + +DEFINES += -DNSPR20 + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = \ + nssdefaults.c \ + $(NULL) + +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. +REQUIRES = seccmd + +PROGRAM = nssdefaults + +# USE_STATIC_LIBS = 1 diff --git a/nss/cmd/nssdefaults/nssdefaults.c b/nss/cmd/nssdefaults/nssdefaults.c new file mode 100644 index 00000000..b35b45f2 --- /dev/null +++ b/nss/cmd/nssdefaults/nssdefaults.c @@ -0,0 +1,261 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifdef _CRTDBG_MAP_ALLOC +#include +#include +#endif + +#include "nspr.h" +#include "nss.h" +#include "pk11func.h" +#include "secutil.h" +#include "secmod.h" +#include "utilpars.h" + +static char *progName; + +#define ERR_USAGE 2 +#define ERR_UNKNOWN_DB_TYPE 3 +#define ERR_UNKNOWN_POLICY 4 +#define ERR_GET_POLICY_FAIL 5 +#define ERR_UNKNOWN_OPTION 6 +#define ERR_GET_OPTION_FAIL 7 +#define ERR_INIT_FAILED -1 +#define ERR_NO_COMMANDS_FOUND -2 + +static void +Usage() +{ + PR_fprintf(PR_STDERR, + "Usage: %s [-d certdir] [-P dbprefix] [--dbtype] [-p policy] [-o option] [--system-fips] [-x][-a]\n", + progName); + exit(ERR_USAGE); +} + +enum { + opt_CertDir = 0, + opt_DBPrefix, + opt_DBType, + opt_Policy, + opt_Option, + opt_SystemFips, + opt_Fips, + opt_Hex, + opt_All, +}; + +static secuCommandFlag nssdefault_options[] = { + { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE }, + { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE }, + { /* opt_DBType */ 'b', PR_FALSE, 0, PR_FALSE, "dbtype" }, + { /* opt_Policy */ 'p', PR_TRUE, 0, PR_FALSE }, + { /* opt_Option */ 'o', PR_TRUE, 0, PR_FALSE }, + { /* opt_SystemFips */ 's', PR_FALSE, 0, PR_FALSE, "system-fips" }, + { /* opt_Fips */ 'f', PR_FALSE, 0, PR_FALSE, "fips" }, + { /* opt_Hex */ 'x', PR_FALSE, 0, PR_FALSE }, + { /* opt_All */ 'a', PR_FALSE, 0, PR_FALSE }, +}; + +void +dump_Raw(char *label, CK_ATTRIBUTE *attr) +{ + int i; + unsigned char *value = (unsigned char *)attr->pValue; + printf("0x"); + for (i = 0; i < attr->ulValueLen; i++) { + printf("%02x", value[i]); + } + printf("<%s>\n", label); +} + +char *DBTypeName[] = { "None", "sql", "extern", "dbm", "multiaccess" }; + +int +print_DBType(NSSDBType dbType, PRBool phex) +{ + printf("Default DBType: "); + if (phex) { + printf("0x%x\n", dbType); + return 0; + } + if (dbType >= PR_ARRAY_SIZE(DBTypeName)) { + printf("unknown(%d)\n", dbType); + return ERR_UNKNOWN_DB_TYPE; + } + printf("%s\n", DBTypeName[dbType]); + return 0; +} + +int +print_Bool(const char *label, PRBool val, PRBool phex) +{ + if (phex) { + printf("%s0x%x\n", label, val); + return 0; + } + printf("%s%s\n", label, val ? "true" : "false"); + return 0; +} + +int +print_Policy(const char *policy, PRBool phex, PRBool all) +{ + SECOidTag oid = SECMOD_PolicyStringToOid(policy, "any"); + PRUint32 flags; + const char *comma = ""; + int i; + SECStatus rv; + + printf("Policy %s: ", policy); + if (oid == SEC_OID_UNKNOWN) { + printf("unknown policy\n"); + return ERR_UNKNOWN_POLICY; + } + rv = NSS_GetAlgorithmPolicy(oid, &flags); + if (rv != SECSuccess) { + SECU_PrintPRandOSError("policy failed"); + return ERR_GET_POLICY_FAIL; + } + if (phex) { + printf("0x%04x\n", flags); + return 0; + } + if (flags == 0) { + printf("none\n"); + return 0; + } + for (i = 0; i < sizeof(flags) * PR_BITS_PER_BYTE; i++) { + PRUint32 flag = (1 << i); + const char *value; + if ((flags & flag) == 0) { + continue; + } + value = SECMOD_FlagsToPolicyString(flag, PR_TRUE); + if (value != NULL) { + printf("%s%s", comma, value); + comma = ","; + continue; + } + if (all) { + printf("%sUnused(%04x)", comma, flag); + comma = ","; + continue; + } + } + printf("\n"); + return 0; +} + +int +print_Option(const char *optionString, PRBool phex) +{ + PRInt32 option = SECMOD_PolicyStringToOpt(optionString); + PRInt32 value; + SECStatus rv; + + printf("Option %s: ", optionString); + if (option == 0) { + printf("unknown option\n"); + return ERR_UNKNOWN_OPTION; + } + + rv = NSS_OptionGet(option, &value); + if (rv != SECSuccess) { + SECU_PrintPRandOSError("get option failed"); + return ERR_GET_OPTION_FAIL; + } + if (phex) { + printf("0x%04x\n", value); + } else { + printf("%d\n", value); + } + return 0; +} + +int +main(int argc, char **argv) +{ + char *dbprefix = ""; + char *nssdir = NULL; + SECStatus rv; + secuCommand nssdefault; + int local_errno = ERR_NO_COMMANDS_FOUND; + PRBool phex, all; + + nssdefault.numCommands = 0; + nssdefault.commands = 0; + nssdefault.numOptions = PR_ARRAY_SIZE(nssdefault_options); + nssdefault.options = nssdefault_options; + +#ifdef _CRTDBG_MAP_ALLOC + _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); +#endif + + progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + rv = SECU_ParseCommandLine(argc, argv, progName, &nssdefault); + + if (rv != SECSuccess) { + Usage(); + } + + phex = nssdefault.options[opt_Hex].activated; + all = nssdefault.options[opt_All].activated; + + if (nssdefault.options[opt_CertDir].activated) { + nssdir = nssdefault.options[opt_CertDir].arg; + } + if (nssdefault.options[opt_DBPrefix].activated) { + dbprefix = nssdefault.options[opt_DBPrefix].arg; + } + + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + if (nssdir == NULL) { + rv = NSS_NoDB_Init(""); + } else { + rv = NSS_Initialize(nssdir, dbprefix, dbprefix, "secmod.db", 0); + } + if (rv != SECSuccess) { + SECU_PrintPRandOSError(progName); + local_errno = ERR_INIT_FAILED; + goto done; + } + /* prints the default db type */ + if (nssdefault.options[opt_DBType].activated) { + char *appName = NULL; + NSSDBType dbType = NSS_DB_TYPE_NONE; + _NSSUTIL_EvaluateConfigDir(nssdir, &dbType, &appName); + if (appName) { + PORT_Free(appName); + } + local_errno = print_DBType(dbType, phex); + } + if (nssdefault.options[opt_SystemFips].activated) { + local_errno = print_Bool("System FIPS: ", NSS_GetSystemFIPSEnabled(), + phex); + } + if (nssdefault.options[opt_Fips].activated) { + local_errno = print_Bool("FIPS: ", PK11_IsFIPS(), phex); + } + if (nssdefault.options[opt_Policy].activated) { + local_errno = print_Policy(nssdefault.options[opt_Policy].arg, + phex, all); + } + if (nssdefault.options[opt_Option].activated) { + local_errno = print_Option(nssdefault.options[opt_Option].arg, phex); + } + if (local_errno == ERR_NO_COMMANDS_FOUND) { + printf("no data request made\n"); + } + +done: + if (NSS_Shutdown() != SECSuccess) { + local_errno = 1; + } + PL_ArenaFinish(); + PR_Cleanup(); + return local_errno; +} diff --git a/nss/cmd/nssdefaults/nssdefaults.gyp b/nss/cmd/nssdefaults/nssdefaults.gyp new file mode 100644 index 00000000..48a9c7f0 --- /dev/null +++ b/nss/cmd/nssdefaults/nssdefaults.gyp @@ -0,0 +1,29 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../../cmd/platlibs.gypi' + ], + 'targets': [ + { + 'target_name': 'nssdefaults', + 'type': 'executable', + 'sources': [ + 'nssdefaults.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'target_defaults': { + 'defines': [ + 'NSPR20' + ] + }, + 'variables': { + 'module': 'nss' + } +} diff --git a/nss/cmd/ocspclnt/ocspclnt.c b/nss/cmd/ocspclnt/ocspclnt.c index 1dcaae29..3f476146 100644 --- a/nss/cmd/ocspclnt/ocspclnt.c +++ b/nss/cmd/ocspclnt/ocspclnt.c @@ -555,7 +555,7 @@ print_raw_certificates(FILE *out_file, SECItem **raw_certs, int level) while ((raw_cert = raw_certs[i++]) != NULL) { snprintf(cert_label, sizeof(cert_label), "Certificate (%d)", i); (void)SECU_PrintSignedData(out_file, raw_cert, cert_label, level + 1, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); } } diff --git a/nss/cmd/pk12util/pk12util.c b/nss/cmd/pk12util/pk12util.c index c08eff24..ec3c4c12 100644 --- a/nss/cmd/pk12util/pk12util.c +++ b/nss/cmd/pk12util/pk12util.c @@ -32,12 +32,12 @@ static void Usage() { #define FPS PR_fprintf(PR_STDERR, - FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n", + FPS "Usage: %s -i importfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n", progName); FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); FPS "\t\t [-v]\n"); - FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n", + FPS "Usage: %s -l listfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n", progName); FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n"); FPS "\t\t [-v]\n"); @@ -351,7 +351,8 @@ P12U_InitSlot(PK11SlotInfo *slot, secuPWData *slotPw) */ SEC_PKCS12DecoderContext * p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, - secuPWData *slotPw, secuPWData *p12FilePw) + secuPWData *slotPw, secuPWData *p12FilePw, + PRBool ignoreIntegrity) { SEC_PKCS12DecoderContext *p12dcx = NULL; p12uContext *p12cxt = NULL; @@ -449,16 +450,19 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, /* revert the option setting */ if (forceUnicode != pk12uForceUnicode) { - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); - if (rv != SECSuccess) { + if (SECSuccess != NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode)) { SECU_PrintError(progName, "PKCS12 decoding failed to set option"); pk12uErrno = PK12UERR_DECODEVERIFY; + rv = SECFailure; } } /* rv has been set at this point */ done: - if (rv != SECSuccess) { + /* if we are ignoring Integrity and we failed because we couldn't + * verify the integrity code, go ahead and succeed */ + if (rv != SECSuccess && !(ignoreIntegrity && + (pk12uErrno == PK12UERR_DECODEVERIFY))) { if (p12dcx != NULL) { SEC_PKCS12DecoderFinish(p12dcx); p12dcx = NULL; @@ -490,7 +494,8 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, */ PRIntn P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot, - secuPWData *slotPw, secuPWData *p12FilePw) + secuPWData *slotPw, secuPWData *p12FilePw, + PRBool ignoreIntegrity) { SEC_PKCS12DecoderContext *p12dcx = NULL; SECItem uniPwitem = { 0 }; @@ -509,7 +514,8 @@ P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot, do { trypw = PR_FALSE; /* normally we do this once */ rv = SECFailure; - p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); + p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, + p12FilePw, ignoreIntegrity); if (p12dcx == NULL) { goto loser; @@ -777,14 +783,16 @@ P12U_ExportPKCS12Object(char *nn, char *outfile, PK11SlotInfo *inSlot, PRIntn P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot, - secuPWData *slotPw, secuPWData *p12FilePw) + secuPWData *slotPw, secuPWData *p12FilePw, + PRBool ignoreIntegrity) { SEC_PKCS12DecoderContext *p12dcx = NULL; SECItem uniPwitem = { 0 }; SECStatus rv = SECFailure; const SEC_PKCS12DecoderItem *dip; - p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw); + p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw, + ignoreIntegrity); /* did the blob authenticate properly? */ if (p12dcx == NULL) { SECU_PrintError(progName, "PKCS12 decode not verified"); @@ -819,7 +827,7 @@ P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot, } else if (SECU_PrintSignedData(stdout, dip->der, (dip->hasKey) ? "(has private key)" : "", - 0, (SECU_PPFunc)SECU_PrintCertificate) != + 0, SECU_PrintCertificate) != 0) { SECU_PrintError(progName, "PKCS12 print cert bag failed"); } @@ -997,7 +1005,8 @@ enum { opt_CertCipher, opt_KeyLength, opt_CertKeyLength, - opt_Mac + opt_Mac, + opt_IgnoreIntegrity }; static secuCommandFlag pk12util_options[] = { @@ -1018,7 +1027,8 @@ static secuCommandFlag pk12util_options[] = { { /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE }, { /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" }, { /* opt_CertKeyLength */ 0, PR_TRUE, 0, PR_FALSE, "cert_key_len" }, - { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE, PR_FALSE } + { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE }, + { /* opt_IgnoreIntegrity */ 'I', PR_FALSE, 0, PR_FALSE } }; int @@ -1039,6 +1049,7 @@ main(int argc, char **argv) int certKeyLen = 0; secuCommand pk12util; PRInt32 forceUnicode; + PRBool ignoreIntegrity = PR_FALSE; #ifdef _CRTDBG_MAP_ALLOC _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF); @@ -1113,6 +1124,9 @@ main(int argc, char **argv) if (pk12util.options[opt_Raw].activated) { dumpRawFile = PR_TRUE; } + if (pk12util.options[opt_IgnoreIntegrity].activated) { + ignoreIntegrity = PR_TRUE; + } if (pk12util.options[opt_KeyLength].activated) { keyLen = atoi(pk12util.options[opt_KeyLength].arg); } @@ -1183,7 +1197,8 @@ main(int argc, char **argv) } if (pk12util.options[opt_Import].activated) { - P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw); + P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw, + ignoreIntegrity); } else if (pk12util.options[opt_Export].activated) { P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg, @@ -1191,7 +1206,8 @@ main(int argc, char **argv) hash, &slotPw, &p12FilePw); } else if (pk12util.options[opt_List].activated) { - P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw); + P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw, + ignoreIntegrity); } else { Usage(); diff --git a/nss/cmd/pp/pp.c b/nss/cmd/pp/pp.c index b89b9ad0..3585eaab 100644 --- a/nss/cmd/pp/pp.c +++ b/nss/cmd/pp/pp.c @@ -147,7 +147,7 @@ main(int argc, char **argv) if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE) == 0 || PORT_Strcmp(typeTag, "c") == 0) { rv = SECU_PrintSignedData(outFile, &data, "Certificate", 0, - (SECU_PPFunc)SECU_PrintCertificate); + SECU_PrintCertificate); } else if (PORT_Strcmp(typeTag, SEC_CT_CERTIFICATE_ID) == 0 || PORT_Strcmp(typeTag, "ci") == 0) { rv = SECU_PrintSignedContent(outFile, &data, 0, 0, diff --git a/nss/cmd/signver/pk7print.c b/nss/cmd/signver/pk7print.c index d8dbe09a..b821a146 100644 --- a/nss/cmd/signver/pk7print.c +++ b/nss/cmd/signver/pk7print.c @@ -487,7 +487,7 @@ sv_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m) } int -sv_PrintCertificate(FILE *out, SECItem *der, char *m, int level) +sv_PrintCertificate(FILE *out, const SECItem *der, const char *m, int level) { PLArenaPool *arena = NULL; CERTCertificate *c; diff --git a/nss/cmd/smimetools/cmsutil.c b/nss/cmd/smimetools/cmsutil.c index b139cf76..8fa952be 100644 --- a/nss/cmd/smimetools/cmsutil.c +++ b/nss/cmd/smimetools/cmsutil.c @@ -1635,7 +1635,8 @@ main(int argc, char **argv) NULL, NULL); /* detached digests */ if (!ecx) { fprintf(stderr, "%s: cannot create encoder context.\n", progName); - exit(1); + exitstatus = 1; + goto loser; } if (cms_verbose) { fprintf(stderr, "input len [%d]\n", input.len); @@ -1650,13 +1651,18 @@ main(int argc, char **argv) if (rv) { fprintf(stderr, "%s: failed to add data to encoder.\n", progName); - exit(1); + (void)NSS_CMSEncoder_Finish(ecx); + PORT_FreeArena(arena, PR_FALSE); + exitstatus = 1; + goto loser; } } rv = NSS_CMSEncoder_Finish(ecx); if (rv) { SECU_PrintError(progName, "failed to encode data"); - exit(1); + PORT_FreeArena(arena, PR_FALSE); + exitstatus = 1; + goto loser; } if (cms_verbose) { @@ -1668,6 +1674,7 @@ main(int argc, char **argv) } PORT_FreeArena(arena, PR_FALSE); } +loser: if (cmsg) NSS_CMSMessage_Destroy(cmsg); if (outFile != stdout) diff --git a/nss/cmd/tstclnt/tstclnt.c b/nss/cmd/tstclnt/tstclnt.c index c1a71393..e70d13fe 100644 --- a/nss/cmd/tstclnt/tstclnt.c +++ b/nss/cmd/tstclnt/tstclnt.c @@ -588,11 +588,11 @@ verifyFromSideChannel(CERTCertificate *cert, ServerCertAuth *sca) static void dumpCertificatePEM(CERTCertificate *cert) { - SECItem data; - data.data = cert->derCert.data; - data.len = cert->derCert.len; - fprintf(stderr, "%s\n%s\n%s\n", NS_CERT_HEADER, - BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER); + char *asciiDER = BTOA_DataToAscii(cert->derCert.data, cert->derCert.len); + if (asciiDER) { + fprintf(stderr, "%s\n%s\n%s\n", NS_CERT_HEADER, asciiDER, NS_CERT_TRAILER); + PORT_Free(asciiDER); + } } static void @@ -608,9 +608,9 @@ dumpServerCertificateChain(PRFileDesc *fd) if (!dumpServerChain) { return; } else if (dumpServerChain == 1) { - dumpFunction = (SECU_PPFunc)SECU_PrintCertificateBasicInfo; + dumpFunction = SECU_PrintCertificateBasicInfo; } else { - dumpFunction = (SECU_PPFunc)SECU_PrintCertificate; + dumpFunction = SECU_PrintCertificate; if (dumpServerChain > 2) { dumpCertPEM = PR_TRUE; } diff --git a/nss/cmd/tstclnt/tstclnt.gyp b/nss/cmd/tstclnt/tstclnt.gyp index 0aa012ac..cdb31bb7 100644 --- a/nss/cmd/tstclnt/tstclnt.gyp +++ b/nss/cmd/tstclnt/tstclnt.gyp @@ -16,7 +16,6 @@ 'dependencies': [ '<(DEPTH)/exports.gyp:dbm_exports', '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/lib/ssl/ssl.gyp:ssl', '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib' ], 'include_dirs': [ diff --git a/nss/cmd/vfyserv/vfyserv.c b/nss/cmd/vfyserv/vfyserv.c index 3747cc24..5c3d42ef 100644 --- a/nss/cmd/vfyserv/vfyserv.c +++ b/nss/cmd/vfyserv/vfyserv.c @@ -340,16 +340,19 @@ client_main(int connections) /* Setup network connection. */ prStatus = PR_GetHostByName(hostName, buffer, sizeof(buffer), &hostEntry); if (prStatus != PR_SUCCESS) { + PORT_Free(hostName); exitErr("PR_GetHostByName"); } rv = PR_EnumerateHostEnt(0, &hostEntry, port, &addr); if (rv < 0) { + PORT_Free(hostName); exitErr("PR_EnumerateHostEnt"); } secStatus = launch_thread(&threadMGR, do_connects, &addr, 1); if (secStatus != SECSuccess) { + PORT_Free(hostName); exitErr("launch_thread"); } @@ -440,6 +443,8 @@ main(int argc, char **argv) Usage(progName); } } + PL_DestroyOptState(optstate); + optstate = NULL; if (port == 0) { port = 443; @@ -461,6 +466,8 @@ main(int argc, char **argv) /* Initialize the NSS libraries. */ if (certDir) { secStatus = NSS_Init(certDir); + PR_Free(certDir); + certDir = NULL; } else { secStatus = NSS_NoDB_Init(NULL); diff --git a/nss/coreconf/arch.mk b/nss/coreconf/arch.mk index 711d19df..fbc15ef8 100644 --- a/nss/coreconf/arch.mk +++ b/nss/coreconf/arch.mk @@ -141,8 +141,8 @@ endif # If uname -s returns "MINGW*_NT-*", we assume that we are using # the uname.exe in the MSYS toolkit. # -ifneq (,$(filter MINGW32_NT-% MINGW64_NT-%,$(OS_ARCH))) - OS_RELEASE := $(patsubst MINGW64_NT-%,%,$(patsubst MINGW32_NT-%,%,$(OS_ARCH))) +ifneq (,$(filter MSYS_NT-% MINGW32_NT-% MINGW64_NT-%,$(OS_ARCH))) + OS_RELEASE := $(patsubst MSYS_NT-%,%,$(patsubst MINGW64_NT-%,%,$(patsubst MINGW32_NT-%,%,$(OS_ARCH)))) OS_ARCH = WINNT USE_MSYS = 1 ifndef CPU_ARCH diff --git a/nss/coreconf/config.gypi b/nss/coreconf/config.gypi index b9403a95..eccce08d 100644 --- a/nss/coreconf/config.gypi +++ b/nss/coreconf/config.gypi @@ -200,7 +200,7 @@ }], [ 'fuzz==1', { 'variables': { - 'debug_optimization_level%': '1', + 'debug_optimization_level%': '3', }, }], [ 'target_arch=="ia32" or target_arch=="x64"', { diff --git a/nss/coreconf/coreconf.dep b/nss/coreconf/coreconf.dep index 5182f755..590d1bfa 100644 --- a/nss/coreconf/coreconf.dep +++ b/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/nss/coreconf/sanitizers.py b/nss/coreconf/sanitizers.py index 48fd148c..5e6159de 100644 --- a/nss/coreconf/sanitizers.py +++ b/nss/coreconf/sanitizers.py @@ -5,7 +5,7 @@ def main(): if len(sys.argv) < 2: - raise Exception('Specify either "asan", "fuzzer", "msan", "sancov", "sourcecov" or "ubsan" as argument.') + raise Exception('Specify either "asan", "fuzzer", "msan", "sancov", "sourcecov", "tsan" or "ubsan" as argument.') sanitizer = sys.argv[1] if sanitizer == "ubsan": @@ -30,6 +30,10 @@ def main(): if sanitizer == "sourcecov": print('-fprofile-instr-generate -fcoverage-mapping', end='') return + if sanitizer == "tsan": + print('-fsanitize=thread ', end='') + print('-fno-omit-frame-pointer -fno-optimize-sibling-calls ', end='') + return if sanitizer == "fuzzer": print('-fsanitize=fuzzer-no-link ', end='') return diff --git a/nss/doc/pk12util.xml b/nss/doc/pk12util.xml index 184c8805..45a7a4fa 100644 --- a/nss/doc/pk12util.xml +++ b/nss/doc/pk12util.xml @@ -38,6 +38,7 @@ -P dbprefix -r -v + -I --cert-key-len certKeyLength -k slotPasswordFile|-K slotPassword -w p12filePasswordFile|-W p12filePassword @@ -146,6 +147,11 @@ Enable debug logging when importing. + + -I + Ignore integrity check results on importing and listing. + + -w p12filePasswordFile Specify the text file containing the pkcs #12 file password. @@ -317,7 +323,7 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L Password Encryption - PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. + PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. The private key is always protected with strong encryption by default. Several types of ciphers are supported. @@ -327,6 +333,7 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") + PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC") diff --git a/nss/doc/rst/releases/index.rst b/nss/doc/rst/releases/index.rst index 02d41f51..607dc402 100644 --- a/nss/doc/rst/releases/index.rst +++ b/nss/doc/rst/releases/index.rst @@ -8,11 +8,18 @@ Releases :glob: :hidden: + nss_3_110.rst + nss_3_109.rst + nss_3_108.rst + nss_3_101_3.rst + nss_3_107.rst + nss_3_106.rst + nss_3_105.rst nss_3_104.rst nss_3_103.rst nss_3_102_1.rst nss_3_102.rst - nss_3_101.2.rst + nss_3_101_2.rst nss_3_101_1.rst nss_3_101.rst nss_3_100.rst @@ -76,44 +83,33 @@ Releases .. note:: - **NSS 3.104** is the latest version of NSS. - Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_104_release_notes` + **NSS 3.110** is the latest version of NSS. + Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_110_release_notes` - **NSS 3.101.2 (ESR)** is the latest ESR version of NSS. - Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_1_release_notes` + **NSS 3.101.3 (ESR)** is the latest ESR version of NSS. + Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes` .. container:: - Changes in 3.104 included in this release: - - - Bug 1910071 - Copy original corpus to heap-allocated buffer - - Bug 1910079 - Fix min ssl version for DTLS client fuzzer - - Bug 1908990 - Remove OS2 support just like we did on NSPR - - Bug 1910605 - clang-format NSS improvements - - Bug 1902078 - Adding basicutil.h to use HexString2SECItem function - - Bug 1908990 - removing dirent.c from build - - Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible ( - - Bug 1908990 - remove nec4.3, sunos4, riscos and SNI references - - Bug 1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix - - Bug 1908990 - remove mentions of WIN95 - - Bug 1908990 - remove mentions of WIN16 - - Bug 1913750 - More explicit directory naming - - Bug 1913755 - Add more options to TLS server fuzz target - - Bug 1913675 - Add more options to TLS client fuzz target - - Bug 1835240 - Use OSS-Fuzz corpus in NSS CI - - Bug 1908012 - set nssckbi version number to 2.70. - - Bug 1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert. - - Bug 1908009 - Remove Email Trust bit from certSIGN ROOT CA. - - Bug 1908006 - Add Cybertrust Japan Roots to NSS. - - Bug 1908004 - Add Taiwan CA Roots to NSS. - - Bug 1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber. - - Bug 1913132 - Fix tstclnt CI build failure - - Bug 1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow. - - Bug 1912427 - Enable all supported protocol versions for UDP - - Bug 1910361 - Actually use random PSK hash type - - Bug 1911576: Initialize NSS DB once - - Bug 1910361 - Additional ECH cipher suites and PSK hash types - - Bug 1903604: Automate corpus file generation for TLS client Fuzzer - - Bug 1910364 - Fix crash with UNSAFE_FUZZER_MODE - - Bug 1910605 - clang-format shlibsign.c + Changes in 3.110 included in this release: + - Bug 1930806 - FIPS changes need to be upstreamed: force ems policy. + - Bug 1954724 - Prevent excess allocations in sslBuffer_Grow. + - Bug 1953429 - Remove Crl templates from ASN1 fuzz target. + - Bug 1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target. + - Bug 1952855 - Fix memory leak in NSS_CMSMessage_IsSigned. + - Bug 1930807 - NSS policy updates. + - Bug 1951161 - Improve locking in nssPKIObject_GetInstances. + - Bug 1951394 - Fix race in sdb_GetMetaData. + - Bug 1951800 - Fix member access within null pointer. + - Bug 1950077 - Increase smime fuzzer memory limit. + - Bug 1949677 - Enable resumption when using custom extensions. + - Bug 1952568 - change CN of server12 test certificate. + - Bug 1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle. + - Bug 1949118 - Part 1: Fix smime UBSan errors. + - Bug 1930806 - FIPS changes need to be upstreamed: updated key checks. + - Bug 1951491 - Don't build libpkix in static builds. + - Bug 1951395 - handle `-p all` in try syntax. + - Bug 1951346 - fix opt-make builds to actually be opt. + - Bug 1951346 - fix opt-static builds to actually be opt. + - Bug 1916439 - Remove extraneous assert. diff --git a/nss/doc/rst/releases/nss_3_101.2.rst b/nss/doc/rst/releases/nss_3_101_2.rst similarity index 100% rename from nss/doc/rst/releases/nss_3_101.2.rst rename to nss/doc/rst/releases/nss_3_101_2.rst diff --git a/nss/doc/rst/releases/nss_3_101_3.rst b/nss/doc/rst/releases/nss_3_101_3.rst new file mode 100644 index 00000000..73ae978d --- /dev/null +++ b/nss/doc/rst/releases/nss_3_101_3.rst @@ -0,0 +1,61 @@ +.. _mozilla_projects_nss_nss_3_101_3_release_notes: + +NSS 3.101_3 release notes +========================= + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.101.3 was released on *23 January 2025**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_101_3_RTM. NSS 3.101_3 requires NSPR 4.35 or newer. + + NSS 3.101_3 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_101_3_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.101_3: + +`Changes in NSS 3.101_3 <#changes_in_nss_3.101_3>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1935984 - Ensure zero-initialization of collectArgs.cert + - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set + - Bug 1926256 - fix build error from 9505f79d + - Bug 1926256 - simplify error handling in get_token_objects_for_cache. + - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. + - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c. + - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. + - Bug 1899402 - Correctly destroy bulkkey in error scenario. + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.101_3 shared libraries are backwards-compatible with all older NSS 3.x shared + libraries. A program linked with older NSS 3.x shared libraries will work with + this new version of the shared libraries without recompiling or + relinking. Furthermore, applications that restrict their use of NSS APIs to the + functions listed in NSS Public Functions will remain compatible with future + versions of the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report on + `bugzilla.mozilla.org `__ (product NSS). diff --git a/nss/doc/rst/releases/nss_3_105.rst b/nss/doc/rst/releases/nss_3_105.rst new file mode 100644 index 00000000..028721d9 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_105.rst @@ -0,0 +1,70 @@ +.. _mozilla_projects_nss_nss_3_105_release_notes: + +NSS 3.105 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.105 was released on *26 September 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_105_RTM. NSS 3.105 requires NSPR 4.35 or newer. + + NSS 3.105 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_105_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.105: + +`Changes in NSS 3.105 <#changes_in_nss_3.105>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key + - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c + - Bug 1919577 - set KRML_MUSTINLINE=inline in makefile builds + - Bug 1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys + - Bug 1918767 - override default definition of KRML_MUSTINLINE + - Bug 1916525 - libssl support for mlkem768x25519 + - Bug 1916524 - support for ML-KEM-768 in softoken and pk11wrap + - Bug 1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL + - Bug 1911912 - Avoid misuse of ctype(3) functions + - Bug 1917311 - part 2: run clang-format + - Bug 1917311 - part 1: upgrade to clang-format 13 + - Bug 1916953 - clang-format fuzz + - Bug 1910370 - DTLS client message buffer may not empty be on retransmit + - Bug 1916413 - Optionally print config for TLS client and server fuzz target + - Bug 1916059 - Fix some simple documentation issues in NSS. + - Bug 1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr + - Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN + +`Compatibility <#compatibility>`__ +---------------------------------- + +.. container:: + + NSS 3.105 shared libraries are backwards-compatible with all older NSS 3.x shared + libraries. A program linked with older NSS 3.x shared libraries will work with + this new version of the shared libraries without recompiling or + relinking. Furthermore, applications that restrict their use of NSS APIs to the + functions listed in NSS Public Functions will remain compatible with future + versions of the NSS shared libraries. + +`Feedback <#feedback>`__ +------------------------ + +.. container:: + + Bugs discovered should be reported by filing a bug report on + `bugzilla.mozilla.org `__ (product NSS). diff --git a/nss/doc/rst/releases/nss_3_106.rst b/nss/doc/rst/releases/nss_3_106.rst new file mode 100644 index 00000000..8ec10cd0 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_106.rst @@ -0,0 +1,52 @@ +.. _mozilla_projects_nss_nss_3_106_release_notes: + +NSS 3.106 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.106 was released on *24 October 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_106_RTM. NSS 3.106 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36. + + NSS 3.106 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_106_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.106: + +`Changes in NSS 3.106 <#changes_in_nss_3.106>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1925975 - NSS 3.106 should be distributed with NSPR 4.36. + - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. + - Bug 1899402 - Correctly destroy bulkkey in error scenario. + - Bug 1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers. + - Bug 1923002 - Extract certificates with handshake collection script. + - Bug 1923006 - Specify len_control for fuzz targets. + - Bug 1923280 - Fix memory leak in dumpCertificatePEM. + - Bug 1102981 - Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. + - Bug 1921528 - add new error codes to mozilla::pkix for Firefox to use. + - Bug 1921768 - allow null phKey in NSC_DeriveKey. + - Bug 1921801 - Only create seed corpus zip from existing corpus. + - Bug 1826035 - Use explicit allowlist for for KDF PRFS. + - Bug 1920138 - Increase optimization level for fuzz builds. + - Bug 1920470 - Remove incorrect assert. + - Bug 1914870 - Use libFuzzer options from fuzz/options/\*.options in CI. + - Bug 1920945 - Polish corpus collection for automation. + - Bug 1917572 - Detect new and unfuzzed SSL options. + - Bug 1804646 - PKCS12 fuzzing target. + diff --git a/nss/doc/rst/releases/nss_3_107.rst b/nss/doc/rst/releases/nss_3_107.rst new file mode 100644 index 00000000..d7cbf3c5 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_107.rst @@ -0,0 +1,54 @@ +.. _mozilla_projects_nss_nss_3_107_release_notes: + +NSS 3.107 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.107 was released on *21 November 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_107_RTM. NSS 3.107 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36. + + NSS 3.107 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_107_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.107: + +`Changes in NSS 3.107 <#changes_in_nss_3.107>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1923038 - Remove MPI fuzz targets. + - Bug 1925512 - Remove globals `lockStatus` and `locksEverDisabled`. + - Bug 1919015 - Enable PKCS8 fuzz target. + - Bug 1923037 - Integrate Cryptofuzz in CI. + - Bug 1913677 - Part 2: Set tls server target socket options in config class. + - Bug 1913677 - Part 1: Set tls client target socket options in config class. + - Bug 1913680 - Support building with thread sanitizer. + - Bug 1922392 - set nssckbi version number to 2.72. + - Bug 1919913 - remove Websites Trust Bit from Entrust Root Certification Authority - G4. + - Bug 1920641 - remove Security Communication RootCA3 root cert. + - Bug 1918559 - remove SecureSign RootCA11 root cert. + - Bug 1922387 - Add distrust-after for TLS to Entrust Roots. + - Bug 1927096 - update expected error code in pk12util pbmac1 tests. + - Bug 1929041 - Use random tstclnt args with handshake collection script. + - Bug 1920466 - Remove extraneous assert in ssl3gthr.c. + - Bug 1928402 - Adding missing release notes for NSS_3_105. + - Bug 1874451 - Enable the disabled mlkem tests for dtls. + - Bug 1874451 - NSS gtests filter cleans up the constucted buffer before the use. + - Bug 1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe. + - Bug 1925503 - Remove short circuit test from ssl_Init. + diff --git a/nss/doc/rst/releases/nss_3_108.rst b/nss/doc/rst/releases/nss_3_108.rst new file mode 100644 index 00000000..faed67b1 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_108.rst @@ -0,0 +1,75 @@ +.. _mozilla_projects_nss_nss_3_108_release_notes: + +NSS 3.108 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.108 was released on *4 February 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_108_RTM. NSS 3.108 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36. + + NSS 3.108 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_108_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.108: + +`Changes in NSS 3.108 <#changes_in_nss_3.108>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1923285 - libclang-16 -> libclang-19 + - Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1. + - Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2. + - Bug 1915902 - Remove SwissSign Silver CA – G2. + - Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS + - Bug 1942301 - fix fips test failure on windows. + - Bug 1935925 - change default sensitivity of KEM keys. + - Bug 1936001 - Part 1: Introduce frida hooks and script, + - Bug 1942350 - add missing arm_neon.h include to gcm.c. + - Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2 + - Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova + - Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova + - Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova + - Bug 1880255 - detect msys r=nss-reviewers,nkulatova + - Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler + - Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1 + - Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG + - Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero + - Bug 1930806 FIPS changes need to be upstreamed - updated POST + - Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing + - Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers + - Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers + - Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers + - Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers + - Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck + - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck + - Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers + - Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers + - Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers + - Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers + - Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers + - Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers + - Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers + - Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers + - Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers + - Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova + - Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova + - Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova + - Bug 1926256 - fix build error from 9505f79d r=jschanck + - Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea + - Bug 1931973 - nss doc: fix a warning r=bbeurdouche + - Bug 1930797 pkcs12 fixes from RHEL need to be picked up. \ No newline at end of file diff --git a/nss/doc/rst/releases/nss_3_109.rst b/nss/doc/rst/releases/nss_3_109.rst new file mode 100644 index 00000000..fd0e1e17 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_109.rst @@ -0,0 +1,62 @@ +.. _mozilla_projects_nss_nss_3_109_release_notes: + +NSS 3.109 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.109 was released on *28 February 2024**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_109_RTM. NSS 3.109 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36. + + NSS 3.109 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_109_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.109: + +`Changes in NSS 3.109 <#changes_in_nss_3.109>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1939512 - Call BL_Init before RNG_RNGInit() so that special SHA instructions can be used if available + - Bug 1930807 - NSS policy updates - fix inaccurate key policy issues + - Bug 1945883 - SMIME fuzz target + - Bug 1914256 - ASN1 decoder fuzz target + - Bug 1936001 - Part 2: Revert "Extract testcases from ssl gtests for fuzzing" + - Bug 1915155 - Add fuzz/README.md + - Bug 1936001 - Part 4: Fix tstclnt arguments script + - Bug 1944545 - Extend pkcs7 fuzz target + - Bug 1912320 - Extend certDN fuzz target + - Bug 1854095 - delete old docker image definitions and task scheduling code + - Bug 1854095 - apply nspr patch in acvp script + - Bug 1854095 - parse try syntax on pushes to nss-try + - Bug 1854095 - add "fuzz" task kind + - Bug 1854095 - add "test" task kind + - Bug 1854095 - add "certs" task kind + - Bug 1854095 - add "build" task kind + - Bug 1854095 - add "tools" task kind + - Bug 1854095 - add "fuzz" docker image + - Bug 1854095 - add "gcc-4.4" docker image + - Bug 1854095 - add "clang-format" docker image + - Bug 1854095 - add "acvp" docker image + - Bug 1854095 - add "builds" docker image + - Bug 1854095 - switch .taskcluster.yml to taskgraph + - Bug 1944300 - restore alloca.h include + - Bug 1944300 - refactor run_hacl.sh slightly + - Bug 1944300 - ignore all libcrux files in run_hacl.sh + - Bug 1944300 - use `diff -u` in HACL* consistency check + - Bug 1944300 - revert changes to HACL* files from bug 1866841 + - Bug 1936001 - Part 3: Package frida corpus script diff --git a/nss/doc/rst/releases/nss_3_110.rst b/nss/doc/rst/releases/nss_3_110.rst new file mode 100644 index 00000000..00aa9017 --- /dev/null +++ b/nss/doc/rst/releases/nss_3_110.rst @@ -0,0 +1,54 @@ +.. _mozilla_projects_nss_nss_3_110_release_notes: + +NSS 3.110 release notes +======================== + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + Network Security Services (NSS) 3.110 was released on *28 March 2025**. + +`Distribution Information <#distribution_information>`__ +-------------------------------------------------------- + +.. container:: + + The HG tag is NSS_3_110_RTM. NSS 3.110 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36. + + NSS 3.110 source distributions are available on ftp.mozilla.org for secure HTTPS download: + + - Source tarballs: + https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_110_RTM/src/ + + Other releases are available :ref:`mozilla_projects_nss_releases`. + +.. _changes_in_nss_3.110: + +`Changes in NSS 3.110 <#changes_in_nss_3.110>`__ +------------------------------------------------------------------ + +.. container:: + + - Bug 1930806 - FIPS changes need to be upstreamed: force ems policy. + - Bug 1954724 - Prevent excess allocations in sslBuffer_Grow. + - Bug 1953429 - Remove Crl templates from ASN1 fuzz target. + - Bug 1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target. + - Bug 1952855 - Fix memory leak in NSS_CMSMessage_IsSigned. + - Bug 1930807 - NSS policy updates. + - Bug 1951161 - Improve locking in nssPKIObject_GetInstances. + - Bug 1951394 - Fix race in sdb_GetMetaData. + - Bug 1951800 - Fix member access within null pointer. + - Bug 1950077 - Increase smime fuzzer memory limit. + - Bug 1949677 - Enable resumption when using custom extensions. + - Bug 1952568 - change CN of server12 test certificate. + - Bug 1949118 - Part 2: Add missing check in NSS_CMSDigestContext_FinishSingle. + - Bug 1949118 - Part 1: Fix smime UBSan errors. + - Bug 1930806 - FIPS changes need to be upstreamed: updated key checks. + - Bug 1951491 - Don't build libpkix in static builds. + - Bug 1951395 - handle `-p all` in try syntax. + - Bug 1951346 - fix opt-make builds to actually be opt. + - Bug 1951346 - fix opt-static builds to actually be opt. + - Bug 1916439 - Remove extraneous assert. + diff --git a/nss/fuzz/README.md b/nss/fuzz/README.md new file mode 100644 index 00000000..a5d144b8 --- /dev/null +++ b/nss/fuzz/README.md @@ -0,0 +1,24 @@ +# Build +The fuzz targets can be build with `./build.sh --fuzz [--disable-tests]`. They compile with ASan and UBSan by default, see `coreconf/fuzz.sh`. + +# OSS-Fuzz +All fuzz targets run continuously on oss-fuzz, the respective `project.yaml` can be found at https://github.com/google/oss-fuzz/blob/master/projects/nss/project.yaml. An overview with code coverage is available at https://introspector.oss-fuzz.com/project-profile?project=nss, as well as a link to a more detailed fuzz introspector report. + +# MozillaSecurity/orion +We regularly run two services, one to collect coverage information ourselves and another one to mirror the public oss-fuzz corpora and populate the private bucket with new testcases. Code coverage reports can be found at https://fuzzmanager.fuzzing.mozilla.org/covmanager/reports/. + +- nss-coverage service: https://github.com/MozillaSecurity/orion/tree/master/services/nss-coverage +- nss-corpus-update service: https://github.com/MozillaSecurity/orion/tree/master/services/nss-corpus-update + +# Adding a new fuzz target +The fuzz targets are located at `fuzz/targets`. Some additional things to keep in my mind when adding a new fuzz target: +- Every fuzz target needs a `.options` file at `fuzz/options`, other fuzz tooling depends on it. +- For CI integration, schedule the corresponding fuzzing runs at `automation/taskcluster/graph/src/extend.js`. +- Testcases can be extracted from the existing tests by adding hooks to `fuzz/config/frida_corpus/hooks.js` and `fuzz/config/frida_corpus/cli.py`. + +# Useful Links +- https://oss-fuzz.com/ +- https://introspector.oss-fuzz.com/project-profile?project=nss +- https://fuzzmanager.fuzzing.mozilla.org/covmanager/reports/ +- https://github.com/MozillaSecurity/orion +- https://treeherder.mozilla.org/jobs?repo=nss-try diff --git a/nss/fuzz/asn1_mutators.h b/nss/fuzz/asn1_mutators.h deleted file mode 100644 index 8bf02d49..00000000 --- a/nss/fuzz/asn1_mutators.h +++ /dev/null @@ -1,16 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this file, - * You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef asn1_mutators_h__ -#define asn1_mutators_h__ - -#include -#include - -size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize, - unsigned int Seed); -size_t ASN1MutatorChangeType(uint8_t *Data, size_t Size, size_t MaxSize, - unsigned int Seed); - -#endif // asn1_mutators_h__ diff --git a/nss/fuzz/config/frida_corpus/cli.py b/nss/fuzz/config/frida_corpus/cli.py new file mode 100644 index 00000000..6a914211 --- /dev/null +++ b/nss/fuzz/config/frida_corpus/cli.py @@ -0,0 +1,206 @@ +#!/usr/bin/env python +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. + +import argparse +import hashlib +import os +import threading + +import frida + +ARGUMENTS = {} +SOCKETS = {} +TERMINATE = threading.Condition() + + +def store_for_target(target, data): + filename = hashlib.sha1(data).hexdigest() + directory = os.path.join(ARGUMENTS["output"], target) + + os.makedirs(directory, exist_ok=True) + + with open(os.path.join(directory, filename), "wb") as f: + f.write(data) + + +# --- asn1 --- + + +def on_SEC_ASN1DecodeItem_Util(payload): + if not "data" in payload: + return + + store_for_target("asn1", bytes(payload["data"].values())) + + +# --- certDN --- + + +def on_CERT_AsciiToName(payload): + if not "data" in payload: + return + + store_for_target("certDN", payload["data"].encode()) + + +# --- pkcs7 --- + + +def on_CERT_DecodeCertPackage(payload): + if not "data" in payload: + return + + store_for_target("pkcs7", bytes(payload["data"].values())) + + +# --- pkcs8 --- + + +def on_PK11_ImportDERPrivateKeyInfoAndReturnKey(payload): + if not "data" in payload: + return + + store_for_target("pkcs8", bytes(payload["data"].values())) + + +# --- pkcs12 --- + + +def on_SEC_PKCS12DecoderUpdate(payload): + if not "data" in payload: + return + + store_for_target("pkcs12", bytes(payload["data"].values())) + + +# --- quickder --- + + +def on_SEC_QuickDERDecodeItem_Util(payload): + if not "data" in payload: + return + + store_for_target("quickder", bytes(payload["data"].values())) + + +# --- smime --- + + +def on_NSS_CMSDecoder_Update(payload): + if not "data" in payload: + return + + store_for_target("smime", bytes(payload["data"].values())) + + +# --- TLS --- + + +def on_ssl_DefClose(payload): + ss = payload["ss"] + if not ss in SOCKETS: + return + + # There is no way for us to determine (in a clean and future-proof) + # way the variant (DTLS/TLS) and origin (client/server) of the + # received data. + # Since you want to minimize the corpus anyway, we just say it belongs + # to all possible targets. + data = SOCKETS[ss].lstrip(b"\x00") + store_for_target("tls-client", data) + + base_output_path = os.path.abspath(ARGUMENTS["output"]) + for target in ["dtls-client", "dtls-server", "tls-client", "tls-server"]: + if not os.path.exists(os.path.join(base_output_path, target)): + os.symlink(os.path.join(base_output_path, "tls-client"), + os.path.join(base_output_path, target), + target_is_directory=True) + + del SOCKETS[ss] + + +def on_ssl_DefRecv(payload): + if not "data" in payload: + return + + ss = payload["ss"] + if not ss in SOCKETS: + SOCKETS[ss] = bytes() + + SOCKETS[ss] += bytes(payload["data"].values()) + + +def on_ssl_DefRead(payload): + if not "data" in payload: + return + + ss = payload["ss"] + if not ss in SOCKETS: + SOCKETS[ss] = bytes() + + SOCKETS[ss] += bytes(payload["data"].values()) + + +def script_on_message(message, _data): + if message["type"] != "send": + print(message) + return + + assert message["type"] == "send" + + payload = message["payload"] + func = "on_" + payload["func"] + + assert func in globals() + globals()[func](payload) + + +def session_on_detached(): + with TERMINATE: + TERMINATE.notify_all() + + +def main(): + parser = argparse.ArgumentParser() + parser.add_argument("--script", required=True, type=str) + parser.add_argument("--nss-build", + required=True, + type=str, + help="e.g. /path/to/dist/Debug") + parser.add_argument("--program", required=True, type=str) + parser.add_argument("--output", required=True, type=str) + + args, programargs = parser.parse_known_args() + + global ARGUMENTS + ARGUMENTS = vars(args) + + with open(args.script, "r") as f: + script = f.read() + + pid = frida.spawn(program=args.program, + argv=programargs, + env={ + **os.environ, "LD_LIBRARY_PATH": + os.path.join(args.nss_build, "lib") + }) + session = frida.attach(pid) + + script = session.create_script(script) + script.load() + + script.on("message", script_on_message) + + session.resume() + frida.resume(pid) + + session.on("detached", session_on_detached) + + with TERMINATE: + TERMINATE.wait() + + +if __name__ == "__main__": + main() diff --git a/nss/fuzz/config/frida_corpus/hooks.js b/nss/fuzz/config/frida_corpus/hooks.js new file mode 100644 index 00000000..cf7e5ba9 --- /dev/null +++ b/nss/fuzz/config/frida_corpus/hooks.js @@ -0,0 +1,181 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at https://mozilla.org/MPL/2.0/. + +// --- asn1 --- + +if (DebugSymbol.findFunctionsNamed("SEC_ASN1DecodeItem_Util").length) { + console.log("Attaching `SEC_ASN1DecodeItem_Util` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("SEC_ASN1DecodeItem_Util").address, { + onEnter: function (args) { + const secItem = args[3]; // { type(8), data(8), len(4) } + + const len = secItem.add(8).add(8).readUInt(); + const buf = secItem.add(8).readByteArray(len); + + send({ + func: "SEC_ASN1DecodeItem_Util", + data: new Uint8Array(buf), + }); + }, + }); +} + +// --- certDN --- + +if (DebugSymbol.findFunctionsNamed("CERT_AsciiToName").length) { + console.log("Attaching `CERT_AsciiToName` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("CERT_AsciiToName").address, { + onEnter: function (args) { + send({ + func: "CERT_AsciiToName", + data: args[0].readUtf8String(), + }); + }, + }); +} + +// --- pkcs7 --- + +if (DebugSymbol.findFunctionsNamed("CERT_DecodeCertPackage").length) { + console.log("Attaching `CERT_DecodeCertPackage` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("CERT_DecodeCertPackage").address, { + onEnter: function (args) { + const len = args[1].toInt32(); + const buf = args[0].readByteArray(len); + + send({ + func: "CERT_DecodeCertPackage", + data: new Uint8Array(buf), + }); + }, + }); +} + +// --- pkcs8 --- + +if ( + DebugSymbol.findFunctionsNamed("PK11_ImportDERPrivateKeyInfoAndReturnKey") + .length +) { + console.log( + "Attaching `PK11_ImportDERPrivateKeyInfoAndReturnKey` interceptor...", + ); + Interceptor.attach( + DebugSymbol.fromName("PK11_ImportDERPrivateKeyInfoAndReturnKey").address, + { + onEnter: function (args) { + const secItem = args[3]; // { type(8), data(8), len(4) } + + const len = secItem.add(8).add(8).readUInt(); + const buf = secItem.add(8).readByteArray(len); + + send({ + func: "PK11_ImportDERPrivateKeyInfoAndReturnKey", + data: new Uint8Array(buf), + }); + }, + }, + ); +} + +// --- pkcs12 --- + +if (DebugSymbol.findFunctionsNamed("SEC_PKCS12DecoderUpdate").length) { + console.log("Attaching `SEC_PKCS12DecoderUpdate` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("SEC_PKCS12DecoderUpdate").address, { + onEnter: function (args) { + const len = args[2].toInt32(); + const buf = args[1].readByteArray(len); + + send({ func: "SEC_PKCS12DecoderUpdate", data: new Uint8Array(buf) }); + }, + }); +} + +// --- quickder --- + +if (DebugSymbol.findFunctionsNamed("SEC_QuickDERDecodeItem_Util").length) { + console.log("Attaching `SEC_QuickDERDecodeItem_Util` interceptor..."); + Interceptor.attach( + DebugSymbol.fromName("SEC_QuickDERDecodeItem_Util").address, + { + onEnter: function (args) { + const secItem = args[3]; // { type(8), data(8), len(4) } + + const len = secItem.add(8).add(8).readUInt(); + const buf = secItem.add(8).readByteArray(len); + + send({ + func: "SEC_QuickDERDecodeItem_Util", + data: new Uint8Array(buf), + }); + }, + }, + ); +} + +// -- smime -- + +if (DebugSymbol.findFunctionsNamed("NSS_CMSDecoder_Update").length) { + console.log("Attaching `NSS_CMSDecoder_Update` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("NSS_CMSDecoder_Update").address, { + onEnter: function (args) { + const len = args[2].toInt32(); + const buf = args[1].readByteArray(len); + + send({ func: "NSS_CMSDecoder_Update", data: new Uint8Array(buf) }); + }, + }); +} + +// --- TLS --- + +if (DebugSymbol.findFunctionsNamed("ssl_DefClose").length) { + console.log("Attaching `ssl_DefClose` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("ssl_DefClose").address, { + onEnter: function (args) { + send({ func: "ssl_DefClose", ss: args[0] }); + }, + }); +} + +if (DebugSymbol.findFunctionsNamed("ssl_DefRecv").length) { + console.log("Attaching `ssl_DefRecv` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("ssl_DefRecv").address, { + onEnter: function (args) { + this.ss = args[0]; + this.buf = args[1]; + this.len = args[2].toInt32(); + }, + onLeave: function (_retVal) { + const buf = this.buf.readByteArray(this.len); + + send({ + func: "ssl_DefRecv", + ss: this.ss, + data: new Uint8Array(buf), + }); + }, + }); +} + +if (DebugSymbol.findFunctionsNamed("ssl_DefRead").length) { + console.log("Attaching `ssl_DefRead` interceptor..."); + Interceptor.attach(DebugSymbol.fromName("ssl_DefRead").address, { + onEnter: function (args) { + this.ss = args[0]; + this.buf = args[1]; + this.len = args[2].toInt32(); + }, + onLeave: function (_retVal) { + const buf = this.buf.readByteArray(this.len); + + send({ + func: "ssl_DefRead", + ss: this.ss, + data: new Uint8Array(buf), + }); + }, + }); +} diff --git a/nss/fuzz/config/frida_corpus/pyproject.toml b/nss/fuzz/config/frida_corpus/pyproject.toml new file mode 100644 index 00000000..9737cc64 --- /dev/null +++ b/nss/fuzz/config/frida_corpus/pyproject.toml @@ -0,0 +1,14 @@ +[build-system] +requires = ["setuptools>=64"] +build-backend = "setuptools.build_meta" + +[project] +name = "frida-corpus" +requires-python = ">=3.9" +dependencies = [ + "frida>=16.6.5" +] +dynamic = ["version"] + +[project.scripts] +frida-corpus = "cli:main" diff --git a/nss/fuzz/config/gen_corpus.py b/nss/fuzz/config/gen_corpus.py deleted file mode 100644 index 48722025..00000000 --- a/nss/fuzz/config/gen_corpus.py +++ /dev/null @@ -1,137 +0,0 @@ -#!/usr/bin/env python3 - -import argparse -import hashlib -import itertools -import os -import re -import subprocess -import sys -import threading - -EXTERNAL_PSK = "0x783666676F55306932745A32303354442B394A3271735A7A30714B464B645943" -ECH_CONFIGS = "AEX+DQBBcQAgACDh4IuiuhhInUcKZx5uYcehlG9PQ1ZlzhvVZyjJl7dscQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=" - -TSTCLNT_ARGS = [ - "-o", # Override bad server cert. Make it OK. - "-D", # Run without a cert database - "-Q", # Quit after handshake - "-b", # Load the default "builtins" root CA module - "--enable-rfc8701-grease", - "--enable-ch-extension-permutation", - "--zlib-certificate-compression", - "-z", - EXTERNAL_PSK, - "-N", - ECH_CONFIGS, -] - - -def brrrrr(hosts, args): - tstclnt_bin = os.path.join(args.nss, "bin/tstclnt") - ld_libary_path = os.path.join(args.nss, "lib") - - for host in hosts: - try: - result = subprocess.run([ - "strace", "-f", "-x", "-s", "65535", "-e", "trace=network", - tstclnt_bin, "-h", host - ] + TSTCLNT_ARGS, - env={ - "LD_LIBRARY_PATH": ld_libary_path, - }, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - timeout=1, - text=True) - except subprocess.TimeoutExpired: - print("Getting handshake timed out for:", host, file=sys.stderr) - continue - - client_data = bytearray() - server_data = bytearray() - - lines = result.stderr.splitlines() - for line in lines: - sendto = line.startswith("sendto(") - recvfrom = line.startswith("recvfrom(") - - if not (sendto or recvfrom): - continue - - match = re.search(r"(\\x[a-f0-9]{2})+", line) - if match is None: - continue - - data = bytearray.fromhex(match.group(0).replace("\\x", "")) - - # After the initial "Client Hello", each sent/received data - # block can be added accordingly. - if not client_data: - if len(data) > 5 and data[0] == 0x16 and data[5] == 0x01: - client_data = data - - continue - - if sendto: - client_data += data - continue - - assert recvfrom - server_data += data - - if not (client_data and server_data): - print("Failed to get handshake for:", host, file=sys.stderr) - continue - - # The data sent by the client is used as the corpus for the TLS - # server target as it simulates a server receiving client data. - filename = hashlib.sha1(client_data).hexdigest() - with open(os.path.join(args.output, "tls-server-corpus", filename), - "wb") as f: - f.write(client_data) - - # The data sent by the server is used as the corpus for the TLS - # client target as it simulates a client receiving server data. - filename = hashlib.sha1(server_data).hexdigest() - with open(os.path.join(args.output, "tls-client-corpus", filename), - "wb") as f: - f.write(server_data) - - -def main(): - parser = argparse.ArgumentParser() - parser.add_argument("--nss", - required=True, - help="e.g. /path/to/dist/Debug") - parser.add_argument("--hosts", required=True) - parser.add_argument("--threads", required=True, type=int) - parser.add_argument("--output", required=True) - - args = parser.parse_args() - - with open(args.hosts, "r") as f: - hosts = f.read().splitlines() - - os.makedirs(os.path.join(args.output, "client"), exist_ok=True) - os.makedirs(os.path.join(args.output, "server"), exist_ok=True) - - chunks = itertools.batched(hosts, len(hosts) // args.threads) - threads = [] - - while chunk := next(chunks, None): - thread = threading.Thread(target=brrrrr, args=( - chunk, - args, - )) - thread.daemon = True - thread.start() - - threads.append(thread) - - for thread in threads: - thread.join() - - -if __name__ == "__main__": - main() diff --git a/nss/fuzz/config/libfuzzer_options.py b/nss/fuzz/config/libfuzzer_options.py new file mode 100644 index 00000000..712acc91 --- /dev/null +++ b/nss/fuzz/config/libfuzzer_options.py @@ -0,0 +1,19 @@ +#!/usr/bin/env python +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. + +import sys +import toml + + +def main(): + with open(sys.argv[1], "r") as f: + data = toml.load(f) + + for key, value in data["libfuzzer"].items(): + print(f"-{key}={value}") + + +if __name__ == "__main__": + main() diff --git a/nss/fuzz/config/tstclnt_arguments.py b/nss/fuzz/config/tstclnt_arguments.py new file mode 100644 index 00000000..409a8eac --- /dev/null +++ b/nss/fuzz/config/tstclnt_arguments.py @@ -0,0 +1,64 @@ +#!/usr/bin/env python +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. + +import random +import string + +ECH_CONFIGS ="AEX+DQBBcQAgACDh4IuiuhhInUcKZx5uYcehlG9PQ1ZlzhvVZyjJl7dscQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=" + + +def main(): + # Use Encrypted Client Hello with the given Base64-encoded ECHConfigs. + if random.randint(0, 1): + print(f"-N {ECH_CONFIGS}") + + # Configure a TLS 1.3 External PSK with the given hex string for a key. + if random.randint(0, 1): + print(f"-z 0x{''.join(random.choices(string.hexdigits, k=16))}") + + # Enable the session ticket extension. + if random.randint(0, 1): + print("-u") + + # Enable the cert_status extension (OCSP stapling). + if random.randint(0, 1): + print("-T") + + # Enable the signed_certificate_timestamp extension. + if random.randint(0, 1): + print("-U") + + # Enable the delegated credentials extension. + if random.randint(0, 1): + print("-B") + + # Enable the extended master secret extension [RFC7627). + if random.randint(0, 1): + print("-G") + + # Allow 0-RTT data (TLS 1.3 only). + if random.randint(0, 1): + print("-Z") + + # Enable Encrypted Client Hello GREASEing with the given padding size (0-255). + if random.randint(0, 1): + print(f"-i {random.randint(0, 255)}") + + # Enable middlebox compatibility mode (TLS 1.3 only). + if random.randint(0, 1): + print("-e") + + if random.randint(0, 1): + print("--enable-rfc8701-grease") + + if random.randint(0, 1): + print("--enable-ch-extension-permutation") + + if random.randint(0, 1): + print("--zlib-certificate-compression") + + +if __name__ =="__main__": + main() diff --git a/nss/fuzz/fuzz.gyp b/nss/fuzz/fuzz.gyp index 2734d090..1edb5bd5 100644 --- a/nss/fuzz/fuzz.gyp +++ b/nss/fuzz/fuzz.gyp @@ -1,377 +1,14 @@ -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. { 'includes': [ '../coreconf/config.gypi', ], - 'target_defaults': { - 'variables': { - 'debug_optimization_level': '3', - }, - 'cflags_cc': [ - '-Wno-vla-extension', - ], - 'target_conditions': [ - [ '_type=="executable"', { - 'libraries!': [ - '<@(nspr_libs)', - ], - 'libraries': [ - '<(nss_dist_obj_dir)/lib/libplds4.a', - '<(nss_dist_obj_dir)/lib/libnspr4.a', - '<(nss_dist_obj_dir)/lib/libplc4.a', - ], - }], - ], - }, 'targets': [ { - 'target_name': 'fuzz_base', - 'type': 'static_library', - 'sources': [ - 'shared.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/lib/certdb/certdb.gyp:certdb', - '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi', - '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi', - '<(DEPTH)/lib/ssl/ssl.gyp:ssl', - '<(DEPTH)/lib/base/base.gyp:nssb', - '<(DEPTH)/lib/dev/dev.gyp:nssdev', - '<(DEPTH)/lib/pki/pki.gyp:nsspki', - '<(DEPTH)/lib/util/util.gyp:nssutil', - '<(DEPTH)/lib/nss/nss.gyp:nss_static', - '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7', - # This is a static build of pk11wrap, softoken, and freebl. - '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static', - '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix', - ], - 'cflags_cc': [ - '-Wno-error=shadow', - ], - 'conditions': [ - ['fuzz_oss==0', { - 'all_dependent_settings': { - 'libraries': [ - '-fsanitize=fuzzer', - ], - } - }, { - 'all_dependent_settings': { - 'libraries': ['-lFuzzingEngine'], - } - }] - ], - }, - { - 'target_name': 'nssfuzz-mpi-base', + 'target_name': 'fuzz', 'type': 'none', 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'fuzz_base', + '<(DEPTH)/fuzz/targets/targets.gyp:nssfuzz', ], - 'direct_dependent_settings': { - 'include_dirs': [ - '<(DEPTH)/lib/freebl/mpi', - ], - 'sources': [ - 'mpi_helper.cc', - ], - 'conditions': [ - [ 'fuzz_oss==1', { - 'libraries': [ - '/usr/lib/x86_64-linux-gnu/libcrypto.a', - ], - }, { - 'libraries': [ - '-lcrypto', - ], - }], - # For static builds we have to set MPI defines. - [ 'target_arch=="ia32"', { - 'defines': [ - 'MP_USE_UINT_DIGIT', - 'MP_ASSEMBLY_MULTIPLY', - 'MP_ASSEMBLY_SQUARE', - 'MP_ASSEMBLY_DIV_2DX1D', - ], - }], - ], - }, }, - { - 'target_name': 'nssfuzz-pkcs8', - 'type': 'executable', - 'sources': [ - 'asn1_mutators.cc', - 'pkcs8_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'fuzz_base', - ], - }, - { - 'target_name': 'nssfuzz-quickder', - 'type': 'executable', - 'sources': [ - 'asn1_mutators.cc', - 'quickder_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'fuzz_base', - ], - }, - { - 'target_name': 'nssfuzz-certDN', - 'type': 'executable', - 'sources': [ - 'certDN_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'fuzz_base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-add', - 'type': 'executable', - 'sources': [ - 'mpi_add_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-sub', - 'type': 'executable', - 'sources': [ - 'mpi_sub_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-sqr', - 'type': 'executable', - 'sources': [ - 'mpi_sqr_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-div', - 'type': 'executable', - 'sources': [ - 'mpi_div_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-mod', - 'type': 'executable', - 'sources': [ - 'mpi_mod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-sqrmod', - 'type': 'executable', - 'sources': [ - 'mpi_sqrmod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-addmod', - 'type': 'executable', - 'sources': [ - 'mpi_addmod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-submod', - 'type': 'executable', - 'sources': [ - 'mpi_submod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-mulmod', - 'type': 'executable', - 'sources': [ - 'mpi_mulmod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-expmod', - 'type': 'executable', - 'sources': [ - 'mpi_expmod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - }, - { - 'target_name': 'nssfuzz-mpi-invmod', - 'type': 'executable', - 'sources': [ - 'mpi_invmod_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - 'nssfuzz-mpi-base', - ], - 'include_dirs': [ - '<(DEPTH)/lib/freebl', - ], - }, - { - 'target_name': 'nssfuzz-tls-base', - 'type': 'static_library', - 'sources': [ - 'tls_common.cc', - 'tls_mutators.cc', - 'tls_socket.cc', - ], - 'dependencies': [ - '<(DEPTH)/cpputil/cpputil.gyp:cpputil', - '<(DEPTH)/exports.gyp:nss_exports', - 'fuzz_base', - ], - 'include_dirs': [ - '<(DEPTH)/lib/ssl', - ], - 'direct_dependent_settings': { - 'include_dirs': [ - '<(DEPTH)/lib/freebl', - '<(DEPTH)/lib/ssl', - ], - }, - }, - { - 'target_name': 'nssfuzz-tls-client', - 'type': 'executable', - 'sources': [ - 'tls_client_config.cc', - 'tls_client_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/cpputil/cpputil.gyp:cpputil', - 'nssfuzz-tls-base', - ], - }, - { - 'target_name': 'nssfuzz-tls-server', - 'type': 'executable', - 'sources': [ - 'tls_server_certs.cc', - 'tls_server_config.cc', - 'tls_server_target.cc', - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/cpputil/cpputil.gyp:cpputil', - 'nssfuzz-tls-base', - ], - }, - { - 'target_name': 'nssfuzz-dtls-client', - 'type': 'executable', - 'sources': [ - 'tls_client_config.cc', - 'tls_client_target.cc', - ], - 'defines': [ - 'IS_DTLS_FUZZ' - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/cpputil/cpputil.gyp:cpputil', - 'nssfuzz-tls-base', - ], - }, - { - 'target_name': 'nssfuzz-dtls-server', - 'type': 'executable', - 'sources': [ - 'tls_server_certs.cc', - 'tls_server_config.cc', - 'tls_server_target.cc', - ], - 'defines': [ - 'IS_DTLS_FUZZ' - ], - 'dependencies': [ - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/cpputil/cpputil.gyp:cpputil', - 'nssfuzz-tls-base', - ], - }, - { - 'target_name': 'nssfuzz', - 'type': 'none', - 'dependencies': [ - 'nssfuzz-certDN', - 'nssfuzz-dtls-client', - 'nssfuzz-dtls-server', - 'nssfuzz-pkcs8', - 'nssfuzz-quickder', - 'nssfuzz-tls-client', - 'nssfuzz-tls-server', - ], - 'conditions': [ - ['OS=="linux"', { - 'dependencies': [ - 'nssfuzz-mpi-add', - 'nssfuzz-mpi-addmod', - 'nssfuzz-mpi-div', - 'nssfuzz-mpi-expmod', - 'nssfuzz-mpi-invmod', - 'nssfuzz-mpi-mod', - 'nssfuzz-mpi-mulmod', - 'nssfuzz-mpi-sqr', - 'nssfuzz-mpi-sqrmod', - 'nssfuzz-mpi-sub', - 'nssfuzz-mpi-submod', - ], - }], - ], - } - ], + ] } diff --git a/nss/fuzz/mpi_add_target.cc b/nss/fuzz/mpi_add_target.cc deleted file mode 100644 index 3ebad370..00000000 --- a/nss/fuzz/mpi_add_target.cc +++ /dev/null @@ -1,42 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - // Compare with OpenSSL addition - assert(mp_add(&a, &b, &c) == MP_OKAY); - (void)BN_add(C, A, B); - check_equal(C, &c, max_size); - - // Check a + b == a - -b - mp_neg(&b, &b); - assert(mp_sub(&a, &b, &r) == MP_OKAY); - bool eq = mp_cmp(&r, &c) == 0; - if (!eq) { - char rC[max_size], cC[max_size], aC[max_size], bC[max_size]; - mp_tohex(&r, rC); - mp_tohex(&c, cC); - mp_tohex(&a, aC); - mp_tohex(&b, bC); - std::cout << "a = " << std::hex << aC << std::endl; - std::cout << "-b = " << std::hex << bC << std::endl; - std::cout << "a + b = " << std::hex << cC << std::endl; - std::cout << "a - -b = " << std::hex << rC << std::endl; - } - assert(eq); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_addmod_target.cc b/nss/fuzz/mpi_addmod_target.cc deleted file mode 100644 index a7802b62..00000000 --- a/nss/fuzz/mpi_addmod_target.cc +++ /dev/null @@ -1,27 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - auto modulus = get_modulus(data, size, ctx); - // Compare with OpenSSL add mod - m1 = &std::get<1>(modulus); - assert(mp_addmod(&a, &b, m1, &c) == MP_OKAY); - (void)BN_mod_add(C, A, B, std::get<0>(modulus), ctx); - check_equal(C, &c, max_size); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_div_target.cc b/nss/fuzz/mpi_div_target.cc deleted file mode 100644 index 08c714ee..00000000 --- a/nss/fuzz/mpi_div_target.cc +++ /dev/null @@ -1,36 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - // We can't divide by 0. - if (mp_cmp_z(&b) == 0) { - CLEANUP_AND_RETURN - } - - // Compare with OpenSSL division - assert(mp_div(&a, &b, &c, &r) == MP_OKAY); - BN_div(C, R, A, B, ctx); - check_equal(C, &c, max_size); - check_equal(R, &r, max_size); - - // Check c * b + r == a - assert(mp_mul(&c, &b, &c) == MP_OKAY); - assert(mp_add(&c, &r, &c) == MP_OKAY); - assert(mp_cmp(&c, &a) == 0); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_expmod_target.cc b/nss/fuzz/mpi_expmod_target.cc deleted file mode 100644 index b9be5854..00000000 --- a/nss/fuzz/mpi_expmod_target.cc +++ /dev/null @@ -1,36 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - auto modulus = get_modulus(data, size, ctx); - // Compare with OpenSSL exp mod - m1 = &std::get<1>(modulus); - // The exponent b (B) can get really big. Make it smaller if necessary. - if (MP_USED(&b) > 100) { - size_t shift = (MP_USED(&b) - 100) * MP_DIGIT_BIT; - mp_div_2d(&b, shift, &b, nullptr); - BN_rshift(B, B, shift); - } - check_equal(A, &a, max_size); - check_equal(B, &b, max_size); - check_equal(std::get<0>(modulus), m1, 3 * max_size); - assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY); - (void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx); - check_equal(C, &c, 2 * max_size); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_helper.cc b/nss/fuzz/mpi_helper.cc deleted file mode 100644 index d092fdb1..00000000 --- a/nss/fuzz/mpi_helper.cc +++ /dev/null @@ -1,106 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* Helper functions for MPI fuzzing targets. */ - -#include "mpi_helper.h" -#include -#include - -char *to_char(const uint8_t *x) { - return reinterpret_cast(const_cast(x)); -} - -void print_bn(std::string label, BIGNUM *x) { - char *xc = BN_bn2hex(x); - std::cout << label << ": " << std::hex << xc << std::endl; - OPENSSL_free(xc); -} - -// Check that the two numbers are equal. -void check_equal(BIGNUM *b, mp_int *m, size_t max_size) { - char *bnBc = BN_bn2hex(b); - char mpiMc[max_size]; - mp_tohex(m, mpiMc); - std::string bnA(bnBc); - std::string mpiA(mpiMc); - OPENSSL_free(bnBc); - // We have to strip leading zeros from bignums, ignoring the sign. - if (bnA.at(0) != '-') { - bnA.erase(0, std::min(bnA.find_first_not_of('0'), bnA.size() - 1)); - } else if (bnA.at(1) == '0') { - bnA.erase(1, std::min(bnA.find_first_not_of('0', 1) - 1, bnA.size() - 1)); - } - - if (mpiA != bnA) { - std::cout << "openssl: " << std::hex << bnA << std::endl; - std::cout << "nss: " << std::hex << mpiA << std::endl; - } - - assert(mpiA == bnA); -} - -// Parse data into two numbers for MPI and OpenSSL Bignum. -void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B, - mp_int *a, mp_int *b) { - // Note that b might overlap a. - size_t len = (size_t)size / 2; - assert(mp_read_raw(a, to_char(data), len) == MP_OKAY); - assert(mp_read_raw(b, to_char(data) + len, len) == MP_OKAY); - // Force a positive sign. - // TODO: add tests for negatives. - MP_SIGN(a) = MP_ZPOS; - MP_SIGN(b) = MP_ZPOS; - - // Skip the first byte as it's interpreted as sign by NSS. - assert(BN_bin2bn(data + 1, len - 1, A) != nullptr); - assert(BN_bin2bn(data + len + 1, len - 1, B) != nullptr); - - check_equal(A, a, 2 * size + 1); - check_equal(B, b, 2 * size + 1); -} - -// Parse data into a number for MPI and OpenSSL Bignum. -void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a) { - assert(mp_read_raw(a, to_char(data), size) == MP_OKAY); - - // Force a positive sign. - // TODO: add tests for negatives. - MP_SIGN(a) = MP_ZPOS; - - // Skip the first byte as it's interpreted as sign by NSS. - assert(BN_bin2bn(data + 1, size - 1, A) != nullptr); - - check_equal(A, a, 4 * size + 1); -} - -// Take a chunk in the middle of data and use it as modulus. -std::tuple get_modulus(const uint8_t *data, size_t size, - BN_CTX *ctx) { - BIGNUM *r1 = BN_CTX_get(ctx); - mp_int r2; - assert(mp_init(&r2) == MP_OKAY); - - size_t len = static_cast(size / 4); - if (len != 0) { - assert(mp_read_raw(&r2, to_char(data + len), len) == MP_OKAY); - MP_SIGN(&r2) = MP_ZPOS; - - assert(BN_bin2bn(data + len + 1, len - 1, r1) != nullptr); - check_equal(r1, &r2, 2 * len + 1); - } - - // If we happen to get 0 for the modulus, take a random number. - if (mp_cmp_z(&r2) == 0 || len == 0) { - mp_zero(&r2); - BN_zero(r1); - std::mt19937 rng(data[0]); - std::uniform_int_distribution dist(1, MP_DIGIT_MAX); - mp_digit x = dist(rng); - mp_add_d(&r2, x, &r2); - BN_add_word(r1, x); - } - - return std::make_tuple(r1, r2); -} diff --git a/nss/fuzz/mpi_helper.h b/nss/fuzz/mpi_helper.h deleted file mode 100644 index ef7041b2..00000000 --- a/nss/fuzz/mpi_helper.h +++ /dev/null @@ -1,87 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* Helper functions for MPI fuzzing targets. */ - -#ifndef mpi_helper_h__ -#define mpi_helper_h__ - -#include -#include -#include -#include - -#include "hasht.h" -#include "mpi.h" - -#include - -void check_equal(BIGNUM *b, mp_int *m, size_t max_size); -void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B, - mp_int *a, mp_int *b); -void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a); -std::tuple get_modulus(const uint8_t *data, size_t size, - BN_CTX *ctx); -void print_bn(std::string label, BIGNUM *x); - -// Initialise MPI and BN variables -// XXX: Also silence unused variable warnings for R. -#define INIT_FOUR_NUMBERS \ - mp_int a, b, c, r; \ - mp_int *m1 = nullptr; \ - BN_CTX *ctx = BN_CTX_new(); \ - BN_CTX_start(ctx); \ - BIGNUM *A = BN_CTX_get(ctx); \ - BIGNUM *B = BN_CTX_get(ctx); \ - BIGNUM *C = BN_CTX_get(ctx); \ - BIGNUM *R = BN_CTX_get(ctx); \ - assert(mp_init(&a) == MP_OKAY); \ - assert(mp_init(&b) == MP_OKAY); \ - assert(mp_init(&c) == MP_OKAY); \ - assert(mp_init(&r) == MP_OKAY); \ - size_t max_size = 2 * size + 1; \ - parse_input(data, size, A, B, &a, &b); \ - do { \ - (void)(R); \ - } while (0); - -// Initialise MPI and BN variables -// XXX: Also silence unused variable warnings for B. -#define INIT_THREE_NUMBERS \ - mp_int a, b, c; \ - BN_CTX *ctx = BN_CTX_new(); \ - BN_CTX_start(ctx); \ - BIGNUM *A = BN_CTX_get(ctx); \ - BIGNUM *B = BN_CTX_get(ctx); \ - BIGNUM *C = BN_CTX_get(ctx); \ - assert(mp_init(&a) == MP_OKAY); \ - assert(mp_init(&b) == MP_OKAY); \ - assert(mp_init(&c) == MP_OKAY); \ - size_t max_size = 4 * size + 1; \ - parse_input(data, size, A, &a); \ - do { \ - (void)(B); \ - } while (0); - -#define CLEANUP_AND_RETURN \ - mp_clear(&a); \ - mp_clear(&b); \ - mp_clear(&c); \ - mp_clear(&r); \ - if (m1) { \ - mp_clear(m1); \ - } \ - BN_CTX_end(ctx); \ - BN_CTX_free(ctx); \ - return 0; - -#define CLEANUP_AND_RETURN_THREE \ - mp_clear(&a); \ - mp_clear(&b); \ - mp_clear(&c); \ - BN_CTX_end(ctx); \ - BN_CTX_free(ctx); \ - return 0; - -#endif // mpi_helper_h__ diff --git a/nss/fuzz/mpi_invmod_target.cc b/nss/fuzz/mpi_invmod_target.cc deleted file mode 100644 index 6480d543..00000000 --- a/nss/fuzz/mpi_invmod_target.cc +++ /dev/null @@ -1,69 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" -#include "mpprime.h" - -#include - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 4 to get everything we need from data. - if (size < 4) { - return 0; - } - - INIT_THREE_NUMBERS - - // Make a prime of length size. - int count = 0; - mp_err res = MP_NO; - // mpp_make_prime is so slow :( use something smaller than size. - int primeLen = std::max(static_cast(size / 4), 3); - uint8_t bp[primeLen]; - memcpy(bp, data, primeLen); - do { - bp[0] |= 0x80; /* set high-order bit */ - bp[primeLen - 1] |= 0x01; /* set low-order bit */ - ++count; - assert(mp_read_unsigned_octets(&b, bp, primeLen) == MP_OKAY); - } while ((res = mpp_make_prime(&b, primeLen * 8, PR_FALSE)) != MP_YES && - count < 10); - if (res != MP_YES) { - return 0; - } - - // Use the same prime in OpenSSL B - char tmp[max_size]; - mp_toradix(&b, tmp, 16); - int tmpLen; - assert((tmpLen = BN_hex2bn(&B, tmp)) != 0); - - // Compare with OpenSSL invmod - res = mp_invmod(&a, &b, &c); - BIGNUM *X = BN_mod_inverse(C, A, B, ctx); - if (res != MP_OKAY) { - // In case we couldn't compute the inverse, OpenSSL shouldn't be able to - // either. - assert(X == nullptr); - } else { - check_equal(C, &c, max_size); - - // Check a * c mod b == 1 - assert(mp_mulmod(&a, &c, &b, &c) == MP_OKAY); - bool eq = mp_cmp_d(&c, 1) == 0; - if (!eq) { - char cC[max_size]; - mp_tohex(&c, cC); - std::cout << "c = " << std::hex << cC << std::endl; - } - assert(eq); - } - - CLEANUP_AND_RETURN_THREE -} diff --git a/nss/fuzz/mpi_mod_target.cc b/nss/fuzz/mpi_mod_target.cc deleted file mode 100644 index 85c883fa..00000000 --- a/nss/fuzz/mpi_mod_target.cc +++ /dev/null @@ -1,36 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - // We can't divide by 0. - if (mp_cmp_z(&b) == 0) { - CLEANUP_AND_RETURN - } - - // Compare with OpenSSL mod - assert(mp_mod(&a, &b, &c) == MP_OKAY); - (void)BN_mod(C, A, B, ctx); - check_equal(C, &c, max_size); - - // Check a mod b = a - floor(a / b) * b - assert(mp_div(&a, &b, &r, nullptr) == MP_OKAY); - assert(mp_mul(&r, &b, &r) == MP_OKAY); - assert(mp_sub(&a, &r, &r) == MP_OKAY); - assert(mp_cmp(&c, &r) == 0); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_mulmod_target.cc b/nss/fuzz/mpi_mulmod_target.cc deleted file mode 100644 index 75585e2d..00000000 --- a/nss/fuzz/mpi_mulmod_target.cc +++ /dev/null @@ -1,27 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - auto modulus = get_modulus(data, size, ctx); - // Compare with OpenSSL mul mod - m1 = &std::get<1>(modulus); - assert(mp_mulmod(&a, &b, m1, &c) == MP_OKAY); - (void)BN_mod_mul(C, A, B, std::get<0>(modulus), ctx); - check_equal(C, &c, max_size); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_sqr_target.cc b/nss/fuzz/mpi_sqr_target.cc deleted file mode 100644 index b404d624..00000000 --- a/nss/fuzz/mpi_sqr_target.cc +++ /dev/null @@ -1,40 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 2 to get an integers from Data. - if (size < 2) { - return 0; - } - - INIT_THREE_NUMBERS - - // Compare with OpenSSL sqr - assert(mp_sqr(&a, &c) == MP_OKAY); - (void)BN_sqr(C, A, ctx); - check_equal(C, &c, max_size); - - // Check a * a == a**2 - assert(mp_mul(&a, &a, &b) == MP_OKAY); - bool eq = mp_cmp(&b, &c) == 0; - if (!eq) { - char rC[max_size], cC[max_size], aC[max_size]; - mp_tohex(&b, rC); - mp_tohex(&c, cC); - mp_tohex(&a, aC); - std::cout << "a = " << std::hex << aC << std::endl; - std::cout << "a * a = " << std::hex << cC << std::endl; - std::cout << "a ** 2 = " << std::hex << rC << std::endl; - } - assert(eq); - - CLEANUP_AND_RETURN_THREE -} diff --git a/nss/fuzz/mpi_sqrmod_target.cc b/nss/fuzz/mpi_sqrmod_target.cc deleted file mode 100644 index ca403b57..00000000 --- a/nss/fuzz/mpi_sqrmod_target.cc +++ /dev/null @@ -1,36 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - - INIT_THREE_NUMBERS - - // We can't divide by 0. - if (mp_cmp_z(&b) == 0) { - mp_clear(&a); - mp_clear(&b); - mp_clear(&c); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return 0; - } - - // Compare with OpenSSL square mod - assert(mp_sqrmod(&a, &b, &c) == MP_OKAY); - (void)BN_mod_sqr(C, A, B, ctx); - check_equal(C, &c, max_size); - - CLEANUP_AND_RETURN_THREE -} diff --git a/nss/fuzz/mpi_sub_target.cc b/nss/fuzz/mpi_sub_target.cc deleted file mode 100644 index da20d74d..00000000 --- a/nss/fuzz/mpi_sub_target.cc +++ /dev/null @@ -1,42 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - // Compare with OpenSSL subtraction - assert(mp_sub(&a, &b, &c) == MP_OKAY); - (void)BN_sub(C, A, B); - check_equal(C, &c, max_size); - - // Check a - b == a + -b - mp_neg(&b, &b); - assert(mp_add(&a, &b, &r) == MP_OKAY); - bool eq = mp_cmp(&r, &c) == 0; - if (!eq) { - char rC[max_size], cC[max_size], aC[max_size], bC[max_size]; - mp_tohex(&r, rC); - mp_tohex(&c, cC); - mp_tohex(&a, aC); - mp_tohex(&b, bC); - std::cout << "a = " << std::hex << aC << std::endl; - std::cout << "-b = " << std::hex << bC << std::endl; - std::cout << "a - b = " << std::hex << cC << std::endl; - std::cout << "a + -b = " << std::hex << rC << std::endl; - } - assert(eq); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/mpi_submod_target.cc b/nss/fuzz/mpi_submod_target.cc deleted file mode 100644 index 26b2c532..00000000 --- a/nss/fuzz/mpi_submod_target.cc +++ /dev/null @@ -1,27 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -/* - * This target fuzzes NSS mpi against openssl bignum. - * It therefore requires openssl to be installed. - */ - -#include "mpi_helper.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { - // We require at least size 3 to get two integers from Data. - if (size < 3) { - return 0; - } - INIT_FOUR_NUMBERS - - auto modulus = get_modulus(data, size, ctx); - // Compare with OpenSSL sub mod - m1 = &std::get<1>(modulus); - assert(mp_submod(&a, &b, m1, &c) == MP_OKAY); - (void)BN_mod_sub(C, A, B, std::get<0>(modulus), ctx); - check_equal(C, &c, 2 * max_size); - - CLEANUP_AND_RETURN -} diff --git a/nss/fuzz/options/asn1.options b/nss/fuzz/options/asn1.options new file mode 100644 index 00000000..c23a03e4 --- /dev/null +++ b/nss/fuzz/options/asn1.options @@ -0,0 +1,3 @@ +[libfuzzer] +len_control = 100 +max_len = 16777215 diff --git a/nss/fuzz/options/certDN.options b/nss/fuzz/options/certDN.options index 635be52a..9fda93fc 100644 --- a/nss/fuzz/options/certDN.options +++ b/nss/fuzz/options/certDN.options @@ -1,3 +1,2 @@ [libfuzzer] max_len = 4096 - diff --git a/nss/fuzz/options/dtls-client-no_fuzzer_mode.options b/nss/fuzz/options/dtls-client-no_fuzzer_mode.options index 29e5ba71..c23a03e4 100644 --- a/nss/fuzz/options/dtls-client-no_fuzzer_mode.options +++ b/nss/fuzz/options/dtls-client-no_fuzzer_mode.options @@ -1,3 +1,3 @@ [libfuzzer] +len_control = 100 max_len = 16777215 - diff --git a/nss/fuzz/options/dtls-client.options b/nss/fuzz/options/dtls-client.options index 29e5ba71..c23a03e4 100644 --- a/nss/fuzz/options/dtls-client.options +++ b/nss/fuzz/options/dtls-client.options @@ -1,3 +1,3 @@ [libfuzzer] +len_control = 100 max_len = 16777215 - diff --git a/nss/fuzz/options/dtls-server-no_fuzzer_mode.options b/nss/fuzz/options/dtls-server-no_fuzzer_mode.options index 29e5ba71..c23a03e4 100644 --- a/nss/fuzz/options/dtls-server-no_fuzzer_mode.options +++ b/nss/fuzz/options/dtls-server-no_fuzzer_mode.options @@ -1,3 +1,3 @@ [libfuzzer] +len_control = 100 max_len = 16777215 - diff --git a/nss/fuzz/options/dtls-server.options b/nss/fuzz/options/dtls-server.options index 29e5ba71..c23a03e4 100644 --- a/nss/fuzz/options/dtls-server.options +++ b/nss/fuzz/options/dtls-server.options @@ -1,3 +1,3 @@ [libfuzzer] +len_control = 100 max_len = 16777215 - diff --git a/nss/fuzz/options/mpi-add.options b/nss/fuzz/options/mpi-add.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-add.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-addmod.options b/nss/fuzz/options/mpi-addmod.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-addmod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-div.options b/nss/fuzz/options/mpi-div.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-div.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-expmod.options b/nss/fuzz/options/mpi-expmod.options deleted file mode 100644 index 98fcc343..00000000 --- a/nss/fuzz/options/mpi-expmod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 1024 - diff --git a/nss/fuzz/options/mpi-invmod.options b/nss/fuzz/options/mpi-invmod.options deleted file mode 100644 index a38c2fe3..00000000 --- a/nss/fuzz/options/mpi-invmod.options +++ /dev/null @@ -1,2 +0,0 @@ -[libfuzzer] -max_len = 256 diff --git a/nss/fuzz/options/mpi-mod.options b/nss/fuzz/options/mpi-mod.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-mod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-mulmod.options b/nss/fuzz/options/mpi-mulmod.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-mulmod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-sqr.options b/nss/fuzz/options/mpi-sqr.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-sqr.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-sqrmod.options b/nss/fuzz/options/mpi-sqrmod.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-sqrmod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-sub.options b/nss/fuzz/options/mpi-sub.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-sub.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/mpi-submod.options b/nss/fuzz/options/mpi-submod.options deleted file mode 100644 index fd32ac16..00000000 --- a/nss/fuzz/options/mpi-submod.options +++ /dev/null @@ -1,3 +0,0 @@ -[libfuzzer] -max_len = 2048 - diff --git a/nss/fuzz/options/pkcs12.options b/nss/fuzz/options/pkcs12.options new file mode 100644 index 00000000..3c7b1142 --- /dev/null +++ b/nss/fuzz/options/pkcs12.options @@ -0,0 +1,4 @@ +[libfuzzer] +len_control = 100 +max_len = 16777215 +rss_limit_mb = 4096 diff --git a/nss/fuzz/options/pkcs7.options b/nss/fuzz/options/pkcs7.options new file mode 100644 index 00000000..c23a03e4 --- /dev/null +++ b/nss/fuzz/options/pkcs7.options @@ -0,0 +1,3 @@ +[libfuzzer] +len_control = 100 +max_len = 16777215 diff --git a/nss/fuzz/options/pkcs8.options b/nss/fuzz/options/pkcs8.options new file mode 100644 index 00000000..c23a03e4 --- /dev/null +++ b/nss/fuzz/options/pkcs8.options @@ -0,0 +1,3 @@ +[libfuzzer] +len_control = 100 +max_len = 16777215 diff --git a/nss/fuzz/options/quickder.options b/nss/fuzz/options/quickder.options index 29e5ba71..e92c66e1 100644 --- a/nss/fuzz/options/quickder.options +++ b/nss/fuzz/options/quickder.options @@ -1,3 +1,4 @@ [libfuzzer] +len_control = 100 max_len = 16777215 diff --git a/nss/fuzz/options/smime.options b/nss/fuzz/options/smime.options new file mode 100644 index 00000000..3c7b1142 --- /dev/null +++ b/nss/fuzz/options/smime.options @@ -0,0 +1,4 @@ +[libfuzzer] +len_control = 100 +max_len = 16777215 +rss_limit_mb = 4096 diff --git a/nss/fuzz/options/tls-client-no_fuzzer_mode.options b/nss/fuzz/options/tls-client-no_fuzzer_mode.options index 29e5ba71..e92c66e1 100644 --- a/nss/fuzz/options/tls-client-no_fuzzer_mode.options +++ b/nss/fuzz/options/tls-client-no_fuzzer_mode.options @@ -1,3 +1,4 @@ [libfuzzer] +len_control = 100 max_len = 16777215 diff --git a/nss/fuzz/options/tls-client.options b/nss/fuzz/options/tls-client.options index 29e5ba71..e92c66e1 100644 --- a/nss/fuzz/options/tls-client.options +++ b/nss/fuzz/options/tls-client.options @@ -1,3 +1,4 @@ [libfuzzer] +len_control = 100 max_len = 16777215 diff --git a/nss/fuzz/options/tls-server-no_fuzzer_mode.options b/nss/fuzz/options/tls-server-no_fuzzer_mode.options index 29e5ba71..e92c66e1 100644 --- a/nss/fuzz/options/tls-server-no_fuzzer_mode.options +++ b/nss/fuzz/options/tls-server-no_fuzzer_mode.options @@ -1,3 +1,4 @@ [libfuzzer] +len_control = 100 max_len = 16777215 diff --git a/nss/fuzz/options/tls-server.options b/nss/fuzz/options/tls-server.options index 29e5ba71..e92c66e1 100644 --- a/nss/fuzz/options/tls-server.options +++ b/nss/fuzz/options/tls-server.options @@ -1,3 +1,4 @@ [libfuzzer] +len_control = 100 max_len = 16777215 diff --git a/nss/fuzz/pkcs8_target.cc b/nss/fuzz/pkcs8_target.cc deleted file mode 100644 index 6ce6f6d0..00000000 --- a/nss/fuzz/pkcs8_target.cc +++ /dev/null @@ -1,39 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include -#include - -#include "keyhi.h" -#include "pk11pub.h" - -#include "asn1_mutators.h" -#include "shared.h" - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - SECItem data = {siBuffer, (unsigned char *)Data, (unsigned int)Size}; - - static std::unique_ptr db(new NSSDatabase()); - assert(db != nullptr); - - PK11SlotInfo *slot = PK11_GetInternalSlot(); - assert(slot != nullptr); - - SECKEYPrivateKey *key = nullptr; - if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot, &data, nullptr, nullptr, - false, false, KU_ALL, &key, - nullptr) == SECSuccess) { - SECKEY_DestroyPrivateKey(key); - } - - PK11_FreeSlot(slot); - return 0; -} - -extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, - size_t max_size, unsigned int seed) { - return CustomMutate( - Mutators({ASN1MutatorFlipConstructed, ASN1MutatorChangeType}), data, size, - max_size, seed); -} diff --git a/nss/fuzz/targets/asn1.cc b/nss/fuzz/targets/asn1.cc new file mode 100644 index 00000000..556f10ca --- /dev/null +++ b/nss/fuzz/targets/asn1.cc @@ -0,0 +1,91 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include + +#include "certt.h" +#include "keythi.h" +#include "secasn1.h" +#include "secdert.h" + +#include "asn1/mutators.h" +#include "base/mutate.h" + +const SEC_ASN1Template *templates[] = {CERT_AttributeTemplate, + CERT_CertExtensionTemplate, + CERT_CertificateRequestTemplate, + CERT_CertificateTemplate, + CERT_IssuerAndSNTemplate, + CERT_NameTemplate, + CERT_PublicKeyAndChallengeTemplate, + CERT_RDNTemplate, + CERT_SequenceOfCertExtensionTemplate, + CERT_SetOfAttributeTemplate, + CERT_SignedDataTemplate, + CERT_SubjectPublicKeyInfoTemplate, + CERT_TimeChoiceTemplate, + CERT_ValidityTemplate, + SEC_AnyTemplate, + SEC_BitStringTemplate, + SEC_BMPStringTemplate, + SEC_BooleanTemplate, + SEC_CertSequenceTemplate, + SEC_EnumeratedTemplate, + SEC_GeneralizedTimeTemplate, + SEC_IA5StringTemplate, + SEC_IntegerTemplate, + SEC_NullTemplate, + SEC_ObjectIDTemplate, + SEC_OctetStringTemplate, + SEC_PointerToAnyTemplate, + SEC_PointerToEnumeratedTemplate, + SEC_PointerToGeneralizedTimeTemplate, + SEC_PointerToOctetStringTemplate, + SEC_PrintableStringTemplate, + SEC_SetOfAnyTemplate, + SEC_SetOfEnumeratedTemplate, + SEC_SequenceOfAnyTemplate, + SEC_SequenceOfObjectIDTemplate, + SEC_SignedCertificateTemplate, + SEC_SkipTemplate, + SEC_T61StringTemplate, + SEC_UniversalStringTemplate, + SEC_UTCTimeTemplate, + SEC_UTF8StringTemplate, + SEC_VisibleStringTemplate, + SECKEY_DHParamKeyTemplate, + SECKEY_DHPublicKeyTemplate, + SECKEY_DSAPrivateKeyExportTemplate, + SECKEY_DSAPublicKeyTemplate, + SECKEY_PQGParamsTemplate, + SECKEY_PrivateKeyInfoTemplate, + SECKEY_RSAPSSParamsTemplate, + SECKEY_RSAPublicKeyTemplate, + SECOID_AlgorithmIDTemplate}; + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static char *dest[2048]; + + PORTCheapArenaPool pool; + PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE); + + for (auto tpl : templates) { + memset(dest, 0, sizeof(dest)); + + SECItem buf = {siBuffer, (unsigned char *)data, (unsigned int)size}; + (void)SEC_ASN1DecodeItem(&pool.arena, dest, tpl, &buf); + } + + PORT_DestroyCheapArena(&pool); + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, + size_t max_size, unsigned int seed) { + return CustomMutate( + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, max_size, seed); +} diff --git a/nss/fuzz/certDN_target.cc b/nss/fuzz/targets/certDN.cc similarity index 94% rename from nss/fuzz/certDN_target.cc rename to nss/fuzz/targets/certDN.cc index 37e1361c..0a99cfe8 100644 --- a/nss/fuzz/certDN_target.cc +++ b/nss/fuzz/targets/certDN.cc @@ -19,6 +19,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { CERTName* certName = CERT_AsciiToName(name.c_str()); if (certName) { char* out; + TEST_FUNCTION(CERT_FormatName) TEST_FUNCTION(CERT_NameToAscii) TEST_FUNCTION(CERT_GetCertEmailAddress) @@ -39,6 +40,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { free(out); out = CERT_NameToAsciiInvertible(certName, CERT_N2A_INVERTIBLE); free(out); + + (void)CERT_CompareName(certName, certName); } CERT_DestroyName(certName); diff --git a/nss/fuzz/targets/lib/asn1/asn1.gyp b/nss/fuzz/targets/lib/asn1/asn1.gyp new file mode 100644 index 00000000..a71aed74 --- /dev/null +++ b/nss/fuzz/targets/lib/asn1/asn1.gyp @@ -0,0 +1,17 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../../coreconf/config.gypi', + ], + 'targets': [ + { + 'target_name': 'asn1', + 'type': 'static_library', + 'sources': [ + 'mutators.cc', + ], + } + ], +} diff --git a/nss/fuzz/asn1_mutators.cc b/nss/fuzz/targets/lib/asn1/mutators.cc similarity index 60% rename from nss/fuzz/asn1_mutators.cc rename to nss/fuzz/targets/lib/asn1/mutators.cc index 12d8c372..6b709e13 100644 --- a/nss/fuzz/asn1_mutators.cc +++ b/nss/fuzz/targets/lib/asn1/mutators.cc @@ -2,57 +2,56 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include -#include +#include "mutators.h" + +#include +#include #include #include -#include "asn1_mutators.h" - -using namespace std; - -static tuple ParseItem(uint8_t *Data, size_t MaxLength) { +static std::tuple ParseItem(uint8_t *data, + size_t maxLength) { // Short form. Bit 8 has value "0" and bits 7-1 give the length. - if ((Data[1] & 0x80) == 0) { - size_t length = min(static_cast(Data[1]), MaxLength - 2); - return make_tuple(&Data[2], length); + if ((data[1] & 0x80) == 0) { + size_t length = std::min(static_cast(data[1]), maxLength - 2); + return std::make_tuple(&data[2], length); } // Constructed, indefinite length. Read until {0x00, 0x00}. - if (Data[1] == 0x80) { - void *offset = memmem(&Data[2], MaxLength - 2, "\0", 2); - size_t length = offset ? (static_cast(offset) - &Data[2]) + 2 - : MaxLength - 2; - return make_tuple(&Data[2], length); + if (data[1] == 0x80) { + void *offset = memmem(&data[2], maxLength - 2, "\0", 2); + size_t length = offset ? (static_cast(offset) - &data[2]) + 2 + : maxLength - 2; + return std::make_tuple(&data[2], length); } // Long form. Two to 127 octets. Bit 8 of first octet has value "1" // and bits 7-1 give the number of additional length octets. - size_t octets = min(static_cast(Data[1] & 0x7f), MaxLength - 2); + size_t octets = std::min(static_cast(data[1] & 0x7f), maxLength - 2); // Handle lengths bigger than 32 bits. if (octets > 4) { // Ignore any further children, assign remaining length. - return make_tuple(&Data[2] + octets, MaxLength - 2 - octets); + return std::make_tuple(&data[2] + octets, maxLength - 2 - octets); } // Parse the length. size_t length = 0; for (size_t j = 0; j < octets; j++) { - length = (length << 8) | Data[2 + j]; + length = (length << 8) | data[2 + j]; } - length = min(length, MaxLength - 2 - octets); - return make_tuple(&Data[2] + octets, length); + length = std::min(length, maxLength - 2 - octets); + return std::make_tuple(&data[2] + octets, length); } -static vector ParseItems(uint8_t *Data, size_t Size) { - vector items; - vector lengths; +static std::vector ParseItems(uint8_t *data, size_t size) { + std::vector items; + std::vector lengths; // The first item is always the whole corpus. - items.push_back(Data); - lengths.push_back(Size); + items.push_back(data); + lengths.push_back(size); // Can't use iterators here because the `items` vector is modified inside the // loop. That's safe as long as we always check `items.size()` before every @@ -71,7 +70,7 @@ static vector ParseItems(uint8_t *Data, size_t Size) { uint8_t *content; size_t length; - tie(content, length) = ParseItem(item, remaining); + std::tie(content, length) = ParseItem(item, remaining); if (length > 0) { // Record the item. @@ -92,25 +91,27 @@ static vector ParseItems(uint8_t *Data, size_t Size) { return items; } -size_t ASN1MutatorFlipConstructed(uint8_t *Data, size_t Size, size_t MaxSize, - unsigned int Seed) { - auto items = ParseItems(Data, Size); +namespace ASN1Mutators { - std::mt19937 rng(Seed); +size_t FlipConstructed(uint8_t *data, size_t size, size_t maxSize, + unsigned int seed) { + auto items = ParseItems(data, size); + + std::mt19937 rng(seed); std::uniform_int_distribution dist(0, items.size() - 1); uint8_t *item = items.at(dist(rng)); // Flip "constructed" type bit. item[0] ^= 0x20; - return Size; + return size; } -size_t ASN1MutatorChangeType(uint8_t *Data, size_t Size, size_t MaxSize, - unsigned int Seed) { - auto items = ParseItems(Data, Size); +size_t ChangeType(uint8_t *data, size_t size, size_t maxSize, + unsigned int seed) { + auto items = ParseItems(data, size); - std::mt19937 rng(Seed); + std::mt19937 rng(seed); std::uniform_int_distribution dist(0, items.size() - 1); uint8_t *item = items.at(dist(rng)); @@ -118,5 +119,7 @@ size_t ASN1MutatorChangeType(uint8_t *Data, size_t Size, size_t MaxSize, static std::uniform_int_distribution tdist(0, 30); item[0] = tdist(rng); - return Size; + return size; } + +} // namespace ASN1Mutators diff --git a/nss/fuzz/targets/lib/asn1/mutators.h b/nss/fuzz/targets/lib/asn1/mutators.h new file mode 100644 index 00000000..79f8240b --- /dev/null +++ b/nss/fuzz/targets/lib/asn1/mutators.h @@ -0,0 +1,20 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef ASN1_MUTATORS_H_ +#define ASN1_MUTATORS_H_ + +#include +#include + +namespace ASN1Mutators { + +size_t FlipConstructed(uint8_t *data, size_t size, size_t maxSize, + unsigned int seed); +size_t ChangeType(uint8_t *data, size_t size, size_t maxSize, + unsigned int seed); + +} // namespace ASN1Mutators + +#endif // ASN1_MUTATORS_H_ diff --git a/nss/fuzz/targets/lib/base/base.gyp b/nss/fuzz/targets/lib/base/base.gyp new file mode 100644 index 00000000..0b3f5a3e --- /dev/null +++ b/nss/fuzz/targets/lib/base/base.gyp @@ -0,0 +1,17 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../../coreconf/config.gypi', + ], + 'targets': [ + { + 'target_name': 'base', + 'type': 'static_library', + 'sources': [ + 'mutate.cc', + ], + } + ], +} diff --git a/nss/fuzz/targets/lib/base/database.h b/nss/fuzz/targets/lib/base/database.h new file mode 100644 index 00000000..c7836934 --- /dev/null +++ b/nss/fuzz/targets/lib/base/database.h @@ -0,0 +1,19 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef BASE_DATABASE_H_ +#define BASE_DATABASE_H_ + +#include + +#include "nss.h" + +// TODO(mdauer): Add constructor for initializing with DB. +class NSSDatabase { + public: + NSSDatabase() { assert(NSS_NoDB_Init(nullptr) == SECSuccess); } + ~NSSDatabase() { assert(NSS_Shutdown() == SECSuccess); } +}; + +#endif // BASE_DATABASE_H_ diff --git a/nss/fuzz/shared.cc b/nss/fuzz/targets/lib/base/mutate.cc similarity index 72% rename from nss/fuzz/shared.cc rename to nss/fuzz/targets/lib/base/mutate.cc index 3ff3dcf5..5e961946 100644 --- a/nss/fuzz/shared.cc +++ b/nss/fuzz/targets/lib/base/mutate.cc @@ -2,21 +2,21 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "shared.h" +#include "mutate.h" #include #include #include size_t CustomMutate(Mutators mutators, uint8_t* data, size_t size, - size_t max_size, unsigned int seed) { + size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); static std::bernoulli_distribution bdist; if (bdist(rng)) { std::uniform_int_distribution idist(0, mutators.size() - 1); - return mutators.at(idist(rng))(data, size, max_size, seed); + return mutators.at(idist(rng))(data, size, maxSize, seed); } - return LLVMFuzzerMutate(data, size, max_size); + return LLVMFuzzerMutate(data, size, maxSize); } diff --git a/nss/fuzz/shared.h b/nss/fuzz/targets/lib/base/mutate.h similarity index 65% rename from nss/fuzz/shared.h rename to nss/fuzz/targets/lib/base/mutate.h index 2f196788..30e63d26 100644 --- a/nss/fuzz/shared.h +++ b/nss/fuzz/targets/lib/base/mutate.h @@ -1,32 +1,21 @@ -/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ -/* vim: set ts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ -#ifndef SHARED_H_ -#define SHARED_H_ +#ifndef BASE_MUTATE_H_ +#define BASE_MUTATE_H_ -#include #include #include #include -#include "nss.h" - extern "C" size_t LLVMFuzzerMutate(uint8_t* data, size_t size, size_t maxSize); extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, size_t maxSize, unsigned int seed); -class NSSDatabase { - public: - NSSDatabase() { assert(NSS_NoDB_Init(nullptr) == SECSuccess); } - ~NSSDatabase() { assert(NSS_Shutdown() == SECSuccess); } -}; - typedef std::vector Mutators; size_t CustomMutate(Mutators mutators, uint8_t* data, size_t size, size_t maxSize, unsigned int seed); -#endif // SHARED_H_ +#endif // BASE_MUTATE_H_ diff --git a/nss/fuzz/targets/lib/tls/client_config.cc b/nss/fuzz/targets/lib/tls/client_config.cc new file mode 100644 index 00000000..94c5d2bb --- /dev/null +++ b/nss/fuzz/targets/lib/tls/client_config.cc @@ -0,0 +1,262 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "client_config.h" + +#include +#include +#include + +#include "nss_scoped_ptrs.h" +#include "nssb64.h" +#include "prio.h" +#include "prtypes.h" +#include "seccomon.h" +#include "ssl.h" +#include "sslexp.h" + +#include "common.h" + +const SSLCertificateCompressionAlgorithm kCompressionAlg = { + 0x1337, "fuzz", TlsCommon::DummyCompressionEncode, + TlsCommon::DummyCompressionDecode}; +const PRUint8 kPskIdentity[] = "fuzz-psk-identity"; +#ifndef IS_DTLS_FUZZ +const char kEchConfigs[] = + "AEX+" + "DQBBcQAgACDh4IuiuhhInUcKZx5uYcehlG9PQ1ZlzhvVZyjJl7dscQAEAAEAAQASY2xvdWRmbG" + "FyZS1lY2guY29tAAA="; +#endif // IS_DTLS_FUZZ + +static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checksig, + PRBool isServer) { + assert(!isServer); + + auto config = reinterpret_cast(arg); + if (config->FailCertificateAuthentication()) return SECFailure; + + return SECSuccess; +} + +static SECStatus CanFalseStartCallback(PRFileDesc* fd, void* arg, + PRBool* canFalseStart) { + *canFalseStart = true; + return SECSuccess; +} + +namespace TlsClient { + +// XOR 64-bit chunks of data to build a bitmap of config options derived from +// the fuzzing input. This seems the only way to fuzz various options while +// still maintaining compatibility with BoringSSL or OpenSSL fuzzers. +Config::Config(const uint8_t* data, size_t len) { + union { + uint64_t bitmap; + struct { + uint32_t config; + uint16_t ssl_version_range_min; + uint16_t ssl_version_range_max; + }; + }; + + for (size_t i = 0; i < len; i++) { + bitmap ^= static_cast(data[i]) << (8 * (i % 8)); + } + + // Map SSL version values to a valid range. + ssl_version_range_min = + SSL_VERSION_RANGE_MIN_VALID + + (ssl_version_range_min % + (1 + SSL_VERSION_RANGE_MAX_VALID - SSL_VERSION_RANGE_MIN_VALID)); + ssl_version_range_max = + ssl_version_range_min + + (ssl_version_range_max % + (1 + SSL_VERSION_RANGE_MAX_VALID - ssl_version_range_min)); + + config_ = config; + ssl_version_range_ = { + .min = ssl_version_range_min, + .max = ssl_version_range_max, + }; +} + +void Config::SetCallbacks(PRFileDesc* fd) { + SECStatus rv = SSL_AuthCertificateHook(fd, AuthCertificateHook, this); + assert(rv == SECSuccess); + + rv = SSL_SetCanFalseStartCallback(fd, CanFalseStartCallback, nullptr); + assert(rv == SECSuccess); +} + +void Config::SetSocketOptions(PRFileDesc* fd) { + SECStatus rv = SSL_OptionSet(fd, SSL_ENABLE_EXTENDED_MASTER_SECRET, + this->EnableExtendedMasterSecret()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_REQUIRE_DH_NAMED_GROUPS, + this->RequireDhNamedGroups()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_FALSE_START, this->EnableFalseStart()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DEFLATE, this->EnableDeflate()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, this->CbcRandomIv()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, + this->RequireSafeNegotiation()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_NO_CACHE, this->NoCache()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_GREASE, this->EnableGrease()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_CH_EXTENSION_PERMUTATION, + this->EnableCHExtensionPermutation()); + assert(rv == SECSuccess); + + if (this->SetCertificateCompressionAlgorithm()) { + rv = SSL_SetCertificateCompressionAlgorithm(fd, kCompressionAlg); + assert(rv == SECSuccess); + } + + if (this->SetVersionRange()) { + rv = SSL_VersionRangeSet(fd, &ssl_version_range_); + assert(rv == SECSuccess); + } + + if (this->AddExternalPsk()) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + assert(slot); + + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), CKM_NSS_CHACHA20_POLY1305, + nullptr, 32, nullptr)); + assert(key); + + rv = SSL_AddExternalPsk(fd, key.get(), kPskIdentity, + sizeof(kPskIdentity) - 1, this->PskHashType()); + assert(rv == SECSuccess); + } + + rv = SSL_OptionSet(fd, SSL_ENABLE_POST_HANDSHAKE_AUTH, + this->EnablePostHandshakeAuth()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, this->EnableZeroRtt()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_ALPN, this->EnableAlpn()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, this->EnableFallbackScsv()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, this->EnableOcspStapling()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, + this->EnableSessionTickets()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, + this->EnableTls13CompatMode()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_NO_LOCKS, this->NoLocks()); + assert(rv == SECSuccess); + + rv = SSL_EnableTls13GreaseEch(fd, this->EnableTls13GreaseEch()); + assert(rv == SECSuccess); + + rv = SSL_SetDtls13VersionWorkaround(fd, this->SetDtls13VersionWorkaround()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DELEGATED_CREDENTIALS, + this->EnableDelegatedCredentials()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DTLS_SHORT_HEADER, + this->EnableDtlsShortHeader()); + assert(rv == SECSuccess); + +#ifndef IS_DTLS_FUZZ + rv = + SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED); + assert(rv == SECSuccess); + + if (this->SetClientEchConfigs()) { + ScopedSECItem echConfigsBin(NSSBase64_DecodeBuffer( + nullptr, nullptr, kEchConfigs, sizeof(kEchConfigs))); + assert(echConfigsBin); + + rv = SSL_SetClientEchConfigs(fd, echConfigsBin->data, echConfigsBin->len); + assert(rv == SECSuccess); + } +#endif // IS_DTLS_FUZZ +} + +std::ostream& operator<<(std::ostream& out, Config& config) { + out << "============= ClientConfig =============" + << "\n"; + out << "SSL_NO_CACHE: " << config.NoCache() << "\n"; + out << "SSL_ENABLE_EXTENDED_MASTER_SECRET: " + << config.EnableExtendedMasterSecret() << "\n"; + out << "SSL_REQUIRE_DH_NAMED_GROUPS: " + << config.RequireDhNamedGroups() << "\n"; + out << "SSL_ENABLE_FALSE_START: " << config.EnableFalseStart() + << "\n"; + out << "SSL_ENABLE_DEFLATE: " << config.EnableDeflate() + << "\n"; + out << "SSL_CBC_RANDOM_IV: " << config.CbcRandomIv() + << "\n"; + out << "SSL_REQUIRE_SAFE_NEGOTIATION: " + << config.RequireSafeNegotiation() << "\n"; + out << "SSL_ENABLE_GREASE: " << config.EnableGrease() + << "\n"; + out << "SSL_ENABLE_CH_EXTENSION_PERMUTATION: " + << config.EnableCHExtensionPermutation() << "\n"; + out << "SSL_SetCertificateCompressionAlgorithm: " + << config.SetCertificateCompressionAlgorithm() << "\n"; + out << "SSL_VersionRangeSet: " << config.SetVersionRange() + << "\n"; + out << " Min: " + << config.SslVersionRange().min << "\n"; + out << " Max: " + << config.SslVersionRange().max << "\n"; + out << "SSL_AddExternalPsk: " << config.AddExternalPsk() + << "\n"; + out << " Type: " << config.PskHashType() + << "\n"; + out << "SSL_ENABLE_POST_HANDSHAKE_AUTH: " + << config.EnablePostHandshakeAuth() << "\n"; + out << "SSL_ENABLE_0RTT_DATA: " << config.EnableZeroRtt() + << "\n"; + out << "SSL_ENABLE_ALPN: " << config.EnableAlpn() + << "\n"; + out << "SSL_ENABLE_FALLBACK_SCSV: " + << config.EnableFallbackScsv() << "\n"; + out << "SSL_ENABLE_OCSP_STAPLING: " + << config.EnableOcspStapling() << "\n"; + out << "SSL_ENABLE_SESSION_TICKETS: " + << config.EnableSessionTickets() << "\n"; + out << "SSL_ENABLE_TLS13_COMPAT_MODE: " + << config.EnableTls13CompatMode() << "\n"; + out << "SSL_NO_LOCKS: " << config.NoLocks() << "\n"; + out << "SSL_EnableTls13GreaseEch: " + << config.EnableTls13GreaseEch() << "\n"; + out << "SSL_SetDtls13VersionWorkaround: " + << config.SetDtls13VersionWorkaround() << "\n"; + out << "SSL_SetClientEchConfigs: " + << config.SetClientEchConfigs() << "\n"; + out << "========================================"; + + return out; +} + +} // namespace TlsClient diff --git a/nss/fuzz/targets/lib/tls/client_config.h b/nss/fuzz/targets/lib/tls/client_config.h new file mode 100644 index 00000000..2749a9d4 --- /dev/null +++ b/nss/fuzz/targets/lib/tls/client_config.h @@ -0,0 +1,76 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef TLS_CLIENT_CONFIG_H_ +#define TLS_CLIENT_CONFIG_H_ + +#include +#include +#include + +#include "prio.h" +#include "sslt.h" + +#ifdef IS_DTLS_FUZZ +#define SSL_VERSION_RANGE_MIN_VALID 0x0302 +#else +#define SSL_VERSION_RANGE_MIN_VALID 0x0301 +#endif +#define SSL_VERSION_RANGE_MAX_VALID 0x0304 + +namespace TlsClient { + +class Config { + public: + Config(const uint8_t* data, size_t len); + + void SetCallbacks(PRFileDesc* fd); + void SetSocketOptions(PRFileDesc* fd); + + SSLHashType PskHashType() { + if (config_ % 2) return ssl_hash_sha256; + + return ssl_hash_sha384; + }; + SSLVersionRange SslVersionRange() { return ssl_version_range_; }; + + // NOTE: When adding more config options here, don't forget to print + // them in the "<<"-overloaded operator. + bool FailCertificateAuthentication() { return config_ & (1 << 0); }; + bool EnableExtendedMasterSecret() { return config_ & (1 << 1); }; + bool RequireDhNamedGroups() { return config_ & (1 << 2); }; + bool EnableFalseStart() { return config_ & (1 << 3); }; + bool EnableDeflate() { return config_ & (1 << 4); }; + bool CbcRandomIv() { return config_ & (1 << 5); }; + bool RequireSafeNegotiation() { return config_ & (1 << 6); }; + bool NoCache() { return config_ & (1 << 7); }; + bool EnableGrease() { return config_ & (1 << 8); }; + bool EnableCHExtensionPermutation() { return config_ & (1 << 9); }; + bool SetCertificateCompressionAlgorithm() { return config_ & (1 << 10); }; + bool SetClientEchConfigs() { return config_ & (1 << 11); }; + bool SetVersionRange() { return config_ & (1 << 12); }; + bool AddExternalPsk() { return config_ & (1 << 13); }; + bool EnablePostHandshakeAuth() { return config_ & (1 << 14); }; + bool EnableZeroRtt() { return config_ & (1 << 15); }; + bool EnableAlpn() { return config_ & (1 << 16); }; + bool EnableFallbackScsv() { return config_ & (1 << 17); }; + bool EnableOcspStapling() { return config_ & (1 << 18); }; + bool EnableSessionTickets() { return config_ & (1 << 19); }; + bool EnableTls13CompatMode() { return config_ & (1 << 20); }; + bool NoLocks() { return config_ & (1 << 21); }; + bool EnableTls13GreaseEch() { return config_ & (1 << 22); }; + bool SetDtls13VersionWorkaround() { return config_ & (1 << 23); }; + bool EnableDelegatedCredentials() { return config_ & (1 << 24); }; + bool EnableDtlsShortHeader() { return config_ & (1 << 25); }; + + private: + uint32_t config_; + SSLVersionRange ssl_version_range_; +}; + +std::ostream& operator<<(std::ostream& out, Config& config); + +} // namespace TlsClient + +#endif // TLS_CLIENT_CONFIG_H_ diff --git a/nss/fuzz/tls_common.cc b/nss/fuzz/targets/lib/tls/common.cc similarity index 81% rename from nss/fuzz/tls_common.cc rename to nss/fuzz/targets/lib/tls/common.cc index 60a89cad..0fcc6d5d 100644 --- a/nss/fuzz/tls_common.cc +++ b/nss/fuzz/targets/lib/tls/common.cc @@ -2,18 +2,21 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include "tls_common.h" +#include "common.h" #include #include #include #include "prio.h" +#include "secport.h" #include "ssl.h" #include "sslexp.h" static PRTime FixedTime(void*) { return 1234; } +namespace TlsCommon { + // Fix the time input, to avoid any time-based variation. void FixTime(PRFileDesc* fd) { SECStatus rv = SSL_SetTimeFunc(fd, FixedTime, nullptr); @@ -67,17 +70,32 @@ void DoHandshake(PRFileDesc* fd, bool isServer) { } SECStatus DummyCompressionEncode(const SECItem* input, SECItem* output) { + if (!input || !input->data || input->len == 0 || !output) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + SECITEM_CopyItem(nullptr, output, input); - PORT_Memcpy(output->data, input->data, output->len); return SECSuccess; } SECStatus DummyCompressionDecode(const SECItem* input, unsigned char* output, size_t outputLen, size_t* usedLen) { - assert(input->len == outputLen); + if (!input || !input->data || input->len == 0 || !output || outputLen == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (input->len > outputLen) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + PORT_Memcpy(output, input->data, input->len); - *usedLen = outputLen; + *usedLen = input->len; return SECSuccess; } + +} // namespace TlsCommon diff --git a/nss/fuzz/tls_common.h b/nss/fuzz/targets/lib/tls/common.h similarity index 93% rename from nss/fuzz/tls_common.h rename to nss/fuzz/targets/lib/tls/common.h index 134d0fa4..ba87841f 100644 --- a/nss/fuzz/tls_common.h +++ b/nss/fuzz/targets/lib/tls/common.h @@ -10,6 +10,8 @@ #include "prio.h" #include "seccomon.h" +namespace TlsCommon { + void FixTime(PRFileDesc* fd); void EnableAllProtocolVersions(); void EnableAllCipherSuites(PRFileDesc* fd); @@ -19,4 +21,6 @@ SECStatus DummyCompressionEncode(const SECItem* input, SECItem* output); SECStatus DummyCompressionDecode(const SECItem* input, unsigned char* output, size_t outputLen, size_t* usedLen); +} // namespace TlsCommon + #endif // TLS_COMMON_H_ diff --git a/nss/fuzz/tls_mutators.cc b/nss/fuzz/targets/lib/tls/mutators.cc similarity index 85% rename from nss/fuzz/tls_mutators.cc rename to nss/fuzz/targets/lib/tls/mutators.cc index 0022c71a..fc253d86 100644 --- a/nss/fuzz/tls_mutators.cc +++ b/nss/fuzz/targets/lib/tls/mutators.cc @@ -2,6 +2,8 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include "mutators.h" + #include #include #include @@ -11,12 +13,6 @@ #include "tls_parser.h" -using namespace nss_test; - -// Number of additional bytes in the TLS header. -// Used to properly skip DTLS seqnums. -static size_t gExtraHeaderBytes = 0; - // Helper class to simplify TLS record manipulation. class Record { public: @@ -40,9 +36,9 @@ class Record { } void truncate(size_t length) { - assert(length >= 5 + gExtraHeaderBytes); + assert(length >= 5 + EXTRA_HEADER_BYTES); uint8_t *dest = const_cast(data_); - size_t l = length - (5 + gExtraHeaderBytes); + size_t l = length - (5 + EXTRA_HEADER_BYTES); dest[3] = (l >> 8) & 0xff; dest[4] = l & 0xff; memmove(dest + length, data_ + size_, remaining_); @@ -70,23 +66,23 @@ class Record { std::vector> ParseRecords(const uint8_t *data, size_t size) { std::vector> records; - TlsParser parser(data, size); + nss_test::TlsParser parser(data, size); while (parser.remaining()) { size_t offset = parser.consumed(); // Skip type, version, and DTLS seqnums. - if (!parser.Skip(3 + gExtraHeaderBytes)) { + if (!parser.Skip(3 + EXTRA_HEADER_BYTES)) { break; } - DataBuffer fragment; + nss_test::DataBuffer fragment; if (!parser.ReadVariable(&fragment, 2)) { break; } records.push_back(Record::Create(data + offset, - fragment.len() + 5 + gExtraHeaderBytes, + fragment.len() + 5 + EXTRA_HEADER_BYTES, parser.remaining())); } @@ -95,11 +91,8 @@ std::vector> ParseRecords(const uint8_t *data, namespace TlsMutators { -// Handle seqnums in DTLS transcripts. -void SetIsDTLS() { gExtraHeaderBytes = 8; } - // Mutator that drops whole TLS records. -size_t DropRecord(uint8_t *data, size_t size, size_t max_size, +size_t DropRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); @@ -121,7 +114,7 @@ size_t DropRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that shuffles TLS records in a transcript. -size_t ShuffleRecords(uint8_t *data, size_t size, size_t max_size, +size_t ShuffleRecords(uint8_t *data, size_t size, size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); @@ -152,7 +145,7 @@ size_t ShuffleRecords(uint8_t *data, size_t size, size_t max_size, } // Mutator that duplicates a single TLS record and randomly inserts it. -size_t DuplicateRecord(uint8_t *data, size_t size, size_t max_size, +size_t DuplicateRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); @@ -165,7 +158,7 @@ size_t DuplicateRecord(uint8_t *data, size_t size, size_t max_size, // Pick a record to duplicate at random. std::uniform_int_distribution dist(0, records.size() - 1); auto &rec = records.at(dist(rng)); - if (size + rec->size() > max_size) { + if (size + rec->size() > maxSize) { return 0; } @@ -177,7 +170,7 @@ size_t DuplicateRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that truncates a TLS record. -size_t TruncateRecord(uint8_t *data, size_t size, size_t max_size, +size_t TruncateRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); @@ -192,12 +185,12 @@ size_t TruncateRecord(uint8_t *data, size_t size, size_t max_size, auto &rec = records.at(dist(rng)); // Need a record with data. - if (rec->size() <= 5 + gExtraHeaderBytes) { + if (rec->size() <= 5 + EXTRA_HEADER_BYTES) { return 0; } // Truncate. - std::uniform_int_distribution dist2(5 + gExtraHeaderBytes, + std::uniform_int_distribution dist2(5 + EXTRA_HEADER_BYTES, rec->size() - 1); size_t new_length = dist2(rng); rec->truncate(new_length); @@ -207,16 +200,16 @@ size_t TruncateRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that splits a TLS record in two. -size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, +size_t FragmentRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed) { std::mt19937 rng(seed); // We can't deal with DTLS yet. - if (gExtraHeaderBytes > 0) { + if (EXTRA_HEADER_BYTES > 0) { return 0; } - if (size + 5 > max_size) { + if (size + 5 > maxSize) { return 0; } @@ -259,7 +252,7 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, // Cross-over function that merges and shuffles two transcripts. size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, - size_t size2, uint8_t *out, size_t max_out_size, + size_t size2, uint8_t *out, size_t maxOutSize, unsigned int seed) { std::mt19937 rng(seed); @@ -283,7 +276,7 @@ size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, size_t total = 0; for (auto &rec : records1) { size_t length = rec->size(); - if (total + length > max_out_size) { + if (total + length > maxOutSize) { break; } @@ -295,4 +288,4 @@ size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, return total; } -} // namespace TlsMutators +} // namespace TlsMutators \ No newline at end of file diff --git a/nss/fuzz/tls_mutators.h b/nss/fuzz/targets/lib/tls/mutators.h similarity index 55% rename from nss/fuzz/tls_mutators.h rename to nss/fuzz/targets/lib/tls/mutators.h index 11c3d070..3a389037 100644 --- a/nss/fuzz/tls_mutators.h +++ b/nss/fuzz/targets/lib/tls/mutators.h @@ -8,23 +8,29 @@ #include #include -namespace TlsMutators { +// Number of additional bytes in the TLS header. +// Used to properly skip DTLS seqnums. +#ifdef IS_DTLS_FUZZ +#define EXTRA_HEADER_BYTES 8 +#else +#define EXTRA_HEADER_BYTES 0 +#endif -void SetIsDTLS(); +namespace TlsMutators { -size_t DropRecord(uint8_t *data, size_t size, size_t max_size, +size_t DropRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed); -size_t ShuffleRecords(uint8_t *data, size_t size, size_t max_size, +size_t ShuffleRecords(uint8_t *data, size_t size, size_t maxSize, unsigned int seed); -size_t DuplicateRecord(uint8_t *data, size_t size, size_t max_size, +size_t DuplicateRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed); -size_t TruncateRecord(uint8_t *data, size_t size, size_t max_size, +size_t TruncateRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed); -size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, +size_t FragmentRecord(uint8_t *data, size_t size, size_t maxSize, unsigned int seed); size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, - size_t size2, uint8_t *out, size_t max_out_size, + size_t size2, uint8_t *out, size_t maxOutSize, unsigned int seed); } // namespace TlsMutators diff --git a/nss/fuzz/tls_server_certs.cc b/nss/fuzz/targets/lib/tls/server_certs.cc similarity index 96% rename from nss/fuzz/tls_server_certs.cc rename to nss/fuzz/targets/lib/tls/server_certs.cc index 20732a5e..73c6be49 100644 --- a/nss/fuzz/tls_server_certs.cc +++ b/nss/fuzz/targets/lib/tls/server_certs.cc @@ -2,14 +2,15 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include -#include +#include "server_certs.h" -#include "ssl.h" +#include +#include +#include #include "cpputil.h" #include "nss_scoped_ptrs.h" -#include "tls_server_certs.h" +#include "ssl.h" const uint8_t kP256ServerCert[] = { 0x30, 0x82, 0x01, 0xcf, 0x30, 0x82, 0x01, 0x76, 0xa0, 0x03, 0x02, 0x01, @@ -252,16 +253,16 @@ const uint8_t kRsaServerKey[] = { 0xfe, 0xbf, 0xda, 0x0e, 0xce, 0x28, 0xb9, 0xdb, 0x9b, 0xcf, 0x6e, 0xa8, 0xe4, 0x60, 0xca, 0x98}; -void InstallServerCertificate(PRFileDesc* fd, const uint8_t* cert_data, - size_t cert_len, const uint8_t* key_data, - size_t key_len) { +static void InstallServerCertificate(PRFileDesc* fd, const uint8_t* certData, + size_t certLen, const uint8_t* keyData, + size_t keyLen) { ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); assert(slot); - SECItem certItem = {siBuffer, toUcharPtr(cert_data), - static_cast(cert_len)}; - SECItem pkcs8Item = {siBuffer, toUcharPtr(key_data), - static_cast(key_len)}; + SECItem certItem = {siBuffer, toUcharPtr(certData), + static_cast(certLen)}; + SECItem pkcs8Item = {siBuffer, toUcharPtr(keyData), + static_cast(keyLen)}; // Import the certificate. static CERTCertDBHandle* certDB = CERT_GetDefaultCertDB(); @@ -284,6 +285,8 @@ void InstallServerCertificate(PRFileDesc* fd, const uint8_t* cert_data, assert(rv == SECSuccess); } +namespace TlsServer { + void InstallServerCertificates(PRFileDesc* fd) { // ECDSA P-256 certificate. InstallServerCertificate(fd, kP256ServerCert, sizeof(kP256ServerCert), @@ -292,4 +295,8 @@ void InstallServerCertificates(PRFileDesc* fd) { // RSA-2048 certificate. InstallServerCertificate(fd, kRsaServerCert, sizeof(kRsaServerCert), kRsaServerKey, sizeof(kRsaServerKey)); + + // TODO(mdauer): Install more different cerificate types. } + +} // namespace TlsServer diff --git a/nss/fuzz/tls_server_certs.h b/nss/fuzz/targets/lib/tls/server_certs.h similarity index 67% rename from nss/fuzz/tls_server_certs.h rename to nss/fuzz/targets/lib/tls/server_certs.h index c0db2539..c9987fd8 100644 --- a/nss/fuzz/tls_server_certs.h +++ b/nss/fuzz/targets/lib/tls/server_certs.h @@ -2,11 +2,15 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ -#ifndef tls_server_certs_h__ -#define tls_server_certs_h__ +#ifndef TLS_SERVER_CERT_H_ +#define TLS_SERVER_CERT_H_ #include "prio.h" +namespace TlsServer { + void InstallServerCertificates(PRFileDesc* fd); -#endif // tls_server_certs_h__ +} // namespace TlsServer + +#endif // TLS_SERVER_CERT_H_ diff --git a/nss/fuzz/targets/lib/tls/server_config.cc b/nss/fuzz/targets/lib/tls/server_config.cc new file mode 100644 index 00000000..c342d23a --- /dev/null +++ b/nss/fuzz/targets/lib/tls/server_config.cc @@ -0,0 +1,213 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "server_config.h" + +#include +#include +#include + +#include "nss_scoped_ptrs.h" +#include "pk11pub.h" +#include "prio.h" +#include "seccomon.h" +#include "ssl.h" +#include "sslexp.h" +#include "sslt.h" + +#include "common.h" + +const SSLCertificateCompressionAlgorithm kCompressionAlg = { + 0x1337, "fuzz", TlsCommon::DummyCompressionEncode, + TlsCommon::DummyCompressionDecode}; +const PRUint8 kPskIdentity[] = "fuzz-psk-identity"; + +static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checksig, + PRBool isServer) { + assert(isServer); + auto config = reinterpret_cast(arg); + if (config->FailCertificateAuthentication()) return SECFailure; + + return SECSuccess; +} + +static SECStatus CanFalseStartCallback(PRFileDesc* fd, void* arg, + PRBool* canFalseStart) { + *canFalseStart = true; + return SECSuccess; +} + +namespace TlsServer { + +// XOR 64-bit chunks of data to build a bitmap of config options derived from +// the fuzzing input. This seems the only way to fuzz various options while +// still maintaining compatibility with BoringSSL or OpenSSL fuzzers. +Config::Config(const uint8_t* data, size_t len) { + union { + uint64_t bitmap; + struct { + uint32_t config; + uint16_t ssl_version_range_min; + uint16_t ssl_version_range_max; + }; + }; + + for (size_t i = 0; i < len; i++) { + bitmap ^= static_cast(data[i]) << (8 * (i % 8)); + } + + // Map SSL version values to a valid range. + ssl_version_range_min = + SSL_VERSION_RANGE_MIN_VALID + + (ssl_version_range_min % + (1 + SSL_VERSION_RANGE_MAX_VALID - SSL_VERSION_RANGE_MIN_VALID)); + ssl_version_range_max = + ssl_version_range_min + + (ssl_version_range_max % + (1 + SSL_VERSION_RANGE_MAX_VALID - ssl_version_range_min)); + + config_ = config; + ssl_version_range_ = { + .min = ssl_version_range_min, + .max = ssl_version_range_max, + }; +} + +void Config::SetCallbacks(PRFileDesc* fd) { + SECStatus rv = SSL_AuthCertificateHook(fd, AuthCertificateHook, this); + assert(rv == SECSuccess); + + rv = SSL_SetCanFalseStartCallback(fd, CanFalseStartCallback, nullptr); + assert(rv == SECSuccess); +} + +void Config::SetSocketOptions(PRFileDesc* fd) { + SECStatus rv = SSL_OptionSet(fd, SSL_ENABLE_EXTENDED_MASTER_SECRET, + this->EnableExtendedMasterSecret()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_REQUEST_CERTIFICATE, this->RequestCertificate()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_REQUIRE_CERTIFICATE, this->RequireCertificate()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DEFLATE, this->EnableDeflate()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, this->EnableCbcRandomIv()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, + this->RequireSafeNegotiation()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_NO_CACHE, this->NoCache()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_GREASE, this->EnableGrease()); + assert(rv == SECSuccess); + + if (this->SetCertificateCompressionAlgorithm()) { + rv = SSL_SetCertificateCompressionAlgorithm(fd, kCompressionAlg); + assert(rv == SECSuccess); + } + + if (this->SetVersionRange()) { + rv = SSL_VersionRangeSet(fd, &ssl_version_range_); + assert(rv == SECSuccess); + } + + if (this->AddExternalPsk()) { + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + assert(slot); + + ScopedPK11SymKey key(PK11_KeyGen(slot.get(), CKM_NSS_CHACHA20_POLY1305, + nullptr, 32, nullptr)); + assert(key); + + rv = SSL_AddExternalPsk(fd, key.get(), kPskIdentity, + sizeof(kPskIdentity) - 1, this->PskHashType()); + assert(rv == SECSuccess); + } + + rv = SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, this->EnableZeroRtt()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_ALPN, this->EnableAlpn()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, this->EnableFallbackScsv()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, + this->EnableSessionTickets()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_NO_LOCKS, this->NoLocks()); + assert(rv == SECSuccess); + + rv = SSL_EnableTls13BackendEch(fd, this->EnableTls13BackendEch()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DELEGATED_CREDENTIALS, + this->EnableDelegatedCredentials()); + assert(rv == SECSuccess); + + rv = SSL_OptionSet(fd, SSL_ENABLE_DTLS_SHORT_HEADER, + this->EnableDtlsShortHeader()); + assert(rv == SECSuccess); + +#ifndef IS_DTLS_FUZZ + rv = + SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED); + assert(rv == SECSuccess); +#endif +} + +std::ostream& operator<<(std::ostream& out, Config& config) { + out << "============= ServerConfig =============" + << "\n"; + out << "SSL_NO_CACHE: " << config.NoCache() << "\n"; + out << "SSL_ENABLE_EXTENDED_MASTER_SECRET: " + << config.EnableExtendedMasterSecret() << "\n"; + out << "SSL_REQUEST_CERTIFICATE: " + << config.RequestCertificate() << "\n"; + out << "SSL_REQUIRE_CERTIFICATE: " + << config.RequireCertificate() << "\n"; + out << "SSL_ENABLE_DEFLATE: " << config.EnableDeflate() + << "\n"; + out << "SSL_CBC_RANDOM_IV: " + << config.EnableCbcRandomIv() << "\n"; + out << "SSL_REQUIRE_SAFE_NEGOTIATION: " + << config.RequireSafeNegotiation() << "\n"; + out << "SSL_ENABLE_GREASE: " << config.EnableGrease() + << "\n"; + out << "SSL_SetCertificateCompressionAlgorithm: " + << config.SetCertificateCompressionAlgorithm() << "\n"; + out << "SSL_VersionRangeSet: " << config.SetVersionRange() + << "\n"; + out << " Min: " + << config.SslVersionRange().min << "\n"; + out << " Max: " + << config.SslVersionRange().max << "\n"; + out << "SSL_AddExternalPsk: " << config.AddExternalPsk() + << "\n"; + out << " Type: " << config.PskHashType() + << "\n"; + out << "SSL_ENABLE_0RTT_DATA: " << config.EnableZeroRtt() + << "\n"; + out << "SSL_ENABLE_ALPN: " << config.EnableAlpn() + << "\n"; + out << "SSL_ENABLE_FALLBACK_SCSV: " + << config.EnableFallbackScsv() << "\n"; + out << "SSL_ENABLE_SESSION_TICKETS: " + << config.EnableSessionTickets() << "\n"; + out << "SSL_NO_LOCKS: " << config.NoLocks() << "\n"; + out << "========================================"; + + return out; +} + +} // namespace TlsServer diff --git a/nss/fuzz/targets/lib/tls/server_config.h b/nss/fuzz/targets/lib/tls/server_config.h new file mode 100644 index 00000000..03aab24a --- /dev/null +++ b/nss/fuzz/targets/lib/tls/server_config.h @@ -0,0 +1,70 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef TLS_SERVER_CONFIG_H_ +#define TLS_SERVER_CONFIG_H_ + +#include +#include +#include + +#include "prio.h" +#include "sslt.h" + +#ifdef IS_DTLS_FUZZ +#define SSL_VERSION_RANGE_MIN_VALID 0x0302 +#else +#define SSL_VERSION_RANGE_MIN_VALID 0x0301 +#endif +#define SSL_VERSION_RANGE_MAX_VALID 0x0304 + +namespace TlsServer { + +class Config { + public: + Config(const uint8_t* data, size_t len); + + void SetCallbacks(PRFileDesc* fd); + void SetSocketOptions(PRFileDesc* fd); + + SSLHashType PskHashType() { + if (config_ % 2) return ssl_hash_sha256; + + return ssl_hash_sha384; + }; + SSLVersionRange SslVersionRange() { return ssl_version_range_; }; + + // NOTE: When adding more config options here, don't forget to print + // them in the "<<"-overloaded operator. + bool EnableExtendedMasterSecret() { return config_ & (1 << 0); }; + bool RequestCertificate() { return config_ & (1 << 1); }; + bool RequireCertificate() { return config_ & (1 << 2); }; + bool EnableDeflate() { return config_ & (1 << 3); }; + bool EnableCbcRandomIv() { return config_ & (1 << 4); }; + bool RequireSafeNegotiation() { return config_ & (1 << 5); }; + bool NoCache() { return config_ & (1 << 6); }; + bool EnableGrease() { return config_ & (1 << 7); }; + bool SetCertificateCompressionAlgorithm() { return config_ & (1 << 8); }; + bool SetVersionRange() { return config_ & (1 << 9); }; + bool AddExternalPsk() { return config_ & (1 << 10); }; + bool EnableZeroRtt() { return config_ & (1 << 11); }; + bool EnableAlpn() { return config_ & (1 << 12); }; + bool EnableFallbackScsv() { return config_ & (1 << 13); }; + bool EnableSessionTickets() { return config_ & (1 << 14); }; + bool NoLocks() { return config_ & (1 << 15); }; + bool FailCertificateAuthentication() { return config_ & (1 << 16); } + bool EnableTls13BackendEch() { return config_ & (1 << 17); } + bool EnableDelegatedCredentials() { return config_ & (1 << 18); }; + bool EnableDtlsShortHeader() { return config_ & (1 << 19); }; + + private: + uint32_t config_; + SSLVersionRange ssl_version_range_; +}; + +std::ostream& operator<<(std::ostream& out, Config& config); + +} // namespace TlsServer + +#endif // TLS_SERVER_CONFIG_H_ diff --git a/nss/fuzz/tls_socket.cc b/nss/fuzz/targets/lib/tls/socket.cc similarity index 56% rename from nss/fuzz/tls_socket.cc rename to nss/fuzz/targets/lib/tls/socket.cc index 05aed342..aafc1633 100644 --- a/nss/fuzz/tls_socket.cc +++ b/nss/fuzz/targets/lib/tls/socket.cc @@ -2,16 +2,19 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -#include -#include +#include "socket.h" + #include +#include +#include +#include -#include "prerror.h" +#include "prinrval.h" #include "prio.h" -#include "tls_socket.h" +namespace TlsSocket { -int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) { +int32_t DummyPrSocket::Read(PRFileDesc *fd, void *data, int32_t len) { assert(data && len > 0); int32_t amount = std::min(len, static_cast(len_)); @@ -23,12 +26,14 @@ int32_t DummyPrSocket::Read(PRFileDesc *f, void *data, int32_t len) { return amount; } -int32_t DummyPrSocket::Write(PRFileDesc *f, const void *buf, int32_t length) { +int32_t DummyPrSocket::Write(PRFileDesc *fd, const void *buf, int32_t length) { return length; } -int32_t DummyPrSocket::Recv(PRFileDesc *f, void *buf, int32_t buflen, +int32_t DummyPrSocket::Recv(PRFileDesc *fd, void *buf, int32_t buflen, int32_t flags, PRIntervalTime to) { assert(flags == 0); - return Read(f, buf, buflen); + return Read(fd, buf, buflen); } + +} // namespace TlsSocket diff --git a/nss/fuzz/tls_socket.h b/nss/fuzz/targets/lib/tls/socket.h similarity index 54% rename from nss/fuzz/tls_socket.h rename to nss/fuzz/targets/lib/tls/socket.h index e30f6fa3..e14a8f2a 100644 --- a/nss/fuzz/tls_socket.h +++ b/nss/fuzz/targets/lib/tls/socket.h @@ -2,19 +2,24 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ -#ifndef tls_socket_h__ -#define tls_socket_h__ +#ifndef TLS_SOCKET_H_ +#define TLS_SOCKET_H_ + +#include #include "dummy_io.h" +#include "prinrval.h" +#include "prio.h" + +namespace TlsSocket { class DummyPrSocket : public DummyIOLayerMethods { public: DummyPrSocket(const uint8_t *buf, size_t len) : buf_(buf), len_(len) {} - virtual ~DummyPrSocket() {} - int32_t Read(PRFileDesc *f, void *data, int32_t len) override; - int32_t Write(PRFileDesc *f, const void *buf, int32_t length) override; - int32_t Recv(PRFileDesc *f, void *buf, int32_t buflen, int32_t flags, + int32_t Read(PRFileDesc *fd, void *data, int32_t len) override; + int32_t Write(PRFileDesc *fd, const void *buf, int32_t length) override; + int32_t Recv(PRFileDesc *fd, void *buf, int32_t buflen, int32_t flags, PRIntervalTime to) override; private: @@ -22,4 +27,6 @@ class DummyPrSocket : public DummyIOLayerMethods { size_t len_; }; -#endif // tls_socket_h__ +} // namespace TlsSocket + +#endif // TLS_SOCKET_H_ diff --git a/nss/fuzz/targets/lib/tls/tls.gyp b/nss/fuzz/targets/lib/tls/tls.gyp new file mode 100644 index 00000000..a74ca992 --- /dev/null +++ b/nss/fuzz/targets/lib/tls/tls.gyp @@ -0,0 +1,43 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../../../coreconf/config.gypi', + ], + 'targets': [ + { + 'target_name': 'tls_client', + 'type': 'none', + 'direct_dependent_settings': { + 'sources': [ + 'client_config.cc', + 'common.cc', + 'mutators.cc', + 'socket.cc' + ], + 'include_dirs': [ + '<(DEPTH)/lib/freebl', + '<(DEPTH)/lib/ssl', + ], + }, + }, + { + 'target_name': 'tls_server', + 'type': 'none', + 'direct_dependent_settings': { + 'sources': [ + 'common.cc', + 'mutators.cc', + 'server_certs.cc', + 'server_config.cc', + 'socket.cc' + ], + 'include_dirs': [ + '<(DEPTH)/lib/freebl', + '<(DEPTH)/lib/ssl', + ], + }, + }, + ], +} diff --git a/nss/fuzz/targets/pkcs12.cc b/nss/fuzz/targets/pkcs12.cc new file mode 100644 index 00000000..e2f1402d --- /dev/null +++ b/nss/fuzz/targets/pkcs12.cc @@ -0,0 +1,68 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include +#include + +#include "nss_scoped_ptrs.h" +#include "p12.h" +#include "pk11pub.h" +#include "seccomon.h" + +#include "asn1/mutators.h" +#include "base/database.h" +#include "base/mutate.h" + +static SECItem* nicknameCollision(SECItem* oldNick, PRBool* cancel, + void* wincx) { + *cancel = true; + return nullptr; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static NSSDatabase db = NSSDatabase(); + + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + assert(slot); + + // Initialize the decoder. + SECItem pwItem = {siBuffer, nullptr, 0}; + ScopedSEC_PKCS12DecoderContext dcx( + SEC_PKCS12DecoderStart(&pwItem, slot.get(), nullptr, nullptr, nullptr, + nullptr, nullptr, nullptr)); + assert(dcx); + + SECStatus rv = SEC_PKCS12DecoderUpdate(dcx.get(), (unsigned char*)data, size); + if (rv != SECSuccess) { + return 0; + } + + // Verify the blob. + rv = SEC_PKCS12DecoderVerify(dcx.get()); + if (rv != SECSuccess) { + return 0; + } + + // Validate bags. + rv = SEC_PKCS12DecoderValidateBags(dcx.get(), nicknameCollision); + if (rv != SECSuccess) { + return 0; + } + + // Import cert and key. + rv = SEC_PKCS12DecoderImportBags(dcx.get()); + if (rv != SECSuccess) { + return 0; + } + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, + size_t maxSize, unsigned int seed) { + return CustomMutate( + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, maxSize, seed); +} diff --git a/nss/fuzz/targets/pkcs7.cc b/nss/fuzz/targets/pkcs7.cc new file mode 100644 index 00000000..ccba501a --- /dev/null +++ b/nss/fuzz/targets/pkcs7.cc @@ -0,0 +1,37 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include + +#include "cert.h" +#include "prtypes.h" + +#include "asn1/mutators.h" +#include "base/database.h" +#include "base/mutate.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static NSSDatabase db = NSSDatabase(); + + CERTCertificate *cert = CERT_DecodeCertFromPackage((char *)data, (int)size); + if (cert) { + SECCertificateUsage usage; + (void)CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, PR_TRUE, + certificateUsageCheckAllUsages, nullptr, + &usage); + (void)CERT_VerifyCertName(cert, "fuzz.host"); + + CERT_DestroyCertificate(cert); + } + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, + size_t maxSize, unsigned int seed) { + return CustomMutate( + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, maxSize, seed); +} diff --git a/nss/fuzz/targets/pkcs8.cc b/nss/fuzz/targets/pkcs8.cc new file mode 100644 index 00000000..4200ef83 --- /dev/null +++ b/nss/fuzz/targets/pkcs8.cc @@ -0,0 +1,40 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include +#include + +#include "keyhi.h" +#include "nss_scoped_ptrs.h" +#include "pk11pub.h" + +#include "asn1/mutators.h" +#include "base/database.h" +#include "base/mutate.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static NSSDatabase db = NSSDatabase(); + + SECItem derPki = {siBuffer, (unsigned char *)data, (unsigned int)size}; + + ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); + assert(slot); + + SECKEYPrivateKey *key = nullptr; + if (PK11_ImportDERPrivateKeyInfoAndReturnKey(slot.get(), &derPki, nullptr, + nullptr, false, false, KU_ALL, + &key, nullptr) == SECSuccess) { + SECKEY_DestroyPrivateKey(key); + } + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, + size_t maxSize, unsigned int seed) { + return CustomMutate( + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, maxSize, seed); +} diff --git a/nss/fuzz/quickder_target.cc b/nss/fuzz/targets/quickder.cc similarity index 82% rename from nss/fuzz/quickder_target.cc rename to nss/fuzz/targets/quickder.cc index 11c431a4..2be9a53c 100644 --- a/nss/fuzz/quickder_target.cc +++ b/nss/fuzz/targets/quickder.cc @@ -6,11 +6,13 @@ #include #include -#include "asn1_mutators.h" #include "certt.h" #include "keythi.h" #include "secdert.h" -#include "shared.h" +#include "secport.h" + +#include "asn1/mutators.h" +#include "base/mutate.h" const std::vector templates = { CERT_AttributeTemplate, @@ -68,25 +70,25 @@ const std::vector templates = { SECKEY_RSAPublicKeyTemplate, SECOID_AlgorithmIDTemplate}; -extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { - char *dest[2048]; +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static char *dest[2048]; - for (auto tpl : templates) { - PORTCheapArenaPool pool; - SECItem buf = {siBuffer, const_cast(Data), - static_cast(Size)}; + PORTCheapArenaPool pool; + PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE); - PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE); + for (auto tpl : templates) { + SECItem buf = {siBuffer, (unsigned char *)data, (unsigned int)size}; (void)SEC_QuickDERDecodeItem(&pool.arena, dest, tpl, &buf); - PORT_DestroyCheapArena(&pool); } + PORT_DestroyCheapArena(&pool); + return 0; } extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, size_t max_size, unsigned int seed) { return CustomMutate( - Mutators({ASN1MutatorFlipConstructed, ASN1MutatorChangeType}), data, size, - max_size, seed); + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, max_size, seed); } diff --git a/nss/fuzz/targets/smime.cc b/nss/fuzz/targets/smime.cc new file mode 100644 index 00000000..131a3936 --- /dev/null +++ b/nss/fuzz/targets/smime.cc @@ -0,0 +1,32 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include + +#include "scoped_ptrs_smime.h" +#include "smime.h" + +#include "asn1/mutators.h" +#include "base/database.h" +#include "base/mutate.h" + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { + static NSSDatabase db = NSSDatabase(); + + SECItem buffer = {siBuffer, (unsigned char *)data, (unsigned int)size}; + + ScopedNSSCMSMessage cmsg(NSS_CMSMessage_CreateFromDER( + &buffer, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr)); + (void)NSS_CMSMessage_IsSigned(cmsg.get()); + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size, + size_t maxSize, unsigned int seed) { + return CustomMutate( + Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data, + size, maxSize, seed); +} diff --git a/nss/fuzz/targets/targets.gyp b/nss/fuzz/targets/targets.gyp new file mode 100644 index 00000000..91fc65be --- /dev/null +++ b/nss/fuzz/targets/targets.gyp @@ -0,0 +1,232 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + ], + 'target_defaults': { + 'variables': { + 'debug_optimization_level': '3', + }, + 'target_conditions': [ + [ '_type=="executable"', { + 'libraries!': [ + '<@(nspr_libs)', + ], + 'libraries': [ + '<(nss_dist_obj_dir)/lib/libplds4.a', + '<(nss_dist_obj_dir)/lib/libnspr4.a', + '<(nss_dist_obj_dir)/lib/libplc4.a', + ], + }], + ], + }, + 'targets': [ + { + 'target_name': 'nssfuzz_base', + 'type': 'none', + 'dependencies': [ + '<(DEPTH)/lib/certdb/certdb.gyp:certdb', + '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi', + '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi', + '<(DEPTH)/lib/ssl/ssl.gyp:ssl', + '<(DEPTH)/lib/base/base.gyp:nssb', + '<(DEPTH)/lib/dev/dev.gyp:nssdev', + '<(DEPTH)/lib/pki/pki.gyp:nsspki', + '<(DEPTH)/lib/util/util.gyp:nssutil', + '<(DEPTH)/lib/nss/nss.gyp:nss_static', + '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7', + '<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12', + '<(DEPTH)/lib/smime/smime.gyp:smime', + # This is a static build of pk11wrap, softoken, and freebl. + '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static', + '<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix', + ], + 'direct_dependent_settings': { + 'include_dirs': [ '<(DEPTH)/fuzz/targets/lib' ], + }, + 'conditions': [ + ['fuzz_oss==0', { + 'all_dependent_settings': { + 'libraries': [ + '-fsanitize=fuzzer', + ], + } + }, { + 'all_dependent_settings': { + 'libraries': [ '-lFuzzingEngine' ], + } + }] + ], + }, + { + 'target_name': 'nssfuzz-asn1', + 'type': 'executable', + 'sources': [ + 'asn1.cc', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-certDN', + 'type': 'executable', + 'sources': [ + 'certDN.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-dtls-client', + 'type': 'executable', + 'sources': [ + 'tls_client.cc', + ], + 'defines': [ 'IS_DTLS_FUZZ' ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + '<(DEPTH)/fuzz/targets/lib/tls/tls.gyp:tls_client', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-dtls-server', + 'type': 'executable', + 'sources': [ + 'tls_server.cc', + ], + 'defines': [ 'IS_DTLS_FUZZ' ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + '<(DEPTH)/fuzz/targets/lib/tls/tls.gyp:tls_server', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-pkcs7', + 'type': 'executable', + 'sources': [ + 'pkcs7.cc', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-pkcs8', + 'type': 'executable', + 'sources': [ + 'pkcs8.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-pkcs12', + 'type': 'executable', + 'sources': [ + 'pkcs12.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-quickder', + 'type': 'executable', + 'sources': [ + 'quickder.cc', + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-smime', + 'type': 'executable', + 'sources': [ + 'smime.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-tls-client', + 'type': 'executable', + 'sources': [ + 'tls_client.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + '<(DEPTH)/fuzz/targets/lib/tls/tls.gyp:tls_client', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz-tls-server', + 'type': 'executable', + 'sources': [ + 'tls_server.cc', + ], + 'dependencies': [ + '<(DEPTH)/cpputil/cpputil.gyp:cpputil', + '<(DEPTH)/exports.gyp:nss_exports', + '<(DEPTH)/fuzz/targets/lib/base/base.gyp:base', + '<(DEPTH)/fuzz/targets/lib/tls/tls.gyp:tls_server', + 'nssfuzz_base', + ], + }, + { + 'target_name': 'nssfuzz', + 'type': 'none', + 'dependencies': [ + 'nssfuzz-asn1', + 'nssfuzz-certDN', + 'nssfuzz-dtls-client', + 'nssfuzz-dtls-server', + 'nssfuzz-pkcs7', + 'nssfuzz-pkcs8', + 'nssfuzz-pkcs12', + 'nssfuzz-quickder', + 'nssfuzz-smime', + 'nssfuzz-tls-client', + 'nssfuzz-tls-server', + ], + }, + ], +} diff --git a/nss/fuzz/targets/tls_client.cc b/nss/fuzz/targets/tls_client.cc new file mode 100644 index 00000000..da05efa2 --- /dev/null +++ b/nss/fuzz/targets/tls_client.cc @@ -0,0 +1,81 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include +#include +#include + +#include "blapi.h" +#include "seccomon.h" +#include "ssl.h" +#include "sslimpl.h" + +#include "base/database.h" +#include "base/mutate.h" +#include "tls/client_config.h" +#include "tls/common.h" +#include "tls/mutators.h" +#include "tls/socket.h" + +#ifdef IS_DTLS_FUZZ +#define ImportFD DTLS_ImportFD +#else +#define ImportFD SSL_ImportFD +#endif // IS_DTLS_FUZZ + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static NSSDatabase db = NSSDatabase(); + static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client"); + + // Create and import dummy socket. + TlsSocket::DummyPrSocket socket = TlsSocket::DummyPrSocket(data, size); + ScopedPRFileDesc prFd(DummyIOLayerMethods::CreateFD(id, &socket)); + PRFileDesc* sslFd = ImportFD(nullptr, prFd.get()); + assert(sslFd == prFd.get()); + + // Derive client config from input data. + TlsClient::Config config = TlsClient::Config(data, size); + + if (ssl_trace >= 90) { + std::cerr << config << "\n"; + } + + // Reset the RNG state. + assert(RNG_RandomUpdate(NULL, 0) == SECSuccess); + assert(SSL_SetURL(sslFd, "fuzz.client") == SECSuccess); + + TlsCommon::EnableAllProtocolVersions(); + TlsCommon::EnableAllCipherSuites(sslFd); + TlsCommon::FixTime(sslFd); + + // Set socket callbacks & options from client config. + config.SetCallbacks(sslFd); + config.SetSocketOptions(sslFd); + + // Perform the acutal handshake. + TlsCommon::DoHandshake(sslFd, false); + + // Release all SIDs. + SSL_ClearSessionCache(); + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, + size_t maxSize, unsigned int seed) { + Mutators mutators = {TlsMutators::DropRecord, TlsMutators::ShuffleRecords, + TlsMutators::DuplicateRecord, + TlsMutators::TruncateRecord, + TlsMutators::FragmentRecord}; + return CustomMutate(mutators, data, size, maxSize, seed); +} + +extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1, + const uint8_t* data2, size_t size2, + uint8_t* out, size_t maxOutSize, + unsigned int seed) { + return TlsMutators::CrossOver(data1, size1, data2, size2, out, maxOutSize, + seed); +} \ No newline at end of file diff --git a/nss/fuzz/targets/tls_server.cc b/nss/fuzz/targets/tls_server.cc new file mode 100644 index 00000000..c085c38c --- /dev/null +++ b/nss/fuzz/targets/tls_server.cc @@ -0,0 +1,110 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include +#include + +#include "blapi.h" +#include "seccomon.h" +#include "ssl.h" +#include "sslimpl.h" + +#include "base/database.h" +#include "base/mutate.h" +#include "tls/common.h" +#include "tls/mutators.h" +#include "tls/server_certs.h" +#include "tls/server_config.h" +#include "tls/socket.h" + +#ifdef IS_DTLS_FUZZ +#define ImportFD DTLS_ImportFD +#else +#define ImportFD SSL_ImportFD +#endif // IS_DTLS_FUZZ + +class SSLServerSessionCache { + public: + SSLServerSessionCache() { + assert(SSL_ConfigServerSessionIDCache(1024, 0, 0, ".") == SECSuccess); + } + + ~SSLServerSessionCache() { + assert(SSL_ShutdownServerSessionIDCache() == SECSuccess); + } +}; + +static PRStatus InitModelSocket(void* arg) { + PRFileDesc* fd = reinterpret_cast(arg); + + TlsCommon::EnableAllCipherSuites(fd); + TlsServer::InstallServerCertificates(fd); + + return PR_SUCCESS; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { + static NSSDatabase db = NSSDatabase(); + static SSLServerSessionCache cache = SSLServerSessionCache(); + static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-server"); + + // Create model socket. + static ScopedPRFileDesc model(ImportFD(nullptr, PR_NewTCPSocket())); + assert(model); + + // Initialize the model socket once. + static PRCallOnceType initModelOnce; + PR_CallOnceWithArg(&initModelOnce, InitModelSocket, model.get()); + + // Create and import dummy socket. + TlsSocket::DummyPrSocket socket = TlsSocket::DummyPrSocket(data, size); + ScopedPRFileDesc prFd(DummyIOLayerMethods::CreateFD(id, &socket)); + PRFileDesc* sslFd = ImportFD(model.get(), prFd.get()); + assert(sslFd == prFd.get()); + + // Derive server config from input data. + TlsServer::Config config = TlsServer::Config(data, size); + + if (ssl_trace >= 90) { + std::cerr << config << "\n"; + } + + // Keeping things determinstic. + assert(RNG_RandomUpdate(NULL, 0) == SECSuccess); + assert(SSL_SetURL(sslFd, "fuzz.server") == SECSuccess); + + TlsCommon::EnableAllProtocolVersions(); + TlsCommon::EnableAllCipherSuites(sslFd); + TlsCommon::FixTime(sslFd); + + // Set socket options from server config. + config.SetCallbacks(sslFd); + config.SetSocketOptions(sslFd); + + // Perform the acutal handshake. + TlsCommon::DoHandshake(sslFd, true); + + // Clear the cache. We never want to resume as we couldn't reproduce that. + SSL_ClearSessionCache(); + + return 0; +} + +extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, + size_t maxSize, unsigned int seed) { + return CustomMutate( + {TlsMutators::DropRecord, TlsMutators::ShuffleRecords, + TlsMutators::DuplicateRecord, TlsMutators::TruncateRecord, + TlsMutators::FragmentRecord}, + data, size, maxSize, seed); +} + +extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1, + const uint8_t* data2, size_t size2, + uint8_t* out, size_t maxOutSize, + unsigned int seed) { + return TlsMutators::CrossOver(data1, size1, data2, size2, out, maxOutSize, + seed); +} diff --git a/nss/fuzz/tls_client_config.cc b/nss/fuzz/tls_client_config.cc deleted file mode 100644 index d6ad8b88..00000000 --- a/nss/fuzz/tls_client_config.cc +++ /dev/null @@ -1,210 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "tls_client_config.h" - -#include -#include - -#include "sslt.h" - -const uint32_t CONFIG_FAIL_CERT_AUTH = 1 << 0; -const uint32_t CONFIG_ENABLE_EXTENDED_MS = 1 << 1; -const uint32_t CONFIG_REQUIRE_DH_NAMED_GROUPS = 1 << 2; -const uint32_t CONFIG_ENABLE_FALSE_START = 1 << 3; -const uint32_t CONFIG_ENABLE_DEFLATE = 1 << 4; -const uint32_t CONFIG_ENABLE_CBC_RANDOM_IV = 1 << 5; -const uint32_t CONFIG_REQUIRE_SAFE_NEGOTIATION = 1 << 6; -const uint32_t CONFIG_NO_CACHE = 1 << 7; -const uint32_t CONFIG_ENABLE_GREASE = 1 << 8; -const uint32_t CONFIG_ENABLE_CH_EXTENSION_PERMUTATION = 1 << 9; -const uint32_t CONFIG_SET_CERTIFICATION_COMPRESSION_ALGORITHM = 1 << 10; -const uint32_t CONFIG_SET_CLIENT_ECH_CONFIGS = 1 << 11; -const uint32_t CONFIG_VERSION_RANGE_SET = 1 << 12; -const uint32_t CONFIG_ADD_EXTERNAL_PSK = 1 << 13; -const uint32_t CONFIG_ENABLE_POST_HANDSHAKE_AUTH = 1 << 14; -const uint32_t CONFIG_ENABLE_ZERO_RTT = 1 << 15; -const uint32_t CONFIG_ENABLE_ALPN = 1 << 16; -const uint32_t CONFIG_ENABLE_FALLBACK_SCSV = 1 << 17; -const uint32_t CONFIG_ENABLE_OCSP_STAPLING = 1 << 18; -const uint32_t CONFIG_ENABLE_SESSION_TICKETS = 1 << 19; -const uint32_t CONFIG_ENABLE_TLS13_COMPAT_MODE = 1 << 20; -const uint32_t CONFIG_NO_LOCKS = 1 << 21; - -// XOR 64-bit chunks of data to build a bitmap of config options derived from -// the fuzzing input. This seems the only way to fuzz various options while -// still maintaining compatibility with BoringSSL or OpenSSL fuzzers. -ClientConfig::ClientConfig(const uint8_t* data, size_t len) { - union { - uint64_t bitmap; - struct { - uint32_t config; - uint16_t ssl_version_range_min; - uint16_t ssl_version_range_max; - }; - }; - - for (size_t i = 0; i < len; i++) { - bitmap ^= static_cast(data[i]) << (8 * (i % 8)); - } - - // Map SSL version values to a valid range. - ssl_version_range_min = - SSL_VERSION_RANGE_MIN_VALID + - (ssl_version_range_min % - (1 + SSL_VERSION_RANGE_MAX_VALID - SSL_VERSION_RANGE_MIN_VALID)); - ssl_version_range_max = - ssl_version_range_min + - (ssl_version_range_max % - (1 + SSL_VERSION_RANGE_MAX_VALID - ssl_version_range_min)); - - config_ = config; - ssl_version_range_ = { - .min = ssl_version_range_min, - .max = ssl_version_range_max, - }; -} - -bool ClientConfig::FailCertificateAuthentication() { - return config_ & CONFIG_FAIL_CERT_AUTH; -} - -bool ClientConfig::EnableExtendedMasterSecret() { - return config_ & CONFIG_ENABLE_EXTENDED_MS; -} - -bool ClientConfig::RequireDhNamedGroups() { - return config_ & CONFIG_REQUIRE_DH_NAMED_GROUPS; -} - -bool ClientConfig::EnableFalseStart() { - return config_ & CONFIG_ENABLE_FALSE_START; -} - -bool ClientConfig::EnableDeflate() { return config_ & CONFIG_ENABLE_DEFLATE; } - -bool ClientConfig::EnableCbcRandomIv() { - return config_ & CONFIG_ENABLE_CBC_RANDOM_IV; -} - -bool ClientConfig::RequireSafeNegotiation() { - return config_ & CONFIG_REQUIRE_SAFE_NEGOTIATION; -} - -bool ClientConfig::NoCache() { return config_ & CONFIG_NO_CACHE; } - -bool ClientConfig::EnableGrease() { return config_ & CONFIG_ENABLE_GREASE; } - -bool ClientConfig::EnableCHExtensionPermutation() { - return config_ & CONFIG_ENABLE_CH_EXTENSION_PERMUTATION; -}; - -bool ClientConfig::SetCertificateCompressionAlgorithm() { - return config_ & CONFIG_SET_CERTIFICATION_COMPRESSION_ALGORITHM; -} - -bool ClientConfig::SetClientEchConfigs() { - return config_ & CONFIG_SET_CLIENT_ECH_CONFIGS; -} - -bool ClientConfig::SetVersionRange() { - return config_ & CONFIG_VERSION_RANGE_SET; -} - -bool ClientConfig::AddExternalPsk() { - return config_ & CONFIG_ADD_EXTERNAL_PSK; -} - -bool ClientConfig::EnablePostHandshakeAuth() { - return config_ & CONFIG_ENABLE_POST_HANDSHAKE_AUTH; -} - -bool ClientConfig::EnableZeroRtt() { return config_ & CONFIG_ENABLE_ZERO_RTT; } - -bool ClientConfig::EnableAlpn() { return config_ & CONFIG_ENABLE_ALPN; } - -bool ClientConfig::EnableFallbackScsv() { - return config_ & CONFIG_ENABLE_FALLBACK_SCSV; -} - -bool ClientConfig::EnableOcspStapling() { - return config_ & CONFIG_ENABLE_OCSP_STAPLING; -} - -bool ClientConfig::EnableSessionTickets() { - return config_ & CONFIG_ENABLE_SESSION_TICKETS; -} - -bool ClientConfig::EnableTls13CompatMode() { - return config_ & CONFIG_ENABLE_TLS13_COMPAT_MODE; -} - -bool ClientConfig::NoLocks() { return config_ & CONFIG_NO_LOCKS; } - -SSLHashType ClientConfig::PskHashType() { - if (config_ % 2) return ssl_hash_sha256; - - return ssl_hash_sha384; -} - -const SSLVersionRange& ClientConfig::VersionRange() { - return ssl_version_range_; -} - -std::ostream& operator<<(std::ostream& out, - std::unique_ptr& config) { - out << "============= ClientConfig =============" - << "\n"; - out << "SSL_NO_CACHE: " << config->NoCache() - << "\n"; - out << "SSL_ENABLE_EXTENDED_MASTER_SECRET: " - << config->EnableExtendedMasterSecret() << "\n"; - out << "SSL_REQUIRE_DH_NAMED_GROUPS: " - << config->RequireDhNamedGroups() << "\n"; - out << "SSL_ENABLE_FALSE_START: " - << config->EnableFalseStart() << "\n"; - out << "SSL_ENABLE_DEFLATE: " << config->EnableDeflate() - << "\n"; - out << "SSL_CBC_RANDOM_IV: " - << config->EnableCbcRandomIv() << "\n"; - out << "SSL_REQUIRE_SAFE_NEGOTIATION: " - << config->RequireSafeNegotiation() << "\n"; - out << "SSL_ENABLE_GREASE: " << config->EnableGrease() - << "\n"; - out << "SSL_ENABLE_CH_EXTENSION_PERMUTATION: " - << config->EnableCHExtensionPermutation() << "\n"; - out << "SSL_SetCertificateCompressionAlgorithm: " - << config->SetCertificateCompressionAlgorithm() << "\n"; - out << "SSL_VersionRangeSet: " << config->SetVersionRange() - << "\n"; - out << " Min: " - << config->VersionRange().min << "\n"; - out << " Max: " - << config->VersionRange().max << "\n"; - out << "SSL_AddExternalPsk: " << config->AddExternalPsk() - << "\n"; - out << " Type: " << config->PskHashType() - << "\n"; - out << "SSL_ENABLE_POST_HANDSHAKE_AUTH: " - << config->EnablePostHandshakeAuth() << "\n"; - out << "SSL_ENABLE_0RTT_DATA: " << config->EnableZeroRtt() - << "\n"; - out << "SSL_ENABLE_ALPN: " << config->EnableAlpn() - << "\n"; - out << "SSL_ENABLE_FALLBACK_SCSV: " - << config->EnableFallbackScsv() << "\n"; - out << "SSL_ENABLE_OCSP_STAPLING: " - << config->EnableOcspStapling() << "\n"; - out << "SSL_ENABLE_SESSION_TICKETS: " - << config->EnableSessionTickets() << "\n"; - out << "SSL_ENABLE_TLS13_COMPAT_MODE: " - << config->EnableTls13CompatMode() << "\n"; - out << "SSL_NO_LOCKS: " << config->NoLocks() - << "\n"; - out << "SSL_SetClientEchConfigs: " - << config->SetClientEchConfigs() << "\n"; - out << "========================================"; - - return out; -} diff --git a/nss/fuzz/tls_client_config.h b/nss/fuzz/tls_client_config.h deleted file mode 100644 index 8f097632..00000000 --- a/nss/fuzz/tls_client_config.h +++ /dev/null @@ -1,60 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this file, - * You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef TLS_CLIENT_CONFIG_H_ -#define TLS_CLIENT_CONFIG_H_ - -#include -#include -#include -#include - -#include "sslt.h" - -#ifdef IS_DTLS_FUZZ -#define SSL_VERSION_RANGE_MIN_VALID 0x0302 -#else -#define SSL_VERSION_RANGE_MIN_VALID 0x0301 -#endif -#define SSL_VERSION_RANGE_MAX_VALID 0x0304 - -class ClientConfig { - public: - ClientConfig(const uint8_t* data, size_t len); - - bool FailCertificateAuthentication(); - bool EnableExtendedMasterSecret(); - bool RequireDhNamedGroups(); - bool EnableFalseStart(); - bool EnableDeflate(); - bool EnableCbcRandomIv(); - bool RequireSafeNegotiation(); - bool NoCache(); - bool EnableGrease(); - bool EnableCHExtensionPermutation(); - bool SetCertificateCompressionAlgorithm(); - bool SetClientEchConfigs(); - bool SetVersionRange(); - bool AddExternalPsk(); - bool EnablePostHandshakeAuth(); - bool EnableZeroRtt(); - bool EnableAlpn(); - bool EnableFallbackScsv(); - bool EnableOcspStapling(); - bool EnableSessionTickets(); - bool EnableTls13CompatMode(); - bool NoLocks(); - - SSLHashType PskHashType(); - const SSLVersionRange& VersionRange(); - - private: - uint32_t config_; - SSLVersionRange ssl_version_range_; -}; - -std::ostream& operator<<(std::ostream& out, - std::unique_ptr& config); - -#endif // TLS_CLIENT_CONFIG_H_ diff --git a/nss/fuzz/tls_client_target.cc b/nss/fuzz/tls_client_target.cc deleted file mode 100644 index 25bc2956..00000000 --- a/nss/fuzz/tls_client_target.cc +++ /dev/null @@ -1,263 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include -#include -#include -#include -#include - -#include "blapi.h" -#include "shared.h" -#include "ssl.h" -#include "sslexp.h" -#include "sslimpl.h" -#include "sslt.h" -#include "tls_client_config.h" -#include "tls_common.h" -#include "tls_mutators.h" -#include "tls_socket.h" - -#ifdef IS_DTLS_FUZZ -__attribute__((constructor)) static void set_is_dtls() { - TlsMutators::SetIsDTLS(); -} - -#define ImportFD DTLS_ImportFD -#else -#define ImportFD SSL_ImportFD - -static PRUint8 gEchConfigs[1024]; -static unsigned int gEchConfigsLen; - -const HpkeSymmetricSuite kEchHpkeCipherSuites[] = { - {HpkeKdfHkdfSha256, HpkeAeadAes128Gcm}, - {HpkeKdfHkdfSha256, HpkeAeadAes256Gcm}, - {HpkeKdfHkdfSha256, HpkeAeadChaCha20Poly1305}, - - {HpkeKdfHkdfSha384, HpkeAeadAes128Gcm}, - {HpkeKdfHkdfSha384, HpkeAeadAes256Gcm}, - {HpkeKdfHkdfSha384, HpkeAeadChaCha20Poly1305}, - - {HpkeKdfHkdfSha512, HpkeAeadAes128Gcm}, - {HpkeKdfHkdfSha512, HpkeAeadAes256Gcm}, - {HpkeKdfHkdfSha512, HpkeAeadChaCha20Poly1305}, -}; -#endif // IS_DTLS_FUZZ -const SSLCertificateCompressionAlgorithm kCompressionAlg = { - 0x1337, "fuzz", DummyCompressionEncode, DummyCompressionDecode}; -const PRUint8 kPskIdentity[] = "fuzz-identity"; - -static void SetSocketOptions(PRFileDesc* fd, - std::unique_ptr& config) { - SECStatus rv = SSL_OptionSet(fd, SSL_NO_CACHE, config->NoCache()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_EXTENDED_MASTER_SECRET, - config->EnableExtendedMasterSecret()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_REQUIRE_DH_NAMED_GROUPS, - config->RequireDhNamedGroups()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_FALSE_START, config->EnableFalseStart()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_DEFLATE, config->EnableDeflate()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, config->EnableCbcRandomIv()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, - config->RequireSafeNegotiation()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_GREASE, config->EnableGrease()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_CH_EXTENSION_PERMUTATION, - config->EnableCHExtensionPermutation()); - assert(rv == SECSuccess); - - if (config->SetCertificateCompressionAlgorithm()) { - rv = SSL_SetCertificateCompressionAlgorithm(fd, kCompressionAlg); - assert(rv == SECSuccess); - } - - if (config->SetVersionRange()) { - rv = SSL_VersionRangeSet(fd, &config->VersionRange()); - assert(rv == SECSuccess); - } - - if (config->AddExternalPsk()) { - PK11SlotInfo* slot = PK11_GetInternalSlot(); - assert(slot); - - PK11SymKey* key = - PK11_KeyGen(slot, CKM_NSS_CHACHA20_POLY1305, nullptr, 32, nullptr); - assert(key); - - rv = SSL_AddExternalPsk(fd, key, kPskIdentity, sizeof(kPskIdentity) - 1, - config->PskHashType()); - assert(rv == SECSuccess); - - PK11_FreeSlot(slot); - PK11_FreeSymKey(key); - } - - rv = SSL_OptionSet(fd, SSL_ENABLE_POST_HANDSHAKE_AUTH, - config->EnablePostHandshakeAuth()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, config->EnableZeroRtt()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_ALPN, config->EnableAlpn()); - assert(rv == SECSuccess); - - rv = - SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, config->EnableFallbackScsv()); - assert(rv == SECSuccess); - - rv = - SSL_OptionSet(fd, SSL_ENABLE_OCSP_STAPLING, config->EnableOcspStapling()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, - config->EnableSessionTickets()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_TLS13_COMPAT_MODE, - config->EnableTls13CompatMode()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_NO_LOCKS, config->NoLocks()); - assert(rv == SECSuccess); - -#ifndef IS_DTLS_FUZZ - rv = - SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED); - assert(rv == SECSuccess); - - if (config->SetClientEchConfigs()) { - const sslNamedGroupDef* group_def = - ssl_LookupNamedGroup(ssl_grp_ec_curve25519); - assert(group_def); - - const SECOidData* oid_data = SECOID_FindOIDByTag(group_def->oidTag); - assert(oid_data); - - ScopedSECItem params( - SECITEM_AllocItem(nullptr, nullptr, (2 + oid_data->oid.len))); - assert(params); - - params->data[0] = SEC_ASN1_OBJECT_ID; - params->data[1] = oid_data->oid.len; - PORT_Memcpy((void*)(params->data + 2), oid_data->oid.data, - oid_data->oid.len); - - SECKEYPublicKey* pub_key = nullptr; - SECKEYPrivateKey* priv_key = - SECKEY_CreateECPrivateKey(params.get(), &pub_key, nullptr); - assert(pub_key); - assert(priv_key); - - rv = SSL_EncodeEchConfigId( - 77, "fuzz.name", 100, HpkeDhKemX25519Sha256, pub_key, - kEchHpkeCipherSuites, - sizeof(kEchHpkeCipherSuites) / sizeof(HpkeSymmetricSuite), gEchConfigs, - &gEchConfigsLen, sizeof(gEchConfigs)); - - SECKEY_DestroyPublicKey(pub_key); - SECKEY_DestroyPrivateKey(priv_key); - - assert(rv == SECSuccess); - - rv = SSL_SetClientEchConfigs(fd, gEchConfigs, gEchConfigsLen); - assert(rv == SECSuccess); - } -#endif // IS_DTLS_FUZZ -} - -// This is only called when we set SSL_ENABLE_FALSE_START=1, -// so we can always just set *canFalseStart=true. -static SECStatus CanFalseStartCallback(PRFileDesc* fd, void* arg, - PRBool* canFalseStart) { - *canFalseStart = true; - return SECSuccess; -} - -static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checksig, - PRBool isServer) { - assert(!isServer); - - auto config = reinterpret_cast(arg); - if (config->FailCertificateAuthentication()) return SECFailure; - - return SECSuccess; -} - -static void SetupCallbacks(PRFileDesc* fd, - std::unique_ptr& config) { - SECStatus rv = SSL_AuthCertificateHook(fd, AuthCertificateHook, config.get()); - assert(rv == SECSuccess); - - rv = SSL_SetCanFalseStartCallback(fd, CanFalseStartCallback, nullptr); - assert(rv == SECSuccess); -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) { - static std::unique_ptr db(new NSSDatabase()); - - EnableAllProtocolVersions(); - std::unique_ptr config(new ClientConfig(data, len)); - - // Reset the RNG state. - assert(RNG_RandomUpdate(NULL, 0) == SECSuccess); - - // Create and import dummy socket. - std::unique_ptr socket(new DummyPrSocket(data, len)); - static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client"); - ScopedPRFileDesc fd(DummyIOLayerMethods::CreateFD(id, socket.get())); - PRFileDesc* ssl_fd = ImportFD(nullptr, fd.get()); - assert(ssl_fd == fd.get()); - - // Print the client config for debugging. - if (ssl_trace >= 90) { - std::cerr << config << "\n"; - } - - // Probably not too important for clients. - SSL_SetURL(ssl_fd, "server"); - - FixTime(ssl_fd); - SetSocketOptions(ssl_fd, config); - EnableAllCipherSuites(ssl_fd); - SetupCallbacks(ssl_fd, config); - DoHandshake(ssl_fd, false); - - // Release all SIDs. - SSL_ClearSessionCache(); - - return 0; -} - -extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, - size_t max_size, unsigned int seed) { - Mutators mutators = {TlsMutators::DropRecord, TlsMutators::ShuffleRecords, - TlsMutators::DuplicateRecord, - TlsMutators::TruncateRecord, - TlsMutators::FragmentRecord}; - return CustomMutate(mutators, data, size, max_size, seed); -} - -extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1, - const uint8_t* data2, size_t size2, - uint8_t* out, size_t max_out_size, - unsigned int seed) { - return TlsMutators::CrossOver(data1, size1, data2, size2, out, max_out_size, - seed); -} diff --git a/nss/fuzz/tls_server_config.cc b/nss/fuzz/tls_server_config.cc deleted file mode 100644 index ad4b2d60..00000000 --- a/nss/fuzz/tls_server_config.cc +++ /dev/null @@ -1,170 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include "tls_server_config.h" - -#include -#include - -#include "sslt.h" - -const uint32_t CONFIG_ENABLE_EXTENDED_MS = 1 << 0; -const uint32_t CONFIG_REQUEST_CERTIFICATE = 1 << 1; -const uint32_t CONFIG_REQUIRE_CERTIFICATE = 1 << 2; -const uint32_t CONFIG_ENABLE_DEFLATE = 1 << 3; -const uint32_t CONFIG_ENABLE_CBC_RANDOM_IV = 1 << 4; -const uint32_t CONFIG_REQUIRE_SAFE_NEGOTIATION = 1 << 5; -const uint32_t CONFIG_NO_CACHE = 1 << 6; -const uint32_t CONFIG_ENABLE_GREASE = 1 << 7; -const uint32_t CONFIG_SET_CERTIFICATION_COMPRESSION_ALGORITHM = 1 << 8; -const uint32_t CONFIG_VERSION_RANGE_SET = 1 << 9; -const uint32_t CONFIG_ADD_EXTERNAL_PSK = 1 << 10; -const uint32_t CONFIG_ENABLE_ZERO_RTT = 1 << 11; -const uint32_t CONFIG_ENABLE_ALPN = 1 << 12; -const uint32_t CONFIG_ENABLE_FALLBACK_SCSV = 1 << 13; -const uint32_t CONFIG_ENABLE_SESSION_TICKETS = 1 << 14; -const uint32_t CONFIG_NO_LOCKS = 1 << 15; - -// XOR 64-bit chunks of data to build a bitmap of config options derived from -// the fuzzing input. This seems the only way to fuzz various options while -// still maintaining compatibility with BoringSSL or OpenSSL fuzzers. -ServerConfig::ServerConfig(const uint8_t* data, size_t len) { - union { - uint64_t bitmap; - struct { - uint32_t config; - uint16_t ssl_version_range_min; - uint16_t ssl_version_range_max; - }; - }; - - for (size_t i = 0; i < len; i++) { - bitmap ^= static_cast(data[i]) << (8 * (i % 8)); - } - - // Map SSL version values to a valid range. - ssl_version_range_min = - SSL_VERSION_RANGE_MIN_VALID + - (ssl_version_range_min % - (1 + SSL_VERSION_RANGE_MAX_VALID - SSL_VERSION_RANGE_MIN_VALID)); - ssl_version_range_max = - ssl_version_range_min + - (ssl_version_range_max % - (1 + SSL_VERSION_RANGE_MAX_VALID - ssl_version_range_min)); - - config_ = config; - ssl_version_range_ = { - .min = ssl_version_range_min, - .max = ssl_version_range_max, - }; -} - -bool ServerConfig::EnableExtendedMasterSecret() { - return config_ & CONFIG_ENABLE_EXTENDED_MS; -} - -bool ServerConfig::RequestCertificate() { - return config_ & CONFIG_REQUEST_CERTIFICATE; -} - -bool ServerConfig::RequireCertificate() { - return config_ & CONFIG_REQUIRE_CERTIFICATE; -} - -bool ServerConfig::EnableDeflate() { return config_ & CONFIG_ENABLE_DEFLATE; } - -bool ServerConfig::EnableCbcRandomIv() { - return config_ & CONFIG_ENABLE_CBC_RANDOM_IV; -} - -bool ServerConfig::RequireSafeNegotiation() { - return config_ & CONFIG_REQUIRE_SAFE_NEGOTIATION; -} - -bool ServerConfig::NoCache() { return config_ & CONFIG_NO_CACHE; } - -bool ServerConfig::EnableGrease() { return config_ & CONFIG_ENABLE_GREASE; } - -bool ServerConfig::SetCertificateCompressionAlgorithm() { - return config_ & CONFIG_SET_CERTIFICATION_COMPRESSION_ALGORITHM; -} - -bool ServerConfig::SetVersionRange() { - return config_ & CONFIG_VERSION_RANGE_SET; -} - -bool ServerConfig::AddExternalPsk() { - return config_ & CONFIG_ADD_EXTERNAL_PSK; -} - -bool ServerConfig::EnableZeroRtt() { return config_ & CONFIG_ENABLE_ZERO_RTT; } - -bool ServerConfig::EnableAlpn() { return config_ & CONFIG_ENABLE_ALPN; } - -bool ServerConfig::EnableFallbackScsv() { - return config_ & CONFIG_ENABLE_FALLBACK_SCSV; -} - -bool ServerConfig::EnableSessionTickets() { - return config_ & CONFIG_ENABLE_SESSION_TICKETS; -} - -bool ServerConfig::NoLocks() { return config_ & CONFIG_NO_LOCKS; } - -SSLHashType ServerConfig::PskHashType() { - if (config_ % 2) return ssl_hash_sha256; - - return ssl_hash_sha384; -} - -const SSLVersionRange& ServerConfig::VersionRange() { - return ssl_version_range_; -} - -std::ostream& operator<<(std::ostream& out, - std::unique_ptr& config) { - out << "============= ServerConfig =============" - << "\n"; - out << "SSL_NO_CACHE: " << config->NoCache() - << "\n"; - out << "SSL_ENABLE_EXTENDED_MASTER_SECRET: " - << config->EnableExtendedMasterSecret() << "\n"; - out << "SSL_REQUEST_CERTIFICATE: " - << config->RequestCertificate() << "\n"; - out << "SSL_REQUIRE_CERTIFICATE: " - << config->RequireCertificate() << "\n"; - out << "SSL_ENABLE_DEFLATE: " << config->EnableDeflate() - << "\n"; - out << "SSL_CBC_RANDOM_IV: " - << config->EnableCbcRandomIv() << "\n"; - out << "SSL_REQUIRE_SAFE_NEGOTIATION: " - << config->RequireSafeNegotiation() << "\n"; - out << "SSL_ENABLE_GREASE: " << config->EnableGrease() - << "\n"; - out << "SSL_SetCertificateCompressionAlgorithm: " - << config->SetCertificateCompressionAlgorithm() << "\n"; - out << "SSL_VersionRangeSet: " << config->SetVersionRange() - << "\n"; - out << " Min: " - << config->VersionRange().min << "\n"; - out << " Max: " - << config->VersionRange().max << "\n"; - out << "SSL_AddExternalPsk: " << config->AddExternalPsk() - << "\n"; - out << " Type: " << config->PskHashType() - << "\n"; - out << "SSL_ENABLE_0RTT_DATA: " << config->EnableZeroRtt() - << "\n"; - out << "SSL_ENABLE_ALPN: " << config->EnableAlpn() - << "\n"; - out << "SSL_ENABLE_FALLBACK_SCSV: " - << config->EnableFallbackScsv() << "\n"; - out << "SSL_ENABLE_SESSION_TICKETS: " - << config->EnableSessionTickets() << "\n"; - out << "SSL_NO_LOCKS: " << config->NoLocks() - << "\n"; - out << "========================================"; - - return out; -} diff --git a/nss/fuzz/tls_server_config.h b/nss/fuzz/tls_server_config.h deleted file mode 100644 index abe17e96..00000000 --- a/nss/fuzz/tls_server_config.h +++ /dev/null @@ -1,54 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this file, - * You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#ifndef TLS_SERVER_CONFIG_H_ -#define TLS_SERVER_CONFIG_H_ - -#include -#include -#include -#include - -#include "sslt.h" - -#ifdef IS_DTLS_FUZZ -#define SSL_VERSION_RANGE_MIN_VALID 0x0302 -#else -#define SSL_VERSION_RANGE_MIN_VALID 0x0301 -#endif -#define SSL_VERSION_RANGE_MAX_VALID 0x0304 - -class ServerConfig { - public: - ServerConfig(const uint8_t* data, size_t len); - - bool EnableExtendedMasterSecret(); - bool RequestCertificate(); - bool RequireCertificate(); - bool EnableDeflate(); - bool EnableCbcRandomIv(); - bool RequireSafeNegotiation(); - bool NoCache(); - bool EnableGrease(); - bool SetCertificateCompressionAlgorithm(); - bool SetVersionRange(); - bool AddExternalPsk(); - bool EnableZeroRtt(); - bool EnableAlpn(); - bool EnableFallbackScsv(); - bool EnableSessionTickets(); - bool NoLocks(); - - SSLHashType PskHashType(); - const SSLVersionRange& VersionRange(); - - private: - uint32_t config_; - SSLVersionRange ssl_version_range_; -}; - -std::ostream& operator<<(std::ostream& out, - std::unique_ptr& config); - -#endif // TLS_SERVER_CONFIG_H_ diff --git a/nss/fuzz/tls_server_target.cc b/nss/fuzz/tls_server_target.cc deleted file mode 100644 index e0976524..00000000 --- a/nss/fuzz/tls_server_target.cc +++ /dev/null @@ -1,191 +0,0 @@ -/* This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ - -#include -#include -#include -#include - -#include "blapi.h" -#include "prinit.h" -#include "seccomon.h" -#include "shared.h" -#include "ssl.h" -#include "sslexp.h" -#include "sslimpl.h" -#include "tls_common.h" -#include "tls_mutators.h" -#include "tls_server_certs.h" -#include "tls_server_config.h" -#include "tls_socket.h" - -#ifdef IS_DTLS_FUZZ -__attribute__((constructor)) static void set_is_dtls() { - TlsMutators::SetIsDTLS(); -} - -#define ImportFD DTLS_ImportFD -#else -#define ImportFD SSL_ImportFD -#endif - -const SSLCertificateCompressionAlgorithm kCompressionAlg = { - 0x1337, "fuzz", DummyCompressionEncode, DummyCompressionDecode}; -const PRUint8 kPskIdentity[] = "fuzz-identity"; - -class SSLServerSessionCache { - public: - SSLServerSessionCache() { - assert(SSL_ConfigServerSessionIDCache(1024, 0, 0, ".") == SECSuccess); - } - - ~SSLServerSessionCache() { - assert(SSL_ShutdownServerSessionIDCache() == SECSuccess); - } -}; - -static void SetSocketOptions(PRFileDesc* fd, - std::unique_ptr& config) { - SECStatus rv = SSL_OptionSet(fd, SSL_NO_CACHE, config->NoCache()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_EXTENDED_MASTER_SECRET, - config->EnableExtendedMasterSecret()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_REQUEST_CERTIFICATE, config->RequestCertificate()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_REQUIRE_CERTIFICATE, config->RequireCertificate()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_DEFLATE, config->EnableDeflate()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_CBC_RANDOM_IV, config->EnableCbcRandomIv()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_REQUIRE_SAFE_NEGOTIATION, - config->RequireSafeNegotiation()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_GREASE, config->EnableGrease()); - assert(rv == SECSuccess); - - if (config->SetCertificateCompressionAlgorithm()) { - rv = SSL_SetCertificateCompressionAlgorithm(fd, kCompressionAlg); - assert(rv == SECSuccess); - } - - if (config->SetVersionRange()) { - rv = SSL_VersionRangeSet(fd, &config->VersionRange()); - assert(rv == SECSuccess); - } - - if (config->AddExternalPsk()) { - PK11SlotInfo* slot = PK11_GetInternalSlot(); - assert(slot); - - PK11SymKey* key = - PK11_KeyGen(slot, CKM_NSS_CHACHA20_POLY1305, nullptr, 32, nullptr); - assert(key); - - rv = SSL_AddExternalPsk(fd, key, kPskIdentity, sizeof(kPskIdentity) - 1, - ssl_hash_sha256); - assert(rv == SECSuccess); - - PK11_FreeSlot(slot); - PK11_FreeSymKey(key); - } - - rv = SSL_OptionSet(fd, SSL_ENABLE_0RTT_DATA, config->EnableZeroRtt()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_ALPN, config->EnableAlpn()); - assert(rv == SECSuccess); - - rv = - SSL_OptionSet(fd, SSL_ENABLE_FALLBACK_SCSV, config->EnableFallbackScsv()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_ENABLE_SESSION_TICKETS, - config->EnableSessionTickets()); - assert(rv == SECSuccess); - - rv = SSL_OptionSet(fd, SSL_NO_LOCKS, config->NoLocks()); - assert(rv == SECSuccess); - -#ifndef IS_DTLS_FUZZ - rv = - SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED); - assert(rv == SECSuccess); -#endif -} - -static PRStatus InitModelSocket(void* arg) { - PRFileDesc* fd = reinterpret_cast(arg); - - EnableAllCipherSuites(fd); - InstallServerCertificates(fd); - - return PR_SUCCESS; -} - -extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) { - static std::unique_ptr db(new NSSDatabase()); - static std::unique_ptr cache( - new SSLServerSessionCache()); - - EnableAllProtocolVersions(); - std::unique_ptr config(new ServerConfig(data, len)); - - // Reset the RNG state. - assert(RNG_RandomUpdate(NULL, 0) == SECSuccess); - - // Create model socket. - static ScopedPRFileDesc model(ImportFD(nullptr, PR_NewTCPSocket())); - assert(model); - - // Initialize the model socket once. - static PRCallOnceType initModelOnce; - PR_CallOnceWithArg(&initModelOnce, InitModelSocket, model.get()); - - // Create and import dummy socket. - std::unique_ptr socket(new DummyPrSocket(data, len)); - static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-server"); - ScopedPRFileDesc fd(DummyIOLayerMethods::CreateFD(id, socket.get())); - PRFileDesc* ssl_fd = ImportFD(model.get(), fd.get()); - assert(ssl_fd == fd.get()); - - // Print the server config for debugging. - if (ssl_trace >= 90) { - std::cerr << config << "\n"; - } - - FixTime(ssl_fd); - SetSocketOptions(ssl_fd, config); - DoHandshake(ssl_fd, true); - - // Clear the cache. We never want to resume as we couldn't reproduce that. - SSL_ClearSessionCache(); - - return 0; -} - -extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size, - size_t max_size, unsigned int seed) { - return CustomMutate( - {TlsMutators::DropRecord, TlsMutators::ShuffleRecords, - TlsMutators::DuplicateRecord, TlsMutators::TruncateRecord, - TlsMutators::FragmentRecord}, - data, size, max_size, seed); -} - -extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1, - const uint8_t* data2, size_t size2, - uint8_t* out, size_t max_out_size, - unsigned int seed) { - return TlsMutators::CrossOver(data1, size1, data2, size2, out, max_out_size, - seed); -} diff --git a/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp b/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp index 9bb09379..e796d436 100644 --- a/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp +++ b/nss/gtests/mozpkix_gtest/pkixnames_tests.cpp @@ -105,6 +105,16 @@ static const PresentedMatchesReference DNSID_MATCH_PARAMS[] = DNS_ID_MATCH("_example", "_example"), DNS_ID_MATCH("*._._", "x._._"), + // We allow reference ID labels to start and end with hyphens for + // compatibility. + DNS_ID_MATCH("*.example.com", "-.example.com"), + DNS_ID_MATCH("*.example.com", "-hyphenstart.example.com"), + DNS_ID_MATCH("*.example.com", "hyphenend-.example.com"), + // Presented ID labels may not start or end with hyphens. + DNS_ID_BAD_DER("-.example.com", "-.example.com"), + DNS_ID_BAD_DER("-hyphenstart.example.com", "-hyphenstart.example.com"), + DNS_ID_BAD_DER("hyphenend-.example.com", "hyphenend-.example.com"), + // See bug 1139039 // A DNS-ID must not end in an all-numeric label. We don't consider // underscores to be numeric. @@ -371,13 +381,13 @@ static const InputValidity DNSNAMES_VALIDITY[] = I("a...", false, false), // Punycode - I("xn--", false, false), - I("xn--.", false, false), - I("xn--.a", false, false), - I("a.xn--", false, false), - I("a.xn--.", false, false), - I("a.xn--.b", false, false), - I("a.xn--.b", false, false), + I("xn--", true, false), + I("xn--.", true, false), + I("xn--.a", true, false), + I("a.xn--", true, false), + I("a.xn--.", true, false), + I("a.xn--.b", true, false), + I("a.xn--.b", true, false), I("a.xn--\0.b", false, false), I("a.xn--a.b", true, true), I("xn--a", true, true), @@ -416,7 +426,7 @@ static const InputValidity DNSNAMES_VALIDITY[] = I("a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z", true, true), I("A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z", true, true), I("0.1.2.3.4.5.6.7.8.9.a", true, true), // "a" needed to avoid numeric last label - I("a-b", true, true), // hyphen (a label cannot start or end with a hyphen) + I("a-b", true, true), // hyphen (presented ID labels cannot start or end with a hyphen) // Underscores I("a_b", true, true), @@ -469,17 +479,17 @@ static const InputValidity DNSNAMES_VALIDITY[] = I("a.1-1", true, true), I("a.1-a", true, true), - // labels cannot start with a hyphen - I("-", false, false), - I("-1", false, false), - - // labels cannot end with a hyphen - I("1-", false, false), - I("1-.a", false, false), - I("a-", false, false), - I("a-.a", false, false), - I("a.1-.a", false, false), - I("a.a-.a", false, false), + // presented ID labels cannot start with a hyphen + I("-", true, false), + I("-1", true, false), + + // presented ID labels cannot end with a hyphen + I("1-", true, false), + I("1-.a", true, false), + I("a-", true, false), + I("a-.a", true, false), + I("a.1-.a", true, false), + I("a.a-.a", true, false), // labels can contain a hyphen in the middle I("a-b", true, true), diff --git a/nss/gtests/pk11_gtest/pk11_kbkdf.cc b/nss/gtests/pk11_gtest/pk11_kbkdf.cc index 3800dcdd..d9ad981b 100644 --- a/nss/gtests/pk11_gtest/pk11_kbkdf.cc +++ b/nss/gtests/pk11_gtest/pk11_kbkdf.cc @@ -132,5 +132,88 @@ TEST_F(Pkcs11KbkdfTest, TestAdditionalKey) { sizeof(expectedAdditional) / sizeof(*expectedAdditional)); } +TEST_F(Pkcs11KbkdfTest, TestPRFs) { + // Table 161 of PKCS#11 v3.0 / Table 192 of PKCS#11 v3.1. + CK_SP800_108_PRF_TYPE allowedPRFs[] = { + CKM_SHA_1_HMAC, + CKM_SHA224_HMAC, + CKM_SHA256_HMAC, + CKM_SHA384_HMAC, + CKM_SHA512_HMAC, + CKM_SHA3_224_HMAC, + CKM_SHA3_256_HMAC, + CKM_SHA3_384_HMAC, + CKM_SHA3_512_HMAC, + /* CKM_DES3_CMAC, */ + CKM_AES_CMAC, + }; + CK_SP800_108_PRF_TYPE disallowedPRFs[] = { + CKM_MD2_HMAC, + CKM_MD5_HMAC, + CKM_RIPEMD128_HMAC, + CKM_RIPEMD160_HMAC, + }; + + CK_BYTE inputKey[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}; + + CK_SP800_108_COUNTER_FORMAT iterator = {CK_FALSE, 8}; + CK_BYTE fixedData[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f}; + + CK_PRF_DATA_PARAM dataParams[] = { + {CK_SP800_108_BYTE_ARRAY, fixedData, + sizeof(fixedData) / sizeof(*fixedData)}, + {CK_SP800_108_ITERATION_VARIABLE, &iterator, sizeof(iterator)}}; + + CK_KEY_TYPE ckGeneric = CKK_GENERIC_SECRET; + CK_OBJECT_CLASS ckClass = CKO_SECRET_KEY; + CK_ULONG derivedLength = 16; + + CK_ATTRIBUTE derivedTemplate[] = { + {CKA_CLASS, &ckClass, sizeof(ckClass)}, + {CKA_KEY_TYPE, &ckGeneric, sizeof(ckGeneric)}, + {CKA_VALUE_LEN, &derivedLength, sizeof(derivedLength)}}; + + CK_OBJECT_HANDLE keyHandle; + CK_DERIVED_KEY derivedKey = { + derivedTemplate, sizeof(derivedTemplate) / sizeof(*derivedTemplate), + &keyHandle}; + + SECItem keyItem = {siBuffer, inputKey, sizeof(inputKey) / sizeof(*inputKey)}; + + for (CK_SP800_108_PRF_TYPE prfType : allowedPRFs) { + ScopedPK11SymKey p11Key = ImportKey(prfType, &keyItem); + + CK_SP800_108_KDF_PARAMS kdfParams = { + prfType, sizeof(dataParams) / sizeof(*dataParams), dataParams, 1, + &derivedKey}; + SECItem paramsItem = {siBuffer, (unsigned char *)&kdfParams, + sizeof(kdfParams)}; + + ScopedPK11SymKey result(PK11_Derive(p11Key.get(), CKM_SP800_108_COUNTER_KDF, + ¶msItem, CKM_SHA512_HMAC, CKA_SIGN, + derivedLength)); + ASSERT_NE(result, nullptr); + + ASSERT_EQ(PK11_ExtractKeyValue(result.get()), SECSuccess); + } + + for (CK_SP800_108_PRF_TYPE prfType : disallowedPRFs) { + ScopedPK11SymKey p11Key = ImportKey(prfType, &keyItem); + + CK_SP800_108_KDF_PARAMS kdfParams = { + prfType, sizeof(dataParams) / sizeof(*dataParams), dataParams, 1, + &derivedKey}; + SECItem paramsItem = {siBuffer, (unsigned char *)&kdfParams, + sizeof(kdfParams)}; + + ScopedPK11SymKey result(PK11_Derive(p11Key.get(), CKM_SP800_108_COUNTER_KDF, + ¶msItem, CKM_SHA512_HMAC, CKA_SIGN, + derivedLength)); + ASSERT_EQ(result, nullptr); + } +} + // Close the namespace } // namespace nss_test diff --git a/nss/gtests/pk11_gtest/pk11_module_unittest.cc b/nss/gtests/pk11_gtest/pk11_module_unittest.cc index 4eaa894c..67116c1b 100644 --- a/nss/gtests/pk11_gtest/pk11_module_unittest.cc +++ b/nss/gtests/pk11_gtest/pk11_module_unittest.cc @@ -155,4 +155,84 @@ TEST_F(Pkcs11NonAsciiTest, LoadUnload) { } #endif // defined(_WIN32) +class Pkcs11ModuleLoadFunctionTest : public ::testing::Test { + public: + Pkcs11ModuleLoadFunctionTest() { library = NULL; }; + + void TearDown() override { + if (library != NULL) { + PR_UnloadLibrary(library); + } + } + PRLibrary *library; +}; + +CK_RV NotSuppoted_GetFunctionList(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + return CKR_FUNCTION_NOT_SUPPORTED; +} + +CK_RV SupportedButNull(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { + ppFunctionList = NULL; + return CKR_OK; +} + +TEST_F(Pkcs11ModuleLoadFunctionTest, LoadModuleWithNullFunc) { + ScopedSECMODModule userModule( + SECMOD_LoadUserModuleWithFunction("LoadFunctionModule", NULL)); + EXPECT_NE(userModule, nullptr); + EXPECT_FALSE(userModule->loaded); +} + +TEST_F(Pkcs11ModuleLoadFunctionTest, LoadModuleWithUnsupportedFunc) { + ScopedSECMODModule userModule(SECMOD_LoadUserModuleWithFunction( + "LoadFunctionModule", &NotSuppoted_GetFunctionList)); + EXPECT_FALSE(userModule->loaded); +} + +TEST_F(Pkcs11ModuleLoadFunctionTest, LoadModuleWithEmptyFunctionList) { + ScopedSECMODModule userModule(SECMOD_LoadUserModuleWithFunction( + "LoadFunctionModule", &SupportedButNull)); + EXPECT_NE(userModule, nullptr); + EXPECT_FALSE(userModule->loaded); +} + +TEST_F(Pkcs11ModuleLoadFunctionTest, SuccessLoadModuleWithFunction) { + library = PR_LoadLibrary(DLL_PREFIX "pkcs11testmodule." DLL_SUFFIX); + EXPECT_NE(nullptr, library); + + CK_C_GetFunctionList fentry = NULL; + fentry = (CK_C_GetFunctionList)PR_FindSymbol(library, "C_GetFunctionList"); + EXPECT_NE(nullptr, fentry); + + ScopedSECMODModule userModule( + SECMOD_LoadUserModuleWithFunction("LoadFunctionModule", fentry)); + EXPECT_NE(nullptr, userModule); + EXPECT_EQ(userModule->loaded, PR_TRUE); + + /* We can find the module*/ + ScopedSECMODModule module(SECMOD_FindModule("LoadFunctionModule")); + EXPECT_NE(nullptr, module); + + CK_INFO info; + EXPECT_EQ(SECSuccess, PK11_GetModInfo(userModule.get(), &info)); + /* See pkcs11testmodule.cpp */ + CK_VERSION expectedCryptokiVersion = {2, 2}; + CK_VERSION expectedLibraryVersion = {0, 0}; + EXPECT_EQ(info.cryptokiVersion.minor, expectedCryptokiVersion.minor); + EXPECT_EQ(info.cryptokiVersion.major, expectedCryptokiVersion.major); + + EXPECT_EQ( + 0, PORT_Memcmp((char *)info.manufacturerID, "Test PKCS11 Manufacturer ID", + sizeof("Test PKCS11 Manufacturer ID") - 1)); + EXPECT_EQ(info.flags, 0UL); + + EXPECT_EQ(0, + PORT_Memcmp((char *)info.libraryDescription, "Test PKCS11 Library", + sizeof("Test PKCS11 Library") - 1)); + EXPECT_EQ(info.libraryVersion.minor, expectedLibraryVersion.minor); + EXPECT_EQ(info.libraryVersion.major, expectedLibraryVersion.major); + + EXPECT_EQ(SECSuccess, SECMOD_UnloadUserModule(userModule.get())); +} + } // namespace nss_test diff --git a/nss/gtests/ssl_gtest/ssl_drop_unittest.cc b/nss/gtests/ssl_gtest/ssl_drop_unittest.cc index 8b2eecac..b5ee5aed 100644 --- a/nss/gtests/ssl_gtest/ssl_drop_unittest.cc +++ b/nss/gtests/ssl_gtest/ssl_drop_unittest.cc @@ -916,4 +916,42 @@ INSTANTIATE_TEST_SUITE_P(DatagramReorder13, TlsReorderDatagram13, INSTANTIATE_TEST_SUITE_P(DatagramFragment13, TlsFragmentationAndRecoveryTest, ::testing::Values(true, false)); +class FirstDropThenKeepHandshakeFilter : public TlsHandshakeFilter { + public: + FirstDropThenKeepHandshakeFilter(const std::shared_ptr& a) + : TlsHandshakeFilter(a) {} + + virtual PacketFilter::Action FilterHandshake( + const TlsHandshakeFilter::HandshakeHeader& header, + const DataBuffer& input, DataBuffer* output) { + if (enabled) { + return KEEP; + } else { + enabled = true; + return DROP; + } + } + + private: + bool enabled = false; +}; + +// This test is responsible for checking that when DTLS fragments the message, +// the hanshake will be successfully reconstructed, but if one of handshakes +// was dropped, they are not going to be glued all together. + +// See: https://bugzilla.mozilla.org/show_bug.cgi?id=1874451 +TEST_F(TlsConnectDatagram13, PreviousHandshakeRemovedWhenDropped) { + EnsureTlsSetup(); + static const std::vector client_groups = { + ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ec_curve25519}; + client_->ConfigNamedGroups(client_groups); + // Ensure that the message is indeed longer than the MTU we install. + EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 2)); + + SSLInt_SetMTU(client_->ssl_fd(), 150); + auto filter = MakeTlsFilter(client_); + Connect(); +} + } // namespace nss_test diff --git a/nss/gtests/ssl_gtest/ssl_ems_unittest.cc b/nss/gtests/ssl_gtest/ssl_ems_unittest.cc index 39b2d587..7693e191 100644 --- a/nss/gtests/ssl_gtest/ssl_ems_unittest.cc +++ b/nss/gtests/ssl_gtest/ssl_ems_unittest.cc @@ -93,4 +93,37 @@ TEST_P(TlsConnectGenericPre13, ConnectNormalResumeWithExtendedMasterSecret) { Connect(); } +TEST_P(TlsConnectGenericPre13, ConnectExtendedMasterSecretWithPolicy) { + server_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + client_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + EnableExtendedMasterSecret(); + Connect(); +} + +TEST_P(TlsConnectGenericPre13, ConnectNoExtendedMasterSecretWithServerPolicy) { + server_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); + server_->CheckErrorCode(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET); +} + +TEST_P(TlsConnectGenericPre13, ConnectNoExtendedMasterSecretWithClientPolicy) { + client_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + ConnectExpectFailOneSide(TlsAgent::CLIENT); + client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET); +} + +TEST_P(TlsConnectGenericPre13, ConnectNoExtendedMasterSecretClientWithPolicy) { + server_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + server_->EnableExtendedMasterSecret(); + ConnectExpectAlert(server_, kTlsAlertHandshakeFailure); + server_->CheckErrorCode(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET); +} + +TEST_P(TlsConnectGenericPre13, ConnectNoExtendedMasterSecretServerWithPolicy) { + client_->SetPolicy(SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX, 0); + client_->EnableExtendedMasterSecret(); + ConnectExpectFailOneSide(TlsAgent::CLIENT); + client_->CheckErrorCode(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET); +} + } // namespace nss_test diff --git a/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc b/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc index ef6f7602..509683a1 100644 --- a/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc +++ b/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc @@ -2,6 +2,9 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this file, * You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include +#include + #include "blapi.h" #include "ssl.h" #include "sslimpl.h" @@ -19,6 +22,51 @@ namespace nss_test { #define FUZZ_P(c, f) TEST_P(c, DISABLED_Fuzz_##f) #endif +static std::unordered_set gFuzzedSslOptions = { + SSL_SECURITY, // irrelevant + SSL_SOCKS, // irrelevant + SSL_REQUEST_CERTIFICATE, // tls_server + SSL_HANDSHAKE_AS_CLIENT, // irrelevant + SSL_HANDSHAKE_AS_SERVER, // irrelevant + SSL_ENABLE_SSL2, // obsolete + SSL_ENABLE_SSL3, // obsolete + SSL_NO_CACHE, // tls_client, tls_server + SSL_REQUIRE_CERTIFICATE, // tls_server + SSL_ENABLE_FDX, + SSL_V2_COMPATIBLE_HELLO, // obsolete + SSL_ENABLE_TLS, // obsolete + SSL_ROLLBACK_DETECTION, + SSL_NO_STEP_DOWN, // unsupported + SSL_BYPASS_PKCS11, // unsupported + SSL_NO_LOCKS, // tls_client, tls_server + SSL_ENABLE_SESSION_TICKETS, // tls_client, tls_server + SSL_ENABLE_DEFLATE, // tls_client, tls_server + SSL_ENABLE_RENEGOTIATION, + SSL_REQUIRE_SAFE_NEGOTIATION, // tls_client, tls_server + SSL_ENABLE_FALSE_START, // tls_client + SSL_CBC_RANDOM_IV, // tls_client, tls_server + SSL_ENABLE_OCSP_STAPLING, // tls_client + SSL_ENABLE_NPN, // defunct + SSL_ENABLE_ALPN, // tls_client, tls_server + SSL_REUSE_SERVER_ECDHE_KEY, + SSL_ENABLE_FALLBACK_SCSV, // tls_client, tls_server + SSL_ENABLE_SERVER_DHE, + SSL_ENABLE_EXTENDED_MASTER_SECRET, // tls_client, tls_server + SSL_ENABLE_SIGNED_CERT_TIMESTAMPS, + SSL_REQUIRE_DH_NAMED_GROUPS, // tls_client + SSL_ENABLE_0RTT_DATA, // tls_client, tls_server + SSL_RECORD_SIZE_LIMIT, + SSL_ENABLE_TLS13_COMPAT_MODE, // tls_client + SSL_ENABLE_DTLS_SHORT_HEADER, // tls_client, tls_server + SSL_ENABLE_HELLO_DOWNGRADE_CHECK, + SSL_ENABLE_V2_COMPATIBLE_HELLO, + SSL_ENABLE_POST_HANDSHAKE_AUTH, // tls_client + SSL_ENABLE_DELEGATED_CREDENTIALS, // tls_client, tls_server + SSL_SUPPRESS_END_OF_EARLY_DATA, + SSL_ENABLE_GREASE, // tls_client, tls_server + SSL_ENABLE_CH_EXTENSION_PERMUTATION, // tls_client +}; + const uint8_t kShortEmptyFinished[8] = {0}; const uint8_t kLongEmptyFinished[128] = {0}; @@ -241,6 +289,21 @@ FUZZ_P(TlsFuzzTest, UnencryptedSessionTickets) { client_->CheckCipherSuite(static_cast(suite)); } +class MiscFuzzTest : public ::testing::Test {}; + +FUZZ_F(MiscFuzzTest, UnfuzzedSslOption) { + PRIntn val; + SECStatus rv; + + for (PRInt32 option = 0; option < std::numeric_limits::max(); + ++option) { + rv = SSL_OptionGetDefault(option, &val); + // The return value should either be a failure (=> there is no such + // option) or the the option should be in the fuzzed options. + EXPECT_TRUE(rv == SECFailure || gFuzzedSslOptions.count(option)); + } +} + INSTANTIATE_TEST_SUITE_P( FuzzStream, TlsFuzzTest, ::testing::Combine(TlsConnectTestBase::kTlsVariantsStream, diff --git a/nss/gtests/ssl_gtest/ssl_gather_unittest.cc b/nss/gtests/ssl_gtest/ssl_gather_unittest.cc index 2b0b722a..5a181c3a 100644 --- a/nss/gtests/ssl_gtest/ssl_gather_unittest.cc +++ b/nss/gtests/ssl_gtest/ssl_gather_unittest.cc @@ -43,6 +43,21 @@ TEST_F(TlsConnectTest, GatherExcessiveV3Record) { 2000); } +TEST_P(TlsConnectDatagram, DtlsGatherCIDRecord) { + TlsRecordHeader cidRecordHeader(ssl_variant_datagram, version_, 0x30, 0); + DataBuffer buffer = DataBuffer(10); + TlsRecord cidRecord = {cidRecordHeader, buffer}; + + EnsureTlsSetup(); + Connect(); + client_->SendRecordDirect(cidRecord); + + // CIDs are not supported, invalid records in DTLS should be silently + // discarded. + server_->WaitForErrorCode(0, 1000); + client_->WaitForErrorCode(0, 1000); +} + // Gather a 3-byte v2 header, with a fragment length of 2. TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) { DataBuffer buffer; diff --git a/nss/gtests/ssl_gtest/tls_ech_unittest.cc b/nss/gtests/ssl_gtest/tls_ech_unittest.cc index 58b34baa..e860b7b3 100644 --- a/nss/gtests/ssl_gtest/tls_ech_unittest.cc +++ b/nss/gtests/ssl_gtest/tls_ech_unittest.cc @@ -2479,6 +2479,26 @@ TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriter) { Connect(); } +TEST_F(TlsConnectStreamTls13, EchCustomExtensionWriterZeroRtt) { + EnsureTlsSetup(); + SetupEch(client_, server_); + SetupForZeroRtt(); + + client_->Set0RttEnabled(true); + server_->Set0RttEnabled(true); + ASSERT_EQ(SECSuccess, SSL_InstallExtensionHooks( + client_->ssl_fd(), 62028, EmptyExtensionWriter, + nullptr, NoopExtensionHandler, nullptr)); + SetupEch(client_, server_); + ExpectResumption(RESUME_TICKET); + + ZeroRttSendReceive(true, true); + Handshake(); + ExpectEarlyDataAccepted(true); + CheckConnected(); + SendReceive(); +} + TEST_F(TlsConnectStreamTls13Ech, EchCustomExtensionWriterOuterOnly) { EnsureTlsSetup(); SetupEch(client_, server_); diff --git a/nss/gtests/ssl_gtest/tls_filter.cc b/nss/gtests/ssl_gtest/tls_filter.cc index ab52a07e..13221f54 100644 --- a/nss/gtests/ssl_gtest/tls_filter.cc +++ b/nss/gtests/ssl_gtest/tls_filter.cc @@ -643,7 +643,6 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord( preceding_fragment_.Assign(handshake); continue; } - preceding_fragment_.Truncate(0); DataBuffer filtered; PacketFilter::Action action; @@ -653,6 +652,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord( action = FilterHandshake(header, handshake, &filtered); } if (action == DROP) { + preceding_fragment_.Truncate(0); changed = true; std::cerr << "handshake drop: " << handshake << std::endl; continue; @@ -669,6 +669,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord( changed = true; } + preceding_fragment_.Truncate(0); offset = header.Write(output, offset, *source); } output->Truncate(offset); diff --git a/nss/gtests/ssl_gtest/tls_mlkem_unittest.cc b/nss/gtests/ssl_gtest/tls_mlkem_unittest.cc index a1438114..5e205219 100644 --- a/nss/gtests/ssl_gtest/tls_mlkem_unittest.cc +++ b/nss/gtests/ssl_gtest/tls_mlkem_unittest.cc @@ -51,11 +51,6 @@ TEST_P(TlsKeyExchangeTest, Tls12ClientMlkem768x25519NotSupported) { } TEST_P(TlsKeyExchangeTest13, Tls12ServerMlkem768x25519NotSupported) { - if (variant_ == ssl_variant_datagram) { - /* Bug 1874451 - reenable this test */ - return; - } - EnsureKeyShareSetup(); client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, @@ -137,10 +132,6 @@ static void CheckECDHShareReuse( } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) { - if (variant_ == ssl_variant_datagram) { - /* Bug 1874451 - reenable this test */ - return; - } EnsureKeyShareSetup(); ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); @@ -153,10 +144,6 @@ TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) { } TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseSecond) { - if (variant_ == ssl_variant_datagram) { - /* Bug 1874451 - reenable this test */ - return; - } EnsureKeyShareSetup(); ConfigNamedGroups({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519}); EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1)); diff --git a/nss/gtests/ssl_gtest/tls_subcerts_unittest.cc b/nss/gtests/ssl_gtest/tls_subcerts_unittest.cc index 5e01dee5..6706d0ad 100644 --- a/nss/gtests/ssl_gtest/tls_subcerts_unittest.cc +++ b/nss/gtests/ssl_gtest/tls_subcerts_unittest.cc @@ -376,6 +376,12 @@ TEST_P(TlsConnectTls13, DCWeakKey) { ssl_sig_rsa_pss_pss_sha256}; client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); + PRInt32 keySizeFlags; + ASSERT_EQ(SECSuccess, + NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags)); + // turn off the signing key sizes so we actually test the ssl tests + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, + NSS_KEY_SIZE_POLICY_SSL_FLAG)); #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY // save the MIN POLICY length. PRInt32 minRsa; @@ -413,6 +419,7 @@ TEST_P(TlsConnectTls13, DCWeakKey) { #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)); #endif + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags)); } class ReplaceDCSigScheme : public TlsHandshakeFilter { diff --git a/nss/lib/ckfw/builtins/certdata.txt b/nss/lib/ckfw/builtins/certdata.txt index 110a8147..1ed5a248 100644 --- a/nss/lib/ckfw/builtins/certdata.txt +++ b/nss/lib/ckfw/builtins/certdata.txt @@ -323,7 +323,10 @@ CKA_VALUE MULTILINE_OCTAL \174\136\232\166\351\131\220\305\174\203\065\021\145\121 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust.net Premium 2048 Secure Server CA" @@ -627,7 +630,10 @@ CKA_VALUE MULTILINE_OCTAL \036\177\132\264\074 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust Root Certification Authority" @@ -2341,174 +2347,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "SwissSign Silver CA - G2" -# -# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH -# Serial Number:4f:1b:d4:2f:54:bb:2f:4b -# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH -# Not Valid Before: Wed Oct 25 08:32:46 2006 -# Not Valid After : Sat Oct 25 08:32:46 2036 -# Fingerprint (SHA-256): BE:6C:4D:A2:BB:B9:BA:59:B6:F3:93:97:68:37:42:46:C3:C0:05:99:3F:A9:8F:02:0D:1D:ED:BE:D4:8A:81:D5 -# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign Silver CA - G2" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\107\061\013\060\011\006\003\125\004\006\023\002\103\110\061 -\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 -\151\147\156\040\101\107\061\041\060\037\006\003\125\004\003\023 -\030\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145 -\162\040\103\101\040\055\040\107\062 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\107\061\013\060\011\006\003\125\004\006\023\002\103\110\061 -\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 -\151\147\156\040\101\107\061\041\060\037\006\003\125\004\003\023 -\030\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145 -\162\040\103\101\040\055\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\010\117\033\324\057\124\273\057\113 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\275\060\202\003\245\240\003\002\001\002\002\010\117 -\033\324\057\124\273\057\113\060\015\006\011\052\206\110\206\367 -\015\001\001\005\005\000\060\107\061\013\060\011\006\003\125\004 -\006\023\002\103\110\061\025\060\023\006\003\125\004\012\023\014 -\123\167\151\163\163\123\151\147\156\040\101\107\061\041\060\037 -\006\003\125\004\003\023\030\123\167\151\163\163\123\151\147\156 -\040\123\151\154\166\145\162\040\103\101\040\055\040\107\062\060 -\036\027\015\060\066\061\060\062\065\060\070\063\062\064\066\132 -\027\015\063\066\061\060\062\065\060\070\063\062\064\066\132\060 -\107\061\013\060\011\006\003\125\004\006\023\002\103\110\061\025 -\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123\151 -\147\156\040\101\107\061\041\060\037\006\003\125\004\003\023\030 -\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145\162 -\040\103\101\040\055\040\107\062\060\202\002\042\060\015\006\011 -\052\206\110\206\367\015\001\001\001\005\000\003\202\002\017\000 -\060\202\002\012\002\202\002\001\000\304\361\207\177\323\170\061 -\367\070\311\370\303\231\103\274\307\367\274\067\347\116\161\272 -\113\217\245\163\035\134\156\230\256\003\127\256\070\067\103\057 -\027\075\037\310\316\150\020\301\170\256\031\003\053\020\372\054 -\171\203\366\350\271\150\271\125\362\004\104\247\071\371\374\004 -\213\036\361\242\115\047\371\141\173\272\267\345\242\023\266\353 -\141\076\320\154\321\346\373\372\136\355\035\264\236\240\065\133 -\241\222\313\360\111\222\376\205\012\005\076\346\331\013\342\117 -\273\334\225\067\374\221\351\062\065\042\321\037\072\116\047\205 -\235\260\025\224\062\332\141\015\107\115\140\102\256\222\107\350 -\203\132\120\130\351\212\213\271\135\241\334\335\231\112\037\066 -\147\273\110\344\203\266\067\353\110\072\257\017\147\217\027\007 -\350\004\312\357\152\061\207\324\300\266\371\224\161\173\147\144 -\270\266\221\112\102\173\145\056\060\152\014\365\220\356\225\346 -\362\315\202\354\331\241\112\354\366\262\113\345\105\205\346\155 -\170\223\004\056\234\202\155\066\251\304\061\144\037\206\203\013 -\052\364\065\012\170\311\125\317\101\260\107\351\060\237\231\276 -\141\250\006\204\271\050\172\137\070\331\033\251\070\260\203\177 -\163\301\303\073\110\052\202\017\041\233\270\314\250\065\303\204 -\033\203\263\076\276\244\225\151\001\072\211\000\170\004\331\311 -\364\231\031\253\126\176\133\213\206\071\025\221\244\020\054\011 -\062\200\140\263\223\300\052\266\030\013\235\176\215\111\362\020 -\112\177\371\325\106\057\031\222\243\231\247\046\254\273\214\074 -\346\016\274\107\007\334\163\121\361\160\144\057\010\371\264\107 -\035\060\154\104\352\051\067\205\222\150\146\274\203\070\376\173 -\071\056\323\120\360\037\373\136\140\266\251\246\372\047\101\361 -\233\030\162\362\365\204\164\112\311\147\304\124\256\110\144\337 -\214\321\156\260\035\341\007\217\010\036\231\234\161\351\114\330 -\245\367\107\022\037\164\321\121\236\206\363\302\242\043\100\013 -\163\333\113\246\347\163\006\214\301\240\351\301\131\254\106\372 -\346\057\370\317\161\234\106\155\271\304\025\215\070\171\003\105 -\110\357\304\135\327\010\356\207\071\042\206\262\015\017\130\103 -\367\161\251\110\056\375\352\326\037\002\003\001\000\001\243\201 -\254\060\201\251\060\016\006\003\125\035\017\001\001\377\004\004 -\003\002\001\006\060\017\006\003\125\035\023\001\001\377\004\005 -\060\003\001\001\377\060\035\006\003\125\035\016\004\026\004\024 -\027\240\315\301\344\101\266\072\133\073\313\105\235\275\034\302 -\230\372\206\130\060\037\006\003\125\035\043\004\030\060\026\200 -\024\027\240\315\301\344\101\266\072\133\073\313\105\235\275\034 -\302\230\372\206\130\060\106\006\003\125\035\040\004\077\060\075 -\060\073\006\011\140\205\164\001\131\001\003\001\001\060\056\060 -\054\006\010\053\006\001\005\005\007\002\001\026\040\150\164\164 -\160\072\057\057\162\145\160\157\163\151\164\157\162\171\056\163 -\167\151\163\163\163\151\147\156\056\143\157\155\057\060\015\006 -\011\052\206\110\206\367\015\001\001\005\005\000\003\202\002\001 -\000\163\306\201\340\047\322\055\017\340\225\060\342\232\101\177 -\120\054\137\137\142\141\251\206\152\151\030\014\164\111\326\135 -\204\352\101\122\030\157\130\255\120\126\040\152\306\275\050\151 -\130\221\334\221\021\065\251\072\035\274\032\245\140\236\330\037 -\177\105\221\151\331\176\273\170\162\301\006\017\052\316\217\205 -\160\141\254\240\315\013\270\071\051\126\204\062\116\206\273\075 -\304\052\331\327\037\162\356\376\121\241\042\101\261\161\002\143 -\032\202\260\142\253\136\127\022\037\337\313\335\165\240\300\135 -\171\220\214\033\340\120\346\336\061\376\230\173\160\137\245\220 -\330\255\370\002\266\157\323\140\335\100\113\042\305\075\255\072 -\172\237\032\032\107\221\171\063\272\202\334\062\151\003\226\156 -\037\113\360\161\376\343\147\162\240\261\277\134\213\344\372\231 -\042\307\204\271\033\215\043\227\077\355\045\340\317\145\273\365 -\141\004\357\335\036\262\132\101\042\132\241\237\135\054\350\133 -\311\155\251\014\014\170\252\140\306\126\217\001\132\014\150\274 -\151\031\171\304\037\176\227\005\277\305\351\044\121\136\324\325 -\113\123\355\331\043\132\066\003\145\243\301\003\255\101\060\363 -\106\033\205\220\257\145\265\325\261\344\026\133\170\165\035\227 -\172\155\131\251\052\217\173\336\303\207\211\020\231\111\163\170 -\310\075\275\121\065\164\052\325\361\176\151\033\052\273\073\275 -\045\270\232\132\075\162\141\220\146\207\356\014\326\115\324\021 -\164\013\152\376\013\003\374\243\125\127\211\376\112\313\256\133 -\027\005\310\362\215\043\061\123\070\322\055\152\077\202\271\215 -\010\152\367\136\101\164\156\303\021\176\007\254\051\140\221\077 -\070\312\127\020\015\275\060\057\307\245\346\101\240\332\256\005 -\207\232\240\244\145\154\114\011\014\211\272\270\323\271\300\223 -\212\060\372\215\345\232\153\025\001\116\147\252\332\142\126\076 -\204\010\146\322\304\066\175\247\076\020\374\210\340\324\200\345 -\000\275\252\363\116\006\243\172\152\371\142\162\343\011\117\353 -\233\016\001\043\361\237\273\174\334\334\154\021\227\045\262\362 -\264\143\024\322\006\052\147\214\203\365\316\352\007\330\232\152 -\036\354\344\012\273\052\114\353\011\140\071\316\312\142\330\056 -\156 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE - -# Trust for "SwissSign Silver CA - G2" -# Issuer: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH -# Serial Number:4f:1b:d4:2f:54:bb:2f:4b -# Subject: CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH -# Not Valid Before: Wed Oct 25 08:32:46 2006 -# Not Valid After : Sat Oct 25 08:32:46 2036 -# Fingerprint (SHA-256): BE:6C:4D:A2:BB:B9:BA:59:B6:F3:93:97:68:37:42:46:C3:C0:05:99:3F:A9:8F:02:0D:1D:ED:BE:D4:8A:81:D5 -# Fingerprint (SHA1): 9B:AA:E5:9F:56:EE:21:CB:43:5A:BE:25:93:DF:A7:F0:40:D1:1D:CB -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SwissSign Silver CA - G2" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\233\252\345\237\126\356\041\313\103\132\276\045\223\337\247\360 -\100\321\035\313 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\340\006\241\311\175\317\311\374\015\300\126\165\226\330\142\023 -END -CKA_ISSUER MULTILINE_OCTAL -\060\107\061\013\060\011\006\003\125\004\006\023\002\103\110\061 -\025\060\023\006\003\125\004\012\023\014\123\167\151\163\163\123 -\151\147\156\040\101\107\061\041\060\037\006\003\125\004\003\023 -\030\123\167\151\163\163\123\151\147\156\040\123\151\154\166\145 -\162\040\103\101\040\055\040\107\062 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\010\117\033\324\057\124\273\057\113 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "SecureTrust CA" # @@ -3808,140 +3646,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "SecureSign RootCA11" -# -# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP -# Serial Number: 1 (0x1) -# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP -# Not Valid Before: Wed Apr 08 04:56:47 2009 -# Not Valid After : Sun Apr 08 04:56:47 2029 -# Fingerprint (SHA-256): BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12 -# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SecureSign RootCA11" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040 -\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145 -\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032 -\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147 -\156\040\122\157\157\164\103\101\061\061 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040 -\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145 -\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032 -\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147 -\156\040\122\157\157\164\103\101\061\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\003\155\060\202\002\125\240\003\002\001\002\002\001\001 -\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060 -\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061\053 -\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040\103 -\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162 -\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032\006 -\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147\156 -\040\122\157\157\164\103\101\061\061\060\036\027\015\060\071\060 -\064\060\070\060\064\065\066\064\067\132\027\015\062\071\060\064 -\060\070\060\064\065\066\064\067\132\060\130\061\013\060\011\006 -\003\125\004\006\023\002\112\120\061\053\060\051\006\003\125\004 -\012\023\042\112\141\160\141\156\040\103\145\162\164\151\146\151 -\143\141\164\151\157\156\040\123\145\162\166\151\143\145\163\054 -\040\111\156\143\056\061\034\060\032\006\003\125\004\003\023\023 -\123\145\143\165\162\145\123\151\147\156\040\122\157\157\164\103 -\101\061\061\060\202\001\042\060\015\006\011\052\206\110\206\367 -\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002 -\202\001\001\000\375\167\252\245\034\220\005\073\313\114\233\063 -\213\132\024\105\244\347\220\026\321\337\127\322\041\020\244\027 -\375\337\254\326\037\247\344\333\174\367\354\337\270\003\332\224 -\130\375\135\162\174\214\077\137\001\147\164\025\226\343\002\074 -\207\333\256\313\001\216\302\363\146\306\205\105\364\002\306\072 -\265\142\262\257\372\234\277\244\346\324\200\060\230\363\015\266 -\223\217\251\324\330\066\362\260\374\212\312\054\241\025\063\225 -\061\332\300\033\362\356\142\231\206\143\077\277\335\223\052\203 -\250\166\271\023\037\267\316\116\102\205\217\042\347\056\032\362 -\225\011\262\005\265\104\116\167\241\040\275\251\362\116\012\175 -\120\255\365\005\015\105\117\106\161\375\050\076\123\373\004\330 -\055\327\145\035\112\033\372\317\073\260\061\232\065\156\310\213 -\006\323\000\221\362\224\010\145\114\261\064\006\000\172\211\342 -\360\307\003\131\317\325\326\350\247\062\263\346\230\100\206\305 -\315\047\022\213\314\173\316\267\021\074\142\140\007\043\076\053 -\100\156\224\200\011\155\266\263\157\167\157\065\010\120\373\002 -\207\305\076\211\002\003\001\000\001\243\102\060\100\060\035\006 -\003\125\035\016\004\026\004\024\133\370\115\117\262\245\206\324 -\072\322\361\143\232\240\276\011\366\127\267\336\060\016\006\003 -\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003 -\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006 -\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001 -\000\240\241\070\026\146\056\247\126\037\041\234\006\372\035\355 -\271\042\305\070\046\330\116\117\354\243\177\171\336\106\041\241 -\207\167\217\007\010\232\262\244\305\257\017\062\230\013\174\146 -\051\266\233\175\045\122\111\103\253\114\056\053\156\172\160\257 -\026\016\343\002\154\373\102\346\030\235\105\330\125\310\350\073 -\335\347\341\364\056\013\034\064\134\154\130\112\373\214\210\120 -\137\225\034\277\355\253\042\265\145\263\205\272\236\017\270\255 -\345\172\033\212\120\072\035\275\015\274\173\124\120\013\271\102 -\257\125\240\030\201\255\145\231\357\276\344\234\277\304\205\253 -\101\262\124\157\334\045\315\355\170\342\216\014\215\011\111\335 -\143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310 -\122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371 -\244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154 -\017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055 -\015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215 -\101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003 -\362 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE - -# Trust for "SecureSign RootCA11" -# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP -# Serial Number: 1 (0x1) -# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP -# Not Valid Before: Wed Apr 08 04:56:47 2009 -# Not Valid After : Sun Apr 08 04:56:47 2029 -# Fingerprint (SHA-256): BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12 -# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3 -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "SecureSign RootCA11" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\073\304\237\110\370\363\163\240\234\036\275\370\133\261\303\145 -\307\330\021\263 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\267\122\164\342\222\264\200\223\362\165\344\314\327\362\352\046 -END -CKA_ISSUER MULTILINE_OCTAL -\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040 -\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145 -\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032 -\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147 -\156\040\122\157\157\164\103\101\061\061 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\001\001 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Microsec e-Szigno Root CA 2009" # @@ -4939,7 +4643,10 @@ CKA_VALUE MULTILINE_OCTAL \007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "AffirmTrust Commercial" @@ -5067,7 +4774,10 @@ CKA_VALUE MULTILINE_OCTAL \355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "AffirmTrust Networking" @@ -5227,7 +4937,10 @@ CKA_VALUE MULTILINE_OCTAL \051\340\266\270\011\150\031\034\030\103 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "AffirmTrust Premium" @@ -5335,7 +5048,10 @@ CKA_VALUE MULTILINE_OCTAL \214\171 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "AffirmTrust Premium ECC" @@ -10269,7 +9985,10 @@ CKA_VALUE MULTILINE_OCTAL \105\366 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust Root Certification Authority - G2" @@ -10416,7 +10135,10 @@ CKA_VALUE MULTILINE_OCTAL \231\267\046\101\133\045\140\256\320\110\032\356\006 END CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +# For Server Distrust After: Sat Nov 30 23:59:59 2024 +CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +\062\064\061\061\063\060\062\063\065\071\065\071\132 +END CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE # Trust for "Entrust Root Certification Authority - EC1" @@ -15014,7 +14736,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\331\265\103\177\257\251\071\017\000\000\000\000\125 \145\255\130 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -21228,173 +20950,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE -# -# Certificate "Security Communication RootCA3" -# -# Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP -# Serial Number:00:e1:7c:37:40:fd:1b:fe:67 -# Subject: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP -# Not Valid Before: Thu Jun 16 06:17:16 2016 -# Not Valid After : Mon Jan 18 06:17:16 2038 -# Fingerprint (SHA-256): 24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94 -# Fingerprint (SHA1): C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A -CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Security Communication RootCA3" -CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 -CKA_SUBJECT MULTILINE_OCTAL -\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023 -\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063 -END -CKA_ID UTF8 "0" -CKA_ISSUER MULTILINE_OCTAL -\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023 -\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\011\000\341\174\067\100\375\033\376\147 -END -CKA_VALUE MULTILINE_OCTAL -\060\202\005\177\060\202\003\147\240\003\002\001\002\002\011\000 -\341\174\067\100\375\033\376\147\060\015\006\011\052\206\110\206 -\367\015\001\001\014\005\000\060\135\061\013\060\011\006\003\125 -\004\006\023\002\112\120\061\045\060\043\006\003\125\004\012\023 -\034\123\105\103\117\115\040\124\162\165\163\164\040\123\171\163 -\164\145\155\163\040\103\117\056\054\114\124\104\056\061\047\060 -\045\006\003\125\004\003\023\036\123\145\143\165\162\151\164\171 -\040\103\157\155\155\165\156\151\143\141\164\151\157\156\040\122 -\157\157\164\103\101\063\060\036\027\015\061\066\060\066\061\066 -\060\066\061\067\061\066\132\027\015\063\070\060\061\061\070\060 -\066\061\067\061\066\132\060\135\061\013\060\011\006\003\125\004 -\006\023\002\112\120\061\045\060\043\006\003\125\004\012\023\034 -\123\105\103\117\115\040\124\162\165\163\164\040\123\171\163\164 -\145\155\163\040\103\117\056\054\114\124\104\056\061\047\060\045 -\006\003\125\004\003\023\036\123\145\143\165\162\151\164\171\040 -\103\157\155\155\165\156\151\143\141\164\151\157\156\040\122\157 -\157\164\103\101\063\060\202\002\042\060\015\006\011\052\206\110 -\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002 -\012\002\202\002\001\000\343\311\162\111\367\060\336\011\174\251 -\100\201\130\323\264\072\335\272\141\017\223\120\156\151\074\065 -\302\356\133\163\220\033\147\114\041\354\137\065\273\071\076\053 -\012\140\357\273\155\053\206\373\161\242\310\254\344\126\224\371 -\311\257\261\162\324\040\254\164\322\270\025\255\121\376\205\164 -\241\271\020\376\005\200\371\122\223\263\100\075\165\020\254\300 -\226\267\247\176\166\274\343\033\122\031\316\021\037\013\004\064 -\365\330\365\151\074\167\363\144\364\015\252\205\336\340\011\120 -\004\027\226\204\267\310\212\274\115\162\374\034\273\317\363\006 -\115\371\237\144\367\176\246\146\206\065\161\310\021\200\114\301 -\161\100\130\036\276\240\163\366\374\076\120\341\340\057\046\075 -\176\134\043\265\171\160\336\372\340\321\245\326\014\101\161\173 -\367\352\214\034\210\307\354\213\365\321\057\125\226\106\174\132 -\073\130\073\373\272\330\055\265\045\332\172\116\317\104\256\041 -\246\236\230\312\040\156\174\273\210\205\133\373\300\020\142\273 -\362\371\047\107\357\321\211\071\103\304\337\336\341\101\277\124 -\163\040\227\055\154\332\363\324\007\243\346\271\330\157\256\374 -\214\031\056\323\147\147\053\225\333\130\134\265\152\002\363\270 -\203\136\264\153\276\101\176\127\011\165\104\120\125\315\132\021 -\141\041\012\141\302\251\210\375\023\274\055\211\057\315\141\340 -\225\276\312\265\173\341\173\064\147\013\037\266\014\307\174\036 -\031\123\312\247\261\112\025\040\126\024\160\075\053\202\054\017 -\235\025\035\107\200\107\377\170\231\016\061\257\157\076\217\355 -\206\151\036\173\030\210\024\262\302\374\202\063\056\234\113\055 -\373\160\073\161\252\053\173\046\047\363\032\302\334\373\027\270 -\241\352\313\240\264\256\323\224\176\172\320\253\303\354\070\055 -\021\056\210\277\324\077\255\022\073\102\254\217\002\156\175\314 -\321\137\141\276\241\274\072\152\110\352\046\125\042\026\135\137 -\015\377\047\063\237\030\003\164\212\133\122\040\107\153\105\115 -\042\167\214\125\047\360\257\036\214\311\203\042\124\267\232\320 -\117\331\316\374\331\056\034\226\050\261\002\323\003\275\045\122 -\034\064\146\117\043\253\364\167\202\226\035\321\127\060\010\021 -\005\375\127\321\331\307\002\003\001\000\001\243\102\060\100\060 -\035\006\003\125\035\016\004\026\004\024\144\024\174\374\130\162 -\026\246\012\051\064\025\157\052\313\274\374\257\250\253\060\016 -\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017 -\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 -\015\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202 -\002\001\000\334\002\043\010\342\357\041\072\307\015\267\046\322 -\142\223\247\245\043\162\007\040\202\140\337\030\327\124\255\151 -\045\222\236\331\024\317\231\271\122\201\317\256\154\212\073\132 -\071\310\154\001\103\302\042\155\002\360\142\315\116\143\103\300 -\024\332\364\143\360\352\364\161\356\116\207\343\161\251\364\311 -\127\345\056\137\034\171\273\043\252\207\104\127\351\275\065\115 -\101\273\113\050\243\230\262\033\331\013\027\007\345\367\352\235 -\365\166\327\277\304\266\201\130\377\310\377\144\151\142\171\255 -\156\016\037\177\356\035\151\345\267\162\161\263\376\245\001\065 -\224\124\053\300\122\155\217\125\304\311\322\270\313\312\064\010 -\121\205\240\365\274\264\027\130\352\012\134\172\275\143\306\072 -\057\377\226\111\031\204\352\147\330\004\261\141\364\000\133\112 -\267\234\161\067\031\205\171\277\201\260\307\023\016\166\161\076 -\072\200\006\256\006\026\247\215\265\302\304\313\377\100\245\134 -\215\245\311\072\355\162\201\312\134\230\074\322\064\003\167\010 -\375\360\051\131\135\041\010\307\140\277\244\161\173\270\331\036 -\202\276\011\257\145\157\050\253\277\113\265\356\076\010\107\047 -\240\017\157\017\213\077\254\225\030\363\271\016\334\147\125\156 -\142\236\106\016\321\004\170\312\162\256\166\331\245\370\262\337 -\210\011\141\213\357\044\116\321\131\077\132\324\075\311\223\074 -\053\144\365\201\015\026\226\367\222\303\376\061\157\350\052\062 -\164\016\364\114\230\112\030\016\060\124\325\305\353\274\305\025 -\236\350\231\041\353\047\053\011\012\333\361\346\160\030\126\273 -\014\344\276\371\350\020\244\023\222\270\034\340\333\147\035\123 -\003\244\042\247\334\135\222\020\074\352\377\374\033\020\032\303 -\330\320\234\235\145\313\320\053\047\061\003\036\066\341\075\166 -\165\014\377\105\046\271\335\121\274\043\307\137\330\330\207\020 -\100\022\015\075\070\067\347\104\074\030\300\123\011\144\217\377 -\325\232\246\174\160\056\163\125\041\350\337\377\203\271\035\076 -\062\036\326\246\175\054\361\146\351\134\035\247\243\316\136\045 -\062\053\343\225\254\052\007\316\264\050\170\206\074\055\246\235 -\115\322\164\060\335\144\121\025\333\203\203\121\327\257\375\063 -\235\115\146 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE -CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE -CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE - -# Trust for "Security Communication RootCA3" -# Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP -# Serial Number:00:e1:7c:37:40:fd:1b:fe:67 -# Subject: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP -# Not Valid Before: Thu Jun 16 06:17:16 2016 -# Not Valid After : Mon Jan 18 06:17:16 2038 -# Fingerprint (SHA-256): 24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94 -# Fingerprint (SHA1): C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A -CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST -CKA_TOKEN CK_BBOOL CK_TRUE -CKA_PRIVATE CK_BBOOL CK_FALSE -CKA_MODIFIABLE CK_BBOOL CK_FALSE -CKA_LABEL UTF8 "Security Communication RootCA3" -CKA_CERT_SHA1_HASH MULTILINE_OCTAL -\303\003\310\042\164\222\345\141\242\234\137\171\221\053\036\104 -\023\221\060\072 -END -CKA_CERT_MD5_HASH MULTILINE_OCTAL -\034\232\026\377\236\134\340\115\212\024\001\364\065\135\051\046 -END -CKA_ISSUER MULTILINE_OCTAL -\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061 -\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040 -\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117 -\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023 -\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156 -\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063 -END -CKA_SERIAL_NUMBER MULTILINE_OCTAL -\002\011\000\341\174\067\100\375\033\376\147 -END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - # # Certificate "Security Communication ECC RootCA1" # @@ -21508,7 +21063,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\011\000\326\135\233\263\170\201\056\353 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -21676,7 +21231,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \154\040 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -21791,7 +21346,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \112\353 END CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -26247,3 +25802,339 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "D-TRUST BR Root CA 2 2023" +# +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\163 +\073\060\004\110\133\331\115\170\056\163\113\311\241\334\146\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 +\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\102\122\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\070\065\066\063\061\132\027\015\063\070\060\065\060 +\071\060\070\065\066\063\060\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 +\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\102\122\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\256\377\011\131\221\200\012\112\150\346\044\077\270 +\247\344\310\072\012\072\026\315\311\043\141\240\223\161\362\253 +\213\163\217\240\147\145\140\322\124\153\143\121\157\111\063\340 +\162\007\023\175\070\315\006\222\007\051\122\153\116\167\154\004 +\323\225\372\335\114\214\331\135\301\141\175\113\347\050\263\104 +\201\173\121\257\335\063\261\150\174\326\116\114\376\053\150\271 +\312\146\151\304\354\136\127\177\367\015\307\234\066\066\345\007 +\140\254\300\114\352\010\154\357\006\174\117\133\050\172\010\374 +\223\135\233\366\234\264\213\206\272\041\271\364\360\350\131\132 +\050\241\064\204\032\045\221\266\265\217\357\262\371\200\372\371 +\075\074\021\162\330\343\057\206\166\305\171\054\301\251\220\223 +\106\230\147\313\203\152\240\120\043\247\073\366\201\071\340\355 +\360\271\277\145\361\330\313\172\373\357\163\003\316\000\364\175 +\327\340\135\073\146\270\334\216\272\203\313\207\166\003\374\045 +\331\347\043\157\006\375\147\363\340\377\204\274\107\277\265\026 +\030\106\151\024\314\005\367\333\323\111\254\153\314\253\344\265 +\013\103\044\136\113\153\115\147\337\326\265\076\117\170\037\224 +\161\044\352\336\160\374\361\223\376\236\223\132\344\224\132\227 +\124\014\065\173\137\154\356\000\037\044\354\003\272\002\365\166 +\364\237\324\232\355\205\054\070\042\057\307\330\057\166\021\117 +\375\154\134\350\365\216\047\207\177\031\112\041\107\220\035\171 +\215\034\133\370\317\112\205\344\355\263\133\215\276\304\144\050 +\135\101\304\156\254\070\132\117\043\164\164\251\022\303\366\322 +\271\021\025\063\007\221\330\073\067\072\143\060\006\321\305\042 +\066\050\142\043\020\340\106\314\227\254\326\053\135\144\044\325 +\356\034\016\336\373\010\132\165\052\366\143\155\316\013\102\276 +\321\272\160\034\234\041\345\017\061\151\027\327\374\012\264\336 +\355\200\234\313\222\264\213\365\336\131\242\130\011\245\143\107 +\013\341\101\062\064\101\331\232\261\331\250\260\033\132\336\015 +\015\364\342\262\135\065\200\271\201\324\204\151\221\002\313\165 +\320\215\305\265\075\011\221\011\217\024\241\024\164\171\076\326 +\311\025\035\244\131\131\042\334\366\212\105\075\074\022\326\076 +\135\062\057\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\147\220\360\326\336\265 +\030\325\106\051\176\134\253\370\236\010\274\144\225\020\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\142\162\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\064\367\263 +\167\123\333\060\026\271\055\245\041\361\100\041\165\353\353\110 +\026\201\075\163\340\236\047\052\353\167\251\023\244\152\012\132 +\132\024\063\075\150\037\201\256\151\375\214\237\145\154\064\102 +\331\055\320\177\170\026\261\072\254\043\061\255\136\177\256\347 +\256\053\372\272\374\074\227\225\100\223\137\303\055\003\243\355 +\244\157\123\327\372\100\016\060\365\000\040\054\000\114\214\073 +\264\243\037\266\277\221\062\253\257\222\230\323\026\346\324\321 +\124\134\103\133\056\256\357\127\052\250\264\157\244\357\015\126 +\024\332\041\253\040\166\236\003\374\046\270\236\077\076\003\046 +\346\114\333\235\137\102\204\075\105\003\003\034\131\210\312\334 +\056\141\044\132\244\352\047\013\163\022\276\122\263\012\317\062 +\027\342\036\207\032\026\225\110\155\132\340\320\317\011\222\046 +\146\221\330\243\141\016\252\201\201\177\350\122\202\321\102\347 +\340\035\030\372\244\205\066\347\206\340\015\353\274\324\311\326 +\074\103\361\135\111\156\176\201\233\151\265\211\142\217\210\122 +\330\327\376\047\301\043\305\313\053\002\273\261\137\376\373\103 +\205\003\106\276\135\306\312\041\046\377\327\002\236\164\112\334 +\370\023\025\261\201\127\066\313\145\134\321\035\061\167\351\045 +\303\303\262\062\067\325\361\230\011\344\155\143\200\010\253\006 +\222\201\324\351\160\217\247\077\262\355\206\214\202\152\065\310 +\102\132\202\321\122\032\105\017\025\245\000\360\224\173\145\047 +\127\071\103\317\174\177\346\275\065\263\173\361\031\114\336\072 +\226\317\351\166\356\003\347\302\103\122\074\152\201\350\301\132 +\200\275\021\135\223\153\373\307\346\144\077\273\151\034\351\335 +\045\213\257\164\311\124\100\312\313\223\023\012\355\373\146\222 +\021\312\365\300\372\330\203\125\003\174\323\305\042\106\165\160 +\153\171\110\006\052\202\232\277\346\353\026\016\042\105\001\274 +\335\066\224\064\251\065\046\212\327\227\271\356\010\162\277\064 +\222\160\203\200\253\070\252\131\150\335\100\244\030\220\262\363 +\325\003\312\046\312\357\325\307\340\217\123\216\360\000\343\250 +\355\237\371\255\167\340\053\143\117\236\303\356\067\273\170\011 +\204\236\271\156\373\051\231\220\350\200\323\237\044 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST BR Root CA 2 2023" +# Issuer: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:73:3b:30:04:48:5b:d9:4d:78:2e:73:4b:c9:a1:dc:66 +# Subject: CN=D-TRUST BR Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 08:56:31 2023 +# Not Valid After : Sun May 09 08:56:30 2038 +# Fingerprint (SHA-256): 05:52:E6:F8:3F:DF:65:E8:FA:96:70:E6:66:DF:28:A4:E2:13:40:B5:10:CB:E5:25:66:F9:7C:4F:B9:4B:2B:D1 +# Fingerprint (SHA1): 2D:B0:70:EE:71:94:AF:69:68:17:DB:79:CE:58:9F:A0:6B:96:F7:87 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST BR Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\055\260\160\356\161\224\257\151\150\027\333\171\316\130\237\240 +\153\226\367\207 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\341\011\355\323\140\324\126\033\107\037\267\014\137\033\137\205 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\102\122\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\163\073\060\004\110\133\331\115\170\056\163\113\311\241 +\334\146 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "D-TRUST EV Root CA 2 2023" +# +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\005\251\060\202\003\221\240\003\002\001\002\002\020\151 +\046\011\176\200\113\114\240\247\214\170\142\123\137\132\157\060 +\015\006\011\052\206\110\206\367\015\001\001\015\005\000\060\110 +\061\013\060\011\006\003\125\004\006\023\002\104\105\061\025\060 +\023\006\003\125\004\012\023\014\104\055\124\162\165\163\164\040 +\107\155\142\110\061\042\060\040\006\003\125\004\003\023\031\104 +\055\124\122\125\123\124\040\105\126\040\122\157\157\164\040\103 +\101\040\062\040\062\060\062\063\060\036\027\015\062\063\060\065 +\060\071\060\071\061\060\063\063\132\027\015\063\070\060\065\060 +\071\060\071\061\060\063\062\132\060\110\061\013\060\011\006\003 +\125\004\006\023\002\104\105\061\025\060\023\006\003\125\004\012 +\023\014\104\055\124\162\165\163\164\040\107\155\142\110\061\042 +\060\040\006\003\125\004\003\023\031\104\055\124\122\125\123\124 +\040\105\126\040\122\157\157\164\040\103\101\040\062\040\062\060 +\062\063\060\202\002\042\060\015\006\011\052\206\110\206\367\015 +\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002\202 +\002\001\000\330\216\243\211\200\013\262\127\122\334\251\123\114 +\067\271\177\143\027\023\357\247\133\043\133\151\165\260\231\012 +\027\301\213\304\333\250\340\314\061\272\302\362\315\135\351\267 +\370\035\257\152\304\225\207\327\107\311\225\330\202\004\120\075 +\201\010\377\344\075\263\261\326\305\262\375\210\011\333\234\204 +\354\045\027\024\207\177\060\170\233\152\130\311\266\163\050\074 +\064\367\231\367\177\323\246\370\034\105\174\255\054\214\224\077 +\330\147\020\123\176\042\315\116\045\121\360\045\044\065\021\136 +\020\306\354\207\146\211\201\150\272\314\053\235\107\163\037\275 +\315\221\244\162\152\234\242\033\030\240\157\354\120\364\175\100 +\302\250\060\317\275\163\310\023\053\020\023\036\213\232\250\072 +\224\163\323\030\151\012\112\377\301\001\003\377\171\177\265\110 +\177\173\356\350\051\157\066\114\225\141\206\330\371\242\163\212 +\356\256\057\226\356\150\315\075\115\050\102\371\105\053\062\033 +\106\125\026\152\246\113\051\371\273\225\126\277\106\035\354\035 +\223\035\300\145\262\037\241\103\256\126\236\240\261\217\153\022 +\267\140\155\170\013\312\212\134\355\036\226\016\203\246\110\225 +\215\073\243\041\304\256\130\306\000\262\204\264\043\244\226\206 +\065\270\330\236\330\254\064\111\230\143\225\305\313\155\110\107 +\342\362\056\030\036\320\061\253\335\164\354\371\334\214\270\034 +\216\150\043\272\320\363\120\334\317\145\217\163\072\062\307\174 +\376\312\202\042\117\276\216\142\107\146\345\315\207\342\350\325 +\017\030\237\345\004\162\113\106\074\020\362\104\302\144\126\161 +\116\165\350\234\311\046\164\305\175\131\321\012\133\017\155\376 +\236\165\034\030\306\032\072\174\330\015\004\314\315\267\105\145 +\172\261\217\270\256\204\110\076\263\172\115\250\003\342\342\176 +\001\026\131\150\030\103\063\260\322\334\260\032\103\065\356\245 +\332\251\106\134\256\206\201\101\001\112\164\046\354\237\006\277 +\302\005\067\144\165\170\051\150\375\305\365\353\376\107\371\344 +\205\260\341\173\061\235\246\177\162\243\271\304\054\056\314\231 +\127\016\041\014\105\001\224\145\353\145\011\306\143\042\013\063 +\111\222\110\074\374\315\316\260\076\216\236\213\370\376\111\305 +\065\162\107\002\003\001\000\001\243\201\216\060\201\213\060\017 +\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060 +\035\006\003\125\035\016\004\026\004\024\252\374\221\020\033\207 +\221\137\026\271\277\117\113\221\136\000\034\261\062\200\060\016 +\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\111 +\006\003\125\035\037\004\102\060\100\060\076\240\074\240\072\206 +\070\150\164\164\160\072\057\057\143\162\154\056\144\055\164\162 +\165\163\164\056\156\145\164\057\143\162\154\057\144\055\164\162 +\165\163\164\137\145\166\137\162\157\157\164\137\143\141\137\062 +\137\062\060\062\063\056\143\162\154\060\015\006\011\052\206\110 +\206\367\015\001\001\015\005\000\003\202\002\001\000\223\313\245 +\037\231\021\354\232\015\137\054\025\223\306\077\276\020\215\170 +\102\360\156\220\107\107\216\243\222\062\215\160\217\366\133\215 +\276\211\316\107\001\152\033\040\040\211\133\310\202\020\154\340 +\347\231\252\153\306\052\240\143\065\221\152\205\045\255\027\070 +\245\233\176\120\362\166\352\205\005\052\047\101\053\261\201\321 +\242\366\100\165\251\016\313\361\125\110\330\354\321\354\263\350 +\316\024\241\065\354\302\136\065\032\253\246\026\001\006\216\352 +\334\057\243\212\312\054\221\353\122\216\137\014\233\027\317\313 +\163\007\031\304\152\302\163\124\357\174\103\122\143\301\021\312 +\302\105\261\364\073\123\365\151\256\074\343\245\336\254\350\124 +\267\262\221\375\254\251\037\362\207\344\027\306\111\250\174\330 +\012\101\364\362\076\347\167\064\004\122\335\350\201\362\115\057 +\124\105\235\025\341\117\314\345\336\064\127\020\311\043\162\027 +\160\215\120\160\037\126\154\314\271\377\072\132\117\143\172\303 +\156\145\007\035\204\241\377\251\014\143\211\155\262\100\210\071 +\327\037\167\150\265\374\234\325\326\147\151\133\250\164\333\374 +\211\366\033\062\367\244\044\246\166\267\107\123\357\215\111\217 +\251\266\203\132\245\226\220\105\141\365\336\003\117\046\017\250 +\213\360\003\226\260\254\025\320\161\132\152\173\224\346\160\223 +\332\361\151\340\262\142\115\236\217\377\211\235\233\135\315\105 +\351\224\002\042\215\340\065\177\350\361\004\171\161\154\124\203 +\370\063\271\005\062\033\130\125\021\117\320\345\047\107\161\354 +\355\332\147\326\142\246\113\115\017\151\242\311\274\354\042\113 +\224\307\150\224\027\176\342\216\050\076\266\306\352\365\064\154 +\237\067\210\007\070\333\206\161\372\315\225\110\103\156\243\117 +\202\207\327\064\230\156\113\223\171\140\165\151\017\360\032\325 +\123\372\041\014\302\077\351\077\037\030\214\222\135\170\247\166 +\147\031\273\262\352\177\351\160\011\126\126\243\260\014\013\055 +\066\136\305\351\304\325\203\313\206\027\227\054\154\023\157\207 +\132\257\111\246\035\333\315\070\004\056\137\342\112\065\016\055 +\113\370\242\044\004\215\330\341\143\136\002\222\064\332\230\141 +\134\034\157\130\166\144\263\374\002\270\365\235\012 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "D-TRUST EV Root CA 2 2023" +# Issuer: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Serial Number:69:26:09:7e:80:4b:4c:a0:a7:8c:78:62:53:5f:5a:6f +# Subject: CN=D-TRUST EV Root CA 2 2023,O=D-Trust GmbH,C=DE +# Not Valid Before: Tue May 09 09:10:33 2023 +# Not Valid After : Sun May 09 09:10:32 2038 +# Fingerprint (SHA-256): 8E:82:21:B2:E7:D4:00:78:36:A1:67:2F:0D:CC:29:9C:33:BC:07:D3:16:F1:32:FA:1A:20:6D:58:71:50:F1:CE +# Fingerprint (SHA1): A5:5B:D8:47:6C:8F:19:F7:4C:F4:6D:6B:B6:C2:79:82:22:DF:54:8B +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "D-TRUST EV Root CA 2 2023" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\245\133\330\107\154\217\031\367\114\364\155\153\266\302\171\202 +\042\337\124\213 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\226\264\170\011\360\011\313\167\353\273\033\115\157\066\274\266 +END +CKA_ISSUER MULTILINE_OCTAL +\060\110\061\013\060\011\006\003\125\004\006\023\002\104\105\061 +\025\060\023\006\003\125\004\012\023\014\104\055\124\162\165\163 +\164\040\107\155\142\110\061\042\060\040\006\003\125\004\003\023 +\031\104\055\124\122\125\123\124\040\105\126\040\122\157\157\164 +\040\103\101\040\062\040\062\060\062\063 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\151\046\011\176\200\113\114\240\247\214\170\142\123\137 +\132\157 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE diff --git a/nss/lib/ckfw/builtins/nssckbi.h b/nss/lib/ckfw/builtins/nssckbi.h index 224659db..876c5481 100644 --- a/nss/lib/ckfw/builtins/nssckbi.h +++ b/nss/lib/ckfw/builtins/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 70 -#define NSS_BUILTINS_LIBRARY_VERSION "2.70" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74 +#define NSS_BUILTINS_LIBRARY_VERSION "2.74" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/nss/lib/cryptohi/seckey.c b/nss/lib/cryptohi/seckey.c index 4272ea31..5bd3ac08 100644 --- a/nss/lib/cryptohi/seckey.c +++ b/nss/lib/cryptohi/seckey.c @@ -1139,12 +1139,21 @@ SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk) case rsaKey: case rsaPssKey: case rsaOaepKey: - /* some tokens don't export CKA_MODULUS on the private key, - * PK11_SignatureLen works around this if necessary */ - bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; - if (bitSize == -1) { - bitSize = 0; + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_MODULUS, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + /* some tokens don't export CKA_MODULUS on the private key, + * PK11_SignatureLen works around this if necessary. This + * method is less percise because it returns bytes instead + * of bits, so we only do it if we can't get the modulus */ + bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; + if (bitSize == -1) { + return 0; + } + return bitSize; } + bitSize = SECKEY_BigIntegerBitLength(¶ms); + PORT_Free(params.data); return bitSize; case dsaKey: case fortezzaKey: diff --git a/nss/lib/dev/devutil.c b/nss/lib/dev/devutil.c index 302a6b56..50b2b07c 100644 --- a/nss/lib/dev/devutil.c +++ b/nss/lib/dev/devutil.c @@ -577,9 +577,11 @@ get_token_objects_for_cache( } else { PRUint32 j; for (j = 0; j < i; j++) { - /* Any token references that were removed in successful loop iterations - * need to be restored before we call nssCryptokiObjectArray_Destroy */ - nssToken_AddRef(cache->objects[objectType][j]->object->token); + /* Objects that were successfully added to the cache do not own a + * token reference (they share a reference with the cache itself). + * Nulling out the pointer here prevents the token's refcount + * from being decremented in nssCryptokiObject_Destroy */ + cache->objects[objectType][j]->object->token = NULL; nssArena_Destroy(cache->objects[objectType][j]->arena); } nss_ZFreeIf(cache->objects[objectType]); diff --git a/nss/lib/freebl/aeskeywrap.c b/nss/lib/freebl/aeskeywrap.c index 09c0667c..a3fe484e 100644 --- a/nss/lib/freebl/aeskeywrap.c +++ b/nss/lib/freebl/aeskeywrap.c @@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext *cx, unsigned char *output, PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen); rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv, outLen); - PORT_Memset(iv, 0, sizeof(iv)); + PORT_SafeZero(iv, sizeof(iv)); return rv; } @@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext *cx, unsigned char *output, PORT_ZFree(newBuf, paddedInputLen); /* a little overkill, we only need to clear out the length, but this * is easier to verify we got it all */ - PORT_Memset(iv, 0, sizeof(iv)); + PORT_SafeZero(iv, sizeof(iv)); return rv; } @@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext *cx, unsigned char *output, loser: /* if we failed, make sure we don't return any data to the user */ if ((rv != SECSuccess) && (output == newBuf)) { - PORT_Memset(newBuf, 0, paddedLen); + PORT_SafeZero(newBuf, paddedLen); } /* clear out CSP sensitive data from the heap and stack */ if (allocBuf) { PORT_ZFree(allocBuf, paddedLen); } - PORT_Memset(iv, 0, sizeof(iv)); + PORT_SafeZero(iv, sizeof(iv)); return rv; } diff --git a/nss/lib/freebl/blapii.h b/nss/lib/freebl/blapii.h index a34ad28a..f54a740e 100644 --- a/nss/lib/freebl/blapii.h +++ b/nss/lib/freebl/blapii.h @@ -113,10 +113,10 @@ PRBool ppc_crypto_support(); #ifdef NSS_FIPS_DISABLED #define BLAPI_CLEAR_STACK(stack_size) #else -#define BLAPI_CLEAR_STACK(stack_size) \ - { \ - volatile char _stkclr[stack_size]; \ - PORT_Memset((void *)&_stkclr[0], 0, stack_size); \ +#define BLAPI_CLEAR_STACK(stack_size) \ + { \ + volatile char _stkclr[stack_size]; \ + PORT_SafeZero((void *)&_stkclr[0], stack_size); \ } #endif diff --git a/nss/lib/freebl/config.mk b/nss/lib/freebl/config.mk index a4182a41..6daf2cfd 100644 --- a/nss/lib/freebl/config.mk +++ b/nss/lib/freebl/config.mk @@ -90,4 +90,8 @@ ifeq ($(OS_ARCH), Darwin) EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib endif +ifdef NSS_FIPS_140_3 +DEFINES += -DNSS_FIPS_140_3 +endif + endif diff --git a/nss/lib/freebl/dh.c b/nss/lib/freebl/dh.c index bdd5dd63..1c8e75fb 100644 --- a/nss/lib/freebl/dh.c +++ b/nss/lib/freebl/dh.c @@ -445,7 +445,7 @@ KEA_PrimeCheck(SECItem *prime) PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) { - mp_int p, q, y, r; + mp_int p, q, y, r, psub1; mp_err err; int cmp = 1; /* default is false */ if (!Y || !prime || !subPrime) { @@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) MP_DIGITS(&q) = 0; MP_DIGITS(&y) = 0; MP_DIGITS(&r) = 0; + MP_DIGITS(&psub1) = 0; CHECK_MPI_OK(mp_init(&p)); CHECK_MPI_OK(mp_init(&q)); CHECK_MPI_OK(mp_init(&y)); CHECK_MPI_OK(mp_init(&r)); + CHECK_MPI_OK(mp_init(&psub1)); SECITEM_TO_MPINT(*prime, &p); SECITEM_TO_MPINT(*subPrime, &q); SECITEM_TO_MPINT(*Y, &y); + CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); + /* + * We check that the public value isn't zero (which isn't in the + * group), one (subgroup of order one) or p-1 (subgroup of order 2). We + * also check that the public value is less than p, to avoid being fooled + * by values like p+1 or 2*p-1. + * This check is required by SP-800-56Ar3. It's also done in derive, + * but this is only called in various FIPS cases, so put it here to help + * reviewers find it. + */ + if (mp_cmp_d(&y, 1) <= 0 || + mp_cmp(&y, &psub1) >= 0) { + err = MP_BADARG; + goto cleanup; + } /* compute r = y**q mod p */ CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); /* compare to 1 */ @@ -472,6 +489,7 @@ KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) mp_clear(&q); mp_clear(&y); mp_clear(&r); + mp_clear(&psub1); if (err) { MP_TO_SEC_ERROR(err); return PR_FALSE; diff --git a/nss/lib/freebl/drbg.c b/nss/lib/freebl/drbg.c index 1fe60729..70504f2e 100644 --- a/nss/lib/freebl/drbg.c +++ b/nss/lib/freebl/drbg.c @@ -135,7 +135,7 @@ prng_Hash_df(PRUint8 *requested_bytes, unsigned int no_of_bytes_to_return, unsigned int hash_return_len; SHA256_Begin(&ctx); SHA256_Update(&ctx, &counter, 1); - SHA256_Update(&ctx, (unsigned char *)&tmp, sizeof tmp); + SHA256_Update(&ctx, (unsigned char *)&tmp, sizeof(tmp)); SHA256_Update(&ctx, input_string_1, input_string_1_len); if (input_string_2) { SHA256_Update(&ctx, input_string_2, input_string_2_len); @@ -168,7 +168,8 @@ prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len) } prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0); rng->V_type = prngCGenerateType; - prng_Hash_df(rng->C, sizeof rng->C, rng->V_Data, sizeof rng->V_Data, NULL, 0); + prng_Hash_df(rng->C, sizeof(rng->C), rng->V_Data, sizeof(rng->V_Data), + NULL, 0); PRNG_RESET_RESEED_COUNT(rng) return SECSuccess; } @@ -197,7 +198,7 @@ prng_initEntropy(void) SHA256_Update(&ctx, block, sizeof(block)); SHA256_End(&ctx, globalrng->previousEntropyHash, NULL, sizeof(globalrng->previousEntropyHash)); - PORT_Memset(block, 0, sizeof(block)); + PORT_SafeZero(block, sizeof(block)); SHA256_DestroyContext(&ctx, PR_FALSE); return PR_SUCCESS; } @@ -246,8 +247,8 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength) } out: - PORT_Memset(hash, 0, sizeof hash); - PORT_Memset(block, 0, sizeof block); + PORT_SafeZero(hash, sizeof(hash)); + PORT_SafeZero(block, sizeof(block)); return rv; } @@ -262,14 +263,14 @@ static SECStatus prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len, const PRUint8 *additional_input, unsigned int additional_input_len) { - PRUint8 noiseData[(sizeof rng->V_Data) + PRNG_SEEDLEN]; + PRUint8 noiseData[(sizeof(rng->V_Data)) + PRNG_SEEDLEN]; PRUint8 *noise = &noiseData[0]; SECStatus rv; /* if entropy wasn't supplied, fetch it. (normal operation case) */ if (entropy == NULL) { entropy_len = PRNG_SEEDLEN; - rv = prng_getEntropy(&noiseData[sizeof rng->V_Data], entropy_len); + rv = prng_getEntropy(&noiseData[sizeof(rng->V_Data)], entropy_len); if (rv != SECSuccess) { return SECFailure; /* error is already set */ } @@ -277,12 +278,12 @@ prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len, /* NOTE: this code is only available for testing, not to applications */ /* if entropy was too big for the stack variable, get it from malloc */ if (entropy_len > PRNG_SEEDLEN) { - noise = PORT_Alloc(entropy_len + (sizeof rng->V_Data)); + noise = PORT_Alloc(entropy_len + (sizeof(rng->V_Data))); if (noise == NULL) { return SECFailure; } } - PORT_Memcpy(&noise[sizeof rng->V_Data], entropy, entropy_len); + PORT_Memcpy(&noise[sizeof(rng->V_Data)], entropy, entropy_len); } if (entropy_len < 256 / PR_BITS_PER_BYTE) { @@ -292,13 +293,14 @@ prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len, } rng->V_type = prngReseedType; - PORT_Memcpy(noise, rng->V_Data, sizeof rng->V_Data); - prng_Hash_df(V(rng), VSize(rng), noise, (sizeof rng->V_Data) + entropy_len, + PORT_Memcpy(noise, rng->V_Data, sizeof(rng->V_Data)); + prng_Hash_df(V(rng), VSize(rng), noise, (sizeof(rng->V_Data)) + entropy_len, additional_input, additional_input_len); /* clear potential CSP */ - PORT_Memset(noise, 0, (sizeof rng->V_Data) + entropy_len); + PORT_Memset(noise, 0, (sizeof(rng->V_Data)) + entropy_len); rng->V_type = prngCGenerateType; - prng_Hash_df(rng->C, sizeof rng->C, rng->V_Data, sizeof rng->V_Data, NULL, 0); + prng_Hash_df(rng->C, sizeof(rng->C), rng->V_Data, sizeof(rng->V_Data), + NULL, 0); PRNG_RESET_RESEED_COUNT(rng) if (noise != &noiseData[0]) { @@ -379,7 +381,7 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, unsigned int carry; SHA256_Begin(&ctx); - SHA256_Update(&ctx, data, sizeof data); + SHA256_Update(&ctx, data, sizeof(data)); SHA256_End(&ctx, thisHash, &len, SHA256_LENGTH); if (no_of_returned_bytes < SHA256_LENGTH) { len = no_of_returned_bytes; @@ -390,11 +392,11 @@ prng_Hashgen(RNGContext *rng, PRUint8 *returned_bytes, /* The carry parameter is a bool (increment or not). * This increments data if no_of_returned_bytes is not zero */ carry = no_of_returned_bytes; - PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry); + PRNG_ADD_CARRY_ONLY(data, (sizeof(data)) - 1, carry); SHA256_DestroyContext(&ctx, PR_FALSE); } - PORT_Memset(data, 0, sizeof data); - PORT_Memset(thisHash, 0, sizeof thisHash); + PORT_SafeZero(data, sizeof(data)); + PORT_SafeZero(thisHash, sizeof(thisHash)); } /* @@ -429,11 +431,11 @@ prng_generateNewBytes(RNGContext *rng, #define w H rng->V_type = prngAdditionalDataType; SHA256_Begin(&ctx); - SHA256_Update(&ctx, rng->V_Data, sizeof rng->V_Data); + SHA256_Update(&ctx, rng->V_Data, sizeof(rng->V_Data)); SHA256_Update(&ctx, additional_input, additional_input_len); - SHA256_End(&ctx, w, NULL, sizeof w); - PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof w, carry) - PORT_Memset(w, 0, sizeof w); + SHA256_End(&ctx, w, NULL, sizeof(w)); + PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), w, sizeof(w), carry) + PORT_Memset(w, 0, sizeof(w)); SHA256_DestroyContext(&ctx, PR_FALSE); #undef w } @@ -446,16 +448,16 @@ prng_generateNewBytes(RNGContext *rng, } /* advance our internal state... */ rng->V_type = prngGenerateByteType; - SHA256_HashBuf(H, rng->V_Data, sizeof rng->V_Data); - PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof H, carry) - PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof rng->C, carry); + SHA256_HashBuf(H, rng->V_Data, sizeof(rng->V_Data)); + PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), H, sizeof(H), carry) + PRNG_ADD_BITS(V(rng), VSize(rng), rng->C, sizeof(rng->C), carry); PRNG_ADD_BITS_AND_CARRY(V(rng), VSize(rng), rng->reseed_counter, - sizeof rng->reseed_counter, carry) + sizeof(rng->reseed_counter), carry) carry = 1; - PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry); + PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof(rng->reseed_counter)) - 1, carry); /* if the prng failed, don't return any output, signal softoken */ - PORT_Memset(H, 0, sizeof H); + PORT_SafeZero(H, sizeof(H)); if (!rng->isValid) { PORT_Memset(returned_bytes, 0, no_of_returned_bytes); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); @@ -491,17 +493,17 @@ rng_init(void) } /* Try to get some seed data for the RNG */ - rv = prng_getEntropy(bytes, sizeof bytes); + rv = prng_getEntropy(bytes, sizeof(bytes)); if (rv == SECSuccess) { /* if this is our first call, instantiate, otherwise reseed * prng_instantiate gets a new clean state, we want to mix * any previous entropy we may have collected */ if (V(globalrng)[0] == 0) { - rv = prng_instantiate(globalrng, bytes, sizeof bytes); + rv = prng_instantiate(globalrng, bytes, sizeof(bytes)); } else { - rv = prng_reseed_test(globalrng, bytes, sizeof bytes, NULL, 0); + rv = prng_reseed_test(globalrng, bytes, sizeof(bytes), NULL, 0); } - memset(bytes, 0, sizeof bytes); + memset(bytes, 0, sizeof(bytes)); } else { PZ_DestroyLock(globalrng->lock); globalrng->lock = NULL; @@ -532,20 +534,20 @@ rng_init(void) static void prng_freeRNGContext(RNGContext *rng) { - PRUint8 inputhash[VSize(rng) + (sizeof rng->C)]; + PRUint8 inputhash[VSize(rng) + (sizeof(rng->C))]; /* destroy context lock */ SKIP_AFTER_FORK(PZ_DestroyLock(globalrng->lock)); /* zero global RNG context except for C & V to preserve entropy */ - prng_Hash_df(inputhash, sizeof rng->C, rng->C, sizeof rng->C, NULL, 0); - prng_Hash_df(&inputhash[sizeof rng->C], VSize(rng), V(rng), VSize(rng), + prng_Hash_df(inputhash, sizeof(rng->C), rng->C, sizeof(rng->C), NULL, 0); + prng_Hash_df(&inputhash[sizeof(rng->C)], VSize(rng), V(rng), VSize(rng), NULL, 0); - memset(rng, 0, sizeof *rng); - memcpy(rng->C, inputhash, sizeof rng->C); - memcpy(V(rng), &inputhash[sizeof rng->C], VSize(rng)); + memset(rng, 0, sizeof(*rng)); + memcpy(rng->C, inputhash, sizeof(rng->C)); + memcpy(V(rng), &inputhash[sizeof(rng->C)], VSize(rng)); - memset(inputhash, 0, sizeof inputhash); + memset(inputhash, 0, sizeof(inputhash)); } /* @@ -621,7 +623,7 @@ RNG_RandomUpdate(const void *data, size_t bytes) if (bytes > sizeof(globalrng->additionalDataCache)) { rv = prng_reseed_test(globalrng, NULL, 0, data, (unsigned int)bytes); /* if we aren't going to fill or overflow the buffer, just cache it */ - } else if (bytes < ((sizeof globalrng->additionalDataCache) - globalrng->additionalAvail)) { + } else if (bytes < ((sizeof(globalrng->additionalDataCache)) - globalrng->additionalAvail)) { PORT_Memcpy(globalrng->additionalDataCache + globalrng->additionalAvail, data, bytes); globalrng->additionalAvail += (PRUint32)bytes; @@ -632,7 +634,7 @@ RNG_RandomUpdate(const void *data, size_t bytes) * remainder. We know the remainder will fit in the buffer because * we already handled the case where bytes > the size of the buffer. */ - size_t bufRemain = (sizeof globalrng->additionalDataCache) - globalrng->additionalAvail; + size_t bufRemain = (sizeof(globalrng->additionalDataCache)) - globalrng->additionalAvail; /* fill the rest of the buffer */ if (bufRemain) { PORT_Memcpy(globalrng->additionalDataCache + globalrng->additionalAvail, @@ -643,7 +645,7 @@ RNG_RandomUpdate(const void *data, size_t bytes) /* reseed from buffer */ rv = prng_reseed_test(globalrng, NULL, 0, globalrng->additionalDataCache, - sizeof globalrng->additionalDataCache); + sizeof(globalrng->additionalDataCache)); /* copy the rest into the cache */ PORT_Memcpy(globalrng->additionalDataCache, data, bytes); @@ -693,21 +695,21 @@ prng_GenerateGlobalRandomBytes(RNGContext *rng, * see if we have enough bytes to fulfill the request. */ if (len <= rng->dataAvail) { - memcpy(output, rng->data + ((sizeof rng->data) - rng->dataAvail), len); - memset(rng->data + ((sizeof rng->data) - rng->dataAvail), 0, len); + memcpy(output, rng->data + ((sizeof(rng->data)) - rng->dataAvail), len); + memset(rng->data + ((sizeof(rng->data)) - rng->dataAvail), 0, len); rng->dataAvail -= len; rv = SECSuccess; /* if we are asking for a small number of bytes, cache the rest of * the bytes */ - } else if (len < sizeof rng->data) { - rv = prng_generateNewBytes(rng, rng->data, sizeof rng->data, + } else if (len < sizeof(rng->data)) { + rv = prng_generateNewBytes(rng, rng->data, sizeof(rng->data), rng->additionalAvail ? rng->additionalDataCache : NULL, rng->additionalAvail); rng->additionalAvail = 0; if (rv == SECSuccess) { memcpy(output, rng->data, len); memset(rng->data, 0, len); - rng->dataAvail = (sizeof rng->data) - len; + rng->dataAvail = (sizeof(rng->data)) - len; } /* we are asking for lots of bytes, just ask the generator to pass them */ } else { @@ -858,7 +860,7 @@ PRNGTEST_Uninstantiate() PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } - PORT_Memset(&testContext, 0, sizeof testContext); + PORT_Memset(&testContext, 0, sizeof(testContext)); return SECSuccess; } @@ -943,31 +945,31 @@ PRNGTEST_RunHealthTests() /********************************************/ /* Generate random bytes with a known seed. */ /********************************************/ - rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy, + rng_status = PRNGTEST_Instantiate(entropy, sizeof(entropy), NULL, 0, NULL, 0); if (rng_status != SECSuccess) { /* Error set by PRNGTEST_Instantiate */ return SECFailure; } - rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0); + rng_status = PRNGTEST_Generate(result, sizeof(rng_known_result), NULL, 0); if ((rng_status != SECSuccess) || (PORT_Memcmp(result, rng_known_result, - sizeof rng_known_result) != 0)) { + sizeof(rng_known_result)) != 0)) { PRNGTEST_Uninstantiate(); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } - rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy, - additional_input, sizeof additional_input); + rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof(reseed_entropy), + additional_input, sizeof(additional_input)); if (rng_status != SECSuccess) { /* Error set by PRNG_Reseed */ PRNGTEST_Uninstantiate(); return SECFailure; } - rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0); + rng_status = PRNGTEST_Generate(result, sizeof(rng_reseed_result), NULL, 0); if ((rng_status != SECSuccess) || (PORT_Memcmp(result, rng_reseed_result, - sizeof rng_reseed_result) != 0)) { + sizeof(rng_reseed_result)) != 0)) { PRNGTEST_Uninstantiate(); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; @@ -981,13 +983,13 @@ PRNGTEST_RunHealthTests() return SECFailure; } /* This generate should now reseed */ - rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0); + rng_status = PRNGTEST_Generate(result, sizeof(rng_reseed_result), NULL, 0); if ((rng_status != SECSuccess) || /* NOTE we fail if the result is equal to the no_reseed_result. * no_reseed_result is the value we would have gotten if we didn't * do an automatic reseed in PRNGTEST_Generate */ (PORT_Memcmp(result, rng_no_reseed_result, - sizeof rng_no_reseed_result) == 0)) { + sizeof(rng_no_reseed_result)) == 0)) { PRNGTEST_Uninstantiate(); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; diff --git a/nss/lib/freebl/dsa.c b/nss/lib/freebl/dsa.c index b81d9a37..08ecae01 100644 --- a/nss/lib/freebl/dsa.c +++ b/nss/lib/freebl/dsa.c @@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest, err = MP_OKAY; signature->len = dsa_signature_len; cleanup: - PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN); + PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN); mp_clear(&p); mp_clear(&q); mp_clear(&g); @@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECItem *signature, const SECItem *digest) rv = dsa_SignDigest(key, signature, digest, kSeed); } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM && --retries > 0); - PORT_Memset(kSeed, 0, sizeof kSeed); + PORT_SafeZero(kSeed, sizeof kSeed); return rv; } @@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, const SECItem *signature, verified = SECSuccess; /* Signature verified. */ } cleanup: - PORT_Memset(localDigestData, 0, sizeof localDigestData); + PORT_SafeZero(localDigestData, sizeof localDigestData); mp_clear(&p); mp_clear(&q); mp_clear(&g); diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c index fab31004..303553fe 100644 --- a/nss/lib/freebl/ec.c +++ b/nss/lib/freebl/ec.c @@ -690,7 +690,7 @@ X25519_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey) return SECFailure; } - rv = method->pt_mul(publicKey, (SECItem *) privateKey, NULL); + rv = method->pt_mul(publicKey, (SECItem *)privateKey, NULL); return rv; } @@ -708,5 +708,5 @@ EC_DerivePublicKey(const SECItem *privateKey, const ECParams *ecParams, SECItem return SECFailure; } - return method->pt_mul(publicKey, (SECItem *) privateKey, NULL); + return method->pt_mul(publicKey, (SECItem *)privateKey, NULL); } diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c index d728867b..a2f63a6a 100644 --- a/nss/lib/freebl/gcm.c +++ b/nss/lib/freebl/gcm.c @@ -28,6 +28,10 @@ #define USE_ARM_GCM #endif +#if defined(__ARM_NEON) || defined(__ARM_NEON__) +#include +#endif + /* Forward declarations */ SECStatus gcm_HashInit_hw(gcmHashContext *ghash); SECStatus gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf); @@ -480,7 +484,7 @@ gcmHash_Final(gcmHashContext *ghash, unsigned char *outbuf, rv = SECSuccess; cleanup: - PORT_Memset(T, 0, sizeof(T)); + PORT_SafeZero(T, sizeof(T)); return rv; } @@ -596,15 +600,15 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher, if (rv != SECSuccess) { goto loser; } - PORT_Memset(H, 0, AES_BLOCK_SIZE); + PORT_SafeZero(H, AES_BLOCK_SIZE); gcm->ctr_context_init = PR_TRUE; return gcm; loser: - PORT_Memset(H, 0, AES_BLOCK_SIZE); + PORT_SafeZero(H, AES_BLOCK_SIZE); if (ghash && ghash->mem) { void *mem = ghash->mem; - PORT_Memset(ghash, 0, sizeof(gcmHashContext)); + PORT_SafeZero(ghash, sizeof(gcmHashContext)); PORT_Free(mem); } if (gcm) { @@ -613,6 +617,120 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher, return NULL; } +static inline unsigned int +load32_be(const unsigned char *p) +{ + return ((unsigned int)p[0]) << 24 | p[1] << 16 | p[2] << 8 | p[3]; +} + +static inline void +store32_be(unsigned char *p, const unsigned int c) +{ + p[0] = (unsigned char)(c >> 24); + p[1] = (unsigned char)(c >> 16); + p[2] = (unsigned char)(c >> 8); + p[3] = (unsigned char)c; +} + +static inline void +gcm_ctr_xor(unsigned char *target, const unsigned char *x, + const unsigned char *y, unsigned int count) +{ + for (unsigned int i = 0; i < count; i++) { + target[i] = x[i] ^ y[i]; + } +} + +static inline void +gcm_ctr_xor_block(unsigned char *target, const unsigned char *x, + const unsigned char *y) +{ +#if defined(__ARM_NEON) || defined(__ARM_NEON__) + vst1q_u8(target, veorq_u8(vld1q_u8(x), vld1q_u8(y))); +#else + gcm_ctr_xor(target, x, y, AES_BLOCK_SIZE); +#endif +} + +static SECStatus +gcm_CTR_Update(CTRContext *ctr, unsigned char *outbuf, + unsigned int *outlen, unsigned int maxout, + const unsigned char *inbuf, unsigned int inlen) +{ + PORT_Assert(ctr->counterBits == 32); + PORT_Assert(0 < ctr->bufPtr && ctr->bufPtr <= AES_BLOCK_SIZE); + + // The AES-GCM message length limit is 2^32 - 2 blocks. + const unsigned int blockLimit = 0xFFFFFFFEUL; + + unsigned char *const pCounter = ctr->counter + AES_BLOCK_SIZE - 4; + unsigned int counter = load32_be(pCounter); + + // Calculate the number of times that the counter has already been incremented. + unsigned char *const pCounterFirst = ctr->counterFirst + AES_BLOCK_SIZE - 4; + unsigned int ticks = (counter - load32_be(pCounterFirst)) & 0xFFFFFFFFUL; + + // Get the number of bytes of keystream that are available in the internal buffer. + const unsigned int bufBytes = AES_BLOCK_SIZE - ctr->bufPtr; + + // Calculate the number of times that we will increment the counter while + // encrypting inbuf. We can encrypt bufBytes bytes of the input without + // incrementing the counter. + unsigned int newTicks; + if (inlen < bufBytes) { + newTicks = 0; + } else if ((inlen - bufBytes) % AES_BLOCK_SIZE) { + newTicks = ((inlen - bufBytes) / AES_BLOCK_SIZE) + 1; + } else { + newTicks = ((inlen - bufBytes) / AES_BLOCK_SIZE); + } + + // Ensure that the counter will not exceed the limit. + if (ticks > blockLimit - newTicks) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + return SECFailure; + } + + *outlen = inlen; + if (maxout < inlen) { + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } + + if (bufBytes) { + unsigned int needed = PR_MIN(bufBytes, inlen); + gcm_ctr_xor(outbuf, inbuf, ctr->buffer + ctr->bufPtr, needed); + ctr->bufPtr += needed; + outbuf += needed; + inbuf += needed; + inlen -= needed; + PORT_Assert(inlen == 0 || ctr->bufPtr == AES_BLOCK_SIZE); + } + while (inlen >= AES_BLOCK_SIZE) { + unsigned int tmp; + SECStatus rv = (*ctr->cipher)(ctr->context, ctr->buffer, &tmp, AES_BLOCK_SIZE, + ctr->counter, AES_BLOCK_SIZE, AES_BLOCK_SIZE); + PORT_Assert(rv == SECSuccess); + (void)rv; + store32_be(pCounter, ++counter); + gcm_ctr_xor_block(outbuf, inbuf, ctr->buffer); + outbuf += AES_BLOCK_SIZE; + inbuf += AES_BLOCK_SIZE; + inlen -= AES_BLOCK_SIZE; + } + if (inlen) { + unsigned int tmp; + SECStatus rv = (*ctr->cipher)(ctr->context, ctr->buffer, &tmp, AES_BLOCK_SIZE, + ctr->counter, AES_BLOCK_SIZE, AES_BLOCK_SIZE); + PORT_Assert(rv == SECSuccess); + (void)rv; + store32_be(pCounter, ++counter); + gcm_ctr_xor(outbuf, inbuf, ctr->buffer, inlen); + ctr->bufPtr = inlen; + } + return SECSuccess; +} + SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen, unsigned int tagBits, const unsigned char *aad, @@ -670,8 +788,8 @@ gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen, /* calculate the final tag key. NOTE: gcm->tagKey is zero to start with. * if this assumption changes, we would need to explicitly clear it here */ PORT_Memset(gcm->tagKey, 0, sizeof(gcm->tagKey)); - rv = CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, AES_BLOCK_SIZE, - gcm->tagKey, AES_BLOCK_SIZE, AES_BLOCK_SIZE); + rv = gcm_CTR_Update(&gcm->ctr_context, gcm->tagKey, &tmp, AES_BLOCK_SIZE, + gcm->tagKey, AES_BLOCK_SIZE); if (rv != SECSuccess) { goto loser; } @@ -682,11 +800,11 @@ gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen, goto loser; } - PORT_Memset(&ctrParams, 0, sizeof ctrParams); + PORT_SafeZero(&ctrParams, sizeof ctrParams); return SECSuccess; loser: - PORT_Memset(&ctrParams, 0, sizeof ctrParams); + PORT_SafeZero(&ctrParams, sizeof ctrParams); if (freeCtr) { CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); } @@ -788,8 +906,8 @@ GCM_EncryptUpdate(GCMContext *gcm, unsigned char *outbuf, return SECFailure; } - rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, AES_BLOCK_SIZE); + rv = gcm_CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen); if (rv != SECSuccess) { return SECFailure; } @@ -866,13 +984,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf, if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ PORT_SetError(SEC_ERROR_BAD_DATA); - PORT_Memset(tag, 0, sizeof(tag)); + PORT_SafeZero(tag, sizeof(tag)); return SECFailure; } - PORT_Memset(tag, 0, sizeof(tag)); + PORT_SafeZero(tag, sizeof(tag)); /* finish the decryption */ - return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, AES_BLOCK_SIZE); + return gcm_CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen); } void @@ -1069,8 +1187,8 @@ GCM_EncryptAEAD(GCMContext *gcm, unsigned char *outbuf, tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; - rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, AES_BLOCK_SIZE); + rv = gcm_CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen); CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); if (rv != SECSuccess) { return SECFailure; @@ -1159,13 +1277,13 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigned char *outbuf, /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); PORT_SetError(SEC_ERROR_BAD_DATA); - PORT_Memset(tag, 0, sizeof(tag)); + PORT_SafeZero(tag, sizeof(tag)); return SECFailure; } - PORT_Memset(tag, 0, sizeof(tag)); + PORT_SafeZero(tag, sizeof(tag)); /* finish the decryption */ - rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, - inbuf, inlen, AES_BLOCK_SIZE); + rv = gcm_CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen); CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); return rv; } diff --git a/nss/lib/freebl/hmacct.c b/nss/lib/freebl/hmacct.c index a1b2ba35..2a5dc074 100644 --- a/nss/lib/freebl/hmacct.c +++ b/nss/lib/freebl/hmacct.c @@ -274,10 +274,10 @@ MAC(unsigned char *mdOut, hashObj->end(mdState, mdOut, mdOutLen, mdOutMax); hashObj->destroy(mdState, PR_TRUE); - PORT_Memset(lengthBytes, 0, sizeof lengthBytes); - PORT_Memset(hmacPad, 0, sizeof hmacPad); - PORT_Memset(firstBlock, 0, sizeof firstBlock); - PORT_Memset(macOut, 0, sizeof macOut); + PORT_SafeZero(lengthBytes, sizeof lengthBytes); + PORT_SafeZero(hmacPad, sizeof hmacPad); + PORT_SafeZero(firstBlock, sizeof firstBlock); + PORT_SafeZero(macOut, sizeof macOut); return SECSuccess; } diff --git a/nss/lib/freebl/intel-gcm-wrap.c b/nss/lib/freebl/intel-gcm-wrap.c index 5adbd81f..320f2dbe 100644 --- a/nss/lib/freebl/intel-gcm-wrap.c +++ b/nss/lib/freebl/intel-gcm-wrap.c @@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMContext *gcm, void intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) { - PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext)); + PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext)); if (freeit) { PORT_Free(gcm); } diff --git a/nss/lib/freebl/mpi/mpi-priv.h b/nss/lib/freebl/mpi/mpi-priv.h index 416a9f4f..00342482 100644 --- a/nss/lib/freebl/mpi/mpi-priv.h +++ b/nss/lib/freebl/mpi/mpi-priv.h @@ -90,14 +90,6 @@ extern const float s_logv_2[]; /* }}} */ -/* {{{ Comparison constants */ - -#define MP_LT -1 -#define MP_EQ 0 -#define MP_GT 1 - -/* }}} */ - /* {{{ private function declarations */ void s_mp_setz(mp_digit *dp, mp_size count); /* zero digits */ diff --git a/nss/lib/freebl/mpi/mpi.h b/nss/lib/freebl/mpi/mpi.h index 7c9cd5dd..e1ce6fca 100644 --- a/nss/lib/freebl/mpi/mpi.h +++ b/nss/lib/freebl/mpi/mpi.h @@ -45,6 +45,11 @@ SEC_BEGIN_PROTOS #define MP_UNDEF -5 /* answer is undefined */ #define MP_LAST_CODE MP_UNDEF +/* Comparison constants */ +#define MP_LT -1 +#define MP_EQ 0 +#define MP_GT 1 + typedef unsigned int mp_sign; typedef unsigned int mp_size; typedef int mp_err; diff --git a/nss/lib/freebl/ppc-gcm-wrap.c b/nss/lib/freebl/ppc-gcm-wrap.c index ac58744c..5deced14 100644 --- a/nss/lib/freebl/ppc-gcm-wrap.c +++ b/nss/lib/freebl/ppc-gcm-wrap.c @@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContext *gcm, void ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit) { - PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext)); + PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext)); if (freeit) { PORT_Free(gcm); } diff --git a/nss/lib/freebl/pqg.c b/nss/lib/freebl/pqg.c index 62d46b50..73ff5402 100644 --- a/nss/lib/freebl/pqg.c +++ b/nss/lib/freebl/pqg.c @@ -703,7 +703,7 @@ makePrimefromPrimesShaweTaylor( mp_clear(&a); mp_clear(&z); mp_clear(&two_length_minus_1); - PORT_Memset(x, 0, sizeof(x)); + PORT_SafeZero(x, sizeof(x)); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; @@ -859,7 +859,7 @@ makePrimefromSeedShaweTaylor( mp_clear(&c); mp_clear(&c0); mp_clear(&one); - PORT_Memset(x, 0, sizeof(x)); + PORT_SafeZero(x, sizeof(x)); if (err) { MP_TO_SEC_ERROR(err); rv = SECFailure; @@ -1072,7 +1072,7 @@ makePfromQandSeed( CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */ CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */ cleanup: - PORT_Memset(V_j, 0, sizeof V_j); + PORT_SafeZero(V_j, sizeof V_j); mp_clear(&W); mp_clear(&X); mp_clear(&c); @@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype, /* step 11. * return valid G */ cleanup: - PORT_Memset(data, 0, sizeof(data)); + PORT_SafeZero(data, sizeof(data)); if (hashcx) { hashobj->destroy(hashcx, PR_TRUE); } diff --git a/nss/lib/freebl/rijndael.c b/nss/lib/freebl/rijndael.c index cbd7eca4..f88d271c 100644 --- a/nss/lib/freebl/rijndael.c +++ b/nss/lib/freebl/rijndael.c @@ -1251,7 +1251,7 @@ AES_DestroyContext(AESContext *cx, PRBool freeit) cx->worker_cx = NULL; cx->destroy = NULL; } - PORT_Memset(cx, 0, sizeof(AESContext)); + PORT_SafeZero(cx, sizeof(AESContext)); if (freeit) { PORT_Free(mem); } else { diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c index 9ff059b2..23dde6eb 100644 --- a/nss/lib/freebl/rsa.c +++ b/nss/lib/freebl/rsa.c @@ -140,11 +140,11 @@ rsa_build_from_primes(const mp_int *p, const mp_int *q, /* at least one exponent must be given */ PORT_Assert(!(needPublicExponent && needPrivateExponent)); - /* 2. Compute phi = (p-1)*(q-1) */ + /* 2. Compute phi = lcm((p-1),(q-1)) */ CHECK_MPI_OK(mp_sub_d(p, 1, &psub1)); CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1)); + CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); if (needPublicExponent || needPrivateExponent) { - CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); /* 3. Compute d = e**-1 mod(phi) */ /* or e = d**-1 mod(phi) as necessary */ if (needPublicExponent) { @@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, const mp_int *q, goto cleanup; } + /* make sure we weren't passed in a d or e = 1 mod phi */ + /* just need to check d, because if one is = 1 mod phi, they both are */ + CHECK_MPI_OK(mp_mod(d, &phi, &tmp)); + if (mp_cmp_d(&tmp, 1) == MP_EQ) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; + goto cleanup; + } + /* 4. Compute exponent1 = d mod (p-1) */ CHECK_MPI_OK(mp_mod(d, &psub1, &tmp)); MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); @@ -1157,6 +1166,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPrivateKey *key, mp_int *m, mp_int *c) /* Perform a public key operation v = m ** e mod n */ CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v)); if (mp_cmp(&v, c) != 0) { + /* this error triggers a fips fatal error lock */ + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); rv = SECFailure; } cleanup: diff --git a/nss/lib/freebl/rsapkcs.c b/nss/lib/freebl/rsapkcs.c index 47706992..7f718648 100644 --- a/nss/lib/freebl/rsapkcs.c +++ b/nss/lib/freebl/rsapkcs.c @@ -978,14 +978,14 @@ rsa_GetHMACContext(const SECHashObject *hash, RSAPrivateKey *key, /* now create the hmac key */ hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE); if (hmac == NULL) { - PORT_Memset(keyHash, 0, sizeof(keyHash)); + PORT_SafeZero(keyHash, sizeof(keyHash)); return NULL; } HMAC_Begin(hmac); HMAC_Update(hmac, input, inputLen); rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash)); if (rv != SECSuccess) { - PORT_Memset(keyHash, 0, sizeof(keyHash)); + PORT_SafeZero(keyHash, sizeof(keyHash)); HMAC_Destroy(hmac, PR_TRUE); return NULL; } @@ -993,7 +993,7 @@ rsa_GetHMACContext(const SECHashObject *hash, RSAPrivateKey *key, * reuse the original context allocated above so we don't * need to allocate and free another one */ rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE); - PORT_Memset(keyHash, 0, sizeof(keyHash)); + PORT_SafeZero(keyHash, sizeof(keyHash)); if (rv != SECSuccess) { HMAC_Destroy(hmac, PR_TRUE); return NULL; @@ -1043,7 +1043,7 @@ rsa_HMACPrf(HMACContext *hmac, const char *label, int labelLen, return rv; } PORT_Memcpy(output, hmacLast, left); - PORT_Memset(hmacLast, 0, sizeof(hmacLast)); + PORT_SafeZero(hmacLast, sizeof(hmacLast)); } return rv; } @@ -1088,7 +1088,7 @@ rsa_GetErrorLength(HMACContext *hmac, int hashLen, int maxLegalLen) outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen), candidate, outLength); } - PORT_Memset(out, 0, sizeof(out)); + PORT_SafeZero(out, sizeof(out)); return outLength; } diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c index 20d13fec..4743eb46 100644 --- a/nss/lib/freebl/shvfy.c +++ b/nss/lib/freebl/shvfy.c @@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD, const SECHashObject *hashObj, /* verify the hash against the check file */ rv = DSA_VerifyDigest(key, signature, &hash); - PORT_Memset(hashBuf, 0, sizeof hashBuf); + PORT_SafeZero(hashBuf, sizeof hashBuf); return (rv == SECSuccess) ? PR_TRUE : PR_FALSE; } #endif @@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD, const SECHashObject *hashObj, if (rv == SECSuccess) { result = SECITEM_ItemsAreEqual(signature, &hash); } - PORT_Memset(hashBuf, 0, sizeof hashBuf); + PORT_SafeZero(hashBuf, sizeof hashBuf); return result; } @@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun) #ifndef NSS_STRICT_INTEGRITY DSAPublicKey key; - PORT_Memset(&key, 0, sizeof(key)); + PORT_SafeZero(&key, sizeof(key)); #endif /* If our integrity check was never ran or failed, fail any other @@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun) shFD = NULL; loser: - PORT_Memset(&header, 0, sizeof header); + PORT_SafeZero(&header, sizeof header); if (checkName != NULL) { PORT_Free(checkName); } diff --git a/nss/lib/freebl/stubs.c b/nss/lib/freebl/stubs.c index a79cf69a..4d22ea01 100644 --- a/nss/lib/freebl/stubs.c +++ b/nss/lib/freebl/stubs.c @@ -144,6 +144,7 @@ STUB_DECLARE(void, PORT_Free_Util, (void *ptr)); STUB_DECLARE(void, PORT_FreeArena_Util, (PLArenaPool * arena, PRBool zero)); STUB_DECLARE(int, PORT_GetError_Util, (void)); STUB_DECLARE(PLArenaPool *, PORT_NewArena_Util, (unsigned long chunksize)); +STUB_DECLARE(void, PORT_SafeZero, (void *p, size_t n)); STUB_DECLARE(void, PORT_SetError_Util, (int value)); STUB_DECLARE(void *, PORT_ZAlloc_Util, (size_t len)); STUB_DECLARE(void *, PORT_ZAllocAligned_Util, (size_t bytes, size_t alignment, void **mem)); @@ -488,6 +489,20 @@ PORT_GetError_stub(void) return errno; } +extern void +PORT_SafeZero(void *p, size_t n) +{ + STUB_SAFE_CALL2(PORT_SafeZero, p, n); + /* just use a generic call in the case where we are running + * standalone freebl */ + if (p != NULL) { + volatile unsigned char *__vl = (unsigned char *)p; + size_t __nl = n; + while (__nl--) + *__vl++ = 0; + } +} + extern void PORT_SetError_stub(int value) { diff --git a/nss/lib/freebl/stubs.h b/nss/lib/freebl/stubs.h index 58cb9d08..6f4a929a 100644 --- a/nss/lib/freebl/stubs.h +++ b/nss/lib/freebl/stubs.h @@ -27,6 +27,7 @@ #define PORT_FreeArena PORT_FreeArena_stub #define PORT_GetError PORT_GetError_stub #define PORT_NewArena PORT_NewArena_stub +#define PORT_SaveZero PORT_SaveZero_stub #define PORT_SetError PORT_SetError_stub #define PORT_ZAlloc PORT_ZAlloc_stub #define PORT_ZFree PORT_ZFree_stub diff --git a/nss/lib/freebl/sysrand.c b/nss/lib/freebl/sysrand.c index 814dd6e5..92c9769d 100644 --- a/nss/lib/freebl/sysrand.c +++ b/nss/lib/freebl/sysrand.c @@ -8,7 +8,9 @@ #include "seccomon.h" -#if defined(XP_UNIX) && defined(SEED_ONLY_DEV_URANDOM) +#if defined(XP_UNIX) && defined(NSS_FIPS_140_3) +#include "unix_fips140_3.c" +#elif defined(XP_UNIX) && defined(SEED_ONLY_DEV_URANDOM) #include "unix_urandom.c" #elif defined(XP_UNIX) #include "unix_rand.c" diff --git a/nss/lib/freebl/tlsprfalg.c b/nss/lib/freebl/tlsprfalg.c index 1e5e6788..e75a7918 100644 --- a/nss/lib/freebl/tlsprfalg.c +++ b/nss/lib/freebl/tlsprfalg.c @@ -82,8 +82,8 @@ TLS_P_hash(HASH_HashType hashType, const SECItem *secret, const char *label, /* clear out state so it's not left on the stack */ if (cx) HMAC_Destroy(cx, PR_TRUE); - PORT_Memset(state, 0, sizeof(state)); - PORT_Memset(outbuf, 0, sizeof(outbuf)); + PORT_SafeZero(state, sizeof(state)); + PORT_SafeZero(outbuf, sizeof(outbuf)); return rv; } diff --git a/nss/lib/freebl/unix_fips140_3.c b/nss/lib/freebl/unix_fips140_3.c new file mode 100644 index 00000000..b5cce082 --- /dev/null +++ b/nss/lib/freebl/unix_fips140_3.c @@ -0,0 +1,80 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include +#include +#include +#include "secerr.h" +#include "secrng.h" +#include "prprf.h" +#include +#include "prinit.h" + +#ifndef GRND_RANDOM +/* if you don't have get random, you'll need to add your platform specific + * support for FIPS 104-3 compliant random seed source here */ +PR_STATIC_ASSERT("You'll need to add our platform specific solution for FIPS 140-3 RNG" == NULL); +#endif + +/* syscall getentropy() is limited to retrieving 256 bytes */ +#define GETENTROPY_MAX_BYTES 256 + +void +RNG_SystemInfoForRNG(void) +{ + PRUint8 bytes[SYSTEM_RNG_SEED_COUNT]; + size_t numBytes = RNG_SystemRNG(bytes, SYSTEM_RNG_SEED_COUNT); + if (!numBytes) { + /* error is set */ + return; + } + RNG_RandomUpdate(bytes, numBytes); + PORT_SaveZero(bytes, sizeof(bytes)); +} + +static unsigned int rng_grndFlags = 0; +static PRCallOnceType rng_KernelFips; + +static PRStatus +rng_getKernelFips() +{ + if (NSS_GetSystemFIPSEnabled()) { + rng_grndFlags = GRND_RANDOM; + } + return PR_SUCCESS; +} + +size_t +RNG_SystemRNG(void *dest, size_t maxLen) +{ + + size_t fileBytes = 0; + unsigned char *buffer = dest; + ssize_t result; + + PR_CallOnce(&rng_KernelFips, rng_getKernelFips); + + while (fileBytes < maxLen) { + size_t getBytes = maxLen - fileBytes; + if (getBytes > GETENTROPY_MAX_BYTES) { + getBytes = GETENTROPY_MAX_BYTES; + } + /* FIP 140-3 requires full kernel reseeding for chained entropy sources + * so we need to use getrandom with GRND_RANDOM. + * getrandom returns -1 on failure, otherwise returns + * the number of bytes, which can be less than getBytes */ + result = getrandom(buffer, getBytes, rng_grndFlags); + if (result < 0) { + break; + } + fileBytes += result; + buffer += result; + } + if (fileBytes == maxLen) { /* success */ + return maxLen; + } + /* in FIPS 104-3 we don't fallback, just fail */ + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; +} diff --git a/nss/lib/freebl/unix_urandom.c b/nss/lib/freebl/unix_urandom.c index 73006cdb..3f92920b 100644 --- a/nss/lib/freebl/unix_urandom.c +++ b/nss/lib/freebl/unix_urandom.c @@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void) return; } RNG_RandomUpdate(bytes, numBytes); - PORT_Memset(bytes, 0, sizeof bytes); + PORT_SafeZero(bytes, sizeof bytes); } size_t @@ -41,6 +41,9 @@ RNG_SystemRNG(void *dest, size_t maxLen) if (getBytes > GETENTROPY_MAX_BYTES) { getBytes = GETENTROPY_MAX_BYTES; } + + /* get entropy returns 0 on success and always return + * getBytes on success */ result = getentropy(buffer, getBytes); if (result == 0) { /* success */ fileBytes += getBytes; @@ -61,7 +64,7 @@ RNG_SystemRNG(void *dest, size_t maxLen) /* ENOSYS means the kernel doesn't support getentropy()/getrandom(). * Reset the number of bytes to get and fall back to /dev/urandom. */ fileBytes = 0; -#endif +#endif /* platorm has getentropy */ fd = open("/dev/urandom", O_RDONLY); if (fd < 0) { PORT_SetError(SEC_ERROR_NEED_RANDOM); diff --git a/nss/lib/freebl/verified/karamel/include/krml/fstar_int.h b/nss/lib/freebl/verified/karamel/include/krml/fstar_int.h index f96246f4..c7a5afb5 100644 --- a/nss/lib/freebl/verified/karamel/include/krml/fstar_int.h +++ b/nss/lib/freebl/verified/karamel/include/krml/fstar_int.h @@ -12,62 +12,48 @@ * * GCC, MSVC, and Clang implement a >> b as an arithmetic shift. * - * GCC: - * https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Integers-implementation.html#Integers-implementation - * MSVC: - * https://docs.microsoft.com/en-us/cpp/cpp/left-shift-and-right-shift-operators-input-and-output?view=vs-2019#right-shifts + * GCC: https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Integers-implementation.html#Integers-implementation + * MSVC: https://docs.microsoft.com/en-us/cpp/cpp/left-shift-and-right-shift-operators-input-and-output?view=vs-2019#right-shifts * Clang: tested that Clang 7, 8 and 9 compile this to an arithmetic shift * * We implement arithmetic shift right simply as >> in these compilers * and bail out in others. */ -#if !(defined(_MSC_VER) || defined(__GNUC__) || \ - (defined(__clang__) && (__clang_major__ >= 7))) +#if !(defined(_MSC_VER) || defined(__GNUC__) || (defined(__clang__) && (__clang_major__ >= 7))) static inline int8_t FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b) { do { - KRML_HOST_EPRINTF( - "Could not identify compiler so could not provide an implementation of " - "signed arithmetic shift right.\n"); + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); KRML_HOST_EXIT(255); } while (0); } static inline int16_t -FStar_Int16_shift_arithmetic_right(int16_t a, - uint32_t b) +FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b) { do { - KRML_HOST_EPRINTF( - "Could not identify compiler so could not provide an implementation of " - "signed arithmetic shift right.\n"); + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); KRML_HOST_EXIT(255); } while (0); } static inline int32_t -FStar_Int32_shift_arithmetic_right(int32_t a, - uint32_t b) +FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b) { do { - KRML_HOST_EPRINTF( - "Could not identify compiler so could not provide an implementation of " - "signed arithmetic shift right.\n"); + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); KRML_HOST_EXIT(255); } while (0); } static inline int64_t -FStar_Int64_shift_arithmetic_right(int64_t a, - uint32_t b) +FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b) { do { - KRML_HOST_EPRINTF( - "Could not identify compiler so could not provide an implementation of " - "signed arithmetic shift right.\n"); + KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n"); KRML_HOST_EXIT(255); } while (0); } @@ -81,22 +67,19 @@ FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b) } static inline int16_t -FStar_Int16_shift_arithmetic_right(int16_t a, - uint32_t b) +FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b) { return (a >> b); } static inline int32_t -FStar_Int32_shift_arithmetic_right(int32_t a, - uint32_t b) +FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b) { return (a >> b); } static inline int64_t -FStar_Int64_shift_arithmetic_right(int64_t a, - uint32_t b) +FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b) { return (a >> b); } diff --git a/nss/lib/freebl/verified/karamel/include/krml/internal/compat.h b/nss/lib/freebl/verified/karamel/include/krml/internal/compat.h index 27ff0e3b..964d1c52 100644 --- a/nss/lib/freebl/verified/karamel/include/krml/internal/compat.h +++ b/nss/lib/freebl/verified/karamel/include/krml/internal/compat.h @@ -17,15 +17,16 @@ typedef struct { typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int, krml_checked_int_t; -#define RETURN_OR(x) \ - do { \ - int64_t __ret = x; \ - if (__ret < INT32_MIN || INT32_MAX < __ret) { \ - KRML_HOST_PRINTF("Prims.{int,nat,pos} integer overflow at %s:%d\n", \ - __FILE__, __LINE__); \ - KRML_HOST_EXIT(252); \ - } \ - return (int32_t)__ret; \ +#define RETURN_OR(x) \ + do { \ + int64_t __ret = x; \ + if (__ret < INT32_MIN || INT32_MAX < __ret) { \ + KRML_HOST_PRINTF( \ + "Prims.{int,nat,pos} integer overflow at %s:%d\n", __FILE__, \ + __LINE__); \ + KRML_HOST_EXIT(252); \ + } \ + return (int32_t)__ret; \ } while (0) #endif diff --git a/nss/lib/freebl/verified/karamel/include/krml/internal/types.h b/nss/lib/freebl/verified/karamel/include/krml/internal/types.h index b2072512..2cf1887a 100644 --- a/nss/lib/freebl/verified/karamel/include/krml/internal/types.h +++ b/nss/lib/freebl/verified/karamel/include/krml/internal/types.h @@ -5,9 +5,9 @@ #define KRML_TYPES_H #include -#include #include #include +#include /* Types which are either abstract, meaning that have to be implemented in C, or * which are models, meaning that they are swapped out at compile-time for @@ -33,8 +33,7 @@ typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write; typedef void *FStar_Dyn_dyn; -typedef const char *C_String_t, *C_String_t_, *C_Compat_String_t, - *C_Compat_String_t_; +typedef const char *C_String_t, *C_String_t_, *C_Compat_String_t, *C_Compat_String_t_; typedef int exit_code; typedef FILE *channel; @@ -55,12 +54,15 @@ typedef const char *Prims_string; /* This code makes a number of assumptions and should be refined. In particular, * it assumes that: any non-MSVC amd64 compiler supports int128. Maybe it would * be easier to just test for defined(__SIZEOF_INT128__) only? */ -#if (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \ - (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ - defined(__s390x__) || \ - (defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \ - (defined(__mips__) && defined(__LP64__)) || \ - (defined(__riscv) && __riscv_xlen == 64) || defined(__SIZEOF_INT128__)) +#if (defined(__x86_64__) || \ + defined(__x86_64) || \ + defined(__aarch64__) || \ + (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ + defined(__s390x__) || \ + (defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \ + (defined(__mips__) && defined(__LP64__)) || \ + (defined(__riscv) && __riscv_xlen == 64) || \ + defined(__SIZEOF_INT128__)) #define HAS_INT128 1 #endif diff --git a/nss/lib/freebl/verified/karamel/include/krml/lowstar_endianness.h b/nss/lib/freebl/verified/karamel/include/krml/lowstar_endianness.h index 7d95b4cb..fa66dc8e 100644 --- a/nss/lib/freebl/verified/karamel/include/krml/lowstar_endianness.h +++ b/nss/lib/freebl/verified/karamel/include/krml/lowstar_endianness.h @@ -4,16 +4,15 @@ #ifndef __LOWSTAR_ENDIANNESS_H #define __LOWSTAR_ENDIANNESS_H -#include #include +#include /******************************************************************************/ /* Implementing C.fst (part 2: endian-ness macros) */ /******************************************************************************/ /* ... for Linux */ -#if defined(__linux__) || defined(__CYGWIN__) || \ - defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +#if defined(__linux__) || defined(__CYGWIN__) || defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) #include /* ... for OSX */ @@ -97,10 +96,8 @@ #define le64toh(x) (x) /* ... generic big-endian fallback code */ -/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always - * big-endian */ -#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \ - defined(_AIX) +/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always big-endian */ +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || defined(_AIX) /* byte swapping code inspired by: * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h diff --git a/nss/lib/freebl/verified/karamel/include/krmllib.h b/nss/lib/freebl/verified/karamel/include/krmllib.h index 80de5943..1f461f35 100644 --- a/nss/lib/freebl/verified/karamel/include/krmllib.h +++ b/nss/lib/freebl/verified/karamel/include/krmllib.h @@ -16,12 +16,13 @@ * argument "-bundle FStar.*"). You can then include the headers of your choice * one by one, using -add-early-include. */ -#include "krml/fstar_int.h" -#include "krml/internal/builtin.h" +#include "krml/internal/target.h" #include "krml/internal/callconv.h" +#include "krml/internal/builtin.h" #include "krml/internal/debug.h" -#include "krml/internal/target.h" #include "krml/internal/types.h" + #include "krml/lowstar_endianness.h" +#include "krml/fstar_int.h" #endif /* __KRMLLIB_H */ diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128.h index 1af0e8f6..b9dcb380 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128.h @@ -8,68 +8,61 @@ #include #include - #include "krml/internal/compat.h" -#include "krml/internal/target.h" -#include "krml/internal/types.h" #include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" -static inline FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_add_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_add_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_sub_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_sub_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_logand( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_logxor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_logor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_lognot( - FStar_UInt128_uint128 a); +static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a); -static inline FStar_UInt128_uint128 FStar_UInt128_shift_left( - FStar_UInt128_uint128 a, uint32_t s); +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s); -static inline FStar_UInt128_uint128 FStar_UInt128_shift_right( - FStar_UInt128_uint128 a, uint32_t s); +static inline FStar_UInt128_uint128 +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s); -static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b); +static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_eq_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); -static inline FStar_UInt128_uint128 FStar_UInt128_gte_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); +static inline FStar_UInt128_uint128 +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b); static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a); @@ -77,8 +70,7 @@ static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a); static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y); -static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, - uint64_t y); +static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y); #define __FStar_UInt128_H_DEFINED #endif diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h index 57cc6a30..e6d872c8 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt128_Verified.h @@ -6,18 +6,16 @@ #ifndef __FStar_UInt128_Verified_H #define __FStar_UInt128_Verified_H +#include "FStar_UInt_8_16_32_64.h" #include #include - -#include "FStar_UInt_8_16_32_64.h" -#include "krml/internal/target.h" #include "krml/internal/types.h" +#include "krml/internal/target.h" static inline uint64_t -FStar_UInt128_constant_time_carry(uint64_t a, - uint64_t b) +FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { - return (a ^ ((a ^ b) | ((a - b) ^ b))) >> 63U; + return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U; } static inline uint64_t @@ -27,8 +25,7 @@ FStar_UInt128_carry(uint64_t a, uint64_t b) } static inline FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low + b.low; @@ -37,8 +34,7 @@ FStar_UInt128_add(FStar_UInt128_uint128 a, } static inline FStar_UInt128_uint128 -FStar_UInt128_add_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low + b.low; @@ -47,8 +43,7 @@ FStar_UInt128_add_underspec( } static inline FStar_UInt128_uint128 -FStar_UInt128_add_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low + b.low; @@ -57,8 +52,7 @@ FStar_UInt128_add_mod( } static inline FStar_UInt128_uint128 -FStar_UInt128_sub(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low - b.low; @@ -67,8 +61,7 @@ FStar_UInt128_sub(FStar_UInt128_uint128 a, } static inline FStar_UInt128_uint128 -FStar_UInt128_sub_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low - b.low; @@ -77,8 +70,7 @@ FStar_UInt128_sub_underspec( } static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod_impl( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low - b.low; @@ -87,15 +79,13 @@ FStar_UInt128_sub_mod_impl( } static inline FStar_UInt128_uint128 -FStar_UInt128_sub_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return FStar_UInt128_sub_mod_impl(a, b); } static inline FStar_UInt128_uint128 -FStar_UInt128_logand( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low & b.low; @@ -104,8 +94,7 @@ FStar_UInt128_logand( } static inline FStar_UInt128_uint128 -FStar_UInt128_logxor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low ^ b.low; @@ -114,8 +103,7 @@ FStar_UInt128_logxor( } static inline FStar_UInt128_uint128 -FStar_UInt128_logor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low | b.low; @@ -124,8 +112,7 @@ FStar_UInt128_logor( } static inline FStar_UInt128_uint128 -FStar_UInt128_lognot( - FStar_UInt128_uint128 a) +FStar_UInt128_lognot(FStar_UInt128_uint128 a) { FStar_UInt128_uint128 lit; lit.low = ~a.low; @@ -133,29 +120,24 @@ FStar_UInt128_lognot( return lit; } -static uint32_t FStar_UInt128_u32_64 = 64U; +static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; static inline uint64_t -FStar_UInt128_add_u64_shift_left(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) { return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); } static inline uint64_t -FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) { return FStar_UInt128_add_u64_shift_left(hi, lo, s); } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left_small( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) { - if (s == 0U) { + if (s == (uint32_t)0U) { return a; } else { FStar_UInt128_uint128 lit; @@ -166,18 +148,16 @@ FStar_UInt128_shift_left_small( } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left_large( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) { FStar_UInt128_uint128 lit; - lit.low = 0ULL; + lit.low = (uint64_t)0U; lit.high = a.low << (s - FStar_UInt128_u32_64); return lit; } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_left( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { if (s < FStar_UInt128_u32_64) { return FStar_UInt128_shift_left_small(a, s); @@ -187,26 +167,21 @@ FStar_UInt128_shift_left( } static inline uint64_t -FStar_UInt128_add_u64_shift_right(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); } static inline uint64_t -FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) { return FStar_UInt128_add_u64_shift_right(hi, lo, s); } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right_small( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { - if (s == 0U) { + if (s == (uint32_t)0U) { return a; } else { FStar_UInt128_uint128 lit; @@ -217,18 +192,16 @@ FStar_UInt128_shift_right_small( } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right_large( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { FStar_UInt128_uint128 lit; lit.low = a.high >> (s - FStar_UInt128_u32_64); - lit.high = 0ULL; + lit.high = (uint64_t)0U; return lit; } static inline FStar_UInt128_uint128 -FStar_UInt128_shift_right( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) { if (s < FStar_UInt128_u32_64) { return FStar_UInt128_shift_right_small(a, s); @@ -238,81 +211,66 @@ FStar_UInt128_shift_right( } static inline bool -FStar_UInt128_eq(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.low == b.low && a.high == b.high; } static inline bool -FStar_UInt128_gt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high > b.high || (a.high == b.high && a.low > b.low); } static inline bool -FStar_UInt128_lt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high < b.high || (a.high == b.high && a.low < b.low); } static inline bool -FStar_UInt128_gte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high > b.high || (a.high == b.high && a.low >= b.low); } static inline bool -FStar_UInt128_lte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high < b.high || (a.high == b.high && a.low <= b.low); } static inline FStar_UInt128_uint128 -FStar_UInt128_eq_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; - lit.low = - FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - lit.high = - FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); return lit; } static inline FStar_UInt128_uint128 -FStar_UInt128_gte_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; - lit.low = (FStar_UInt64_gte_mask(a.high, b.high) & - ~FStar_UInt64_eq_mask(a.high, b.high)) | - (FStar_UInt64_eq_mask(a.high, b.high) & - FStar_UInt64_gte_mask(a.low, b.low)); - lit.high = (FStar_UInt64_gte_mask(a.high, b.high) & - ~FStar_UInt64_eq_mask(a.high, b.high)) | - (FStar_UInt64_eq_mask(a.high, b.high) & - FStar_UInt64_gte_mask(a.low, b.low)); + lit.low = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); + lit.high = + (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)); return lit; } static inline FStar_UInt128_uint128 -FStar_UInt128_uint64_to_uint128( - uint64_t a) +FStar_UInt128_uint64_to_uint128(uint64_t a) { FStar_UInt128_uint128 lit; lit.low = a; - lit.high = 0ULL; + lit.high = (uint64_t)0U; return lit; } static inline uint64_t -FStar_UInt128_uint128_to_uint64( - FStar_UInt128_uint128 a) +FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) { return a.low; } @@ -320,10 +278,10 @@ FStar_UInt128_uint128_to_uint64( static inline uint64_t FStar_UInt128_u64_mod_32(uint64_t a) { - return a & 0xffffffffULL; + return a & (uint64_t)0xffffffffU; } -static uint32_t FStar_UInt128_u32_32 = 32U; +static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U; static inline uint64_t FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) @@ -332,18 +290,14 @@ FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) } static inline FStar_UInt128_uint128 -FStar_UInt128_mul32(uint64_t x, - uint32_t y) +FStar_UInt128_mul32(uint64_t x, uint32_t y) { FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_u32_combine( - (x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), - FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); + lit.low = + FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32) * (uint64_t)y + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); lit.high = - ((x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) >> - FStar_UInt128_u32_32; + ((x >> FStar_UInt128_u32_32) * (uint64_t)y + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) >> FStar_UInt128_u32_32; return lit; } @@ -354,29 +308,19 @@ FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) } static inline FStar_UInt128_uint128 -FStar_UInt128_mul_wide(uint64_t x, - uint64_t y) +FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { FStar_UInt128_uint128 lit; - lit.low = FStar_UInt128_u32_combine_( - FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) + - FStar_UInt128_u64_mod_32( - (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + - (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> - FStar_UInt128_u32_32)), - FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * - FStar_UInt128_u64_mod_32(y))); - lit.high = (x >> FStar_UInt128_u32_32) * (y >> FStar_UInt128_u32_32) + - (((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + - (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> - FStar_UInt128_u32_32)) >> - FStar_UInt128_u32_32) + - ((FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) + - FStar_UInt128_u64_mod_32( - (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + - (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> - FStar_UInt128_u32_32))) >> - FStar_UInt128_u32_32); + lit.low = + FStar_UInt128_u32_combine_(FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)), + FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y))); + lit.high = + (x >> FStar_UInt128_u32_32) * (y >> FStar_UInt128_u32_32) + + (((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)) >> FStar_UInt128_u32_32) + + ((FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) + + FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32))) >> + FStar_UInt128_u32_32); return lit; } diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h index b9897eee..876cf842 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h @@ -8,11 +8,10 @@ #include #include - #include "krml/internal/compat.h" -#include "krml/internal/target.h" -#include "krml/internal/types.h" #include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" extern krml_checked_int_t FStar_UInt64_n; @@ -36,10 +35,10 @@ static KRML_NOINLINE uint64_t FStar_UInt64_eq_mask(uint64_t a, uint64_t b) { uint64_t x = a ^ b; - uint64_t minus_x = ~x + 1ULL; + uint64_t minus_x = ~x + (uint64_t)1U; uint64_t x_or_minus_x = x | minus_x; - uint64_t xnx = x_or_minus_x >> 63U; - return xnx - 1ULL; + uint64_t xnx = x_or_minus_x >> (uint32_t)63U; + return xnx - (uint64_t)1U; } static KRML_NOINLINE uint64_t @@ -52,8 +51,8 @@ FStar_UInt64_gte_mask(uint64_t a, uint64_t b) uint64_t x_sub_y_xor_y = x_sub_y ^ y; uint64_t q = x_xor_y | x_sub_y_xor_y; uint64_t x_xor_q = x ^ q; - uint64_t x_xor_q_ = x_xor_q >> 63U; - return x_xor_q_ - 1ULL; + uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U; + return x_xor_q_ - (uint64_t)1U; } extern Prims_string FStar_UInt64_to_string(uint64_t uu___); @@ -86,10 +85,10 @@ static KRML_NOINLINE uint32_t FStar_UInt32_eq_mask(uint32_t a, uint32_t b) { uint32_t x = a ^ b; - uint32_t minus_x = ~x + 1U; + uint32_t minus_x = ~x + (uint32_t)1U; uint32_t x_or_minus_x = x | minus_x; - uint32_t xnx = x_or_minus_x >> 31U; - return xnx - 1U; + uint32_t xnx = x_or_minus_x >> (uint32_t)31U; + return xnx - (uint32_t)1U; } static KRML_NOINLINE uint32_t @@ -102,8 +101,8 @@ FStar_UInt32_gte_mask(uint32_t a, uint32_t b) uint32_t x_sub_y_xor_y = x_sub_y ^ y; uint32_t q = x_xor_y | x_sub_y_xor_y; uint32_t x_xor_q = x ^ q; - uint32_t x_xor_q_ = x_xor_q >> 31U; - return x_xor_q_ - 1U; + uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U; + return x_xor_q_ - (uint32_t)1U; } extern Prims_string FStar_UInt32_to_string(uint32_t uu___); @@ -135,11 +134,11 @@ extern uint32_t FStar_UInt16_n_minus_one; static KRML_NOINLINE uint16_t FStar_UInt16_eq_mask(uint16_t a, uint16_t b) { - uint16_t x = (uint32_t)a ^ (uint32_t)b; - uint16_t minus_x = (uint32_t)~x + 1U; - uint16_t x_or_minus_x = (uint32_t)x | (uint32_t)minus_x; - uint16_t xnx = (uint32_t)x_or_minus_x >> 15U; - return (uint32_t)xnx - 1U; + uint16_t x = a ^ b; + uint16_t minus_x = ~x + (uint16_t)1U; + uint16_t x_or_minus_x = x | minus_x; + uint16_t xnx = x_or_minus_x >> (uint32_t)15U; + return xnx - (uint16_t)1U; } static KRML_NOINLINE uint16_t @@ -147,13 +146,13 @@ FStar_UInt16_gte_mask(uint16_t a, uint16_t b) { uint16_t x = a; uint16_t y = b; - uint16_t x_xor_y = (uint32_t)x ^ (uint32_t)y; - uint16_t x_sub_y = (uint32_t)x - (uint32_t)y; - uint16_t x_sub_y_xor_y = (uint32_t)x_sub_y ^ (uint32_t)y; - uint16_t q = (uint32_t)x_xor_y | (uint32_t)x_sub_y_xor_y; - uint16_t x_xor_q = (uint32_t)x ^ (uint32_t)q; - uint16_t x_xor_q_ = (uint32_t)x_xor_q >> 15U; - return (uint32_t)x_xor_q_ - 1U; + uint16_t x_xor_y = x ^ y; + uint16_t x_sub_y = x - y; + uint16_t x_sub_y_xor_y = x_sub_y ^ y; + uint16_t q = x_xor_y | x_sub_y_xor_y; + uint16_t x_xor_q = x ^ q; + uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U; + return x_xor_q_ - (uint16_t)1U; } extern Prims_string FStar_UInt16_to_string(uint16_t uu___); @@ -185,11 +184,11 @@ extern uint32_t FStar_UInt8_n_minus_one; static KRML_NOINLINE uint8_t FStar_UInt8_eq_mask(uint8_t a, uint8_t b) { - uint8_t x = (uint32_t)a ^ (uint32_t)b; - uint8_t minus_x = (uint32_t)~x + 1U; - uint8_t x_or_minus_x = (uint32_t)x | (uint32_t)minus_x; - uint8_t xnx = (uint32_t)x_or_minus_x >> 7U; - return (uint32_t)xnx - 1U; + uint8_t x = a ^ b; + uint8_t minus_x = ~x + (uint8_t)1U; + uint8_t x_or_minus_x = x | minus_x; + uint8_t xnx = x_or_minus_x >> (uint32_t)7U; + return xnx - (uint8_t)1U; } static KRML_NOINLINE uint8_t @@ -197,13 +196,13 @@ FStar_UInt8_gte_mask(uint8_t a, uint8_t b) { uint8_t x = a; uint8_t y = b; - uint8_t x_xor_y = (uint32_t)x ^ (uint32_t)y; - uint8_t x_sub_y = (uint32_t)x - (uint32_t)y; - uint8_t x_sub_y_xor_y = (uint32_t)x_sub_y ^ (uint32_t)y; - uint8_t q = (uint32_t)x_xor_y | (uint32_t)x_sub_y_xor_y; - uint8_t x_xor_q = (uint32_t)x ^ (uint32_t)q; - uint8_t x_xor_q_ = (uint32_t)x_xor_q >> 7U; - return (uint32_t)x_xor_q_ - 1U; + uint8_t x_xor_y = x ^ y; + uint8_t x_sub_y = x - y; + uint8_t x_sub_y_xor_y = x_sub_y ^ y; + uint8_t q = x_xor_y | x_sub_y_xor_y; + uint8_t x_xor_q = x ^ q; + uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U; + return x_xor_q_ - (uint8_t)1U; } extern Prims_string FStar_UInt8_to_string(uint8_t uu___); diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/LowStar_Endianness.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/LowStar_Endianness.h index 8e292758..a710d23d 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/LowStar_Endianness.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/LowStar_Endianness.h @@ -8,11 +8,10 @@ #include #include - #include "krml/internal/compat.h" -#include "krml/internal/target.h" -#include "krml/internal/types.h" #include "krml/lowstar_endianness.h" +#include "krml/internal/types.h" +#include "krml/internal/target.h" static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1); diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h index a5ef2557..51c23258 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_gcc64.h @@ -155,10 +155,10 @@ FStar_UInt128_eq_mask(uint128_t x, uint128_t y) inline static uint128_t FStar_UInt128_gte_mask(uint128_t x, uint128_t y) { - uint64_t mask = (FStar_UInt64_gte_mask(x >> 64, y >> 64) & - ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | - (FStar_UInt64_eq_mask(x >> 64, y >> 64) & - FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y)); + uint64_t mask = + (FStar_UInt64_gte_mask(x >> 64, y >> 64) & + ~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) | + (FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y)); return ((uint128_t)mask) << 64 | mask; } @@ -169,8 +169,7 @@ FStar_UInt128___proj__Mkuint128__item__low(uint128_t x) } inline static uint64_t -FStar_UInt128___proj__Mkuint128__item__high( - uint128_t x) +FStar_UInt128___proj__Mkuint128__item__high(uint128_t x) { return (uint64_t)(x >> 64); } diff --git a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h index 7f5298ae..e9b366e2 100644 --- a/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h +++ b/nss/lib/freebl/verified/karamel/krmllib/dist/minimal/fstar_uint128_msvc.h @@ -3,19 +3,17 @@ /* This file was generated by KaRaMeL * then hand-edited to use MSVC intrinsics KaRaMeL invocation: - * C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal - * -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir - * ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include - * "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims F* - * version: 15104ff8 KaRaMeL version: 318b7fa8 + * C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims + * F* version: 15104ff8 + * KaRaMeL version: 318b7fa8 */ #ifndef FSTAR_UINT128_MSVC #define FSTAR_UINT128_MSVC +#include "krml/internal/types.h" #include "FStar_UInt128.h" #include "FStar_UInt_8_16_32_64.h" -#include "krml/internal/types.h" #ifndef _MSC_VER #error This file only works with the MSVC compiler @@ -34,8 +32,8 @@ // Define .low and .high in terms of the __m128i fields, to reduce // the amount of churn in this file. #if HAS_OPTIMIZED -#include #include +#include #define low m128i_u64[0] #define high m128i_u64[1] #endif @@ -83,8 +81,7 @@ store128_be(uint8_t *b, uint128_t n) } inline static uint64_t -FStar_UInt128_constant_time_carry(uint64_t a, - uint64_t b) +FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b) { return (a ^ (a ^ b | a - b ^ b)) >> (uint32_t)63U; } @@ -96,8 +93,7 @@ FStar_UInt128_carry(uint64_t a, uint64_t b) } inline static FStar_UInt128_uint128 -FStar_UInt128_add(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED uint64_t l, h; @@ -115,8 +111,7 @@ FStar_UInt128_add(FStar_UInt128_uint128 a, } inline static FStar_UInt128_uint128 -FStar_UInt128_add_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return FStar_UInt128_add(a, b); @@ -129,8 +124,7 @@ FStar_UInt128_add_underspec( } inline static FStar_UInt128_uint128 -FStar_UInt128_add_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return FStar_UInt128_add(a, b); @@ -143,8 +137,7 @@ FStar_UInt128_add_mod( } inline static FStar_UInt128_uint128 -FStar_UInt128_sub(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED uint64_t l, h; @@ -161,8 +154,7 @@ FStar_UInt128_sub(FStar_UInt128_uint128 a, } inline static FStar_UInt128_uint128 -FStar_UInt128_sub_underspec( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return FStar_UInt128_sub(a, b); @@ -175,8 +167,7 @@ FStar_UInt128_sub_underspec( } inline static FStar_UInt128_uint128 -FStar_UInt128_sub_mod_impl( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { FStar_UInt128_uint128 lit; lit.low = a.low - b.low; @@ -185,8 +176,7 @@ FStar_UInt128_sub_mod_impl( } inline static FStar_UInt128_uint128 -FStar_UInt128_sub_mod( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return FStar_UInt128_sub(a, b); @@ -196,8 +186,7 @@ FStar_UInt128_sub_mod( } inline static FStar_UInt128_uint128 -FStar_UInt128_logand( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return _mm_and_si128(a, b); @@ -210,8 +199,7 @@ FStar_UInt128_logand( } inline static FStar_UInt128_uint128 -FStar_UInt128_logxor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return _mm_xor_si128(a, b); @@ -224,8 +212,7 @@ FStar_UInt128_logxor( } inline static FStar_UInt128_uint128 -FStar_UInt128_logor( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED return _mm_or_si128(a, b); @@ -238,8 +225,7 @@ FStar_UInt128_logor( } inline static FStar_UInt128_uint128 -FStar_UInt128_lognot( - FStar_UInt128_uint128 a) +FStar_UInt128_lognot(FStar_UInt128_uint128 a) { #if HAS_OPTIMIZED return _mm_andnot_si128(a, a); @@ -254,24 +240,19 @@ FStar_UInt128_lognot( static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U; inline static uint64_t -FStar_UInt128_add_u64_shift_left(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s) { - return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s)); + return (hi << s) + (lo >> FStar_UInt128_u32_64 - s); } inline static uint64_t -FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s) { return FStar_UInt128_add_u64_shift_left(hi, lo, s); } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left_small( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s) { if (s == (uint32_t)0U) return a; @@ -284,18 +265,16 @@ FStar_UInt128_shift_left_small( } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left_large( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s) { FStar_UInt128_uint128 lit; lit.low = (uint64_t)0U; - lit.high = a.low << (s - FStar_UInt128_u32_64); + lit.high = a.low << s - FStar_UInt128_u32_64; return lit; } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_left( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s) { #if HAS_OPTIMIZED if (s == 0) { @@ -316,24 +295,19 @@ FStar_UInt128_shift_left( } inline static uint64_t -FStar_UInt128_add_u64_shift_right(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s) { - return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s)); + return (lo >> s) + (hi << FStar_UInt128_u32_64 - s); } inline static uint64_t -FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, - uint64_t lo, - uint32_t s) +FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s) { return FStar_UInt128_add_u64_shift_right(hi, lo, s); } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right_small( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s) { if (s == (uint32_t)0U) return a; @@ -346,18 +320,16 @@ FStar_UInt128_shift_right_small( } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right_large( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s) { FStar_UInt128_uint128 lit; - lit.low = a.high >> (s - FStar_UInt128_u32_64); + lit.low = a.high >> s - FStar_UInt128_u32_64; lit.high = (uint64_t)0U; return lit; } inline static FStar_UInt128_uint128 -FStar_UInt128_shift_right( - FStar_UInt128_uint128 a, uint32_t s) +FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s) { #if HAS_OPTIMIZED if (s == 0) { @@ -378,43 +350,37 @@ FStar_UInt128_shift_right( } inline static bool -FStar_UInt128_eq(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.low == b.low && a.high == b.high; } inline static bool -FStar_UInt128_gt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high > b.high || a.high == b.high && a.low > b.low; } inline static bool -FStar_UInt128_lt(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high < b.high || a.high == b.high && a.low < b.low; } inline static bool -FStar_UInt128_gte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high > b.high || a.high == b.high && a.low >= b.low; } inline static bool -FStar_UInt128_lte(FStar_UInt128_uint128 a, - FStar_UInt128_uint128 b) +FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { return a.high < b.high || a.high == b.high && a.low <= b.low; } inline static FStar_UInt128_uint128 -FStar_UInt128_eq_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED // PCMPW to produce 4 32-bit values, all either 0x0 or 0xffffffff @@ -430,17 +396,14 @@ FStar_UInt128_eq_mask( return _mm_and_si128(ret64, s64); #else FStar_UInt128_uint128 lit; - lit.low = - FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); - lit.high = - FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); + lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high); return lit; #endif } inline static FStar_UInt128_uint128 -FStar_UInt128_gte_mask( - FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) +FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b) { #if HAS_OPTIMIZED && 0 // ge - compare 3,2,1,0 for >= and generating 0 or 0xffffffff for each @@ -462,15 +425,15 @@ FStar_UInt128_gte_mask( _mm_and_si128(eq0, _mm_and_si128(eq1, ge2)); // t2 = (eq0 & eq1 & ge2) ret = _mm_or_si128(ret, t2); __m128i eq2 = _mm_srli_si128(eq1, 4); // shift eq from 3,2,1,0 to 0x0,00,00,3 - __m128i ge3 = _mm_srli_si128( - ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3 + __m128i ge3 = + _mm_srli_si128(ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3 __m128i t3 = _mm_and_si128( eq0, _mm_and_si128( eq1, _mm_and_si128(eq2, ge3))); // t3 = (eq0 & eq1 & eq2 & ge3) ret = _mm_or_si128(ret, t3); return _mm_shuffle_epi32( - ret, _MM_SHUFFLE(0, 0, 0, - 0)); // the result is in 0. Shuffle into all dwords. + ret, + _MM_SHUFFLE(0, 0, 0, 0)); // the result is in 0. Shuffle into all dwords. #else FStar_UInt128_uint128 lit; lit.low = FStar_UInt64_gte_mask(a.high, b.high) & @@ -486,8 +449,7 @@ FStar_UInt128_gte_mask( } inline static FStar_UInt128_uint128 -FStar_UInt128_uint64_to_uint128( - uint64_t a) +FStar_UInt128_uint64_to_uint128(uint64_t a) { #if HAS_OPTIMIZED return _mm_set_epi64x(0, a); @@ -500,8 +462,7 @@ FStar_UInt128_uint64_to_uint128( } inline static uint64_t -FStar_UInt128_uint128_to_uint64( - FStar_UInt128_uint128 a) +FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a) { return a.low; } @@ -521,8 +482,7 @@ FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo) } inline static FStar_UInt128_uint128 -FStar_UInt128_mul32(uint64_t x, - uint32_t y) +FStar_UInt128_mul32(uint64_t x, uint32_t y) { #if HAS_OPTIMIZED uint64_t l, h; @@ -532,12 +492,13 @@ FStar_UInt128_mul32(uint64_t x, FStar_UInt128_uint128 lit; lit.low = FStar_UInt128_u32_combine( (x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32), + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32), FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y)); - lit.high = - (x >> FStar_UInt128_u32_32) * (uint64_t)y + - (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32) >> - FStar_UInt128_u32_32; + lit.high = (x >> FStar_UInt128_u32_32) * (uint64_t)y + + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> + FStar_UInt128_u32_32) >> + FStar_UInt128_u32_32; return lit; #endif } @@ -558,8 +519,8 @@ FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y) { K_quad tmp; tmp.fst = FStar_UInt128_u64_mod_32(x); - tmp.snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * - FStar_UInt128_u64_mod_32(y)); + tmp.snd = FStar_UInt128_u64_mod_32( + FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)); tmp.thd = x >> FStar_UInt128_u32_32; tmp.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> @@ -574,10 +535,10 @@ FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo) } inline static FStar_UInt128_uint128 -FStar_UInt128_mul_wide_impl(uint64_t x, - uint64_t y) +FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y) { - K_quad scrut = FStar_UInt128_mul_wide_impl_t_(x, y); + K_quad scrut = + FStar_UInt128_mul_wide_impl_t_(x, y); uint64_t u1 = scrut.fst; uint64_t w3 = scrut.snd; uint64_t x_ = scrut.thd; @@ -587,14 +548,13 @@ FStar_UInt128_mul_wide_impl(uint64_t x, u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3); lit.high = x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) + - ((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> + (u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >> FStar_UInt128_u32_32); return lit; } inline static FStar_UInt128_uint128 -FStar_UInt128_mul_wide(uint64_t x, - uint64_t y) +FStar_UInt128_mul_wide(uint64_t x, uint64_t y) { #if HAS_OPTIMIZED uint64_t l, h; diff --git a/nss/lib/mozpkix/include/pkix/Result.h b/nss/lib/mozpkix/include/pkix/Result.h index 5b788877..7e391d0e 100644 --- a/nss/lib/mozpkix/include/pkix/Result.h +++ b/nss/lib/mozpkix/include/pkix/Result.h @@ -180,6 +180,10 @@ static const unsigned int FATAL_ERROR_FLAG = 0x800; MOZILLA_PKIX_MAP(ERROR_SELF_SIGNED_CERT, 55, \ MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT) \ MOZILLA_PKIX_MAP(ERROR_MITM_DETECTED, 56, MOZILLA_PKIX_ERROR_MITM_DETECTED) \ + MOZILLA_PKIX_MAP(ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY, 57, \ + MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY) \ + MOZILLA_PKIX_MAP(ERROR_ISSUER_NO_LONGER_TRUSTED, 58, \ + MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED) \ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \ SEC_ERROR_INVALID_ARGS) \ MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \ diff --git a/nss/lib/mozpkix/include/pkix/pkixnss.h b/nss/lib/mozpkix/include/pkix/pkixnss.h index 54249b51..6711959e 100644 --- a/nss/lib/mozpkix/include/pkix/pkixnss.h +++ b/nss/lib/mozpkix/include/pkix/pkixnss.h @@ -94,6 +94,8 @@ enum ErrorCode { MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED = ERROR_BASE + 13, MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT = ERROR_BASE + 14, MOZILLA_PKIX_ERROR_MITM_DETECTED = ERROR_BASE + 15, + MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY = ERROR_BASE + 16, + MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED = ERROR_BASE + 17, END_OF_LIST }; diff --git a/nss/lib/mozpkix/lib/pkixnames.cpp b/nss/lib/mozpkix/lib/pkixnames.cpp index ef8d2655..7f31d5e3 100644 --- a/nss/lib/mozpkix/lib/pkixnames.cpp +++ b/nss/lib/mozpkix/lib/pkixnames.cpp @@ -1967,8 +1967,9 @@ IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards) } switch (b) { case '-': - if (labelLength == 0) { - return false; // Labels must not start with a hyphen. + // Only reference ID labels can start with a hyphen. + if (labelLength == 0 && idRole != IDRole::ReferenceID) { + return false; } labelIsAllNumeric = false; labelEndsWithHyphen = true; @@ -2028,8 +2029,9 @@ IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards) (idRole != IDRole::NameConstraint || !isFirstByte)) { return false; } - if (labelEndsWithHyphen) { - return false; // Labels must not end with a hyphen. + // Only reference ID labels can end with a hyphen. + if (labelEndsWithHyphen && idRole != IDRole::ReferenceID) { + return false; } labelLength = 0; break; @@ -2046,8 +2048,9 @@ IsValidDNSID(Input hostname, IDRole idRole, AllowWildcards allowWildcards) return false; } - if (labelEndsWithHyphen) { - return false; // Labels must not end with a hyphen. + // Only reference ID labels can end with a hyphen. + if (labelEndsWithHyphen && idRole != IDRole::ReferenceID) { + return false; } if (labelIsAllNumeric) { diff --git a/nss/lib/mozpkix/lib/pkixnss.cpp b/nss/lib/mozpkix/lib/pkixnss.cpp index 98575c85..606ef708 100644 --- a/nss/lib/mozpkix/lib/pkixnss.cpp +++ b/nss/lib/mozpkix/lib/pkixnss.cpp @@ -389,6 +389,13 @@ RegisterErrorTable() { "MOZILLA_PKIX_ERROR_MITM_DETECTED", "Your connection is being intercepted by a TLS proxy. Uninstall it if " "possible or configure your device to trust its root certificate." }, + { "MOZILLA_PKIX_ERROR_INSUFFICIENT_CERTIFICATE_TRANSPARENCY", + "The server presented insufficient certificate transparency information." + " Its certificate may not have been publicly disclosed, and it may have " + "been misissued." }, + { "MOZILLA_PKIX_ERROR_ISSUER_NO_LONGER_TRUSTED", + "The certificate was issued by a certificate authority that is no longer" + " trusted to issue new certificates." }, }; // Note that these error strings are not localizable. // When these strings change, update the localization information too. diff --git a/nss/lib/nss/nss.def b/nss/lib/nss/nss.def index 7c9bdda6..f9bb3fba 100644 --- a/nss/lib/nss/nss.def +++ b/nss/lib/nss/nss.def @@ -1270,3 +1270,17 @@ SECKEY_PrivateKeyStrengthInBits; ;+ local: ;+ *; ;+}; +;+NSS_3.107 { # NSS 3.107 release +;+ global: +SECMOD_LoadUserModuleWithFunction; +;+ local: +;+ *; +;+}; +;+NSS_3.110 { # NSS 3.110 release +;+ global: +SECMOD_FlagsToPolicyString; +SECMOD_PolicyStringToOid; +SECMOD_PolicyStringToOpt; +;+ local: +;+ *; +;+}; diff --git a/nss/lib/nss/nss.h b/nss/lib/nss/nss.h index b9a7a00d..b3bccd46 100644 --- a/nss/lib/nss/nss.h +++ b/nss/lib/nss/nss.h @@ -22,12 +22,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.105" _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.110" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 -#define NSS_VMINOR 105 +#define NSS_VMINOR 110 #define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_TRUE +#define NSS_BETA PR_FALSE #ifndef RC_INVOKED diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c index 0ad25c54..b143b715 100644 --- a/nss/lib/pk11wrap/pk11load.c +++ b/nss/lib/pk11wrap/pk11load.c @@ -387,19 +387,12 @@ CK_RV NSC_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args); #endif -/* - * load a new module into our address space and initialize it. - */ SECStatus -secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) +secmod_DetermineModuleFunctionList(SECMODModule *mod) { PRLibrary *library = NULL; CK_C_GetInterface ientry = NULL; CK_C_GetFunctionList fentry = NULL; - CK_INFO info; - CK_ULONG slotCount = 0; - SECStatus rv; - PRBool alreadyLoaded = PR_FALSE; char *disableUnload = NULL; #ifndef NSS_STATIC_SOFTOKEN const char *nss_interface; @@ -407,11 +400,6 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) #endif CK_INTERFACE_PTR interface; - if (mod->loaded) - return SECSuccess; - - mod->fipsIndicator = NULL; - /* internal modules get loaded from their internal list */ if (mod->internal && (mod->dllName == NULL)) { #ifdef NSS_STATIC_SOFTOKEN @@ -553,6 +541,25 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) } #endif + return SECSuccess; + +fail: + mod->functionList = NULL; + disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); + if (library && !disableUnload) { + PR_UnloadLibrary(library); + } + return SECFailure; +} + +SECStatus +secmod_InitializeModuleAndGetSlotInfo(SECMODModule *mod, SECMODModule **oldModule) +{ + CK_INFO info; + CK_ULONG slotCount = 0; + SECStatus rv; + PRBool alreadyLoaded = PR_FALSE; + /* This test operation makes sure our locking system is * consistent even if we are using non-thread safe tokens by * simulating unsafe tokens with safe ones. */ @@ -643,13 +650,80 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) } fail: mod->functionList = NULL; - disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); - if (library && !disableUnload) { - PR_UnloadLibrary(library); - } return SECFailure; } +/* + * load a new module into our address space and initialize it. + */ +SECStatus +secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) +{ + SECStatus rv = SECFailure; + if (mod->loaded) { + return SECSuccess; + } + + mod->fipsIndicator = NULL; + + rv = secmod_DetermineModuleFunctionList(mod); + if (rv != SECSuccess) { // The error code is set up by secmod_DetermineModuleFunctionList. + return rv; + } + + if (mod->loaded == PR_TRUE) { + return SECSuccess; + } + + rv = secmod_InitializeModuleAndGetSlotInfo(mod, oldModule); + if (rv != SECSuccess) { // The error code is set up by secmod_InitializeModuleAndGetSlotInfo + return rv; + } + + return SECSuccess; +} + +/* + * load a new module using provided fentry function + */ +SECStatus +secmod_LoadPKCS11ModuleFromFunction(SECMODModule *mod, SECMODModule **oldModule, + CK_C_GetFunctionList fentry) +{ + SECStatus rv = SECFailure; + CK_RV crv; + if (mod->loaded) { + return SECSuccess; + } + + mod->fipsIndicator = NULL; + + if (!fentry) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + crv = fentry((CK_FUNCTION_LIST_PTR *)&mod->functionList); + if (crv != CKR_OK) { + mod->functionList = NULL; + PORT_SetError(PK11_MapError(crv)); + return SECFailure; + } + + if (mod->functionList == NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + mod->flags = 0; + rv = secmod_InitializeModuleAndGetSlotInfo(mod, oldModule); + if (rv != SECSuccess) { + return rv; + } + + return SECSuccess; +} + SECStatus SECMOD_UnloadModule(SECMODModule *mod) { @@ -692,9 +766,9 @@ SECMOD_UnloadModule(SECMODModule *mod) } library = (PRLibrary *)mod->library; - /* paranoia */ + /* if no library, then we should not unload it */ if (library == NULL) { - return SECFailure; + return SECSuccess; } disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); diff --git a/nss/lib/pk11wrap/pk11mech.c b/nss/lib/pk11wrap/pk11mech.c index b98499fe..25e38da6 100644 --- a/nss/lib/pk11wrap/pk11mech.c +++ b/nss/lib/pk11wrap/pk11mech.c @@ -1719,10 +1719,19 @@ PK11_ParamToAlgid(SECOidTag algTag, SECItem *param, case CKM_JUNIPER_CBC128: case CKM_JUNIPER_COUNTER: case CKM_JUNIPER_SHUFFLE: - newParams = SEC_ASN1EncodeItem(NULL, NULL, param, - SEC_ASN1_GET(SEC_OctetStringTemplate)); - if (newParams == NULL) - break; + if (param && param->len > 0) { + newParams = SEC_ASN1EncodeItem(NULL, NULL, param, + SEC_ASN1_GET(SEC_OctetStringTemplate)); + if (newParams == NULL) + break; + } else { + /* if no parameters have been supplied, then use NULL params + * The SECOID_SetAlgorithmID encoder will encode that as no + * params (since params are optional) or with an explicit NULL + * (for some historical cases where explicit NULL is expected). + */ + newParams = NULL; + } rv = SECSuccess; break; } diff --git a/nss/lib/pk11wrap/pk11obj.c b/nss/lib/pk11wrap/pk11obj.c index 2581c477..de1e9216 100644 --- a/nss/lib/pk11wrap/pk11obj.c +++ b/nss/lib/pk11wrap/pk11obj.c @@ -555,6 +555,7 @@ PK11_SignatureLen(SECKEYPrivateKey *key) switch (key->keyType) { case rsaKey: + case rsaPssKey: val = PK11_GetPrivateModulusLen(key); if (val == -1) { return pk11_backupGetSignLength(key); @@ -2093,10 +2094,11 @@ PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE searchID, if ((theTemplate[0].ulValueLen == 0) || (theTemplate[0].ulValueLen == -1)) { PORT_DestroyCheapArena(&tmpArena); - if (matchclass == CKO_CERTIFICATE) + if (matchclass == CKO_CERTIFICATE) { PORT_SetError(SEC_ERROR_BAD_KEY); - else + } else { PORT_SetError(SEC_ERROR_NO_KEY); + } return CK_INVALID_HANDLE; } diff --git a/nss/lib/pk11wrap/pk11pars.c b/nss/lib/pk11wrap/pk11pars.c index 2d12806d..845e38d1 100644 --- a/nss/lib/pk11wrap/pk11pars.c +++ b/nss/lib/pk11wrap/pk11pars.c @@ -437,6 +437,8 @@ static const oidValDef kxOptList[] = { { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX }, { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX }, { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX }, + { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX }, + }; static const oidValDef smimeKxOptList[] = { @@ -793,6 +795,79 @@ secmod_getOperationString(NSSPolicyOperation operation) return "invalid"; } +/* Allow external applications fetch the policy oid based on the internal + * string mapping used by the configuration system. The search can be + * narrowed by supplying the name of the table (list) that the policy + * is on. The value 'Any' allows the policy to be searched on all lists */ +SECOidTag +SECMOD_PolicyStringToOid(const char *policy, const char *list) +{ + PRBool any = (PORT_Strcasecmp(list, "Any") == 0) ? PR_TRUE : PR_FALSE; + int len = PORT_Strlen(policy); + int i, j; + + for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) { + const algListsDef *algOptList = &algOptLists[i]; + if (any || (PORT_Strcasecmp(algOptList->description, list) == 0)) { + for (j = 0; j < algOptList->entries; j++) { + const oidValDef *algOpt = &algOptList->list[j]; + unsigned name_size = algOpt->name_size; + if (len == name_size && + PORT_Strcasecmp(algOpt->name, policy) == 0) { + return algOpt->oid; + } + } + } + } + return SEC_OID_UNKNOWN; +} + +/* Allow external applications fetch the NSS option based on the internal + * string mapping used by the configuration system. */ +PRUint32 +SECMOD_PolicyStringToOpt(const char *policy) +{ + int len = PORT_Strlen(policy); + int i; + + for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) { + const optionFreeDef *freeOpt = &freeOptList[i]; + unsigned name_size = freeOpt->name_size; + if (len == name_size && + PORT_Strcasecmp(freeOpt->name, policy) == 0) { + return freeOpt->option; + } + } + return 0; +} + +/* Allow external applications map policy flags to their string equivalance. + * Some strings represent more than one flag. If more than one flag is included + * the returned string is the string that contains any of the + * supplied flags unless exact is specified. If exact is specified, then the + * returned value matches all the included flags and only those flags. For + * Example: 'ALL-SIGNATURE' has the bits NSS_USE_ALG_IN_CERTSIGNATURE| + * NSS_USE_ALG_IN_SMIME_SIGNATURE|NSS_USE_ALG_IN_ANY_SIGNATURE. If you ask for + * NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SMIME_SIGNATURE and don't set + * exact, this function will return 'ALL-SIGNATURE' if you do set exact, you must + * include all three bits in value to get 'All-SIGNATURE'*/ +const char * +SECMOD_FlagsToPolicyString(PRUint32 val, PRBool exact) +{ + int i; + + for (i = 0; i < PR_ARRAY_SIZE(policyFlagList); i++) { + const policyFlagDef *policy = &policyFlagList[i]; + if (exact && (policy->flag == val)) { + return policy->name; + } + if (!exact && ((policy->flag & val) == policy->flag)) { + return policy->name; + } + } + return NULL; +} + static SECStatus secmod_applyCryptoPolicy(const char *policyString, NSSPolicyOperation operation, PRBool printPolicyFeedback, PRUint32 policyCheckFlags) @@ -2240,6 +2315,72 @@ SECMOD_LoadModule(char *modulespec, SECMODModule *parent, PRBool recurse) return module; } +SECMODModule * +SECMOD_LoadModuleWithFunction(const char *moduleName, CK_C_GetFunctionList fentry) +{ + SECMODModule *module = NULL; + SECMODModule *oldModule = NULL; + SECStatus rv; + + /* initialize the underlying module structures */ + SECMOD_Init(); + + module = secmod_NewModule(); + if (module == NULL) { + goto loser; + } + + module->commonName = PORT_ArenaStrdup(module->arena, moduleName ? moduleName : ""); + module->internal = PR_FALSE; + module->isFIPS = PR_FALSE; + /* if the system FIPS mode is enabled, force FIPS to be on */ + if (SECMOD_GetSystemFIPSEnabled()) { + module->isFIPS = PR_TRUE; + } + + module->isCritical = PR_FALSE; + /* new field */ + module->trustOrder = NSSUTIL_DEFAULT_TRUST_ORDER; + /* new field */ + module->cipherOrder = NSSUTIL_DEFAULT_CIPHER_ORDER; + /* new field */ + module->isModuleDB = PR_FALSE; + module->moduleDBOnly = PR_FALSE; + + module->ssl[0] = 0; + module->ssl[1] = 0; + + secmod_PrivateModuleCount++; + + /* load it */ + rv = secmod_LoadPKCS11ModuleFromFunction(module, &oldModule, fentry); + if (rv != SECSuccess) { + goto loser; + } + + /* if we just reload an old module, no need to add it to any lists. + * we simple release all our references */ + if (oldModule) { + /* This module already exists, don't link it anywhere. This + * will probably destroy this module */ + SECMOD_DestroyModule(module); + return oldModule; + } + + SECMOD_AddModuleToList(module); + /* handle any additional work here */ + return module; + +loser: + if (module) { + if (module->loaded) { + SECMOD_UnloadModule(module); + } + SECMOD_AddModuleToUnloadList(module); + } + return module; +} + /* * load a PKCS#11 module and add it to the default NSS trust domain */ @@ -2262,6 +2403,25 @@ SECMOD_LoadUserModule(char *modulespec, SECMODModule *parent, PRBool recurse) return newmod; } +SECMODModule * +SECMOD_LoadUserModuleWithFunction(const char *moduleName, CK_C_GetFunctionList fentry) +{ + SECStatus rv = SECSuccess; + SECMODModule *newmod = SECMOD_LoadModuleWithFunction(moduleName, fentry); + SECMODListLock *moduleLock = SECMOD_GetDefaultModuleListLock(); + + if (newmod) { + SECMOD_GetReadLock(moduleLock); + rv = STAN_AddModuleToDefaultTrustDomain(newmod); + SECMOD_ReleaseReadLock(moduleLock); + if (SECSuccess != rv) { + SECMOD_DestroyModule(newmod); + return NULL; + } + } + return newmod; +} + /* * remove the PKCS#11 module from the default NSS trust domain, call * C_Finalize, and destroy the module structure diff --git a/nss/lib/pk11wrap/pk11pbe.c b/nss/lib/pk11wrap/pk11pbe.c index 99875c22..eb853814 100644 --- a/nss/lib/pk11wrap/pk11pbe.c +++ b/nss/lib/pk11wrap/pk11pbe.c @@ -770,9 +770,10 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm); } + SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); + /* set the PKCS5v2 specific parameters */ if (keyLength == 0) { - SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm); if (hashAlg != SEC_OID_UNKNOWN) { keyLength = HASH_ResultLenByOidTag(hashAlg); } else { @@ -787,18 +788,25 @@ sec_pkcs5CreateAlgorithmID(SECOidTag algorithm, prfAlg = SEC_OID_HMAC_SHA1; } - /* build the PKCS5v2 cipher algorithm id */ - cipherParams = pk11_GenerateNewParamWithKeyLen( - PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); - if (!cipherParams) { - goto loser; + /* build the PKCS5v2 cipher algorithm id, if cipher + * is an HMAC, the cipherParams should be NULL */ + if (hashAlg == SEC_OID_UNKNOWN) { + cipherParams = pk11_GenerateNewParamWithKeyLen( + PK11_AlgtagToMechanism(cipherAlgorithm), keyLength); + if (!cipherParams) { + goto loser; + } + } else { + cipherParams = NULL; } PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param)); rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams, poolp, &pbeV2_param.cipherAlgId); - SECITEM_FreeItem(cipherParams, PR_TRUE); + if (cipherParams) { + SECITEM_FreeItem(cipherParams, PR_TRUE); + } if (rv != SECSuccess) { goto loser; } diff --git a/nss/lib/pk11wrap/secmod.h b/nss/lib/pk11wrap/secmod.h index 53181f01..fee21d6b 100644 --- a/nss/lib/pk11wrap/secmod.h +++ b/nss/lib/pk11wrap/secmod.h @@ -6,6 +6,7 @@ #include "seccomon.h" #include "secmodt.h" #include "prinrval.h" +#include "pkcs11.h" /* These mechanisms flags are visible to all other libraries. */ /* They must be converted to internal SECMOD_*_FLAG */ @@ -60,6 +61,9 @@ extern SECMODModule *SECMOD_LoadModule(char *moduleSpec, SECMODModule *parent, extern SECMODModule *SECMOD_LoadUserModule(char *moduleSpec, SECMODModule *parent, PRBool recurse); +extern SECMODModule *SECMOD_LoadUserModuleWithFunction(const char *moduleName, + CK_C_GetFunctionList fentry); + SECStatus SECMOD_UnloadUserModule(SECMODModule *mod); SECMODModule *SECMOD_CreateModule(const char *lib, const char *name, @@ -189,6 +193,31 @@ SECStatus SECMOD_CancelWait(SECMODModule *mod); * Caller must not hold a module list read lock. */ SECStatus SECMOD_UpdateSlotList(SECMODModule *mod); + +/* + * Utilities to expose policy strings to applications: + * + * Policy strings are used by system configuration to specify what algorithms + * are included by policy. Each algorithm as a bitmask of operations allowed + * for that policy (Sign, SSL_KX, etc). Algorithm policies are tied to a oid, + * usually the primary oid used for that algorithm in X.509. + * In addition to policy oids, NSS has options, which are selected by a + * PRUint32. Options return an integer value, usually a limit (max key size, + * min key size, etc). + */ +/* Fetch the oid for a particular policy based on the string used to configure + * that policy. Policy are organized into logical list (ECC, HASH, MAC, + * CIPHER, SSL-KX, etc.). The search is restricted to a partular list unless + * ANY is specified). policy and list are case insensitive */ +SECOidTag SECMOD_PolicyStringToOid(const char *policy, const char *list); +/* fetch the Option integer based on the option string */ +PRUint32 SECMOD_PolicyStringToOpt(const char *optionString); +/* fetch a string descript of a particular bit value. The first match that has + * any of the requested bits is returns unless exact is specified, in which + * case the string must map to all existing bits. If no match is found, NULL + * is returned */ +const char *SECMOD_FlagsToPolicyString(PRUint32 val, PRBool exact); + SEC_END_PROTOS #endif diff --git a/nss/lib/pk11wrap/secmodi.h b/nss/lib/pk11wrap/secmodi.h index 9f220d6b..637114a9 100644 --- a/nss/lib/pk11wrap/secmodi.h +++ b/nss/lib/pk11wrap/secmodi.h @@ -57,6 +57,8 @@ extern unsigned long SECMOD_InternaltoPubCipherFlags(unsigned long internalFlags /* Library functions */ SECStatus secmod_LoadPKCS11Module(SECMODModule *, SECMODModule **oldModule); +SECStatus secmod_LoadPKCS11ModuleFromFunction(SECMODModule *, SECMODModule **oldModule, CK_C_GetFunctionList f); + SECStatus SECMOD_UnloadModule(SECMODModule *); void SECMOD_SetInternalModule(SECMODModule *); PRBool secmod_IsInternalKeySlot(SECMODModule *); diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c index 15966897..c3a496f6 100644 --- a/nss/lib/pkcs12/p12d.c +++ b/nss/lib/pkcs12/p12d.c @@ -1918,7 +1918,7 @@ sec_pkcs12_set_nickname_for_cert(sec_PKCS12SafeBag *cert, static SECItem * sec_pkcs12_get_der_cert(sec_PKCS12SafeBag *cert) { - if (!cert) { + if (!cert || !cert->safeBagContent.certBag) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } @@ -3179,6 +3179,12 @@ SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, p12dcx->decitem.der = sec_pkcs12_get_der_cert(bag); p12dcx->decitem.friendlyName = sec_pkcs12_get_friendlyName(bag); p12dcx->decitem.hasKey = sec_pkcs12_bagHasKey(p12dcx, bag); + /* if we don't understand the cert, or it's not parsable, skip it */ + /* as per the comment above, friendlyName may be null legitimately */ + if (!p12dcx->decitem.der) { + p12dcx->decitem.type = 0; /* clear out the type we are ignoring */ + continue; + } break; case SEC_OID_PKCS12_V1_PKCS8_SHROUDED_KEY_BAG_ID: p12dcx->decitem.shroudAlg = PORT_ZNew(SECAlgorithmID); @@ -3195,6 +3201,7 @@ SEC_PKCS12DecoderIterateNext(SEC_PKCS12DecoderContext *p12dcx, break; case SEC_OID_UNKNOWN: /* ignore these */ + p12dcx->decitem.type = 0; /* clear out the type we are ignoring */ continue; } *ipp = &p12dcx->decitem; diff --git a/nss/lib/pkcs12/p12local.c b/nss/lib/pkcs12/p12local.c index 98a54a63..3e0a96c3 100644 --- a/nss/lib/pkcs12/p12local.c +++ b/nss/lib/pkcs12/p12local.c @@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *slot, sec_PKCS12MacData *macData, *hmacMech = PK11_AlgtagToMechanism(hmacAlg); /* pkcs12v2 hmac uses UTF8 rather than unicode */ if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem, - PR_TRUE, PR_FALSE, PR_FALSE)) { + PR_FALSE, PR_FALSE, PR_FALSE)) { return NULL; } symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg); diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c index 15094f2d..da0fa0de 100644 --- a/nss/lib/pkcs7/certread.c +++ b/nss/lib/pkcs7/certread.c @@ -324,10 +324,11 @@ CERT_DecodeCertPackage(char *certbuf, /* check entire length if definite length */ if (seqLen || seqLenLen) { if (certlen != (seqLen + seqLenLen + 2L)) { - if (certlen > (seqLen + seqLenLen + 2L)) + if (certlen > (seqLen + seqLenLen + 2L)) { PORT_SetError(SEC_ERROR_EXTRA_INPUT); - else + } else { PORT_SetError(SEC_ERROR_INPUT_LEN); + } goto notder; } } @@ -520,6 +521,8 @@ CERT_DecodeCertFromPackage(char *certbuf, int certlen) CERTCertificate *cert = NULL; collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + collectArgs.cert.data = NULL; + collectArgs.cert.len = 0; rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs, (void *)&collectArgs); diff --git a/nss/lib/pkcs7/p7decode.c b/nss/lib/pkcs7/p7decode.c index 7a01f367..8498c5de 100644 --- a/nss/lib/pkcs7/p7decode.c +++ b/nss/lib/pkcs7/p7decode.c @@ -542,6 +542,7 @@ sec_pkcs7_decoder_start_decrypt(SEC_PKCS7DecoderContext *p7dcx, int depth, * We are done with (this) bulkkey now. */ PK11_FreeSymKey(bulkkey); + bulkkey = NULL; if (decryptobj == NULL) { p7dcx->error = PORT_GetError(); @@ -849,6 +850,8 @@ sec_pkcs7_decoder_notify(void *arg, PRBool before, void *dest, int depth) case SEC_OID_PKCS7_DIGESTED_DATA: digd = cinfo->content.digestedData; + if (digd == NULL) + break; /* * XXX Want to do the digest or not? Maybe future enhancement... diff --git a/nss/lib/pki/pkibase.c b/nss/lib/pki/pkibase.c index f58a262c..de394391 100644 --- a/nss/lib/pki/pkibase.c +++ b/nss/lib/pki/pkibase.c @@ -333,10 +333,12 @@ nssPKIObject_GetInstances( { nssCryptokiObject **instances = NULL; PRUint32 i; + + nssPKIObject_Lock(object); if (object->numInstances == 0) { + nssPKIObject_Unlock(object); return (nssCryptokiObject **)NULL; } - nssPKIObject_Lock(object); instances = nss_ZNEWARRAY(NULL, nssCryptokiObject *, object->numInstances + 1); if (instances) { diff --git a/nss/lib/smime/cmsdecode.c b/nss/lib/smime/cmsdecode.c index e4789798..64868e20 100644 --- a/nss/lib/smime/cmsdecode.c +++ b/nss/lib/smime/cmsdecode.c @@ -43,6 +43,7 @@ static void nss_cms_decoder_update_filter(void *arg, const char *data, static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx); +static void nss_cms_decoder_update(void *p7ecx, const char *data, unsigned long len); static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, const unsigned char *data, unsigned long len, @@ -294,7 +295,7 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) } /* now set up the parent to hand decoded data to the next level decoder */ - p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update; + p7dcx->cb = (NSSCMSContentCallback)nss_cms_decoder_update; p7dcx->cb_arg = childp7dcx; PORT_ArenaUnmark(poolp, mark); @@ -556,6 +557,15 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, PORT_Free(buf); } +/* + * nss_cms_decoder_update - deliver decoded data to the next higher level! + */ +static void +nss_cms_decoder_update(void *p7ecx, const char *data, unsigned long len) +{ + (void)NSS_CMSDecoder_Update((NSSCMSDecoderContext *)p7ecx, data, len); +} + /* * nss_cms_decoder_update_filter - process ASN.1 data * diff --git a/nss/lib/smime/cmsdigest.c b/nss/lib/smime/cmsdigest.c index a59fd777..6cb2a508 100644 --- a/nss/lib/smime/cmsdigest.c +++ b/nss/lib/smime/cmsdigest.c @@ -260,7 +260,7 @@ NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, /* get the digests into arena, then copy the first digest into poolp */ rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp); - if (rv == SECSuccess && dp) { + if (rv == SECSuccess && dp && dp[0]) { /* now copy it into poolp */ rv = SECITEM_CopyItem(poolp, digest, dp[0]); } diff --git a/nss/lib/smime/cmsencode.c b/nss/lib/smime/cmsencode.c index 703492b5..0a4f246d 100644 --- a/nss/lib/smime/cmsencode.c +++ b/nss/lib/smime/cmsencode.c @@ -36,8 +36,8 @@ struct NSSCMSEncoderContextStr { static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx); static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx); -static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, - const char *data, unsigned long len); +static void nss_cms_encoder_update(void *p7ecx, + const char *data, unsigned long len); static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest, const unsigned char *data, unsigned long len, PRBool final, PRBool innermost); @@ -473,12 +473,12 @@ nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest, * * no recursion here because we REALLY want to end up at the next higher encoder! */ -static SECStatus -nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len) +static void +nss_cms_encoder_update(void *p7ecx, const char *data, unsigned long len) { /* XXX Error handling needs help. Return what? Do "Finish" on failure? */ - return nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, - len, PR_FALSE, PR_FALSE); + (void)nss_cms_encoder_work_data((NSSCMSEncoderContext *)p7ecx, NULL, (const unsigned char *)data, + len, PR_FALSE, PR_FALSE); } /* diff --git a/nss/lib/smime/cmsenvdata.c b/nss/lib/smime/cmsenvdata.c index 95b3fb98..0fc71c8b 100644 --- a/nss/lib/smime/cmsenvdata.c +++ b/nss/lib/smime/cmsenvdata.c @@ -66,10 +66,7 @@ NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp) return; recipientinfos = edp->recipientInfos; - if (recipientinfos == NULL) - return; - - while ((ri = *recipientinfos++) != NULL) + while (recipientinfos && (ri = *recipientinfos++) != NULL) NSS_CMSRecipientInfo_Destroy(ri); NSS_CMSContentInfo_Destroy(&(edp->contentInfo)); diff --git a/nss/lib/softoken/kbkdf.c b/nss/lib/softoken/kbkdf.c index 14f7320f..f7ae731a 100644 --- a/nss/lib/softoken/kbkdf.c +++ b/nss/lib/softoken/kbkdf.c @@ -264,6 +264,29 @@ kbkdf_ValidateDerived(CK_DERIVED_KEY_PTR key) return CKR_MECHANISM_PARAM_INVALID; } +static PRBool +kbkdf_ValidPRF(CK_SP800_108_PRF_TYPE prf) +{ + // See Table 161 of PKCS#11 v3.0 or Table 192 of PKCS#11 v3.1. + switch (prf) { + case CKM_AES_CMAC: + /* case CKM_DES3_CMAC: */ + return PR_TRUE; + case CKM_SHA_1_HMAC: + case CKM_SHA224_HMAC: + case CKM_SHA256_HMAC: + case CKM_SHA384_HMAC: + case CKM_SHA512_HMAC: + case CKM_SHA3_224_HMAC: + case CKM_SHA3_256_HMAC: + case CKM_SHA3_384_HMAC: + case CKM_SHA3_512_HMAC: + /* Valid HMAC <-> HASH isn't NULL */ + return sftk_HMACMechanismToHash(prf) != HASH_AlgNULL; + } + return PR_FALSE; +} + static CK_RV kbkdf_ValidateParameters(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS *params, CK_ULONG keySize) { @@ -273,14 +296,7 @@ kbkdf_ValidateParameters(CK_MECHANISM_TYPE mech, const CK_SP800_108_KDF_PARAMS * /* Start with checking the prfType as a mechanism against a list of * PRFs allowed by PKCS#11 v3.0. */ - if (!(/* The following types aren't defined in NSS yet. */ - /* params->prfType != CKM_3DES_CMAC && */ - params->prfType == CKM_AES_CMAC || /* allow */ - /* We allow any HMAC except MD2 and MD5. */ - params->prfType != CKM_MD2_HMAC || /* disallow */ - params->prfType != CKM_MD5_HMAC || /* disallow */ - sftk_HMACMechanismToHash(params->prfType) != HASH_AlgNULL /* Valid HMAC <-> HASH isn't NULL */ - )) { + if (!kbkdf_ValidPRF(params->prfType)) { return CKR_MECHANISM_PARAM_INVALID; } diff --git a/nss/lib/softoken/lowpbe.c b/nss/lib/softoken/lowpbe.c index 999e684b..eaa955fc 100644 --- a/nss/lib/softoken/lowpbe.c +++ b/nss/lib/softoken/lowpbe.c @@ -1765,16 +1765,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) unsigned char iteration_count = 5; unsigned char keyLen = 64; char *inKeyData = TEST_KEY; - static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + static const unsigned char saltData[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f + }; + static const unsigned char pbkdf_known_answer[] = { - 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, - 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, - 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, - 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, - 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, - 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, - 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, - 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 + 0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4, + 0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b, + 0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a, + 0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5, + 0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06, + 0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90, + 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8, + 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33 }; sftk_PBELockInit(); diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c index f9ad7bdf..0d78831e 100644 --- a/nss/lib/softoken/pkcs11.c +++ b/nss/lib/softoken/pkcs11.c @@ -1301,8 +1301,8 @@ sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYP return CKR_TEMPLATE_INCOMPLETE; } /* for ECDSA and EDDSA. Change if the structure of any of them is modified. */ - derive = (key_type == CKK_EC_EDWARDS) ? CK_FALSE : CK_TRUE; /* CK_TRUE for ECDH */ - sign = (key_type == CKK_EC_MONTGOMERY) ? CK_FALSE : CK_TRUE; /* for ECDSA and EDDSA */ + derive = (key_type == CKK_EC_EDWARDS) ? CK_FALSE : CK_TRUE; /* CK_TRUE for ECDH */ + sign = (key_type == CKK_EC_MONTGOMERY) ? CK_FALSE : CK_TRUE; /* for ECDSA and EDDSA */ encrypt = CK_FALSE; recover = CK_FALSE; wrap = CK_FALSE; @@ -3211,14 +3211,15 @@ SFTK_DestroySlotData(SFTKSlot *slot) char ** NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) { -#ifndef NSS_DISABLE_DBM +#ifdef NSS_DISABLE_DBM + return NSSUTIL_DoModuleDBFunction(function, parameters, args); +#else char *secmod = NULL; char *appName = NULL; char *filename = NULL; NSSDBType dbType = NSS_DB_TYPE_NONE; PRBool rw; static char *success = "Success"; -#endif /* NSS_DISABLE_DBM */ char **rvstr = NULL; rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args); @@ -3230,7 +3231,6 @@ NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) return NULL; } -#ifndef NSS_DISABLE_DBM /* The legacy database uses the old dbm, which is only linked with the * legacy DB handler, which is only callable from softoken */ @@ -3322,8 +3322,8 @@ NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) PORT_Free(appName); if (filename) PORT_Free(filename); -#endif /* NSS_DISABLE_DBM */ return rvstr; +#endif /* NSS_DISABLE_DBM */ } static void @@ -3486,12 +3486,13 @@ nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS) return crv; } - rv = RNG_RNGInit(); /* initialize random number generator */ + rv = BL_Init(); /* initialize freebl engine */ if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; return crv; } - rv = BL_Init(); /* initialize freebl engine */ + + rv = RNG_RNGInit(); /* initialize random number generator */ if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; return crv; diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c index f06c2b43..7bcfe545 100644 --- a/nss/lib/softoken/pkcs11c.c +++ b/nss/lib/softoken/pkcs11c.c @@ -44,6 +44,7 @@ #include "prprf.h" #include "prenv.h" +#include "prerror.h" #define __PASTE(x, y) x##y #define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize) @@ -5272,7 +5273,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot, if ((signature_length >= pairwise_digest_length) && (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { PORT_Free(signature); - return CKR_DEVICE_ERROR; + return CKR_GENERAL_ERROR; } /* Verify the known hash using the public key. */ @@ -5308,106 +5309,148 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot, if (isDerivable) { SFTKAttribute *pubAttribute = NULL; - CK_OBJECT_HANDLE newKey; PRBool isFIPS = sftk_isFIPS(slot->slotID); - CK_RV crv2; - CK_OBJECT_CLASS secret = CKO_SECRET_KEY; - CK_KEY_TYPE generic = CKK_GENERIC_SECRET; - CK_ULONG keyLen = 128; - CK_BBOOL ckTrue = CK_TRUE; - CK_ATTRIBUTE template[] = { - { CKA_CLASS, &secret, sizeof(secret) }, - { CKA_KEY_TYPE, &generic, sizeof(generic) }, - { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, - { CKA_DERIVE, &ckTrue, sizeof(ckTrue) } - }; - CK_ULONG templateCount = PR_ARRAY_SIZE(template); - CK_ECDH1_DERIVE_PARAMS ecParams; + NSSLOWKEYPrivateKey *lowPrivKey = NULL; + ECPrivateKey *ecPriv = NULL; + SECItem *lowPubValue = NULL; + SECItem item = { siBuffer, NULL, 0 }; + SECStatus rv; crv = CKR_OK; /*paranoia, already get's set before we drop to the end */ - /* FIPS 140-2 requires we verify that the resulting key is a valid key. - * The easiest way to do this is to do a derive operation, which checks - * the validity of the key */ + /* FIPS 140-3 requires we verify that the resulting key is a valid key + * by recalculating the public can an compare it to our own public + * key. */ + lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv); + if (lowPrivKey == NULL) { + return sftk_MapCryptError(PORT_GetError()); + } + /* recalculate the public key from the private key */ switch (keyType) { case CKK_DH: - mech.mechanism = CKM_DH_PKCS_DERIVE; - pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); - if (pubAttribute == NULL) { - return CKR_DEVICE_ERROR; + rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime, + &lowPrivKey->u.dh.privateValue, &item, 0); + if (rv != SECSuccess) { + return CKR_GENERAL_ERROR; } - mech.pParameter = pubAttribute->attrib.pValue; - mech.ulParameterLen = pubAttribute->attrib.ulValueLen; + lowPubValue = SECITEM_DupItem(&item); + SECITEM_ZfreeItem(&item, PR_FALSE); + pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); break; case CKK_EC_MONTGOMERY: case CKK_EC: - mech.mechanism = CKM_ECDH1_DERIVE; - pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); - if (pubAttribute == NULL) { - return CKR_DEVICE_ERROR; + rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv, + lowPrivKey->u.ec.privateValue.data, + lowPrivKey->u.ec.privateValue.len); + if (rv != SECSuccess) { + return CKR_GENERAL_ERROR; + } + /* make sure it has the same encoding */ + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || + lowPrivKey->u.ec.ecParams.type != ec_params_named) { + lowPubValue = SECITEM_DupItem(&ecPriv->publicValue); + } else { + lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); } - ecParams.kdf = CKD_NULL; - ecParams.ulSharedDataLen = 0; - ecParams.pSharedData = NULL; - ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen; - ecParams.pPublicData = pubAttribute->attrib.pValue; - mech.pParameter = &ecParams; - mech.ulParameterLen = sizeof(ecParams); + pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); + /* clear out our generated private key */ + PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE); break; default: return CKR_DEVICE_ERROR; } - crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey); - if (crv != CKR_OK) { - sftk_FreeAttribute(pubAttribute); - return crv; + /* now compare new public key with our already generated key */ + if ((pubAttribute == NULL) || (lowPubValue == NULL) || + (pubAttribute->attrib.ulValueLen != lowPubValue->len) || + (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data, + lowPubValue->len) != 0)) { + if (pubAttribute) + sftk_FreeAttribute(pubAttribute); + if (lowPubValue) + SECITEM_ZfreeItem(lowPubValue, PR_TRUE); + PORT_SetError(SEC_ERROR_BAD_KEY); + return CKR_GENERAL_ERROR; } + SECITEM_ZfreeItem(lowPubValue, PR_TRUE); + /* FIPS requires full validation, but in fipx mode NSC_Derive * only does partial validation with approved primes, now handle * full validation */ if (isFIPS && keyType == CKK_DH) { - SECItem pubKey; - SECItem prime; - SECItem subPrime; + SECItem pubKey = { siBuffer, pubAttribute->attrib.pValue, + pubAttribute->attrib.ulValueLen }; + SECItem base = { siBuffer, NULL, 0 }; + SECItem prime = { siBuffer, NULL, 0 }; + SECItem subPrime = { siBuffer, NULL, 0 }; + SECItem generator = { siBuffer, NULL, 0 }; const SECItem *subPrimePtr = &subPrime; - pubKey.data = pubAttribute->attrib.pValue; - pubKey.len = pubAttribute->attrib.ulValueLen; - prime.data = subPrime.data = NULL; - prime.len = subPrime.len = 0; crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME); if (crv != CKR_OK) { goto done; } - crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME); + crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE); + if (crv != CKR_OK) { + goto done; + } /* we ignore the return code an only look at the length */ - if (subPrime.len == 0) { - /* subprime not supplied, In this case look it up. - * This only works with approved primes, but in FIPS mode - * that's the only kine of prime that will get here */ - subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS); - if (subPrimePtr == NULL) { - crv = CKR_GENERAL_ERROR; + /* do we have a known prime ? */ + subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS); + if (subPrimePtr == NULL) { + if (subPrime.len == 0) { + /* if not a known prime, subprime must be supplied */ + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; + } else { + /* not a known prime, check for primality of prime + * and subPrime */ + if (!KEA_PrimeCheck(&prime)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; + } + if (!KEA_PrimeCheck(&subPrime)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; + } + /* if we aren't using a defined group, make sure base is in the + * subgroup. If it's not, then our key could fail or succeed sometimes. + * This makes the failure reliable */ + if (!KEA_Verify(&base, &prime, &subPrime)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + } + } + subPrimePtr = &subPrime; + } else { + /* we're using a known group, make sure we are using the known generator for that group */ + if (SECITEM_CompareItem(&generator, &base) != 0) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; goto done; } + if (subPrime.len != 0) { + /* we have a known prime and a supplied subPrime, + * make sure the subPrime matches the subPrime for + * the known Prime */ + if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; + } + } } if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) { - crv = CKR_GENERAL_ERROR; + crv = CKR_ATTRIBUTE_VALUE_INVALID; } done: + SECITEM_ZfreeItem(&base, PR_FALSE); SECITEM_ZfreeItem(&subPrime, PR_FALSE); SECITEM_ZfreeItem(&prime, PR_FALSE); } /* clean up before we return */ sftk_FreeAttribute(pubAttribute); - crv2 = NSC_DestroyObject(hSession, newKey); if (crv != CKR_OK) { return crv; } - if (crv2 != CKR_OK) { - return crv2; - } } return CKR_OK; @@ -6087,7 +6130,6 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession, sftk_FreeObject(privateKey); return crv; } - *phPrivateKey = privateKey->handle; *phPublicKey = publicKey->handle; sftk_FreeObject(publicKey); @@ -7503,8 +7545,9 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, /* * now lets create an object to hang the attributes off of */ - PORT_Assert(phKey); - *phKey = CK_INVALID_HANDLE; + if (phKey) { + *phKey = CK_INVALID_HANDLE; + } key = sftk_NewObject(slot); /* fill in the handle later */ if (key == NULL) { @@ -8670,7 +8713,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, /* if the prime is an approved prime, we can skip all the other * checks. */ - subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS); + subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS); if (subPrime == NULL) { SECItem dhSubPrime; /* If the caller set the subprime value, it means that @@ -9050,7 +9093,9 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, crv = sftk_handleObject(key, session); session->lastOpWasFIPS = key->isFIPS; sftk_FreeSession(session); - *phKey = key->handle; + if (phKey) { + *phKey = key->handle; + } sftk_FreeObject(key); } return crv; diff --git a/nss/lib/softoken/pkcs11i.h b/nss/lib/softoken/pkcs11i.h index 58e7cceb..2656635a 100644 --- a/nss/lib/softoken/pkcs11i.h +++ b/nss/lib/softoken/pkcs11i.h @@ -960,7 +960,7 @@ char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args); /* dh verify functions */ /* verify that dhPrime matches one of our known primes, and if so return * it's subprime value */ -const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS); +const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS); /* check if dhSubPrime claims dhPrime is a safe prime. */ SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); /* map an operation Attribute to a Mechanism flag */ diff --git a/nss/lib/softoken/pkcs11u.c b/nss/lib/softoken/pkcs11u.c index ef811e73..49318cb3 100644 --- a/nss/lib/softoken/pkcs11u.c +++ b/nss/lib/softoken/pkcs11u.c @@ -2400,15 +2400,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech, switch (mechInfo->special) { case SFTKFIPSDH: { SECItem dhPrime; + SECItem dhBase; + SECItem dhGenerator; + PRBool fipsOk = PR_FALSE; const SECItem *dhSubPrime; CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime, source, CKA_PRIME); if (crv != CKR_OK) { return PR_FALSE; } - dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE); + crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE); + if (crv != CKR_OK) { + return PR_FALSE; + } + dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE); + fipsOk = (dhSubPrime) ? PR_TRUE : PR_FALSE; + if (fipsOk && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) { + fipsOk = PR_FALSE; + } + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); - return (dhSubPrime) ? PR_TRUE : PR_FALSE; + SECITEM_ZfreeItem(&dhBase, PR_FALSE); + return fipsOk; } case SFTKFIPSNone: return PR_FALSE; diff --git a/nss/lib/softoken/sdb.c b/nss/lib/softoken/sdb.c index 0dab04f1..46ddc71c 100644 --- a/nss/lib/softoken/sdb.c +++ b/nss/lib/softoken/sdb.c @@ -1664,7 +1664,7 @@ CK_RV sdb_GetMetaData(SDB *sdb, const char *id, SECItem *item1, SECItem *item2) { SDBPrivate *sdb_p = sdb->private; - sqlite3 *sqlDB = sdb_p->sqlXactDB; + sqlite3 *sqlDB = NULL; sqlite3_stmt *stmt = NULL; int sqlerr = SQLITE_OK; CK_RV error = CKR_OK; diff --git a/nss/lib/softoken/sftkdhverify.c b/nss/lib/softoken/sftkdhverify.c index 43104861..3b8cd684 100644 --- a/nss/lib/softoken/sftkdhverify.c +++ b/nss/lib/softoken/sftkdhverify.c @@ -6726,11 +6726,18 @@ static const SECItem subprime_tls_8192 = { siBuffer, (unsigned char *)subprime_tls_8192_data, sizeof(subprime_tls_8192_data) }; +/* generator for all the groups is 2 */ +static const unsigned char generator_2_data[] = { 2 }; + +static const SECItem generator_2 = { siBuffer, + (unsigned char *)generator_2_data, + sizeof(generator_2_data) }; + /* * verify that dhPrime matches one of our known primes */ const SECItem * -sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) +sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS) { /* use the length to decide which primes to check */ switch (dhPrime->len) { @@ -6741,56 +6748,78 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) } if (PORT_Memcmp(dhPrime->data, prime_ike_1536, sizeof(prime_ike_1536)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_1536; } break; case 2048 / PR_BITS_PER_BYTE: if (PORT_Memcmp(dhPrime->data, prime_tls_2048, sizeof(prime_tls_2048)) == 0) { + if (g) + *g = generator_2; return &subprime_tls_2048; } if (PORT_Memcmp(dhPrime->data, prime_ike_2048, sizeof(prime_ike_2048)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_2048; } break; case 3072 / PR_BITS_PER_BYTE: if (PORT_Memcmp(dhPrime->data, prime_tls_3072, sizeof(prime_tls_3072)) == 0) { + if (g) + *g = generator_2; return &subprime_tls_3072; } if (PORT_Memcmp(dhPrime->data, prime_ike_3072, sizeof(prime_ike_3072)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_3072; } break; case 4096 / PR_BITS_PER_BYTE: if (PORT_Memcmp(dhPrime->data, prime_tls_4096, sizeof(prime_tls_4096)) == 0) { + if (g) + *g = generator_2; return &subprime_tls_4096; } if (PORT_Memcmp(dhPrime->data, prime_ike_4096, sizeof(prime_ike_4096)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_4096; } break; case 6144 / PR_BITS_PER_BYTE: if (PORT_Memcmp(dhPrime->data, prime_tls_6144, sizeof(prime_tls_6144)) == 0) { + if (g) + *g = generator_2; return &subprime_tls_6144; } if (PORT_Memcmp(dhPrime->data, prime_ike_6144, sizeof(prime_ike_6144)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_6144; } break; case 8192 / PR_BITS_PER_BYTE: if (PORT_Memcmp(dhPrime->data, prime_tls_8192, sizeof(prime_tls_8192)) == 0) { + if (g) + *g = generator_2; return &subprime_tls_8192; } if (PORT_Memcmp(dhPrime->data, prime_ike_8192, sizeof(prime_ike_8192)) == 0) { + if (g) + *g = generator_2; return &subprime_ike_8192; } break; diff --git a/nss/lib/softoken/softkver.h b/nss/lib/softoken/softkver.h index f76600d7..aaf522fa 100644 --- a/nss/lib/softoken/softkver.h +++ b/nss/lib/softoken/softkver.h @@ -17,11 +17,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.105" SOFTOKEN_ECC_STRING " Beta" +#define SOFTOKEN_VERSION "3.110" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 105 +#define SOFTOKEN_VMINOR 110 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_TRUE +#define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */ diff --git a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h index d26c5f0c..7ae07774 100644 --- a/nss/lib/ssl/SSLerrs.h +++ b/nss/lib/ssl/SSLerrs.h @@ -435,7 +435,7 @@ ER3(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 135), "The peer used an unsupported combination of signature and hash algorithm.") ER3(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET, (SSL_ERROR_BASE + 136), - "The peer tried to resume without a correct extended_master_secret extension") + "The peer did not use an extended master secret when required, either due to policy or because the previous session had it enabled") ER3(SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET, (SSL_ERROR_BASE + 137), "The peer tried to resume with an unexpected extended_master_secret extension") diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c index a4aa7c01..a7c8bb4c 100644 --- a/nss/lib/ssl/ssl3con.c +++ b/nss/lib/ssl/ssl3con.c @@ -1282,6 +1282,7 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *hash, SECKEYPrivateKey *key, if (useRsaPss || hash->hashAlg == ssl_hash_none) { CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType); int signatureLen = PK11_SignatureLen(key); + PRInt32 optval; SECItem *params = NULL; CK_RSA_PKCS_PSS_PARAMS pssParams; @@ -1293,6 +1294,17 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *hash, SECKEYPrivateKey *key, PORT_SetError(SEC_ERROR_INVALID_KEY); goto done; } + /* since we are calling PK11_SignWithMechanism directly, we need to check the + * key policy ourselves (which is already checked in SGN_Digest */ + rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); + if ((rv == SECSuccess) && + ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) { + rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + goto done; /* error code already set */ + } + } buf->len = (unsigned)signatureLen; buf->data = (unsigned char *)PORT_Alloc(signatureLen); @@ -3508,6 +3520,27 @@ ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms, CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; unsigned int master_params_len; + /* if we are using TLS and we aren't using the extended master secret, + * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will + * send an alert (eventually). In the RSA Server case, the alert + * won't happen until Finish time because the upper level code + * can't tell a difference between this failure and an RSA decrypt + * failure, so it will proceed with a faux key */ + if (isTLS) { + PRUint32 policy; + SECStatus rv; + + /* first fetch the policy for this algorithm */ + rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy); + /* we only look at the policy if we can fetch it. */ + if ((rv == SECSuccess) && (policy & NSS_USE_ALG_IN_SSL_KX)) { + /* just set the error, we don't want to map any errors + * set by NSS_GetAlgorithmPolicy here */ + PORT_SetError(SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET); + return SECFailure; + } + } + if (isTLS12) { if (isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; @@ -3568,6 +3601,7 @@ tls_ComputeExtendedMasterSecretInt(sslSocket *ss, PK11SymKey *pms, ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec; CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS extended_master_params; SSL3Hashes hashes; + /* * Determine whether to use the DH/ECDH or RSA derivation modes. */ @@ -9484,7 +9518,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss, if (suite->cipher_suite == sid->u.ssl3.cipherSuite) break; } - PORT_Assert(j > 0); + if (j == 0) break; diff --git a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c index a1b0a52e..30b6289d 100644 --- a/nss/lib/ssl/ssl3ext.c +++ b/nss/lib/ssl/ssl3ext.c @@ -737,9 +737,13 @@ ssl_CallCustomExtensionSenders(sslSocket *ss, sslBuffer *buf, } } - rv = sslBuffer_Append(buf, tail.buf, tail.len); - if (rv != SECSuccess) { - goto loser; /* Code already set. */ + /* Restore saved extension and move the marker. */ + if (ss->xtnData.lastXtnOffset) { + ss->xtnData.lastXtnOffset = buf->len; + rv = sslBuffer_Append(buf, tail.buf, tail.len); + if (rv != SECSuccess) { + goto loser; /* Code already set. */ + } } sslBuffer_Clear(&tail); diff --git a/nss/lib/ssl/ssl3gthr.c b/nss/lib/ssl/ssl3gthr.c index 674ea89d..d2aa08a1 100644 --- a/nss/lib/ssl/ssl3gthr.c +++ b/nss/lib/ssl/ssl3gthr.c @@ -358,7 +358,6 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags) * no alert is sent [RFC6347, Section 4.1.2.7]. */ if (contentType & 0x10) { - PORT_Assert(PR_FALSE); PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE); gs->dtlsPacketOffset = 0; gs->dtlsPacket.len = 0; diff --git a/nss/lib/ssl/sslencode.c b/nss/lib/ssl/sslencode.c index 7c7045d9..e725572c 100644 --- a/nss/lib/ssl/sslencode.c +++ b/nss/lib/ssl/sslencode.c @@ -43,8 +43,8 @@ sslBuffer_Grow(sslBuffer *b, unsigned int newLen) /* If buf is non-NULL, space must be non-zero; * if buf is NULL, space must be zero. */ PORT_Assert((b->buf && b->space) || (!b->buf && !b->space)); - newLen = PR_MAX(newLen, b->len + 1024); if (newLen > b->space) { + newLen = PR_MAX(newLen, b->space + 2048); unsigned char *newBuf; if (b->buf) { newBuf = (unsigned char *)PORT_Realloc(b->buf, newLen); diff --git a/nss/lib/ssl/sslinit.c b/nss/lib/ssl/sslinit.c index 25747b57..8155dfb0 100644 --- a/nss/lib/ssl/sslinit.c +++ b/nss/lib/ssl/sslinit.c @@ -14,7 +14,6 @@ #include "sslimpl.h" #include "sslproto.h" -static int ssl_isInited = 0; static PRCallOnceType ssl_init = { 0 }; PR_STATIC_ASSERT(sizeof(unsigned long) <= sizeof(PRUint64)); @@ -57,18 +56,11 @@ ssl_InitCallOnce(void *arg) SECStatus ssl_Init(void) { - PRStatus nrv; - - /* short circuit test if we are already inited */ - if (!ssl_isInited) { - int error; - /* only do this once at init time, block all others until we are done */ - nrv = PR_CallOnceWithArg(&ssl_init, ssl_InitCallOnce, &error); - if (nrv != PR_SUCCESS) { - PORT_SetError(error); - return SECFailure; - } - ssl_isInited = 1; + int error; + PRStatus nrv = PR_CallOnceWithArg(&ssl_init, ssl_InitCallOnce, &error); + if (nrv != PR_SUCCESS) { + PORT_SetError(error); + return SECFailure; } return SECSuccess; } diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c index 7f11c096..1fffe69f 100644 --- a/nss/lib/ssl/sslsock.c +++ b/nss/lib/ssl/sslsock.c @@ -124,7 +124,8 @@ sslSessionIDLookupFunc ssl_sid_lookup; static PRDescIdentity ssl_layer_id; -PRBool locksEverDisabled; /* implicitly PR_FALSE */ +static PRCallOnceType ssl_setDefaultsFromEnvironment = { 0 }; + PRBool ssl_force_locks; /* implicitly PR_FALSE */ int ssl_lock_readers = 1; /* default true. */ char ssl_debug; @@ -136,9 +137,6 @@ FILE *ssl_keylog_iob; PZLock *ssl_keylog_lock; #endif -char lockStatus[] = "Locks are ENABLED. "; -#define LOCKSTATUS_OFFSET 10 /* offset of ENABLED */ - /* SRTP_NULL_HMAC_SHA1_80 and SRTP_NULL_HMAC_SHA1_32 are not implemented. */ static const PRUint16 srtpCiphers[] = { SRTP_AES128_CM_HMAC_SHA1_80, @@ -205,6 +203,7 @@ PR_STATIC_ASSERT(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(ssl_named_groups)); /* forward declarations. */ static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant); static SECStatus ssl_MakeLocks(sslSocket *ss); +static PRStatus ssl_SetDefaultsFromEnvironmentCallOnce(void); static void ssl_SetDefaultsFromEnvironment(void); static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack, PRDescIdentity id); @@ -779,10 +778,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRIntn val) if (val && ssl_force_locks) val = PR_FALSE; /* silent override */ ss->opt.noLocks = val; - if (val) { - locksEverDisabled = PR_TRUE; - strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); - } else if (!holdingLocks) { + if (!val && !holdingLocks) { rv = ssl_MakeLocks(ss); if (rv != SECSuccess) { ss->opt.noLocks = PR_TRUE; @@ -1315,10 +1311,6 @@ SSL_OptionSetDefault(PRInt32 which, PRIntn val) if (val && ssl_force_locks) val = PR_FALSE; /* silent override */ ssl_defaults.noLocks = val; - if (val) { - locksEverDisabled = PR_TRUE; - strcpy(lockStatus + LOCKSTATUS_OFFSET, "DISABLED."); - } break; case SSL_ENABLE_SESSION_TICKETS: @@ -3908,92 +3900,93 @@ ssl_MakeLocks(sslSocket *ss) #define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */ -static void -ssl_SetDefaultsFromEnvironment(void) +static PRStatus +ssl_SetDefaultsFromEnvironmentCallOnce(void) { #if defined(NSS_HAVE_GETENV) - static int firsttime = 1; - - if (firsttime) { - char *ev; - firsttime = 0; + char *ev; #ifdef DEBUG - ssl_trace_iob = NULL; - ev = PR_GetEnvSecure("SSLDEBUGFILE"); - if (ev && ev[0]) { - ssl_trace_iob = fopen(ev, "w"); - } - if (!ssl_trace_iob) { - ssl_trace_iob = stderr; - } + ssl_trace_iob = NULL; + ev = PR_GetEnvSecure("SSLDEBUGFILE"); + if (ev && ev[0]) { + ssl_trace_iob = fopen(ev, "w"); + } + if (!ssl_trace_iob) { + ssl_trace_iob = stderr; + } #ifdef TRACE - ev = PR_GetEnvSecure("SSLTRACE"); - if (ev && ev[0]) { - ssl_trace = atoi(ev); - SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); - } + ev = PR_GetEnvSecure("SSLTRACE"); + if (ev && ev[0]) { + ssl_trace = atoi(ev); + SSL_TRACE(("SSL: tracing set to %d", ssl_trace)); + } #endif /* TRACE */ - ev = PR_GetEnvSecure("SSLDEBUG"); - if (ev && ev[0]) { - ssl_debug = atoi(ev); - SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); - } + ev = PR_GetEnvSecure("SSLDEBUG"); + if (ev && ev[0]) { + ssl_debug = atoi(ev); + SSL_TRACE(("SSL: debugging set to %d", ssl_debug)); + } #endif /* DEBUG */ #ifdef NSS_ALLOW_SSLKEYLOGFILE - ssl_keylog_iob = NULL; - ev = PR_GetEnvSecure("SSLKEYLOGFILE"); - if (ev && ev[0]) { - ssl_keylog_iob = fopen(ev, "a"); - if (!ssl_keylog_iob) { - SSL_TRACE(("SSL: failed to open key log file")); - } else { - if (ftell(ssl_keylog_iob) == 0) { - fputs("# SSL/TLS secrets log file, generated by NSS\n", - ssl_keylog_iob); - } - SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); - ssl_keylog_lock = PR_NewLock(); - if (!ssl_keylog_lock) { - SSL_TRACE(("SSL: failed to create key log lock")); - fclose(ssl_keylog_iob); - ssl_keylog_iob = NULL; - } + ssl_keylog_iob = NULL; + ev = PR_GetEnvSecure("SSLKEYLOGFILE"); + if (ev && ev[0]) { + ssl_keylog_iob = fopen(ev, "a"); + if (!ssl_keylog_iob) { + SSL_TRACE(("SSL: failed to open key log file")); + } else { + if (ftell(ssl_keylog_iob) == 0) { + fputs("# SSL/TLS secrets log file, generated by NSS\n", + ssl_keylog_iob); + } + SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev)); + ssl_keylog_lock = PR_NewLock(); + if (!ssl_keylog_lock) { + SSL_TRACE(("SSL: failed to create key log lock")); + fclose(ssl_keylog_iob); + ssl_keylog_iob = NULL; } } + } #endif - ev = PR_GetEnvSecure("SSLFORCELOCKS"); - if (ev && ev[0] == '1') { - ssl_force_locks = PR_TRUE; - ssl_defaults.noLocks = 0; - strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. "); - SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); - } - ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); - if (ev) { - if (ev[0] == '1' || LOWER(ev[0]) == 'u') - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; - else if (ev[0] == '0' || LOWER(ev[0]) == 'n') - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; - else if (ev[0] == '2' || LOWER(ev[0]) == 'r') - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; - else if (ev[0] == '3' || LOWER(ev[0]) == 't') - ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; - SSL_TRACE(("SSL: enableRenegotiation set to %d", - ssl_defaults.enableRenegotiation)); - } - ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); - if (ev && ev[0] == '1') { - ssl_defaults.requireSafeNegotiation = PR_TRUE; - SSL_TRACE(("SSL: requireSafeNegotiation set to %d", - PR_TRUE)); - } - ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); - if (ev && ev[0] == '0') { - ssl_defaults.cbcRandomIV = PR_FALSE; - SSL_TRACE(("SSL: cbcRandomIV set to 0")); - } + ev = PR_GetEnvSecure("SSLFORCELOCKS"); + if (ev && ev[0] == '1') { + ssl_force_locks = PR_TRUE; + ssl_defaults.noLocks = 0; + SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks)); + } + ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION"); + if (ev) { + if (ev[0] == '1' || LOWER(ev[0]) == 'u') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED; + else if (ev[0] == '0' || LOWER(ev[0]) == 'n') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER; + else if (ev[0] == '2' || LOWER(ev[0]) == 'r') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN; + else if (ev[0] == '3' || LOWER(ev[0]) == 't') + ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL; + SSL_TRACE(("SSL: enableRenegotiation set to %d", + ssl_defaults.enableRenegotiation)); + } + ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION"); + if (ev && ev[0] == '1') { + ssl_defaults.requireSafeNegotiation = PR_TRUE; + SSL_TRACE(("SSL: requireSafeNegotiation set to %d", + PR_TRUE)); + } + ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV"); + if (ev && ev[0] == '0') { + ssl_defaults.cbcRandomIV = PR_FALSE; + SSL_TRACE(("SSL: cbcRandomIV set to 0")); } #endif /* NSS_HAVE_GETENV */ + return PR_SUCCESS; +} + +static void +ssl_SetDefaultsFromEnvironment(void) +{ + PR_CallOnce(&ssl_setDefaultsFromEnvironment, ssl_SetDefaultsFromEnvironmentCallOnce); } const sslNamedGroupDef * diff --git a/nss/lib/ssl/tls13con.c b/nss/lib/ssl/tls13con.c index 707f9219..98f2f2b7 100644 --- a/nss/lib/ssl/tls13con.c +++ b/nss/lib/ssl/tls13con.c @@ -402,8 +402,15 @@ tls13_CreateKEMKeyPair(sslSocket *ss, const sslNamedGroupDef *groupDef, } privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, - ¶mSet, &pubKey, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE, + ¶mSet, &pubKey, PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC, CKF_DERIVE, CKF_DERIVE, ss->pkcs11PinArg); + + if (!privKey) { + privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, + ¶mSet, &pubKey, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE, + CKF_DERIVE, CKF_DERIVE, ss->pkcs11PinArg); + } + PK11_FreeSlot(slot); if (!privKey || !pubKey) { goto loser; @@ -774,7 +781,7 @@ tls13_HandleKEMCiphertext(sslSocket *ss, TLS13KeyShareEntry *entry, sslKeyPair * return SECFailure; } - rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE, CKF_DERIVE, outKey); + rv = PK11_Decapsulate(keyPair->privKey, &ct, CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE, CKF_DERIVE, outKey); if (rv != SECSuccess) { ssl_MapLowLevelError(SSL_ERROR_KEY_EXCHANGE_FAILURE); } @@ -818,7 +825,7 @@ tls13_HandleKEMKey(sslSocket *ss, } rv = PK11_Encapsulate(peerKey, - CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_SENSITIVE | PK11_ATTR_PRIVATE, + CKM_HKDF_DERIVE, PK11_ATTR_SESSION | PK11_ATTR_INSENSITIVE | PK11_ATTR_PUBLIC, CKF_DERIVE, key, ciphertext); /* Destroy the imported public key */ diff --git a/nss/lib/util/nsshash.c b/nss/lib/util/nsshash.c index 0feb207a..a4271187 100644 --- a/nss/lib/util/nsshash.c +++ b/nss/lib/util/nsshash.c @@ -107,6 +107,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid) switch (hmacOid) { /* no oid exists for HMAC_MD2 */ /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_HMAC_MD5: + hashOid = SEC_OID_MD5; + break; case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break; @@ -150,6 +153,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid) switch (hashOid) { /* no oid exists for HMAC_MD2 */ /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_MD5: + hmacOid = SEC_OID_HMAC_MD5; + break; case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break; diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def index f4526e5f..9ae91a4b 100644 --- a/nss/lib/util/nssutil.def +++ b/nss/lib/util/nssutil.def @@ -372,3 +372,9 @@ NSS_SetAlgorithmPolicyAll; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.108 { # NSS Utilities 3.108 release +;+ global: +PORT_SafeZero; +;+ local: +;+ *; +;+}; diff --git a/nss/lib/util/nssutil.h b/nss/lib/util/nssutil.h index d59436e0..62812c39 100644 --- a/nss/lib/util/nssutil.h +++ b/nss/lib/util/nssutil.h @@ -19,12 +19,12 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.105 Beta" +#define NSSUTIL_VERSION "3.110" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 105 +#define NSSUTIL_VMINOR 110 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_TRUE +#define NSSUTIL_BETA PR_FALSE SEC_BEGIN_PROTOS diff --git a/nss/lib/util/secasn1d.c b/nss/lib/util/secasn1d.c index 7d9ecfa9..28b050a1 100644 --- a/nss/lib/util/secasn1d.c +++ b/nss/lib/util/secasn1d.c @@ -3005,7 +3005,11 @@ SEC_ASN1DecoderFinish(SEC_ASN1DecoderContext *cx) SECStatus rv; if (!cx || cx->status == needBytes) { - PORT_SetError(SEC_ERROR_BAD_DER); + if (0 == PORT_GetError()) { + /* don't clobber a real reason for the failure like bad password + * or invalid algorithm */ + PORT_SetError(SEC_ERROR_BAD_DER); + } rv = SECFailure; } else { rv = SECSuccess; diff --git a/nss/lib/util/secoid.c b/nss/lib/util/secoid.c index 1bc5e3d7..85e4be38 100644 --- a/nss/lib/util/secoid.c +++ b/nss/lib/util/secoid.c @@ -1898,6 +1898,9 @@ const static SECOidData oids[SEC_OID_TOTAL] = { ODE(SEC_OID_MLKEM768X25519, "ML-KEM-768+X25519 key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + ODE(SEC_OID_TLS_REQUIRE_EMS, + "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + }; /* PRIVATE EXTENDED SECOID Table @@ -2191,6 +2194,8 @@ SECOID_Init(void) /* turn off NSS_USE_POLICY_IN_SSL by default */ xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; + /* turn off TLS REQUIRE EMS by default */ + xOids[SEC_OID_TLS_REQUIRE_EMS].notPolicyFlags = ~0; envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); if (envVal) @@ -2274,6 +2279,11 @@ SECOID_FindOID(const SECItem *oid) return NULL; } + if ((oid == NULL) || (oid->data == NULL)) { + PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); + return NULL; + } + ret = PL_HashTableLookupConst(oidhash, oid); if (ret == NULL) { ret = secoid_FindDynamic(oid); diff --git a/nss/lib/util/secoidt.h b/nss/lib/util/secoidt.h index d6eae43f..19899b79 100644 --- a/nss/lib/util/secoidt.h +++ b/nss/lib/util/secoidt.h @@ -534,6 +534,8 @@ typedef enum { SEC_OID_MLKEM768X25519 = 389, + SEC_OID_TLS_REQUIRE_EMS = 390, + SEC_OID_TOTAL } SECOidTag; diff --git a/nss/lib/util/secport.c b/nss/lib/util/secport.c index 20a620d5..c764cb1a 100644 --- a/nss/lib/util/secport.c +++ b/nss/lib/util/secport.c @@ -209,6 +209,44 @@ PORT_GetError(void) return (PR_GetError()); } +void +PORT_SafeZero(void *p, size_t n) +{ + /* there are cases where the compiler optimizes away our attempt to clear + * out our stack variables. There are multiple solutions for this problem, + * but they aren't universally accepted on all platforms. This attempts + * to select the best solution available given our os, compilier, and + * libc */ +#ifdef __STDC_LIB_EXT1__ + /* if the os implements C11 annex K, use memset_s */ + memset_s(p, n, 0, n); +#else + /* _DEFAULT_SORUCE == BSD source in GCC based environments + * if other environmens support explicit_bzero, their defines + * should be added here */ +#if (defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25)) + explicit_bzero(p, n); +#else +#ifdef XP_WIN + /* windows has a secure zero funtion */ + SecureZeroMemory(p, n); +#else + /* if the os doesn't support one of the above, but does support + * memset_explicit, you can add the definition for memset with the + * appropriate define check here */ + /* define an explicitly implementated Safe zero if the OS + * doesn't provide one */ + if (p != NULL) { + volatile unsigned char *__vl = (unsigned char *)p; + size_t __nl = n; + while (__nl--) + *__vl++ = 0; + } +#endif /* no windows SecureZeroMemory */ +#endif /* no explicit_bzero */ +#endif /* no memset_s */ +} + /********************* Arena code follows ***************************** * ArenaPools are like heaps. The memory in them consists of large blocks, * called arenas, which are allocated from the/a system heap. Inside an diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h index 56d945de..68834963 100644 --- a/nss/lib/util/secport.h +++ b/nss/lib/util/secport.h @@ -36,6 +36,9 @@ #include #include +/* ask for Annex K for memset_s. will set the appropriate #define + * if Annex K is supported */ +#define __STDC_WANT_LIB_EXT1__ 1 #include #include #include @@ -255,6 +258,7 @@ sec_port_iso88591_utf8_conversion_function( extern int NSS_PutEnv(const char *envVarName, const char *envValue); +extern void PORT_SafeZero(void *p, size_t n); extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); extern unsigned int NSS_SecureMemcmpZero(const void *mem, size_t n); extern void NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsigned char b); diff --git a/nss/lib/util/utilmod.c b/nss/lib/util/utilmod.c index 3ed7b3dd..e005ed7d 100644 --- a/nss/lib/util/utilmod.c +++ b/nss/lib/util/utilmod.c @@ -308,6 +308,7 @@ nssutil_growList(char ***pModuleList, int *useCount, int last) return SECSuccess; } +#ifndef NSS_DISABLE_DBM static char * _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename) { @@ -332,6 +333,7 @@ _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename) PORT_Free(dirPath); return file; } +#endif // NSS_DISABLE_DBM static SECStatus nssutil_AddSecmodDBEntry(const char *appName, const char *filename, @@ -567,6 +569,7 @@ nssutil_ReadSecmodDB(const char *appName, moduleString = NULL; } done: +#ifndef NSS_DISABLE_DBM /* if we couldn't open a pkcs11 database, look for the old one */ if (fd == NULL) { char *olddbname = _NSSUTIL_GetOldSecmodName(dbname, filename); @@ -591,6 +594,7 @@ nssutil_ReadSecmodDB(const char *appName, PR_smprintf_free(olddbname); } } +#endif // NSS_DISABLE_DBM return_default: diff --git a/nss/mach b/nss/mach index 3d72baa2..efd25781 100755 --- a/nss/mach +++ b/nss/mach @@ -213,7 +213,7 @@ class covAction(argparse.Action): # Don't exit immediately on error symbol_retcode = subprocess.call([ "sancov", - "-blacklist=" + os.path.join(cwd, ".sancov-blacklist"), + "-ignorelist=" + os.path.join(cwd, ".sancov-blacklist"), "-symbolize", sancov_file, os.path.join(cwd, "../dist/Debug/bin/ssl_gtest") ], stdout=out) diff --git a/nss/nss.gyp b/nss/nss.gyp index 9fd8b448..b8cdcd90 100644 --- a/nss/nss.gyp +++ b/nss/nss.gyp @@ -129,6 +129,7 @@ 'cmd/crlutil/crlutil.gyp:crlutil', 'cmd/dbtool/dbtool.gyp:dbtool', 'cmd/modutil/modutil.gyp:modutil', + 'cmd/nssdefaults/nssdefaults.gyp:nssdefaults', 'cmd/pwdecrypt/pwdecrypt.gyp:pwdecrypt', 'cmd/shlibsign/shlibsign.gyp:shlibsign', 'cmd/signtool/signtool.gyp:signtool', @@ -315,7 +316,7 @@ 'target_name': 'fuzz', 'type': 'none', 'dependencies': [ - 'fuzz/fuzz.gyp:nssfuzz', + 'fuzz/fuzz.gyp:fuzz', ], }, ], diff --git a/nss/taskcluster/config.yml b/nss/taskcluster/config.yml new file mode 100644 index 00000000..4412ec4b --- /dev/null +++ b/nss/taskcluster/config.yml @@ -0,0 +1,60 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- +trust-domain: nss + +task-priority: lowest + +workers: + aliases: + images: + provisioner: 'nss-{level}' + implementation: docker-worker + os: linux + worker-type: linux-gcp + b-linux: + provisioner: 'nss-{level}' + implementation: docker-worker + os: linux + worker-type: linux-gcp + b-win2022: + provisioner: 'nss-{level}' + implementation: generic-worker + os: windows + worker-type: b-win2022 + b-osx: + provisioner: releng-hardware + implementation: generic-worker + os: macosx + worker-type: 'nss-{level}-b-osx-1015' + t-linux: + provisioner: nss-t + implementation: docker-worker + os: linux + worker-type: t-linux-xlarge-gcp + +taskgraph: + repositories: + nss: + name: NSS + project-regex: nss + nspr: + name: NSPR + project-regex: nspr + default-repository: https://hg.mozilla.org/projects/nspr + default-ref: default + type: hg + + decision-parameters: 'nss_taskgraph:decision_parameters' + register: 'nss_taskgraph:register' + +treeherder: + group-names: + I: Docker image builds + Builds: Builds with alternative compilers + Cipher: Cipher tests + DBM: Legacy (DBM) database + FIPS: FIPS + SSL: SSL tests + TLS: TLS fuzzing diff --git a/nss/automation/taskcluster/docker-acvp/Dockerfile b/nss/taskcluster/docker/acvp/Dockerfile similarity index 88% rename from nss/automation/taskcluster/docker-acvp/Dockerfile rename to nss/taskcluster/docker/acvp/Dockerfile index af2a0e25..4f3f0c25 100644 --- a/nss/automation/taskcluster/docker-acvp/Dockerfile +++ b/nss/taskcluster/docker/acvp/Dockerfile @@ -2,6 +2,10 @@ FROM rust:1.74 LABEL maintainer="iaroslav.gridin@tuni.fi" +VOLUME /builds/worker/checkouts + +# %include-run-task + # for new clang/llvm RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/sid.list \ && apt-get update \ @@ -17,7 +21,7 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/ git \ gyp \ clang-15 \ - libclang-rt-15-dev \ + libclang-rt-19-dev \ llvm-15 \ ninja-build \ binutils \ @@ -27,7 +31,7 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/ ENV SHELL /bin/bash ENV USER worker ENV LOGNAME $USER -ENV HOME /home/$USER +ENV HOME /builds/$USER ENV HOSTNAME taskcluster-worker ENV LANG en_US.UTF-8 ENV LC_ALL $LANG @@ -40,10 +44,10 @@ RUN locale-gen $LANG \ RUN useradd -d $HOME -s $SHELL -m $USER WORKDIR $HOME +RUN chown -R $USER: $HOME + ADD bin $HOME/bin RUN chmod +x $HOME/bin/* -USER $USER - # Set a default command for debugging. CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-acvp/bin/run.sh b/nss/taskcluster/docker/acvp/bin/run.sh similarity index 88% rename from nss/automation/taskcluster/docker-acvp/bin/run.sh rename to nss/taskcluster/docker/acvp/bin/run.sh index f4c07818..e14fff38 100755 --- a/nss/automation/taskcluster/docker-acvp/bin/run.sh +++ b/nss/taskcluster/docker/acvp/bin/run.sh @@ -9,6 +9,15 @@ export NSS_PATH=$PWD NSS_SOURCES_PATH=$PWD/nss export LD_LIBRARY_PATH=$PWD/dist/Debug/lib/ export RUST_LOG=warn export RUSTFLAGS="-C instrument-coverage" + +cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" . + +if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then + cd nspr + patch -p1 < ../nss/nspr.patch + cd .. +fi + cd nss CC=clang-15 CXX=clang++-15 ./build.sh -g -v --sourcecov --static --disable-tests diff --git a/nss/automation/taskcluster/docker/Dockerfile b/nss/taskcluster/docker/base/Dockerfile similarity index 66% rename from nss/automation/taskcluster/docker/Dockerfile rename to nss/taskcluster/docker/base/Dockerfile index 45958e78..6b5418b5 100644 --- a/nss/automation/taskcluster/docker/Dockerfile +++ b/nss/taskcluster/docker/base/Dockerfile @@ -1,11 +1,18 @@ # Lean image for running the bulk of the NSS CI tests on taskcluster. -FROM ubuntu:bionic-20221215 -LABEL maintainer="Martin Thomson " +FROM ubuntu:focal +VOLUME /builds/worker/checkouts +VOLUME /builds/worker/.cache +VOLUME /builds/worker/workspace + +# %include-run-task + +ENV DEBIAN_FRONTEND noninteractive RUN dpkg --add-architecture i386 RUN apt-get update \ && apt-get install -y --no-install-recommends \ build-essential \ + python3 \ ca-certificates \ clang \ curl \ @@ -28,23 +35,20 @@ RUN apt-get update \ ENV SHELL /bin/bash ENV USER worker ENV LOGNAME $USER -ENV HOME /home/$USER +ENV HOME /builds/worker ENV LANG en_US.UTF-8 ENV LC_ALL $LANG ENV HOST localhost ENV DOMSUF localdomain RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales + && dpkg-reconfigure locales -RUN useradd -d $HOME -s $SHELL -m $USER +RUN useradd -d $HOME -s $SHELL -m $USER && \ + mkdir -p /builds/worker/workspace && \ + mkdir -p /builds/worker/artifacts && \ + chown -R $USER /builds/worker WORKDIR $HOME -# Add build and test scripts. -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER - # Set a default command for debugging. CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-builds/Dockerfile b/nss/taskcluster/docker/builds/Dockerfile similarity index 59% rename from nss/automation/taskcluster/docker-builds/Dockerfile rename to nss/taskcluster/docker/builds/Dockerfile index f7e22495..d520dff6 100644 --- a/nss/automation/taskcluster/docker-builds/Dockerfile +++ b/nss/taskcluster/docker/builds/Dockerfile @@ -2,40 +2,26 @@ # default image, so it's a fair bit bigger. Only use this for builds where # the smaller docker image is missing something. These builds will run on # the leaner configuration. -FROM ubuntu:bionic-20221215 -LABEL maintainer="Martin Thomson " +FROM $DOCKER_IMAGE_PARENT -RUN dpkg --add-architecture i386 +VOLUME /builds/worker/checkouts +VOLUME /builds/worker/workspace +VOLUME /builds/worker/.cache + +ADD bionic.list /etc/apt/sources.list.d/bionic.list RUN apt-get update \ && apt-get install -y --no-install-recommends \ - build-essential \ - ca-certificates \ clang-4.0 \ clang-10 \ - clang \ cmake \ - curl \ g++-4.8-multilib \ g++-5-multilib \ - g++-multilib \ - git \ - gyp \ libelf-dev \ libdw-dev \ libssl-dev \ libssl-dev:i386 \ - libxml2-utils \ - lib32z1-dev \ - linux-libc-dev:i386 \ - llvm-dev \ - locales \ - mercurial \ - ninja-build \ - pkg-config \ valgrind \ - zlib1g-dev \ clang-format-10 \ - sqlite3 \ libabigail-dev \ abigail-tools \ software-properties-common \ @@ -50,27 +36,6 @@ RUN apt-get update \ RUN update-alternatives --install /usr/bin/clang-format \ clang-format $(which clang-format-10) 10 -ENV SHELL /bin/bash -ENV USER worker -ENV LOGNAME $USER -ENV HOME /home/$USER -ENV LANG en_US.UTF-8 -ENV LC_ALL $LANG -ENV HOST localhost -ENV DOMSUF localdomain - -RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales - -RUN useradd -d $HOME -s $SHELL -m $USER -WORKDIR $HOME - -# Add build and test scripts. -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER - # Install golang for bogo tests RUN curl https://dl.google.com/go/go1.23.1.linux-amd64.tar.gz -sLf | tar xzf - -C $HOME ENV PATH "$PATH:$HOME/go/bin" diff --git a/nss/taskcluster/docker/builds/bionic.list b/nss/taskcluster/docker/builds/bionic.list new file mode 100644 index 00000000..1656007f --- /dev/null +++ b/nss/taskcluster/docker/builds/bionic.list @@ -0,0 +1,5 @@ +deb http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse +deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse +deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse +deb http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse + diff --git a/nss/automation/taskcluster/docker-clang-format/Dockerfile b/nss/taskcluster/docker/clang-format/Dockerfile similarity index 91% rename from nss/automation/taskcluster/docker-clang-format/Dockerfile rename to nss/taskcluster/docker/clang-format/Dockerfile index 7f2e0ca7..93b0e19b 100644 --- a/nss/automation/taskcluster/docker-clang-format/Dockerfile +++ b/nss/taskcluster/docker/clang-format/Dockerfile @@ -2,6 +2,10 @@ FROM debian:bookworm-20240904-slim LABEL maintainer="John Schanck " +VOLUME /builds/worker/checkouts + +# %include-run-task + RUN apt-get update \ && apt-get install -y --no-install-recommends \ ca-certificates \ @@ -29,10 +33,7 @@ RUN locale-gen $LANG \ RUN useradd -d $HOME -s $SHELL -m $USER WORKDIR $HOME -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -USER $USER +RUN chown -R $USER: $HOME # Set a default command for debugging. CMD ["/bin/bash", "--login"] diff --git a/nss/automation/taskcluster/docker-fuzz/Dockerfile b/nss/taskcluster/docker/fuzz/Dockerfile similarity index 70% rename from nss/automation/taskcluster/docker-fuzz/Dockerfile rename to nss/taskcluster/docker/fuzz/Dockerfile index b1f93461..8b9ad44e 100644 --- a/nss/automation/taskcluster/docker-fuzz/Dockerfile +++ b/nss/taskcluster/docker/fuzz/Dockerfile @@ -7,6 +7,13 @@ FROM ubuntu:noble-20240605 LABEL maintainer="Martin Thomson " +VOLUME /builds/worker/checkouts +VOLUME /builds/worker/workspace +VOLUME /builds/worker/.cache + +# %include-run-task + +ENV DEBIAN_FRONTEND noninteractive RUN dpkg --add-architecture i386 RUN apt-get update \ && apt-get install -y --no-install-recommends \ @@ -14,13 +21,16 @@ RUN apt-get update \ ca-certificates \ clang \ clang-tools \ + cmake \ curl \ g++-multilib \ git \ gyp \ + libboost-dev \ + libboost-dev:i386 \ libclang-rt-dev \ - libssl-dev \ - libssl-dev:i386 \ + libsqlite3-dev \ + libsqlite3-dev:i386 \ libxml2-utils \ lib32z1-dev \ linux-libc-dev:i386 \ @@ -31,6 +41,7 @@ RUN apt-get update \ pkg-config \ python-is-python3 \ python3-requests \ + python3-toml \ unzip \ valgrind \ zlib1g-dev \ @@ -40,27 +51,21 @@ RUN apt-get update \ ENV SHELL /bin/bash ENV USER worker ENV LOGNAME $USER -ENV HOME /home/$USER +ENV HOME /builds/worker ENV LANG en_US.UTF-8 ENV LC_ALL $LANG ENV HOST localhost ENV DOMSUF localdomain -# Bug 1904395 -ENV NSS_DISABLE_NSPR_TESTS 1 - RUN locale-gen $LANG \ - && DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales + && dpkg-reconfigure locales -RUN useradd -d $HOME -s $SHELL -m $USER +RUN userdel ubuntu && \ + useradd -d $HOME -s $SHELL -m $USER && \ + mkdir -p /builds/worker/workspace && \ + mkdir -p /builds/worker/artifacts && \ + chown -R $USER: /builds/worker WORKDIR $HOME -# Add build and test scripts. -ADD bin $HOME/bin -RUN chmod +x $HOME/bin/* - -# Change user. -USER $USER - # Set a default command for debugging. CMD ["/bin/bash", "--login"] diff --git a/nss/taskcluster/docker/gcc-4.4/Dockerfile b/nss/taskcluster/docker/gcc-4.4/Dockerfile new file mode 100644 index 00000000..ce6def8e --- /dev/null +++ b/nss/taskcluster/docker/gcc-4.4/Dockerfile @@ -0,0 +1,13 @@ +FROM $DOCKER_IMAGE_PARENT +LABEL maintainer="Martin Thomson " + +VOLUME /builds/worker/checkouts +VOLUME /builds/worker/.cache + +RUN sed -e 's/focal/trusty/' /etc/apt/sources.list > /etc/apt/sources.list.d/trusty.list \ + && apt-get update \ + && apt-get install -y --no-install-recommends \ + g++-4.4 \ + gcc-4.4 \ + && rm -rf /var/lib/apt/lists/* \ + && apt-get autoremove -y && apt-get clean -y diff --git a/nss/taskcluster/kinds/build/kind.yml b/nss/taskcluster/kinds/build/kind.yml new file mode 100644 index 00000000..f36c45d2 --- /dev/null +++ b/nss/taskcluster/kinds/build/kind.yml @@ -0,0 +1,30 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +loader: taskgraph.loader.transform:loader + +transforms: + - nss_taskgraph.transforms.build + - nss_taskgraph.transforms.platforms + - taskgraph.transforms.run + - taskgraph.transforms.task + +tasks-from: + - linux.yml + - windows.yml + - macosx.yml + +task-defaults: + run: + using: run-task + checkout: + nss: + path: nss + nspr: + path: nspr + worker: + max-run-time: 3600 + + treeherder: + kind: build diff --git a/nss/taskcluster/kinds/build/linux.yml b/nss/taskcluster/kinds/build/linux.yml new file mode 100644 index 00000000..78adbf81 --- /dev/null +++ b/nss/taskcluster/kinds/build/linux.yml @@ -0,0 +1,69 @@ +task-defaults: + run: + cwd: /builds/worker/workspace + worker-type: b-linux + worker: + artifacts: + - type: directory + path: /builds/worker/artifacts + name: public + +linux32/opt: + description: "Linux 32 (opt)" + +linux32/debug: + description: "Linux 32 (debug)" + +linux32/debug-make: + description: "Linux 32 (debug, make)" + attributes: + make: true + +linux32/debug-fuzz: + description: "Linux 32 (debug, fuzz)" + attributes: + fuzz: true + certs: false + +linux64/opt: + description: "Linux 64 (opt)" + +linux64-asan/debug: + description: "Linux 64 (ASan, debug)" + worker: + env: + UBSAN_OPTIONS: "print_stacktrace=1" + NSS_DISABLE_ARENA_FREE_LIST: "1" + NSS_DISABLE_UNLOAD: "1" + CC: "clang" + CCC: "clang++" + allow-ptrace: true + attributes: + asan: true + +linux64/debug: + description: "Linux 64 (debug)" + +linux64/debug-make: + description: "Linux 64 (debug, make)" + attributes: + make: true + +linux64/opt-make: + description: "Linux 64 (opt, make)" + attributes: + make: true + worker: + env: + BUILD_OPT: "1" + +linux64/opt-fips: + description: "Linux 64 (FIPS opt)" + +linux64/debug-fuzz: + description: "Linux 64 (debug, fuzz)" + attributes: + fuzz: true + certs: false + worker: + allow-ptrace: true diff --git a/nss/taskcluster/kinds/build/macosx.yml b/nss/taskcluster/kinds/build/macosx.yml new file mode 100644 index 00000000..2e8a770f --- /dev/null +++ b/nss/taskcluster/kinds/build/macosx.yml @@ -0,0 +1,17 @@ +task-defaults: + worker-type: b-osx + worker: + artifacts: + - type: directory + path: public + +macosx64/opt: + description: "Mac (opt)" + +macosx64/opt-static: + description: "Mac Static (opt)" + attributes: + static: true + +macosx64/debug: + description: "Mac (debug)" diff --git a/nss/taskcluster/kinds/build/windows.yml b/nss/taskcluster/kinds/build/windows.yml new file mode 100644 index 00000000..7ca40c5b --- /dev/null +++ b/nss/taskcluster/kinds/build/windows.yml @@ -0,0 +1,36 @@ +task-defaults: + worker-type: b-win2022 + worker: + taskcluster-proxy: true + artifacts: + - type: directory + path: public/build + scopes: ["project:releng:services/tooltool/api/download/internal"] + +windows2022-64/debug-make: + description: "Windows 2022 64 (debug, make)" + attributes: + make: true + +windows2022-32/debug-make: + description: "Windows 2022 32 (debug, make)" + attributes: + make: true + +windows2022-64/opt: + description: "Windows 2022 64 (opt)" + +windows2022-64/debug: + description: "Windows 2022 64 (debug)" + +windows2022-64/opt-static: + description: "Windows 2022 64 Static (opt)" + attributes: + static: true + +windows2022-32/opt: + description: "Windows 2022 32 (opt)" + +windows2022-32/debug: + description: "Windows 2022 32 (debug)" + diff --git a/nss/taskcluster/kinds/certs/kind.yml b/nss/taskcluster/kinds/certs/kind.yml new file mode 100644 index 00000000..0c241307 --- /dev/null +++ b/nss/taskcluster/kinds/certs/kind.yml @@ -0,0 +1,61 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- + +transforms: + - taskgraph.transforms.from_deps + - nss_taskgraph.transforms.treeherder + - nss_taskgraph.transforms.platforms + +kind-dependencies: + - build + +tasks: + certs: + description: Generate certificates + from-deps: + copy-attributes: true + with-attributes: + certs: [true] + run: + using: run-task + checkout: + nss: + path: nss + command: + by-platform: + win.*: $VCS_PATH/nss/automation/taskcluster/windows/gen_certs.sh + default: $VCS_PATH/nss/automation/taskcluster/scripts/gen_certs.sh + worker: + max-run-time: 3600 + env: + TC_PARENT_TASK_ID: {task-reference: ''} + artifacts: + by-platform: + linux.*: + - type: directory + path: /builds/worker/artifacts + name: public + win.*: + - type: directory + path: public/build + mac.*: + - type: directory + path: public + docker-image: {in-tree: base} + taskcluster-proxy: + by-platform: + win.*: true + default: false + worker-type: + by-platform: + linux.*: b-linux + win.*: b-win2022 + mac.*: b-osx + treeherder: + symbol: Certs + scopes: + by-platform: + win.*: ["project:releng:services/tooltool/api/download/internal"] + default: [] diff --git a/nss/taskcluster/kinds/docker-image/kind.yml b/nss/taskcluster/kinds/docker-image/kind.yml new file mode 100644 index 00000000..bd5e7951 --- /dev/null +++ b/nss/taskcluster/kinds/docker-image/kind.yml @@ -0,0 +1,27 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- + +loader: taskgraph.loader.transform:loader + +transforms: + - taskgraph.transforms.docker_image:transforms + - taskgraph.transforms.cached_tasks:transforms + - taskgraph.transforms.task:transforms + +tasks: + base: + symbol: I(base) + builds: + symbol: I(builds) + parent: base + acvp: + symbol: I(acvp) + clang-format: + symbol: I(clang-format) + gcc-4.4: + symbol: I(gcc-4.4) + parent: base + fuzz: + symbol: I(fuzz) diff --git a/nss/taskcluster/kinds/fuzz/kind.yml b/nss/taskcluster/kinds/fuzz/kind.yml new file mode 100644 index 00000000..cd16e474 --- /dev/null +++ b/nss/taskcluster/kinds/fuzz/kind.yml @@ -0,0 +1,422 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- + +transforms: + - taskgraph.transforms.task_context + +kind-dependencies: + - build + +task-defaults: + run: + using: run-task + checkout: + nss: + path: nss + command: "${{VCS_PATH}}/nss/automation/taskcluster/scripts/fuzz.sh {target} {corpus} -max_total_time={MAX_FUZZ_TIME}" + worker: + env: + GTESTFILTER: "*Fuzz*" + ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1" + UBSAN_OPTIONS: "print_stacktrace=1" + NSS_DISABLE_ARENA_FREE_LIST: "1" + NSS_DISABLE_UNLOAD: "1" + CC: "clang" + CCC: "clang++" + TC_PARENT_TASK_ID: {task-reference: ""} + allow-ptrace: true + docker-image: {in-tree: fuzz} + max-run-time: 3600 + worker-type: t-linux + task-context: + from-object: + MAX_FUZZ_TIME: 300 + substitution-fields: + - run.command + attributes: + retrigger: true + treeherder: + kind: test + +tasks: + linux64-asn1: + description: Linux x64 ASN1 + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: ASN1 + platform: linux64/debug-fuzz + task-context: + from-object: + target: asn1 + corpus: asn1 + + linux64-certdn: + description: Linux x64 CertDN + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: CertDN + platform: linux64/debug-fuzz + task-context: + from-object: + target: certDN + corpus: certDN + + linux64-pkcs7: + description: Linux x64 PKCS7 + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: PKCS7 + platform: linux64/debug-fuzz + task-context: + from-object: + target: pkcs7 + corpus: pkcs7 + + linux64-pkcs8: + description: Linux x64 PKCS8 + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: PKCS8 + platform: linux64/debug-fuzz + task-context: + from-object: + target: pkcs8 + corpus: pkcs8 + + linux64-pkcs12: + description: Linux x64 PKCS12 + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: PKCS12 + platform: linux64/debug-fuzz + task-context: + from-object: + target: pkcs12 + corpus: pkcs12 + + linux64-quickder: + description: Linux x64 QuickDER + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: QuickDER + platform: linux64/debug-fuzz + task-context: + from-object: + target: quickder + corpus: quickder + + linux64-smime: + description: Linux x64 SMIME + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: SMIME + platform: linux64/debug-fuzz + task-context: + from-object: + target: smime + corpus: smime + + linux64-tls-client: + description: Linux x64 TLS Client + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: TLS-Client + platform: linux64/debug-fuzz + task-context: + from-object: + target: tls-client + corpus: tls-client-no_fuzzer_mode + + linux64-tls-server: + description: Linux x64 TLS Server + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: TLS-Server + platform: linux64/debug-fuzz + task-context: + from-object: + target: tls-server + corpus: tls-server-no_fuzzer_mode + + linux64-dtls-client: + description: Linux x64 DTLS Client + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: DTLS-Client + platform: linux64/debug-fuzz + task-context: + from-object: + target: dtls-client + corpus: dtls-client-no_fuzzer_mode + + linux64-dtls-server: + description: Linux x64 DTLS Server + dependencies: + build: build-linux64/debug-fuzz + treeherder: + symbol: DTLS-Server + platform: linux64/debug-fuzz + task-context: + from-object: + target: dtls-server + corpus: dtls-server-no_fuzzer_mode + + linux64-cryptofuzz: + description: Cryptofuzz + dependencies: + build: build-linux64/debug-fuzz + run: + command: "${{VCS_PATH}}/nss/automation/taskcluster/scripts/cryptofuzz.sh -max_total_time={MAX_FUZZ_TIME}" + treeherder: + symbol: Cryptofuzz + platform: linux64/debug-fuzz + + linux64-tlsfuzz-tls-client: + description: Linux x64 TLS Client + dependencies: + build: build-linux64/debug-tlsfuzz + treeherder: + symbol: TLS(TLS-Client) + platform: linux64/debug-fuzz + task-context: + from-object: + target: tls-client + corpus: tls-client + + linux64-tlsfuzz-tls-server: + description: Linux x64 TLS Server + dependencies: + build: build-linux64/debug-tlsfuzz + treeherder: + symbol: TLS(TLS-Server) + platform: linux64/debug-fuzz + task-context: + from-object: + target: tls-server + corpus: tls-server + + linux64-tlsfuzz-dtls-client: + description: Linux x64 DTLS Client + dependencies: + build: build-linux64/debug-tlsfuzz + treeherder: + symbol: TLS(DTLS-Client) + platform: linux64/debug-fuzz + task-context: + from-object: + target: dtls-client + corpus: dtls-client + + linux64-tlsfuzz-dtls-server: + description: Linux x64 DTLS Server + dependencies: + build: build-linux64/debug-tlsfuzz + treeherder: + symbol: TLS(DTLS-Server) + platform: linux64/debug-fuzz + task-context: + from-object: + target: dtls-server + corpus: dtls-server + + linux32-asn1: + description: Linux 32 ASN1 + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: ASN1 + platform: linux32/debug-fuzz + task-context: + from-object: + target: asn1 + corpus: asn1 + + linux32-certdn: + description: Linux 32 CertDN + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: CertDN + platform: linux32/debug-fuzz + task-context: + from-object: + target: certDN + corpus: certDN + + linux32-pkcs7: + description: Linux 32 PKCS7 + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: PKCS7 + platform: linux32/debug-fuzz + task-context: + from-object: + target: pkcs7 + corpus: pkcs7 + + linux32-pkcs8: + description: Linux 32 PKCS8 + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: PKCS8 + platform: linux32/debug-fuzz + task-context: + from-object: + target: pkcs8 + corpus: pkcs8 + + linux32-pkcs12: + description: Linux 32 PKCS12 + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: PKCS12 + platform: linux32/debug-fuzz + task-context: + from-object: + target: pkcs12 + corpus: pkcs12 + + linux32-quickder: + description: Linux 32 QuickDER + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: QuickDER + platform: linux32/debug-fuzz + task-context: + from-object: + target: quickder + corpus: quickder + + linux32-smime: + description: Linux 32 SMIME + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: SMIME + platform: linux32/debug-fuzz + task-context: + from-object: + target: smime + corpus: smime + + linux32-tls-client: + description: Linux 32 TLS Client + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: TLS-Client + platform: linux32/debug-fuzz + task-context: + from-object: + target: tls-client + corpus: tls-client-no_fuzzer_mode + + linux32-tls-server: + description: Linux 32 TLS Server + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: TLS-Server + platform: linux32/debug-fuzz + task-context: + from-object: + target: tls-server + corpus: tls-server-no_fuzzer_mode + + linux32-dtls-client: + description: Linux 32 DTLS Client + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: DTLS-Client + platform: linux32/debug-fuzz + task-context: + from-object: + target: dtls-client + corpus: dtls-client-no_fuzzer_mode + + linux32-dtls-server: + description: Linux 32 DTLS Server + dependencies: + build: build-linux32/debug-fuzz + treeherder: + symbol: DTLS-Server + platform: linux32/debug-fuzz + task-context: + from-object: + target: dtls-server + corpus: dtls-server-no_fuzzer_mode + + linux32-cryptofuzz: + description: Cryptofuzz + dependencies: + build: build-linux32/debug-fuzz + run: + command: "${{VCS_PATH}}/nss/automation/taskcluster/scripts/cryptofuzz.sh -max_total_time={MAX_FUZZ_TIME}" + treeherder: + symbol: Cryptofuzz + platform: linux32/debug-fuzz + + linux32-tlsfuzz-tls-client: + description: Linux 32 TLS Client + dependencies: + build: build-linux32/debug-tlsfuzz + treeherder: + symbol: TLS(TLS-Client) + platform: linux32/debug-fuzz + task-context: + from-object: + target: tls-client + corpus: tls-client + + linux32-tlsfuzz-tls-server: + description: Linux 32 TLS Server + dependencies: + build: build-linux32/debug-tlsfuzz + treeherder: + symbol: TLS(TLS-Server) + platform: linux32/debug-fuzz + task-context: + from-object: + target: tls-server + corpus: tls-server + + linux32-tlsfuzz-dtls-client: + description: Linux 32 DTLS Client + dependencies: + build: build-linux32/debug-tlsfuzz + treeherder: + symbol: TLS(DTLS-Client) + platform: linux32/debug-fuzz + task-context: + from-object: + target: dtls-client + corpus: dtls-client + + linux32-tlsfuzz-dtls-server: + description: Linux 32 DTLS Server + dependencies: + build: build-linux32/debug-tlsfuzz + treeherder: + symbol: TLS(DTLS-Server) + platform: linux32/debug-fuzz + task-context: + from-object: + target: dtls-server + corpus: dtls-server diff --git a/nss/taskcluster/kinds/test/cipher.yml b/nss/taskcluster/kinds/test/cipher.yml new file mode 100644 index 00000000..8d87c815 --- /dev/null +++ b/nss/taskcluster/kinds/test/cipher.yml @@ -0,0 +1,76 @@ +task-defaults: + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: cipher + max-run-time: 7200 + from-deps: + kinds: [certs] + with-attributes: + nspr: [false] + dbm: [false] + cc: [false] + make-fips: [false] + +cipher: + description: Cipher tests + treeherder: + symbol: Cipher(Default) + +cipher-noaes: + description: Cipher tests, no AES + treeherder: + symbol: Cipher(NoAES) + worker: + env: + NSS_DISABLE_HW_AES: "1" + +cipher-nosha: + description: Cipher tests, no SHA + treeherder: + symbol: Cipher(NoSHA) + worker: + env: + NSS_DISABLE_HW_SHA1: "1" + NSS_DISABLE_HW_SHA2: "1" + +cipher-nopclmul: + description: Cipher tests, no PCLMUL + treeherder: + symbol: Cipher(NoPCLMUL) + worker: + env: + NSS_DISABLE_PCLMUL: "1" + +cipher-noavx: + description: Cipher tests, no AVX + treeherder: + symbol: Cipher(NoAVX) + worker: + env: + NSS_DISABLE_AVX: "1" + +cipher-noavx: + description: Cipher tests, no AVX2 + treeherder: + symbol: Cipher(NoAVX2) + worker: + env: + NSS_DISABLE_AVX2: "1" + +cipher-nossse3: + description: Cipher tests, no SSSE3|NEON + treeherder: + symbol: Cipher(NoSSSE3|NEON) + worker: + env: + NSS_DISABLE_ARM_NEON: "1" + NSS_DISABLE_SSSE3: "1" + +cipher-nosse41: + description: Cipher tests, no SSE4.1 + treeherder: + symbol: Cipher(NoSSE4.1) + worker: + env: + NSS_DISABLE_SSE4_1: "1" diff --git a/nss/taskcluster/kinds/test/kind.yml b/nss/taskcluster/kinds/test/kind.yml new file mode 100644 index 00000000..8aa3920b --- /dev/null +++ b/nss/taskcluster/kinds/test/kind.yml @@ -0,0 +1,355 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- + +transforms: + - taskgraph.transforms.from_deps + - nss_taskgraph.transforms.from_deps_task_name + - nss_taskgraph.transforms.platforms + - nss_taskgraph.transforms.treeherder + +kind-dependencies: + - build + - certs + +task-defaults: + from-deps: + copy-attributes: true + set-name: false + worker: + env: + NSS_MAX_MP_PBE_ITERATION_COUNT: "100" + max-run-time: 3600 + taskcluster-proxy: + by-platform: + win.*: true + default: false + docker-image: {in-tree: base} + run: + using: run-task + checkout: + nss: + path: nss + command: + by-platform: + win.*: "${VCS_PATH}/nss/automation/taskcluster/windows/run_tests.sh" + default: "${VCS_PATH}/nss/automation/taskcluster/scripts/run_tests.sh" + attributes: + retrigger: true + scopes: + by-platform: + win.*: ["project:releng:services/tooltool/api/download/internal"] + default: [] + worker-type: + by-platform: + linux.*: t-linux + mac.*: b-osx + win.*: b-win2022 + +tasks-from: + - cipher.yml + +tasks: + # Schedule tests that do NOT need certificates. This is defined as + # the test itself not needing certs AND not running under the upgradedb + # cycle (which itself needs certs). If cycle is not defined, default is all. + gtests: + description: Gtests + from-deps: + kinds: [build] + with-attributes: + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + fuzz: [false] + worker: + env: + NSS_CYCLES: standard + NSS_TESTS: ssl_gtests gtests + TC_PARENT_TASK_ID: {task-reference: ""} + treeherder: + symbol: Gtest + + gtests-tlsfuzz: + description: Gtests + from-deps: + kinds: [build] + with-attributes: + tlsfuzz: [true] + worker: + env: + NSS_CYCLES: standard + NSS_TESTS: ssl_gtests gtests + TC_PARENT_TASK_ID: {task-reference: ""} + GTESTFILTER: "*Fuzz*" + docker-image: {in-tree: fuzz} + treeherder: + symbol: Gtest + + bogo: + description: Bogo tests + from-deps: + kinds: [build] + with-attributes: + build_platform: + - linux32 + - linux32-make + - linux64 + - linux64-make + - linux64-asan + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + make-fips: [false] + fuzz: [false] + worker: + docker-image: {in-tree: builds} + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_CYCLES: standard + NSS_TESTS: bogo + treeherder: + symbol: Bogo + + tlsfuzzer: + description: tlsfuzzer tests + from-deps: + kinds: + - build + with-attributes: + build_platform: + - linux32 + - linux32-make + - linux64 + - linux64-make + - linux64-asan + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + fuzz: [false] + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_CYCLES: standard + NSS_TESTS: tlsfuzzer + treeherder: + symbol: tlsfuzzer + + mpi: + description: MPI tests + treeherder: + symbol: MPI + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_CYCLES: standard + NSS_TESTS: mpi + from-deps: + kinds: [build] + with-attributes: + nspr: [false] + dbm: [false] + cc: [false] + modular: [false] + fuzz: [false] + + # Schedule tests that need certificates. + chains: + description: Chains tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + # Only old make builds have -Ddisable_libpkix=0 and can run chain tests. + make: [true] + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: chains + max-run-time: + by-platform: + win.*: 7200 + default: 3600 + treeherder: + symbol: Chains + + ec: + description: EC tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: EC + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: ec + + lowhash: + description: Lowhash tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: Lowhash + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: lowhash + + sdr: + description: SDR tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: SDR + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: sdr + + policy: + description: Policy tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: Policy + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: policy + + crmf: + description: CRMF tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: CRMF + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: crmf + + db: + description: DB tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: DB + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: dbtests + + merge: + description: Merge tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: Merge + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: merge + + smime: + description: S/MIME tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: SMIME + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: smime + + tools: + description: Tools tests + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: Tools + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: tools + + # SSL tests, need certificates too. + ssl-standard: + description: SSL tests (standard) + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: SSL(standard) + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: ssl + NSS_CYCLES: standard + NSS_SSL_TESTS: crl iopr policy normal_normal + + ssl-pkix: + description: SSL tests (pkix) + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: SSL(pkix) + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: ssl + NSS_CYCLES: pkix + NSS_SSL_TESTS: crl iopr policy normal_normal + + ssl-stress: + description: SSL tests (stress) + from-deps: + kinds: [certs] + with-attributes: + dbm: [false] + make-fips: [false] + treeherder: + symbol: SSL(stress) + worker: + env: + TC_PARENT_TASK_ID: {task-reference: ""} + NSS_TESTS: ssl + NSS_CYCLES: sharedb + NSS_SSL_RUN: stress + NSS_SSL_TESTS: normal_normal diff --git a/nss/taskcluster/kinds/tools/kind.yml b/nss/taskcluster/kinds/tools/kind.yml new file mode 100644 index 00000000..38a348d4 --- /dev/null +++ b/nss/taskcluster/kinds/tools/kind.yml @@ -0,0 +1,89 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +--- + +task-defaults: + treeherder: + platform: nss-tools/opt + kind: test + worker-type: b-linux + run: + using: run-task + checkout: + nss: + path: nss + worker: + artifacts: + - path: /builds/worker/artifacts + type: directory + name: public + max-run-time: 3600 + +tasks: + abi: + description: ABI check + treeherder: + symbol: abi + worker: + docker-image: {in-tree: builds} + run: + command: "${VCS_PATH}/nss/automation/taskcluster/scripts/check_abi.sh" + checkout: + nspr: + path: nspr + + clang-format: + description: Run clang-format + treeherder: + symbol: clang-format + worker: + docker-image: {in-tree: clang-format} + run: + command: "${VCS_PATH}/nss/automation/clang-format/run_clang_format.sh" + + acvp: + description: ACVP + treeherder: + symbol: acvp + worker: + docker-image: {in-tree: acvp} + run: + command: "bin/run.sh" + + scan-build: + description: Run scan-build + treeherder: + symbol: scan-build + worker: + docker-image: {in-tree: fuzz} + env: + USE_64: "1" + CC: clang + CCC: clang++ + run: + command: "${VCS_PATH}/nss/automation/taskcluster/scripts/run_scan_build.sh" + checkout: + nspr: + path: nspr + + hacl: + description: HACL checks + treeherder: + symbol: hacl + worker: + docker-image: {in-tree: builds} + run: + command: "${VCS_PATH}/nss/automation/taskcluster/scripts/run_hacl.sh" + + coverage: + description: Generate coverage report + treeherder: + symbol: Coverage + worker: + docker-image: {in-tree: fuzz} + run: + command: "${VCS_PATH}/nss/automation/taskcluster/scripts/gen_coverage_report.sh" + checkout: + nspr: + path: nspr diff --git a/nss/taskcluster/nss_taskgraph/__init__.py b/nss/taskcluster/nss_taskgraph/__init__.py new file mode 100644 index 00000000..918ba0e8 --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/__init__.py @@ -0,0 +1,90 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import argparse +import os +import re +import shlex + +from taskgraph.decision import PER_PROJECT_PARAMETERS +from taskgraph.parameters import extend_parameters_schema +from taskgraph.util.vcs import get_repository +from voluptuous import Any, Optional, Required + + +TRY_SYNTAX_RE = re.compile(r"\btry:\s*(.*)\s*$", re.M) + +def parse_try_syntax(message): + parser = argparse.ArgumentParser() + parser.add_argument("--nspr-patch", action="store_true") + parser.add_argument("-b", "--build", default="do") + parser.add_argument("-p", "--platform", default="all") + parser.add_argument("-u", "--unittests", default="none") + parser.add_argument("-t", "--tools", default="none") + parser.add_argument("-e", "--extra-builds") + match = TRY_SYNTAX_RE.search(message) + if not match: + return + args = shlex.split(match.group(1)) + opts = parser.parse_args(args) + builds = [t for t in opts.build if t in ["d", "o"]] + # If the given value is nonsense default to debug and opt builds. + if not builds: + builds = ["d", "o"] + + platforms = opts.platform.split(",") + + unittests = opts.unittests.split(",") + if "gtests" in unittests: + unittests.append("gtest") + + tools = opts.tools.split(",") + return { + "nspr_patch": opts.nspr_patch, + "builds": builds, + "platforms": platforms, + "unittests": unittests, + "tools": tools, + "extra": opts.extra_builds == "all", + } + + +def decision_parameters(graph_config, parameters): + repo_path = os.getcwd() + repo = get_repository(repo_path) + try: + commit_message = repo.get_commit_message() + except UnicodeDecodeError: + commit_message = "" + parameters["try_options"] = {} + if parameters["project"] != "nss-try": + return + args = parse_try_syntax(commit_message) + if args: + parameters["try_options"] = args + + +def default_parameters(repo_root): + return { + "try_options": {}, + } + + +def register(graph_config): + schema = { + Optional("try_options"): { + Optional("nspr_patch"): bool, + Optional("builds"): [Any("d", "o")], + Optional("platforms"): [str], + Optional("unittests"): [str], + Optional("tools"): [str], + Optional("extra"): bool, + }, + } + extend_parameters_schema(schema, default_parameters) + + from . import target_tasks + + PER_PROJECT_PARAMETERS["nss-try"] = {"target_tasks_method": "nss_try_tasks"} + diff --git a/nss/taskcluster/nss_taskgraph/target_tasks.py b/nss/taskcluster/nss_taskgraph/target_tasks.py new file mode 100644 index 00000000..2c84b3bf --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/target_tasks.py @@ -0,0 +1,91 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +from taskgraph.target_tasks import register_target_task, target_tasks_default + + +def filter_build_type(build_types, task): + if "o" in build_types and "opt" in task.attributes["build_type"]: + return True + if "d" in build_types and "debug" in task.attributes["build_type"]: + return True + + +PLATFORM_ALIASES = { + "aarch64-make": "aarch64", + "linux": "linux32", + "linux-fuzz": "linux32", + "linux64-fips": "linux64", + "linux64-fuzz": "linux64", + "linux64-make": "linux64", + "linux-make": "linux32", + "win64-make": "windows2022-64", + "win-make": "windows2022-32", + "win64": "windows2022-64", + "win": "windows2022-32", +} + + +def filter_platform(platform, task): + if "build_platform" not in task.attributes: + return False + if platform == "all": + return True + task_platform = task.attributes["build_platform"] + # Check the platform name. + keep = task_platform == PLATFORM_ALIASES.get(platform, platform) + # Additional checks. + if platform == "linux64-fips": + keep &= task.attributes["fips"] + elif ( + platform == "linux64-make" + or platform == "linux-make" + or platform == "win64-make" + or platform == "win-make" + or platform == "aarch64-make" + ): + keep &= task.attributes["make"] + elif platform == "linux64-fuzz" or platform == "linux-fuzz": + keep &= task.attributes["fuzz"] + return keep + + +def filter_try_syntax(options, task): + symbol = task.task["extra"]["treeherder"]["symbol"].lower() + group = task.task["extra"]["treeherder"].get("groupSymbol", "").lower() + + # Filter tools. We can immediately return here as those + # are not affected by platform or build type selectors. + if task.kind == "tools": + return any(t in options["tools"] for t in ["all", symbol]) + + # Filter unit tests. + if task.kind == "test": + tests = {"all", symbol} + if group in ("cipher", "ssl"): + tests.add(group) + if not any(t in options["unittests"] for t in tests): + return False + + # Filter extra builds. + if group == "builds" and not options["extra"]: + return False + + # Filter by platform. + if not any(filter_platform(platform, task) for platform in options["platforms"]): + return False + + # Finally, filter by build type. + return filter_build_type(options["builds"], task) + + +@register_target_task("nss_try_tasks") +def target_tasks_try(full_task_graph, parameters, graph_config): + if not parameters["try_options"]: + return target_tasks_default(full_task_graph, parameters, graph_config) + return [ + t.label + for t in full_task_graph + if filter_try_syntax(parameters["try_options"], t) + ] diff --git a/nss/taskcluster/nss_taskgraph/transforms/__init__.py b/nss/taskcluster/nss_taskgraph/transforms/__init__.py new file mode 100644 index 00000000..e69de29b diff --git a/nss/taskcluster/nss_taskgraph/transforms/build.py b/nss/taskcluster/nss_taskgraph/transforms/build.py new file mode 100644 index 00000000..19ef28dd --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/transforms/build.py @@ -0,0 +1,225 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +from copy import deepcopy +from taskgraph.transforms.base import TransformSequence + +transforms = TransformSequence() + + +@transforms.add +def set_build_attributes(config, jobs): + """ + Set the build_platform and build_type attributes based on the job name. + """ + for job in jobs: + build_platform, build_type = job["name"].split("/") + attributes = job.setdefault("attributes", {}) + attributes.update( + { + "build_platform": build_platform, + "build_type": build_type, + } + ) + + yield job + + +EXTRA_COMPILERS = { + "clang-4": {"CC": "clang-4.0", "CCC": "clang++-4.0"}, + "clang-10": {"CC": "clang-10", "CCC": "clang++-10"}, + # gcc-4.6 introduced nullptr. + "gcc-4.4": {"CC": "gcc-4.4", "CCC": "g++-4.4", "NSS_DISABLE_GTESTS": "1"}, + # gcc-4.8 has incomplete c++11 support + "gcc-4.8": {"CC": "gcc-4.8", "CCC": "g++-4.8", "NSS_DISABLE_GTESTS": "1"}, + "gcc-5": {"CC": "gcc-5", "CCC": "g++-5"}, + "gcc-11": {"CC": "gcc-11", "CCC": "g++-11"}, +} + + +@transforms.add +def add_variants(config, jobs): + for job in jobs: + attributes = job["attributes"] + + # nspr + if not any(attributes.get(attr) for attr in ("make", "asan", "fuzz")): + nspr_job = deepcopy(job) + nspr_job["name"] = f"{attributes['build_platform']}-nspr/{attributes['build_type']}" + nspr_job["description"]+= " (NSPR only)" + nspr_job["attributes"]["nspr"] = True + yield nspr_job + + # base build + build_job = deepcopy(job) + build_job["attributes"].setdefault("certs", True) + yield build_job + + # fips + if attributes.get("make"): + fips_build = deepcopy(job) + fips_build["name"] = f"{attributes['build_platform']}-fips/{attributes['build_type']}" + fips_build["description"] += " w/ NSS_FORCE_FIPS" + fips_build.setdefault("worker", {}).setdefault("env", {})["NSS_FORCE_FIPS"] = "1" + fips_build["attributes"]["make-fips"] = True + fips_build["attributes"]["certs"] = True + yield fips_build + + if "linux" in attributes["build_platform"]: + # more compilers + if not attributes.get("asan") and not attributes.get("fuzz"): + for cc in EXTRA_COMPILERS: + if cc == "gcc-4.4" and not (attributes.get("make") and job["attributes"]["build_platform"].startswith("linux64")): + # Use the old Makefile-based build system, GYP doesn't have a proper GCC + # version check for __int128 support. It's mainly meant to cover RHEL6. + continue + if cc == "gcc-4.8" and not attributes.get("make"): + # Use -Ddisable-intelhw_sha=1, GYP doesn't have a proper GCC version + # check for Intel SHA support. + continue + cc_job = deepcopy(job) + cc_job["name"] += f"-{cc}" + cc_job["description"] += f" w/ {cc}" + cc_job["attributes"]["cc"] = cc + cc_job.setdefault("worker", {}).setdefault("env", {}).update(EXTRA_COMPILERS[cc]) + yield cc_job + + # modular + if attributes.get("make"): + modular_job = deepcopy(job) + modular_job["attributes"]["modular"] = True + modular_job.setdefault("worker", {}).setdefault("env", {})["NSS_BUILD_MODULAR"] = "1" + modular_job["name"] += "-modular" + modular_job["description"] += " w/ modular builds" + yield modular_job + + # dbm + if not attributes.get("make") and not attributes.get("fuzz"): + dbm_job = deepcopy(job) + dbm_job["attributes"]["dbm"] = True + dbm_job["attributes"].setdefault("certs", True) + dbm_job["name"] += "-dbm" + dbm_job["description"] += " w/ legacy-db" + yield dbm_job + + if attributes.get("fuzz"): + tlsfuzz_job = deepcopy(job) + tlsfuzz_job["attributes"]["tlsfuzz"] = True + tlsfuzz_job["name"] = job["name"].replace("-fuzz", "-tlsfuzz") + tlsfuzz_job["description"] = job["description"].replace("fuzz", "TLS fuzz") + yield tlsfuzz_job + + +@transforms.add +def set_attributes_defaults(config, jobs): + for job in jobs: + attributes = job["attributes"] + for attr in ("make", "asan", "make-fips", "fuzz", "certs", "nspr", "cc", "dbm", "modular", "tlsfuzz"): + attributes.setdefault(attr, False) + yield job + + +@transforms.add +def set_make_command(config, jobs): + for job in jobs: + if not job["attributes"].get("make"): + yield job + continue + platform = job["attributes"]["build_platform"] + if "win" in platform: + script = "${VCS_PATH}/nss/automation/taskcluster/windows/build.sh" + else: + script = "${VCS_PATH}/nss/automation/taskcluster/scripts/build.sh" + if "64" in job["attributes"]["build_platform"]: + job["worker"].setdefault("env", {})["USE_64"] = "1" + job["run"]["command"] = script + yield job + + +@transforms.add +def set_gyp_command(config, jobs): + for job in jobs: + attributes = job["attributes"] + if attributes.get("make"): + yield job + continue + platform = attributes["build_platform"] + if "win" in platform: + script = "${VCS_PATH}/nss/automation/taskcluster/windows/build_gyp.sh" + else: + script = "${VCS_PATH}/nss/automation/taskcluster/scripts/build_gyp.sh" + command = script + " --python=python3" + if "64" not in platform: + command += " -t ia32" + if attributes["build_type"] in ("opt", "opt-static"): + command += " --opt" + if "fips" in attributes["build_type"]: + command += " --enable-fips" + if attributes.get("asan"): + command += " --ubsan --asan" + if attributes.get("nspr"): + command += " --nspr-only --nspr-test-build --nspr-test-run" + if attributes.get("static"): + command += " --static -Ddisable_libpkix=1" + if attributes.get("fuzz"): + command += " --disable-tests -Ddisable_libpkix=1 --fuzz" + job.setdefault("worker", {}).setdefault("env", {}).update({ + "ASAN_OPTIONS": "allocator_may_return_null=1:detect_stack_use_after_return=1", + "UBSAN_OPTIONS": "print_stacktrace=1", + "NSS_DISABLE_ARENA_FREE_LIST": "1", + "NSS_DISABLE_UNLOAD": "1", + "CC": "clang", + "CCC": "clang++", + }) + if attributes.get("tlsfuzz"): + command += "=tls" + else: + command += " && nss/automation/taskcluster/scripts/build_cryptofuzz.sh" + if "64" not in platform: + command += " --i386" + job["run"]["command"] = command + yield job + +@transforms.add +def set_docker_image(config, jobs): + for job in jobs: + if "linux" not in job["attributes"]["build_platform"]: + yield job + continue + + if job["attributes"].get("cc") == "gcc-4.4": + image = "gcc-4.4" + elif job["attributes"].get("cc"): + image = "builds" + elif job["attributes"].get("fuzz"): + image = "fuzz" + else: + image = "base" + job["worker"]["docker-image"] = {"in-tree": image} + yield job + + +def get_job_symbol(job): + if job["attributes"].get("nspr"): + return "NSPR" + if job["attributes"].get("cc"): + return f"Builds({job['attributes']['cc']})" + if job["attributes"].get("tlsfuzz"): + return "TLS(B)" + if job["attributes"].get("dbm"): + return "DBM(B)" + if job["attributes"].get("make-fips"): + return "FIPS(B)" + if job["attributes"].get("modular"): + return "Builds(modular)" + return "B" + +@transforms.add +def set_treeherder_symbol(config, jobs): + for job in jobs: + job["treeherder"].update({ + "symbol": get_job_symbol(job), + "platform": f'{job["attributes"]["build_platform"]}/{job["attributes"]["build_type"]}', + }) + yield job diff --git a/nss/taskcluster/nss_taskgraph/transforms/from_deps_task_name.py b/nss/taskcluster/nss_taskgraph/transforms/from_deps_task_name.py new file mode 100644 index 00000000..7d1f36f9 --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/transforms/from_deps_task_name.py @@ -0,0 +1,19 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +from taskgraph.transforms.base import TransformSequence +from taskgraph.util.set_name import set_name_strip_kind + +transforms = TransformSequence() + + +@transforms.add +def set_task_name(config, tasks): + # set the name of tasks created by the from_deps transforms by appending + # the primary dependency's label to the name from kind.yml + for task in tasks: + primary_kind = task["attributes"]["primary-kind-dependency"] + primary_dep = [dep for dep in config.kind_dependencies_tasks.values() if dep.label in task["dependencies"].values()][0] + task["name"] += f"-{set_name_strip_kind(config, [], primary_dep, primary_kind)}" + yield task diff --git a/nss/taskcluster/nss_taskgraph/transforms/platforms.py b/nss/taskcluster/nss_taskgraph/transforms/platforms.py new file mode 100644 index 00000000..a45dbfbf --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/transforms/platforms.py @@ -0,0 +1,40 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +from taskgraph.transforms.base import TransformSequence +from taskgraph.util.schema import resolve_keyed_by + +transforms = TransformSequence() + + +@transforms.add +def resolve_platform_differences(config, tasks): + for task in tasks: + for key in ("worker-type", "run.command", "scopes", "worker.artifacts", "worker.taskcluster-proxy", "worker.max-run-time"): + resolve_keyed_by(task, key, task["name"], platform=task["attributes"]["build_platform"]) + yield task + + +@transforms.add +def add_env_vars(config, tasks): + for task in tasks: + env = task["worker"].setdefault("env", {}) + if task["attributes"]["build_platform"].startswith(("mac", "windows")): + env.update({"DOMSUF": "localdomain", "HOST": "localhost"}) + + if task["attributes"]["build_platform"].startswith("mac"): + env.update({"NSS_TASKCLUSTER_MAC": "1"}) + + if config.params["try_options"].get("allow_nspr_patch"): + env.update({"ALLOW_NSPR_PATCH": "1"}) + + yield task + + +@transforms.add +def remove_docker_image_for_gw(config, tasks): + for task in tasks: + if task["attributes"]["build_platform"].startswith(("mac", "windows")): + task["worker"].pop("docker-image", None) + yield task diff --git a/nss/taskcluster/nss_taskgraph/transforms/treeherder.py b/nss/taskcluster/nss_taskgraph/transforms/treeherder.py new file mode 100644 index 00000000..fb18a248 --- /dev/null +++ b/nss/taskcluster/nss_taskgraph/transforms/treeherder.py @@ -0,0 +1,15 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +from taskgraph.transforms.base import TransformSequence + +transforms = TransformSequence() + +@transforms.add +def set_treeherder_symbol(config, tasks): + for task in tasks: + dep = config.kind_dependencies_tasks[task["dependencies"][task["attributes"]["primary-kind-dependency"]]] + if dep.task["extra"]["treeherder"].get("groupSymbol"): + task["treeherder"]["symbol"] = f'{dep.task["extra"]["treeherder"].get("groupSymbol")}({task["treeherder"]["symbol"]})' + task["treeherder"]["platform"] = f'{task["attributes"]["build_platform"]}/{task["attributes"]["build_type"]}' + yield task diff --git a/nss/tests/cert/cert.sh b/nss/tests/cert/cert.sh index 67951f6e..c2161628 100755 --- a/nss/tests/cert/cert.sh +++ b/nss/tests/cert/cert.sh @@ -1688,7 +1688,7 @@ cert_inc_count() ######################################################################## cert_san_and_generic_extensions() { - EXTDUMP=${CERT_EXTENSIONS_DIR}/sanext.der + EXTDUMP=sanext.der DIR="-d ${CERT_EXTENSIONS_DIR} -f ${R_PWFILE}" CERTNAME="-n WithSAN" @@ -2662,7 +2662,7 @@ cert_test_password cert_test_distrust cert_test_ocspresp cert_test_rsapss -if [ "${TEST_MODE}" = "SHARED_DB" ] ; then +if using_sql ; then cert_test_rsapss_policy fi cert_test_token_uri diff --git a/nss/tests/chains/scenarios/nameconstraints.cfg b/nss/tests/chains/scenarios/nameconstraints.cfg index a2de4be4..cf264f5a 100644 --- a/nss/tests/chains/scenarios/nameconstraints.cfg +++ b/nss/tests/chains/scenarios/nameconstraints.cfg @@ -99,7 +99,7 @@ verify NameConstraints.server11:x cert NameConstraints.intermediate3:x result pass -# Subject: "C=US, ST=CA, O=Foo, CN=Honest Achmed" +# Subject: "C=US, ST=CA, O=Foo, CN=Certified pre-owned" # Fail: CN does not match DNS name constraints - even though is not 'DNS shaped' verify NameConstraints.server12:x cert NameConstraints.intermediate4:x diff --git a/nss/tests/common/init.sh b/nss/tests/common/init.sh index 0a085abf..cdf0a3c7 100644 --- a/nss/tests/common/init.sh +++ b/nss/tests/common/init.sh @@ -365,6 +365,15 @@ NSS=trustOrder=100 LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1" } + using_sql() + { + dbtype=$(nssdefaults --dbtype) + if [ ${dbtype##*: } = "sql" ]; then + return 0; # success case for bash + fi + return 1; # fail case for bash + } + #directory name init SCRIPTNAME=init.sh @@ -390,6 +399,7 @@ NSS=trustOrder=100 if [ -z "${OBJDIR}" -o -z "${OS_ARCH}" -o -z "${DLL_PREFIX}" -o -z "${DLL_SUFFIX}" ]; then MAKE=gmake $MAKE -v >/dev/null 2>&1 || MAKE=make + $MAKE -v >/dev/null 2>&1 || MAKE=mozmake $MAKE -v >/dev/null 2>&1 || { echo "You are missing make."; exit 5; } MAKE="$MAKE --no-print-directory" fi @@ -410,7 +420,7 @@ NSS=trustOrder=100 if [ "${DLL_SUFFIX}" = "" ]; then DLL_SUFFIX=`(cd $COMMON; $MAKE dll_suffix)` fi - OS_NAME=`uname -s | sed -e "s/-[0-9]*\.[0-9]*//" | sed -e "s/-WOW64//"` + OS_NAME=`uname -s | sed -e "s/-[0-9.-]*//" | sed -e "s/-WOW64//"` BINDIR="${DIST}/${OBJDIR}/bin" @@ -441,7 +451,7 @@ NSS=trustOrder=100 #in case of backward comp. tests the calling scripts set the #PATH and LD_LIBRARY_PATH and do not want them to be changed if [ -z "${DON_T_SET_PATHS}" -o "${DON_T_SET_PATHS}" != "TRUE" ] ; then - if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" ]; then + if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" != "CYGWIN_NT" -a "$OS_NAME" != "MINGW32_NT" -a "$OS_NAME" != "MSYS_NT" ]; then PATH=.\;${DIST}/${OBJDIR}/bin\;${DIST}/${OBJDIR}/lib\;$PATH PATH=`perl ../path_uniq -d ';' "$PATH"` elif [ "${OS_ARCH}" = "Android" ]; then diff --git a/nss/tests/dbtests/dbtests.sh b/nss/tests/dbtests/dbtests.sh index c82ea85c..50270077 100755 --- a/nss/tests/dbtests/dbtests.sh +++ b/nss/tests/dbtests/dbtests.sh @@ -109,7 +109,7 @@ dbtest_main() Echo "test opening the database readonly in an empty directory" mkdir $EMPTY_DIR - ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR + ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR ret=$? if [ $ret -ne 1 ]; then html_failed "Tstclnt succeded in an empty directory $ret" diff --git a/nss/tests/fips/cavs_scripts/validate1.sh b/nss/tests/fips/cavs_scripts/validate1.sh index c4db8197..b61b032b 100755 --- a/nss/tests/fips/cavs_scripts/validate1.sh +++ b/nss/tests/fips/cavs_scripts/validate1.sh @@ -13,18 +13,20 @@ # The sed line always clears out Windows line endings, replaces tabs with # spaces, and removed comments. # +set -e + TESTDIR=${1-.} request=${2} extraneous_response=${3} extraneous_fax=${4} name=`basename $request .req` echo ">>>>> $name" -sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1 +sed -e 's;\r;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1 # if we didn't generate any output, flag that as an error -size=`sum /tmp/y1 | awk '{ print $NF }'` +size=`sum /tmp/y1 | awk '{ print $1 }'` if [ $size -eq 0 ]; then echo "${TESTDIR}/resp/${name}.rsp: empty" exit 1; fi -sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2 +sed -e 's;\r;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2 diff -i -w -B /tmp/y1 /tmp/y2 diff --git a/nss/tests/gtests/gtests.sh b/nss/tests/gtests/gtests.sh index 4e04b610..06219a82 100755 --- a/nss/tests/gtests/gtests.sh +++ b/nss/tests/gtests/gtests.sh @@ -65,11 +65,6 @@ gtest_start() pushd "$DIR" GTESTREPORT="$DIR/report.xml" PARSED_REPORT="$DIR/report.parsed" - # The mozilla::pkix gtests cause an ODR violation that we ignore. - # See bug 1588567. - if [ "$i" = "mozpkix_gtest" ]; then - EXTRA_ASAN_OPTIONS="detect_odr_violation=0" - fi # NSS CI sets a lower max for PBE iterations, otherwise cert.sh # is very slow. Unset this maxiumum for softoken_gtest, as it # needs to check the default value. @@ -78,10 +73,9 @@ gtest_start() unset NSS_MAX_MP_PBE_ITERATION_COUNT fi echo "executing $i" - ASAN_OPTIONS="$ASAN_OPTIONS:$EXTRA_ASAN_OPTIONS" "${BINDIR}/$i" \ - -s "${SOURCE_DIR}/gtests/$i" \ - -d "$DIR" -w --gtest_output=xml:"${GTESTREPORT}" \ - --gtest_filter="${GTESTFILTER:-*}" + "${BINDIR}/$i" -s "${SOURCE_DIR}/gtests/$i" -d "$DIR" -w \ + --gtest_output=xml:"${GTESTREPORT}" \ + --gtest_filter="${GTESTFILTER:-*}" html_msg $? 0 "$i run successfully" if [ "$i" = "softoken_gtest" ]; then export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS diff --git a/nss/tests/libpkix/certs/NameConstraints.server12.cert b/nss/tests/libpkix/certs/NameConstraints.server12.cert index 67f9a2c2..7f86b64f 100644 Binary files a/nss/tests/libpkix/certs/NameConstraints.server12.cert and b/nss/tests/libpkix/certs/NameConstraints.server12.cert differ diff --git a/nss/tests/libpkix/certs/make-nc b/nss/tests/libpkix/certs/make-nc index b6b0fdae..6f5ca8f9 100755 --- a/nss/tests/libpkix/certs/make-nc +++ b/nss/tests/libpkix/certs/make-nc @@ -277,7 +277,7 @@ y n CERTSCRIPT -certutil -S -z noise -g 1024 -d . -n server12 -s "CN=Honest Achmed,O=Foo,ST=CA,C=US" -t ,, -c ica4 -m 46 -v 235 -1 -2 -5 <&1 ret=$? + echo "return=$ret expect=${4}" html_msg $ret ${4} "Importing ${1} (pk12util -i)" check_tmpfile } @@ -207,6 +209,7 @@ export_p12_file() ${CERT_CIPHER_OPT} "${CERT_CIPHER}" \ ${HASH_ALG_OPT} "${HASH_ALG}" 2>&1 ret=$? + echo "return=$ret expect=${7}" html_msg $ret ${7} "Exporting with [${4}:${5}:${6}] (pk12util -o)" check_tmpfile if [ ${7} -eq 0 ]; then @@ -501,6 +504,12 @@ tools_p12_import_old_files() html_msg $ret 0 "Importing PKCS#12 file with and implicit KDF value" check_tmpfile + echo "pk12util -I -l corrupted_cert_bag.p12 -W start" + ${BINDIR}/pk12util -I -l ${TOOLSDIR}/data/corrupted_cert_bag.p12 -W start 2>&1 + ret=$? + html_msg $ret 17 "Listing a PKCS#12 file with corrupted certificate bag" + check_tmpfile + } tools_p12_import_rsa_pss_private_key() @@ -541,21 +550,21 @@ tools_p12_import_pbmac1_samples() html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file" check_tmpfile - echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" - ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I" + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 ret=$? html_msg $ret 19 "Fail to list private key with bad iterator" check_tmpfile - echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" - ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I" + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 ret=$? echo "Fail to list private key with bad salt val=$ret" html_msg $ret 19 "Fail to import private key with bad salt" check_tmpfile - echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'" - ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1 + echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I " + ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1 ret=$? echo "Fail to import private key with no length val=$ret" html_msg $ret 19 "Fail to import private key with no length" @@ -584,7 +593,7 @@ tools_p12() tools_p12_export_with_invalid_ciphers tools_p12_import_old_files tools_p12_import_pbmac1_samples - if [ "${TEST_MODE}" = "SHARED_DB" ] ; then + if using_sql; then tools_p12_import_rsa_pss_private_key tools_p12_policy fi @@ -630,6 +639,8 @@ verify_p12() # p12util -l will verify that decryption works properly. pp -t pkcs12 -i ${1} -o ${TMP} while read line ; do + # strip trailing carriage return + line="${line%$'\r'}" # first up: if we see an unencrypted key bag, then we know that the key # was unencrypted (NOTE: pk12util currently can't generate these kinds of # files).