Bug 1947535 - land NSS NSS_3_109_BETA2 UPGRADE_NSS_RELEASE, r=nss-reviewers,jschanck

Differential Revision: https://phabricator.services.mozilla.com/D239314
Anna
2025-02-26 18:08:26 +00:00
parent b39e826ce8
commit 8727755664
115 changed files with 2908 additions and 6131 deletions


@@ -13,7 +13,7 @@ system_lib_option(
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.108", when="--with-system-nss", config=False
"NSS", "nss >= 3.109", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")


@@ -1,3 +1,4 @@
# yamllint disable rule:line-length
# This file is rendered via JSON-e in a hook with context:
# {
# tasks_for: 'hg-push',
@@ -9,87 +10,192 @@
---
version: 1
tasks:
- $let:
# sometimes the push user is just `ffxbld` or the like, but we want an
# email-like field..
ownerEmail:
$if: '"@" in push.owner'
then: '${push.owner}'
else: '${push.owner}@noreply.mozilla.org'
# ensure there's no trailing `/` on the repo URL
repoUrl:
$if: 'repository.url[-1] == "/"'
then: {$eval: 'repository.url[:-1]'}
else: {$eval: 'repository.url'}
# scheduler id
schedulerId: 'nss-level-${repository.level}'
in:
taskId: '${ownTaskId}'
taskGroupId: '${ownTaskId}'
schedulerId: '${schedulerId}'
created: {$fromNow: ''}
deadline: {$fromNow: '1 day'}
expires: {$fromNow: '14 days'}
# NOTE: support for actions in ci-admin requires that the `tasks` property be
# an array *before* JSON-e rendering takes place.
- $if: 'tasks_for in ["hg-push", "action"]'
then:
$let:
# sometimes the push user is just `ffxbld` or the like, but we want an
# email-like field..
ownerEmail:
$if: '"@" in push.owner'
then: '${push.owner}'
else: '${push.owner}@noreply.mozilla.org'
# ensure there's no trailing `/` on the repo URL
repoUrl:
$if: 'repository.url[-1] == "/"'
then: {$eval: 'repository.url[:-1]'}
else: {$eval: 'repository.url'}
trustDomain: nss
treeherder_link: '[Treeherder job](https://treeherder.mozilla.org/#/jobs?repo=${repository.project}&revision=${push.revision}&selectedTaskRun=${ownTaskId})'
expires: {$fromNow: '14 days'}
in:
taskId: {$if: 'tasks_for != "action"', then: '${ownTaskId}'}
taskGroupId:
$if: 'tasks_for == "action"'
then: '${action.taskGroupId}'
else: '${ownTaskId}'
schedulerId: 'nss-level-${repository.level}'
created: {$fromNow: ''}
deadline: {$fromNow: '1 day'}
expires: {$eval: 'expires'}
metadata:
owner: mozilla-taskcluster-maintenance@mozilla.com
source: "${repository.url}"
name: "NSS Decision Task"
description: |
The task that creates all of the other tasks in the task graph
metadata:
$merge:
- owner: mozilla-taskcluster-maintenance@mozilla.com
source: "${repoUrl}/raw-file/${push.revision}/.taskcluster.yml"
- $if: 'tasks_for == "hg-push"'
then:
name: "NSS Decision Task"
description: The task that creates all of the other tasks in the task graph
else:
name: "Action: ${action.title}"
description: |
${action.description}
workerType: "linux-gcp"
provisionerId: "nss-${repository.level}"
${treeherder_link}
scopes:
- 'assume:repo:${repoUrl[8:]}:branch:default'
tags:
createdForUser: "${ownerEmail}"
Action triggered by clientID `${clientId}`
routes:
- "tc-treeherder-stage.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
- "tc-treeherder.v2.${repository.project}.${push.revision}.${push.pushlog_id}"
provisionerId: "${trustDomain}-${repository.level}"
workerType: "decision-gcp"
payload:
# TODO: use nssdev org , not djmitche, once the image is pushed there
image: djmitche/nss-decision:0.0.3
tags:
$if: 'tasks_for == "hg-push"'
then:
createdForUser: "${ownerEmail}"
kind: decision-task
else:
createdForUser: '${ownerEmail}'
kind: action-callback
env:
TC_OWNER: "${ownerEmail}"
TC_SOURCE: "${repository.url}"
TC_PROJECT: ${repository.project}
TC_SCHEDULER_ID: "${schedulerId}"
MOZ_SCM_LEVEL: "${repository.level}"
NSS_PUSHLOG_ID: '${push.pushlog_id}'
NSS_HEAD_REPOSITORY: '${repository.url}'
NSS_HEAD_REVISION: '${push.revision}'
maxRunTime: 1800
routes:
$flattenDeep:
- "tc-treeherder.v2.${repository.project}.${push.revision}"
- $if: 'tasks_for == "hg-push"'
then:
- "index.${trustDomain}.v2.${repository.project}.latest.taskgraph.decision"
- "index.${trustDomain}.v2.${repository.project}.revision.${push.revision}.taskgraph.decision"
- "index.${trustDomain}.v2.${repository.project}.pushlog-id.${push.pushlog_id}.decision"
else:
- "index.${trustDomain}.v2.${repository.project}.revision.${push.revision}.taskgraph.actions.${ownTaskId}"
- "index.${trustDomain}.v2.${repository.project}.pushlog-id.${push.pushlog_id}.actions.${ownTaskId}"
command:
- bash
- -cx
- >
bin/checkout.sh &&
nss/automation/taskcluster/scripts/extend_task_graph.sh
scopes:
$if: 'tasks_for == "hg-push"'
then:
- 'assume:repo:${repoUrl[8:]}:branch:default'
- 'in-tree:hook-action:project-${trustDomain}/in-tree-action-${repository.level}-*'
- 'index:insert-task:${trustDomain}.v2.${repository.project}.*'
else:
- '${action.repo_scope}'
features:
taskclusterProxy: true
dependencies: []
requires: all-completed
artifacts:
'public/docker-contexts':
type: 'directory'
path: '/home/worker/docker-contexts'
# This needs to be at least the deadline of the
# decision task + the docker-image task deadlines.
# It is set to a week to allow for some time for
# debugging, but they are not useful long-term.
expires: {$fromNow: '7 day'}
priority: low
retries: 0
extra:
treeherder:
symbol: D
build:
platform: nss-decision
machine:
platform: nss-decision
payload:
image: mozillareleases/taskgraph:decision-v13.0.0@sha256:57e4c2d2ad92cea663dcc02cacbfd88b3506edde80e19fbd8a57b3dfe37ae9bd
env:
$merge:
- NSS_BASE_REPOSITORY: 'https://hg.mozilla.org/projects/nss'
NSS_REPOSITORY_TYPE: 'hg'
NSS_BASE_REV: '${push.base_revision}'
NSS_HEAD_REPOSITORY: '${repository.url}'
NSS_HEAD_REV: '${push.revision}'
HG_STORE_PATH: /builds/worker/checkouts/hg-store
TASKCLUSTER_CACHES: /builds/worker/checkouts
REPOSITORIES: {$json: {nss: NSS}}
- $if: 'tasks_for == "action"'
then:
ACTION_TASK_GROUP_ID: '${action.taskGroupId}'
ACTION_TASK_ID: {$json: {$eval: 'taskId'}}
ACTION_INPUT: {$json: {$eval: 'input'}}
ACTION_CALLBACK: '${action.cb_name}'
cache:
"${trustDomain}-level-${repository.level}-checkouts-sparse-v3": /builds/worker/checkouts
maxRunTime: 1800
command:
- /usr/local/bin/run-task
- '--nss-checkout=/builds/worker/checkouts/nss'
- '--'
- bash
- -cx
- $if: 'tasks_for == "action"'
then: >
cd /builds/worker/checkouts/nss &&
ln -s /builds/worker/artifacts artifacts &&
taskgraph action-callback
else: >
cd /builds/worker/checkouts/nss &&
ln -s /builds/worker/artifacts artifacts &&
taskgraph decision
--pushlog-id='${push.pushlog_id}'
--pushdate='${push.pushdate}'
--project='${repository.project}'
--owner='${ownerEmail}'
--level='${repository.level}'
--tasks-for='${tasks_for}'
--repository-type=hg
--base-repository="$NSS_BASE_REPOSITORY"
--base-rev="$NSS_BASE_REV"
--head-repository="$NSS_HEAD_REPOSITORY"
--head-ref="$NSS_HEAD_REF"
--head-rev="$NSS_HEAD_REV"
features:
taskclusterProxy: true
artifacts:
'public':
type: 'directory'
path: '/builds/worker/artifacts'
expires: {$eval: expires}
'public/docker-contexts':
type: 'directory'
path: '/builds/worker/checkouts/nss/docker-contexts'
# This needs to be at least the deadline of the
# decision task + the docker-image task deadlines.
# It is set to a week to allow for some time for
# debugging, but they are not useful long-term.
expires: {$fromNow: '7 day'}
extra:
$merge:
- treeherder:
$merge:
- machine:
platform: nss-decision
- $if: 'tasks_for == "hg-push"'
then:
symbol: D
else:
groupName: 'action-callback'
groupSymbol: 'AC'
symbol: "${action.symbol}"
- $if: 'tasks_for == "action"'
then:
parent: '${action.taskGroupId}'
action:
name: '${action.name}'
context:
taskGroupId: '${action.taskGroupId}'
taskId: {$eval: 'taskId'}
input: {$eval: 'input'}
clientId: {$eval: 'clientId'}
- tasks_for: '${tasks_for}'
- $if: 'tasks_for == "hg-push"'
then:
notify:
email:
$merge:
- link:
text: "Treeherder Jobs"
href: "https://treeherder.mozilla.org/#/jobs?repo=${repository.project}&revision=${push.revision}"
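Review bot: In the `else:` branch of the `command` list, `--owner='${ownerEmail}'`, `--pushdate='${push.pushdate}'`, `--project='${repository.project}'` and the other `'${…}'` arguments are substituted by JSON-e into the text that `bash -cx` then parses, so a value containing a single quote would close the quoting and the rest would be read as shell syntax. `ownerEmail` is built from `push.owner`, and nothing visible in this hunk restricts its characters; whether the hook that supplies the context does so cannot be seen from here. The repository and revision values in the same command already travel through the `env` block and are expanded as `"$NSS_HEAD_REV"` and similar, which keeps them as data. The remaining arguments could take the same route, for example an env entry `NSS_OWNER: '${ownerEmail}'` (the name is only a suggestion) consumed as `--owner="$NSS_OWNER"`. The `notify` block on the hunk's last lines appears to continue outside it.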


@@ -1 +1 @@
NSS_3_108_RTM
NSS_3_109_BETA2


@@ -1,3 +0,0 @@
1 Added function:
'function SECMODModule* SECMOD_LoadUserModuleWithFunction(const char*, CK_C_GetFunctionList)' {SECMOD_LoadUserModuleWithFunction@@NSS_3.107}


@@ -1,5 +0,0 @@
1 Added function:
'function void PORT_SafeZero(void*, size_t)' {PORT_SafeZero@@NSSUTIL_3.108}


@@ -1 +1 @@
NSS_3_107_BRANCH
NSS_3_108_BRANCH


@@ -1,29 +0,0 @@
FROM franziskus/xenial:aarch64
MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Change user.
# USER worker # See bug 1347473.
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
ENV DOMSUF localdomain
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,42 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
export DEBIAN_FRONTEND=noninteractive
apt-get -y update
apt-get -y install software-properties-common
# Add more repos
add-apt-repository "deb http://ports.ubuntu.com/ xenial main restricted universe multiverse"
add-apt-repository "deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse"
add-apt-repository "deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse"
add-apt-repository "deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse"
# Update.
apt-get -y update
apt-get -y dist-upgrade
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('libxml2-utils')
apt_packages+=('zlib1g-dev')
apt_packages+=('ninja-build')
apt_packages+=('gyp')
apt_packages+=('mercurial')
apt_packages+=('locales')
# Install packages.
apt-get install -y --no-install-recommends ${apt_packages[@]}
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0


@@ -1,26 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
hg clone -r $REVISION $REPOSITORY nss
# Clone NSPR if needed.
hg clone -r default https://hg.mozilla.org/projects/nspr
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
fi
popd


@@ -1,26 +0,0 @@
FROM armv7/armhf-ubuntu:16.04
MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
WORKDIR /home/worker
# Add build and test scripts.
ADD bin /home/worker/bin
RUN chmod +x /home/worker/bin/*
# Install dependencies.
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME worker
ENV LANG en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV HOST localhost
ENV DOMSUF localdomain
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -1,25 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# set up fake uname
if [ ! -f /bin/uname-real ]; then
mv /bin/uname /bin/uname-real
ln -s /home/worker/bin/uname.sh /bin/uname
fi
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,18 +0,0 @@
#!/bin/bash
args=`getopt rmvs $*`
set -- $args
for i
do
if [ "$i" == "-v" ]; then
/bin/uname-real -v
fi
if [ "$i" == "-r" ]; then
echo "4.4.16-v7+"
fi
if [ "$i" == "-m" ]; then
echo "armv7l"
fi
if [ "$i" == "-s" ]; then
echo "Linux"
fi
done


@@ -1,36 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
export DEBIAN_FRONTEND=noninteractive
# Update.
apt-get -y update
apt-get -y dist-upgrade
apt_packages=()
apt_packages+=('build-essential')
apt_packages+=('ca-certificates')
apt_packages+=('curl')
apt_packages+=('locales')
apt_packages+=('python-dev')
apt_packages+=('python-pip')
apt_packages+=('python-setuptools')
apt_packages+=('zlib1g-dev')
# Install packages.
apt-get install -y --no-install-recommends ${apt_packages[@]}
# Latest Mercurial.
pip install --upgrade pip
pip install Mercurial
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# Cleanup.
rm -rf ~/.ccache ~/.cache
apt-get autoremove -y
apt-get clean
apt-get autoclean
rm $0


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,38 +0,0 @@
# Minimal image for running the decision task.
FROM ubuntu:bionic-20221215
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
locales \
mercurial \
nodejs \
npm \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -1,15 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,41 +0,0 @@
FROM ubuntu:14.04
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
g++-4.4 \
gcc-4.4 \
locales \
make \
patch \
mercurial \
sqlite3 \
zlib1g-dev \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1


@@ -1,20 +0,0 @@
#!/usr/bin/env bash
set -v -e -x
if [ $(id -u) = 0 ]; then
# Drop privileges by re-running this script.
exec su worker $0
fi
# Default values for testing.
REVISION=${NSS_HEAD_REVISION:-default}
REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss}
# Clone NSS.
for i in 0 2 5; do
sleep $i
hg clone -r $REVISION $REPOSITORY nss && exit 0
rm -rf nss
done
exit 1



@@ -1,25 +0,0 @@
{
"name": "decision-task",
"version": "0.0.1",
"private": true,
"author": "Tim Taubert <ttaubert@mozilla.com>",
"description": "Decision Task for NSS",
"scripts": {
"compile": "babel-compile -p taskcluster src:lib",
"install": "npm run compile"
},
"dependencies": {
"babel-cli": "^6.14.0",
"babel-compile": "^2.0.0",
"babel-preset-taskcluster": "^3.0.0",
"babel-runtime": "^6.11.6",
"flatmap": "0.0.3",
"intersect": "^1.0.1",
"js-yaml": "^3.6.1",
"merge": "^1.2.0",
"minimist": "^1.2.0",
"slugid": "^1.1.0",
"tar": "^6.2.1",
"taskcluster-client": "^22.0.0"
}
}


@@ -1,57 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import fs from "fs";
import path from "path";
import crypto from "crypto";
import flatmap from "flatmap";
// Compute the SHA-256 digest.
function sha256(data) {
let hash = crypto.createHash("sha256");
hash.update(data);
return hash.digest("hex");
}
// Recursively collect a list of all files of a given directory.
function collectFilesInDirectory(dir) {
if (fs.lstatSync(dir).isFile()) {
return [dir];
}
return flatmap(fs.readdirSync(dir), entry => {
let entry_path = path.join(dir, entry);
if (fs.lstatSync(entry_path).isDirectory()) {
return collectFilesInDirectory(entry_path);
}
return [entry_path];
});
}
// A list of hashes for each file in the given path.
function collectFileHashes(context_path) {
let root = path.join(__dirname, "../../../..");
let dir = path.join(root, context_path);
let files = collectFilesInDirectory(dir).sort();
return files.map(file => {
return sha256(file + "|" + fs.readFileSync(file, "utf-8"));
});
}
// Compute a context hash for the given context path.
export default function (context_path) {
// Regenerate when image_builder.js changes
let hashes = collectFileHashes("automation/taskcluster/graph/src/image_builder.js");
// Regenerate images when the image itself changes.
hashes = hashes.concat(collectFileHashes(context_path));
// Generate a new prefix every month to ensure the image stays buildable.
let now = new Date();
let prefix = `${now.getUTCFullYear()}-${now.getUTCMonth() + 1}:`;
return sha256(prefix + hashes.join(","));
}



@@ -1,69 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import * as queue from "./queue";
import context_hash from "./context_hash";
import taskcluster from "taskcluster-client";
const fs = require("fs");
const tar = require("tar");
async function taskHasImageArtifact(taskId) {
let queue = new taskcluster.Queue(taskcluster.fromEnvVars());
let {artifacts} = await queue.listLatestArtifacts(taskId);
return artifacts.some(artifact => artifact.name == "public/image.tar.zst");
}
async function findTaskWithImageArtifact(ns) {
let index = new taskcluster.Index(taskcluster.fromEnvVars());
let {taskId} = await index.findTask(ns);
let has_image = await taskHasImageArtifact(taskId);
return has_image ? taskId : null;
}
export async function findTask({name, path}) {
let hash = await context_hash(path);
let ns = `docker.images.v1.${process.env.TC_PROJECT}.${name}.hash.${hash}`;
return findTaskWithImageArtifact(ns).catch(() => null);
}
export async function buildTask({name, path}) {
let hash = await context_hash(path);
let ns = `docker.images.v1.${process.env.TC_PROJECT}.${name}.hash.${hash}`;
let fullPath = "/home/worker/nss/" + path
let contextName = name + ".tar.gz";
let contextRoot = "/home/worker/docker-contexts/";
let contextPath = contextRoot + contextName;
if (!fs.existsSync(contextRoot)) {
fs.mkdirSync(contextRoot);
}
await tar.create({gzip: true, file: contextPath, cwd: fullPath}, ["."]);
return {
name: `Image Builder (${name})`,
image: "mozillareleases/image_builder:5.0.0",
workerType: "images-gcp",
routes: ["index." + ns],
env: {
IMAGE_NAME: name,
CONTEXT_PATH: "public/docker-contexts/" + contextName,
CONTEXT_TASK_ID: process.env.TASK_ID,
HASH: hash
},
artifacts: {
"public/image.tar.zst": {
type: "file",
expires: 24 * 90,
path: "/workspace/image.tar.zst"
}
},
platform: "nss-decision",
features: ["allowPtrace", "chainOfTrust"],
maxRunTime: 7200,
kind: "build",
symbol: `I(${name})`
};
}


@@ -1,22 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import * as try_syntax from "./try_syntax";
import * as queue from "./queue";
import extend from "./extend";
const main = async () => {
// Init try syntax filter.
if (process.env.TC_PROJECT == "nss-try") {
await try_syntax.initFilter();
}
// Extend the task graph.
await extend();
};
main().catch(err => {
console.error(err);
process.exit(1);
});


@@ -1,10 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import {recursive as merge} from "merge";
// We always want to clone.
export default function (...args) {
return merge(true, ...args);
}


@@ -1,308 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import {clone} from "merge";
import merge from "./merge";
import slugid from "slugid";
import taskcluster from "taskcluster-client";
import * as image_builder from "./image_builder";
let maps = [];
let filters = [];
let tasks = new Map();
let tags = new Map();
let image_tasks = new Map();
let parameters = {};
let queue = new taskcluster.Queue({
rootUrl: process.env.TASKCLUSTER_PROXY_URL,
});
function fromNow(hours) {
let d = new Date();
d.setHours(d.getHours() + (hours|0));
return d.toJSON();
}
function parseRoutes(routes) {
let rv = [
`tc-treeherder.v2.${process.env.TC_PROJECT}.${process.env.NSS_HEAD_REVISION}.${process.env.NSS_PUSHLOG_ID}`,
...routes
];
// Notify about failures (except on try).
// Turned off, too noisy.
/*if (process.env.TC_PROJECT != "nss-try") {
rv.push(`notify.email.${process.env.TC_OWNER}.on-failed`,
`notify.email.${process.env.TC_OWNER}.on-exception`);
}*/
return rv;
}
function parseFeatures(list) {
return list.reduce((map, feature) => {
map[feature] = true;
return map;
}, {});
}
function parseArtifacts(artifacts) {
let copy = clone(artifacts);
Object.keys(copy).forEach(key => {
copy[key].expires = fromNow(copy[key].expires);
});
return copy;
}
function parseCollection(name) {
let collection = {};
collection[name] = true;
return collection;
}
function parseTreeherder(def) {
let treeherder = {
build: {
platform: def.platform
},
machine: {
platform: def.platform
},
symbol: def.symbol,
jobKind: def.kind
};
if (def.group) {
treeherder.groupSymbol = def.group;
}
if (def.collection) {
treeherder.collection = parseCollection(def.collection);
}
if (def.tier) {
treeherder.tier = def.tier;
}
return treeherder;
}
function convertTask(def) {
let scopes = [];
let dependencies = [];
let env = merge({
NSS_HEAD_REPOSITORY: process.env.NSS_HEAD_REPOSITORY,
NSS_HEAD_REVISION: process.env.NSS_HEAD_REVISION,
NSS_MAX_MP_PBE_ITERATION_COUNT: "100",
}, def.env || {});
if (def.parent) {
dependencies.push(def.parent);
env.TC_PARENT_TASK_ID = def.parent;
}
if (def.parents) {
dependencies = dependencies.concat(def.parents);
}
if (dependencies.length === 0) {
// If task has no dependencies, make it depend on the Decision task.
dependencies.push(process.env.TASK_ID);
}
if (def.tests) {
env.NSS_TESTS = def.tests;
}
if (def.cycle) {
env.NSS_CYCLES = def.cycle;
}
if (def.kind === "build") {
// Disable leak checking during builds (bug 1579290).
if (env.ASAN_OPTIONS) {
env.ASAN_OPTIONS += ":detect_leaks=0";
} else {
env.ASAN_OPTIONS = "detect_leaks=0";
}
}
let payload = {
env,
command: def.command,
maxRunTime: def.maxRunTime || 3600
};
if (def.image) {
payload.image = def.image;
}
if (def.artifacts) {
payload.artifacts = parseArtifacts(def.artifacts);
}
if (def.features) {
payload.features = parseFeatures(def.features);
if (payload.features.allowPtrace) {
scopes.push("docker-worker:feature:allowPtrace");
}
}
if (def.scopes) {
// Need to add existing scopes in the task definition
scopes.push.apply(scopes, def.scopes)
}
let extra = Object.assign({
treeherder: parseTreeherder(def)
}, parameters);
return {
provisionerId: def.provisioner || `nss-${process.env.MOZ_SCM_LEVEL}`,
workerType: def.workerType || "linux-gcp",
schedulerId: process.env.TC_SCHEDULER_ID,
taskGroupId: process.env.TASK_ID,
scopes,
created: fromNow(0),
deadline: fromNow(24),
dependencies,
requires: def.requires || "all-completed",
routes: parseRoutes(def.routes || []),
metadata: {
name: def.name,
description: def.name,
owner: process.env.TC_OWNER,
source: process.env.TC_SOURCE
},
payload,
extra,
};
}
export function map(fun) {
maps.push(fun);
}
export function filter(fun) {
filters.push(fun);
}
export function addParameters(params) {
parameters = Object.assign(parameters, params);
}
export function clearFilters(fun) {
filters = [];
}
export function taggedTasks(tag) {
return tags[tag];
}
export function scheduleTask(def) {
let taskId = slugid.v4();
tasks.set(taskId, merge({}, def));
return taskId;
}
export async function submit() {
let promises = new Map();
for (let [taskId, task] of tasks) {
// Allow filtering tasks before we schedule them.
if (!filters.every(filter => filter(task))) {
continue;
}
// Allow changing tasks before we schedule them.
maps.forEach(map => { task = map(merge({}, task)) });
let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`;
if (task.group) {
log_id = `${task.group}::${log_id}`;
}
console.log(`+ Submitting ${log_id}.`);
// Index that task for each tag specified
if(task.tags) {
task.tags.map(tag => {
if(!tags[tag]) {
tags[tag] = [];
}
tags[tag].push(taskId);
});
}
let parent = task.parent;
// Convert the task definition.
task = await convertTask(task);
// Convert the docker image definition.
let image_def = task.payload.image;
if (image_def && image_def.hasOwnProperty("path")) {
let key = `${image_def.name}:${image_def.path}`;
let data = {};
// Check the cache first.
if (image_tasks.has(key)) {
data = image_tasks.get(key);
} else {
data.taskId = await image_builder.findTask(image_def);
data.isPending = !data.taskId;
// No task found.
if (data.isPending) {
let image_task = await image_builder.buildTask(image_def);
// Schedule a new image builder task immediately.
data.taskId = slugid.v4();
try {
await queue.createTask(data.taskId, convertTask(image_task));
} catch (e) {
console.error("! FAIL: Scheduling image builder task failed.");
continue; /* Skip this task on failure. */
}
}
// Store in cache.
image_tasks.set(key, data);
}
if (data.isPending) {
task.dependencies.push(data.taskId);
}
task.payload.image = {
path: "public/image.tar.zst",
taskId: data.taskId,
type: "task-image"
};
}
// Wait for the parent task to be created before scheduling dependants.
let predecessor = parent ? promises.get(parent) : Promise.resolve();
promises.set(taskId, predecessor.then(() => {
// Schedule the task.
return queue.createTask(taskId, task).catch(err => {
console.error(`! FAIL: Scheduling ${log_id} failed.`, err);
});
}));
}
// Wait for all requests to finish.
if (promises.length) {
await Promise.all([...promises.values()]);
console.log("=== Total:", promises.length, "tasks. ===");
}
tasks.clear();
}


@@ -1,201 +0,0 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
import * as queue from "./queue";
import path from 'path'
import fs from 'fs'
import intersect from "intersect";
import parse_args from "minimist";
import util from "util";
import child_process from 'child_process';
let execFile = util.promisify(child_process.execFile);
function parseOptions(opts) {
opts = parse_args(opts.split(/\s+/), {
default: {build: "do", platform: "all", unittests: "none", tools: "none"},
alias: {b: "build", p: "platform", u: "unittests", t: "tools", e: "extra-builds"},
string: ["build", "platform", "unittests", "tools", "extra-builds"]
});
// Parse build types (d=debug, o=opt).
let builds = intersect(opts.build.split(""), ["d", "o"]);
// If the given value is nonsense default to debug and opt builds.
if (builds.length == 0) {
builds = ["d", "o"];
}
// Parse platforms.
let allPlatforms = ["linux", "linux64", "linux64-asan", "linux64-fips",
"win", "win64", "win-make", "win64-make",
"linux64-make", "linux-make", "linux-fuzz",
"linux64-fuzz", "aarch64", "aarch64-make", "mac"];
let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
// If the given value is nonsense or "none" default to all platforms.
if (platforms.length == 0 && opts.platform != "none") {
platforms = allPlatforms;
}
// Parse unit tests.
let aliases = {"gtests": "gtest"};
let allUnitTests = ["bogo", "crmf", "chains", "cipher", "db", "ec", "fips",
"gtest", "lowhash", "merge", "sdr", "smime", "tools",
"ssl", "mpi", "scert", "spki", "policy", "tlsfuzzer"];
let unittests = intersect(opts.unittests.split(/\s*,\s*/).map(t => {
return aliases[t] || t;
}), allUnitTests);
// If the given value is "all" run all tests.
// If it's nonsense then don't run any tests.
if (opts.unittests == "all") {
unittests = allUnitTests;
} else if (unittests.length == 0) {
unittests = [];
}
// Parse tools.
let allTools = ["clang-format", "scan-build", "hacl", "acvp", "saw", "abi", "coverage"];
let tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
// If it's nonsense then don't run any tools.
if (opts.tools == "all") {
tools = allTools;
} else if (tools.length == 0) {
tools = [];
}
return {
builds: builds,
platforms: platforms,
unittests: unittests,
extra: (opts.e == "all"),
tools: tools
};
}
function filter(opts) {
return function (task) {
// Filter tools. We can immediately return here as those
// are not affected by platform or build type selectors.
if (task.platform == "nss-tools") {
return opts.tools.some(tool => {
return task.symbol.toLowerCase().startsWith(tool) ||
(task.group && task.group.toLowerCase().startsWith(tool));
});
}
// Filter unit tests.
if (task.tests) {
let found = opts.unittests.some(test => {
if (task.group && task.group.toLowerCase() == "ssl" && test == "ssl") {
return true;
}
if (task.group && task.group.toLowerCase() == "cipher" && test == "cipher") {
return true;
}
return task.symbol.toLowerCase().startsWith(test);
});
if (!found) {
return false;
}
}
// Filter extra builds.
if (task.group == "Builds" && !opts.extra) {
return false;
}
let coll = name => name == (task.collection || "opt");
// Filter by platform.
let found = opts.platforms.some(platform => {
let aliases = {
"aarch64-make": "aarch64",
"linux": "linux32",
"linux-fuzz": "linux32",
"linux64-asan": "linux64",
"linux64-fips": "linux64",
"linux64-fuzz": "linux64",
"linux64-make": "linux64",
"linux-make": "linux32",
"win64-make": "windows2022-64",
"win-make": "windows2022-32",
"win64": "windows2022-64",
"win": "windows2022-32"
};
// Check the platform name.
let keep = (task.platform == (aliases[platform] || platform));
// Additional checks.
if (platform == "linux64-asan") {
keep &= coll("asan");
} else if (platform == "linux64-fips") {
keep &= coll("fips");
} else if (platform == "linux64-make" || platform == "linux-make" ||
platform == "win64-make" || platform == "win-make" ||
platform == "aarch64-make") {
keep &= coll("make");
} else if (platform == "linux64-fuzz" || platform == "linux-fuzz") {
keep &= coll("fuzz");
} else {
keep &= coll("opt") || coll("debug");
}
return keep;
});
if (!found) {
return false;
}
// Finally, filter by build type.
let isDebug = coll("debug") || coll("asan") || coll("make") ||
coll("fuzz");
return (isDebug && opts.builds.includes("d")) ||
(!isDebug && opts.builds.includes("o"));
}
}
async function getCommitComment() {
const res = await execFile('hg', ['log', '-r', '.', '-T', '{desc}']);
return res.stdout;
};
export async function initFilter() {
let comment = await getCommitComment();
// Load try_task_config.json
// Add parameters to queue for created tasks
let config_path = path.normalize(path.join(__dirname, '../../../../try_task_config.json'))
if (fs.existsSync(config_path)) {
var payload = JSON.parse(fs.readFileSync(config_path));
if (payload['version'] == 2) {
queue.addParameters(payload['parameters']);
}
}
// Check for try syntax in changeset comment.
let match = comment.match(/\btry:\s*(.*)\s*$/m);
// Add try syntax filter.
if (match) {
let match1 = match[1];
queue.filter(filter(parseOptions(match1)));
if (match1.includes("--nspr-patch")) {
queue.map(task => {
if (!task.env) {
task.env = {};
}
task.env.ALLOW_NSPR_PATCH = "1";
return task;
});
}
}
}


@@ -1,8 +1,17 @@
#!/usr/bin/env bash
source $(dirname "$0")/tools.sh
. $(dirname "$0")/tools.sh
set -e
test -v VCS_PATH
# builds write to the source dir (and its parent), so move the source trees to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" .
if [ -n "$NSS_BUILD_MODULAR" ]; then
ln -sf /builds/worker/artifacts artifacts
$(dirname "$0")/build_nspr.sh || exit $?
$(dirname "$0")/build_util.sh || exit $?
$(dirname "$0")/build_softoken.sh || exit $?
@@ -10,13 +19,10 @@ if [ -n "$NSS_BUILD_MODULAR" ]; then
exit
fi
# Clone NSPR if needed.
hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
patch -p1 < ../nss/nspr.patch
fi
popd
@@ -24,5 +30,10 @@ popd
make -C nss nss_build_all
# Package.
mkdir artifacts
tar cvfjh artifacts/dist.tar.bz2 dist
if [ `uname` = Linux ]; then
artifacts=/builds/worker/artifacts
else
mkdir artifacts
artifacts=artifacts
fi
tar cvfjh ${artifacts}/dist.tar.bz2 dist
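Review bot: `test -v VCS_PATH` near the top only checks that the variable is set, so an empty value passes and the following `cp -a` would read from `/nss` and `/nspr`; the next section uses the stricter `test -n "${VCS_PATH}"`, which would fit here too. Two later sections on this page repeat `test -v VCS_PATH`, and several others (the one defining `set_env()`, the coverage script that sets `out=/builds/worker/artifacts`, the HACL* comparison script) expand `${VCS_PATH}` with no visible check and partly unquoted, e.g. `cp -a ${VCS_PATH}/nss ${VCS_PATH}/nspr .`. Unless the sourced `tools.sh` already validates it (not visible here), one `: "${VCS_PATH:?VCS_PATH must point at the checkout}"` after sourcing, plus quoting each expansion, would make all of them fail early and in the same way.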


@@ -1,19 +1,24 @@
#!/usr/bin/env bash
source $(dirname "$0")/tools.sh
. $(dirname "$0")/tools.sh
# Clone NSPR if needed.
hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
set -e
test -n "${VCS_PATH}"
# builds write to the source dir (and its parent), so move the source trees to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nspr" "${VCS_PATH}/nss" .
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
if [ -f "../nss/nspr.patch" ] && [ "$ALLOW_NSPR_PATCH" = "1" ]; then
patch -p1 < ../nss/nspr.patch
fi
popd
# Dependencies
# For MacOS we have hardware in the CI which doesn't allow us o deploy VMs.
# For MacOS we have hardware in the CI which doesn't allow us to deploy VMs.
# The setup is hardcoded and can't be changed easily.
# This part is a helper We install dependencies manually to help.
if [ "$(uname)" = "Darwin" ]; then
@@ -26,10 +31,14 @@ fi
nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@"
# Package.
if [[ $(uname) = "Darwin" ]]; then
if [ "$(uname)" = "Darwin" ]; then
mkdir -p public
tar cvfjh public/dist.tar.bz2 dist
else
mkdir artifacts
if [ "$(uname)" = Linux ]; then
ln -s /builds/worker/artifacts artifacts
else
mkdir artifacts
fi
tar cvfjh artifacts/dist.tar.bz2 dist
fi
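Review bot: `ln -s /builds/worker/artifacts artifacts` in the packaging step depends on the workspace being clean: if `artifacts` already exists as a directory or as a link to one, the new link is created inside it rather than replacing it, and with a plain directory the tarball never reaches `/builds/worker/artifacts`. The build script in the previous section writes to the target directly, and the same pattern would work here: `artifacts=/builds/worker/artifacts` in the Linux branch, `mkdir -p artifacts; artifacts=artifacts` otherwise, then `tar cvfjh "${artifacts}/dist.tar.bz2" dist`.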


@@ -2,8 +2,6 @@
set_env()
{
cd /home/worker
HGDIR=/home/worker
OUTPUTDIR=$(pwd)$(echo "/output")
DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]")
@@ -12,80 +10,51 @@ set_env()
mkdir "${OUTPUTDIR}"
fi
if [ ! -d "nspr" ]; then
for i in 0 2 5; do
sleep $i
hg clone -r "default" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/nspr" && break
rm -rf nspr
done
fi
cp -a ${VCS_PATH}/nss ${VCS_PATH}/nspr .
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
fi
popd
cd nss
./build.sh -v -c
./build.sh -v -c --python=python3
cd ..
}
check_abi()
{
set_env
set +e #reverses set -e from build.sh to allow possible hg clone failures
if [[ "$1" != --nobuild ]]; then # Start nobuild block
echo "######## NSS ABI CHECK ########"
echo "######## creating temporary HG clones ########"
rm -rf ${HGDIR}/baseline
mkdir ${HGDIR}/baseline
BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release` #Reads the version number of the last release from the respective file
NSS_CLONE_RESULT=0
for i in 0 2 5; do
sleep $i
hg clone -u "${BASE_NSS}" "https://hg.mozilla.org/projects/nss" "${HGDIR}/baseline/nss"
if [ $? -eq 0 ]; then
NSS_CLONE_RESULT=0
break
fi
rm -rf "${HGDIR}/baseline/nss"
NSS_CLONE_RESULT=1
done
if [ ${NSS_CLONE_RESULT} -ne 0 ]; then
rm -rf baseline
mkdir baseline
BASE_NSS=`cat nss/automation/abi-check/previous-nss-release` #Reads the version number of the last release from the respective file
if ! hg clone -u "${BASE_NSS}" "${VCS_PATH}/nss" baseline/nss; then
echo "invalid tag in automation/abi-check/previous-nss-release"
return 1
fi
BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH
hg clone -u "${BASE_NSPR}" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/baseline/nspr"
NSPR_CLONE_RESULT=$?
if [ ${NSPR_CLONE_RESULT} -ne 0 ]; then
rm -rf "${HGDIR}/baseline/nspr"
for i in 0 2 5; do
sleep $i
hg clone -u "default" "https://hg.mozilla.org/projects/nspr" "${HGDIR}/baseline/nspr" && break
rm -rf "${HGDIR}/baseline/nspr"
done
BASE_NSPR=NSPR_$(head -1 baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH
if ! hg clone -u "${BASE_NSPR}" "${VCS_PATH}/nspr" baseline/nspr; then
rm -rf baseline/nspr
hg clone -u "default" "${VCS_PATH}/nspr" baseline/nspr
echo "Nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt"
echo "Using default branch instead."
fi
echo "######## building baseline NSPR/NSS ########"
echo "${HGDIR}/baseline/nss/build.sh"
cd ${HGDIR}/baseline/nss
./build.sh -v -c
cd ${HGDIR}
echo "${PWD}/baseline/nss/build.sh"
cd baseline/nss
./build.sh -v -c --python=python3
cd -
else # Else nobuild block
echo "######## using existing baseline NSPR/NSS build ########"
fi # End nobuild block
set +e #reverses set -e from build.sh to allow abidiff failures
echo "######## Starting abidiff procedure ########"
abi_diff
}
@@ -96,24 +65,24 @@ abi_diff()
ABI_PROBLEM_FOUND=0
ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
rm -f ${ABI_REPORT}
PREVDIST=${HGDIR}/baseline/dist
NEWDIST=${HGDIR}/dist
PREVDIST=baseline/dist
NEWDIST=dist
# libnssdbm3.so isn't built by default anymore, skip it.
ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
for SO in ${ALL_SOs}; do
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt
if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
touch nss/automation/abi-check/expected-report-$SO.txt
fi
abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
$PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
> ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
> nss/automation/abi-check/new-report-temp$SO.txt
RET=$?
cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \
cat nss/automation/abi-check/new-report-temp$SO.txt \
| grep -v "^Functions changes summary:" \
| grep -v "^Variables changes summary:" \
| sed -e 's/__anonymous_enum__[0-9]*/__anonymous_enum__/g' \
> ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt
rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt
> nss/automation/abi-check/new-report-$SO.txt
rm -f nss/automation/abi-check/new-report-temp$SO.txt
ABIDIFF_ERROR=$((($RET & 0x01) != 0))
ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0))
@@ -150,18 +119,18 @@ abi_diff()
if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then
ABI_PROBLEM_FOUND=1
echo "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
echo "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to nss/automation/abi-check/new-report-$SO.txt"
fi
if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then
if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
ABI_PROBLEM_FOUND=1
echo "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt"
echo "FAILED to access report file: nss/automation/abi-check/expected-report-$SO.txt"
fi
diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \
${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
diff -wB -u nss/automation/abi-check/expected-report-$SO.txt \
nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
if [ ! -f ${ABI_REPORT} ]; then
ABI_PROBLEM_FOUND=1
echo "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt"
echo "FAILED to compare exepcted and new report: nss/automation/abi-check/new-report-$SO.txt"
fi
done
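Review bot: The fallback `hg clone -u "default" "${VCS_PATH}/nspr" baseline/nspr` in `check_abi()` has no result check, unlike the two `if ! hg clone …` calls around it, so a failed fallback would only surface later as a broken baseline build or a confusing abidiff result. Appending `|| return 1` to that line keeps the failure next to its cause. The two `echo` lines that explain the fallback also run after the clone; moving them before it makes the log read in the order things happen.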


@@ -9,6 +9,10 @@ shift 2
# Fetch artifact if needed.
fetch_dist
export DIST=${PWD}/dist
cp -a "${VCS_PATH}/nss" .
# Create and change to corpus directory.
mkdir -p "nss/fuzz/corpus/$corpus"
pushd "nss/fuzz/corpus/$corpus"


@@ -2,8 +2,9 @@
source $(dirname "$0")/tools.sh
# Fetch artifact if needed.
fetch_dist
set -e
test -n "${VCS_PATH}"
# Generate certificates.
NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
@@ -12,10 +13,10 @@ NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
echo 1 > tests_results/security/localhost
# Package.
if [[ $(uname) = "Darwin" ]]; then
mkdir -p public
tar cvfjh public/dist.tar.bz2 dist tests_results
if [ $(uname) = Linux ]; then
artifacts=/builds/worker/artifacts
else
mkdir artifacts
tar cvfjh artifacts/dist.tar.bz2 dist tests_results
mkdir public
artifacts=public
fi
tar cvfjh ${artifacts}/dist.tar.bz2 dist tests_results
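Review bot: `mkdir public` in the packaging block appears to have lost the `-p` that the earlier `mkdir -p public` had, and with the `set -e` added at the top the script now aborts if `public` already exists. `mkdir -p public` keeps the old tolerance. Quoting `"$(uname)"` and `"${artifacts}"` in the same block would match the quoting used in the other build script on this page.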


@@ -2,8 +2,7 @@
source $(dirname "$0")/tools.sh
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
cp -a ${VCS_PATH}/nss ${VCS_PATH}/nspr .
pushd nspr
hg revert --all
@@ -12,7 +11,7 @@ if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
fi
popd
out=/home/worker/artifacts
out=/builds/worker/artifacts
mkdir -p $out
# Generate coverage report.


@@ -0,0 +1,96 @@
Bug 1325335
diff --git a/dist/gcc-compatible/Hacl_Ed25519.c b/dist/gcc-compatible/Hacl_Ed25519.c
index 2f6e0bc3ca..f7a5ea6d75 100644
--- a/dist/gcc-compatible/Hacl_Ed25519.c
+++ b/dist/gcc-compatible/Hacl_Ed25519.c
@@ -25,12 +25,13 @@
#include "internal/Hacl_Ed25519.h"
#include "internal/Hacl_Krmllib.h"
-#include "internal/Hacl_Hash_SHA2.h"
#include "internal/Hacl_Ed25519_PrecompTable.h"
#include "internal/Hacl_Curve25519_51.h"
#include "internal/Hacl_Bignum_Base.h"
#include "internal/Hacl_Bignum25519_51.h"
+#include "../Hacl_Hash_SHA2_shim.h"
+
static inline void
fsum(uint64_t *out, uint64_t *a, uint64_t *b)
{
@@ -1669,50 +1670,6 @@ load_32_bytes(uint64_t *out, uint8_t *b)
out[4U] = b41;
}
-static inline void
-sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
-{
- uint8_t buf[128U] = { 0U };
- uint64_t block_state[8U] = { 0U };
- Hacl_Streaming_MD_state_64
- s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
- Hacl_Streaming_MD_state_64 p = s;
- Hacl_SHA2_Scalar32_sha512_init(block_state);
- Hacl_Streaming_MD_state_64 *st = &p;
- Hacl_Streaming_Types_error_code
- err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
- Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len);
- KRML_HOST_IGNORE(err0);
- KRML_HOST_IGNORE(err1);
- Hacl_Streaming_SHA2_finish_512(st, hash);
-}
-
-static inline void
-sha512_pre_pre2_msg(
- uint8_t *hash,
- uint8_t *prefix,
- uint8_t *prefix2,
- uint32_t len,
- uint8_t *input)
-{
- uint8_t buf[128U] = { 0U };
- uint64_t block_state[8U] = { 0U };
- Hacl_Streaming_MD_state_64
- s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
- Hacl_Streaming_MD_state_64 p = s;
- Hacl_SHA2_Scalar32_sha512_init(block_state);
- Hacl_Streaming_MD_state_64 *st = &p;
- Hacl_Streaming_Types_error_code
- err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
- Hacl_Streaming_Types_error_code
- err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U);
- Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len);
- KRML_HOST_IGNORE(err0);
- KRML_HOST_IGNORE(err1);
- KRML_HOST_IGNORE(err2);
- Hacl_Streaming_SHA2_finish_512(st, hash);
-}
-
static inline void
sha512_modq_pre(uint64_t *out, uint8_t *prefix, uint32_t len, uint8_t *input)
{
diff --git a/dist/gcc-compatible/Hacl_Ed25519.h b/dist/gcc-compatible/Hacl_Ed25519.h
index 12e16e142c..7d6f87dff2 100644
--- a/dist/gcc-compatible/Hacl_Ed25519.h
+++ b/dist/gcc-compatible/Hacl_Ed25519.h
@@ -36,7 +36,6 @@ extern "C" {
#include "Hacl_Streaming_Types.h"
#include "Hacl_Krmllib.h"
-#include "Hacl_Hash_SHA2.h"
/********************************************************************************
Verified C library for EdDSA signing and verification on the edwards25519 curve.
diff --git a/dist/gcc-compatible/internal/Hacl_Ed25519.h b/dist/gcc-compatible/internal/Hacl_Ed25519.h
index ba77b6dc09..ad36672b92 100644
--- a/dist/gcc-compatible/internal/Hacl_Ed25519.h
+++ b/dist/gcc-compatible/internal/Hacl_Ed25519.h
@@ -35,7 +35,6 @@ extern "C" {
#include "krml/internal/target.h"
#include "internal/Hacl_Krmllib.h"
-#include "internal/Hacl_Hash_SHA2.h"
#include "internal/Hacl_Ed25519_PrecompTable.h"
#include "internal/Hacl_Curve25519_51.h"
#include "internal/Hacl_Bignum_Base.h"
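Review bot: The patch file carries only `Bug 1325335` as its description, yet it removes `sha512_pre_msg` and `sha512_pre_pre2_msg` from the HACL* Ed25519 source and includes `../Hacl_Hash_SHA2_shim.h` instead, which presumably moves the SHA-512 calls used by Ed25519 outside the upstream verified snapshot. A short header in the patch stating what the shim must provide (the two removed helpers with the same signatures) and which implementation backs it would let a reviewer of the comparison job see why this deviation from upstream is accepted. The shim itself is not visible in this part of the page, so whether it preserves the behaviour of the removed functions cannot be confirmed from here.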


@@ -0,0 +1,15 @@
Bug 1857190 - include alloca.h on Solaris
diff --git a/dist/karamel/include/krml/internal/builtin.h b/dist/karamel/include/krml/internal/builtin.h
index f55e5f824e..07ff156788 100644
--- a/dist/karamel/include/krml/internal/builtin.h
+++ b/dist/karamel/include/krml/internal/builtin.h
@@ -7,6 +7,8 @@
/* For alloca, when using KaRaMeL's -falloca */
#if (defined(_WIN32) || defined(_WIN64))
#include <malloc.h>
+#elif (defined(sun))
+#include <alloca.h>
#endif
/* If some globals need to be initialized before the main, then karamel will
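Review bot: `defined(sun)` in the new `#elif` tests a macro from the user namespace, which GCC does not predefine in strict ISO modes such as `-std=c99`, so the `<alloca.h>` include could be skipped in such builds. `#elif (defined(__sun))` uses the reserved-namespace spelling that stays predefined on Solaris regardless of the language mode. The `#if`/`#endif` pair is complete within the hunk.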


@@ -1,50 +0,0 @@
28d27
< #include "internal/Hacl_Hash_SHA2.h"
33a33,34
> #include "../Hacl_Hash_SHA2_shim.h"
>
1670,1713d1670
< }
<
< static inline void
< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
< {
< uint8_t buf[128U] = { 0U };
< uint64_t block_state[8U] = { 0U };
< Hacl_Streaming_MD_state_64
< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
< Hacl_Streaming_MD_state_64 p = s;
< Hacl_SHA2_Scalar32_sha512_init(block_state);
< Hacl_Streaming_MD_state_64 *st = &p;
< Hacl_Streaming_Types_error_code
< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len);
< KRML_HOST_IGNORE(err0);
< KRML_HOST_IGNORE(err1);
< Hacl_Streaming_SHA2_finish_512(st, hash);
< }
<
< static inline void
< sha512_pre_pre2_msg(
< uint8_t *hash,
< uint8_t *prefix,
< uint8_t *prefix2,
< uint32_t len,
< uint8_t *input)
< {
< uint8_t buf[128U] = { 0U };
< uint64_t block_state[8U] = { 0U };
< Hacl_Streaming_MD_state_64
< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
< Hacl_Streaming_MD_state_64 p = s;
< Hacl_SHA2_Scalar32_sha512_init(block_state);
< Hacl_Streaming_MD_state_64 *st = &p;
< Hacl_Streaming_Types_error_code
< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
< Hacl_Streaming_Types_error_code
< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U);
< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len);
< KRML_HOST_IGNORE(err0);
< KRML_HOST_IGNORE(err1);
< KRML_HOST_IGNORE(err2);
< Hacl_Streaming_SHA2_finish_512(st, hash);


@@ -1,2 +0,0 @@
38d37
< #include "internal/Hacl_Hash_SHA2.h"


@@ -1,2 +0,0 @@
39d38
< #include "Hacl_Hash_SHA2.h"


@@ -8,7 +8,6 @@ fi
set -e -x -v
# The docker image this is running in has NSS sources.
# Get the HACL* source, containing a snapshot of the C code, extracted on the
# HACL CI.
git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star
@@ -16,11 +15,20 @@ git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552
# Format the C snapshot.
cd ~/hacl-star/dist/mozilla
cp ~/nss/.clang-format .
cp ${VCS_PATH}/nss/.clang-format .
find . -type f -name '*.[ch]' -exec clang-format -i {} \+
cd ~/hacl-star/dist/karamel
cp ~/nss/.clang-format .
cp ${VCS_PATH}/nss/.clang-format .
find . -type f -name '*.[ch]' -exec clang-format -i {} \+
cd ~/hacl-star/dist/gcc-compatible
cp ${VCS_PATH}/nss/.clang-format .
find . -type f -name '*.[ch]' -exec clang-format -i {} \+
cd ~/hacl-star
patches=(${VCS_PATH}/nss/automation/taskcluster/scripts/patches/*.patch)
for f in "${patches[@]}"; do
git apply "$f"
done
# These diff commands will return 1 if there are differences and stop the script.
@@ -30,22 +38,19 @@ find . -type f -name '*.[ch]' -exec clang-format -i {} \+
# For instance, the files Hacl_Chacha20.h are present in both directories, but the content differs.
# TODO(Bug 1899443): remove these exceptions
files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
files=($(find ${VCS_PATH}/nss/lib/freebl/verified/internal -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/libcrux*"))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name))
if [ $file_name == "Hacl_Ed25519.h" \
-o $file_name == "Hacl_Ed25519_PrecompTable.h" \
-o $file_name == "libcrux_sha3_internal.h" \
-o $file_name == "libcrux_core.h" \
-o $file_name == "libcrux_mlkem_portable.h" ]
-o $file_name == "Hacl_Ed25519_PrecompTable.h" ]
then
continue;
continue
fi
diff $hacl_file $f
diff -u $hacl_file $f
done
files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*" -not -path "*/freebl/verified/config.h"))
files=($(find ${VCS_PATH}/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*" -not -path "*/freebl/verified/config.h" -not -path "*/freebl/verified/libcrux*"))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
@@ -53,67 +58,43 @@ for f in "${files[@]}"; do
-o $file_name == "Hacl_P384.h" \
-o $file_name == "Hacl_P521.c" \
-o $file_name == "Hacl_P521.h" \
-o $file_name == "libcrux_mlkem_portable.c" \
-o $file_name == "libcrux_sha3_internal.h" \
-o $file_name == "libcrux_core.h" \
-o $file_name == "eurydice_glue.h" \
-o $file_name == "target.h" ]
then
continue;
continue
fi
if [ $file_name == "Hacl_Ed25519.h" \
-o $file_name == "Hacl_Ed25519.c" ]
then
continue;
continue
fi
diff $hacl_file $f
diff -u $hacl_file $f
done
# Here we process the code that's not located in /hacl-star/dist/mozilla/ but
# /hacl-star/dist/gcc-compatible.
cd ~/hacl-star/dist/gcc-compatible
cp ~/nss/.clang-format .
find . -type f -name '*.[ch]' -exec clang-format -i {} \+
patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch'))
for f in "${patches[@]}"; do
file_name=$(basename "$f")
file_name="${file_name%.*}"
if_internal="${file_name##*.}"
if [ $if_internal == "internal" ]
then
file_name="${file_name%.*}"
patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
else
patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
fi
if [ ! -z "$patch_file" ]
then
patch $patch_file $f
fi
done
files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
files=($(find ${VCS_PATH}/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
if [ $file_name != "Hacl_Ed25519.h" \
-a $file_name != "Hacl_Ed25519_PrecompTable.h" ]
then
continue;
continue
fi
diff $hacl_file $f
diff -u $hacl_file $f
done
files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
files=($(find ${VCS_PATH}/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
if [ $file_name != "Hacl_Ed25519.h" \
-a $file_name != "Hacl_Ed25519.c" ]
then
continue;
continue
fi
diff $hacl_file $f
diff -u $hacl_file $f
done
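Review bot: The new `-not -path "*/freebl/verified/internal/libcrux*"` and `-not -path "*/freebl/verified/libcrux*"` filters exempt every path starting with `libcrux` from the comparison, where the earlier code appears to have skipped individually named files. That is wider than before, so a file added later under that prefix is never compared against a reference, and nothing in the script says where those files are checked instead. A comment above each `find`, e.g. `# libcrux* sources are not part of this hacl-star snapshot and are not compared here`, would make the gap explicit; adjust the wording if they are verified by another job.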


@@ -2,17 +2,12 @@
source $(dirname "$0")/tools.sh
# Clone NSPR if needed.
if [ ! -d "nspr" ]; then
hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
fi
popd
cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" .
cd nspr
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cat ../nss/nspr.patch | patch -p1
fi
cd ..
# Build.
cd nss
@@ -41,13 +36,14 @@ for i in "${!scan[@]}"; do
done
# run scan-build (only building affected directories)
scan-build -o /home/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all && cd ..
scan-build -o /builds/worker/artifacts --use-cc=$CC --use-c++=$CCC make nss_build_all
STATUS=$?
cd ..
# print errors we found
set +v +x
STATUS=0
for i in "${!scan[@]}"; do
n=$(grep -Rn "$i" /home/worker/artifacts/*/report-*.html | wc -l)
n=$(grep -Rn "$i" /builds/worker/artifacts/*/report-*.html | wc -l)
if [ $n -ne ${scan[$i]} ]; then
STATUS=1
echo "$(date '+%T') WARNING - TEST-UNEXPECTED-FAIL: $i contains $n scan-build errors"


@@ -5,5 +5,11 @@ source $(dirname "$0")/tools.sh
# Fetch artifact if needed.
fetch_dist
export DIST=${PWD}/dist
# tests write to the source dir (and its parent), so move the source tree to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nss" .
# Run tests.
cd nss/tests && ./all.sh


@@ -2,6 +2,12 @@
set -v -e -x
test -v VCS_PATH
# builds write to the source dir (and its parent), so move the source trees to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" .
if [[ "$USE_64" == 1 ]]; then
m=x64
else
@@ -9,9 +15,6 @@ else
fi
source "$(dirname "$0")/setup.sh"
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr nspr default
pushd nspr
hg revert --all
if [[ -f ../nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then


@@ -30,8 +30,11 @@ popd
export PATH="${PATH}:${PWD}/ninja/bin:${PWD}/gyp/test-env/Scripts"
# Clone NSPR.
hg_clone https://hg.mozilla.org/projects/nspr nspr default
test -v VCS_PATH
# builds write to the source dir (and its parent), so move the source trees to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nspr" "${VCS_PATH}/nss" .
pushd nspr
hg revert --all


@@ -15,6 +15,11 @@ fi
wget -t 3 --retry-connrefused -w 5 --random-wait $url -O dist.7z
7z x dist.7z
export DIST=${PWD}/dist
# tests write to the source dir (and its parent), so move the source tree to
# our workspace from the (cached) checkout dir
cp -a "${VCS_PATH}/nss" .
# Generate certificates.
NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" nss/tests/all.sh


@@ -15,5 +15,9 @@ fi
wget -t 3 --retry-connrefused -w 5 --random-wait $url -O dist.7z
7z x dist.7z
export DIST=${PWD}/dist
cp -a "${VCS_PATH}/nss" .
# Run tests.
cd nss/tests && ./all.sh


@@ -111,7 +111,6 @@ while [ $# -gt 0 ]; do
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
--gtests-corpus) gyp_params+=(-Dgtests_corpus=1) ;;
--sancov) enable_sancov; gyp_params+=(-Dcoverage=1) ;;
--sancov=?*) enable_sancov "${1#*=}"; gyp_params+=(-Dcoverage=1) ;;
--emit-llvm) gyp_params+=(-Demit_llvm=1 -Dsign_libs=0) ;;


@@ -125,7 +125,6 @@
'fuzz%': 0,
'fuzz_tls%': 0,
'fuzz_oss%': 0,
'gtests_corpus%': 0,
'sign_libs%': 1,
'use_pprof%': 0,
'ct_verif%': 0,


@@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@@ -8,6 +8,7 @@ Releases
:glob:
:hidden:
nss_3_108.rst
nss_3_101_3.rst
nss_3_107.rst
nss_3_106.rst
@@ -80,33 +81,55 @@ Releases
.. note::
**NSS 3.107** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_107_release_notes`
**NSS 3.108** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_108_release_notes`
**NSS 3.101.3 (ESR)** is the latest ESR version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes`
.. container::
Changes in 3.107 included in this release:
Changes in 3.108 included in this release:
- Bug 1923038 - Remove MPI fuzz targets.
- Bug 1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
- Bug 1919015 - Enable PKCS8 fuzz target.
- Bug 1923037 - Integrate Cryptofuzz in CI.
- Bug 1913677 - Part 2: Set tls server target socket options in config class.
- Bug 1913677 - Part 1: Set tls client target socket options in config class.
- Bug 1913680 - Support building with thread sanitizer.
- Bug 1922392 - set nssckbi version number to 2.72.
- Bug 1919913 - remove Websites Trust Bit from Entrust Root Certification Authority - G4.
- Bug 1920641 - remove Security Communication RootCA3 root cert.
- Bug 1918559 - remove SecureSign RootCA11 root cert.
- Bug 1922387 - Add distrust-after for TLS to Entrust Roots.
- Bug 1927096 - update expected error code in pk12util pbmac1 tests.
- Bug 1929041 - Use random tstclnt args with handshake collection script.
- Bug 1920466 - Remove extraneous assert in ssl3gthr.c.
- Bug 1928402 - Adding missing release notes for NSS_3_105.
- Bug 1874451 - Enable the disabled mlkem tests for dtls.
- Bug 1874451 - NSS gtests filter cleans up the constucted buffer before the use.
- Bug 1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
- Bug 1925503 - Remove short circuit test from ssl_Init.
- Bug 1923285 - libclang-16 -> libclang-19
- Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1.
- Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2.
- Bug 1915902 - Remove SwissSign Silver CA G2.
- Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS
- Bug 1942301 - fix fips test failure on windows.
- Bug 1935925 - change default sensitivity of KEM keys.
- Bug 1936001 - Part 1: Introduce frida hooks and script,
- Bug 1942350 - add missing arm_neon.h include to gcm.c.
- Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2
- Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova
- Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova
- Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova
- Bug 1880255 - detect msys r=nss-reviewers,nkulatova
- Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler
- Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1
- Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG
- Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero
- Bug 1930806 FIPS changes need to be upstreamed - updated POST
- Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing
- Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers
- Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers
- Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers
- Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers
- Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck
- Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck
- Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers
- Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers
- Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers
- Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers
- Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers
- Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers
- Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers
- Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers
- Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers
- Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova
- Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova
- Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova
- Bug 1926256 - fix build error from 9505f79d r=jschanck
- Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea
- Bug 1931973 - nss doc: fix a warning r=bbeurdouche
- Bug 1930797 pkcs12 fixes from RHEL need to be picked up.


@@ -0,0 +1,75 @@
.. _mozilla_projects_nss_nss_3_108_release_notes:
NSS 3.108 release notes
========================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.108 was released on *4 February 2024**.
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_108_RTM. NSS 3.108 requires NSPR 4.35 or newer. The latest version of NSPR is 4.36.
NSS 3.108 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_108_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.108:
`Changes in NSS 3.108 <#changes_in_nss_3.108>`__
------------------------------------------------------------------
.. container::
- Bug 1923285 - libclang-16 -> libclang-19
- Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1.
- Bug 1937332 - Turn off Secure Email Trust Bit for BJCA Global Root CA1 and BJCA Global Root CA2.
- Bug 1915902 - Remove SwissSign Silver CA G2.
- Bug 1938245 - Add D-Trust 2023 TLS Roots to NSS
- Bug 1942301 - fix fips test failure on windows.
- Bug 1935925 - change default sensitivity of KEM keys.
- Bug 1936001 - Part 1: Introduce frida hooks and script,
- Bug 1942350 - add missing arm_neon.h include to gcm.c.
- Bug 1831552 - ci: update windows workers to win2022 r=nss-reviewers,nkulatova NSS_3_108_BETA2
- Bug 1831552 - strip trailing carriage returns in tools tests r=nss-reviewers,nkulatova
- Bug 1880256 - work around unix/windows path translation issues in cert test script r=nss-reviewers,nkulatova
- Bug 1831552 - ci: let the windows setup script work without $m r=nss-reviewers,nkulatova
- Bug 1880255 - detect msys r=nss-reviewers,nkulatova
- Bug 1936680 - add a specialized CTR_Update variant for AES-GCM. r=nss-reviewers,keeler
- Bug 1930807 NSS policy updates - cavs NSS_3_108_BETA1
- Bug 1930806 FIPS changes need to be upstreamed: FIPS 140-3 RNG
- Bug 1930806 FIPS changes need to be upstreamed: Add SafeZero
- Bug 1930806 FIPS changes need to be upstreamed - updated POST
- Bug 1933031 Segmentation fault in SECITEM_Hash during pkcs12 processing
- Bug 1929922 - Extending NSS with LoadModuleFromFunction functionality r=keeler,nss-reviewers
- Bug 1935984 - Ensure zero-initialization of collectArgs.cert, r=djackson,nss-reviewers
- Bug 1934526 - pkcs7 fuzz target use CERT_DestroyCertificate, r=djackson,nss-reviewers
- Bug 1915898 - Fix actual underlying ODR violations issue, r=djackson,nss-reviewers
- Bug 1184059 - mozilla::pkix: allow reference ID labels to begin and/or end with hyphens r=jschanck
- Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set r=jschanck
- Bug 1934526 - Fix memory leak in pkcs7 fuzz target, r=djackson,nss-reviewers
- Bug 1934529 - Set -O2 for ASan builds in CI, r=djackson,nss-reviewers
- Bug 1934543 - Change branch of tlsfuzzer dependency, r=djackson,nss-reviewers
- Bug 1915898 - Run tests in CI for ASan builds with detect_odr_violation=1, r=djackson,nss-reviewers
- Bug 1934241 - Fix coverage failure in CI, r=djackson,nss-reviewers
- Bug 1934213 - Add fuzzing for delegated credentials, DTLS short header and Tls13BackendEch, r=djackson,nss-reviewers
- Bug 1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and SSL_SetDtls13VersionWorkaround, r=djackson,nss-reviewers
- Bug 1913677 - Part 3: Restructure fuzz/, r=djackson,nss-reviewers
- Bug 1931925 - Extract testcases from ssl gtests for fuzzing, r=djackson,nss-reviewers
- Bug 1923037 - Force Cryptofuzz to use NSS in CI, r=nss-reviewers,nkulatova
- Bug 1923037 - Fix Cryptofuzz on 32 bit in CI, r=nss-reviewers,nkulatova
- Bug 1933154 - Update Cryptofuzz repository link, r=nss-reviewers,nkulatova
- Bug 1926256 - fix build error from 9505f79d r=jschanck
- Bug 1926256 - simplify error handling in get_token_objects_for_cache. r=rrelyea
- Bug 1931973 - nss doc: fix a warning r=bbeurdouche
- Bug 1930797 pkcs12 fixes from RHEL need to be picked up.


@@ -0,0 +1,24 @@
# Build
The fuzz targets can be build with `./build.sh --fuzz [--disable-tests]`. They compile with ASan and UBSan by default, see `coreconf/fuzz.sh`.
# OSS-Fuzz
All fuzz targets run continuously on oss-fuzz, the respective `project.yaml` can be found at https://github.com/google/oss-fuzz/blob/master/projects/nss/project.yaml. An overview with code coverage is available at https://introspector.oss-fuzz.com/project-profile?project=nss, as well as a link to a more detailed fuzz introspector report.
# MozillaSecurity/orion
We regularly run two services, one to collect coverage information ourselves and another one to mirror the public oss-fuzz corpora and populate the private bucket with new testcases. Code coverage reports can be found at https://fuzzmanager.fuzzing.mozilla.org/covmanager/reports/.
- nss-coverage service: https://github.com/MozillaSecurity/orion/tree/master/services/nss-coverage
- nss-corpus-update service: https://github.com/MozillaSecurity/orion/tree/master/services/nss-corpus-update
# Adding a new fuzz target
The fuzz targets are located at `fuzz/targets`. Some additional things to keep in my mind when adding a new fuzz target:
- Every fuzz target needs a `.options` file at `fuzz/options`, other fuzz tooling depends on it.
- For CI integration, schedule the corresponding fuzzing runs at `automation/taskcluster/graph/src/extend.js`.
- Testcases can be extracted from the existing tests by adding hooks to `fuzz/config/frida_corpus/hooks.js` and `fuzz/config/frida_corpus/cli.py`.
# Useful Links
- https://oss-fuzz.com/
- https://introspector.oss-fuzz.com/project-profile?project=nss
- https://fuzzmanager.fuzzing.mozilla.org/covmanager/reports/
- https://github.com/MozillaSecurity/orion
- https://treeherder.mozilla.org/jobs?repo=nss-try


@@ -25,6 +25,16 @@ def store_for_target(target, data):
f.write(data)
# --- asn1 ---
def on_SEC_ASN1DecodeItem_Util(payload):
if not "data" in payload:
return
store_for_target("asn1", bytes(payload["data"].values()))
# --- certDN ---
@@ -75,6 +85,16 @@ def on_SEC_QuickDERDecodeItem_Util(payload):
store_for_target("quickder", bytes(payload["data"].values()))
# --- smime ---
def on_NSS_CMSDecoder_Update(payload):
if not "data" in payload:
return
store_for_target("smime", bytes(payload["data"].values()))
# --- TLS ---
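Review bot: `on_SEC_ASN1DecodeItem_Util` and `on_NSS_CMSDecoder_Update` return silently when the message has no `data` key, which hides a hook that is sending the wrong shape; a comment such as `# hook sent no buffer, nothing to store` or a warning on stderr would make that visible. The membership test reads more naturally as `if "data" not in payload:`. `bytes(payload["data"].values())` presumably depends on the serialized array arriving as an index-ordered mapping, which is worth stating in a comment since nothing in these hunks enforces it.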


@@ -2,6 +2,25 @@
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.
// --- asn1 ---
if (DebugSymbol.findFunctionsNamed("SEC_ASN1DecodeItem_Util").length) {
console.log("Attaching `SEC_ASN1DecodeItem_Util` interceptor...");
Interceptor.attach(DebugSymbol.fromName("SEC_ASN1DecodeItem_Util").address, {
onEnter: function (args) {
const secItem = args[3]; // { type(8), data(8), len(4) }
const len = secItem.add(8).add(8).readUInt();
const buf = secItem.add(8).readByteArray(len);
send({
func: "SEC_ASN1DecodeItem_Util",
data: new Uint8Array(buf),
});
},
});
}
// --- certDN ---
if (DebugSymbol.findFunctionsNamed("CERT_AsciiToName").length) {
@@ -96,6 +115,20 @@ if (DebugSymbol.findFunctionsNamed("SEC_QuickDERDecodeItem_Util").length) {
);
}
// -- smime --
if (DebugSymbol.findFunctionsNamed("NSS_CMSDecoder_Update").length) {
console.log("Attaching `NSS_CMSDecoder_Update` interceptor...");
Interceptor.attach(DebugSymbol.fromName("NSS_CMSDecoder_Update").address, {
onEnter: function (args) {
const len = args[2].toInt32();
const buf = args[1].readByteArray(len);
send({ func: "NSS_CMSDecoder_Update", data: new Uint8Array(buf) });
},
});
}
// --- TLS ---
if (DebugSymbol.findFunctionsNamed("ssl_DefClose").length) {
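Review bot: In the `SEC_ASN1DecodeItem_Util` hook, `secItem.add(8).readByteArray(len)` reads `len` bytes starting at the address of the `data` field, so as written it captures the pointer value and whatever follows the SECItem in memory rather than the DER buffer it points to, and it can run past mapped memory when `len` is large. Dereference the field first, e.g. `const buf = secItem.add(Process.pointerSize).readPointer().readByteArray(len);`. The fixed offsets 8 and 16 also assume a 64-bit layout; deriving them from `Process.pointerSize` (length at `2 * Process.pointerSize`) keeps the hook usable on 32-bit builds, and a `secItem.isNull()` check before the reads would avoid faulting the test process on a null item. The `NSS_CMSDecoder_Update` hook reads directly from `args[1]` and is not affected.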


@@ -0,0 +1,14 @@
[build-system]
requires = ["setuptools>=64"]
build-backend = "setuptools.build_meta"
[project]
name = "frida-corpus"
requires-python = ">=3.9"
dependencies = [
"frida>=16.6.5"
]
dynamic = ["version"]
[project.scripts]
frida-corpus = "cli:main"
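Review bot: `"frida>=16.6.5"` sets only a floor, so each install of this corpus tool resolves to whatever Frida release is newest, and that package ships native code that gets injected into the NSS test binaries. For CI use it would be safer to install from a constraints or lock file with hashes (`pip install --require-hashes -r requirements.txt`) and keep the open range here for local development only. A short comment above `dependencies` saying why 16.6.5 is the minimum would also help whoever bumps it next.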


@@ -16,7 +16,7 @@ def main():
# Configure a TLS 1.3 External PSK with the given hex string for a key.
if random.randint(0, 1):
print(f"-z 0x{''.join(random.choices(string.hexdigits, k=25))}")
print(f"-z 0x{''.join(random.choices(string.hexdigits, k=16))}")
# Enable the session ticket extension.
if random.randint(0, 1):


@@ -0,0 +1,3 @@
[libfuzzer]
len_control = 100
max_len = 16777215


@@ -0,0 +1,3 @@
[libfuzzer]
len_control = 100
max_len = 16777215


@@ -0,0 +1,94 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <cstddef>
#include <cstdint>
#include "certt.h"
#include "keythi.h"
#include "secasn1.h"
#include "secdert.h"
#include "asn1/mutators.h"
#include "base/mutate.h"
const SEC_ASN1Template *templates[] = {CERT_AttributeTemplate,
CERT_CertExtensionTemplate,
CERT_CertificateRequestTemplate,
CERT_CertificateTemplate,
CERT_CrlTemplate,
CERT_IssuerAndSNTemplate,
CERT_NameTemplate,
CERT_PublicKeyAndChallengeTemplate,
CERT_RDNTemplate,
CERT_SequenceOfCertExtensionTemplate,
CERT_SetOfAttributeTemplate,
CERT_SetOfSignedCrlTemplate,
CERT_SignedCrlTemplate,
CERT_SignedDataTemplate,
CERT_SubjectPublicKeyInfoTemplate,
CERT_TimeChoiceTemplate,
CERT_ValidityTemplate,
SEC_AnyTemplate,
SEC_BitStringTemplate,
SEC_BMPStringTemplate,
SEC_BooleanTemplate,
SEC_CertSequenceTemplate,
SEC_EnumeratedTemplate,
SEC_GeneralizedTimeTemplate,
SEC_IA5StringTemplate,
SEC_IntegerTemplate,
SEC_NullTemplate,
SEC_ObjectIDTemplate,
SEC_OctetStringTemplate,
SEC_PointerToAnyTemplate,
SEC_PointerToEnumeratedTemplate,
SEC_PointerToGeneralizedTimeTemplate,
SEC_PointerToOctetStringTemplate,
SEC_PrintableStringTemplate,
SEC_SetOfAnyTemplate,
SEC_SetOfEnumeratedTemplate,
SEC_SequenceOfAnyTemplate,
SEC_SequenceOfObjectIDTemplate,
SEC_SignedCertificateTemplate,
SEC_SkipTemplate,
SEC_T61StringTemplate,
SEC_UniversalStringTemplate,
SEC_UTCTimeTemplate,
SEC_UTF8StringTemplate,
SEC_VisibleStringTemplate,
SECKEY_DHParamKeyTemplate,
SECKEY_DHPublicKeyTemplate,
SECKEY_DSAPrivateKeyExportTemplate,
SECKEY_DSAPublicKeyTemplate,
SECKEY_PQGParamsTemplate,
SECKEY_PrivateKeyInfoTemplate,
SECKEY_RSAPSSParamsTemplate,
SECKEY_RSAPublicKeyTemplate,
SECOID_AlgorithmIDTemplate};
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
static char *dest[2048];
PORTCheapArenaPool pool;
PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
for (auto tpl : templates) {
memset(dest, 0, sizeof(dest));
SECItem buf = {siBuffer, (unsigned char *)data, (unsigned int)size};
(void)SEC_ASN1DecodeItem(&pool.arena, dest, tpl, &buf);
}
PORT_DestroyCheapArena(&pool);
return 0;
}
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
size_t max_size, unsigned int seed) {
return CustomMutate(
Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data,
size, max_size, seed);
}
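Review bot: `static char *dest[2048]` in `LLVMFuzzerTestOneInput` is the decode destination for every entry in `templates`, but nothing ties its size to the largest structure those templates write into, so a template added later with a bigger destination would make the harness itself overflow and the sanitizer report would look like an NSS finding. A comment stating the assumption, for example `// 2048 pointers: must be at least as large as the biggest struct any listed template decodes into`, or a `static_assert` against the largest known destination type, would pin it down. `memset` is used without `<cstring>` being included, so the file relies on a transitive include. `templates` could also be declared `static const SEC_ASN1Template *const` to keep it out of the global namespace.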


@@ -19,6 +19,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
CERTName* certName = CERT_AsciiToName(name.c_str());
if (certName) {
char* out;
TEST_FUNCTION(CERT_FormatName)
TEST_FUNCTION(CERT_NameToAscii)
TEST_FUNCTION(CERT_GetCertEmailAddress)
@@ -39,6 +40,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
free(out);
out = CERT_NameToAsciiInvertible(certName, CERT_N2A_INVERTIBLE);
free(out);
(void)CERT_CompareName(certName, certName);
}
CERT_DestroyName(certName);
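Review bot: `(void)CERT_CompareName(certName, certName)` compares the parsed name with itself, so only the all-equal path of the comparison is exercised and the mismatch branches stay unreached. If that is intentional, a comment such as `// self-compare: walks every RDN/AVA, equal path only` would say so; otherwise a second name parsed from a different slice of the input would reach the rest. The enclosing `LLVMFuzzerTestOneInput` starts and ends outside these hunks.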


@@ -6,6 +6,7 @@
#include <cstdint>
#include "cert.h"
#include "prtypes.h"
#include "asn1/mutators.h"
#include "base/database.h"
@@ -15,7 +16,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
static NSSDatabase db = NSSDatabase();
CERTCertificate *cert = CERT_DecodeCertFromPackage((char *)data, (int)size);
CERT_DestroyCertificate(cert);
if (cert) {
SECCertificateUsage usage;
(void)CERT_VerifyCertificateNow(CERT_GetDefaultCertDB(), cert, PR_TRUE,
certificateUsageCheckAllUsages, nullptr,
&usage);
(void)CERT_VerifyCertName(cert, "fuzz.host");
CERT_DestroyCertificate(cert);
}
return 0;
}
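Review bot: `CERT_VerifyCertificateNow` validates against the wall clock, so the same testcase can take different paths (valid, expired, not yet valid) depending on when it is replayed, which makes crashes and coverage from this target harder to reproduce. Unless the fuzz build pins the clock elsewhere, which is not visible in this hunk, consider `CERT_VerifyCertificate` with a fixed `PRTime` constant instead of the `...Now` variant. `usage` is only written by the callee and never read, so a brief comment that the result is deliberately discarded would help.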


@@ -0,0 +1,32 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include <cstddef>
#include <cstdint>
#include "scoped_ptrs_smime.h"
#include "smime.h"
#include "asn1/mutators.h"
#include "base/database.h"
#include "base/mutate.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
static NSSDatabase db = NSSDatabase();
SECItem buffer = {siBuffer, (unsigned char *)data, (unsigned int)size};
ScopedNSSCMSMessage cmsg(NSS_CMSMessage_CreateFromDER(
&buffer, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr));
(void)NSS_CMSMessage_IsSigned(cmsg.get());
return 0;
}
extern "C" size_t LLVMFuzzerCustomMutator(uint8_t *data, size_t size,
size_t maxSize, unsigned int seed) {
return CustomMutate(
Mutators({ASN1Mutators::FlipConstructed, ASN1Mutators::ChangeType}), data,
size, maxSize, seed);
}
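Review bot: `NSS_CMSMessage_IsSigned(cmsg.get())` in `LLVMFuzzerTestOneInput` runs even when `NSS_CMSMessage_CreateFromDER` failed and `cmsg` is null, which will be the case for most mutated inputs. Whether the callee tolerates a null message cannot be confirmed from this hunk; guarding the call with `if (cmsg) { (void)NSS_CMSMessage_IsSigned(cmsg.get()); }` keeps a null dereference in the harness from being reported as a library crash. `(unsigned int)size` would truncate inputs above 4 GiB; the libFuzzer `max_len` options added in this commit appear to make that unreachable, which deserves a one-line comment next to the cast.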


@@ -38,6 +38,7 @@
'<(DEPTH)/lib/nss/nss.gyp:nss_static',
'<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
'<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12',
'<(DEPTH)/lib/smime/smime.gyp:smime',
# This is a static build of pk11wrap, softoken, and freebl.
'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
'<(DEPTH)/lib/libpkix/libpkix.gyp:libpkix',
@@ -59,6 +60,19 @@
}]
],
},
{
'target_name': 'nssfuzz-asn1',
'type': 'executable',
'sources': [
'asn1.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1',
'<(DEPTH)/fuzz/targets/lib/base/base.gyp:base',
'nssfuzz_base',
],
},
{
'target_name': 'nssfuzz-certDN',
'type': 'executable',
@@ -155,6 +169,20 @@
'nssfuzz_base',
],
},
{
'target_name': 'nssfuzz-smime',
'type': 'executable',
'sources': [
'smime.cc',
],
'dependencies': [
'<(DEPTH)/cpputil/cpputil.gyp:cpputil',
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/fuzz/targets/lib/asn1/asn1.gyp:asn1',
'<(DEPTH)/fuzz/targets/lib/base/base.gyp:base',
'nssfuzz_base',
],
},
{
'target_name': 'nssfuzz-tls-client',
'type': 'executable',
@@ -187,6 +215,7 @@
'target_name': 'nssfuzz',
'type': 'none',
'dependencies': [
'nssfuzz-asn1',
'nssfuzz-certDN',
'nssfuzz-dtls-client',
'nssfuzz-dtls-server',
@@ -194,6 +223,7 @@
'nssfuzz-pkcs8',
'nssfuzz-pkcs12',
'nssfuzz-quickder',
'nssfuzz-smime',
'nssfuzz-tls-client',
'nssfuzz-tls-server',
],


@@ -39,11 +39,6 @@
'UNSAFE_FUZZER_MODE',
],
}],
['gtests_corpus==1', {
'defines': [
'GTESTS_CORPUS',
]
}]
],
'msvs_settings': {
'VCCLCompilerTool': {


@@ -8,14 +8,9 @@
#include <algorithm>
#include <cassert>
#include <fstream>
#include <iostream>
#include <iterator>
#include <memory>
#include <sstream>
#include <sys/stat.h>
#include "blapi.h"
#include "prerror.h"
#include "prlog.h"
#include "prthread.h"
@@ -30,45 +25,6 @@ namespace nss_test {
if (g_ssl_gtest_verbose) LOG(a); \
} while (false)
DummyPrSocket::~DummyPrSocket() {
#ifdef GTESTS_CORPUS
if (name_ != "client" && name_ != "server") {
return;
}
assert(variant_ == ssl_variant_stream || variant_ == ssl_variant_datagram);
assert(name_ == "client" || name_ == "server");
// We don't care if they already exist, just make sure they do at all.
mkdir("dtls-client-corpus", 0775);
mkdir("dtls-server-corpus", 0775);
mkdir("tls-client-corpus", 0775);
mkdir("tls-server-corpus", 0775);
std::stringstream filepath;
filepath << (variant_ == ssl_variant_stream ? "tls" : "dtls") << "-" << name_
<< "-corpus/";
unsigned char digest[20];
SHA1_HashBuf(digest, receivedData_.data(), receivedData_.size());
for (unsigned long i = 0; i < sizeof(digest); ++i) {
filepath << std::hex << std::setfill('0') << std::setw(2) << (int)digest[i];
}
std::ofstream file;
file.open(filepath.str(), std::ios::out | std::ofstream::binary);
if (file.fail()) {
std::cerr << "Failed to open file: " << filepath.str() << "\n";
abort();
}
std::copy(receivedData_.begin(), receivedData_.end(),
std::ostreambuf_iterator<char>(file));
#endif // GTESTS_CORPUS
}
PRDescIdentity DummyPrSocket::LayerId() {
static PRDescIdentity id = PR_GetUniqueIdentity("dummysocket");
return id;
@@ -93,11 +49,6 @@ void DummyPrSocket::Reset() {
}
void DummyPrSocket::PacketReceived(const DataBuffer &packet) {
#ifdef GTESTS_CORPUS
receivedData_.reserve(receivedData_.size() + packet.len());
std::copy(packet.data(), packet.data() + packet.len(),
std::back_inserter(receivedData_));
#endif // GTESTS_CORPUS
input_.push(Packet(packet));
}


@@ -67,9 +67,8 @@ class DummyPrSocket : public DummyIOLayerMethods {
peer_(),
input_(),
filter_(nullptr),
write_error_(0),
receivedData_() {}
virtual ~DummyPrSocket();
write_error_(0) {}
virtual ~DummyPrSocket() {}
static PRDescIdentity LayerId();
@@ -118,8 +117,6 @@ class DummyPrSocket : public DummyIOLayerMethods {
std::queue<Packet> input_;
std::shared_ptr<PacketFilter> filter_;
PRErrorCode write_error_;
std::vector<uint8_t> receivedData_;
};
// Marker interface.


@@ -376,6 +376,12 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
ssl_sig_rsa_pss_pss_sha256};
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
PRInt32 keySizeFlags;
ASSERT_EQ(SECSuccess,
NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
// turn off the signing key sizes so we actually test the ssl tests
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS,
NSS_KEY_SIZE_POLICY_SSL_FLAG));
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
// save the MIN POLICY length.
PRInt32 minRsa;
@@ -413,6 +419,7 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
#endif
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
}
class ReplaceDCSigScheme : public TlsHandshakeFilter {
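Review bot: The saved `keySizeFlags` is restored only by the final `ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags))`, so any earlier `ASSERT_*` failure in `DCWeakKey` leaves the test with the process-wide key-size policy still set to `NSS_KEY_SIZE_POLICY_SSL_FLAG`, and later tests in the same binary then run under the relaxed policy. A small scope guard declared right after the `NSS_OptionGet` call would restore the value on every exit path; the existing `minRsa` save and restore has the same gap. The test body continues outside these hunks.

```cpp
  PRInt32 keySizeFlags;
  // … unchanged: NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags) …
  // Restore the process-wide policy on every exit path, including a failed
  // ASSERT_* further down in the test.
  struct RestoreKeySizeFlags {
    PRInt32 saved;
    ~RestoreKeySizeFlags() {
      (void)NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, saved);
    }
  } restoreKeySizeFlags{keySizeFlags};
  // … unchanged: NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG) and test body …
```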


@@ -1139,12 +1139,21 @@ SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
/* some tokens don't export CKA_MODULUS on the private key,
* PK11_SignatureLen works around this if necessary */
bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
if (bitSize == -1) {
bitSize = 0;
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_MODULUS, NULL, &params);
if ((rv != SECSuccess) || (params.data == NULL)) {
/* some tokens don't export CKA_MODULUS on the private key,
* PK11_SignatureLen works around this if necessary. This
* method is less percise because it returns bytes instead
* of bits, so we only do it if we can't get the modulus */
bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
if (bitSize == -1) {
return 0;
}
return bitSize;
}
bitSize = SECKEY_BigIntegerBitLength(&params);
PORT_Free(params.data);
return bitSize;
case dsaKey:
case fortezzaKey:
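Review bot: In the new fallback branch, `bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;` multiplies before the `if (bitSize == -1)` test, so if the length lookup reports failure as -1, as the check implies, the product is `-PR_BITS_PER_BYTE` and the guard never fires. The function would then return that negative value, or its unsigned conversion, as the key strength, and callers using it for key-size checks would see a failed lookup as a very large key. Test the raw length first, e.g. `int sigLen = PK11_SignatureLen((SECKEYPrivateKey *)privk);` followed by `if (sigLen <= 0) return 0;` and `return sigLen * PR_BITS_PER_BYTE;`. The removed code had the same ordering, and the `switch` continues outside this hunk.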


@@ -12,62 +12,48 @@
*
* GCC, MSVC, and Clang implement a >> b as an arithmetic shift.
*
* GCC:
* https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Integers-implementation.html#Integers-implementation
* MSVC:
* https://docs.microsoft.com/en-us/cpp/cpp/left-shift-and-right-shift-operators-input-and-output?view=vs-2019#right-shifts
* GCC: https://gcc.gnu.org/onlinedocs/gcc-9.1.0/gcc/Integers-implementation.html#Integers-implementation
* MSVC: https://docs.microsoft.com/en-us/cpp/cpp/left-shift-and-right-shift-operators-input-and-output?view=vs-2019#right-shifts
* Clang: tested that Clang 7, 8 and 9 compile this to an arithmetic shift
*
* We implement arithmetic shift right simply as >> in these compilers
* and bail out in others.
*/
#if !(defined(_MSC_VER) || defined(__GNUC__) || \
(defined(__clang__) && (__clang_major__ >= 7)))
#if !(defined(_MSC_VER) || defined(__GNUC__) || (defined(__clang__) && (__clang_major__ >= 7)))
static inline int8_t
FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b)
{
do {
KRML_HOST_EPRINTF(
"Could not identify compiler so could not provide an implementation of "
"signed arithmetic shift right.\n");
KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n");
KRML_HOST_EXIT(255);
} while (0);
}
static inline int16_t
FStar_Int16_shift_arithmetic_right(int16_t a,
uint32_t b)
FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b)
{
do {
KRML_HOST_EPRINTF(
"Could not identify compiler so could not provide an implementation of "
"signed arithmetic shift right.\n");
KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n");
KRML_HOST_EXIT(255);
} while (0);
}
static inline int32_t
FStar_Int32_shift_arithmetic_right(int32_t a,
uint32_t b)
FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b)
{
do {
KRML_HOST_EPRINTF(
"Could not identify compiler so could not provide an implementation of "
"signed arithmetic shift right.\n");
KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n");
KRML_HOST_EXIT(255);
} while (0);
}
static inline int64_t
FStar_Int64_shift_arithmetic_right(int64_t a,
uint32_t b)
FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b)
{
do {
KRML_HOST_EPRINTF(
"Could not identify compiler so could not provide an implementation of "
"signed arithmetic shift right.\n");
KRML_HOST_EPRINTF("Could not identify compiler so could not provide an implementation of signed arithmetic shift right.\n");
KRML_HOST_EXIT(255);
} while (0);
}
@@ -81,22 +67,19 @@ FStar_Int8_shift_arithmetic_right(int8_t a, uint32_t b)
}
static inline int16_t
FStar_Int16_shift_arithmetic_right(int16_t a,
uint32_t b)
FStar_Int16_shift_arithmetic_right(int16_t a, uint32_t b)
{
return (a >> b);
}
static inline int32_t
FStar_Int32_shift_arithmetic_right(int32_t a,
uint32_t b)
FStar_Int32_shift_arithmetic_right(int32_t a, uint32_t b)
{
return (a >> b);
}
static inline int64_t
FStar_Int64_shift_arithmetic_right(int64_t a,
uint32_t b)
FStar_Int64_shift_arithmetic_right(int64_t a, uint32_t b)
{
return (a >> b);
}


@@ -17,15 +17,16 @@ typedef struct {
typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
krml_checked_int_t;
#define RETURN_OR(x) \
do { \
int64_t __ret = x; \
if (__ret < INT32_MIN || INT32_MAX < __ret) { \
KRML_HOST_PRINTF("Prims.{int,nat,pos} integer overflow at %s:%d\n", \
__FILE__, __LINE__); \
KRML_HOST_EXIT(252); \
} \
return (int32_t)__ret; \
#define RETURN_OR(x) \
do { \
int64_t __ret = x; \
if (__ret < INT32_MIN || INT32_MAX < __ret) { \
KRML_HOST_PRINTF( \
"Prims.{int,nat,pos} integer overflow at %s:%d\n", __FILE__, \
__LINE__); \
KRML_HOST_EXIT(252); \
} \
return (int32_t)__ret; \
} while (0)
#endif


@@ -5,9 +5,9 @@
#define KRML_TYPES_H
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
/* Types which are either abstract, meaning that have to be implemented in C, or
* which are models, meaning that they are swapped out at compile-time for
@@ -33,8 +33,7 @@ typedef FILE *FStar_IO_fd_read, *FStar_IO_fd_write;
typedef void *FStar_Dyn_dyn;
typedef const char *C_String_t, *C_String_t_, *C_Compat_String_t,
*C_Compat_String_t_;
typedef const char *C_String_t, *C_String_t_, *C_Compat_String_t, *C_Compat_String_t_;
typedef int exit_code;
typedef FILE *channel;
@@ -55,12 +54,15 @@ typedef const char *Prims_string;
/* This code makes a number of assumptions and should be refined. In particular,
* it assumes that: any non-MSVC amd64 compiler supports int128. Maybe it would
* be easier to just test for defined(__SIZEOF_INT128__) only? */
#if (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
(defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
defined(__s390x__) || \
(defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \
(defined(__mips__) && defined(__LP64__)) || \
(defined(__riscv) && __riscv_xlen == 64) || defined(__SIZEOF_INT128__))
#if (defined(__x86_64__) || \
defined(__x86_64) || \
defined(__aarch64__) || \
(defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
defined(__s390x__) || \
(defined(_MSC_VER) && defined(_M_X64) && defined(__clang__)) || \
(defined(__mips__) && defined(__LP64__)) || \
(defined(__riscv) && __riscv_xlen == 64) || \
defined(__SIZEOF_INT128__))
#define HAS_INT128 1
#endif


@@ -4,16 +4,15 @@
#ifndef __LOWSTAR_ENDIANNESS_H
#define __LOWSTAR_ENDIANNESS_H
#include <inttypes.h>
#include <string.h>
#include <inttypes.h>
/******************************************************************************/
/* Implementing C.fst (part 2: endian-ness macros) */
/******************************************************************************/
/* ... for Linux */
#if defined(__linux__) || defined(__CYGWIN__) || \
defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__)
#if defined(__linux__) || defined(__CYGWIN__) || defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__)
#include <endian.h>
/* ... for OSX */
@@ -97,10 +96,8 @@
#define le64toh(x) (x)
/* ... generic big-endian fallback code */
/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always
* big-endian */
#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \
defined(_AIX)
/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always big-endian */
#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || defined(_AIX)
/* byte swapping code inspired by:
* https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h


@@ -16,12 +16,13 @@
* argument "-bundle FStar.*"). You can then include the headers of your choice
* one by one, using -add-early-include. */
#include "krml/fstar_int.h"
#include "krml/internal/builtin.h"
#include "krml/internal/callconv.h"
#include "krml/internal/debug.h"
#include "krml/internal/target.h"
#include "krml/internal/callconv.h"
#include "krml/internal/builtin.h"
#include "krml/internal/debug.h"
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "krml/fstar_int.h"
#endif /* __KRMLLIB_H */


@@ -8,68 +8,61 @@
#include <inttypes.h>
#include <stdbool.h>
#include "krml/internal/compat.h"
#include "krml/internal/target.h"
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "krml/internal/types.h"
#include "krml/internal/target.h"
static inline FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_add_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_add_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_sub_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_sub_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_logand(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_logxor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_logor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_lognot(
FStar_UInt128_uint128 a);
static inline FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
static inline FStar_UInt128_uint128 FStar_UInt128_shift_left(
FStar_UInt128_uint128 a, uint32_t s);
static inline FStar_UInt128_uint128
FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
static inline FStar_UInt128_uint128 FStar_UInt128_shift_right(
FStar_UInt128_uint128 a, uint32_t s);
static inline FStar_UInt128_uint128
FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b);
static inline bool FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_eq_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_gte_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128
FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
static inline FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
@@ -77,8 +70,7 @@ static inline uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
static inline FStar_UInt128_uint128 FStar_UInt128_mul32(uint64_t x, uint32_t y);
static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x,
uint64_t y);
static inline FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
#define __FStar_UInt128_H_DEFINED
#endif


@@ -6,18 +6,16 @@
#ifndef __FStar_UInt128_Verified_H
#define __FStar_UInt128_Verified_H
#include "FStar_UInt_8_16_32_64.h"
#include <inttypes.h>
#include <stdbool.h>
#include "FStar_UInt_8_16_32_64.h"
#include "krml/internal/target.h"
#include "krml/internal/types.h"
#include "krml/internal/target.h"
static inline uint64_t
FStar_UInt128_constant_time_carry(uint64_t a,
uint64_t b)
FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
{
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> 63U;
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
}
static inline uint64_t
@@ -27,8 +25,7 @@ FStar_UInt128_carry(uint64_t a, uint64_t b)
}
static inline FStar_UInt128_uint128
FStar_UInt128_add(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low + b.low;
@@ -37,8 +34,7 @@ FStar_UInt128_add(FStar_UInt128_uint128 a,
}
static inline FStar_UInt128_uint128
FStar_UInt128_add_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low + b.low;
@@ -47,8 +43,7 @@ FStar_UInt128_add_underspec(
}
static inline FStar_UInt128_uint128
FStar_UInt128_add_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low + b.low;
@@ -57,8 +52,7 @@ FStar_UInt128_add_mod(
}
static inline FStar_UInt128_uint128
FStar_UInt128_sub(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low - b.low;
@@ -67,8 +61,7 @@ FStar_UInt128_sub(FStar_UInt128_uint128 a,
}
static inline FStar_UInt128_uint128
FStar_UInt128_sub_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low - b.low;
@@ -77,8 +70,7 @@ FStar_UInt128_sub_underspec(
}
static inline FStar_UInt128_uint128
FStar_UInt128_sub_mod_impl(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low - b.low;
@@ -87,15 +79,13 @@ FStar_UInt128_sub_mod_impl(
}
static inline FStar_UInt128_uint128
FStar_UInt128_sub_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return FStar_UInt128_sub_mod_impl(a, b);
}
static inline FStar_UInt128_uint128
FStar_UInt128_logand(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low & b.low;
@@ -104,8 +94,7 @@ FStar_UInt128_logand(
}
static inline FStar_UInt128_uint128
FStar_UInt128_logxor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low ^ b.low;
@@ -114,8 +103,7 @@ FStar_UInt128_logxor(
}
static inline FStar_UInt128_uint128
FStar_UInt128_logor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low | b.low;
@@ -124,8 +112,7 @@ FStar_UInt128_logor(
}
static inline FStar_UInt128_uint128
FStar_UInt128_lognot(
FStar_UInt128_uint128 a)
FStar_UInt128_lognot(FStar_UInt128_uint128 a)
{
FStar_UInt128_uint128 lit;
lit.low = ~a.low;
@@ -133,29 +120,24 @@ FStar_UInt128_lognot(
return lit;
}
static uint32_t FStar_UInt128_u32_64 = 64U;
static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
static inline uint64_t
FStar_UInt128_add_u64_shift_left(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
{
return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
}
static inline uint64_t
FStar_UInt128_add_u64_shift_left_respec(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_left(hi, lo, s);
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_left_small(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == 0U) {
if (s == (uint32_t)0U) {
return a;
} else {
FStar_UInt128_uint128 lit;
@@ -166,18 +148,16 @@ FStar_UInt128_shift_left_small(
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_left_large(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
{
FStar_UInt128_uint128 lit;
lit.low = 0ULL;
lit.low = (uint64_t)0U;
lit.high = a.low << (s - FStar_UInt128_u32_64);
return lit;
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_left(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
{
if (s < FStar_UInt128_u32_64) {
return FStar_UInt128_shift_left_small(a, s);
@@ -187,26 +167,21 @@ FStar_UInt128_shift_left(
}
static inline uint64_t
FStar_UInt128_add_u64_shift_right(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
{
return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
}
static inline uint64_t
FStar_UInt128_add_u64_shift_right_respec(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_right(hi, lo, s);
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_right_small(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == 0U) {
if (s == (uint32_t)0U) {
return a;
} else {
FStar_UInt128_uint128 lit;
@@ -217,18 +192,16 @@ FStar_UInt128_shift_right_small(
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_right_large(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
{
FStar_UInt128_uint128 lit;
lit.low = a.high >> (s - FStar_UInt128_u32_64);
lit.high = 0ULL;
lit.high = (uint64_t)0U;
return lit;
}
static inline FStar_UInt128_uint128
FStar_UInt128_shift_right(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
{
if (s < FStar_UInt128_u32_64) {
return FStar_UInt128_shift_right_small(a, s);
@@ -238,81 +211,66 @@ FStar_UInt128_shift_right(
}
static inline bool
FStar_UInt128_eq(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.low == b.low && a.high == b.high;
}
static inline bool
FStar_UInt128_gt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high > b.high || (a.high == b.high && a.low > b.low);
}
static inline bool
FStar_UInt128_lt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high < b.high || (a.high == b.high && a.low < b.low);
}
static inline bool
FStar_UInt128_gte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high > b.high || (a.high == b.high && a.low >= b.low);
}
static inline bool
FStar_UInt128_lte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high < b.high || (a.high == b.high && a.low <= b.low);
}
static inline FStar_UInt128_uint128
FStar_UInt128_eq_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
return lit;
}
static inline FStar_UInt128_uint128
FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low =
FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
(FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low));
lit.high =
FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
(FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low));
return lit;
}
static inline FStar_UInt128_uint128
FStar_UInt128_gte_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = (FStar_UInt64_gte_mask(a.high, b.high) &
~FStar_UInt64_eq_mask(a.high, b.high)) |
(FStar_UInt64_eq_mask(a.high, b.high) &
FStar_UInt64_gte_mask(a.low, b.low));
lit.high = (FStar_UInt64_gte_mask(a.high, b.high) &
~FStar_UInt64_eq_mask(a.high, b.high)) |
(FStar_UInt64_eq_mask(a.high, b.high) &
FStar_UInt64_gte_mask(a.low, b.low));
return lit;
}
static inline FStar_UInt128_uint128
FStar_UInt128_uint64_to_uint128(
uint64_t a)
FStar_UInt128_uint64_to_uint128(uint64_t a)
{
FStar_UInt128_uint128 lit;
lit.low = a;
lit.high = 0ULL;
lit.high = (uint64_t)0U;
return lit;
}
static inline uint64_t
FStar_UInt128_uint128_to_uint64(
FStar_UInt128_uint128 a)
FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
{
return a.low;
}
@@ -320,10 +278,10 @@ FStar_UInt128_uint128_to_uint64(
static inline uint64_t
FStar_UInt128_u64_mod_32(uint64_t a)
{
return a & 0xffffffffULL;
return a & (uint64_t)0xffffffffU;
}
static uint32_t FStar_UInt128_u32_32 = 32U;
static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
static inline uint64_t
FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
@@ -332,18 +290,14 @@ FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
}
static inline FStar_UInt128_uint128
FStar_UInt128_mul32(uint64_t x,
uint32_t y)
FStar_UInt128_mul32(uint64_t x, uint32_t y)
{
FStar_UInt128_uint128 lit;
lit.low = FStar_UInt128_u32_combine(
(x >> FStar_UInt128_u32_32) * (uint64_t)y +
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32),
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y));
lit.low =
FStar_UInt128_u32_combine((x >> FStar_UInt128_u32_32) * (uint64_t)y + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32),
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y));
lit.high =
((x >> FStar_UInt128_u32_32) * (uint64_t)y +
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) >>
FStar_UInt128_u32_32;
((x >> FStar_UInt128_u32_32) * (uint64_t)y + (FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32)) >> FStar_UInt128_u32_32;
return lit;
}
@@ -354,29 +308,19 @@ FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
}
static inline FStar_UInt128_uint128
FStar_UInt128_mul_wide(uint64_t x,
uint64_t y)
FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
{
FStar_UInt128_uint128 lit;
lit.low = FStar_UInt128_u32_combine_(
FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) +
FStar_UInt128_u64_mod_32(
(x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) +
(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >>
FStar_UInt128_u32_32)),
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) *
FStar_UInt128_u64_mod_32(y)));
lit.high = (x >> FStar_UInt128_u32_32) * (y >> FStar_UInt128_u32_32) +
(((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) +
(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >>
FStar_UInt128_u32_32)) >>
FStar_UInt128_u32_32) +
((FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) +
FStar_UInt128_u64_mod_32(
(x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) +
(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >>
FStar_UInt128_u32_32))) >>
FStar_UInt128_u32_32);
lit.low =
FStar_UInt128_u32_combine_(FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) +
FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)),
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y)));
lit.high =
(x >> FStar_UInt128_u32_32) * (y >> FStar_UInt128_u32_32) +
(((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32)) >> FStar_UInt128_u32_32) +
((FStar_UInt128_u64_mod_32(x) * (y >> FStar_UInt128_u32_32) +
FStar_UInt128_u64_mod_32((x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32))) >>
FStar_UInt128_u32_32);
return lit;
}


@@ -8,11 +8,10 @@
#include <inttypes.h>
#include <stdbool.h>
#include "krml/internal/compat.h"
#include "krml/internal/target.h"
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "krml/internal/types.h"
#include "krml/internal/target.h"
extern krml_checked_int_t FStar_UInt64_n;
@@ -36,10 +35,10 @@ static KRML_NOINLINE uint64_t
FStar_UInt64_eq_mask(uint64_t a, uint64_t b)
{
uint64_t x = a ^ b;
uint64_t minus_x = ~x + 1ULL;
uint64_t minus_x = ~x + (uint64_t)1U;
uint64_t x_or_minus_x = x | minus_x;
uint64_t xnx = x_or_minus_x >> 63U;
return xnx - 1ULL;
uint64_t xnx = x_or_minus_x >> (uint32_t)63U;
return xnx - (uint64_t)1U;
}
static KRML_NOINLINE uint64_t
@@ -52,8 +51,8 @@ FStar_UInt64_gte_mask(uint64_t a, uint64_t b)
uint64_t x_sub_y_xor_y = x_sub_y ^ y;
uint64_t q = x_xor_y | x_sub_y_xor_y;
uint64_t x_xor_q = x ^ q;
uint64_t x_xor_q_ = x_xor_q >> 63U;
return x_xor_q_ - 1ULL;
uint64_t x_xor_q_ = x_xor_q >> (uint32_t)63U;
return x_xor_q_ - (uint64_t)1U;
}
extern Prims_string FStar_UInt64_to_string(uint64_t uu___);
@@ -86,10 +85,10 @@ static KRML_NOINLINE uint32_t
FStar_UInt32_eq_mask(uint32_t a, uint32_t b)
{
uint32_t x = a ^ b;
uint32_t minus_x = ~x + 1U;
uint32_t minus_x = ~x + (uint32_t)1U;
uint32_t x_or_minus_x = x | minus_x;
uint32_t xnx = x_or_minus_x >> 31U;
return xnx - 1U;
uint32_t xnx = x_or_minus_x >> (uint32_t)31U;
return xnx - (uint32_t)1U;
}
static KRML_NOINLINE uint32_t
@@ -102,8 +101,8 @@ FStar_UInt32_gte_mask(uint32_t a, uint32_t b)
uint32_t x_sub_y_xor_y = x_sub_y ^ y;
uint32_t q = x_xor_y | x_sub_y_xor_y;
uint32_t x_xor_q = x ^ q;
uint32_t x_xor_q_ = x_xor_q >> 31U;
return x_xor_q_ - 1U;
uint32_t x_xor_q_ = x_xor_q >> (uint32_t)31U;
return x_xor_q_ - (uint32_t)1U;
}
extern Prims_string FStar_UInt32_to_string(uint32_t uu___);
@@ -135,11 +134,11 @@ extern uint32_t FStar_UInt16_n_minus_one;
static KRML_NOINLINE uint16_t
FStar_UInt16_eq_mask(uint16_t a, uint16_t b)
{
uint16_t x = (uint32_t)a ^ (uint32_t)b;
uint16_t minus_x = (uint32_t)~x + 1U;
uint16_t x_or_minus_x = (uint32_t)x | (uint32_t)minus_x;
uint16_t xnx = (uint32_t)x_or_minus_x >> 15U;
return (uint32_t)xnx - 1U;
uint16_t x = a ^ b;
uint16_t minus_x = ~x + (uint16_t)1U;
uint16_t x_or_minus_x = x | minus_x;
uint16_t xnx = x_or_minus_x >> (uint32_t)15U;
return xnx - (uint16_t)1U;
}
static KRML_NOINLINE uint16_t
@@ -147,13 +146,13 @@ FStar_UInt16_gte_mask(uint16_t a, uint16_t b)
{
uint16_t x = a;
uint16_t y = b;
uint16_t x_xor_y = (uint32_t)x ^ (uint32_t)y;
uint16_t x_sub_y = (uint32_t)x - (uint32_t)y;
uint16_t x_sub_y_xor_y = (uint32_t)x_sub_y ^ (uint32_t)y;
uint16_t q = (uint32_t)x_xor_y | (uint32_t)x_sub_y_xor_y;
uint16_t x_xor_q = (uint32_t)x ^ (uint32_t)q;
uint16_t x_xor_q_ = (uint32_t)x_xor_q >> 15U;
return (uint32_t)x_xor_q_ - 1U;
uint16_t x_xor_y = x ^ y;
uint16_t x_sub_y = x - y;
uint16_t x_sub_y_xor_y = x_sub_y ^ y;
uint16_t q = x_xor_y | x_sub_y_xor_y;
uint16_t x_xor_q = x ^ q;
uint16_t x_xor_q_ = x_xor_q >> (uint32_t)15U;
return x_xor_q_ - (uint16_t)1U;
}
extern Prims_string FStar_UInt16_to_string(uint16_t uu___);
@@ -185,11 +184,11 @@ extern uint32_t FStar_UInt8_n_minus_one;
static KRML_NOINLINE uint8_t
FStar_UInt8_eq_mask(uint8_t a, uint8_t b)
{
uint8_t x = (uint32_t)a ^ (uint32_t)b;
uint8_t minus_x = (uint32_t)~x + 1U;
uint8_t x_or_minus_x = (uint32_t)x | (uint32_t)minus_x;
uint8_t xnx = (uint32_t)x_or_minus_x >> 7U;
return (uint32_t)xnx - 1U;
uint8_t x = a ^ b;
uint8_t minus_x = ~x + (uint8_t)1U;
uint8_t x_or_minus_x = x | minus_x;
uint8_t xnx = x_or_minus_x >> (uint32_t)7U;
return xnx - (uint8_t)1U;
}
static KRML_NOINLINE uint8_t
@@ -197,13 +196,13 @@ FStar_UInt8_gte_mask(uint8_t a, uint8_t b)
{
uint8_t x = a;
uint8_t y = b;
uint8_t x_xor_y = (uint32_t)x ^ (uint32_t)y;
uint8_t x_sub_y = (uint32_t)x - (uint32_t)y;
uint8_t x_sub_y_xor_y = (uint32_t)x_sub_y ^ (uint32_t)y;
uint8_t q = (uint32_t)x_xor_y | (uint32_t)x_sub_y_xor_y;
uint8_t x_xor_q = (uint32_t)x ^ (uint32_t)q;
uint8_t x_xor_q_ = (uint32_t)x_xor_q >> 7U;
return (uint32_t)x_xor_q_ - 1U;
uint8_t x_xor_y = x ^ y;
uint8_t x_sub_y = x - y;
uint8_t x_sub_y_xor_y = x_sub_y ^ y;
uint8_t q = x_xor_y | x_sub_y_xor_y;
uint8_t x_xor_q = x ^ q;
uint8_t x_xor_q_ = x_xor_q >> (uint32_t)7U;
return x_xor_q_ - (uint8_t)1U;
}
extern Prims_string FStar_UInt8_to_string(uint8_t uu___);


@@ -8,11 +8,10 @@
#include <inttypes.h>
#include <stdbool.h>
#include "krml/internal/compat.h"
#include "krml/internal/target.h"
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "krml/internal/types.h"
#include "krml/internal/target.h"
static inline void store128_le(uint8_t *x0, FStar_UInt128_uint128 x1);


@@ -155,10 +155,10 @@ FStar_UInt128_eq_mask(uint128_t x, uint128_t y)
inline static uint128_t
FStar_UInt128_gte_mask(uint128_t x, uint128_t y)
{
uint64_t mask = (FStar_UInt64_gte_mask(x >> 64, y >> 64) &
~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) |
(FStar_UInt64_eq_mask(x >> 64, y >> 64) &
FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y));
uint64_t mask =
(FStar_UInt64_gte_mask(x >> 64, y >> 64) &
~(FStar_UInt64_eq_mask(x >> 64, y >> 64))) |
(FStar_UInt64_eq_mask(x >> 64, y >> 64) & FStar_UInt64_gte_mask((uint64_t)x, (uint64_t)y));
return ((uint128_t)mask) << 64 | mask;
}
@@ -169,8 +169,7 @@ FStar_UInt128___proj__Mkuint128__item__low(uint128_t x)
}
inline static uint64_t
FStar_UInt128___proj__Mkuint128__item__high(
uint128_t x)
FStar_UInt128___proj__Mkuint128__item__high(uint128_t x)
{
return (uint64_t)(x >> 64);
}


@@ -3,19 +3,17 @@
/* This file was generated by KaRaMeL <https://github.com/FStarLang/karamel>
* then hand-edited to use MSVC intrinsics KaRaMeL invocation:
* C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal
* -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir
* ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include
* "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims F*
* version: 15104ff8 KaRaMeL version: 318b7fa8
* C:\users\barrybo\mitls2c\karamel\_build\src\Karamel.native -minimal -fnouint128 C:/users/barrybo/mitls2c/FStar/ulib/FStar.UInt128.fst -tmpdir ../secure_api/out/runtime_switch/uint128 -skip-compilation -add-include "krmllib0.h" -drop FStar.Int.Cast.Full -bundle FStar.UInt128=FStar.*,Prims
* F* version: 15104ff8
* KaRaMeL version: 318b7fa8
*/
#ifndef FSTAR_UINT128_MSVC
#define FSTAR_UINT128_MSVC
#include "krml/internal/types.h"
#include "FStar_UInt128.h"
#include "FStar_UInt_8_16_32_64.h"
#include "krml/internal/types.h"
#ifndef _MSC_VER
#error This file only works with the MSVC compiler
@@ -34,8 +32,8 @@
// Define .low and .high in terms of the __m128i fields, to reduce
// the amount of churn in this file.
#if HAS_OPTIMIZED
#include <immintrin.h>
#include <intrin.h>
#include <immintrin.h>
#define low m128i_u64[0]
#define high m128i_u64[1]
#endif
@@ -83,8 +81,7 @@ store128_be(uint8_t *b, uint128_t n)
}
inline static uint64_t
FStar_UInt128_constant_time_carry(uint64_t a,
uint64_t b)
FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
{
return (a ^ (a ^ b | a - b ^ b)) >> (uint32_t)63U;
}
@@ -96,8 +93,7 @@ FStar_UInt128_carry(uint64_t a, uint64_t b)
}
inline static FStar_UInt128_uint128
FStar_UInt128_add(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
uint64_t l, h;
@@ -115,8 +111,7 @@ FStar_UInt128_add(FStar_UInt128_uint128 a,
}
inline static FStar_UInt128_uint128
FStar_UInt128_add_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_add_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return FStar_UInt128_add(a, b);
@@ -129,8 +124,7 @@ FStar_UInt128_add_underspec(
}
inline static FStar_UInt128_uint128
FStar_UInt128_add_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return FStar_UInt128_add(a, b);
@@ -143,8 +137,7 @@ FStar_UInt128_add_mod(
}
inline static FStar_UInt128_uint128
FStar_UInt128_sub(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
uint64_t l, h;
@@ -161,8 +154,7 @@ FStar_UInt128_sub(FStar_UInt128_uint128 a,
}
inline static FStar_UInt128_uint128
FStar_UInt128_sub_underspec(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_underspec(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return FStar_UInt128_sub(a, b);
@@ -175,8 +167,7 @@ FStar_UInt128_sub_underspec(
}
inline static FStar_UInt128_uint128
FStar_UInt128_sub_mod_impl(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
FStar_UInt128_uint128 lit;
lit.low = a.low - b.low;
@@ -185,8 +176,7 @@ FStar_UInt128_sub_mod_impl(
}
inline static FStar_UInt128_uint128
FStar_UInt128_sub_mod(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return FStar_UInt128_sub(a, b);
@@ -196,8 +186,7 @@ FStar_UInt128_sub_mod(
}
inline static FStar_UInt128_uint128
FStar_UInt128_logand(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return _mm_and_si128(a, b);
@@ -210,8 +199,7 @@ FStar_UInt128_logand(
}
inline static FStar_UInt128_uint128
FStar_UInt128_logxor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return _mm_xor_si128(a, b);
@@ -224,8 +212,7 @@ FStar_UInt128_logxor(
}
inline static FStar_UInt128_uint128
FStar_UInt128_logor(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
return _mm_or_si128(a, b);
@@ -238,8 +225,7 @@ FStar_UInt128_logor(
}
inline static FStar_UInt128_uint128
FStar_UInt128_lognot(
FStar_UInt128_uint128 a)
FStar_UInt128_lognot(FStar_UInt128_uint128 a)
{
#if HAS_OPTIMIZED
return _mm_andnot_si128(a, a);
@@ -254,24 +240,19 @@ FStar_UInt128_lognot(
static const uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
inline static uint64_t
FStar_UInt128_add_u64_shift_left(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
{
return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
return (hi << s) + (lo >> FStar_UInt128_u32_64 - s);
}
inline static uint64_t
FStar_UInt128_add_u64_shift_left_respec(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_left(hi, lo, s);
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_left_small(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == (uint32_t)0U)
return a;
@@ -284,18 +265,16 @@ FStar_UInt128_shift_left_small(
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_left_large(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
{
FStar_UInt128_uint128 lit;
lit.low = (uint64_t)0U;
lit.high = a.low << (s - FStar_UInt128_u32_64);
lit.high = a.low << s - FStar_UInt128_u32_64;
return lit;
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_left(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
{
#if HAS_OPTIMIZED
if (s == 0) {
@@ -316,24 +295,19 @@ FStar_UInt128_shift_left(
}
inline static uint64_t
FStar_UInt128_add_u64_shift_right(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
{
return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
return (lo >> s) + (hi << FStar_UInt128_u32_64 - s);
}
inline static uint64_t
FStar_UInt128_add_u64_shift_right_respec(uint64_t hi,
uint64_t lo,
uint32_t s)
FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
{
return FStar_UInt128_add_u64_shift_right(hi, lo, s);
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_right_small(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
{
if (s == (uint32_t)0U)
return a;
@@ -346,18 +320,16 @@ FStar_UInt128_shift_right_small(
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_right_large(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
{
FStar_UInt128_uint128 lit;
lit.low = a.high >> (s - FStar_UInt128_u32_64);
lit.low = a.high >> s - FStar_UInt128_u32_64;
lit.high = (uint64_t)0U;
return lit;
}
inline static FStar_UInt128_uint128
FStar_UInt128_shift_right(
FStar_UInt128_uint128 a, uint32_t s)
FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
{
#if HAS_OPTIMIZED
if (s == 0) {
@@ -378,43 +350,37 @@ FStar_UInt128_shift_right(
}
inline static bool
FStar_UInt128_eq(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_eq(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.low == b.low && a.high == b.high;
}
inline static bool
FStar_UInt128_gt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_gt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high > b.high || a.high == b.high && a.low > b.low;
}
inline static bool
FStar_UInt128_lt(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_lt(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high < b.high || a.high == b.high && a.low < b.low;
}
inline static bool
FStar_UInt128_gte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_gte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high > b.high || a.high == b.high && a.low >= b.low;
}
inline static bool
FStar_UInt128_lte(FStar_UInt128_uint128 a,
FStar_UInt128_uint128 b)
FStar_UInt128_lte(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
return a.high < b.high || a.high == b.high && a.low <= b.low;
}
inline static FStar_UInt128_uint128
FStar_UInt128_eq_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED
// PCMPW to produce 4 32-bit values, all either 0x0 or 0xffffffff
@@ -430,17 +396,14 @@ FStar_UInt128_eq_mask(
return _mm_and_si128(ret64, s64);
#else
FStar_UInt128_uint128 lit;
lit.low =
FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
lit.high =
FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
lit.low = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
lit.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high);
return lit;
#endif
}
inline static FStar_UInt128_uint128
FStar_UInt128_gte_mask(
FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
{
#if HAS_OPTIMIZED && 0
// ge - compare 3,2,1,0 for >= and generating 0 or 0xffffffff for each
@@ -462,15 +425,15 @@ FStar_UInt128_gte_mask(
_mm_and_si128(eq0, _mm_and_si128(eq1, ge2)); // t2 = (eq0 & eq1 & ge2)
ret = _mm_or_si128(ret, t2);
__m128i eq2 = _mm_srli_si128(eq1, 4); // shift eq from 3,2,1,0 to 0x0,00,00,3
__m128i ge3 = _mm_srli_si128(
ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3
__m128i ge3 =
_mm_srli_si128(ge2, 4); // shift original ge from 3,2,1,0 to 0x0,0x0,0x0,3
__m128i t3 = _mm_and_si128(
eq0, _mm_and_si128(
eq1, _mm_and_si128(eq2, ge3))); // t3 = (eq0 & eq1 & eq2 & ge3)
ret = _mm_or_si128(ret, t3);
return _mm_shuffle_epi32(
ret, _MM_SHUFFLE(0, 0, 0,
0)); // the result is in 0. Shuffle into all dwords.
ret,
_MM_SHUFFLE(0, 0, 0, 0)); // the result is in 0. Shuffle into all dwords.
#else
FStar_UInt128_uint128 lit;
lit.low = FStar_UInt64_gte_mask(a.high, b.high) &
@@ -486,8 +449,7 @@ FStar_UInt128_gte_mask(
}
inline static FStar_UInt128_uint128
FStar_UInt128_uint64_to_uint128(
uint64_t a)
FStar_UInt128_uint64_to_uint128(uint64_t a)
{
#if HAS_OPTIMIZED
return _mm_set_epi64x(0, a);
@@ -500,8 +462,7 @@ FStar_UInt128_uint64_to_uint128(
}
inline static uint64_t
FStar_UInt128_uint128_to_uint64(
FStar_UInt128_uint128 a)
FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
{
return a.low;
}
@@ -521,8 +482,7 @@ FStar_UInt128_u32_combine(uint64_t hi, uint64_t lo)
}
inline static FStar_UInt128_uint128
FStar_UInt128_mul32(uint64_t x,
uint32_t y)
FStar_UInt128_mul32(uint64_t x, uint32_t y)
{
#if HAS_OPTIMIZED
uint64_t l, h;
@@ -532,12 +492,13 @@ FStar_UInt128_mul32(uint64_t x,
FStar_UInt128_uint128 lit;
lit.low = FStar_UInt128_u32_combine(
(x >> FStar_UInt128_u32_32) * (uint64_t)y +
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32),
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >>
FStar_UInt128_u32_32),
FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) * (uint64_t)y));
lit.high =
(x >> FStar_UInt128_u32_32) * (uint64_t)y +
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >> FStar_UInt128_u32_32) >>
FStar_UInt128_u32_32;
lit.high = (x >> FStar_UInt128_u32_32) * (uint64_t)y +
(FStar_UInt128_u64_mod_32(x) * (uint64_t)y >>
FStar_UInt128_u32_32) >>
FStar_UInt128_u32_32;
return lit;
#endif
}
@@ -558,8 +519,8 @@ FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
{
K_quad tmp;
tmp.fst = FStar_UInt128_u64_mod_32(x);
tmp.snd = FStar_UInt128_u64_mod_32(FStar_UInt128_u64_mod_32(x) *
FStar_UInt128_u64_mod_32(y));
tmp.snd = FStar_UInt128_u64_mod_32(
FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y));
tmp.thd = x >> FStar_UInt128_u32_32;
tmp.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) +
(FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >>
@@ -574,10 +535,10 @@ FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
}
inline static FStar_UInt128_uint128
FStar_UInt128_mul_wide_impl(uint64_t x,
uint64_t y)
FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
{
K_quad scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
K_quad scrut =
FStar_UInt128_mul_wide_impl_t_(x, y);
uint64_t u1 = scrut.fst;
uint64_t w3 = scrut.snd;
uint64_t x_ = scrut.thd;
@@ -587,14 +548,13 @@ FStar_UInt128_mul_wide_impl(uint64_t x,
u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_), w3);
lit.high =
x_ * (y >> FStar_UInt128_u32_32) + (t_ >> FStar_UInt128_u32_32) +
((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >>
(u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_) >>
FStar_UInt128_u32_32);
return lit;
}
inline static FStar_UInt128_uint128
FStar_UInt128_mul_wide(uint64_t x,
uint64_t y)
FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
{
#if HAS_OPTIMIZED
uint64_t l, h;


@@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.108" _NSS_CUSTOMIZED
#define NSS_VERSION "3.109" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 108
#define NSS_VMINOR 109
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED


@@ -555,6 +555,7 @@ PK11_SignatureLen(SECKEYPrivateKey *key)
switch (key->keyType) {
case rsaKey:
case rsaPssKey:
val = PK11_GetPrivateModulusLen(key);
if (val == -1) {
return pk11_backupGetSignLength(key);
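Review bot: The `case rsaPssKey:` label that now shares the `rsaKey` branch has no comment explaining why both key types can use the same length computation, and callers such as the ssl3_SignHashesWithPrivKey hunk on this page size their output buffer from this return value. I would add `/* an RSA-PSS signature is as long as the modulus, same as PKCS #1 v1.5 */` above `val = PK11_GetPrivateModulusLen(key);`. Which line is new is inferred from the hunk header (one line added), because the page has lost the +/- column. The rest of PK11_SignatureLen is outside the hunk, so the earlier result for `rsaPssKey` cannot be checked from here.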


@@ -3486,12 +3486,13 @@ nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
return crv;
}
rv = RNG_RNGInit(); /* initialize random number generator */
rv = BL_Init(); /* initialize freebl engine */
if (rv != SECSuccess) {
crv = CKR_DEVICE_ERROR;
return crv;
}
rv = BL_Init(); /* initialize freebl engine */
rv = RNG_RNGInit(); /* initialize random number generator */
if (rv != SECSuccess) {
crv = CKR_DEVICE_ERROR;
return crv;
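Review bot: The swap that puts `BL_Init()` ahead of `RNG_RNGInit()` creates an ordering dependency that no comment records, so a later cleanup could move the calls back without noticing. I would add a line above the first call such as `/* freebl must be initialized before the RNG; do not reorder */`, with the actual reason filled in by the author, since the hunk does not show it. Separately, when `RNG_RNGInit()` fails the function now returns `CKR_DEVICE_ERROR` after `BL_Init()` has already succeeded; whether anything from `BL_Init()` must be undone on that path is not visible here and is worth confirming. Old and new sides are inferred from the print order of the page, and nsc_CommonInitialize continues outside the hunk.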


@@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.108" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.109" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 108
#define SOFTOKEN_VMINOR 109
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */

View File

@@ -1282,6 +1282,7 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *hash, SECKEYPrivateKey *key,
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
int signatureLen = PK11_SignatureLen(key);
PRInt32 optval;
SECItem *params = NULL;
CK_RSA_PKCS_PSS_PARAMS pssParams;
@@ -1293,6 +1294,17 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *hash, SECKEYPrivateKey *key,
PORT_SetError(SEC_ERROR_INVALID_KEY);
goto done;
}
/* since we are calling PK11_SignWithMechanism directly, we need to check the
* key policy ourselves (which is already checked in SGN_Digest */
rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
if ((rv == SECSuccess) &&
((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
if (rv != SECSuccess) {
goto done; /* error code already set */
}
}
buf->len = (unsigned)signatureLen;
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
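Review bot: The new policy check fails open: when `NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval)` does not return `SECSuccess`, the `SECKEY_EnforceKeySize` call is skipped and the code goes on to allocate the buffer and sign. If that call cannot fail for this option, say so in the comment; otherwise treat the failure as an error with `if (rv != SECSuccess) { goto done; }` before testing `NSS_KEY_SIZE_POLICY_SIGN_FLAG`. The comment above the check is also missing its closing parenthesis after `SGN_Digest`. The function begins and ends outside these hunks, so what `done:` does with `rv` is not visible here.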


@@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.108"
#define NSSUTIL_VERSION "3.109 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 108
#define NSSUTIL_VMINOR 109
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS


@@ -0,0 +1,60 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
---
trust-domain: nss
task-priority: lowest
workers:
aliases:
images:
provisioner: 'nss-{level}'
implementation: docker-worker
os: linux
worker-type: linux-gcp
b-linux:
provisioner: 'nss-{level}'
implementation: docker-worker
os: linux
worker-type: linux-gcp
b-win2022:
provisioner: 'nss-{level}'
implementation: generic-worker
os: windows
worker-type: b-win2022
b-osx:
provisioner: releng-hardware
implementation: generic-worker
os: macosx
worker-type: 'nss-{level}-b-osx-1015'
t-linux:
provisioner: nss-t
implementation: docker-worker
os: linux
worker-type: t-linux-xlarge-gcp
taskgraph:
repositories:
nss:
name: NSS
project-regex: nss
nspr:
name: NSPR
project-regex: nspr
default-repository: https://hg.mozilla.org/projects/nspr
default-ref: default
type: hg
decision-parameters: 'nss_taskgraph:decision_parameters'
register: 'nss_taskgraph:register'
treeherder:
group-names:
I: Docker image builds
Builds: Builds with alternative compilers
Cipher: Cipher tests
DBM: Legacy (DBM) database
FIPS: FIPS
SSL: SSL tests
TLS: TLS fuzzing
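Review bot: The `t-linux` alias uses the fixed provisioner `nss-t`, while `images`, `b-linux` and `b-win2022` use `nss-{level}`, so test tasks from every SCM level appear to land on one shared pool. That is a common Taskcluster layout, but the file does not say it is intentional. I would add a comment above `t-linux`, e.g. `# test workers are shared across levels; tasks here must not receive level-scoped secrets`.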


@@ -2,6 +2,10 @@
FROM rust:1.74
LABEL maintainer="iaroslav.gridin@tuni.fi"
VOLUME /builds/worker/checkouts
# %include-run-task
# for new clang/llvm
RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/sid.list \
&& apt-get update \
@@ -27,7 +31,7 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV HOME /builds/$USER
ENV HOSTNAME taskcluster-worker
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
@@ -40,10 +44,10 @@ RUN locale-gen $LANG \
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
RUN chown -R $USER: $HOME
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -9,6 +9,15 @@ export NSS_PATH=$PWD NSS_SOURCES_PATH=$PWD/nss
export LD_LIBRARY_PATH=$PWD/dist/Debug/lib/
export RUST_LOG=warn
export RUSTFLAGS="-C instrument-coverage"
cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" .
if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then
cd nspr
patch -p1 < ../nss/nspr.patch
cd ..
fi
cd nss
CC=clang-15 CXX=clang++-15 ./build.sh -g -v --sourcecov --static --disable-tests
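Review bot: The added `cp -a "${VCS_PATH}/nss" "${VCS_PATH}/nspr" .` expands to `/nss` and `/nspr` when `VCS_PATH` is unset, and the `cd nspr` / `patch` / `cd ..` sequence keeps going in the wrong directory if a step fails, unless the script sets `-e`/`-u` above the hunk (not visible here). Using `"${VCS_PATH:?}/nss"` makes the missing variable a hard error, and a subshell `(cd nspr && patch -p1 < ../nss/nspr.patch)` keeps the working directory intact on failure. A short comment on what sets `ALLOW_NSPR_PATCH` would also help, since it decides whether a patch file from the checkout is applied to NSPR before the build.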


@@ -1,11 +1,18 @@
# Lean image for running the bulk of the NSS CI tests on taskcluster.
FROM ubuntu:bionic-20221215
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
FROM ubuntu:focal
VOLUME /builds/worker/checkouts
VOLUME /builds/worker/.cache
VOLUME /builds/worker/workspace
# %include-run-task
ENV DEBIAN_FRONTEND noninteractive
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
python3 \
ca-certificates \
clang \
curl \
@@ -28,23 +35,20 @@ RUN apt-get update \
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV HOME /builds/worker
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
&& dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
RUN useradd -d $HOME -s $SHELL -m $USER && \
mkdir -p /builds/worker/workspace && \
mkdir -p /builds/worker/artifacts && \
chown -R $USER /builds/worker
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
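Review bot: The base image at the top of this file moves from the dated tag `ubuntu:bionic-20221215` to what looks like the floating tag `ubuntu:focal`, so two builds of the same revision can pick up different base layers. The other images on this page keep dated tags (`debian:bookworm-20240904-slim`, `ubuntu:noble-20240605`); I would do the same here with `FROM ubuntu:focal-<DATE>` or a digest, `FROM ubuntu:focal@sha256:<DIGEST>`. Images that use `FROM $DOCKER_IMAGE_PARENT` presumably build on this one, so the pin would cover them as well.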


@@ -2,40 +2,26 @@
# default image, so it's a fair bit bigger. Only use this for builds where
# the smaller docker image is missing something. These builds will run on
# the leaner configuration.
FROM ubuntu:bionic-20221215
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
FROM $DOCKER_IMAGE_PARENT
RUN dpkg --add-architecture i386
VOLUME /builds/worker/checkouts
VOLUME /builds/worker/workspace
VOLUME /builds/worker/.cache
ADD bionic.list /etc/apt/sources.list.d/bionic.list
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
ca-certificates \
clang-4.0 \
clang-10 \
clang \
cmake \
curl \
g++-4.8-multilib \
g++-5-multilib \
g++-multilib \
git \
gyp \
libelf-dev \
libdw-dev \
libssl-dev \
libssl-dev:i386 \
libxml2-utils \
lib32z1-dev \
linux-libc-dev:i386 \
llvm-dev \
locales \
mercurial \
ninja-build \
pkg-config \
valgrind \
zlib1g-dev \
clang-format-10 \
sqlite3 \
libabigail-dev \
abigail-tools \
software-properties-common \
@@ -50,27 +36,6 @@ RUN apt-get update \
RUN update-alternatives --install /usr/bin/clang-format \
clang-format $(which clang-format-10) 10
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
# Install golang for bogo tests
RUN curl https://dl.google.com/go/go1.23.1.linux-amd64.tar.gz -sLf | tar xzf - -C $HOME
ENV PATH "$PATH:$HOME/go/bin"
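Review bot: The Go toolchain on the `RUN curl https://dl.google.com/go/go1.23.1.linux-amd64.tar.gz -sLf | tar xzf - -C $HOME` line is unpacked straight from the network with no integrity check, and with the `USER $USER` line apparently gone from this file the step may now run as root. The line is context rather than part of the change, but the image is being reworked anyway. Download to a file, verify, then extract: `curl -sLf -o /tmp/go.tgz <URL> && echo "<GO_TARBALL_SHA256>  /tmp/go.tgz" | sha256sum -c - && tar xzf /tmp/go.tgz -C $HOME`.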


@@ -0,0 +1,5 @@
deb http://archive.ubuntu.com/ubuntu/ bionic main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ bionic-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
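Review bot: These entries enable every component of bionic, including `bionic-backports`, on an image whose parent appears to be focal, with no apt preference limiting what may be taken from the older release. Only a few legacy compilers seem to be needed from it (`clang-4.0`, `g++-4.8-multilib`, `g++-5-multilib` in the Dockerfile that adds this list). I would ship an apt preferences file next to it that gives `release n=bionic` a low `Pin-Priority` and raises it only for those packages, and add a comment here naming them. The gcc-4.4 image later on this page does the same with trusty through `sed -e 's/focal/trusty/'` and would benefit from the same pin.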


@@ -2,6 +2,10 @@
FROM debian:bookworm-20240904-slim
LABEL maintainer="John Schanck <jschanck@mozilla.com>"
VOLUME /builds/worker/checkouts
# %include-run-task
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ca-certificates \
@@ -29,10 +33,7 @@ RUN locale-gen $LANG \
RUN useradd -d $HOME -s $SHELL -m $USER
WORKDIR $HOME
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
USER $USER
RUN chown -R $USER: $HOME
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]
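Review bot: With `USER $USER` apparently dropped in this hunk, the image's default user becomes root, and nothing in the file says why. Presumably the script pulled in by `# %include-run-task` starts as root and switches to `worker` itself; if so, a comment such as `# no USER line: run-task starts as root and drops to worker` above `CMD` would keep someone from re-adding the line or from running the image directly as root by accident. The Ubuntu focal and noble Dockerfiles on this page appear to drop `USER $USER` in the same way and could carry the same comment.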


@@ -7,6 +7,13 @@
FROM ubuntu:noble-20240605
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
VOLUME /builds/worker/checkouts
VOLUME /builds/worker/workspace
VOLUME /builds/worker/.cache
# %include-run-task
ENV DEBIAN_FRONTEND noninteractive
RUN dpkg --add-architecture i386
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
@@ -44,27 +51,21 @@ RUN apt-get update \
ENV SHELL /bin/bash
ENV USER worker
ENV LOGNAME $USER
ENV HOME /home/$USER
ENV HOME /builds/worker
ENV LANG en_US.UTF-8
ENV LC_ALL $LANG
ENV HOST localhost
ENV DOMSUF localdomain
# Bug 1904395
ENV NSS_DISABLE_NSPR_TESTS 1
RUN locale-gen $LANG \
&& DEBIAN_FRONTEND=noninteractive dpkg-reconfigure locales
&& dpkg-reconfigure locales
RUN useradd -d $HOME -s $SHELL -m $USER
RUN userdel ubuntu && \
useradd -d $HOME -s $SHELL -m $USER && \
mkdir -p /builds/worker/workspace && \
mkdir -p /builds/worker/artifacts && \
chown -R $USER: /builds/worker
WORKDIR $HOME
# Add build and test scripts.
ADD bin $HOME/bin
RUN chmod +x $HOME/bin/*
# Change user.
USER $USER
# Set a default command for debugging.
CMD ["/bin/bash", "--login"]


@@ -0,0 +1,13 @@
FROM $DOCKER_IMAGE_PARENT
LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>"
VOLUME /builds/worker/checkouts
VOLUME /builds/worker/.cache
RUN sed -e 's/focal/trusty/' /etc/apt/sources.list > /etc/apt/sources.list.d/trusty.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
g++-4.4 \
gcc-4.4 \
&& rm -rf /var/lib/apt/lists/* \
&& apt-get autoremove -y && apt-get clean -y


@@ -0,0 +1,30 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
loader: taskgraph.loader.transform:loader
transforms:
- nss_taskgraph.transforms.build
- nss_taskgraph.transforms.platforms
- taskgraph.transforms.run
- taskgraph.transforms.task
tasks-from:
- linux.yml
- windows.yml
- macosx.yml
task-defaults:
run:
using: run-task
checkout:
nss:
path: nss
nspr:
path: nspr
worker:
max-run-time: 3600
treeherder:
kind: build


@@ -0,0 +1,66 @@
task-defaults:
run:
cwd: /builds/worker/workspace
worker-type: b-linux
worker:
artifacts:
- type: directory
path: /builds/worker/artifacts
name: public
linux32/opt:
description: "Linux 32 (opt)"
linux32/debug:
description: "Linux 32 (debug)"
linux32/debug-make:
description: "Linux 32 (debug, make)"
attributes:
make: true
linux32/debug-fuzz:
description: "Linux 32 (debug, fuzz)"
attributes:
fuzz: true
certs: false
linux64/opt:
description: "Linux 64 (opt)"
linux64-asan/debug:
description: "Linux 64 (ASan, debug)"
worker:
env:
UBSAN_OPTIONS: "print_stacktrace=1"
NSS_DISABLE_ARENA_FREE_LIST: "1"
NSS_DISABLE_UNLOAD: "1"
CC: "clang"
CCC: "clang++"
allow-ptrace: true
attributes:
asan: true
linux64/debug:
description: "Linux 64 (debug)"
linux64/debug-make:
description: "Linux 64 (debug, make)"
attributes:
make: true
linux64/opt-make:
description: "Linux 64 (opt, make)"
attributes:
make: true
linux64/opt-fips:
description: "Linux 64 (FIPS opt)"
linux64/debug-fuzz:
description: "Linux 64 (debug, fuzz)"
attributes:
fuzz: true
certs: false
worker:
allow-ptrace: true
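Review bot: `allow-ptrace: true` is set on `linux64-asan/debug` and `linux64/debug-fuzz` without a comment, and it relaxes a restriction the worker otherwise applies to task containers. I would note the reason next to each, e.g. `# LeakSanitizer needs ptrace`, assuming that is why it is here, so the setting is not copied to other tasks without thought. `linux32/debug-fuzz` carries the same `fuzz: true` attribute but no `allow-ptrace`; worth confirming that difference is intended.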


@@ -0,0 +1,17 @@
task-defaults:
worker-type: b-osx
worker:
artifacts:
- type: directory
path: public
macosx64/opt:
description: "Mac (opt)"
macosx64/opt-static:
description: "Mac Static (opt)"
attributes:
static: true
macosx64/debug:
description: "Mac (debug)"
