Bug 1345368 - land NSS 6fafb8fd9ff4, r=me

--HG--
extra : rebase_source : 947524eb4e61414a5809df3453946b32882fdf17
Franziskus Kiefer 2017-03-08 08:40:46 +01:00
parent 990418f338
commit aa22632bd1
19 changed files with 62618 additions and 66 deletions


@ -1 +1 @@
dec8c06d7ed9
6fafb8fd9ff4


@ -19,43 +19,7 @@ source "$cwd"/coreconf/sanitizers.sh
# Usage info
show_help()
{
cat << EOF
Usage: ${0##*/} [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
[--test] [--pprof] [--scan-build[=output]] [--ct-verif]
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
[--disable-tests] [--fuzz[=tls|oss]]
This script builds NSS with gyp and ninja.
This build system is still under development. It does not yet support all
the features or platforms that NSS supports.
NSS build tool options:
-h display this help and exit
-c clean before build
-v verbose build
-j <n> run at most <n> concurrent jobs
--nspr force a rebuild of NSPR
--gyp|-g force a rerun of gyp
--opt|-o do an opt build
-m32 do a 32-bit build on a 64-bit system
--test ignore map files and export everything we have
--fuzz build fuzzing targets (this always enables test builds)
--fuzz=tls to enable TLS fuzzing mode
--fuzz=oss to build for OSS-Fuzz
--pprof build with gperftool support
--ct-verif build with valgrind for ct-verif
--scan-build run the build with scan-build (scan-build has to be in the path)
--scan-build=/out/path sets the output path for scan-build
--asan do an asan build
--ubsan do an ubsan build
--ubsan=bool,shift,... sets specific UB sanitizers
--msan do an msan build
--sancov do sanitize coverage builds
--sancov=func sets coverage to function level for example
--disable-tests don't build tests and corresponding cmdline utils
EOF
cat "$cwd"/help.txt
}
run_verbose()
@ -84,6 +48,7 @@ verbose=0
fuzz=0
fuzz_tls=0
fuzz_oss=0
no_local_nspr=0
gyp_params=(--depth="$cwd" --generator-output=".")
nspr_params=()
@ -121,6 +86,9 @@ while [ $# -gt 0 ]; do
--ct-verif) gyp_params+=(-Dct_verif=1) ;;
--disable-tests) gyp_params+=(-Ddisable_tests=1) ;;
--no-zdefs) gyp_params+=(-Dno_zdefs=1) ;;
--system-sqlite) gyp_params+=(-Duse_system_sqlite=1) ;;
--with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
--system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
*) show_help; exit 2 ;;
esac
shift
@ -207,7 +175,7 @@ fi
mkdir -p "$dist_dir"
echo $target > "$dist_dir"/latest
if [ "$rebuild_nspr" = 1 ]; then
if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then
nspr_build "${nspr_params[@]}"
mv -f "$nspr_config".new "$nspr_config"
fi
@ -216,8 +184,9 @@ if [ "$rebuild_gyp" = 1 ]; then
# These extra arguments aren't used in determining whether to rebuild.
obj_dir="$dist_dir"/$target
gyp_params+=(-Dnss_dist_obj_dir=$obj_dir)
gyp_params+=(-Dnspr_lib_dir=$obj_dir/lib)
gyp_params+=(-Dnspr_include_dir=$obj_dir/include/nspr)
if [ "$no_local_nspr" = 0 ]; then
set_nspr_path "$obj_dir/include/nspr:$obj_dir/lib"
fi
run_verbose run_scanbuild gyp -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp
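Review bot: `show_help` now prints the usage text with `cat "$cwd"/help.txt`, but the first line of help.txt still reads `Usage: ${0##*/} [-hcv] ...`; the removed here-document expanded that expression, whereas `cat` prints it literally. Either put the script name into help.txt, or keep a one-line `echo "Usage: ${0##*/} ..."` in `show_help` and start the file at the option list. Separately, in the option loop `--system-nspr` passes `"/usr/include/nspr/:"`, so the library half is empty and gyp receives `-Dnspr_lib_dir=` with no value; if the linker's default search path is what is intended, a comment next to that case should say so.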


@ -494,7 +494,7 @@ static char *disableReasonStr[] = {
"could not verify token",
"token not present"
};
static int numDisableReasonStr =
static size_t numDisableReasonStr =
sizeof(disableReasonStr) / sizeof(disableReasonStr[0]);
/***********************************************************************
@ -513,7 +513,7 @@ ListModule(char *moduleName)
CK_SLOT_INFO slotinfo;
CK_TOKEN_INFO tokeninfo;
char *ciphers, *mechanisms;
PK11DisableReasons reason;
size_t reasonIdx;
Error rv = SUCCESS;
if (!moduleName) {
@ -604,10 +604,10 @@ ListModule(char *moduleName)
PR_fprintf(PR_STDOUT, PAD "Firmware Version: %d.%d\n",
slotinfo.firmwareVersion.major, slotinfo.firmwareVersion.minor);
if (PK11_IsDisabled(slot)) {
reason = PK11_GetDisabledReason(slot);
if (reason < numDisableReasonStr) {
reasonIdx = PK11_GetDisabledReason(slot);
if (reasonIdx < numDisableReasonStr) {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED (%s)\n",
disableReasonStr[reason]);
disableReasonStr[reasonIdx]);
} else {
PR_fprintf(PR_STDOUT, PAD "Status: DISABLED\n");
}
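Review bot: The switch from `PK11DisableReasons reason` to `size_t reasonIdx` in ListModule relies on an implicit conversion at `reasonIdx = PK11_GetDisabledReason(slot);`, and nothing in the hunk records why the type changed. A one-line comment above the assignment, such as `/* size_t: a negative or out-of-range reason becomes a large index and fails the bounds check below */`, would make it clear that the unsigned type is what keeps `disableReasonStr[reasonIdx]` in bounds. ListModule's body starts and ends outside these hunks.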


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@ -49,3 +49,11 @@ nspr_clean()
{
rm -rf "$cwd"/../nspr/$target
}
set_nspr_path()
{
local include=$(echo "$1" | cut -d: -f1)
local lib=$(echo "$1" | cut -d: -f2)
gyp_params+=(-Dnspr_include_dir="$include")
gyp_params+=(-Dnspr_lib_dir="$lib")
}
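Review bot: `set_nspr_path` does not validate its argument, and `cut -d: -f2` prints the whole line when the input contains no `:`, so `--with-nspr=/some/dir` (accepted by the `--with-nspr=?*` case in build.sh) sets both `nspr_include_dir` and `nspr_lib_dir` to the same directory while the local NSPR build has already been switched off. Because this value decides which NSPR headers and libraries the NSS build is compiled and linked against, the function should reject input that is not in `<include>:<lib>` form and stop with a message instead of continuing. Parameter expansion also avoids the two `echo | cut` subshells. Checking that the include directory exists for the externally supplied value would be a reasonable addition at the `--with-nspr` call site.

```shell
set_nspr_path()
{
    case "$1" in
        *:*) ;;
        *) echo "expected <include dir>:<lib dir>, got '$1'" >&2; exit 2 ;;
    esac
    local include="${1%%:*}"
    local lib="${1#*:}"
    # … unchanged: the two gyp_params+= lines …
}
```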


@ -10,8 +10,12 @@
int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
NSS_NoDB_Init(nullptr);
NSS_SetDomesticPolicy();
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
return 1;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
return 1;
}
int rv = RUN_ALL_TESTS();
if (NSS_Shutdown() != SECSuccess) {


@ -35,7 +35,28 @@
],
}],
],
}
},
{
'target_name': 'prng_gtest',
'type': 'executable',
'sources': [
'prng_kat_unittest.cc',
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/lib/util/util.gyp:nssutil3',
'<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
'<(DEPTH)/lib/nss/nss.gyp:nss_static',
'<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap_static',
'<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
'<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
'<(DEPTH)/lib/certdb/certdb.gyp:certdb',
'<(DEPTH)/lib/base/base.gyp:nssb',
'<(DEPTH)/lib/dev/dev.gyp:nssdev',
'<(DEPTH)/lib/pki/pki.gyp:nsspki',
'<(DEPTH)/lib/ssl/ssl.gyp:ssl',
],
},
],
'target_defaults': {
'include_dirs': [

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff


@ -0,0 +1,195 @@
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
// You can obtain one at http://mozilla.org/MPL/2.0/.
#include "nspr.h"
#include "nss.h"
#include "ssl.h"
#include <cstdlib>
#include <fstream>
#include <string>
#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"
#include "blapi.h"
namespace nss_test {
typedef struct PRNGTestValuesStr {
std::vector<uint8_t> entropy;
std::vector<uint8_t> nonce;
std::vector<uint8_t> personal;
std::vector<uint8_t> expected_result;
std::vector<uint8_t> additional_entropy;
std::vector<uint8_t> additional_input_reseed;
std::vector<std::vector<uint8_t>> additional_input;
} PRNGTestValues;
std::vector<PRNGTestValues> test_vector;
bool contains(std::string& s, const char* to_find) {
return s.find(to_find) != std::string::npos;
}
std::string trim(std::string str) {
std::string whitespace = " \t";
const auto strBegin = str.find_first_not_of(whitespace);
if (strBegin == std::string::npos) {
return "";
}
const auto strEnd = str.find_last_not_of(whitespace);
const auto strRange = strEnd - strBegin + 1;
return str.substr(strBegin, strRange);
}
std::vector<uint8_t> hex_string_to_bytes(std::string s) {
std::vector<uint8_t> bytes;
for (size_t i = 0; i < s.length() - 1; i += 2) {
bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
}
return bytes;
}
std::vector<uint8_t> read_option_s(std::string& s) {
size_t start = s.find("=") + 1;
assert(start > 0);
return hex_string_to_bytes(trim(s.substr(start, s.find("]", start))));
}
void print_bytes(std::vector<uint8_t> bytes, std::string name) {
std::cout << name << ": ";
for (auto b : bytes) {
std::cout << std::setfill('0') << std::setw(2) << std::hex
<< static_cast<int>(b);
}
std::cout << std::endl;
}
static void ReadFile(const std::string file_name) {
std::ifstream infile(file_name);
std::string line;
// Variables holding the input for each test.
bool valid_option = false;
// Read the file.
std::streampos pos;
while (std::getline(infile, line)) {
// We only implement SHA256. Skip all other tests.
if (contains(line, "[SHA-")) {
valid_option = contains(line, "[SHA-256]");
}
if (!valid_option) {
continue;
}
// We ignore the options and infer them from the test case.
PRNGTestValues test;
if (line.find("COUNT =")) {
continue;
}
// Read test input.
do {
pos = infile.tellg();
std::getline(infile, line);
if (contains(line, "EntropyInput ")) {
test.entropy = read_option_s(line);
continue;
}
if (contains(line, "Nonce")) {
test.nonce = read_option_s(line);
continue;
}
if (contains(line, "PersonalizationString")) {
test.personal = read_option_s(line);
continue;
}
if (contains(line, "AdditionalInput ")) {
test.additional_input.push_back(read_option_s(line));
continue;
}
if (contains(line, "EntropyInputReseed")) {
test.additional_entropy = read_option_s(line);
continue;
}
if (contains(line, "AdditionalInputReseed")) {
test.additional_input_reseed = read_option_s(line);
continue;
}
if (contains(line, "ReturnedBits")) {
test.expected_result = read_option_s(line);
continue;
}
} while (!infile.eof() && line.find("COUNT =") && line.find("["));
// Save test case.
test_vector.push_back(test);
test = {};
infile.seekg(pos);
}
}
class PRNGTest : public ::testing::TestWithParam<PRNGTestValues> {
protected:
void RunTest(PRNGTestValues test) {
ASSERT_EQ(2U, test.additional_input.size());
SECStatus rv = PRNGTEST_Instantiate_Kat(
test.entropy.data(), test.entropy.size(), test.nonce.data(),
test.nonce.size(), test.personal.data(), test.personal.size());
ASSERT_EQ(SECSuccess, rv);
rv = PRNGTEST_Reseed(test.additional_entropy.data(),
test.additional_entropy.size(),
test.additional_input_reseed.data(),
test.additional_input_reseed.size());
ASSERT_EQ(SECSuccess, rv);
// Generate bytes.
uint8_t bytes[128];
PRNGTEST_Generate(bytes, 128, test.additional_input[0].data(),
test.additional_input[0].size());
PRNGTEST_Generate(bytes, 128, test.additional_input[1].data(),
test.additional_input[1].size());
std::vector<uint8_t> result(bytes, bytes + 128);
if (result != test.expected_result) {
print_bytes(result, "result ");
print_bytes(test.expected_result, "expected");
}
ASSERT_EQ(test.expected_result, result);
rv = PRNGTEST_Uninstantiate();
ASSERT_EQ(SECSuccess, rv);
}
};
TEST_P(PRNGTest, HashDRBG) { RunTest(GetParam()); }
INSTANTIATE_TEST_CASE_P(NISTTestVector, PRNGTest,
::testing::ValuesIn(test_vector));
} // nss_test
int main(int argc, char** argv) {
if (argc < 2) {
std::cout << "usage: prng_gtest <.rsp file>" << std::endl;
return 1;
}
nss_test::ReadFile(argv[1]);
assert(!nss_test::test_vector.empty());
::testing::InitGoogleTest(&argc, argv);
if (NSS_NoDB_Init(nullptr) != SECSuccess) {
return 1;
}
int rv = RUN_ALL_TESTS();
if (NSS_Shutdown() != SECSuccess) {
return 1;
}
return rv;
}
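Review bot: This known-answer test can pass without running a single vector: `ReadFile` never checks that `infile` opened, and `main` guards the result only with `assert(!nss_test::test_vector.empty())`, which is compiled out when NDEBUG is defined (presumably the case for `--opt` builds). An unreadable or mis-located .rsp file then leaves the parameterised suite with no instances, which presumably still exits 0; use a real check instead, `if (nss_test::test_vector.empty()) { std::cerr << "no test vectors read from " << argv[1] << std::endl; return 1; }`. In `RunTest` the two `PRNGTEST_Generate` calls ignore their return value, so a failed generate is caught only indirectly by comparing an uninitialised `bytes` buffer; if it returns SECStatus like the other PRNGTEST_ calls, wrap both in `ASSERT_EQ(SECSuccess, ...)`. `hex_string_to_bytes` computes `s.length() - 1` on a `size_t`, which wraps for an empty value and hands `std::stoul` an empty substring, and the file uses `std::vector`, `std::cout`, `std::setw` and `assert` without including `<vector>`, `<iostream>`, `<iomanip>` or `<cassert>`.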


@ -31,12 +31,18 @@ int main(int argc, char** argv) {
}
}
NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB,
NSS_INIT_READONLY);
NSS_SetDomesticPolicy();
if (NSS_Initialize(g_working_dir_path.c_str(), "", "", SECMOD_DB,
NSS_INIT_READONLY) != SECSuccess) {
return 1;
}
if (NSS_SetDomesticPolicy() != SECSuccess) {
return 1;
}
int rv = RUN_ALL_TESTS();
NSS_Shutdown();
if (NSS_Shutdown() != SECSuccess) {
return 1;
}
nss_test::Poller::Shutdown();
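Review bot: The new `if (NSS_Shutdown() != SECSuccess) { return 1; }` returns before `nss_test::Poller::Shutdown();` on the following line, so poller cleanup is skipped exactly when NSS shutdown failed, and the test result held in `rv` is replaced by a bare 1. Recording the shutdown failure, calling `nss_test::Poller::Shutdown()`, and only then returning would keep the cleanup unconditional. None of the three early returns reports which step failed; one line to `std::cerr` before each `return 1;` would make a failed run diagnosable. main continues past the end of the hunk.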

42
security/nss/help.txt Normal file

@ -0,0 +1,42 @@
Usage: ${0##*/} [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
[--test] [--pprof] [--scan-build[=output]] [--ct-verif]
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
[--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
[--no-zdefs] [--with-nspr] [--system-nspr]
This script builds NSS with gyp and ninja.
This build system is still under development. It does not yet support all
the features or platforms that NSS supports.
NSS build tool options:
-h display this help and exit
-c clean before build
-v verbose build
-j <n> run at most <n> concurrent jobs
--nspr force a rebuild of NSPR
--gyp|-g force a rerun of gyp
--opt|-o do an opt build
-m32 do a 32-bit build on a 64-bit system
--test ignore map files and export everything we have
--fuzz build fuzzing targets (this always enables test builds)
--fuzz=tls to enable TLS fuzzing mode
--fuzz=oss to build for OSS-Fuzz
--pprof build with gperftool support
--ct-verif build with valgrind for ct-verif
--scan-build run the build with scan-build (scan-build has to be in the path)
--scan-build=/out/path sets the output path for scan-build
--asan do an asan build
--ubsan do an ubsan build
--ubsan=bool,shift,... sets specific UB sanitizers
--msan do an msan build
--sancov do sanitize coverage builds
--sancov=func sets coverage to function level for example
--disable-tests don't build tests and corresponding cmdline utils
--system-sqlite use system sqlite
--no-zdefs don't set -Wl,-z,defs
--with-nspr don't build NSPR but use the one at the given location, e.g.
--with-nspr=/path/to/nspr/include:/path/to/nspr/lib
--system-nspr use system nspr. This requires an installation of NSPR and
might not work on all systems.


@ -1469,6 +1469,12 @@ FIPS186Change_ReduceModQForDSA(const unsigned char *w,
const unsigned char *q,
unsigned char *xj);
/* To allow NIST KAT tests */
extern SECStatus
PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len,
const PRUint8 *nonce, unsigned int nonce_len,
const PRUint8 *personal_string, unsigned int ps_len);
/*
* The following functions are for FIPS poweron self test and FIPS algorithm
* testing.
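Review bot: The comment `/* To allow NIST KAT tests */` above `PRNGTEST_Instantiate_Kat` does not tell a caller how the function differs from `PRNGTEST_Instantiate`. Going by the drbg.c part of this commit, it sets `isKatTest` so that `prng_instantiate` skips its `len < PRNG_SEEDLEN` check; the header should state that and mark the entry point as test-only, for example `/* Test-only: instantiates the test DRBG without the PRNG_SEEDLEN minimum so that short NIST KAT seeds are accepted. Not for production seeding. */`.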


@ -99,7 +99,8 @@ struct RNGContextStr {
* RNG_RandomUpdate. */
PRUint8 additionalDataCache[PRNG_ADDITONAL_DATA_CACHE_SIZE];
PRUint32 additionalAvail;
PRBool isValid; /* false if RNG reaches an invalid state */
PRBool isValid; /* false if RNG reaches an invalid state */
PRBool isKatTest; /* true if running NIST PRNG KAT tests */
};
typedef struct RNGContextStr RNGContext;
@ -150,7 +151,7 @@ prng_Hash_df(PRUint8 *requested_bytes, unsigned int no_of_bytes_to_return,
}
/*
* Hash_DRBG Instantiate NIST SP 800-80 10.1.1.2
* Hash_DRBG Instantiate NIST SP 800-90 10.1.1.2
*
* NOTE: bytes & len are entropy || nonce || personalization_string. In
* normal operation, NSS calculates them all together in a single call.
@ -158,9 +159,11 @@ prng_Hash_df(PRUint8 *requested_bytes, unsigned int no_of_bytes_to_return,
static SECStatus
prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
{
if (len < PRNG_SEEDLEN) {
/* if the seedlen is to small, it's probably because we failed to get
* enough random data */
if (!rng->isKatTest && len < PRNG_SEEDLEN) {
/* If the seedlen is too small, it's probably because we failed to get
* enough random data.
* This is stricter than NIST SP800-90A requires. Don't enforce it for
* tests. */
PORT_SetError(SEC_ERROR_NEED_RANDOM);
return SECFailure;
}
@ -272,7 +275,7 @@ prng_reseed_test(RNGContext *rng, const PRUint8 *entropy,
#define PRNG_ADD_BITS_AND_CARRY(dest, dest_len, add, len, carry) \
PRNG_ADD_BITS(dest, dest_len, add, len, carry) \
PRNG_ADD_CARRY_ONLY(dest, dest_len - len, carry)
PRNG_ADD_CARRY_ONLY(dest, dest_len - len - 1, carry)
/*
* This function expands the internal state of the prng to fulfill any number
@ -445,6 +448,7 @@ rng_init(void)
/* the RNG is in a valid state */
globalrng->isValid = PR_TRUE;
globalrng->isKatTest = PR_FALSE;
/* fetch one random value so that we can populate rng->oldV for our
* continous random number test. */
@ -700,6 +704,17 @@ RNG_RNGShutdown(void)
* entropy we may have previously collected. */
RNGContext testContext;
SECStatus
PRNGTEST_Instantiate_Kat(const PRUint8 *entropy, unsigned int entropy_len,
const PRUint8 *nonce, unsigned int nonce_len,
const PRUint8 *personal_string, unsigned int ps_len)
{
testContext.isKatTest = PR_TRUE;
return PRNGTEST_Instantiate(entropy, entropy_len,
nonce, nonce_len,
personal_string, ps_len);
}
/*
* Test vector API. Use NIST SP 800-90 general interface so one of the
* other NIST SP 800-90 algorithms may be used in the future.
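Review bot: `PRNGTEST_Instantiate_Kat` sets `testContext.isKatTest = PR_TRUE` and nothing visible in this commit sets it back, so the relaxed seed-length check in `prng_instantiate` stays in effect for later `PRNGTEST_Instantiate` calls on the same `testContext` unless code outside the hunks clears the context. If the flag is read only in `prng_instantiate`, as in the lines shown, reset it before returning: `SECStatus rv = PRNGTEST_Instantiate(...);` `testContext.isKatTest = PR_FALSE;` `return rv;`. With the flag set, the lines shown put no lower bound on `len` at all, and whether the rest of `prng_instantiate` copes with a very short or empty seed cannot be seen from here. The change to `PRNG_ADD_CARRY_ONLY(dest, dest_len - len - 1, carry)` alters the carry arithmetic of the production DRBG and deserves a comment explaining the index, including what happens when `len == dest_len`.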


@ -24,7 +24,7 @@
*/
#define NSS_VERSION "3.30" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 30
#define NSS_VMINOR 31
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE


@ -23,7 +23,7 @@
*/
#define SOFTOKEN_VERSION "3.30" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 30
#define SOFTOKEN_VMINOR 31
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE


@ -21,7 +21,7 @@
*/
#define NSSUTIL_VERSION "3.30 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 30
#define NSSUTIL_VMINOR 31
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE


@ -178,10 +178,11 @@
'cmd/vfychain/vfychain.gyp:vfychain',
'cmd/vfyserv/vfyserv.gyp:vfyserv',
'gtests/der_gtest/der_gtest.gyp:der_gtest',
'gtests/freebl_gtest/freebl_gtest.gyp:prng_gtest',
'gtests/pk11_gtest/pk11_gtest.gyp:pk11_gtest',
'gtests/ssl_gtest/ssl_gtest.gyp:ssl_gtest',
'gtests/util_gtest/util_gtest.gyp:util_gtest',
'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim'
'gtests/nss_bogo_shim/nss_bogo_shim.gyp:nss_bogo_shim',
],
'conditions': [
[ 'OS=="linux"', {


@ -55,7 +55,8 @@ gtest_start()
GTESTREPORT="$GTESTDIR/report.xml"
PARSED_REPORT="$GTESTDIR/report.parsed"
echo "executing $i"
${BINDIR}/$i -d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
${BINDIR}/$i "${SOURCE_DIR}/gtests/freebl_gtest/kat/Hash_DRBG.rsp" \
-d "$GTESTDIR" --gtest_output=xml:"${GTESTREPORT}" \
--gtest_filter="${GTESTFILTER-*}"
html_msg $? 0 "$i run successfully"
echo "test output dir: ${GTESTREPORT}"
@ -82,7 +83,8 @@ gtest_cleanup()
}
################## main #################################################
GTESTS="der_gtest pk11_gtest util_gtest"
GTESTS="prng_gtest der_gtest pk11_gtest util_gtest"
SOURCE_DIR="$PWD"/../..
gtest_init $0
gtest_start
gtest_cleanup