diff options
| author | Martin Thomson <martin.thomson@gmail.com> | 2017-08-24 10:16:13 +1000 |
|---|---|---|
| committer | Martin Thomson <martin.thomson@gmail.com> | 2017-08-24 10:16:13 +1000 |
| commit | 0ec9a2703f77ec33765b318cc1ec519206faec26 (patch) | |
| tree | bae90a4678ce056d51fcf594c67fa16976a7b5b5 | |
| parent | daa71317c427f1e96ba7819df1b5e8dfbf0d39bb (diff) | |
| parent | ae7880aaf35321274152907955868ef50c0255d1 (diff) | |
| download | nss-hg-0ec9a2703f77ec33765b318cc1ec519206faec26.tar.gz | |
Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH, a=merge
33 files changed, 426 insertions, 120 deletions
diff --git a/automation/taskcluster/graph/src/extend.js b/automation/taskcluster/graph/src/extend.js index 3603afaa4..06e764261 100644 --- a/automation/taskcluster/graph/src/extend.js +++ b/automation/taskcluster/graph/src/extend.js @@ -91,11 +91,19 @@ queue.filter(task => { queue.map(task => { if (task.collection == "asan") { // CRMF and FIPS tests still leak, unfortunately. - if (task.tests == "crmf" || task.tests == "fips") { + if (task.tests == "crmf") { task.env.ASAN_OPTIONS = "detect_leaks=0"; } } + // We don't run FIPS SSL tests + if (task.tests == "ssl") { + if (!task.env) { + task.env = {}; + } + task.env.NSS_SSL_TESTS = "crl iopr policy"; + } + // Windows is slow. if (task.platform == "windows2012-64" && task.tests == "chains") { task.maxRunTime = 7200; @@ -320,6 +328,46 @@ async function scheduleLinux(name, base, args = "") { // The task that builds NSPR+NSS. let task_build = queue.scheduleTask(merge(build_base, {name})); + // Make builds run FIPS tests, which need an extra FIPS build. + if (base.collection == "make") { + let extra_build = queue.scheduleTask(merge(build_base, { + env: { NSS_FORCE_FIPS: "1" }, + group: "FIPS", + name: `${name} w/ NSS_FORCE_FIPS` + })); + + // The task that generates certificates. + let task_cert = queue.scheduleTask(merge(build_base, { + name: "Certificates", + command: [ + "/bin/bash", + "-c", + "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh" + ], + parent: extra_build, + symbol: "Certs-F", + group: "FIPS", + env: { NSS_TEST_ENABLE_FIPS: "1" } + })); + + // Schedule FIPS tests. + queue.scheduleTask(merge(base, { + parent: task_cert, + name: "FIPS", + command: [ + "/bin/bash", + "-c", + "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh" + ], + cycle: "standard", + kind: "test", + name: "FIPS tests", + symbol: "Tests-F", + tests: "fips", + group: "FIPS" + })); + } + // The task that generates certificates. let task_cert = queue.scheduleTask(merge(build_base, { name: "Certificates", @@ -703,6 +751,44 @@ async function scheduleWindows(name, base, build_script) { symbol: "B" }); + // Make builds run FIPS tests, which need an extra FIPS build. + if (base.collection == "make") { + let extra_build = queue.scheduleTask(merge(build_base, { + env: { NSS_FORCE_FIPS: "1" }, + group: "FIPS", + name: `${name} w/ NSS_FORCE_FIPS` + })); + + // The task that generates certificates. + let task_cert = queue.scheduleTask(merge(build_base, { + name: "Certificates", + command: [ + WINDOWS_CHECKOUT_CMD, + "bash -c nss/automation/taskcluster/windows/gen_certs.sh" + ], + parent: extra_build, + symbol: "Certs-F", + group: "FIPS", + env: { NSS_TEST_ENABLE_FIPS: "1" } + })); + + // Schedule FIPS tests. + queue.scheduleTask(merge(base, { + parent: task_cert, + name: "FIPS", + command: [ + WINDOWS_CHECKOUT_CMD, + "bash -c nss/automation/taskcluster/windows/run_tests.sh" + ], + cycle: "standard", + kind: "test", + name: "FIPS tests", + symbol: "Tests-F", + tests: "fips", + group: "FIPS" + })); + } + // The task that builds NSPR+NSS. let task_build = queue.scheduleTask(merge(build_base, {name})); @@ -781,9 +867,6 @@ function scheduleTests(task_build, task_cert, test_base) { name: "DB tests", symbol: "DB", tests: "dbtests" })); queue.scheduleTask(merge(cert_base, { - name: "FIPS tests", symbol: "FIPS", tests: "fips" - })); - queue.scheduleTask(merge(cert_base, { name: "Merge tests", symbol: "Merge", tests: "merge" })); queue.scheduleTask(merge(cert_base, { diff --git a/automation/taskcluster/windows/setup.sh b/automation/taskcluster/windows/setup.sh index 7def50db4..23e99c602 100644 --- a/automation/taskcluster/windows/setup.sh +++ b/automation/taskcluster/windows/setup.sh @@ -23,4 +23,4 @@ hg_clone() { } hg_clone https://hg.mozilla.org/build/tools tools default -tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://api.pub.build.mozilla.org/tooltool/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache +tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache @@ -73,6 +73,8 @@ while [ $# -gt 0 ]; do -j) ninja_params+=(-j "$2"); shift ;; -v) ninja_params+=(-v); verbose=1 ;; --test) gyp_params+=(-Dtest_build=1) ;; + --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;; + --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;; --fuzz) fuzz=1 ;; --fuzz=oss) fuzz=1; fuzz_oss=1 ;; --fuzz=tls) fuzz=1; fuzz_tls=1 ;; @@ -94,6 +96,7 @@ while [ $# -gt 0 ]; do --with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;; --system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;; --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;; + --enable-fips) gyp_params+=(-Ddisable_fips=0) ;; *) show_help; exit 2 ;; esac shift diff --git a/coreconf/config.gypi b/coreconf/config.gypi index 9ea528ae4..69f19fdf3 100644 --- a/coreconf/config.gypi +++ b/coreconf/config.gypi @@ -109,6 +109,7 @@ 'nss_public_dist_dir%': '<(nss_dist_dir)/public', 'nss_private_dist_dir%': '<(nss_dist_dir)/private', 'only_dev_random%': 1, + 'disable_fips%': 1, }, 'target_defaults': { # Settings specific to targets should go here. @@ -125,6 +126,11 @@ '<(nss_dist_dir)/private/<(module)', ], 'conditions': [ + [ 'disable_fips==1', { + 'defines': [ + 'NSS_FIPS_DISABLED', + ], + }], [ 'OS!="android" and OS!="mac" and OS!="win"', { 'libraries': [ '-lpthread', @@ -167,7 +173,7 @@ }, }, }], - [ 'target_arch=="arm64" or target_arch=="aarch64"', { + [ 'target_arch=="arm64" or target_arch=="aarch64" or target_arch=="sparc64"', { 'defines': [ 'NSS_USE_64', ], diff --git a/cpputil/scoped_ptrs.h b/cpputil/scoped_ptrs.h index 9f224dfc0..b92b8132b 100644 --- a/cpputil/scoped_ptrs.h +++ b/cpputil/scoped_ptrs.h @@ -36,6 +36,7 @@ struct ScopedDelete { void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); } void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); } void operator()(PK11Context* context) { PK11_DestroyContext(context, true); } + void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); } }; template <class T> @@ -66,6 +67,7 @@ SCOPED(SECKEYPrivateKeyList); SCOPED(PK11URI); SCOPED(PLArenaPool); SCOPED(PK11Context); +SCOPED(PK11GenericObject); #undef SCOPED diff --git a/fuzz/config/git-copy.sh b/fuzz/config/git-copy.sh index a5c7d371d..a9e817e2a 100755 --- a/fuzz/config/git-copy.sh +++ b/fuzz/config/git-copy.sh @@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then exit 2 fi -REPO=$1 -COMMIT=$2 -DIR=$3 +REPO="$1" +COMMIT="$2" +DIR="$3" echo "Copy '$COMMIT' from '$REPO' to '$DIR'" -if [ -f $DIR/.git-copy ]; then - CURRENT=$(cat $DIR/.git-copy) - if [ $(echo -n $COMMIT | wc -c) != "40" ]; then +if [ -f "$DIR"/.git-copy ]; then + CURRENT=$(cat "$DIR"/.git-copy) + if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then # On the off chance that $COMMIT is a remote head. - ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -) + ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -) else - ACTUAL=$COMMIT + ACTUAL="$COMMIT" fi if [ "$CURRENT" = "$ACTUAL" ]; then echo "Up to date." @@ -26,8 +26,9 @@ if [ -f $DIR/.git-copy ]; then fi fi -git init -q $DIR -git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp -git -C $DIR reset --hard git-copy-tmp -git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy -rm -rf $DIR/.git +rm -rf "$DIR" +git init -q "$DIR" +git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp +git -C "$DIR" reset --hard git-copy-tmp +git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy +rm -rf "$DIR"/.git diff --git a/fuzz/mpi_expmod_target.cc b/fuzz/mpi_expmod_target.cc index ed31da354..23826e935 100644 --- a/fuzz/mpi_expmod_target.cc +++ b/fuzz/mpi_expmod_target.cc @@ -19,6 +19,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { auto modulus = get_modulus(data, size, ctx); // Compare with OpenSSL exp mod m1 = &std::get<1>(modulus); + print_bn("A", A); + print_bn("B", B); + print_bn("m", std::get<0>(modulus)); + check_equal(A, &a, max_size); + check_equal(B, &b, max_size); + check_equal(std::get<0>(modulus), m1, 3 * max_size); assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY); (void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx); check_equal(C, &c, 2 * max_size); diff --git a/fuzz/mpi_helper.cc b/fuzz/mpi_helper.cc index 65cf4b9cd..d092fdb11 100644 --- a/fuzz/mpi_helper.cc +++ b/fuzz/mpi_helper.cc @@ -12,6 +12,12 @@ char *to_char(const uint8_t *x) { return reinterpret_cast<char *>(const_cast<unsigned char *>(x)); } +void print_bn(std::string label, BIGNUM *x) { + char *xc = BN_bn2hex(x); + std::cout << label << ": " << std::hex << xc << std::endl; + OPENSSL_free(xc); +} + // Check that the two numbers are equal. void check_equal(BIGNUM *b, mp_int *m, size_t max_size) { char *bnBc = BN_bn2hex(b); diff --git a/fuzz/mpi_helper.h b/fuzz/mpi_helper.h index 17383744b..ef7041b25 100644 --- a/fuzz/mpi_helper.h +++ b/fuzz/mpi_helper.h @@ -23,6 +23,7 @@ void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B, void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a); std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size, BN_CTX *ctx); +void print_bn(std::string label, BIGNUM *x); // Initialise MPI and BN variables // XXX: Also silence unused variable warnings for R. diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc index 2cddaed50..23def6720 100644 --- a/gtests/softoken_gtest/softoken_gtest.cc +++ b/gtests/softoken_gtest/softoken_gtest.cc @@ -3,6 +3,7 @@ #include "nspr.h" #include "nss.h" #include "pk11pub.h" +#include "secerr.h" #include "scoped_ptrs.h" @@ -25,24 +26,24 @@ namespace nss_test { // this implementation. class ScopedUniqueDirectory { public: - explicit ScopedUniqueDirectory(const std::string& prefix); + explicit ScopedUniqueDirectory(const std::string &prefix); // NB: the directory must be empty upon destruction ~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); } - const std::string& GetPath() { return mPath; } + const std::string &GetPath() { return mPath; } private: static const int RETRY_LIMIT = 5; - static void GenerateRandomName(/*in/out*/ std::string& prefix); - static bool TryMakingDirectory(/*in/out*/ std::string& prefix); + static void GenerateRandomName(/*in/out*/ std::string &prefix); + static bool TryMakingDirectory(/*in/out*/ std::string &prefix); std::string mPath; }; -ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) { +ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) { std::string path; - const char* workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR"); + const char *workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR"); if (workingDirectory) { path.assign(workingDirectory); } @@ -59,7 +60,7 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) { assert(mPath.length() > 0); } -void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) { +void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) { std::stringstream ss; ss << prefix; // RAND_MAX is at least 32767. @@ -69,7 +70,7 @@ void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) { ss >> prefix; } -bool ScopedUniqueDirectory::TryMakingDirectory(std::string& prefix) { +bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) { GenerateRandomName(prefix); #if defined(_WIN32) return _mkdir(prefix.c_str()) == 0; @@ -91,7 +92,7 @@ class SoftokenTest : public ::testing::Test { virtual void TearDown() { ASSERT_EQ(SECSuccess, NSS_Shutdown()); - const std::string& nssDBDirPath = mNSSDBDir.GetPath(); + const std::string &nssDBDirPath = mNSSDBDir.GetPath(); ASSERT_EQ(0, unlink((nssDBDirPath + "/cert9.db").c_str())); ASSERT_EQ(0, unlink((nssDBDirPath + "/key4.db").c_str())); ASSERT_EQ(0, unlink((nssDBDirPath + "/pkcs11.txt").c_str())); @@ -116,9 +117,105 @@ TEST_F(SoftokenTest, ResetSoftokenNonEmptyPassword) { EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password2")); } +// Test certificate to use in the CreateObject tests. +static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST; +static const CK_BBOOL ck_false = CK_FALSE; +static const CK_BBOOL ck_true = CK_TRUE; +static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST; +static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR; +static const CK_ATTRIBUTE attributes[] = { + {CKA_CLASS, (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS)}, + {CKA_TOKEN, (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)}, + {CKA_PRIVATE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)}, + {CKA_MODIFIABLE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)}, + {CKA_LABEL, + (void *)"Symantec Class 2 Public Primary Certification Authority - G4", + (PRUint32)61}, + {CKA_CERT_SHA1_HASH, + (void *)"\147\044\220\056\110\001\260\042\226\100\020\106\264\261\147\054" + "\251\165\375\053", + (PRUint32)20}, + {CKA_CERT_MD5_HASH, + (void *)"\160\325\060\361\332\224\227\324\327\164\337\276\355\150\336\226", + (PRUint32)16}, + {CKA_ISSUER, + (void *)"\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123" + "\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156" + "\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061" + "\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164" + "\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153" + "\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156" + "\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154" + "\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151" + "\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151" + "\164\171\040\055\040\107\064", + (PRUint32)151}, + {CKA_SERIAL_NUMBER, + (void *)"\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125" + "\246\036", + (PRUint32)18}, + {CKA_TRUST_SERVER_AUTH, (void *)&ckt_nss_must_verify_trust, + (PRUint32)sizeof(CK_TRUST)}, + {CKA_TRUST_EMAIL_PROTECTION, (void *)&ckt_nss_trusted_delegator, + (PRUint32)sizeof(CK_TRUST)}, + {CKA_TRUST_CODE_SIGNING, (void *)&ckt_nss_must_verify_trust, + (PRUint32)sizeof(CK_TRUST)}, + {CKA_TRUST_STEP_UP_APPROVED, (void *)&ck_false, + (PRUint32)sizeof(CK_BBOOL)}}; + +TEST_F(SoftokenTest, CreateObjectNonEmptyPassword) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password")); + EXPECT_EQ(SECSuccess, PK11_Logout(slot.get())); + ScopedPK11GenericObject obj(PK11_CreateGenericObject( + slot.get(), attributes, PR_ARRAY_SIZE(attributes), true)); + EXPECT_EQ(nullptr, obj); +} + +TEST_F(SoftokenTest, CreateObjectChangePassword) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr)); + EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password")); + EXPECT_EQ(SECSuccess, PK11_Logout(slot.get())); + ScopedPK11GenericObject obj(PK11_CreateGenericObject( + slot.get(), attributes, PR_ARRAY_SIZE(attributes), true)); + EXPECT_EQ(nullptr, obj); +} + +TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) { + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password")); + EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", "")); + // PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user + // is not "logged in". + EXPECT_EQ(SECFailure, PK11_Logout(slot.get())); + EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError()); + ScopedPK11GenericObject obj(PK11_CreateGenericObject( + slot.get(), attributes, PR_ARRAY_SIZE(attributes), true)); + // Because there's no password we can't logout and the operation should have + // succeeded. + EXPECT_NE(nullptr, obj); +} + +class SoftokenNoDBTest : public ::testing::Test {}; + +TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) { + ASSERT_EQ(SECSuccess, NSS_NoDB_Init(".")); + ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot()); + ASSERT_TRUE(slot); + EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get())); + + // When shutting down in here we have to release the slot first. + slot = nullptr; + ASSERT_EQ(SECSuccess, NSS_Shutdown()); +} + } // namespace nss_test -int main(int argc, char** argv) { +int main(int argc, char **argv) { ::testing::InitGoogleTest(&argc, argv); return RUN_ALL_TESTS(); diff --git a/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/gtests/ssl_gtest/ssl_ecdh_unittest.cc index 1e406b6c2..f14a49817 100644 --- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc +++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc @@ -551,7 +551,7 @@ class ECCServerKEXFilter : public TlsHandshakeFilter { // Replace the server key exchange message with an empty point output->Allocate(4); output->Write(0, 3U, 1); // named curve - uint32_t curve; + uint32_t curve = 0; EXPECT_TRUE(input.Read(1, 2, &curve)); // get curve id output->Write(1, curve, 2); // write curve id output->Write(3, 0U, 1); // point length 0 @@ -3,6 +3,7 @@ Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32] [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]] [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite] [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix] + [--enable-fips] This script builds NSS with gyp and ninja. @@ -19,6 +20,8 @@ NSS build tool options: --gyp|-g force a rerun of gyp --opt|-o do an opt build -m32 do a 32-bit build on a 64-bit system + --clang build with clang and clang++ + --gcc build with gcc and g++ --test ignore map files and export everything we have --fuzz build fuzzing targets (this always enables test builds) --fuzz=tls to enable TLS fuzzing mode @@ -41,3 +44,4 @@ NSS build tool options: --system-nspr use system nspr. This requires an installation of NSPR and might not work on all systems. --enable-libpkix make libpkix part of the build. + --enable-fips don't disable FIPS checks. diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h index b1be7bedf..bcf62e9f3 100644 --- a/lib/freebl/blapii.h +++ b/lib/freebl/blapii.h @@ -22,8 +22,10 @@ typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit); SEC_BEGIN_PROTOS +#ifndef NSS_FIPS_DISABLED SECStatus BL_FIPSEntryOK(PRBool freeblOnly); PRBool BL_POSTRan(PRBool freeblOnly); +#endif #if defined(XP_UNIX) && !defined(NO_FORK_CHECK) diff --git a/lib/freebl/det_rng.c b/lib/freebl/det_rng.c index 04fce30e8..53d48bc7c 100644 --- a/lib/freebl/det_rng.c +++ b/lib/freebl/det_rng.c @@ -8,19 +8,22 @@ #include "nssilock.h" #include "seccomon.h" #include "secerr.h" +#include "prinit.h" #define GLOBAL_BYTES_SIZE 100 static PRUint8 globalBytes[GLOBAL_BYTES_SIZE]; static unsigned long globalNumCalls = 0; static PZLock *rng_lock = NULL; +static PRCallOnceType coRNGInit; +static const PRCallOnceType pristineCallOnce; -SECStatus -RNG_RNGInit(void) +static PRStatus +rng_init(void) { rng_lock = PZ_NewLock(nssILockOther); if (!rng_lock) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + return PR_FAILURE; } /* --- LOCKED --- */ PZ_Lock(rng_lock); @@ -28,6 +31,17 @@ RNG_RNGInit(void) PZ_Unlock(rng_lock); /* --- UNLOCKED --- */ + return PR_SUCCESS; +} + +SECStatus +RNG_RNGInit(void) +{ + /* Allow only one call to initialize the context */ + if (PR_CallOnce(&coRNGInit, rng_init) != PR_SUCCESS) { + return SECFailure; + } + return SECSuccess; } @@ -97,8 +111,11 @@ RNG_GenerateGlobalRandomBytes(void *dest, size_t len) void RNG_RNGShutdown(void) { - PZ_DestroyLock(rng_lock); - rng_lock = NULL; + if (rng_lock) { + PZ_DestroyLock(rng_lock); + rng_lock = NULL; + } + coRNGInit = pristineCallOnce; } /* Test functions are not implemented! */ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c index 094513560..a57de05e0 100644 --- a/lib/freebl/fipsfreebl.c +++ b/lib/freebl/fipsfreebl.c @@ -6,6 +6,7 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */ +#ifndef NSS_FIPS_DISABLED #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif @@ -1589,9 +1590,6 @@ static PRBool self_tests_freebl_ran = PR_FALSE; static PRBool self_tests_ran = PR_FALSE; static PRBool self_tests_freebl_success = PR_FALSE; static PRBool self_tests_success = PR_FALSE; -#if defined(DEBUG) -static PRBool fips_mode_available = PR_FALSE; -#endif /* * accessors for freebl @@ -1644,7 +1642,6 @@ bl_startup_tests(void) PORT_Assert(self_tests_freebl_ran == PR_FALSE); PORT_Assert(self_tests_success == PR_FALSE); - PORT_Assert(fips_mode_available == PR_FALSE); self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ self_tests_success = PR_FALSE; /* force it just in case */ self_tests_freebl_success = PR_FALSE; /* force it just in case */ @@ -1713,3 +1710,4 @@ BL_FIPSEntryOK(PRBool freebl_only) PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } +#endif diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c index 0fdb0fd48..34e034e24 100644 --- a/lib/freebl/gcm.c +++ b/lib/freebl/gcm.c @@ -574,7 +574,7 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher, const unsigned char *params) { GCMContext *gcm = NULL; - gcmHashContext *ghash = NULL; + gcmHashContext *ghash = NULL, *ghashmem = NULL; unsigned char H[MAX_BLOCK_SIZE]; unsigned int tmp; PRBool freeCtr = PR_FALSE; @@ -596,13 +596,13 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher, return NULL; } /* aligned_alloc is C11 so we have to do it the old way. */ - ghash = PORT_ZAlloc(sizeof(gcmHashContext) + 15); - if (ghash == NULL) { + ghashmem = PORT_ZAlloc(sizeof(gcmHashContext) + 15); + if (ghashmem == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); goto loser; } - ghash->mem = ghash; - ghash = (gcmHashContext *)(((uintptr_t)ghash + 15) & ~(uintptr_t)0x0F); + ghash = (gcmHashContext *)(((uintptr_t)ghashmem + 15) & ~(uintptr_t)0x0F); + ghash->mem = ghashmem; /* first plug in the ghash context */ gcm->ghash_context = ghash; diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c index 2447a0c9f..6897c7c50 100644 --- a/lib/freebl/ldvector.c +++ b/lib/freebl/ldvector.c @@ -320,8 +320,12 @@ FREEBL_GetVector(void) return NULL; } #endif - /* make sure the Full self tests have been run before continuing */ + +#ifndef NSS_FIPS_DISABLED + /* In FIPS mode make sure the Full self tests have been run before + * continuing. */ BL_POSTRan(PR_FALSE); +#endif return &vector; } diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c index 5ed039689..22f97810f 100644 --- a/lib/freebl/nsslowhash.c +++ b/lib/freebl/nsslowhash.c @@ -22,6 +22,7 @@ struct NSSLOWHASHContextStr { void *hashCtxt; }; +#ifndef NSS_FIPS_DISABLED static int nsslow_GetFIPSEnabled(void) { @@ -40,9 +41,10 @@ nsslow_GetFIPSEnabled(void) return 0; if (d != '1') return 0; -#endif +#endif /* LINUX */ return 1; } +#endif /* NSS_FIPS_DISABLED */ static NSSLOWInitContext dummyContext = { 0 }; static PRBool post_failed = PR_TRUE; @@ -54,6 +56,7 @@ NSSLOW_Init(void) (void)FREEBL_InitStubs(); #endif +#ifndef NSS_FIPS_DISABLED /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ if (nsslow_GetFIPSEnabled()) { @@ -63,6 +66,7 @@ NSSLOW_Init(void) return NULL; } } +#endif post_failed = PR_FALSE; return &dummyContext; diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c index e4ad60388..7381ea201 100644 --- a/lib/freebl/rijndael.c +++ b/lib/freebl/rijndael.c @@ -1018,13 +1018,15 @@ AESContext * AES_AllocateContext(void) { /* aligned_alloc is C11 so we have to do it the old way. */ - AESContext *ctx = PORT_ZAlloc(sizeof(AESContext) + 15); - if (ctx == NULL) { + AESContext *ctx, *ctxmem; + ctxmem = PORT_ZAlloc(sizeof(AESContext) + 15); + if (ctxmem == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return NULL; } - ctx->mem = ctx; - return (AESContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F); + ctx = (AESContext *)(((uintptr_t)ctxmem + 15) & ~(uintptr_t)0x0F); + ctx->mem = ctxmem; + return ctx; } /* diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c index bd9cd1c94..98db4614b 100644 --- a/lib/freebl/shvfy.c +++ b/lib/freebl/shvfy.c @@ -19,6 +19,8 @@ #include "pqg.h" #include "blapii.h" +#ifndef NSS_FIPS_DISABLED + /* * Most modern version of Linux support a speed optimization scheme where an * application called prelink modifies programs and shared libraries to quickly @@ -537,3 +539,23 @@ BLAPI_VerifySelf(const char *name) } return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE); } + +#else /* NSS_FIPS_DISABLED */ + +PRBool +BLAPI_SHVerifyFile(const char *shName) +{ + return PR_FALSE; +} +PRBool +BLAPI_SHVerify(const char *name, PRFuncPtr addr) +{ + return PR_FALSE; +} +PRBool +BLAPI_VerifySelf(const char *name) +{ + return PR_FALSE; +} + +#endif /* NSS_FIPS_DISABLED */ diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c index 1ef53e1d7..cf2a40a2f 100644 --- a/lib/pk11wrap/pk11skey.c +++ b/lib/pk11wrap/pk11skey.c @@ -182,6 +182,10 @@ PK11_FreeSymKey(PK11SymKey *symKey) PK11SlotInfo *slot; PRBool freeit = PR_TRUE; + if (!symKey) { + return; + } + if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) { PK11SymKey *parent = symKey->parent; diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c index 0a6ed6c08..c39abe17e 100644 --- a/lib/pk11wrap/pk11slot.c +++ b/lib/pk11wrap/pk11slot.c @@ -1182,7 +1182,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts) /* set the slot flags to the current token values */ slot->series++; /* allow other objects to detect that the - * slot is different */ + * slot is different */ slot->flags = slot->tokenInfo.flags; slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE); slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE); @@ -1471,6 +1471,9 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot) slot->hasRootCerts = PR_TRUE; } } + if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) { + slot->flags |= CKF_USER_PIN_INITIALIZED; + } } /********************************************************************* diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c index 3563bd2d2..0cca74d6e 100644 --- a/lib/softoken/fipstest.c +++ b/lib/softoken/fipstest.c @@ -5,6 +5,7 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#ifndef NSS_FIPS_DISABLED #include "seccomon.h" #include "blapi.h" #include "softoken.h" @@ -652,3 +653,11 @@ sftk_FIPSEntryOK() } return CKR_OK; } +#else +#include "pkcs11t.h" +CK_RV +sftk_FIPSEntryOK() +{ + return CKR_DEVICE_ERROR; +} +#endif /* NSS_FIPS_DISABLED */ diff --git a/lib/softoken/legacydb/lgfips.c b/lib/softoken/legacydb/lgfips.c index b017424db..b991dcf8e 100644 --- a/lib/softoken/legacydb/lgfips.c +++ b/lib/softoken/legacydb/lgfips.c @@ -6,6 +6,8 @@ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */ +#ifndef NSS_FIPS_DISABLED + #include "seccomon.h" #include "lgdb.h" #include "blapi.h" @@ -113,3 +115,5 @@ lg_FIPSEntryOK() #endif return lg_self_tests_success; } + +#endif /* NSS_FIPS_DISABLED */ diff --git a/lib/softoken/legacydb/lginit.c b/lib/softoken/legacydb/lginit.c index 6913eea50..4f0b53f52 100644 --- a/lib/softoken/legacydb/lginit.c +++ b/lib/softoken/legacydb/lginit.c @@ -586,11 +586,15 @@ legacy_Open(const char *configdir, const char *certPrefix, #define NSS_VERSION_VARIABLE __nss_dbm_version #include "verref.h" +#ifndef NSS_FIPS_DISABLED if (flags & SDB_FIPS) { + /* We shouldn't get here when FIPS is not enabled on the database. But + * we also don't care when this NSS build doesn't support FIPS. */ if (!lg_FIPSEntryOK()) { return CKR_DEVICE_ERROR; } } +#endif rv = SECOID_Init(); if (SECSuccess != rv) { diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c index 4e940990e..16caf24e7 100644 --- a/lib/softoken/pkcs11.c +++ b/lib/softoken/pkcs11.c @@ -3305,6 +3305,15 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) } } + /* If there is no key database, this is for example the case when NSS was + * initialized with NSS_NoDbInit(), then there won't be any point in + * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that + * PK11_NeedUserInit() doesn't indicate that a PIN is needed. + */ + if (slot->keyDB == NULL) { + pInfo->flags |= CKF_USER_PIN_INITIALIZED; + } + /* ok we really should read it out of the keydb file. */ /* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */ pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR; @@ -3788,7 +3797,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin, /* Now update our local copy of the pin */ if (rv == SECSuccess) { + PZ_Lock(slot->slotLock); slot->needLogin = (PRBool)(ulNewLen != 0); + slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess); + PZ_Unlock(slot->slotLock); /* Reset login flags. */ if (ulNewLen == 0) { PRBool tokenRemoved = PR_FALSE; @@ -3,7 +3,7 @@ # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. -################################################################################ +########################################################################## # # This is a collection of helper tools to get stuff done in NSS. # @@ -23,13 +23,15 @@ class cfAction(argparse.Action): restorecon = None def __call__(self, parser, args, values, option_string=None): - if "noroot" not in values: + if not args.noroot: self.setDockerCommand() + + if values: + files = [os.path.abspath(x) for x in values] else: - values.remove("noroot") - files = [os.path.join('/home/worker/nss', - os.path.relpath(os.path.abspath(x), start=cwd)) - for x in values] + files = self.modifiedFiles() + files = [os.path.join('/home/worker/nss', os.path.relpath(x, start=cwd)) + for x in files] # First check if we can run docker. try: @@ -59,9 +61,10 @@ class cfAction(argparse.Action): self.buildImage(docker_image, cf_docker_folder) command = self.docker_command + [ - 'run', '-v', cwd + ':/home/worker/nss:Z', '--rm', '-ti', docker_image + 'run', '-v', cwd + ':/home/worker/nss:Z', '--rm', '-ti', docker_image ] - # The clang format script returns 1 if something's to do. We don't care. + # The clang format script returns 1 if something's to do. We don't + # care. subprocess.call(command + files) if self.restorecon is not None: subprocess.call([self.restorecon, '-R', cwd]) @@ -97,14 +100,40 @@ class cfAction(argparse.Action): self.restorecon = find_executable('restorecon') self.docker_command = ["sudo"] + self.docker_command + def modifiedFiles(self): + files = [] + if os.path.exists(os.path.join(cwd, '.hg')): + st = subprocess.Popen(['hg', 'status', '-m', '-a'], + cwd=cwd, stdout=subprocess.PIPE) + for line in iter(st.stdout.readline, ''): + files += [line[2:].rstrip()] + elif os.path.exists(os.path.join(cwd, '.git')): + st = subprocess.Popen(['git', 'status', '--porcelain'], + cwd=cwd, stdout=subprocess.PIPE) + for line in iter(st.stdout.readline, ''): + if line[1] == 'M' or line[1] != 'D' and \ + (line[0] == 'M' or line[0] == 'A' or + line[0] == 'C' or line[0] == 'U'): + files += [line[3:].rstrip()] + elif line[0] == 'R': + files += [line[line.index(' -> ', beg=4) + 4:]] + else: + print('Warning: neither mercurial nor git detected!') + + def isFormatted(x): + return x[-2:] == '.c' or x[-3:] == '.cc' or x[-2:] == '.h' + return [x for x in files if isFormatted(x)] + class buildAction(argparse.Action): + def __call__(self, parser, args, values, option_string=None): cwd = os.path.dirname(os.path.abspath(__file__)) subprocess.check_call([cwd + "/build.sh"] + values) class testAction(argparse.Action): + def runTest(self, test, cycles="standard"): cwd = os.path.dirname(os.path.abspath(__file__)) domsuf = os.getenv('DOMSUF', "localdomain") @@ -115,8 +144,10 @@ class testAction(argparse.Action): "DOMSUF": domsuf, "HOST": host } + os_env = os.environ + os_env.update(env) command = cwd + "/tests/all.sh" - subprocess.check_call(command, env=env) + subprocess.check_call(command, env=os_env) def __call__(self, parser, args, values, option_string=None): self.runTest(values) @@ -124,6 +155,7 @@ class testAction(argparse.Action): class commandsAction(argparse.Action): commands = [] + def __call__(self, parser, args, values, option_string=None): for c in commandsAction.commands: print(c) @@ -142,11 +174,20 @@ def parse_arguments(): parser_cf = subparsers.add_parser( 'clang-format', - help='Run clang-format on all folders or provide a folder to format.') + help=""" + Run clang-format. + + By default this runs against any files that you have modified. If + there are no modified files, it checks everything. + """) + parser_cf.add_argument( + '--noroot', + help='On linux, suppress the use of \'sudo\' for running docker.', + action='store_true') parser_cf.add_argument( - 'cf_args', + '<file/dir>', nargs='*', - help="clang-format folders and noroot if you don't want to use sudo", + help="Specify files or directories to run clang-format on", action=cfAction) parser_test = subparsers.add_parser( @@ -131,7 +131,6 @@ 'cmd/digest/digest.gyp:digest', 'cmd/ecperf/ecperf.gyp:ecperf', 'cmd/fbectest/fbectest.gyp:fbectest', - 'cmd/fipstest/fipstest.gyp:fipstest', 'cmd/httpserv/httpserv.gyp:httpserv', 'cmd/listsuites/listsuites.gyp:listsuites', 'cmd/makepqg/makepqg.gyp:makepqg', @@ -190,6 +189,11 @@ 'gtests/freebl_gtest/freebl_gtest.gyp:freebl_gtest', ], }], + [ 'disable_fips==0', { + 'dependencies': [ + 'cmd/fipstest/fipstest.gyp:fipstest', + ], + }], ], }, ], @@ -41,49 +41,8 @@ directory `lib`, and tools in directory `bin`. In order to run the tools, set your system environment to use the libraries of your build from the "lib" directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`. - Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32] - [--test] [--pprof] [--scan-build[=output]] [--ct-verif] - [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]] - [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite] - [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix] - - This script builds NSS with gyp and ninja. - - This build system is still under development. It does not yet support all - the features or platforms that NSS supports. - - NSS build tool options: - - -h display this help and exit - -c clean before build - -v verbose build - -j <n> run at most <n> concurrent jobs - --nspr force a rebuild of NSPR - --gyp|-g force a rerun of gyp - --opt|-o do an opt build - -m32 do a 32-bit build on a 64-bit system - --test ignore map files and export everything we have - --fuzz build fuzzing targets (this always enables test builds) - --fuzz=tls to enable TLS fuzzing mode - --fuzz=oss to build for OSS-Fuzz - --pprof build with gperftool support - --ct-verif build with valgrind for ct-verif - --scan-build run the build with scan-build (scan-build has to be in the path) - --scan-build=/out/path sets the output path for scan-build - --asan do an asan build - --ubsan do an ubsan build - --ubsan=bool,shift,... sets specific UB sanitizers - --msan do an msan build - --sancov do sanitize coverage builds - --sancov=func sets coverage to function level for example - --disable-tests don't build tests and corresponding cmdline utils - --system-sqlite use system sqlite - --no-zdefs don't set -Wl,-z,defs - --with-nspr don't build NSPR but use the one at the given location, e.g. - --with-nspr=/path/to/nspr/include:/path/to/nspr/lib - --system-nspr use system nspr. This requires an installation of NSPR and - might not work on all systems. - --enable-libpkix make libpkix part of the build. +See [help.txt](https://hg.mozilla.org/projects/nss/raw-file/tip/help.txt) for +more information on using build.sh. ## Building NSS (legacy build system) diff --git a/tests/all.sh b/tests/all.sh index 833817f4a..42ba7a6da 100755 --- a/tests/all.sh +++ b/tests/all.sh @@ -107,6 +107,8 @@ # ######################################################################## +RUN_FIPS="" + ############################## run_tests ############################### # run test suites defined in TESTS variable, skip scripts defined in # TESTS_SKIP variable @@ -187,7 +189,7 @@ run_cycle_upgrade_db() init_directories if [ -r "${OLDHOSTDIR}/cert.log" ]; then - DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*" + DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server $RUN_FIPS SDR server serverCA stapling tools/copydir cert.log cert.done tests.*" for i in $DIRS do cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null @@ -273,7 +275,12 @@ run_cycles() cycles="standard pkix upgradedb sharedb" CYCLES=${NSS_CYCLES:-$cycles} -tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" +if [ -n "$NSS_FORCE_FIPS" ]; then + RUN_FIPS="fips" + export NSS_TEST_ENABLE_FIPS=1 +fi + +tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests" # Don't run chains tests when we have a gyp build. if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then tests="$tests chains" diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh index 9b3455747..be589ef7c 100755 --- a/tests/cert/cert.sh +++ b/tests/cert/cert.sh @@ -1975,19 +1975,19 @@ cert_test_ocspresp() cert_cleanup() { cert_log "$SCRIPTNAME: finished $SCRIPTNAME" - html "</TABLE><BR>" + html "</TABLE><BR>" cd ${QADIR} . common/cleanup.sh } ################## main ################################################# -cert_init +cert_init cert_all_CA -cert_extended_ssl -cert_ssl -cert_smime_client -if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then +cert_extended_ssl +cert_ssl +cert_smime_client +if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then cert_fips fi cert_eccurves @@ -2004,7 +2004,7 @@ else fi if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then - cert_stresscerts + cert_stresscerts fi cert_iopr_setup diff --git a/tests/fips/fips.sh b/tests/fips/fips.sh index 4153e61aa..11bd70b63 100755 --- a/tests/fips/fips.sh +++ b/tests/fips/fips.sh @@ -23,6 +23,7 @@ ######################################################################## fips_init() { + export NSS_TEST_ENABLE_FIPS=1 SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh index 1c58293f9..f1b263514 100755 --- a/tests/ssl/ssl.sh +++ b/tests/ssl/ssl.sh @@ -1172,8 +1172,8 @@ ssl_run_tests() ssl_set_fips server on ;; *) - echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" - continue + html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}" + return 1 ;; esac @@ -1186,8 +1186,8 @@ ssl_run_tests() ssl_set_fips client on ;; *) - echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" - continue + html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}" + return 1 ;; esac |