authorMartin Thomson <martin.thomson@gmail.com>2017-08-24 10:16:13 +1000
committerMartin Thomson <martin.thomson@gmail.com>2017-08-24 10:16:13 +1000
commit0ec9a2703f77ec33765b318cc1ec519206faec26 (patch)
treebae90a4678ce056d51fcf594c67fa16976a7b5b5
parentdaa71317c427f1e96ba7819df1b5e8dfbf0d39bb (diff)
parentae7880aaf35321274152907955868ef50c0255d1 (diff)
downloadnss-hg-0ec9a2703f77ec33765b318cc1ec519206faec26.tar.gz
Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH, a=merge
-rw-r--r--automation/taskcluster/graph/src/extend.js91
-rw-r--r--automation/taskcluster/windows/setup.sh2
-rwxr-xr-xbuild.sh3
-rw-r--r--coreconf/config.gypi8
-rw-r--r--cpputil/scoped_ptrs.h2
-rwxr-xr-xfuzz/config/git-copy.sh27
-rw-r--r--fuzz/mpi_expmod_target.cc6
-rw-r--r--fuzz/mpi_helper.cc6
-rw-r--r--fuzz/mpi_helper.h1
-rw-r--r--gtests/softoken_gtest/softoken_gtest.cc117
-rw-r--r--gtests/ssl_gtest/ssl_ecdh_unittest.cc2
-rw-r--r--help.txt4
-rw-r--r--lib/freebl/blapii.h2
-rw-r--r--lib/freebl/det_rng.c27
-rw-r--r--lib/freebl/fipsfreebl.c6
-rw-r--r--lib/freebl/gcm.c10
-rw-r--r--lib/freebl/ldvector.c6
-rw-r--r--lib/freebl/nsslowhash.c6
-rw-r--r--lib/freebl/rijndael.c10
-rw-r--r--lib/freebl/shvfy.c22
-rw-r--r--lib/pk11wrap/pk11skey.c4
-rw-r--r--lib/pk11wrap/pk11slot.c5
-rw-r--r--lib/softoken/fipstest.c9
-rw-r--r--lib/softoken/legacydb/lgfips.c4
-rw-r--r--lib/softoken/legacydb/lginit.c4
-rw-r--r--lib/softoken/pkcs11.c12
-rwxr-xr-xmach65
-rw-r--r--nss.gyp6
-rw-r--r--readme.md45
-rwxr-xr-xtests/all.sh11
-rwxr-xr-xtests/cert/cert.sh14
-rwxr-xr-xtests/fips/fips.sh1
-rwxr-xr-xtests/ssl/ssl.sh8
33 files changed, 426 insertions, 120 deletions
diff --git a/automation/taskcluster/graph/src/extend.js b/automation/taskcluster/graph/src/extend.js
index 3603afaa4..06e764261 100644
--- a/automation/taskcluster/graph/src/extend.js
+++ b/automation/taskcluster/graph/src/extend.js
@@ -91,11 +91,19 @@ queue.filter(task => {
queue.map(task => {
if (task.collection == "asan") {
// CRMF and FIPS tests still leak, unfortunately.
- if (task.tests == "crmf" || task.tests == "fips") {
+ if (task.tests == "crmf") {
task.env.ASAN_OPTIONS = "detect_leaks=0";
}
}
+ // We don't run FIPS SSL tests
+ if (task.tests == "ssl") {
+ if (!task.env) {
+ task.env = {};
+ }
+ task.env.NSS_SSL_TESTS = "crl iopr policy";
+ }
+
// Windows is slow.
if (task.platform == "windows2012-64" && task.tests == "chains") {
task.maxRunTime = 7200;
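Review bot: The comment above the ASan leak exemption still reads "CRMF and FIPS tests still leak", although the condition on the new side only matches `crmf`. It should become `// CRMF tests still leak, unfortunately.` so nobody assumes FIPS runs are still exempt from leak detection. The ASan branch also writes `task.env.ASAN_OPTIONS` without the `if (!task.env)` guard that the new `ssl` block uses, which is inconsistent if `task.env` can be absent. The `queue.map` callback continues outside the hunk.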
@@ -320,6 +328,46 @@ async function scheduleLinux(name, base, args = "") {
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));
+ // Make builds run FIPS tests, which need an extra FIPS build.
+ if (base.collection == "make") {
+ let extra_build = queue.scheduleTask(merge(build_base, {
+ env: { NSS_FORCE_FIPS: "1" },
+ group: "FIPS",
+ name: `${name} w/ NSS_FORCE_FIPS`
+ }));
+
+ // The task that generates certificates.
+ let task_cert = queue.scheduleTask(merge(build_base, {
+ name: "Certificates",
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh"
+ ],
+ parent: extra_build,
+ symbol: "Certs-F",
+ group: "FIPS",
+ env: { NSS_TEST_ENABLE_FIPS: "1" }
+ }));
+
+ // Schedule FIPS tests.
+ queue.scheduleTask(merge(base, {
+ parent: task_cert,
+ name: "FIPS",
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
+ ],
+ cycle: "standard",
+ kind: "test",
+ name: "FIPS tests",
+ symbol: "Tests-F",
+ tests: "fips",
+ group: "FIPS"
+ }));
+ }
+
// The task that generates certificates.
let task_cert = queue.scheduleTask(merge(build_base, {
name: "Certificates",
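Review bot: The object passed to the last `queue.scheduleTask(merge(base, {...}))` in the new FIPS block sets `name` twice (`name: "FIPS"` and, further down, `name: "FIPS tests"`). The later key silently wins, so the first entry is dead and should be deleted. The same duplicate is present in the parallel block added to `scheduleWindows` in the next hunk. The two blocks differ only in their command arrays, so a shared helper taking those arrays would keep Linux and Windows from drifting apart. `scheduleLinux` starts and ends outside the hunk.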
@@ -703,6 +751,44 @@ async function scheduleWindows(name, base, build_script) {
symbol: "B"
});
+ // Make builds run FIPS tests, which need an extra FIPS build.
+ if (base.collection == "make") {
+ let extra_build = queue.scheduleTask(merge(build_base, {
+ env: { NSS_FORCE_FIPS: "1" },
+ group: "FIPS",
+ name: `${name} w/ NSS_FORCE_FIPS`
+ }));
+
+ // The task that generates certificates.
+ let task_cert = queue.scheduleTask(merge(build_base, {
+ name: "Certificates",
+ command: [
+ WINDOWS_CHECKOUT_CMD,
+ "bash -c nss/automation/taskcluster/windows/gen_certs.sh"
+ ],
+ parent: extra_build,
+ symbol: "Certs-F",
+ group: "FIPS",
+ env: { NSS_TEST_ENABLE_FIPS: "1" }
+ }));
+
+ // Schedule FIPS tests.
+ queue.scheduleTask(merge(base, {
+ parent: task_cert,
+ name: "FIPS",
+ command: [
+ WINDOWS_CHECKOUT_CMD,
+ "bash -c nss/automation/taskcluster/windows/run_tests.sh"
+ ],
+ cycle: "standard",
+ kind: "test",
+ name: "FIPS tests",
+ symbol: "Tests-F",
+ tests: "fips",
+ group: "FIPS"
+ }));
+ }
+
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));
@@ -781,9 +867,6 @@ function scheduleTests(task_build, task_cert, test_base) {
name: "DB tests", symbol: "DB", tests: "dbtests"
}));
queue.scheduleTask(merge(cert_base, {
- name: "FIPS tests", symbol: "FIPS", tests: "fips"
- }));
- queue.scheduleTask(merge(cert_base, {
name: "Merge tests", symbol: "Merge", tests: "merge"
}));
queue.scheduleTask(merge(cert_base, {
diff --git a/automation/taskcluster/windows/setup.sh b/automation/taskcluster/windows/setup.sh
index 7def50db4..23e99c602 100644
--- a/automation/taskcluster/windows/setup.sh
+++ b/automation/taskcluster/windows/setup.sh
@@ -23,4 +23,4 @@ hg_clone() {
}
hg_clone https://hg.mozilla.org/build/tools tools default
-tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://api.pub.build.mozilla.org/tooltool/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
+tools/scripts/tooltool/tooltool_wrapper.sh $(dirname $0)/releng.manifest https://tooltool.mozilla-releng.net/ non-existant-file.sh /c/mozilla-build/python/python.exe /c/builds/tooltool.py --authentication-file /c/builds/relengapi.tok -c /c/builds/tooltool_cache
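Review bot: The changed line still passes `$(dirname $0)/releng.manifest` unquoted, so a checkout path containing spaces splits into several arguments; `"$(dirname "$0")/releng.manifest"` avoids that. Because this line moves the toolchain download to a different host, a comment on how the downloaded artifacts are verified would also help. Presumably that is by the digests in `releng.manifest`, which is not visible here.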
diff --git a/build.sh b/build.sh
index 2b377dec5..4960238ac 100755
--- a/build.sh
+++ b/build.sh
@@ -73,6 +73,8 @@ while [ $# -gt 0 ]; do
-j) ninja_params+=(-j "$2"); shift ;;
-v) ninja_params+=(-v); verbose=1 ;;
--test) gyp_params+=(-Dtest_build=1) ;;
+ --clang) export CC=clang; export CCC=clang++; export CXX=clang++ ;;
+ --gcc) export CC=gcc; export CCC=g++; export CXX=g++ ;;
--fuzz) fuzz=1 ;;
--fuzz=oss) fuzz=1; fuzz_oss=1 ;;
--fuzz=tls) fuzz=1; fuzz_tls=1 ;;
@@ -94,6 +96,7 @@ while [ $# -gt 0 ]; do
--with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
--system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
--enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
+ --enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
*) show_help; exit 2 ;;
esac
shift
diff --git a/coreconf/config.gypi b/coreconf/config.gypi
index 9ea528ae4..69f19fdf3 100644
--- a/coreconf/config.gypi
+++ b/coreconf/config.gypi
@@ -109,6 +109,7 @@
'nss_public_dist_dir%': '<(nss_dist_dir)/public',
'nss_private_dist_dir%': '<(nss_dist_dir)/private',
'only_dev_random%': 1,
+ 'disable_fips%': 1,
},
'target_defaults': {
# Settings specific to targets should go here.
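Review bot: `'disable_fips%': 1` makes FIPS-disabled the default for gyp builds, and nothing next to the variable says so. A comment such as `# FIPS self-tests and library integrity checks are compiled out unless build.sh is run with --enable-fips.` would warn packagers who need FIPS mode. The effect is visible elsewhere in this commit, where `NSS_FIPS_DISABLED` replaces the `BLAPI_SHVerify*` and `BLAPI_VerifySelf` functions in shvfy.c with stubs returning `PR_FALSE`.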
@@ -125,6 +126,11 @@
'<(nss_dist_dir)/private/<(module)',
],
'conditions': [
+ [ 'disable_fips==1', {
+ 'defines': [
+ 'NSS_FIPS_DISABLED',
+ ],
+ }],
[ 'OS!="android" and OS!="mac" and OS!="win"', {
'libraries': [
'-lpthread',
@@ -167,7 +173,7 @@
},
},
}],
- [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+ [ 'target_arch=="arm64" or target_arch=="aarch64" or target_arch=="sparc64"', {
'defines': [
'NSS_USE_64',
],
diff --git a/cpputil/scoped_ptrs.h b/cpputil/scoped_ptrs.h
index 9f224dfc0..b92b8132b 100644
--- a/cpputil/scoped_ptrs.h
+++ b/cpputil/scoped_ptrs.h
@@ -36,6 +36,7 @@ struct ScopedDelete {
void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
+ void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
};
template <class T>
@@ -66,6 +67,7 @@ SCOPED(SECKEYPrivateKeyList);
SCOPED(PK11URI);
SCOPED(PLArenaPool);
SCOPED(PK11Context);
+SCOPED(PK11GenericObject);
#undef SCOPED
diff --git a/fuzz/config/git-copy.sh b/fuzz/config/git-copy.sh
index a5c7d371d..a9e817e2a 100755
--- a/fuzz/config/git-copy.sh
+++ b/fuzz/config/git-copy.sh
@@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then
exit 2
fi
-REPO=$1
-COMMIT=$2
-DIR=$3
+REPO="$1"
+COMMIT="$2"
+DIR="$3"
echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
-if [ -f $DIR/.git-copy ]; then
- CURRENT=$(cat $DIR/.git-copy)
- if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+if [ -f "$DIR"/.git-copy ]; then
+ CURRENT=$(cat "$DIR"/.git-copy)
+ if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then
# On the off chance that $COMMIT is a remote head.
- ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
+ ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)
else
- ACTUAL=$COMMIT
+ ACTUAL="$COMMIT"
fi
if [ "$CURRENT" = "$ACTUAL" ]; then
echo "Up to date."
@@ -26,8 +26,9 @@ if [ -f $DIR/.git-copy ]; then
fi
fi
-git init -q $DIR
-git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
-git -C $DIR reset --hard git-copy-tmp
-git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
-rm -rf $DIR/.git
+rm -rf "$DIR"
+git init -q "$DIR"
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
+git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
+rm -rf "$DIR"/.git
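Review bot: The added `rm -rf "$DIR"` runs on a caller-supplied path that is only checked for presence (`$# -lt 3`), so an empty third argument or `/` is passed straight to `rm -rf`. `rm -rf -- "${DIR:?}"` aborts on an empty value and stops a leading `-` from being read as an option. Rejecting `/` and the current directory explicitly before the removal would be a further guard.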
diff --git a/fuzz/mpi_expmod_target.cc b/fuzz/mpi_expmod_target.cc
index ed31da354..23826e935 100644
--- a/fuzz/mpi_expmod_target.cc
+++ b/fuzz/mpi_expmod_target.cc
@@ -19,6 +19,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
auto modulus = get_modulus(data, size, ctx);
// Compare with OpenSSL exp mod
m1 = &std::get<1>(modulus);
+ print_bn("A", A);
+ print_bn("B", B);
+ print_bn("m", std::get<0>(modulus));
+ check_equal(A, &a, max_size);
+ check_equal(B, &b, max_size);
+ check_equal(std::get<0>(modulus), m1, 3 * max_size);
assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);
(void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx);
check_equal(C, &c, 2 * max_size);
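Review bot: The three `print_bn` calls write to stdout on every fuzzer input, which floods the log and slows each iteration of `LLVMFuzzerTestOneInput`. Consider printing only when a comparison fails, or gating the output behind a debug switch. Note also that the context line `assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);` performs the computation inside `assert`, so a build with `NDEBUG` would skip it and compare against an unset `c`. The function starts and ends outside the hunk.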
diff --git a/fuzz/mpi_helper.cc b/fuzz/mpi_helper.cc
index 65cf4b9cd..d092fdb11 100644
--- a/fuzz/mpi_helper.cc
+++ b/fuzz/mpi_helper.cc
@@ -12,6 +12,12 @@ char *to_char(const uint8_t *x) {
return reinterpret_cast<char *>(const_cast<unsigned char *>(x));
}
+void print_bn(std::string label, BIGNUM *x) {
+ char *xc = BN_bn2hex(x);
+ std::cout << label << ": " << std::hex << xc << std::endl;
+ OPENSSL_free(xc);
+}
+
// Check that the two numbers are equal.
void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
char *bnBc = BN_bn2hex(b);
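Review bot: `print_bn` streams the result of `BN_bn2hex(x)` without checking it; that function returns NULL on allocation failure, and inserting a null `char *` into `std::cout` is undefined behaviour. Add `if (!xc) return;` before the output line. `std::hex` has no effect on a `char *` and can be dropped. `label` is better taken as `const std::string &label`, here and in the mpi_helper.h declaration, to avoid a copy per call.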
diff --git a/fuzz/mpi_helper.h b/fuzz/mpi_helper.h
index 17383744b..ef7041b25 100644
--- a/fuzz/mpi_helper.h
+++ b/fuzz/mpi_helper.h
@@ -23,6 +23,7 @@ void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a);
std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
BN_CTX *ctx);
+void print_bn(std::string label, BIGNUM *x);
// Initialise MPI and BN variables
// XXX: Also silence unused variable warnings for R.
diff --git a/gtests/softoken_gtest/softoken_gtest.cc b/gtests/softoken_gtest/softoken_gtest.cc
index 2cddaed50..23def6720 100644
--- a/gtests/softoken_gtest/softoken_gtest.cc
+++ b/gtests/softoken_gtest/softoken_gtest.cc
@@ -3,6 +3,7 @@
#include "nspr.h"
#include "nss.h"
#include "pk11pub.h"
+#include "secerr.h"
#include "scoped_ptrs.h"
@@ -25,24 +26,24 @@ namespace nss_test {
// this implementation.
class ScopedUniqueDirectory {
public:
- explicit ScopedUniqueDirectory(const std::string& prefix);
+ explicit ScopedUniqueDirectory(const std::string &prefix);
// NB: the directory must be empty upon destruction
~ScopedUniqueDirectory() { assert(rmdir(mPath.c_str()) == 0); }
- const std::string& GetPath() { return mPath; }
+ const std::string &GetPath() { return mPath; }
private:
static const int RETRY_LIMIT = 5;
- static void GenerateRandomName(/*in/out*/ std::string& prefix);
- static bool TryMakingDirectory(/*in/out*/ std::string& prefix);
+ static void GenerateRandomName(/*in/out*/ std::string &prefix);
+ static bool TryMakingDirectory(/*in/out*/ std::string &prefix);
std::string mPath;
};
-ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) {
+ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string &prefix) {
std::string path;
- const char* workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
+ const char *workingDirectory = PR_GetEnvSecure("NSS_GTEST_WORKDIR");
if (workingDirectory) {
path.assign(workingDirectory);
}
@@ -59,7 +60,7 @@ ScopedUniqueDirectory::ScopedUniqueDirectory(const std::string& prefix) {
assert(mPath.length() > 0);
}
-void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) {
+void ScopedUniqueDirectory::GenerateRandomName(std::string &prefix) {
std::stringstream ss;
ss << prefix;
// RAND_MAX is at least 32767.
@@ -69,7 +70,7 @@ void ScopedUniqueDirectory::GenerateRandomName(std::string& prefix) {
ss >> prefix;
}
-bool ScopedUniqueDirectory::TryMakingDirectory(std::string& prefix) {
+bool ScopedUniqueDirectory::TryMakingDirectory(std::string &prefix) {
GenerateRandomName(prefix);
#if defined(_WIN32)
return _mkdir(prefix.c_str()) == 0;
@@ -91,7 +92,7 @@ class SoftokenTest : public ::testing::Test {
virtual void TearDown() {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
- const std::string& nssDBDirPath = mNSSDBDir.GetPath();
+ const std::string &nssDBDirPath = mNSSDBDir.GetPath();
ASSERT_EQ(0, unlink((nssDBDirPath + "/cert9.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/key4.db").c_str()));
ASSERT_EQ(0, unlink((nssDBDirPath + "/pkcs11.txt").c_str()));
@@ -116,9 +117,105 @@ TEST_F(SoftokenTest, ResetSoftokenNonEmptyPassword) {
EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password2"));
}
+// Test certificate to use in the CreateObject tests.
+static const CK_OBJECT_CLASS cko_nss_trust = CKO_NSS_TRUST;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_TRUST ckt_nss_must_verify_trust = CKT_NSS_MUST_VERIFY_TRUST;
+static const CK_TRUST ckt_nss_trusted_delegator = CKT_NSS_TRUSTED_DELEGATOR;
+static const CK_ATTRIBUTE attributes[] = {
+ {CKA_CLASS, (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS)},
+ {CKA_TOKEN, (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL)},
+ {CKA_PRIVATE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
+ {CKA_MODIFIABLE, (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL)},
+ {CKA_LABEL,
+ (void *)"Symantec Class 2 Public Primary Certification Authority - G4",
+ (PRUint32)61},
+ {CKA_CERT_SHA1_HASH,
+ (void *)"\147\044\220\056\110\001\260\042\226\100\020\106\264\261\147\054"
+ "\251\165\375\053",
+ (PRUint32)20},
+ {CKA_CERT_MD5_HASH,
+ (void *)"\160\325\060\361\332\224\227\324\327\164\337\276\355\150\336\226",
+ (PRUint32)16},
+ {CKA_ISSUER,
+ (void *)"\060\201\224\061\013\060\011\006\003\125\004\006\023\002\125\123"
+ "\061\035\060\033\006\003\125\004\012\023\024\123\171\155\141\156"
+ "\164\145\143\040\103\157\162\160\157\162\141\164\151\157\156\061"
+ "\037\060\035\006\003\125\004\013\023\026\123\171\155\141\156\164"
+ "\145\143\040\124\162\165\163\164\040\116\145\164\167\157\162\153"
+ "\061\105\060\103\006\003\125\004\003\023\074\123\171\155\141\156"
+ "\164\145\143\040\103\154\141\163\163\040\062\040\120\165\142\154"
+ "\151\143\040\120\162\151\155\141\162\171\040\103\145\162\164\151"
+ "\146\151\143\141\164\151\157\156\040\101\165\164\150\157\162\151"
+ "\164\171\040\055\040\107\064",
+ (PRUint32)151},
+ {CKA_SERIAL_NUMBER,
+ (void *)"\002\020\064\027\145\022\100\073\267\126\200\055\200\313\171\125"
+ "\246\036",
+ (PRUint32)18},
+ {CKA_TRUST_SERVER_AUTH, (void *)&ckt_nss_must_verify_trust,
+ (PRUint32)sizeof(CK_TRUST)},
+ {CKA_TRUST_EMAIL_PROTECTION, (void *)&ckt_nss_trusted_delegator,
+ (PRUint32)sizeof(CK_TRUST)},
+ {CKA_TRUST_CODE_SIGNING, (void *)&ckt_nss_must_verify_trust,
+ (PRUint32)sizeof(CK_TRUST)},
+ {CKA_TRUST_STEP_UP_APPROVED, (void *)&ck_false,
+ (PRUint32)sizeof(CK_BBOOL)}};
+
+TEST_F(SoftokenTest, CreateObjectNonEmptyPassword) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
+ EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
+ ScopedPK11GenericObject obj(PK11_CreateGenericObject(
+ slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
+ EXPECT_EQ(nullptr, obj);
+}
+
+TEST_F(SoftokenTest, CreateObjectChangePassword) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, nullptr));
+ EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "", "password"));
+ EXPECT_EQ(SECSuccess, PK11_Logout(slot.get()));
+ ScopedPK11GenericObject obj(PK11_CreateGenericObject(
+ slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
+ EXPECT_EQ(nullptr, obj);
+}
+
+TEST_F(SoftokenTest, CreateObjectChangeToEmptyPassword) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, "password"));
+ EXPECT_EQ(SECSuccess, PK11_ChangePW(slot.get(), "password", ""));
+ // PK11_Logout returnes an error and SEC_ERROR_TOKEN_NOT_LOGGED_IN if the user
+ // is not "logged in".
+ EXPECT_EQ(SECFailure, PK11_Logout(slot.get()));
+ EXPECT_EQ(SEC_ERROR_TOKEN_NOT_LOGGED_IN, PORT_GetError());
+ ScopedPK11GenericObject obj(PK11_CreateGenericObject(
+ slot.get(), attributes, PR_ARRAY_SIZE(attributes), true));
+ // Because there's no password we can't logout and the operation should have
+ // succeeded.
+ EXPECT_NE(nullptr, obj);
+}
+
+class SoftokenNoDBTest : public ::testing::Test {};
+
+TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
+ ASSERT_EQ(SECSuccess, NSS_NoDB_Init("."));
+ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
+ ASSERT_TRUE(slot);
+ EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
+
+ // When shutting down in here we have to release the slot first.
+ slot = nullptr;
+ ASSERT_EQ(SECSuccess, NSS_Shutdown());
+}
+
} // namespace nss_test
-int main(int argc, char** argv) {
+int main(int argc, char **argv) {
::testing::InitGoogleTest(&argc, argv);
return RUN_ALL_TESTS();
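Review bot: In `NeedUserInitNoDB`, a failing `ASSERT_TRUE(slot)` returns before `NSS_Shutdown()`, leaving NSS initialised for whatever test runs next in the process. Moving `NSS_NoDB_Init`/`NSS_Shutdown` into `SetUp`/`TearDown` of the currently empty `SoftokenNoDBTest` fixture fixes that and removes the manual `slot = nullptr`, because the scoped slot is destroyed before `TearDown` runs. Separately, the comment `// Test certificate to use in the CreateObject tests.` describes what is actually a `CKO_NSS_TRUST` object, and "returnes" is a typo. `main` continues outside the hunk.

```cpp
class SoftokenNoDBTest : public ::testing::Test {
 protected:
  virtual void SetUp() { ASSERT_EQ(SECSuccess, NSS_NoDB_Init(".")); }
  // Runs after the test body, so the scoped slot reference is already gone.
  virtual void TearDown() { ASSERT_EQ(SECSuccess, NSS_Shutdown()); }
};

TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
  ASSERT_TRUE(slot);
  EXPECT_EQ(PR_FALSE, PK11_NeedUserInit(slot.get()));
}
```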
diff --git a/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
index 1e406b6c2..f14a49817 100644
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -551,7 +551,7 @@ class ECCServerKEXFilter : public TlsHandshakeFilter {
// Replace the server key exchange message with an empty point
output->Allocate(4);
output->Write(0, 3U, 1); // named curve
- uint32_t curve;
+ uint32_t curve = 0;
EXPECT_TRUE(input.Read(1, 2, &curve)); // get curve id
output->Write(1, curve, 2); // write curve id
output->Write(3, 0U, 1); // point length 0
diff --git a/help.txt b/help.txt
index 30ebef6b1..15d0fe8ca 100644
--- a/help.txt
+++ b/help.txt
@@ -3,6 +3,7 @@ Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
[--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
[--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
+ [--enable-fips]
This script builds NSS with gyp and ninja.
@@ -19,6 +20,8 @@ NSS build tool options:
--gyp|-g force a rerun of gyp
--opt|-o do an opt build
-m32 do a 32-bit build on a 64-bit system
+ --clang build with clang and clang++
+ --gcc build with gcc and g++
--test ignore map files and export everything we have
--fuzz build fuzzing targets (this always enables test builds)
--fuzz=tls to enable TLS fuzzing mode
@@ -41,3 +44,4 @@ NSS build tool options:
--system-nspr use system nspr. This requires an installation of NSPR and
might not work on all systems.
--enable-libpkix make libpkix part of the build.
+ --enable-fips don't disable FIPS checks.
diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h
index b1be7bedf..bcf62e9f3 100644
--- a/lib/freebl/blapii.h
+++ b/lib/freebl/blapii.h
@@ -22,8 +22,10 @@ typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
SEC_BEGIN_PROTOS
+#ifndef NSS_FIPS_DISABLED
SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
PRBool BL_POSTRan(PRBool freeblOnly);
+#endif
#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
diff --git a/lib/freebl/det_rng.c b/lib/freebl/det_rng.c
index 04fce30e8..53d48bc7c 100644
--- a/lib/freebl/det_rng.c
+++ b/lib/freebl/det_rng.c
@@ -8,19 +8,22 @@
#include "nssilock.h"
#include "seccomon.h"
#include "secerr.h"
+#include "prinit.h"
#define GLOBAL_BYTES_SIZE 100
static PRUint8 globalBytes[GLOBAL_BYTES_SIZE];
static unsigned long globalNumCalls = 0;
static PZLock *rng_lock = NULL;
+static PRCallOnceType coRNGInit;
+static const PRCallOnceType pristineCallOnce;
-SECStatus
-RNG_RNGInit(void)
+static PRStatus
+rng_init(void)
{
rng_lock = PZ_NewLock(nssILockOther);
if (!rng_lock) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
+ return PR_FAILURE;
}
/* --- LOCKED --- */
PZ_Lock(rng_lock);
@@ -28,6 +31,17 @@ RNG_RNGInit(void)
PZ_Unlock(rng_lock);
/* --- UNLOCKED --- */
+ return PR_SUCCESS;
+}
+
+SECStatus
+RNG_RNGInit(void)
+{
+ /* Allow only one call to initialize the context */
+ if (PR_CallOnce(&coRNGInit, rng_init) != PR_SUCCESS) {
+ return SECFailure;
+ }
+
return SECSuccess;
}
@@ -97,8 +111,11 @@ RNG_GenerateGlobalRandomBytes(void *dest, size_t len)
void
RNG_RNGShutdown(void)
{
- PZ_DestroyLock(rng_lock);
- rng_lock = NULL;
+ if (rng_lock) {
+ PZ_DestroyLock(rng_lock);
+ rng_lock = NULL;
+ }
+ coRNGInit = pristineCallOnce;
}
/* Test functions are not implemented! */
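Review bot: `coRNGInit = pristineCallOnce;` in `RNG_RNGShutdown` resets the call-once state with a plain struct assignment and no lock, so a concurrent `RNG_RNGInit` could observe a half-reset `PRCallOnceType`. If shutdown is only ever called single-threaded, say so, e.g. `/* Not thread-safe: must not race with RNG_RNGInit(). Resets the call-once so the RNG can be re-initialised. */`. It is also worth noting at `RNG_RNGInit` that a failed `rng_init` is remembered by `PR_CallOnce` until the next shutdown.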
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
index 094513560..a57de05e0 100644
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -6,6 +6,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */
+#ifndef NSS_FIPS_DISABLED
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
@@ -1589,9 +1590,6 @@ static PRBool self_tests_freebl_ran = PR_FALSE;
static PRBool self_tests_ran = PR_FALSE;
static PRBool self_tests_freebl_success = PR_FALSE;
static PRBool self_tests_success = PR_FALSE;
-#if defined(DEBUG)
-static PRBool fips_mode_available = PR_FALSE;
-#endif
/*
* accessors for freebl
@@ -1644,7 +1642,6 @@ bl_startup_tests(void)
PORT_Assert(self_tests_freebl_ran == PR_FALSE);
PORT_Assert(self_tests_success == PR_FALSE);
- PORT_Assert(fips_mode_available == PR_FALSE);
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
self_tests_success = PR_FALSE; /* force it just in case */
self_tests_freebl_success = PR_FALSE; /* force it just in case */
@@ -1713,3 +1710,4 @@ BL_FIPSEntryOK(PRBool freebl_only)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
+#endif
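Review bot: The closing `#endif` added at the end of the file is roughly 1700 lines away from the `#ifndef NSS_FIPS_DISABLED` it matches and carries no label. Write it as `#endif /* NSS_FIPS_DISABLED */`, as shvfy.c, lgfips.c and fipstest.c do in this same commit.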
diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
index 0fdb0fd48..34e034e24 100644
--- a/lib/freebl/gcm.c
+++ b/lib/freebl/gcm.c
@@ -574,7 +574,7 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
const unsigned char *params)
{
GCMContext *gcm = NULL;
- gcmHashContext *ghash = NULL;
+ gcmHashContext *ghash = NULL, *ghashmem = NULL;
unsigned char H[MAX_BLOCK_SIZE];
unsigned int tmp;
PRBool freeCtr = PR_FALSE;
@@ -596,13 +596,13 @@ GCM_CreateContext(void *context, freeblCipherFunc cipher,
return NULL;
}
/* aligned_alloc is C11 so we have to do it the old way. */
- ghash = PORT_ZAlloc(sizeof(gcmHashContext) + 15);
- if (ghash == NULL) {
+ ghashmem = PORT_ZAlloc(sizeof(gcmHashContext) + 15);
+ if (ghashmem == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
- ghash->mem = ghash;
- ghash = (gcmHashContext *)(((uintptr_t)ghash + 15) & ~(uintptr_t)0x0F);
+ ghash = (gcmHashContext *)(((uintptr_t)ghashmem + 15) & ~(uintptr_t)0x0F);
+ ghash->mem = ghashmem;
/* first plug in the ghash context */
gcm->ghash_context = ghash;
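Review bot: After this fix the pointer that must be freed is `ghashmem` (stored in `ghash->mem`), not the aligned `ghash`, and the `loser` label that cleans up on failure lies outside the hunk. Please confirm that this path and the destroy function release `ghash->mem`; freeing the aligned pointer would corrupt the heap whenever the allocation was not already 16-byte aligned. A short comment such as `/* ghash is the 16-byte aligned view; ghash->mem keeps the pointer PORT_ZAlloc returned, for freeing. */` would make the invariant explicit. The same applies to `AES_AllocateContext` in lib/freebl/rijndael.c.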
diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c
index 2447a0c9f..6897c7c50 100644
--- a/lib/freebl/ldvector.c
+++ b/lib/freebl/ldvector.c
@@ -320,8 +320,12 @@ FREEBL_GetVector(void)
return NULL;
}
#endif
- /* make sure the Full self tests have been run before continuing */
+
+#ifndef NSS_FIPS_DISABLED
+ /* In FIPS mode make sure the Full self tests have been run before
+ * continuing. */
BL_POSTRan(PR_FALSE);
+#endif
return &vector;
}
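Review bot: The new comment says the call makes sure the full self tests have been run, but the return value of `BL_POSTRan(PR_FALSE)` is discarded, so `FREEBL_GetVector` hands out `&vector` whether or not they passed. If failures are caught later (presumably by `BL_FIPSEntryOK` at each entry point), say so in the comment, e.g. `/* Triggers the full self tests if they have not run yet; the result is checked later by BL_FIPSEntryOK(). */`. Otherwise check the result here. Either way a `(void)` cast would mark the ignored return as deliberate.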
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
index 5ed039689..22f97810f 100644
--- a/lib/freebl/nsslowhash.c
+++ b/lib/freebl/nsslowhash.c
@@ -22,6 +22,7 @@ struct NSSLOWHASHContextStr {
void *hashCtxt;
};
+#ifndef NSS_FIPS_DISABLED
static int
nsslow_GetFIPSEnabled(void)
{
@@ -40,9 +41,10 @@ nsslow_GetFIPSEnabled(void)
return 0;
if (d != '1')
return 0;
-#endif
+#endif /* LINUX */
return 1;
}
+#endif /* NSS_FIPS_DISABLED */
static NSSLOWInitContext dummyContext = { 0 };
static PRBool post_failed = PR_TRUE;
@@ -54,6 +56,7 @@ NSSLOW_Init(void)
(void)FREEBL_InitStubs();
#endif
+#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
if (nsslow_GetFIPSEnabled()) {
@@ -63,6 +66,7 @@ NSSLOW_Init(void)
return NULL;
}
}
+#endif
post_failed = PR_FALSE;
return &dummyContext;
diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c
index e4ad60388..7381ea201 100644
--- a/lib/freebl/rijndael.c
+++ b/lib/freebl/rijndael.c
@@ -1018,13 +1018,15 @@ AESContext *
AES_AllocateContext(void)
{
/* aligned_alloc is C11 so we have to do it the old way. */
- AESContext *ctx = PORT_ZAlloc(sizeof(AESContext) + 15);
- if (ctx == NULL) {
+ AESContext *ctx, *ctxmem;
+ ctxmem = PORT_ZAlloc(sizeof(AESContext) + 15);
+ if (ctxmem == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return NULL;
}
- ctx->mem = ctx;
- return (AESContext *)(((uintptr_t)ctx + 15) & ~(uintptr_t)0x0F);
+ ctx = (AESContext *)(((uintptr_t)ctxmem + 15) & ~(uintptr_t)0x0F);
+ ctx->mem = ctxmem;
+ return ctx;
}
/*
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
index bd9cd1c94..98db4614b 100644
--- a/lib/freebl/shvfy.c
+++ b/lib/freebl/shvfy.c
@@ -19,6 +19,8 @@
#include "pqg.h"
#include "blapii.h"
+#ifndef NSS_FIPS_DISABLED
+
/*
* Most modern version of Linux support a speed optimization scheme where an
* application called prelink modifies programs and shared libraries to quickly
@@ -537,3 +539,23 @@ BLAPI_VerifySelf(const char *name)
}
return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
}
+
+#else /* NSS_FIPS_DISABLED */
+
+PRBool
+BLAPI_SHVerifyFile(const char *shName)
+{
+ return PR_FALSE;
+}
+PRBool
+BLAPI_SHVerify(const char *name, PRFuncPtr addr)
+{
+ return PR_FALSE;
+}
+PRBool
+BLAPI_VerifySelf(const char *name)
+{
+ return PR_FALSE;
+}
+
+#endif /* NSS_FIPS_DISABLED */
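Review bot: The three stubs compiled under `NSS_FIPS_DISABLED` return `PR_FALSE`, i.e. "verification failed", which is presumably a deliberate fail-closed choice but is not stated anywhere. A comment above them, e.g. `/* FIPS support is compiled out: always report failure so no caller treats the library as integrity-checked. */`, would stop a later cleanup from flipping them to `PR_TRUE`. The stub `sftk_FIPSEntryOK` in lib/softoken/fipstest.c, which returns `CKR_DEVICE_ERROR`, deserves the same remark.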
diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c
index 1ef53e1d7..cf2a40a2f 100644
--- a/lib/pk11wrap/pk11skey.c
+++ b/lib/pk11wrap/pk11skey.c
@@ -182,6 +182,10 @@ PK11_FreeSymKey(PK11SymKey *symKey)
PK11SlotInfo *slot;
PRBool freeit = PR_TRUE;
+ if (!symKey) {
+ return;
+ }
+
if (PR_ATOMIC_DECREMENT(&symKey->refCount) == 0) {
PK11SymKey *parent = symKey->parent;
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
index 0a6ed6c08..c39abe17e 100644
--- a/lib/pk11wrap/pk11slot.c
+++ b/lib/pk11wrap/pk11slot.c
@@ -1182,7 +1182,7 @@ PK11_InitToken(PK11SlotInfo *slot, PRBool loadCerts)
/* set the slot flags to the current token values */
slot->series++; /* allow other objects to detect that the
- * slot is different */
+ * slot is different */
slot->flags = slot->tokenInfo.flags;
slot->needLogin = ((slot->tokenInfo.flags & CKF_LOGIN_REQUIRED) ? PR_TRUE : PR_FALSE);
slot->readOnly = ((slot->tokenInfo.flags & CKF_WRITE_PROTECTED) ? PR_TRUE : PR_FALSE);
@@ -1471,6 +1471,9 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT_ID slotID, PK11SlotInfo *slot)
slot->hasRootCerts = PR_TRUE;
}
}
+ if ((slotInfo.flags & CKF_USER_PIN_INITIALIZED) != 0) {
+ slot->flags |= CKF_USER_PIN_INITIALIZED;
+ }
}
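Review bot: `CKF_USER_PIN_INITIALIZED` is defined by PKCS #11 as a token-info flag, yet the added lines test it in `slotInfo.flags`, which comes from the slot info. That matches what softoken now reports in `NSC_GetSlotInfo` (lib/softoken/pkcs11.c in this commit), but a third-party module that uses the same bit in its slot flags for something else would be misread here. A comment such as `/* softoken sets this token flag in the slot info when there is no key DB */` would document the convention. It is also worth confirming that the later `slot->flags = slot->tokenInfo.flags;` in `PK11_InitToken` does not discard the bit. `PK11_InitSlot` starts outside the hunk.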
/*********************************************************************
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
index 3563bd2d2..0cca74d6e 100644
--- a/lib/softoken/fipstest.c
+++ b/lib/softoken/fipstest.c
@@ -5,6 +5,7 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#ifndef NSS_FIPS_DISABLED
#include "seccomon.h"
#include "blapi.h"
#include "softoken.h"
@@ -652,3 +653,11 @@ sftk_FIPSEntryOK()
}
return CKR_OK;
}
+#else
+#include "pkcs11t.h"
+CK_RV
+sftk_FIPSEntryOK()
+{
+ return CKR_DEVICE_ERROR;
+}
+#endif /* NSS_FIPS_DISABLED */
diff --git a/lib/softoken/legacydb/lgfips.c b/lib/softoken/legacydb/lgfips.c
index b017424db..b991dcf8e 100644
--- a/lib/softoken/legacydb/lgfips.c
+++ b/lib/softoken/legacydb/lgfips.c
@@ -6,6 +6,8 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */
+#ifndef NSS_FIPS_DISABLED
+
#include "seccomon.h"
#include "lgdb.h"
#include "blapi.h"
@@ -113,3 +115,5 @@ lg_FIPSEntryOK()
#endif
return lg_self_tests_success;
}
+
+#endif /* NSS_FIPS_DISABLED */
diff --git a/lib/softoken/legacydb/lginit.c b/lib/softoken/legacydb/lginit.c
index 6913eea50..4f0b53f52 100644
--- a/lib/softoken/legacydb/lginit.c
+++ b/lib/softoken/legacydb/lginit.c
@@ -586,11 +586,15 @@ legacy_Open(const char *configdir, const char *certPrefix,
#define NSS_VERSION_VARIABLE __nss_dbm_version
#include "verref.h"
+#ifndef NSS_FIPS_DISABLED
if (flags & SDB_FIPS) {
+ /* We shouldn't get here when FIPS is not enabled on the database. But
+ * we also don't care when this NSS build doesn't support FIPS. */
if (!lg_FIPSEntryOK()) {
return CKR_DEVICE_ERROR;
}
}
+#endif
rv = SECOID_Init();
if (SECSuccess != rv) {
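Review bot: With `NSS_FIPS_DISABLED` defined, `legacy_Open` now accepts `SDB_FIPS` in `flags` and proceeds without any self-test, whereas the disabled-build stub of `sftk_FIPSEntryOK` in this commit fails closed with `CKR_DEVICE_ERROR`. If a caller can still pass `SDB_FIPS` on such a build, returning `CKR_DEVICE_ERROR` from an `#else` branch would keep the two consistent. If it cannot, the comment should name the upstream check that guarantees this rather than saying "we also don't care". `legacy_Open` starts and ends outside the hunk.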
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
index 4e940990e..16caf24e7 100644
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -3305,6 +3305,15 @@ NSC_GetSlotInfo(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
}
}
+ /* If there is no key database, this is for example the case when NSS was
+ * initialized with NSS_NoDbInit(), then there won't be any point in
+ * requesting a PIN. Set the CKF_USER_PIN_INITIALIZED bit so that
+ * PK11_NeedUserInit() doesn't indicate that a PIN is needed.
+ */
+ if (slot->keyDB == NULL) {
+ pInfo->flags |= CKF_USER_PIN_INITIALIZED;
+ }
+
/* ok we really should read it out of the keydb file. */
/* pInfo->hardwareVersion.major = NSSLOWKEY_DB_FILE_VERSION; */
pInfo->hardwareVersion.major = SOFTOKEN_VMAJOR;
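Review bot: The new comment names `NSS_NoDbInit()`, but the function exercised by the accompanying test in softoken_gtest.cc is `NSS_NoDB_Init()`; the comment should use that spelling so it can be found by search. Its first sentence would also read more clearly as `If there is no key database (for example after NSS_NoDB_Init()), there is no point in requesting a PIN.` `NSC_GetSlotInfo` continues outside the hunk.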
@@ -3788,7 +3797,10 @@ NSC_SetPIN(CK_SESSION_HANDLE hSession, CK_CHAR_PTR pOldPin,
/* Now update our local copy of the pin */
if (rv == SECSuccess) {
+ PZ_Lock(slot->slotLock);
slot->needLogin = (PRBool)(ulNewLen != 0);
+ slot->isLoggedIn = (PRBool)(sftkdb_PWCached(handle) == SECSuccess);
+ PZ_Unlock(slot->slotLock);
/* Reset login flags. */
if (ulNewLen == 0) {
PRBool tokenRemoved = PR_FALSE;
diff --git a/mach b/mach
index 3592299e6..2620d134e 100755
--- a/mach
+++ b/mach
@@ -3,7 +3,7 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-################################################################################
+##########################################################################
#
# This is a collection of helper tools to get stuff done in NSS.
#
@@ -23,13 +23,15 @@ class cfAction(argparse.Action):
restorecon = None
def __call__(self, parser, args, values, option_string=None):
- if "noroot" not in values:
+ if not args.noroot:
self.setDockerCommand()
+
+ if values:
+ files = [os.path.abspath(x) for x in values]
else:
- values.remove("noroot")
- files = [os.path.join('/home/worker/nss',
- os.path.relpath(os.path.abspath(x), start=cwd))
- for x in values]
+ files = self.modifiedFiles()
+ files = [os.path.join('/home/worker/nss', os.path.relpath(x, start=cwd))
+ for x in files]
# First check if we can run docker.
try:
@@ -59,9 +61,10 @@ class cfAction(argparse.Action):
self.buildImage(docker_image, cf_docker_folder)
command = self.docker_command + [
- 'run', '-v', cwd + ':/home/worker/nss:Z', '--rm', '-ti', docker_image
+ 'run', '-v', cwd + ':/home/worker/nss:Z', '--rm', '-ti', docker_image
]
- # The clang format script returns 1 if something's to do. We don't care.
+ # The clang format script returns 1 if something's to do. We don't
+ # care.
subprocess.call(command + files)
if self.restorecon is not None:
subprocess.call([self.restorecon, '-R', cwd])
@@ -97,14 +100,40 @@ class cfAction(argparse.Action):
self.restorecon = find_executable('restorecon')
self.docker_command = ["sudo"] + self.docker_command
+ def modifiedFiles(self):
+ files = []
+ if os.path.exists(os.path.join(cwd, '.hg')):
+ st = subprocess.Popen(['hg', 'status', '-m', '-a'],
+ cwd=cwd, stdout=subprocess.PIPE)
+ for line in iter(st.stdout.readline, ''):
+ files += [line[2:].rstrip()]
+ elif os.path.exists(os.path.join(cwd, '.git')):
+ st = subprocess.Popen(['git', 'status', '--porcelain'],
+ cwd=cwd, stdout=subprocess.PIPE)
+ for line in iter(st.stdout.readline, ''):
+ if line[1] == 'M' or line[1] != 'D' and \
+ (line[0] == 'M' or line[0] == 'A' or
+ line[0] == 'C' or line[0] == 'U'):
+ files += [line[3:].rstrip()]
+ elif line[0] == 'R':
+ files += [line[line.index(' -> ', beg=4) + 4:]]
+ else:
+ print('Warning: neither mercurial nor git detected!')
+
+ def isFormatted(x):
+ return x[-2:] == '.c' or x[-3:] == '.cc' or x[-2:] == '.h'
+ return [x for x in files if isFormatted(x)]
+
class buildAction(argparse.Action):
+
def __call__(self, parser, args, values, option_string=None):
cwd = os.path.dirname(os.path.abspath(__file__))
subprocess.check_call([cwd + "/build.sh"] + values)
class testAction(argparse.Action):
+
def runTest(self, test, cycles="standard"):
cwd = os.path.dirname(os.path.abspath(__file__))
domsuf = os.getenv('DOMSUF', "localdomain")
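Review bot: In `modifiedFiles`, the rename branch calls `line.index(' -> ', beg=4)`, but `str.index` accepts no keyword arguments, so the first renamed file in `git status --porcelain` output raises `TypeError`. That branch also keeps the trailing newline that the other branches strip; `files += [line[line.index(' -> ', 4) + 4:].rstrip()]` fixes both. Separately, `iter(st.stdout.readline, '')` relies on the pipe returning `str`: if mach is run under Python 3 (the interpreter line is not visible here) `readline` returns `bytes`, the `''` sentinel never matches and the loop does not terminate.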
@@ -115,8 +144,10 @@ class testAction(argparse.Action):
"DOMSUF": domsuf,
"HOST": host
}
+ os_env = os.environ
+ os_env.update(env)
command = cwd + "/tests/all.sh"
- subprocess.check_call(command, env=env)
+ subprocess.check_call(command, env=os_env)
def __call__(self, parser, args, values, option_string=None):
self.runTest(values)
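Review bot: `os_env = os.environ` aliases the live process environment rather than copying it, so `os_env.update(env)` permanently changes the environment of mach itself and of every later subprocess, not just of `tests/all.sh`. Taking a copy keeps the override local to this call: `os_env = os.environ.copy()` followed by `os_env.update(env)`. `runTest` begins outside this hunk.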
@@ -124,6 +155,7 @@ class testAction(argparse.Action):
class commandsAction(argparse.Action):
commands = []
+
def __call__(self, parser, args, values, option_string=None):
for c in commandsAction.commands:
print(c)
@@ -142,11 +174,20 @@ def parse_arguments():
parser_cf = subparsers.add_parser(
'clang-format',
- help='Run clang-format on all folders or provide a folder to format.')
+ help="""
+ Run clang-format.
+
+ By default this runs against any files that you have modified. If
+ there are no modified files, it checks everything.
+ """)
+ parser_cf.add_argument(
+ '--noroot',
+ help='On linux, suppress the use of \'sudo\' for running docker.',
+ action='store_true')
parser_cf.add_argument(
- 'cf_args',
+ '<file/dir>',
nargs='*',
- help="clang-format folders and noroot if you don't want to use sudo",
+ help="Specify files or directories to run clang-format on",
action=cfAction)
parser_test = subparsers.add_parser(
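Review bot: Naming the positional `'<file/dir>'` makes that literal string the attribute name on the parsed namespace, so it is reachable only through `getattr`. A plain dest with a display name keeps the help output the same and the namespace usable: `parser_cf.add_argument('files', metavar='<file/dir>', nargs='*', ...)`. The help text also says everything is checked when no files are modified, but `cfAction` then passes an empty file list to the container; a comment stating that the script inside the image supplies that default would help, if that is indeed where it comes from. `parse_arguments` continues outside this hunk.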
diff --git a/nss.gyp b/nss.gyp
index 1727dbe0b..5a9baa537 100644
--- a/nss.gyp
+++ b/nss.gyp
@@ -131,7 +131,6 @@
'cmd/digest/digest.gyp:digest',
'cmd/ecperf/ecperf.gyp:ecperf',
'cmd/fbectest/fbectest.gyp:fbectest',
- 'cmd/fipstest/fipstest.gyp:fipstest',
'cmd/httpserv/httpserv.gyp:httpserv',
'cmd/listsuites/listsuites.gyp:listsuites',
'cmd/makepqg/makepqg.gyp:makepqg',
@@ -190,6 +189,11 @@
'gtests/freebl_gtest/freebl_gtest.gyp:freebl_gtest',
],
}],
+ [ 'disable_fips==0', {
+ 'dependencies': [
+ 'cmd/fipstest/fipstest.gyp:fipstest',
+ ],
+ }],
],
},
],
diff --git a/readme.md b/readme.md
index f04311df8..41e8b4b16 100644
--- a/readme.md
+++ b/readme.md
@@ -41,49 +41,8 @@ directory `lib`, and tools in directory `bin`. In order to run the tools, set
your system environment to use the libraries of your build from the "lib"
directory, e.g., using the `LD_LIBRARY_PATH` or `DYLD_LIBRARY_PATH`.
- Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
- [--test] [--pprof] [--scan-build[=output]] [--ct-verif]
- [--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
- [--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
- [--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
-
- This script builds NSS with gyp and ninja.
-
- This build system is still under development. It does not yet support all
- the features or platforms that NSS supports.
-
- NSS build tool options:
-
- -h display this help and exit
- -c clean before build
- -v verbose build
- -j <n> run at most <n> concurrent jobs
- --nspr force a rebuild of NSPR
- --gyp|-g force a rerun of gyp
- --opt|-o do an opt build
- -m32 do a 32-bit build on a 64-bit system
- --test ignore map files and export everything we have
- --fuzz build fuzzing targets (this always enables test builds)
- --fuzz=tls to enable TLS fuzzing mode
- --fuzz=oss to build for OSS-Fuzz
- --pprof build with gperftool support
- --ct-verif build with valgrind for ct-verif
- --scan-build run the build with scan-build (scan-build has to be in the path)
- --scan-build=/out/path sets the output path for scan-build
- --asan do an asan build
- --ubsan do an ubsan build
- --ubsan=bool,shift,... sets specific UB sanitizers
- --msan do an msan build
- --sancov do sanitize coverage builds
- --sancov=func sets coverage to function level for example
- --disable-tests don't build tests and corresponding cmdline utils
- --system-sqlite use system sqlite
- --no-zdefs don't set -Wl,-z,defs
- --with-nspr don't build NSPR but use the one at the given location, e.g.
- --with-nspr=/path/to/nspr/include:/path/to/nspr/lib
- --system-nspr use system nspr. This requires an installation of NSPR and
- might not work on all systems.
- --enable-libpkix make libpkix part of the build.
+See [help.txt](https://hg.mozilla.org/projects/nss/raw-file/tip/help.txt) for
+more information on using build.sh.
## Building NSS (legacy build system)
diff --git a/tests/all.sh b/tests/all.sh
index 833817f4a..42ba7a6da 100755
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -107,6 +107,8 @@
#
########################################################################
+RUN_FIPS=""
+
############################## run_tests ###############################
# run test suites defined in TESTS variable, skip scripts defined in
# TESTS_SKIP variable
@@ -187,7 +189,7 @@ run_cycle_upgrade_db()
init_directories
if [ -r "${OLDHOSTDIR}/cert.log" ]; then
- DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server fips SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
+ DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server $RUN_FIPS SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
for i in $DIRS
do
cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
@@ -273,7 +275,12 @@ run_cycles()
cycles="standard pkix upgradedb sharedb"
CYCLES=${NSS_CYCLES:-$cycles}
-tests="cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
+if [ -n "$NSS_FORCE_FIPS" ]; then
+ RUN_FIPS="fips"
+ export NSS_TEST_ENABLE_FIPS=1
+fi
+
+tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests"
# Don't run chains tests when we have a gyp build.
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
tests="$tests chains"
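Review bot: When `NSS_FORCE_FIPS` is unset, `fips` is dropped from `tests` with no trace in the output, so a run that never exercised FIPS mode looks the same in the logs as one that did. An `else` branch that records the skip would make the coverage gap visible, e.g. `echo "FIPS tests skipped; set NSS_FORCE_FIPS=1 to run them"`. Also, a `NSS_TEST_ENABLE_FIPS` inherited from the caller's environment is not cleared here, so cert.sh, which tests that variable in this same commit, can still run `cert_fips` while the fips suite is skipped. If the two are meant to move together, add `unset NSS_TEST_ENABLE_FIPS` in the `else` branch.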
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
index 9b3455747..be589ef7c 100755
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -1975,19 +1975,19 @@ cert_test_ocspresp()
cert_cleanup()
{
cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
- html "</TABLE><BR>"
+ html "</TABLE><BR>"
cd ${QADIR}
. common/cleanup.sh
}
################## main #################################################
-cert_init
+cert_init
cert_all_CA
-cert_extended_ssl
-cert_ssl
-cert_smime_client
-if [ -z "$NSS_TEST_DISABLE_FIPS" ]; then
+cert_extended_ssl
+cert_ssl
+cert_smime_client
+if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
cert_fips
fi
cert_eccurves
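Review bot: The new guard `if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then` uses the bash-only `[[ ]]` form, while the line it replaces and the `DO_DIST_ST` test in the next hunk use `[ ]`. `if [ -n "$NSS_TEST_ENABLE_FIPS" ]; then` matches the rest of the script and does not depend on which shell sources it. Because the check flips from opt-out to opt-in, an existing `NSS_TEST_DISABLE_FIPS` setting is now silently ignored. A one-line comment above the guard naming the new variable and where all.sh and fips.sh set it would help whoever next looks for why `cert_fips` did not run.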
@@ -2004,7 +2004,7 @@ else
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
- cert_stresscerts
+ cert_stresscerts
fi
cert_iopr_setup
diff --git a/tests/fips/fips.sh b/tests/fips/fips.sh
index 4153e61aa..11bd70b63 100755
--- a/tests/fips/fips.sh
+++ b/tests/fips/fips.sh
@@ -23,6 +23,7 @@
########################################################################
fips_init()
{
+ export NSS_TEST_ENABLE_FIPS=1
SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh
if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
index 1c58293f9..f1b263514 100755
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -1172,8 +1172,8 @@ ssl_run_tests()
ssl_set_fips server on
;;
*)
- echo "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
- continue
+ html_failed "${SCRIPTNAME}: Error: Unknown server mode ${SERVER_MODE}"
+ return 1
;;
esac
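Review bot: Replacing `continue` with `return 1` makes `ssl_run_tests` exit on an unknown mode, and in the client-mode hunk that follows this happens after the server-mode `case` may already have run `ssl_set_fips server on`. If the loop turns FIPS mode back off later in the iteration (not visible in these hunks), the early return skips that and leaves the server database in FIPS mode for whatever runs next. Either validate `SERVER_MODE` and `CLIENT_MODE` together before either `ssl_set_fips` call, or undo the server setting before returning. Callers that previously ignored the function's status also need to check it now for the failure to propagate. `ssl_run_tests` starts and ends outside both hunks.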
@@ -1186,8 +1186,8 @@ ssl_run_tests()
ssl_set_fips client on
;;
*)
- echo "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
- continue
+ html_failed "${SCRIPTNAME}: Error: Unknown client mode ${CLIENT_MODE}"
+ return 1
;;
esac