summaryrefslogtreecommitdiffstats
path: root/security/nss/automation
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/automation')
-rw-r--r--security/nss/automation/abi-check/expected-report-libnss3.so.txt15
-rw-r--r--security/nss/automation/abi-check/expected-report-libnssutil3.so.txt15
-rw-r--r--security/nss/automation/abi-check/expected-report-libsmime3.so.txt49
-rw-r--r--security/nss/automation/abi-check/previous-nss-release2
-rw-r--r--security/nss/automation/taskcluster/docker-acvp/Dockerfile3
-rw-r--r--security/nss/automation/taskcluster/graph/src/extend.js1
-rw-r--r--security/nss/automation/taskcluster/graph/src/try_syntax.js2
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch50
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch2
-rw-r--r--security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch2
-rwxr-xr-xsecurity/nss/automation/taskcluster/scripts/run_hacl.sh62
11 files changed, 197 insertions, 6 deletions
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
index e69de29bb2..582afe387f 100644
--- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt
@@ -0,0 +1,15 @@
+
+1 function with some indirect sub-type change:
+
+ [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes:
+ parameter 2 of type 'typedef SECOidTag' has sub-type changes:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
index e69de29bb2..ed076df300 100644
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -0,0 +1,15 @@
+
+1 function with some indirect sub-type change:
+
+ [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2291:1 has some indirect sub-type changes:
+ parameter 1 of type 'typedef SECOidTag' has sub-type changes:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
index e69de29bb2..69cd2ae3a9 100644
--- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt
@@ -0,0 +1,49 @@
+
+1 Added function:
+
+ 'function PRBool NSS_CMSRecipient_IsSupported(CERTCertificate*)' {NSS_CMSRecipient_IsSupported@@NSS_3.99}
+
+1 function with some indirect sub-type change:
+
+ [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
+ parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
+ in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
+ underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
+ type size hasn't changed
+ 1 data member changes (2 filtered):
+ type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
+ underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
+ type size hasn't changed
+ 1 data member changes (3 filtered):
+ type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
+ in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
+ underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed:
+ type size hasn't changed
+ 1 data member changes (1 filtered):
+ type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
+ in pointed to type 'NSSCMSAttribute*':
+ in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
+ underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed:
+ type size hasn't changed
+ 1 data member change:
+ type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
+ in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
+ underlying type 'struct SECOidDataStr' at secoidt.h:536:1 changed:
+ type size hasn't changed
+ 1 data member change:
+ type of 'SECOidTag SECOidDataStr::offset' changed:
+ underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
+ type size hasn't changed
+ 2 enumerator insertions:
+ '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373'
+ '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374'
+
+ 1 enumerator change:
+ '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1
+
+
+
+
+
+
+
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
index b99c3e7670..0dea1b7b74 100644
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_97_BRANCH
+NSS_3_98_BRANCH
diff --git a/security/nss/automation/taskcluster/docker-acvp/Dockerfile b/security/nss/automation/taskcluster/docker-acvp/Dockerfile
index 5012bc4209..af2a0e25fa 100644
--- a/security/nss/automation/taskcluster/docker-acvp/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-acvp/Dockerfile
@@ -1,5 +1,5 @@
# Minimal image with clang-format 3.9.
-FROM rust:1.70
+FROM rust:1.74
LABEL maintainer="iaroslav.gridin@tuni.fi"
# for new clang/llvm
@@ -11,7 +11,6 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/
python-dev-is-python3 \
mercurial \
python3-pip \
- python-setuptools \
build-essential \
cargo \
rustc \
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index 599bed5a4b..318d935b16 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -1146,7 +1146,6 @@ async function scheduleTools() {
]
}));
-
queue.scheduleTask(merge(base, {
symbol: "scan-build",
name: "scan-build",
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index b93dbabd15..591cea6c18 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -57,7 +57,7 @@ function parseOptions(opts) {
}
// Parse tools.
- let allTools = ["clang-format", "scan-build", "hacl", "ecckiila", "saw", "abi", "coverage"];
+ let allTools = ["clang-format", "scan-build", "hacl", "acvp", "ecckiila", "saw", "abi", "coverage"];
let tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch
new file mode 100644
index 0000000000..dc2ffc04a7
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch
@@ -0,0 +1,50 @@
+28d27
+< #include "internal/Hacl_Hash_SHA2.h"
+33a33,34
+> #include "../Hacl_Hash_SHA2_shim.h"
+>
+1670,1713d1670
+< }
+<
+< static inline void
+< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
+< }
+<
+< static inline void
+< sha512_pre_pre2_msg(
+< uint8_t *hash,
+< uint8_t *prefix,
+< uint8_t *prefix2,
+< uint32_t len,
+< uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code
+< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< KRML_HOST_IGNORE(err2);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch
new file mode 100644
index 0000000000..f79016fcf9
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch
@@ -0,0 +1,2 @@
+38d37
+< #include "internal/Hacl_Hash_SHA2.h"
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch
new file mode 100644
index 0000000000..781bde532e
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch
@@ -0,0 +1,2 @@
+39d38
+< #include "Hacl_Hash_SHA2.h"
diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh
index f9831d24fd..f2c20a0ae3 100755
--- a/security/nss/automation/taskcluster/scripts/run_hacl.sh
+++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh
@@ -12,7 +12,7 @@ set -e -x -v
# Get the HACL* source, containing a snapshot of the C code, extracted on the
# HACL CI.
git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star
-git -C ~/hacl-star checkout -q 72f9d0c783cb716add714344604d591106dfbf7f
+git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552
# Format the C snapshot.
cd ~/hacl-star/dist/mozilla
@@ -33,6 +33,11 @@ files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name))
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
@@ -49,5 +54,60 @@ for f in "${files[@]}"; do
then
continue;
fi
+
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
+
+# Here we process the code that's not located in /hacl-star/dist/mozilla/ but
+# /hacl-star/dist/gcc-compatible.
+
+cd ~/hacl-star/dist/gcc-compatible
+cp ~/nss/.clang-format .
+find . -type f -name '*.[ch]' -exec clang-format -i {} \+
+
+patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch'))
+for f in "${patches[@]}"; do
+ file_name=$(basename "$f")
+ file_name="${file_name%.*}"
+ if_internal="${file_name##*.}"
+ if [ $if_internal == "internal" ]
+ then
+ file_name="${file_name%.*}"
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ else
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ fi
+ if [ ! -z "$patch_file" ]
+ then
+ patch $patch_file $f
+ fi
+done
+
+files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
+
+files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done \ No newline at end of file