From 086c044dc34dfc0f74fbe41f4ecb402b2cd34884 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:13:33 +0200 Subject: Merging upstream version 125.0.1. Signed-off-by: Daniel Baumann --- .../automation/taskcluster/docker-acvp/Dockerfile | 3 +- .../nss/automation/taskcluster/graph/src/extend.js | 1 - .../automation/taskcluster/graph/src/try_syntax.js | 2 +- .../scripts/patches/Hacl_Ed25519.c.patch | 50 +++++++++++++++++ .../scripts/patches/Hacl_Ed25519.h.internal.patch | 2 + .../scripts/patches/Hacl_Ed25519.h.patch | 2 + .../nss/automation/taskcluster/scripts/run_hacl.sh | 62 +++++++++++++++++++++- 7 files changed, 117 insertions(+), 5 deletions(-) create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch (limited to 'security/nss/automation/taskcluster') diff --git a/security/nss/automation/taskcluster/docker-acvp/Dockerfile b/security/nss/automation/taskcluster/docker-acvp/Dockerfile index 5012bc4209..af2a0e25fa 100644 --- a/security/nss/automation/taskcluster/docker-acvp/Dockerfile +++ b/security/nss/automation/taskcluster/docker-acvp/Dockerfile @@ -1,5 +1,5 @@ # Minimal image with clang-format 3.9. -FROM rust:1.70 +FROM rust:1.74 LABEL maintainer="iaroslav.gridin@tuni.fi" # for new clang/llvm @@ -11,7 +11,6 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/ python-dev-is-python3 \ mercurial \ python3-pip \ - python-setuptools \ build-essential \ cargo \ rustc \ diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index 599bed5a4b..318d935b16 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js 
@@ -1146,7 +1146,6 @@ async function scheduleTools() { ] })); - queue.scheduleTask(merge(base, { symbol: "scan-build", name: "scan-build", diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js index b93dbabd15..591cea6c18 100644 --- a/security/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js @@ -57,7 +57,7 @@ function parseOptions(opts) { } // Parse tools. - let allTools = ["clang-format", "scan-build", "hacl", "ecckiila", "saw", "abi", "coverage"]; + let allTools = ["clang-format", "scan-build", "hacl", "acvp", "ecckiila", "saw", "abi", "coverage"]; let tools = intersect(opts.tools.split(/\s*,\s*/), allTools); // If the given value is "all" run all tools. diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch new file mode 100644 index 0000000000..dc2ffc04a7 --- /dev/null +++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch 
@@ -0,0 +1,50 @@
+28d27
+< #include "internal/Hacl_Hash_SHA2.h"
+33a33,34
+> #include "../Hacl_Hash_SHA2_shim.h"
+>
+1670,1713d1670
+< }
+<
+< static inline void
+< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
+< }
+<
+< static inline void
+< sha512_pre_pre2_msg(
+< uint8_t *hash,
+< uint8_t *prefix,
+< uint8_t *prefix2,
+< uint32_t len,
+< uint8_t *input)
+< {
+< uint8_t buf[128U] = { 0U };
+< uint64_t block_state[8U] = { 0U };
+< Hacl_Streaming_MD_state_64
+< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U };
+< Hacl_Streaming_MD_state_64 p = s;
+< Hacl_SHA2_Scalar32_sha512_init(block_state);
+< Hacl_Streaming_MD_state_64 *st = &p;
+< Hacl_Streaming_Types_error_code
+< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code
+< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U);
+< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len);
+< KRML_HOST_IGNORE(err0);
+< KRML_HOST_IGNORE(err1);
+< KRML_HOST_IGNORE(err2);
+< Hacl_Streaming_SHA2_finish_512(st, hash);
diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch
new file mode 100644
index 0000000000..f79016fcf9
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch @@ -0,0 +1,2 @@ +38d37 +< #include "internal/Hacl_Hash_SHA2.h" diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch new file mode 100644 index 0000000000..781bde532e --- /dev/null +++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch @@ -0,0 +1,2 @@ +39d38 +< #include "Hacl_Hash_SHA2.h" diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh index f9831d24fd..f2c20a0ae3 100755 --- a/security/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh @@ -12,7 +12,7 @@ set -e -x -v # Get the HACL* source, containing a snapshot of the C code, extracted on the # HACL CI. git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star -git -C ~/hacl-star checkout -q 72f9d0c783cb716add714344604d591106dfbf7f +git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552 # Format the C snapshot. cd ~/hacl-star/dist/mozilla @@ -33,6 +33,11 @@ files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name)) + if [ $file_name == "Hacl_Ed25519.h" \ + -o $file_name == "Hacl_Ed25519_PrecompTable.h" ] + then + continue; + fi diff $hacl_file $f done 
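Review bot: The skip list `Hacl_Ed25519.h` / `Hacl_Ed25519_PrecompTable.h` added to this loop has to stay the exact inverse of the include list in the gcc-compatible loops added in the next hunk, and the same holds for the `Hacl_Ed25519.h` / `Hacl_Ed25519.c` pair there; a name present in a skip list but missing from its counterpart would be compared in neither pass and drop out of the check without any error. Declaring each list once, e.g. `gcc_compat_internal="Hacl_Ed25519.h Hacl_Ed25519_PrecompTable.h"`, and testing membership with `case " $gcc_compat_internal " in *" $file_name "*) continue ;; esac` in one loop and the negated form in the other keeps the two in step. The tests also leave `$file_name` unquoted and join conditions with `-o`/`-a`, which POSIX marks obsolescent; since the script already relies on arrays, `[[ "$file_name" == ... || "$file_name" == ... ]]` is the safer form.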
@@ -49,5 +54,60 @@ for f in "${files[@]}"; do
 then
 continue;
 fi
+
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
 diff $hacl_file $f
 done
+
+# Here we process the code that's not located in /hacl-star/dist/mozilla/ but
+# /hacl-star/dist/gcc-compatible.
+
+cd ~/hacl-star/dist/gcc-compatible
+cp ~/nss/.clang-format .
+find . -type f -name '*.[ch]' -exec clang-format -i {} \+
+
+patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch'))
+for f in "${patches[@]}"; do
+ file_name=$(basename "$f")
+ file_name="${file_name%.*}"
+ if_internal="${file_name##*.}"
+ if [ $if_internal == "internal" ]
+ then
+ file_name="${file_name%.*}"
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ else
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ fi
+ if [ ! -z "$patch_file" ]
+ then
+ patch $patch_file $f
+ fi
+done
+
+files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
+
+files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
\ No newline at end of file
-- cgit v1.2.3
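Review bot: The `if [ ! -z "$patch_file" ]` guard in the patch loop silently skips a patch whose target `find` did not locate, so a renamed or moved upstream file would presumably surface only later as an unexplained `diff` failure under `set -e`. For a job whose purpose is to show that the vendored code matches the pinned HACL* commit, stopping at that point is clearer: `[ -n "$patch_file" ] || { echo "no target for $f" >&2; exit 1; }` followed by `patch "$patch_file" "$f"`. `patch_file` and `hacl_file` are arrays and the bare `$patch_file` / `$hacl_file` expand to the first match only, so a second file with the same name would be ignored without warning. Because the Ed25519 files are now compared only after these local patches are applied, a comment above the loop naming the accepted deviation (the SHA-512 helpers removed in favour of `Hacl_Hash_SHA2_shim.h`, which judging by its `../` path sits outside the directories this script diffs) would tell an auditor what the check no longer covers.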