From fbaf0bb26397aa498eb9156f06d5a6fe34dd7dd8 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 03:14:29 +0200 Subject: Merging upstream version 125.0.1. Signed-off-by: Daniel Baumann --- .../abi-check/expected-report-libnss3.so.txt | 15 ++++++ .../abi-check/expected-report-libnssutil3.so.txt | 15 ++++++ .../abi-check/expected-report-libsmime3.so.txt | 49 +++++++++++++++++ .../nss/automation/abi-check/previous-nss-release | 2 +- .../automation/taskcluster/docker-acvp/Dockerfile | 3 +- .../nss/automation/taskcluster/graph/src/extend.js | 1 - .../automation/taskcluster/graph/src/try_syntax.js | 2 +- .../scripts/patches/Hacl_Ed25519.c.patch | 50 +++++++++++++++++ .../scripts/patches/Hacl_Ed25519.h.internal.patch | 2 + .../scripts/patches/Hacl_Ed25519.h.patch | 2 + .../nss/automation/taskcluster/scripts/run_hacl.sh | 62 +++++++++++++++++++++- 11 files changed, 197 insertions(+), 6 deletions(-) create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch create mode 100644 security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch (limited to 'security/nss/automation') diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index e69de29bb2..582afe387f 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt 
@@ -0,0 +1,15 @@ + +1 function with some indirect sub-type change: + + [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes: + parameter 2 of type 'typedef SECOidTag' has sub-type changes: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 2 enumerator insertions: + '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373' + '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1 + + diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index e69de29bb2..ed076df300 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -0,0 +1,15 @@ + +1 function with some indirect sub-type change: + + [C]'function SECStatus NSS_GetAlgorithmPolicy(SECOidTag, PRUint32*)' at secoid.c:2291:1 has some indirect sub-type changes: + parameter 1 of type 'typedef SECOidTag' has sub-type changes: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 2 enumerator insertions: + '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373' + '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' from value '373' to '375' at secoidt.h:34:1 + + diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt index e69de29bb2..69cd2ae3a9 100644 --- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt 
@@ -0,0 +1,49 @@ + +1 Added function: + + 'function PRBool NSS_CMSRecipient_IsSupported(CERTCertificate*)' {NSS_CMSRecipient_IsSupported@@NSS_3.99} + +1 function with some indirect sub-type change: + + [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes: + parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes: + in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1: + underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed: + type size hasn't changed + 1 data member changes (2 filtered): + type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed: + underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed: + type size hasn't changed + 1 data member changes (3 filtered): + type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed: + in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1: + underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:463:1 changed: + type size hasn't changed + 1 data member changes (1 filtered): + type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed: + in pointed to type 'NSSCMSAttribute*': + in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1: + underlying type 'struct NSSCMSAttributeStr' at cmst.h:482:1 changed: + type size hasn't changed + 1 data member change: + type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed: + in pointed to type 'typedef SECOidData' at secoidt.h:16:1: + underlying type 'struct SECOidDataStr' at secoidt.h:536:1 changed: + type size hasn't changed + 1 data member change: + type of 'SECOidTag SECOidDataStr::offset' changed: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 2 enumerator insertions: + '__anonymous_enum__::SEC_OID_ED25519_SIGNATURE' value '373' + '__anonymous_enum__::SEC_OID_ED25519_PUBLIC_KEY' value '374' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' 
from value '373' to '375' at secoidt.h:34:1 + + + + + + + diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index b99c3e7670..0dea1b7b74 100644 --- a/security/nss/automation/abi-check/previous-nss-release +++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_97_BRANCH +NSS_3_98_BRANCH diff --git a/security/nss/automation/taskcluster/docker-acvp/Dockerfile b/security/nss/automation/taskcluster/docker-acvp/Dockerfile index 5012bc4209..af2a0e25fa 100644 --- a/security/nss/automation/taskcluster/docker-acvp/Dockerfile +++ b/security/nss/automation/taskcluster/docker-acvp/Dockerfile @@ -1,5 +1,5 @@ # Minimal image with clang-format 3.9. -FROM rust:1.70 +FROM rust:1.74 LABEL maintainer="iaroslav.gridin@tuni.fi" # for new clang/llvm @@ -11,7 +11,6 @@ RUN echo "deb http://ftp.debian.org/debian/ sid main" > /etc/apt/sources.list.d/ python-dev-is-python3 \ mercurial \ python3-pip \ - python-setuptools \ build-essential \ cargo \ rustc \ diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index 599bed5a4b..318d935b16 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -1146,7 +1146,6 @@ async function scheduleTools() { ] })); - queue.scheduleTask(merge(base, { symbol: "scan-build", name: "scan-build", diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js index b93dbabd15..591cea6c18 100644 --- a/security/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js 
@@ -57,7 +57,7 @@ function parseOptions(opts) { } // Parse tools. - let allTools = ["clang-format", "scan-build", "hacl", "ecckiila", "saw", "abi", "coverage"]; + let allTools = ["clang-format", "scan-build", "hacl", "acvp", "ecckiila", "saw", "abi", "coverage"]; let tools = intersect(opts.tools.split(/\s*,\s*/), allTools); // If the given value is "all" run all tools. diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch new file mode 100644 index 0000000000..dc2ffc04a7 --- /dev/null +++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.c.patch 
@@ -0,0 +1,50 @@ +28d27 +< #include "internal/Hacl_Hash_SHA2.h" +33a33,34 +> #include "../Hacl_Hash_SHA2_shim.h" +> +1670,1713d1670 +< } +< +< static inline void +< sha512_pre_msg(uint8_t *hash, uint8_t *prefix, uint32_t len, uint8_t *input) +< { +< uint8_t buf[128U] = { 0U }; +< uint64_t block_state[8U] = { 0U }; +< Hacl_Streaming_MD_state_64 +< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; +< Hacl_Streaming_MD_state_64 p = s; +< Hacl_SHA2_Scalar32_sha512_init(block_state); +< Hacl_Streaming_MD_state_64 *st = &p; +< Hacl_Streaming_Types_error_code +< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); +< Hacl_Streaming_Types_error_code err1 = Hacl_Streaming_SHA2_update_512(st, input, len); +< KRML_HOST_IGNORE(err0); +< KRML_HOST_IGNORE(err1); +< Hacl_Streaming_SHA2_finish_512(st, hash); +< } +< +< static inline void +< sha512_pre_pre2_msg( +< uint8_t *hash, +< uint8_t *prefix, +< uint8_t *prefix2, +< uint32_t len, +< uint8_t *input) +< { +< uint8_t buf[128U] = { 0U }; +< uint64_t block_state[8U] = { 0U }; +< Hacl_Streaming_MD_state_64 +< s = { .block_state = block_state, .buf = buf, .total_len = (uint64_t)(uint32_t)0U }; +< Hacl_Streaming_MD_state_64 p = s; +< Hacl_SHA2_Scalar32_sha512_init(block_state); +< Hacl_Streaming_MD_state_64 *st = &p; +< Hacl_Streaming_Types_error_code +< err0 = Hacl_Streaming_SHA2_update_512(st, prefix, (uint32_t)32U); +< Hacl_Streaming_Types_error_code +< err1 = Hacl_Streaming_SHA2_update_512(st, prefix2, (uint32_t)32U); +< Hacl_Streaming_Types_error_code err2 = Hacl_Streaming_SHA2_update_512(st, input, len); +< KRML_HOST_IGNORE(err0); +< KRML_HOST_IGNORE(err1); +< KRML_HOST_IGNORE(err2); +< Hacl_Streaming_SHA2_finish_512(st, hash); diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch new file mode 100644 index 0000000000..f79016fcf9 --- /dev/null 
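Review bot: The deletion at `1670,1713d1670` removes the two SHA-512 prefix helpers (`sha512_pre_msg`, `sha512_pre_pre2_msg`) from HACL*'s Ed25519 code and `33a33,34` swaps in `#include "../Hacl_Hash_SHA2_shim.h"`, which is precisely where freebl's copy stops being the verified upstream code, yet neither this file nor the script that applies it records that intent. Because this is a normal-format diff it carries no context lines and is pinned to the exact line numbers of the HACL* revision checked out in run_hacl.sh, so it must be regenerated whenever that commit moves. I would regenerate these as unified diffs (`diff -u`) so `patch` has context to verify, and add a one-line comment next to the pinned HACL* commit in run_hacl.sh such as `# patches/ replace HACL*'s SHA-512 helpers with Hacl_Hash_SHA2_shim.h; regenerate them when bumping this commit`. I cannot see the shim header here, so whether it delegates to freebl's own SHA-512 should be confirmed before documenting that.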
+++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.internal.patch @@ -0,0 +1,2 @@ +38d37 +< #include "internal/Hacl_Hash_SHA2.h" diff --git a/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch new file mode 100644 index 0000000000..781bde532e --- /dev/null +++ b/security/nss/automation/taskcluster/scripts/patches/Hacl_Ed25519.h.patch @@ -0,0 +1,2 @@ +39d38 +< #include "Hacl_Hash_SHA2.h" diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh index f9831d24fd..f2c20a0ae3 100755 --- a/security/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh @@ -12,7 +12,7 @@ set -e -x -v # Get the HACL* source, containing a snapshot of the C code, extracted on the # HACL CI. git clone -q "https://github.com/hacl-star/hacl-star" ~/hacl-star -git -C ~/hacl-star checkout -q 72f9d0c783cb716add714344604d591106dfbf7f +git -C ~/hacl-star checkout -q 0f136f28935822579c244f287e1d2a1908a7e552 # Format the C snapshot. cd ~/hacl-star/dist/mozilla @@ -33,6 +33,11 @@ files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]')) for f in "${files[@]}"; do file_name=$(basename "$f") hacl_file=($(find ~/hacl-star/dist/mozilla/internal/ -type f -name $file_name)) + if [ $file_name == "Hacl_Ed25519.h" \ + -o $file_name == "Hacl_Ed25519_PrecompTable.h" ] + then + continue; + fi diff $hacl_file $f done 
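Review bot: The new skip test in the `for f in "${files[@]}"` loop, `[ $file_name == "Hacl_Ed25519.h" -o $file_name == "Hacl_Ed25519_PrecompTable.h" ]`, uses `==` and `-o` inside single-bracket `test`, which POSIX marks obsolescent, and leaves `$file_name` unquoted. A `case` is portable and also says why these two names are special: `case "$file_name" in Hacl_Ed25519.h|Hacl_Ed25519_PrecompTable.h) continue ;; esac  # compared against dist/gcc-compatible below`. The same `-o`/`-a` shape is repeated in the following hunk of this file and should be changed consistently. The loop this hunk edits begins before the hunk.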
@@ -49,5 +54,60 @@ for f in "${files[@]}"; do
 then
 continue;
 fi
+
+ if [ $file_name == "Hacl_Ed25519.h" \
+ -o $file_name == "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
 diff $hacl_file $f
 done
+
+# Here we process the code that's not located in /hacl-star/dist/mozilla/ but
+# /hacl-star/dist/gcc-compatible.
+
+cd ~/hacl-star/dist/gcc-compatible
+cp ~/nss/.clang-format .
+find . -type f -name '*.[ch]' -exec clang-format -i {} \+
+
+patches=($(find ~/nss/automation/taskcluster/scripts/patches/ -type f -name '*.patch'))
+for f in "${patches[@]}"; do
+ file_name=$(basename "$f")
+ file_name="${file_name%.*}"
+ if_internal="${file_name##*.}"
+ if [ $if_internal == "internal" ]
+ then
+ file_name="${file_name%.*}"
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ else
+ patch_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ fi
+ if [ ! -z "$patch_file" ]
+ then
+ patch $patch_file $f
+ fi
+done
+
+files=($(find ~/nss/lib/freebl/verified/internal -type f -name '*.[ch]'))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/internal/ -type f -name $file_name))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519_PrecompTable.h" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
+
+files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/freebl/verified/internal/*"))
+for f in "${files[@]}"; do
+ file_name=$(basename "$f")
+ hacl_file=($(find ~/hacl-star/dist/gcc-compatible/ -type f -name $file_name -not -path "*/hacl-star/dist/gcc-compatible/internal/*"))
+ if [ $file_name != "Hacl_Ed25519.h" \
+ -a $file_name != "Hacl_Ed25519.c" ]
+ then
+ continue;
+ fi
+ diff $hacl_file $f
+done
\ No newline at end of file
-- cgit v1.2.3
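Review bot: In the `for f in "${patches[@]}"` loop, `if [ ! -z "$patch_file" ]` silently does nothing when `find` returns no target in the HACL* snapshot, and `patch $patch_file $f` runs with patch's default fuzz and no `--dry-run`, so a renamed upstream file or a shifted hunk leaves the snapshot unpatched or mispatched and the only signal is whatever the later `diff` happens to report (`set -e` turns a failing `patch`/`diff` into a job failure, but not a skipped patch). I would fail loudly with `else echo "no target in dist/gcc-compatible for $f" >&2; exit 1; fi` and apply with `patch --fuzz=0 "$patch_file" "$f"`. The comment above `cd ~/hacl-star/dist/gcc-compatible` should also say what the reader most needs: the `.patch` files replace HACL*'s SHA-512 helpers with a shim, so freebl's Ed25519 files are intentionally not byte-identical to upstream and this script encodes that accepted divergence, e.g. `# The patches/ directory holds NSS-local edits to the verified Ed25519 code; the diff below checks freebl == HACL* + those patches`. The context lines `then`/`continue;`/`fi` belong to a loop that starts before the hunk, and the new file ends without a trailing newline.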