#!/bin/bash
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
########################################################################
#
# mozilla/security/nss/tests/all.sh
#
# Script to start selected available NSS QA suites on one machine
# this script is called or sourced by NSS QA which runs on all required
# platforms
#
# Needs to work on all Unix and Windows platforms
#
# Currently available NSS QA suites:
# ----------------------------------
# cipher.sh - tests NSS ciphers
# libpkix.sh - tests PKIX functionality
# cert.sh - exercises certutil and creates certs necessary for
# all other tests
# dbtests.sh - tests related to certificate databases
# tools.sh - tests the majority of the NSS tools
# fips.sh - tests basic functionality of NSS in FIPS-compliant
# - mode
# sdr.sh - tests NSS SDR
# crmf.sh - CRMF/CMMF testing
# smime.sh - S/MIME testing
# ssl.sh - tests SSL V2 SSL V3 and TLS
# ocsp.sh - OCSP testing
# merge.sh - tests merging old and new shareable databases
# pkits.sh - NIST/PKITS tests
# chains.sh - PKIX cert chains tests
# dbupgrade.sh - upgrade databases to new shareable version (used
# only in upgrade test cycle)
# memleak.sh - memory leak testing (optional)
# ssl_gtests.sh - Gtest based unit tests for ssl
# gtests.sh - Gtest based unit tests for everything else
# policy.sh - Crypto Policy tests
# bogo.sh - Bogo interop tests (disabled by default)
# https://boringssl.googlesource.com/boringssl/+/master/ssl/test/PORTING.md
# interop.sh - Interoperability tests (disabled by default)
# https://github.com/ekr/tls_interop
# tlsfuzzer.sh - tlsfuzzer interop tests (disabled by default)
# https://github.com/tomato42/tlsfuzzer/
#
# NSS testing is now divided into 4 cycles:
# ---------------------------------------
# standard - run test suites with defaults settings
# pkix - run test suites with PKIX enabled
# upgradedb - upgrade existing certificate databases to shareable
# format (creates them if they don't exist yet) and run
# test suites with those databases. Requires to enable libdm.
# sharedb - run test suites with shareable database format
# enabled (databases are created directly to this
# format). This is the default and doesn't need to be run separately.
#
# Mandatory environment variables (to be set before testing):
# -----------------------------------------------------------
# HOST - test machine host name
# DOMSUF - test machine domain name
#
# Optional environment variables to specify build to use:
# -------------------------------------------------------
# BUILT_OPT - use optimized/debug build
# USE_64 - use 64bit/32bit build
#
# Optional environment variables to select which cycles/suites to test:
# ---------------------------------------------------------------------
# NSS_CYCLES - list of cycles to run (separated by space
# character)
# - by default all cycles are tested
#
# NSS_TESTS - list of all test suites to run (separated by space
# character, without trailing .sh)
# - this list can be reduced for individual test cycles
#
# NSS_SSL_TESTS - list of ssl tests to run (see ssl.sh)
# NSS_SSL_RUN - list of ssl sub-tests to run (see ssl.sh)
#
# Testing schema:
# ---------------
#                           all.sh                       ~  (main)
#                              |                               |
#          +------------+------------+-----------+       ~  run_cycles
#          |            |            |           |             |
#      standard        pkix      upgradedb    sharedb    ~  run_cycle_*
#         ...           |           ...         ...            |
#                +------+------+------+----->            ~  run_tests
#                |      |      |      |                        |
#              cert   tools   fips   ssl   ...           ~  . *.sh
#
# Special strings:
# ----------------
# FIXME ... known problems, search for this string
# NOTE .... unexpected behavior
#
# NOTE:
# -----
# Unlike the old QA this is based on files sourcing each other
# This is done to save time, since a great portion of time is lost
# in calling and sourcing the same things multiple times over the
# network. Also, this way all scripts have all shell functions
# available and a completely common environment
#
########################################################################

RUN_FIPS=""

############################## run_tests ###############################
# run test suites defined in TESTS variable, skip scripts defined in
# TESTS_SKIP variable
########################################################################
run_tests()
{
    echo "Running test cycle: ${TEST_MODE} ----------------------"
    echo "List of tests that will be executed: ${TESTS}"
    for TEST in ${TESTS}
    do
        # NOTE: the spaces are important. If you don't include
        # the spaces, then turning off ssl_gtests will also turn off ssl
        # tests.
        echo " ${TESTS_SKIP} " | grep " ${TEST} " > /dev/null
        if [ $? -eq 0 ]; then
            continue
        fi

        SCRIPTNAME=${TEST}.sh
        echo "Running tests for ${TEST}"
        echo "TIMESTAMP ${TEST} BEGIN: `date`"
        (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)
        echo "TIMESTAMP ${TEST} END: `date`"
    done
}

########################## run_cycle_standard ##########################
# run test suites with sql database (no PKIX)
########################################################################
run_cycle_standard()
{
    TEST_MODE=STANDARD

    TESTS="${ALL_TESTS}"
    TESTS_SKIP="libpkix pkits"

    NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
    export NSS_DEFAULT_DB_TYPE

    run_tests
}

############################ run_cycle_pkix ############################
# run test suites with PKIX enabled
########################################################################
run_cycle_pkix()
{
    TEST_MODE=PKIX

    TABLE_ARGS="bgcolor=cyan"
    html_head "Testing with PKIX"
    html "</TABLE><BR>"

    HOSTDIR="${HOSTDIR}/pkix"
    mkdir -p "${HOSTDIR}"
    init_directories

    NSS_ENABLE_PKIX_VERIFY="1"
    export NSS_ENABLE_PKIX_VERIFY

    TESTS="${ALL_TESTS}"
    TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"

    export -n NSS_SSL_RUN

    # use the default format. (unset for the shell, export -n for binaries)
    export -n NSS_DEFAULT_DB_TYPE
    unset NSS_DEFAULT_DB_TYPE

    run_tests
}

######################### run_cycle_upgrade_db #########################
# upgrades certificate database to shareable format and run test suites
# with those databases
########################################################################
run_cycle_upgrade_db()
{
    TEST_MODE=UPGRADE_DB

    TABLE_ARGS="bgcolor=pink"
    html_head "Testing with upgraded library"
    html "</TABLE><BR>"

    OLDHOSTDIR="${HOSTDIR}"
    HOSTDIR="${HOSTDIR}/upgradedb"
    mkdir -p "${HOSTDIR}"
    init_directories

    if [ -r "${OLDHOSTDIR}/cert.log" ]; then
        DIRS="alicedir bobdir CA cert_extensions client clientCA dave eccurves eve ext_client ext_server $RUN_FIPS SDR server serverCA stapling tools/copydir cert.log cert.done tests.*"
        for i in $DIRS
        do
            cp -r ${OLDHOSTDIR}/${i} ${HOSTDIR} #2> /dev/null
        done
    fi

    # upgrade certs dbs to shared db
    TESTS="dbupgrade"
    TESTS_SKIP=

    run_tests

    NSS_DEFAULT_DB_TYPE="sql"
    export NSS_DEFAULT_DB_TYPE

    # run the subset of tests with the upgraded database
    TESTS="${ALL_TESTS}"
    TESTS_SKIP="cipher libpkix cert dbtests sdr ocsp pkits chains"

    run_tests
}

########################## run_cycle_shared_db #########################
# run test suites with certificate databases set to shareable format
########################################################################
run_cycle_shared_db()
{
    TEST_MODE=SHARED_DB

    TABLE_ARGS="bgcolor=yellow"
    html_head "Testing with shared library"
    html "</TABLE><BR>"

    HOSTDIR="${HOSTDIR}/sharedb"
    mkdir -p "${HOSTDIR}"
    init_directories

    NSS_DEFAULT_DB_TYPE="sql"
    export NSS_DEFAULT_DB_TYPE

    # run the tests for native sharedb support
    TESTS="${ALL_TESTS}"
    TESTS_SKIP="dbupgrade"

    export -n NSS_SSL_TESTS
    export -n NSS_SSL_RUN

    run_tests
}

############################# run_cycles ###############################
# run test cycles defined in CYCLES variable
########################################################################
run_cycles()
{
    for CYCLE in ${CYCLES}
    do
        case "${CYCLE}" in
        "standard")
            run_cycle_standard
            ;;
        "pkix")
            if [ -z "$NSS_DISABLE_LIBPKIX" ]; then
                run_cycle_pkix
            fi
            ;;
        "upgradedb")
            run_cycle_upgrade_db
            ;;
        "sharedb")
            run_cycle_shared_db
            ;;
        esac
        . ${ENV_BACKUP}
    done
}

############################## main code ###############################

SCRIPTNAME=all.sh
CLEANUP="${SCRIPTNAME}"
cd `dirname $0`

# all.sh should be the first one to try to source the init
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
    cd common
    . ./init.sh
fi

cycles="standard pkix"
CYCLES=${NSS_CYCLES:-$cycles}

NO_INIT_SUPPORT=`certutil --build-flags | grep -cw NSS_NO_INIT_SUPPORT`
if [ $NO_INIT_SUPPORT -eq 0 ]; then
    RUN_FIPS="fips"
fi

tests="cipher lowhash libpkix cert dbtests tools $RUN_FIPS sdr crmf smime ssl ocsp merge pkits ec gtests ssl_gtests policy"
# Don't run chains tests when we have a gyp build.
if [ "$OBJDIR" != "Debug" -a "$OBJDIR" != "Release" ]; then
    tests="$tests chains"
fi
TESTS=${NSS_TESTS:-$tests}

ALL_TESTS=${TESTS}

nss_ssl_tests="crl iopr policy normal_normal"
if [ $NO_INIT_SUPPORT -eq 0 ]; then
    nss_ssl_tests="$nss_ssl_tests fips_normal normal_fips"
fi
NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"

# NOTE: 'stress' run is omitted by default
nss_ssl_run="cov auth stapling signed_cert_timestamps scheme"
NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"

# NOTE:
# Lists of enabled tests and other settings are stored to ${ENV_BACKUP}
# file and are restored after every test cycle.

ENV_BACKUP=${HOSTDIR}/env.sh
env_backup > ${ENV_BACKUP}

# Print hardware support if we built it.
if [ -f ${BINDIR}/hw-support ]; then
    ${BINDIR}/hw-support
fi

if [ "${O_CRON}" = "ON" ]; then
    run_cycles >> ${LOGFILE}
else
    run_cycles | tee -a ${LOGFILE}
fi

SCRIPTNAME=all.sh

. ${QADIR}/common/cleanup.sh