Backed out changeset bf6ee973f04e because of Android bustage UPGRADE_NSS_RELEASE

--HG--
extra : amend_source : 6502b79382c14536c060c03b428172cb6edc9d3f

security/nss/TAG-INFO

@@ -1 +1 @@
-0c3800b6eaba
+57e38a8407b3

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -1,12 +0,0 @@
-Functions changes summary: 0 Removed, 0 Changed, 6 Added functions
-Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
-
-6 Added functions:
-
-  'function SECStatus CERT_GetCertIsPerm(const CERTCertificate*, PRBool*)'    {CERT_GetCertIsPerm@@NSS_3.31}
-  'function SECStatus CERT_GetCertIsTemp(const CERTCertificate*, PRBool*)'    {CERT_GetCertIsTemp@@NSS_3.31}
-  'function CERTCertificate* PK11_FindCertFromURI(const char*, void*)'    {PK11_FindCertFromURI@@NSS_3.31}
-  'function CERTCertList* PK11_FindCertsFromURI(const char*, void*)'    {PK11_FindCertsFromURI@@NSS_3.31}
-  'function char* PK11_GetModuleURI(SECMODModule*)'    {PK11_GetModuleURI@@NSS_3.31}
-  'function char* PK11_GetTokenURI()'    {PK11_GetTokenURI@@NSS_3.31}
-

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -1,12 +0,0 @@
-Functions changes summary: 0 Removed, 0 Changed, 6 Added functions
-Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
-
-6 Added functions:
-
-  'function void PK11URI_CreateURI(size_t, size_t)'    {PK11URI_CreateURI@@NSSUTIL_3.31}
-  'function void PK11URI_DestroyURI()'    {PK11URI_DestroyURI@@NSSUTIL_3.31}
-  'function char* PK11URI_FormatURI()'    {PK11URI_FormatURI@@NSSUTIL_3.31}
-  'function const char* PK11URI_GetPathAttribute(const char*)'    {PK11URI_GetPathAttribute@@NSSUTIL_3.31}
-  'function const char* PK11URI_GetQueryAttribute(const char*)'    {PK11URI_GetQueryAttribute@@NSSUTIL_3.31}
-  'function void PK11URI_ParseURI(const char*)'    {PK11URI_ParseURI@@NSSUTIL_3.31}
-

security/nss/automation/abi-check/expected-report-libssl3.so.txt

@@ -1,14 +0,0 @@
-Functions changes summary: 0 Removed, 1 Changed, 0 Added function
-Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
-
-1 function with some indirect sub-type change:
-
-  [C]'function SECStatus SSL_GetPreliminaryChannelInfo(SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:115:1 has some indirect sub-type changes:
-    parameter 1 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
-      in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:318:1:
-        underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:287:1 changed:
-          type size changed from 128 to 160 bits
-          1 data member insertion:
-            'PRUint32 SSLPreliminaryChannelInfoStr::maxEarlyDataSize', at offset 128 (in bits) at sslt.h:314:1
-
-

security/nss/automation/abi-check/previous-nspr-release

@@ -1 +0,0 @@
-NSPR_4_14_BRANCH

security/nss/automation/abi-check/previous-nss-release

@@ -1 +0,0 @@
-NSS_3_30_BRANCH

security/nss/automation/buildbot-slave/build.sh

@@ -19,9 +19,6 @@ proc_args()
             "--test-nss")
                 TEST_NSS=1
                 ;;
-            "--check-abi")
-                CHECK_ABI=1
-                ;;
             "--build-jss")
                 BUILD_JSS=1
                 ;;
@@ -43,7 +40,6 @@ proc_args()
                 echo "    --build-jss"
                 echo "    --test-nss"
                 echo "    --test-jss"
-                echo "    --check-abi"
                 exit 1
                 ;;
         esac 
@@ -219,71 +215,6 @@ test_nss()
     return ${RET}
 }
 
-check_abi()
-{
-    print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########"
-    rm -rf ${HGDIR}/baseline
-    mkdir ${HGDIR}/baseline
-    BASE_NSPR=`cat ${HGDIR}/nss/automation/abi-check/previous-nspr-release`
-    BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release`
-
-    print_log "######## creating temporary HG clones ########"
-
-    hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr"
-    if [ $? -ne 0 ]; then
-        echo "invalid tag in automation/abi-check/previous-nspr-release"
-        return 1
-    fi
-    hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss"
-    if [ $? -ne 0 ]; then
-        echo "invalid tag in automation/abi-check/previous-nss-release"
-        return 1
-    fi
-
-    print_log "######## building older NSPR/NSS ########"
-
-    print_log "$ pushd ${HGDIR}/baseline/nss"
-    pushd ${HGDIR}/baseline/nss
-
-    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
-    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
-    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
-    RET=$?
-    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
-
-    if [ ${RET} -ne 0 ]; then
-        tail -100 ${LOG_ALL}
-        return ${RET}
-    fi
-
-    print_log "$ popd"
-    popd
-
-    ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
-    rm -f ${ABI_REPORT}
-    PREVDIST=${HGDIR}/baseline/dist
-    NEWDIST=${HGDIR}/dist
-    ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
-    for SO in ${ALL_SOs}; do
-        if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
-            touch nss/automation/abi-check/expected-report-$SO.txt
-        fi
-        abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
-            $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
-            > nss/automation/abi-check/new-report-$SO.txt
-        diff -u nss/automation/abi-check/expected-report-$SO.txt \
-                nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
-    done
-
-    if [ -s ${ABI_REPORT} ]; then
-        print_log "FAILED: there are new unexpected ABI changes"
-        cat ${ABI_REPORT}
-        return 1
-    fi
-
-    return 0
-}
-
 test_jss()
 {
     print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
@@ -357,11 +288,6 @@ build_and_test()
         [ $? -eq 0 ] || return 1
     fi
 
-    if [ -n "${CHECK_ABI}" ]; then
-        check_abi
-        [ $? -eq 0 ] || return 1
-    fi
-
     if [ -n "${BUILD_JSS}" ]; then
         create_objdir_dist_link
         build_jss
@@ -434,7 +360,6 @@ main()
 {
     VALID=0
     RET=1
-    FAIL=0
 
     for BITS in 32 64; do
         echo ${RUN_BITS} | grep ${BITS} > /dev/null
@@ -447,10 +372,7 @@ main()
             set_env
             run_all
             RET=$?
-            print_log "### result of run_all is ${RET}"
-            if [ ${RET} -ne 0 ]; then
-                FAIL=${RET}
-            fi
+	    print_log "### result of run_all is ${RET}"
         done
     done
 
@@ -459,7 +381,7 @@ main()
         return 1
     fi
 
-    return ${FAIL}
+    return ${RET}
 }
 
 #function killallsub()
@@ -487,8 +409,6 @@ echo "tinderbox args: $0 $@"
 proc_args "$@"
 main
 
-RET=$?
-print_log "### result of main is ${RET}"
-
+#RET=$?
 #rm $IS_RUNNING_FILE
-exit ${RET}
+#exit ${RET}

security/nss/automation/release/nspr-version.txt

@@ -1,10 +0,0 @@
-4.15
-
-# The first line of this file must contain the human readable NSPR
-# version number, which is the minimum required version of NSPR
-# that is supported by this version of NSS.
-#
-# This information is used by release automation,
-# when creating an NSS source archive.
-#
-# All other lines in this file are ignored.

security/nss/automation/release/nss-release-helper.py

@@ -171,13 +171,11 @@ def set_4_digit_release_number():
     set_all_lib_versions(version, major, minor, patch, build)
 
 def create_nss_release_archive():
-    ensure_arguments_after_action(3, "nss_release_version  nss_hg_release_tag  path_to_stage_directory")
+    ensure_arguments_after_action(4, "nss_release_version  nss_hg_release_tag  nspr_release_version  path_to_stage_directory")
     nssrel = args[1].strip() #e.g. 3.19.3
     nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM
-    stagedir = args[3].strip() #e.g. ../stage
-
-    with open('automation/release/nspr-version.txt') as nspr_version_file:
-        nsprrel = next(nspr_version_file).strip()
+    nsprrel = args[3].strip() #e.g. 4.10.8
+    stagedir = args[4].strip() #e.g. ../stage
 
     nspr_tar = "nspr-" + nsprrel + ".tar.gz"
     nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar

security/nss/automation/taskcluster/docker-fuzz/setup.sh

@@ -22,10 +22,6 @@ apt_packages+=('ninja-build')
 apt_packages+=('pkg-config')
 apt_packages+=('zlib1g-dev')
 
-# 32-bit builds
-apt_packages+=('gcc-multilib')
-apt_packages+=('g++-multilib')
-
 # Latest Mercurial.
 apt_packages+=('mercurial')
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
@@ -35,11 +31,6 @@ echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" >
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
-# 32-bit builds
-dpkg --add-architecture i386
-apt-get -y update
-apt-get install -y --no-install-recommends libssl-dev:i386
-
 # Install LLVM/clang-4.0.
 mkdir clang-tmp
 git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang

security/nss/automation/taskcluster/graph/src/extend.js

@@ -63,6 +63,11 @@ queue.filter(task => {
     if (task.collection == "make") {
       return false;
     }
+
+    // Disable mpi tests for now on 32-bit builds (bug 1362392)
+    if (task.platform == "linux32") {
+      return false;
+    }
   }
 
 
@@ -163,7 +168,6 @@ export default async function main() {
   });
 
   await scheduleFuzzing();
-  await scheduleFuzzing32();
 
   await scheduleTools();
 
@@ -411,110 +415,6 @@ async function scheduleFuzzing() {
   return queue.submit();
 }
 
-async function scheduleFuzzing32() {
-  let base = {
-    env: {
-      ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1",
-      UBSAN_OPTIONS: "print_stacktrace=1",
-      NSS_DISABLE_ARENA_FREE_LIST: "1",
-      NSS_DISABLE_UNLOAD: "1",
-      CC: "clang",
-      CCC: "clang++"
-    },
-    features: ["allowPtrace"],
-    platform: "linux32",
-    collection: "fuzz",
-    image: FUZZ_IMAGE
-  };
-
-  // Build base definition.
-  let build_base = merge({
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
-    ],
-    artifacts: {
-      public: {
-        expires: 24 * 7,
-        type: "directory",
-        path: "/home/worker/artifacts"
-      }
-    },
-    kind: "build",
-    symbol: "B"
-  }, base);
-
-  // The task that builds NSPR+NSS.
-  let task_build = queue.scheduleTask(merge(build_base, {
-    name: "Linux 32 (debug, fuzz)"
-  }));
-
-  // The task that builds NSPR+NSS (TLS fuzzing mode).
-  let task_build_tls = queue.scheduleTask(merge(build_base, {
-    name: "Linux 32 (debug, TLS fuzz)",
-    symbol: "B",
-    group: "TLS",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && " +
-      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
-    ],
-  }));
-
-  // Schedule tests.
-  queue.scheduleTask(merge(base, {
-    parent: task_build_tls,
-    name: "Gtests",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
-    ],
-    env: {GTESTFILTER: "*Fuzz*"},
-    tests: "ssl_gtests gtests",
-    cycle: "standard",
-    symbol: "Gtest",
-    kind: "test"
-  }));
-
-  // Schedule fuzzing runs.
-  let run_base = merge(base, {parent: task_build, kind: "test"});
-  scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
-  scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
-
-  // Schedule MPI fuzzing runs.
-  let mpi_base = merge(run_base, {group: "MPI"});
-  let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr",
-                   "sqrmod", "sub", "submod"];
-  for (let name of mpi_names) {
-    scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name);
-  }
-  scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod");
-
-  // Schedule TLS fuzzing runs (non-fuzzing mode).
-  let tls_base = merge(run_base, {group: "TLS"});
-  scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm",
-                     "tls-client-no_fuzzer_mode");
-  scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm",
-                     "tls-server-no_fuzzer_mode");
-  scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000,
-                     "dtls-client-nfm", "dtls-client-no_fuzzer_mode");
-  scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000,
-                     "dtls-server-nfm", "dtls-server-no_fuzzer_mode");
-
-  // Schedule TLS fuzzing runs (fuzzing mode).
-  let tls_fm_base = merge(tls_base, {parent: task_build_tls});
-  scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client");
-  scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server");
-  scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client");
-  scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server");
-
-  return queue.submit();
-}
-
 /*****************************************************************************/
 
 async function scheduleTestBuilds(base, args = "") {

security/nss/automation/taskcluster/graph/src/try_syntax.js

@@ -23,7 +23,7 @@ function parseOptions(opts) {
 
   // Parse platforms.
   let allPlatforms = ["linux", "linux64", "linux64-asan", "win64",
-                      "linux64-make", "linux-make", "linux-fuzz", "linux64-fuzz", "aarch64"];
+                      "linux64-make", "linux-make", "linux64-fuzz", "aarch64"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.
@@ -104,7 +104,6 @@ function filter(opts) {
     let found = opts.platforms.some(platform => {
       let aliases = {
         "linux": "linux32",
-        "linux-fuzz": "linux32",
         "linux64-asan": "linux64",
         "linux64-fuzz": "linux64",
         "linux64-make": "linux64",
@@ -120,7 +119,7 @@ function filter(opts) {
         keep &= coll("asan");
       } else if (platform == "linux64-make" || platform == "linux-make") {
         keep &= coll("make");
-      } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") {
+      } else if (platform == "linux64-fuzz") {
         keep &= coll("fuzz");
       } else {
         keep &= coll("opt") || coll("debug");

security/nss/cmd/crmftest/testcrmf.c

@@ -1261,13 +1261,11 @@ DoChallengeResponse(SECKEYPrivateKey *privKey,
             return 908;
         }
         keyID = PK11_MakeIDFromPubKey(publicValue);
-        SECITEM_FreeItem(publicValue, PR_TRUE);
         if (keyID == NULL) {
             printf("Could not make the keyID from the public value\n");
             return 909;
         }
         foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
-        SECITEM_FreeItem(keyID, PR_TRUE);
         if (foundPrivKey == NULL) {
             printf("Could not find the private key corresponding to the public"
                    " value.\n");

security/nss/cmd/mpitests/mpitests.gyp

@@ -31,18 +31,7 @@
     'include_dirs': [
       '<(DEPTH)/lib/freebl/mpi',
       '<(DEPTH)/lib/util',
-    ],
-    # This uses test builds and has to set defines for MPI.
-    'conditions': [
-      [ 'target_arch=="ia32"', {
-        'defines': [
-          'MP_USE_UINT_DIGIT',
-          'MP_ASSEMBLY_MULTIPLY',
-          'MP_ASSEMBLY_SQUARE',
-          'MP_ASSEMBLY_DIV_2DX1D',
-        ],
-      }],
-    ],
+    ]
   },
   'variables': {
     'module': 'nss'

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/coreconf/fuzz.sh

@@ -24,10 +24,7 @@ if [ "$fuzz_oss" = 1 ]; then
   gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
 else
   enable_sanitizer asan
-  # Ubsan doesn't build on 32-bit at the moment. Disable it.
-  if [ "$build_64" = 1 ]; then
-    enable_ubsan
-  fi
+  enable_ubsan
   enable_sancov
 fi
 

security/nss/fuzz/fuzz.gyp

@@ -88,15 +88,6 @@
               '-lcrypto',
             ],
           }],
-          # For test builds we have to set MPI defines.
-          [ 'target_arch=="ia32"', {
-            'defines': [
-              'MP_USE_UINT_DIGIT',
-              'MP_ASSEMBLY_MULTIPLY',
-              'MP_ASSEMBLY_SQUARE',
-              'MP_ASSEMBLY_DIV_2DX1D',
-            ],
-          }],
         ],
       },
     },

security/nss/gtests/freebl_gtest/freebl_gtest.gyp

@@ -29,6 +29,13 @@
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
       ],
+      'conditions': [
+        [ 'ct_verif==1', {
+          'defines': [
+            'CT_VERIF',
+          ],
+        }],
+      ],
     },
     {
       'target_name': 'prng_gtest',
@@ -55,23 +62,7 @@
   'target_defaults': {
     'include_dirs': [
       '<(DEPTH)/lib/freebl/mpi',
-    ],
-    # For test builds we have to set MPI defines.
-    'conditions': [
-      [ 'ct_verif==1', {
-        'defines': [
-          'CT_VERIF',
-        ],
-      }],
-      [ 'target_arch=="ia32"', {
-        'defines': [
-          'MP_USE_UINT_DIGIT',
-          'MP_ASSEMBLY_MULTIPLY',
-          'MP_ASSEMBLY_SQUARE',
-          'MP_ASSEMBLY_DIV_2DX1D',
-        ],
-      }],
-    ],
+    ]
   },
   'variables': {
     'module': 'nss'

security/nss/gtests/freebl_gtest/mpi_unittest.cc

@@ -53,39 +53,13 @@ class MPITest : public ::testing::Test {
     mp_clear(&a);
     mp_clear(&b);
   }
-
-  void TestDiv(const std::string a_string, const std::string b_string,
-               const std::string result) {
-    mp_int a, b, c;
-    MP_DIGITS(&a) = 0;
-    MP_DIGITS(&b) = 0;
-    MP_DIGITS(&c) = 0;
-    ASSERT_EQ(MP_OKAY, mp_init(&a));
-    ASSERT_EQ(MP_OKAY, mp_init(&b));
-    ASSERT_EQ(MP_OKAY, mp_init(&c));
-
-    mp_read_radix(&a, a_string.c_str(), 16);
-    mp_read_radix(&b, b_string.c_str(), 16);
-    mp_read_radix(&c, result.c_str(), 16);
-    EXPECT_EQ(MP_OKAY, mp_div(&a, &b, &a, &b));
-    EXPECT_EQ(0, mp_cmp(&a, &c));
-
-    mp_clear(&a);
-    mp_clear(&b);
-    mp_clear(&c);
-  }
 };
 
 TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
 TEST_F(MPITest, MpiCmp10Test) { TestCmp("1", "0", 1); }
 TEST_F(MPITest, MpiCmp00Test) { TestCmp("0", "0", 0); }
 TEST_F(MPITest, MpiCmp11Test) { TestCmp("1", "1", 0); }
-TEST_F(MPITest, MpiDiv32ErrorTest) {
-  TestDiv("FFFF00FFFFFFFF000000000000", "FFFF00FFFFFFFFFF", "FFFFFFFFFF");
-}
 
-#ifdef NSS_X64
-// This tests assumes 64-bit mp_digits.
 TEST_F(MPITest, MpiCmpUnalignedTest) {
   mp_int a, b, c;
   MP_DIGITS(&a) = 0;
@@ -116,7 +90,6 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
   mp_clear(&b);
   mp_clear(&c);
 }
-#endif
 
 // This test is slow. Disable it by default so we can run these tests on CI.
 class DISABLED_MPITest : public ::testing::Test {};

security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc

@@ -31,17 +31,13 @@ class PK11URITest : public ::testing::Test {
     size_t i;
     for (i = 0; i < num_pattrs; i++) {
       const char *value = PK11URI_GetPathAttribute(tmp.get(), pattrs[i].name);
-      EXPECT_TRUE(value);
-      if (value) {
-        EXPECT_EQ(std::string(value), std::string(pattrs[i].value));
-      }
+      ASSERT_TRUE(value);
+      ASSERT_EQ(std::string(value), std::string(pattrs[i].value));
     }
     for (i = 0; i < num_qattrs; i++) {
       const char *value = PK11URI_GetQueryAttribute(tmp.get(), qattrs[i].name);
-      EXPECT_TRUE(value);
-      if (value) {
-        EXPECT_EQ(std::string(value), std::string(qattrs[i].value));
-      }
+      ASSERT_TRUE(value);
+      ASSERT_EQ(std::string(value), std::string(qattrs[i].value));
     }
   }
 
@@ -52,10 +48,8 @@ class PK11URITest : public ::testing::Test {
         PK11URI_CreateURI(pattrs, num_pattrs, qattrs, num_qattrs));
     ASSERT_TRUE(tmp);
     char *out = PK11URI_FormatURI(nullptr, tmp.get());
-    EXPECT_TRUE(out);
-    if (out) {
-      EXPECT_EQ(std::string(out), formatted);
-    }
+    ASSERT_TRUE(out);
+    ASSERT_EQ(std::string(out), formatted);
     PORT_Free(out);
   }
 
@@ -73,17 +67,13 @@ class PK11URITest : public ::testing::Test {
     size_t i;
     for (i = 0; i < num_pattrs; i++) {
       const char *value = PK11URI_GetPathAttribute(tmp.get(), pattrs[i].name);
-      EXPECT_TRUE(value);
-      if (value) {
-        EXPECT_EQ(std::string(value), std::string(pattrs[i].value));
-      }
+      ASSERT_TRUE(value);
+      ASSERT_EQ(std::string(value), std::string(pattrs[i].value));
     }
     for (i = 0; i < num_qattrs; i++) {
       const char *value = PK11URI_GetQueryAttribute(tmp.get(), qattrs[i].name);
-      EXPECT_TRUE(value);
-      if (value) {
-        EXPECT_EQ(std::string(value), std::string(qattrs[i].value));
-      }
+      ASSERT_TRUE(value);
+      ASSERT_EQ(std::string(value), std::string(qattrs[i].value));
     }
   }
 
@@ -91,11 +81,9 @@ class PK11URITest : public ::testing::Test {
     ScopedPK11URI tmp(PK11URI_ParseURI(str.c_str()));
     ASSERT_TRUE(tmp);
     char *out = PK11URI_FormatURI(nullptr, tmp.get());
-    EXPECT_TRUE(out);
-    if (out) {
-      EXPECT_EQ(std::string(out), formatted);
-      PORT_Free(out);
-    }
+    ASSERT_TRUE(out);
+    ASSERT_EQ(std::string(out), formatted);
+    PORT_Free(out);
   }
 
  protected:

security/nss/lib/freebl/mpi/mpi.c

@@ -2859,9 +2859,6 @@ void
 s_mp_exch(mp_int *a, mp_int *b)
 {
     mp_int tmp;
-    if (!a || !b) {
-        return;
-    }
 
     tmp = *a;
     *a = *b;
@@ -4167,7 +4164,11 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
                 mp_int *quot) /* i: 0;        o: quotient  */
 {
     mp_int part, t;
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+    mp_word q_msd;
+#else
     mp_digit q_msd;
+#endif
     mp_err res;
     mp_digit d;
     mp_digit div_msd;
@@ -4212,7 +4213,7 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         MP_USED(&part) = MP_USED(div);
 
         /* We have now truncated the part of the remainder to the same length as
-         * the divisor. If part is smaller than div, extend part by one digit. */
+     * the divisor. If part is smaller than div, extend part by one digit. */
         if (s_mp_cmp(&part, div) < 0) {
             --unusedRem;
 #if MP_ARGCHK == 2
@@ -4229,12 +4230,18 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         div_msd = MP_DIGIT(div, MP_USED(div) - 1);
         if (!partExtended) {
             /* In this case, q_msd /= div_msd is always 1. First, since div_msd is
-             * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
-             * we didn't extend part, q_msd >= div_msd. Therefore we know that
-             * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
-             * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
+       * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
+       * we didn't extend part, q_msd >= div_msd. Therefore we know that
+       * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
+       * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
             q_msd = 1;
         } else {
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
+            q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
+            q_msd /= div_msd;
+            if (q_msd == RADIX)
+                --q_msd;
+#else
             if (q_msd == div_msd) {
                 q_msd = MP_DIGIT_MAX;
             } else {
@@ -4242,6 +4249,7 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
                 MP_CHECKOK(s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2),
                                            div_msd, &q_msd, &r));
             }
+#endif
         }
 #if MP_ARGCHK == 2
         assert(q_msd > 0); /* This case should never occur any more. */
@@ -4251,15 +4259,15 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
 
         /* See what that multiplies out to                   */
         mp_copy(div, &t);
-        MP_CHECKOK(s_mp_mul_d(&t, q_msd));
+        MP_CHECKOK(s_mp_mul_d(&t, (mp_digit)q_msd));
 
         /*
-           If it's too big, back it off.  We should not have to do this
-           more than once, or, in rare cases, twice.  Knuth describes a
-           method by which this could be reduced to a maximum of once, but
-           I didn't implement that here.
-           When using s_mpv_div_2dx1d, we may have to do this 3 times.
-         */
+       If it's too big, back it off.  We should not have to do this
+       more than once, or, in rare cases, twice.  Knuth describes a
+       method by which this could be reduced to a maximum of once, but
+       I didn't implement that here.
+     * When using s_mpv_div_2dx1d, we may have to do this 3 times.
+     */
         for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
             --q_msd;
             MP_CHECKOK(s_mp_sub(&t, div)); /* t -= div */
@@ -4274,11 +4282,11 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         s_mp_clamp(rem);
 
         /*
-          Include the digit in the quotient.  We allocated enough memory
-          for any quotient we could ever possibly get, so we should not
-          have to check for failures here
-         */
-        MP_DIGIT(quot, unusedRem) = q_msd;
+      Include the digit in the quotient.  We allocated enough memory
+      for any quotient we could ever possibly get, so we should not
+      have to check for failures here
+     */
+        MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
     }
 
     /* Denormalize remainder                */

security/nss/lib/pk11wrap/pk11cert.c

@@ -765,12 +765,7 @@ find_certs_from_nickname(const char *nickname, void *wincx)
         *delimit = ':';
     } else {
         slot = PK11_GetInternalKeySlot();
-        token = PK11Slot_GetNSSToken(slot);
-        if (token) {
-            nssToken_AddRef(token);
-        } else {
-            PORT_SetError(SEC_ERROR_NO_TOKEN);
-        }
+        token = nssToken_AddRef(PK11Slot_GetNSSToken(slot));
     }
     if (token) {
         nssList *certList;

security/nss/lib/ssl/ssl3con.c

@@ -38,6 +38,13 @@
 #include "zlib.h"
 #endif
 
+#ifndef PK11_SETATTRS
+#define PK11_SETATTRS(x, id, v, l) \
+    (x)->type = (id);              \
+    (x)->pValue = (v);             \
+    (x)->ulValueLen = (l);
+#endif
+
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
                                        PK11SlotInfo *serverKeySlot);
 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);

security/nss/lib/ssl/ssl3ecc.c

@@ -31,6 +31,13 @@
 
 #include <stdio.h>
 
+#ifndef PK11_SETATTRS
+#define PK11_SETATTRS(x, id, v, l) \
+    (x)->type = (id);              \
+    (x)->pValue = (v);             \
+    (x)->ulValueLen = (l);
+#endif
+
 SECStatus
 ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup,
                         SECKEYECParams *params)

security/nss/lib/ssl/ssl3prot.h

@@ -305,6 +305,13 @@ typedef enum {
     CLIENT_AUTH_CERTIFICATE = 1
 } ClientAuthenticationType;
 
+typedef struct {
+    ClientAuthenticationType client_auth_type;
+    union {
+        SSL3Opaque *certificate_list;
+    } identity;
+} ClientIdentity;
+
 #define SESS_TICKET_KEY_NAME_LEN 16
 #define SESS_TICKET_KEY_NAME_PREFIX "NSS!"
 #define SESS_TICKET_KEY_NAME_PREFIX_LEN 4
@@ -317,4 +324,8 @@ typedef struct {
     unsigned char *mac;
 } EncryptedSessionTicket;
 
+#define TLS_EX_SESS_TICKET_MAC_LENGTH 32
+
+#define TLS_STE_NO_SERVER_NAME -1
+
 #endif /* __ssl3proto_h_ */

security/nss/lib/ssl/sslimpl.h

@@ -992,7 +992,7 @@ typedef struct SSLWrappedSymWrappingKeyStr {
 } SSLWrappedSymWrappingKey;
 
 typedef struct SessionTicketStr {
-    PRBool valid;
+    PRUint16 ticket_version;
     SSL3ProtocolVersion ssl_version;
     ssl3CipherSuite cipher_suite;
     SSLCompressionMethod compression_method;
@@ -1010,7 +1010,7 @@ typedef struct SessionTicketStr {
     PRUint16 ms_length;
     SSL3Opaque master_secret[48];
     PRBool extendedMasterSecretUsed;
-    ClientAuthenticationType client_auth_type;
+    ClientIdentity client_identity;
     SECItem peer_cert;
     PRUint32 timestamp;
     PRUint32 flags;

security/nss/lib/ssl/sslsnce.c

@@ -1808,7 +1808,6 @@ ssl_GetSessionTicketKeys(sslSocket *ss, unsigned char *keyName,
     }
 
     if (!ssl_session_ticket_keys.encKey || !ssl_session_ticket_keys.macKey) {
-        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 

security/nss/lib/util/pkcs11uri.c

@@ -681,7 +681,7 @@ PK11URI_ParseURI(const char *string)
 
     result = pk11uri_AllocURI();
     if (result == NULL) {
-        return NULL;
+        goto fail;
     }
 
     /* Parse the path component and its attributes. */