Bug 1493788 - remove other mozilla-specific dependencies from certificate transparency implementation r=jcj

This patch removes the remaining mozilla-specific dependencies from the certificate transparency implementation. Depends on D6845 Differential Revision: https://phabricator.services.mozilla.com/D6846 --HG-- extra : moz-landing-system : lando
2018-10-01 16:20:57 +00:00 · 2018-10-01 16:20:57 +00:00 · 0c4b612622
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@ -390,7 +390,7 @@ CertVerifier::VerifyCertificateTransparencyPolicy(
  GetCTLogOperatorsFromVerifiedSCTList(result.verifiedScts, allOperators);

  CTLogOperatorList dependentOperators;
-  rv = mCTDiversityPolicy->GetDependentOperators(builtChain, allOperators,
+  rv = mCTDiversityPolicy->GetDependentOperators(builtChain.get(), allOperators,
                                                 dependentOperators);
  if (rv != Success) {
    return rv;
--- a/security/ct/BTVerifier.cpp
+++ b/security/ct/BTVerifier.cpp
@ -10,10 +10,6 @@

 #include <stdint.h>

-#include "mozilla/Assertions.h"
-#include "mozilla/Move.h"
-#include "mozilla/TypeTraits.h"
-
 namespace mozilla { namespace ct {

 using namespace mozilla::pkix;
--- a/security/ct/Buffer.cpp
+++ b/security/ct/Buffer.cpp
@ -6,6 +6,8 @@

 #include "Buffer.h"

+#include <string.h>
+
 namespace mozilla {

 bool
--- a/security/ct/Buffer.h
+++ b/security/ct/Buffer.h
@ -8,6 +8,7 @@
 #define Buffer_h

 #include <vector>
+#include <cstdint>

 namespace mozilla { namespace ct {

--- a/security/ct/CTDiversityPolicy.cpp
+++ b/security/ct/CTDiversityPolicy.cpp
@ -31,7 +31,7 @@ GetCTLogOperatorsFromVerifiedSCTList(const VerifiedSCTList& list,
 }

 Result
-CTDiversityPolicy::GetDependentOperators(const UniqueCERTCertList& builtChain,
+CTDiversityPolicy::GetDependentOperators(const CERTCertList* builtChain,
                                         const CTLogOperatorList& operators,
                                         CTLogOperatorList& dependentOperators)
 {
--- a/security/ct/CTDiversityPolicy.h
+++ b/security/ct/CTDiversityPolicy.h
@ -9,8 +9,8 @@

 #include "CTLog.h"
 #include "CTVerifyResult.h"
+#include "certt.h"
 #include "pkix/Result.h"
-#include "ScopedNSSTypes.h"

 namespace mozilla { namespace ct {

@ -30,7 +30,7 @@ public:
  // issuing the certificate (as defined by the CT Policy).
  //
  // NOTE: TBD, PENDING FINALIZATION OF MOZILLA CT POLICY.
-  pkix::Result GetDependentOperators(const UniqueCERTCertList& builtChain,
+  pkix::Result GetDependentOperators(const CERTCertList* builtChain,
                                     const CTLogOperatorList& operators,
                                     CTLogOperatorList& dependentOperators);
 };
--- a/security/ct/CTLogVerifier.cpp
+++ b/security/ct/CTLogVerifier.cpp
@ -10,8 +10,6 @@

 #include "CTSerialization.h"
 #include "hasht.h"
-#include "mozilla/ArrayUtils.h"
-#include "mozilla/Assertions.h"
 #include "pkix/pkixnss.h"
 #include "pkixutil.h"

@ -68,7 +66,7 @@ public:

  Result CheckECDSACurveIsAcceptable(EndEntityOrCA, NamedCurve curve) override
  {
-    MOZ_ASSERT(mSignatureAlgorithm ==
+    assert(mSignatureAlgorithm ==
      DigitallySigned::SignatureAlgorithm::Anonymous);
    if (curve != NamedCurve::secp256r1) {
      return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
@ -86,7 +84,7 @@ public:
                                            unsigned int modulusSizeInBits)
                                            override
  {
-    MOZ_ASSERT(mSignatureAlgorithm ==
+    assert(mSignatureAlgorithm ==
      DigitallySigned::SignatureAlgorithm::Anonymous);
    // Require RSA keys of at least 2048 bits. See RFC 6962, Section 2.1.4.
    if (modulusSizeInBits < 2048) {
@ -145,7 +143,7 @@ CTLogVerifier::Init(Input subjectPublicKeyInfo,
      break;
    case CTLogStatus::Unknown:
    default:
-      MOZ_ASSERT_UNREACHABLE("Unsupported CTLogStatus");
+      assert(false);
      return Result::FATAL_ERROR_INVALID_ARGS;
  }

@ -266,7 +264,7 @@ static Result
 FasterVerifyECDSASignedDigestNSS(const SignedDigest& sd,
                                 UniqueSECKEYPublicKey& pubkey)
 {
-  MOZ_ASSERT(pubkey);
+  assert(pubkey);
  if (!pubkey) {
    return Result::FATAL_ERROR_LIBRARY_FAILURE;
  }
@ -299,14 +297,14 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
 {
  uint8_t digest[SHA256_LENGTH];
  Result rv = DigestBufNSS(data, DigestAlgorithm::sha256, digest,
-                           ArrayLength(digest));
+                           MOZILLA_CT_ARRAY_LENGTH(digest));
  if (rv != Success) {
    return rv;
  }

  SignedDigest signedDigest;
  signedDigest.digestAlgorithm = DigestAlgorithm::sha256;
-  rv = signedDigest.digest.Init(digest, ArrayLength(digest));
+  rv = signedDigest.digest.Init(digest, MOZILLA_CT_ARRAY_LENGTH(digest));
  if (rv != Success) {
    return rv;
  }
@ -335,7 +333,7 @@ CTLogVerifier::VerifySignature(Input data, Input signature)
    case DigitallySigned::SignatureAlgorithm::Anonymous:
    case DigitallySigned::SignatureAlgorithm::DSA:
    default:
-      MOZ_ASSERT_UNREACHABLE("RSA/ECDSA expected");
+      assert(false);
      return Result::FATAL_ERROR_INVALID_ARGS;
  }
  if (rv != Success) {
--- a/security/ct/CTLogVerifier.h
+++ b/security/ct/CTLogVerifier.h
@ -7,13 +7,15 @@
 #ifndef CTLogVerifier_h
 #define CTLogVerifier_h

+#include <memory>
+
 #include "CTLog.h"
-#include "pkix/Input.h"
-#include "pkix/pkix.h"
-#include "pkix/Result.h"
-#include "ScopedNSSTypes.h"
+#include "CTUtils.h"
 #include "SignedCertificateTimestamp.h"
 #include "SignedTreeHead.h"
+#include "pkix/Input.h"
+#include "pkix/Result.h"
+#include "pkix/pkix.h"

 namespace mozilla { namespace ct {

--- a/security/ct/CTObjectsExtractor.cpp
+++ b/security/ct/CTObjectsExtractor.cpp
@ -6,14 +6,10 @@

 #include "CTObjectsExtractor.h"

+#include <limits>
 #include <vector>

 #include "hasht.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/Casting.h"
-#include "mozilla/Move.h"
-#include "mozilla/PodOperations.h"
-#include "mozilla/RangedPtr.h"
 #include "pkix/pkixnss.h"
 #include "pkixutil.h"

@ -33,7 +29,7 @@ public:
  Output(uint8_t* buffer, size_t length)
    : begin(buffer)
    , end(buffer + length)
-    , current(buffer, begin, end)
+    , current(begin)
    , overflowed(false)
  {
  }
@ -58,17 +54,17 @@ public:

  Result GetInput(/*out*/ Input& input) const
  {
-    if (overflowed) {
+    if (overflowed || current < begin) {
      return Result::FATAL_ERROR_INVALID_STATE;
    }
-    size_t length = AssertedCast<size_t>(current.get() - begin);
+    size_t length = static_cast<size_t>(current - begin);
    return input.Init(begin, length);
  }

 private:
  uint8_t* begin;
  uint8_t* end;
-  RangedPtr<uint8_t> current;
+  uint8_t* current;
  bool overflowed;

  Output(const Output&) = delete;
@ -76,14 +72,17 @@ private:

  void Write(const uint8_t* data, size_t length)
  {
-    size_t available = AssertedCast<size_t>(end - current.get());
+    if (end < current) {
+      overflowed = true;
+    }
+    size_t available = static_cast<size_t>(end - current);
    if (available < length) {
      overflowed = true;
    }
    if (overflowed) {
      return;
    }
-    PodCopy(current.get(), data, length);
+    memcpy(current, data, length);
    current += length;
  }
 };
@ -122,6 +121,15 @@ static const size_t MAX_TLV_HEADER_LENGTH = 4;
 static const uint8_t EXTENSIONS_CONTEXT_TAG =
  der::CONTEXT_SPECIFIC | der::CONSTRUCTED | 3;

+Result
+CheckForInputSizeTypeOverflow(size_t length)
+{
+  if (length > std::numeric_limits<Input::size_type>::max()) {
+    return Result::FATAL_ERROR_INVALID_STATE;
+  }
+  return Success;
+}
+
 // Given a leaf certificate, extracts the DER-encoded TBSCertificate component
 // of the corresponding Precertificate.
 // Basically, the extractor needs to remove the embedded SCTs extension
@ -278,9 +286,17 @@ private:
      if (rv != Success) {
        return rv;
      }
+      // Since we're getting these extensions from a certificate that has
+      // already fit in an Input, this shouldn't overflow.
+      size_t extensionsContextLengthAsSizeT =
+        static_cast<size_t>(extensionsHeader.GetLength()) +
+        static_cast<size_t>(extensionsValueLength);
+      rv = CheckForInputSizeTypeOverflow(extensionsContextLengthAsSizeT);
+      if (rv != Success) {
+        return rv;
+      }
      Input::size_type extensionsContextLength =
-        AssertedCast<Input::size_type>(extensionsHeader.GetLength() +
-                                       extensionsValueLength);
+        static_cast<Input::size_type>(extensionsContextLengthAsSizeT);
      rv = MakeTLVHeader(EXTENSIONS_CONTEXT_TAG,
                         extensionsContextLength,
                         extensionsContextHeaderBuffer,
@ -288,11 +304,17 @@ private:
      if (rv != Success) {
        return rv;
      }
+      size_t tbsLengthAsSizeT =
+        static_cast<size_t>(mTLVsBeforeExtensions.GetLength()) +
+        static_cast<size_t>(extensionsContextHeader.GetLength()) +
+        static_cast<size_t>(extensionsHeader.GetLength()) +
+        static_cast<size_t>(extensionsValueLength);
+      rv = CheckForInputSizeTypeOverflow(tbsLengthAsSizeT);
+      if (rv != Success) {
+        return rv;
+      }
      Input::size_type tbsLength =
-        AssertedCast<Input::size_type>(mTLVsBeforeExtensions.GetLength() +
-                                       extensionsContextHeader.GetLength() +
-                                       extensionsHeader.GetLength() +
-                                       extensionsValueLength);
+        static_cast<Input::size_type>(tbsLengthAsSizeT);
      rv = MakeTLVHeader(der::SEQUENCE, tbsLength, tbsHeaderBuffer, tbsHeader);
      if (rv != Success) {
        return rv;
@ -327,14 +349,14 @@ private:
    Output output(buffer);
    output.Write(tag);
    if (length < 128) {
-      output.Write(AssertedCast<uint8_t>(length));
+      output.Write(static_cast<uint8_t>(length));
    } else if (length < 256) {
      output.Write(0x81u);
-      output.Write(AssertedCast<uint8_t>(length));
+      output.Write(static_cast<uint8_t>(length));
    } else if (length < 65536) {
      output.Write(0x82u);
-      output.Write(AssertedCast<uint8_t>(length / 256));
-      output.Write(AssertedCast<uint8_t>(length % 256));
+      output.Write(static_cast<uint8_t>(length / 256));
+      output.Write(static_cast<uint8_t>(length % 256));
    } else {
      return Result::FATAL_ERROR_INVALID_ARGS;
    }
@ -352,8 +374,8 @@ Result
 GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
                   LogEntry& output)
 {
-  MOZ_ASSERT(leafCertificate.GetLength() > 0);
-  MOZ_ASSERT(issuerSubjectPublicKeyInfo.GetLength() > 0);
+  assert(leafCertificate.GetLength() > 0);
+  assert(issuerSubjectPublicKeyInfo.GetLength() > 0);
  output.Reset();

  Buffer precertTBSBuffer;
@ -367,8 +389,8 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
    return rv;
  }
  Input precertTBS(extractor.GetPrecertTBS());
-  MOZ_ASSERT(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
-  MOZ_ASSERT(precertTBS.GetLength() <= precertTBSBuffer.size());
+  assert(precertTBS.UnsafeGetData() == precertTBSBuffer.data());
+  assert(precertTBS.GetLength() <= precertTBSBuffer.size());
  precertTBSBuffer.resize(precertTBS.GetLength());

  output.type = LogEntry::Type::Precert;
@ -383,7 +405,7 @@ GetPrecertLogEntry(Input leafCertificate, Input issuerSubjectPublicKeyInfo,
 void
 GetX509LogEntry(Input leafCertificate, LogEntry& output)
 {
-  MOZ_ASSERT(leafCertificate.GetLength() > 0);
+  assert(leafCertificate.GetLength() > 0);
  output.Reset();
  output.type = LogEntry::Type::X509;
  InputToBuffer(leafCertificate, output.leafCertificate);
--- a/security/ct/CTPolicyEnforcer.cpp
+++ b/security/ct/CTPolicyEnforcer.cpp
@ -10,12 +10,6 @@
 #include <stdint.h>
 #include <vector>

-#include "mozilla/ArrayUtils.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/Logging.h"
-
-extern mozilla::LazyLogModule gCertVerifierLog;
-
 namespace mozilla { namespace ct {

 using namespace mozilla::pkix;
@ -222,9 +216,6 @@ CheckNonEmbeddedCompliance(const VerifiedSCTList& verifiedScts, bool& compliant)
      return verifiedSct.status == VerifiedSCT::Status::Valid;
    });

-  MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-          ("CT Policy non-embedded case status: validSCTs=%zu\n",
-           validSctsCount));
  compliant = validSctsCount >= 2;
 }

@ -259,11 +250,6 @@ CheckEmbeddedCompliance(const VerifiedSCTList& verifiedScts,
  size_t requiredSctsCount =
    GetRequiredEmbeddedSctsCount(certLifetimeInCalendarMonths);

-  MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-          ("CT Policy embedded case status: "
-           "requiredSCTs=%zu embeddedSCTs=%zu\n",
-           requiredSctsCount, embeddedSctsCount));
-
  compliant = embeddedSctsCount >= requiredSctsCount;
 }

@ -278,25 +264,13 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,
  bool diversityOK;
  CheckOperatorDiversityCompliance(verifiedScts, certIssuanceTime,
                                   dependentOperators, diversityOK);
-  if (diversityOK) {
-    MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-            ("CT Policy: diversity satisfied\n"));
-  }

  bool nonEmbeddedCaseOK;
  CheckNonEmbeddedCompliance(verifiedScts, nonEmbeddedCaseOK);
-  if (nonEmbeddedCaseOK) {
-    MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-            ("CT Policy: non-embedded case satisfied)\n"));
-  }

  bool embeddedCaseOK;
  CheckEmbeddedCompliance(verifiedScts, certLifetimeInCalendarMonths,
                          certIssuanceTime, embeddedCaseOK);
-  if (embeddedCaseOK) {
-    MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-            ("CT Policy: embedded case satisfied\n"));
-  }

  if (nonEmbeddedCaseOK || embeddedCaseOK) {
    compliance = diversityOK ? CTPolicyCompliance::Compliant
@ -308,20 +282,12 @@ CTPolicyEnforcer::CheckCompliance(const VerifiedSCTList& verifiedScts,

  switch (compliance) {
    case CTPolicyCompliance::Compliant:
-      MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-                ("CT Policy compliance: Compliant\n"));
-      break;
    case CTPolicyCompliance::NotEnoughScts:
-      MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-                ("CT Policy compliance: NotEnoughScts\n"));
-      break;
    case CTPolicyCompliance::NotDiverseScts:
-      MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
-                ("CT Policy compliance: NotDiverseScts\n"));
      break;
    case CTPolicyCompliance::Unknown:
    default:
-      MOZ_ASSERT_UNREACHABLE("Unexpected CTPolicyCompliance type");
+      assert(false);
  }
 }

--- a/security/ct/CTSerialization.cpp
+++ b/security/ct/CTSerialization.cpp
@ -8,10 +8,7 @@
 #include "CTUtils.h"

 #include <stdint.h>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/Move.h"
-#include "mozilla/TypeTraits.h"
+#include <type_traits>

 namespace mozilla { namespace ct {

@ -77,7 +74,7 @@ Result
 ReadUint(Reader& in, T& out)
 {
  uint64_t value;
-  static_assert(mozilla::IsUnsigned<T>::value, "T must be unsigned");
+  static_assert(std::is_unsigned<T>::value, "T must be unsigned");
  static_assert(length <= 8, "At most 8 byte integers can be read");
  static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
  Result rv = UncheckedReadUint(length, in, value);
@ -198,7 +195,7 @@ WriteUint(T value, Buffer& output)
 {
  static_assert(length <= 8, "At most 8 byte integers can be written");
  static_assert(sizeof(T) >= length, "T must be able to hold <length> bytes");
-  if (mozilla::IsSigned<T>::value) {
+  if (std::is_signed<T>::value) {
    // We accept signed integer types assuming the actual value is non-negative.
    if (value < 0) {
      return Result::FATAL_ERROR_INVALID_ARGS;
@ -363,7 +360,7 @@ EncodeLogEntry(const LogEntry& entry, Buffer& output)
    case LogEntry::Type::Precert:
      return EncodePrecertLogEntry(entry, output);
    default:
-      MOZ_ASSERT_UNREACHABLE("Unexpected LogEntry type");
+      assert(false);
  }
  return Result::ERROR_BAD_DER;
 }
--- a/security/ct/CTUtils.h
+++ b/security/ct/CTUtils.h
@ -7,9 +7,48 @@
 #ifndef CTUtils_h
 #define CTUtils_h

+#include <memory>
+
+#include "cryptohi.h"
+#include "keyhi.h"
+#include "keythi.h"
+#include "pk11pub.h"
 #include "pkix/Input.h"
 #include "pkix/Result.h"

+#define MOZILLA_CT_ARRAY_LENGTH(x) (sizeof(x) / sizeof((x)[0]))
+
+struct DeleteHelper
+{
+  void operator()(CERTSubjectPublicKeyInfo* value)
+  {
+    SECKEY_DestroySubjectPublicKeyInfo(value);
+  }
+  void operator()(PK11SlotInfo* value) { PK11_FreeSlot(value); }
+  void operator()(SECKEYPublicKey* value) { SECKEY_DestroyPublicKey(value); }
+  void operator()(SECItem* value) { SECITEM_FreeItem(value, true); }
+};
+
+template <class T>
+struct MaybeDeleteHelper
+{
+  void operator()(T* ptr)
+  {
+    if (ptr) {
+      DeleteHelper del;
+      del(ptr);
+    }
+  }
+};
+
+typedef std::unique_ptr<CERTSubjectPublicKeyInfo, MaybeDeleteHelper<CERTSubjectPublicKeyInfo>>
+  UniqueCERTSubjectPublicKeyInfo;
+typedef std::unique_ptr<PK11SlotInfo, MaybeDeleteHelper<PK11SlotInfo>>
+  UniquePK11SlotInfo;
+typedef std::unique_ptr<SECKEYPublicKey, MaybeDeleteHelper<SECKEYPublicKey>>
+  UniqueSECKEYPublicKey;
+typedef std::unique_ptr<SECItem, MaybeDeleteHelper<SECItem>> UniqueSECItem;
+
 namespace mozilla { namespace ct {

 // Reads a TLS-encoded variable length unsigned integer from |in|.
--- a/security/ct/MultiLogCTVerifier.cpp
+++ b/security/ct/MultiLogCTVerifier.cpp
@ -8,8 +8,6 @@

 #include "CTObjectsExtractor.h"
 #include "CTSerialization.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/Move.h"

 namespace mozilla { namespace ct {

@ -40,7 +38,7 @@ MultiLogCTVerifier::Verify(Input cert,
                           Time time,
                           CTVerifyResult& result)
 {
-  MOZ_ASSERT(cert.GetLength() > 0);
+  assert(cert.GetLength() > 0);
  result.Reset();

  Result rv;
--- a/security/ct/moz.build
+++ b/security/ct/moz.build
@ -44,6 +44,9 @@ TEST_DIRS += [
    'tests/gtest',
 ]

+if not CONFIG['MOZ_DEBUG']:
+    DEFINES['NDEBUG'] = True
+
 if CONFIG['CC_TYPE'] == 'clang-cl':
    # -Wall on clang-cl maps to -Weverything, which turns on way too
    # much, so we're passing through -Wall using -Xclang.
@ -71,11 +74,6 @@ if CONFIG['CC_TYPE'] == 'msvc':
                   # class copy constructor is inaccessible or deleted
        '-wd4626', # assignment operator could not be generated because a base
                   # class assignment operator is inaccessible or deleted
-        '-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
-                   # what would be the digraph "<:" in the expression
-                   # "mozilla::EnableIf<::detail::...". Since we don't want it
-                   # interpreted as a digraph anyway, we can disable the
-                   # warning.)
        '-wd4640', # construction of local static object is not thread-safe
        '-wd4710', # 'function': function not inlined
        '-wd4711', # function 'function' selected for inline expansion
--- a/security/ct/tests/gtest/CTLogVerifierTest.cpp
+++ b/security/ct/tests/gtest/CTLogVerifierTest.cpp
@ -20,7 +20,9 @@ public:
  void SetUp() override
  {
    // Does nothing if NSS is already initialized.
-    MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
+    if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+      abort();
+    }

    ASSERT_EQ(Success, mLog.Init(InputForBuffer(GetTestPublicKey()),
                                 -1 /*operator id*/,
--- a/security/ct/tests/gtest/CTObjectsExtractorTest.cpp
+++ b/security/ct/tests/gtest/CTObjectsExtractorTest.cpp
@ -21,7 +21,9 @@ public:
  void SetUp() override
  {
    // Does nothing if NSS is already initialized.
-    MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
+    if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+      abort();
+    }

    mTestCert = GetDEREncodedX509Cert();
    mEmbeddedCert = GetDEREncodedTestEmbeddedCert();
--- a/security/ct/tests/gtest/CTPolicyEnforcerTest.cpp
+++ b/security/ct/tests/gtest/CTPolicyEnforcerTest.cpp
@ -10,13 +10,12 @@
 #include <stdint.h>
 #include <stdio.h>

+#include "CTLogVerifier.h"
 #include "CTVerifyResult.h"
+#include "SignedCertificateTimestamp.h"
 #include "gtest/gtest.h"
 #include "hasht.h"
-#include "mozilla/ArrayUtils.h"
-#include "mozilla/Assertions.h"
 #include "prtime.h"
-#include "SignedCertificateTimestamp.h"

 // Implemented in CertVerifier.cpp.
 extern mozilla::pkix::Result
@ -42,7 +41,7 @@ public:
    logId.resize(SHA256_LENGTH);
    std::fill(logId.begin(), logId.end(), 0);
    // Just raw-copy |logId| into the output buffer.
-    MOZ_ASSERT(sizeof(logNo) <= logId.size());
+    assert(sizeof(logNo) <= logId.size());
    memcpy(logId.data(), &logNo, sizeof(logNo));
  }

@ -341,7 +340,7 @@ TEST_F(CTPolicyEnforcerTest,
    { 3*12 + 4, 5 }
  };

-  for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
+  for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
    SCOPED_TRACE(i);

    size_t months = kTestData[i].certLifetimeInCalendarMonths;
@ -401,7 +400,7 @@ TEST_F(CTPolicyEnforcerTest, TestEdgeCasesOfGetCertLifetimeInFullMonths)
      12 }
  };

-  for (size_t i = 0; i < ArrayLength(kTestData); ++i) {
+  for (size_t i = 0; i < MOZILLA_CT_ARRAY_LENGTH(kTestData); ++i) {
    SCOPED_TRACE(i);

    size_t months;
--- a/security/ct/tests/gtest/CTSerializationTest.cpp
+++ b/security/ct/tests/gtest/CTSerializationTest.cpp
@ -7,7 +7,6 @@
 #include "CTSerialization.h"
 #include "CTTestUtils.h"
 #include "gtest/gtest.h"
-#include "mozilla/Move.h"

 namespace mozilla { namespace ct {

--- a/security/ct/tests/gtest/CTTestUtils.cpp
+++ b/security/ct/tests/gtest/CTTestUtils.cpp
@ -12,9 +12,6 @@
 #include "BTInclusionProof.h"
 #include "CTSerialization.h"
 #include "gtest/gtest.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/Move.h"
-#include "mozilla/Vector.h"
 #include "pkix/Input.h"
 #include "pkix/pkix.h"
 #include "pkix/pkixnss.h"
@ -435,15 +432,16 @@ CharToByte(char c)
  } else if (c >= 'A' && c <= 'F') {
    return c - 'A' + 10;
  }
-  MOZ_RELEASE_ASSERT(false);
-  return 0;
+  abort();
 }

 static Buffer
 HexToBytes(const char* hexData)
 {
  size_t hexLen = strlen(hexData);
-  MOZ_RELEASE_ASSERT(hexLen > 0 && (hexLen % 2 == 0));
+  if (!(hexLen > 0 && (hexLen % 2 == 0))) {
+    abort();
+  }
  size_t resultLen = hexLen / 2;
  Buffer result;
  result.reserve(resultLen);
@ -715,7 +713,9 @@ Buffer
 ExtractCertSPKI(Input cert)
 {
  BackCert backCert(cert, EndEntityOrCA::MustBeEndEntity, nullptr);
-  MOZ_RELEASE_ASSERT(backCert.Init() == Success);
+  if (backCert.Init() != Success) {
+    abort();
+  }

  Input spkiInput = backCert.GetSubjectPublicKeyInfo();
  Buffer spki;
@ -874,15 +874,18 @@ Input
 InputForBuffer(const Buffer& buffer)
 {
  Input input;
-  MOZ_RELEASE_ASSERT(Success == input.Init(buffer.data(), buffer.size()));
+  if (input.Init(buffer.data(), buffer.size()) != Success) {
+    abort();
+  }
  return input;
 }

 Input InputForSECItem(const SECItem& item)
 {
  Input input;
-  MOZ_RELEASE_ASSERT(Success ==
-                     input.Init(item.data, item.len));
+  if (input.Init(item.data, item.len) != Success) {
+    abort();
+  }
  return input;
 }

--- a/security/ct/tests/gtest/MultiLogCTVerifierTest.cpp
+++ b/security/ct/tests/gtest/MultiLogCTVerifierTest.cpp
@ -13,8 +13,6 @@
 #include "CTSerialization.h"
 #include "CTTestUtils.h"
 #include "gtest/gtest.h"
-#include "mozilla/EnumSet.h"
-#include "mozilla/Move.h"
 #include "nss.h"

 namespace mozilla { namespace ct {
@ -32,7 +30,9 @@ public:
  void SetUp() override
  {
    // Does nothing if NSS is already initialized.
-    MOZ_RELEASE_ASSERT(NSS_NoDB_Init(nullptr) == SECSuccess);
+    if (NSS_NoDB_Init(nullptr) != SECSuccess) {
+      abort();
+    }

    CTLogVerifier log;
    ASSERT_EQ(Success, log.Init(InputForBuffer(GetTestPublicKey()),
@ -203,14 +203,23 @@ TEST_F(MultiLogCTVerifierTest, VerifiesSCTFromMultipleSources)
                             mNow, result));

  // The result should contain verified SCTs from TLS and OCSP origins.
-  EnumSet<VerifiedSCT::Origin> origins;
+  size_t embeddedCount = 0;
+  size_t tlsExtensionCount = 0;
+  size_t ocspResponseCount = 0;
  for (const VerifiedSCT& verifiedSct : result.verifiedScts) {
    EXPECT_EQ(VerifiedSCT::Status::Valid, verifiedSct.status);
-    origins += verifiedSct.origin;
+    switch (verifiedSct.origin) {
+      case VerifiedSCT::Origin::Embedded: embeddedCount++; break;
+      case VerifiedSCT::Origin::TLSExtension: tlsExtensionCount++; break;
+      case VerifiedSCT::Origin::OCSPResponse: ocspResponseCount++; break;
+      case VerifiedSCT::Origin::Unknown:
+      default:
+        ASSERT_TRUE(false);
+    }
  }
-  EXPECT_FALSE(origins.contains(VerifiedSCT::Origin::Embedded));
-  EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::OCSPResponse));
-  EXPECT_TRUE(origins.contains(VerifiedSCT::Origin::TLSExtension));
+  EXPECT_EQ(embeddedCount, 0u);
+  EXPECT_TRUE(tlsExtensionCount > 0);
+  EXPECT_TRUE(ocspResponseCount > 0);
 }

 TEST_F(MultiLogCTVerifierTest, IdentifiesSCTFromUnknownLog)
--- a/security/ct/tests/gtest/moz.build
+++ b/security/ct/tests/gtest/moz.build
@ -21,4 +21,7 @@ LOCAL_INCLUDES += [
    '/security/pkix/lib',
 ]

+if not CONFIG['MOZ_DEBUG']:
+    DEFINES['NDEBUG'] = True
+
 FINAL_LIBRARY = 'xul-gtest'