Bug 1345368 - land NSS 0c3800b6eaba UPGRADE_NSS_RELEASE, r=me

security/nss/TAG-INFO

@@ -1 +1 @@
-57e38a8407b3
+0c3800b6eaba

security/nss/automation/abi-check/expected-report-libnss3.so.txt

@@ -0,0 +1,12 @@
+Functions changes summary: 0 Removed, 0 Changed, 6 Added functions
+Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
+
+6 Added functions:
+
+  'function SECStatus CERT_GetCertIsPerm(const CERTCertificate*, PRBool*)'    {CERT_GetCertIsPerm@@NSS_3.31}
+  'function SECStatus CERT_GetCertIsTemp(const CERTCertificate*, PRBool*)'    {CERT_GetCertIsTemp@@NSS_3.31}
+  'function CERTCertificate* PK11_FindCertFromURI(const char*, void*)'    {PK11_FindCertFromURI@@NSS_3.31}
+  'function CERTCertList* PK11_FindCertsFromURI(const char*, void*)'    {PK11_FindCertsFromURI@@NSS_3.31}
+  'function char* PK11_GetModuleURI(SECMODModule*)'    {PK11_GetModuleURI@@NSS_3.31}
+  'function char* PK11_GetTokenURI()'    {PK11_GetTokenURI@@NSS_3.31}
+

security/nss/automation/abi-check/expected-report-libnssutil3.so.txt

@@ -0,0 +1,12 @@
+Functions changes summary: 0 Removed, 0 Changed, 6 Added functions
+Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
+
+6 Added functions:
+
+  'function void PK11URI_CreateURI(size_t, size_t)'    {PK11URI_CreateURI@@NSSUTIL_3.31}
+  'function void PK11URI_DestroyURI()'    {PK11URI_DestroyURI@@NSSUTIL_3.31}
+  'function char* PK11URI_FormatURI()'    {PK11URI_FormatURI@@NSSUTIL_3.31}
+  'function const char* PK11URI_GetPathAttribute(const char*)'    {PK11URI_GetPathAttribute@@NSSUTIL_3.31}
+  'function const char* PK11URI_GetQueryAttribute(const char*)'    {PK11URI_GetQueryAttribute@@NSSUTIL_3.31}
+  'function void PK11URI_ParseURI(const char*)'    {PK11URI_ParseURI@@NSSUTIL_3.31}
+

security/nss/automation/abi-check/expected-report-libssl3.so.txt

@@ -0,0 +1,14 @@
+Functions changes summary: 0 Removed, 1 Changed, 0 Added function
+Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
+
+1 function with some indirect sub-type change:
+
+  [C]'function SECStatus SSL_GetPreliminaryChannelInfo(SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:115:1 has some indirect sub-type changes:
+    parameter 1 of type 'SSLPreliminaryChannelInfo*' has sub-type changes:
+      in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:318:1:
+        underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:287:1 changed:
+          type size changed from 128 to 160 bits
+          1 data member insertion:
+            'PRUint32 SSLPreliminaryChannelInfoStr::maxEarlyDataSize', at offset 128 (in bits) at sslt.h:314:1
+
+

security/nss/automation/abi-check/previous-nspr-release

@@ -0,0 +1 @@
+NSPR_4_14_BRANCH

security/nss/automation/abi-check/previous-nss-release

@@ -0,0 +1 @@
+NSS_3_30_BRANCH

security/nss/automation/buildbot-slave/build.sh

@@ -19,6 +19,9 @@ proc_args()
             "--test-nss")
                 TEST_NSS=1
                 ;;
+            "--check-abi")
+                CHECK_ABI=1
+                ;;
             "--build-jss")
                 BUILD_JSS=1
                 ;;
@@ -40,6 +43,7 @@ proc_args()
                 echo "    --build-jss"
                 echo "    --test-nss"
                 echo "    --test-jss"
+                echo "    --check-abi"
                 exit 1
                 ;;
         esac 
@@ -215,6 +219,71 @@ test_nss()
     return ${RET}
 }
 
+check_abi()
+{
+    print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########"
+    rm -rf ${HGDIR}/baseline
+    mkdir ${HGDIR}/baseline
+    BASE_NSPR=`cat ${HGDIR}/nss/automation/abi-check/previous-nspr-release`
+    BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release`
+
+    print_log "######## creating temporary HG clones ########"
+
+    hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr"
+    if [ $? -ne 0 ]; then
+        echo "invalid tag in automation/abi-check/previous-nspr-release"
+        return 1
+    fi
+    hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss"
+    if [ $? -ne 0 ]; then
+        echo "invalid tag in automation/abi-check/previous-nss-release"
+        return 1
+    fi
+
+    print_log "######## building older NSPR/NSS ########"
+
+    print_log "$ pushd ${HGDIR}/baseline/nss"
+    pushd ${HGDIR}/baseline/nss
+
+    print_log "$ ${MAKE} ${NSS_BUILD_TARGET}"
+    #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}"
+    ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL}
+    RET=$?
+    print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0
+
+    if [ ${RET} -ne 0 ]; then
+        tail -100 ${LOG_ALL}
+        return ${RET}
+    fi
+
+    print_log "$ popd"
+    popd
+
+    ABI_REPORT=${OUTPUTDIR}/abi-diff.txt
+    rm -f ${ABI_REPORT}
+    PREVDIST=${HGDIR}/baseline/dist
+    NEWDIST=${HGDIR}/dist
+    ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so"
+    for SO in ${ALL_SOs}; do
+        if [ ! -f nss/automation/abi-check/expected-report-$SO.txt ]; then
+            touch nss/automation/abi-check/expected-report-$SO.txt
+        fi
+        abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \
+            $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \
+            > nss/automation/abi-check/new-report-$SO.txt
+        diff -u nss/automation/abi-check/expected-report-$SO.txt \
+                nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT}
+    done
+
+    if [ -s ${ABI_REPORT} ]; then
+        print_log "FAILED: there are new unexpected ABI changes"
+        cat ${ABI_REPORT}
+        return 1
+    fi
+
+    return 0
+}
+
 test_jss()
 {
     print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########"
@@ -288,6 +357,11 @@ build_and_test()
         [ $? -eq 0 ] || return 1
     fi
 
+    if [ -n "${CHECK_ABI}" ]; then
+        check_abi
+        [ $? -eq 0 ] || return 1
+    fi
+
     if [ -n "${BUILD_JSS}" ]; then
         create_objdir_dist_link
         build_jss
@@ -360,6 +434,7 @@ main()
 {
     VALID=0
     RET=1
+    FAIL=0
 
     for BITS in 32 64; do
         echo ${RUN_BITS} | grep ${BITS} > /dev/null
@@ -372,7 +447,10 @@ main()
             set_env
             run_all
             RET=$?
-	    print_log "### result of run_all is ${RET}"
+            print_log "### result of run_all is ${RET}"
+            if [ ${RET} -ne 0 ]; then
+                FAIL=${RET}
+            fi
         done
     done
 
@@ -381,7 +459,7 @@ main()
         return 1
     fi
 
-    return ${RET}
+    return ${FAIL}
 }
 
 #function killallsub()
@@ -409,6 +487,8 @@ echo "tinderbox args: $0 $@"
 proc_args "$@"
 main
 
-#RET=$?
+RET=$?
+print_log "### result of main is ${RET}"
+
 #rm $IS_RUNNING_FILE
-#exit ${RET}
+exit ${RET}

security/nss/automation/release/nspr-version.txt

@@ -0,0 +1,10 @@
+4.15
+
+# The first line of this file must contain the human readable NSPR
+# version number, which is the minimum required version of NSPR
+# that is supported by this version of NSS.
+#
+# This information is used by release automation,
+# when creating an NSS source archive.
+#
+# All other lines in this file are ignored.

security/nss/automation/release/nss-release-helper.py

@@ -171,11 +171,13 @@ def set_4_digit_release_number():
     set_all_lib_versions(version, major, minor, patch, build)
 
 def create_nss_release_archive():
-    ensure_arguments_after_action(4, "nss_release_version  nss_hg_release_tag  nspr_release_version  path_to_stage_directory")
+    ensure_arguments_after_action(3, "nss_release_version  nss_hg_release_tag  path_to_stage_directory")
     nssrel = args[1].strip() #e.g. 3.19.3
     nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM
-    nsprrel = args[3].strip() #e.g. 4.10.8
-    stagedir = args[4].strip() #e.g. ../stage
+    stagedir = args[3].strip() #e.g. ../stage
+
+    with open('automation/release/nspr-version.txt') as nspr_version_file:
+        nsprrel = next(nspr_version_file).strip()
 
     nspr_tar = "nspr-" + nsprrel + ".tar.gz"
     nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar

security/nss/automation/taskcluster/docker-fuzz/setup.sh

@@ -22,6 +22,10 @@ apt_packages+=('ninja-build')
 apt_packages+=('pkg-config')
 apt_packages+=('zlib1g-dev')
 
+# 32-bit builds
+apt_packages+=('gcc-multilib')
+apt_packages+=('g++-multilib')
+
 # Latest Mercurial.
 apt_packages+=('mercurial')
 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 41BD8711B1F0EC2B0D85B91CF59CE3A8323293EE
@@ -31,6 +35,11 @@ echo "deb http://ppa.launchpad.net/mercurial-ppa/releases/ubuntu xenial main" >
 apt-get -y update
 apt-get install -y --no-install-recommends ${apt_packages[@]}
 
+# 32-bit builds
+dpkg --add-architecture i386
+apt-get -y update
+apt-get install -y --no-install-recommends libssl-dev:i386
+
 # Install LLVM/clang-4.0.
 mkdir clang-tmp
 git clone -n --depth 1 https://chromium.googlesource.com/chromium/src/tools/clang clang-tmp/clang

security/nss/automation/taskcluster/graph/src/extend.js

@@ -63,11 +63,6 @@ queue.filter(task => {
     if (task.collection == "make") {
       return false;
     }
-
-    // Disable mpi tests for now on 32-bit builds (bug 1362392)
-    if (task.platform == "linux32") {
-      return false;
-    }
   }
 
 
@@ -168,6 +163,7 @@ export default async function main() {
   });
 
   await scheduleFuzzing();
+  await scheduleFuzzing32();
 
   await scheduleTools();
 
@@ -415,6 +411,110 @@ async function scheduleFuzzing() {
   return queue.submit();
 }
 
+async function scheduleFuzzing32() {
+  let base = {
+    env: {
+      ASAN_OPTIONS: "allocator_may_return_null=1:detect_stack_use_after_return=1",
+      UBSAN_OPTIONS: "print_stacktrace=1",
+      NSS_DISABLE_ARENA_FREE_LIST: "1",
+      NSS_DISABLE_UNLOAD: "1",
+      CC: "clang",
+      CCC: "clang++"
+    },
+    features: ["allowPtrace"],
+    platform: "linux32",
+    collection: "fuzz",
+    image: FUZZ_IMAGE
+  };
+
+  // Build base definition.
+  let build_base = merge({
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && " +
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz -m32"
+    ],
+    artifacts: {
+      public: {
+        expires: 24 * 7,
+        type: "directory",
+        path: "/home/worker/artifacts"
+      }
+    },
+    kind: "build",
+    symbol: "B"
+  }, base);
+
+  // The task that builds NSPR+NSS.
+  let task_build = queue.scheduleTask(merge(build_base, {
+    name: "Linux 32 (debug, fuzz)"
+  }));
+
+  // The task that builds NSPR+NSS (TLS fuzzing mode).
+  let task_build_tls = queue.scheduleTask(merge(build_base, {
+    name: "Linux 32 (debug, TLS fuzz)",
+    symbol: "B",
+    group: "TLS",
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && " +
+      "nss/automation/taskcluster/scripts/build_gyp.sh -g -v --fuzz=tls -m32"
+    ],
+  }));
+
+  // Schedule tests.
+  queue.scheduleTask(merge(base, {
+    parent: task_build_tls,
+    name: "Gtests",
+    command: [
+      "/bin/bash",
+      "-c",
+      "bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
+    ],
+    env: {GTESTFILTER: "*Fuzz*"},
+    tests: "ssl_gtests gtests",
+    cycle: "standard",
+    symbol: "Gtest",
+    kind: "test"
+  }));
+
+  // Schedule fuzzing runs.
+  let run_base = merge(base, {parent: task_build, kind: "test"});
+  scheduleFuzzingRun(run_base, "CertDN", "certDN", 4096);
+  scheduleFuzzingRun(run_base, "QuickDER", "quickder", 10000);
+
+  // Schedule MPI fuzzing runs.
+  let mpi_base = merge(run_base, {group: "MPI"});
+  let mpi_names = ["add", "addmod", "div", "expmod", "mod", "mulmod", "sqr",
+                   "sqrmod", "sub", "submod"];
+  for (let name of mpi_names) {
+    scheduleFuzzingRun(mpi_base, `MPI (${name})`, `mpi-${name}`, 4096, name);
+  }
+  scheduleFuzzingRun(mpi_base, `MPI (invmod)`, `mpi-invmod`, 256, "invmod");
+
+  // Schedule TLS fuzzing runs (non-fuzzing mode).
+  let tls_base = merge(run_base, {group: "TLS"});
+  scheduleFuzzingRun(tls_base, "TLS Client", "tls-client", 20000, "client-nfm",
+                     "tls-client-no_fuzzer_mode");
+  scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm",
+                     "tls-server-no_fuzzer_mode");
+  scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000,
+                     "dtls-client-nfm", "dtls-client-no_fuzzer_mode");
+  scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000,
+                     "dtls-server-nfm", "dtls-server-no_fuzzer_mode");
+
+  // Schedule TLS fuzzing runs (fuzzing mode).
+  let tls_fm_base = merge(tls_base, {parent: task_build_tls});
+  scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client");
+  scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server");
+  scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client");
+  scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server");
+
+  return queue.submit();
+}
+
 /*****************************************************************************/
 
 async function scheduleTestBuilds(base, args = "") {

security/nss/automation/taskcluster/graph/src/try_syntax.js

@@ -23,7 +23,7 @@ function parseOptions(opts) {
 
   // Parse platforms.
   let allPlatforms = ["linux", "linux64", "linux64-asan", "win64",
-                      "linux64-make", "linux-make", "linux64-fuzz", "aarch64"];
+                      "linux64-make", "linux-make", "linux-fuzz", "linux64-fuzz", "aarch64"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.
@@ -104,6 +104,7 @@ function filter(opts) {
     let found = opts.platforms.some(platform => {
       let aliases = {
         "linux": "linux32",
+        "linux-fuzz": "linux32",
         "linux64-asan": "linux64",
         "linux64-fuzz": "linux64",
         "linux64-make": "linux64",
@@ -119,7 +120,7 @@ function filter(opts) {
         keep &= coll("asan");
       } else if (platform == "linux64-make" || platform == "linux-make") {
         keep &= coll("make");
-      } else if (platform == "linux64-fuzz") {
+      } else if (platform == "linux64-fuzz" || platform == "linux-fuzz") {
         keep &= coll("fuzz");
       } else {
         keep &= coll("opt") || coll("debug");

security/nss/cmd/crmftest/testcrmf.c

@@ -1261,11 +1261,13 @@ DoChallengeResponse(SECKEYPrivateKey *privKey,
             return 908;
         }
         keyID = PK11_MakeIDFromPubKey(publicValue);
+        SECITEM_FreeItem(publicValue, PR_TRUE);
         if (keyID == NULL) {
             printf("Could not make the keyID from the public value\n");
             return 909;
         }
         foundPrivKey = PK11_FindKeyByKeyID(privKey->pkcs11Slot, keyID, &pwdata);
+        SECITEM_FreeItem(keyID, PR_TRUE);
         if (foundPrivKey == NULL) {
             printf("Could not find the private key corresponding to the public"
                    " value.\n");

security/nss/cmd/mpitests/mpitests.gyp

@@ -31,7 +31,18 @@
     'include_dirs': [
       '<(DEPTH)/lib/freebl/mpi',
       '<(DEPTH)/lib/util',
-    ]
+    ],
+    # This uses test builds and has to set defines for MPI.
+    'conditions': [
+      [ 'target_arch=="ia32"', {
+        'defines': [
+          'MP_USE_UINT_DIGIT',
+          'MP_ASSEMBLY_MULTIPLY',
+          'MP_ASSEMBLY_SQUARE',
+          'MP_ASSEMBLY_DIV_2DX1D',
+        ],
+      }],
+    ],
   },
   'variables': {
     'module': 'nss'

security/nss/coreconf/coreconf.dep

@@ -10,4 +10,3 @@
  */
 
 #error "Do not include this header file."
-

security/nss/coreconf/fuzz.sh

@@ -24,7 +24,10 @@ if [ "$fuzz_oss" = 1 ]; then
   gyp_params+=(-Dno_zdefs=1 -Dfuzz_oss=1)
 else
   enable_sanitizer asan
-  enable_ubsan
+  # Ubsan doesn't build on 32-bit at the moment. Disable it.
+  if [ "$build_64" = 1 ]; then
+    enable_ubsan
+  fi
   enable_sancov
 fi
 

security/nss/fuzz/fuzz.gyp

@@ -88,6 +88,15 @@
               '-lcrypto',
             ],
           }],
+          # For test builds we have to set MPI defines.
+          [ 'target_arch=="ia32"', {
+            'defines': [
+              'MP_USE_UINT_DIGIT',
+              'MP_ASSEMBLY_MULTIPLY',
+              'MP_ASSEMBLY_SQUARE',
+              'MP_ASSEMBLY_DIV_2DX1D',
+            ],
+          }],
         ],
       },
     },

security/nss/gtests/freebl_gtest/freebl_gtest.gyp

@@ -29,13 +29,6 @@
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/ssl/ssl.gyp:ssl',
       ],
-      'conditions': [
-        [ 'ct_verif==1', {
-          'defines': [
-            'CT_VERIF',
-          ],
-        }],
-      ],
     },
     {
       'target_name': 'prng_gtest',
@@ -62,7 +55,23 @@
   'target_defaults': {
     'include_dirs': [
       '<(DEPTH)/lib/freebl/mpi',
-    ]
+    ],
+    # For test builds we have to set MPI defines.
+    'conditions': [
+      [ 'ct_verif==1', {
+        'defines': [
+          'CT_VERIF',
+        ],
+      }],
+      [ 'target_arch=="ia32"', {
+        'defines': [
+          'MP_USE_UINT_DIGIT',
+          'MP_ASSEMBLY_MULTIPLY',
+          'MP_ASSEMBLY_SQUARE',
+          'MP_ASSEMBLY_DIV_2DX1D',
+        ],
+      }],
+    ],
   },
   'variables': {
     'module': 'nss'

security/nss/gtests/freebl_gtest/mpi_unittest.cc

@@ -53,13 +53,39 @@ class MPITest : public ::testing::Test {
     mp_clear(&a);
     mp_clear(&b);
   }
+
+  void TestDiv(const std::string a_string, const std::string b_string,
+               const std::string result) {
+    mp_int a, b, c;
+    MP_DIGITS(&a) = 0;
+    MP_DIGITS(&b) = 0;
+    MP_DIGITS(&c) = 0;
+    ASSERT_EQ(MP_OKAY, mp_init(&a));
+    ASSERT_EQ(MP_OKAY, mp_init(&b));
+    ASSERT_EQ(MP_OKAY, mp_init(&c));
+
+    mp_read_radix(&a, a_string.c_str(), 16);
+    mp_read_radix(&b, b_string.c_str(), 16);
+    mp_read_radix(&c, result.c_str(), 16);
+    EXPECT_EQ(MP_OKAY, mp_div(&a, &b, &a, &b));
+    EXPECT_EQ(0, mp_cmp(&a, &c));
+
+    mp_clear(&a);
+    mp_clear(&b);
+    mp_clear(&c);
+  }
 };
 
 TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
 TEST_F(MPITest, MpiCmp10Test) { TestCmp("1", "0", 1); }
 TEST_F(MPITest, MpiCmp00Test) { TestCmp("0", "0", 0); }
 TEST_F(MPITest, MpiCmp11Test) { TestCmp("1", "1", 0); }
+TEST_F(MPITest, MpiDiv32ErrorTest) {
+  TestDiv("FFFF00FFFFFFFF000000000000", "FFFF00FFFFFFFFFF", "FFFFFFFFFF");
+}
 
+#ifdef NSS_X64
+// This tests assumes 64-bit mp_digits.
 TEST_F(MPITest, MpiCmpUnalignedTest) {
   mp_int a, b, c;
   MP_DIGITS(&a) = 0;
@@ -90,6 +116,7 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
   mp_clear(&b);
   mp_clear(&c);
 }
+#endif
 
 // This test is slow. Disable it by default so we can run these tests on CI.
 class DISABLED_MPITest : public ::testing::Test {};

security/nss/gtests/util_gtest/util_pkcs11uri_unittest.cc

@@ -31,13 +31,17 @@ class PK11URITest : public ::testing::Test {
     size_t i;
     for (i = 0; i < num_pattrs; i++) {
       const char *value = PK11URI_GetPathAttribute(tmp.get(), pattrs[i].name);
-      ASSERT_TRUE(value);
-      ASSERT_EQ(std::string(value), std::string(pattrs[i].value));
+      EXPECT_TRUE(value);
+      if (value) {
+        EXPECT_EQ(std::string(value), std::string(pattrs[i].value));
+      }
     }
     for (i = 0; i < num_qattrs; i++) {
       const char *value = PK11URI_GetQueryAttribute(tmp.get(), qattrs[i].name);
-      ASSERT_TRUE(value);
-      ASSERT_EQ(std::string(value), std::string(qattrs[i].value));
+      EXPECT_TRUE(value);
+      if (value) {
+        EXPECT_EQ(std::string(value), std::string(qattrs[i].value));
+      }
     }
   }
 
@@ -48,8 +52,10 @@ class PK11URITest : public ::testing::Test {
         PK11URI_CreateURI(pattrs, num_pattrs, qattrs, num_qattrs));
     ASSERT_TRUE(tmp);
     char *out = PK11URI_FormatURI(nullptr, tmp.get());
-    ASSERT_TRUE(out);
-    ASSERT_EQ(std::string(out), formatted);
+    EXPECT_TRUE(out);
+    if (out) {
+      EXPECT_EQ(std::string(out), formatted);
+    }
     PORT_Free(out);
   }
 
@@ -67,13 +73,17 @@ class PK11URITest : public ::testing::Test {
     size_t i;
     for (i = 0; i < num_pattrs; i++) {
       const char *value = PK11URI_GetPathAttribute(tmp.get(), pattrs[i].name);
-      ASSERT_TRUE(value);
-      ASSERT_EQ(std::string(value), std::string(pattrs[i].value));
+      EXPECT_TRUE(value);
+      if (value) {
+        EXPECT_EQ(std::string(value), std::string(pattrs[i].value));
+      }
     }
     for (i = 0; i < num_qattrs; i++) {
       const char *value = PK11URI_GetQueryAttribute(tmp.get(), qattrs[i].name);
-      ASSERT_TRUE(value);
-      ASSERT_EQ(std::string(value), std::string(qattrs[i].value));
+      EXPECT_TRUE(value);
+      if (value) {
+        EXPECT_EQ(std::string(value), std::string(qattrs[i].value));
+      }
     }
   }
 
@@ -81,9 +91,11 @@ class PK11URITest : public ::testing::Test {
     ScopedPK11URI tmp(PK11URI_ParseURI(str.c_str()));
     ASSERT_TRUE(tmp);
     char *out = PK11URI_FormatURI(nullptr, tmp.get());
-    ASSERT_TRUE(out);
-    ASSERT_EQ(std::string(out), formatted);
-    PORT_Free(out);
+    EXPECT_TRUE(out);
+    if (out) {
+      EXPECT_EQ(std::string(out), formatted);
+      PORT_Free(out);
+    }
   }
 
  protected:

security/nss/lib/freebl/mpi/mpi.c

@@ -2859,6 +2859,9 @@ void
 s_mp_exch(mp_int *a, mp_int *b)
 {
     mp_int tmp;
+    if (!a || !b) {
+        return;
+    }
 
     tmp = *a;
     *a = *b;
@@ -4164,11 +4167,7 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
                 mp_int *quot) /* i: 0;        o: quotient  */
 {
     mp_int part, t;
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-    mp_word q_msd;
-#else
     mp_digit q_msd;
-#endif
     mp_err res;
     mp_digit d;
     mp_digit div_msd;
@@ -4213,7 +4212,7 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         MP_USED(&part) = MP_USED(div);
 
         /* We have now truncated the part of the remainder to the same length as
-     * the divisor. If part is smaller than div, extend part by one digit. */
+         * the divisor. If part is smaller than div, extend part by one digit. */
         if (s_mp_cmp(&part, div) < 0) {
             --unusedRem;
 #if MP_ARGCHK == 2
@@ -4230,18 +4229,12 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         div_msd = MP_DIGIT(div, MP_USED(div) - 1);
         if (!partExtended) {
             /* In this case, q_msd /= div_msd is always 1. First, since div_msd is
-       * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
-       * we didn't extend part, q_msd >= div_msd. Therefore we know that
-       * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
-       * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
+             * normalized to have the high bit set, 2*div_msd > MP_DIGIT_MAX. Since
+             * we didn't extend part, q_msd >= div_msd. Therefore we know that
+             * div_msd <= q_msd <= MP_DIGIT_MAX < 2*div_msd. Dividing by div_msd we
+             * get 1 <= q_msd/div_msd < 2. So q_msd /= div_msd must be 1. */
             q_msd = 1;
         } else {
-#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_DIV_WORD)
-            q_msd = (q_msd << MP_DIGIT_BIT) | MP_DIGIT(&part, MP_USED(&part) - 2);
-            q_msd /= div_msd;
-            if (q_msd == RADIX)
-                --q_msd;
-#else
             if (q_msd == div_msd) {
                 q_msd = MP_DIGIT_MAX;
             } else {
@@ -4249,7 +4242,6 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
                 MP_CHECKOK(s_mpv_div_2dx1d(q_msd, MP_DIGIT(&part, MP_USED(&part) - 2),
                                            div_msd, &q_msd, &r));
             }
-#endif
         }
 #if MP_ARGCHK == 2
         assert(q_msd > 0); /* This case should never occur any more. */
@@ -4259,15 +4251,15 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
 
         /* See what that multiplies out to                   */
         mp_copy(div, &t);
-        MP_CHECKOK(s_mp_mul_d(&t, (mp_digit)q_msd));
+        MP_CHECKOK(s_mp_mul_d(&t, q_msd));
 
         /*
-       If it's too big, back it off.  We should not have to do this
-       more than once, or, in rare cases, twice.  Knuth describes a
-       method by which this could be reduced to a maximum of once, but
-       I didn't implement that here.
-     * When using s_mpv_div_2dx1d, we may have to do this 3 times.
-     */
+           If it's too big, back it off.  We should not have to do this
+           more than once, or, in rare cases, twice.  Knuth describes a
+           method by which this could be reduced to a maximum of once, but
+           I didn't implement that here.
+           When using s_mpv_div_2dx1d, we may have to do this 3 times.
+         */
         for (i = 4; s_mp_cmp(&t, &part) > 0 && i > 0; --i) {
             --q_msd;
             MP_CHECKOK(s_mp_sub(&t, div)); /* t -= div */
@@ -4282,11 +4274,11 @@ mp_err s_mp_div(mp_int *rem,  /* i: dividend, o: remainder */
         s_mp_clamp(rem);
 
         /*
-      Include the digit in the quotient.  We allocated enough memory
-      for any quotient we could ever possibly get, so we should not
-      have to check for failures here
-     */
-        MP_DIGIT(quot, unusedRem) = (mp_digit)q_msd;
+          Include the digit in the quotient.  We allocated enough memory
+          for any quotient we could ever possibly get, so we should not
+          have to check for failures here
+         */
+        MP_DIGIT(quot, unusedRem) = q_msd;
     }
 
     /* Denormalize remainder                */

security/nss/lib/pk11wrap/pk11cert.c

@@ -765,7 +765,12 @@ find_certs_from_nickname(const char *nickname, void *wincx)
         *delimit = ':';
     } else {
         slot = PK11_GetInternalKeySlot();
-        token = nssToken_AddRef(PK11Slot_GetNSSToken(slot));
+        token = PK11Slot_GetNSSToken(slot);
+        if (token) {
+            nssToken_AddRef(token);
+        } else {
+            PORT_SetError(SEC_ERROR_NO_TOKEN);
+        }
     }
     if (token) {
         nssList *certList;

security/nss/lib/ssl/ssl3con.c

@@ -38,13 +38,6 @@
 #include "zlib.h"
 #endif
 
-#ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x, id, v, l) \
-    (x)->type = (id);              \
-    (x)->pValue = (v);             \
-    (x)->ulValueLen = (l);
-#endif
-
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
                                        PK11SlotInfo *serverKeySlot);
 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);

security/nss/lib/ssl/ssl3ecc.c

@@ -31,13 +31,6 @@
 
 #include <stdio.h>
 
-#ifndef PK11_SETATTRS
-#define PK11_SETATTRS(x, id, v, l) \
-    (x)->type = (id);              \
-    (x)->pValue = (v);             \
-    (x)->ulValueLen = (l);
-#endif
-
 SECStatus
 ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup,
                         SECKEYECParams *params)

security/nss/lib/ssl/ssl3prot.h

@@ -305,13 +305,6 @@ typedef enum {
     CLIENT_AUTH_CERTIFICATE = 1
 } ClientAuthenticationType;
 
-typedef struct {
-    ClientAuthenticationType client_auth_type;
-    union {
-        SSL3Opaque *certificate_list;
-    } identity;
-} ClientIdentity;
-
 #define SESS_TICKET_KEY_NAME_LEN 16
 #define SESS_TICKET_KEY_NAME_PREFIX "NSS!"
 #define SESS_TICKET_KEY_NAME_PREFIX_LEN 4
@@ -324,8 +317,4 @@ typedef struct {
     unsigned char *mac;
 } EncryptedSessionTicket;
 
-#define TLS_EX_SESS_TICKET_MAC_LENGTH 32
-
-#define TLS_STE_NO_SERVER_NAME -1
-
 #endif /* __ssl3proto_h_ */

security/nss/lib/ssl/sslimpl.h

@@ -992,7 +992,7 @@ typedef struct SSLWrappedSymWrappingKeyStr {
 } SSLWrappedSymWrappingKey;
 
 typedef struct SessionTicketStr {
-    PRUint16 ticket_version;
+    PRBool valid;
     SSL3ProtocolVersion ssl_version;
     ssl3CipherSuite cipher_suite;
     SSLCompressionMethod compression_method;
@@ -1010,7 +1010,7 @@ typedef struct SessionTicketStr {
     PRUint16 ms_length;
     SSL3Opaque master_secret[48];
     PRBool extendedMasterSecretUsed;
-    ClientIdentity client_identity;
+    ClientAuthenticationType client_auth_type;
     SECItem peer_cert;
     PRUint32 timestamp;
     PRUint32 flags;

security/nss/lib/ssl/sslsnce.c

@@ -1808,6 +1808,7 @@ ssl_GetSessionTicketKeys(sslSocket *ss, unsigned char *keyName,
     }
 
     if (!ssl_session_ticket_keys.encKey || !ssl_session_ticket_keys.macKey) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 

security/nss/lib/util/pkcs11uri.c

@@ -681,7 +681,7 @@ PK11URI_ParseURI(const char *string)
 
     result = pk11uri_AllocURI();
     if (result == NULL) {
-        goto fail;
+        return NULL;
     }
 
     /* Parse the path component and its attributes. */