Bug 1345368 - land NSS 848abc2061a4, r=me

--HG-- rename : security/nss/fuzz/git-copy.sh => security/nss/fuzz/config/git-copy.sh rename : security/nss/fuzz/certDN.options => security/nss/fuzz/options/certDN.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-add.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-addmod.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-div.options rename : security/nss/fuzz/mpi-expmod.options => security/nss/fuzz/options/mpi-expmod.options rename : security/nss/fuzz/mpi-invmod.options => security/nss/fuzz/options/mpi-invmod.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-mod.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-mulmod.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sqr.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sqrmod.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sub.options rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-submod.options rename : security/nss/fuzz/quickder.options => security/nss/fuzz/options/quickder.options rename : security/nss/fuzz/tls-client.options => security/nss/fuzz/options/tls-client-no_fuzzer_mode.options rename : security/nss/fuzz/tls-client.options => security/nss/fuzz/options/tls-client.options
2017-03-10 06:01:18 +01:00 · 2017-03-10 06:01:18 +01:00 · 83cdc02ec0
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-6fafb8fd9ff4
+848abc2061a4
--- a/security/nss/automation/ossfuzz/build.sh
+++ b/security/nss/automation/ossfuzz/build.sh
@ -30,7 +30,7 @@ copy_fuzzer()
 }

 # Copy libFuzzer options
-cp fuzz/*.options $OUT/
+cp fuzz/options/*.options $OUT/

 # Build the library (non-TLS fuzzing mode).
 CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \
--- a/security/nss/automation/taskcluster/scripts/fuzz.sh
+++ b/security/nss/automation/taskcluster/scripts/fuzz.sh
@ -9,7 +9,7 @@ shift
 fetch_dist

 # Clone corpus.
-./nss/fuzz/clone_corpus.sh
+./nss/fuzz/config/clone_corpus.sh

 # Ensure we have a corpus.
 if [ ! -d "nss/fuzz/corpus/$type" ]; then
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@ -84,7 +84,7 @@ Usage(char *progName)
            "               where id can be a certificate nickname or email address\n"
            " -S            create a CMS signed data message\n"
            "  -G           include a signing time attribute\n"
-            "  -H hash      use hash (default:SHA1)\n"
+            "  -H hash      use hash (default:SHA256)\n"
            "  -N nick      use certificate named \"nick\" for signing\n"
            "  -P           include a SMIMECapabilities attribute\n"
            "  -T           do not include content in CMS message\n"
@ -1097,7 +1097,7 @@ main(int argc, char **argv)
    signOptions.signingTime = PR_FALSE;
    signOptions.smimeProfile = PR_FALSE;
    signOptions.encryptionKeyPreferenceNick = NULL;
-    signOptions.hashAlgTag = SEC_OID_SHA1;
+    signOptions.hashAlgTag = SEC_OID_SHA256;
    envelopeOptions.recipients = NULL;
    encryptOptions.recipients = NULL;
    encryptOptions.envmsg = NULL;
--- a/security/nss/cmd/smimetools/smime
+++ b/security/nss/cmd/smimetools/smime
@ -199,8 +199,8 @@ sub signentity($$)
    # construct a new multipart/signed MIME entity consisting of the original content and
    # the signature
    #
-    # (we assume that cmsutil generates a SHA1 digest)
-    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
+    # (we assume that cmsutil generates a SHA256 digest)
+    $out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
    $out .= "\n";		# end of entity header
    $out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
    $out .= "\n--${boundary}\n";
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@ -10,3 +10,4 @@
 */

 #error "Do not include this header file."
+
--- a/security/nss/coreconf/fuzz.sh
+++ b/security/nss/coreconf/fuzz.sh
@ -34,5 +34,5 @@ fi

 if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
  echo "Cloning libFuzzer files ..."
-  run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
+  run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh
 fi
--- a/security/nss/fuzz/config/clone_corpus.sh
+++ b/security/nss/fuzz/config/clone_corpus.sh
@ -1,4 +1,4 @@
 #!/bin/sh

 d=$(dirname $0)
-$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/corpus
+$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/../corpus
--- a/security/nss/fuzz/config/clone_libfuzzer.sh
+++ b/security/nss/fuzz/config/clone_libfuzzer.sh
@ -1,13 +1,13 @@
 #!/bin/sh

 d=$(dirname $0)
-$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/libFuzzer
+$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/../libFuzzer

 # [https://llvm.org/bugs/show_bug.cgi?id=31318]
 # This prevents a known buffer overrun that won't be fixed as the affected code
 # will go away in the near future. Until that is we have to patch it as we seem
 # to constantly run into it.
-cat <<EOF | patch -p0 -d $d
+cat <<EOF | patch -p0 -d $d/..
 diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
 --- libFuzzer/FuzzerLoop.cpp
 +++ libFuzzer/FuzzerLoop.cpp
@ -26,7 +26,7 @@ EOF
 # Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
 # with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
 # of fuzzers we'll just provide it ourselves.
-cat <<EOF | patch -p0 -d $d
+cat <<EOF | patch -p0 -d $d/..
 diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
 --- libFuzzer/FuzzerTracePC.cpp
 +++ libFuzzer/FuzzerTracePC.cpp
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
--- a/security/nss/fuzz/options/certDN.options
+++ b/security/nss/fuzz/options/certDN.options
--- a/security/nss/fuzz/options/mpi-add.options
+++ b/security/nss/fuzz/options/mpi-add.options
--- a/security/nss/fuzz/options/mpi-addmod.options
+++ b/security/nss/fuzz/options/mpi-addmod.options
--- a/security/nss/fuzz/options/mpi-div.options
+++ b/security/nss/fuzz/options/mpi-div.options
--- a/security/nss/fuzz/options/mpi-expmod.options
+++ b/security/nss/fuzz/options/mpi-expmod.options
--- a/security/nss/fuzz/options/mpi-invmod.options
+++ b/security/nss/fuzz/options/mpi-invmod.options
--- a/security/nss/fuzz/options/mpi-mod.options
+++ b/security/nss/fuzz/options/mpi-mod.options
--- a/security/nss/fuzz/options/mpi-mulmod.options
+++ b/security/nss/fuzz/options/mpi-mulmod.options
--- a/security/nss/fuzz/options/mpi-sqr.options
+++ b/security/nss/fuzz/options/mpi-sqr.options
--- a/security/nss/fuzz/options/mpi-sqrmod.options
+++ b/security/nss/fuzz/options/mpi-sqrmod.options
--- a/security/nss/fuzz/options/mpi-sub.options
+++ b/security/nss/fuzz/options/mpi-sub.options
--- a/security/nss/fuzz/options/mpi-submod.options
+++ b/security/nss/fuzz/options/mpi-submod.options
--- a/security/nss/fuzz/options/quickder.options
+++ b/security/nss/fuzz/options/quickder.options
--- a/security/nss/fuzz/options/tls-client-no_fuzzer_mode.options
+++ b/security/nss/fuzz/options/tls-client-no_fuzzer_mode.options
--- a/security/nss/fuzz/options/tls-client.options
+++ b/security/nss/fuzz/options/tls-client.options
--- a/security/nss/lib/cryptohi/keythi.h
+++ b/security/nss/lib/cryptohi/keythi.h
@ -209,7 +209,7 @@ typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)

 #define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
-    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
+    (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)

 /*
 ** A generic key structure
--- a/security/nss/lib/cryptohi/secsign.c
+++ b/security/nss/lib/cryptohi/secsign.c
@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
    if (algID == SEC_OID_UNKNOWN) {
        switch (pk->keyType) {
            case rsaKey:
-                algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+                algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
                break;
            case dsaKey:
                /* get Signature length (= q_len*2) and work from there */
                switch (PK11_SignatureLen(pk)) {
+                    case 320:
+                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                        break;
                    case 448:
                        algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                        break;
                    case 512:
-                        algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
-                        break;
                    default:
-                        algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
+                        algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                        break;
                }
                break;
            case ecKey:
-                algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
+                algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                break;
            default:
                PORT_SetError(SEC_ERROR_INVALID_KEY);
@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
            break;
        case dsaKey:
            switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                case SEC_OID_SHA1:
                    sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
                    break;
                case SEC_OID_SHA224:
                    sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
                    break;
+                case SEC_OID_UNKNOWN: /* default for DSA if not specified */
                case SEC_OID_SHA256:
                    sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
                    break;
@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
            break;
        case ecKey:
            switch (hashAlgTag) {
-                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                case SEC_OID_SHA1:
                    sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
                    break;
                case SEC_OID_SHA224:
                    sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
                    break;
+                case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
                case SEC_OID_SHA256:
                    sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
                    break;
--- a/security/nss/lib/pk11wrap/pk11obj.c
+++ b/security/nss/lib/pk11wrap/pk11obj.c
@ -156,8 +156,8 @@ PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
 * check to see if a bool has been set.
 */
 CK_BBOOL
-PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
-                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
+pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+                          CK_ATTRIBUTE_TYPE type, PRBool haslock)
 {
    CK_BBOOL ckvalue = CK_FALSE;
    CK_ATTRIBUTE theTemplate;
@ -181,6 +181,14 @@ PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
    return ckvalue;
 }

+CK_BBOOL
+PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
+                     CK_ATTRIBUTE_TYPE type, PRBool haslock)
+{
+    PR_ASSERT(haslock == PR_FALSE);
+    return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE);
+}
+
 /*
 * returns a full list of attributes. Allocate space for them. If an arena is
 * provided, allocate space out of the arena.
--- a/security/nss/lib/pk11wrap/pk11priv.h
+++ b/security/nss/lib/pk11wrap/pk11priv.h
@ -118,10 +118,10 @@ CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
                                               void *wincx);
 CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
                                CK_OBJECT_CLASS o_class);
-CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
-                              CK_OBJECT_HANDLE id,
-                              CK_ATTRIBUTE_TYPE type,
-                              PRBool haslock);
+CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot,
+                                   CK_OBJECT_HANDLE id,
+                                   CK_ATTRIBUTE_TYPE type,
+                                   PRBool haslock);
 CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
                         CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
 int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@ -686,6 +686,10 @@ CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
 CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
 CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
                              int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
+CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
+                              CK_OBJECT_HANDLE id,
+                              CK_ATTRIBUTE_TYPE type,
+                              PRBool haslock /* must be set to PR_FALSE */);

 /**********************************************************************
 *                   Sign/Verify