Bug 1345368 - land NSS 848abc2061a4, r=me

--HG--
rename : security/nss/fuzz/git-copy.sh => security/nss/fuzz/config/git-copy.sh
rename : security/nss/fuzz/certDN.options => security/nss/fuzz/options/certDN.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-add.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-addmod.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-div.options
rename : security/nss/fuzz/mpi-expmod.options => security/nss/fuzz/options/mpi-expmod.options
rename : security/nss/fuzz/mpi-invmod.options => security/nss/fuzz/options/mpi-invmod.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-mod.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-mulmod.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sqr.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sqrmod.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-sub.options
rename : security/nss/fuzz/mpi-mod.options => security/nss/fuzz/options/mpi-submod.options
rename : security/nss/fuzz/quickder.options => security/nss/fuzz/options/quickder.options
rename : security/nss/fuzz/tls-client.options => security/nss/fuzz/options/tls-client-no_fuzzer_mode.options
rename : security/nss/fuzz/tls-client.options => security/nss/fuzz/options/tls-client.options
This commit is contained in:
Franziskus Kiefer 2017-03-10 06:01:18 +01:00
Родитель dcb0bf572d
Коммит 83cdc02ec0
30 изменённых файлов: 40 добавлений и 26 удалений

Просмотреть файл

@ -1 +1 @@
6fafb8fd9ff4
848abc2061a4

Просмотреть файл

@ -30,7 +30,7 @@ copy_fuzzer()
}
# Copy libFuzzer options
cp fuzz/*.options $OUT/
cp fuzz/options/*.options $OUT/
# Build the library (non-TLS fuzzing mode).
CXX="$CXX -stdlib=libc++" LDFLAGS="$CFLAGS" \

Просмотреть файл

@ -9,7 +9,7 @@ shift
fetch_dist
# Clone corpus.
./nss/fuzz/clone_corpus.sh
./nss/fuzz/config/clone_corpus.sh
# Ensure we have a corpus.
if [ ! -d "nss/fuzz/corpus/$type" ]; then

Просмотреть файл

@ -84,7 +84,7 @@ Usage(char *progName)
" where id can be a certificate nickname or email address\n"
" -S create a CMS signed data message\n"
" -G include a signing time attribute\n"
" -H hash use hash (default:SHA1)\n"
" -H hash use hash (default:SHA256)\n"
" -N nick use certificate named \"nick\" for signing\n"
" -P include a SMIMECapabilities attribute\n"
" -T do not include content in CMS message\n"
@ -1097,7 +1097,7 @@ main(int argc, char **argv)
signOptions.signingTime = PR_FALSE;
signOptions.smimeProfile = PR_FALSE;
signOptions.encryptionKeyPreferenceNick = NULL;
signOptions.hashAlgTag = SEC_OID_SHA1;
signOptions.hashAlgTag = SEC_OID_SHA256;
envelopeOptions.recipients = NULL;
encryptOptions.recipients = NULL;
encryptOptions.envmsg = NULL;

Просмотреть файл

@ -199,8 +199,8 @@ sub signentity($$)
# construct a new multipart/signed MIME entity consisting of the original content and
# the signature
#
# (we assume that cmsutil generates a SHA1 digest)
$out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha1; boundary=\"${boundary}\"\n";
# (we assume that cmsutil generates a SHA256 digest)
$out .= "Content-Type: multipart/signed; protocol=\"application/pkcs7-signature\"; micalg=sha256; boundary=\"${boundary}\"\n";
$out .= "\n"; # end of entity header
$out .= "This is a cryptographically signed message in MIME format.\n"; # explanatory comment
$out .= "\n--${boundary}\n";

Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

Просмотреть файл

@ -34,5 +34,5 @@ fi
if [ ! -f "/usr/lib/libFuzzingEngine.a" ]; then
echo "Cloning libFuzzer files ..."
run_verbose "$cwd"/fuzz/clone_libfuzzer.sh
run_verbose "$cwd"/fuzz/config/clone_libfuzzer.sh
fi

Просмотреть файл

@ -1,4 +1,4 @@
#!/bin/sh
d=$(dirname $0)
$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/corpus
$d/git-copy.sh https://github.com/mozilla/nss-fuzzing-corpus master $d/../corpus

Просмотреть файл

@ -1,13 +1,13 @@
#!/bin/sh
d=$(dirname $0)
$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/libFuzzer
$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/../libFuzzer
# [https://llvm.org/bugs/show_bug.cgi?id=31318]
# This prevents a known buffer overrun that won't be fixed as the affected code
# will go away in the near future. Until that is we have to patch it as we seem
# to constantly run into it.
cat <<EOF | patch -p0 -d $d
cat <<EOF | patch -p0 -d $d/..
diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
--- libFuzzer/FuzzerLoop.cpp
+++ libFuzzer/FuzzerLoop.cpp
@ -26,7 +26,7 @@ EOF
# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
# of fuzzers we'll just provide it ourselves.
cat <<EOF | patch -p0 -d $d
cat <<EOF | patch -p0 -d $d/..
diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
--- libFuzzer/FuzzerTracePC.cpp
+++ libFuzzer/FuzzerTracePC.cpp

Просмотреть файл

Просмотреть файл

@ -209,7 +209,7 @@ typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)
#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, attribute, haslock) \
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? (0 != (key->staticflags & SECKEY_##attribute)) : pk11_HasAttributeSet_Lock(key->pkcs11Slot, key->pkcs11ID, attribute, haslock)
/*
** A generic key structure

Просмотреть файл

@ -312,24 +312,25 @@ SEC_DerSignData(PLArenaPool *arena, SECItem *result,
if (algID == SEC_OID_UNKNOWN) {
switch (pk->keyType) {
case rsaKey:
algID = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
algID = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
break;
case dsaKey:
/* get Signature length (= q_len*2) and work from there */
switch (PK11_SignatureLen(pk)) {
case 320:
algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
break;
case 448:
algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
break;
case 512:
algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
break;
default:
algID = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
algID = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
break;
}
break;
case ecKey:
algID = SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST;
algID = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_KEY);
@ -468,13 +469,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
break;
case dsaKey:
switch (hashAlgTag) {
case SEC_OID_UNKNOWN: /* default for DSA if not specified */
case SEC_OID_SHA1:
sigTag = SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
break;
case SEC_OID_SHA224:
sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST;
break;
case SEC_OID_UNKNOWN: /* default for DSA if not specified */
case SEC_OID_SHA256:
sigTag = SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST;
break;
@ -484,13 +485,13 @@ SEC_GetSignatureAlgorithmOidTag(KeyType keyType, SECOidTag hashAlgTag)
break;
case ecKey:
switch (hashAlgTag) {
case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
case SEC_OID_SHA1:
sigTag = SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE;
break;
case SEC_OID_SHA224:
sigTag = SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE;
break;
case SEC_OID_UNKNOWN: /* default for ECDSA if not specified */
case SEC_OID_SHA256:
sigTag = SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE;
break;

Просмотреть файл

@ -156,8 +156,8 @@ PK11_ReadULongAttribute(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
* check to see if a bool has been set.
*/
CK_BBOOL
PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PRBool haslock)
pk11_HasAttributeSet_Lock(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PRBool haslock)
{
CK_BBOOL ckvalue = CK_FALSE;
CK_ATTRIBUTE theTemplate;
@ -181,6 +181,14 @@ PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
return ckvalue;
}
CK_BBOOL
PK11_HasAttributeSet(PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type, PRBool haslock)
{
PR_ASSERT(haslock == PR_FALSE);
return pk11_HasAttributeSet_Lock(slot, id, type, PR_FALSE);
}
/*
* returns a full list of attributes. Allocate space for them. If an arena is
* provided, allocate space out of the arena.

Просмотреть файл

@ -118,10 +118,10 @@ CK_OBJECT_HANDLE *PK11_FindObjectsFromNickname(char *nickname,
void *wincx);
CK_OBJECT_HANDLE PK11_MatchItem(PK11SlotInfo *slot, CK_OBJECT_HANDLE peer,
CK_OBJECT_CLASS o_class);
CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type,
PRBool haslock);
CK_BBOOL pk11_HasAttributeSet_Lock(PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type,
PRBool haslock);
CK_RV PK11_GetAttributes(PLArenaPool *arena, PK11SlotInfo *slot,
CK_OBJECT_HANDLE obj, CK_ATTRIBUTE *attr, int count);
int PK11_NumberCertsForCertSubject(CERTCertificate *cert);

Просмотреть файл

@ -686,6 +686,10 @@ CERTCertList *PK11_ListCerts(PK11CertListType type, void *pwarg);
CERTCertList *PK11_ListCertsInSlot(PK11SlotInfo *slot);
CERTSignedCrl *PK11_ImportCRL(PK11SlotInfo *slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PLArenaPool *arena, PRInt32 decodeOptions);
CK_BBOOL PK11_HasAttributeSet(PK11SlotInfo *slot,
CK_OBJECT_HANDLE id,
CK_ATTRIBUTE_TYPE type,
PRBool haslock /* must be set to PR_FALSE */);
/**********************************************************************
* Sign/Verify