diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 6e3967d4f57f..519bc2c84140 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -b1eac8c86e99 \ No newline at end of file +8f41147c2192 \ No newline at end of file diff --git a/security/nss/cmd/manifest.mn b/security/nss/cmd/manifest.mn index 695177c9dccf..bb5319a0f56e 100644 --- a/security/nss/cmd/manifest.mn +++ b/security/nss/cmd/manifest.mn @@ -65,6 +65,7 @@ NSS_SRCDIRS = \ pwdecrypt \ rsaperf \ rsapoptst \ + sdbthreadtst \ sdrtest \ selfserv \ signtool \ diff --git a/security/nss/cmd/sdbthreadtst/Makefile b/security/nss/cmd/sdbthreadtst/Makefile new file mode 100644 index 000000000000..d7c879aec286 --- /dev/null +++ b/security/nss/cmd/sdbthreadtst/Makefile @@ -0,0 +1,48 @@ +#! gmake +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/security/nss/cmd/sdbthreadtst/manifest.mn b/security/nss/cmd/sdbthreadtst/manifest.mn new file mode 100644 index 000000000000..cf9766003182 --- /dev/null +++ b/security/nss/cmd/sdbthreadtst/manifest.mn @@ -0,0 +1,22 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +CORE_DEPTH = ../.. + +DEFINES += -DNSPR20 + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = \ + sdbthreadtst.c \ + $(NULL) + +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. + +PROGRAM = sdbthreadtst + +# USE_STATIC_LIBS = 1 diff --git a/security/nss/cmd/sdbthreadtst/sdbthreadtst.c b/security/nss/cmd/sdbthreadtst/sdbthreadtst.c new file mode 100644 index 000000000000..32f839c9af70 --- /dev/null +++ b/security/nss/cmd/sdbthreadtst/sdbthreadtst.c @@ -0,0 +1,213 @@ +#if defined(XP_UNIX) +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include + +#define MAX_THREAD_COUNT 100 + +/* globals */ +int THREAD_COUNT = 30; +int FAILED = 0; +int ERROR = 0; +int LOOP_COUNT = 100; +int KEY_SIZE = 3072; +int STACK_SIZE = 0; +int VERBOSE = 0; +char *NSSDIR = "."; +PRBool ISTOKEN = PR_TRUE; +CK_MECHANISM_TYPE MECHANISM = CKM_RSA_PKCS_KEY_PAIR_GEN; + +void +usage(char *prog, char *error) +{ + if (error) { + fprintf(stderr, "Bad Arguments: %s", error); + } + fprintf(stderr, "usage: %s [-l loop_count] [-t thread_count] " + "[-k key_size] [-s stack_size] [-d nss_dir] [-e] [-v] [-h]\n", + prog); + fprintf(stderr, " loop_count -- " + "number of keys to generate on each thread (default=%d)\n", + LOOP_COUNT); + fprintf(stderr, " thread_count -- " + "number of of concurrent threads to run (def=%d,max=%d)\n", + THREAD_COUNT, MAX_THREAD_COUNT); + fprintf(stderr, " key_size -- " + "rsa key size in bits (default=%d)\n", + KEY_SIZE); + fprintf(stderr, " stack_size -- " + "thread stack size in bytes, 0=optimal (default=%d)\n", + STACK_SIZE); + fprintf(stderr, " nss_dir -- " + "location of the nss directory (default=%s)\n", + NSSDIR); + fprintf(stderr, " -e use session keys rather than token keys\n"); + fprintf(stderr, " -v verbose, print progress indicators\n"); + fprintf(stderr, " -h print this message\n"); + exit(2); +} + +void +create_key_loop(void *arg) +{ + int i; + PK11SlotInfo *slot = PK11_GetInternalKeySlot(); + PK11RSAGenParams param; + int threadnumber = *(int *)arg; + int failures = 0; + int progress = 5; + PRIntervalTime epoch = PR_IntervalNow(); + param.keySizeInBits = KEY_SIZE; + param.pe = 0x10001L; + printf(" - thread %d starting\n", threadnumber); + progress = 30 / THREAD_COUNT; + if (progress < 2) + progress = 2; + for (i = 0; i < LOOP_COUNT; i++) { + SECKEYPrivateKey *privKey; + SECKEYPublicKey *pubKey; + privKey = PK11_GenerateKeyPair(slot, MECHANISM, ¶m, &pubKey, + ISTOKEN, PR_TRUE, NULL); + if (privKey == NULL) { + fprintf(stderr, + "keypair gen in thread %d failed %s\n", threadnumber, + PORT_ErrorToString(PORT_GetError())); + FAILED++; + failures++; + } + if (VERBOSE && (i % progress) == 0) { + PRIntervalTime current = PR_IntervalNow(); + PRIntervalTime interval = current - epoch; + int seconds = (interval / PR_TicksPerSecond()); + int mseconds = ((interval * 1000) / PR_TicksPerSecond()) - (seconds * 1000); + epoch = current; + printf(" - thread %d @ %d iterations %d.%03d sec\n", threadnumber, + i, seconds, mseconds); + } + if (ISTOKEN && privKey) { + SECKEY_DestroyPublicKey(pubKey); + SECKEY_DestroyPrivateKey(privKey); + } + } + PK11_FreeSlot(slot); + printf(" * thread %d ending with %d failures\n", threadnumber, failures); + return; +} + +int +main(int argc, char **argv) +{ + PRThread *thread[MAX_THREAD_COUNT]; + int threadnumber[MAX_THREAD_COUNT]; + int i; + PRStatus status; + SECStatus rv; + char *prog = *argv++; + char buf[2048]; + char *arg; + + while ((arg = *argv++) != NULL) { + if (*arg == '-') { + switch (arg[1]) { + case 'l': + if (*argv == NULL) + usage(prog, "missing loop count"); + LOOP_COUNT = atoi(*argv++); + break; + case 'k': + if (*argv == NULL) + usage(prog, "missing key size"); + KEY_SIZE = atoi(*argv++); + break; + case 's': + if (*argv == NULL) + usage(prog, "missing stack size"); + STACK_SIZE = atoi(*argv++); + break; + case 't': + if (*argv == NULL) + usage(prog, "missing thread count"); + THREAD_COUNT = atoi(*argv++); + if (THREAD_COUNT > MAX_THREAD_COUNT) { + usage(prog, "max thread count exceeded"); + } + break; + case 'v': + VERBOSE = 1; + break; + case 'd': + if (*argv == NULL) + usage(prog, "missing directory"); + NSSDIR = *argv++; + break; + case 'e': + ISTOKEN = PR_FALSE; + break; + case 'h': + usage(prog, NULL); + break; + default: + sprintf(buf, "unknown option %c", arg[1]); + usage(prog, buf); + } + } else { + sprintf(buf, "unknown argument %s", arg); + usage(prog, buf); + } + } + /* initialize NSS */ + rv = NSS_InitReadWrite(NSSDIR); + if (rv != SECSuccess) { + fprintf(stderr, + "NSS_InitReadWrite(%s) failed(%s)\n", NSSDIR, + PORT_ErrorToString(PORT_GetError())); + exit(2); + } + + /* need to initialize the database here if it's not already */ + + printf("creating %d threads\n", THREAD_COUNT); + for (i = 0; i < THREAD_COUNT; i++) { + threadnumber[i] = i; + thread[i] = PR_CreateThread(PR_USER_THREAD, create_key_loop, + &threadnumber[i], PR_PRIORITY_NORMAL, + PR_GLOBAL_THREAD, + PR_JOINABLE_THREAD, STACK_SIZE); + if (thread[i] == NULL) { + ERROR++; + fprintf(stderr, + "PR_CreateThread failed iteration %d, %s\n", i, + PORT_ErrorToString(PORT_GetError())); + } + } + printf("waiting on %d threads\n", THREAD_COUNT); + for (i = 0; i < THREAD_COUNT; i++) { + if (thread[i] == NULL) { + continue; + } + status = PR_JoinThread(thread[i]); + if (status != PR_SUCCESS) { + ERROR++; + fprintf(stderr, + "PR_CreateThread filed iteration %d, %s]n", i, + PORT_ErrorToString(PORT_GetError())); + } + } + printf("%d failures and %d errors found\n", FAILED, ERROR); + /* clean up */ + NSS_Shutdown(); + if (FAILED) { + exit(1); + } + if (ERROR) { + exit(2); + } + exit(0); +} diff --git a/security/nss/cmd/sdbthreadtst/sdbthreadtst.gyp b/security/nss/cmd/sdbthreadtst/sdbthreadtst.gyp new file mode 100644 index 000000000000..e801b16ac17c --- /dev/null +++ b/security/nss/cmd/sdbthreadtst/sdbthreadtst.gyp @@ -0,0 +1,29 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi', + '../../cmd/platlibs.gypi' + ], + 'targets': [ + { + 'target_name': 'sdbthreadtst', + 'type': 'executable', + 'sources': [ + 'sdbthreadtst.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports' + ] + } + ], + 'target_defaults': { + 'defines': [ + 'NSPR20' + ] + }, + 'variables': { + 'module': 'nss' + } +} diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/doc/rst/index.rst b/security/nss/doc/rst/index.rst index 486a99446491..a4eba24ddfa4 100644 --- a/security/nss/doc/rst/index.rst +++ b/security/nss/doc/rst/index.rst @@ -12,6 +12,10 @@ Network Security Services introduction_to_network_security_services/index.rst More documentation + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It currently is very deprecated and likely incorrect or broken in many places. + `Documentation <#documentation>`__ ---------------------------------- diff --git a/security/nss/gtests/softoken_gtest/softoken_dh_vectors.h b/security/nss/gtests/softoken_gtest/softoken_dh_vectors.h index f2e4514cf219..306aded47007 100644 --- a/security/nss/gtests/softoken_gtest/softoken_dh_vectors.h +++ b/security/nss/gtests/softoken_gtest/softoken_dh_vectors.h @@ -2872,7 +2872,7 @@ static const DhTestVector DH_TEST_VECTORS[] = { {siBuffer, (unsigned char *)g2, sizeof(g2)}, {siBuffer, NULL, 0}, {siBuffer, NULL, 0}, - IKE_APPROVED, + SAFE_PRIME, CLASS_1536}, {"IKE 2048", {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)}, @@ -2952,7 +2952,7 @@ static const DhTestVector DH_TEST_VECTORS[] = { {siBuffer, (unsigned char *)sub2_prime_ike_1536, sizeof(sub2_prime_ike_1536)}, {siBuffer, NULL, 0}, - IKE_APPROVED, + SAFE_PRIME, CLASS_1536}, {"IKE 2048 with subprime", {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)}, diff --git a/security/nss/lib/pk11wrap/pk11cxt.c b/security/nss/lib/pk11wrap/pk11cxt.c index d94d6fc6802d..0f170c352bcb 100644 --- a/security/nss/lib/pk11wrap/pk11cxt.c +++ b/security/nss/lib/pk11wrap/pk11cxt.c @@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, * of the connection.*/ context->fortezzaHack = PR_FALSE; if (type == CKM_SKIPJACK_CBC64) { - if (symKey->origin == PK11_OriginFortezzaHack) { + if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) { context->fortezzaHack = PR_TRUE; } } diff --git a/security/nss/lib/pk11wrap/pk11hpke.c b/security/nss/lib/pk11wrap/pk11hpke.c index d867e1b6a02f..7c4bfc3cdc23 100644 --- a/security/nss/lib/pk11wrap/pk11hpke.c +++ b/security/nss/lib/pk11wrap/pk11hpke.c @@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SECItem *aad, const SECItem *pt, unsigned char tagBuf[HASH_LENGTH_MAX]; size_t tagLen; unsigned int fixedBits; - PORT_Assert(cx->baseNonce->len == sizeof(ivOut)); - PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len); /* aad may be NULL, PT may be zero-length but not NULL. */ if (!cx || !cx->aeadContext || @@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SECItem *aad, const SECItem *pt, return SECFailure; } + PORT_Assert(cx->baseNonce->len == sizeof(ivOut)); + PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len); + tagLen = cx->aeadParams->tagLen; maxOut = pt->len + tagLen; fixedBits = (cx->baseNonce->len - 8) * 8; diff --git a/security/nss/lib/softoken/kbkdf.c b/security/nss/lib/softoken/kbkdf.c index b4544c4320d1..57cce7017802 100644 --- a/security/nss/lib/softoken/kbkdf.c +++ b/security/nss/lib/softoken/kbkdf.c @@ -613,6 +613,10 @@ kbkdf_CreateKey(CK_MECHANISM_TYPE kdf_mech, CK_SESSION_HANDLE hSession, CK_DERIV PR_ASSERT(derived_key != NULL); PR_ASSERT(derived_key->phKey != NULL); + if (slot == NULL) { + return CKR_SESSION_HANDLE_INVALID; + } + /* Create the new key object for this additional derived key. */ key = sftk_NewObject(slot); if (key == NULL) { @@ -678,7 +682,9 @@ done: sftk_FreeObject(key); /* Doesn't do anything. */ - sftk_FreeSession(session); + if (session) { + sftk_FreeSession(session); + } return ret; } diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index c3216b3fdd16..201a0c7281fd 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -5193,7 +5193,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot, /* subprime not supplied, In this case look it up. * This only works with approved primes, but in FIPS mode * that's the only kine of prime that will get here */ - subPrimePtr = sftk_VerifyDH_Prime(&prime); + subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS); if (subPrimePtr == NULL) { crv = CKR_GENERAL_ERROR; goto done; @@ -8351,7 +8351,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession, /* if the prime is an approved prime, we can skip all the other * checks. */ - subPrime = sftk_VerifyDH_Prime(&dhPrime); + subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS); if (subPrime == NULL) { SECItem dhSubPrime; /* If the caller set the subprime value, it means that diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index aa212f09efc9..032e85fee2f1 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -946,7 +946,7 @@ char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args); /* dh verify functions */ /* verify that dhPrime matches one of our known primes, and if so return * it's subprime value */ -const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime); +const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS); /* check if dhSubPrime claims dhPrime is a safe prime. */ SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); /* map an operation Attribute to a Mechanism flag */ diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c index 43d4ba9d5ebc..f37aab92f7e5 100644 --- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -2312,7 +2312,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech, if (crv != CKR_OK) { return PR_FALSE; } - dhSubPrime = sftk_VerifyDH_Prime(&dhPrime); + dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE); SECITEM_ZfreeItem(&dhPrime, PR_FALSE); return (dhSubPrime) ? PR_TRUE : PR_FALSE; } diff --git a/security/nss/lib/softoken/sdb.c b/security/nss/lib/softoken/sdb.c index 50625ab947c9..548cf4253761 100644 --- a/security/nss/lib/softoken/sdb.c +++ b/security/nss/lib/softoken/sdb.c @@ -82,12 +82,12 @@ typedef enum { * total wait time for automatic operations: * 1 second (SDB_SQLITE_BUSY_TIMEOUT/1000). * total wait time for manual operations: - * (1 second + 5 seconds) * 10 = 60 seconds. + * (1 second + SDB_BUSY_RETRY_TIME) * 30 = 30 seconds. * (SDB_SQLITE_BUSY_TIMEOUT/1000 + SDB_BUSY_RETRY_TIME)*SDB_MAX_BUSY_RETRIES */ #define SDB_SQLITE_BUSY_TIMEOUT 1000 /* milliseconds */ -#define SDB_BUSY_RETRY_TIME 5 /* seconds */ -#define SDB_MAX_BUSY_RETRIES 10 +#define SDB_BUSY_RETRY_TIME 5 /* 'ticks', varies by platforms */ +#define SDB_MAX_BUSY_RETRIES 30 /* * known attributes @@ -690,6 +690,11 @@ sdb_openDB(const char *name, sqlite3 **sqlDB, int flags) openFlags = SQLITE_OPEN_READONLY; } else { openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE; + /* sqlite 3.34 seem to incorrectly open readwrite. + * when the file is readonly. Explicitly reject that issue here */ + if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) { + return SQLITE_READONLY; + } } /* Requires SQLite 3.5.0 or newer. */ @@ -1001,6 +1006,7 @@ sdb_GetValidAttributeValueNoLock(SDB *sdb, CK_OBJECT_HANDLE object_id, found = 1; } } while (!sdb_done(sqlerr, &retry)); + sqlite3_reset(stmt); sqlite3_finalize(stmt); stmt = NULL; @@ -1524,6 +1530,8 @@ sdb_Begin(SDB *sdb) if (sqlerr == SQLITE_BUSY) { PR_Sleep(SDB_BUSY_RETRY_TIME); } + /* don't retry BEGIN transaction*/ + retry = 0; } while (!sdb_done(sqlerr, &retry)); if (stmt) { @@ -2261,6 +2269,7 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, } } } while (!sdb_done(sqlerr, &retry)); + if (sqlerr != SQLITE_DONE) { goto loser; } diff --git a/security/nss/lib/softoken/sftkdb.c b/security/nss/lib/softoken/sftkdb.c index cfa056396320..7c1001be8fb6 100644 --- a/security/nss/lib/softoken/sftkdb.c +++ b/security/nss/lib/softoken/sftkdb.c @@ -1526,7 +1526,7 @@ sftkdb_DestroyObject(SFTKDBHandle *handle, CK_OBJECT_HANDLE objectID, crv = (*db->sdb_Begin)(db); if (crv != CKR_OK) { - goto loser; + return crv; } crv = (*db->sdb_DestroyObject)(db, objectID); if (crv != CKR_OK) { @@ -2461,7 +2461,7 @@ sftkdb_Update(SFTKDBHandle *handle, SECItem *key) */ crv = (*handle->db->sdb_Begin)(handle->db); if (crv != CKR_OK) { - goto loser; + return crv; } inTransaction = PR_TRUE; diff --git a/security/nss/lib/softoken/sftkdhverify.c b/security/nss/lib/softoken/sftkdhverify.c index d85fba94fecd..6ac5e852ac50 100644 --- a/security/nss/lib/softoken/sftkdhverify.c +++ b/security/nss/lib/softoken/sftkdhverify.c @@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192 = * verify that dhPrime matches one of our known primes */ const SECItem * -sftk_VerifyDH_Prime(SECItem *dhPrime) +sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) { /* use the length to decide which primes to check */ switch (dhPrime->len) { case 1536 / PR_BITS_PER_BYTE: + /* don't accept 1536 bit primes in FIPS mode */ + if (isFIPS) { + break; + } if (PORT_Memcmp(dhPrime->data, prime_ike_1536, sizeof(prime_ike_1536)) == 0) { return &subprime_ike_1536; diff --git a/security/nss/lib/softoken/sftkhmac.c b/security/nss/lib/softoken/sftkhmac.c index 1b38b06f9a2a..bec2df79f167 100644 --- a/security/nss/lib/softoken/sftkhmac.c +++ b/security/nss/lib/softoken/sftkhmac.c @@ -234,7 +234,9 @@ sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHANISM_TYPE mech, SFTKObject *key) keyval->attrib.ulValueLen, isFIPS); done: - sftk_FreeAttribute(keyval); + if (keyval) { + sftk_FreeAttribute(keyval); + } return ret; } diff --git a/security/nss/lib/softoken/sftkike.c b/security/nss/lib/softoken/sftkike.c index 2183add69a45..6756040b6419 100644 --- a/security/nss/lib/softoken/sftkike.c +++ b/security/nss/lib/softoken/sftkike.c @@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void) (outKeySize != sizeof(ike_known_sha256_prf_plus)) || (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus, sizeof(ike_known_sha256_prf_plus)) != 0)) { - PORT_ZFree(outKeyData, outKeySize); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); return SECFailure; } diff --git a/security/nss/nss.gyp b/security/nss/nss.gyp index 5d8d63658045..1fb1883896b6 100644 --- a/security/nss/nss.gyp +++ b/security/nss/nss.gyp @@ -189,6 +189,7 @@ 'cmd/pp/pp.gyp:pp', 'cmd/rsaperf/rsaperf.gyp:rsaperf', 'cmd/rsapoptst/rsapoptst.gyp:rsapoptst', + 'cmd/sdbthreadtst/sdbthreadtst.gyp:sdbthreadtst', 'cmd/sdrtest/sdrtest.gyp:sdrtest', 'cmd/selfserv/selfserv.gyp:selfserv', 'cmd/shlibsign/mangle/mangle.gyp:mangle', diff --git a/security/nss/tests/common/init.sh b/security/nss/tests/common/init.sh index 658023d83409..8c10bdd2a801 100644 --- a/security/nss/tests/common/init.sh +++ b/security/nss/tests/common/init.sh @@ -253,6 +253,72 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then HTML_UNKNOWN='Unknown' TABLE_ARGS= + gtest_parse_report_helper() + { + # Check XML reports for normal test runs and failures. + local successes=$(gtest_parse_report_xpath "//testcase[@status='run'][count(*)=0]" "$@" ) + local failures=$(gtest_parse_report_xpath "//failure/.." "$@" ) + + # Print all tests that succeeded. + while read result name; do + html_passed_ignore_core "$name" + done <<< "$successes" + + # Print failing tests. + if [ -n "$failures" ]; then + printf "\nFAILURES:\n=========\n" + + while read result name; do + html_failed_ignore_core "$name" + done <<< "$failures" + + printf "\n" + fi + } + + # This legacy report parser can't actually detect failures. It always relied + # on the binary's exit code. Print the tests we ran to keep the old behavior. + gtest_parse_report_legacy() + { + while read result name && [ -n "$name" ]; do + if [ "$result" = "notrun" ]; then + echo "$name" SKIPPED + elif [ "$result" = "run" ]; then + html_passed_ignore_core "$name" + else + html_failed_ignore_core "$name" + fi + done <<< "$(sed -f "${COMMON}/parsegtestreport.sed" "$@" )" + # here's how we would use bash if it wasn't so slow + # done <<< "$(sh "${COMMON}/parsegtestreport.sh" "$@" )" + } + + gtest_parse_report_xpath() + { + # Query the XML report with the given XPath pattern. + xpath="$1" + shift + xmllint --xpath "${xpath}" "$@" 2>/dev/null | \ + # Insert newlines to help sed. + sed $'s//dev/null; then + echo "DEBUG: Using xmllint to parse GTest XML report(s)" + gtest_parse_report_helper "$@" + else + echo "DEBUG: Falling back to legacy XML report parsing using only sed" + gtest_parse_report_legacy "$@" + fi + } + + #directory name init SCRIPTNAME=init.sh diff --git a/security/nss/tests/common/parsegtestreport.sed b/security/nss/tests/common/parsegtestreport.sed index 11bd1d6af9f0..4b6226248c4b 100644 --- a/security/nss/tests/common/parsegtestreport.sed +++ b/security/nss/tests/common/parsegtestreport.sed @@ -1,8 +1,12 @@ /\ +# which value is selected from the label , which is specified +# as the 2nd parameter. The line to parse is the first parameter. +getvalue() +{ + pattern1='*'${2}'="' + pattern2='"*' + front=${1#${pattern1}} + if [[ "${front}" != "${1}" ]]; then + val=${front%%${pattern2}} + # as we output the result, restore any quotes that may have + # been in the original test names. + echo ${val//"/\"} + fi +} + +parse() +{ + while read line + do + if [[ "${line}" =~ "
" + html "
" cd ${QADIR} chmod a+rw $RONLY_DIR . common/cleanup.sh @@ -78,21 +79,21 @@ dbtest_main() { cd ${HOSTDIR} - + Echo "test opening the database read/write in a nonexisting directory" ${BINDIR}/certutil -L -X -d ./non_existent_dir ret=$? if [ $ret -ne 255 ]; then html_failed "Certutil succeeded in a nonexisting directory $ret" else - html_passed "Certutil didn't work in a nonexisting dir $ret" + html_passed "Certutil didn't work in a nonexisting dir $ret" fi ${BINDIR}/dbtest -r -d ./non_existent_dir ret=$? if [ $ret -ne 46 ]; then html_failed "Dbtest readonly succeeded in a nonexisting directory $ret" else - html_passed "Dbtest readonly didn't work in a nonexisting dir $ret" + html_passed "Dbtest readonly didn't work in a nonexisting dir $ret" fi Echo "test force opening the database in a nonexisting directory" @@ -106,7 +107,7 @@ dbtest_main() Echo "test opening the database readonly in an empty directory" mkdir $EMPTY_DIR - ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR + ${BINDIR}/tstclnt -h ${HOST} -d $EMPTY_DIR ret=$? if [ $ret -ne 1 ]; then html_failed "Tstclnt succeded in an empty directory $ret" @@ -118,7 +119,7 @@ dbtest_main() if [ $ret -ne 46 ]; then html_failed "Dbtest readonly succeeded in an empty directory $ret" else - html_passed "Dbtest readonly didn't work in an empty dir $ret" + html_passed "Dbtest readonly didn't work in an empty dir $ret" fi rm -rf $EMPTY_DIR/* 2>/dev/null ${BINDIR}/dbtest -i -d $EMPTY_DIR @@ -126,7 +127,7 @@ dbtest_main() if [ $ret -ne 0 ]; then html_failed "Dbtest logout after empty DB Init loses key $ret" else - html_passed "Dbtest logout after empty DB Init has key" + html_passed "Dbtest logout after empty DB Init has key" fi rm -rf $EMPTY_DIR/* 2>/dev/null ${BINDIR}/dbtest -i -p pass -d $EMPTY_DIR @@ -134,12 +135,12 @@ dbtest_main() if [ $ret -ne 0 ]; then html_failed "Dbtest password DB Init loses needlogin state $ret" else - html_passed "Dbtest password DB Init maintains needlogin state" + html_passed "Dbtest password DB Init maintains needlogin state" fi rm -rf $EMPTY_DIR/* 2>/dev/null ${BINDIR}/certutil -D -n xxxx -d $EMPTY_DIR #created DB ret=$? - if [ $ret -ne 255 ]; then + if [ $ret -ne 255 ]; then html_failed "Certutil succeeded in deleting a cert in an empty directory $ret" else html_passed "Certutil didn't work in an empty dir $ret" @@ -176,7 +177,7 @@ dbtest_main() if [ $ret -ne 46 ]; then html_failed "Dbtest r/w succeeded in a readonly directory $ret" else - html_passed "Dbtest r/w didn't work in an readonly dir $ret" + html_passed "Dbtest r/w didn't work in an readonly dir $ret" fi else html_passed "Skipping Dbtest r/w in a readonly dir because user is root" @@ -190,9 +191,9 @@ dbtest_main() html_passed "Certutil didn't work in an readonly dir $ret" fi else - html_passed "Skipping Certutil delete cert in a readonly directory test because user is root" + html_passed "Skipping Certutil delete cert in a readonly directory test because user is root" fi - + Echo "test opening the database ronly in a readonly directory" ${BINDIR}/dbtest -d $RONLY_DIR -r @@ -200,7 +201,7 @@ dbtest_main() if [ $ret -ne 0 ]; then html_failed "Dbtest readonly failed in a readonly directory $ret" else - html_passed "Dbtest readonly succeeded in a readonly dir $ret" + html_passed "Dbtest readonly succeeded in a readonly dir $ret" fi Echo "test force opening the database r/w in a readonly directory" @@ -223,7 +224,7 @@ dbtest_main() ret=$? if [ $ret -ne 0 ]; then html_failed "Nicknane conflict test failed, couldn't create database $ret" - else + else ${BINDIR}/certutil -A -n alice -t ,, -i ${R_ALICEDIR}/Alice.cert -d ${CONFLICT_DIR} ret=$? if [ $ret -ne 0 ]; then @@ -252,7 +253,7 @@ dbtest_main() else html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected" fi - # import a token private key and make sure the corresponding public key is + # import a token private key and make sure the corresponding public key is # created ${BINDIR}/pk11importtest -d ${CONFLICT_DIR} -f ${R_PWFILE} ret=$? @@ -261,10 +262,34 @@ dbtest_main() else html_passed "Importing Token Private Key correctly creates the corrresponding Public Key" fi + + + if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then + LOOPS=${NSS_SDB_THREAD_LOOPS-7} + THREADS=${NSS_SDB_THREAD_THREADS-30} + mkdir -p ${THREAD_DIR} + Echo "testing for thread starvation while creating keys" + ${BINDIR}/certutil -N -d ${THREAD_DIR} --empty-password + ${BINDIR}/sdbthreadtst -l ${LOOPS} -t ${THREADS} -d ${THREAD_DIR} + ret=$? + case "$ret" in + "0") + html_passed "Successfully completed ${LOOPS} loops in ${THREADS} threads without failure." + ;; + "2") + html_failed "sdbthreadtst failed for some environment reason (like lack of memory)" + ;; + "1") + html_failed "sdbthreadtst failed do to starvation using ${LOOPS} loops and ${THREADS} threads." + ;; + *) + html_failed "sdbthreadtst failed with an unrecognized error code." + esac + fi } ################## main ################################################# -dbtest_init +dbtest_init dbtest_main 2>&1 dbtest_cleanup diff --git a/security/nss/tests/gtests/gtests.sh b/security/nss/tests/gtests/gtests.sh index 4005a16a6aa4..8c6047736dc4 100755 --- a/security/nss/tests/gtests/gtests.sh +++ b/security/nss/tests/gtests/gtests.sh @@ -86,18 +86,8 @@ gtest_start() fi echo "test output dir: ${GTESTREPORT}" - echo "executing sed to parse the xml report" - sed -f "${COMMON}/parsegtestreport.sed" "$GTESTREPORT" > "$PARSED_REPORT" echo "processing the parsed report" - cat "$PARSED_REPORT" | while read result name; do - if [ "$result" = "notrun" ]; then - echo "$name" SKIPPED - elif [ "$result" = "run" ]; then - html_passed_ignore_core "$name" - else - html_failed_ignore_core "$name" - fi - done + gtest_parse_report ${GTESTREPORT} popd done } diff --git a/security/nss/tests/ssl_gtests/ssl_gtests.sh b/security/nss/tests/ssl_gtests/ssl_gtests.sh index 1783ef43665d..d2e8c7a4f38d 100755 --- a/security/nss/tests/ssl_gtests/ssl_gtests.sh +++ b/security/nss/tests/ssl_gtests/ssl_gtests.sh @@ -133,13 +133,7 @@ ssl_gtest_start() html_msg $? 0 "ssl_gtests ran successfully" # Parse XML report(s). - if type xmllint &>/dev/null; then - echo "DEBUG: Using xmllint to parse GTest XML report(s)" - parse_report - else - echo "DEBUG: Falling back to legacy XML report parsing using only sed" - parse_report_legacy - fi + gtest_parse_report "${SSLGTESTREPORT}".* } # Helper function used when 'parallel' isn't available. @@ -148,50 +142,6 @@ parallel_fallback() eval "${@//\{\}/0}" } -parse_report() -{ - # Check XML reports for normal test runs and failures. - local successes=$(parse_report_xpath "//testcase[@status='run'][count(*)=0]") - local failures=$(parse_report_xpath "//failure/..") - - # Print all tests that succeeded. - while read result name; do - html_passed_ignore_core "$name" - done <<< "$successes" - - # Print failing tests. - if [ -n "$failures" ]; then - printf "\nFAILURES:\n=========\n" - - while read result name; do - html_failed_ignore_core "$name" - done <<< "$failures" - - printf "\n" - fi -} - -parse_report_xpath() -{ - # Query the XML report with the given XPath pattern. - xmllint --xpath "$1" "${SSLGTESTREPORT}".* 2>/dev/null | \ - # Insert newlines to help sed. - sed $'s/