author wolfbeast <mcwerewolf@gmail.com> 2018-08-14 07:52:35 +0200
committer wolfbeast <mcwerewolf@gmail.com> 2018-08-14 16:42:52 +0200
commit ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 (patch)
tree 5e4677e52b9a349602f04135a44b3000c8baa97b /security/nss/automation
parent f44e99950fc25d16a3cdaffe26dadf7b58a9d38c (diff)
Update NSS to 3.38
- Added HACL*Poly1305 32-bit (INRIA/Microsoft)
- Updated to final TLS 1.3 draft version (28)
- Removed TLS 1.3 prerelease draft limit check
- Removed NPN code
- Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments
- Fixed several bugs with TLS 1.3 negotiation
- Updated internal certificate store
- Added support for the TLS Record Size Limit Extension.
- Fixed CVE-2018-0495
- Various security fixes in the ASN.1 code.
Diffstat (limited to 'security/nss/automation')
-rw-r--r--  security/nss/automation/abi-check/expected-report-libnssutil3.so.txt  4
-rw-r--r--  security/nss/automation/abi-check/expected-report-libssl3.so.txt  28
-rw-r--r--  security/nss/automation/abi-check/previous-nss-release  2
-rw-r--r--  security/nss/automation/taskcluster/docker-hacl/Dockerfile  6
-rw-r--r--  security/nss/automation/taskcluster/docker-hacl/setup-user.sh  1
-rw-r--r--  security/nss/automation/taskcluster/docker-saw/Dockerfile  2
-rw-r--r--  security/nss/automation/taskcluster/docker/Dockerfile  3
-rw-r--r--  security/nss/automation/taskcluster/graph/src/extend.js  22
-rw-r--r--  security/nss/automation/taskcluster/graph/src/try_syntax.js  2
-rw-r--r--  security/nss/automation/taskcluster/scripts/gen_coverage_report.sh  12
-rw-r--r--  security/nss/automation/taskcluster/scripts/run_hacl.sh  4
-rw-r--r--  security/nss/automation/taskcluster/scripts/tools.sh  5
12 files changed, 46 insertions, 45 deletions
diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
index e69de29bb..efc7d6d67 100644
--- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
@@ -0,0 +1,4 @@
+
+1 Added function:
+
+ 'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)' {SECITEM_MakeItem@@NSSUTIL_3.38}
diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
index ad818d0aa..e69de29bb 100644
--- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt
+++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt
@@ -1,28 +0,0 @@
-
-1 function with some indirect sub-type change:
-
- [C]'function SECStatus SSL_GetChannelInfo(PRFileDesc*, SSLChannelInfo*, PRUintn)' at sslinfo.c:12:1 has some indirect sub-type changes:
- parameter 2 of type 'SSLChannelInfo*' has sub-type changes:
- in pointed to type 'typedef SSLChannelInfo' at sslt.h:318:1:
- underlying type 'struct SSLChannelInfoStr' at sslt.h:251:1 changed:
- type size hasn't changed
- 1 data member change:
- type of 'SSLSignatureScheme SSLChannelInfoStr::signatureScheme' changed:
- underlying type 'enum __anonymous_enum__' at sslt.h:115:1 changed:
- type size hasn't changed
- 3 enumerator deletions:
- '__anonymous_enum__::ssl_sig_rsa_pss_sha256' value '2052'
- '__anonymous_enum__::ssl_sig_rsa_pss_sha384' value '2053'
- '__anonymous_enum__::ssl_sig_rsa_pss_sha512' value '2054'
-
- 6 enumerator insertions:
- '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha256' value '2052'
- '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha384' value '2053'
- '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha512' value '2054'
- '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha256' value '2057'
- '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha384' value '2058'
- '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha512' value '2059'
-
-
-
-
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release
index c213ca3f8..c52061e7e 100644
--- a/security/nss/automation/abi-check/previous-nss-release
+++ b/security/nss/automation/abi-check/previous-nss-release
@@ -1 +1 @@
-NSS_3_35_BRANCH
+NSS_3_37_BRANCH
diff --git a/security/nss/automation/taskcluster/docker-hacl/Dockerfile b/security/nss/automation/taskcluster/docker-hacl/Dockerfile
index 63f9a24e2..50f2be239 100644
--- a/security/nss/automation/taskcluster/docker-hacl/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile
@@ -5,11 +5,11 @@ MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
# the original F* formula with Daniel Fabian
# Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
-ENV haclrepo https://github.com/franziskuskiefer/hacl-star.git
+ENV haclrepo https://github.com/mitls/hacl-star.git
# Define versions of dependencies
-ENV opamv 4.04.2
-ENV haclversion 668d6cf274c33bbe2e951e3a84b73f2b6442a51f
+ENV opamv 4.05.0
+ENV haclversion 1da331f9ef30e13269e45ae73bbe4a4bca679ae6
# Install required packages and set versions
ADD setup.sh /tmp/setup.sh
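Review bot: the `haclrepo` switch from franziskuskiefer/hacl-star to mitls/hacl-star is not explained in the Dockerfile or in the commit message; add a one-line comment saying why the source moved. Because `haclversion` changes in the same hunk, these lines alone do not show how the new hash relates to the old one, so note the upstream tag or date next to the pinned hash.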
diff --git a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh
index b8accaf58..e2c0b857b 100644
--- a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh
+++ b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh
@@ -16,7 +16,6 @@ git -C hacl-star checkout ${haclversion}
# This caches the extracted c code (pins the HACL* version). All we need to do
# on CI now is comparing the code in this docker image with the one in NSS.
opam config exec -- make -C hacl-star prepare -j$(nproc)
-make -C hacl-star verify-nss -j$(nproc)
make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
make -C hacl-star/code/salsa-family test -j$(nproc)
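Review bot: the comment above `opam config exec` still says that all CI has to do is compare the code in the image with the code in NSS, but with `make -C hacl-star verify-nss` removed the image build no longer runs the verification step. Update the comment to say verification now happens in CI (run_hacl.sh), so a later reader does not assume the cached snapshot was verified when the image was built.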
diff --git a/security/nss/automation/taskcluster/docker-saw/Dockerfile b/security/nss/automation/taskcluster/docker-saw/Dockerfile
index a481ba048..d67787010 100644
--- a/security/nss/automation/taskcluster/docker-saw/Dockerfile
+++ b/security/nss/automation/taskcluster/docker-saw/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:latest
+FROM ubuntu:16.04
MAINTAINER Tim Taubert <ttaubert@mozilla.com>
RUN useradd -d /home/worker -s /bin/bash -m worker
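Review bot: `FROM ubuntu:16.04` is an improvement over `latest` but is still a mutable tag, so a rebuild can pick up a different base image. For a verification image, consider pinning by digest (`ubuntu:16.04@sha256:<digest>`) and recording when the digest was last refreshed.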
diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile
index 8a2256d12..b3c2516ba 100644
--- a/security/nss/automation/taskcluster/docker/Dockerfile
+++ b/security/nss/automation/taskcluster/docker/Dockerfile
@@ -12,9 +12,6 @@ RUN chmod +x /home/worker/bin/*
ADD setup.sh /tmp/setup.sh
RUN bash /tmp/setup.sh
-# Change user.
-USER worker
-
# Env variables.
ENV HOME /home/worker
ENV SHELL /bin/bash
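Review bot: removing `USER worker` makes root the default user for everything run in this image, and nothing in this hunk replaces it. The only privilege drop left in this patch is the `exec su worker -c "$0 $*"` in scripts/tools.sh, which covers only scripts that source that file and, per its own comment, mangles arguments. Either keep `USER worker` and do the root-only work in `setup.sh`, or add a comment here naming the step that needs root.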
diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js
index ee9ac9b74..5305325c5 100644
--- a/security/nss/automation/taskcluster/graph/src/extend.js
+++ b/security/nss/automation/taskcluster/graph/src/extend.js
@@ -995,13 +995,13 @@ async function scheduleTools() {
}));
queue.scheduleTask(merge(base, {
- symbol: "scan-build-5.0",
- name: "scan-build-5.0",
- image: LINUX_IMAGE,
+ symbol: "scan-build",
+ name: "scan-build",
+ image: FUZZ_IMAGE,
env: {
USE_64: "1",
- CC: "clang-5.0",
- CCC: "clang++-5.0",
+ CC: "clang",
+ CCC: "clang++",
},
artifacts: {
public: {
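Review bot: `CC: "clang"` and `CCC: "clang++"` drop the explicit 5.0 version, so the analyzer version is now whatever FUZZ_IMAGE ships, and scan-build findings can change whenever that image is rebuilt. If that is intended, say so in a comment; otherwise keep a versioned binary name or pin the compiler version in the image.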
@@ -1092,5 +1092,17 @@ async function scheduleTools() {
]
}));
+ queue.scheduleTask(merge(base, {
+ symbol: "Coverage",
+ name: "Coverage",
+ image: FUZZ_IMAGE,
+ features: ["allowPtrace"],
+ command: [
+ "/bin/bash",
+ "-c",
+ "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_coverage_report.sh"
+ ]
+ }));
+
return queue.submit();
}
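Review bot: the new Coverage task sets `features: ["allowPtrace"]` with no comment on why the coverage run needs ptrace. The feature relaxes the task's sandbox, so document the requirement next to it, or drop it if `./mach coverage` runs without it.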
diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js
index 1c06dde13..214793bd5 100644
--- a/security/nss/automation/taskcluster/graph/src/try_syntax.js
+++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js
@@ -51,7 +51,7 @@ function parseOptions(opts) {
}
// Parse tools.
- let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi"];
+ let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi", "coverage"];
let tools = intersect(opts.tools.split(/\s*,\s*/), allTools);
// If the given value is "all" run all tools.
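Review bot: adding "coverage" to `allTools` means a tools value of "all" now schedules the coverage job too, per the comment on the line that follows. If the coverage run is slow, consider keeping it out of the "all" set and making it opt-in by name.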
diff --git a/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh b/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh
new file mode 100644
index 000000000..3907c72e8
--- /dev/null
+++ b/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+source $(dirname "$0")/tools.sh
+
+# Clone NSPR.
+hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
+
+out=/home/worker/artifacts
+mkdir -p $out
+
+# Generate coverage report.
+cd nss && ./mach coverage --outdir=$out ssl_gtests
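Review bot: `source $(dirname "$0")/tools.sh` leaves the command substitution unquoted, and `mkdir -p $out` and `--outdir=$out` leave the variable unquoted. Quote them (`source "$(dirname "$0")/tools.sh"`, `"$out"`) so the script does not break on a path containing spaces. NSPR is also cloned at `default`, so the coverage report is not tied to a fixed NSPR revision; pass a pinned revision if the numbers need to be comparable between runs.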
diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh
index 281075eef..6cbda49b4 100644
--- a/security/nss/automation/taskcluster/scripts/run_hacl.sh
+++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh
@@ -12,8 +12,8 @@ set -e -x -v
# The extracted C code from HACL* is already generated and the HACL* tests were
# successfully executed.
-# Verify Poly1305 (doesn't work in docker image build)
-make verify -C ~/hacl-star/code/poly1305 -j$(nproc)
+# Verify HACL*. Taskcluster fails when we do this in the image build.
+make -C hacl-star verify-nss -j$(nproc)
# Add license header to specs
spec_files=($(find ~/hacl-star/specs -type f -name '*.fst'))
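Review bot: the new `make -C hacl-star verify-nss` uses a path relative to the current directory, while the line it replaces and the `find ~/hacl-star/specs` just below both use `~/hacl-star`. Unless the script is guaranteed to start in the home directory, this either fails or runs against a different tree; use `make -C ~/hacl-star verify-nss` to match the rest of the file.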
diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh
index 46d567e3a..534cb32ce 100644
--- a/security/nss/automation/taskcluster/scripts/tools.sh
+++ b/security/nss/automation/taskcluster/scripts/tools.sh
@@ -3,11 +3,16 @@
set -v -e -x
if [[ $(id -u) -eq 0 ]]; then
+ # Stupid Docker. It works without sometimes... But not always.
+ echo "127.0.0.1 localhost.localdomain" >> /etc/hosts
+
# Drop privileges by re-running this script.
# Note: this mangles arguments, better to avoid running scripts as root.
exec su worker -c "$0 $*"
fi
+export PATH="${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin"
+
# Usage: hg_clone repo dir [revision=@]
hg_clone() {
repo=$1
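Review bot: the `echo "127.0.0.1 localhost.localdomain" >> /etc/hosts` in the root branch appends unconditionally every time a script that sources tools.sh starts as root, and the comment does not say which failure it works around. Guard it with a `grep -q` check against /etc/hosts and replace the comment with the actual symptom. The added `PATH` export also hard-codes `/usr/lib/go-1.6/bin`, which ties the script to one Go version in the image.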