diff options
Diffstat (limited to 'security/nss/automation')
25 files changed, 282 insertions, 1048 deletions
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index e69de29bb..36059f505 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -0,0 +1,8 @@ + +4 Added functions: + + [A] 'function SECStatus CERT_AddCertToListHeadWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListHeadWithData@@NSS_3.59} + [A] 'function SECStatus CERT_AddCertToListTailWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListTailWithData@@NSS_3.59} + [A] 'function PK11SymKey* PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey*, CK_MECHANISM_TYPE, SECItem*, SECItem*, CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE, int)' {PK11_PubUnwrapSymKeyWithMechanism@@NSS_3.59} + [A] 'function SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey*, CK_MECHANISM_TYPE, SECItem*, PK11SymKey*, SECItem*)' {PK11_PubWrapSymKeyWithMechanism@@NSS_3.59} + diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index e69de29bb..92961214f 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -0,0 +1,6 @@ + +2 Added functions: + + [A] 'function PRBool NSS_IsPolicyLocked()' {NSS_IsPolicyLocked@@NSSUTIL_3.59} + [A] 'function void NSS_LockPolicy()' {NSS_LockPolicy@@NSSUTIL_3.59} + diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt index bf902d170..e69de29bb 100644 --- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -1,13 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:113:1 has some indirect sub-type changes: - parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes: - in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:424:1: - underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:373:1 changed: - type size changed from 192 to 288 (in bits) - 3 data member insertions: - 'PRBool SSLPreliminaryChannelInfoStr::peerDelegCred', at offset 192 (in bits) at sslt.h:418:1 - 'PRUint32 SSLPreliminaryChannelInfoStr::authKeyBits', at offset 224 (in bits) at sslt.h:419:1 - 'SSLSignatureScheme SSLPreliminaryChannelInfoStr::signatureScheme', at offset 256 (in bits) at sslt.h:420:1 - diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index 29989e5f3..a37de0565 100644 --- a/security/nss/automation/abi-check/previous-nss-release +++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_47_BRANCH +NSS_3_58_BRANCH diff --git a/security/nss/automation/buildbot-slave/bbenv-example.sh b/security/nss/automation/buildbot-slave/bbenv-example.sh deleted file mode 100644 index c76e5d6ab..000000000 --- a/security/nss/automation/buildbot-slave/bbenv-example.sh +++ /dev/null @@ -1,67 +0,0 @@ -#! /bin/bash - -# Each buildbot-slave requires a bbenv.sh file that defines -# machine specific variables. This is an example file. - - -HOST=$(hostname | cut -d. -f1) -export HOST - -# if your machine's IP isn't registered in DNS, -# you must set appropriate environment variables -# that can be resolved locally. -# For example, if localhost.localdomain works on your system, set: -#HOST=localhost -#DOMSUF=localdomain -#export DOMSUF - -ARCH=$(uname -s) - -ulimit -c unlimited 2> /dev/null - -export NSPR_LOG_MODULES="pkix:1" - -#export JAVA_HOME_32= -#export JAVA_HOME_64= - -#enable if you have PKITS data -#export PKITS_DATA=$HOME/pkits/data/ - -NSS_BUILD_TARGET="clean nss_build_all" -JSS_BUILD_TARGET="clean all" - -MAKE=gmake -AWK=awk -PATCH=patch - -if [ "${ARCH}" = "SunOS" ]; then - AWK=nawk - PATCH=gpatch - ARCH=SunOS/$(uname -p) -fi - -if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then - VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release` - ARCH=Linux/${VERSION} - echo ${ARCH} -fi - -PROCESSOR=$(uname -p) -if [ "${PROCESSOR}" = "ppc64" ]; then - ARCH="${ARCH}/ppc64" -fi -if [ "${PROCESSOR}" = "powerpc" ]; then - ARCH="${ARCH}/ppc" -fi - -PORT_64_DBG=8543 -PORT_64_OPT=8544 -PORT_32_DBG=8545 -PORT_32_OPT=8546 - -if [ "${NSS_TESTS}" = "memleak" ]; then - PORT_64_DBG=8547 - PORT_64_OPT=8548 - PORT_32_DBG=8549 - PORT_32_OPT=8550 -fi diff --git a/security/nss/automation/buildbot-slave/build.sh b/security/nss/automation/buildbot-slave/build.sh deleted file mode 100755 index 00e749672..000000000 --- a/security/nss/automation/buildbot-slave/build.sh +++ /dev/null @@ -1,548 +0,0 @@ -#! /bin/bash - -# Ensure a failure of the first command inside a pipe -# won't be hidden by commands later in the pipe. -# (e.g. as in ./dosomething | grep) - -set -o pipefail - -proc_args() -{ - while [ -n "$1" ]; do - OPT=$(echo $1 | cut -d= -f1) - VAL=$(echo $1 | cut -d= -f2) - - case $OPT in - "--build-nss") - BUILD_NSS=1 - ;; - "--test-nss") - TEST_NSS=1 - ;; - "--check-abi") - CHECK_ABI=1 - ;; - "--build-jss") - BUILD_JSS=1 - ;; - "--test-jss") - TEST_JSS=1 - ;; - "--memtest") - NSS_TESTS="memleak" - export NSS_TESTS - ;; - "--nojsssign") - NO_JSS_SIGN=1 - ;; - *) - echo "Usage: $0 ..." - echo " --memtest - run the memory leak tests" - echo " --nojsssign - try to sign jss" - echo " --build-nss" - echo " --build-jss" - echo " --test-nss" - echo " --test-jss" - echo " --check-abi" - exit 1 - ;; - esac - - shift - done -} - -set_env() -{ - TOPDIR=$(pwd) - HGDIR=$(pwd)$(echo "/hg") - OUTPUTDIR=$(pwd)$(echo "/output") - LOG_ALL="${OUTPUTDIR}/all.log" - LOG_TMP="${OUTPUTDIR}/tmp.log" - - echo "hello" |grep --line-buffered hello >/dev/null 2>&1 - [ $? -eq 0 ] && GREP_BUFFER="--line-buffered" -} - -print_log() -{ - DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]") - echo "${DATE} $*" - echo "${DATE} $*" >> ${LOG_ALL} -} - -print_result() -{ - TESTNAME=$1 - RET=$2 - EXP=$3 - - if [ ${RET} -eq ${EXP} ]; then - print_log "${TESTNAME} PASSED" - else - print_log "${TESTNAME} FAILED" - fi -} - -print_env() -{ - print_log "######## Environment variables ########" - - uname -a | tee -a ${LOG_ALL} - if [ -e "/etc/redhat-release" ]; then - cat "/etc/redhat-release" | tee -a ${LOG_ALL} - fi - # don't print the MAIL command, it might contain a password - env | grep -v "^MAIL=" | tee -a ${LOG_ALL} -} - -set_cycle() -{ - BITS=$1 - OPT=$2 - - if [ "${BITS}" = "64" ]; then - USE_64=1 - JAVA_HOME=${JAVA_HOME_64} - PORT_DBG=${PORT_64_DBG} - PORT_OPT=${PORT_64_OPT} - else - USE_64= - JAVA_HOME=${JAVA_HOME_32} - PORT_DBG=${PORT_32_DBG} - PORT_OPT=${PORT_32_OPT} - fi - export USE_64 - export JAVA_HOME - - BUILD_OPT= - if [ "${OPT}" = "OPT" ]; then - BUILD_OPT=1 - XPCLASS=xpclass.jar - PORT=${PORT_OPT} - else - BUILD_OPT= - XPCLASS=xpclass_dbg.jar - PORT=${PORT_DBG} - fi - export BUILD_OPT - - PORT_JSS_SERVER=$(expr ${PORT} + 20) - PORT_JSSE_SERVER=$(expr ${PORT} + 40) - - export PORT - export PORT_JSS_SERVER - export PORT_JSSE_SERVER -} - -build_nss() -{ - print_log "######## NSS - build - ${BITS} bits - ${OPT} ########" - - print_log "$ cd ${HGDIR}/nss" - cd ${HGDIR}/nss - - print_log "$ ${MAKE} ${NSS_BUILD_TARGET}" - #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}" - ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} - RET=$? - print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0 - - if [ ${RET} -eq 0 ]; then - return 0 - else - tail -100 ${LOG_ALL} - return ${RET} - fi -} - -build_jss() -{ - print_log "######## JSS - build - ${BITS} bits - ${OPT} ########" - - print_log "$ cd ${HGDIR}/jss" - cd ${HGDIR}/jss - - print_log "$ ${MAKE} ${JSS_BUILD_TARGET}" - #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}" - ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} - RET=$? - print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0 - [ ${RET} -eq 0 ] || return ${RET} - - print_log "$ cd ${HGDIR}/dist" - cd ${HGDIR}/dist - - if [ -z "${NO_JSS_SIGN}" ]; then - print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa" - cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1 - RET=$? - print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0 - [ ${RET} -eq 0 ] || return ${RET} - fi - print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}" - ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1 - RET=$? - print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0 - [ ${RET} -eq 0 ] || return ${RET} - - return 0 -} - -test_nss() -{ - print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########" - - if [ "${OS_TARGET}" = "Android" ]; then - print_log "$ cd ${HGDIR}/nss/tests/remote" - cd ${HGDIR}/nss/tests/remote - print_log "$ make test_android" - make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #" - OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log - else - print_log "$ cd ${HGDIR}/nss/tests" - cd ${HGDIR}/nss/tests - print_log "$ ./all.sh" - ./all.sh 2>&1 | tee ${LOG_TMP} | egrep ${GREP_BUFFER} ": #|^\[.{10}\] " - OUTPUTFILE=${LOG_TMP} - fi - - cat ${LOG_TMP} >> ${LOG_ALL} - tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL} - RET=$? - - print_log "######## details of detected failures (if any) ########" - grep -B50 -w FAILED ${OUTPUTFILE} - [ $? -eq 1 ] || RET=1 - - print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0 - return ${RET} -} - -check_abi() -{ - print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########" - print_log "######## creating temporary HG clones ########" - - rm -rf ${HGDIR}/baseline - mkdir ${HGDIR}/baseline - BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release` - hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss" - if [ $? -ne 0 ]; then - echo "invalid tag in automation/abi-check/previous-nss-release" - return 1 - fi - - BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH - hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr" - if [ $? -ne 0 ]; then - echo "nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt" - # Assume that version hasn't been released yet, fall back to trunk - pushd "${HGDIR}/baseline/nspr" - hg update default - popd - fi - - print_log "######## building baseline NSPR/NSS ########" - pushd ${HGDIR}/baseline/nss - - print_log "$ ${MAKE} ${NSS_BUILD_TARGET}" - ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} - RET=$? - print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0 - if [ ${RET} -ne 0 ]; then - tail -100 ${LOG_ALL} - return ${RET} - fi - popd - - ABI_PROBLEM_FOUND=0 - ABI_REPORT=${OUTPUTDIR}/abi-diff.txt - rm -f ${ABI_REPORT} - PREVDIST=${HGDIR}/baseline/dist - NEWDIST=${HGDIR}/dist - ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" - for SO in ${ALL_SOs}; do - if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then - touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt - fi - abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \ - $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \ - > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt - RET=$? - cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \ - | grep -v "^Functions changes summary:" \ - | grep -v "^Variables changes summary:" \ - > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt - rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt - ABIDIFF_ERROR=$((($RET & 0x01) != 0)) - ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0)) - ABIDIFF_ABI_CHANGE=$((($RET & 0x04) != 0)) - ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$((($RET & 0x08) != 0)) - ABIDIFF_UNKNOWN_BIT_SET=$((($RET & 0xf0) != 0)) - - # If abidiff reports an error, or a usage error, or if it sets a result - # bit value this script doesn't know yet about, we'll report failure. - # For ABI changes, we don't yet report an error. We'll compare the - # result report with our whitelist. This allows us to silence changes - # that we're already aware of and have been declared acceptable. - - REPORT_RET_AS_FAILURE=0 - if [ $ABIDIFF_ERROR -ne 0 ]; then - print_log "abidiff reported ABIDIFF_ERROR." - REPORT_RET_AS_FAILURE=1 - fi - if [ $ABIDIFF_USAGE_ERROR -ne 0 ]; then - print_log "abidiff reported ABIDIFF_USAGE_ERROR." - REPORT_RET_AS_FAILURE=1 - fi - if [ $ABIDIFF_UNKNOWN_BIT_SET -ne 0 ]; then - print_log "abidiff reported ABIDIFF_UNKNOWN_BIT_SET." - REPORT_RET_AS_FAILURE=1 - fi - - if [ $ABIDIFF_ABI_CHANGE -ne 0 ]; then - print_log "Ignoring abidiff result ABI_CHANGE, instead we'll check for non-whitelisted differences." - fi - if [ $ABIDIFF_ABI_INCOMPATIBLE_CHANGE -ne 0 ]; then - print_log "Ignoring abidiff result ABIDIFF_ABI_INCOMPATIBLE_CHANGE, instead we'll check for non-whitelisted differences." - fi - - if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then - ABI_PROBLEM_FOUND=1 - print_log "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" - fi - if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then - ABI_PROBLEM_FOUND=1 - print_log "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt" - fi - - diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \ - ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} - if [ ! -f ${ABI_REPORT} ]; then - ABI_PROBLEM_FOUND=1 - print_log "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" - fi - done - - if [ -s ${ABI_REPORT} ]; then - print_log "FAILED: there are new unexpected ABI changes" - cat ${ABI_REPORT} - return 1 - elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then - print_log "FAILED: failure executing the ABI checks" - cat ${ABI_REPORT} - return 1 - fi - - return 0 -} - -test_jss() -{ - print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########" - - print_log "$ cd ${HGDIR}/jss" - cd ${HGDIR}/jss - - print_log "$ ${MAKE} platform" - PLATFORM=$(${MAKE} platform) - print_log "PLATFORM=${PLATFORM}" - - print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests" - cd ${HGDIR}/jss/org/mozilla/jss/tests - - print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}" - perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP} - cat ${LOG_TMP} >> ${LOG_ALL} - - tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null - RET=$? - - grep FAIL ${LOG_TMP} - [ $? -eq 1 ] || RET=1 - - print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0 - return ${RET} -} - -create_objdir_dist_link() -{ - # compute relevant 'dist' OBJDIR_NAME subdirectory names for JSS and NSS - OS_TARGET=`uname -s` - OS_RELEASE=`uname -r | sed 's/-.*//' | sed 's/-.*//' | cut -d . -f1,2` - CPU_TAG=_`uname -m` - # OBJDIR_NAME_COMPILER appears to be defined for NSS but not JSS - OBJDIR_NAME_COMPILER=_cc - LIBC_TAG=_glibc - IMPL_STRATEGY=_PTH - if [ "${RUN_BITS}" = "64" ]; then - OBJDIR_TAG=_${RUN_BITS}_${RUN_OPT}.OBJ - else - OBJDIR_TAG=_${RUN_OPT}.OBJ - fi - - # define NSS_OBJDIR_NAME - NSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}${OBJDIR_NAME_COMPILER} - NSS_OBJDIR_NAME=${NSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG} - print_log "create_objdir_dist_link(): NSS_OBJDIR_NAME='${NSS_OBJDIR_NAME}'" - - # define JSS_OBJDIR_NAME - JSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG} - JSS_OBJDIR_NAME=${JSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG} - print_log "create_objdir_dist_link(): JSS_OBJDIR_NAME='${JSS_OBJDIR_NAME}'" - - if [ -e "${HGDIR}/dist/${NSS_OBJDIR_NAME}" ]; then - SOURCE=${HGDIR}/dist/${NSS_OBJDIR_NAME} - TARGET=${HGDIR}/dist/${JSS_OBJDIR_NAME} - ln -s ${SOURCE} ${TARGET} >/dev/null 2>&1 - fi -} - -build_and_test() -{ - if [ -n "${BUILD_NSS}" ]; then - build_nss - [ $? -eq 0 ] || return 1 - fi - - if [ -n "${TEST_NSS}" ]; then - test_nss - [ $? -eq 0 ] || return 1 - fi - - if [ -n "${CHECK_ABI}" ]; then - check_abi - [ $? -eq 0 ] || return 1 - fi - - if [ -n "${BUILD_JSS}" ]; then - create_objdir_dist_link - build_jss - [ $? -eq 0 ] || return 1 - fi - - if [ -n "${TEST_JSS}" ]; then - test_jss - [ $? -eq 0 ] || return 1 - fi - - return 0 -} - -run_cycle() -{ - print_env - build_and_test - RET=$? - - grep ^TinderboxPrint ${LOG_ALL} - - return ${RET} -} - -prepare() -{ - rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1 - mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1 - mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1 - mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1 - mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1 - mkdir -p ${OUTPUTDIR} - - # Remove temporary test files from previous jobs, that weren't cleaned up - # by move_results(), e.g. caused by unexpected interruptions. - rm -rf ${HGDIR}/tests_results/ - - cd ${HGDIR}/nss - - if [ -n "${FEWER_STRESS_ITERATIONS}" ]; then - sed -i 's/-c_1000_/-c_500_/g' tests/ssl/sslstress.txt - fi - - return 0 -} - -move_results() -{ - cd ${HGDIR} - if [ -n "${TEST_NSS}" ]; then - mv -f tests_results ${OUTPUTDIR} - fi - tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist - rm -rf dist -} - -run_all() -{ - set_cycle ${BITS} ${OPT} - prepare - run_cycle - RESULT=$? - print_log "### result of run_cycle is ${RESULT}" - move_results - return ${RESULT} -} - -main() -{ - VALID=0 - RET=1 - FAIL=0 - - for BITS in 32 64; do - echo ${RUN_BITS} | grep ${BITS} > /dev/null - [ $? -eq 0 ] || continue - for OPT in DBG OPT; do - echo ${RUN_OPT} | grep ${OPT} > /dev/null - [ $? -eq 0 ] || continue - - VALID=1 - set_env - run_all - RET=$? - print_log "### result of run_all is ${RET}" - if [ ${RET} -ne 0 ]; then - FAIL=${RET} - fi - done - done - - if [ ${VALID} -ne 1 ]; then - echo "Need to set valid bits/opt values." - return 1 - fi - - return ${FAIL} -} - -#function killallsub() -#{ -# FINAL_RET=$? -# for proc in `jobs -p` -# do -# kill -9 $proc -# done -# return ${FINAL_RET} -#} -#trap killallsub EXIT - -#IS_RUNNING_FILE="./build-is-running" - -#if [ -a $IS_RUNNING_FILE ]; then -# echo "exiting, because old job is still running" -# exit 1 -#fi - -#touch $IS_RUNNING_FILE - -echo "tinderbox args: $0 $@" -. ${ENVVARS} -proc_args "$@" -main - -RET=$? -print_log "### result of main is ${RET}" - -#rm $IS_RUNNING_FILE -exit ${RET} diff --git a/security/nss/automation/buildbot-slave/reboot.bat b/security/nss/automation/buildbot-slave/reboot.bat deleted file mode 100644 index c6a5c7b43..000000000 --- a/security/nss/automation/buildbot-slave/reboot.bat +++ /dev/null @@ -1,6 +0,0 @@ -IF EXIST ..\buildbot-is-building ( - del ..\buildbot-is-building - shutdown /r /t 0 - - timeout /t 120 -) diff --git a/security/nss/automation/buildbot-slave/startbuild.bat b/security/nss/automation/buildbot-slave/startbuild.bat deleted file mode 100644 index ba06834f1..000000000 --- a/security/nss/automation/buildbot-slave/startbuild.bat +++ /dev/null @@ -1,14 +0,0 @@ -echo running > ..\buildbot-is-building - -echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*" -"%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*" - -if %errorlevel% neq 0 ( - set EXITCODE=1 -) else ( - set EXITCODE=0 -) - -del ..\buildbot-is-building - -exit /b %EXITCODE% diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt index c37e9097c..c9ab0b03f 100644 --- a/security/nss/automation/release/nspr-version.txt +++ b/security/nss/automation/release/nspr-version.txt @@ -1,4 +1,4 @@ -4.24 +4.29 # The first line of this file must contain the human readable NSPR # version number, which is the minimum required version of NSPR diff --git a/security/nss/automation/release/nss-release-helper.py b/security/nss/automation/release/nss-release-helper.py index 31ea41966..8cc0a725e 100644 --- a/security/nss/automation/release/nss-release-helper.py +++ b/security/nss/automation/release/nss-release-helper.py @@ -5,9 +5,9 @@ import os import sys -import datetime import shutil -import glob +import re +import tempfile from optparse import OptionParser from subprocess import check_call from subprocess import check_output @@ -32,136 +32,203 @@ abi_report_files = ['automation/abi-check/expected-report-libfreebl3.so.txt', 'automation/abi-check/expected-report-libsoftokn3.so.txt', 'automation/abi-check/expected-report-libssl3.so.txt'] + def check_call_noisy(cmd, *args, **kwargs): - print "Executing command:", cmd + print("Executing command: {}".format(cmd)) check_call(cmd, *args, **kwargs) -o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | print_root_ca_version | set_root_ca_version | set_version_to_minor_release | set_version_to_patch_release | set_release_candidate_number | set_4_digit_release_number | create_nss_release_archive") - -try: - options, args = o.parse_args() - action = args[0] -except IndexError: - o.print_help() - sys.exit(2) def exit_with_failure(what): - print "failure: ", what + print("failure: {}".format(what)) sys.exit(2) + def check_files_exist(): if (not os.path.exists(nssutil_h) or not os.path.exists(softkver_h) - or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)): + or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)): exit_with_failure("cannot find expected header files, must run from inside NSS hg directory") -def sed_inplace(sed_expression, filename): - backup_file = filename + '.tmp' - check_call_noisy(["sed", "-i.tmp", sed_expression, filename]) - os.remove(backup_file) + +class Replacement(): + def __init__(self, regex="", repl=""): + self.regex = regex + self.repl = repl + self.matcher = re.compile(self.regex) + + def replace(self, line): + return self.matcher.sub(self.repl, line) + + +def inplace_replace(replacements=[], filename=""): + for r in replacements: + if not isinstance(r, Replacement): + raise TypeError("Expecting a list of Replacement objects") + + with tempfile.NamedTemporaryFile(mode="w", delete=False) as tmp_file: + with open(filename) as in_file: + for line in in_file: + for r in replacements: + line = r.replace(line) + tmp_file.write(line) + + shutil.copystat(filename, tmp_file.name) + shutil.move(tmp_file.name, filename) + def toggle_beta_status(is_beta): check_files_exist() if (is_beta): - print "adding Beta status to version numbers" - sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', nssutil_h) - sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *$/\\1 \" Beta"/', softkver_h) - sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_FALSE *$/\\1PR_TRUE/', softkver_h) - sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *$/\\1 \" Beta"/', nss_h) - sed_inplace('s/^\(#define *NSS_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nss_h) + print("adding Beta status to version numbers") + inplace_replace(filename=nssutil_h, replacements=[ + Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+)\" *$', + repl=r'\g<1> Beta"'), + Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_FALSE *$', + repl=r'\g<1>PR_TRUE')]) + inplace_replace(filename=softkver_h, replacements=[ + Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *$', + repl=r'\g<1> " Beta"'), + Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_FALSE *$', + repl=r'\g<1>PR_TRUE')]) + inplace_replace(filename=nss_h, replacements=[ + Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *$', + repl=r'\g<1> " Beta"'), + Replacement(regex=r'^(#define *NSS_BETA *)PR_FALSE *$', + repl=r'\g<1>PR_TRUE')]) else: - print "removing Beta status from version numbers" - sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', nssutil_h) - sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *\" *Beta\" *$/\\1/', softkver_h) - sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_TRUE *$/\\1PR_FALSE/', softkver_h) - sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *\" *Beta\" *$/\\1/', nss_h) - sed_inplace('s/^\(#define *NSS_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nss_h) - print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly" + print("removing Beta status from version numbers") + inplace_replace(filename=nssutil_h, replacements=[ + Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+) *Beta\" *$', + repl=r'\g<1>"'), + Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_TRUE *$', + repl=r'\g<1>PR_FALSE')]) + inplace_replace(filename=softkver_h, replacements=[ + Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *\" *Beta\" *$', + repl=r'\g<1>'), + Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_TRUE *$', + repl=r'\g<1>PR_FALSE')]) + inplace_replace(filename=nss_h, replacements=[ + Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *\" *Beta\" *$', + repl=r'\g<1>'), + Replacement(regex=r'^(#define *NSS_BETA *)PR_TRUE *$', + repl=r'\g<1>PR_FALSE')]) + + print("please run 'hg stat' and 'hg diff' to verify the files have been verified correctly") + def print_beta_versions(): check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define *NSSUTIL_BETA", nssutil_h]) check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define *SOFTOKEN_BETA", softkver_h]) check_call_noisy(["egrep", "#define *NSS_VERSION|#define *NSS_BETA", nss_h]) + def remove_beta_status(): - print "--- removing beta flags. Existing versions were:" + print("--- removing beta flags. Existing versions were:") print_beta_versions() toggle_beta_status(False) - print "--- finished modifications, new versions are:" + print("--- finished modifications, new versions are:") print_beta_versions() + def set_beta_status(): - print "--- adding beta flags. Existing versions were:" + print("--- adding beta flags. Existing versions were:") print_beta_versions() toggle_beta_status(True) - print "--- finished modifications, new versions are:" + print("--- finished modifications, new versions are:") print_beta_versions() + def print_library_versions(): check_files_exist() check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define NSSUTIL_VMAJOR|#define *NSSUTIL_VMINOR|#define *NSSUTIL_VPATCH|#define *NSSUTIL_VBUILD|#define *NSSUTIL_BETA", nssutil_h]) check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define SOFTOKEN_VMAJOR|#define *SOFTOKEN_VMINOR|#define *SOFTOKEN_VPATCH|#define *SOFTOKEN_VBUILD|#define *SOFTOKEN_BETA", softkver_h]) check_call_noisy(["egrep", "#define *NSS_VERSION|#define NSS_VMAJOR|#define *NSS_VMINOR|#define *NSS_VPATCH|#define *NSS_VBUILD|#define *NSS_BETA", nss_h]) + def print_root_ca_version(): check_files_exist() check_call_noisy(["grep", "define *NSS_BUILTINS_LIBRARY_VERSION", nssckbi_h]) def ensure_arguments_after_action(how_many, usage): - if (len(sys.argv) != (2+how_many)): + if (len(sys.argv) != (2 + how_many)): exit_with_failure("incorrect number of arguments, expected parameters are:\n" + usage) + def set_major_versions(major): - sed_inplace('s/^\(#define *NSSUTIL_VMAJOR *\).*$/\\1' + major + '/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VMAJOR *\).*$/\\1' + major + '/', softkver_h) - sed_inplace('s/^\(#define *NSS_VMAJOR *\).*$/\\1' + major + '/', nss_h) + for name, file in [["NSSUTIL_VMAJOR", nssutil_h], + ["SOFTOKEN_VMAJOR", softkver_h], + ["NSS_VMAJOR", nss_h]]: + inplace_replace(filename=file, replacements=[ + Replacement(regex=r'^(#define *{} ?).*$'.format(name), + repl=r'\g<1>{}'.format(major))]) + def set_minor_versions(minor): - sed_inplace('s/^\(#define *NSSUTIL_VMINOR *\).*$/\\1' + minor + '/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VMINOR *\).*$/\\1' + minor + '/', softkver_h) - sed_inplace('s/^\(#define *NSS_VMINOR *\).*$/\\1' + minor + '/', nss_h) + for name, file in [["NSSUTIL_VMINOR", nssutil_h], + ["SOFTOKEN_VMINOR", softkver_h], + ["NSS_VMINOR", nss_h]]: + inplace_replace(filename=file, replacements=[ + Replacement(regex=r'^(#define *{} ?).*$'.format(name), + repl=r'\g<1>{}'.format(minor))]) + def set_patch_versions(patch): - sed_inplace('s/^\(#define *NSSUTIL_VPATCH *\).*$/\\1' + patch + '/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VPATCH *\).*$/\\1' + patch + '/', softkver_h) - sed_inplace('s/^\(#define *NSS_VPATCH *\).*$/\\1' + patch + '/', nss_h) + for name, file in [["NSSUTIL_VPATCH", nssutil_h], + ["SOFTOKEN_VPATCH", softkver_h], + ["NSS_VPATCH", nss_h]]: + inplace_replace(filename=file, replacements=[ + Replacement(regex=r'^(#define *{} ?).*$'.format(name), + repl=r'\g<1>{}'.format(patch))]) + def set_build_versions(build): - sed_inplace('s/^\(#define *NSSUTIL_VBUILD *\).*$/\\1' + build + '/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VBUILD *\).*$/\\1' + build + '/', softkver_h) - sed_inplace('s/^\(#define *NSS_VBUILD *\).*$/\\1' + build + '/', nss_h) + for name, file in [["NSSUTIL_VBUILD", nssutil_h], + ["SOFTOKEN_VBUILD", softkver_h], + ["NSS_VBUILD", nss_h]]: + inplace_replace(filename=file, replacements=[ + Replacement(regex=r'^(#define *{} ?).*$'.format(name), + repl=r'\g<1>{}'.format(build))]) + def set_full_lib_versions(version): - sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nssutil_h) - sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', softkver_h) - sed_inplace('s/^\(#define *NSS_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nss_h) + for name, file in [["NSSUTIL_VERSION", nssutil_h], + ["SOFTOKEN_VERSION", softkver_h], + ["NSS_VERSION", nss_h]]: + inplace_replace(filename=file, replacements=[ + Replacement(regex=r'^(#define *{} *\")([0-9.]+)(.*)$'.format(name), + repl=r'\g<1>{}\g<3>'.format(version))]) + def set_root_ca_version(): ensure_arguments_after_action(2, "major_version minor_version") major = args[1].strip() minor = args[2].strip() version = major + '.' + minor - sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION *\"\).*$/\\1' + version + '/', nssckbi_h) - sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR *\).*$/\\1' + major + '/', nssckbi_h) - sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h) + + inplace_replace(filename=nssckbi_h, replacements=[ + Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION *\").*$', + repl=r'\g<1>{}"'.format(version)), + Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR ?).*$', + repl=r'\g<1>{}'.format(major)), + Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR ?).*$', + repl=r'\g<1>{}'.format(minor))]) + def set_all_lib_versions(version, major, minor, patch, build): grep_major = check_output(['grep', 'define.*NSS_VMAJOR', nss_h]) grep_minor = check_output(['grep', 'define.*NSS_VMINOR', nss_h]) - old_major = int(grep_major.split()[2]); - old_minor = int(grep_minor.split()[2]); + old_major = int(grep_major.split()[2]) + old_minor = int(grep_minor.split()[2]) new_major = int(major) new_minor = int(minor) if (old_major < new_major or (old_major == new_major and old_minor < new_minor)): - print "You're increasing the minor (or major) version:" - print "- erasing ABI comparison expectations" + print("You're increasing the minor (or major) version:") + print("- erasing ABI comparison expectations") new_branch = "NSS_" + str(old_major) + "_" + str(old_minor) + "_BRANCH" - print "- setting reference branch to the branch of the previous version: " + new_branch + print("- setting reference branch to the branch of the previous version: " + new_branch) with open(abi_base_version_file, "w") as abi_base: abi_base.write("%s\n" % new_branch) for report_file in abi_report_files: @@ -174,6 +241,7 @@ def set_all_lib_versions(version, major, minor, patch, build): set_patch_versions(patch) set_build_versions(build) + def set_version_to_minor_release(): ensure_arguments_after_action(2, "major_version minor_version") major = args[1].strip() @@ -183,6 +251,7 @@ def set_version_to_minor_release(): build = "0" set_all_lib_versions(version, major, minor, patch, build) + def set_version_to_patch_release(): ensure_arguments_after_action(3, "major_version minor_version patch_release") major = args[1].strip() @@ -192,11 +261,13 @@ def set_version_to_patch_release(): build = "0" set_all_lib_versions(version, major, minor, patch, build) + def set_release_candidate_number(): ensure_arguments_after_action(1, "release_candidate_number") build = args[1].strip() set_build_versions(build) + def set_4_digit_release_number(): ensure_arguments_after_action(4, "major_version minor_version patch_release 4th_digit_release_number") major = args[1].strip() @@ -206,21 +277,22 @@ def set_4_digit_release_number(): version = major + '.' + minor + '.' + patch + '.' + build set_all_lib_versions(version, major, minor, patch, build) + def create_nss_release_archive(): ensure_arguments_after_action(3, "nss_release_version nss_hg_release_tag path_to_stage_directory") - nssrel = args[1].strip() #e.g. 3.19.3 - nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM - stagedir = args[3].strip() #e.g. ../stage + nssrel = args[1].strip() # e.g. 3.19.3 + nssreltag = args[2].strip() # e.g. NSS_3_19_3_RTM + stagedir = args[3].strip() # e.g. ../stage with open('automation/release/nspr-version.txt') as nspr_version_file: nsprrel = next(nspr_version_file).strip() nspr_tar = "nspr-" + nsprrel + ".tar.gz" - nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar + nsprtar_with_path = stagedir + "/v" + nsprrel + "/src/" + nspr_tar if (not os.path.exists(nsprtar_with_path)): exit_with_failure("cannot find nspr archive at expected location " + nsprtar_with_path) - nss_stagedir= stagedir + "/" + nssreltag + "/src" + nss_stagedir = stagedir + "/" + nssreltag + "/src" if (os.path.exists(nss_stagedir)): exit_with_failure("nss stage directory already exists: " + nss_stagedir) @@ -230,7 +302,7 @@ def create_nss_release_archive(): check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss", stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"]) check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path]) - print "changing to directory " + nss_stagedir + print("changing to directory " + nss_stagedir) os.chdir(nss_stagedir) check_call_noisy(["tar", "-xz", "-f", nss_tar]) check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"]) @@ -241,9 +313,23 @@ def create_nss_release_archive(): check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel]) check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True) check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True) - print "created directory " + nss_stagedir + " with files:" + print("created directory " + nss_stagedir + " with files:") check_call_noisy(["ls", "-l"]) + +o = OptionParser(usage="client.py [options] " + " | ".join([ + "remove_beta", "set_beta", "print_library_versions", "print_root_ca_version", + "set_root_ca_version", "set_version_to_minor_release", + "set_version_to_patch_release", "set_release_candidate_number", + "set_4_digit_release_number", "create_nss_release_archive"])) + +try: + options, args = o.parse_args() + action = args[0] +except IndexError: + o.print_help() + sys.exit(2) + if action in ('remove_beta'): remove_beta_status() diff --git a/security/nss/automation/saw/chacha20.saw b/security/nss/automation/saw/chacha20.saw index 92145ab74..cf98466b2 100644 --- a/security/nss/automation/saw/chacha20.saw +++ b/security/nss/automation/saw/chacha20.saw @@ -34,7 +34,7 @@ let SpecChaCha20 n = do { }; print "Proving equality for a single block..."; -time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 64)); +time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 64)); print "Proving equality for multiple blocks..."; -time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 256)); +time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 256)); diff --git a/security/nss/automation/taskcluster/docker-builds/Dockerfile b/security/nss/automation/taskcluster/docker-builds/Dockerfile index 9f0bb2034..0ce4e80c6 100644 --- a/security/nss/automation/taskcluster/docker-builds/Dockerfile +++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile @@ -34,9 +34,13 @@ RUN apt-get update \ pkg-config \ valgrind \ zlib1g-dev \ + clang-format-3.9 \ && rm -rf /var/lib/apt/lists/* \ && apt-get autoremove -y && apt-get clean -y +RUN update-alternatives --install /usr/bin/clang-format \ + clang-format $(which clang-format-3.9) 10 + # Latest version of abigail-tools RUN apt-get update \ && apt-get install -y --no-install-recommends automake libtool libxml2-dev \ diff --git a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile index f5fd3cfd5..e80b94d5f 100644 --- a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile +++ b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile @@ -10,6 +10,8 @@ LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>" RUN dpkg --add-architecture i386 RUN apt-get update \ && apt-get install -y --no-install-recommends \ + apt-transport-https \ + apt-utils \ build-essential \ ca-certificates \ curl \ diff --git a/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc deleted file mode 100644 index 513dcd410..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc +++ /dev/null @@ -1,143 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM -5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+ -LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe -V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT -pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr -RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo -OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz -atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W -l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB -P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx -OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB -tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2 -MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW -ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7 -INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox -51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK -djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj -u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m -NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6 -DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42 -brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu -m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7 -3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p -Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV -TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK -CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa -zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m -MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7 -ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh -/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv -aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6 -4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF -TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb -o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV -/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0 -8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh -lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq -pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q -yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03 -KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5 -rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq -FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc -g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO -Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0 -+gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn -RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU -zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM -1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+ -r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ -+rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI -T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG -P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd -ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2 -Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw -F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a -u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I -BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX -8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B -2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB -X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD -xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2 -b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl -REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq -akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh -3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7 -gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB -4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b -gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ -Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7 -dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3 -SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR -wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg -qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o -nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd -nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/ -ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt -FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY -JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66 -DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME -EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM -D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0 -zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL -CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5 -Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC -nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i -8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv -QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj -Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY -xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46 -XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g -5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V -IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m -RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD -WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY -TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp -WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy -MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni -COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv -ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo -or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x -F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep -2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A -N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG -CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F -Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR -M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ -bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N -xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem -d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX -vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T -jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa -JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92 -xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv -dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ -bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn -suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC -898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy -+UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr -m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap -2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+ -xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ -DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak -EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E -cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q -5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas -Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh -EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC -Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT -eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB -fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y -2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9 -pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui -+TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X -l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR -dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc -KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr -m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w -V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1 -67H2IH//2sf8dw== -=fTDu ------END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file diff --git a/security/nss/automation/taskcluster/docker-hacl/Dockerfile b/security/nss/automation/taskcluster/docker-hacl/Dockerfile deleted file mode 100644 index 168be1c41..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/Dockerfile +++ /dev/null @@ -1,31 +0,0 @@ -FROM ubuntu:xenial - -MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com> -# Based on the HACL* image from Benjamin Beurdouche and -# the original F* formula with Daniel Fabian - -# Pinned versions of HACL* (F* and KreMLin are pinned as submodules) -ENV haclrepo https://github.com/mitls/hacl-star.git - -# Define versions of dependencies -ENV opamv 4.05.0 -ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e - -# Install required packages and set versions -ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc -ADD setup.sh /tmp/setup.sh -RUN bash /tmp/setup.sh - -# Create user, add scripts. -RUN useradd -ms /bin/bash worker -WORKDIR /home/worker -ADD bin /home/worker/bin -RUN chmod +x /home/worker/bin/* -USER worker - -# Build F*, HACL*, verify. Install a few more dependencies. -ENV OPAMYES true -ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH" -ADD setup-user.sh /tmp/setup-user.sh -ADD license.txt /tmp/license.txt -RUN bash /tmp/setup-user.sh diff --git a/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh b/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh deleted file mode 100644 index 9167f6bda..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -if [ $(id -u) = 0 ]; then - # Drop privileges by re-running this script. - exec su worker $0 -fi - -# Default values for testing. -REVISION=${NSS_HEAD_REVISION:-default} -REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} - -# Clone NSS. -for i in 0 2 5; do - sleep $i - hg clone -r $REVISION $REPOSITORY nss && exit 0 - rm -rf nss -done -exit 1 diff --git a/security/nss/automation/taskcluster/docker-hacl/license.txt b/security/nss/automation/taskcluster/docker-hacl/license.txt deleted file mode 100644 index 03d25c4d3..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/license.txt +++ /dev/null @@ -1,15 +0,0 @@ -/* Copyright 2016-2017 INRIA and Microsoft Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - diff --git a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh deleted file mode 100644 index e2c0b857b..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -# Prepare build (OCaml packages) -opam init -echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc -opam switch -v ${opamv} -opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint - -# Get the HACL* code -git clone ${haclrepo} hacl-star -git -C hacl-star checkout ${haclversion} - -# Prepare submodules, and build, verify, test, and extract c code -# This caches the extracted c code (pins the HACL* version). All we need to do -# on CI now is comparing the code in this docker image with the one in NSS. -opam config exec -- make -C hacl-star prepare -j$(nproc) -make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc) -KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc) -make -C hacl-star/code/salsa-family test -j$(nproc) -make -C hacl-star/code/poly1305 test -j$(nproc) - -# Cleanup. -rm -rf ~/.ccache ~/.cache diff --git a/security/nss/automation/taskcluster/docker-hacl/setup.sh b/security/nss/automation/taskcluster/docker-hacl/setup.sh deleted file mode 100644 index 491342e14..000000000 --- a/security/nss/automation/taskcluster/docker-hacl/setup.sh +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bash - -set -v -e -x - -# Update packages. -export DEBIAN_FRONTEND=noninteractive -apt-get -qq update -apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales -update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200 -update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200 - -# Get clang-format-3.9 -curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz -curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig - -# Verify the signature. The key used for verification was fetched via: -# gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D -# Use a local copy to workaround bug 1565013. -gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc -gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig - -# Install into /usr/local/. -tar xJvf *.tar.xz -C /usr/local --strip-components=1 -# Cleanup. -rm *.tar.xz* - -locale-gen en_US.UTF-8 -dpkg-reconfigure locales - -# Cleanup. -rm -rf ~/.ccache ~/.cache -apt-get autoremove -y -apt-get clean -apt-get autoclean diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index 2a1a13835..658f06ab1 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -41,11 +41,6 @@ const FUZZ_IMAGE_32 = { path: "automation/taskcluster/docker-fuzz32" }; -const HACL_GEN_IMAGE = { - name: "hacl", - path: "automation/taskcluster/docker-hacl" -}; - const SAW_IMAGE = { name: "saw", path: "automation/taskcluster/docker-saw" @@ -105,8 +100,20 @@ queue.filter(task => { // Don't run all additional hardware tests on ARM. if (task.group == "Cipher" && task.platform == "aarch64" && task.env && - (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1" - || task.env.NSS_DISABLE_AVX == "1")) { + (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_SSE4_1 == "1" + || task.env.NSS_DISABLE_AVX == "1" || task.env.NSS_DISABLE_AVX2 == "1")) { + return false; + } + + // Don't run ARM specific hardware tests on non-ARM. + // TODO: our server that runs task cluster doesn't support Intel SHA extensions. + if (task.group == "Cipher" && task.platform != "aarch64" && task.env && + (task.env.NSS_DISABLE_HW_SHA1 == "1" || task.env.NSS_DISABLE_HW_SHA2 == "1")) { + return false; + } + + // Don't run DBM builds on aarch64. + if (task.group == "DBM" && task.platform == "aarch64") { return false; } @@ -500,7 +507,7 @@ async function scheduleLinux(name, overrides, args = "") { } // The task that generates certificates. - let task_cert = queue.scheduleTask(merge(build_base, { + let cert_base = merge(build_base, { name: "Certificates", command: [ "/bin/bash", @@ -509,7 +516,8 @@ async function scheduleLinux(name, overrides, args = "") { ], parent: task_build, symbol: "Certs" - })); + }); + let task_cert = queue.scheduleTask(cert_base); // Schedule tests. scheduleTests(task_build, task_cert, merge(base, { @@ -592,6 +600,25 @@ async function scheduleLinux(name, overrides, args = "") { symbol: "modular" })); + if (base.collection != "make") { + let task_build_dbm = queue.scheduleTask(merge(extra_base, { + name: `${name} w/ legacy-db`, + command: [ + "/bin/bash", + "-c", + checkout_and_gyp + "--enable-legacy-db" + ], + symbol: "B", + group: "DBM", + })); + + let task_cert_dbm = queue.scheduleTask(merge(cert_base, { + parent: task_build_dbm, + group: "DBM", + symbol: "Certs" + })); + } + return queue.submit(); } @@ -830,11 +857,11 @@ async function scheduleWindows(name, base, build_script) { workerType: "win2012r2", env: { PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" + - "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" + - "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" + - "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" + - "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" + - "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget", + "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" + + "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" + + "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" + + "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" + + "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget", DOMSUF: "localdomain", HOST: "localhost", }, @@ -983,10 +1010,17 @@ function scheduleTests(task_build, task_cert, test_base) { name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAESNI", tests: "cipher", + name: "Cipher tests", symbol: "NoAES", tests: "cipher", env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { + name: "Cipher tests", symbol: "NoSHA", tests: "cipher", + env: { + NSS_DISABLE_HW_SHA1: "1", + NSS_DISABLE_HW_SHA2: "1" + }, group: "Cipher" + })); + queue.scheduleTask(merge(cert_base_long, { name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher", env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher" })); @@ -995,12 +1029,20 @@ function scheduleTests(task_build, task_cert, test_base) { env: {NSS_DISABLE_AVX: "1"}, group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { + name: "Cipher tests", symbol: "NoAVX2", tests: "cipher", + env: {NSS_DISABLE_AVX2: "1"}, group: "Cipher" + })); + queue.scheduleTask(merge(cert_base_long, { name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher", env: { NSS_DISABLE_ARM_NEON: "1", NSS_DISABLE_SSSE3: "1" }, group: "Cipher" })); + queue.scheduleTask(merge(cert_base_long, { + name: "Cipher tests", symbol: "NoSSE4.1", tests: "cipher", + env: {NSS_DISABLE_SSE4_1: "1"}, group: "Cipher" + })); queue.scheduleTask(merge(cert_base, { name: "EC tests", symbol: "EC", tests: "ec" })); @@ -1040,12 +1082,6 @@ function scheduleTests(task_build, task_cert, test_base) { name: "SSL tests (pkix)", symbol: "pkix", cycle: "pkix" })); queue.scheduleTask(merge(ssl_base, { - name: "SSL tests (sharedb)", symbol: "sharedb", cycle: "sharedb" - })); - queue.scheduleTask(merge(ssl_base, { - name: "SSL tests (upgradedb)", symbol: "upgradedb", cycle: "upgradedb" - })); - queue.scheduleTask(merge(ssl_base, { name: "SSL tests (stress)", symbol: "stress", cycle: "sharedb", env: {NSS_SSL_RUN: "stress"} })); @@ -1135,7 +1171,7 @@ async function scheduleTools() { queue.scheduleTask(merge(base, { symbol: "hacl", name: "hacl", - image: HACL_GEN_IMAGE, + image: LINUX_BUILDS_IMAGE, command: [ "/bin/bash", "-c", @@ -1181,18 +1217,22 @@ async function scheduleTools() { ] })); - queue.scheduleTask(merge(base, { - parent: task_saw, - symbol: "ChaCha20", - group: "SAW", - name: "chacha20.saw", - image: SAW_IMAGE, - command: [ - "/bin/bash", - "-c", - "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20" - ] - })); + // TODO: The ChaCha20 saw verification is currently disabled because the new + // HACL 32-bit code can't be verified by saw right now to the best of + // my knowledge. + // Bug 1604130 + // queue.scheduleTask(merge(base, { + // parent: task_saw, + // symbol: "ChaCha20", + // group: "SAW", + // name: "chacha20.saw", + // image: SAW_IMAGE, + // command: [ + // "/bin/bash", + // "-c", + // "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20" + // ] + // })); queue.scheduleTask(merge(base, { parent: task_saw, @@ -1211,7 +1251,15 @@ async function scheduleTools() { symbol: "Coverage", name: "Coverage", image: FUZZ_IMAGE, + type: "other", features: ["allowPtrace"], + artifacts: { + public: { + expires: 24 * 7, + type: "directory", + path: "/home/worker/artifacts" + } + }, command: [ "/bin/bash", "-c", diff --git a/security/nss/automation/taskcluster/graph/src/queue.js b/security/nss/automation/taskcluster/graph/src/queue.js index fd5be2050..851bc669a 100644 --- a/security/nss/automation/taskcluster/graph/src/queue.js +++ b/security/nss/automation/taskcluster/graph/src/queue.js @@ -220,6 +220,9 @@ export async function submit() { maps.forEach(map => { task = map(merge({}, task)) }); let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`; + if (task.group) { + log_id = `${task.group}::${log_id}`; + } console.log(`+ Submitting ${log_id}.`); // Index that task for each tag specified diff --git a/security/nss/automation/taskcluster/scripts/build_gyp.sh b/security/nss/automation/taskcluster/scripts/build_gyp.sh index e19a6362f..2cb0deb01 100755 --- a/security/nss/automation/taskcluster/scripts/build_gyp.sh +++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh @@ -12,7 +12,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi # Build. -nss/build.sh -g -v --enable-libpkix "$@" +nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" # Package. if [[ $(uname) = "Darwin" ]]; then diff --git a/security/nss/automation/taskcluster/scripts/check_abi.sh b/security/nss/automation/taskcluster/scripts/check_abi.sh index 5cd587a6b..da610955f 100644 --- a/security/nss/automation/taskcluster/scripts/check_abi.sh +++ b/security/nss/automation/taskcluster/scripts/check_abi.sh @@ -97,7 +97,8 @@ abi_diff() rm -f ${ABI_REPORT} PREVDIST=${HGDIR}/baseline/dist NEWDIST=${HGDIR}/dist - ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" + # libnssdbm3.so isn't built by default anymore, skip it. + ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" for SO in ${ALL_SOs}; do if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh index 6cbda49b4..84dc9dbc3 100644 --- a/security/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh @@ -8,33 +8,25 @@ fi set -e -x -v -# The docker image this is running in has the HACL* and NSS sources. -# The extracted C code from HACL* is already generated and the HACL* tests were -# successfully executed. - -# Verify HACL*. Taskcluster fails when we do this in the image build. -make -C hacl-star verify-nss -j$(nproc) - -# Add license header to specs -spec_files=($(find ~/hacl-star/specs -type f -name '*.fst')) -for f in "${spec_files[@]}"; do - cat /tmp/license.txt "$f" > /tmp/tmpfile && mv /tmp/tmpfile "$f" -done - -# Format the extracted C code. -cd ~/hacl-star/snapshots/nss +# The docker image this is running in has NSS sources. +# Get the HACL* source, containing a snapshot of the C code, extracted on the +# HACL CI. +# When bug 1593647 is resolved, extract the code on CI again. +git clone -q "https://github.com/project-everest/hacl-star" ~/hacl-star +git -C ~/hacl-star checkout -q e4311991b1526734f99f4e3a0058895a46c63e5c + +# Format the C snapshot. +cd ~/hacl-star/dist/mozilla +cp ~/nss/.clang-format . +find . -type f -name '*.[ch]' -exec clang-format -i {} \+ +cd ~/hacl-star/dist/kremlin cp ~/nss/.clang-format . find . -type f -name '*.[ch]' -exec clang-format -i {} \+ # These diff commands will return 1 if there are differences and stop the script. files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]')) for f in "${files[@]}"; do - diff $f $(basename "$f") -done - -# Check that the specs didn't change either. -cd ~/hacl-star/specs -files=($(find ~/nss/lib/freebl/verified/specs -type f)) -for f in "${files[@]}"; do - diff $f $(basename "$f") + file_name=$(basename "$f") + hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/kremlin/ -type f -name $file_name)) + diff $hacl_file $f done diff --git a/security/nss/automation/taskcluster/windows/build_gyp.sh b/security/nss/automation/taskcluster/windows/build_gyp.sh index 1a78d44a7..d7072ebbf 100644 --- a/security/nss/automation/taskcluster/windows/build_gyp.sh +++ b/security/nss/automation/taskcluster/windows/build_gyp.sh @@ -19,7 +19,7 @@ pushd gyp python -m virtualenv test-env test-env/Scripts/python setup.py install test-env/Scripts/python -m pip install --upgrade pip -test-env/Scripts/pip install --upgrade setuptools +test-env/Scripts/pip install --upgrade 'setuptools<45.0.0' # Fool GYP. touch "${VSPATH}/VC/vcvarsall.bat" export GYP_MSVS_OVERRIDE_PATH="${VSPATH}" @@ -38,7 +38,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi # Build with gyp. -./nss/build.sh -g -v --enable-libpkix "$@" +./nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" # Package. 7z a public/build/dist.7z dist |