From ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 Mon Sep 17 00:00:00 2001 
From: wolfbeast Date: Tue, 14 Aug 2018 07:52:35 +0200 Subject: Update NSS to 3.38 - Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code. --- CLOBBER | 2 +- config/external/nss/nss.symbols | 16 +- security/nss/TAG-INFO | 2 +- .../abi-check/expected-report-libnssutil3.so.txt | 4 + .../abi-check/expected-report-libssl3.so.txt | 28 - .../nss/automation/abi-check/previous-nss-release | 2 +- .../automation/taskcluster/docker-hacl/Dockerfile | 6 +- .../taskcluster/docker-hacl/setup-user.sh | 1 - .../automation/taskcluster/docker-saw/Dockerfile | 2 +- .../nss/automation/taskcluster/docker/Dockerfile | 3 - .../nss/automation/taskcluster/graph/src/extend.js | 22 +- .../automation/taskcluster/graph/src/try_syntax.js | 2 +- .../taskcluster/scripts/gen_coverage_report.sh | 12 + .../nss/automation/taskcluster/scripts/run_hacl.sh | 4 +- .../nss/automation/taskcluster/scripts/tools.sh | 5 + security/nss/cmd/bltest/blapitest.c | 6 +- security/nss/cmd/certutil/certutil.c | 156 +- security/nss/cmd/crlutil/crlutil.c | 14 +- security/nss/cmd/crmftest/testcrmf.c | 1 - security/nss/cmd/dbtest/dbtest.c | 7 +- security/nss/cmd/httpserv/httpserv.c | 10 +- security/nss/cmd/lib/secutil.c | 8 +- security/nss/cmd/listsuites/listsuites.c | 2 - security/nss/cmd/lowhashtest/lowhashtest.c | 4 +- security/nss/cmd/modutil/install-ds.c | 10 +- security/nss/cmd/mpitests/mpi-test.c | 16 +- security/nss/cmd/ocspclnt/ocspclnt.c | 24 +- security/nss/cmd/ocspresp/ocspresp.c | 6 +- security/nss/cmd/pk12util/pk12util.c | 12 +- security/nss/cmd/pk1sign/pk1sign.c | 2 +- security/nss/cmd/rsaperf/rsaperf.c | 
32 +- security/nss/cmd/selfserv/selfserv.c | 59 +- security/nss/cmd/shlibsign/shlibsign.c | 2 +- security/nss/cmd/signtool/javascript.c | 8 +- security/nss/cmd/signtool/sign.c | 68 +- security/nss/cmd/signtool/zip.c | 4 +- security/nss/cmd/smimetools/cmsutil.c | 37 +- security/nss/cmd/strsclnt/strsclnt.c | 16 +- security/nss/cmd/symkeyutil/symkeyutil.c | 5 +- security/nss/cmd/tstclnt/tstclnt.c | 225 ++- security/nss/cmd/vfyserv/vfyserv.c | 6 +- security/nss/cmd/vfyserv/vfyutil.c | 4 +- security/nss/coreconf/Werror.mk | 6 +- security/nss/coreconf/config.mk | 4 + security/nss/coreconf/coreconf.dep | 1 + security/nss/coreconf/nsinstall/pathsub.c | 2 +- security/nss/coreconf/werror.py | 2 +- security/nss/cpputil/databuffer.cc | 10 +- security/nss/cpputil/databuffer.h | 14 +- security/nss/cpputil/scoped_ptrs.h | 2 + security/nss/cpputil/tls_parser.cc | 15 + security/nss/cpputil/tls_parser.h | 1 + security/nss/fuzz/fuzz.gyp | 3 + security/nss/fuzz/tls_client_target.cc | 8 +- .../nss/gtests/freebl_gtest/blake2b_unittest.cc | 4 +- security/nss/gtests/freebl_gtest/kat/blake2b_kat.h | 2 +- security/nss/gtests/nss_bogo_shim/config.cc | 35 +- security/nss/gtests/nss_bogo_shim/config.h | 17 +- security/nss/gtests/nss_bogo_shim/config.json | 74 +- security/nss/gtests/nss_bogo_shim/nss_bogo_shim.cc | 59 +- .../nss/gtests/pk11_gtest/pk11_signature_test.h | 4 +- security/nss/gtests/ssl_gtest/libssl_internals.c | 13 +- security/nss/gtests/ssl_gtest/manifest.mn | 1 + security/nss/gtests/ssl_gtest/rsa8193.h | 209 +++ security/nss/gtests/ssl_gtest/ssl_0rtt_unittest.cc | 4 +- .../nss/gtests/ssl_gtest/ssl_agent_unittest.cc | 78 +- security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc | 48 +- .../gtests/ssl_gtest/ssl_ciphersuite_unittest.cc | 11 +- .../nss/gtests/ssl_gtest/ssl_custext_unittest.cc | 1 + security/nss/gtests/ssl_gtest/ssl_dhe_unittest.cc | 73 +- security/nss/gtests/ssl_gtest/ssl_drop_unittest.cc | 126 +- security/nss/gtests/ssl_gtest/ssl_ecdh_unittest.cc | 111 +- 
.../nss/gtests/ssl_gtest/ssl_extension_unittest.cc | 35 +- .../nss/gtests/ssl_gtest/ssl_fragment_unittest.cc | 28 +- security/nss/gtests/ssl_gtest/ssl_fuzz_unittest.cc | 4 +- security/nss/gtests/ssl_gtest/ssl_gtest.gyp | 1 + security/nss/gtests/ssl_gtest/ssl_hrr_unittest.cc | 136 +- .../nss/gtests/ssl_gtest/ssl_loopback_unittest.cc | 71 +- .../nss/gtests/ssl_gtest/ssl_record_unittest.cc | 57 +- .../gtests/ssl_gtest/ssl_recordsize_unittest.cc | 431 +++++ .../gtests/ssl_gtest/ssl_resumption_unittest.cc | 6 +- security/nss/gtests/ssl_gtest/ssl_skip_unittest.cc | 6 +- .../nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc | 36 + .../gtests/ssl_gtest/ssl_tls13compat_unittest.cc | 92 + .../gtests/ssl_gtest/ssl_versionpolicy_unittest.cc | 12 +- security/nss/gtests/ssl_gtest/test_io.cc | 8 +- security/nss/gtests/ssl_gtest/test_io.h | 6 +- security/nss/gtests/ssl_gtest/tls_agent.cc | 131 +- security/nss/gtests/ssl_gtest/tls_agent.h | 24 +- security/nss/gtests/ssl_gtest/tls_connect.cc | 49 +- security/nss/gtests/ssl_gtest/tls_connect.h | 4 +- security/nss/gtests/ssl_gtest/tls_filter.cc | 234 ++- security/nss/gtests/ssl_gtest/tls_filter.h | 149 +- security/nss/gtests/ssl_gtest/tls_protect.cc | 35 +- security/nss/gtests/ssl_gtest/tls_protect.h | 15 +- security/nss/lib/certdb/crl.c | 8 +- security/nss/lib/ckfw/Makefile | 4 - security/nss/lib/ckfw/builtins/certdata.txt | 467 ----- security/nss/lib/ckfw/builtins/nssckbi.h | 6 +- security/nss/lib/ckfw/nssmkey/Makefile | 72 - security/nss/lib/ckfw/nssmkey/README | 21 - security/nss/lib/ckfw/nssmkey/ckmk.h | 182 -- security/nss/lib/ckfw/nssmkey/ckmkver.c | 17 - security/nss/lib/ckfw/nssmkey/config.mk | 24 - security/nss/lib/ckfw/nssmkey/manchor.c | 17 - security/nss/lib/ckfw/nssmkey/manifest.mn | 33 - security/nss/lib/ckfw/nssmkey/mconstants.c | 61 - security/nss/lib/ckfw/nssmkey/mfind.c | 352 ---- security/nss/lib/ckfw/nssmkey/minst.c | 97 - security/nss/lib/ckfw/nssmkey/mobject.c | 1861 -------------------- 
security/nss/lib/ckfw/nssmkey/mrsa.c | 479 ----- security/nss/lib/ckfw/nssmkey/msession.c | 87 - security/nss/lib/ckfw/nssmkey/mslot.c | 81 - security/nss/lib/ckfw/nssmkey/mtoken.c | 184 -- security/nss/lib/ckfw/nssmkey/nssmkey.def | 26 - security/nss/lib/ckfw/nssmkey/nssmkey.h | 41 - security/nss/lib/ckfw/nssmkey/staticobj.c | 36 - security/nss/lib/ckfw/session.c | 3 +- security/nss/lib/dev/devtoken.c | 4 +- security/nss/lib/freebl/Makefile | 10 +- security/nss/lib/freebl/blake2b.c | 2 +- security/nss/lib/freebl/chacha20poly1305.c | 88 +- security/nss/lib/freebl/dsa.c | 37 +- security/nss/lib/freebl/ec.c | 29 +- security/nss/lib/freebl/freebl.gyp | 36 +- security/nss/lib/freebl/freebl_base.gypi | 15 +- security/nss/lib/freebl/loader.c | 4 +- security/nss/lib/freebl/mpi/mpi.c | 13 +- .../poly1305-donna-x64-sse2-incremental-source.c | 881 --------- security/nss/lib/freebl/poly1305.c | 314 ---- security/nss/lib/freebl/poly1305.h | 30 - security/nss/lib/freebl/unix_urandom.c | 33 + .../nss/lib/freebl/verified/Hacl_Poly1305_32.c | 578 ++++++ .../nss/lib/freebl/verified/Hacl_Poly1305_32.h | 103 ++ .../pkix_pl_nss/module/pkix_pl_httpdefaultclient.c | 130 +- .../libpkix/pkix_pl_nss/pki/pkix_pl_infoaccess.c | 20 +- security/nss/lib/nss/nss.h | 6 +- security/nss/lib/pk11wrap/pk11akey.c | 18 + security/nss/lib/pk11wrap/pk11pars.c | 8 +- security/nss/lib/pkcs12/p12e.c | 5 +- security/nss/lib/pkcs7/p7decode.c | 1 - security/nss/lib/pki/pki3hack.c | 4 +- security/nss/lib/smime/cmsrecinfo.c | 2 +- security/nss/lib/softoken/legacydb/pcertdb.c | 3 +- security/nss/lib/softoken/lowkey.c | 24 + security/nss/lib/softoken/lowkeyi.h | 1 + security/nss/lib/softoken/lowkeyti.h | 9 + security/nss/lib/softoken/lowpbe.c | 10 +- security/nss/lib/softoken/pkcs11.c | 72 +- security/nss/lib/softoken/pkcs11c.c | 116 +- security/nss/lib/softoken/pkcs11u.c | 4 +- security/nss/lib/softoken/sdb.c | 69 +- security/nss/lib/softoken/sftkdb.c | 3 +- security/nss/lib/softoken/sftkpars.c | 34 +- 
security/nss/lib/softoken/sftkpwd.c | 6 +- security/nss/lib/softoken/softkver.h | 6 +- security/nss/lib/ssl/SSLerrs.h | 11 +- security/nss/lib/ssl/dtls13con.c | 59 +- security/nss/lib/ssl/dtls13con.h | 4 + security/nss/lib/ssl/dtlscon.c | 116 +- security/nss/lib/ssl/dtlscon.h | 2 + security/nss/lib/ssl/ssl.h | 81 +- security/nss/lib/ssl/ssl3con.c | 430 ++--- security/nss/lib/ssl/ssl3ecc.c | 6 +- security/nss/lib/ssl/ssl3ext.c | 13 +- security/nss/lib/ssl/ssl3ext.h | 3 + security/nss/lib/ssl/ssl3exthandle.c | 181 +- security/nss/lib/ssl/ssl3exthandle.h | 7 + security/nss/lib/ssl/ssl3gthr.c | 109 +- security/nss/lib/ssl/ssl3prot.h | 2 +- security/nss/lib/ssl/sslcert.c | 3 +- security/nss/lib/ssl/sslerr.h | 2 + security/nss/lib/ssl/sslimpl.h | 39 +- security/nss/lib/ssl/sslsecur.c | 19 +- security/nss/lib/ssl/sslsock.c | 123 +- security/nss/lib/ssl/sslspec.c | 1 + security/nss/lib/ssl/sslspec.h | 8 +- security/nss/lib/ssl/sslt.h | 3 +- security/nss/lib/ssl/tls13con.c | 262 ++- security/nss/lib/ssl/tls13con.h | 2 + security/nss/lib/ssl/tls13exthandle.c | 4 +- security/nss/lib/util/nssutil.def | 7 +- security/nss/lib/util/nssutil.h | 6 +- security/nss/lib/util/pkcs11t.h | 2 + security/nss/lib/util/secasn1d.c | 4 +- security/nss/lib/util/secitem.c | 9 + security/nss/lib/util/secitem.h | 8 + security/nss/nss-tool/enc/enctool.cc | 1 - security/nss/tests/all.sh | 2 +- security/nss/tests/bogo/bogo.sh | 9 +- security/nss/tests/cert/cert.sh | 76 + security/nss/tests/common/init.sh | 7 +- security/nss/tests/interop/interop.sh | 2 +- security/nss/tests/ssl/ssl.sh | 122 +- security/nss/tests/ssl_gtests/ssl_gtests.sh | 2 + security/nss/tests/tools/TestRSAPSS.p12 | Bin 0 -> 2554 bytes security/nss/tests/tools/tools.sh | 21 + 197 files changed, 4873 insertions(+), 7145 deletions(-) create mode 100644 security/nss/automation/taskcluster/scripts/gen_coverage_report.sh create mode 100644 security/nss/gtests/ssl_gtest/rsa8193.h create mode 100644 
security/nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc delete mode 100644 security/nss/lib/ckfw/nssmkey/Makefile delete mode 100644 security/nss/lib/ckfw/nssmkey/README delete mode 100644 security/nss/lib/ckfw/nssmkey/ckmk.h delete mode 100644 security/nss/lib/ckfw/nssmkey/ckmkver.c delete mode 100644 security/nss/lib/ckfw/nssmkey/config.mk delete mode 100644 security/nss/lib/ckfw/nssmkey/manchor.c delete mode 100644 security/nss/lib/ckfw/nssmkey/manifest.mn delete mode 100644 security/nss/lib/ckfw/nssmkey/mconstants.c delete mode 100644 security/nss/lib/ckfw/nssmkey/mfind.c delete mode 100644 security/nss/lib/ckfw/nssmkey/minst.c delete mode 100644 security/nss/lib/ckfw/nssmkey/mobject.c delete mode 100644 security/nss/lib/ckfw/nssmkey/mrsa.c delete mode 100644 security/nss/lib/ckfw/nssmkey/msession.c delete mode 100644 security/nss/lib/ckfw/nssmkey/mslot.c delete mode 100644 security/nss/lib/ckfw/nssmkey/mtoken.c delete mode 100644 security/nss/lib/ckfw/nssmkey/nssmkey.def delete mode 100644 security/nss/lib/ckfw/nssmkey/nssmkey.h delete mode 100644 security/nss/lib/ckfw/nssmkey/staticobj.c delete mode 100644 security/nss/lib/freebl/poly1305-donna-x64-sse2-incremental-source.c delete mode 100644 security/nss/lib/freebl/poly1305.c delete mode 100644 security/nss/lib/freebl/poly1305.h create mode 100644 security/nss/lib/freebl/verified/Hacl_Poly1305_32.c create mode 100644 security/nss/lib/freebl/verified/Hacl_Poly1305_32.h create mode 100644 security/nss/tests/tools/TestRSAPSS.p12 diff --git a/CLOBBER b/CLOBBER index fd0b25967..76ebbb54b 100644 --- a/CLOBBER +++ b/CLOBBER @@ -22,4 +22,4 @@ # changes to stick? As of bug 928195, this shouldn't be necessary! Please # don't change CLOBBER for WebIDL changes any more. -Clobber for updating NSPR+NSS +Clobber required for updating NSS to 3.38 (poly1305 symbol changes) diff --git a/config/external/nss/nss.symbols b/config/external/nss/nss.symbols index ba5492c37..3239d3119 100644 --- a/config/external/nss/nss.symbols 
+++ b/config/external/nss/nss.symbols @@ -271,7 +271,6 @@ NSS_IsInitialized NSS_OptionSet NSS_NoDB_Init NSS_SecureMemcmp -NSS_SecureMemcmpZero NSS_SetAlgorithmPolicy NSS_SetDomesticPolicy NSS_Shutdown @@ -490,7 +489,6 @@ PORT_UCS2_ASCIIConversion_Util PORT_UCS2_UTF8Conversion PORT_UCS2_UTF8Conversion_Util PORT_ZAlloc -PORT_ZAllocAlignedOffset_Util PORT_ZAlloc_Util PORT_ZFree_Util SEC_AnyTemplate_Util @DATA@ @@ -725,9 +723,17 @@ VFY_VerifyDataWithAlgorithmID VFY_VerifyDigestDirect _SGN_VerifyPKCS1DigestInfo __PK11_SetCertificateNickname -# These symbols are not used by Firefox itself, but are used by Java's security -# libraries, which in turn are used by Java applets/plugins/etc. Provide them -# to make Java code happy. +# These symbols are not used by applications but are possibly used across +# NSS library boundaries. +NSS_SecureMemcmpZero +PORT_ZAllocAlignedOffset_Util +CERT_FindCertByNicknameOrEmailAddrCX +SECKEY_GetPrivateKeyType +SEC_DerSignDataWithAlgorithmID +SEC_CreateSignatureAlgorithmParameters +# These symbols are not used by applicatons themselves, but are used by +# Java's security libraries, which in turn are used by Java +# applets/plugins/etc. Provide them to make Java code happy. NSS_VersionCheck NSS_Initialize #ifdef NSS_EXTRA_SYMBOLS_FILE diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index 1d96321b3..a004fa449 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_36_4_RTM +NSS_3_38_RTM diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index e69de29bb..efc7d6d67 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -0,0 +1,4 @@ + +1 Added function: + + 'function SECStatus SECITEM_MakeItem(PLArenaPool*, SECItem*, unsigned char*, unsigned int)' {SECITEM_MakeItem@@NSSUTIL_3.38} 
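Review bot: The new comment introducing the Java-compat section has a typo, `applicatons`; it should read `# These symbols are not used by applications themselves, but are used by`. The other new comment, `possibly used across NSS library boundaries`, is vague for what is effectively exported ABI surface: if it is known which NSS library consumes NSS_SecureMemcmpZero and PORT_ZAllocAlignedOffset_Util, naming it here would stop the next cleanup from dropping these exports again, as this hunk shows already happened once.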
diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt index ad818d0aa..e69de29bb 100644 --- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -1,28 +0,0 @@ - -1 function with some indirect sub-type change: - - [C]'function SECStatus SSL_GetChannelInfo(PRFileDesc*, SSLChannelInfo*, PRUintn)' at sslinfo.c:12:1 has some indirect sub-type changes: - parameter 2 of type 'SSLChannelInfo*' has sub-type changes: - in pointed to type 'typedef SSLChannelInfo' at sslt.h:318:1: - underlying type 'struct SSLChannelInfoStr' at sslt.h:251:1 changed: - type size hasn't changed - 1 data member change: - type of 'SSLSignatureScheme SSLChannelInfoStr::signatureScheme' changed: - underlying type 'enum __anonymous_enum__' at sslt.h:115:1 changed: - type size hasn't changed - 3 enumerator deletions: - '__anonymous_enum__::ssl_sig_rsa_pss_sha256' value '2052' - '__anonymous_enum__::ssl_sig_rsa_pss_sha384' value '2053' - '__anonymous_enum__::ssl_sig_rsa_pss_sha512' value '2054' - - 6 enumerator insertions: - '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha256' value '2052' - '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha384' value '2053' - '__anonymous_enum__::ssl_sig_rsa_pss_rsae_sha512' value '2054' - '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha256' value '2057' - '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha384' value '2058' - '__anonymous_enum__::ssl_sig_rsa_pss_pss_sha512' value '2059' - - - - diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index c213ca3f8..c52061e7e 100644 --- a/security/nss/automation/abi-check/previous-nss-release +++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_35_BRANCH +NSS_3_37_BRANCH 
diff --git a/security/nss/automation/taskcluster/docker-hacl/Dockerfile b/security/nss/automation/taskcluster/docker-hacl/Dockerfile index 63f9a24e2..50f2be239 100644 --- a/security/nss/automation/taskcluster/docker-hacl/Dockerfile +++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile @@ -5,11 +5,11 @@ MAINTAINER Franziskus Kiefer # the original F* formula with Daniel Fabian # Pinned versions of HACL* (F* and KreMLin are pinned as submodules) -ENV haclrepo https://github.com/franziskuskiefer/hacl-star.git +ENV haclrepo https://github.com/mitls/hacl-star.git # Define versions of dependencies -ENV opamv 4.04.2 -ENV haclversion 668d6cf274c33bbe2e951e3a84b73f2b6442a51f +ENV opamv 4.05.0 +ENV haclversion 1da331f9ef30e13269e45ae73bbe4a4bca679ae6 # Install required packages and set versions ADD setup.sh /tmp/setup.sh diff --git a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh index b8accaf58..e2c0b857b 100644 --- a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh +++ b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh @@ -16,7 +16,6 @@ git -C hacl-star checkout ${haclversion} # This caches the extracted c code (pins the HACL* version). All we need to do # on CI now is comparing the code in this docker image with the one in NSS. opam config exec -- make -C hacl-star prepare -j$(nproc) -make -C hacl-star verify-nss -j$(nproc) make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc) KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc) make -C hacl-star/code/salsa-family test -j$(nproc) diff --git a/security/nss/automation/taskcluster/docker-saw/Dockerfile b/security/nss/automation/taskcluster/docker-saw/Dockerfile index a481ba048..d67787010 100644 --- a/security/nss/automation/taskcluster/docker-saw/Dockerfile +++ b/security/nss/automation/taskcluster/docker-saw/Dockerfile 
@@ -1,4 +1,4 @@ -FROM ubuntu:latest +FROM ubuntu:16.04 MAINTAINER Tim Taubert RUN useradd -d /home/worker -s /bin/bash -m worker diff --git a/security/nss/automation/taskcluster/docker/Dockerfile b/security/nss/automation/taskcluster/docker/Dockerfile index 8a2256d12..b3c2516ba 100644 --- a/security/nss/automation/taskcluster/docker/Dockerfile +++ b/security/nss/automation/taskcluster/docker/Dockerfile @@ -12,9 +12,6 @@ RUN chmod +x /home/worker/bin/* ADD setup.sh /tmp/setup.sh RUN bash /tmp/setup.sh -# Change user. -USER worker - # Env variables. ENV HOME /home/worker ENV SHELL /bin/bash diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index ee9ac9b74..5305325c5 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -995,13 +995,13 @@ async function scheduleTools() { })); queue.scheduleTask(merge(base, { - symbol: "scan-build-5.0", - name: "scan-build-5.0", - image: LINUX_IMAGE, + symbol: "scan-build", + name: "scan-build", + image: FUZZ_IMAGE, env: { USE_64: "1", - CC: "clang-5.0", - CCC: "clang++-5.0", + CC: "clang", + CCC: "clang++", }, artifacts: { public: { @@ -1092,5 +1092,17 @@ async function scheduleTools() { ] })); + queue.scheduleTask(merge(base, { + symbol: "Coverage", + name: "Coverage", + image: FUZZ_IMAGE, + features: ["allowPtrace"], + command: [ + "/bin/bash", + "-c", + "bin/checkout.sh && nss/automation/taskcluster/scripts/gen_coverage_report.sh" + ] + })); + return queue.submit(); } diff --git a/security/nss/automation/taskcluster/graph/src/try_syntax.js b/security/nss/automation/taskcluster/graph/src/try_syntax.js index 1c06dde13..214793bd5 100644 --- a/security/nss/automation/taskcluster/graph/src/try_syntax.js +++ b/security/nss/automation/taskcluster/graph/src/try_syntax.js 
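Review bot: Removing `USER worker` means every command run in this image now starts as root, and the privilege drop apparently moves to the runtime `exec su worker` in tools.sh, so any task command that does not go through tools.sh keeps root. If the only reason is the `/etc/hosts` write added to tools.sh, that write can be done at build time (`RUN echo "127.0.0.1 localhost.localdomain" >> /etc/hosts`) and `USER worker` restored here. Otherwise add a comment in place of the removed lines stating why the image must start as root, so the change is not read as accidental.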
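Review bot: The scan-build task drops the explicit `clang-5.0` pin for whatever `clang` the FUZZ_IMAGE resolves on PATH, so the analyzer version is now implicit in the image rather than visible in the task graph. If FUZZ_IMAGE is itself pinned this is acceptable, but a reader of extend.js can no longer tell which analyzer produced a report. Suggest a one-line comment above the env block: `// scan-build uses the image's default clang; change FUZZ_IMAGE to change the analyzer version.`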
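Review bot: The new Coverage task requests `features: ["allowPtrace"]`, which grants the task ptrace capability beyond the default sandbox, and nothing in the hunk says why a coverage run needs it. If it is required (presumably by the profiling or coverage tooling invoked from gen_coverage_report.sh), add a one-line comment above it such as `// allowPtrace: required by the coverage tooling run in gen_coverage_report.sh`; if it is not, drop the feature so this task runs with the same restrictions as the neighbouring tool tasks.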
@@ -51,7 +51,7 @@ function parseOptions(opts) { } // Parse tools. - let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi"]; + let allTools = ["clang-format", "scan-build", "hacl", "saw", "abi", "coverage"]; let tools = intersect(opts.tools.split(/\s*,\s*/), allTools); // If the given value is "all" run all tools. diff --git a/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh b/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh new file mode 100644 index 000000000..3907c72e8 --- /dev/null +++ b/security/nss/automation/taskcluster/scripts/gen_coverage_report.sh @@ -0,0 +1,12 @@ +#!/usr/bin/env bash + +source $(dirname "$0")/tools.sh + +# Clone NSPR. +hg_clone https://hg.mozilla.org/projects/nspr ./nspr default + +out=/home/worker/artifacts +mkdir -p $out + +# Generate coverage report. +cd nss && ./mach coverage --outdir=$out ssl_gtests diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh index 281075eef..6cbda49b4 100644 --- a/security/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh @@ -12,8 +12,8 @@ set -e -x -v # The extracted C code from HACL* is already generated and the HACL* tests were # successfully executed. -# Verify Poly1305 (doesn't work in docker image build) -make verify -C ~/hacl-star/code/poly1305 -j$(nproc) +# Verify HACL*. Taskcluster fails when we do this in the image build. +make -C hacl-star verify-nss -j$(nproc) # Add license header to specs spec_files=($(find ~/hacl-star/specs -type f -name '*.fst')) diff --git a/security/nss/automation/taskcluster/scripts/tools.sh b/security/nss/automation/taskcluster/scripts/tools.sh index 46d567e3a..534cb32ce 100644 --- a/security/nss/automation/taskcluster/scripts/tools.sh +++ b/security/nss/automation/taskcluster/scripts/tools.sh 
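Review bot: The new script clones NSPR at `default` (`hg_clone https://hg.mozilla.org/projects/nspr ./nspr default`), so the coverage build floats with NSPR tip instead of a fixed revision and can break or skew independently of the NSS commit under test. If the other taskcluster scripts pin NSPR the same way this is at least consistent, but passing a tag or revision as the third argument would make the report reproducible. Separately, `source $(dirname "$0")/tools.sh` leaves the command substitution unquoted; `source "$(dirname "$0")/tools.sh"` is the safe form.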
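Review bot: The replacement line `make -C hacl-star verify-nss -j$(nproc)` uses a path relative to the current directory, whereas the line it replaces and the `find ~/hacl-star/specs` immediately below use `~/hacl-star`; invoked from anywhere but the worker's home, the make fails (caught by `set -e`, but with an unrelated-looking error). Suggest `make -C ~/hacl-star verify-nss -j$(nproc)` to keep the script's path convention consistent.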
@@ -3,11 +3,16 @@ set -v -e -x if [[ $(id -u) -eq 0 ]]; then + # Stupid Docker. It works without sometimes... But not always. + echo "127.0.0.1 localhost.localdomain" >> /etc/hosts + # Drop privileges by re-running this script. # Note: this mangles arguments, better to avoid running scripts as root. exec su worker -c "$0 $*" fi +export PATH="${PATH}:/home/worker/.cargo/bin/:/usr/lib/go-1.6/bin" + # Usage: hg_clone repo dir [revision=@] hg_clone() { repo=$1 diff --git a/security/nss/cmd/bltest/blapitest.c b/security/nss/cmd/bltest/blapitest.c index ca3d6f314..ef8fdd802 100644 --- a/security/nss/cmd/bltest/blapitest.c +++ b/security/nss/cmd/bltest/blapitest.c @@ -3724,7 +3724,7 @@ main(int argc, char **argv) /* test the RSA_PopulatePrivateKey function */ if (bltest.commands[cmd_RSAPopulate].activated) { unsigned int keySize = 1024; - unsigned long exponent = 65537; + unsigned long keyExponent = 65537; int rounds = 1; int ret = -1; @@ -3735,12 +3735,12 @@ main(int argc, char **argv) rounds = PORT_Atoi(bltest.options[opt_Rounds].arg); } if (bltest.options[opt_Exponent].activated) { - exponent = PORT_Atoi(bltest.options[opt_Exponent].arg); + keyExponent = PORT_Atoi(bltest.options[opt_Exponent].arg); } for (i = 0; i < rounds; i++) { printf("Running RSA Populate test round %d\n", i); - ret = doRSAPopulateTest(keySize, exponent); + ret = doRSAPopulateTest(keySize, keyExponent); if (ret != 0) { break; } diff --git a/security/nss/cmd/certutil/certutil.c b/security/nss/cmd/certutil/certutil.c index 20722ae78..dbb93c922 100644 --- a/security/nss/cmd/certutil/certutil.c +++ b/security/nss/cmd/certutil/certutil.c @@ -36,9 +36,11 @@ #include "certdb.h" #include "nss.h" #include "certutil.h" +#include "basicutil.h" +#include "ssl.h" #define MIN_KEY_BITS 512 -/* MAX_KEY_BITS should agree with MAX_RSA_MODULUS in freebl */ +/* MAX_KEY_BITS should agree with RSA_MAX_MODULUS_BITS in freebl */ #define MAX_KEY_BITS 8192 #define DEFAULT_KEY_BITS 2048 
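Review bot: The root-only branch appends `127.0.0.1 localhost.localdomain` to `/etc/hosts` unconditionally, so every root invocation of a script sourcing tools.sh adds another duplicate entry; make it idempotent with `grep -q 'localhost.localdomain' /etc/hosts || echo "127.0.0.1 localhost.localdomain" >> /etc/hosts`. The comment `Stupid Docker. It works without sometimes... But not always.` does not tell the next reader what failed; replace it with the actual symptom being worked around (which tool could not resolve the hostname). The re-exec via `su worker -c "$0 $*"` still word-splits arguments, as the existing comment admits, so this is not a place to start passing arguments with spaces.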
@@ -447,7 +449,8 @@ ChangeTrustAttributes(CERTCertDBHandle *handle, PK11SlotInfo *slot, } static SECStatus -DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii) +DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii, + PRBool simpleSelfSigned) { CERTCertificate *the_cert; CERTCertificateList *chain; @@ -458,6 +461,14 @@ DumpChain(CERTCertDBHandle *handle, char *name, PRBool ascii) SECU_PrintError(progName, "Could not find: %s\n", name); return SECFailure; } + if (simpleSelfSigned && + SECEqual == SECITEM_CompareItem(&the_cert->derIssuer, + &the_cert->derSubject)) { + printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName); + CERT_DestroyCertificate(the_cert); + return SECSuccess; + } + chain = CERT_CertChainFromCert(the_cert, 0, PR_TRUE); CERT_DestroyCertificate(the_cert); if (!chain) { @@ -782,17 +793,17 @@ ValidateCert(CERTCertDBHandle *handle, char *name, char *date, fprintf(stdout, "%s: certificate is valid\n", progName); GEN_BREAK(SECSuccess) } else { - char *name; + char *nick; CERTVerifyLogNode *node; node = log->head; while (node) { if (node->cert->nickname != NULL) { - name = node->cert->nickname; + nick = node->cert->nickname; } else { - name = node->cert->subjectName; + nick = node->cert->subjectName; } - fprintf(stderr, "%s : %s\n", name, + fprintf(stderr, "%s : %s\n", nick, SECU_Strerror(node->error)); CERT_DestroyCertificate(node->cert); node = node->next; @@ -845,7 +856,7 @@ SECItemToHex(const SECItem *item, char *dst) } static const char *const keyTypeName[] = { - "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec" + "null", "rsa", "dsa", "fortezza", "dh", "kea", "ec", "rsaPss" }; #define MAX_CKA_ID_BIN_LEN 20 
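Review bot: In the new `--simple-self-signed` branch of DumpChain, `printf("\"%s\" [%s]\n\n", the_cert->nickname, the_cert->subjectName)` passes `nickname` straight to `%s`, while ValidateCert in the next hunk explicitly guards against a NULL nickname by falling back to `subjectName`; the same guard belongs here: `the_cert->nickname ? the_cert->nickname : the_cert->subjectName`. Note also that `derIssuer == derSubject` establishes only that the names match, not that the certificate is self-signed (no signature is checked); the help text says exactly that, so the behaviour is documented, but a comment on the comparison would stop someone "fixing" it later, e.g. `/* Name equality only; no signature verification is done here. */`. DumpChain's body continues beyond the hunk.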
@@ -999,7 +1010,7 @@ DeleteKey(char *nickname, secuPWData *pwdata) slot = PK11_GetInternalKeySlot(); if (PK11_NeedLogin(slot)) { - SECStatus rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); if (rv != SECSuccess) { SECU_PrintError(progName, "could not authenticate to token %s.", PK11_GetTokenName(slot)); @@ -1066,7 +1077,7 @@ PrintBuildFlags() } static void -PrintSyntax(char *progName) +PrintSyntax() { #define FPS fprintf(stderr, FPS "Type %s -H for more detailed descriptions\n", progName); @@ -1115,7 +1126,9 @@ PrintSyntax(char *progName) FPS "\t%s --build-flags\n", progName); FPS "\t%s -M -n cert-name -t trustargs [-d certdir] [-P dbprefix]\n", progName); - FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n", progName); + FPS "\t%s -O -n cert-name [-X] [-d certdir] [-a] [-P dbprefix]\n" + "\t\t [--simple-self-signed]\n", + progName); FPS "\t%s -R -s subj -o cert-request-file [-d certdir] [-P dbprefix] [-p phone] [-a]\n" "\t\t [-7 emailAddrs] [-k key-type-or-id] [-h token-name] [-f pwfile]\n" "\t\t [-g key-size] [-Z hashAlg]\n", @@ -1542,6 +1555,8 @@ luO(enum usage_level ul, const char *command) " -P dbprefix"); FPS "%-20s force the database to open R/W\n", " -X"); + FPS "%-20s don't search for a chain if issuer name equals subject name\n", + " --simple-self-signed"); FPS "\n"); } @@ -1560,7 +1575,7 @@ luR(enum usage_level ul, const char *command) " -o output-req"); FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n", " -k key-type-or-id"); - FPS "%-20s or nickname of the cert key to use \n", + FPS "%-20s or nickname of the cert key to use, or key id obtained using -K\n", ""); FPS "%-20s Name of token in which to generate key (default is internal)\n", " -h token-name"); 
@@ -1838,7 +1853,7 @@ luBuildFlags(enum usage_level ul, const char *command) } static void -LongUsage(char *progName, enum usage_level ul, const char *command) +LongUsage(enum usage_level ul, const char *command) { luA(ul, command); luB(ul, command); @@ -1866,14 +1881,14 @@ LongUsage(char *progName, enum usage_level ul, const char *command) } static void -Usage(char *progName) +Usage() { PR_fprintf(PR_STDERR, "%s - Utility to manipulate NSS certificate databases\n\n" "Usage: %s -d \n\n" "Valid commands:\n", progName, progName); - LongUsage(progName, usage_selected, NULL); + LongUsage(usage_selected, NULL); PR_fprintf(PR_STDERR, "\n" "%s -H : Print available options for the given command\n" "%s -H : Print complete help output of all commands and options\n" @@ -2269,10 +2284,10 @@ flagArray opFlagsArray[] = { NAME_SIZE(verify_recover), CKF_VERIFY_RECOVER }, { NAME_SIZE(wrap), CKF_WRAP }, { NAME_SIZE(unwrap), CKF_UNWRAP }, - { NAME_SIZE(derive), CKF_DERIVE }, + { NAME_SIZE(derive), CKF_DERIVE } }; -int opFlagsCount = sizeof(opFlagsArray) / sizeof(flagArray); +int opFlagsCount = PR_ARRAY_SIZE(opFlagsArray); flagArray attrFlagsArray[] = { @@ -2286,14 +2301,13 @@ flagArray attrFlagsArray[] = { NAME_SIZE(insensitive), PK11_ATTR_INSENSITIVE }, { NAME_SIZE(extractable), PK11_ATTR_EXTRACTABLE }, { NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE } - }; -int attrFlagsCount = sizeof(attrFlagsArray) / sizeof(flagArray); +int attrFlagsCount = PR_ARRAY_SIZE(attrFlagsArray); #define MAX_STRING 30 CK_ULONG -GetFlags(char *flagsString, flagArray *flagArray, int count) +GetFlags(char *flagsString, flagArray *flags, int count) { CK_ULONG flagsValue = strtol(flagsString, NULL, 0); int i; 
@@ -2303,10 +2317,10 @@ GetFlags(char *flagsString, flagArray *flagArray, int count) } while (*flagsString) { for (i = 0; i < count; i++) { - if (strncmp(flagsString, flagArray[i].name, flagArray[i].nameSize) == + if (strncmp(flagsString, flags[i].name, flags[i].nameSize) == 0) { - flagsValue |= flagArray[i].value; - flagsString += flagArray[i].nameSize; + flagsValue |= flags[i].value; + flagsString += flags[i].nameSize; if (*flagsString != 0) { flagsString++; } @@ -2499,6 +2513,7 @@ enum certutilOpts { opt_NewNickname, opt_Pss, opt_PssSign, + opt_SimpleSelfSigned, opt_Help }; @@ -2623,6 +2638,8 @@ static const secuCommandFlag options_init[] = "pss" }, { /* opt_PssSign */ 0, PR_FALSE, 0, PR_FALSE, "pss-sign" }, + { /* opt_SimpleSelfSigned */ 0, PR_FALSE, 0, PR_FALSE, + "simple-self-signed" }, }; #define NUM_OPTIONS ((sizeof options_init) / (sizeof options_init[0])) @@ -2691,14 +2708,13 @@ certutil_main(int argc, char **argv, PRBool initialize) rv = SECU_ParseCommandLine(argc, argv, progName, &certutil); if (rv != SECSuccess) - Usage(progName); + Usage(); if (certutil.commands[cmd_PrintSyntax].activated) { - PrintSyntax(progName); + PrintSyntax(); } if (certutil.commands[cmd_PrintHelp].activated) { - int i; char buf[2]; const char *command = NULL; for (i = 0; i < max_cmd; i++) { @@ -2715,7 +2731,7 @@ certutil_main(int argc, char **argv, PRBool initialize) break; } } - LongUsage(progName, (command ? usage_selected : usage_all), command); + LongUsage((command ? usage_selected : usage_all), command); exit(1); } @@ -2823,7 +2839,7 @@ certutil_main(int argc, char **argv, PRBool initialize) if (certutil.options[opt_DBPrefix].arg) { certPrefix = certutil.options[opt_DBPrefix].arg; } else { - Usage(progName); + Usage(); } } @@ -2832,7 +2848,7 @@ certutil_main(int argc, char **argv, PRBool initialize) if (certutil.options[opt_SourcePrefix].arg) { srcCertPrefix = certutil.options[opt_SourcePrefix].arg; } else { - Usage(progName); + Usage(); } } 
@@ -2916,7 +2932,7 @@ certutil_main(int argc, char **argv, PRBool initialize) return 255; } if (commandsEntered == 0) { - Usage(progName); + Usage(); } if (certutil.commands[cmd_ListCerts].activated || @@ -3124,6 +3140,8 @@ certutil_main(int argc, char **argv, PRBool initialize) } initialized = PR_TRUE; SECU_RegisterDynamicOids(); + /* Ensure the SSL error code table has been registered. Bug 1460284. */ + SSL_OptionSetDefault(-1, 0); } certHandle = CERT_GetDefaultCertDB(); @@ -3350,7 +3368,8 @@ certutil_main(int argc, char **argv, PRBool initialize) } if (certutil.commands[cmd_DumpChain].activated) { rv = DumpChain(certHandle, name, - certutil.options[opt_ASCIIForIO].activated); + certutil.options[opt_ASCIIForIO].activated, + certutil.options[opt_SimpleSelfSigned].activated); goto shutdown; } /* XXX needs work */ 
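Review bot: `SSL_OptionSetDefault(-1, 0)` is called solely for the side effect of registering libssl's error table, with an intentionally invalid option and an unchecked return value; the comment cites the bug but does not say that the call is expected to fail, which is exactly what a reader or a static analyzer flagging the ignored SECStatus will stumble on. Suggest replacing the comment with `/* Deliberately invalid option: we only want libssl's error-table registration as a side effect and ignore the (expected) failure return. Bug 1460284. */`. Presumably the call returns SECFailure for the bogus option; confirm against libssl before committing to that wording.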
@@ -3444,37 +3463,80 @@ certutil_main(int argc, char **argv, PRBool initialize) keycert = CERT_FindCertByNicknameOrEmailAddr(certHandle, keysource); if (!keycert) { keycert = PK11_FindCertFromNickname(keysource, NULL); - if (!keycert) { - SECU_PrintError(progName, - "%s is neither a key-type nor a nickname", keysource); + } + + if (keycert) { + privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata); + } else { + PLArenaPool *arena = NULL; + SECItem keyidItem = { 0 }; + char *keysourcePtr = keysource; + /* Interpret keysource as CKA_ID */ + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + SECU_PrintError(progName, "could not authenticate to token %s.", + PK11_GetTokenName(slot)); + return SECFailure; + } + } + if (0 == PL_strncasecmp("0x", keysource, 2)) { + keysourcePtr = keysource + 2; // skip leading "0x" + } + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!arena) { + SECU_PrintError(progName, "unable to allocate arena"); return SECFailure; } + if (SECU_HexString2SECItem(arena, &keyidItem, keysourcePtr)) { + privkey = PK11_FindKeyByKeyID(slot, &keyidItem, &pwdata); + } + PORT_FreeArena(arena, PR_FALSE); + } + + if (!privkey) { + SECU_PrintError( + progName, + "%s is neither a key-type nor a nickname nor a key-id", keysource); + return SECFailure; } - privkey = PK11_FindKeyByDERCert(slot, keycert, &pwdata); - if (privkey) - pubkey = CERT_ExtractPublicKey(keycert); + + pubkey = SECKEY_ConvertToPublicKey(privkey); if (!pubkey) { SECU_PrintError(progName, "Could not get keys from cert %s", keysource); + if (keycert) { + CERT_DestroyCertificate(keycert); + } rv = SECFailure; - CERT_DestroyCertificate(keycert); goto shutdown; } keytype = privkey->keyType; + /* On CertReq for renewal if no subject has been * specified obtain it from the certificate. 
*/ if (certutil.commands[cmd_CertReq].activated && !subject) { - subject = CERT_AsciiToName(keycert->subjectName); - if (!subject) { - SECU_PrintError(progName, - "Could not get subject from certificate %s", keysource); - CERT_DestroyCertificate(keycert); + if (keycert) { + subject = CERT_AsciiToName(keycert->subjectName); + if (!subject) { + SECU_PrintError( + progName, + "Could not get subject from certificate %s", + keysource); + CERT_DestroyCertificate(keycert); + rv = SECFailure; + goto shutdown; + } + } else { + SECU_PrintError(progName, "Subject name not provided"); rv = SECFailure; goto shutdown; } } - CERT_DestroyCertificate(keycert); + if (keycert) { + CERT_DestroyCertificate(keycert); + } } else { privkey = CERTUTIL_GeneratePrivateKey(keytype, slot, keysize, @@ -3537,6 +3599,14 @@ certutil_main(int argc, char **argv, PRBool initialize) } } + if (certutil.options[opt_SimpleSelfSigned].activated && + !certutil.commands[cmd_DumpChain].activated) { + PR_fprintf(PR_STDERR, + "%s -%c: --simple-self-signed only works with -O.\n", + progName, commandToRun); + return 255; + } + /* If we need a list of extensions convert the flags into list format */ if (certutil.commands[cmd_CertReq].activated || certutil.commands[cmd_CreateAndAddCert].activated || diff --git a/security/nss/cmd/crlutil/crlutil.c b/security/nss/cmd/crlutil/crlutil.c index c008ecc01..c5527fc93 100644 --- a/security/nss/cmd/crlutil/crlutil.c +++ b/security/nss/cmd/crlutil/crlutil.c @@ -770,7 +770,7 @@ loser: } static void -Usage(char *progName) +Usage() { fprintf(stderr, "Usage: %s -L [-n nickname] [-d keydir] [-P dbprefix] [-t crlType]\n" @@ -908,7 +908,7 @@ main(int argc, char **argv) while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { switch (optstate->option) { case '?': - Usage(progName); + Usage(); break; case 'T': 
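Review bot: The new `if (!privkey) { SECU_PrintError(...); return SECFailure; }` exits without destroying `keycert`, which can be non-NULL here when `PK11_FindKeyByDERCert` fails; the code it replaces presumably reached `CERT_DestroyCertificate(keycert)` on that path through the `!pubkey` branch, so this looks like a new leak. It also returns from certutil_main directly instead of routing through the `shutdown` label that the later `!pubkey` path uses, as do the two new `return SECFailure;` statements in the CKA_ID branch (authentication and arena failure) and the `return 255;` in the new `--simple-self-signed` check in the following hunk, which runs after the database has been initialized. I would write the privkey check as `if (keycert) { CERT_DestroyCertificate(keycert); } rv = SECFailure; goto shutdown;` and apply the same pattern to the other new early returns, unless shutdown is unsafe at that point, which I cannot tell from the hunk. The message `"Could not get keys from cert %s"` is now also reached when keysource was a key id rather than a certificate, so something like `"Could not derive public key from %s"` would be more accurate. certutil_main starts and ends outside the hunk.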
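Review bot: `Usage()` with empty parentheses is an old-style, non-prototype declaration in C, so the compiler no longer checks that callers pass nothing and `-Wstrict-prototypes` will flag it. Since the function now takes no arguments the definition should read `static void Usage(void)`, and the same applies to the rewritten `Usage()` definitions in dbtest.c and lowhashtest.c in this patch; any forward declarations are outside the visible hunks. The body still prints `%s`, so it presumably reads a file-scope `progName` now; it is worth confirming that global is assigned before the earliest `Usage()` call in main, including the one inside the option-parsing loop.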
@@ -1038,17 +1038,17 @@ main(int argc, char **argv) } if (deleteCRL && !nickName) - Usage(progName); + Usage(); if (importCRL && !inFile) - Usage(progName); + Usage(); if (showFileCRL && !inFile) - Usage(progName); + Usage(); if ((generateCRL && !nickName) || (modifyCRL && !inFile && !nickName)) - Usage(progName); + Usage(); if (!(listCRL || deleteCRL || importCRL || showFileCRL || generateCRL || modifyCRL || test || erase)) - Usage(progName); + Usage(); if (listCRL || showFileCRL) { readonly = PR_TRUE; diff --git a/security/nss/cmd/crmftest/testcrmf.c b/security/nss/cmd/crmftest/testcrmf.c index cbc680b08..1c1359b1b 100644 --- a/security/nss/cmd/crmftest/testcrmf.c +++ b/security/nss/cmd/crmftest/testcrmf.c @@ -577,7 +577,6 @@ Decode(void) printf("WARNING: The DER contained %d messages.\n", numMsgs); } for (i = 0; i < numMsgs; i++) { - SECStatus rv; printf("crmftest: Processing cert request %d\n", i); certReqMsg = CRMF_CertReqMessagesGetCertReqMsgAtIndex(certReqMsgs, i); if (certReqMsg == NULL) { diff --git a/security/nss/cmd/dbtest/dbtest.c b/security/nss/cmd/dbtest/dbtest.c index 9a6a034a6..11713c23f 100644 --- a/security/nss/cmd/dbtest/dbtest.c +++ b/security/nss/cmd/dbtest/dbtest.c @@ -58,7 +58,7 @@ getPassword(PK11SlotInfo *slot, PRBool retry, void *arg) } static void -Usage(const char *progName) +Usage() { printf("Usage: %s [-r] [-f] [-i] [-d dbdir ] \n", progName); @@ -96,7 +96,7 @@ main(int argc, char **argv) switch (optstate->option) { case 'h': default: - Usage(progName); + Usage(); break; case 'r': @@ -122,7 +122,7 @@ main(int argc, char **argv) } PL_DestroyOptState(optstate); if (optstatus == PL_OPT_BAD) - Usage(progName); + Usage(); if (dbDir) { char *tmp = dbDir; @@ -181,7 +181,6 @@ main(int argc, char **argv) ret = SUCCESS; if (doInitTest) { PK11SlotInfo *slot = PK11_GetInternalKeySlot(); - SECStatus rv; int passwordSuccess = 0; int type = CKM_DES3_CBC; SECItem keyid = { 0, NULL, 0 }; 
diff --git a/security/nss/cmd/httpserv/httpserv.c b/security/nss/cmd/httpserv/httpserv.c index 7cf28c65a..71e2ab88d 100644 --- a/security/nss/cmd/httpserv/httpserv.c +++ b/security/nss/cmd/httpserv/httpserv.c @@ -682,6 +682,7 @@ handle_connection( } if (arena) { PORT_FreeArena(arena, PR_FALSE); + arena = NULL; } if (!request || !request->tbsRequest || !request->tbsRequest->requestList || @@ -753,11 +754,11 @@ handle_connection( { PRTime now = PR_Now(); - PLArenaPool *arena = NULL; CERTOCSPSingleResponse *sr; CERTOCSPSingleResponse **singleResponses; SECItem *ocspResponse; + PORT_Assert(!arena); arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (unknown) { @@ -787,8 +788,8 @@ handle_connection( } else { PR_Write(ssl_sock, outOcspHeader, strlen(outOcspHeader)); PR_Write(ssl_sock, ocspResponse->data, ocspResponse->len); - PORT_FreeArena(arena, PR_FALSE); } + PORT_FreeArena(arena, PR_FALSE); } CERT_DestroyOCSPRequest(request); break; @@ -1357,7 +1358,6 @@ main(int argc, char **argv) caRevoIter = &caRevoInfos->link; do { PRFileDesc *inFile; - int rv = SECFailure; SECItem crlDER; crlDER.data = NULL; @@ -1413,11 +1413,9 @@ main(int argc, char **argv) if (provideOcsp) { if (caRevoInfos) { - PRCList *caRevoIter; - caRevoIter = &caRevoInfos->link; do { - caRevoInfo *revoInfo = (caRevoInfo *)caRevoIter; + revoInfo = (caRevoInfo *)caRevoIter; if (revoInfo->nickname) PORT_Free(revoInfo->nickname); if (revoInfo->crlFilename) diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index 2b33f8963..6be2df432 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -1528,9 +1528,9 @@ SECU_PrintDumpDerIssuerAndSerial(FILE *out, SECItem *der, char *m, unsigned int i; for (i = 0; i < c->serialNumber.len; ++i) { unsigned char *chardata = (unsigned char *)(c->serialNumber.data); - unsigned char c = *(chardata + i); + unsigned char ch = *(chardata + i); - fprintf(out, "\\x%02x", c); + fprintf(out, "\\x%02x", ch); } fprintf(out, "\" }\n"); } 
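Review bot: After `PORT_FreeArena(arena, PR_FALSE);` is moved out of the `else` branch, `arena` is left pointing at freed memory, whereas the earlier hunk in this function (around line 682) resets it with `arena = NULL;` after freeing and the new `PORT_Assert(!arena)` before `PORT_NewArena` assumes the variable is cleared between uses. If handle_connection reaches this OCSP branch more than once per call, which I cannot see from the hunk, the assertion fires or a stale pointer is reused. I would add `arena = NULL;` directly after the free, matching the earlier site. handle_connection starts and ends outside the hunk.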
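Review bot: Removing `caRevoIter = &caRevoInfos->link;` along with the shadowing declaration changes behaviour: the cleanup `do` loop under `if (provideOcsp)` now starts from whatever value the function-scope `caRevoIter` was left with instead of the list head. That is only correct if the earlier loop over caRevoInfos (around line 1357) always ran and terminated with the iterator back at `&caRevoInfos->link`, which I cannot confirm from the hunk; if that loop is conditional or exits early, the cleanup loop starts mid-list or from an unset pointer. I would keep the reset, `caRevoIter = &caRevoInfos->link;`, immediately before the `do` and drop only the duplicate declaration. main continues outside the hunk.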
@@ -3137,7 +3137,7 @@ typedef enum { static int secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m, int level, SECU_PPFunc inner, - SignatureOptionType withSignature) + SignatureOptionType signatureOption) { PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTSignedData *sd; @@ -3164,7 +3164,7 @@ secu_PrintSignedDataSigOpt(FILE *out, SECItem *der, const char *m, } rv = (*inner)(out, &sd->data, "Data", level + 1); - if (withSignature) { + if (signatureOption == withSignature) { SECU_PrintAlgorithmID(out, &sd->signatureAlgorithm, "Signature Algorithm", level + 1); DER_ConvertBitString(&sd->signature); diff --git a/security/nss/cmd/listsuites/listsuites.c b/security/nss/cmd/listsuites/listsuites.c index 8eb2c3553..b49f2d8cf 100644 --- a/security/nss/cmd/listsuites/listsuites.c +++ b/security/nss/cmd/listsuites/listsuites.c @@ -64,9 +64,7 @@ main(int argc, char **argv) /* disable all the SSL3 cipher suites */ for (i = 0; i < SSL_NumImplementedCiphers; i++) { PRUint16 suite = cipherSuites[i]; - SECStatus rv; PRBool enabled; - PRErrorCode err; SSLCipherSuiteInfo info; rv = SSL_CipherPrefGetDefault(suite, &enabled); diff --git a/security/nss/cmd/lowhashtest/lowhashtest.c b/security/nss/cmd/lowhashtest/lowhashtest.c index 29d6ff4fd..fcc06a86e 100644 --- a/security/nss/cmd/lowhashtest/lowhashtest.c +++ b/security/nss/cmd/lowhashtest/lowhashtest.c @@ -390,7 +390,7 @@ testSHA512(NSSLOWInitContext *initCtx) } static void -Usage(char *progName) +Usage() { fprintf(stderr, "Usage: %s [algorithm]\n", progName); @@ -436,7 +436,7 @@ main(int argc, char **argv) rv += testSHA512(initCtx); } else { SECU_PrintError(progName, "Unsupported hash type %s\n", argv[0]); - Usage(progName); + Usage(); } NSSLOW_Shutdown(initCtx); diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c index 030568762..576839f8f 100644 --- a/security/nss/cmd/modutil/install-ds.c +++ b/security/nss/cmd/modutil/install-ds.c 
@@ -88,11 +88,11 @@ static const char* errString[] = { static char* PR_Strdup(const char* str); -#define PAD(x) \ - { \ - int i; \ - for (i = 0; i < x; i++) \ - printf(" "); \ +#define PAD(x) \ + { \ + int pad_i; \ + for (pad_i = 0; pad_i < (x); pad_i++) \ + printf(" "); \ } #define PADINC 4 diff --git a/security/nss/cmd/mpitests/mpi-test.c b/security/nss/cmd/mpitests/mpi-test.c index 3a1f5d6c2..b7953b6f6 100644 --- a/security/nss/cmd/mpitests/mpi-test.c +++ b/security/nss/cmd/mpitests/mpi-test.c @@ -375,14 +375,14 @@ void reason(char *fmt, ...); char g_intbuf[4096]; /* buffer for integer comparison */ char a_intbuf[4096]; /* buffer for integer comparison */ int g_verbose = 1; /* print out reasons for failure? */ -int res; - -#define IFOK(x) \ - { \ - if (MP_OKAY > (res = (x))) { \ - reason("test %s failed: error %d\n", #x, res); \ - return 1; \ - } \ + +#define IFOK(x) \ + { \ + int ifok_res = (x); \ + if (MP_OKAY > ifok_res) { \ + reason("test %s failed: error %d\n", #x, ifok_res); \ + return 1; \ + } \ } int diff --git a/security/nss/cmd/ocspclnt/ocspclnt.c b/security/nss/cmd/ocspclnt/ocspclnt.c index afcb7e13f..0927f8ef6 100644 --- a/security/nss/cmd/ocspclnt/ocspclnt.c +++ b/security/nss/cmd/ocspclnt/ocspclnt.c @@ -38,7 +38,7 @@ char *program_name; static void -synopsis(char *program_name) +synopsis(char *progname) { PRFileDesc *pr_stderr; @@ -46,44 +46,44 @@ synopsis(char *program_name) PR_fprintf(pr_stderr, "Usage:"); PR_fprintf(pr_stderr, "\t%s -p [-d ]\n", - program_name); + progname); PR_fprintf(pr_stderr, "\t%s -P [-d ]\n", - program_name); + progname); PR_fprintf(pr_stderr, "\t%s -r [-a] [-L] [-s ] [-d ]\n", - program_name); + progname); PR_fprintf(pr_stderr, "\t%s -R [-a] [-l ] [-s ] [-d ]\n", - program_name); + progname); PR_fprintf(pr_stderr, "\t%s -S [-a] [-l -t ]\n", - program_name); + progname); PR_fprintf(pr_stderr, "\t\t [-s ] [-w
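Review bot: The rewritten `PAD(x)` is still a bare `{ ... }` block, so `PAD(n);` at a call site expands to a block followed by an empty statement, which misparses `if (cond) PAD(n); else ...` and is the usual reason multi-statement macros are wrapped in `do { ... } while (0)`. Renaming the loop variable to `pad_i` and parenthesizing `(x)` is a good fix for the capture problem; I would finish it with `#define PAD(x) do { int pad_i; for (pad_i = 0; pad_i < (x); pad_i++) printf(" "); } while (0)`. The same applies to the rewritten `IFOK(x)` in mpi-test.c later in this patch, which has the same brace-block shape.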