Merge NSS trunk to NSS_TLS13_DRAFT19_BRANCH

--HG--
branch : NSS_TLS13_DRAFT19_BRANCH
rename : gtests/util_gtest/Makefile => gtests/softoken_gtest/Makefile
rename : gtests/util_gtest/manifest.mn => gtests/softoken_gtest/manifest.mn
rename : gtests/common/gtests.cc => gtests/softoken_gtest/softoken_gtest.cc
rename : gtests/util_gtest/util_gtest.gyp => gtests/softoken_gtest/softoken_gtest.gyp
extra : amend_source : 2a6170838236230942f04f53c73b831692cfa2b0

automation/taskcluster/graph/src/extend.js

@@ -24,6 +24,10 @@ const WINDOWS_CHECKOUT_CMD =
   "bash -c \"hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
     "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
     "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)\"";
+const MAC_CHECKOUT_CMD = ["bash", "-c",
+            "hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss || " +
+            "(sleep 2; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss) || " +
+            "(sleep 5; hg clone -r $NSS_HEAD_REVISION $NSS_HEAD_REPOSITORY nss)"];
 
 /*****************************************************************************/
 
@@ -51,6 +55,15 @@ queue.filter(task => {
     if (task.platform == "aarch64") {
       return false;
     }
+
+    // No mac
+    if (task.platform == "mac") {
+      return false;
+    }
+  }
+
+  if (task.tests == "fips" && task.platform == "mac") {
+    return false;
   }
 
   // Only old make builds have -Ddisable_libpkix=0 and can run chain tests.
@@ -216,6 +229,71 @@ export default async function main() {
       collection: "opt",
     }, aarch64_base)
   );
+
+  await scheduleMac("Mac (opt)", {collection: "opt"}, "--opt");
+  await scheduleMac("Mac (debug)", {collection: "debug"});
+}
+
+
+async function scheduleMac(name, base, args = "") {
+  let mac_base = merge(base, {
+    env: {
+      PATH: "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin",
+      NSS_TASKCLUSTER_MAC: "1",
+      DOMSUF: "localdomain",
+      HOST: "localhost",
+    },
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    tier: 3
+  });
+
+  // Build base definition.
+  let build_base = merge({
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/build_gyp.sh", args]
+    ],
+    provisioner: "localprovisioner",
+    workerType: "nss-macos-10-12",
+    platform: "mac",
+    maxRunTime: 7200,
+    artifacts: [{
+      expires: 24 * 7,
+      type: "directory",
+      path: "public"
+    }],
+    kind: "build",
+    symbol: "B"
+  }, mac_base);
+
+  // The task that builds NSPR+NSS.
+  let task_build = queue.scheduleTask(merge(build_base, {name}));
+
+  // The task that generates certificates.
+  let task_cert = queue.scheduleTask(merge(build_base, {
+    name: "Certificates",
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/gen_certs.sh"]
+    ],
+    parent: task_build,
+    symbol: "Certs"
+  }));
+
+  // Schedule tests.
+  scheduleTests(task_build, task_cert, merge(mac_base, {
+    command: [
+      MAC_CHECKOUT_CMD,
+      ["bash", "-c",
+       "nss/automation/taskcluster/scripts/run_tests.sh"]
+    ]
+  }));
+
+  return queue.submit();
 }
 
 /*****************************************************************************/

automation/taskcluster/graph/src/try_syntax.js

@@ -25,7 +25,7 @@ function parseOptions(opts) {
   let allPlatforms = ["linux", "linux64", "linux64-asan",
                       "win", "win64", "win-make", "win64-make",
                       "linux64-make", "linux-make", "linux-fuzz",
-                      "linux64-fuzz", "aarch64"];
+                      "linux64-fuzz", "aarch64", "mac"];
   let platforms = intersect(opts.platform.split(/\s*,\s*/), allPlatforms);
 
   // If the given value is nonsense or "none" default to all platforms.

automation/taskcluster/scripts/build_gyp.sh

@@ -9,5 +9,10 @@ hg_clone https://hg.mozilla.org/projects/nspr ./nspr default
 nss/build.sh -g -v "$@"
 
 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist
+fi

automation/taskcluster/scripts/gen_certs.sh

@@ -12,5 +12,10 @@ NSS_TESTS=cert NSS_CYCLES="standard pkix sharedb" $(dirname $0)/run_tests.sh
 echo 1 > tests_results/security/localhost
 
 # Package.
-mkdir artifacts
-tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+if [[ $(uname) = "Darwin" ]]; then
+  mkdir -p public
+  tar cvfjh public/dist.tar.bz2 dist tests_results
+else
+  mkdir artifacts
+  tar cvfjh artifacts/dist.tar.bz2 dist tests_results
+fi

automation/taskcluster/scripts/split.sh

@@ -23,16 +23,10 @@ split_util() {
   # Copy everything.
   cp -R $nssdir $dstdir
 
-  # Skip gtests when building.
-  sed '/^DIRS = /s/ cpputil gtests$//' $nssdir/manifest.mn > $dstdir/manifest.mn-t && mv $dstdir/manifest.mn-t $dstdir/manifest.mn
-
   # Remove subdirectories that we don't want.
   rm -rf $dstdir/cmd
-  rm -rf $dstdir/tests
   rm -rf $dstdir/lib
   rm -rf $dstdir/automation
-  rm -rf $dstdir/gtests
-  rm -rf $dstdir/cpputil
   rm -rf $dstdir/doc
 
   # Start with an empty cmd lib directories to be filled selectively.

cmd/lib/secutil.c

@@ -991,7 +991,7 @@ secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level)
     for (s = my.data, d = tmp.data; len > 0; len--) {
         PRUint32 bmpChar = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
         s += 4;
-        if (!isprint(bmpChar))
+        if (!isprint(bmpChar & 0xFF))
             goto loser;
         *d++ = (unsigned char)bmpChar;
     }

cmd/modutil/error.h

@@ -109,7 +109,7 @@ static char *errStrings[] = {
     "ERROR: Failed to change default.\n",
     "ERROR: Unable to read from standard input.\n",
     "ERROR: Unknown error occurred.\n",
-    "ERROR: -nocertdb option can only be used with the -jar command.\n"
+    "ERROR: -nocertdb option can only be used with the -jar command.\n",
     "ERROR: NSS_Initialize() failed.\n"
 };
 

cmd/pp/pp.c

@@ -84,6 +84,8 @@ main(int argc, char **argv)
                 if (!inFile) {
                     fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
                             progName, optstate->value);
+                    PORT_Free(typeTag);
+                    PL_DestroyOptState(optstate);
                     return -1;
                 }
                 break;
@@ -93,6 +95,8 @@ main(int argc, char **argv)
                 if (!outFile) {
                     fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
                             progName, optstate->value);
+                    PORT_Free(typeTag);
+                    PL_DestroyOptState(optstate);
                     return -1;
                 }
                 break;

cmd/tstclnt/tstclnt.c

@@ -31,6 +31,7 @@
 #include "ocsp.h"
 #include "ssl.h"
 #include "sslproto.h"
+#include "sslexp.h"
 #include "pk11func.h"
 #include "secmod.h"
 #include "plgetopt.h"
@@ -251,6 +252,7 @@ PrintParameterUsage(void)
                     "%-20s The following values are valid:\n"
                     "%-20s P256, P384, P521, x25519, FF2048, FF3072, FF4096, FF6144, FF8192\n",
             "-I", "", "");
+    fprintf(stderr, "%-20s Enable alternate content type for TLS 1.3 ServerHello\n", "-X alt-server-hello");
 }
 
 static void
@@ -914,6 +916,7 @@ char *requestString = NULL;
 PRInt32 requestStringLen = 0;
 PRBool requestSent = PR_FALSE;
 PRBool enableZeroRtt = PR_FALSE;
+PRBool enableAltServerHello = PR_FALSE;
 
 static int
 writeBytesToServer(PRFileDesc *s, const char *buf, int nb)
@@ -1178,6 +1181,16 @@ run_client(void)
         }
     }
 
+    /* Alternate ServerHello content type (TLS 1.3 only) */
+    if (enableAltServerHello) {
+        rv = SSL_UseAltServerHelloType(s, PR_TRUE);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "error enabling alternate ServerHello type");
+            error = 1;
+            goto done;
+        }
+    }
+
     /* require the use of fixed finite-field DH groups */
     if (requireDHNamedGroups) {
         rv = SSL_OptionSet(s, SSL_REQUIRE_DH_NAMED_GROUPS, PR_TRUE);
@@ -1512,7 +1525,7 @@ main(int argc, char **argv)
     /* XXX: 'B' was used in the past but removed in 3.28,
      *      please leave some time before resuing it. */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46A:CDFGHI:KL:M:OR:STUV:W:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
+                                 "46A:CDFGHI:KL:M:OR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:z");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -1618,6 +1631,13 @@ main(int argc, char **argv)
                 }
                 break;
 
+            case 'X':
+                if (!strcmp(optstate->value, "alt-server-hello")) {
+                    enableAltServerHello = PR_TRUE;
+                } else {
+                    Usage(progName);
+                }
+                break;
             case 'Y':
                 PrintCipherUsage(progName);
                 exit(0);

cpputil/manifest.mn

@@ -8,11 +8,16 @@ DEPTH      = ..
 MODULE = nss
 LIBRARY_NAME = cpputil
 
+ifeq ($(NSS_BUILD_UTIL_ONLY),1)
+CPPSRCS = \
+      $(NULL)
+else
 CPPSRCS = \
       dummy_io.cc \
       dummy_io_fwd.cc \
       tls_parser.cc \
       $(NULL)
+endif
 
 EXPORTS = \
       $(NULL)

cpputil/tls_parser.h

@@ -24,6 +24,7 @@ const uint8_t kTlsChangeCipherSpecType = 20;
 const uint8_t kTlsAlertType = 21;
 const uint8_t kTlsHandshakeType = 22;
 const uint8_t kTlsApplicationDataType = 23;
+const uint8_t kTlsAltHandshakeType = 24;
 
 const uint8_t kTlsHandshakeClientHello = 1;
 const uint8_t kTlsHandshakeServerHello = 2;

fuzz/config/clone_libfuzzer.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-LIBFUZZER_REVISION=56bd1d43451cca4b6a11d3be316bb77ab159b09d
+LIBFUZZER_REVISION=6937e68f927b6aefe526fcb9db8953f497e6e74d
 
 d=$(dirname $0)
 $d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer

gtests/certdb_gtest/alg1485_unittest.cc

@@ -10,6 +10,7 @@
 
 #include "nss.h"
 #include "scoped_ptrs.h"
+#include "prprf.h"
 
 namespace nss_test {
 
@@ -89,4 +90,23 @@ INSTANTIATE_TEST_CASE_P(ParseAVAStrings, Alg1485ParseTest,
                         ::testing::ValuesIn(kAVATestStrings));
 INSTANTIATE_TEST_CASE_P(CompareAVAStrings, Alg1485CompareTest,
                         ::testing::ValuesIn(kAVACompareStrings));
+
+TEST_F(Alg1485Test, ShortOIDTest) {
+  // This is not a valid OID (too short). CERT_GetOidString should return 0.
+  unsigned char data[] = {0x05};
+  const SECItem oid = {siBuffer, data, sizeof(data)};
+  char* result = CERT_GetOidString(&oid);
+  EXPECT_EQ(result, nullptr);
+}
+
+TEST_F(Alg1485Test, BrokenOIDTest) {
+  // This is not a valid OID (first bit of last byte is not set).
+  // CERT_GetOidString should return 0.
+  unsigned char data[] = {0x81, 0x82, 0x83, 0x84};
+  const SECItem oid = {siBuffer, data, sizeof(data)};
+  char* result = CERT_GetOidString(&oid);
+  EXPECT_EQ(15U, strlen(result));
+  EXPECT_EQ(0, strncmp("OID.UNSUPPORTED", result, 15));
+  PR_smprintf_free(result);
+}
 }

gtests/manifest.mn

@@ -13,7 +13,6 @@ LIB_SRCDIRS = \
 ifneq ($(NSS_BUILD_WITHOUT_UTIL),1)
 UTIL_SRCDIRS = \
 	util_gtest \
-	der_gtest \
 	$(NULL)
 endif
 
@@ -22,9 +21,11 @@ ifneq ($(NSS_BUILD_UTIL_ONLY),1)
 NSS_SRCDIRS = \
 	certdb_gtest \
 	certhigh_gtest \
+	der_gtest \
 	pk11_gtest \
+	softoken_gtest \
 	ssl_gtest \
-        nss_bogo_shim \
+	nss_bogo_shim \
 	$(NULL)
 endif
 endif

gtests/softoken_gtest/Makefile

@@ -0,0 +1,45 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY).   #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL)          #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL)       #
+#######################################################################
+
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL).      #
+#######################################################################
+
+include ../common/gtest.mk
+
+CFLAGS += -I$(CORE_DEPTH)/lib/util
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL)                              #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL)                           #
+#######################################################################
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL).                              #
+#######################################################################