Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Bug 1370667 - don't do startup tests when not in fips mode, r=ttauber…
…t,rrelyea

Differential Revision: https://nss-review.dev.mozaws.net/D348

--HG--
extra : amend_source : 6c59a3a559e43bd6f9845779e75c0c6ddbe1eb36
  • Loading branch information
franziskuskiefer committed Aug 18, 2017
1 parent 77f8cc1 commit e7099fb
Show file tree
Hide file tree
Showing 16 changed files with 165 additions and 19 deletions.
91 changes: 87 additions & 4 deletions automation/taskcluster/graph/src/extend.js
Expand Up @@ -91,11 +91,19 @@ queue.filter(task => {
queue.map(task => {
if (task.collection == "asan") {
// CRMF and FIPS tests still leak, unfortunately.
if (task.tests == "crmf" || task.tests == "fips") {
if (task.tests == "crmf") {
task.env.ASAN_OPTIONS = "detect_leaks=0";
}
}

// We don't run FIPS SSL tests
if (task.tests == "ssl") {
if (!task.env) {
task.env = {};
}
task.env.NSS_SSL_TESTS = "1";
}

// Windows is slow.
if (task.platform == "windows2012-64" && task.tests == "chains") {
task.maxRunTime = 7200;
Expand Down Expand Up @@ -320,6 +328,46 @@ async function scheduleLinux(name, base, args = "") {
// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));

// Make builds run FIPS tests, which need an extra FIPS build.
if (base.collection == "make") {
let extra_build = queue.scheduleTask(merge(build_base, {
env: { NSS_FORCE_FIPS: "1" },
group: "FIPS",
name: `${name} w/ NSS_FORCE_FIPS`
}));

// The task that generates certificates.
let task_cert = queue.scheduleTask(merge(build_base, {
name: "Certificates",
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/gen_certs.sh"
],
parent: extra_build,
symbol: "Certs-F",
group: "FIPS",
env: { NSS_TEST_ENABLE_FIPS: "1" }
}));

// Schedule FIPS tests.
queue.scheduleTask(merge(base, {
parent: task_cert,
name: "FIPS",
command: [
"/bin/bash",
"-c",
"bin/checkout.sh && nss/automation/taskcluster/scripts/run_tests.sh"
],
cycle: "standard",
kind: "test",
name: "FIPS tests",
symbol: "Tests-F",
tests: "fips",
group: "FIPS"
}));
}

// The task that generates certificates.
let task_cert = queue.scheduleTask(merge(build_base, {
name: "Certificates",
Expand Down Expand Up @@ -703,6 +751,44 @@ async function scheduleWindows(name, base, build_script) {
symbol: "B"
});

// Make builds run FIPS tests, which need an extra FIPS build.
if (base.collection == "make") {
let extra_build = queue.scheduleTask(merge(build_base, {
env: { NSS_FORCE_FIPS: "1" },
group: "FIPS",
name: `${name} w/ NSS_FORCE_FIPS`
}));

// The task that generates certificates.
let task_cert = queue.scheduleTask(merge(build_base, {
name: "Certificates",
command: [
WINDOWS_CHECKOUT_CMD,
"bash -c nss/automation/taskcluster/windows/gen_certs.sh"
],
parent: extra_build,
symbol: "Certs-F",
group: "FIPS",
env: { NSS_TEST_ENABLE_FIPS: "1" }
}));

// Schedule FIPS tests.
queue.scheduleTask(merge(base, {
parent: task_cert,
name: "FIPS",
command: [
WINDOWS_CHECKOUT_CMD,
"bash -c nss/automation/taskcluster/windows/run_tests.sh"
],
cycle: "standard",
kind: "test",
name: "FIPS tests",
symbol: "Tests-F",
tests: "fips",
group: "FIPS"
}));
}

// The task that builds NSPR+NSS.
let task_build = queue.scheduleTask(merge(build_base, {name}));

Expand Down Expand Up @@ -780,9 +866,6 @@ function scheduleTests(task_build, task_cert, test_base) {
queue.scheduleTask(merge(cert_base, {
name: "DB tests", symbol: "DB", tests: "dbtests"
}));
queue.scheduleTask(merge(cert_base, {
name: "FIPS tests", symbol: "FIPS", tests: "fips"
}));
queue.scheduleTask(merge(cert_base, {
name: "Merge tests", symbol: "Merge", tests: "merge"
}));
Expand Down
1 change: 1 addition & 0 deletions build.sh
Expand Up @@ -96,6 +96,7 @@ while [ $# -gt 0 ]; do
--with-nspr=?*) set_nspr_path "${1#*=}"; no_local_nspr=1 ;;
--system-nspr) set_nspr_path "/usr/include/nspr/:"; no_local_nspr=1 ;;
--enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;;
--enable-fips) gyp_params+=(-Ddisable_fips=0) ;;
*) show_help; exit 2 ;;
esac
shift
Expand Down
6 changes: 6 additions & 0 deletions coreconf/config.gypi
Expand Up @@ -109,6 +109,7 @@
'nss_public_dist_dir%': '<(nss_dist_dir)/public',
'nss_private_dist_dir%': '<(nss_dist_dir)/private',
'only_dev_random%': 1,
'disable_fips%': 1,
},
'target_defaults': {
# Settings specific to targets should go here.
Expand All @@ -125,6 +126,11 @@
'<(nss_dist_dir)/private/<(module)',
],
'conditions': [
[ 'disable_fips==1', {
'defines': [
'NSS_FIPS_DISABLED',
],
}],
[ 'OS!="android" and OS!="mac" and OS!="win"', {
'libraries': [
'-lpthread',
Expand Down
2 changes: 2 additions & 0 deletions help.txt
Expand Up @@ -3,6 +3,7 @@ Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
[--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
[--no-zdefs] [--with-nspr] [--system-nspr] [--enable-libpkix]
[--enable-fips]

This script builds NSS with gyp and ninja.

Expand Down Expand Up @@ -43,3 +44,4 @@ NSS build tool options:
--system-nspr use system nspr. This requires an installation of NSPR and
might not work on all systems.
--enable-libpkix make libpkix part of the build.
--enable-fips don't disable FIPS checks.
2 changes: 2 additions & 0 deletions lib/freebl/blapii.h
Expand Up @@ -22,8 +22,10 @@ typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);

SEC_BEGIN_PROTOS

#ifndef NSS_FIPS_DISABLED
SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
PRBool BL_POSTRan(PRBool freeblOnly);
#endif

#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)

Expand Down
6 changes: 2 additions & 4 deletions lib/freebl/fipsfreebl.c
Expand Up @@ -6,6 +6,7 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */

#ifndef NSS_FIPS_DISABLED
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
Expand Down Expand Up @@ -1589,9 +1590,6 @@ static PRBool self_tests_freebl_ran = PR_FALSE;
static PRBool self_tests_ran = PR_FALSE;
static PRBool self_tests_freebl_success = PR_FALSE;
static PRBool self_tests_success = PR_FALSE;
#if defined(DEBUG)
static PRBool fips_mode_available = PR_FALSE;
#endif

/*
* accessors for freebl
Expand Down Expand Up @@ -1644,7 +1642,6 @@ bl_startup_tests(void)

PORT_Assert(self_tests_freebl_ran == PR_FALSE);
PORT_Assert(self_tests_success == PR_FALSE);
PORT_Assert(fips_mode_available == PR_FALSE);
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
self_tests_success = PR_FALSE; /* force it just in case */
self_tests_freebl_success = PR_FALSE; /* force it just in case */
Expand Down Expand Up @@ -1713,3 +1710,4 @@ BL_FIPSEntryOK(PRBool freebl_only)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
#endif
6 changes: 5 additions & 1 deletion lib/freebl/ldvector.c
Expand Up @@ -320,8 +320,12 @@ FREEBL_GetVector(void)
return NULL;
}
#endif
/* make sure the Full self tests have been run before continuing */

#ifndef NSS_FIPS_DISABLED
/* In FIPS mode make sure the Full self tests have been run before
* continuing. */
BL_POSTRan(PR_FALSE);
#endif

return &vector;
}
Expand Down
6 changes: 5 additions & 1 deletion lib/freebl/nsslowhash.c
Expand Up @@ -22,6 +22,7 @@ struct NSSLOWHASHContextStr {
void *hashCtxt;
};

#ifndef NSS_FIPS_DISABLED
static int
nsslow_GetFIPSEnabled(void)
{
Expand All @@ -40,9 +41,10 @@ nsslow_GetFIPSEnabled(void)
return 0;
if (d != '1')
return 0;
#endif
#endif /* LINUX */
return 1;
}
#endif /* NSS_FIPS_DISABLED */

static NSSLOWInitContext dummyContext = { 0 };
static PRBool post_failed = PR_TRUE;
Expand All @@ -54,6 +56,7 @@ NSSLOW_Init(void)
(void)FREEBL_InitStubs();
#endif

#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
if (nsslow_GetFIPSEnabled()) {
Expand All @@ -63,6 +66,7 @@ NSSLOW_Init(void)
return NULL;
}
}
#endif
post_failed = PR_FALSE;

return &dummyContext;
Expand Down
22 changes: 22 additions & 0 deletions lib/freebl/shvfy.c
Expand Up @@ -19,6 +19,8 @@
#include "pqg.h"
#include "blapii.h"

#ifndef NSS_FIPS_DISABLED

/*
* Most modern version of Linux support a speed optimization scheme where an
* application called prelink modifies programs and shared libraries to quickly
Expand Down Expand Up @@ -537,3 +539,23 @@ BLAPI_VerifySelf(const char *name)
}
return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
}

#else /* NSS_FIPS_DISABLED */

PRBool
BLAPI_SHVerifyFile(const char *shName)
{
return PR_FALSE;
}
PRBool
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
{
return PR_FALSE;
}
PRBool
BLAPI_VerifySelf(const char *name)
{
return PR_FALSE;
}

#endif /* NSS_FIPS_DISABLED */
9 changes: 9 additions & 0 deletions lib/softoken/fipstest.c
Expand Up @@ -5,6 +5,7 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef NSS_FIPS_DISABLED
#include "seccomon.h"
#include "blapi.h"
#include "softoken.h"
Expand Down Expand Up @@ -652,3 +653,11 @@ sftk_FIPSEntryOK()
}
return CKR_OK;
}
#else
#include "pkcs11t.h"
CK_RV
sftk_FIPSEntryOK()
{
return CKR_DEVICE_ERROR;
}
#endif /* NSS_FIPS_DISABLED */
4 changes: 4 additions & 0 deletions lib/softoken/legacydb/lgfips.c
Expand Up @@ -6,6 +6,8 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: fipstest.c,v 1.31 2012/06/28 17:55:06 rrelyea%redhat.com Exp $ */

#ifndef NSS_FIPS_DISABLED

#include "seccomon.h"
#include "lgdb.h"
#include "blapi.h"
Expand Down Expand Up @@ -113,3 +115,5 @@ lg_FIPSEntryOK()
#endif
return lg_self_tests_success;
}

#endif /* NSS_FIPS_DISABLED */
4 changes: 4 additions & 0 deletions lib/softoken/legacydb/lginit.c
Expand Up @@ -586,11 +586,15 @@ legacy_Open(const char *configdir, const char *certPrefix,
#define NSS_VERSION_VARIABLE __nss_dbm_version
#include "verref.h"

#ifndef NSS_FIPS_DISABLED
if (flags & SDB_FIPS) {
/* We shouldn't get here when FIPS is not enabled on the database. But
* we also don't care when this NSS build doesn't support FIPS. */
if (!lg_FIPSEntryOK()) {
return CKR_DEVICE_ERROR;
}
}
#endif

rv = SECOID_Init();
if (SECSuccess != rv) {
Expand Down
4 changes: 3 additions & 1 deletion mach
Expand Up @@ -115,8 +115,10 @@ class testAction(argparse.Action):
"DOMSUF": domsuf,
"HOST": host
}
os_env = os.environ
os_env.update(env)
command = cwd + "/tests/all.sh"
subprocess.check_call(command, env=env)
subprocess.check_call(command, env=os_env)

def __call__(self, parser, args, values, option_string=None):
self.runTest(values)
Expand Down
6 changes: 5 additions & 1 deletion nss.gyp
Expand Up @@ -131,7 +131,6 @@
'cmd/digest/digest.gyp:digest',
'cmd/ecperf/ecperf.gyp:ecperf',
'cmd/fbectest/fbectest.gyp:fbectest',
'cmd/fipstest/fipstest.gyp:fipstest',
'cmd/httpserv/httpserv.gyp:httpserv',
'cmd/listsuites/listsuites.gyp:listsuites',
'cmd/makepqg/makepqg.gyp:makepqg',
Expand Down Expand Up @@ -190,6 +189,11 @@
'gtests/freebl_gtest/freebl_gtest.gyp:freebl_gtest',
],
}],
[ 'disable_fips==0', {
'dependencies': [
'cmd/fipstest/fipstest.gyp:fipstest',
],
}],
],
},
],
Expand Down

0 comments on commit e7099fb

Please sign in to comment.