Merging from main NSS branch

--HG--
branch : NSS_TLS13_DRAFT19_BRANCH

automation/ossfuzz/build.sh

@@ -10,7 +10,7 @@
 declare -A disabled=([pkcs8]=1)
 
 # List of targets we want to fuzz in TLS and non-TLS mode.
-declare -A tls_targets=([tls-client]=1 [tls-server]=1)
+declare -A tls_targets=([tls-client]=1 [tls-server]=1 [dtls-client]=1 [dtls-server]=1)
 
 # Helper function that copies a fuzzer binary and its seed corpus.
 copy_fuzzer()

automation/taskcluster/graph/src/extend.js

@@ -383,11 +383,17 @@ async function scheduleFuzzing() {
                      "tls-client-no_fuzzer_mode");
   scheduleFuzzingRun(tls_base, "TLS Server", "tls-server", 20000, "server-nfm",
                      "tls-server-no_fuzzer_mode");
+  scheduleFuzzingRun(tls_base, "DTLS Client", "dtls-client", 20000,
+                     "dtls-client-nfm", "dtls-client-no_fuzzer_mode");
+  scheduleFuzzingRun(tls_base, "DTLS Server", "dtls-server", 20000,
+                     "dtls-server-nfm", "dtls-server-no_fuzzer_mode");
 
   // Schedule TLS fuzzing runs (fuzzing mode).
   let tls_fm_base = merge(tls_base, {parent: task_build_tls});
   scheduleFuzzingRun(tls_fm_base, "TLS Client", "tls-client", 20000, "client");
   scheduleFuzzingRun(tls_fm_base, "TLS Server", "tls-server", 20000, "server");
+  scheduleFuzzingRun(tls_fm_base, "DTLS Client", "dtls-client", 20000, "dtls-client");
+  scheduleFuzzingRun(tls_fm_base, "DTLS Server", "dtls-server", 20000, "dtls-server");
 
   return queue.submit();
 }

build.sh

@@ -49,6 +49,7 @@ fuzz=0
 fuzz_tls=0
 fuzz_oss=0
 no_local_nspr=0
+armhf=0
 
 gyp_params=(--depth="$cwd" --generator-output=".")
 nspr_params=()
@@ -58,6 +59,8 @@ ninja_params=()
 arch=$(python "$cwd"/coreconf/detect_host_arch.py)
 if [ "$arch" = "x64" -o "$arch" = "aarch64" ]; then
     build_64=1
+elif [ "$arch" = "arm" ]; then
+    armhf=1
 fi
 
 # parse command line arguments
@@ -101,7 +104,7 @@ else
 fi
 if [ "$build_64" = 1 ]; then
     nspr_params+=(--enable-64bit)
-else
+elif [ ! "$armhf" = 1 ]; then
     gyp_params+=(-Dtarget_arch=ia32)
 fi
 if [ "$fuzz" = 1 ]; then

cmd/certutil/certext.c

@@ -980,8 +980,6 @@ AddNameConstraints(void *extHandle)
             GEN_BREAK(SECFailure);
         }
 
-        (void)SEC_ASN1EncodeInteger(arena, &current->min, 0);
-
         if (!GetGeneralName(arena, &current->name, PR_TRUE)) {
             GEN_BREAK(SECFailure);
         }

cmd/pk12util/pk12util.c

@@ -1058,7 +1058,7 @@ main(int argc, char **argv)
             certCipher = PKCS12U_MapCipherFromString(cipherString, certKeyLen);
             /* If the user requested a cipher and we didn't find it, then
 	     * don't just silently not encrypt. */
-            if (cipher == SEC_OID_UNKNOWN) {
+            if (certCipher == SEC_OID_UNKNOWN) {
                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
                 SECU_PrintError(progName, "Algorithm: \"%s\"", cipherString);
                 pk12uErrno = PK12UERR_INVALIDALGORITHM;

coreconf/Linux.mk

@@ -148,7 +148,7 @@ DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
 # against the libsanitizer runtime built into the main executable.
 ZDEFS_FLAG		= -Wl,-z,defs
 DSO_LDOPTS		+= $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
-LDFLAGS			+= $(ARCHFLAG)
+LDFLAGS			+= $(ARCHFLAG) -z noexecstack
 
 # On Maemo, we need to use the -rpath-link flag for even the standard system
 # library directories.

coreconf/config.gypi

@@ -141,6 +141,52 @@
           'debug_optimization_level%': '1',
         },
       }],
+      [ 'target_arch=="ia32" or target_arch=="x64"', {
+        'defines': [
+          'NSS_X86_OR_X64',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X86_OR_X64',
+            ],
+          },
+        },
+      }],
+      [ 'target_arch=="ia32"', {
+        'defines': [
+          'NSS_X86',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X86',
+            ],
+          },
+        },
+      }],
+      [ 'target_arch=="arm64" or target_arch=="aarch64"', {
+        'defines': [
+          'NSS_USE_64',
+        ],
+      }],
+      [ 'target_arch=="x64"', {
+        'defines': [
+          'NSS_X64',
+          'NSS_USE_64',
+        ],
+        # For Windows.
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'PreprocessorDefinitions': [
+              'NSS_X64',
+              'NSS_USE_64',
+            ],
+          },
+        },
+      }],
     ],
     'target_conditions': [
       # If we want to properly export a static library, and copy it to lib,
@@ -315,6 +361,9 @@
             'cflags_cc': [
               '-std=c++0x',
             ],
+            'ldflags': [
+              '-z', 'noexecstack',
+            ],
             'conditions': [
               [ 'target_arch=="ia32"', {
                 'cflags': ['-m32'],

cpputil/databuffer.h

@@ -46,7 +46,7 @@ class DataBuffer {
     len_ = len;
   }
 
-  void Truncate(size_t len) { len_ = std::min(len_, len); }
+  void Truncate(size_t len) { len_ = (std::min)(len_, len); }
 
   void Assign(const DataBuffer& other) { Assign(other.data(), other.len()); }
 
@@ -126,14 +126,14 @@ class DataBuffer {
     size_t old_len = len_;
 
     // The amount of stuff remaining from the tail of the old.
-    size_t tail_len = old_len - std::min(old_len, index + remove);
+    size_t tail_len = old_len - (std::min)(old_len, index + remove);
     // The new length: the head of the old, the new, and the tail of the old.
     len_ = index + ins_len + tail_len;
     data_ = new uint8_t[len_ ? len_ : 1];
 
     // The head of the old.
     if (old_value) {
-      Write(0, old_value, std::min(old_len, index));
+      Write(0, old_value, (std::min)(old_len, index));
     }
     // Maybe a gap.
     if (old_value && index > old_len) {

fuzz/config/clone_libfuzzer.sh

@@ -1,46 +1,6 @@
 #!/bin/sh
 
-d=$(dirname $0)
-$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer b96a41ac6bbc3824fc7c7977662bebacac8f0983 $d/../libFuzzer
-
-# [https://llvm.org/bugs/show_bug.cgi?id=31318]
-# This prevents a known buffer overrun that won't be fixed as the affected code
-# will go away in the near future. Until that is we have to patch it as we seem
-# to constantly run into it.
-cat <<EOF | patch -p0 -d $d/..
-diff --git libFuzzer/FuzzerLoop.cpp libFuzzer/FuzzerLoop.cpp
---- libFuzzer/FuzzerLoop.cpp
-+++ libFuzzer/FuzzerLoop.cpp
-@@ -476,6 +476,9 @@
-   uint8_t dummy;
-   ExecuteCallback(&dummy, 0);
-
-+  // Number of counters might have changed.
-+  PrepareCounters(&MaxCoverage);
-+
-   for (const auto &U : *InitialCorpus) {
-     if (size_t NumFeatures = RunOne(U)) {
-       CheckExitOnSrcPosOrItem();
-EOF
+LIBFUZZER_REVISION=8837e6cbbc842ab7524b06a2f7360c36add316b3
 
-# Latest Libfuzzer uses __sanitizer_dump_coverage(), a symbol to be introduced
-# with LLVM 4.0. To keep our code working with LLVM 3.x to simplify development
-# of fuzzers we'll just provide it ourselves.
-cat <<EOF | patch -p0 -d $d/..
-diff --git libFuzzer/FuzzerTracePC.cpp libFuzzer/FuzzerTracePC.cpp
---- libFuzzer/FuzzerTracePC.cpp
-+++ libFuzzer/FuzzerTracePC.cpp
-@@ -33,6 +33,12 @@
- ATTRIBUTE_INTERFACE
- uintptr_t __sancov_trace_pc_pcs[fuzzer::TracePC::kNumPCs];
-
-+#if defined(__clang_major__) && (__clang_major__ == 3)
-+void __sanitizer_dump_coverage(const uintptr_t *pcs, uintptr_t len) {
-+  // SanCov in LLVM 4.x will provide this symbol. Make 3.x work.
-+}
-+#endif
-+
- namespace fuzzer {
-
- TracePC TPC;
-EOF
+d=$(dirname $0)
+$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer

fuzz/fuzz.gyp

@@ -300,11 +300,46 @@
         'nssfuzz-tls-base',
       ],
     },
+    {
+      'target_name': 'nssfuzz-dtls-client',
+      'type': 'executable',
+      'sources': [
+        'tls_client_config.cc',
+        'tls_client_target.cc',
+      ],
+      'defines': [
+        'IS_DTLS'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
+        'nssfuzz-tls-base',
+      ],
+    },
+    {
+      'target_name': 'nssfuzz-dtls-server',
+      'type': 'executable',
+      'sources': [
+        'tls_server_certs.cc',
+        'tls_server_config.cc',
+        'tls_server_target.cc',
+      ],
+      'defines': [
+        'IS_DTLS'
+      ],
+      'dependencies': [
+        '<(DEPTH)/exports.gyp:nss_exports',
+        '<(DEPTH)/cpputil/cpputil.gyp:cpputil',
+        'nssfuzz-tls-base',
+      ],
+    },
     {
       'target_name': 'nssfuzz',
       'type': 'none',
       'dependencies': [
         'nssfuzz-certDN',
+        'nssfuzz-dtls-client',
+        'nssfuzz-dtls-server',
         'nssfuzz-pkcs8',
         'nssfuzz-quickder',
         'nssfuzz-tls-client',

fuzz/options/dtls-client-no_fuzzer_mode.options

@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 20000
+

fuzz/options/dtls-client.options

@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 20000
+

fuzz/options/dtls-server-no_fuzzer_mode.options

@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 20000
+

fuzz/options/dtls-server.options

@@ -0,0 +1,3 @@
+[libfuzzer]
+max_len = 20000
+

fuzz/tls_client_target.cc

@@ -16,6 +16,20 @@
 #include "tls_mutators.h"
 #include "tls_socket.h"
 
+#ifdef IS_DTLS
+__attribute__((constructor)) static void set_is_dtls() {
+  TlsMutators::SetIsDTLS();
+}
+#endif
+
+PRFileDesc* ImportFD(PRFileDesc* model, PRFileDesc* fd) {
+#ifdef IS_DTLS
+  return DTLS_ImportFD(model, fd);
+#else
+  return SSL_ImportFD(model, fd);
+#endif
+}
+
 static SECStatus AuthCertificateHook(void* arg, PRFileDesc* fd, PRBool checksig,
                                      PRBool isServer) {
   assert(!isServer);
@@ -49,9 +63,11 @@ static void SetSocketOptions(PRFileDesc* fd,
                      config->RequireSafeNegotiation());
   assert(rv == SECSuccess);
 
+#ifndef IS_DTLS
   rv =
       SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_UNRESTRICTED);
   assert(rv == SECSuccess);
+#endif
 }
 
 // This is only called when we set SSL_ENABLE_FALSE_START=1,
@@ -87,7 +103,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) {
   std::unique_ptr<DummyPrSocket> socket(new DummyPrSocket(data, len));
   static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client");
   ScopedPRFileDesc fd(DummyIOLayerMethods::CreateFD(id, socket.get()));
-  PRFileDesc* ssl_fd = SSL_ImportFD(nullptr, fd.get());
+  PRFileDesc* ssl_fd = ImportFD(nullptr, fd.get());
   assert(ssl_fd == fd.get());
 
   // Probably not too important for clients.
@@ -103,15 +119,16 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t len) {
 
 extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
                                           size_t max_size, unsigned int seed) {
-  return CustomMutate({TlsMutatorDropRecord, TlsMutatorShuffleRecords,
-                       TlsMutatorDuplicateRecord, TlsMutatorTruncateRecord,
-                       TlsMutatorFragmentRecord},
+  using namespace TlsMutators;
+  return CustomMutate({DropRecord, ShuffleRecords, DuplicateRecord,
+                       TruncateRecord, FragmentRecord},
                       data, size, max_size, seed);
 }
 
 extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1,
                                             const uint8_t* data2, size_t size2,
                                             uint8_t* out, size_t max_out_size,
                                             unsigned int seed) {
-  return TlsCrossOver(data1, size1, data2, size2, out, max_out_size, seed);
+  return TlsMutators::CrossOver(data1, size1, data2, size2, out, max_out_size,
+                                seed);
 }