diff options
Diffstat (limited to 'security/nss/automation')
25 files changed, 1048 insertions, 282 deletions
diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index 36059f505..e69de29bb 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -1,8 +0,0 @@ - -4 Added functions: - - [A] 'function SECStatus CERT_AddCertToListHeadWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListHeadWithData@@NSS_3.59} - [A] 'function SECStatus CERT_AddCertToListTailWithData(CERTCertList*, CERTCertificate*, void*)' {CERT_AddCertToListTailWithData@@NSS_3.59} - [A] 'function PK11SymKey* PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey*, CK_MECHANISM_TYPE, SECItem*, SECItem*, CK_MECHANISM_TYPE, CK_ATTRIBUTE_TYPE, int)' {PK11_PubUnwrapSymKeyWithMechanism@@NSS_3.59} - [A] 'function SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey*, CK_MECHANISM_TYPE, SECItem*, PK11SymKey*, SECItem*)' {PK11_PubWrapSymKeyWithMechanism@@NSS_3.59} - diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index 92961214f..e69de29bb 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt @@ -1,6 +0,0 @@ - -2 Added functions: - - [A] 'function PRBool NSS_IsPolicyLocked()' {NSS_IsPolicyLocked@@NSSUTIL_3.59} - [A] 'function void NSS_LockPolicy()' {NSS_LockPolicy@@NSSUTIL_3.59} - diff --git a/security/nss/automation/abi-check/expected-report-libssl3.so.txt b/security/nss/automation/abi-check/expected-report-libssl3.so.txt index e69de29bb..bf902d170 100644 --- a/security/nss/automation/abi-check/expected-report-libssl3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libssl3.so.txt @@ -0,0 +1,13 @@ + +1 function with some indirect sub-type change: + + [C]'function SECStatus SSL_GetPreliminaryChannelInfo(PRFileDesc*, SSLPreliminaryChannelInfo*, PRUintn)' at sslinfo.c:113:1 has some indirect sub-type changes: + parameter 2 of type 'SSLPreliminaryChannelInfo*' has sub-type changes: + in pointed to type 'typedef SSLPreliminaryChannelInfo' at sslt.h:424:1: + underlying type 'struct SSLPreliminaryChannelInfoStr' at sslt.h:373:1 changed: + type size changed from 192 to 288 (in bits) + 3 data member insertions: + 'PRBool SSLPreliminaryChannelInfoStr::peerDelegCred', at offset 192 (in bits) at sslt.h:418:1 + 'PRUint32 SSLPreliminaryChannelInfoStr::authKeyBits', at offset 224 (in bits) at sslt.h:419:1 + 'SSLSignatureScheme SSLPreliminaryChannelInfoStr::signatureScheme', at offset 256 (in bits) at sslt.h:420:1 + diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index a37de0565..29989e5f3 100644 --- a/security/nss/automation/abi-check/previous-nss-release +++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_58_BRANCH +NSS_3_47_BRANCH diff --git a/security/nss/automation/buildbot-slave/bbenv-example.sh b/security/nss/automation/buildbot-slave/bbenv-example.sh new file mode 100644 index 000000000..c76e5d6ab --- /dev/null +++ b/security/nss/automation/buildbot-slave/bbenv-example.sh @@ -0,0 +1,67 @@ +#! /bin/bash + +# Each buildbot-slave requires a bbenv.sh file that defines +# machine specific variables. This is an example file. + + +HOST=$(hostname | cut -d. -f1) +export HOST + +# if your machine's IP isn't registered in DNS, +# you must set appropriate environment variables +# that can be resolved locally. +# For example, if localhost.localdomain works on your system, set: +#HOST=localhost +#DOMSUF=localdomain +#export DOMSUF + +ARCH=$(uname -s) + +ulimit -c unlimited 2> /dev/null + +export NSPR_LOG_MODULES="pkix:1" + +#export JAVA_HOME_32= +#export JAVA_HOME_64= + +#enable if you have PKITS data +#export PKITS_DATA=$HOME/pkits/data/ + +NSS_BUILD_TARGET="clean nss_build_all" +JSS_BUILD_TARGET="clean all" + +MAKE=gmake +AWK=awk +PATCH=patch + +if [ "${ARCH}" = "SunOS" ]; then + AWK=nawk + PATCH=gpatch + ARCH=SunOS/$(uname -p) +fi + +if [ "${ARCH}" = "Linux" -a -f /etc/system-release ]; then + VERSION=`sed -e 's; release ;;' -e 's; (.*)$;;' -e 's;Red Hat Enterprise Linux Server;RHEL;' -e 's;Red Hat Enterprise Linux Workstation;RHEL;' /etc/system-release` + ARCH=Linux/${VERSION} + echo ${ARCH} +fi + +PROCESSOR=$(uname -p) +if [ "${PROCESSOR}" = "ppc64" ]; then + ARCH="${ARCH}/ppc64" +fi +if [ "${PROCESSOR}" = "powerpc" ]; then + ARCH="${ARCH}/ppc" +fi + +PORT_64_DBG=8543 +PORT_64_OPT=8544 +PORT_32_DBG=8545 +PORT_32_OPT=8546 + +if [ "${NSS_TESTS}" = "memleak" ]; then + PORT_64_DBG=8547 + PORT_64_OPT=8548 + PORT_32_DBG=8549 + PORT_32_OPT=8550 +fi diff --git a/security/nss/automation/buildbot-slave/build.sh b/security/nss/automation/buildbot-slave/build.sh new file mode 100755 index 000000000..00e749672 --- /dev/null +++ b/security/nss/automation/buildbot-slave/build.sh @@ -0,0 +1,548 @@ +#! /bin/bash + +# Ensure a failure of the first command inside a pipe +# won't be hidden by commands later in the pipe. +# (e.g. as in ./dosomething | grep) + +set -o pipefail + +proc_args() +{ + while [ -n "$1" ]; do + OPT=$(echo $1 | cut -d= -f1) + VAL=$(echo $1 | cut -d= -f2) + + case $OPT in + "--build-nss") + BUILD_NSS=1 + ;; + "--test-nss") + TEST_NSS=1 + ;; + "--check-abi") + CHECK_ABI=1 + ;; + "--build-jss") + BUILD_JSS=1 + ;; + "--test-jss") + TEST_JSS=1 + ;; + "--memtest") + NSS_TESTS="memleak" + export NSS_TESTS + ;; + "--nojsssign") + NO_JSS_SIGN=1 + ;; + *) + echo "Usage: $0 ..." + echo " --memtest - run the memory leak tests" + echo " --nojsssign - try to sign jss" + echo " --build-nss" + echo " --build-jss" + echo " --test-nss" + echo " --test-jss" + echo " --check-abi" + exit 1 + ;; + esac + + shift + done +} + +set_env() +{ + TOPDIR=$(pwd) + HGDIR=$(pwd)$(echo "/hg") + OUTPUTDIR=$(pwd)$(echo "/output") + LOG_ALL="${OUTPUTDIR}/all.log" + LOG_TMP="${OUTPUTDIR}/tmp.log" + + echo "hello" |grep --line-buffered hello >/dev/null 2>&1 + [ $? -eq 0 ] && GREP_BUFFER="--line-buffered" +} + +print_log() +{ + DATE=$(date "+TB [%Y-%m-%d %H:%M:%S]") + echo "${DATE} $*" + echo "${DATE} $*" >> ${LOG_ALL} +} + +print_result() +{ + TESTNAME=$1 + RET=$2 + EXP=$3 + + if [ ${RET} -eq ${EXP} ]; then + print_log "${TESTNAME} PASSED" + else + print_log "${TESTNAME} FAILED" + fi +} + +print_env() +{ + print_log "######## Environment variables ########" + + uname -a | tee -a ${LOG_ALL} + if [ -e "/etc/redhat-release" ]; then + cat "/etc/redhat-release" | tee -a ${LOG_ALL} + fi + # don't print the MAIL command, it might contain a password + env | grep -v "^MAIL=" | tee -a ${LOG_ALL} +} + +set_cycle() +{ + BITS=$1 + OPT=$2 + + if [ "${BITS}" = "64" ]; then + USE_64=1 + JAVA_HOME=${JAVA_HOME_64} + PORT_DBG=${PORT_64_DBG} + PORT_OPT=${PORT_64_OPT} + else + USE_64= + JAVA_HOME=${JAVA_HOME_32} + PORT_DBG=${PORT_32_DBG} + PORT_OPT=${PORT_32_OPT} + fi + export USE_64 + export JAVA_HOME + + BUILD_OPT= + if [ "${OPT}" = "OPT" ]; then + BUILD_OPT=1 + XPCLASS=xpclass.jar + PORT=${PORT_OPT} + else + BUILD_OPT= + XPCLASS=xpclass_dbg.jar + PORT=${PORT_DBG} + fi + export BUILD_OPT + + PORT_JSS_SERVER=$(expr ${PORT} + 20) + PORT_JSSE_SERVER=$(expr ${PORT} + 40) + + export PORT + export PORT_JSS_SERVER + export PORT_JSSE_SERVER +} + +build_nss() +{ + print_log "######## NSS - build - ${BITS} bits - ${OPT} ########" + + print_log "$ cd ${HGDIR}/nss" + cd ${HGDIR}/nss + + print_log "$ ${MAKE} ${NSS_BUILD_TARGET}" + #${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}" + ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} + RET=$? + print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0 + + if [ ${RET} -eq 0 ]; then + return 0 + else + tail -100 ${LOG_ALL} + return ${RET} + fi +} + +build_jss() +{ + print_log "######## JSS - build - ${BITS} bits - ${OPT} ########" + + print_log "$ cd ${HGDIR}/jss" + cd ${HGDIR}/jss + + print_log "$ ${MAKE} ${JSS_BUILD_TARGET}" + #${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} | grep ${GREP_BUFFER} "^${MAKE}" + ${MAKE} ${JSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} + RET=$? + print_result "JSS build - ${BITS} bits - ${OPT}" ${RET} 0 + [ ${RET} -eq 0 ] || return ${RET} + + print_log "$ cd ${HGDIR}/dist" + cd ${HGDIR}/dist + + if [ -z "${NO_JSS_SIGN}" ]; then + print_log "cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa" + cat ${TOPDIR}/keystore.pw | ${JAVA_HOME}/bin/jarsigner -keystore ${TOPDIR}/keystore -internalsf ${XPCLASS} jssdsa >> ${LOG_ALL} 2>&1 + RET=$? + print_result "JSS - sign JAR files - ${BITS} bits - ${OPT}" ${RET} 0 + [ ${RET} -eq 0 ] || return ${RET} + fi + print_log "${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS}" + ${JAVA_HOME}/bin/jarsigner -verify -certs ${XPCLASS} >> ${LOG_ALL} 2>&1 + RET=$? + print_result "JSS - verify JAR files - ${BITS} bits - ${OPT}" ${RET} 0 + [ ${RET} -eq 0 ] || return ${RET} + + return 0 +} + +test_nss() +{ + print_log "######## NSS - tests - ${BITS} bits - ${OPT} ########" + + if [ "${OS_TARGET}" = "Android" ]; then + print_log "$ cd ${HGDIR}/nss/tests/remote" + cd ${HGDIR}/nss/tests/remote + print_log "$ make test_android" + make test_android 2>&1 | tee ${LOG_TMP} | grep ${GREP_BUFFER} ": #" + OUTPUTFILE=${HGDIR}/tests_results/security/*.1/output.log + else + print_log "$ cd ${HGDIR}/nss/tests" + cd ${HGDIR}/nss/tests + print_log "$ ./all.sh" + ./all.sh 2>&1 | tee ${LOG_TMP} | egrep ${GREP_BUFFER} ": #|^\[.{10}\] " + OUTPUTFILE=${LOG_TMP} + fi + + cat ${LOG_TMP} >> ${LOG_ALL} + tail -n2 ${HGDIR}/tests_results/security/*.1/results.html | grep END_OF_TEST >> ${LOG_ALL} + RET=$? + + print_log "######## details of detected failures (if any) ########" + grep -B50 -w FAILED ${OUTPUTFILE} + [ $? -eq 1 ] || RET=1 + + print_result "NSS - tests - ${BITS} bits - ${OPT}" ${RET} 0 + return ${RET} +} + +check_abi() +{ + print_log "######## NSS ABI CHECK - ${BITS} bits - ${OPT} ########" + print_log "######## creating temporary HG clones ########" + + rm -rf ${HGDIR}/baseline + mkdir ${HGDIR}/baseline + BASE_NSS=`cat ${HGDIR}/nss/automation/abi-check/previous-nss-release` + hg clone -u "${BASE_NSS}" "${HGDIR}/nss" "${HGDIR}/baseline/nss" + if [ $? -ne 0 ]; then + echo "invalid tag in automation/abi-check/previous-nss-release" + return 1 + fi + + BASE_NSPR=NSPR_$(head -1 ${HGDIR}/baseline/nss/automation/release/nspr-version.txt | cut -d . -f 1-2 | tr . _)_BRANCH + hg clone -u "${BASE_NSPR}" "${HGDIR}/nspr" "${HGDIR}/baseline/nspr" + if [ $? -ne 0 ]; then + echo "nonexisting tag ${BASE_NSPR} derived from ${BASE_NSS} automation/release/nspr-version.txt" + # Assume that version hasn't been released yet, fall back to trunk + pushd "${HGDIR}/baseline/nspr" + hg update default + popd + fi + + print_log "######## building baseline NSPR/NSS ########" + pushd ${HGDIR}/baseline/nss + + print_log "$ ${MAKE} ${NSS_BUILD_TARGET}" + ${MAKE} ${NSS_BUILD_TARGET} 2>&1 | tee -a ${LOG_ALL} + RET=$? + print_result "NSS - build - ${BITS} bits - ${OPT}" ${RET} 0 + if [ ${RET} -ne 0 ]; then + tail -100 ${LOG_ALL} + return ${RET} + fi + popd + + ABI_PROBLEM_FOUND=0 + ABI_REPORT=${OUTPUTDIR}/abi-diff.txt + rm -f ${ABI_REPORT} + PREVDIST=${HGDIR}/baseline/dist + NEWDIST=${HGDIR}/dist + ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" + for SO in ${ALL_SOs}; do + if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then + touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt + fi + abidiff --hd1 $PREVDIST/public/ --hd2 $NEWDIST/public \ + $PREVDIST/*/lib/$SO $NEWDIST/*/lib/$SO \ + > ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt + RET=$? + cat ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt \ + | grep -v "^Functions changes summary:" \ + | grep -v "^Variables changes summary:" \ + > ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt + rm -f ${HGDIR}/nss/automation/abi-check/new-report-temp$SO.txt + ABIDIFF_ERROR=$((($RET & 0x01) != 0)) + ABIDIFF_USAGE_ERROR=$((($RET & 0x02) != 0)) + ABIDIFF_ABI_CHANGE=$((($RET & 0x04) != 0)) + ABIDIFF_ABI_INCOMPATIBLE_CHANGE=$((($RET & 0x08) != 0)) + ABIDIFF_UNKNOWN_BIT_SET=$((($RET & 0xf0) != 0)) + + # If abidiff reports an error, or a usage error, or if it sets a result + # bit value this script doesn't know yet about, we'll report failure. + # For ABI changes, we don't yet report an error. We'll compare the + # result report with our whitelist. This allows us to silence changes + # that we're already aware of and have been declared acceptable. + + REPORT_RET_AS_FAILURE=0 + if [ $ABIDIFF_ERROR -ne 0 ]; then + print_log "abidiff reported ABIDIFF_ERROR." + REPORT_RET_AS_FAILURE=1 + fi + if [ $ABIDIFF_USAGE_ERROR -ne 0 ]; then + print_log "abidiff reported ABIDIFF_USAGE_ERROR." + REPORT_RET_AS_FAILURE=1 + fi + if [ $ABIDIFF_UNKNOWN_BIT_SET -ne 0 ]; then + print_log "abidiff reported ABIDIFF_UNKNOWN_BIT_SET." + REPORT_RET_AS_FAILURE=1 + fi + + if [ $ABIDIFF_ABI_CHANGE -ne 0 ]; then + print_log "Ignoring abidiff result ABI_CHANGE, instead we'll check for non-whitelisted differences." + fi + if [ $ABIDIFF_ABI_INCOMPATIBLE_CHANGE -ne 0 ]; then + print_log "Ignoring abidiff result ABIDIFF_ABI_INCOMPATIBLE_CHANGE, instead we'll check for non-whitelisted differences." + fi + + if [ $REPORT_RET_AS_FAILURE -ne 0 ]; then + ABI_PROBLEM_FOUND=1 + print_log "abidiff {$PREVDIST , $NEWDIST} for $SO FAILED with result $RET, or failed writing to ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" + fi + if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then + ABI_PROBLEM_FOUND=1 + print_log "FAILED to access report file: ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt" + fi + + diff -wB -u ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt \ + ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt >> ${ABI_REPORT} + if [ ! -f ${ABI_REPORT} ]; then + ABI_PROBLEM_FOUND=1 + print_log "FAILED to compare exepcted and new report: ${HGDIR}/nss/automation/abi-check/new-report-$SO.txt" + fi + done + + if [ -s ${ABI_REPORT} ]; then + print_log "FAILED: there are new unexpected ABI changes" + cat ${ABI_REPORT} + return 1 + elif [ $ABI_PROBLEM_FOUND -ne 0 ]; then + print_log "FAILED: failure executing the ABI checks" + cat ${ABI_REPORT} + return 1 + fi + + return 0 +} + +test_jss() +{ + print_log "######## JSS - tests - ${BITS} bits - ${OPT} ########" + + print_log "$ cd ${HGDIR}/jss" + cd ${HGDIR}/jss + + print_log "$ ${MAKE} platform" + PLATFORM=$(${MAKE} platform) + print_log "PLATFORM=${PLATFORM}" + + print_log "$ cd ${HGDIR}/jss/org/mozilla/jss/tests" + cd ${HGDIR}/jss/org/mozilla/jss/tests + + print_log "$ perl all.pl dist ${HGDIR}/dist/${PLATFORM}" + perl all.pl dist ${HGDIR}/dist/${PLATFORM} 2>&1 | tee ${LOG_TMP} + cat ${LOG_TMP} >> ${LOG_ALL} + + tail -n2 ${LOG_TMP} | grep JSSTEST_RATE > /dev/null + RET=$? + + grep FAIL ${LOG_TMP} + [ $? -eq 1 ] || RET=1 + + print_result "JSS - tests - ${BITS} bits - ${OPT}" ${RET} 0 + return ${RET} +} + +create_objdir_dist_link() +{ + # compute relevant 'dist' OBJDIR_NAME subdirectory names for JSS and NSS + OS_TARGET=`uname -s` + OS_RELEASE=`uname -r | sed 's/-.*//' | sed 's/-.*//' | cut -d . -f1,2` + CPU_TAG=_`uname -m` + # OBJDIR_NAME_COMPILER appears to be defined for NSS but not JSS + OBJDIR_NAME_COMPILER=_cc + LIBC_TAG=_glibc + IMPL_STRATEGY=_PTH + if [ "${RUN_BITS}" = "64" ]; then + OBJDIR_TAG=_${RUN_BITS}_${RUN_OPT}.OBJ + else + OBJDIR_TAG=_${RUN_OPT}.OBJ + fi + + # define NSS_OBJDIR_NAME + NSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG}${OBJDIR_NAME_COMPILER} + NSS_OBJDIR_NAME=${NSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG} + print_log "create_objdir_dist_link(): NSS_OBJDIR_NAME='${NSS_OBJDIR_NAME}'" + + # define JSS_OBJDIR_NAME + JSS_OBJDIR_NAME=${OS_TARGET}${OS_RELEASE}${CPU_TAG} + JSS_OBJDIR_NAME=${JSS_OBJDIR_NAME}${LIBC_TAG}${IMPL_STRATEGY}${OBJDIR_TAG} + print_log "create_objdir_dist_link(): JSS_OBJDIR_NAME='${JSS_OBJDIR_NAME}'" + + if [ -e "${HGDIR}/dist/${NSS_OBJDIR_NAME}" ]; then + SOURCE=${HGDIR}/dist/${NSS_OBJDIR_NAME} + TARGET=${HGDIR}/dist/${JSS_OBJDIR_NAME} + ln -s ${SOURCE} ${TARGET} >/dev/null 2>&1 + fi +} + +build_and_test() +{ + if [ -n "${BUILD_NSS}" ]; then + build_nss + [ $? -eq 0 ] || return 1 + fi + + if [ -n "${TEST_NSS}" ]; then + test_nss + [ $? -eq 0 ] || return 1 + fi + + if [ -n "${CHECK_ABI}" ]; then + check_abi + [ $? -eq 0 ] || return 1 + fi + + if [ -n "${BUILD_JSS}" ]; then + create_objdir_dist_link + build_jss + [ $? -eq 0 ] || return 1 + fi + + if [ -n "${TEST_JSS}" ]; then + test_jss + [ $? -eq 0 ] || return 1 + fi + + return 0 +} + +run_cycle() +{ + print_env + build_and_test + RET=$? + + grep ^TinderboxPrint ${LOG_ALL} + + return ${RET} +} + +prepare() +{ + rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1 + mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1 + mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1 + mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1 + mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1 + mkdir -p ${OUTPUTDIR} + + # Remove temporary test files from previous jobs, that weren't cleaned up + # by move_results(), e.g. caused by unexpected interruptions. + rm -rf ${HGDIR}/tests_results/ + + cd ${HGDIR}/nss + + if [ -n "${FEWER_STRESS_ITERATIONS}" ]; then + sed -i 's/-c_1000_/-c_500_/g' tests/ssl/sslstress.txt + fi + + return 0 +} + +move_results() +{ + cd ${HGDIR} + if [ -n "${TEST_NSS}" ]; then + mv -f tests_results ${OUTPUTDIR} + fi + tar -c -z --dereference -f ${OUTPUTDIR}/dist.tgz dist + rm -rf dist +} + +run_all() +{ + set_cycle ${BITS} ${OPT} + prepare + run_cycle + RESULT=$? + print_log "### result of run_cycle is ${RESULT}" + move_results + return ${RESULT} +} + +main() +{ + VALID=0 + RET=1 + FAIL=0 + + for BITS in 32 64; do + echo ${RUN_BITS} | grep ${BITS} > /dev/null + [ $? -eq 0 ] || continue + for OPT in DBG OPT; do + echo ${RUN_OPT} | grep ${OPT} > /dev/null + [ $? -eq 0 ] || continue + + VALID=1 + set_env + run_all + RET=$? + print_log "### result of run_all is ${RET}" + if [ ${RET} -ne 0 ]; then + FAIL=${RET} + fi + done + done + + if [ ${VALID} -ne 1 ]; then + echo "Need to set valid bits/opt values." + return 1 + fi + + return ${FAIL} +} + +#function killallsub() +#{ +# FINAL_RET=$? +# for proc in `jobs -p` +# do +# kill -9 $proc +# done +# return ${FINAL_RET} +#} +#trap killallsub EXIT + +#IS_RUNNING_FILE="./build-is-running" + +#if [ -a $IS_RUNNING_FILE ]; then +# echo "exiting, because old job is still running" +# exit 1 +#fi + +#touch $IS_RUNNING_FILE + +echo "tinderbox args: $0 $@" +. ${ENVVARS} +proc_args "$@" +main + +RET=$? +print_log "### result of main is ${RET}" + +#rm $IS_RUNNING_FILE +exit ${RET} diff --git a/security/nss/automation/buildbot-slave/reboot.bat b/security/nss/automation/buildbot-slave/reboot.bat new file mode 100644 index 000000000..c6a5c7b43 --- /dev/null +++ b/security/nss/automation/buildbot-slave/reboot.bat @@ -0,0 +1,6 @@ +IF EXIST ..\buildbot-is-building ( + del ..\buildbot-is-building + shutdown /r /t 0 + + timeout /t 120 +) diff --git a/security/nss/automation/buildbot-slave/startbuild.bat b/security/nss/automation/buildbot-slave/startbuild.bat new file mode 100644 index 000000000..ba06834f1 --- /dev/null +++ b/security/nss/automation/buildbot-slave/startbuild.bat @@ -0,0 +1,14 @@ +echo running > ..\buildbot-is-building + +echo running: "%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*" +"%MOZILLABUILD%\msys\bin\bash" -c "hg/nss/automation/buildbot-slave/build.sh %*" + +if %errorlevel% neq 0 ( + set EXITCODE=1 +) else ( + set EXITCODE=0 +) + +del ..\buildbot-is-building + +exit /b %EXITCODE% diff --git a/security/nss/automation/release/nspr-version.txt b/security/nss/automation/release/nspr-version.txt index c9ab0b03f..c37e9097c 100644 --- a/security/nss/automation/release/nspr-version.txt +++ b/security/nss/automation/release/nspr-version.txt @@ -1,4 +1,4 @@ -4.29 +4.24 # The first line of this file must contain the human readable NSPR # version number, which is the minimum required version of NSPR diff --git a/security/nss/automation/release/nss-release-helper.py b/security/nss/automation/release/nss-release-helper.py index 8cc0a725e..31ea41966 100644 --- a/security/nss/automation/release/nss-release-helper.py +++ b/security/nss/automation/release/nss-release-helper.py @@ -5,9 +5,9 @@ import os import sys +import datetime import shutil -import re -import tempfile +import glob from optparse import OptionParser from subprocess import check_call from subprocess import check_output @@ -32,203 +32,136 @@ abi_report_files = ['automation/abi-check/expected-report-libfreebl3.so.txt', 'automation/abi-check/expected-report-libsoftokn3.so.txt', 'automation/abi-check/expected-report-libssl3.so.txt'] - def check_call_noisy(cmd, *args, **kwargs): - print("Executing command: {}".format(cmd)) + print "Executing command:", cmd check_call(cmd, *args, **kwargs) +o = OptionParser(usage="client.py [options] remove_beta | set_beta | print_library_versions | print_root_ca_version | set_root_ca_version | set_version_to_minor_release | set_version_to_patch_release | set_release_candidate_number | set_4_digit_release_number | create_nss_release_archive") -def exit_with_failure(what): - print("failure: {}".format(what)) +try: + options, args = o.parse_args() + action = args[0] +except IndexError: + o.print_help() sys.exit(2) +def exit_with_failure(what): + print "failure: ", what + sys.exit(2) def check_files_exist(): if (not os.path.exists(nssutil_h) or not os.path.exists(softkver_h) - or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)): + or not os.path.exists(nss_h) or not os.path.exists(nssckbi_h)): exit_with_failure("cannot find expected header files, must run from inside NSS hg directory") - -class Replacement(): - def __init__(self, regex="", repl=""): - self.regex = regex - self.repl = repl - self.matcher = re.compile(self.regex) - - def replace(self, line): - return self.matcher.sub(self.repl, line) - - -def inplace_replace(replacements=[], filename=""): - for r in replacements: - if not isinstance(r, Replacement): - raise TypeError("Expecting a list of Replacement objects") - - with tempfile.NamedTemporaryFile(mode="w", delete=False) as tmp_file: - with open(filename) as in_file: - for line in in_file: - for r in replacements: - line = r.replace(line) - tmp_file.write(line) - - shutil.copystat(filename, tmp_file.name) - shutil.move(tmp_file.name, filename) - +def sed_inplace(sed_expression, filename): + backup_file = filename + '.tmp' + check_call_noisy(["sed", "-i.tmp", sed_expression, filename]) + os.remove(backup_file) def toggle_beta_status(is_beta): check_files_exist() if (is_beta): - print("adding Beta status to version numbers") - inplace_replace(filename=nssutil_h, replacements=[ - Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+)\" *$', - repl=r'\g<1> Beta"'), - Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_FALSE *$', - repl=r'\g<1>PR_TRUE')]) - inplace_replace(filename=softkver_h, replacements=[ - Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *$', - repl=r'\g<1> " Beta"'), - Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_FALSE *$', - repl=r'\g<1>PR_TRUE')]) - inplace_replace(filename=nss_h, replacements=[ - Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *$', - repl=r'\g<1> " Beta"'), - Replacement(regex=r'^(#define *NSS_BETA *)PR_FALSE *$', - repl=r'\g<1>PR_TRUE')]) + print "adding Beta status to version numbers" + sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\)\" *$/\\1 Beta\"/', nssutil_h) + sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *$/\\1 \" Beta"/', softkver_h) + sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_FALSE *$/\\1PR_TRUE/', softkver_h) + sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *$/\\1 \" Beta"/', nss_h) + sed_inplace('s/^\(#define *NSS_BETA *\)PR_FALSE *$/\\1PR_TRUE/', nss_h) else: - print("removing Beta status from version numbers") - inplace_replace(filename=nssutil_h, replacements=[ - Replacement(regex=r'^(#define *NSSUTIL_VERSION *\"[0-9.]+) *Beta\" *$', - repl=r'\g<1>"'), - Replacement(regex=r'^(#define *NSSUTIL_BETA *)PR_TRUE *$', - repl=r'\g<1>PR_FALSE')]) - inplace_replace(filename=softkver_h, replacements=[ - Replacement(regex=r'^(#define *SOFTOKEN_VERSION *\"[0-9.]+\" *SOFTOKEN_ECC_STRING) *\" *Beta\" *$', - repl=r'\g<1>'), - Replacement(regex=r'^(#define *SOFTOKEN_BETA *)PR_TRUE *$', - repl=r'\g<1>PR_FALSE')]) - inplace_replace(filename=nss_h, replacements=[ - Replacement(regex=r'^(#define *NSS_VERSION *\"[0-9.]+\" *_NSS_CUSTOMIZED) *\" *Beta\" *$', - repl=r'\g<1>'), - Replacement(regex=r'^(#define *NSS_BETA *)PR_TRUE *$', - repl=r'\g<1>PR_FALSE')]) - - print("please run 'hg stat' and 'hg diff' to verify the files have been verified correctly") - + print "removing Beta status from version numbers" + sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"[0-9.]\+\) *Beta\" *$/\\1\"/', nssutil_h) + sed_inplace('s/^\(#define *NSSUTIL_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"[0-9.]\+\" *SOFTOKEN_ECC_STRING\) *\" *Beta\" *$/\\1/', softkver_h) + sed_inplace('s/^\(#define *SOFTOKEN_BETA *\)PR_TRUE *$/\\1PR_FALSE/', softkver_h) + sed_inplace('s/^\(#define *NSS_VERSION *\"[0-9.]\+\" *_NSS_CUSTOMIZED\) *\" *Beta\" *$/\\1/', nss_h) + sed_inplace('s/^\(#define *NSS_BETA *\)PR_TRUE *$/\\1PR_FALSE/', nss_h) + print "please run 'hg stat' and 'hg diff' to verify the files have been verified correctly" def print_beta_versions(): check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define *NSSUTIL_BETA", nssutil_h]) check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define *SOFTOKEN_BETA", softkver_h]) check_call_noisy(["egrep", "#define *NSS_VERSION|#define *NSS_BETA", nss_h]) - def remove_beta_status(): - print("--- removing beta flags. Existing versions were:") + print "--- removing beta flags. Existing versions were:" print_beta_versions() toggle_beta_status(False) - print("--- finished modifications, new versions are:") + print "--- finished modifications, new versions are:" print_beta_versions() - def set_beta_status(): - print("--- adding beta flags. Existing versions were:") + print "--- adding beta flags. Existing versions were:" print_beta_versions() toggle_beta_status(True) - print("--- finished modifications, new versions are:") + print "--- finished modifications, new versions are:" print_beta_versions() - def print_library_versions(): check_files_exist() check_call_noisy(["egrep", "#define *NSSUTIL_VERSION|#define NSSUTIL_VMAJOR|#define *NSSUTIL_VMINOR|#define *NSSUTIL_VPATCH|#define *NSSUTIL_VBUILD|#define *NSSUTIL_BETA", nssutil_h]) check_call_noisy(["egrep", "#define *SOFTOKEN_VERSION|#define SOFTOKEN_VMAJOR|#define *SOFTOKEN_VMINOR|#define *SOFTOKEN_VPATCH|#define *SOFTOKEN_VBUILD|#define *SOFTOKEN_BETA", softkver_h]) check_call_noisy(["egrep", "#define *NSS_VERSION|#define NSS_VMAJOR|#define *NSS_VMINOR|#define *NSS_VPATCH|#define *NSS_VBUILD|#define *NSS_BETA", nss_h]) - def print_root_ca_version(): check_files_exist() check_call_noisy(["grep", "define *NSS_BUILTINS_LIBRARY_VERSION", nssckbi_h]) def ensure_arguments_after_action(how_many, usage): - if (len(sys.argv) != (2 + how_many)): + if (len(sys.argv) != (2+how_many)): exit_with_failure("incorrect number of arguments, expected parameters are:\n" + usage) - def set_major_versions(major): - for name, file in [["NSSUTIL_VMAJOR", nssutil_h], - ["SOFTOKEN_VMAJOR", softkver_h], - ["NSS_VMAJOR", nss_h]]: - inplace_replace(filename=file, replacements=[ - Replacement(regex=r'^(#define *{} ?).*$'.format(name), - repl=r'\g<1>{}'.format(major))]) - + sed_inplace('s/^\(#define *NSSUTIL_VMAJOR *\).*$/\\1' + major + '/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VMAJOR *\).*$/\\1' + major + '/', softkver_h) + sed_inplace('s/^\(#define *NSS_VMAJOR *\).*$/\\1' + major + '/', nss_h) def set_minor_versions(minor): - for name, file in [["NSSUTIL_VMINOR", nssutil_h], - ["SOFTOKEN_VMINOR", softkver_h], - ["NSS_VMINOR", nss_h]]: - inplace_replace(filename=file, replacements=[ - Replacement(regex=r'^(#define *{} ?).*$'.format(name), - repl=r'\g<1>{}'.format(minor))]) - + sed_inplace('s/^\(#define *NSSUTIL_VMINOR *\).*$/\\1' + minor + '/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VMINOR *\).*$/\\1' + minor + '/', softkver_h) + sed_inplace('s/^\(#define *NSS_VMINOR *\).*$/\\1' + minor + '/', nss_h) def set_patch_versions(patch): - for name, file in [["NSSUTIL_VPATCH", nssutil_h], - ["SOFTOKEN_VPATCH", softkver_h], - ["NSS_VPATCH", nss_h]]: - inplace_replace(filename=file, replacements=[ - Replacement(regex=r'^(#define *{} ?).*$'.format(name), - repl=r'\g<1>{}'.format(patch))]) - + sed_inplace('s/^\(#define *NSSUTIL_VPATCH *\).*$/\\1' + patch + '/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VPATCH *\).*$/\\1' + patch + '/', softkver_h) + sed_inplace('s/^\(#define *NSS_VPATCH *\).*$/\\1' + patch + '/', nss_h) def set_build_versions(build): - for name, file in [["NSSUTIL_VBUILD", nssutil_h], - ["SOFTOKEN_VBUILD", softkver_h], - ["NSS_VBUILD", nss_h]]: - inplace_replace(filename=file, replacements=[ - Replacement(regex=r'^(#define *{} ?).*$'.format(name), - repl=r'\g<1>{}'.format(build))]) - + sed_inplace('s/^\(#define *NSSUTIL_VBUILD *\).*$/\\1' + build + '/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VBUILD *\).*$/\\1' + build + '/', softkver_h) + sed_inplace('s/^\(#define *NSS_VBUILD *\).*$/\\1' + build + '/', nss_h) def set_full_lib_versions(version): - for name, file in [["NSSUTIL_VERSION", nssutil_h], - ["SOFTOKEN_VERSION", softkver_h], - ["NSS_VERSION", nss_h]]: - inplace_replace(filename=file, replacements=[ - Replacement(regex=r'^(#define *{} *\")([0-9.]+)(.*)$'.format(name), - repl=r'\g<1>{}\g<3>'.format(version))]) - + sed_inplace('s/^\(#define *NSSUTIL_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nssutil_h) + sed_inplace('s/^\(#define *SOFTOKEN_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', softkver_h) + sed_inplace('s/^\(#define *NSS_VERSION *\"\)\([0-9.]\+\)\(.*\)$/\\1' + version + '\\3/', nss_h) def set_root_ca_version(): ensure_arguments_after_action(2, "major_version minor_version") major = args[1].strip() minor = args[2].strip() version = major + '.' + minor - - inplace_replace(filename=nssckbi_h, replacements=[ - Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION *\").*$', - repl=r'\g<1>{}"'.format(version)), - Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR ?).*$', - repl=r'\g<1>{}'.format(major)), - Replacement(regex=r'^(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR ?).*$', - repl=r'\g<1>{}'.format(minor))]) - + sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION *\"\).*$/\\1' + version + '/', nssckbi_h) + sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MAJOR *\).*$/\\1' + major + '/', nssckbi_h) + sed_inplace('s/^\(#define *NSS_BUILTINS_LIBRARY_VERSION_MINOR *\).*$/\\1' + minor + '/', nssckbi_h) def set_all_lib_versions(version, major, minor, patch, build): grep_major = check_output(['grep', 'define.*NSS_VMAJOR', nss_h]) grep_minor = check_output(['grep', 'define.*NSS_VMINOR', nss_h]) - old_major = int(grep_major.split()[2]) - old_minor = int(grep_minor.split()[2]) + old_major = int(grep_major.split()[2]); + old_minor = int(grep_minor.split()[2]); new_major = int(major) new_minor = int(minor) if (old_major < new_major or (old_major == new_major and old_minor < new_minor)): - print("You're increasing the minor (or major) version:") - print("- erasing ABI comparison expectations") + print "You're increasing the minor (or major) version:" + print "- erasing ABI comparison expectations" new_branch = "NSS_" + str(old_major) + "_" + str(old_minor) + "_BRANCH" - print("- setting reference branch to the branch of the previous version: " + new_branch) + print "- setting reference branch to the branch of the previous version: " + new_branch with open(abi_base_version_file, "w") as abi_base: abi_base.write("%s\n" % new_branch) for report_file in abi_report_files: @@ -241,7 +174,6 @@ def set_all_lib_versions(version, major, minor, patch, build): set_patch_versions(patch) set_build_versions(build) - def set_version_to_minor_release(): ensure_arguments_after_action(2, "major_version minor_version") major = args[1].strip() @@ -251,7 +183,6 @@ def set_version_to_minor_release(): build = "0" set_all_lib_versions(version, major, minor, patch, build) - def set_version_to_patch_release(): ensure_arguments_after_action(3, "major_version minor_version patch_release") major = args[1].strip() @@ -261,13 +192,11 @@ def set_version_to_patch_release(): build = "0" set_all_lib_versions(version, major, minor, patch, build) - def set_release_candidate_number(): ensure_arguments_after_action(1, "release_candidate_number") build = args[1].strip() set_build_versions(build) - def set_4_digit_release_number(): ensure_arguments_after_action(4, "major_version minor_version patch_release 4th_digit_release_number") major = args[1].strip() @@ -277,22 +206,21 @@ def set_4_digit_release_number(): version = major + '.' + minor + '.' + patch + '.' + build set_all_lib_versions(version, major, minor, patch, build) - def create_nss_release_archive(): ensure_arguments_after_action(3, "nss_release_version nss_hg_release_tag path_to_stage_directory") - nssrel = args[1].strip() # e.g. 3.19.3 - nssreltag = args[2].strip() # e.g. NSS_3_19_3_RTM - stagedir = args[3].strip() # e.g. ../stage + nssrel = args[1].strip() #e.g. 3.19.3 + nssreltag = args[2].strip() #e.g. NSS_3_19_3_RTM + stagedir = args[3].strip() #e.g. ../stage with open('automation/release/nspr-version.txt') as nspr_version_file: nsprrel = next(nspr_version_file).strip() nspr_tar = "nspr-" + nsprrel + ".tar.gz" - nsprtar_with_path = stagedir + "/v" + nsprrel + "/src/" + nspr_tar + nsprtar_with_path= stagedir + "/v" + nsprrel + "/src/" + nspr_tar if (not os.path.exists(nsprtar_with_path)): exit_with_failure("cannot find nspr archive at expected location " + nsprtar_with_path) - nss_stagedir = stagedir + "/" + nssreltag + "/src" + nss_stagedir= stagedir + "/" + nssreltag + "/src" if (os.path.exists(nss_stagedir)): exit_with_failure("nss stage directory already exists: " + nss_stagedir) @@ -302,7 +230,7 @@ def create_nss_release_archive(): check_call_noisy(["hg", "archive", "-r", nssreltag, "--prefix=nss-" + nssrel + "/nss", stagedir + "/" + nssreltag + "/src/" + nss_tar, "-X", ".hgtags"]) check_call_noisy(["tar", "-xz", "-C", nss_stagedir, "-f", nsprtar_with_path]) - print("changing to directory " + nss_stagedir) + print "changing to directory " + nss_stagedir os.chdir(nss_stagedir) check_call_noisy(["tar", "-xz", "-f", nss_tar]) check_call_noisy(["mv", "-i", "nspr-" + nsprrel + "/nspr", "nss-" + nssrel + "/"]) @@ -313,23 +241,9 @@ def create_nss_release_archive(): check_call_noisy(["tar", "-cz", "--remove-files", "-f", nss_nspr_tar, "nss-" + nssrel]) check_call("sha1sum " + nss_tar + " " + nss_nspr_tar + " > SHA1SUMS", shell=True) check_call("sha256sum " + nss_tar + " " + nss_nspr_tar + " > SHA256SUMS", shell=True) - print("created directory " + nss_stagedir + " with files:") + print "created directory " + nss_stagedir + " with files:" check_call_noisy(["ls", "-l"]) - -o = OptionParser(usage="client.py [options] " + " | ".join([ - "remove_beta", "set_beta", "print_library_versions", "print_root_ca_version", - "set_root_ca_version", "set_version_to_minor_release", - "set_version_to_patch_release", "set_release_candidate_number", - "set_4_digit_release_number", "create_nss_release_archive"])) - -try: - options, args = o.parse_args() - action = args[0] -except IndexError: - o.print_help() - sys.exit(2) - if action in ('remove_beta'): remove_beta_status() diff --git a/security/nss/automation/saw/chacha20.saw b/security/nss/automation/saw/chacha20.saw index cf98466b2..92145ab74 100644 --- a/security/nss/automation/saw/chacha20.saw +++ b/security/nss/automation/saw/chacha20.saw @@ -34,7 +34,7 @@ let SpecChaCha20 n = do { }; print "Proving equality for a single block..."; -time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 64)); +time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 64)); print "Proving equality for multiple blocks..."; -time (llvm_verify m "Hacl_Chacha20_chacha20_encrypt" [] (SpecChaCha20 256)); +time (llvm_verify m "Hacl_Chacha20_chacha20" [] (SpecChaCha20 256)); diff --git a/security/nss/automation/taskcluster/docker-builds/Dockerfile b/security/nss/automation/taskcluster/docker-builds/Dockerfile index 0ce4e80c6..9f0bb2034 100644 --- a/security/nss/automation/taskcluster/docker-builds/Dockerfile +++ b/security/nss/automation/taskcluster/docker-builds/Dockerfile @@ -34,13 +34,9 @@ RUN apt-get update \ pkg-config \ valgrind \ zlib1g-dev \ - clang-format-3.9 \ && rm -rf /var/lib/apt/lists/* \ && apt-get autoremove -y && apt-get clean -y -RUN update-alternatives --install /usr/bin/clang-format \ - clang-format $(which clang-format-3.9) 10 - # Latest version of abigail-tools RUN apt-get update \ && apt-get install -y --no-install-recommends automake libtool libxml2-dev \ diff --git a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile index e80b94d5f..f5fd3cfd5 100644 --- a/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile +++ b/security/nss/automation/taskcluster/docker-fuzz32/Dockerfile @@ -10,8 +10,6 @@ LABEL maintainer="Martin Thomson <martin.thomson@gmail.com>" RUN dpkg --add-architecture i386 RUN apt-get update \ && apt-get install -y --no-install-recommends \ - apt-transport-https \ - apt-utils \ build-essential \ ca-certificates \ curl \ diff --git a/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc new file mode 100644 index 000000000..513dcd410 --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc @@ -0,0 +1,143 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM +5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+ +LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe +V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT +pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr +RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo +OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz +atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W +l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB +P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx +OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB +tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2 +MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW +ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7 +INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox +51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK +djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj +u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m +NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6 +DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42 +brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu +m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7 +3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p +Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV +TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK +CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa +zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m +MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7 +ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh +/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv +aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6 +4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF +TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb +o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV +/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0 +8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh +lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq +pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q +yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03 +KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5 +rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq +FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc +g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO +Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0 ++gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn +RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU +zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM +1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+ +r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ ++rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI +T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG +P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd +ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2 +Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw +F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a +u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I +BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX +8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B +2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB +X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD +xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2 +b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl +REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq +akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh +3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7 +gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB +4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b +gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ +Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7 +dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3 +SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR +wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg +qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o +nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd +nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/ +ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt +FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY +JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66 +DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME +EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM +D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0 +zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL +CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5 +Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC +nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i +8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv +QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj +Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY +xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46 +XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g +5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V +IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m +RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD +WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY +TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp +WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy +MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni +COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv +ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo +or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x +F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep +2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A +N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG +CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F +Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR +M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ +bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N +xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem +d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX +vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T +jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa +JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92 +xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv +dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ +bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn +suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC +898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy ++UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr +m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap +2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+ +xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ +DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak +EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E +cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q +5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas +Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh +EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC +Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT +eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB +fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y +2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9 +pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui ++TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X +l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR +dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc +KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr +m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w +V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1 +67H2IH//2sf8dw== +=fTDu +-----END PGP PUBLIC KEY BLOCK-----
\ No newline at end of file diff --git a/security/nss/automation/taskcluster/docker-hacl/Dockerfile b/security/nss/automation/taskcluster/docker-hacl/Dockerfile new file mode 100644 index 000000000..168be1c41 --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile @@ -0,0 +1,31 @@ +FROM ubuntu:xenial + +MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com> +# Based on the HACL* image from Benjamin Beurdouche and +# the original F* formula with Daniel Fabian + +# Pinned versions of HACL* (F* and KreMLin are pinned as submodules) +ENV haclrepo https://github.com/mitls/hacl-star.git + +# Define versions of dependencies +ENV opamv 4.05.0 +ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e + +# Install required packages and set versions +ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc +ADD setup.sh /tmp/setup.sh +RUN bash /tmp/setup.sh + +# Create user, add scripts. +RUN useradd -ms /bin/bash worker +WORKDIR /home/worker +ADD bin /home/worker/bin +RUN chmod +x /home/worker/bin/* +USER worker + +# Build F*, HACL*, verify. Install a few more dependencies. +ENV OPAMYES true +ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH" +ADD setup-user.sh /tmp/setup-user.sh +ADD license.txt /tmp/license.txt +RUN bash /tmp/setup-user.sh diff --git a/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh b/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh new file mode 100644 index 000000000..9167f6bda --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/bin/checkout.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +set -v -e -x + +if [ $(id -u) = 0 ]; then + # Drop privileges by re-running this script. + exec su worker $0 +fi + +# Default values for testing. +REVISION=${NSS_HEAD_REVISION:-default} +REPOSITORY=${NSS_HEAD_REPOSITORY:-https://hg.mozilla.org/projects/nss} + +# Clone NSS. +for i in 0 2 5; do + sleep $i + hg clone -r $REVISION $REPOSITORY nss && exit 0 + rm -rf nss +done +exit 1 diff --git a/security/nss/automation/taskcluster/docker-hacl/license.txt b/security/nss/automation/taskcluster/docker-hacl/license.txt new file mode 100644 index 000000000..03d25c4d3 --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/license.txt @@ -0,0 +1,15 @@ +/* Copyright 2016-2017 INRIA and Microsoft Corporation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + diff --git a/security/nss/automation/taskcluster/docker-hacl/setup-user.sh b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh new file mode 100644 index 000000000..e2c0b857b --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/setup-user.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env bash + +set -v -e -x + +# Prepare build (OCaml packages) +opam init +echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || true" >> .bashrc +opam switch -v ${opamv} +opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint + +# Get the HACL* code +git clone ${haclrepo} hacl-star +git -C hacl-star checkout ${haclversion} + +# Prepare submodules, and build, verify, test, and extract c code +# This caches the extracted c code (pins the HACL* version). All we need to do +# on CI now is comparing the code in this docker image with the one in NSS. +opam config exec -- make -C hacl-star prepare -j$(nproc) +make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc) +KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc) +make -C hacl-star/code/salsa-family test -j$(nproc) +make -C hacl-star/code/poly1305 test -j$(nproc) + +# Cleanup. +rm -rf ~/.ccache ~/.cache diff --git a/security/nss/automation/taskcluster/docker-hacl/setup.sh b/security/nss/automation/taskcluster/docker-hacl/setup.sh new file mode 100644 index 000000000..491342e14 --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh @@ -0,0 +1,34 @@ +#!/usr/bin/env bash + +set -v -e -x + +# Update packages. +export DEBIAN_FRONTEND=noninteractive +apt-get -qq update +apt-get install --yes libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget locales +update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200 +update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200 + +# Get clang-format-3.9 +curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz +curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig + +# Verify the signature. The key used for verification was fetched via: +# gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D +# Use a local copy to workaround bug 1565013. +gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc +gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig + +# Install into /usr/local/. +tar xJvf *.tar.xz -C /usr/local --strip-components=1 +# Cleanup. +rm *.tar.xz* + +locale-gen en_US.UTF-8 +dpkg-reconfigure locales + +# Cleanup. +rm -rf ~/.ccache ~/.cache +apt-get autoremove -y +apt-get clean +apt-get autoclean diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index 658f06ab1..2a1a13835 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js @@ -41,6 +41,11 @@ const FUZZ_IMAGE_32 = { path: "automation/taskcluster/docker-fuzz32" }; +const HACL_GEN_IMAGE = { + name: "hacl", + path: "automation/taskcluster/docker-hacl" +}; + const SAW_IMAGE = { name: "saw", path: "automation/taskcluster/docker-saw" @@ -100,20 +105,8 @@ queue.filter(task => { // Don't run all additional hardware tests on ARM. if (task.group == "Cipher" && task.platform == "aarch64" && task.env && - (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_SSE4_1 == "1" - || task.env.NSS_DISABLE_AVX == "1" || task.env.NSS_DISABLE_AVX2 == "1")) { - return false; - } - - // Don't run ARM specific hardware tests on non-ARM. - // TODO: our server that runs task cluster doesn't support Intel SHA extensions. - if (task.group == "Cipher" && task.platform != "aarch64" && task.env && - (task.env.NSS_DISABLE_HW_SHA1 == "1" || task.env.NSS_DISABLE_HW_SHA2 == "1")) { - return false; - } - - // Don't run DBM builds on aarch64. - if (task.group == "DBM" && task.platform == "aarch64") { + (task.env.NSS_DISABLE_PCLMUL == "1" || task.env.NSS_DISABLE_HW_AES == "1" + || task.env.NSS_DISABLE_AVX == "1")) { return false; } @@ -507,7 +500,7 @@ async function scheduleLinux(name, overrides, args = "") { } // The task that generates certificates. - let cert_base = merge(build_base, { + let task_cert = queue.scheduleTask(merge(build_base, { name: "Certificates", command: [ "/bin/bash", @@ -516,8 +509,7 @@ async function scheduleLinux(name, overrides, args = "") { ], parent: task_build, symbol: "Certs" - }); - let task_cert = queue.scheduleTask(cert_base); + })); // Schedule tests. scheduleTests(task_build, task_cert, merge(base, { @@ -600,25 +592,6 @@ async function scheduleLinux(name, overrides, args = "") { symbol: "modular" })); - if (base.collection != "make") { - let task_build_dbm = queue.scheduleTask(merge(extra_base, { - name: `${name} w/ legacy-db`, - command: [ - "/bin/bash", - "-c", - checkout_and_gyp + "--enable-legacy-db" - ], - symbol: "B", - group: "DBM", - })); - - let task_cert_dbm = queue.scheduleTask(merge(cert_base, { - parent: task_build_dbm, - group: "DBM", - symbol: "Certs" - })); - } - return queue.submit(); } @@ -857,11 +830,11 @@ async function scheduleWindows(name, base, build_script) { workerType: "win2012r2", env: { PATH: "c:\\mozilla-build\\bin;c:\\mozilla-build\\python;" + - "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" + - "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" + - "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" + - "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" + - "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget", + "c:\\mozilla-build\\msys\\local\\bin;c:\\mozilla-build\\7zip;" + + "c:\\mozilla-build\\info-zip;c:\\mozilla-build\\python\\Scripts;" + + "c:\\mozilla-build\\yasm;c:\\mozilla-build\\msys\\bin;" + + "c:\\Windows\\system32;c:\\mozilla-build\\upx391w;" + + "c:\\mozilla-build\\moztools-x64\\bin;c:\\mozilla-build\\wget", DOMSUF: "localdomain", HOST: "localhost", }, @@ -1010,17 +983,10 @@ function scheduleTests(task_build, task_cert, test_base) { name: "Cipher tests", symbol: "Default", tests: "cipher", group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAES", tests: "cipher", + name: "Cipher tests", symbol: "NoAESNI", tests: "cipher", env: {NSS_DISABLE_HW_AES: "1"}, group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoSHA", tests: "cipher", - env: { - NSS_DISABLE_HW_SHA1: "1", - NSS_DISABLE_HW_SHA2: "1" - }, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { name: "Cipher tests", symbol: "NoPCLMUL", tests: "cipher", env: {NSS_DISABLE_PCLMUL: "1"}, group: "Cipher" })); @@ -1029,20 +995,12 @@ function scheduleTests(task_build, task_cert, test_base) { env: {NSS_DISABLE_AVX: "1"}, group: "Cipher" })); queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoAVX2", tests: "cipher", - env: {NSS_DISABLE_AVX2: "1"}, group: "Cipher" - })); - queue.scheduleTask(merge(cert_base_long, { name: "Cipher tests", symbol: "NoSSSE3|NEON", tests: "cipher", env: { NSS_DISABLE_ARM_NEON: "1", NSS_DISABLE_SSSE3: "1" }, group: "Cipher" })); - queue.scheduleTask(merge(cert_base_long, { - name: "Cipher tests", symbol: "NoSSE4.1", tests: "cipher", - env: {NSS_DISABLE_SSE4_1: "1"}, group: "Cipher" - })); queue.scheduleTask(merge(cert_base, { name: "EC tests", symbol: "EC", tests: "ec" })); @@ -1082,6 +1040,12 @@ function scheduleTests(task_build, task_cert, test_base) { name: "SSL tests (pkix)", symbol: "pkix", cycle: "pkix" })); queue.scheduleTask(merge(ssl_base, { + name: "SSL tests (sharedb)", symbol: "sharedb", cycle: "sharedb" + })); + queue.scheduleTask(merge(ssl_base, { + name: "SSL tests (upgradedb)", symbol: "upgradedb", cycle: "upgradedb" + })); + queue.scheduleTask(merge(ssl_base, { name: "SSL tests (stress)", symbol: "stress", cycle: "sharedb", env: {NSS_SSL_RUN: "stress"} })); @@ -1171,7 +1135,7 @@ async function scheduleTools() { queue.scheduleTask(merge(base, { symbol: "hacl", name: "hacl", - image: LINUX_BUILDS_IMAGE, + image: HACL_GEN_IMAGE, command: [ "/bin/bash", "-c", @@ -1217,22 +1181,18 @@ async function scheduleTools() { ] })); - // TODO: The ChaCha20 saw verification is currently disabled because the new - // HACL 32-bit code can't be verified by saw right now to the best of - // my knowledge. - // Bug 1604130 - // queue.scheduleTask(merge(base, { - // parent: task_saw, - // symbol: "ChaCha20", - // group: "SAW", - // name: "chacha20.saw", - // image: SAW_IMAGE, - // command: [ - // "/bin/bash", - // "-c", - // "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20" - // ] - // })); + queue.scheduleTask(merge(base, { + parent: task_saw, + symbol: "ChaCha20", + group: "SAW", + name: "chacha20.saw", + image: SAW_IMAGE, + command: [ + "/bin/bash", + "-c", + "bin/checkout.sh && nss/automation/taskcluster/scripts/run_saw.sh chacha20" + ] + })); queue.scheduleTask(merge(base, { parent: task_saw, @@ -1251,15 +1211,7 @@ async function scheduleTools() { symbol: "Coverage", name: "Coverage", image: FUZZ_IMAGE, - type: "other", features: ["allowPtrace"], - artifacts: { - public: { - expires: 24 * 7, - type: "directory", - path: "/home/worker/artifacts" - } - }, command: [ "/bin/bash", "-c", diff --git a/security/nss/automation/taskcluster/graph/src/queue.js b/security/nss/automation/taskcluster/graph/src/queue.js index 851bc669a..fd5be2050 100644 --- a/security/nss/automation/taskcluster/graph/src/queue.js +++ b/security/nss/automation/taskcluster/graph/src/queue.js @@ -220,9 +220,6 @@ export async function submit() { maps.forEach(map => { task = map(merge({}, task)) }); let log_id = `${task.name} @ ${task.platform}[${task.collection || "opt"}]`; - if (task.group) { - log_id = `${task.group}::${log_id}`; - } console.log(`+ Submitting ${log_id}.`); // Index that task for each tag specified diff --git a/security/nss/automation/taskcluster/scripts/build_gyp.sh b/security/nss/automation/taskcluster/scripts/build_gyp.sh index 2cb0deb01..e19a6362f 100755 --- a/security/nss/automation/taskcluster/scripts/build_gyp.sh +++ b/security/nss/automation/taskcluster/scripts/build_gyp.sh @@ -12,7 +12,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi # Build. -nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" +nss/build.sh -g -v --enable-libpkix "$@" # Package. if [[ $(uname) = "Darwin" ]]; then diff --git a/security/nss/automation/taskcluster/scripts/check_abi.sh b/security/nss/automation/taskcluster/scripts/check_abi.sh index da610955f..5cd587a6b 100644 --- a/security/nss/automation/taskcluster/scripts/check_abi.sh +++ b/security/nss/automation/taskcluster/scripts/check_abi.sh @@ -97,8 +97,7 @@ abi_diff() rm -f ${ABI_REPORT} PREVDIST=${HGDIR}/baseline/dist NEWDIST=${HGDIR}/dist - # libnssdbm3.so isn't built by default anymore, skip it. - ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" + ALL_SOs="libfreebl3.so libfreeblpriv3.so libnspr4.so libnss3.so libnssckbi.so libnssdbm3.so libnsssysinit.so libnssutil3.so libplc4.so libplds4.so libsmime3.so libsoftokn3.so libssl3.so" for SO in ${ALL_SOs}; do if [ ! -f ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt ]; then touch ${HGDIR}/nss/automation/abi-check/expected-report-$SO.txt diff --git a/security/nss/automation/taskcluster/scripts/run_hacl.sh b/security/nss/automation/taskcluster/scripts/run_hacl.sh index 84dc9dbc3..6cbda49b4 100644 --- a/security/nss/automation/taskcluster/scripts/run_hacl.sh +++ b/security/nss/automation/taskcluster/scripts/run_hacl.sh @@ -8,25 +8,33 @@ fi set -e -x -v -# The docker image this is running in has NSS sources. -# Get the HACL* source, containing a snapshot of the C code, extracted on the -# HACL CI. -# When bug 1593647 is resolved, extract the code on CI again. -git clone -q "https://github.com/project-everest/hacl-star" ~/hacl-star -git -C ~/hacl-star checkout -q e4311991b1526734f99f4e3a0058895a46c63e5c - -# Format the C snapshot. -cd ~/hacl-star/dist/mozilla -cp ~/nss/.clang-format . -find . -type f -name '*.[ch]' -exec clang-format -i {} \+ -cd ~/hacl-star/dist/kremlin +# The docker image this is running in has the HACL* and NSS sources. +# The extracted C code from HACL* is already generated and the HACL* tests were +# successfully executed. + +# Verify HACL*. Taskcluster fails when we do this in the image build. +make -C hacl-star verify-nss -j$(nproc) + +# Add license header to specs +spec_files=($(find ~/hacl-star/specs -type f -name '*.fst')) +for f in "${spec_files[@]}"; do + cat /tmp/license.txt "$f" > /tmp/tmpfile && mv /tmp/tmpfile "$f" +done + +# Format the extracted C code. +cd ~/hacl-star/snapshots/nss cp ~/nss/.clang-format . find . -type f -name '*.[ch]' -exec clang-format -i {} \+ # These diff commands will return 1 if there are differences and stop the script. files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]')) for f in "${files[@]}"; do - file_name=$(basename "$f") - hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/kremlin/ -type f -name $file_name)) - diff $hacl_file $f + diff $f $(basename "$f") +done + +# Check that the specs didn't change either. +cd ~/hacl-star/specs +files=($(find ~/nss/lib/freebl/verified/specs -type f)) +for f in "${files[@]}"; do + diff $f $(basename "$f") done diff --git a/security/nss/automation/taskcluster/windows/build_gyp.sh b/security/nss/automation/taskcluster/windows/build_gyp.sh index d7072ebbf..1a78d44a7 100644 --- a/security/nss/automation/taskcluster/windows/build_gyp.sh +++ b/security/nss/automation/taskcluster/windows/build_gyp.sh @@ -19,7 +19,7 @@ pushd gyp python -m virtualenv test-env test-env/Scripts/python setup.py install test-env/Scripts/python -m pip install --upgrade pip -test-env/Scripts/pip install --upgrade 'setuptools<45.0.0' +test-env/Scripts/pip install --upgrade setuptools # Fool GYP. touch "${VSPATH}/VC/vcvarsall.bat" export GYP_MSVS_OVERRIDE_PATH="${VSPATH}" @@ -38,7 +38,7 @@ if [[ -f nss/nspr.patch && "$ALLOW_NSPR_PATCH" == "1" ]]; then fi # Build with gyp. -./nss/build.sh -g -v --enable-libpkix -Denable_draft_hpke=1 "$@" +./nss/build.sh -g -v --enable-libpkix "$@" # Package. 7z a public/build/dist.7z dist |