Merge pull request #428 from pabuhler/ci-nss-valgrind

enable valgrind in nss builds

Author: pabuhler

.travis.yml

@@ -9,40 +9,44 @@ env:
 matrix:
   include:
 
-    # default linux build with gcc
+    # linux build
     - os: linux
       env:
-        - TEST="linux gcc"
+        - TEST="linux (gcc / valgrind)"
       addons:
         apt:
           sources:
             - ubuntu-toolchain-r-test
           packages:
-          - gcc-6
+            - gcc-6
+            - valgrind
       script:
         - CC=gcc-6 EXTRA_CFLAGS=-Werror ./configure
         - make
         - make runtest
+        - make runtest-valgrind
 
-    # linux build with openssl and gcc
+    # linux build with openssl
     - os: linux
       env:
-        - TEST="linux gcc (openssl)"
+        - TEST="linux openssl (gcc / valgrind)"
       addons:
         apt:
           sources:
             - ubuntu-toolchain-r-test
           packages:
             - gcc-6
+            - valgrind
       script:
         - CC=gcc-6 EXTRA_CFLAGS=-Werror ./configure --enable-openssl
         - make
         - make runtest
+        - make runtest-valgrind
 
     # linux build with openssl and clang
     - os: linux
       env:
-        - TEST="linux clang (openssl)"
+        - TEST="linux openssl (clang)"
       addons:
         apt:
           packages:
@@ -55,18 +59,20 @@ matrix:
     # linux build with nss
     - os: linux
       env:
-        - TEST="linux gcc (nss)"
+        - TEST="linux nss (gcc / valgrind)"
       addons:
         apt:
           sources:
             - ubuntu-toolchain-r-test
           packages:
             - gcc-6
+            - valgrind
             - libnss3-dev
       script:
         - CC=gcc-6 EXTRA_CFLAGS=-Werror ./configure --enable-nss
         - make
         - make runtest
+        - make runtest-valgrind
 
     # default osx build with xcode (clang)
     - os: osx
@@ -101,22 +107,6 @@ matrix:
       script:
         - CLANG_FORMAT=clang-format-3.9 ./format.sh -d
 
-    # valgrind
-    - os: linux
-      env:
-        - TEST="valgrind (openssl)"
-      addons:
-        apt:
-          sources:
-            - ubuntu-toolchain-r-test
-          packages:
-            - gcc-6
-            - valgrind
-      script:
-        - CC=gcc-6 ./configure --enable-openssl
-        - make
-        - make runtest-valgrind
-
     # big-endian
     - os: linux
       sudo: true

crypto/cipher/aes_gcm_nss.c

@@ -53,7 +53,6 @@
 #include "err.h" /* for srtp_debug */
 #include "crypto_types.h"
 #include "cipher_types.h"
-#include <nss.h>
 #include <secerr.h>
 #include <nspr.h>
 
@@ -82,6 +81,7 @@ static srtp_err_status_t srtp_aes_gcm_nss_alloc(srtp_cipher_t **c,
                                                 int tlen)
 {
     srtp_aes_gcm_ctx_t *gcm;
+    NSSInitContext *nss;
 
     debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d",
                 key_len);
@@ -99,24 +99,32 @@ static srtp_err_status_t srtp_aes_gcm_nss_alloc(srtp_cipher_t **c,
         return (srtp_err_status_bad_param);
     }
 
-    /* Initialize NSS */
-    if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) {
+    /* Initialize NSS equiv of NSS_NoDB_Init(NULL) */
+    nss = NSS_InitContext("", "", "", "", NULL,
+                          NSS_INIT_READONLY | NSS_INIT_NOCERTDB |
+                              NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN |
+                              NSS_INIT_OPTIMIZESPACE);
+    if (!nss) {
         return (srtp_err_status_cipher_fail);
     }
 
     /* allocate memory a cipher of type aes_gcm */
     *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
     if (*c == NULL) {
+        NSS_ShutdownContext(nss);
         return (srtp_err_status_alloc_fail);
     }
 
     gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t));
     if (gcm == NULL) {
+        NSS_ShutdownContext(nss);
         srtp_crypto_free(*c);
         *c = NULL;
         return (srtp_err_status_alloc_fail);
     }
 
+    gcm->nss = nss;
+
     /* set pointers */
     (*c)->state = gcm;
 
@@ -161,6 +169,11 @@ static srtp_err_status_t srtp_aes_gcm_nss_dealloc(srtp_cipher_t *c)
             PK11_FreeSymKey(ctx->key);
         }
 
+        if (ctx->nss) {
+            NSS_ShutdownContext(ctx->nss);
+            ctx->nss = NULL;
+        }
+
         /* zeroize the key material */
         octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t));
         srtp_crypto_free(ctx);

crypto/cipher/aes_icm_nss.c

@@ -52,7 +52,6 @@
 #include "err.h" /* for srtp_debug */
 #include "alloc.h"
 #include "cipher_types.h"
-#include <nss.h>
 
 srtp_debug_module_t srtp_mod_aes_icm = {
     0,            /* debugging is off by default */
@@ -106,6 +105,7 @@ static srtp_err_status_t srtp_aes_icm_nss_alloc(srtp_cipher_t **c,
                                                 int tlen)
 {
     srtp_aes_icm_ctx_t *icm;
+    NSSInitContext *nss;
 
     debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d",
                 key_len);
@@ -119,26 +119,33 @@ static srtp_err_status_t srtp_aes_icm_nss_alloc(srtp_cipher_t **c,
         return srtp_err_status_bad_param;
     }
 
-    /* Initialize NSS */
-    if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) {
+    /* Initialize NSS equiv of NSS_NoDB_Init(NULL) */
+    nss = NSS_InitContext("", "", "", "", NULL,
+                          NSS_INIT_READONLY | NSS_INIT_NOCERTDB |
+                              NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN |
+                              NSS_INIT_OPTIMIZESPACE);
+    if (!nss) {
         return (srtp_err_status_cipher_fail);
     }
 
     /* allocate memory a cipher of type aes_icm */
     *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
     if (*c == NULL) {
+        NSS_ShutdownContext(nss);
         return srtp_err_status_alloc_fail;
     }
 
     icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t));
     if (icm == NULL) {
+        NSS_ShutdownContext(nss);
         srtp_crypto_free(*c);
         *c = NULL;
         return srtp_err_status_alloc_fail;
     }
 
     icm->key = NULL;
     icm->ctx = NULL;
+    icm->nss = nss;
 
     /* set pointers */
     (*c)->state = icm;
@@ -188,6 +195,11 @@ static srtp_err_status_t srtp_aes_icm_nss_dealloc(srtp_cipher_t *c)
             ctx->ctx = NULL;
         }
 
+        if (ctx->nss) {
+            NSS_ShutdownContext(ctx->nss);
+            ctx->nss = NULL;
+        }
+
         /* zeroize everything */
         octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t));
         srtp_crypto_free(ctx);

crypto/include/aes_gcm.h

@@ -66,6 +66,7 @@ typedef struct {
 
 #ifdef NSS
 
+#include <nss.h>
 #include <pk11pub.h>
 
 #define MAX_AD_SIZE 2048
@@ -74,6 +75,7 @@ typedef struct {
     int key_size;
     int tag_size;
     srtp_cipher_direction_t dir;
+    NSSInitContext *nss;
     PK11SymKey *key;
     uint8_t iv[12];
     uint8_t aad[MAX_AD_SIZE];

crypto/include/aes_icm_ext.h

@@ -65,13 +65,15 @@ typedef struct {
 
 #ifdef NSS
 
+#include <nss.h>
 #include <pk11pub.h>
 
 typedef struct {
     v128_t counter;
     v128_t offset;
     int key_size;
     uint8_t iv[16];
+    NSSInitContext *nss;
     PK11SymKey *key;
     PK11Context *ctx;
 } srtp_aes_icm_ctx_t;