diff --git a/security/nss/cmd/lib/derprint.c b/security/nss/cmd/lib/derprint.c index 285eb036..75811df3 100644 --- a/security/nss/cmd/lib/derprint.c +++ b/security/nss/cmd/lib/derprint.c @@ -503,10 +503,9 @@ prettyPrintItem(FILE *out, const unsigned char *data, const unsigned char *end, data += lenLen; /* - * Just quit now if slen more bytes puts us off the end, - * or if there's no more data to process. + * Just quit now if slen more bytes puts us off the end. */ - if ((data + slen) >= end) { + if ((data + slen) > end) { PORT_SetError(SEC_ERROR_BAD_DER); return -1; } diff --git a/security/nss/cmd/modutil/install-ds.c b/security/nss/cmd/modutil/install-ds.c index efa3c168..2ae376dd 100644 --- a/security/nss/cmd/modutil/install-ds.c +++ b/security/nss/cmd/modutil/install-ds.c @@ -1470,7 +1470,6 @@ Pk11Install_Pair_delete(Pk11Install_Pair* _this) { PR_Free(_this->key); Pk11Install_ValueList_delete(_this->list); - PR_Free(_this->list); } /*************************************************************************/ diff --git a/security/nss/cmd/modutil/pk11.c b/security/nss/cmd/modutil/pk11.c index d630e4ee..c0a6ccb7 100644 --- a/security/nss/cmd/modutil/pk11.c +++ b/security/nss/cmd/modutil/pk11.c @@ -712,6 +712,8 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile) newpw2 = SECU_GetPasswordString(NULL, "Re-enter new password: "); if(strcmp(newpw, newpw2)) { PR_fprintf(PR_STDOUT, msgStrings[PW_MATCH_MSG]); + PORT_ZFree(newpw, strlen(newpw)); + PORT_ZFree(newpw2, strlen(newpw2)); } else { matching = PR_TRUE; } @@ -738,16 +740,13 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile) loser: if(oldpw) { - memset(oldpw, 0, strlen(oldpw)); - PORT_Free(oldpw); + PORT_ZFree(oldpw, strlen(oldpw)); } if(newpw) { - memset(newpw, 0, strlen(newpw)); - PORT_Free(newpw); + PORT_ZFree(newpw, strlen(newpw)); } if(newpw2) { - memset(newpw2, 0, strlen(newpw2)); - PORT_Free(newpw2); + PORT_ZFree(newpw2, strlen(newpw2)); } PK11_FreeSlot(slot); 
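Review bot: The bounds test `(data + slen) > end` in prettyPrintItem still forms the pointer `data + slen` before comparing, so a length read from the DER input that exceeds the remaining buffer produces an out-of-range pointer. That is undefined behaviour in C, and if the address wraps the sum can compare below `end`. Comparing lengths instead avoids it: `if (slen > (size_t)(end - data)) {`, with the cast matched to the type of `slen`, which the hunk does not show, and assuming `data <= end` holds here. The function body continues outside the hunk, so whether later code copes with an item that ends exactly at `end` needs checking there.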
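Review bot: In the mismatch branch of ChangePW, `newpw` and `newpw2` still point at freed memory after the two added `PORT_ZFree` calls, while the `loser:` block in the next hunk runs `strlen` on, and frees, every one of the three pointers that is non-NULL. If any path between the mismatch and the next successful assignment jumps to `loser`, that is a use-after-free and a double free of password buffers; this is inferred, because the loop body is outside the hunk. Adding `newpw = newpw2 = NULL;` directly after the two frees closes it. The context line `strcmp(newpw, newpw2)` also runs with no visible NULL check on `newpw2`, so a failed second prompt would be dereferenced there.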
diff --git a/security/nss/coreconf/Darwin.mk b/security/nss/coreconf/Darwin.mk index 786825c7..9c992289 100644 --- a/security/nss/coreconf/Darwin.mk +++ b/security/nss/coreconf/Darwin.mk @@ -4,6 +4,7 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. include $(CORE_DEPTH)/coreconf/UNIX.mk +include $(CORE_DEPTH)/coreconf/Werror.mk DEFAULT_COMPILER = gcc @@ -81,27 +82,7 @@ endif # definitions so that the linker can catch multiply-defined symbols. # Also, common symbols are not allowed with Darwin dynamic libraries. -OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) -Wall -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS) - -ifeq (clang,$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q')) -NSS_HAS_GCC48 = true -endif -ifndef NSS_HAS_GCC48 -NSS_HAS_GCC48 := $(shell \ - [ `$(CC) -dumpversion | cut -f 1 -d . -` -gt 4 -a \ - `$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \ - `$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \ - echo true || echo false) -export NSS_HAS_GCC48 -endif -ifeq (true,$(NSS_HAS_GCC48)) -OS_CFLAGS += -Werror -else -# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions. -# Use this to disable use of that #pragma and the warnings it suppresses. -OS_CFLAGS += -DNSS_NO_GCC48 -Wno-unused-variable -Wno-strict-aliasing -$(warning Unable to find gcc >= 4.8 disabling -Werror) -endif +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(WARNING_CFLAGS) -fno-common -pipe -DDARWIN -DHAVE_STRERROR -DHAVE_BSD_FLOCK $(DARWIN_SDK_CFLAGS) ifdef BUILD_OPT ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) diff --git a/security/nss/coreconf/Linux.mk b/security/nss/coreconf/Linux.mk index 0e083f14..dfe29ae9 100644 --- a/security/nss/coreconf/Linux.mk +++ b/security/nss/coreconf/Linux.mk @@ -4,6 +4,7 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. include $(CORE_DEPTH)/coreconf/UNIX.mk +include $(CORE_DEPTH)/coreconf/Werror.mk # # The default implementation strategy for Linux is now pthreads 
@@ -36,9 +37,12 @@ endif ANDROID_TOOLCHAIN=$(ANDROID_NDK)/toolchains/$(ANDROID_TARGET)/prebuilt/linux-x86 ANDROID_SYSROOT=$(ANDROID_NDK)/platforms/android-$(OS_TARGET_RELEASE)/arch-$(OS_TEST) ANDROID_CC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-gcc + ANDROID_CCC=$(ANDROID_TOOLCHAIN)/bin/$(ANDROID_PREFIX)-g++ + NSS_DISABLE_GTESTS=1 # internal tools need to be built with the native compiler ifndef INTERNAL_TOOLS CC = $(ANDROID_CC) --sysroot=$(ANDROID_SYSROOT) + CCC = $(ANDROID_CCC) --sysroot=$(ANDROID_SYSROOT) DEFAULT_COMPILER=$(ANDROID_PREFIX)-gcc ARCHFLAG = --sysroot=$(ANDROID_SYSROOT) DEFINES += -DNO_SYSINFO -DNO_FORK_CHECK -DANDROID 
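Review bot: `CC` and `CCC` are switched to the Android toolchain in this block, but the first hunk of Linux.mk includes Werror.mk near the top of the file, and Werror.mk sets `CC_NAME` and `CC_VERSION` with immediately expanded `$(shell $(CC) ...)` calls. Those probes, and the `ifeq ($(CC_NAME),clang)` branches that depend on them, therefore describe whatever `CC` is at include time rather than the cross compiler chosen here. `COMPILER_TAG := _$(CC_NAME)` in the later hunk inherits the same value. Android is forced to `NSS_ENABLE_WERROR = 0` through `OS_TARGET`, so -Werror itself is unaffected, but the compiler tag and the clang-specific flags can be wrong. Moving `include $(CORE_DEPTH)/coreconf/Werror.mk` below the `CC`/`CCC` assignments would fix the ordering; any default `CC` set elsewhere in Linux.mk is outside these hunks and should be checked as well.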
@@ -129,49 +133,16 @@ endif endif ifndef COMPILER_TAG -COMPILER_TAG = _$(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q') -CCC_COMPILER_TAG = _$(shell $(CCC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q') +COMPILER_TAG := _$(CC_NAME) endif ifeq ($(USE_PTHREADS),1) OS_PTHREAD = -lpthread endif -OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR +OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) $(WARNING_CFLAGS) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR OS_LIBS = $(OS_PTHREAD) -ldl -lc -ifeq ($(COMPILER_TAG),_clang) -# -Qunused-arguments : clang objects to arguments that it doesn't understand -# and fixing this would require rearchitecture -# -Wno-parentheses-equality : because clang warns about macro expansions -OS_CFLAGS += -Qunused-arguments -Wno-parentheses-equality -ifdef BUILD_OPT -# clang is unable to handle glib's expansion of strcmp and similar for optimized -# builds, so ignore the resulting errors. -# See https://llvm.org/bugs/show_bug.cgi?id=20144 -OS_CFLAGS += -Wno-array-bounds -Wno-unevaluated-expression -endif -# Clang reports its version as an older gcc, but it's OK -NSS_HAS_GCC48 = true -endif - -ifndef NSS_HAS_GCC48 -NSS_HAS_GCC48 := $(shell \ - [ `$(CC) -dumpversion | cut -f 1 -d . -` -gt 4 -a \ - `$(CC) -dumpversion | cut -f 2 -d . -` -ge 8 -o \ - `$(CC) -dumpversion | cut -f 1 -d . -` -ge 5 ] && \ - echo true || echo false) -export NSS_HAS_GCC48 -endif -ifeq (true,$(NSS_HAS_GCC48)) -OS_CFLAGS += -Werror -else -# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions. -# Use this to disable use of that #pragma and the warnings it suppresses. -OS_CFLAGS += -DNSS_NO_GCC48 -$(warning Unable to find gcc >= 4.8 disabling -Werror) -endif - ifdef USE_PTHREADS DEFINES += -D_REENTRANT endif diff --git a/security/nss/coreconf/WIN32.mk b/security/nss/coreconf/WIN32.mk index b73e815c..7f810fd3 100644 
--- a/security/nss/coreconf/WIN32.mk +++ b/security/nss/coreconf/WIN32.mk @@ -113,19 +113,25 @@ ifdef NS_USE_GCC else OPTIMIZER += -O2 endif - DEFINES += -UDEBUG -U_DEBUG -DNDEBUG + DEFINES += -UDEBUG -DNDEBUG else OPTIMIZER += -g NULLSTRING := SPACE := $(NULLSTRING) # end of the line USERNAME := $(subst $(SPACE),_,$(USERNAME)) USERNAME := $(subst -,_,$(USERNAME)) - DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME) + DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME) endif else # !NS_USE_GCC OS_CFLAGS += -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \ -D_CRT_NONSTDC_NO_WARNINGS OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS + ifndef NSS_ENABLE_WERROR + NSS_ENABLE_WERROR = 1 + endif + ifeq ($(NSS_ENABLE_WERROR),1) + OS_CFLAGS += -WX + endif ifeq ($(_MSC_VER),$(_MSC_VER_6)) ifndef MOZ_DEBUG_SYMBOLS OS_DLLFLAGS += -PDB:NONE @@ -159,7 +165,7 @@ else # !NS_USE_GCC else OPTIMIZER += -O2 endif - DEFINES += -UDEBUG -U_DEBUG -DNDEBUG + DEFINES += -UDEBUG -DNDEBUG DLLFLAGS += -OUT:$@ ifdef MOZ_DEBUG_SYMBOLS ifdef MOZ_DEBUG_FLAGS @@ -176,7 +182,7 @@ else # !NS_USE_GCC SPACE := $(NULLSTRING) # end of the line USERNAME := $(subst $(SPACE),_,$(USERNAME)) USERNAME := $(subst -,_,$(USERNAME)) - DEFINES += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME) + DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME) DLLFLAGS += -DEBUG -OUT:$@ LDFLAGS += -DEBUG ifeq ($(_MSC_VER),$(_MSC_VER_6)) diff --git a/security/nss/coreconf/Werror.mk b/security/nss/coreconf/Werror.mk new file mode 100644 index 00000000..6e2588ce --- /dev/null +++ b/security/nss/coreconf/Werror.mk 
@@ -0,0 +1,70 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +# This sets warning flags for unix-like operating systems. + +ifndef CC_NAME + CC_NAME := $(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q') + export CC_NAME +endif + +ifndef WARNING_CFLAGS + # This tests to see if enabling the warning is possible before + # setting an option to disable it. + disable_warning = $(shell $(CC) -x c -E -Werror -W$(1) /dev/null >/dev/null 2>&1 && echo -Wno-$(1)) + + WARNING_CFLAGS = -Wall + ifeq ($(CC_NAME),clang) + # -Qunused-arguments : clang objects to arguments that it doesn't understand + # and fixing this would require rearchitecture + WARNING_CFLAGS += -Qunused-arguments + # -Wno-parentheses-equality : because clang warns about macro expansions + OS_CFLAGS += $(call disable_warning,parentheses-equality) + ifdef BUILD_OPT + # clang is unable to handle glib's expansion of strcmp and similar for optimized + # builds, so ignore the resulting errors. 
+ # See https://llvm.org/bugs/show_bug.cgi?id=20144 + WARNING_CFLAGS += $(call disable_warning,array-bounds) + WARNING_CFLAGS += $(call disable_warning,unevaluated-expression) + endif + endif # if clang + + ifndef NSS_ENABLE_WERROR + ifeq ($(OS_TARGET),Android) + # Android lollipop generates the following warning: + # error: call to 'sprintf' declared with attribute warning: + # sprintf is often misused; please use snprintf [-Werror] + # So, just suppress -Werror entirely on Android + NSS_ENABLE_WERROR = 0 + $(warning OS_TARGET is Android, disabling -Werror) + else + ifeq ($(CC_NAME),clang) + # Clang reports its version as an older gcc, but it's OK + NSS_ENABLE_WERROR = 1 + else + CC_VERSION := $(subst ., ,$(shell $(CC) -dumpversion)) + ifneq (,$(filter 4.8 4.9,$(word 1,$(CC_VERSION)).$(word 2,$(CC_VERSION)))) + NSS_ENABLE_WERROR = 1 + endif + ifeq (,$(filter 0 1 2 3 4,$(word 1,$(CC_VERSION)))) + NSS_ENABLE_WERROR = 1 + endif + ifndef NSS_ENABLE_WERROR + $(warning Unable to find gcc 4.8 or greater, disabling -Werror) + NSS_ENABLE_WERROR = 0 + endif + endif + endif + endif #ndef NSS_ENABLE_WERROR + + ifeq ($(NSS_ENABLE_WERROR),1) + WARNING_CFLAGS += -Werror + else + # Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions. + # Use this to disable use of that #pragma and the warnings it suppresses. + WARNING_CFLAGS += -DNSS_NO_GCC48 + endif + export WARNING_CFLAGS +endif # ndef WARNING_CFLAGS diff --git a/security/nss/lib/certhigh/ocspsig.c b/security/nss/lib/certhigh/ocspsig.c index 16cd1e0e..0c4c2019 100644 --- a/security/nss/lib/certhigh/ocspsig.c +++ b/security/nss/lib/certhigh/ocspsig.c @@ -543,7 +543,7 @@ CERT_CreateEncodedOCSPSuccessResponse( done: if (privKey) SECKEY_DestroyPrivateKey(privKey); - if (br->responseSignature.signature.data) + if (br && br->responseSignature.signature.data) SECITEM_FreeItem(&br->responseSignature.signature, PR_FALSE); PORT_FreeArena(tmpArena, PR_FALSE); 
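Review bot: The clang branch appends the parentheses-equality suppression to `OS_CFLAGS` rather than `WARNING_CFLAGS`, and Darwin.mk and Linux.mk in this commit both assign `OS_CFLAGS = ...` with a plain `=` after including this file, which discards that addition. With `-Werror` enabled for clang, the macro-expansion warning the comment mentions would become a build failure again. The line should read `WARNING_CFLAGS += $(call disable_warning,parentheses-equality)`, like the two suppressions under `BUILD_OPT`. Separately, `-DNSS_NO_GCC48` is added whenever `NSS_ENABLE_WERROR` is not 1, which also covers Android and a manual `NSS_ENABLE_WERROR=0` on a recent compiler; a comment stating whether that is intended would help.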
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h index 1d261dff..5ef3a49f 100644 --- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -45,8 +45,8 @@ * of the comment in the CK_VERSION type definition. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 5 -#define NSS_BUILTINS_LIBRARY_VERSION "2.5" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 6 +#define NSS_BUILTINS_LIBRARY_VERSION "2.6" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/security/nss/lib/ckfw/hash.c b/security/nss/lib/ckfw/hash.c index e4f6ce2b..7d21084b 100644 --- a/security/nss/lib/ckfw/hash.c +++ b/security/nss/lib/ckfw/hash.c @@ -85,9 +85,9 @@ nssCKFWHash_Create rv->mutex = nssCKFWInstance_CreateMutex(fwInstance, arena, pError); if (!rv->mutex) { if( CKR_OK == *pError ) { - (void)nss_ZFreeIf(rv); *pError = CKR_GENERAL_ERROR; } + (void)nss_ZFreeIf(rv); return (nssCKFWHash *)NULL; } diff --git a/security/nss/lib/ckfw/object.c b/security/nss/lib/ckfw/object.c index bc829179..661977e6 100644 --- a/security/nss/lib/ckfw/object.c +++ b/security/nss/lib/ckfw/object.c @@ -171,6 +171,7 @@ nssCKFWObject_Create if( CKR_OK == *pError ) { *pError = CKR_GENERAL_ERROR; } + nss_ZFreeIf(fwObject); return (NSSCKFWObject *)NULL; } diff --git a/security/nss/lib/cryptohi/secsign.c b/security/nss/lib/cryptohi/secsign.c index f2bd229f..fa4bf5ff 100644 --- a/security/nss/lib/cryptohi/secsign.c +++ b/security/nss/lib/cryptohi/secsign.c @@ -413,6 +413,7 @@ SGN_Digest(SECKEYPrivateKey *privKey, } result->len = modulusLen; result->data = (unsigned char*) PORT_Alloc(modulusLen); + result->type = siBuffer; if (result->data == NULL) { rv = SECFailure; diff --git a/security/nss/lib/freebl/desblapi.c b/security/nss/lib/freebl/desblapi.c index 6a547af6..04a07cae 100644 --- a/security/nss/lib/freebl/desblapi.c 
+++ b/security/nss/lib/freebl/desblapi.c @@ -22,28 +22,8 @@ #define COPY8B(to, from, ptr) \ HALFPTR(to)[0] = HALFPTR(from)[0]; \ HALFPTR(to)[1] = HALFPTR(from)[1]; -#elif defined(USE_MEMCPY) -#define COPY8B(to, from, ptr) memcpy(to, from, 8) #else -#define COPY8B(to, from, ptr) \ - if (((ptrdiff_t)(ptr) & 0x3) == 0) { \ - HALFPTR(to)[0] = HALFPTR(from)[0]; \ - HALFPTR(to)[1] = HALFPTR(from)[1]; \ - } else if (((ptrdiff_t)(ptr) & 0x1) == 0) { \ - SHORTPTR(to)[0] = SHORTPTR(from)[0]; \ - SHORTPTR(to)[1] = SHORTPTR(from)[1]; \ - SHORTPTR(to)[2] = SHORTPTR(from)[2]; \ - SHORTPTR(to)[3] = SHORTPTR(from)[3]; \ - } else { \ - BYTEPTR(to)[0] = BYTEPTR(from)[0]; \ - BYTEPTR(to)[1] = BYTEPTR(from)[1]; \ - BYTEPTR(to)[2] = BYTEPTR(from)[2]; \ - BYTEPTR(to)[3] = BYTEPTR(from)[3]; \ - BYTEPTR(to)[4] = BYTEPTR(from)[4]; \ - BYTEPTR(to)[5] = BYTEPTR(from)[5]; \ - BYTEPTR(to)[6] = BYTEPTR(from)[6]; \ - BYTEPTR(to)[7] = BYTEPTR(from)[7]; \ - } +#define COPY8B(to, from, ptr) memcpy(to, from, 8) #endif #define COPY8BTOHALF(to, from) COPY8B(to, from, from) #define COPY8BFROMHALF(to, from) COPY8B(to, from, to) diff --git a/security/nss/lib/freebl/intel-gcm.h b/security/nss/lib/freebl/intel-gcm.h index 22f364db..6dfbc3c4 100644 --- a/security/nss/lib/freebl/intel-gcm.h +++ b/security/nss/lib/freebl/intel-gcm.h 
@@ -7,15 +7,15 @@ /* Copyright(c) 2013, Intel Corp. */ /******************************************************************************/ /* Reference: */ -/* [1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication */ +/* [1] Shay Gueron, Michael E. Kounavis: Intel(R) Carry-Less Multiplication */ /* Instruction and its Usage for Computing the GCM Mode (Rev. 2.01) */ /* http://software.intel.com/sites/default/files/article/165685/clmul-wp-r*/ /*ev-2.01-2012-09-21.pdf */ /* [2] S. Gueron, M. E. Kounavis: Efficient Implementation of the Galois */ /* Counter Mode Using a Carry-less Multiplier and a Fast Reduction */ -/* Algorithm. Information Processing Letters 110: 549–553 (2010). */ -/* [3] S. Gueron: AES Performance on the 2nd Generation Intel® Core™ Processor*/ -/* Family (to be posted) (2012). */ +/* Algorithm. Information Processing Letters 110: 549-553 (2010). */ +/* [3] S. Gueron: AES Performance on the 2nd Generation Intel(R) Core(TM) */ +/* Processor Family (to be posted) (2012). */ /* [4] S. Gueron: Fast GHASH computations for speeding up AES-GCM (to be */ /* published) (2012). */ @@ -41,9 +41,9 @@ SECStatus intel_AES_GCM_DecryptUpdate(intel_AES_GCMContext *gcm, unsigned char * const unsigned char *inbuf, unsigned int inlen, unsigned int blocksize); -/* Prorotypes of functions in the assembler file for fast AES-GCM, using +/* Prototypes of functions in the assembler file for fast AES-GCM, using Intel AES-NI and CLMUL-NI, as described in [1] - [1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication + [1] Shay Gueron, Michael E. Kounavis: Intel(R) Carry-Less Multiplication Instruction and its Usage for Computing the GCM Mode */ /* Prepares the constants used in the aggregated reduction method */ diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 2ca262e7..70951fa6 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h 
@@ -26,6 +26,9 @@ #define _NSS_CUSTOMIZED #endif +#undef _NSS_CUSTOMIZED +#define _NSS_CUSTOMIZED " (RetroZilla)" + /* * NSS's major version, minor version, patch level, build number, and whether * this is a beta release. @@ -33,11 +36,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.20.0.1" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.21" _NSS_ECC_STRING _NSS_CUSTOMIZED #define NSS_VMAJOR 3 -#define NSS_VMINOR 20 +#define NSS_VMINOR 21 #define NSS_VPATCH 0 -#define NSS_VBUILD 1 +#define NSS_VBUILD 0 #define NSS_BETA PR_FALSE #ifndef RC_INVOKED diff --git a/security/nss/lib/pk11wrap/pk11akey.c b/security/nss/lib/pk11wrap/pk11akey.c index 1361bc1f..b0604de3 100644 --- a/security/nss/lib/pk11wrap/pk11akey.c +++ b/security/nss/lib/pk11wrap/pk11akey.c @@ -1515,6 +1515,7 @@ PK11_MakeKEAPubKey(unsigned char *keyData,int length) pkData.data = keyData; pkData.len = length; + pkData.type = siBuffer; arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE); if (arena == NULL) diff --git a/security/nss/lib/pkcs12/p12d.c b/security/nss/lib/pkcs12/p12d.c index 51bf0f7f..ac678271 100644 --- a/security/nss/lib/pkcs12/p12d.c +++ b/security/nss/lib/pkcs12/p12d.c @@ -1983,6 +1983,7 @@ gatherNicknames(CERTCertificate *cert, void *arg) tempNick.data = (unsigned char *)cert->nickname; tempNick.len = PORT_Strlen(cert->nickname) + 1; + tempNick.type = siAsciiString; /* do we already have the nickname in the list? */ if(nickArg->nNicks > 0) { diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c index 7c80c568..429ef872 100644 --- a/security/nss/lib/softoken/legacydb/lgattr.c +++ b/security/nss/lib/softoken/legacydb/lgattr.c @@ -1776,6 +1776,7 @@ lg_SetAttributeValue(SDB *sdb, CK_OBJECT_HANDLE handle, if (rv != SECSuccess) { crv = CKR_DEVICE_ERROR; } + PORT_Free(label); } lg_DestroyObjectCache(obj); 
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 434e7bdb..b0e9a6e6 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -3698,6 +3698,7 @@ nsc_SetupHMACKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe) salt.data = (unsigned char *)pbe_params->pSalt; salt.len = (unsigned int)pbe_params->ulSaltLen; + salt.type = siBuffer; rv = SECITEM_CopyItem(arena,¶ms->salt,&salt); if (rv != SECSuccess) { PORT_FreeArena(arena,PR_TRUE); diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index c7adc4bb..c7e25e1b 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -25,11 +25,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.20.0.1" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.21" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 20 +#define SOFTOKEN_VMINOR 21 #define SOFTOKEN_VPATCH 0 -#define SOFTOKEN_VBUILD 1 +#define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index f6b57dee..ead786cf 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -63,7 +63,6 @@ static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss); static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss, const unsigned char *b, unsigned int l); -static SECOidTag ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc); static SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss, ssl3CipherSpec *spec, SSL3Hashes *hashes, @@ -4553,7 +4552,7 @@ static const struct { * If the hash is not recognised, SEC_OID_UNKNOWN is returned. * * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */ -static SECOidTag +SECOidTag ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc) { unsigned int i; 
@@ -9220,6 +9219,7 @@ ssl3_PickSignatureHashAlgorithm(sslSocket *ss, SSLSignatureAndHashAlg* out) { SSLSignType sigAlg; + PRUint32 policy; unsigned int i, j; switch (ss->ssl3.hs.kea_def->kea) { @@ -9271,9 +9271,16 @@ ssl3_PickSignatureHashAlgorithm(sslSocket *ss, for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { const SSLSignatureAndHashAlg *serverPref = &ss->ssl3.signatureAlgorithms[i]; + SECOidTag hashOID; if (serverPref->sigAlg != sigAlg) { continue; } + hashOID = ssl3_TLSHashAlgorithmToOID(serverPref->hashAlg); + if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) + || !(policy & NSS_USE_ALG_IN_SSL_KX)) { + /* we ignore hashes we don't support */ + continue; + } for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) { const SSLSignatureAndHashAlg *clientPref = &ss->ssl3.hs.clientSigAndHash[j]; diff --git a/security/nss/lib/ssl/ssl3ext.c b/security/nss/lib/ssl/ssl3ext.c index e86834a3..cf04abae 100644 --- a/security/nss/lib/ssl/ssl3ext.c +++ b/security/nss/lib/ssl/ssl3ext.c @@ -2410,17 +2410,29 @@ ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) { PRInt32 extension_length; unsigned int i; + PRInt32 pos=0; + PRUint32 policy; PRUint8 buf[MAX_SIGNATURE_ALGORITHMS * 2]; if (ss->version < SSL_LIBRARY_VERSION_TLS_1_2) { return 0; } + for (i=0; i < ss->ssl3.signatureAlgorithmCount; i++) { + SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID( + ss->ssl3.signatureAlgorithms[i].hashAlg); + if ((NSS_GetAlgorithmPolicy(hashOID, & policy) != SECSuccess) || + (policy & NSS_USE_ALG_IN_SSL_KX)) { + buf[pos++] = ss->ssl3.signatureAlgorithms[i].hashAlg; + buf[pos++] = ss->ssl3.signatureAlgorithms[i].sigAlg; + } + } + extension_length = 2 /* extension type */ + 2 /* extension length */ + 2 /* supported_signature_algorithms length */ + - ss->ssl3.signatureAlgorithmCount * 2; + pos; if (maxBytes < extension_length) { PORT_Assert(0); 
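Review bot: The filter added to ssl3_ClientSendSigAlgsXtn keeps a pair when `NSS_GetAlgorithmPolicy` fails, whereas the check added to ssl3_PickSignatureHashAlgorithm in ssl3con.c skips the pair in the same case, so the client can advertise a hash whose policy could not be read. If failing closed is intended on both sides, the condition would be `if (NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess && (policy & NSS_USE_ALG_IN_SSL_KX)) {`; if advertising on lookup failure is deliberate, a comment should say so. When policy removes every entry, `pos` stays 0 and the extension would carry an empty list, which RFC 5246 does not allow for supported_signature_algorithms. Adding `if (pos == 0) return 0;` before `extension_length` is computed would omit the extension instead. The function continues past the end of this hunk.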
@@ -2438,10 +2450,6 @@ ssl3_ClientSendSigAlgsXtn(sslSocket *ss, PRBool append, PRUint32 maxBytes) return -1; } - for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) { - buf[i * 2] = ss->ssl3.signatureAlgorithms[i].hashAlg; - buf[i * 2 + 1] = ss->ssl3.signatureAlgorithms[i].sigAlg; - } rv = ssl3_AppendHandshakeVariable(ss, buf, extension_length - 6, 2); if (rv != SECSuccess) { return -1; diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index aac223f7..de4f64db 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -1954,6 +1954,8 @@ ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label, unsigned int labelLen, const unsigned char *val, unsigned int valLen, unsigned char *out, unsigned int outLen); +extern SECOidTag +ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc); #ifdef TRACE #define SSL_TRACE(msg) ssl_Trace msg diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index df476920..0c8b480f 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,11 +19,11 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.20.0.1" +#define NSSUTIL_VERSION "3.21" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 20 +#define NSSUTIL_VMINOR 21 #define NSSUTIL_VPATCH 0 -#define NSSUTIL_VBUILD 1 +#define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE SEC_BEGIN_PROTOS diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index 5068b238..942abab9 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c 
@@ -1887,14 +1887,14 @@ handleHashAlgSupport(char * envVal) *nextArg++ = '\0'; } } - notEnable = (*arg == '-') ? NSS_USE_ALG_IN_CERT_SIGNATURE : 0; + notEnable = (*arg == '-') ? (NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX) : 0; if ((*arg == '+' || *arg == '-') && *++arg) { int i; for (i = 1; i < SEC_OID_TOTAL; i++) { if (oids[i].desc && strstr(arg, oids[i].desc)) { xOids[i].notPolicyFlags = notEnable | - (xOids[i].notPolicyFlags & ~NSS_USE_ALG_IN_CERT_SIGNATURE); + (xOids[i].notPolicyFlags & ~(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX)); } } } diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index ff0f5276..747450ed 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -476,6 +476,7 @@ struct SECOidDataStr { */ #define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */ #define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */ +#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */ #define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */ /* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
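Review bot: The new flag `NSS_USE_ALG_IN_SSL_KX` (0x00000004) falls inside `NSS_USE_ALG_RESERVED`, which is still 0xfffffffc, while the comment just below says code must not set or clear reserved bits. handleHashAlgSupport in secoid.c, changed in this same commit, now sets and clears exactly that bit. The mask should shrink to match: `#define NSS_USE_ALG_RESERVED 0xfffffff8 /* may be used in future */`. Whether any caller masks policy values with the reserved constant is not visible in these hunks.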