From ab1060037931158d3a8bf4c8f9f6cb4dbfe916e9 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 14 Aug 2018 07:52:35 +0200 Subject: Update NSS to 3.38 - Added HACL*Poly1305 32-bit (INRIA/Microsoft) - Updated to final TLS 1.3 draft version (28) - Removed TLS 1.3 prerelease draft limit check - Removed NPN code - Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments - Fixed several bugs with TLS 1.3 negotiation - Updated internal certificate store - Added support for the TLS Record Size Limit Extension. - Fixed CVE-2018-0495 - Various security fixes in the ASN.1 code. --- security/nss/cmd/signtool/javascript.c | 8 ++-- security/nss/cmd/signtool/sign.c | 68 +++++++++++++++++----------------- security/nss/cmd/signtool/zip.c | 4 +- 3 files changed, 41 insertions(+), 39 deletions(-) (limited to 'security/nss/cmd/signtool') diff --git a/security/nss/cmd/signtool/javascript.c b/security/nss/cmd/signtool/javascript.c index ffff2db59..58869aa61 100644 --- a/security/nss/cmd/signtool/javascript.c +++ b/security/nss/cmd/signtool/javascript.c @@ -1300,7 +1300,6 @@ extract_js(char *filename) * Now we have a stream of tags and text. Go through and deal with each. */ for (curitem = head; curitem; curitem = curitem->next) { - TagItem *tagp = NULL; AVPair *pairp = NULL; char *src = NULL, *id = NULL, *codebase = NULL; PRBool hasEventHandler = PR_FALSE; @@ -1669,11 +1668,14 @@ loser: * Returns PR_SUCCESS if the directory is present, PR_FAILURE otherwise. */ static PRStatus -ensureExists(char *base, char *path) +ensureExists(char *basepath, char *path) { char fn[FNSIZE]; PRDir *dir; - sprintf(fn, "%s/%s", base, path); + int c = snprintf(fn, sizeof(fn), "%s/%s", basepath, path); + if (c >= sizeof(fn)) { + return PR_FAILURE; + } /*PR_fprintf(outputFD, "Trying to open directory %s.\n", fn);*/ diff --git a/security/nss/cmd/signtool/sign.c b/security/nss/cmd/signtool/sign.c index 6f8e43946..534530947 100644 --- a/security/nss/cmd/signtool/sign.c 
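Review bot: The new truncation check in ensureExists (javascript.c, hunk at -1669) compares a signed `int` with `sizeof(fn)`, so a negative snprintf return is rejected only because the implicit conversion to size_t makes it large. Writing it as `if (c < 0 || (size_t)c >= sizeof(fn)) {` makes the error case explicit and avoids a sign-compare warning. The same kind of fixed-size FNSIZE buffer is still filled without a bound in generate_SF_file in sign.c, where the hunk at -707 keeps `strcpy(whofile, who);` into `char whofile[FNSIZE]`. If `who` can reach FNSIZE bytes or more, a matching guard such as `if (strlen(who) >= sizeof(whofile)) { ... exit(ERRX); }` before the copy would close that remaining overflow. ensureExists continues past the end of its hunk, so the later use of `fn` is not visible here.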
+++ b/security/nss/cmd/signtool/sign.c @@ -175,16 +175,16 @@ typedef struct { * */ int -SignAllArc(char *jartree, char *keyName, int javascript, char *metafile, - char *install_script, int optimize, PRBool recurse) +SignAllArc(char *jartree, char *keyName, int javascript, char *metafilename, + char *install_script, int optimize_level, PRBool recurse) { SignArcInfo info; info.keyName = keyName; info.javascript = javascript; - info.metafile = metafile; + info.metafile = metafilename; info.install_script = install_script; - info.optimize = optimize; + info.optimize = optimize_level; return foreach (jartree, "", sign_all_arc_fn, recurse, PR_TRUE /*include dirs*/, (void *)&info); @@ -194,7 +194,7 @@ static int sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename, void *arg) { - char *zipfile = NULL; + char *zipfilename = NULL; char *arc = NULL, *archive = NULL; int retval = 0; SignArcInfo *infop = (SignArcInfo *)arg; @@ -212,8 +212,8 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename, } archive = PR_smprintf("%s/%s", basedir, relpath); - zipfile = PL_strdup(archive); - arc = PORT_Strrchr(zipfile, '.'); + zipfilename = PL_strdup(archive); + arc = PORT_Strrchr(zipfilename, '.'); if (arc == NULL) { PR_fprintf(errorFD, "%s: Internal failure\n", PROGRAM_NAME); @@ -225,17 +225,17 @@ sign_all_arc_fn(char *relpath, char *basedir, char *reldir, char *filename, PL_strcpy(arc, ".jar"); if (verbosity >= 0) { - PR_fprintf(outputFD, "\nsigning: %s\n", zipfile); + PR_fprintf(outputFD, "\nsigning: %s\n", zipfilename); } - retval = SignArchive(archive, infop->keyName, zipfile, + retval = SignArchive(archive, infop->keyName, zipfilename, infop->javascript, infop->metafile, infop->install_script, infop->optimize, PR_TRUE /* recurse */); } finish: if (archive) PR_Free(archive); - if (zipfile) - PR_Free(zipfile); + if (zipfilename) + PR_Free(zipfilename); return retval; } 
@@ -707,8 +707,8 @@ SignFile(FILE *outFile, FILE *inFile, CERTCertificate *cert) static int generate_SF_file(char *manifile, char *who) { - FILE *sf; - FILE *mf; + FILE *sfFile; + FILE *mfFile; long r1, r2, r3; char whofile[FNSIZE]; char *buf, *name = NULL; @@ -718,12 +718,12 @@ generate_SF_file(char *manifile, char *who) strcpy(whofile, who); - if ((mf = fopen(manifile, "rb")) == NULL) { + if ((mfFile = fopen(manifile, "rb")) == NULL) { perror(manifile); exit(ERRX); } - if ((sf = fopen(whofile, "wb")) == NULL) { + if ((sfFile = fopen(whofile, "wb")) == NULL) { perror(who); exit(ERRX); } @@ -736,11 +736,11 @@ generate_SF_file(char *manifile, char *who) if (buf == NULL || name == NULL) out_of_memory(); - fprintf(sf, "Signature-Version: 1.0\n"); - fprintf(sf, "Created-By: %s\n", CREATOR); - fprintf(sf, "Comments: %s\n", BREAKAGE); + fprintf(sfFile, "Signature-Version: 1.0\n"); + fprintf(sfFile, "Created-By: %s\n", CREATOR); + fprintf(sfFile, "Comments: %s\n", BREAKAGE); - if (fgets(buf, BUFSIZ, mf) == NULL) { + if (fgets(buf, BUFSIZ, mfFile) == NULL) { PR_fprintf(errorFD, "%s: empty manifest file!\n", PROGRAM_NAME); errorCount++; exit(ERRX); @@ -752,15 +752,15 @@ generate_SF_file(char *manifile, char *who) exit(ERRX); } - fseek(mf, 0L, SEEK_SET); + fseek(mfFile, 0L, SEEK_SET); /* Process blocks of headers, and calculate their hashen */ while (1) { /* Beginning range */ - r1 = ftell(mf); + r1 = ftell(mfFile); - if (fgets(name, BUFSIZ, mf) == NULL) + if (fgets(name, BUFSIZ, mfFile) == NULL) break; line++; 
@@ -774,46 +774,46 @@ generate_SF_file(char *manifile, char *who) } r2 = r1; - while (fgets(buf, BUFSIZ, mf)) { + while (fgets(buf, BUFSIZ, mfFile)) { if (*buf == 0 || *buf == '\n' || *buf == '\r') break; line++; /* Ending range for hashing */ - r2 = ftell(mf); + r2 = ftell(mfFile); } - r3 = ftell(mf); + r3 = ftell(mfFile); if (r1) { - fprintf(sf, "\n"); - fprintf(sf, "%s", name); + fprintf(sfFile, "\n"); + fprintf(sfFile, "%s", name); } - calculate_MD5_range(mf, r1, r2, &dig); + calculate_MD5_range(mfFile, r1, r2, &dig); if (optimize == 0) { - fprintf(sf, "Digest-Algorithms: MD5 SHA1\n"); + fprintf(sfFile, "Digest-Algorithms: MD5 SHA1\n"); md5 = BTOA_DataToAscii(dig.md5, MD5_LENGTH); - fprintf(sf, "MD5-Digest: %s\n", md5); + fprintf(sfFile, "MD5-Digest: %s\n", md5); PORT_Free(md5); } sha1 = BTOA_DataToAscii(dig.sha1, SHA1_LENGTH); - fprintf(sf, "SHA1-Digest: %s\n", sha1); + fprintf(sfFile, "SHA1-Digest: %s\n", sha1); PORT_Free(sha1); /* restore normalcy after changing offset position */ - fseek(mf, r3, SEEK_SET); + fseek(mfFile, r3, SEEK_SET); } PORT_Free(buf); PORT_Free(name); - fclose(sf); - fclose(mf); + fclose(sfFile); + fclose(mfFile); return 0; } diff --git a/security/nss/cmd/signtool/zip.c b/security/nss/cmd/signtool/zip.c index 35d5f5733..aeb5d6c54 100644 --- a/security/nss/cmd/signtool/zip.c +++ b/security/nss/cmd/signtool/zip.c @@ -129,7 +129,7 @@ handle_zerror(int err, char *msg) * been opened with JzipOpen. */ int -JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level) +JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int lvl) { ZIPentry *entry; PRFileDesc *readfp; 
@@ -319,7 +319,7 @@ JzipAdd(char *fullname, char *filename, ZIPfile *zipfile, int compression_level) * It causes zlib to leave out its headers and footers, which don't * work in PKZIP files. */ - err = deflateInit2(&zstream, compression_level, Z_DEFLATED, + err = deflateInit2(&zstream, lvl, Z_DEFLATED, -MAX_WBITS, 8 /*default*/, Z_DEFAULT_STRATEGY); if (err != Z_OK) { handle_zerror(err, zstream.msg); -- cgit v1.2.3