From f017b749ea9f1586d2308504553d40bf4cc5439d Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Tue, 6 Feb 2018 11:46:26 +0100 Subject: Update NSS to 3.32.1-RTM --- security/nss/lib/certhigh/certhigh.c | 18 ++++++++++++------ security/nss/lib/certhigh/certhtml.c | 25 +++++++++++++++++++++++-- security/nss/lib/certhigh/ocsp.c | 4 ++-- 3 files changed, 37 insertions(+), 10 deletions(-) (limited to 'security/nss/lib/certhigh') diff --git a/security/nss/lib/certhigh/certhigh.c b/security/nss/lib/certhigh/certhigh.c index 55259898b..7ae80b193 100644 --- a/security/nss/lib/certhigh/certhigh.c +++ b/security/nss/lib/certhigh/certhigh.c @@ -11,6 +11,7 @@ #include "cert.h" #include "certxutl.h" +#include "certi.h" #include "nsspki.h" #include "pki.h" #include "pkit.h" @@ -289,7 +290,7 @@ CERT_FindUserCertByUsage(CERTCertDBHandle *handle, goto loser; } - if (!CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) { + if (!CERT_LIST_EMPTY(certList)) { cert = CERT_DupCertificate(CERT_LIST_HEAD(certList)->cert); } @@ -872,6 +873,7 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool PRBool isca; char *nickname; unsigned int certtype; + PRBool istemp = PR_FALSE; handle = CERT_GetDefaultCertDB(); @@ -949,7 +951,11 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool } /* if the cert is temp, make it perm; otherwise we're done */ - if (cert->istemp) { + rv = CERT_GetCertIsTemp(cert, &istemp); + if (rv != SECSuccess) { + goto loser; + } + if (istemp) { /* get a default nickname for it */ nickname = CERT_MakeCANickname(cert); @@ -963,9 +969,6 @@ cert_ImportCAChain(SECItem *certs, int numcerts, SECCertUsage certUsage, PRBool rv = SECSuccess; } - CERT_DestroyCertificate(cert); - cert = NULL; - if (rv != SECSuccess) { goto loser; } @@ -1080,7 +1083,10 @@ CERT_CertChainFromCert(CERTCertificate *cert, SECCertUsage usage, derCert.len = (unsigned int)stanCert->encoding.size; derCert.data = (unsigned char *)stanCert->encoding.data; derCert.type = siBuffer; - SECITEM_CopyItem(arena, &chain->certs[i], &derCert); + if (SECITEM_CopyItem(arena, &chain->certs[i], &derCert) != SECSuccess) { + CERT_DestroyCertificate(cCert); + goto loser; + } stanCert = stanChain[++i]; if (!stanCert && !cCert->isRoot) { /* reached the end of the chain, but the final cert is diff --git a/security/nss/lib/certhigh/certhtml.c b/security/nss/lib/certhigh/certhtml.c index a522f6925..2d708cc95 100644 --- a/security/nss/lib/certhigh/certhtml.c +++ b/security/nss/lib/certhigh/certhtml.c @@ -102,6 +102,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += cn->len; + // cn will always have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_COUNTRY_NAME: if (country) { @@ -112,6 +114,10 @@ CERT_FormatName(CERTName *name) goto loser; } len += country->len; + // country may have COMMA after it (if we over-count len, + // that's fine - we'll just allocate a buffer larger than we + // need) + len += COMMALEN; break; case SEC_OID_AVA_LOCALITY: if (loc) { @@ -122,6 +128,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += loc->len; + // loc may have COMMA after it + len += COMMALEN; break; case SEC_OID_AVA_STATE_OR_PROVINCE: if (state) { @@ -132,6 +140,9 @@ CERT_FormatName(CERTName *name) goto loser; } len += state->len; + // state currently won't have COMMA after it, but this is a + // (probably vain) attempt to future-proof this code + len += COMMALEN; break; case SEC_OID_AVA_ORGANIZATION_NAME: if (org) { @@ -142,6 +153,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += org->len; + // org will have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_DN_QUALIFIER: if (dq) { @@ -152,6 +165,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += dq->len; + // dq will have BREAK after it + len += BREAKLEN; break; case SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME: if (ou_count < MAX_OUS) { @@ -160,6 +175,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += orgunit[ou_count++]->len; + // each ou will have BREAK after it + len += BREAKLEN; } break; case SEC_OID_AVA_DC: @@ -169,6 +186,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += dc[dc_count++]->len; + // each dc will have BREAK after it + len += BREAKLEN; } break; case SEC_OID_PKCS9_EMAIL_ADDRESS: @@ -181,6 +200,8 @@ CERT_FormatName(CERTName *name) goto loser; } len += email->len; + // email will have BREAK after it + len += BREAKLEN; break; default: break; @@ -188,8 +209,8 @@ CERT_FormatName(CERTName *name) } } - /* XXX - add some for formatting */ - len += 128; + // there may be a final BREAK + len += BREAKLEN; /* allocate buffer */ buf = (char *)PORT_Alloc(len); diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c index 10485137b..cea845660 100644 --- a/security/nss/lib/certhigh/ocsp.c +++ b/security/nss/lib/certhigh/ocsp.c @@ -2195,7 +2195,7 @@ SetRequestExts(void *object, CERTCertExtension **exts) request->tbsRequest->requestExtensions = exts; } -#if defined(__GNUC__) +#if defined(__GNUC__) && !defined(NSS_NO_GCC48) #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wvarargs" #endif @@ -2265,7 +2265,7 @@ loser: (void)CERT_FinishExtensions(extHandle); return rv; } -#if defined(__GNUC__) +#if defined(__GNUC__) && !defined(NSS_NO_GCC48) #pragma GCC diagnostic pop #endif -- cgit v1.2.3