From e10349ab8dda8a3f11be6aa19f2b6e29fe814044 Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Fri, 23 Feb 2018 11:04:39 +0100 Subject: Update NSS to 3.35-RTM --- security/nss/lib/util/nssb64d.c | 2 +- security/nss/lib/util/nssrwlk.c | 2 + security/nss/lib/util/nssutil.def | 16 ++++ security/nss/lib/util/nssutil.h | 6 +- security/nss/lib/util/pkcs11uri.c | 2 +- security/nss/lib/util/quickder.c | 3 +- security/nss/lib/util/secasn1d.c | 4 +- security/nss/lib/util/secoid.c | 20 ++-- security/nss/lib/util/secport.c | 62 ++++++++++++ security/nss/lib/util/secport.h | 7 ++ security/nss/lib/util/utilmod.c | 190 +++++++++++++++++++++++++++++++++++-- security/nss/lib/util/utilpars.c | 7 +- security/nss/lib/util/utilpars.h | 6 ++ security/nss/lib/util/utilparst.h | 2 +- security/nss/lib/util/utilrename.h | 2 + 15 files changed, 294 insertions(+), 37 deletions(-) (limited to 'security/nss/lib/util') diff --git a/security/nss/lib/util/nssb64d.c b/security/nss/lib/util/nssb64d.c index 886ce21c0..e4bb20a3e 100644 --- a/security/nss/lib/util/nssb64d.c +++ b/security/nss/lib/util/nssb64d.c @@ -249,7 +249,7 @@ pl_base64_decode_buffer(PLBase64Decoder *data, const unsigned char *in, } i = 0; - PR_ASSERT((out - data->output_buffer + 3) <= data->output_buflen); + PR_ASSERT((PRUint32)(out - data->output_buffer + 3) <= data->output_buflen); /* * Assume we are not at the end; the following function only works diff --git a/security/nss/lib/util/nssrwlk.c b/security/nss/lib/util/nssrwlk.c index dbaeca24b..5af021762 100644 --- a/security/nss/lib/util/nssrwlk.c +++ b/security/nss/lib/util/nssrwlk.c @@ -120,6 +120,8 @@ NSSRWLock_Destroy(NSSRWLock *rwlock) { PR_ASSERT(rwlock != NULL); PR_ASSERT(rwlock->rw_waiting_readers == 0); + PR_ASSERT(rwlock->rw_writer_locks == 0); + PR_ASSERT(rwlock->rw_reader_locks == 0); /* XXX Shouldn't we lock the PZLock before destroying this?? */ diff --git a/security/nss/lib/util/nssutil.def b/security/nss/lib/util/nssutil.def index f4b9ef7ba..936455f6e 100644 --- a/security/nss/lib/util/nssutil.def +++ b/security/nss/lib/util/nssutil.def @@ -307,3 +307,19 @@ PK11URI_GetQueryAttribute; ;+ local: ;+ *; ;+}; +;+NSSUTIL_3.33 { # NSS Utilities 3.33 release +;+ global: +PORT_ZAllocAligned_Util; +PORT_ZAllocAlignedOffset_Util; +NSS_SecureMemcmpZero; +;+ local: +;+ *; +;+}; +;-NSSUTIL_3.35 { # NSS Utilities 3.35 release +;- global: +;-# private exports for softoken +_NSSUTIL_UTF8ToWide;- +_NSSUTIL_Access;- +;- local: +;- *; +;-}; diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index e8cb52aed..f86dfa91e 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,10 +19,10 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.32.1" +#define NSSUTIL_VERSION "3.35" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 32 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VMINOR 35 +#define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff --git a/security/nss/lib/util/pkcs11uri.c b/security/nss/lib/util/pkcs11uri.c index 453440293..94b00171e 100644 --- a/security/nss/lib/util/pkcs11uri.c +++ b/security/nss/lib/util/pkcs11uri.c @@ -242,7 +242,7 @@ static int pk11uri_CompareByPosition(const char *a, const char *b, const char **attr_names, size_t num_attr_names) { - int i, j; + size_t i, j; for (i = 0; i < num_attr_names; i++) { if (strcmp(a, attr_names[i]) == 0) { diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c index 1b474822e..7a6ac1c53 100644 --- a/security/nss/lib/util/quickder.c +++ b/security/nss/lib/util/quickder.c @@ -520,8 +520,7 @@ DecodeGroup(void* dest, if (SECSuccess == rv) { /* allocate room for pointer array and entries */ /* we want to allocate the array even if there is 0 entry */ - entries = (void**)PORT_ArenaZAlloc(arena, sizeof(void*) * - (totalEntries + 1) + /* the extra one is for NULL termination */ + entries = (void**)PORT_ArenaZAlloc(arena, sizeof(void*) * (totalEntries + 1) + /* the extra one is for NULL termination */ subTemplate->size * totalEntries); if (entries) { diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index e6abb5fd5..4c5f0ce4b 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c @@ -2721,9 +2721,7 @@ dump_states(SEC_ASN1DecoderContext *cx) (state == cx->current) ? "STATE" : "State", state->theTemplate, kindBuf); - printf(" %s", (state->place >= 0 && state->place <= notInUse) - ? place_names[state->place] - : "(undefined)"); + printf(" %s", (state->place >= 0 && state->place <= notInUse) ? place_names[state->place] : "(undefined)"); if (!i) printf(", expect 0x%02x", state->expect_tag_number | state->expect_tag_modifiers); diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index da03b7c06..a05621c59 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -1841,13 +1841,11 @@ secoid_FindDynamic(const SECItem *key) { SECOidData *ret = NULL; + NSSRWLock_LockRead(dynOidLock); if (dynOidHash) { - NSSRWLock_LockRead(dynOidLock); - if (dynOidHash) { /* must check it again with lock held. */ - ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key); - } - NSSRWLock_UnlockRead(dynOidLock); + ret = (SECOidData *)PL_HashTableLookup(dynOidHash, key); } + NSSRWLock_UnlockRead(dynOidLock); if (ret == NULL) { PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); } @@ -1866,14 +1864,12 @@ secoid_FindDynamicByTag(SECOidTag tagnum) } tagNumDiff = tagnum - SEC_OID_TOTAL; - if (dynOidTable) { - NSSRWLock_LockRead(dynOidLock); - if (dynOidTable != NULL && /* must check it again with lock held. */ - tagNumDiff < dynOidEntriesUsed) { - dxo = dynOidTable[tagNumDiff]; - } - NSSRWLock_UnlockRead(dynOidLock); + NSSRWLock_LockRead(dynOidLock); + if (dynOidTable != NULL && + tagNumDiff < dynOidEntriesUsed) { + dxo = dynOidTable[tagNumDiff]; } + NSSRWLock_UnlockRead(dynOidLock); if (dxo == NULL) { PORT_SetError(SEC_ERROR_UNRECOGNIZED_OID); } diff --git a/security/nss/lib/util/secport.c b/security/nss/lib/util/secport.c index 01a7d0834..e5bd4c1bb 100644 --- a/security/nss/lib/util/secport.c +++ b/security/nss/lib/util/secport.c @@ -21,6 +21,8 @@ #include "prenv.h" #include "prinit.h" +#include + #ifdef DEBUG #define THREADMARK #endif /* DEBUG */ @@ -119,6 +121,51 @@ PORT_ZAlloc(size_t bytes) return rv; } +/* aligned_alloc is C11. This is an alternative to get aligned memory. */ +void * +PORT_ZAllocAligned(size_t bytes, size_t alignment, void **mem) +{ + size_t x = alignment - 1; + + /* This only works if alignment is a power of 2. */ + if ((alignment == 0) || (alignment & (alignment - 1))) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + if (!mem) { + return NULL; + } + + /* Always allocate a non-zero amount of bytes */ + *mem = PORT_ZAlloc((bytes ? bytes : 1) + x); + if (!*mem) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + + return (void *)(((uintptr_t)*mem + x) & ~(uintptr_t)x); +} + +void * +PORT_ZAllocAlignedOffset(size_t size, size_t alignment, size_t offset) +{ + PORT_Assert(offset < size); + if (offset > size) { + return NULL; + } + + void *mem = NULL; + void *v = PORT_ZAllocAligned(size, alignment, &mem); + if (!v) { + return NULL; + } + + PORT_Assert(mem); + *((void **)((uintptr_t)v + offset)) = mem; + return v; +} + void PORT_Free(void *ptr) { @@ -733,3 +780,18 @@ NSS_SecureMemcmp(const void *ia, const void *ib, size_t n) return r; } + +/* + * Perform a constant-time check if a memory region is all 0. The return value + * is 0 if the memory region is all zero. + */ +unsigned int +NSS_SecureMemcmpZero(const void *mem, size_t n) +{ + PRUint8 zero = 0; + size_t i; + for (i = 0; i < n; ++i) { + zero |= *(PRUint8 *)((uintptr_t)mem + i); + } + return zero; +} diff --git a/security/nss/lib/util/secport.h b/security/nss/lib/util/secport.h index fb9ff4ebb..f1665a2f5 100644 --- a/security/nss/lib/util/secport.h +++ b/security/nss/lib/util/secport.h @@ -45,6 +45,7 @@ #include #include #include +#include #include "prtypes.h" #include "prlog.h" /* for PR_ASSERT */ #include "plarena.h" @@ -88,6 +89,9 @@ SEC_BEGIN_PROTOS extern void *PORT_Alloc(size_t len); extern void *PORT_Realloc(void *old, size_t len); extern void *PORT_ZAlloc(size_t len); +extern void *PORT_ZAllocAligned(size_t bytes, size_t alignment, void **mem); +extern void *PORT_ZAllocAlignedOffset(size_t bytes, size_t alignment, + size_t offset); extern void PORT_Free(void *ptr); extern void PORT_ZFree(void *ptr, size_t len); extern char *PORT_Strdup(const char *s); @@ -131,6 +135,8 @@ SEC_END_PROTOS #define PORT_CheckSuccess(f) (f) #endif #define PORT_ZNew(type) (type *)PORT_ZAlloc(sizeof(type)) +#define PORT_ZNewAligned(type, alignment, mem) \ + (type *)PORT_ZAllocAlignedOffset(sizeof(type), alignment, offsetof(type, mem)) #define PORT_New(type) (type *)PORT_Alloc(sizeof(type)) #define PORT_ArenaNew(poolp, type) \ (type *)PORT_ArenaAlloc(poolp, sizeof(type)) @@ -246,6 +252,7 @@ sec_port_iso88591_utf8_conversion_function( extern int NSS_PutEnv(const char *envVarName, const char *envValue); extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); +extern unsigned int NSS_SecureMemcmpZero(const void *mem, size_t n); /* * Load a shared library called "newShLibName" in the same directory as diff --git a/security/nss/lib/util/utilmod.c b/security/nss/lib/util/utilmod.c index 971b6c1dc..7d3fcda81 100644 --- a/security/nss/lib/util/utilmod.c +++ b/security/nss/lib/util/utilmod.c @@ -24,6 +24,7 @@ #if defined(_WIN32) #include +#include #endif #ifdef XP_UNIX #include @@ -34,15 +35,184 @@ #include #if defined(_WIN32) -#define os_open _open #define os_fdopen _fdopen -#define os_stat _stat #define os_truncate_open_flags _O_CREAT | _O_RDWR | _O_TRUNC #define os_append_open_flags _O_CREAT | _O_RDWR | _O_APPEND #define os_open_permissions_type int #define os_open_permissions_default _S_IREAD | _S_IWRITE #define os_stat_type struct _stat + +/* + * Convert a UTF8 string to Unicode wide character + */ +LPWSTR +_NSSUTIL_UTF8ToWide(const char *buf) +{ + DWORD size; + LPWSTR wide; + + if (!buf) { + return NULL; + } + + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, NULL, 0); + if (size == 0) { + return NULL; + } + wide = PORT_Alloc(sizeof(WCHAR) * size); + if (!wide) { + return NULL; + } + size = MultiByteToWideChar(CP_UTF8, 0, buf, -1, wide, size); + if (size == 0) { + PORT_Free(wide); + return NULL; + } + return wide; +} + +static int +os_open(const char *filename, int oflag, int pmode) +{ + int fd; + + if (!filename) { + return -1; + } + + wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename); + if (!filenameWide) { + return -1; + } + fd = _wopen(filenameWide, oflag, pmode); + PORT_Free(filenameWide); + + return fd; +} + +static int +os_stat(const char *path, os_stat_type *buffer) +{ + int result; + + if (!path) { + return -1; + } + + wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path); + if (!pathWide) { + return -1; + } + result = _wstat(pathWide, buffer); + PORT_Free(pathWide); + + return result; +} + +static FILE * +os_fopen(const char *filename, const char *mode) +{ + FILE *fp; + + if (!filename || !mode) { + return NULL; + } + + wchar_t *filenameWide = _NSSUTIL_UTF8ToWide(filename); + if (!filenameWide) { + return NULL; + } + wchar_t *modeWide = _NSSUTIL_UTF8ToWide(mode); + if (!modeWide) { + PORT_Free(filenameWide); + return NULL; + } + fp = _wfopen(filenameWide, modeWide); + PORT_Free(filenameWide); + PORT_Free(modeWide); + + return fp; +} + +PRStatus +_NSSUTIL_Access(const char *path, PRAccessHow how) +{ + int result; + + if (!path) { + return PR_FAILURE; + } + + int mode; + switch (how) { + case PR_ACCESS_WRITE_OK: + mode = 2; + break; + case PR_ACCESS_READ_OK: + mode = 4; + break; + case PR_ACCESS_EXISTS: + mode = 0; + break; + default: + return PR_FAILURE; + } + + wchar_t *pathWide = _NSSUTIL_UTF8ToWide(path); + if (!pathWide) { + return PR_FAILURE; + } + result = _waccess(pathWide, mode); + PORT_Free(pathWide); + + return result < 0 ? PR_FAILURE : PR_SUCCESS; +} + +static PRStatus +nssutil_Delete(const char *name) +{ + BOOL result; + + if (!name) { + return PR_FAILURE; + } + + wchar_t *nameWide = _NSSUTIL_UTF8ToWide(name); + if (!nameWide) { + return PR_FAILURE; + } + result = DeleteFileW(nameWide); + PORT_Free(nameWide); + + return result ? PR_SUCCESS : PR_FAILURE; +} + +static PRStatus +nssutil_Rename(const char *from, const char *to) +{ + BOOL result; + + if (!from || !to) { + return PR_FAILURE; + } + + wchar_t *fromWide = _NSSUTIL_UTF8ToWide(from); + if (!fromWide) { + return PR_FAILURE; + } + wchar_t *toWide = _NSSUTIL_UTF8ToWide(to); + if (!toWide) { + PORT_Free(fromWide); + return PR_FAILURE; + } + result = MoveFileW(fromWide, toWide); + PORT_Free(fromWide); + PORT_Free(toWide); + + return result ? PR_SUCCESS : PR_FAILURE; +} #else +#define os_fopen fopen #define os_open open #define os_fdopen fdopen #define os_stat stat @@ -51,6 +221,8 @@ #define os_open_permissions_type mode_t #define os_open_permissions_default 0600 #define os_stat_type struct stat +#define nssutil_Delete PR_Delete +#define nssutil_Rename PR_Rename #endif /**************************************************************** @@ -219,7 +391,7 @@ nssutil_ReadSecmodDB(const char *appName, } /* do we really want to use streams here */ - fd = fopen(dbname, "r"); + fd = os_fopen(dbname, "r"); if (fd == NULL) goto done; @@ -403,7 +575,7 @@ done: } /* old one exists */ - status = PR_Access(olddbname, PR_ACCESS_EXISTS); + status = _NSSUTIL_Access(olddbname, PR_ACCESS_EXISTS); if (status == PR_SUCCESS) { PR_smprintf_free(olddbname); PORT_ZFree(moduleList, useCount * sizeof(char *)); @@ -532,7 +704,7 @@ nssutil_DeleteSecmodDBEntry(const char *appName, } /* do we really want to use streams here */ - fd = fopen(dbname, "r"); + fd = os_fopen(dbname, "r"); if (fd == NULL) goto loser; @@ -602,10 +774,10 @@ nssutil_DeleteSecmodDBEntry(const char *appName, fclose(fd2); if (found) { /* rename dbname2 to dbname */ - PR_Delete(dbname); - PR_Rename(dbname2, dbname); + nssutil_Delete(dbname); + nssutil_Rename(dbname2, dbname); } else { - PR_Delete(dbname2); + nssutil_Delete(dbname2); } PORT_Free(dbname2); PORT_Free(lib); @@ -621,7 +793,7 @@ loser: fclose(fd2); } if (dbname2) { - PR_Delete(dbname2); + nssutil_Delete(dbname2); PORT_Free(dbname2); } PORT_Free(lib); diff --git a/security/nss/lib/util/utilpars.c b/security/nss/lib/util/utilpars.c index 7116d26f3..e7435bfcc 100644 --- a/security/nss/lib/util/utilpars.c +++ b/security/nss/lib/util/utilpars.c @@ -589,6 +589,7 @@ struct nssutilArgSlotFlagTable { } static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = { NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG), + NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG), NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG), NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG), NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG), @@ -1110,12 +1111,8 @@ _NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType dbType; PRBool checkEnvDefaultDB = PR_FALSE; *appName = NULL; -/* force the default */ -#ifdef NSS_DISABLE_DBM + /* force the default */ dbType = NSS_DB_TYPE_SQL; -#else - dbType = NSS_DB_TYPE_LEGACY; -#endif if (configdir == NULL) { checkEnvDefaultDB = PR_TRUE; } else if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS) - 1) == 0) { diff --git a/security/nss/lib/util/utilpars.h b/security/nss/lib/util/utilpars.h index 70767263a..1b0b1ff1c 100644 --- a/security/nss/lib/util/utilpars.h +++ b/security/nss/lib/util/utilpars.h @@ -59,5 +59,11 @@ char *NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal, char *_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType, char **appName, char **filename, PRBool *rw); const char *_NSSUTIL_EvaluateConfigDir(const char *configdir, NSSDBType *dbType, char **app); +#if defined(_WIN32) +wchar_t *_NSSUTIL_UTF8ToWide(const char *buf); +PRStatus _NSSUTIL_Access(const char *path, PRAccessHow how); +#else +#define _NSSUTIL_Access(path, how) PR_Access((path), (how)) +#endif #endif /* _UTILPARS_H_ */ diff --git a/security/nss/lib/util/utilparst.h b/security/nss/lib/util/utilparst.h index f2148e6e3..5dda09028 100644 --- a/security/nss/lib/util/utilparst.h +++ b/security/nss/lib/util/utilparst.h @@ -43,7 +43,7 @@ #define NSSUTIL_DEFAULT_INTERNAL_INIT3 \ " askpw=any timeout=30})\"" #define NSSUTIL_DEFAULT_SFTKN_FLAGS \ - "slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" + "slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]" #define NSSUTIL_DEFAULT_CIPHER_ORDER 0 #define NSSUTIL_DEFAULT_TRUST_ORDER 50 diff --git a/security/nss/lib/util/utilrename.h b/security/nss/lib/util/utilrename.h index 1aea3d284..19ddba666 100644 --- a/security/nss/lib/util/utilrename.h +++ b/security/nss/lib/util/utilrename.h @@ -70,6 +70,8 @@ #define PORT_UCS2_ASCIIConversion PORT_UCS2_ASCIIConversion_Util #define PORT_UCS2_UTF8Conversion PORT_UCS2_UTF8Conversion_Util #define PORT_ZAlloc PORT_ZAlloc_Util +#define PORT_ZAllocAligned PORT_ZAllocAligned_Util +#define PORT_ZAllocAlignedOffset PORT_ZAllocAlignedOffset_Util #define PORT_ZFree PORT_ZFree_Util #define SEC_ASN1Decode SEC_ASN1Decode_Util #define SEC_ASN1DecodeInteger SEC_ASN1DecodeInteger_Util -- cgit v1.2.3