--- a/old-configure.in
+++ b/old-configure.in
@@ -1733,17 +1733,17 @@ dnl = If NSS was not detected in the sys
dnl = use the one in the source tree (mozilla/security/nss)
dnl ========================================================
MOZ_ARG_WITH_BOOL(system-nss,
[ --with-system-nss Use system installed NSS],
_USE_SYSTEM_NSS=1 )
if test -n "$_USE_SYSTEM_NSS"; then
- AM_PATH_NSS(3.40, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+ AM_PATH_NSS(3.40.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
fi
NSS_CFLAGS="$NSS_CFLAGS -I${DIST}/include/nss"
if test -z "$MOZ_SYSTEM_NSS"; then
case "${OS_ARCH}" in
# Only few platforms have been tested with GYP
WINNT|Darwin|Linux|DragonFly|FreeBSD|NetBSD|OpenBSD|SunOS)
;;
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-704d253fa016
+NSS_3_40_1_RTM
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
/*
* A dummy header file that is a dependency for all the object files.
* Used to force a full recompilation of NSS in Mozilla's Tinderbox
* depend builds. See comments in rules.mk.
*/
#error "Do not include this header file."
-
--- a/security/nss/gtests/freebl_gtest/mpi_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/mpi_unittest.cc
@@ -10,17 +10,17 @@
#ifdef __MACH__
#include <mach/clock.h>
#include <mach/mach.h>
#endif
#include "mpi.h"
namespace nss_test {
-void gettime(struct timespec *tp) {
+void gettime(struct timespec* tp) {
#ifdef __MACH__
clock_serv_t cclock;
mach_timespec_t mts;
host_get_clock_service(mach_host_self(), SYSTEM_CLOCK, &cclock);
clock_get_time(cclock, &mts);
mach_port_deallocate(mach_task_self(), cclock);
@@ -64,16 +64,49 @@ class MPITest : public ::testing::Test {
mp_read_radix(&c, result.c_str(), 16);
EXPECT_EQ(MP_OKAY, mp_div(&a, &b, &a, &b));
EXPECT_EQ(0, mp_cmp(&a, &c));
mp_clear(&a);
mp_clear(&b);
mp_clear(&c);
}
+
+ void dump(const std::string& prefix, const uint8_t* buf, size_t len) {
+ auto flags = std::cerr.flags();
+ std::cerr << prefix << ": [" << std::dec << len << "] ";
+ for (size_t i = 0; i < len; ++i) {
+ std::cerr << std::hex << std::setw(2) << std::setfill('0')
+ << static_cast<int>(buf[i]);
+ }
+ std::cerr << std::endl << std::resetiosflags(flags);
+ }
+
+ void TestToFixedOctets(const std::vector<uint8_t>& ref, size_t len) {
+ mp_int a;
+ ASSERT_EQ(MP_OKAY, mp_init(&a));
+ ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+ uint8_t buf[len];
+ ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, len));
+ size_t compare;
+ if (len > ref.size()) {
+ for (size_t i = 0; i < len - ref.size(); ++i) {
+ ASSERT_EQ(0U, buf[i]) << "index " << i << " should be zero";
+ }
+ compare = ref.size();
+ } else {
+ compare = len;
+ }
+ dump("value", ref.data(), ref.size());
+ dump("output", buf, len);
+ ASSERT_EQ(0, memcmp(buf + len - compare, ref.data() + ref.size() - compare,
+ compare))
+ << "comparing " << compare << " octets";
+ mp_clear(&a);
+ }
};
TEST_F(MPITest, MpiCmp01Test) { TestCmp("0", "1", -1); }
TEST_F(MPITest, MpiCmp10Test) { TestCmp("1", "0", 1); }
TEST_F(MPITest, MpiCmp00Test) { TestCmp("0", "0", 0); }
TEST_F(MPITest, MpiCmp11Test) { TestCmp("1", "1", 0); }
TEST_F(MPITest, MpiDiv32ErrorTest) {
TestDiv("FFFF00FFFFFFFF000000000000", "FFFF00FFFFFFFFFF", "FFFFFFFFFF");
@@ -108,41 +141,82 @@ TEST_F(MPITest, MpiCmpUnalignedTest) {
ASSERT_TRUE(strncmp(c_tmp, "feffffffffffffff100000000000000", 31));
mp_clear(&a);
mp_clear(&b);
mp_clear(&c);
}
#endif
+TEST_F(MPITest, MpiFixlenOctetsZero) {
+ std::vector<uint8_t> zero = {0};
+ TestToFixedOctets(zero, 1);
+ TestToFixedOctets(zero, 2);
+ TestToFixedOctets(zero, sizeof(mp_digit));
+ TestToFixedOctets(zero, sizeof(mp_digit) + 1);
+}
+
+TEST_F(MPITest, MpiFixlenOctetsVarlen) {
+ std::vector<uint8_t> packed;
+ for (size_t i = 0; i < sizeof(mp_digit) * 2; ++i) {
+ packed.push_back(0xa4); // Any non-zero value will do.
+ TestToFixedOctets(packed, packed.size());
+ TestToFixedOctets(packed, packed.size() + 1);
+ TestToFixedOctets(packed, packed.size() + sizeof(mp_digit));
+ }
+}
+
+TEST_F(MPITest, MpiFixlenOctetsTooSmall) {
+ uint8_t buf[sizeof(mp_digit) * 3];
+ std::vector<uint8_t> ref;
+ for (size_t i = 0; i < sizeof(mp_digit) * 2; i++) {
+ ref.push_back(3); // Any non-zero value will do.
+ dump("ref", ref.data(), ref.size());
+
+ mp_int a;
+ ASSERT_EQ(MP_OKAY, mp_init(&a));
+ ASSERT_EQ(MP_OKAY, mp_read_unsigned_octets(&a, ref.data(), ref.size()));
+#ifdef DEBUG
+ // ARGCHK maps to assert() in a debug build.
+ EXPECT_DEATH(mp_to_fixlen_octets(&a, buf, ref.size() - 1), "");
+#else
+ EXPECT_EQ(MP_BADARG, mp_to_fixlen_octets(&a, buf, ref.size() - 1));
+#endif
+ ASSERT_EQ(MP_OKAY, mp_to_fixlen_octets(&a, buf, ref.size()));
+ ASSERT_EQ(0, memcmp(buf, ref.data(), ref.size()));
+
+ mp_clear(&a);
+ }
+}
+
// This test is slow. Disable it by default so we can run these tests on CI.
class DISABLED_MPITest : public ::testing::Test {};
TEST_F(DISABLED_MPITest, MpiCmpConstTest) {
mp_int a, b, c;
MP_DIGITS(&a) = 0;
MP_DIGITS(&b) = 0;
MP_DIGITS(&c) = 0;
ASSERT_EQ(MP_OKAY, mp_init(&a));
ASSERT_EQ(MP_OKAY, mp_init(&b));
ASSERT_EQ(MP_OKAY, mp_init(&c));
mp_read_radix(
&a,
- const_cast<char *>(
+ const_cast<char*>(
"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
16);
mp_read_radix(
&b,
- const_cast<char *>(
+ const_cast<char*>(
"FF0FFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"),
16);
mp_read_radix(
&c,
- const_cast<char *>(
+ const_cast<char*>(
"FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
16);
#ifdef CT_VERIF
mp_taint(&b);
mp_taint(&c);
#endif
--- a/security/nss/gtests/freebl_gtest/rsa_unittest.cc
+++ b/security/nss/gtests/freebl_gtest/rsa_unittest.cc
@@ -16,46 +16,82 @@ struct ScopedDelete {
PORT_FreeArena(ptr->arena, PR_TRUE);
}
}
};
typedef std::unique_ptr<RSAPrivateKey, ScopedDelete<RSAPrivateKey>>
ScopedRSAPrivateKey;
-class RSANewKeyTest : public ::testing::Test {
+class RSATest : public ::testing::Test {
protected:
RSAPrivateKey* CreateKeyWithExponent(int keySizeInBits,
unsigned char publicExponent) {
SECItem exp = {siBuffer, 0, 0};
unsigned char pubExp[1] = {publicExponent};
exp.data = pubExp;
exp.len = 1;
return RSA_NewKey(keySizeInBits, &exp);
}
};
-TEST_F(RSANewKeyTest, expOneTest) {
+TEST_F(RSATest, expOneTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x01));
ASSERT_TRUE(key == nullptr);
}
-TEST_F(RSANewKeyTest, expTwoTest) {
+TEST_F(RSATest, expTwoTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x02));
ASSERT_TRUE(key == nullptr);
}
-TEST_F(RSANewKeyTest, expFourTest) {
+TEST_F(RSATest, expFourTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x04));
ASSERT_TRUE(key == nullptr);
}
-TEST_F(RSANewKeyTest, WrongKeysizeTest) {
+TEST_F(RSATest, WrongKeysizeTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
ASSERT_TRUE(key == nullptr);
}
-TEST_F(RSANewKeyTest, expThreeTest) {
+TEST_F(RSATest, expThreeTest) {
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
#ifdef NSS_FIPS_DISABLED
ASSERT_TRUE(key != nullptr);
#else
ASSERT_TRUE(key == nullptr);
#endif
}
+
+TEST_F(RSATest, DecryptBlockTestErrors) {
+ unsigned char pubExp[3] = {0x01, 0x00, 0x01};
+ SECItem exp = {siBuffer, pubExp, 3};
+ ScopedRSAPrivateKey key(RSA_NewKey(2048, &exp));
+ ASSERT_TRUE(key);
+ uint8_t out[10] = {0};
+ uint8_t in_small[100] = {0};
+ unsigned int outputLen = 0;
+ unsigned int maxOutputLen = sizeof(out);
+
+ // This should fail because input the same size as the modulus (256).
+ SECStatus rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen,
+ in_small, sizeof(in_small));
+ EXPECT_EQ(SECFailure, rv);
+
+ uint8_t in[256] = {0};
+ // This should fail because the padding checks will fail.
+ rv = RSA_DecryptBlock(key.get(), out, &outputLen, maxOutputLen, in,
+ sizeof(in));
+ EXPECT_EQ(SECFailure, rv);
+ // outputLen should be maxOutputLen.
+ EXPECT_EQ(maxOutputLen, outputLen);
+
+ // This should fail because the padding checks will fail.
+ uint8_t out_long[260] = {0};
+ maxOutputLen = sizeof(out_long);
+ rv = RSA_DecryptBlock(key.get(), out_long, &outputLen, maxOutputLen, in,
+ sizeof(in));
+ EXPECT_EQ(SECFailure, rv);
+ // outputLen should <= 256-11=245.
+ EXPECT_LE(outputLen, 245u);
+ // Everything over 256 must be 0 in the output.
+ uint8_t out_long_test[4] = {0};
+ EXPECT_EQ(0, memcmp(out_long_test, &out_long[256], 4));
+}
--- a/security/nss/lib/freebl/mpi/mpi.c
+++ b/security/nss/lib/freebl/mpi/mpi.c
@@ -4770,46 +4770,69 @@ mp_to_signed_octets(const mp_int *mp, un
}
if (!pos)
str[pos++] = 0;
return pos;
} /* end mp_to_signed_octets() */
/* }}} */
/* {{{ mp_to_fixlen_octets(mp, str) */
-/* output a buffer of big endian octets exactly as long as requested. */
+/* output a buffer of big endian octets exactly as long as requested.
+ constant time on the value of mp. */
mp_err
mp_to_fixlen_octets(const mp_int *mp, unsigned char *str, mp_size length)
{
- int ix, pos = 0;
+ int ix, jx;
unsigned int bytes;
- ARGCHK(mp != NULL && str != NULL && !SIGN(mp), MP_BADARG);
-
- bytes = mp_unsigned_octet_size(mp);
- ARGCHK(bytes <= length, MP_BADARG);
-
- /* place any needed leading zeros */
- for (; length > bytes; --length) {
- *str++ = 0;
+ ARGCHK(mp != NULL, MP_BADARG);
+ ARGCHK(str != NULL, MP_BADARG);
+ ARGCHK(!SIGN(mp), MP_BADARG);
+ ARGCHK(length > 0, MP_BADARG);
+
+ /* Constant time on the value of mp. Don't use mp_unsigned_octet_size. */
+ bytes = USED(mp) * MP_DIGIT_SIZE;
+
+ /* If the output is shorter than the native size of mp, then check that any
+ * bytes not written have zero values. This check isn't constant time on
+ * the assumption that timing-sensitive callers can guarantee that mp fits
+ * in the allocated space. */
+ ix = USED(mp) - 1;
+ if (bytes > length) {
+ unsigned int zeros = bytes - length;
+
+ while (zeros >= MP_DIGIT_SIZE) {
+ ARGCHK(DIGIT(mp, ix) == 0, MP_BADARG);
+ zeros -= MP_DIGIT_SIZE;
+ ix--;
+ }
+
+ if (zeros > 0) {
+ mp_digit d = DIGIT(mp, ix);
+ mp_digit m = ~0ULL << ((MP_DIGIT_SIZE - zeros) * CHAR_BIT);
+ ARGCHK((d & m) == 0, MP_BADARG);
+ for (jx = MP_DIGIT_SIZE - zeros - 1; jx >= 0; jx--) {
+ *str++ = d >> (jx * CHAR_BIT);
+ }
+ ix--;
+ }
+ } else if (bytes < length) {
+ /* Place any needed leading zeros. */
+ unsigned int zeros = length - bytes;
+ memset(str, 0, zeros);
+ str += zeros;
}
- /* Iterate over each digit... */
- for (ix = USED(mp) - 1; ix >= 0; ix--) {
+ /* Iterate over each whole digit... */
+ for (; ix >= 0; ix--) {
mp_digit d = DIGIT(mp, ix);
- int jx;
/* Unpack digit bytes, high order first */
- for (jx = sizeof(mp_digit) - 1; jx >= 0; jx--) {
- unsigned char x = (unsigned char)(d >> (jx * CHAR_BIT));
- if (!pos && !x) /* suppress leading zeros */
- continue;
- str[pos++] = x;
+ for (jx = MP_DIGIT_SIZE - 1; jx >= 0; jx--) {
+ *str++ = d >> (jx * CHAR_BIT);
}
}
- if (!pos)
- str[pos++] = 0;
return MP_OKAY;
} /* end mp_to_fixlen_octets() */
/* }}} */
/*------------------------------------------------------------------------*/
/* HERE THERE BE DRAGONS */
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -123,17 +123,18 @@ typedef long long mp_sword;
#endif /* !defined(MP_NO_MP_WORD) */
#if !defined(MP_WORD_MAX) && defined(MP_DEFINE_SMALL_WORD)
typedef unsigned int mp_word;
typedef int mp_sword;
#define MP_WORD_MAX UINT_MAX
#endif
-#define MP_DIGIT_BIT (CHAR_BIT * sizeof(mp_digit))
+#define MP_DIGIT_SIZE sizeof(mp_digit)
+#define MP_DIGIT_BIT (CHAR_BIT * MP_DIGIT_SIZE)
#define MP_WORD_BIT (CHAR_BIT * sizeof(mp_word))
#define MP_RADIX (1 + (mp_word)MP_DIGIT_MAX)
#define MP_HALF_DIGIT_BIT (MP_DIGIT_BIT / 2)
#define MP_HALF_RADIX (1 + (mp_digit)MP_HALF_DIGIT_MAX)
/* MP_HALF_RADIX really ought to be called MP_SQRT_RADIX, but it's named
** MP_HALF_RADIX because it's the radix for MP_HALF_DIGITs, and it's
** consistent with the other _HALF_ names.
--- a/security/nss/lib/freebl/rsapkcs.c
+++ b/security/nss/lib/freebl/rsapkcs.c
@@ -933,58 +933,66 @@ failure:
SECStatus
RSA_DecryptBlock(RSAPrivateKey *key,
unsigned char *output,
unsigned int *outputLen,
unsigned int maxOutputLen,
const unsigned char *input,
unsigned int inputLen)
{
- SECStatus rv;
+ PRInt8 rv;
unsigned int modulusLen = rsa_modulusLen(&key->modulus);
unsigned int i;
- unsigned char *buffer;
+ unsigned char *buffer = NULL;
+ unsigned int outLen = 0;
+ unsigned int copyOutLen = modulusLen - 11;
- if (inputLen != modulusLen)
- goto failure;
+ if (inputLen != modulusLen || modulusLen < 10) {
+ return SECFailure;
+ }
- buffer = (unsigned char *)PORT_Alloc(modulusLen + 1);
- if (!buffer)
- goto failure;
+ if (copyOutLen > maxOutputLen) {
+ copyOutLen = maxOutputLen;
+ }
- rv = RSA_PrivateKeyOp(key, buffer, input);
- if (rv != SECSuccess)
- goto loser;
+ // Allocate enough space to decrypt + copyOutLen to allow copying outLen later.
+ buffer = PORT_ZAlloc(modulusLen + 1 + copyOutLen);
+ if (!buffer) {
+ return SECFailure;
+ }
- /* XXX(rsleevi): Constant time */
- if (buffer[0] != RSA_BLOCK_FIRST_OCTET ||
- buffer[1] != (unsigned char)RSA_BlockPublic) {
- goto loser;
+ // rv is 0 if everything is going well and 1 if an error occurs.
+ rv = RSA_PrivateKeyOp(key, buffer, input) != SECSuccess;
+ rv |= (buffer[0] != RSA_BLOCK_FIRST_OCTET) |
+ (buffer[1] != (unsigned char)RSA_BlockPublic);
+
+ // There have to be at least 8 bytes of padding.
+ for (i = 2; i < 10; i++) {
+ rv |= buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET;
}
- *outputLen = 0;
- for (i = 2; i < modulusLen; i++) {
- if (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) {
- *outputLen = modulusLen - i - 1;
- break;
- }
+
+ for (i = 10; i < modulusLen; i++) {
+ unsigned int newLen = modulusLen - i - 1;
+ unsigned int c = (buffer[i] == RSA_BLOCK_AFTER_PAD_OCTET) & (outLen == 0);
+ outLen = constantTimeCondition(c, newLen, outLen);
}
- if (*outputLen == 0)
- goto loser;
- if (*outputLen > maxOutputLen)
- goto loser;
+ rv |= outLen == 0;
+ rv |= outLen > maxOutputLen;
- PORT_Memcpy(output, buffer + modulusLen - *outputLen, *outputLen);
+ // Note that output is set even if SECFailure is returned.
+ PORT_Memcpy(output, buffer + modulusLen - outLen, copyOutLen);
+ *outputLen = constantTimeCondition(outLen > maxOutputLen, maxOutputLen,
+ outLen);
PORT_Free(buffer);
- return SECSuccess;
-loser:
- PORT_Free(buffer);
-failure:
- return SECFailure;
+ for (i = 1; i < sizeof(rv) * 8; i <<= 1) {
+ rv |= rv << i;
+ }
+ return (SECStatus)rv;
}
/*
* Encode a RSA-PSS signature.
* Described in RFC 3447, section 9.1.1.
* We use mHash instead of M as input.
* emBits from the RFC is just modBits - 1, see section 8.1.1.
* We only support MGF1 as the MGF.
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -17,20 +17,20 @@
/*
* NSS's major version, minor version, patch level, build number, and whether
* this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.40" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.40.1" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 40
-#define NSS_VPATCH 0
+#define NSS_VPATCH 1
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED
#include "seccomon.h"
typedef struct NSSInitParametersStr NSSInitParameters;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -12,16 +12,16 @@
/*
* Softoken's major version, minor version, patch level, build number,
* and whether this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.40" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.40.1" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 40
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 1
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -9771,16 +9771,33 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3C
if (!serverKeySlot)
PK11_FreeSlot(slot);
if (pms == NULL) {
ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
}
return pms;
}
+static void
+ssl3_CSwapPK11SymKey(PK11SymKey **x, PK11SymKey **y, PRBool c)
+{
+ uintptr_t mask = (uintptr_t)c;
+ unsigned int i;
+ for (i = 1; i < sizeof(uintptr_t) * 8; i <<= 1) {
+ mask |= mask << i;
+ }
+ uintptr_t x_ptr = (uintptr_t)*x;
+ uintptr_t y_ptr = (uintptr_t)*y;
+ uintptr_t tmp = (x_ptr ^ y_ptr) & mask;
+ x_ptr = x_ptr ^ tmp;
+ y_ptr = y_ptr ^ tmp;
+ *x = (PK11SymKey *)x_ptr;
+ *y = (PK11SymKey *)y_ptr;
+}
+
/* Note: The Bleichenbacher attack on PKCS#1 necessitates that we NEVER
* return any indication of failure of the Client Key Exchange message,
* where that failure is caused by the content of the client's message.
* This function must not return SECFailure for any reason that is directly
* or indirectly caused by the content of the client's encrypted PMS.
* We must not send an alert and also not drop the connection.
* Instead, we generate a random PMS. This will cause a failure
* in the processing the finished message, which is exactly where
@@ -9791,19 +9808,19 @@ ssl3_GenerateRSAPMS(sslSocket *ss, ssl3C
static SECStatus
ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
PRUint8 *b,
PRUint32 length,
sslKeyPair *serverKeyPair)
{
SECStatus rv;
SECItem enc_pms;
- PK11SymKey *tmpPms[2] = { NULL, NULL };
- PK11SlotInfo *slot;
- int useFauxPms = 0;
+ PK11SymKey *pms = NULL;
+ PK11SymKey *fauxPms = NULL;
+ PK11SlotInfo *slot = NULL;
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
PORT_Assert(ss->ssl3.prSpec->epoch == ss->ssl3.pwSpec->epoch);
enc_pms.data = b;
enc_pms.len = length;
@@ -9814,21 +9831,16 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
return SECFailure;
}
if ((unsigned)kLen < enc_pms.len) {
enc_pms.len = kLen;
}
}
-#define currentPms tmpPms[!useFauxPms]
-#define unusedPms tmpPms[useFauxPms]
-#define realPms tmpPms[1]
-#define fauxPms tmpPms[0]
-
/*
* Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
* as we can within the constraints of the PKCS#11 interface.
*
* 1. Unconditionally generate a bogus PMS (what RFC 5246
* calls R).
* 2. Attempt the RSA decryption to recover the PMS (what
* RFC 5246 calls M).
@@ -9873,50 +9885,43 @@ ssl3_HandleRSAClientKeyExchange(sslSocke
}
/*
* unwrap pms out of the incoming buffer
* Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
* the unwrap. Rather, it is the mechanism with which the
* unwrapped pms will be used.
*/
- realPms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
- CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+ pms = PK11_PubUnwrapSymKey(serverKeyPair->privKey, &enc_pms,
+ CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
/* Temporarily use the PMS if unwrapping the real PMS fails. */
- useFauxPms |= (realPms == NULL);
+ ssl3_CSwapPK11SymKey(&pms, &fauxPms, pms == NULL);
/* Attempt to derive the MS from the PMS. This is the only way to
* check the version field in the RSA PMS. If this fails, we
* then use the faux PMS in place of the PMS. Note that this
* operation should never fail if we are using the faux PMS
* since it is correctly formatted. */
- rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
-
- /* If we succeeded, then select the true PMS and discard the
- * FPMS. Else, select the FPMS and select the true PMS */
- useFauxPms |= (rv != SECSuccess);
-
- if (unusedPms) {
- PK11_FreeSymKey(unusedPms);
- }
+ rv = ssl3_ComputeMasterSecret(ss, pms, NULL);
+
+ /* If we succeeded, then select the true PMS, else select the FPMS. */
+ ssl3_CSwapPK11SymKey(&pms, &fauxPms, (rv != SECSuccess) & (fauxPms != NULL));
/* This step will derive the MS from the PMS, among other things. */
- rv = ssl3_InitPendingCipherSpecs(ss, currentPms, PR_TRUE);
- PK11_FreeSymKey(currentPms);
+ rv = ssl3_InitPendingCipherSpecs(ss, pms, PR_TRUE);
+
+ /* Clear both PMS. */
+ PK11_FreeSymKey(pms);
+ PK11_FreeSymKey(fauxPms);
if (rv != SECSuccess) {
(void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
}
-#undef currentPms
-#undef unusedPms
-#undef realPms
-#undef fauxPms
-
return SECSuccess;
}
static SECStatus
ssl3_HandleDHClientKeyExchange(sslSocket *ss,
PRUint8 *b,
PRUint32 length,
sslKeyPair *serverKeyPair)
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,20 +14,20 @@
/*
* NSS utilities's major version, minor version, patch level, build number,
* and whether this is a beta release.
*
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.40"
+#define NSSUTIL_VERSION "3.40.1"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 40
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 1
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS
/*
* Returns a const string of the UTIL library version.
*/