1.3.10

CHANGELOG.md

@@ -1,3 +1,7 @@
+== 1.3.10
+
+* Update to latest jsbn to fix global variable leak (issue #11)
+
 == 1.3.9
 
 * Fix issue #14 in safari where an svg element in a form would prevent submission. Thanks to @oveddan (Dan Oved) for the fix (pull request #15)

LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2009-2013 Braintree Payment Solutions
+Copyright (c) 2009-2014 Braintree, a division of PayPal, Inc.
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

build/minified_header.js

@@ -1,7 +1,7 @@
 /*!
  * Braintree End-to-End Encryption Library
  * https://www.braintreepayments.com
- * Copyright (c) 2009-2013 Braintree Payment Solutions
+ * Copyright (c) 2009-2014 Braintree, a division of PayPal, Inc.
  *
  * JSBN
  * Copyright (c) 2005  Tom Wu

lib/braintree.js

@@ -8,7 +8,7 @@
 
 var Braintree = {
   sjcl: sjcl,
-  version: "1.3.9"
+  version: "1.3.10"
 };
 
 Braintree.generateAesKey = function () {
@@ -148,8 +148,13 @@ Braintree.EncryptionClient = function (publicKey) {
         signature = hmac.sign(sjcl.codec.base64.toBits(ciphertext)),
         combinedKey = sjcl.bitArray.concat(aes.key, hmac.key),
         encodedKey = sjcl.codec.base64.fromBits(combinedKey),
-        encryptedKey = rsa.encrypt_b64(encodedKey),
-        prefix = "$bt4|javascript_" + self.version.replace(/\./g, "_") + "$";
+        hexEncryptedKey = rsa.encrypt(encodedKey),
+        prefix = "$bt4|javascript_" + self.version.replace(/\./g, "_") + "$",
+        encryptedKey = null;
+
+    if(hexEncryptedKey) {
+      encryptedKey = hex2b64(hexEncryptedKey);
+    }
 
     return prefix + encryptedKey + "$" + ciphertext + "$" + signature;
   };

lib/jsbn/base64.js

@@ -1,5 +1,5 @@
 var b64map="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-var b64pad="=";
+var b64padchar="=";
 
 function hex2b64(h) {
   var i;
@@ -17,18 +17,19 @@ function hex2b64(h) {
     c = parseInt(h.substring(i,i+2),16);
     ret += b64map.charAt(c >> 2) + b64map.charAt((c & 3) << 4);
   }
-  while((ret.length & 3) > 0) ret += b64pad;
+  while((ret.length & 3) > 0) ret += b64padchar;
   return ret;
 }
 
 // convert a base64 string to hex
 function b64tohex(s) {
-  var ret = ""
+  var ret = "";
   var i;
   var k = 0; // b64 state, 0-3
   var slop;
+  var v;
   for(i = 0; i < s.length; ++i) {
-    if(s.charAt(i) == b64pad) break;
+    if(s.charAt(i) == b64padchar) break;
     v = b64map.indexOf(s.charAt(i));
     if(v < 0) continue;
     if(k == 0) {

lib/jsbn/jsbn.js

@@ -118,7 +118,7 @@ function bnpFromInt(x) {
   this.t = 1;
   this.s = (x<0)?-1:0;
   if(x > 0) this[0] = x;
-  else if(x < -1) this[0] = x+DV;
+  else if(x < -1) this[0] = x+this.DV;
   else this.t = 0;
 }
 

lib/jsbn/rsa.js

@@ -27,8 +27,7 @@ function byte2Hex(b) {
 // PKCS#1 (type 2, random) pad input string s to n bytes, and return a bigint
 function pkcs1pad2(s,n) {
   if(n < s.length + 11) { // TODO: fix for utf-8
-    alert("Message too long for RSA");
-    return null;
+    throw new Error("Message too long for RSA");
   }
   var ba = new Array();
   var i = s.length - 1;
@@ -86,7 +85,7 @@ function RSASetPublic(N,E) {
     this.e = parseInt(E,16);
   }
   else
-    alert("Invalid RSA public key");
+    throw new Error("Invalid RSA public key");
 }
 
 // Perform raw public operation on "x": return x^e (mod n)
@@ -105,10 +104,10 @@ function RSAEncrypt(text) {
 }
 
 // Return the PKCS#1 RSA encryption of "text" as a Base64-encoded string
-function RSAEncryptB64(text) {
- var h = this.encrypt(text);
- if(h) return hex2b64(h); else return null;
-}
+//function RSAEncryptB64(text) {
+//  var h = this.encrypt(text);
+//  if(h) return hex2b64(h); else return null;
+//}
 
 // protected
 RSAKey.prototype.doPublic = RSADoPublic;
@@ -116,4 +115,4 @@ RSAKey.prototype.doPublic = RSADoPublic;
 // public
 RSAKey.prototype.setPublic = RSASetPublic;
 RSAKey.prototype.encrypt = RSAEncrypt;
-RSAKey.prototype.encrypt_b64 = RSAEncryptB64;
+//RSAKey.prototype.encrypt_b64 = RSAEncryptB64;

spec/infrastructure/rsa2.js

@@ -38,7 +38,7 @@ function RSASetPrivate(N,E,D) {
     this.d = parseBigInt(D,16);
   }
   else
-    alert("Invalid RSA private key");
+    throw new Error("Invalid RSA private key");
 }
 
 // Set the private key fields N, e, d and CRT params from hex strings
@@ -54,7 +54,7 @@ function RSASetPrivateEx(N,E,D,P,Q,DP,DQ,C) {
     this.coeff = parseBigInt(C,16);
   }
   else
-    alert("Invalid RSA private key");
+    throw new Error("Invalid RSA private key");
 }
 
 // Generate a new random private key B bits long, using public expt E
@@ -116,10 +116,10 @@ function RSADecrypt(ctext) {
 
 // Return the PKCS#1 RSA decryption of "ctext".
 // "ctext" is a Base64-encoded string and the output is a plain string.
-function RSAB64Decrypt(ctext) {
-  var h = b64tohex(ctext);
-  if(h) return this.decrypt(h); else return null;
-}
+//function RSAB64Decrypt(ctext) {
+//  var h = b64tohex(ctext);
+//  if(h) return this.decrypt(h); else return null;
+//}
 
 // protected
 RSAKey.prototype.doPrivate = RSADoPrivate;
@@ -129,4 +129,4 @@ RSAKey.prototype.setPrivate = RSASetPrivate;
 RSAKey.prototype.setPrivateEx = RSASetPrivateEx;
 RSAKey.prototype.generate = RSAGenerate;
 RSAKey.prototype.decrypt = RSADecrypt;
-RSAKey.prototype.b64_decrypt = RSAB64Decrypt;
+//RSAKey.prototype.b64_decrypt = RSAB64Decrypt;