NSS 3.12.4 release notes
Newsgroup: mozilla.dev.tech.crypto
Introduction
Network Security Services (NSS) 3.12.4 is a patch release for NSS 3.12. The bug fixes in NSS 3.12.4 are described in the “Bugs Fixed” section below.
NSS 3.12.4 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.
This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot,
with the CVS tag
NSS 3.12.4 requires NSPR 4.8. This is not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR 4.7.1 or later.
You can check out the source from CVS by
    cvs co -r NSPR_4_8_RTM NSPR
    cvs co -r NSS_3_12_4_RTM NSS
See the Documentation section for the build instructions.
NSS 3.12.4 source is also available on
ftp.mozilla.org for secure HTTPS download:
Major changes in NSS 3.12.4
NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation. Currently NSS 3.12.4 is in the “Review Pending” state in the FIPS 140-2 pre-validation list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
Added CRL Distribution Point support (see cert.h):
CERT_DecodeCRLIssuingDistributionPoint
CERT_FindCRLIssuingDistPointExten
The previous documentation of the expression-matching syntax rules was incorrect. The corrected documentation for the public nssutil functions (see portreg.h) follows:
These functions will match a string with a shell expression. The expressions accepted are based loosely on the expressions accepted by zsh. Expected return values:
NON_SXP if exp is a standard string
INVALID_SXP if exp is a shell expression, but invalid
VALID_SXP if exp is a valid shell expression
Expression matching rules:
* matches anything
? matches one character
\ will escape a special character
$ matches the end of the string
Bracketed expressions: [abc] matches one occurrence of a, b, or c. [^abc] matches any character except a, b, or c. To be matched between [ and ], these characters must be escaped: \ and ]. No other characters need be escaped between brackets. Unnecessary escaping is permitted.
[a-z] matches any character between a and z, inclusive. The two range-definition characters must be alphanumeric ASCII. If one is upper case and the other is lower case, then the ASCII non-alphanumeric characters between Z and a will also be in range.
[^a-z] matches any character except those between a and z, inclusive. These forms cannot be combined, e.g., [a-gp-z] does not work.
Exclusions: As a top-level, outermost expression only, the expression foo~bar will match the expression foo, provided it does not also match the expression bar. Either expression or both may be a union. Except between brackets, any unescaped ~ is an exclusion. At most one exclusion is permitted. Exclusions cannot be nested (contain other exclusions). Example: *~abc will match any string except abc.
Unions: (foo|bar) will match either the expression foo, or the expression bar. At least one ‘|’ separator is required. More are permitted. Expressions inside unions may not include unions or exclusions. Inside a union, to be matched and not treated as a special character, these characters must be escaped: \ ( | ) [ ~ except when they occur inside a bracketed expression, where only \ and ] require escaping.
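A classifier for the syntax rules above that stops at the string terminator on every path and returns the three documented result names. This is an added example, not NSS code: classify and skip_bracket are hypothetical names, and it assumes that a dangling \ is invalid, that an escape makes a string a shell expression, and that an unescaped | or ) outside a union is invalid.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
enum sxp_class { NON_SXP, INVALID_SXP, VALID_SXP };  /* names from the list above; values are this example's */

/* exp[i] is '['. Return the index of the closing ']', or 0 if malformed. */
static size_t skip_bracket(const char *exp, size_t i)
{
    size_t start = ++i;
    if (exp[i] == '^') start = ++i;
    for (; exp[i] != '\0'; i++) {
        if (exp[i] == '\\') {
            if (exp[++i] == '\0') return 0;      /* escape with nothing after it */
        } else if (exp[i] == ']') {
            /* [x-y] form: both range ends must be alphanumeric ASCII */
            if (i - start == 3 && exp[start + 1] == '-' &&
                !(isalnum((unsigned char)exp[start]) && isalnum((unsigned char)exp[start + 2])))
                return 0;
            return i;
        }
    }
    return 0;                                    /* hit the terminator: unclosed '[' */
}

enum sxp_class classify(const char *exp)
{
    int special = 0, tildes = 0, parts = 0;      /* parts: 0 outside a union, else alternatives seen */
    for (size_t i = 0; exp[i] != '\0'; i++) {
        char c = exp[i];
        if (strchr("\\[(~*?$", c)) special = 1;  /* assumption: an escape also counts as special */
        if (c == '\\') {
            if (exp[++i] == '\0') return INVALID_SXP;    /* assumption: dangling escape is invalid */
        } else if (c == '[') {
            if ((i = skip_bracket(exp, i)) == 0) return INVALID_SXP;
        } else if (c == '(') {
            if (parts) return INVALID_SXP;       /* unions may not contain unions */
            parts = 1;
        } else if (c == '|' || c == ')') {
            if (!parts) return INVALID_SXP;      /* assumption: invalid outside a union */
            if (c == '|') parts++;
            else if (parts < 2) return INVALID_SXP;      /* at least one '|' is required */
            else parts = 0;
        } else if (c == '~') {
            if (parts || ++tildes > 1) return INVALID_SXP;   /* top level only, at most one */
        }
    }
    if (parts) return INVALID_SXP;               /* unclosed '(' */
    return special ? VALID_SXP : NON_SXP;
}
```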
New functions in the nss shared library:
PK11_IsInternalKeySlot (see pk11pub.h)
SECMOD_OpenNewSlot (see pk11pub.h)
New error codes (see secerr.h):
New OIDs (see secoidt.h)
The nssckbi PKCS #11 module’s version changed to 1.75.
Obsolete code for Win16 has been removed.
Support for OpenVMS has been removed.
The following bugs have been fixed in NSS 3.12.4.
Bug 321755: implement crlDistributionPoint extension in libPKIX
Bug 391434: avoid multiple encoding/decoding of PKIX_PL_OID to and from ascii string
Bug 405297: Problems building nss/lib/ckfw/capi/ with MingW GCC
Bug 420991: libPKIX returns wrong NSS error code
Bug 427135: Add super-H (sh3,4) architecture support
Bug 431958: Improve DES and SHA512 for x86_64 platform
Bug 433791: Win16 support should be deleted from NSS
Bug 449332: SECU_ParseCommandLine does not validate its inputs
Bug 453735: When using cert9 (SQLite3) DB, set or change master password fails
Bug 463544: warning: passing enum* for an int* argument in pkix_validate.c
Bug 469588: Coverity errors reported for softoken
Bug 470055: pkix_HttpCertStore_FindSocketConnection reuses closed socket
Bug 470070: Multiple object leaks reported by tinderbox
Bug 470479: IO timeout during cert fetching makes libpkix abort validation.
Bug 482742: Enable building util independently of the rest of nss
Bug 483653: unable to build certutil.exe for fennec/wince
Bug 485145: Miscellaneous crashes in signtool on Windows
Bug 485155: NSS_ENABLE_PKIX_VERIFY=1 causes sec_error_unknown_issuer errors
Bug 485527: Rename the _X86_ macro in lib/freebl
Bug 485658: vfychain -p reports revoked cert
Bug 485745: modify fipstest.c to support CAVS 7.1 DRBG testing
Bug 486304: cert7.db/cert8.db corruption when importing a large certificate (>64K)
Bug 486405: Allocator mismatches in pk12util.c
Bug 486537: Disable execstack in freebl x86_64 builds on Linux
Bug 486698: Facilitate the building of major components independently and in a chain manner by downstream distributions
Bug 486999: Calling SSL_SetSockPeerID a second time leaks the previous value
Bug 487007: Make lib/jar conform to NSS coding style
Bug 487162: ckfw/capi build failure on windows
Bug 487239: nssutil.rc doesn’t compile on WinCE
Bug 487254: sftkmod.c uses POSIX file IO Functions on WinCE
Bug 487255: sdb.c uses POSIX file IO Functions on WinCE
Bug 487487: CERT_NameToAscii reports !Invalid AVA! whenever value exceeds 384 bytes
Bug 487736: libpkix passes wrong argument to DER_DecodeTimeChoice and crashes
Bug 487858: Remove obsolete build options MOZILLA_SECURITY_BUILD and MOZILLA_BSAFE_BUILD
Bug 487884: object leak in libpkix library upon error
Bug 488067: PK11_ImportCRL reports SEC_ERROR_CRL_NOT_FOUND when it fails to import a CRL
Bug 488350: NSPR-free freebl interface need to do post tests only in fips mode.
Bug 488396: DBM needs to be FIPS certifiable.
Bug 488550: crash in certutil or pp when printing cert with empty subject name
Bug 488992: Fix lib/freebl/win_rand.c warnings
Bug 489010: stop exporting mktemp and dbopen (again)
Bug 489287: Resolve a few remaining issues with NSS’s new revocation flags
Bug 489710: byteswap optimize for MSVC++
Bug 490154: Cryptokey framework requires module to implement GenerateKey when they support KeyPairGeneration
Bug 491044: Remove support for VMS (a.k.a., OpenVMS) from NSS
Bug 491174: CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
Bug 491919: cert.h doesn’t have valid functions prototypes
Bug 492131: A failure to import a cert from a P12 file leaves error code set to zero
Bug 492385: crash freeing named CRL entry on shutdown
Bug 493135: bltest crashes if it can’t open the input file
Bug 493364: can’t build with --disable-dbm option when not cross-compiling
Bug 493693: SSE2 instructions for bignum are not implemented on OS/2
Bug 493912: sqlite3_reset should be invoked in sdb_FindObjectsInit when error occurs
Bug 494073: update RSA/DSA powerupself tests to be compliant for 2011
Bug 494087: Passing NULL as the value of cert_pi_trustAnchors causes a crash in cert_pkixSetParam
Bug 494107: During NSS_NoDB_Init(), softoken tries but fails to load libsqlite3.so crash [@ @0x0 ]
Bug 495097: sdb_mapSQLError returns signed int
Bug 495103: NSS_InitReadWrite(sql:<dbdir>) causes NSS to look for sql:<dbdir>/libnssckbi.so
Bug 495365: Add const to the ‘nickname’ parameter of SEC_CertNicknameConflict
Bug 495656: NSS_InitReadWrite(sql:<configdir>) leaves behind a pkcs11.txu file if libnssckbi.so is in <configdir>.
Bug 495717: Unable to compile nss/cmd/certutil/keystuff.c on WinCE
Bug 496961: provide truncated HMAC support for testing tool fipstest
Bug 497002: Lab required nspr-free freebl changes.
Bug 497217: The first random value ever generated by the RNG should be discarded
Bug 498163: assert if profile path contains cyrillic chars. [@isspace - secmod_argIsBlank - secmod_argHasBlanks - secmod_formatPair - secmod_mkNewModuleSpec]
Bug 498509: Produce debuggable optimized builds for Mozilla on MacOSX
Bug 498511: Produce debuggable optimized NSS builds for Mozilla on Linux
Bug 499385: DRBG Reseed function needs to be tested on POST
Bug 499825: utilrename.h is missing from Solaris packages
Bug 502961: Allocator mismatch in pk11mode
Bug 502965: Allocator mismatch in sdrtest
Bug 502972: Another allocator mismatch in sdrtest
Bug 504398: pkix_pl_AIAMgr_GetHTTPCerts could crash if SEC_GetRegisteredHttpClient fails
Bug 504405: pkix_pl_CrlDp_Create will fail on alloc success because of a missing !
Bug 504408: pkix_pl_CrlDp_Create will always fail if dp->distPointType != generalName
Bug 504456: Exploitable heap overflow in NSS shell expression (filename globbing) parsing
Bug 505559: Need function to identify the one and only default internal private key slot.
Bug 505561: Need a generic function a la SECMOD_OpenUserDB() that can be used on non-softoken modules.
Bug 505858: NSS_RegisterShutdown can return without unlocking nssShutdownList.lock
Bug 507041: Invalid build options for VC6
Bug 507228: coreconf.dep doesn’t need to contain the NSS version number
Bug 507422: crash [@ PORT_FreeArena - lg_mkSecretKeyRep] when PORT_NewArena fails
Bug 507482: NSS 3.12.3 (and later) doesn’t build on AIX 5.1
Bug 507937: pwdecrypt program problems
Bug 508259: Pk11mode crashed on Linux2.4
Bug 508467: libpkix ocsp checker should use date argument to obtain the time for cert validity verification
Bug 510367: Fix the UTF8 characters in the nickname string for AC Raíz Certicamara S.A.
For a list of the primary NSS documentation pages on developer.mozilla.org, see NSS. New and revised documents available since the release of NSS 3.12 include the following:
NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Bugs discovered should be reported by filing a bug report with mozilla.org Bugzilla (product NSS).