NSS 3.12 Release Notes

17 June 2008

Newsgroup: mozilla.dev.tech.crypto

Contents

• Introduction
• Distribution Information
• New in NSS 3.12
• Bugs Fixed
• Documentation
• Compatibility
• Feedback

Introduction

• SQLite-Based Shareable Certificate and Key Databases
• libpkix: an RFC 3280 Compliant Certificate Path Validation Library
• Camellia cipher support
• TLS session ticket extension (RFC 5077)

Note: Firefox 3 uses NSS 3.12, but not the new SQLite-based shareable certificate and key databases. We missed the deadline to enable that feature in Firefox 3.

Distribution Information

NSS 3.12 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS download:

• Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/.
• Binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/. Both debug and optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT (optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12 directory containing three subdirectories:
  • include - NSS header files
  • lib - NSS shared libraries
  • bin - NSS Tools and test programs

NSS 3.12 libraries have the following versions:

• sqlite3: 3.3.17
• nssckbi: 1.70
• softokn3 and freebl3: 3.12.0.3
• other NSS libraries: 3.12.0.3

New in NSS 3.12

• 3 new shared library are shipped with NSS 3.12:
  • nssutil
  • sqlite
  • nssdbm
• 1 new include file is shipped with NSS3.12:
  • utilrename.h
• New functions in the nss shared library:
  • CERT_CheckNameSpace (see cert.h)
  • CERT_EncodeCertPoliciesExtension (see cert.h)
  • CERT_EncodeInfoAccessExtension (see cert.h)
  • CERT_EncodeInhibitAnyExtension (see cert.h)
  • CERT_EncodeNoticeReference (see cert.h)
  • CERT_EncodePolicyConstraintsExtension (see cert.h)
  • CERT_EncodePolicyMappingExtension (see cert.h)
  • CERT_EncodeSubjectKeyID (see certdb/cert.h)
  • CERT_EncodeUserNotice (see cert.h)
  • CERT_FindCRLEntryReasonExten (see cert.h)
  • CERT_FindCRLNumberExten (see cert.h)
  • CERT_FindNameConstraintsExten (see cert.h)
  • CERT_GetClassicOCSPDisabledPolicy (see cert.h)
  • CERT_GetClassicOCSPEnabledHardFailurePolicy (see cert.h)
  • CERT_GetClassicOCSPEnabledSoftFailurePolicy (see cert.h)
  • CERT_GetPKIXVerifyNistRevocationPolicy (see cert.h)
  • CERT_GetUsePKIXForValidation (see cert.h)
  • CERT_GetValidDNSPatternsFromCert (see cert.h)
  • CERT_NewTempCertificate (see cert.h)
  • CERT_SetOCSPTimeout (see certhigh/ocsp.h)
  • CERT_SetUsePKIXForValidation (see cert.h)
  • CERT_PKIXVerifyCert (see cert.h)
  • HASH_GetType (see sechash.h)
  • NSS_InitWithMerge (see nss.h)
  • PK11_CreateMergeLog (see pk11pub.h)
  • PK11_CreateGenericObject (see pk11pub.h)
  • PK11_CreatePBEV2AlgorithmID (see pk11pub.h)
  • PK11_DestroyMergeLog (see pk11pub.h)
  • PK11_GenerateKeyPairWithOpFlags (see pk11pub.h)
  • PK11_GetPBECryptoMechanism (see pk11pub.h)
  • PK11_IsRemovable (see pk11pub.h)
  • PK11_MergeTokens (see pk11pub.h)
  • PK11_WriteRawAttribute (see pk11pub.h)
  • SECKEY_ECParamsToBasePointOrderLen (see keyhi.h)
  • SECKEY_ECParamsToKeySize (see keyhi.h)
  • SECMOD_DeleteModuleEx (see secmod.h)
  • SEC_GetRegisteredHttpClient (see ocsp.h)
  • SEC_PKCS5IsAlgorithmPBEAlgTag (see secpkcs5.h)
  • VFY_CreateContextDirect (see cryptohi.h)
  • VFY_CreateContextWithAlgorithmID (see cryptohi.h)
  • VFY_VerifyDataDirect (see cryptohi.h)
  • VFY_VerifyDataWithAlgorithmID (see cryptohi.h)
  • VFY_VerifyDigestDirect (see cryptohi.h)
  • VFY_VerifyDigestWithAlgorithmID (see cryptohi.h)
• New macros for Camellia support (see blapit.h):
  • NSS_CAMELLIA
  • NSS_CAMELLIA_CBC
  • CAMELLIA_BLOCK_SIZE
• New macros for RSA (see blapit.h):
  • RSA_MAX_MODULUS_BITS
  • RSA_MAX_EXPONENT_BITS
• New macros in certt.h:
  • X.509 v3
    • KU_ENCIPHER_ONLY
    • CERT_MAX_SERIAL_NUMBER_BYTES
    • CERT_MAX_DN_BYTES
  • PKIX
    • CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD
    • CERT_REV_M_TEST_USING_THIS_METHOD
    • CERT_REV_M_ALLOW_NETWORK_FETCHING
    • CERT_REV_M_FORBID_NETWORK_FETCHING
    • CERT_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE
    • CERT_REV_M_IGNORE_IMPLICIT_DEFAULT_SOURCE
    • CERT_REV_M_SKIP_TEST_ON_MISSING_SOURCE
    • CERT_REV_M_REQUIRE_INFO_ON_MISSING_SOURCE
    • CERT_REV_M_IGNORE_MISSING_FRESH_INFO
    • CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
    • CERT_REV_M_STOP_TESTING_ON_FRESH_INFO
    • CERT_REV_M_CONTINUE_TESTING_ON_FRESH_INFO
    • CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY
    • CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST
    • CERT_REV_MI_NO_OVERALL_INFO_REQUIREMENT
    • CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE
    • CERT_POLICY_FLAG_NO_MAPPING
    • CERT_POLICY_FLAG_EXPLICIT
    • CERT_POLICY_FLAG_NO_ANY
    • CERT_ENABLE_LDAP_FETCH
    • CERT_ENABLE_HTTP_FETCH
• New macro in utilrename.h:
  • SMIME_AES_CBC_128
• The nssckbi PKCS #11 module's version changed to 1.70.
• In pkcs11n.h, all the _NETSCAPE_ macros are renamed with _NSS_
  • For example, CKO_NETSCAPE_CRL becomes CKO_NSS_CRL.
• New for PKCS #11 (see pkcs11t.h for details):
  • CKK: Keys
    • CKK_CAMELLIA
  • CKM: Mechanisms
    • CKM_SHA224_RSA_PKCS
    • CKM_SHA224_RSA_PKCS_PSS
    • CKM_SHA224
    • CKM_SHA224_HMAC
    • CKM_SHA224_HMAC_GENERAL
    • CKM_SHA224_KEY_DERIVATION
    • CKM_CAMELLIA_KEY_GEN
    • CKM_CAMELLIA_ECB
    • CKM_CAMELLIA_CBC
    • CKM_CAMELLIA_MAC
    • CKM_CAMELLIA_MAC_GENERAL
    • CKM_CAMELLIA_CBC_PAD
    • CKM_CAMELLIA_ECB_ENCRYPT_DATA
    • CKM_CAMELLIA_CBC_ENCRYPT_DATA
  • CKG: MFGs
    • CKG_MGF1_SHA224
• New error codes (see secerr.h):
  • SEC_ERROR_NOT_INITIALIZED
  • SEC_ERROR_TOKEN_NOT_LOGGED_IN
  • SEC_ERROR_OCSP_RESPONDER_CERT_INVALID
  • SEC_ERROR_OCSP_BAD_SIGNATURE
  • SEC_ERROR_OUT_OF_SEARCH_LIMITS
  • SEC_ERROR_INVALID_POLICY_MAPPING
  • SEC_ERROR_POLICY_VALIDATION_FAILED
  • SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE
  • SEC_ERROR_BAD_HTTP_RESPONSE
  • SEC_ERROR_BAD_LDAP_RESPONSE
  • SEC_ERROR_FAILED_TO_ENCODE_DATA
  • SEC_ERROR_BAD_INFO_ACCESS_LOCATION
  • SEC_ERROR_LIBPKIX_INTERNAL
• New mechanism flags (see secmod.h)
  • PUBLIC_MECH_AES_FLAG
  • PUBLIC_MECH_SHA256_FLAG
  • PUBLIC_MECH_SHA512_FLAG
  • PUBLIC_MECH_CAMELLIA_FLAG
• New OIDs (see secoidt.h)
  • new EC Signature oids
    • SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST
    • SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST
    • SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE
    • SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE
    • SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE
    • SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE
  • More id-ce and id-pe OIDs from RFC 3280
    • SEC_OID_X509_HOLD_INSTRUCTION_CODE
    • SEC_OID_X509_DELTA_CRL_INDICATOR
    • SEC_OID_X509_ISSUING_DISTRIBUTION_POINT
    • SEC_OID_X509_CERT_ISSUER
    • SEC_OID_X509_FRESHEST_CRL
    • SEC_OID_X509_INHIBIT_ANY_POLICY
    • SEC_OID_X509_SUBJECT_INFO_ACCESS
  • Camellia OIDs (RFC3657)
    • SEC_OID_CAMELLIA_128_CBC
    • SEC_OID_CAMELLIA_192_CBC
    • SEC_OID_CAMELLIA_256_CBC
  • PKCS 5 V2 OIDS
    • SEC_OID_PKCS5_PBKDF2
    • SEC_OID_PKCS5_PBES2
    • SEC_OID_PKCS5_PBMAC1
    • SEC_OID_HMAC_SHA1
    • SEC_OID_HMAC_SHA224
    • SEC_OID_HMAC_SHA256
    • SEC_OID_HMAC_SHA384
    • SEC_OID_HMAC_SHA512
    • SEC_OID_PKIX_TIMESTAMPING
    • SEC_OID_PKIX_CA_REPOSITORY
    • SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE
• Changed OIDs (see secoidt.h)
  • SEC_OID_PKCS12_KEY_USAGE changed to SEC_OID_BOGUS_KEY_USAGE
  • SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST changed to SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE
  • Note: SEC_OID_ANSIX962_ECDSA_SIGNATURE_WITH_SHA1_DIGEST is also kept for compatibility reasons.
• TLS Session ticket extension (off by default)
  • See SSL_ENABLE_SESSION_TICKETS in ssl.h
• New SSL error codes (see sslerr.h)
  • SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
  • SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT
  • SSL_ERROR_UNRECOGNIZED_NAME_ALERT
  • SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT
  • SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT
  • SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
  • SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET
• New TLS cipher suites (see sslproto.h):
  • TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
• Note: the following TLS cipher suites are declared but are not yet implemented:
  • TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA
  • TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA
  • TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA
  • TLS_ECDH_anon_WITH_NULL_SHA
  • TLS_ECDH_anon_WITH_RC4_128_SHA
  • TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_128_CBC_SHA
  • TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Bugs Fixed

• Bug 354403: nssList_CreateIterator returns pointer to a freed memory if the function fails to allocate a lock
• Bug 399236: pkix wrapper must print debug output into stderr
• Bug 399300: PKIX error results not freed after use.
• Bug 414985: Crash in pkix_pl_OcspRequest_Destroy
• Bug 421870: Strsclnt crashed in PKIX tests.
• Bug 429388: vfychain.main leaks memory
• Bug 396044: Warning: usage of uninitialized variable in ckfw/object.c(174)
• Bug 396045: Warning: usage of uninitialized variable in ckfw/mechanism.c(719)
• Bug 401986: Mac OS X leopard build failure in legacydb
• Bug 325805: diff considers mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file
• Bug 385151: Remove the link time dependency from NSS to Softoken
• Bug 387892: Add Entrust root CA certificate(s) to NSS
• Bug 433386: when system clock is off by more than two days, OSCP check fails, can result in crash if user tries to view certificate [[@ SECITEM_CompareItem_Util] [[@ memcmp]
• Bug 396256: certutil and pp do not print all the GeneralNames in a CRLDP extension
• Bug 398019: correct confusing and erroneous comments in DER_AsciiToTime
• Bug 422866: vfychain -pp command crashes in NSS_shutdown
• Bug 345779: Useless assignment statements in ec_GF2m_pt_mul_mont
• Bug 349011: please stop exporting these crmf_ symbols
• Bug 397178: Crash when entering chrome://pippki/content/resetpassword.xul in URL bar
• Bug 403822: pkix_pl_OcspRequest_Create can leave some members uninitialized
• Bug 403910: CERT_FindUserCertByUsage() returns wrong certificate if multiple certs with same subject available
• Bug 404919: memory leak in sftkdb_ReadSecmodDB() (sftkmod.c)
• Bug 406120: Allow application to specify OCSP timeout
• Bug 361025: Support for Camellia Cipher Suites to TLS RFC4132
• Bug 376417: PK11_GenerateKeyPair needs to get the key usage from the caller.
• Bug 391291: Shared Database Integrity checks not yet implemented.
• Bug 391292: Shared Database implementation slow
• Bug 391294: Shared Database implementation really slow on network file systems
• Bug 392521: Automatic shared db update fails if user opens database R/W but never supplies a password
• Bug 392522: Integrity hashes must be updated when passwords are changed.
• Bug 401610: Shared DB fails on IOPR tests
• Bug 388120: build error due to SEC_BEGIN_PROTOS / SEC_END_PROTOS are undefined
• Bug 415264: Make Security use of new NSPR rotate macros
• Bug 317052: lib/base/whatnspr.c is obsolete
• Bug 317323: Set NSPR31_LIB_PREFIX to empty explicitly for WIN95 and WINCE builds
• Bug 320336: SECITEM_AllocItem returns a non-NULL pointer if the allocation of its 'data' buffer fails
• Bug 327529: Can't pass 0 as an unnamed null pointer argument to CERT_CreateRDN
• Bug 334683: Extraneous semicolons cause Empty declaration compiler warnings
• Bug 335275: Compile with the GCC flag -Werror-implicit-function-declaration
• Bug 354565: fipstest sha_test needs to detect SHA tests that are incorrectly configured for BIT oriented implementations
• Bug 356595: On Windows, RNG_SystemInfoForRNG calls GetCurrentProcess, which returns the constant (HANDLE)-1.
• Bug 357015: On Windows, ReadSystemFiles reads 21 files as opposed to 10 files in C:\WINDOWS\system32.
• Bug 361076: Clean up the USE_PTHREADS related code in coreconf/SunOS5.mk.
• Bug 361077: Clean up the USE_PTHREADS related code in coreconf/HP-UX*.mk.
• Bug 402114: Fix the incorrect function prototypes of SSL handshake callbacks
• Bug 402308: Fix miscellaneous compiler warnings in nss/cmd
• Bug 402777: lib/util can't be built stand-alone.
• Bug 407866: Contributed improvement to security/nss/lib/freebl/mpi/mp_comba.c
• Bug 410587: SSL_GetChannelInfo returns SECSuccess on invalid arguments
• Bug 416508: Fix a _MSC_VER typo in sha512.c, and use SEC_BEGIN_PROTOS/SEC_END_PROTOS in secport.h
• Bug 419242: 'all' is not the default makefile target in lib/softoken and lib/softoken/legacydb
• Bug 419523: Export Cert_NewTempCertificate.
• Bug 287061: CRL number should be a big integer, not ulong
• Bug 301213: Combine internal libpkix function tests into a single statically linked program
• Bug 324740: add generation of SIA and AIA extensions to certutil
• Bug 339737: LIBPKIX OCSP checking calls CERT_VerifyCert
• Bug 358785: Merge NSS_LIBPKIX_BRANCH back to trunk
• Bug 365966: infinite recursive call in VFY_VerifyDigestDirect
• Bug 382078: pkix default http client returns error when try to get an ocsp response.
• Bug 384926: libpkix build problems
• Bug 389411: Mingw build error - undefined reference to `_imp__PKIX_ERRORNAMES'
• Bug 389904: avoid multiple decoding/encoding while creating and using PKIX_PL_X500Name
• Bug 390209: pkix AIA manager tries to get certs using AIA url with OCSP access method
• Bug 390233: umbrella bug for libPKIX cert validation failures discovered from running vfyserv
• Bug 390499: libpkix does not check cached cert chain for revocation
• Bug 390502: libpkix fails cert validation when no valid CRL (NIST validation policy is always enforced)
• Bug 390530: libpkix does not support time override
• Bug 390536: Cert validation functions must validate leaf cert themselves
• Bug 390554: all PKIX_NULLCHECK_ errors are reported as PKIX ALLOC ERROR
• Bug 390888: CERT_Verify* functions should be able to use libPKIX
• Bug 391457: libpkix does not check for object ref leak at shutdown
• Bug 391774: PKIX_Shutdown is not called by nssinit.c
• Bug 393174: Memory leaks in ocspclnt/PKIX.
• Bug 395093: pkix_pl_HttpCertStore_ProcessCertResponse is unable to process certs in DER format
• Bug 395224: Don't reject certs with critical NetscapeCertType extensions in libPKIX
• Bug 395427: PKIX_PL_Initialize must not call NSS_Init
• Bug 395850: build of libpkix tests creates links to nonexistant shared libraries and breaks windows build
• Bug 398401: Memory leak in PKIX init.
• Bug 399326: libpkix is unable to validate cert for certUsageStatusResponder
• Bug 400947: thread unsafe operation in PKIX_PL_HashTable_Add cause selfserv to crash.
• Bug 402773: Verify the list of public header files in NSS 3.12
• Bug 403470: Strsclnt + tstclnt crashes when PKIX enabled.
• Bug 403685: Application crashes after having called CERT_PKIXVerifyCert
• Bug 408434: Crash with PKIX based verify
• Bug 411614: Explicit Policy does not seem to work.
• Bug 417024: Convert libpkix error code into nss error code
• Bug 422859: libPKIX builds & validates chain to root not in the caller-provided anchor list
• Bug 425516: need to destroy data pointed by CERTValOutParam array in case of error
• Bug 426450: PKIX_PL_HashTable_Remove leaks hashtable key object
• Bug 429230: memory leak in pkix_CheckCert function
• Bug 392696: Fix copyright boilerplate in all new PKIX code
• Bug 300928: Integrate libpkix to NSS
• Bug 303457: extensions newly supported in libpkix must be marked supported
• Bug 331096: NSS Softoken must detect forks on all unix-ish platforms
• Bug 390710: CERTNameConstraintsTemplate is incorrect
• Bug 416928: DER decode error on this policy extension
• Bug 375019: Cache-enable pkix_OcspChecker_Check
• Bug 391454: libPKIX does not honor NSS's override trust flags
• Bug 403682: CERT_PKIXVerifyCert never succeeds
• Bug 324744: add generation of policy extensions to certutil
• Bug 390973: Add long option names to SECU_ParseCommandLine
• Bug 161326: need API to convert dotted OID format to/from octet representation
• Bug 376737: CERT_ImportCerts routinely sets VALID_PEER or VALID_CA OVERRIDE trust flags
• Bug 390381: libpkix rejects cert chain when root CA cert has no basic constraints
• Bug 391183: rename libPKIX error string number type to pkix error number types
• Bug 397122: NSS 3.12 alpha treats a key3.db with no global salt as having no password
• Bug 405966: Unknown signature OID 1.3.14.3.2.29 causes sec_error_bad_signature, 3.11 ignores it
• Bug 413010: CERT_CompareRDN may return a false match
• Bug 417664: false positive crl revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
• Bug 404526: glibc detected free(): invalid pointer
• Bug 300929: Certificate Policy extensions not supported
• Bug 129303: NSS needs to expose interfaces to deal with multiple token sources of certs.
• Bug 217538: softoken databases cannot be shared between multiple processes
• Bug 294531: Design new interfaces for certificate path building and verification for libPKIX
• Bug 326482: NSS ECC performance problems (intel)
• Bug 391296: Need an update helper for Shared Databases
• Bug 395090: remove duplication of pkcs7 code from pkix_pl_httpcertstore.c
• Bug 401026: Need to provide a way to modify and create new PKCS #11 objects.
• Bug 403680: CERT_PKIXVerifyCert fails if CRLs are missing, implement cert_pi_revocationFlags
• Bug 427706: NSS_3_12_RC1 crashes in passwordmgr tests
• Bug 426245: Assertion failure went undetected by tinderbox
• Bug 158242: PK11_PutCRL is very memory inefficient
• Bug 287563: Please make cert_CompareNameWithConstraints a non-static function
• Bug 301496: NSS_Shutdown failure in p7sign
• Bug 324878: crlutil -L outputs false CRL names
• Bug 337010: OOM crash [[@ NSC_DigestKey] Dereferencing possibly NULL att
• Bug 343231: certutil issues certs for invalid requests
• Bug 353371: Klocwork 91117 - Null Pointer Dereference in CERT_CertChainFromCert
• Bug 353374: Klocwork 76494 - Null ptr derefs in CERT_FormatName
• Bug 353375: Klocwork 76513 - Null ptr deref in nssCertificateList_DoCallback
• Bug 353413: Klocwork 76541 free uninitialized pointer in CERT_FindCertURLExtension
• Bug 353416: Klocwork 76593 null ptr deref in nssCryptokiPrivateKey_SetCertificate
• Bug 353423: Klocwork bugs in nss/lib/pk11wrap/dev3hack.c
• Bug 353739: Klocwork Null ptr dereferences in instance.c
• Bug 353741: klocwork cascading memory leak in mpp_make_prime
• Bug 353742: klocwork null ptr dereference in ocsp_DecodeResponseBytes
• Bug 353748: klocwork null ptr dereferences in pki3hack.c
• Bug 353760: klocwork null pointer dereference in p7decode.c
• Bug 353763: klocwork Null ptr dereferences in pk11cert.c
• Bug 353773: klocwork Null ptr dereferences in pk11nobj.c
• Bug 353777: Klocwork Null ptr dereferences in pk11obj.c
• Bug 353780: Klocwork NULL ptr dereferences in pkcs11.c
• Bug 353865: klocwork Null ptr deref in softoken/pk11db.c
• Bug 353888: klockwork IDs for ssl3con.c
• Bug 353895: klocwork Null ptr derefs in pki/pkibase.c
• Bug 353902: klocwork bugs in stanpcertdb.c
• Bug 353903: klocwork oom crash in softoken/keydb.c
• Bug 353908: klocwork OOM crash in tdcache.c
• Bug 353909: klocwork ptr dereference before NULL check in devutil.c
• Bug 353912: Misc klocwork bugs in lib/ckfw
• Bug 354008: klocwork bugs in freebl
• Bug 359331: modutil -changepw strict shutdown failure
• Bug 373367: verify OCSP response signature in libpkix without decoding and reencoding
• Bug 390542: libpkix fails to validate a chain that consists only of one self issued, trusted cert
• Bug 390728: pkix_pl_OcspRequest_Create throws an error if it was not able to get AIA location
• Bug 397825: libpkix: ifdef code that uses user object types
• Bug 397832: libpkix leaks memory if a macro calls a function that returns an error
• Bug 402727: functions responsible for creating an object leak if subsequent function code produces an error
• Bug 402731: pkix_pl_Pk11CertStore_CrlQuery will crash if fails to acquire DP cache.
• Bug 406647: libpkix does not use user defined revocation checkers
• Bug 407064: pkix_pl_LdapCertStore_BuildCrlList should not fail if a crl fails to be decoded
• Bug 421216: libpkix test nss_thread leaks a test certificate
• Bug 301259: signtool Usage message is unhelpful
• Bug 389781: NSS should be built size-optimized in browser builds on Linux, Windows, and Mac
• Bug 90426: use of obsolete typedefs in public NSS headers
• Bug 113323: The first argument to PK11_FindCertFromNickname should be const.
• Bug 132485: built-in root certs slot description is empty
• Bug 177184: NSS_CMSDecoder_Cancel might have a leak
• Bug 232392: Erroneous root CA tests in NSS Libraries
• Bug 286642: util should be in a shared library
• Bug 287052: Function to get CRL Entry reason code has incorrect prototype and implementation
• Bug 299308: Need additional APIs in the CRL cache for libpkix
• Bug 335039: nssCKFWCryptoOperation_UpdateCombo is not declared
• Bug 340917: crlutil should init NSS read-only for some options
• Bug 350948: freebl macro change can give 1% improvement in RSA performance on amd64
• Bug 352439: Reference leaks in modutil
• Bug 369144: certutil needs option to generate SubjectKeyID extension
• Bug 391771: pk11_config_name and pk11_config_strings leaked on shutdown
• Bug 401194: crash in lg_FindObjects on win64
• Bug 405652: In the TLS ClientHello message the gmt_unix_time is incorrect
• Bug 424917: Performance regression with studio 12 compiler
• Bug 391770: OCSP_Global.monitor is leaked on shutdown
• Bug 403687: move pkix functions to certvfypkix.c, turn off EV_TEST_HACK
• Bug 428105: CERT_SetOCSPTimeout is not defined in any public header file
• Bug 213359: enhance PK12util to extract certs from p12 file
• Bug 329067: NSS encodes cert distinguished name attributes with wrong string type
• Bug 339906: sec_pkcs12_install_bags passes uninitialized variables to functions
• Bug 396484: certutil doesn't truncate existing temporary files when writing them
• Bug 251594: Certificate from PKCS#12 file with colon in friendlyName not selectable for signing/encryption
• Bug 321584: NSS PKCS12 decoder fails to import bags without nicknames
• Bug 332633: remove duplicate header files in nss/cmd/sslsample
• Bug 335019: pk12util takes friendly name from key, not cert
• Bug 339173: mem leak whenever SECMOD_HANDLE_STRING_ARG called in loop
• Bug 353904: klocwork Null ptr deref in secasn1d.c
• Bug 366390: correct misleading function names in fipstest
• Bug 370536: Memory leaks in pointer tracker code in DEBUG builds only
• Bug 372242: CERT_CompareRDN uses incorrect algorithm
• Bug 379753: S/MIME should support AES
• Bug 381375: ocspclnt doesn't work on Windows
• Bug 398693: DER_AsciiToTime produces incorrect output for dates 1950-1970
• Bug 420212: Empty cert DNs handled badly, display as !INVALID AVA!
• Bug 420979: vfychain ignores -b TIME option when -p option is present
• Bug 403563: Implement the TLS session ticket extension (STE)
• Bug 400917: Want exported function that outputs all host names for DNS name matching
• Bug 315643: test_buildchain_resourcelimits won't build
• Bug 353745: klocwork null ptr dereference in PKCS12 decoder
• Bug 338367: The GF2M_POPULATE and GFP_POPULATE should check the ecCurve_map array index bounds before use
• Bug 201139: SSLTap should display plain text for NULL cipher suites
• Bug 233806: Support NIST CRL policy
• Bug 279085: NSS tools display public exponent as negative number
• Bug 363480: ocspclnt needs option to take cert from specified file
• Bug 265715: remove unused hsearch.c DBM code
• Bug 337361: Leaks in jar_parse_any (security/nss/lib/jar/jarver.c)
• Bug 338453: Leaks in security/nss/lib/jar/jarfile.c
• Bug 351408: Leaks in JAR_JAR_sign_archive (security/nss/lib/jar/jarjart.c)
• Bug 351443: Remove unused code from mozilla/security/nss/lib/jar
• Bug 351510: Remove USE_MOZ_THREAD code from mozilla/security/lib/jar
• Bug 118830: NSS public header files should be C++ safe
• Bug 123996: certutil -H doesn't document certutil -C -a
• Bug 178894: Quick decoder updates for lib/certdb and lib/certhigh
• Bug 220115: CKM_INVALID_MECHANISM should be an unsigned long constant.
• Bug 330721: Remove OS/2 VACPP compiler support from NSS
• Bug 408260: certutil usage doesn't give enough information about trust arguments
• Bug 410226: leak in create_objects_from_handles
• Bug 415007: PK11_FindCertFromDERSubjectAndNickname is dead code
• Bug 416267: compiler warnings on solaris due to extra semicolon in SEC_ASN1_MKSUB
• Bug 419763: logger thread should be joined on exit
• Bug 424471: counter overflow in bltest
• Bug 229335: Remove certificates that expired in August 2004 from tree
• Bug 346551: init SECItem derTemp in crmf_encode_popoprivkey
• Bug 395080: Double backslash in sysDir filenames causes problems on OS/2
• Bug 341371: certutil lacks a way to request a certificate with an existing key
• Bug 382292: add support for Camellia to cmd/symkeyutil
• Bug 385642: Add additional cert usage(s) for certutil's -V -u option
• Bug 175741: strict aliasing bugs in mozilla/dbm
• Bug 210584: CERT_AsciiToName doesn't accept all valid values
• Bug 298540: vfychain usage option should be improved and documented
• Bug 323570: Make dbck Debug mode work with Softoken
• Bug 371470: vfychain needs option to verify for specific date
• Bug 387621: certutil's random noise generator isn't very efficient
• Bug 390185: signtool error message wrongly uses the term database
• Bug 391651: Need config.mk file for Windows Vista
• Bug 396322: Fix secutil's code and NSS tools that print public keys
• Bug 417641: miscellaneous minor NSS bugs
• Bug 334914: hopefully useless null check of out it in JAR_find_next
• Bug 95323: ckfw should support cipher operations.
• Bug 337088: Coverity 405, PK11_ParamToAlgid() in mozilla/security/nss/lib/pk11wrap/pk11mech.c
• Bug 339907: oaep_xor_with_h1 allocates and leaks sha1cx
• Bug 341122: Coverity 633 SFTK_DestroySlotData uses slot->slotLock then checks it for NULL
• Bug 351140: Coverity 995, potential crash in ecgroup_fromNameAndHex
• Bug 362278: lib/util includes header files from other NSS directories
• Bug 228190: Remove unnecessary NSS_ENABLE_ECC defines from manifest.mn
• Bug 412906: remove sha.c and sha.h from lib/freebl
• Bug 353543: valgrind uninitialized memory read in nssPKIObjectCollection_AddInstances
• Bug 377548: NSS QA test program certutil's default DSA prime is only 512 bits
• Bug 333405: item cleanup is unused DEADCODE in SECITEM_AllocItem loser
• Bug 288730: compiler warnings in certutil
• Bug 337251: warning: /* within comment
• Bug 362967: export SECMOD_DeleteModuleEx
• Bug 389248: NSS build failure when NSS_ENABLE_ECC is not defined
• Bug 390451: Remembered passwords lost when changing Master Password
• Bug 418546: reference leak in CERT_PKIXVerifyCert
• Bug 390074: OS/2 sign.cmd doesn't find sqlite3.dll
• Bug 417392: certutil -L -n reports bogus trust flags

Documentation

• Build Instructions for NSS 3.11.4 and above
• NSS Shared DB
• NSS environment variables

Compatibility

Feedback