NSS_3.12_release_notes.html

NSS 3.12 Release Notes

17 June 2008

Introduction
Distribution Information
New in NSS 3.12
Bugs Fixed
Documentation
Compatibility
Feedback

Introduction

Network Security Services (NSS) 3.12 is a minor release with the following new features:

SQLite-Based Shareable Certificate and Key Databases
libpkix: an RFC 3280 Compliant Certificate Path Validation Library
Camellia cipher support
TLS session ticket extension (RFC 5077)

NSS 3.12 is tri-licensed under the MPL 1.1/GPL 2.0/LGPL 2.1.

Note: Firefox 3 uses NSS 3.12, but not the new SQLite-based shareable certificate and key databases. We missed the deadline to enable that feature in Firefox 3.

Distribution Information

The CVS tag for the NSS 3.12 release is NSS_3_12_RTM. NSS 3.12 requires NSPR 4.7.1.

See the Documentation section for the build instructions.

NSS 3.12 source and binary distributions are also available on ftp.mozilla.org for secure HTTPS download:

Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/.
Binary distributions: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/. Both debug and optimized builds are provided. Go to the subdirectory for your platform, DBG (debug) or OPT (optimized), to get the tar.gz or zip file. The tar.gz or zip file expands to an nss-3.12 directory containing three subdirectories:

include - NSS header files
lib - NSS shared libraries
bin - NSS Tools and test programs

You also need to download the NSPR 4.7.1 binary distributions to get the NSPR 4.7.1 header files and shared libraries, which NSS 3.12 requires. NSPR 4.7.1 binary distributions are in https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.7.1/.

NSS 3.12 libraries have the following versions:

sqlite3: 3.3.17
nssckbi: 1.70
softokn3 and freebl3: 3.12.0.3
other NSS libraries: 3.12.0.3

New in NSS 3.12

3 new shared library are shipped with NSS 3.12:

1 new include file is shipped with NSS3.12:

New functions in the nss shared library:

New macros for Camellia support (see blapit.h):

New macros for RSA (see blapit.h):

New macros in certt.h:

X.509 v3

PKIX

New macro in utilrename.h:

The nssckbi PKCS #11 module's version changed to 1.70.
In pkcs11n.h, all the _NETSCAPE_ macros are renamed with _NSS_

New for PKCS #11 (see pkcs11t.h for details):

CKK: Keys

CKM: Mechanisms

CKG: MFGs

New error codes (see secerr.h):

New mechanism flags (see secmod.h)

New OIDs (see secoidt.h)

new EC Signature oids

More id-ce and id-pe OIDs from RFC 3280

Camellia OIDs (RFC3657)

PKCS 5 V2 OIDS

Changed OIDs (see secoidt.h)

TLS Session ticket extension (off by default)

New SSL error codes (see sslerr.h)

New TLS cipher suites (see sslproto.h):

Note: the following TLS cipher suites are declared but are not yet implemented:

Bugs Fixed

The following bugs have been fixed in NSS 3.12.

Bug 354403: nssList_CreateIterator returns pointer to a freed memory if the function fails to allocate a lock
Bug 399236: pkix wrapper must print debug output into stderr
Bug 399300: PKIX error results not freed after use.
Bug 414985: Crash in pkix_pl_OcspRequest_Destroy
Bug 421870: Strsclnt crashed in PKIX tests.
Bug 429388: vfychain.main leaks memory
Bug 396044: Warning: usage of uninitialized variable in ckfw/object.c(174)
Bug 396045: Warning: usage of uninitialized variable in ckfw/mechanism.c(719)
Bug 401986: Mac OS X leopard build failure in legacydb
Bug 325805: diff considers mozilla/security/nss/cmd/pk11util/scripts/pkey a binary file
Bug 385151: Remove the link time dependency from NSS to Softoken
Bug 387892: Add Entrust root CA certificate(s) to NSS
Bug 433386: when system clock is off by more than two days, OSCP check fails, can result in crash if user tries to view certificate [[@ SECITEM_CompareItem_Util] [[@ memcmp]
Bug 396256: certutil and pp do not print all the GeneralNames in a CRLDP extension
Bug 398019: correct confusing and erroneous comments in DER_AsciiToTime
Bug 422866: vfychain -pp command crashes in NSS_shutdown
Bug 345779: Useless assignment statements in ec_GF2m_pt_mul_mont
Bug 349011: please stop exporting these crmf_ symbols
Bug 397178: Crash when entering chrome://pippki/content/resetpassword.xul in URL bar
Bug 403822: pkix_pl_OcspRequest_Create can leave some members uninitialized
Bug 403910: CERT_FindUserCertByUsage() returns wrong certificate if multiple certs with same subject available
Bug 404919: memory leak in sftkdb_ReadSecmodDB() (sftkmod.c)
Bug 406120: Allow application to specify OCSP timeout
Bug 361025: Support for Camellia Cipher Suites to TLS RFC4132
Bug 376417: PK11_GenerateKeyPair needs to get the key usage from the caller.
Bug 391291: Shared Database Integrity checks not yet implemented.
Bug 391292: Shared Database implementation slow
Bug 391294: Shared Database implementation really slow on network file systems
Bug 392521: Automatic shared db update fails if user opens database R/W but never supplies a password
Bug 392522: Integrity hashes must be updated when passwords are changed.
Bug 401610: Shared DB fails on IOPR tests
Bug 388120: build error due to SEC_BEGIN_PROTOS / SEC_END_PROTOS are undefined
Bug 415264: Make Security use of new NSPR rotate macros
Bug 317052: lib/base/whatnspr.c is obsolete
Bug 317323: Set NSPR31_LIB_PREFIX to empty explicitly for WIN95 and WINCE builds
Bug 320336: SECITEM_AllocItem returns a non-NULL pointer if the allocation of its 'data' buffer fails
Bug 327529: Can't pass 0 as an unnamed null pointer argument to CERT_CreateRDN
Bug 334683: Extraneous semicolons cause Empty declaration compiler warnings
Bug 335275: Compile with the GCC flag -Werror-implicit-function-declaration
Bug 354565: fipstest sha_test needs to detect SHA tests that are incorrectly configured for BIT oriented implementations
Bug 356595: On Windows, RNG_SystemInfoForRNG calls GetCurrentProcess, which returns the constant (HANDLE)-1.
Bug 357015: On Windows, ReadSystemFiles reads 21 files as opposed to 10 files in C:\WINDOWS\system32.
Bug 361076: Clean up the USE_PTHREADS related code in coreconf/SunOS5.mk.
Bug 361077: Clean up the USE_PTHREADS related code in coreconf/HP-UX*.mk.
Bug 402114: Fix the incorrect function prototypes of SSL handshake callbacks
Bug 402308: Fix miscellaneous compiler warnings in nss/cmd
Bug 402777: lib/util can't be built stand-alone.
Bug 407866: Contributed improvement to security/nss/lib/freebl/mpi/mp_comba.c
Bug 410587: SSL_GetChannelInfo returns SECSuccess on invalid arguments
Bug 416508: Fix a _MSC_VER typo in sha512.c, and use SEC_BEGIN_PROTOS/SEC_END_PROTOS in secport.h
Bug 419242: 'all' is not the default makefile target in lib/softoken and lib/softoken/legacydb
Bug 419523: Export Cert_NewTempCertificate.
Bug 287061: CRL number should be a big integer, not ulong
Bug 301213: Combine internal libpkix function tests into a single statically linked program
Bug 324740: add generation of SIA and AIA extensions to certutil
Bug 339737: LIBPKIX OCSP checking calls CERT_VerifyCert
Bug 358785: Merge NSS_LIBPKIX_BRANCH back to trunk
Bug 365966: infinite recursive call in VFY_VerifyDigestDirect
Bug 382078: pkix default http client returns error when try to get an ocsp response.
Bug 384926: libpkix build problems
Bug 389411: Mingw build error - undefined reference to `_imp__PKIX_ERRORNAMES'
Bug 389904: avoid multiple decoding/encoding while creating and using PKIX_PL_X500Name
Bug 390209: pkix AIA manager tries to get certs using AIA url with OCSP access method
Bug 390233: umbrella bug for libPKIX cert validation failures discovered from running vfyserv
Bug 390499: libpkix does not check cached cert chain for revocation
Bug 390502: libpkix fails cert validation when no valid CRL (NIST validation policy is always enforced)
Bug 390530: libpkix does not support time override
Bug 390536: Cert validation functions must validate leaf cert themselves
Bug 390554: all PKIX_NULLCHECK_ errors are reported as PKIX ALLOC ERROR
Bug 390888: CERT_Verify* functions should be able to use libPKIX
Bug 391457: libpkix does not check for object ref leak at shutdown
Bug 391774: PKIX_Shutdown is not called by nssinit.c
Bug 393174: Memory leaks in ocspclnt/PKIX.
Bug 395093: pkix_pl_HttpCertStore_ProcessCertResponse is unable to process certs in DER format
Bug 395224: Don't reject certs with critical NetscapeCertType extensions in libPKIX
Bug 395427: PKIX_PL_Initialize must not call NSS_Init
Bug 395850: build of libpkix tests creates links to nonexistant shared libraries and breaks windows build
Bug 398401: Memory leak in PKIX init.
Bug 399326: libpkix is unable to validate cert for certUsageStatusResponder
Bug 400947: thread unsafe operation in PKIX_PL_HashTable_Add cause selfserv to crash.
Bug 402773: Verify the list of public header files in NSS 3.12
Bug 403470: Strsclnt + tstclnt crashes when PKIX enabled.
Bug 403685: Application crashes after having called CERT_PKIXVerifyCert
Bug 408434: Crash with PKIX based verify
Bug 411614: Explicit Policy does not seem to work.
Bug 417024: Convert libpkix error code into nss error code
Bug 422859: libPKIX builds & validates chain to root not in the caller-provided anchor list
Bug 425516: need to destroy data pointed by CERTValOutParam array in case of error
Bug 426450: PKIX_PL_HashTable_Remove leaks hashtable key object
Bug 429230: memory leak in pkix_CheckCert function
Bug 392696: Fix copyright boilerplate in all new PKIX code
Bug 300928: Integrate libpkix to NSS
Bug 303457: extensions newly supported in libpkix must be marked supported
Bug 331096: NSS Softoken must detect forks on all unix-ish platforms
Bug 390710: CERTNameConstraintsTemplate is incorrect
Bug 416928: DER decode error on this policy extension
Bug 375019: Cache-enable pkix_OcspChecker_Check
Bug 391454: libPKIX does not honor NSS's override trust flags
Bug 403682: CERT_PKIXVerifyCert never succeeds
Bug 324744: add generation of policy extensions to certutil
Bug 390973: Add long option names to SECU_ParseCommandLine
Bug 161326: need API to convert dotted OID format to/from octet representation
Bug 376737: CERT_ImportCerts routinely sets VALID_PEER or VALID_CA OVERRIDE trust flags
Bug 390381: libpkix rejects cert chain when root CA cert has no basic constraints
Bug 391183: rename libPKIX error string number type to pkix error number types
Bug 397122: NSS 3.12 alpha treats a key3.db with no global salt as having no password
Bug 405966: Unknown signature OID 1.3.14.3.2.29 causes sec_error_bad_signature, 3.11 ignores it
Bug 413010: CERT_CompareRDN may return a false match
Bug 417664: false positive crl revocation test on ppc/ppc64 NSS_ENABLE_PKIX_VERIFY=1
Bug 404526: glibc detected free(): invalid pointer
Bug 300929: Certificate Policy extensions not supported
Bug 129303: NSS needs to expose interfaces to deal with multiple token sources of certs.
Bug 217538: softoken databases cannot be shared between multiple processes
Bug 294531: Design new interfaces for certificate path building and verification for libPKIX
Bug 326482: NSS ECC performance problems (intel)
Bug 391296: Need an update helper for Shared Databases
Bug 395090: remove duplication of pkcs7 code from pkix_pl_httpcertstore.c
Bug 401026: Need to provide a way to modify and create new PKCS #11 objects.
Bug 403680: CERT_PKIXVerifyCert fails if CRLs are missing, implement cert_pi_revocationFlags
Bug 427706: NSS_3_12_RC1 crashes in passwordmgr tests
Bug 426245: Assertion failure went undetected by tinderbox
Bug 158242: PK11_PutCRL is very memory inefficient
Bug 287563: Please make cert_CompareNameWithConstraints a non-static function
Bug 301496: NSS_Shutdown failure in p7sign
Bug 324878: crlutil -L outputs false CRL names
Bug 337010: OOM crash [[@ NSC_DigestKey] Dereferencing possibly NULL att
Bug 343231: certutil issues certs for invalid requests
Bug 353371: Klocwork 91117 - Null Pointer Dereference in CERT_CertChainFromCert
Bug 353374: Klocwork 76494 - Null ptr derefs in CERT_FormatName
Bug 353375: Klocwork 76513 - Null ptr deref in nssCertificateList_DoCallback
Bug 353413: Klocwork 76541 free uninitialized pointer in CERT_FindCertURLExtension
Bug 353416: Klocwork 76593 null ptr deref in nssCryptokiPrivateKey_SetCertificate
Bug 353423: Klocwork bugs in nss/lib/pk11wrap/dev3hack.c
Bug 353739: Klocwork Null ptr dereferences in instance.c
Bug 353741: klocwork cascading memory leak in mpp_make_prime
Bug 353742: klocwork null ptr dereference in ocsp_DecodeResponseBytes
Bug 353748: klocwork null ptr dereferences in pki3hack.c
Bug 353760: klocwork null pointer dereference in p7decode.c
Bug 353763: klocwork Null ptr dereferences in pk11cert.c
Bug 353773: klocwork Null ptr dereferences in pk11nobj.c
Bug 353777: Klocwork Null ptr dereferences in pk11obj.c
Bug 353780: Klocwork NULL ptr dereferences in pkcs11.c
Bug 353865: klocwork Null ptr deref in softoken/pk11db.c
Bug 353888: klockwork IDs for ssl3con.c
Bug 353895: klocwork Null ptr derefs in pki/pkibase.c
Bug 353902: klocwork bugs in stanpcertdb.c
Bug 353903: klocwork oom crash in softoken/keydb.c
Bug 353908: klocwork OOM crash in tdcache.c
Bug 353909: klocwork ptr dereference before NULL check in devutil.c
Bug 353912: Misc klocwork bugs in lib/ckfw
Bug 354008: klocwork bugs in freebl
Bug 359331: modutil -changepw strict shutdown failure
Bug 373367: verify OCSP response signature in libpkix without decoding and reencoding
Bug 390542: libpkix fails to validate a chain that consists only of one self issued, trusted cert
Bug 390728: pkix_pl_OcspRequest_Create throws an error if it was not able to get AIA location
Bug 397825: libpkix: ifdef code that uses user object types
Bug 397832: libpkix leaks memory if a macro calls a function that returns an error
Bug 402727: functions responsible for creating an object leak if subsequent function code produces an error
Bug 402731: pkix_pl_Pk11CertStore_CrlQuery will crash if fails to acquire DP cache.
Bug 406647: libpkix does not use user defined revocation checkers
Bug 407064: pkix_pl_LdapCertStore_BuildCrlList should not fail if a crl fails to be decoded
Bug 421216: libpkix test nss_thread leaks a test certificate
Bug 301259: signtool Usage message is unhelpful
Bug 389781: NSS should be built size-optimized in browser builds on Linux, Windows, and Mac
Bug 90426: use of obsolete typedefs in public NSS headers
Bug 113323: The first argument to PK11_FindCertFromNickname should be const.
Bug 132485: built-in root certs slot description is empty
Bug 177184: NSS_CMSDecoder_Cancel might have a leak
Bug 232392: Erroneous root CA tests in NSS Libraries
Bug 286642: util should be in a shared library
Bug 287052: Function to get CRL Entry reason code has incorrect prototype and implementation
Bug 299308: Need additional APIs in the CRL cache for libpkix
Bug 335039: nssCKFWCryptoOperation_UpdateCombo is not declared
Bug 340917: crlutil should init NSS read-only for some options
Bug 350948: freebl macro change can give 1% improvement in RSA performance on amd64
Bug 352439: Reference leaks in modutil
Bug 369144: certutil needs option to generate SubjectKeyID extension
Bug 391771: pk11_config_name and pk11_config_strings leaked on shutdown
Bug 401194: crash in lg_FindObjects on win64
Bug 405652: In the TLS ClientHello message the gmt_unix_time is incorrect
Bug 424917: Performance regression with studio 12 compiler
Bug 391770: OCSP_Global.monitor is leaked on shutdown
Bug 403687: move pkix functions to certvfypkix.c, turn off EV_TEST_HACK
Bug 428105: CERT_SetOCSPTimeout is not defined in any public header file
Bug 213359: enhance PK12util to extract certs from p12 file
Bug 329067: NSS encodes cert distinguished name attributes with wrong string type
Bug 339906: sec_pkcs12_install_bags passes uninitialized variables to functions
Bug 396484: certutil doesn't truncate existing temporary files when writing them
Bug 251594: Certificate from PKCS#12 file with colon in friendlyName not selectable for signing/encryption
Bug 321584: NSS PKCS12 decoder fails to import bags without nicknames
Bug 332633: remove duplicate header files in nss/cmd/sslsample
Bug 335019: pk12util takes friendly name from key, not cert
Bug 339173: mem leak whenever SECMOD_HANDLE_STRING_ARG called in loop
Bug 353904: klocwork Null ptr deref in secasn1d.c
Bug 366390: correct misleading function names in fipstest
Bug 370536: Memory leaks in pointer tracker code in DEBUG builds only
Bug 372242: CERT_CompareRDN uses incorrect algorithm
Bug 379753: S/MIME should support AES
Bug 381375: ocspclnt doesn't work on Windows
Bug 398693: DER_AsciiToTime produces incorrect output for dates 1950-1970
Bug 420212: Empty cert DNs handled badly, display as !INVALID AVA!
Bug 420979: vfychain ignores -b TIME option when -p option is present
Bug 403563: Implement the TLS session ticket extension (STE)
Bug 400917: Want exported function that outputs all host names for DNS name matching
Bug 315643: test_buildchain_resourcelimits won't build
Bug 353745: klocwork null ptr dereference in PKCS12 decoder
Bug 338367: The GF2M_POPULATE and GFP_POPULATE should check the ecCurve_map array index bounds before use
Bug 201139: SSLTap should display plain text for NULL cipher suites
Bug 233806: Support NIST CRL policy
Bug 279085: NSS tools display public exponent as negative number
Bug 363480: ocspclnt needs option to take cert from specified file
Bug 265715: remove unused hsearch.c DBM code
Bug 337361: Leaks in jar_parse_any (security/nss/lib/jar/jarver.c)
Bug 338453: Leaks in security/nss/lib/jar/jarfile.c
Bug 351408: Leaks in JAR_JAR_sign_archive (security/nss/lib/jar/jarjart.c)
Bug 351443: Remove unused code from mozilla/security/nss/lib/jar
Bug 351510: Remove USE_MOZ_THREAD code from mozilla/security/lib/jar
Bug 118830: NSS public header files should be C++ safe
Bug 123996: certutil -H doesn't document certutil -C -a
Bug 178894: Quick decoder updates for lib/certdb and lib/certhigh
Bug 220115: CKM_INVALID_MECHANISM should be an unsigned long constant.
Bug 330721: Remove OS/2 VACPP compiler support from NSS
Bug 408260: certutil usage doesn't give enough information about trust arguments
Bug 410226: leak in create_objects_from_handles
Bug 415007: PK11_FindCertFromDERSubjectAndNickname is dead code
Bug 416267: compiler warnings on solaris due to extra semicolon in SEC_ASN1_MKSUB
Bug 419763: logger thread should be joined on exit
Bug 424471: counter overflow in bltest
Bug 229335: Remove certificates that expired in August 2004 from tree
Bug 346551: init SECItem derTemp in crmf_encode_popoprivkey
Bug 395080: Double backslash in sysDir filenames causes problems on OS/2
Bug 341371: certutil lacks a way to request a certificate with an existing key
Bug 382292: add support for Camellia to cmd/symkeyutil
Bug 385642: Add additional cert usage(s) for certutil's -V -u option
Bug 175741: strict aliasing bugs in mozilla/dbm
Bug 210584: CERT_AsciiToName doesn't accept all valid values
Bug 298540: vfychain usage option should be improved and documented
Bug 323570: Make dbck Debug mode work with Softoken
Bug 371470: vfychain needs option to verify for specific date
Bug 387621: certutil's random noise generator isn't very efficient
Bug 390185: signtool error message wrongly uses the term database
Bug 391651: Need config.mk file for Windows Vista
Bug 396322: Fix secutil's code and NSS tools that print public keys
Bug 417641: miscellaneous minor NSS bugs
Bug 334914: hopefully useless null check of out it in JAR_find_next
Bug 95323: ckfw should support cipher operations.
Bug 337088: Coverity 405, PK11_ParamToAlgid() in mozilla/security/nss/lib/pk11wrap/pk11mech.c
Bug 339907: oaep_xor_with_h1 allocates and leaks sha1cx
Bug 341122: Coverity 633 SFTK_DestroySlotData uses slot->slotLock then checks it for NULL
Bug 351140: Coverity 995, potential crash in ecgroup_fromNameAndHex
Bug 362278: lib/util includes header files from other NSS directories
Bug 228190: Remove unnecessary NSS_ENABLE_ECC defines from manifest.mn
Bug 412906: remove sha.c and sha.h from lib/freebl
Bug 353543: valgrind uninitialized memory read in nssPKIObjectCollection_AddInstances
Bug 377548: NSS QA test program certutil's default DSA prime is only 512 bits
Bug 333405: item cleanup is unused DEADCODE in SECITEM_AllocItem loser
Bug 288730: compiler warnings in certutil
Bug 337251: warning: /* within comment
Bug 362967: export SECMOD_DeleteModuleEx
Bug 389248: NSS build failure when NSS_ENABLE_ECC is not defined
Bug 390451: Remembered passwords lost when changing Master Password
Bug 418546: reference leak in CERT_PKIXVerifyCert
Bug 390074: OS/2 sign.cmd doesn't find sqlite3.dll
Bug 417392: certutil -L -n reports bogus trust flags

Documentation

For a list of the primary NSS documentation pages on mozilla.org, see NSS Documentation. New and revised documents available since the release of NSS 3.11 include the following:

Compatibility

NSS 3.12 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Feedback

Bugs discovered should be reported by filing a bug report with mozilla.org Bugzilla(product NSS).