Bug 1927888 - land NSS NSS_3_107_BETA1 UPGRADE_NSS_RELEASE, r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D229396
John Schanck 2024-11-18 20:02:58 +00:00
parent 3d15470850
commit 2f9dddb161
22 changed files with 333 additions and 460 deletions


@ -13,7 +13,7 @@ system_lib_option(
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.106", when="--with-system-nss", config=False
"NSS", "nss >= 3.107", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")


@ -1 +1 @@
NSS_3_106_RTM
NSS_3_107_BETA1


@ -1 +1 @@
NSS_3_105_BRANCH
NSS_3_106_BRANCH


@ -339,7 +339,7 @@ async function scheduleMac(name, base, args = "") {
let build_base_without_command_symbol = merge(mac_base, {
maxRunTime: 7200,
artifacts: [{
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "public"
}],
@ -409,7 +409,7 @@ async function scheduleLinux(name, overrides, args = "") {
let artifacts_and_kind = {
artifacts: {
public: {
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "/home/worker/artifacts"
}
@ -679,7 +679,7 @@ async function scheduleFuzzing() {
],
artifacts: {
public: {
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "/home/worker/artifacts"
}
@ -786,7 +786,7 @@ async function scheduleFuzzing32() {
],
artifacts: {
public: {
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "/home/worker/artifacts"
}
@ -887,7 +887,7 @@ async function scheduleWindows(name, base, build_script) {
let artifacts_and_kind = {
artifacts: [{
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "public\\build"
}],
@ -1149,7 +1149,7 @@ async function scheduleTools() {
},
artifacts: {
public: {
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "/home/worker/artifacts"
}
@ -1180,7 +1180,7 @@ async function scheduleTools() {
features: ["allowPtrace"],
artifacts: {
public: {
expires: 24 * 7,
expires: 24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7),
type: "directory",
path: "/home/worker/artifacts"
}
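Review bot: The retention expression `24 * (process.env.MOZ_SCM_LEVEL == "3" ? 90 : 7)` is repeated verbatim in all seven artifact blocks of this file (scheduleMac, scheduleLinux, scheduleFuzzing, scheduleFuzzing32, scheduleWindows and twice in scheduleTools), so a later retention change has to be made in seven places and can drift. Hoisting it once, e.g. `const ARTIFACT_EXPIRY = 24 * (process.env.MOZ_SCM_LEVEL === "3" ? 90 : 7);`, and writing `expires: ARTIFACT_EXPIRY` keeps the blocks in step. A short comment on that constant should state that only level "3" gets the longer retention and that an unset or different MOZ_SCM_LEVEL falls back to the 7 value. All of these functions continue outside the hunks shown.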


@ -10,4 +10,3 @@
*/
#error "Do not include this header file."


@ -9,6 +9,7 @@ Releases
:hidden:
nss_3_106.rst
nss_3_105.rst
nss_3_104.rst
nss_3_103.rst
nss_3_102_1.rst


@ -0,0 +1,69 @@
.. _mozilla_projects_nss_nss_3_105_release_notes:
NSS 3.105 release notes
========================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.105 was released on *26 September 2024**.
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_105_RTM. NSS 3.105 requires NSPR 4.35 or newer.
NSS 3.105 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_105_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.105:
`Changes in NSS 3.105 <#changes_in_nss_3.105>`__
------------------------------------------------------------------
.. container::
- Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key
- Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
- Bug 1919577 - set KRML_MUSTINLINE=inline in makefile builds
- Bug 1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
- Bug 1918767 - override default definition of KRML_MUSTINLINE
- Bug 1916525 - libssl support for mlkem768x25519
- Bug 1916524 - support for ML-KEM-768 in softoken and pk11wrap
- Bug 1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
- Bug 1911912 - Avoid misuse of ctype(3) functions
- Bug 1917311 - part 2: run clang-format
- Bug 1917311 - part 1: upgrade to clang-format 13
- Bug 1916953 - clang-format fuzz
- Bug 1910370 - DTLS client message buffer may not empty be on retransmit
- Bug 1916413 - Optionally print config for TLS client and server fuzz target
- Bug 1916059 - Fix some simple documentation issues in NSS.
- Bug 1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr
- Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.105 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).


@ -10,6 +10,7 @@ import dataclasses
import hashlib
import itertools
import os
import random
import re
import subprocess
import sys
@ -18,19 +19,12 @@ import threading
EXTERNAL_PSK = "0x783666676F55306932745A32303354442B394A3271735A7A30714B464B645943"
ECH_CONFIGS = "AEX+DQBBcQAgACDh4IuiuhhInUcKZx5uYcehlG9PQ1ZlzhvVZyjJl7dscQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA="
TSTCLNT_ARGS = [
DEFAULT_TSTCLNT_ARGS = [
"-o", # Override bad server cert. Make it OK.
"-D", # Run without a cert database
"-Q", # Quit after handshake
"-b", # Load the default "builtins" root CA module
"-CCC", # Include PEM format certificate dumps
"--enable-rfc8701-grease",
"--enable-ch-extension-permutation",
"--zlib-certificate-compression",
"-z",
EXTERNAL_PSK,
"-N",
ECH_CONFIGS,
]
NS_CERT_HEADER = "-----BEGIN CERTIFICATE-----"
@ -84,16 +78,64 @@ def parse_tstclnt_output(output):
return hs_data
def get_random_tstclnt_args():
tstclnt_args = []
# Use Encrypted Client Hello with the given Base64-encoded ECHConfigs.
if random.randint(0, 1):
tstclnt_args += ["-N", ECH_CONFIGS]
# Configure a TLS 1.3 External PSK with the given hex string for a key.
if random.randint(0, 1):
tstclnt_args += ["-z", EXTERNAL_PSK]
# Enable the session ticket extension.
if random.randint(0, 1):
tstclnt_args += ["-u"]
# Enable the signed_certificate_timestamp extension.
if random.randint(0, 1):
tstclnt_args += ["-U"]
# Enable the delegated credentials extension.
if random.randint(0, 1):
tstclnt_args += ["-B"]
# Enable the extended master secret extension [RFC7627].
if random.randint(0, 1):
tstclnt_args += ["-G"]
# Allow 0-RTT data (TLS 1.3 only).
if random.randint(0, 1):
tstclnt_args += ["-Z"]
# Enable middlebox compatibility mode (TLS 1.3 only).
if random.randint(0, 1):
tstclnt_args += ["-e"]
if random.randint(0, 1):
tstclnt_args += ["--enable-rfc8701-grease"]
if random.randint(0, 1):
tstclnt_args += ["--enable-ch-extension-permutation"]
if random.randint(0, 1):
tstclnt_args += ["--zlib-certificate-compression"]
return tstclnt_args
def brrrrr(hosts, args):
tstclnt_bin = os.path.join(args.nss_build, "bin/tstclnt")
ld_libary_path = os.path.join(args.nss_build, "lib")
for host in hosts:
tstclnt_args = get_random_tstclnt_args()
try:
result = subprocess.run([
"strace", "-f", "-x", "-s", "65535", "-e", "trace=network",
tstclnt_bin, "-h", host
] + TSTCLNT_ARGS,
] + DEFAULT_TSTCLNT_ARGS + tstclnt_args,
env={
"LD_LIBRARY_PATH": ld_libary_path,
},
@ -130,10 +172,11 @@ def main():
parser = argparse.ArgumentParser()
parser.add_argument("--nss-build",
required=True,
type=str,
help="e.g. /path/to/dist/Debug")
parser.add_argument("--hosts", required=True)
parser.add_argument("--hosts", required=True, type=str)
parser.add_argument("--threads", required=True, type=int)
parser.add_argument("--output", required=True)
parser.add_argument("--output", required=True, type=str)
args = parser.parse_args()
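Review bot: get_random_tstclnt_args() draws every flag from the unseeded global `random` generator, and nothing in the visible part of brrrrr() records which flags were passed for a host, so a handshake that fails or produces an unexpected result cannot be re-run with the same tstclnt configuration. Storing `tstclnt_args` alongside the parsed handshake data, or accepting a `--seed` argument and calling `random.seed(args.seed)` in main(), would make a run reproducible. The last three options (`--enable-rfc8701-grease`, `--enable-ch-extension-permutation`, `--zlib-certificate-compression`) are also the only ones without a comment line. brrrrr() and main() continue outside the hunks, so the output may already capture the arguments there.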


@ -916,4 +916,42 @@ INSTANTIATE_TEST_SUITE_P(DatagramReorder13, TlsReorderDatagram13,
INSTANTIATE_TEST_SUITE_P(DatagramFragment13, TlsFragmentationAndRecoveryTest,
::testing::Values(true, false));
class FirstDropThenKeepHandshakeFilter : public TlsHandshakeFilter {
public:
FirstDropThenKeepHandshakeFilter(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a) {}
virtual PacketFilter::Action FilterHandshake(
const TlsHandshakeFilter::HandshakeHeader& header,
const DataBuffer& input, DataBuffer* output) {
if (enabled) {
return KEEP;
} else {
enabled = true;
return DROP;
}
}
private:
bool enabled = false;
};
// This test is responsible for checking that when DTLS fragments the message,
// the hanshake will be successfully reconstructed, but if one of handshakes
// was dropped, they are not going to be glued all together.
// See: https://bugzilla.mozilla.org/show_bug.cgi?id=1874451
TEST_F(TlsConnectDatagram13, PreviousHandshakeRemovedWhenDropped) {
EnsureTlsSetup();
static const std::vector<SSLNamedGroup> client_groups = {
ssl_grp_ec_secp384r1, ssl_grp_ec_secp521r1, ssl_grp_ec_curve25519};
client_->ConfigNamedGroups(client_groups);
// Ensure that the message is indeed longer than the MTU we install.
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 2));
SSLInt_SetMTU(client_->ssl_fd(), 150);
auto filter = MakeTlsFilter<FirstDropThenKeepHandshakeFilter>(client_);
Connect();
}
} // namespace nss_test
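Review bot: PreviousHandshakeRemovedWhenDropped only checks that Connect() succeeds; `filter` is never inspected, so the test would also pass if the filter never saw, and therefore never dropped, a handshake message. Exposing the state, e.g. `bool dropped() const { return enabled; }`, and adding `EXPECT_TRUE(filter->dropped());` after Connect() would tie the result to the drop path. FilterHandshake should be marked `override` rather than bare `virtual`, and the member would match the trailing-underscore style of `client_` and read more clearly as `dropped_first_`, since it is set once the first message has been dropped.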


@ -43,6 +43,21 @@ TEST_F(TlsConnectTest, GatherExcessiveV3Record) {
2000);
}
TEST_P(TlsConnectDatagram, DtlsGatherCIDRecord) {
TlsRecordHeader cidRecordHeader(ssl_variant_datagram, version_, 0x30, 0);
DataBuffer buffer = DataBuffer(10);
TlsRecord cidRecord = {cidRecordHeader, buffer};
EnsureTlsSetup();
Connect();
client_->SendRecordDirect(cidRecord);
// CIDs are not supported, invalid records in DTLS should be silently
// discarded.
server_->WaitForErrorCode(0, 1000);
client_->WaitForErrorCode(0, 1000);
}
// Gather a 3-byte v2 header, with a fragment length of 2.
TEST_F(GatherV2ClientHelloTest, GatherV2RecordLongHeader) {
DataBuffer buffer;
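Review bot: DtlsGatherCIDRecord stops after the two `WaitForErrorCode(0, 1000)` calls, so it shows that no error code was raised but not that the association is still usable after the unsupported record was discarded. Adding `SendReceive();` as the last statement would confirm that application data still flows in both directions. The content type `0x30` is a bare literal; a comment naming what it encodes (presumably the DTLS 1.3 unified-header pattern with the connection-ID bit set, to be confirmed) would make the intent of the record clear.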


@ -643,7 +643,6 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord(
preceding_fragment_.Assign(handshake);
continue;
}
preceding_fragment_.Truncate(0);
DataBuffer filtered;
PacketFilter::Action action;
@ -653,6 +652,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord(
action = FilterHandshake(header, handshake, &filtered);
}
if (action == DROP) {
preceding_fragment_.Truncate(0);
changed = true;
std::cerr << "handshake drop: " << handshake << std::endl;
continue;
@ -669,6 +669,7 @@ PacketFilter::Action TlsHandshakeFilter::FilterRecord(
changed = true;
}
preceding_fragment_.Truncate(0);
offset = header.Write(output, offset, *source);
}
output->Truncate(offset);
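Review bot: The `preceding_fragment_.Truncate(0);` calls on the DROP branch and just before `header.Write` carry no comment saying why the buffer now has to outlive the FilterHandshake call, which appears to be the reason the call was moved out of the first hunk. A one-line comment at each site, e.g. `// Discard the buffered fragment only once this message is dropped or written out`, would keep a later cleanup from merging them back into one early call. Any other `continue` or early return between the fragment check and `header.Write` would now leave the fragment in place; none is visible in these hunks, but FilterRecord continues outside them.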


@ -51,11 +51,6 @@ TEST_P(TlsKeyExchangeTest, Tls12ClientMlkem768x25519NotSupported) {
}
TEST_P(TlsKeyExchangeTest13, Tls12ServerMlkem768x25519NotSupported) {
if (variant_ == ssl_variant_datagram) {
/* Bug 1874451 - reenable this test */
return;
}
EnsureKeyShareSetup();
client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2,
@ -137,10 +132,6 @@ static void CheckECDHShareReuse(
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) {
if (variant_ == ssl_variant_datagram) {
/* Bug 1874451 - reenable this test */
return;
}
EnsureKeyShareSetup();
ConfigNamedGroups({ssl_grp_kem_mlkem768x25519, ssl_grp_ec_curve25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));
@ -153,10 +144,6 @@ TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseFirst) {
}
TEST_P(TlsKeyExchangeTest13, Mlkem768x25519ShareReuseSecond) {
if (variant_ == ssl_variant_datagram) {
/* Bug 1874451 - reenable this test */
return;
}
EnsureKeyShareSetup();
ConfigNamedGroups({ssl_grp_ec_curve25519, ssl_grp_kem_mlkem768x25519});
EXPECT_EQ(SECSuccess, SSL_SendAdditionalKeyShares(client_->ssl_fd(), 1));


@ -323,7 +323,10 @@ CKA_VALUE MULTILINE_OCTAL
\174\136\232\166\351\131\220\305\174\203\065\021\145\121
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Entrust.net Premium 2048 Secure Server CA"
@ -627,7 +630,10 @@ CKA_VALUE MULTILINE_OCTAL
\036\177\132\264\074
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Entrust Root Certification Authority"
@ -3808,140 +3814,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "SecureSign RootCA11"
#
# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
# Serial Number: 1 (0x1)
# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
# Not Valid Before: Wed Apr 08 04:56:47 2009
# Not Valid After : Sun Apr 08 04:56:47 2029
# Fingerprint (SHA-256): BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12
# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SecureSign RootCA11"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040
\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145
\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032
\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147
\156\040\122\157\157\164\103\101\061\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040
\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145
\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032
\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147
\156\040\122\157\157\164\103\101\061\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\155\060\202\002\125\240\003\002\001\002\002\001\001
\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061\053
\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040\103
\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145\162
\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032\006
\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147\156
\040\122\157\157\164\103\101\061\061\060\036\027\015\060\071\060
\064\060\070\060\064\065\066\064\067\132\027\015\062\071\060\064
\060\070\060\064\065\066\064\067\132\060\130\061\013\060\011\006
\003\125\004\006\023\002\112\120\061\053\060\051\006\003\125\004
\012\023\042\112\141\160\141\156\040\103\145\162\164\151\146\151
\143\141\164\151\157\156\040\123\145\162\166\151\143\145\163\054
\040\111\156\143\056\061\034\060\032\006\003\125\004\003\023\023
\123\145\143\165\162\145\123\151\147\156\040\122\157\157\164\103
\101\061\061\060\202\001\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012\002
\202\001\001\000\375\167\252\245\034\220\005\073\313\114\233\063
\213\132\024\105\244\347\220\026\321\337\127\322\041\020\244\027
\375\337\254\326\037\247\344\333\174\367\354\337\270\003\332\224
\130\375\135\162\174\214\077\137\001\147\164\025\226\343\002\074
\207\333\256\313\001\216\302\363\146\306\205\105\364\002\306\072
\265\142\262\257\372\234\277\244\346\324\200\060\230\363\015\266
\223\217\251\324\330\066\362\260\374\212\312\054\241\025\063\225
\061\332\300\033\362\356\142\231\206\143\077\277\335\223\052\203
\250\166\271\023\037\267\316\116\102\205\217\042\347\056\032\362
\225\011\262\005\265\104\116\167\241\040\275\251\362\116\012\175
\120\255\365\005\015\105\117\106\161\375\050\076\123\373\004\330
\055\327\145\035\112\033\372\317\073\260\061\232\065\156\310\213
\006\323\000\221\362\224\010\145\114\261\064\006\000\172\211\342
\360\307\003\131\317\325\326\350\247\062\263\346\230\100\206\305
\315\047\022\213\314\173\316\267\021\074\142\140\007\043\076\053
\100\156\224\200\011\155\266\263\157\167\157\065\010\120\373\002
\207\305\076\211\002\003\001\000\001\243\102\060\100\060\035\006
\003\125\035\016\004\026\004\024\133\370\115\117\262\245\206\324
\072\322\361\143\232\240\276\011\366\127\267\336\060\016\006\003
\125\035\017\001\001\377\004\004\003\002\001\006\060\017\006\003
\125\035\023\001\001\377\004\005\060\003\001\001\377\060\015\006
\011\052\206\110\206\367\015\001\001\005\005\000\003\202\001\001
\000\240\241\070\026\146\056\247\126\037\041\234\006\372\035\355
\271\042\305\070\046\330\116\117\354\243\177\171\336\106\041\241
\207\167\217\007\010\232\262\244\305\257\017\062\230\013\174\146
\051\266\233\175\045\122\111\103\253\114\056\053\156\172\160\257
\026\016\343\002\154\373\102\346\030\235\105\330\125\310\350\073
\335\347\341\364\056\013\034\064\134\154\130\112\373\214\210\120
\137\225\034\277\355\253\042\265\145\263\205\272\236\017\270\255
\345\172\033\212\120\072\035\275\015\274\173\124\120\013\271\102
\257\125\240\030\201\255\145\231\357\276\344\234\277\304\205\253
\101\262\124\157\334\045\315\355\170\342\216\014\215\011\111\335
\143\173\132\151\226\002\041\250\275\122\131\351\175\065\313\310
\122\312\177\201\376\331\153\323\367\021\355\045\337\370\347\371
\244\372\162\227\204\123\015\245\320\062\030\121\166\131\024\154
\017\353\354\137\200\214\165\103\203\303\205\230\377\114\236\055
\015\344\167\203\223\116\265\226\007\213\050\023\233\214\031\215
\101\047\111\100\356\336\346\043\104\071\334\241\042\326\272\003
\362
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "SecureSign RootCA11"
# Issuer: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
# Serial Number: 1 (0x1)
# Subject: CN=SecureSign RootCA11,O="Japan Certification Services, Inc.",C=JP
# Not Valid Before: Wed Apr 08 04:56:47 2009
# Not Valid After : Sun Apr 08 04:56:47 2029
# Fingerprint (SHA-256): BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12
# Fingerprint (SHA1): 3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "SecureSign RootCA11"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\073\304\237\110\370\363\163\240\234\036\275\370\133\261\303\145
\307\330\021\263
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\267\122\164\342\222\264\200\223\362\165\344\314\327\362\352\046
END
CKA_ISSUER MULTILINE_OCTAL
\060\130\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\053\060\051\006\003\125\004\012\023\042\112\141\160\141\156\040
\103\145\162\164\151\146\151\143\141\164\151\157\156\040\123\145
\162\166\151\143\145\163\054\040\111\156\143\056\061\034\060\032
\006\003\125\004\003\023\023\123\145\143\165\162\145\123\151\147
\156\040\122\157\157\164\103\101\061\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Microsec e-Szigno Root CA 2009"
#
@ -4939,7 +4811,10 @@ CKA_VALUE MULTILINE_OCTAL
\007\072\027\144\265\004\265\043\041\231\012\225\073\227\174\357
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "AffirmTrust Commercial"
@ -5067,7 +4942,10 @@ CKA_VALUE MULTILINE_OCTAL
\355\132\000\124\205\034\026\066\222\014\134\372\246\255\277\333
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "AffirmTrust Networking"
@ -5227,7 +5105,10 @@ CKA_VALUE MULTILINE_OCTAL
\051\340\266\270\011\150\031\034\030\103
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "AffirmTrust Premium"
@ -5335,7 +5216,10 @@ CKA_VALUE MULTILINE_OCTAL
\214\171
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "AffirmTrust Premium ECC"
@ -10269,7 +10153,10 @@ CKA_VALUE MULTILINE_OCTAL
\105\366
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Entrust Root Certification Authority - G2"
@ -10416,7 +10303,10 @@ CKA_VALUE MULTILINE_OCTAL
\231\267\046\101\133\045\140\256\320\110\032\356\006
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
# For Server Distrust After: Sat Nov 30 23:59:59 2024
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\062\063\065\071\065\071\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Entrust Root Certification Authority - EC1"
@ -15014,7 +14904,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\021\000\331\265\103\177\257\251\071\017\000\000\000\000\125
\145\255\130
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@ -21228,173 +21118,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Security Communication RootCA3"
#
# Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP
# Serial Number:00:e1:7c:37:40:fd:1b:fe:67
# Subject: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP
# Not Valid Before: Thu Jun 16 06:17:16 2016
# Not Valid After : Mon Jan 18 06:17:16 2038
# Fingerprint (SHA-256): 24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94
# Fingerprint (SHA1): C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication RootCA3"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023
\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023
\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\011\000\341\174\067\100\375\033\376\147
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\177\060\202\003\147\240\003\002\001\002\002\011\000
\341\174\067\100\375\033\376\147\060\015\006\011\052\206\110\206
\367\015\001\001\014\005\000\060\135\061\013\060\011\006\003\125
\004\006\023\002\112\120\061\045\060\043\006\003\125\004\012\023
\034\123\105\103\117\115\040\124\162\165\163\164\040\123\171\163
\164\145\155\163\040\103\117\056\054\114\124\104\056\061\047\060
\045\006\003\125\004\003\023\036\123\145\143\165\162\151\164\171
\040\103\157\155\155\165\156\151\143\141\164\151\157\156\040\122
\157\157\164\103\101\063\060\036\027\015\061\066\060\066\061\066
\060\066\061\067\061\066\132\027\015\063\070\060\061\061\070\060
\066\061\067\061\066\132\060\135\061\013\060\011\006\003\125\004
\006\023\002\112\120\061\045\060\043\006\003\125\004\012\023\034
\123\105\103\117\115\040\124\162\165\163\164\040\123\171\163\164
\145\155\163\040\103\117\056\054\114\124\104\056\061\047\060\045
\006\003\125\004\003\023\036\123\145\143\165\162\151\164\171\040
\103\157\155\155\165\156\151\143\141\164\151\157\156\040\122\157
\157\164\103\101\063\060\202\002\042\060\015\006\011\052\206\110
\206\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002
\012\002\202\002\001\000\343\311\162\111\367\060\336\011\174\251
\100\201\130\323\264\072\335\272\141\017\223\120\156\151\074\065
\302\356\133\163\220\033\147\114\041\354\137\065\273\071\076\053
\012\140\357\273\155\053\206\373\161\242\310\254\344\126\224\371
\311\257\261\162\324\040\254\164\322\270\025\255\121\376\205\164
\241\271\020\376\005\200\371\122\223\263\100\075\165\020\254\300
\226\267\247\176\166\274\343\033\122\031\316\021\037\013\004\064
\365\330\365\151\074\167\363\144\364\015\252\205\336\340\011\120
\004\027\226\204\267\310\212\274\115\162\374\034\273\317\363\006
\115\371\237\144\367\176\246\146\206\065\161\310\021\200\114\301
\161\100\130\036\276\240\163\366\374\076\120\341\340\057\046\075
\176\134\043\265\171\160\336\372\340\321\245\326\014\101\161\173
\367\352\214\034\210\307\354\213\365\321\057\125\226\106\174\132
\073\130\073\373\272\330\055\265\045\332\172\116\317\104\256\041
\246\236\230\312\040\156\174\273\210\205\133\373\300\020\142\273
\362\371\047\107\357\321\211\071\103\304\337\336\341\101\277\124
\163\040\227\055\154\332\363\324\007\243\346\271\330\157\256\374
\214\031\056\323\147\147\053\225\333\130\134\265\152\002\363\270
\203\136\264\153\276\101\176\127\011\165\104\120\125\315\132\021
\141\041\012\141\302\251\210\375\023\274\055\211\057\315\141\340
\225\276\312\265\173\341\173\064\147\013\037\266\014\307\174\036
\031\123\312\247\261\112\025\040\126\024\160\075\053\202\054\017
\235\025\035\107\200\107\377\170\231\016\061\257\157\076\217\355
\206\151\036\173\030\210\024\262\302\374\202\063\056\234\113\055
\373\160\073\161\252\053\173\046\047\363\032\302\334\373\027\270
\241\352\313\240\264\256\323\224\176\172\320\253\303\354\070\055
\021\056\210\277\324\077\255\022\073\102\254\217\002\156\175\314
\321\137\141\276\241\274\072\152\110\352\046\125\042\026\135\137
\015\377\047\063\237\030\003\164\212\133\122\040\107\153\105\115
\042\167\214\125\047\360\257\036\214\311\203\042\124\267\232\320
\117\331\316\374\331\056\034\226\050\261\002\323\003\275\045\122
\034\064\146\117\043\253\364\167\202\226\035\321\127\060\010\021
\005\375\127\321\331\307\002\003\001\000\001\243\102\060\100\060
\035\006\003\125\035\016\004\026\004\024\144\024\174\374\130\162
\026\246\012\051\064\025\157\052\313\274\374\257\250\253\060\016
\006\003\125\035\017\001\001\377\004\004\003\002\001\006\060\017
\006\003\125\035\023\001\001\377\004\005\060\003\001\001\377\060
\015\006\011\052\206\110\206\367\015\001\001\014\005\000\003\202
\002\001\000\334\002\043\010\342\357\041\072\307\015\267\046\322
\142\223\247\245\043\162\007\040\202\140\337\030\327\124\255\151
\045\222\236\331\024\317\231\271\122\201\317\256\154\212\073\132
\071\310\154\001\103\302\042\155\002\360\142\315\116\143\103\300
\024\332\364\143\360\352\364\161\356\116\207\343\161\251\364\311
\127\345\056\137\034\171\273\043\252\207\104\127\351\275\065\115
\101\273\113\050\243\230\262\033\331\013\027\007\345\367\352\235
\365\166\327\277\304\266\201\130\377\310\377\144\151\142\171\255
\156\016\037\177\356\035\151\345\267\162\161\263\376\245\001\065
\224\124\053\300\122\155\217\125\304\311\322\270\313\312\064\010
\121\205\240\365\274\264\027\130\352\012\134\172\275\143\306\072
\057\377\226\111\031\204\352\147\330\004\261\141\364\000\133\112
\267\234\161\067\031\205\171\277\201\260\307\023\016\166\161\076
\072\200\006\256\006\026\247\215\265\302\304\313\377\100\245\134
\215\245\311\072\355\162\201\312\134\230\074\322\064\003\167\010
\375\360\051\131\135\041\010\307\140\277\244\161\173\270\331\036
\202\276\011\257\145\157\050\253\277\113\265\356\076\010\107\047
\240\017\157\017\213\077\254\225\030\363\271\016\334\147\125\156
\142\236\106\016\321\004\170\312\162\256\166\331\245\370\262\337
\210\011\141\213\357\044\116\321\131\077\132\324\075\311\223\074
\053\144\365\201\015\026\226\367\222\303\376\061\157\350\052\062
\164\016\364\114\230\112\030\016\060\124\325\305\353\274\305\025
\236\350\231\041\353\047\053\011\012\333\361\346\160\030\126\273
\014\344\276\371\350\020\244\023\222\270\034\340\333\147\035\123
\003\244\042\247\334\135\222\020\074\352\377\374\033\020\032\303
\330\320\234\235\145\313\320\053\047\061\003\036\066\341\075\166
\165\014\377\105\046\271\335\121\274\043\307\137\330\330\207\020
\100\022\015\075\070\067\347\104\074\030\300\123\011\144\217\377
\325\232\246\174\160\056\163\125\041\350\337\377\203\271\035\076
\062\036\326\246\175\054\361\146\351\134\035\247\243\316\136\045
\062\053\343\225\254\052\007\316\264\050\170\206\074\055\246\235
\115\322\164\060\335\144\121\025\333\203\203\121\327\257\375\063
\235\115\146
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Security Communication RootCA3"
# Issuer: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP
# Serial Number:00:e1:7c:37:40:fd:1b:fe:67
# Subject: CN=Security Communication RootCA3,O="SECOM Trust Systems CO.,LTD.",C=JP
# Not Valid Before: Thu Jun 16 06:17:16 2016
# Not Valid After : Mon Jan 18 06:17:16 2038
# Fingerprint (SHA-256): 24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94
# Fingerprint (SHA1): C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Security Communication RootCA3"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\303\003\310\042\164\222\345\141\242\234\137\171\221\053\036\104
\023\221\060\072
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\034\232\026\377\236\134\340\115\212\024\001\364\065\135\051\046
END
CKA_ISSUER MULTILINE_OCTAL
\060\135\061\013\060\011\006\003\125\004\006\023\002\112\120\061
\045\060\043\006\003\125\004\012\023\034\123\105\103\117\115\040
\124\162\165\163\164\040\123\171\163\164\145\155\163\040\103\117
\056\054\114\124\104\056\061\047\060\045\006\003\125\004\003\023
\036\123\145\143\165\162\151\164\171\040\103\157\155\155\165\156
\151\143\141\164\151\157\156\040\122\157\157\164\103\101\063
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\011\000\341\174\067\100\375\033\376\147
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Security Communication ECC RootCA1"
#
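Review bot: The hunk at `@ -15014` changes a CKA_TRUST_SERVER_AUTH line between CKT_NSS_TRUSTED_DELEGATOR and CKT_NSS_MUST_VERIFY_TRUST with no label in view, so the root that appears to lose its server-authentication trust bit cannot be identified from this page; its `# Trust for "…"` header sits above the hunk. That entry should be confirmed against the corresponding root-store change request, in the same way the two removed roots (SecureSign RootCA11 and Security Communication RootCA3) can be checked against the fingerprints shown. The eight CKA_NSS_SERVER_DISTRUST_AFTER values are consistent with their comments: the octal bytes decode to `241130235959Z`.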


@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 70
#define NSS_BUILTINS_LIBRARY_VERSION "2.70"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 72
#define NSS_BUILTINS_LIBRARY_VERSION "2.72"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -359,6 +359,7 @@ create_object(
* in it should not hold references to the token.
*/
(void)nssToken_Destroy(object->token);
object->token = NULL;
rvCachedObject->object = object;
rvCachedObject->attributes = nss_ZNEWARRAY(arena, CK_ATTRIBUTE, numTypes);
if (!rvCachedObject->attributes) {
@ -577,9 +578,9 @@ get_token_objects_for_cache(
} else {
PRUint32 j;
for (j = 0; j < i; j++) {
/* Any token references that were removed in successful loop iterations
* need to be restored before we call nssCryptokiObjectArray_Destroy */
nssToken_AddRef(cache->objects[objectType][j]->object->token);
/* create_object() allocates an arena into
* cache->objects[objectType][j]->arena on success.
*/
nssArena_Destroy(cache->objects[objectType][j]->arena);
}
nss_ZFreeIf(cache->objects[objectType]);
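Review bot: The added `object->token = NULL;` in create_object() carries no comment saying what it protects against, and the routine that later destroys these objects is outside the hunk, so it is not visible here whether that routine tolerates a NULL token. That matters because the failure path in get_token_objects_for_cache() no longer re-adds the token references before teardown, so any remaining cleanup would see objects whose token pointer has been cleared. I would extend the existing comment with `/* Clear the pointer so a later destroy cannot release the token reference a second time. */` and confirm the destroy routine checks for NULL before releasing. Both functions start and end outside the hunks.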


@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.106" _NSS_CUSTOMIZED
#define NSS_VERSION "3.107" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 106
#define NSS_VMINOR 107
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED


@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.106" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.107" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 106
#define SOFTOKEN_VMINOR 107
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */


@ -358,7 +358,6 @@ dtls_GatherData(sslSocket *ss, sslGather *gs, int flags)
* no alert is sent [RFC6347, Section 4.1.2.7].
*/
if (contentType & 0x10) {
PORT_Assert(PR_FALSE);
PORT_SetError(SSL_ERROR_RX_UNKNOWN_RECORD_TYPE);
gs->dtlsPacketOffset = 0;
gs->dtlsPacket.len = 0;


@ -14,7 +14,6 @@
#include "sslimpl.h"
#include "sslproto.h"
static int ssl_isInited = 0;
static PRCallOnceType ssl_init = { 0 };
PR_STATIC_ASSERT(sizeof(unsigned long) <= sizeof(PRUint64));
@ -57,18 +56,11 @@ ssl_InitCallOnce(void *arg)
SECStatus
ssl_Init(void)
{
PRStatus nrv;
/* short circuit test if we are already inited */
if (!ssl_isInited) {
int error;
/* only do this once at init time, block all others until we are done */
nrv = PR_CallOnceWithArg(&ssl_init, ssl_InitCallOnce, &error);
if (nrv != PR_SUCCESS) {
PORT_SetError(error);
return SECFailure;
}
ssl_isInited = 1;
int error;
PRStatus nrv = PR_CallOnceWithArg(&ssl_init, ssl_InitCallOnce, &error);
if (nrv != PR_SUCCESS) {
PORT_SetError(error);
return SECFailure;
}
return SECSuccess;
}
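Review bot: `int error;` in ssl_Init() is never initialised in this function, yet it is passed to `PORT_SetError(error)` on the failure path. PR_CallOnceWithArg() runs ssl_InitCallOnce only on the first call and afterwards returns the recorded status, so a second ssl_Init() after a failed first one would report an indeterminate value. Whether ssl_InitCallOnce writes `*arg` on every failure path is also not visible in this hunk. Initialising the variable, e.g. `int error = SEC_ERROR_LIBRARY_FAILURE;`, gives callers a defined error code in both cases.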


@ -124,6 +124,8 @@ sslSessionIDLookupFunc ssl_sid_lookup;
static PRDescIdentity ssl_layer_id;
static PRCallOnceType ssl_setDefaultsFromEnvironment = { 0 };
PRBool locksEverDisabled; /* implicitly PR_FALSE */
PRBool ssl_force_locks; /* implicitly PR_FALSE */
int ssl_lock_readers = 1; /* default true. */
@ -205,6 +207,7 @@ PR_STATIC_ASSERT(SSL_NAMED_GROUP_COUNT == PR_ARRAY_SIZE(ssl_named_groups));
/* forward declarations. */
static sslSocket *ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant variant);
static SECStatus ssl_MakeLocks(sslSocket *ss);
static PRStatus ssl_SetDefaultsFromEnvironmentCallOnce(void);
static void ssl_SetDefaultsFromEnvironment(void);
static PRStatus ssl_PushIOLayer(sslSocket *ns, PRFileDesc *stack,
PRDescIdentity id);
@ -3908,92 +3911,94 @@ loser:
#define LOWER(x) (x | 0x20) /* cheap ToLower function ignores LOCALE */
static PRStatus
ssl_SetDefaultsFromEnvironmentCallOnce(void)
{
#if defined(NSS_HAVE_GETENV)
char *ev;
#ifdef DEBUG
ssl_trace_iob = NULL;
ev = PR_GetEnvSecure("SSLDEBUGFILE");
if (ev && ev[0]) {
ssl_trace_iob = fopen(ev, "w");
}
if (!ssl_trace_iob) {
ssl_trace_iob = stderr;
}
#ifdef TRACE
ev = PR_GetEnvSecure("SSLTRACE");
if (ev && ev[0]) {
ssl_trace = atoi(ev);
SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
}
#endif /* TRACE */
ev = PR_GetEnvSecure("SSLDEBUG");
if (ev && ev[0]) {
ssl_debug = atoi(ev);
SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
}
#endif /* DEBUG */
#ifdef NSS_ALLOW_SSLKEYLOGFILE
ssl_keylog_iob = NULL;
ev = PR_GetEnvSecure("SSLKEYLOGFILE");
if (ev && ev[0]) {
ssl_keylog_iob = fopen(ev, "a");
if (!ssl_keylog_iob) {
SSL_TRACE(("SSL: failed to open key log file"));
} else {
if (ftell(ssl_keylog_iob) == 0) {
fputs("# SSL/TLS secrets log file, generated by NSS\n",
ssl_keylog_iob);
}
SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
ssl_keylog_lock = PR_NewLock();
if (!ssl_keylog_lock) {
SSL_TRACE(("SSL: failed to create key log lock"));
fclose(ssl_keylog_iob);
ssl_keylog_iob = NULL;
}
}
}
#endif
ev = PR_GetEnvSecure("SSLFORCELOCKS");
if (ev && ev[0] == '1') {
ssl_force_locks = PR_TRUE;
ssl_defaults.noLocks = 0;
strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. ");
SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
}
ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION");
if (ev) {
if (ev[0] == '1' || LOWER(ev[0]) == 'u')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
else if (ev[0] == '3' || LOWER(ev[0]) == 't')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
SSL_TRACE(("SSL: enableRenegotiation set to %d",
ssl_defaults.enableRenegotiation));
}
ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
if (ev && ev[0] == '1') {
ssl_defaults.requireSafeNegotiation = PR_TRUE;
SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
PR_TRUE));
}
ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV");
if (ev && ev[0] == '0') {
ssl_defaults.cbcRandomIV = PR_FALSE;
SSL_TRACE(("SSL: cbcRandomIV set to 0"));
}
#endif /* NSS_HAVE_GETENV */
return PR_SUCCESS;
}
static void
ssl_SetDefaultsFromEnvironment(void)
{
#if defined(NSS_HAVE_GETENV)
static int firsttime = 1;
if (firsttime) {
char *ev;
firsttime = 0;
#ifdef DEBUG
ssl_trace_iob = NULL;
ev = PR_GetEnvSecure("SSLDEBUGFILE");
if (ev && ev[0]) {
ssl_trace_iob = fopen(ev, "w");
}
if (!ssl_trace_iob) {
ssl_trace_iob = stderr;
}
#ifdef TRACE
ev = PR_GetEnvSecure("SSLTRACE");
if (ev && ev[0]) {
ssl_trace = atoi(ev);
SSL_TRACE(("SSL: tracing set to %d", ssl_trace));
}
#endif /* TRACE */
ev = PR_GetEnvSecure("SSLDEBUG");
if (ev && ev[0]) {
ssl_debug = atoi(ev);
SSL_TRACE(("SSL: debugging set to %d", ssl_debug));
}
#endif /* DEBUG */
#ifdef NSS_ALLOW_SSLKEYLOGFILE
ssl_keylog_iob = NULL;
ev = PR_GetEnvSecure("SSLKEYLOGFILE");
if (ev && ev[0]) {
ssl_keylog_iob = fopen(ev, "a");
if (!ssl_keylog_iob) {
SSL_TRACE(("SSL: failed to open key log file"));
} else {
if (ftell(ssl_keylog_iob) == 0) {
fputs("# SSL/TLS secrets log file, generated by NSS\n",
ssl_keylog_iob);
}
SSL_TRACE(("SSL: logging SSL/TLS secrets to %s", ev));
ssl_keylog_lock = PR_NewLock();
if (!ssl_keylog_lock) {
SSL_TRACE(("SSL: failed to create key log lock"));
fclose(ssl_keylog_iob);
ssl_keylog_iob = NULL;
}
}
}
#endif
ev = PR_GetEnvSecure("SSLFORCELOCKS");
if (ev && ev[0] == '1') {
ssl_force_locks = PR_TRUE;
ssl_defaults.noLocks = 0;
strcpy(lockStatus + LOCKSTATUS_OFFSET, "FORCED. ");
SSL_TRACE(("SSL: force_locks set to %d", ssl_force_locks));
}
ev = PR_GetEnvSecure("NSS_SSL_ENABLE_RENEGOTIATION");
if (ev) {
if (ev[0] == '1' || LOWER(ev[0]) == 'u')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_UNRESTRICTED;
else if (ev[0] == '0' || LOWER(ev[0]) == 'n')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_NEVER;
else if (ev[0] == '2' || LOWER(ev[0]) == 'r')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN;
else if (ev[0] == '3' || LOWER(ev[0]) == 't')
ssl_defaults.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL;
SSL_TRACE(("SSL: enableRenegotiation set to %d",
ssl_defaults.enableRenegotiation));
}
ev = PR_GetEnvSecure("NSS_SSL_REQUIRE_SAFE_NEGOTIATION");
if (ev && ev[0] == '1') {
ssl_defaults.requireSafeNegotiation = PR_TRUE;
SSL_TRACE(("SSL: requireSafeNegotiation set to %d",
PR_TRUE));
}
ev = PR_GetEnvSecure("NSS_SSL_CBC_RANDOM_IV");
if (ev && ev[0] == '0') {
ssl_defaults.cbcRandomIV = PR_FALSE;
SSL_TRACE(("SSL: cbcRandomIV set to 0"));
}
}
#endif /* NSS_HAVE_GETENV */
PR_CallOnce(&ssl_setDefaultsFromEnvironment, ssl_SetDefaultsFromEnvironmentCallOnce);
}
const sslNamedGroupDef *
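Review bot: The once-control variable `ssl_setDefaultsFromEnvironment` differs from the wrapper function `ssl_SetDefaultsFromEnvironment` only in the case of one letter, which makes the `PR_CallOnce(&ssl_setDefaultsFromEnvironment, ...)` line easy to misread. A name such as `ssl_setDefaultsFromEnvironmentOnce` would keep the two apart. The callback also writes process-wide state (`ssl_defaults`, `ssl_trace_iob`, `ssl_keylog_iob`, `ssl_keylog_lock`, `lockStatus`) without taking a lock, so it deserves a header comment such as `/* Must only be invoked through PR_CallOnce: reads the environment and sets process-wide SSL defaults without locking. */`. The PR_CallOnce result is dropped silently; since the callback always returns PR_SUCCESS, a `(void)` cast would mark that as intentional.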


@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.106"
#define NSSUTIL_VERSION "3.107 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 106
#define NSSUTIL_VMINOR 107
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS


@ -544,21 +544,21 @@ tools_p12_import_pbmac1_samples()
echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
ret=$?
html_msg $ret 19 "Fail to list private key with bad iterator"
html_msg $ret 17 "Fail to list private key with bad iterator"
check_tmpfile
echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
ret=$?
echo "Fail to list private key with bad salt val=$ret"
html_msg $ret 19 "Fail to import private key with bad salt"
html_msg $ret 17 "Fail to import private key with bad salt"
check_tmpfile
echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
ret=$?
echo "Fail to import private key with no length val=$ret"
html_msg $ret 19 "Fail to import private key with no length"
html_msg $ret 17 "Fail to import private key with no length"
check_tmpfile
}