Bug 738458 - Upgrade Mozilla to NSS 3.13.5 - starting with BETA1, r=wtc

2012-04-27 01:47:19 +02:00 · 2012-04-27 01:47:19 +02:00 · b60bdce8f8
--- a/security/coreconf/coreconf.dep
+++ b/security/coreconf/coreconf.dep
@ -43,3 +43,4 @@

 #error "Do not include this header file."

+
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_13_4_RTM
+NSS_3_13_5_BETA1
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@ -1 +1 @@
-NSS_3_13_4_RTM
+NSS_3_13_5_BETA1
--- a/security/nss/lib/certhigh/certvfy.c
+++ b/security/nss/lib/certhigh/certvfy.c
@ -96,7 +96,7 @@ CERT_VerifySignedDataWithPublicKey(CERTSignedData *sd,
 	rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
 	if (rv == SECSuccess && 
 	    !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
-	    PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	    PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
 	    rv = SECFailure;
 	}
    }
@ -496,7 +496,10 @@ cert_VerifyCertChainOld(CERTCertDBHandle *handle, CERTCertificate *cert,
 		    PORT_SetError(SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE);
 		    LOG_ERROR_OR_EXIT(log,issuerCert,count+1,0);
 		} else {
-		    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    if (PORT_GetError() !=
+			SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
+			PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+		    }
 		    LOG_ERROR_OR_EXIT(log,subjectCert,count,0);
 		}
 	    }
--- a/security/nss/lib/libpkix/include/pkix_errorstrings.h
+++ b/security/nss/lib/libpkix/include/pkix_errorstrings.h
@ -997,7 +997,7 @@ PKIX_ERRORENTRY(SETPOLICIESFAILED,Fail to set cert validation policies,0),
 PKIX_ERRORENTRY(SHUTDOWNFAILED,PKIX_PL_Shutdown failed,0),
 PKIX_ERRORENTRY(SIGNATURECHECKERINITIALIZEFAILED,pkix_SignatureChecker_Initialize failed,0),
 PKIX_ERRORENTRY(SIGNATURECHECKERSTATECREATEFAILED,pkix_SignatureCheckerState_Create failed,0),
-PKIX_ERRORENTRY(SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY,Signature did not verify with the public key,SEC_ERROR_BAD_SIGNATURE),
+PKIX_ERRORENTRY(SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY,Signature did not verify with the public key,0),
 PKIX_ERRORENTRY(SINGLEPOLICYNODEEQUALSFAILED,PKIX_PL_SinglePolicyNode_Equals failed,0),
 PKIX_ERRORENTRY(SINGLEPOLICYNODEHASHCODEFAILED,pkix_SinglePolicyNode_Hashcode failed,0),
 PKIX_ERRORENTRY(SINGLEPOLICYNODETOSTRINGFAILED,pkix_SinglePolicyNode_ToString failed,0),
@ -1100,7 +1100,7 @@ PKIX_ERRORENTRY(VALIDATEPARAMSGETPROCESSINGPARAMSFAILED,PKIX_ValidateParams_GetP
 PKIX_ERRORENTRY(VALIDATERESULTCREATEFAILED,pkix_ValidateResult_Create failed,0),
 PKIX_ERRORENTRY(VALIDATERESULTGETPOLICYTREEFAILED,PKIX_ValidateResult_GetPolicyTree failed,0),
 PKIX_ERRORENTRY(VALIDATERESULTGETTRUSTANCHORFAILED,PKIX_ValidateResult_GetTrustAnchor failed,0),
-PKIX_ERRORENTRY(VALIDATIONFAILEDCERTSIGNATURECHECKING,Validation failed: Cert Signature checking,SEC_ERROR_BAD_SIGNATURE),
+PKIX_ERRORENTRY(VALIDATIONFAILEDCERTSIGNATURECHECKING,Validation failed: Cert Signature checking,0),
 PKIX_ERRORENTRY(VALIDATIONFAILEDNULLCERTPOINTER,Validation failed: NULL Cert pointer,0),
 PKIX_ERRORENTRY(VALIDATIONFAILEDPATHTONAMECHECKFAILED,Validation failed: PathToName check failed,SEC_ERROR_CERT_NOT_IN_NAME_SPACE),
 PKIX_ERRORENTRY(VALUEINESCAPEDASCII,value in EscapedASCII,0),
--- a/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c
+++ b/security/nss/lib/libpkix/pkix/checker/pkix_signaturechecker.c
@ -245,7 +245,6 @@ pkix_SignatureChecker_Check(
                        certVerified = PKIX_TRUE;
                } else {
                        certVerified = PKIX_FALSE;
-                        PKIX_DECREF(verifyFail);
                }
        }

@ -292,6 +291,7 @@ pkix_SignatureChecker_Check(
                                plContext),
                                PKIX_LISTGETITEMFAILED);

+                        PKIX_DECREF(verifyFail);
                        verifyFail = PKIX_PL_Cert_VerifySignature
                                (cert, pKey, plContext);

@ -300,7 +300,6 @@ pkix_SignatureChecker_Check(
                                break;
                        } else {
                                certVerified = PKIX_FALSE;
-                                PKIX_DECREF(verifyFail);
                        }

                        PKIX_DECREF(pKey);
@ -309,6 +308,8 @@ pkix_SignatureChecker_Check(
 #endif

        if (certVerified == PKIX_FALSE) {
+                pkixErrorResult = verifyFail;
+                verifyFail = NULL;
                PKIX_ERROR(PKIX_VALIDATIONFAILEDCERTSIGNATURECHECKING);
        }

--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
@ -2889,6 +2889,9 @@ PKIX_PL_Cert_VerifySignature(
        status = CERT_VerifySignedDataWithPublicKey(tbsCert, nssPubKey, wincx);

        if (status != SECSuccess) {
+                if (PORT_GetError() != SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) {
+                        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+                }
                PKIX_ERROR(PKIX_SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY);
        }

--- a/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_crl.c
@ -1043,6 +1043,7 @@ PKIX_PL_CRL_VerifySignature(
        status = CERT_VerifySignedDataWithPublicKey(tbsCrl, nssPubKey, wincx);

        if (status != SECSuccess) {
+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
                PKIX_ERROR(PKIX_SIGNATUREDIDNOTVERIFYWITHTHEPUBLICKEY);
        }

--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -36,7 +36,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.92.2.1 2012/04/06 15:20:43 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.92.2.2 2012/04/24 01:22:22 kaie%kuix.de Exp $ */

 #ifndef __nss_h_
 #define __nss_h_
@ -66,12 +66,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION  "3.13.4.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.13.5.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   13
-#define NSS_VPATCH   4
+#define NSS_VPATCH   5
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_FALSE
+#define NSS_BETA     PR_TRUE

 #ifndef RC_INVOKED

--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -57,11 +57,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION  "3.13.4.0" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.13.5.0" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   13
-#define SOFTOKEN_VPATCH   4
+#define SOFTOKEN_VPATCH   5
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_FALSE
+#define SOFTOKEN_BETA     PR_TRUE

 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@ -36,7 +36,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: derive.c,v 1.13 2011/03/22 22:15:22 alexei.volkov.bugs%sun.com Exp $ */
+/* $Id: derive.c,v 1.13.2.2 2012/04/20 00:37:53 emaldona%redhat.com Exp $ */

 #include "ssl.h" 	/* prereq to sslimpl.h */
 #include "certt.h"	/* prereq to sslimpl.h */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.167 2012/03/06 02:23:25 wtc%google.com Exp $ */
+/* $Id: ssl3con.c,v 1.167.2.2 2012/04/20 00:37:53 emaldona%redhat.com Exp $ */

 #include "cert.h"
 #include "ssl.h"
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@ -41,7 +41,7 @@
 * ***** END LICENSE BLOCK ***** */

 /* TLS extension code moved here from ssl3ecc.c */
-/* $Id: ssl3ext.c,v 1.22 2012/03/12 19:14:12 wtc%google.com Exp $ */
+/* $Id: ssl3ext.c,v 1.22.2.2 2012/04/20 00:37:53 emaldona%redhat.com Exp $ */

 #include "nssrenam.h"
 #include "nss.h"
--- a/security/nss/lib/ssl/sslsock.c
+++ b/security/nss/lib/ssl/sslsock.c
@ -40,7 +40,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: sslsock.c,v 1.82.2.1 2012/03/31 23:16:38 wtc%google.com Exp $ */
+/* $Id: sslsock.c,v 1.82.2.3 2012/04/20 00:37:53 emaldona%redhat.com Exp $ */
 #include "seccomon.h"
 #include "cert.h"
 #include "keyhi.h"
--- a/security/nss/lib/util/SECerrs.h
+++ b/security/nss/lib/util/SECerrs.h
@ -573,3 +573,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR,        		(SEC_ERROR_BASE + 174),

 ER3(SEC_ERROR_BAD_CRL_DP_URL,			(SEC_ERROR_BASE + 175),
 "Invalid or unsupported URL in CRL distribution point name.")
+
+ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,	(SEC_ERROR_BASE + 176),
+"The certificate was signed using an signature algorithm that is disabled because it is not secure.")
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -51,12 +51,12 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION  "3.13.4.0"
+#define NSSUTIL_VERSION  "3.13.5.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   13
-#define NSSUTIL_VPATCH   4
+#define NSSUTIL_VPATCH   5
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_BETA     PR_TRUE

 SEC_BEGIN_PROTOS

--- a/security/nss/lib/util/secerr.h
+++ b/security/nss/lib/util/secerr.h
@ -236,6 +236,8 @@ SEC_ERROR_UNKNOWN_PKCS11_ERROR             =	(SEC_ERROR_BASE + 174),

 SEC_ERROR_BAD_CRL_DP_URL                   =	(SEC_ERROR_BASE + 175),

+SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED =    (SEC_ERROR_BASE + 176),
+
 /* Add new error codes above here. */
 SEC_ERROR_END_OF_LIST 
 } SECErrorCodes;
				`@ -43,3 +43,4 @@`

				`#error "Do not include this header file."`