Bug 728617, Update Mozilla to NSS 3.13.3, r=rrelyea

2012-02-22 11:02:38 +01:00 · 2012-02-22 11:02:38 +01:00 · bbb9a8c4a4
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@ -1 +1 @@
-NSS_3_13_2_RTM
+NSS_3_13_3_RTM
--- a/security/nss/TAG-INFO-CKBI
+++ b/security/nss/TAG-INFO-CKBI
@ -0,0 +1 @@
+NSS_3_13_3_RTM
--- a/security/nss/lib/certhigh/certvfypkix.c
+++ b/security/nss/lib/certhigh/certvfypkix.c
@ -859,7 +859,7 @@ cert_PkixErrorToNssCode(
    void *plContext)
 {
    int errLevel = 0;
-    PKIX_UInt32 nssErr = 0;
+    PKIX_Int32 nssErr = 0;
    PKIX_Error *errPtr = error;

    PKIX_ENTER(CERTVFYPKIX, "cert_PkixErrorToNssCode");
--- a/security/nss/lib/ckfw/builtins/certdata.c
+++ b/security/nss/lib/ckfw/builtins/certdata.c
@ -35,7 +35,7 @@
 *
 * ***** END LICENSE BLOCK ***** */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.84 $ $Date: 2012/01/17 22:02:37 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.84 $ $Date: 2012/01/17 22:02:37 $";
+static const char CVS_ID[] = "@(#) $RCSfile: certdata.c,v $ $Revision: 1.85 $ $Date: 2012/02/18 21:41:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.85 $ $Date: 2012/02/18 21:41:45 $";
 #endif /* DEBUG */

 #ifndef BUILTINS_H
@ -1075,6 +1075,12 @@ static const CK_ATTRIBUTE_TYPE nss_builtins_types_338 [] = {
 static const CK_ATTRIBUTE_TYPE nss_builtins_types_339 [] = {
 CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_CERT_SHA1_HASH,  CKA_CERT_MD5_HASH,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
 };
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_340 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
+static const CK_ATTRIBUTE_TYPE nss_builtins_types_341 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL,  CKA_ISSUER,  CKA_SERIAL_NUMBER,  CKA_TRUST_SERVER_AUTH,  CKA_TRUST_EMAIL_PROTECTION,  CKA_TRUST_CODE_SIGNING,  CKA_TRUST_STEP_UP_APPROVED
+};
 #ifdef DEBUG
 static const NSSItem nss_builtins_items_0 [] = {
  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
@ -1083,7 +1089,7 @@ static const NSSItem nss_builtins_items_0 [] = {
  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
  { (void *)"CVS ID", (PRUint32)7 },
  { (void *)"NSS", (PRUint32)4 },
-  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.84 $ $Date: 2012/01/17 22:02:37 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.84 $ $Date: 2012/01/17 22:02:37 $", (PRUint32)160 }
+  { (void *)"@(#) $RCSfile: certdata.c,v $ $Revision: 1.85 $ $Date: 2012/02/18 21:41:45 $""; @(#) $RCSfile: certdata.c,v $ $Revision: 1.85 $ $Date: 2012/02/18 21:41:45 $", (PRUint32)160 }
 };
 #endif /* DEBUG */
 static const NSSItem nss_builtins_items_1 [] = {
@ -22713,6 +22719,56 @@ static const NSSItem nss_builtins_items_339 [] = {
  { (void *)&ckt_nss_trusted_delegator, (PRUint32)sizeof(CK_TRUST) },
  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
 };
+static const NSSItem nss_builtins_items_340 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"MITM subCA 1 issued by Trustwave", (PRUint32)33 },
+  { (void *)"\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156"
+"\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150"
+"\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030"
+"\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156"
+"\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004"
+"\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147"
+"\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156"
+"\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060"
+"\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141"
+"\100\164\162\165\163\164\167\141\166\145\056\143\157\155"
+, (PRUint32)174 },
+  { (void *)"\002\004\153\111\322\005"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};
+static const NSSItem nss_builtins_items_341 [] = {
+  { (void *)&cko_nss_trust, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"MITM subCA 2 issued by Trustwave", (PRUint32)33 },
+  { (void *)"\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123"
+"\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156"
+"\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150"
+"\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030"
+"\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156"
+"\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004"
+"\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147"
+"\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156"
+"\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060"
+"\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141"
+"\100\164\162\165\163\164\167\141\166\145\056\143\157\155"
+, (PRUint32)174 },
+  { (void *)"\002\004\153\111\322\006"
+, (PRUint32)6 },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ckt_nss_not_trusted, (PRUint32)sizeof(CK_TRUST) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) }
+};

 builtinsInternalObject
 nss_builtins_data[] = {
@ -23057,11 +23113,13 @@ nss_builtins_data[] = {
  { 11, nss_builtins_types_336, nss_builtins_items_336, {NULL} },
  { 13, nss_builtins_types_337, nss_builtins_items_337, {NULL} },
  { 11, nss_builtins_types_338, nss_builtins_items_338, {NULL} },
-  { 13, nss_builtins_types_339, nss_builtins_items_339, {NULL} }
+  { 13, nss_builtins_types_339, nss_builtins_items_339, {NULL} },
+  { 11, nss_builtins_types_340, nss_builtins_items_340, {NULL} },
+  { 11, nss_builtins_types_341, nss_builtins_items_341, {NULL} }
 };
 const PRUint32
 #ifdef DEBUG
-  nss_builtins_nObjects = 339+1;
+  nss_builtins_nObjects = 341+1;
 #else
-  nss_builtins_nObjects = 339;
+  nss_builtins_nObjects = 341;
 #endif /* DEBUG */
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@ -34,7 +34,7 @@
 # the terms of any one of the MPL, the GPL or the LGPL.
 #
 # ***** END LICENSE BLOCK *****
-CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.81 $ $Date: 2012/01/17 22:02:37 $"
+CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.82 $ $Date: 2012/02/18 21:41:46 $"

 #
 # certdata.txt
@ -23413,3 +23413,65 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+# Serial Number: 1800000005 (0x6b49d205)
+# Not Before: Apr  7 15:37:15 2011 GMT
+# Not After : Apr  4 15:37:15 2021 GMT
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\153\111\322\005
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
+# Serial Number: 1800000006 (0x6b49d206)
+# Not Before: Apr 18 21:09:30 2011 GMT
+# Not After : Apr 15 21:09:30 2021 GMT
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
+CKA_ISSUER MULTILINE_OCTAL
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\004\153\111\322\006
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
--- a/security/nss/lib/ckfw/builtins/nssckbi.h
+++ b/security/nss/lib/ckfw/builtins/nssckbi.h
@ -77,8 +77,8 @@
 * of the comment in the CK_VERSION type definition.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 89
-#define NSS_BUILTINS_LIBRARY_VERSION "1.89"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 90
+#define NSS_BUILTINS_LIBRARY_VERSION "1.90"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
--- a/security/nss/lib/libpkix/pkix/util/pkix_error.c
+++ b/security/nss/lib/libpkix/pkix/util/pkix_error.c
@ -60,7 +60,7 @@ const char * const PKIX_ErrorText[] =

 #endif /* PKIX_ERROR_DESCRIPTION */

-extern const int PKIX_PLErrorIndex[];
+extern const PKIX_Int32 PKIX_PLErrorIndex[];

 /* --Private-Functions-------------------------------------------- */

--- a/security/nss/lib/libpkix/pkix/util/pkix_error.h
+++ b/security/nss/lib/libpkix/pkix/util/pkix_error.h
@ -53,7 +53,7 @@ extern "C" {
 struct PKIX_ErrorStruct {
        PKIX_ERRORCODE errCode;
        PKIX_ERRORCLASS errClass;  /* was formerly "code" */
-        PKIX_UInt32 plErr;
+        PKIX_Int32 plErr;
        PKIX_Error *cause;
        PKIX_PL_Object *info;
 };
--- a/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_error.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_error.c
@ -47,7 +47,7 @@

 #define PKIX_ERRORENTRY(name,desc,plerr) plerr

-const SECErrorCodes PKIX_PLErrorIndex[] =
+const PKIX_Int32 PKIX_PLErrorIndex[] =
 {
 #include "pkix_errorstrings.h"
 };
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@ -36,7 +36,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: nss.h,v 1.89 2012/02/15 21:56:55 kaie%kuix.de Exp $ */
+/* $Id: nss.h,v 1.91 2012/02/18 23:22:43 kaie%kuix.de Exp $ */

 #ifndef __nss_h_
 #define __nss_h_
@ -66,11 +66,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define NSS_VERSION  "3.13.2.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.13.3.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   13
-#define NSS_VPATCH   2
-#define NSS_VBUILD   1
+#define NSS_VPATCH   3
+#define NSS_VBUILD   0
 #define NSS_BETA     PR_FALSE

 #ifndef RC_INVOKED
--- a/security/nss/lib/pkcs12/p12d.c
+++ b/security/nss/lib/pkcs12/p12d.c
@ -931,7 +931,7 @@ sec_pkcs12_decode_start_asafes_cinfo(SEC_PKCS12DecoderContext *p12dcx)
 	goto loser;
    }
  
-    /* open the temp file for writing, if the filter functions were set */ 
+    /* open the temp file for writing, if the digest functions were set */ 
    if(p12dcx->dOpen && (*p12dcx->dOpen)(p12dcx->dArg, PR_FALSE) 
 				!= SECSuccess) {
 	p12dcx->errorValue = PORT_GetError();
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@ -35,7 +35,7 @@
 * ***** END LICENSE BLOCK ***** */

 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.105 $ $Date: 2011/11/17 00:20:21 $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.106 $ $Date: 2012/02/17 22:44:56 $";
 #endif /* DEBUG */

 /*
@ -768,6 +768,22 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
    if (context) {
 	/* trust */
 	nssTrust = nssCryptoContext_FindTrustForCertificate(context, c);
+	if (!nssTrust) {
+	    /* chicken and egg issue:
+	     *
+	     * c->issuer and c->serial are empty at this point, but
+	     * nssTrustDomain_FindTrustForCertificate use them to look up
+	     * up the trust object, so we point them to cc->derIssuer and
+	     * cc->serialNumber.
+	     *
+	     * Our caller will fill these in with proper arena copies when we
+	     * return. */
+	    c->issuer.data = cc->derIssuer.data;
+	    c->issuer.size = cc->derIssuer.len;
+	    c->serial.data = cc->serialNumber.data;
+	    c->serial.size = cc->serialNumber.len;
+	    nssTrust = nssTrustDomain_FindTrustForCertificate(context->td, c);
+	}
 	if (nssTrust) {
            trust = cert_trust_from_stan_trust(nssTrust, cc->arena);
            if (trust) {
--- a/security/nss/lib/softoken/secmodt.h
+++ b/security/nss/lib/softoken/secmodt.h
@ -42,15 +42,19 @@
 #include "secasn1.h"
 #include "pkcs11t.h"

+SEC_BEGIN_PROTOS
+
 /* find a better home for these... */
 extern const SEC_ASN1Template SECKEY_PointerToEncryptedPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToEncryptedPrivateKeyInfoTemplate;
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToEncryptedPrivateKeyInfoTemplate)
 extern const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate;
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_EncryptedPrivateKeyInfoTemplate)
 extern const SEC_ASN1Template SECKEY_PrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PrivateKeyInfoTemplate;
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PrivateKeyInfoTemplate)
 extern const SEC_ASN1Template SECKEY_PointerToPrivateKeyInfoTemplate[];
-extern SEC_ASN1TemplateChooser NSS_Get_SECKEY_PointerToPrivateKeyInfoTemplate;
+SEC_ASN1_CHOOSER_DECLARE(SECKEY_PointerToPrivateKeyInfoTemplate)
+
+SEC_END_PROTOS

 /* PKCS11 needs to be included */
 typedef struct SECMODModuleStr SECMODModule;
--- a/security/nss/lib/softoken/sftkmod.c
+++ b/security/nss/lib/softoken/sftkmod.c
@ -54,6 +54,7 @@
 #include "prprf.h" 
 #include "prsystem.h"
 #include "lgglue.h"
+#include "secerr.h"
 #include "secmodt.h"
 #if defined (_WIN32)
 #include <io.h>
@ -562,6 +563,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName,
    PRBool found = PR_FALSE;

    if (dbname == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
    }

@ -570,6 +572,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, const char *appName,
    }

    if (!rw) {
+	PORT_SetError(SEC_ERROR_READ_ONLY);
 	return SECFailure;
    }

@ -689,6 +692,7 @@ sftkdb_AddSecmodDB(SDBType dbType, const char *appName,
    PRBool libFound = PR_FALSE;

    if (dbname == NULL) {
+	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
    }

@ -698,6 +702,7 @@ sftkdb_AddSecmodDB(SDBType dbType, const char *appName,

    /* can't write to a read only module */
    if (!rw) {
+	PORT_SetError(SEC_ERROR_READ_ONLY);
 	return SECFailure;
    }

--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@ -57,11 +57,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
 */
-#define SOFTOKEN_VERSION  "3.13.2.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.13.3.0" SOFTOKEN_ECC_STRING
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   13
-#define SOFTOKEN_VPATCH   2
-#define SOFTOKEN_VBUILD   1
+#define SOFTOKEN_VPATCH   3
+#define SOFTOKEN_VBUILD   0
 #define SOFTOKEN_BETA     PR_FALSE

 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@ -39,7 +39,7 @@
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.163 2012/02/15 21:52:08 kaie%kuix.de Exp $ */
+/* $Id: ssl3con.c,v 1.164 2012/02/17 09:50:04 kaie%kuix.de Exp $ */

 #include "cert.h"
 #include "ssl.h"
@ -4363,6 +4363,12 @@ getWrappingKey( sslSocket *       ss,
    SECStatus                rv;
    SECItem                  wrappedKey;
    SSLWrappedSymWrappingKey wswk;
+#ifdef NSS_ENABLE_ECC
+    PK11SymKey *      Ks = NULL;
+    SECKEYPublicKey   *pubWrapKey = NULL;
+    SECKEYPrivateKey  *privWrapKey = NULL;
+    ECCWrappedKeyInfo *ecWrapped;
+#endif /* NSS_ENABLE_ECC */

    svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
    PORT_Assert(svrPrivKey != NULL);
@ -4439,13 +4445,6 @@ getWrappingKey( sslSocket *       ss,

    /* wrap symmetric wrapping key in server's public key. */
    switch (exchKeyType) {
-#ifdef NSS_ENABLE_ECC
-    PK11SymKey *      Ks = NULL;
-    SECKEYPublicKey   *pubWrapKey = NULL;
-    SECKEYPrivateKey  *privWrapKey = NULL;
-    ECCWrappedKeyInfo *ecWrapped;
-#endif /* NSS_ENABLE_ECC */
-
    case kt_rsa:
 	asymWrapMechanism = CKM_RSA_PKCS;
 	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@ -51,11 +51,11 @@
 * The format of the version string should be
 *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
 */
-#define NSSUTIL_VERSION  "3.13.2.1"
+#define NSSUTIL_VERSION  "3.13.3.0"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   13
-#define NSSUTIL_VPATCH   2
-#define NSSUTIL_VBUILD   1
+#define NSSUTIL_VPATCH   3
+#define NSSUTIL_VBUILD   0
 #define NSSUTIL_BETA     PR_FALSE

 SEC_BEGIN_PROTOS