Bug 1174102 - Update to NSS 3.19.2, landing NSS_3_19_2_BETA1, r=nss-confcall

security/nss/TAG-INFO

@@ -1 +1 @@
-NSS_3_19_1_RTM
+NSS_3_19_2_BETA1

security/nss/cmd/certutil/certutil.c

@@ -2420,10 +2420,10 @@ certutil_main(int argc, char **argv, PRBool initialize)
     PRFileDesc *outFile         = PR_STDOUT;
     SECItem     certReqDER      = { siBuffer, NULL, 0 };
     SECItem     certDER         = { siBuffer, NULL, 0 };
-    char *      slotname        = "internal";
-    char *      certPrefix      = "";
+    const char *slotname        = "internal";
+    const char *certPrefix      = "";
     char *      sourceDir       = "";
-    char *      srcCertPrefix   = "";
+    const char *srcCertPrefix   = "";
     char *      upgradeID        = "";
     char *      upgradeTokenName     = "";
     KeyType     keytype         = rsaKey;
@@ -2534,7 +2534,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
 	if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
 	    slotname = NULL;
 	else
-	    slotname = PL_strdup(certutil.options[opt_TokenName].arg);
+	    slotname = certutil.options[opt_TokenName].arg;
     }
 
     /*  -Z hash type  */
@@ -2594,7 +2594,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
     /*  -P certdb name prefix */
     if (certutil.options[opt_DBPrefix].activated) {
         if (certutil.options[opt_DBPrefix].arg) {
-            certPrefix = strdup(certutil.options[opt_DBPrefix].arg);
+            certPrefix = certutil.options[opt_DBPrefix].arg;
         } else {
             Usage(progName);
         }
@@ -2603,7 +2603,7 @@ certutil_main(int argc, char **argv, PRBool initialize)
     /*  --source-prefix certdb name prefix */
     if (certutil.options[opt_SourcePrefix].activated) {
         if (certutil.options[opt_SourcePrefix].arg) {
-            srcCertPrefix = strdup(certutil.options[opt_SourcePrefix].arg);
+            srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
         } else {
             Usage(progName);
         }

security/nss/coreconf/coreconf.dep

@@ -10,3 +10,4 @@
  */
 
 #error "Do not include this header file."
+

security/nss/lib/freebl/blapit.h

@@ -138,13 +138,10 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
  * These values come from the initial key size limits from the PKCS #11
  * module. They may be arbitrarily adjusted to any value freebl supports.
  */
-#define RSA_MIN_MODULUS_BITS   512
+#define RSA_MIN_MODULUS_BITS   128
 #define RSA_MAX_MODULUS_BITS 16384
 #define RSA_MAX_EXPONENT_BITS   64
-/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
- * only 1023 bits and similar.  We don't have good data on whether this
- * happens because NSS used to count bit lengths incorrectly. */
-#define DH_MIN_P_BITS	      1023
+#define DH_MIN_P_BITS	       128
 #define DH_MAX_P_BITS        16384
 
 /*
@@ -184,7 +181,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
 
 #define DSA1_Q_BITS      160
 #define DSA_MAX_P_BITS	3072
-#define DSA_MIN_P_BITS  1023
+#define DSA_MIN_P_BITS	 512
 #define DSA_MAX_Q_BITS   256
 #define DSA_MIN_Q_BITS   160
 

security/nss/lib/nss/nss.h

@@ -33,12 +33,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.19.1" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.19.2" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
 #define NSS_VMINOR   19
-#define NSS_VPATCH   1
+#define NSS_VPATCH   2
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_FALSE
+#define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 

security/nss/lib/softoken/softkver.h

@@ -25,11 +25,11 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.19.1" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.19.2" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
 #define SOFTOKEN_VMINOR   19
-#define SOFTOKEN_VPATCH   1
+#define SOFTOKEN_VPATCH   2
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_FALSE
+#define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */

security/nss/lib/ssl/dtlscon.c

@@ -229,7 +229,7 @@ dtls_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff   /* 128k - 1 */
         if (message_length > MAX_HANDSHAKE_MSG_LEN) {
             (void)ssl3_DecodeError(ss);
-            PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+            PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
             return SECFailure;
         }
 #undef MAX_HANDSHAKE_MSG_LEN

security/nss/lib/ssl/ssl3con.c

@@ -6743,7 +6743,7 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	    goto loser;		/* malformed. */
 	}
         dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
-        if (dh_p_bits < DH_MIN_P_BITS) {
+        if (dh_p_bits < SSL_DH_MIN_P_BITS) {
 	    errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
 	    goto alert_loser;
 	}
@@ -10050,15 +10050,15 @@ ssl3_AuthCertificate(sslSocket *ss)
 		SECKEY_PublicKeyStrengthInBits(pubKey);
             pubKeyType = SECKEY_GetPublicKeyType(pubKey);
             /* Too small: not good enough. Send a fatal alert. */
-            /* TODO: Use 1023 for RSA because a higher RSA_MIN_MODULUS_BITS
-             * breaks export cipher suites, not 1024 to be conservative; when
-             * export removed, increase RSA_MIN_MODULUS_BITS and use that. */
             /* We aren't checking EC here on the understanding that we only
              * support curves we like, a decision that might need revisiting. */
             if (((pubKeyType == rsaKey || pubKeyType == rsaPssKey ||
-                  pubKeyType == rsaOaepKey) && ss->sec.authKeyBits < 1023) ||
-                (pubKeyType == dsaKey && ss->sec.authKeyBits < DSA_MIN_P_BITS) ||
-                (pubKeyType == dhKey && ss->sec.authKeyBits < DH_MIN_P_BITS)) {
+                  pubKeyType == rsaOaepKey) &&
+                  ss->sec.authKeyBits < SSL_RSA_MIN_MODULUS_BITS) ||
+                (pubKeyType == dsaKey &&
+                 ss->sec.authKeyBits < SSL_DSA_MIN_P_BITS) ||
+                (pubKeyType == dhKey &&
+                 ss->sec.authKeyBits < SSL_DH_MIN_P_BITS)) {
                 PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);
                 (void)SSL3_SendAlert(ss, alert_fatal,
                                      ss->version >= SSL_LIBRARY_VERSION_TLS_1_0
@@ -10998,7 +10998,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf)
 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff	/* 128k - 1 */
 	    if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
 		(void)ssl3_DecodeError(ss);
-		PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+		PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
 		return SECFailure;
 	    }
 #undef MAX_HANDSHAKE_MSG_LEN

security/nss/lib/ssl/sslimpl.h

@@ -153,6 +153,15 @@ typedef enum { SSLAppOpRead = 0,
 
 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
 
+/* The minimum server key sizes accepted by the clients.
+ * Not 1024 to be conservative. */
+#define SSL_RSA_MIN_MODULUS_BITS 1023
+/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
+ * only 1023 bits and similar.  We don't have good data on whether this
+ * happens because NSS used to count bit lengths incorrectly. */
+#define SSL_DH_MIN_P_BITS 1023
+#define SSL_DSA_MIN_P_BITS 1023
+
 #define INITIAL_DTLS_TIMEOUT_MS   1000  /* Default value from RFC 4347 = 1s*/
 #define MAX_DTLS_TIMEOUT_MS      60000  /* 1 minute */
 #define DTLS_FINISHED_TIMER_MS  120000  /* Time to wait in FINISHED state */

security/nss/lib/util/nssutil.h

@@ -19,12 +19,12 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.19.1"
+#define NSSUTIL_VERSION  "3.19.2 Beta"
 #define NSSUTIL_VMAJOR   3
 #define NSSUTIL_VMINOR   19
-#define NSSUTIL_VPATCH   1
+#define NSSUTIL_VPATCH   2
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_BETA     PR_TRUE
 
 SEC_BEGIN_PROTOS