Closed Bug 145836 Opened 22 years ago Closed 22 years ago

NSS bug fixes for Mozilla

Categories

(SeaMonkey :: General, defect, P1)

Product:
SeaMonkey
Component:
General
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: wtc, Assigned: wtc)

References

Details

(Keywords: topembed+) 

We have several NSS bug fixes that missed the Mozilla 1.0 cut-off
date but should be checked into Mozilla 1.0 branch as soon as
possible.

The bug fixes are listed below.

Certificate Management

- Bug 138626: Deleted certs delivered by PK11_ListCerts.  Blocks PSM bug
  129067.
- Bug 142868: CA certificates are imported with NULL nicknames.
- Bug 128586: Can't restore cert exported by IE.
- Bug 133643: Unable to import P12 file.
- Bug 135871: NSS 3.4 RC2 crashes when CERT_VerifyCertNow is called.
- Bug 136279: NSS 3.4 RC2 cannot see CA certs on Builtin Object Token.
- Bug 141936: Crash in NSS searching for certificates with zero length
  nicknames.
- Bug 137645: Cached public certificate does not get its nickname updated
  after P12 import of matching user certificate.


Leaks of NSS Object References

- Bug 133584: SECMOD_DestroyModule fails during NSS_Shutdown.  This blocks
  switching user profiles.  See also: bug 135339, bug 135340, bug 135058,
  bug 135069, bug 135808, bug 135809, bug 135818, bug 135821, bug 135052.

Smartcard

- Bug 137172: have to explicitly log into smartcard to use its certs.
- Bug 135429: redesign smart card cache.
- Bug 135521: redesign token searching and object creation in Stan code.


Robustness

- Bug 140474: PK11_FindCertsFromNickname may cause an assertion failure in
  nssList_GetArray.
- Bug 145128: a typo error in sec_pkcs5_rc4(), lib/softoken/lowpbe.c
- Bug 133397: Bug in SECMOD_UpdateModule.
- Bug 144309: STAN_GetCERTCertificate return value not checked.

Performance

- Bug 126087: Hot lock (PK11SymKey->refLock)
Status: NEW → ASSIGNED
QA Contact: imajes-qa → junruh
Target Milestone: --- → mozilla1.0.1
adding the nsbeta1+ and topembed keywords, and [adt2 RTM], as per conversations
with the ADT team today.
Keywords: nsbeta1+, topembed
Whiteboard: [adt2 RTM]
Keywords: mozilla1.0.1
Priority: -- → P1
I missed one bug.

Certificate Management

- Bug 141355: Importing Certs which already exist in the database
  may cause acrash.
Kai produced two test builds for QA (John and Charles).

The test builds are under /u/kaie:
20020522-linux-100-nss35.tar.gz
20020522-win32-100-nss35.zip

The test builds consist of
- 1.0.0 branch build
- NSS_3_5_BRANCH
- patches to PSM
  - bug 143532
  - bug 129067
  - bug 125561
Keywords: topembedtopembed+
Testing today and tomorrow.  Should have results by the end of Friday, the 24th.
 Hopefully checkin can proceed on Monday or over the weekend.
Charles, John, can you report the results of testing the NSS3.5 branch build?
Keywords: adt1.0.1
Blocks: 125561
Blocks: 143532
Blocks: 129067
The test build underwent three days of testing on Mac, Win2k, and Linux7.3.  All
said, there are no regressions that are noteworthy, and the overall build is
much more stable than before.

Original status specific to this bug below:
---------
Bugs Verified fixed in test build:
138626

128586 - Still get bogus error if wrong password entered ('unknown reasons'). 
But if correct passwords entered, .p12,.pfx files (with and without chains) are
imported successfully.  Which leads to a strange situation when importing a cert
signed by verisign without the CA chain.  The chain is not rebuilt even though
it could be so the cert shows up as unverifiable and there is no way to edit the
trust settings on the cert directly.

133643 - same as above, except once I did see an error message about
corruption,incorrect passwords.  From then on it was for unknown reasons
whenever I tested a negative condition.

135871 - Slightly impaired from the CA side due to 137874 needing to move to
branch, but users, other people, and servers (see doublecheck) all work without
problems, so I would assume the CA import will work as well.

137645 - Import works.  Delete has a caveat (correct behavior)  After importing
the user cert, the cert still remains in the 'other peoples' tab.  Deleting the
cert from either tab (dual key - encryption cert or dual use cert) removes it
from the other.  Kind of disconcerting when I removed the cert from 'other
peoples' tab and found it missing from the user cert tab.  perhaps the delete
code should remove the peer attribute instead of yanking the cert?

133584 - I verified that the certificate/key databases indeed switch while quick
launch is running and I swap between four different user profiles.

137172 - If not logged in, there is now a login prompt.  Note I used a fresh
load of the activcard module.
133397 - checked my code tree
145128 - checked my code tree
144309 - Xref'd LXR and spot checked files
141355

143532 - It disables, but it never reenables(?) until after client restart

129067 - deletes refresh.

125561 - related to 133584.  Verified client auth, ssl, and s/mime all function
while quick launch is running.

142868

Not Applicable to client:
136279

Not verified:
141936 - client code has error handling to avoid this.  looked at the patches -
look correct anyway.
135429 - Partially verified.  
135521
126087
We now need to land this on the branch so that we can open the gate to migrate
corresponding PSM fixes that have some dependencies on NSS3.5.
After one day of testing I have not found any regressions using kaie's test 
build on Win2000, Mac OSX or Linux.
Can you verify that all these bugs are fixed in the test build?
or rather, on the trunk?
Peter, because the trunk also changes often, we decided that we wanted to test
our changes as good as possible. The best test of our intended changes is using
a special test build, that uses the changes we are intending to land on the
branch, in combination with what is currently on the branch.

Because of that, we have done the extra work of producing such special test builds.

By using that special builds instead of the trunk, we can be sure that our test
results can not be influenced by other regressions that might or might have not
occurred on the trunk.

Marked the bug fixed because all the bugs listed in
this tracking bug have been fixed on the Mozilla trunk
(NSS_CLIENT_TAG).

Removed the target Mozilla version (1.0.1) from the
bug's summary to avoid confusion.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Summary: NSS bug fixes for Mozilla 1.0.1 → NSS bug fixes for Mozilla
We actually already verified these on the trunk.  We went through the additional
QA on the test build to ensure that it did not regress the branch.
Depends on: 135052, 135058, 135069, 135339, 135340, 135808, 135809, 135818, 135821
Removing nsbeta1+/[adt2 RTM] as this is a meta tracking bug.
Whiteboard: [adt2 RTM]
I made a mistake.  Bug 128586 is already fixed in mozilla1.0.0.
It should be removed from this list of bugs that need 1.0.1
approvals.
No longer depends on: 128586
Blocks: 143047
Keywords: adt1.0.1
Verified.
Status: RESOLVED → VERIFIED
please land in the mozilla1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
I checked in these NSS bug fixes on the MOZILLA_1_0_BRANCH today.
Keywords: mozilla1.0.1+fixed1.0.1
Verified on branch.
Keywords: fixed1.0.1verified1.0.1
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.