Up to [cvs.NetBSD.org] / pkgsrc / devel / nss
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
nss: update to 3.107. - Bug 1923038 - Remove MPI fuzz targets. - Bug 1925512 - Remove globals `lockStatus` and `locksEverDisabled`. - Bug 1919015 - Enable PKCS8 fuzz target. - Bug 1923037 - Integrate Cryptofuzz in CI. - Bug 1913677 - Part 2: Set tls server target socket options in config class. - Bug 1913677 - Part 1: Set tls client target socket options in config class. - Bug 1913680 - Support building with thread sanitizer. - Bug 1922392 - set nssckbi version number to 2.72. - Bug 1919913 - remove Websites Trust Bit from Entrust Root Certification Authority - G4. - Bug 1920641 - remove Security Communication RootCA3 root cert. - Bug 1918559 - remove SecureSign RootCA11 root cert. - Bug 1922387 - Add distrust-after for TLS to Entrust Roots. - Bug 1927096 - update expected error code in pk12util pbmac1 tests. - Bug 1929041 - Use random tstclnt args with handshake collection script. - Bug 1920466 - Remove extraneous assert in ssl3gthr.c. - Bug 1928402 - Adding missing release notes for NSS_3_105. - Bug 1874451 - Enable the disabled mlkem tests for dtls. - Bug 1874451 - NSS gtests filter cleans up the constucted buffer before the use. - Bug 1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe. - Bug 1925503 - Remove short circuit test from ssl_Init.
*: recursive bump for icu 76 shlib major version bump
*: revbump for icu downgrade
*: recursive bump for icu 76.1 shlib bump
nss: update to 3.106. Changes: - Bug 1925975 - NSS 3.106 should be distributed with NSPR 4.36. - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. - Bug 1899402 - Correctly destroy bulkkey in error scenario. - Bug 1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers. - Bug 1923002 - Extract certificates with handshake collection script. - Bug 1923006 - Specify len_control for fuzz targets. - Bug 1923280 - Fix memory leak in dumpCertificatePEM. - Bug 1102981 - Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. - Bug 1921528 - add new error codes to mozilla::pkix for Firefox to use. - Bug 1921768 - allow null phKey in NSC_DeriveKey. - Bug 1921801 - Only create seed corpus zip from existing corpus. - Bug 1826035 - Use explicit allowlist for for KDF PRFS. - Bug 1920138 - Increase optimization level for fuzz builds. - Bug 1920470 - Remove incorrect assert. - Bug 1914870 - Use libFuzzer options from fuzz/options/\*.options in CI. - Bug 1920945 - Polish corpus collection for automation. - Bug 1917572 - Detect new and unfuzzed SSL options. - Bug 1804646 - PKCS12 fuzzing target.
nss: update to 3.105. Bug 1915792 - Allow importing PKCS#8 private EC keys missing public key Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c Bug 1919577 - set KRML_MUSTINLINE=inline in makefile builds Bug 1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys Bug 1918767 - override default definition of KRML_MUSTINLINE Bug 1916525 - libssl support for mlkem768x25519 Bug 1916524 - support for ML-KEM-768 in softoken and pk11wrap Bug 1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL Bug 1911912 - Avoid misuse of ctype(3) functions Bug 1917311 - part 2: run clang-format Bug 1917311 - part 1: upgrade to clang-format 13 Bug 1916953 - clang-format fuzz Bug 1910370 - DTLS client message buffer may not empty be on retransmit Bug 1916413 - Optionally print config for TLS client and server fuzz target Bug 1916059 - Fix some simple documentation issues in NSS. Bug 1915439 - improve performance of NSC_FindObjectsInit when template has CKA_TOKEN attr Bug 1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
devel/nss: Update to 3.104 Changelog: 3.104: Changes: - Bug 1910071 - Copy original corpus to heap-allocated buffer - Bug 1910079 - Fix min ssl version for DTLS client fuzzer - Bug 1908990 - Remove OS2 support just like we did on NSPR - Bug 1910605 - clang-format NSS improvements - Bug 1902078 - Adding basicutil.h to use HexString2SECItem function - Bug 1908990 - removing dirent.c from build - Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible ( - Bug 1908990 - remove nec4.3, sunos4, riscos and SNI references - Bug 1908990 - remove other old OS (BSDI, old HP UX, NCR, openunix, sco, unixware or reliantUnix - Bug 1908990 - remove mentions of WIN95 - Bug 1908990 - remove mentions of WIN16 - Bug 1913750 - More explicit directory naming - Bug 1913755 - Add more options to TLS server fuzz target - Bug 1913675 - Add more options to TLS client fuzz target - Bug 1835240 - Use OSS-Fuzz corpus in NSS CI - Bug 1908012 - set nssckbi version number to 2.70. - Bug 1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert. - Bug 1908009 - Remove Email Trust bit from certSIGN ROOT CA. - Bug 1908006 - Add Cybertrust Japan Roots to NSS. - Bug 1908004 - Add Taiwan CA Roots to NSS. - Bug 1911354 - remove search by decoded serial in nssToken_FindCertificateByIssuerAndSerialNumber. - Bug 1913132 - Fix tstclnt CI build failure - Bug 1913047 - vfyserv: ensure peer cert chain is in db for CERT_VerifyCertificateNow. - Bug 1912427 - Enable all supported protocol versions for UDP - Bug 1910361 - Actually use random PSK hash type - Bug 1911576: Initialize NSS DB once - Bug 1910361 - Additional ECH cipher suites and PSK hash types - Bug 1903604: Automate corpus file generation for TLS client Fuzzer - Bug 1910364 - Fix crash with UNSAFE_FUZZER_MODE - Bug 1910605 - clang-format shlibsign.c NSS 3.104 shared libraries are backwards-compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with this new version of the shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
nss: update to 3.103. Changes: - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. - Bug 1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH. - Bug 1909638 - Follow-up to fix test for presence of file nspr.patch. - Bug 1903783 - Adjust libFuzzer size limits. - Bug 1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk. - Bug 1899542 - Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION. - Bug 1909638 - NSS automation should always cleanup the NSPR tree. - Bug 590806 - Freeing symKey in pk11_PubDeriveECKeyWithKDF when a key_size is 0 and wrong kd. - Bug 1908831 - Don't link zlib where it's not needed. - Bug 1908597 - Removing dead code from X25519 seckey. - Bug 1905691 - ChaChaXor to return after the functio. - Bug 1900416 - NSS Support of X25519 import/export functionalit. - Bug 1890618 - add PeerCertificateChainDER function to libssl. - Bug 1908190 - fix definitions of freeblCipher_native_aes_*_worker on arm. - Bug 1907743 - pk11mode: avoid passing null phKey to C_DeriveKey. - Bug 1902119 - reuse X25519 share when offering both X25519 and Xyber768d00. - Set nssckbi version number to 2.69. - Bug 1904404 - add NSS_DISABLE_NSPR_TESTS option to makefile. - Bug 1905746 - avoid calling functions through pointers of incompatible type. - Bug 1905783 - merge docker-fuzz32 and docker-fuzz images. - Bug 1903373 - fix several scan-build warnings.
nss: update to 3.102.1. Changes: - Bug 1905691 - ChaChaXor to return after the function - nobug - Set nssckbi version number to 2.69
nss: update to 3.102. Changes: - Bug 1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305. - Bug 1901932 - missing sqlite header. - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. - Bug 1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. - Bug 1660676 - correct length of raw SPKI data before printing in pp utility.
nss: update to 3.101.1. Changes: - Bug 1901932 - missing sqlite header. - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
nss: update to 3.101. Changes: - Bug 1900413 - add diagnostic assertions for SFTKObject refcount. - Bug 1899759 - freeing the slot in DeleteCertAndKey if authentication failed - Bug 1899883 - fix formatting issues. - Bug 1889671 - Add Firmaprofesional CA Root-A Web to NSS. - Bug 1899593 - remove invalid acvp fuzz test vectors. - Bug 1898830 - pad short P-384 and P-521 signatures gtests. - Bug 1898627 - remove unused FreeBL ECC code. - Bug 1898830 - pad short P-384 and P-521 signatures. - Bug 1898825 - be less strict about ECDSA private key length. - Bug 1854439 - Integrate HACL* P-521. - Bug 1854438 - Integrate HACL* P-384. - Bug 1898074 - memory leak in create_objects_from_handles. - Bug 1898858 - ensure all input is consumed in a few places in mozilla::pkix - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy - Bug 1748105 - clean up escape handling - Bug 1896353 - Use lib::pkix as default validator instead of the old-one - Bug 1827444 - Need to add high level support for PQ signing. - Bug 1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation - Bug 1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy - Bug 1893404 - Allow for non-full length ecdsa signature when using softoken - Bug 1830415 - Modification of .taskcluster.yml due to mozlint indent defects - Bug 1793811 - Implement support for PBMAC1 in PKCS#12 - Bug 1897487 - disable VLA warnings for fuzz builds. - Bug 1895032 - remove redundant AllocItem implementation. - Bug 1893334 - add PK11_ReadDistrustAfterAttribute. - Bug 215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update - Bug 1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure - Bug 1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile. - Bug 1830415 - Switch to the mozillareleases/image_builder image
devel/nss: Update HOMEPAGE
revbump after icu and protobuf updates
nss: update to 3.100. Changes: - Bug 1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for faster Xyber operations. - Bug 1893752 - remove ckcapi. - Bug 1893162 - avoid a potential PK11GenericObject memory leak. - Bug 671060 - Remove incomplete ESDH code. - Bug 215997 - Decrypt RSA OAEP encrypted messages. - Bug 1887996 - Fix certutil CRLDP URI code. - Bug 1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys. - Bug 676118: Add ability to encrypt and decrypt CMS messages using ECDH. - Bug 676100 - Correct Templates for key agreement in smime/cmsasn.c. - Bug 1548723 - Moving the decodedCert allocation to NSS. - Bug 1885404 - Allow developers to speed up repeated local execution of NSS tests that depend on certificates.
nss: update to 3.99. Changes: - Bug 1325335 - Removing check for message len in ed25519 - Bug 1884276 - add ed25519 to SECU_ecName2params. - Bug 1325335 - add EdDSA wycheproof tests. - Bug 1325335 - nss/lib layer code for EDDSA. - Bug 1325335 - Adding EdDSA implementation. - Bug 1881027 - Exporting Certificate Compression types - Bug 1880857 - Updating ACVP docker to rust 1.74 - Bug 1325335 - Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 - Bug 1877730 - Add NSS_CMSRecipient_IsSupported.
nss: update to 3.98. Changes: - Bug 1780432 - (CVE-2023-5388) Timing attack against RSA decryption in TLS. - Bug 1879513 - Certificate Compression: enabling the check that the compression was advertised. - Bug 1831552 - Move Windows workers to nss-1/b-win2022-alpha. - Bug 1879945 - Remove Email trust bit from OISTE WISeKey Global Root GC CA. - Bug 1877344 - Replace `distutils.spawn.find_executable` with `shutil.which` within `mach` in `nss`. - Bug 1548723 - Certificate Compression: Updating nss_bogo_shim to support Certificate compression. - Bug 1548723 - TLS Certificate Compression (RFC 8879) Implementation. - Bug 1875356 - Add valgrind annotations to freebl kyber operations for constant-time execution tests. - Bug 1870673 - Set nssckbi version number to 2.66. - Bug 1874017 - Add Telekom Security roots. - Bug 1873095 - Add D-Trust 2022 S/MIME roots. - Bug 1865450 - Remove expired Security Communication RootCA1 root. - Bug 1876179 - move keys to a slot that supports concatenation in PK11_ConcatSymKeys. - Bug 1876800 - remove unmaintained tls-interop tests. - Bug 1874937 - bogo: add support for the -ipv6 and -shim-id shim flags. - Bug 1874937 - bogo: add support for the -curves shim flag and update Kyber expectations. - Bug 1874937 - bogo: adjust expectation for a key usage bit test. - Bug 1757758 - mozpkix: add option to ignore invalid subject alternative names. - Bug 1841029 - Fix selfserv not stripping `publicname:` from -X value. - Bug 1876390 - take ownership of ecckilla shims. - Bug 1874458 - add valgrind annotations to freebl/ec.c. - Bug 864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip. - Bug 1875965 - Update zlib to 1.3.1.
nss: update to 3.97. Changes: - Bug 1875506 - make Xyber768d00 opt-in by policy. - Bug 1871631 - add libssl support for xyber768d00. - Bug 1871630 - add PK11_ConcatSymKeys. - Bug 1775046 - add Kyber and a PKCS#11 KEM interface to softoken. - Bug 1871152 - add a FreeBL API for Kyber. - Bug 1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff. - Bug 1826451 - part 1: add a script for vendoring kyber from pq-crystals repo. - Bug 1835828 - Removing the calls to RSA Blind from loader.* - Bug 1874111 - fix worker type for level3 mac tasks. - Bug 1835828 - RSA Blind implementation. - Bug 1869642 - Remove DSA selftests. - Bug 1873296 - read KWP testvectors from JSON. - Bug 1822450 - Backed out changeset dcb174139e4f - Bug 1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation. - Bug 1871219 - Wrap CC shell commands in gyp expansions.
nss: update to 3.96.1. There was no 3.96.0 release. Changes: Bug 1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh <https://hg.mozilla.org/projects/nss/rev/16ccde14ea6714ee0e6a602379194141578859a8> Bug 1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups). <https://hg.mozilla.org/projects/nss/rev/425660da5f297d7583783eb27f877865289efc29> Bug 1867408 - add a defensive check for large ssl_DefSend return values. <https://hg.mozilla.org/projects/nss/rev/1bda168c0da97e19e5f14bc4227c15c0a9f493bf> Bug 1869378 - Add dependency to the taskcluster script for Darwin <https://hg.mozilla.org/projects/nss/rev/e934c6d1d4366d152e3307cb76af4c02667c9147> Bug 1869378 - Upgrade version of the MacOS worker for the CI <https://hg.mozilla.org/projects/nss/rev/5463f2a14bd430fc793e29a07854dc647f61eae8>
nss: update to 3.95 Changelog: Changes: - Bug 1842932 - Bump builtins version number. - Bug 1851044: Remove Email trust bit from Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. - Bug 1855318: Remove 4 DigiCert (Symantec/Verisign) Root Certificates from NSS. - Bug 1851049: Remove 3 TrustCor Root Certificates from NSS. - Bug 1850982 - Remove Camerfirma root certificates from NSS. - Bug 1842935 - Remove old Autoridad de Certificacion Firmaprofesional Certificate. - Bug 1860670 - Add four Commscope root certificates to NSS. - Bug 1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates. - Bug 1863605 - Include P-384 and P-521 Scalar Validation from HACL* - Bug 1861728 - Include P-256 Scalar Validation from HACL*. - Bug 1861265 After the HACL 256 ECC patch, NSS incorrectly encodes 256 ECC without DER wrapping at the softoken level - Bug 1837987:Add means to provide library parameters to C_Initialize - Bug 1573097 - clang format - Bug 1854795 - add OSXSAVE and XCR0 tests to AVX2 detection. - Bug 1858241 - Typo in ssl3_AppendHandshakeNumber - Bug 1858241 - Introducing input check of ssl3_AppendHandshakeNumber - Bug 1573097 - Fix Invalid casts in instance.c
*: recursive bump for icu 74.1
nss: update to 3.94. Changes: - Bug 1853737 - Updated code and commit ID for HACL*. - Bug 1840510 - update ACVP fuzzed test vector: refuzzed with current NSS. - Bug 1827303 - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants. - Bug 1774659 - NSS needs a database tool that can dump the low level representation of the database. - Bug 1852179 - declare string literals using char in pkixnames_tests.cpp. - Bug 1852179 - avoid implicit conversion for ByteString. - Bug 1818766 - update rust version for acvp docker. - Bug 1852011 - Moving the init function of the mpi_ints before clean-up in ec.c - Bug 1615555 - P-256 ECDH and ECDSA from HACL*. - Bug 1840510 - Add ACVP test vectors to the repository - Bug 1849077 - Stop relying on std::basic_string<uint8_t>. - Bug 1847845 - Transpose the PPC_ABI check from Makefile to gyp.
nss: update to 3.93. - Bug 1849471 - Update zlib in NSS to 1.3. - Bug 1848183 - softoken: iterate hashUpdate calls for long inputs. - Bug 1813401 - regenerate NameConstraints test certificates.
nss: update to 3.92. Changes: - Bug 1822935 - Set nssckbi version number to 2.62. - Bug 1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS. - Bug 1839992 - Add 4 SSL.com Root CA certificates. - Bug 1840429 - Add Sectigo E46 and R46 Root CA certificates. - Bug 1840437 - Add LAWtrust Root CA2 (4096). - Bug 1822936 - Remove E-Tugra Certification Authority root. - Bug 1827224 - Remove Camerfirma Chambers of Commerce Root. - Bug 1840505 - Remove Hongkong Post Root CA 1. - Bug 1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3. - Bug 1842937 - Avoid redefining BYTE_ORDER on hppa Linux.
nss: update to 3.91. Bugfix release.
devel/nss: Fix cross-build under TOOLBASE/LOCALBASE split. Omit needless TOOL_DEPENDS on nspr; patch the problem away instead.
nss: update to 3.89.1. Changes: - Bug 1804505 - Update the technical constraints for KamuSM. - Bug 1822921 - Add BJCA Global Root CA1 and CA2 root certificates.
revbump after textproc/icu update
nss: update to 3.89. Changes: - Bug 1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase. - Bug 1820175 - PR_STATIC_ASSERT is cursed. - Bug 1767883 - Need to add policy control to keys lengths for signatures. - Bug 1820175 - Fix unreachable code warning in fuzz builds. - Bug 1820175 - Fix various compiler warnings in NSS. - Bug 1820175 - Enable various compiler warnings for clang builds. - Bug 1815136 - set PORT error after sftk_HMACCmp failure. - Bug 1767883 - Need to add policy control to keys lengths for signatures. - Bug 1804662 - remove data length assertion in sec_PKCS7Decrypt. - Bug 1804660 - Make high tag number assertion failure an error. - Bug 1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key length from 284 to 384. - Bug 1815167 - Tolerate certificate_authorities xtn in ClientHello. - Bug 1789436 - Fix build failure on Windows. - Bug 1811337 - migrate Win 2012 tasks to Azure. - Bug 1810702 - fix title length in doc. - Bug 1570615 - Add interop tests for HRR and PSK to GREASE suite. - Bug 1570615 - Add presence/absence tests for TLS GREASE. - Bug 1804688 - Correct addition of GREASE value to ALPN xtn. - Bug 1789436 - CH extension permutation. - Bug 1570615 - TLS GREASE (RFC8701). - Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. - Bug 1815870 - use a different treeherder symbol for each docker image build task. - Bug 1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images. - Bug 1810702 - remove nested table in rst doc. - Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. - Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32.
nss: update to 3.88.1. - Bug 1804640 - improve handling of unknown PKCS#12 safe bag types.
nss: update to 3.88. Changes: - Bug 1815870 - use a different treeherder symbol for each docker image build task. - Bug 1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images - Bug 1810702 - remove nested table in rst doc - Bug 1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. - Bug 1812671 - build failure while implicitly casting SECStatus to PRUInt32. r=nss-reviewers,mt - Bug 1212915 - Add check for ClientHello SID max length. This is tested by Bogo tests - Bug 1771100 - Added EarlyData ALPN test support to BoGo shim. - Bug 1790357 - ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup. - Bug 1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm. - Bug 1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test. - Bug 1771100 - Added Bogo ECH rejection test support. - Bug 1771100 - Added ECH 0Rtt support to BoGo shim. - Bug 1747957 - RSA OAEP Wycheproof JSON - Bug 1747957 - RSA decrypt Wycheproof JSON - Bug 1747957 - ECDSA Wycheproof JSON - Bug 1747957 - ECDH Wycheproof JSON - Bug 1747957 - PKCS#1v1.5 wycheproof json - Bug 1747957 - Use X25519 wycheproof json - Bug 1766767 - Move scripts to python3 - Bug 1809627 - Properly link FuzzingEngine for oss-fuzz. - Bug 1805907 - Extending RSA-PSS bltest test coverage (Adding SHA-256 and SHA-384) - Bug 1804091 NSS needs to move off of DSA for integrity checks - Bug 1805815 - Add initial testing with ACVP vector sets using acvp-rust - Bug 1806369 - Don't clone libFuzzer, rely on clang instead
nss: update to 3.87. Changes: - Bug 1803226 - NULL password encoding incorrect. - Bug 1804071 - Fix rng stub signature for fuzzing builds. - Bug 1803595 - Updating the compiler parsing for build. - Bug 1749030 - Modification of supported compilers. - Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database. - Bug 1751707 - Add configuration option to enable source-based coverage sanitizer. - Bug 1751705 - Update ECCKiila generated files. - Bug 1730353 - Add support for the LoongArch 64-bit architecture. - Bug 1798823 - add checks for zero-length RSA modulus to avoid memory errors and failed assertions later. - Bug 1798823 - Additional zero-length RSA modulus checks.
nss: update to 3.86. Changes: - Bug 1803190 - conscious language removal in NSS. - Bug 1794506 - Set nssckbi version number to 2.60. - Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates. - Bug 1799038 - Remove Staat der Nederlanden EV Root CA from NSS. - Bug 1797559 - Remove EC-ACC root cert from NSS. - Bug 1794507 - Remove SwissSign Platinum CA - G2 from NSS. - Bug 1794495 - Remove Network Solutions Certificate Authority. - Bug 1802331 - compress docker image artifact with zstd. - Bug 1799315 - Migrate nss from AWS to GCP. - Bug 1800989 - Enable static builds in the CI. - Bug 1765759 - Removing SAW docker from the NSS build system. - Bug 1783231 - Initialising variables in the rsa blinding code. - Bug 320582 - Implementation of the double-signing of the message for ECDSA. - Bug 1783231 - Adding exponent blinding for RSA.
massive revision bump after textproc/icu update
nss: update to 3.85. Changes: - Bug 1792821 - Modification of the primes.c and dhe-params.c in order to have better looking tables. - Bug 1796815 - Update zlib in NSS to 1.2.13. - Bug 1796504 - Skip building modutil and shlibsign when building in Firefox. - Bug 1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard. - Bug 1796407 - Fix -Wunused-but-set-variable warning from clang 15. - Bug 1796308 - Fix -Wtautological-constant-out-of-range-compare and -Wtype-limits warnings. - Bug 1796281 - Followup: add missing stdint.h include. - Bug 1796281 - Fix -Wint-to-void-pointer-cast warnings. - Bug 1796280 - Fix -Wunused-{function,variable,but-set-variable} warnings on Windows. - Bug 1796079 - Fix -Wstring-conversion warnings. - Bug 1796075 - Fix -Wempty-body warnings. - Bug 1795242 - Fix unused-but-set-parameter warning. - Bug 1795241 - Fix unreachable-code warnings. - Bug 1795222 - Mark _nss_version_c unused on clang-cl. - Bug 1795668 - Remove redundant variable definitions in lowhashtest. - No bug - Add note about python executable to build instructions.
nss: update to 3.84. Changes: - Bug 1791699 - Bump minimum NSPR version to 4.35. - Bug 1792103 - Add a flag to disable building libnssckbi.
nss: update to 3.83. Changes: - Bug 1788875 - Remove set-but-unused variables from SEC_PKCS12DecoderValidateBags - Bug 1563221 - remove older oses that are unused part3/ BeOS - Bug 1563221 - remove older unix support in NSS part 3 Irix - Bug 1563221 - remove support for older unix in NSS part 2 DGUX - Bug 1563221 - remove support for older unix in NSS part 1 OSF - Bug 1778413 - Set nssckbi version number to 2.58 - Bug 1785297 - Add two SECOM root certificates to NSS - Bug 1787075 - Add two DigitalSign root certificates to NSS - Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS - Bug 1771100 - Added bug reference and description to disabled UnsolicitedServerNameAck bogo ECH test - Bug 1779361 - Removed skipping of ECH on equality of private and public server name - Bug 1779357 - Added comment and bug reference to ECHRandomHRRExtension bogo test - Bug 1779370 - Added Bogo shim client HRR test support. Fixed overwriting of CHInner.random on HRR - Bug 1779234 - Added check for server only sending ECH extension with retry configs in EncryptedExtensions and if not accepting ECH. Changed config setting behavior to skip configs with unsupported mandatory extensions instead of failing - Bug 1771100 - Added ECH client support to BoGo shim. Changed CHInner creation to skip TLS 1.2 only extensions to comply with BoGo - Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH server accept_confirmation bugs - Bug 1771100 - Update BoGo tests to recent BoringSSL version - Bug 1785846 - Bump minimum NSPR version to 4.34.1
nss: update to 3.82. Changes: - Bug 1330271 - check for null template in sec_asn1{d,e}_push_state - Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length - Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite - Bug 1784191 - Cast the result of GetProcAddress - Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
nss: set MAKE_JOBS_SAFE=no and this time explain why
nss: update to 3.81. Changes: - Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD. - Bug 1775359 - make NSS_SecureMemcmp 0/1 valued. - Bug 1779285: Add no_application_protocol alert handler and test client error code is set. - Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
nss: drop MAKE_JOBS_SAFE=no I cannot recall the reason it was set; seems to work without it now.
*: recursive bump for perl 5.36
nss: update to 3.80. Ok during freeze: gdt@ Changes: - Bug 1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. - Bug 1617956 - Add support for asynchronous client auth hooks. - Bug 1497537 - nss-policy-check: make unknown keyword check optional. - Bug 1765383 - GatherBuffer: Reduced plaintext buffer allocations by allocating it on initialization. Replaced redundant code with assert. Debug builds: Added buffer freeing/allocation for each record. - Bug 1773022 - Mark 3.79 as an ESR release. - Bug 1764206 - Bump nssckbi version number for June. - Bug 1759815 - Remove Hellenic Academic 2011 Root. - Bug 1770267 - Add E-Tugra Roots. - Bug 1768970 - Add Certainly Roots. - Bug 1764392 - Add DigitCert Roots. - Bug 1759794 - Protect SFTKSlot needLogin with slotLock. - Bug 1366464 - Compare signature and signatureAlgorithm fields in legacy certificate verifier. - Bug 1771497 - Uninitialized value in cert_VerifyCertChainOld. - Bug 1771495 - Unchecked return code in sec_DecodeSigAlg. - Bug 1771498 - Uninitialized value in cert_ComputeCertType. - Bug 1760998 - Avoid data race on primary password change. - Bug 1769063 - Replace ppc64 dcbzl intrinisic. - Bug 1771036 - Allow LDFLAGS override in makefile builds.
nss: update to 3.79. This release fixes memory safety violations that can occur when parsing CMS data. We presume that with enough effort these memory safety violations are exploitable. Change: - Bug 205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. - Bug 1766907 - Update mercurial in clang-format docker image. - Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail. - Bug 1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. - Bug 1753315 - Add SECMOD_LockedModuleHasRemovableSlots. - Bug 1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. - Bug 1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. - Bug 1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. - Bug 1764788 - Correct invalid record inner and outer content type alerts. - Bug 1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. - Bug 1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle. - Bug 1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. - Bug 1769302 - NSS 3.79 should depend on NSPR 4.34
nss: update to 3.78. Change: - Bug 1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. - Bug 1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries. - Bug 1763120 - Add ECH Grease Support to tstclnt - Bug 1765003 - Add a strict variant of moz::pkix::CheckCertHostname. - Bug 1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. - Bug 1760813 - Make SEC_PKCS12EnableCipher succeed - Bug 1762489 - Update zlib in NSS to 1.2.12.
revbump for textproc/icu update
devel/nss: Patch ctype(3) abuse.
devel/nss: Fix cross-compilation.
nss: update to 3.77. Changes: - Bug 1762244 - resolve mpitests build failure on Windows. - Bug 1761779 - Fix link to TLS page on wireshark wiki - Bug 1754890 - Add two D-TRUST 2020 root certificates. - Bug 1751298 - Add Telia Root CA v2 root certificate. - Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. - Bug 1005084 - support specific RSA-PSS parameters in mozilla::pkix - Bug 1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. - Bug 1756271 - Remove token member from NSSSlot struct. - Bug 1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. - Bug 1757279 - Support UTF-8 library path in the module spec string. - Bug 1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. - Bug 1760827 - Add a CI Target for gcc-11. - Bug 1760828 - Change to makefiles for gcc-4.8. - Bug 1741688 - Update googletest to 1.11.0 - Bug 1759525 - Add SetTls13GreaseEchSize to experimental API. - Bug 1755264 - TLS 1.3 Illegal legacy_version handling/alerts. - Bug 1755904 - Fix calculation of ECH HRR Transcript. - Bug 1758741 - Allow ld path to be set as environment variable. - Bug 1760653 - Ensure we don't read uninitialized memory in ssl gtests. - Bug 1758478 - Fix DataBuffer Move Assignment. - Bug 1552254 - internal_error alert on Certificate Request with sha1+ecdsa in TLS 1.3 - Bug 1755092 - rework signature verification in mozilla::pkix
nss: Update to 3.76.1 Changelog: Change: - Bug 1756271 - Remove token member from NSSSlot struct.
nss: update to 3.76. Changes: - Bug 1755555 - Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots. - Bug 1370866 - Check return value of PK11Slot_GetNSSToken. - Bug 1747957 - Use Wycheproof JSON for RSASSA-PSS - Bug 1679803 - Add SHA256 fingerprint comments to old certdata.txt entries. - Bug 1753505 - Avoid truncating files in nss-release-helper.py. - Bug 1751157 - Throw illegal_parameter alert for illegal extensions in handshake message.
nss: update to 3.75. Changes: - Bug 1749030 - This patch adds gcc-9 and gcc-10 to the CI. - Bug 1749794 - Make DottedOIDToCode.py compatible with python3. - Bug 1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing. - Bug 1748386 - Remove redundant key type check. - Bug 1749869 - Update ABI expectations to match ECH changes. - Bug 1748386 - Enable CKM_CHACHA20. - Bug 1747327 - check return on NSS_NoDB_Init and NSS_Shutdown. - Bug 1747310 - real move assignment operator. - Bug 1748245 - Run ECDSA test vectors from bltest as part of the CI tests. - Bug 1743302 - Add ECDSA test vectors to the bltest command line tool. - Bug 1747772 - Allow to build using clang's integrated assembler. - Bug 1321398 - Allow to override python for the build. - Bug 1747317 - test HKDF output rather than input. - Bug 1747316 - Use ASSERT macros to end failed tests early. - Bug 1747310 - move assignment operator for DataBuffer. - Bug 1712879 - Add test cases for ECH compression and unexpected extensions in SH. - Bug 1725938 - Update tests for ECH-13. - Bug 1725938 - Tidy up error handling. - Bug 1728281 - Add tests for ECH HRR Changes. - Bug 1728281 - Server only sends GREASE HRR extension if enabled by preference. - Bug 1725938 - Update generation of the Associated Data for ECH-13. - Bug 1712879 - When ECH is accepted, reject extensions which were only advertised in the Outer Client Hello. - Bug 1712879 - Allow for compressed, non-contiguous, extensions. - Bug 1712879 - Scramble the PSK extension in CHOuter. - Bug 1712647 - Split custom extension handling for ECH. - Bug 1728281 - Add ECH-13 HRR Handling. - Bug 1677181 - Client side ECH padding. - Bug 1725938 - Stricter ClientHelloInner Decompression. - Bug 1725938 - Remove ECH_inner extension, use new enum format. - Bug 1725938 - Update the version number for ECH-13 and adjust the ECHConfig size.
nss: update to 3.74. Changes: • Bug 966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses. • Bug 1553612 - Ensure clients offer consistent ciphersuites after HRR. • Bug 1721426 - NSS does not properly restrict server keys based on policy. • Bug 1733003 - Set nssckbi version number to 2.54. • Bug 1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate in NSS. • Bug 1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate in NSS. • Bug 1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate in NSS. • Bug 1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate in NSS. • Bug 1735407 - Replace GlobalSign ECC Root CA R4 in NSS. • Bug 1733560 - Remove Expired Root Certificates from NSS - DST Root CA X3. • Bug 1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root certificates from NSS. • Bug 1741930 - Add renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root certificate to NSS. • Bug 1740095 - Add iTrusChina ECC root certificate to NSS. • Bug 1740095 - Add iTrusChina RSA root certificate to NSS. • Bug 1738805 - Add ISRG Root X2 root certificate to NSS. • Bug 1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate to NSS. • Bug 1738028 - Avoid a clang 13 unused variable warning in opt build. • Bug 1735028 - Check for missing signedData field. • Bug 1737470 - Ensure DER encoded signatures are within size limits.
nss: Update to 3.73.1 Changelog: Change: - Add SHA-2 support to mozilla::pkix's OCSP implementation
revbump for icu and libffi
Pullup ticket #6548 - requested by mlelstv devel/nss: security-update Revisions pulled up: - devel/nss/Makefile 1.215-1.217 - devel/nss/distinfo 1.139,1.142-1.143 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Thu Sep 30 21:39:55 UTC 2021 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: update to 3.71. Changes: - Bug 1717716 - Set nssckbi version number to 2.52. - Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported - Bug 1717707 - Add HARICA Client ECC Root CA 2021. - Bug 1717707 - Add HARICA Client RSA Root CA 2021. - Bug 1717707 - Add HARICA TLS ECC Root CA 2021. - Bug 1717707 - Add HARICA TLS RSA Root CA 2021. - Bug 1728394 - Add TunTrust Root CA certificate to NSS. To generate a diff of this commit: cvs rdiff -u -r1.214 -r1.215 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.138 -r1.139 pkgsrc/devel/nss/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Thu Oct 28 10:03:13 UTC 2021 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: update to 3.72. Changes: - Documentation: release notes for NSS 3.72 - Documentation: release notes for NSS 3.71 - Remove newline at the end of coreconf.dep - Bug 1731911 - Fix nsinstall parallel failure. - Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins. To generate a diff of this commit: cvs rdiff -u -r1.215 -r1.216 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.141 -r1.142 pkgsrc/devel/nss/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: wiz Date: Wed Dec 1 17:04:11 UTC 2021 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: update to 3.73. This contains the fix for CVE-2021-43527. To generate a diff of this commit: cvs rdiff -u -r1.216 -r1.217 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.142 -r1.143 pkgsrc/devel/nss/distinfo
nss: update to 3.73. This contains the fix for CVE-2021-43527.
nss: update to 3.72. Changes: - Documentation: release notes for NSS 3.72 - Documentation: release notes for NSS 3.71 - Remove newline at the end of coreconf.dep - Bug 1731911 - Fix nsinstall parallel failure. - Bug 1729930 - Increase KDF cache size to mitigate perf regression in about:logins.
nss: update to 3.71. Changes: - Bug 1717716 - Set nssckbi version number to 2.52. - Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py - Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported - Bug 1717707 - Add HARICA Client ECC Root CA 2021. - Bug 1717707 - Add HARICA Client RSA Root CA 2021. - Bug 1717707 - Add HARICA TLS ECC Root CA 2021. - Bug 1717707 - Add HARICA TLS RSA Root CA 2021. - Bug 1728394 - Add TunTrust Root CA certificate to NSS.
nss: update to 3.70. Changes: - Documentation: release notes for NSS 3.70. - Documentation: release notes for NSS 3.69.1. - Bug 1726022 - Update test case to verify fix. - Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max - Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback - Formatting for lib/util - Bug 1681975 - Avoid using a lookup table in nssb64d. - Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian. - Bug 1714579 - Change default value of enableHelloDowngradeCheck to true. - Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc - Bug 1726022 - Cache additional PBE entries. - Bug 1709750 - Read HPKE vectors from official JSON. - Documentation: update for NSS 3.69 release.
nss: add link to release notes
nss: update to 3.69.1. Bugs fixed: - Bug 1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default - Bug 1720226 (Backout) - integrity checks in key4.db not happening on private components with AES_CBC
nss: skip portability checks for all unit tests
nss: update to 3.69. Bugs fixed: - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms. - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures. - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports. - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode - Bug 1720232 - SQLite calls could timeout in starvation situations. - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67 - Bug 1709817 - Import the NSS documentation from MDN in nss/doc. - Bug 1720227 - NSS using a tempdir to measure sql performance not active
nss: update to 3.67. Bugs fixed: * Bug 1683710 - Add a means to disable ALPN. * Bug 1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). * Bug 1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. * Bug 1566124 - Fix counter increase in ppc-gcm-wrap.c. * Bug 1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.
nss: update to 3.66. Bugs fixed: * Bug 1710716 - Remove Expired Sonera Class2 CA from NSS. * Bug 1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. * Bug 1708307 - Remove Trustis FPS Root CA from NSS. * Bug 1707097 - Add Certum Trusted Root CA to NSS. * Bug 1707097 - Add Certum EC-384 CA to NSS. * Bug 1703942 - Add ANF Secure Server Root CA to NSS. * Bug 1697071 - Add GLOBALTRUST 2020 root cert to NSS. * Bug 1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. * Bug 1712230 - Don't build ppc-gcm.s with clang integrated assembler. * Bug 1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. * Bug 1710773 - NSS needs FIPS 180-3 FIPS indicators. * Bug 1709291 - Add VerifyCodeSigningCertificateChain. * Use GNU tar for the release helper script.
*: recursive bump for perl 5.34
nss: update to 3.65. Bugs fixed in NSS 3.65: * Bug 1709654 - Update for NetBSD configuration. * Bug 1709750 - Disable HPKE test when fuzzing. * Bug 1566124 - Optimize AES-GCM for ppc64le. * Bug 1699021 - Add AES-256-GCM to HPKE. * Bug 1698419 - ECH -10 updates. * Bug 1692930 - Update HPKE to final version. * Bug 1707130 - NSS should use modern algorithms in PKCS#12 files by default. * Bug 1703936 - New coverity/cpp scanner errors. * Bug 1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * Bug 1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * Bug 1705119 - Deadlock when using GCM and non-thread safe tokens.
nss: hide symbols on NetBSD like on other platforms Remove local workarounds again Bump PKGREVISION.
nss: Fix support for NetBSD/aarch64eb. Bump revision.
revbump for textproc/icu
nss: Update to 3.64 Changelog: Bugs fixed in NSS 3.64: * Bug 1705286 - Properly detect mips64. * Bug 1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and disable_crypto_vsx. * Bug 1698320 - replace __builtin_cpu_supports("vsx") with ppc_crypto_support() for clang. * Bug 1613235 - Add POWER ChaCha20 stream cipher vector acceleration.
nss: restore symbol rename patches While the link fix did fix the case of openssl calling nss code, the other way round still happens, e.g. in libreoffice (since fixed to not use nss) and konqueror. Bump PKGREVISION.
nss: fix interoperability with openssl For a long time now (at least 15 years), the installed pkg-config file also linked against libsoftokn3, which is wrong according to upstream. This library is only intended to be loaded as a module. Having this library linked added symbols to the namespace that conflict with openssl symbols. This had caused problems before, and patches had been added to rename symbols to avoid this conflict. Instead, fix this correctly by not linking against libsoftokn3. Switch to using the pkg-config and nss-config files provided in the distfiles instead of pkgsrc-specific ones. Remove now unneeded symbol-renaming patches. Remove DragonFly patches while here. Bump PKGREVISION.
nss: Update to 3.63 Changelog: Bugs fixed in NSS 3.63: * Bug 1697380 - Make a clang-format run on top of helpful contributions. * Bug 1683520 - ECCKiila P384, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * Bug 1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual scalar multiplication. * Bug 1683520 - ECCKiila P521, change syntax of nested structs initialization to prevent build isses with GCC 4.8. * Bug 1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual scalar multiplication. * Bug 1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. * Bug 1694214 - tstclnt can't enable middlebox compat mode. * Bug 1694392 - NSS does not work with PKCS #11 modules not supporting profiles. * Bug 1685880 - Minor fix to prevent unused variable on early return. * Bug 1685880 - Fix for the gcc compiler version 7 to support setenv with nss build. * Bug 1693217 - Increase nssckbi.h version number for March 2021 batch of root CA changes, CA list version 2.48. * Bug 1692094 - Set email distrust after to 21-03-01 for Camerfirma's 'Chambers of Commerce' and 'Global Chambersign' roots. * Bug 1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. * Bug 1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. * Bug 1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. * Bug 1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs from NSS. * Bug 1687822 - Turn off Websites trust bit for the “Staat der Nederlanden Root CA - G3” root cert in NSS. * Bug 1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce Root - 2008' and 'Global Chambersign Root - 2008’. * Bug 1694291 - Tracing fixes for ECH.
nss: Update to 3.62 * Change header files installation suggested by markd@. Do not install dbm header files and install nss header files under nss, not nss/nss. Changelog: Bugs fixed in NSS 3.62 Bug 1688374 - Fix parallel build NSS-3.61 with make. Bug 1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() can corrupt "cachedCertTable". Bug 1690583 - Fix CH padding extension size calculation. Bug 1690421 - Adjust 3.62 ABI report formatting for new libabigail. Bug 1690421 - Install packaged libabigail in docker-builds image. Bug 1689228 - Minor ECH -09 fixes for interop testing, fuzzing. Bug 1674819 - Fixup a51fae403328, enum type may be signed. Bug 1681585 - Add ECH support to selfserv. Bug 1681585 - Update ECH to Draft-09. Bug 1678398 - Add Export/Import functions for HPKE context. Bug 1678398 - Update HPKE to draft-07.
nss: Update to 3.61 Changelog: Bugs fixed in NSS 3.61: * Bug 1682071 - Fix issue with IKE Quick mode deriving incorrect key values under certain conditions. * Bug 1684300 - Fix default PBE iteration count when NSS is compiled with NSS_DISABLE_DBM. * Bug 1651411 - Improve constant-timeness in RSA operations. * Bug 1677207 - Upgrade Google Test version to latest release. * Bug 1654332 - Add aarch64-make target to nss-try.
nss: Update to 3.60 Changelog: Notable changes in NSS 3.60: * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) implementation. See bug 1654332 for more information. * December 2020 batch of Root CA changes, builtins library updated to version 2.46. See bugs 1678189, 1678166, and 1670769 for more information. Bugs fixed in NSS 3.60: * Bug 1654332 - Implement Encrypted Client Hello (draft-ietf-tls-esni-08). * Bug 1678189 - Update CA list version to 2.46. * Bug 1670769 - Remove 10 GeoTrust, thawte, and VeriSign root certs from NSS. * Bug 1678166 - Add NAVER Global Root Certification Authority root cert to NSS. * Bug 1678384 - Add a build flag to allow building nssckbi-testlib in mozilla-central. * Bug 1570539 - Remove -X alt-server-hello option from tstclnt. * Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID. * Bug 1642174 - Fix PowerPC ABI version 1 build failure. * Bug 1674819 - Fix undefined shift in fuzzer mode. * Bug 1678990 - Fix ARM crypto extensions detection on macOS. * Bug 1679290 - Fix lock order inversion and potential deadlock with libnsspem. * Bug 1680400 - Fix memory leak in PK11_UnwrapPrivKey.
nss: Update to 3.59 Changelog: Notable Changes in NSS 3.59 Exported two existing functions from libnss, CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData NOTE: NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop supporting older GCC versions first, followed a few releases later by the make-based builds. Users of older GCC versions can continue to use the make-based build system while they upgrade to newer versions of GCC. Bugs fixed in NSS 3.59 * Bug 1607449 - Lock cert->nssCertificate to prevent a potential data race * Bug 1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA * Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent * Bug 1670835 - Support enabling and disabling signatures via Crypto Policy * Bug 1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs when SHA1 signatures are disabled. * Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some test intermittents * Bug 1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord * Bug 1666891 - Support key wrap/unwrap with RSA-OAEP * Bug 1667989 - Fix gyp linking on Solaris * Bug 1668123 - Export CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData from libnss * Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA * Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder that affected decoding certain PKCS8 private keys when using NSS debug builds * Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
*: Recursive revbump from textproc/icu-68.1
nss: update to 3.58nb1. Add a post-release patch that broke some applications https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f Changes nout found.
nss: Update to 3.57 Changelog: Notable Changes in NSS 3.57 * NSPR dependency updated to 4.29. * The following CA certificates were Added: Bug 1663049 - CN=Trustwave Global Certification Authority SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 Bug 1663049 - CN=Trustwave Global ECC P256 Certification Authority SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 Bug 1663049 - CN=Trustwave Global ECC P384 Certification Authority SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 * The following CA certificates were Removed: Bug 1651211 - CN=EE Certification Centre Root CA SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 Bug 1656077 - O=Government Root Certification Authority; C=TW SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 * Trust settings for the following CA certificates were Modified: Bug 1653092 - CN=OISTE WISeKey Global Root GA CA Websites (server authentication) trust bit removed. Bugs fixed in NSS 3.57 * Bug 1651211 - Remove EE Certification Centre Root CA certificate. * Bug 1653092 - Turn off Websites Trust Bit for OISTE WISeKey Global Root GA CA. * Bug 1656077 - Remove Taiwan Government Root Certification Authority certificate. * Bug 1663049 - Add SecureTrust's Trustwave Global root certificates to NSS. * Bug 1659256 - AArch64 AES optimization shouldn't be enabled with gcc 4.8. * Bug 1651834 - Fix Clang static analyzer warnings. * Bug 1661378 - Fix Build failure with Clang 11. * Bug 1659727 - Fix mpcpucache.c invalid output constraint on Linux/ARM. * Bug 1662738 - Only run freebl_fips_RNG_PowerUpSelfTest when linked with NSPR. * Bug 1661810 - Fix Crash @ arm_aes_encrypt_ecb_128 when building with Clang 11. * Bug 1659252 - Fix Make build with NSS_DISABLE_DBM=1. * Bug 1660304 - Add POST tests for KDFs as required by FIPS. * Bug 1663346 - Use 64-bit compilation on e2k architecture. * Bug 1605922 - Account for negative sign in mp_radix_size. * Bug 1653641 - Cleanup inaccurate DTLS comments, code review fixes. * Bug 1660372 - NSS 3.57 should depend on NSPR 4.29 * Bug 1660734 - Fix Makefile typos. * Bug 1660735 - Fix Makefile typos.
*: bump PKGREVISION for perl-5.32.
nss: fix NetBSD/aarch64 build NS_USE_GCC and CC_IS_CLANG are not SunOS specific makeflags, they are used to toggle if gcm-aarch64.c gets built and probably for other stuff too ...
nss: Update to 3.56 CHangelog: Notable Changes in NSS 3.56 * The known issue where Makefile builds failed to locate seccomon.h was fixed in Bug 1653975. * NSPR dependency updated to 4.28. Bugs fixed in NSS 3.56 * Bug 1650702 - Support SHA-1 HW acceleration on ARMv8 * Bug 1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. * Bug 1654142 - Add CPU feature detection for Intel SHA extension. * Bug 1648822 - Add stricter validation of DH keys in FIPS mode. * Bug 1656986 - Properly detect arm64 during GYP build architecture detection. * Bug 1652729 - Add build flag to disable RC2 and relocate to lib/freebl/deprecated. * Bug 1656429 - Correct RTT estimate used in 0-RTT anti-replay. * Bug 1588941 - Send empty certificate message when scheme selection fails. * Bug 1652032 - Fix failure to build in Windows arm64 makefile cross-compilation. * Bug 1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. * Bug 1653975 - Fix 3.53 regression by setting "all" as the default makefile target. * Bug 1659792 - Fix broken libpkix tests with unexpired PayPal cert. * Bug 1659814 - Fix interop.sh failures with newer tls-interop commit and dependencies. * Bug 1656519 - Update NSPR dependency to 4.28.
nss: update to 3.55 Note that this says the NSPR dependency is bumped. I didn't encounter any problems with 2.46. It seems to be a change that their automation was updated to the newer version. NSS 3.55 P384 and P521 elliptic curve implementations are replaced with verifiable implementations from Fiat-Crypto and ECCKiila. Special thanks to the Network and Information Security Group (NISEC) at Tampere University. PK11_FindCertInSlot is added. With this function, a given slot can be queried with a DER-Encoded certificate, providing performance and usability improvements over other mechanisms. See Bug 1649633 for more details. DTLS 1.3 implementation is updated to draft-38. See Bug 1647752 for details. NSPR dependency updated to 4.27. NSS 3.54 Support for TLS 1.3 external pre-shared keys (Bug 1603042). Use ARM Cryptography Extension for SHA256, when available. (Bug 1528113).
nss: Update to 3.53.1 Changelog: Bugs fixed in NSS 3.53.1 - Bug 1631597 (CVE-2020-12402) - Use constant-time GCD and modular inversion in MPI.
nss: use INSTALL_DATA for static libs
nss: Update to 3.53 Changelog: Notable Changes in NSS 3.53 * When using the Makefiles, NSS can be built in parallel, speeding up those builds to more similar performance as the build.sh/ninja/gyp system. (Bug 290526) * SEED is now moved into a new freebl directory freebl/deprecated (Bug 1636389). - SEED will be disabled by default in a future release of NSS. At that time, users will need to set the compile-time flag (Bug 1622033) to disable that deprecation in order to use the algorithm. - Algorithms marked as deprecated will ultimately be removed. * Several root certificates in the Mozilla program now set the CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can query to further refine trust decisions. (Bug 1618404, Bug 1621159) If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it. - This attribute provides a more graceful phase-out for certificate authorities than complete removal from the root certificate builtin store. Bugs fixed in NSS 3.53 * Bug 1640260 - Initialize PBE params (ASAN fix) * Bug 1618404 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs * Bug 1621159 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID root certs * Bug 1629414 - PPC64: Correct compilation error between VMX vs. VSX vector instructions * Bug 1639033 - Fix various compile warnings in NSS * Bug 1640041 - Fix a null pointer in security/nss/lib/ssl/sslencode.c:67 * Bug 1640042 - Fix a null pointer in security/nss/lib/ssl/sslsock.c:4460 * Bug 1638289 - Avoid multiple definitions of SHA{256,384,512}_* symbols when linking libfreeblpriv3.so in Firefox on ppc64le * Bug 1636389 - Relocate deprecated SEED algorithm * Bug 1637083 - lib/ckfw: No such file or directory. Stop. * Bug 1561331 - Additional modular inverse test * Bug 1629553 - Rework and cleanup gmake builds * Bug 1438431 - Remove mkdepend and "depend" make target * Bug 290526 - Support parallel building of NSS when using the Makefiles * Bug 1636206 - HACL* update after changes in libintvector.h * Bug 1636058 - Fix building NSS on Debian s390x, mips64el, and riscv64 * Bug 1622033 - Add option to build without SEED
Revbump for icu
nss: Update to 3.52 Changelog: Notable Changes in NSS 3.52 Bug 1603628 - Update NSS to support PKCS #11 v3.0. Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly. Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*. Bugs fixed in NSS 3.52 Bug 1633498 - Fix unused variable 'getauxval' error on iOS compilation. Bug 1630721 - Add Softoken functions for FIPS. Bug 1630458 - Fix problem of GYP MSVC builds not producing debug symbol files. Bug 1629663 - Add IKEv1 Quick Mode KDF. Bug 1629661 - MPConfig calls in SSL initialize policy before NSS is initialized. Bug 1629655 - Support temporary session objects in ckfw. Bug 1629105 - Add PKCS11 v3.0 functions to module debug logger. Bug 1626751 - Fix error in generation of fuzz32 docker image after updates. Bug 1625133 - Fix implicit declaration of function 'getopt' error. Bug 1624864 - Allow building of gcm-arm32-neon on non-armv7 architectures. Bug 1624402 - Fix compilation error in Firefox Android. Bug 1624130 - Require CK_FUNCTION_LIST structs to be packed. Bug 1624377 - Fix clang warning for unknown argument '-msse4'. Bug 1623374 - Support new PKCS #11 v3.0 Message Interface for AES-GCM and ChaChaPoly. Bug 1623184 - Fix freebl_cpuid for querying Extended Features. Bug 1622555 - Fix argument parsing in lowhashtest. Bug 1620799 - Introduce NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support. Bug 1619102 - Add workaround option to include both DTLS and TLS versions in DTLS supported_versions. Bug 1619056 - Update README: TLS 1.3 is not experimental anymore. Bug 1618915 - Fix UBSAN issue in ssl_ParseSessionTicket. Bug 1618739 - Don't assert fuzzer behavior in SSL_ParseSessionTicket. Bug 1617968 - Update Delegated Credentials implementation to draft-07. Bug 1617533 - Update HACL* dependencies for libintvector.h Bug 1613238 - Add vector accelerated SHA2 for POWER 8+. Bug 1612493 - Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*. Bug 1612281 - Maintain PKCS11 C_GetAttributeValue semantics on attributes that lack NSS database columns. Bug 1612260 - Add Wycheproof RSA test vectors. Bug 1608250 - broken fipstest handling of KI_len. Bug 1608245 - Consistently handle NULL slot/session. Bug 1603801 - Avoid dcache pollution from sdb_measureAccess(). Bug 1603628 - Update NSS to support PKCS #11 v3.0. Bug 1561637 - TLS 1.3 does not work in FIPS mode. Bug 1531906 - Fix overzealous assertion when evicting a cached sessionID or using external cache. Bug 1465613 - Fix issue where testlib makefile build produced extraneous object files. Bug 1619959 - Properly handle multi-block SEED ECB inputs. Bug 1630925 - Guard all instances of NSSCMSSignedData.signerInfo to avoid a CMS crash Bug 1571677 - Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name Compatibility NSS 3.52 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.52 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Recursive revision bump after textproc/icu update
nss: Add -lrt for sem_wait(3) on NetBSD * Fix build under NetBSD/amd64-current with binutils 2.34.
nss: Update to 3.51 Changelog: Notable Changes in NSS 3.51 * Updated DTLS 1.3 implementation to Draft-34. See Bug 1608892 for details. Bugs fixed in NSS 3.51 * Bug 1608892 - Update DTLS 1.3 implementation to draft-34. * Bug 1611209 - Correct swapped PKCS11 values of CKM_AES_CMAC and CKM_AES_CMAC_GENERAL * Bug 1612259 - Complete integration of Wycheproof ECDH test cases * Bug 1614183 - Check if PPC __has_include(<sys/auxv.h>) * Bug 1614786 - Fix a compilation error for ‘getFIPSEnv’ "defined but not used" * Bug 1615208 - Send DTLS version numbers in DTLS 1.3 supported_versions extension to avoid an incompatibility. * Bug 1538980 - SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed to be null-terminated * Bug 1561337 - Correct a warning for comparison of integers of different signs: 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 * Bug 1609751 - Add test for mp_int clamping * Bug 1582169 - Don't attempt to read the fips_enabled flag on the machine unless NSS was built with FIPS enabled * Bug 1431940 - Fix a null pointer dereference in BLAKE2B_Update * Bug 1617387 - Fix compiler warning in secsign.c * Bug 1618400 - Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval' * Bug 1610687 - Fix a crash on unaligned CMACContext.aes.keySchedule when using AES-NI intrinsics
nss: Update to 3.50 Changelog: Notable Changes in NSS 3.50 * Verified primitives from HACL* were updated, bringing performance improvements for several platforms. Note that Intel processors with SSE4 but without AVX are currently unable to use the improved ChaCha20/Poly1305 due to a build issue; such platforms will fall-back to less optimized algorithms. See Bug 1609569 for details. * Updated DTLS 1.3 implementation to Draft-30. See Bug 1599514 for details. * Added NIST SP800-108 KBKDF - PKCS#11 implementation. See Bug 1599603 for details. Bugs fixed in NSS 3.50 * Bug 1599514 - Update DTLS 1.3 implementation to Draft-30 * Bug 1603438 - Fix native tools build failure due to lack of zlib include dir if external * Bug 1599603 - NIST SP800-108 KBKDF - PKCS#11 implementation * Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also relevant for older NSS databases (also included in NSS 3.49.2) * Bug 1608895 - Gyp builds on taskcluster broken by Setuptools v45.0.0 (for lacking Python3) * Bug 1574643 - Upgrade HACL* verified implementations of ChaCha20, Poly1305, and 64-bit Curve25519 * Bug 1608327 - Two problems with NEON-specific code in freebl * Bug 1575843 - Detect AArch64 CPU features on FreeBSD * Bug 1607099 - Remove the buildbot configuration * Bug 1585429 - Add more HKDF test vectors * Bug 1573911 - Add more RSA test vectors * Bug 1605314 - Compare all 8 bytes of an mp_digit when clamping in Windows assembly/mp_comba * Bug 1604596 - Update Wycheproof vectors and add support for CBC, P256-ECDH, and CMAC tests * Bug 1608493 - Use AES-NI for non-GCM AES ciphers on platforms with no assembly-optimized implementation, such as macOS. * Bug 1547639 - Update zlib in NSS to 1.2.11 * Bug 1609181 - Detect ARM (32-bit) CPU features on FreeBSD * Bug 1602386 - Fix build on FreeBSD/powerpc* * Bug 1608151 - Introduce NSS_DISABLE_ALTIVEC * Bug 1612623 - Depend on NSPR 4.25 * Bug 1609673 - Fix a crash when NSS is compiled without libnssdbm support, but the nssdbm shared object is available anyway.
nss: Update to 4.49.2 Changelog: No new functionality is introduced in this release. This release fixes several issues: - Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up repeated SDR operations when using profiles using that hash. This is covering additional cases not covered by NSS 3.49.1, important with the increased KDF iteration counts. - Bug 1608327 - Fix compilation problems with NEON-specific code in freebl - Bug 1608895 - Fix a taskcluster issue with Python 2 / Python 3 NSS 3.49.2 requires NSPR 4.24 or newer.
Pullup ticket #6117 - requested by nia devel/nss: dependent update (for Firefox) Revisions pulled up: - devel/nss/Makefile 1.175-1.177 - devel/nss/distinfo 1.103-1.105 - devel/nss/patches/patch-me 1.6 - devel/nss/patches/patch-nss_coreconf_command.mk 1.4 --- Module Name: pkgsrc Committed By: ryoon Date: Sat Dec 28 23:04:05 UTC 2019 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-nss_coreconf_command.mk Log Message: Update to 3.48 Changelog: Notable Changes in NSS 3.48 * TLS 1.3 is the default maximum TLS version. See Bug 1573118 for details. * TLS extended master secret is enabled by default, where possible. See Bug 1575411 for details. * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details. Certificate Authority Changes The following CA certificates were Added: * Bug 1591178 - Entrust Root Certification Authority - G4 Cert SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88 Bugs fixed in NSS 3.48 * Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745) -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1. * Bug 1600775 - Require NSPR 4.24 for NSS 3.48 * Bug 1593401 - Fix race condition in self-encrypt functions * Bug 1599545 - Fix assertion and add test for early Key Update * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11 * Bug 1522203 - Remove an old Pentium Pro performance workaround * Bug 1592557 - Fix PRNG known-answer-test scripts * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256) * Bug 1592869 - Use ARM NEON for ctr_xor * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN * Bug 1566126 - POWER GHASH Vector Acceleration * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI * Bug 1591315 - Update NSC_Decrypt length in constant time * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage * Bug 1590972 - Use -std=c99 rather than -std=gnu99 * Bug 1590676 - Fix build if ARM doesn't support NEON * Bug 1575411 - Enable TLS extended master secret by default * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c * Bug 1588244 - NSS changes for Delegated Credential key strength checks * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47 * Bug 1590339 - Fix a memory leak in btoa.c * Bug 1589810 - fix uninitialized variable warnings from certdata.perl * Bug 1573118 - Enable TLS 1.3 by default in NSS --- Module Name: pkgsrc Committed By: ryoon Date: Fri Jan 10 03:43:20 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-me Log Message: nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM perfomance on aarch32 --- Module Name: pkgsrc Committed By: ryoon Date: Tue Jan 14 12:58:08 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: Update to 3.49.1 * Bump nspr requirement Changelog: No new functionality is introduced in these releases. These releases fix a performance issue: - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts.
nss: Update to 3.49.1 * Bump nspr requirement Changelog: No new functionality is introduced in these releases. These releases fix a performance issue: - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts.
nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM perfomance on aarch32
Update to 3.48 Changelog: Notable Changes in NSS 3.48 * TLS 1.3 is the default maximum TLS version. See Bug 1573118 for details. * TLS extended master secret is enabled by default, where possible. See Bug 1575411 for details. * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details. Certificate Authority Changes The following CA certificates were Added: * Bug 1591178 - Entrust Root Certification Authority - G4 Cert SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88 Bugs fixed in NSS 3.48 * Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745) -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1. * Bug 1600775 - Require NSPR 4.24 for NSS 3.48 * Bug 1593401 - Fix race condition in self-encrypt functions * Bug 1599545 - Fix assertion and add test for early Key Update * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11 * Bug 1522203 - Remove an old Pentium Pro performance workaround * Bug 1592557 - Fix PRNG known-answer-test scripts * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256) * Bug 1592869 - Use ARM NEON for ctr_xor * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN * Bug 1566126 - POWER GHASH Vector Acceleration * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI * Bug 1591315 - Update NSC_Decrypt length in constant time * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage * Bug 1590972 - Use -std=c99 rather than -std=gnu99 * Bug 1590676 - Fix build if ARM doesn't support NEON * Bug 1575411 - Enable TLS extended master secret by default * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c * Bug 1588244 - NSS changes for Delegated Credential key strength checks * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47 * Bug 1590339 - Fix a memory leak in btoa.c * Bug 1589810 - fix uninitialized variable warnings from certdata.perl * Bug 1573118 - Enable TLS 1.3 by default in NSS
Update to 3.47.1 Changelog: NSS 3.47.1 includes: * CVE-2019-11745 - EncryptUpdate should use maxout, not block size * Bug 1590495 - Fix a crash that could be caused by client certificates during startup * Bug 1589810 - Fix compile-time warnings from uninitialized variables in a perl script NSS 3.47.1 requires NSPR 4.23 or newer. The HG tag is NSS_3_47_1_RTM.
Update to 3.46.1 Changelog: * 1582343 - Soft token MAC verification not constant time * 1577953 - Remove arbitrary HKDF output limit by allocating space as needed
Update to 3.46 Changelog: Notable Changes: * The following CA certificates were Removed: - 1574670 - Remove expired Class 2 Primary root certificate - 1574670 - Remove expired UTN-USERFirst-Client root certificat - 1574670 - Remove expired Deutsche Telekom Root CA 2 root certificate - 1566569 - Remove Swisscom Root CA 2 root certificate * Significant improvements to AES-GCM performance on ARM Bugs fixed in NSS 3.46: * 1572164 - Don't unnecessarily free session in NSC_WrapKey * 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv cmds * 1550636 - Upgrade SQLite in NSS to a 2019 version * 1572593 - Reset advertised extensions in ssl_ConstructExtensions * 1415118 - NSS build with ./build.sh --enable-libpkix fails * 1539788 - Add length checks for cryptographic primitives * 1542077 - mp_set_ulong and mp_set_int should return errors on bad values * 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from SSLExp_DelegateCredential * 1560593 - Cleanup.sh script does not set error exit code for tests that "Failed with core" * 1566601 - Add Wycheproof test vectors for AES-KW * 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert' when building NSS 3.45 on armhf-linux * 1516593 - Client to generate new random during renegotiation * 1563258 - fips.sh fails due to non-existent "resp" directories * 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c * 1560806 - Increase softoken password max size to 500 characters * 1568776 - Output paths relative to repository in NSS coverity * 1453408 - modutil -changepw fails in FIPS mode if password is an empty string * 1564727 - Use a PSS SPKI when possible for delegated credentials * 1493916 - fix ppc64 inline assembler for clang * 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c * 1561548 - Remove -Wmaybe-uninitialized warning in pkix_pl_ldapdefaultclient.c * 1512605 - Incorrect alert description after unencrypted Finished msg * 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0 * 1532194 - Remove or fix -DDEBUG_$USER from make builds * 1565577 - Visual Studio's cl.exe -? hangs on Windows x64 when building nss since changeset 9162c654d06915f0f15948fbf67d4103a229226f * 1564875 - Improve rebuilding with build.sh * 1565243 - Support TC_OWNER without email address in nss taskgraph * 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests * 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c * 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c * 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c * 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c * 1561332 - ec.c:28 warning: comparison of integers of different signs: 'int' and 'unsigned long' * 1564714 - Print certutil commands during setup * 1565013 - HACL image builder times out while fetching gpg key * 1563786 - Update hacl-star docker image to pull specific commit * 1559012 - Improve GCM perfomance using PMULL2 * 1528666 - Correct resumption validation checks * 1568803 - More tests for client certificate authentication * 1564284 - Support profile mobility across Windows and Linux * 1573942 - Gtest for pkcs11.txt with different breaking line formats * 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6 * 1549847 - Fix NSS builds on iOS * 1485533 - Enable NSS_SSL_TESTS on taskcluster
Bump PKGREVISIONs for perl 5.30.0
Update HOMEPAGE
Update to 3.45 Changelog: New Functions in pk11pub.h: PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable Changes in NSS 3.45 Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts) This adds a new experimental function: SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360. Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078. Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto Bug 1551129 - Support static linking on Windows Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot Bug 1546229 - Add IPSEC IKE support to softoken Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23) Bug 1543874 - Expose an external clock for SSL This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. Bug 1546477 - Various changes in response to the ongoing FIPS review Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. Certificate Authority Changes The following CA certificates were Removed: Bug 1552374 - CN = Certinomis - Root CA SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158 Bugs fixed in NSS 3.45 Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) Bug 1515342 - More thorough input checking (CVE-2019-11729) Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis) Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis) Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim Bug 1550022 - Ensure nssutil3 gets built on Android Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS Bug 1553443 - Send session ticket only after handshake is marked as finished Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds Bug 1554336 - Optimize away unneeded loop in mpi.c Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
Update to 3.44.1 Changelog: 3.44.1: * 1554336 - Optimize away unneeded loop in mpi.c * 1515342 - More thorough input checking * 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import * 1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh * 1546229 - Add IPSEC IKE support to softoken * 1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys * 1546477 - Updates to testing for FIPS validation * 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 * 1551041 - Unbreak build on GCC < 4.3 big-endian
all: replace SUBST_SED with the simpler SUBST_VARS pkglint -Wall -r --only "substitution command" -F With manual review and indentation fixes since pkglint doesn't get that part correct in every case.
Update to 3.44 Changelog: New Functions: in lib/certdb/cert.h CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate. Notable Changes in NSS 3.44: * It is now possible to build NSS as a static library (Bug 1543545) * Initial support for building for iOS. Bugs fixed in NSS 3.44: * 1501542 - Implement CheckARMSupport for Android * 1531244 - Use __builtin_bswap64 in crypto_primitives.h * 1533216 - CERT_DecodeCertPackage() crash with Netscape Certificate Sequences * 1533616 - sdb_GetAttributeValueNoLock should make at most one sql query, rather than one for each attribute * 1531236 - Provide accessor for CERTCertificate.derCert * 1536734 - lib/freebl/crypto_primitives.c assumes a big endian machine * 1532384 - In NSS test certificates, use @example.com (not @bogus.com) * 1538479 - Post-Handshake messages after async server authentication break when using record layer separation * 1521578 - x25519 support in pk11pars.c * 1540205 - freebl build fails with -DNSS_DISABLE_CHACHAPOLY * 1532312 - post-handshake auth doesn't interoperate with OpenSSL * 1542741 - certutil -F crashes with segmentation fault * 1546925 - Allow preceding text in try comment * 1534468 - Expose ChaCha20 primitive * 1418944 - Quote CC/CXX variables passed to nspr * 1543545 - Allow to build NSS as a static library * 1487597 - Early data that arrives before the handshake completes can be read afterwards * 1548398 - freebl_gtest not building on Linux/Mac * 1548722 - Fix some Coverity warnings * 1540652 - softoken/sdb.c: Logically dead code * 1549413 - Android log lib is not included in build * 1537927 - IPsec usage is too restrictive for existing deployments * 1549608 - Signature fails with dbm disabled * 1549848 - Allow building NSS for iOS using gyp * 1549847 - NSS's SQLite compilation warnings make the build fail on iOS * 1550041 - freebl not building on iOS simulator * 1542950 - MacOS cipher test timeouts
Do not conflict with MD5_Update from OpenSSL Like SHA1_Update, define another name, NSS_MD5_Update and use via CPP macto. This change fixes PDF export of misc/libreoffice. And make pkglint happier.
Recursive revbump from textproc/icu
Update to 3.43 Changelog: New Functionality: * in sechash.h HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag * in sslexp.h SSL_SendCertificateRequest - allow server to request post-handshake client authentication. To use this both peers need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism is present, post-handshake authentication is currently not TLS 1.3 compliant due to Bug 1532312 Notable changes: * The following CA certificates were Added: - CN = emSign Root CA - G1 SHA-256 Fingerprint: 40F6AF0346A99AA1CD1D555A4E9CCE62C7F9634603EE406615833DC8C8D00367 - CN = emSign ECC Root CA - G3 SHA-256 Fingerprint: 86A1ECBA089C4A8D3BBE2734C612BA341D813E043CF9E8A862CD5C57A36BBE6B - CN = emSign Root CA - C1 SHA-256 Fingerprint: 125609AA301DA0A249B97A8239CB6A34216F44DCAC9F3954B14292F2E8C8608F - CN = emSign ECC Root CA - C3 SHA-256 Fingerprint: BC4D809B15189D78DB3E1D8CF4F9726A795DA1643CA5F1358E1DDB0EDC0D7EB3 - CN = Hongkong Post Root CA 3 SHA-256 Fingerprint: 5A2FC03F0C83B090BBFA40604B0988446C7636183DF9846E17101A447FB8EFD6 Bugs fixed in NSS 3.43 * Bug 1528669 and Bug 1529308 - Improve Gyp build system handling * Bug 1529950 and Bug 1521174 - Improve NSS S/MIME tests for Thunderbird * Bug 1530134 - If Docker isn't installed, try running a local clang-format as a fallback * Bug 1531267 - Enable FIPS mode automatically if the system FIPS mode flag is set * Bug 1528262 - Add a -J option to the strsclnt command to specify sigschemes * Bug 1513909 - Add manual for nss-policy-check * Bug 1531074 - Fix a deref after a null check in SECKEY_SetPublicValue * Bug 1517714 - Properly handle ESNI with HRR * Bug 1529813 - Expose HKDF-Expand-Label with mechanism * Bug 1535122 - Align TLS 1.3 HKDF trace levels * Bug 1530102 - Use getentropy on compatible versions of FreeBSD
Update to 3.42 Changelog: New Functionality: * Bug 818686 - Support XDG basedir specification Notable changes: * Added support for some of the testcases from the Wycheproof project: - Bug 1508666 - Added AES-GCM test cases - Bug 1508673 - Added ChaCha20-Poly1305 test cases - Bug 1514999 - Added the Curve25519 test cases - Thanks to Jonas Allmann for adapting these tests. Bugs fixed in NSS 3.42: * Bug 1490006 - Reject invalid CH.legacy_version in TLS 1.3 * Bug 1507135 and Bug 1507174 - Add additional null checks to several CMS functions to fix a rare CMS crash. Thanks to Hanno Böck and Damian Poddebniak for the discovery and fixes. * Bug 1513913 - A fix for Solaris where Firefox 60 core dumps during start when using profile from version 52
Update to 3.41 New functionality: * Bug 1252891 - Implemented EKU handling for IPsec IKE. * Bug 1423043 - Enable half-closed states for TLS. * Bug 1493215 - Enabled the following ciphersuites by default: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 Notable changes: * The following CA certificates were added: CN = Certigna Root CA CN = GTS Root R1 CN = GTS Root R2 CN = GTS Root R3 CN = GTS Root R4 CN = UCA Global G2 Root CN = UCA Extended Validation Root * The following CA certificates were removed: CN = AC Raíz Certicámara S.A. CN = Certplus Root CA G1 CN = Certplus Root CA G2 CN = OpenTrust Root CA G1 CN = OpenTrust Root CA G2 CN = OpenTrust Root CA G3 Bugs fixed in NSS 3.41: * Bug 1412829, Reject empty supported_signature_algorithms in Certificate Request in TLS 1.2 * Bug 1485864 - Cache side-channel variant of the Bleichenbacher attack (CVE-2018-12404) * Bug 1481271 - Resend the same ticket in ClientHello after HelloRetryRequest * Bug 1493769 - Set session_id for external resumption tokens * Bug 1507179 - Reject CCS after handshake is complete in TLS 1.3
revbump after updating textproc/icu
*: Add CTF_SUPPORTED/CTF_FILES_SKIP where necessary.
Update to 3.40 Changelog: Notable bug fixes: * Bug 1478698 - FFDHE key exchange sometimes fails with decryption failure New functionality: * The draft-00 version of encrypted SNI support is implemented * tstclnt now takes -N option to specify encrypted SNI key Notable changes: * The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds. * It is easier to build NSS on Windows in mozilla-build environments. * The following CA certificates were Removed: CN = Visa eCommerce Root
Update to 3.39 Changelog: Notable bug fixes: * Bug 1483128 - NSS responded to an SSLv2-compatible ClientHello with a ServerHello that had an all-zero random (CVE-2018-12384) New functionality: * The tstclnt and selfserv utilities added support for configuring the enabled TLS signature schemes using the -J parameter. * NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by default but can be enabled using SSL_SignatureSchemePrefSet(). * certutil added the ability to delete an orphan private key from an NSS key database. * Added the nss-policy-check utility, which can be used to check an NSS policy configuration for problems. * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. Notable changes: * The TLS 1.3 implementation uses the final version number from RFC 8446. * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature where the DigestInfo structure was missing the NULL parameter. Starting with version 3.39, NSS requires the encoding to contain the NULL parameter. * The tstclnt and selfserv test utilities no longer accept the -z parameter, as support for TLS compression was removed in a previous NSS version. * The CA certificates list was updated to version 2.26. * The following CA certificates were Added: - OU = GlobalSign Root CA - R6 - CN = OISTE WISeKey Global Root GC CA The following CA certificate was Removed: - CN = ComSign The following CA certificates had the Websites trust bit disabled: - CN = Certplus Root CA G1 - CN = Certplus Root CA G2 - CN = OpenTrust Root CA G1 - CN = OpenTrust Root CA G2 - CN = OpenTrust Root CA G3
Recursive bump for perl5-5.28.0
Recursive revbump from textproc/icu-62.1
*: Move SUBST_STAGE from post-patch to pre-configure Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed.
Update to 3.37.3 Changelog: No new functionality is introduced in these releases. The following compatibility fixes are included. Users are encouraged to upgrade. * Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error. * Bug 1460673 - Fix a rare bug with PKCS#12 files.
Update to 3.37.1 Changelog: No new functionality is introduced in these releases. The following compatibility fixes are included. Users are encouraged to upgrade. * Bug 1462303 - Connecting to a server that was recently upgraded to TLS 1.3 would result in a SSL_RX_MALFORMED_SERVER_HELLO error. * Bug 1460673 - Fix a rare bug with PKCS#12 files.
Update to 3.37 Changelog: * The TLS 1.3 implementation was updated to Draft 28. * An issue where NSS erroneously accepted HRR requests was resolved. * Added HACL* Poly1305 32-bit * The code to support the NPN protocol has been fully removed. * NSS allows servers now to register ALPN handling callbacks to select a protocol. * NSS supports opening SQL databases in read-only mode. * On Linux, some build configurations can use glibc's function getentropy(), which uses the kernel's getrandom() function. * The CA list was updated to version 2.24, which removed the following CA certificates: - CN = S-TRUST Universal Root CA - CN = TC TrustCenter Class 3 CA II - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
revbump after icu update
Pullup ticket #5735 - requested by maya devel/nss: bugfix Revisions pulled up: - devel/nss/Makefile 1.149 - devel/nss/distinfo 1.84 --- Module Name: pkgsrc Committed By: maya Date: Tue Apr 10 15:21:30 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: update to 3.36.1 No new functionality is introduced in this release. This is a patch release to fix regression bugs. In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit. Certain smartcard operations could result in a deadlock This Bugzilla query returns all the bugs fixed in NSS 3.36.1: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
nss: update to 3.36.1 No new functionality is introduced in this release. This is a patch release to fix regression bugs. In NSS version 3.35 the iteration count in optimized builds, which is used for password based encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million iterations. That change had caused an interoperability regression with operating systems that are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit. Certain smartcard operations could result in a deadlock This Bugzilla query returns all the bugs fixed in NSS 3.36.1: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.36.1
Pullup ticket #5728 - requested by maya devel/nspr: dependency update devel/nss: dependency update www/firefox-l10n: dependent update www/firefox: security update Revisions pulled up: - devel/nspr/Makefile 1.94-1.95 - devel/nspr/distinfo 1.48-1.49 - devel/nspr/patches/patch-az deleted - devel/nspr/patches/patch-nspr_pr_include_md___pth.h 1.1 - devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c 1.1 - devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h deleted - devel/nss/Makefile 1.146,1.148 - devel/nss/PLIST 1.24 - devel/nss/distinfo 1.81,1.83 - devel/nss/patches/patch-nss_lib_freebl_config.mk deleted - devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h deleted - www/firefox-l10n/Makefile 1.121-1.123 - www/firefox-l10n/distinfo 1.111-1.113 - www/firefox/Makefile 1.320-1.321,1.324 - www/firefox/PLIST 1.127 - www/firefox/distinfo 1.307-1.309 - www/firefox/mozilla-common.mk 1.105-1.106 - www/firefox/patches/patch-aa 1.56 - www/firefox/patches/patch-build_gyp.mozbuild 1.8 - www/firefox/patches/patch-build_moz.configure_keyfiles.configure 1.5 - www/firefox/patches/patch-build_moz.configure_memory.configure deleted - www/firefox/patches/patch-config_baseconfig.mk deleted - www/firefox/patches/patch-config_external_moz.build 1.17 - www/firefox/patches/patch-dom_media_moz.build 1.9 - www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.8 - www/firefox/patches/patch-gfx_skia_moz.build 1.15 - www/firefox/patches/patch-gfx_thebes_moz.build 1.9 - www/firefox/patches/patch-media_libcubeb_gtest_moz.build 1.2 - www/firefox/patches/patch-media_libtheora_moz.build 1.8 - www/firefox/patches/patch-media_libvorbis_moz.build 1.4 - www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc 1.1 - www/firefox/patches/patch-modules_libpref_init_all.js 1.7 - www/firefox/patches/patch-modules_pdfium_update.sh 1.2 - www/firefox/patches/patch-netwerk_dns_moz.build 1.8 - www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c deleted - www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c deleted - www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs deleted - www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json 1.1 - www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs 1.1 - www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h deleted - www/firefox/patches/patch-toolkit_moz.configure 1.10 - www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp deleted - www/firefox/patches/patch-xpcom_build_BinaryPath.h 1.3-1.4 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:21:43 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Added Files: pkgsrc/devel/nspr/patches: patch-nspr_pr_include_md___pth.h patch-nspr_pr_src_pthreads_ptthread.c Removed Files: pkgsrc/devel/nspr/patches: patch-az patch-nsprpub_pr_include_md__pth.h Log Message: Update to 4.18 Changelog: NSPR 4.18 contains the following changes: - removed HP-UX DCE threads support - improvements for the Windows implementation of PR_SetCurrentThreadName - fixes for the Windows implementation of TCP Fast Open To generate a diff of this commit: cvs rdiff -u -r1.93 -r1.94 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.47 -r1.48 pkgsrc/devel/nspr/distinfo cvs rdiff -u -r1.4 -r0 pkgsrc/devel/nspr/patches/patch-az cvs rdiff -u -r0 -r1.1 \ pkgsrc/devel/nspr/patches/patch-nspr_pr_include_md___pth.h \ pkgsrc/devel/nspr/patches/patch-nspr_pr_src_pthreads_ptthread.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/devel/nspr/patches/patch-nsprpub_pr_include_md__pth.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:06:18 UTC 2018 Modified Files: pkgsrc/devel/nspr: Makefile distinfo Log Message: Update to 4.29 Changelog: NSPR 4.19 contains the following changes: - changed order of shutdown cleanup to avoid a crash on Mac OSX - build compatibility with Android NDK r16 and glibc 2.26 To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.48 -r1.49 pkgsrc/devel/nspr/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 24 16:23:52 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile distinfo Removed Files: pkgsrc/devel/nss/patches: patch-nss_lib_freebl_config.mk patch-nss_lib_freebl_verified_kremlib.h Log Message: Update to 3.35 Changelog: The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to draft -23, along with additional significant changes. - Support for TLS compression was removed. - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit. - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a higher iteration count for stronger security. - The CA trust list was updated to version 2.22. To generate a diff of this commit: cvs rdiff -u -r1.145 -r1.146 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.80 -r1.81 pkgsrc/devel/nss/distinfo cvs rdiff -u -r1.2 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_config.mk cvs rdiff -u -r1.1 -r0 \ pkgsrc/devel/nss/patches/patch-nss_lib_freebl_verified_kremlib.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:07:15 UTC 2018 Modified Files: pkgsrc/devel/nss: Makefile PLIST distinfo Log Message: Update to 3.36 * Require devel/nspr-4.19 Changelog: The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling. To generate a diff of this commit: cvs rdiff -u -r1.147 -r1.148 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/nss/PLIST cvs rdiff -u -r1.82 -r1.83 pkgsrc/devel/nss/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:02:18 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo Added Files: pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.1 * Fix build under netbsd-7, PR pkg/52956 Changelog: Fix Mozilla Foundation Security Advisory 2018-05: Arbitrary code execution through unsanitized browser UI When using certain non-default security policies on Windows (for example with Windows Defender Exploit Protection or Webroot security products), Firefox 58.0 would fail to load pages (bug 1433065). To generate a diff of this commit: cvs rdiff -u -r1.319 -r1.320 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.306 -r1.307 pkgsrc/www/firefox/distinfo cvs rdiff -u -r0 -r1.3 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:02:47 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-xpcom_build_BinaryPath.h Log Message: Update to 58.0.2 * Fix segfault on netbsd-7 Changelog: Fix Avoid a signature validation issue during update on macOS Blocklisted graphics drivers related to off main thread painting crashes Tab crash during printing Fix clicking links and scrolling emails on Microsoft Hotmail and Outlook (OWA) webmail To generate a diff of this commit: cvs rdiff -u -r1.320 -r1.321 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.307 -r1.308 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.104 -r1.105 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-xpcom_build_BinaryPath.h ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 00:59:03 UTC 2018 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-aa patch-build_gyp.mozbuild patch-config_external_moz.build patch-dom_media_moz.build patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build patch-gfx_thebes_moz.build patch-media_libcubeb_gtest_moz.build patch-media_libtheora_moz.build patch-media_libvorbis_moz.build patch-modules_pdfium_update.sh patch-netwerk_dns_moz.build patch-toolkit_moz.configure Added Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_keyfiles.configure patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc patch-modules_libpref_init_all.js patch-third__party_rust_simd_.cargo-checksum.json patch-third__party_rust_simd_src_x86_avx2.rs Removed Files: pkgsrc/www/firefox/patches: patch-build_moz.configure_memory.configure patch-config_baseconfig.mk patch-netwerk_srtp_src_crypto_hash_hmac.c patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c patch-servo_components_style_properties_helpers_animated__properties.mako.rs patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h patch-toolkit_xre_nsEmbedFunctions.cpp Log Message: Update to 59.0.1 Changelog: 59.0.1 Security fix #CVE-2018-5146: Out of bounds memory write in libvorbis 59.0 New Performance enhancements: - Faster load times for content on the Firefox Home page - Faster page load times by loading either from the networked cache or the cache on the user's hard drive (Race Cache With Network) - Improved graphics rendering using Off-Main-Thread Painting (OMTP) for Mac users (OMTP for Windows was released in Firefox 58) Drag-and-drop to rearrange Top Sites on the Firefox Home page, and customize new windows and tabs in other ways Added features for Firefox Screenshots: - Basic annotation lets the user draw on and highlight saved screenshots - Recropping to change the viewable area of saved screenshots Enhanced WebExtensions API including better support for decentralized protocols and the ability to dynamically register content scripts Improved Real-Time Communications (RTC) capabilities. - Implemented RTP Transceiver to give pages more fine grained control over calls - Implemented features to support large scale conferences Added support for W3C specs for pointer events and improved platform integration with added device support for mouse, pen, and touch screen pointer input Added the Ecosia search engine as an option for German Firefox Added the Qwant search engine as an option for French Firefox Added settings in about:preferences to stop websites from asking to send notifications or access your device's camera, microphone, and location, while still allowing trusted websites to use these features Fixed Various security fixes Changed Firefox Private Browsing Mode will remove path information from referrers to prevent cross-site tracking Security fixes: #CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList #CVE-2018-5128: Use-after-free manipulating editor selection ranges #CVE-2018-5129: Out-of-bounds write with malformed IPC messages #CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption #CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources #CVE-2018-5132: WebExtension Find API can search privileged pages #CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized #CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions #CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts #CVE-2018-5136: Same-origin policy violation with data: URL shared workers #CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources #CVE-2018-5138: Android Custom Tab address spoofing through long domain names #CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol #CVE-2018-5141: DOS attack through notifications Push API #CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs #CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar #CVE-2018-5126: Memory safety bugs fixed in Firefox 59 #CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7 To generate a diff of this commit: cvs rdiff -u -r1.323 -r1.324 pkgsrc/www/firefox/Makefile cvs rdiff -u -r1.126 -r1.127 pkgsrc/www/firefox/PLIST cvs rdiff -u -r1.308 -r1.309 pkgsrc/www/firefox/distinfo cvs rdiff -u -r1.105 -r1.106 pkgsrc/www/firefox/mozilla-common.mk cvs rdiff -u -r1.55 -r1.56 pkgsrc/www/firefox/patches/patch-aa cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/firefox/patches/patch-build_gyp.mozbuild \ pkgsrc/www/firefox/patches/patch-gfx_skia_generate__mozbuild.py \ pkgsrc/www/firefox/patches/patch-media_libtheora_moz.build \ pkgsrc/www/firefox/patches/patch-netwerk_dns_moz.build cvs rdiff -u -r0 -r1.5 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_keyfiles.configure cvs rdiff -u -r1.2 -r0 \ pkgsrc/www/firefox/patches/patch-build_moz.configure_memory.configure \ pkgsrc/www/firefox/patches/patch-toolkit_crashreporter_google-breakpad_src_third_party_curl_curlbuild.h cvs rdiff -u -r1.10 -r0 pkgsrc/www/firefox/patches/patch-config_baseconfig.mk cvs rdiff -u -r1.16 -r1.17 \ pkgsrc/www/firefox/patches/patch-config_external_moz.build cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/firefox/patches/patch-dom_media_moz.build \ pkgsrc/www/firefox/patches/patch-gfx_thebes_moz.build cvs rdiff -u -r1.14 -r1.15 \ pkgsrc/www/firefox/patches/patch-gfx_skia_moz.build cvs rdiff -u -r1.1 -r1.2 \ pkgsrc/www/firefox/patches/patch-media_libcubeb_gtest_moz.build \ pkgsrc/www/firefox/patches/patch-modules_pdfium_update.sh cvs rdiff -u -r1.3 -r1.4 \ pkgsrc/www/firefox/patches/patch-media_libvorbis_moz.build cvs rdiff -u -r0 -r1.1 \ pkgsrc/www/firefox/patches/patch-media_webrtc_trunk_webrtc_modules_audio__device_linux_audio__device__alsa__linux.cc \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_.cargo-checksum.json \ pkgsrc/www/firefox/patches/patch-third__party_rust_simd_src_x86_avx2.rs cvs rdiff -u -r0 -r1.7 \ pkgsrc/www/firefox/patches/patch-modules_libpref_init_all.js cvs rdiff -u -r1.4 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_hash_hmac.c cvs rdiff -u -r1.3 -r0 \ pkgsrc/www/firefox/patches/patch-netwerk_srtp_src_crypto_kernel_crypto__kernel.c cvs rdiff -u -r1.1 -r0 \ pkgsrc/www/firefox/patches/patch-servo_components_style_properties_helpers_animated__properties.mako.rs cvs rdiff -u -r1.9 -r1.10 \ pkgsrc/www/firefox/patches/patch-toolkit_moz.configure cvs rdiff -u -r1.7 -r0 \ pkgsrc/www/firefox/patches/patch-toolkit_xre_nsEmbedFunctions.cpp ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 31 14:03:25 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.1 * Sync with www/firefox-58.0.1 To generate a diff of this commit: cvs rdiff -u -r1.120 -r1.121 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.110 -r1.111 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 10 07:05:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 58.0.2 * Sync with www/firefox-58.0.2 To generate a diff of this commit: cvs rdiff -u -r1.121 -r1.122 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.111 -r1.112 pkgsrc/www/firefox-l10n/distinfo ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Mar 17 01:00:20 UTC 2018 Modified Files: pkgsrc/www/firefox-l10n: Makefile distinfo Log Message: Update to 59.0.1 * Sync with www/firefox-59.0.1 To generate a diff of this commit: cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/Makefile cvs rdiff -u -r1.112 -r1.113 pkgsrc/www/firefox-l10n/distinfo
Update to 3.36 * Require devel/nspr-4.19 Changelog: The NSS team has released Network Security Services (NSS) 3.36, which is a minor release. Summary of the major changes included in this release: - Replaced existing vectorized ChaCha20 code with verified HACL* implementation. - Experimental APIs for TLS session cache handling.
Change default file type back to DBM from SQL. Bump PKGREVISION This back out fixes XML-based files open of misc/libreoffice. The problem is reported by Mustafa Dogan via private e-mail.
Update to 3.35 Changelog: The NSS team has released Network Security Services (NSS) 3.35, which is a minor release. Summary of the major changes included in this release: - The default database storage format has been changed to SQL, using filenames cert9.db, key4.db, pkcs11.txt. - TLS 1.3 support has been updated to draft -23, along with additional significant changes. - Support for TLS compression was removed. - Added formally verified implementations of non-vectorized Chacha20 and non-vectorized Poly1305 64-bit. - When creating encrypted PKCS#7 or PKCS#12 data, NSS uses a higher iteration count for stronger security. - The CA trust list was updated to version 2.22.
nss: Fix build on SunOS with clang.
Revbump after textproc/icu update
Update to 3.34.1 Changelog: The following CA certificate was Re-Added. It was removed in NSS 3.34, but has been re-added with only the Email trust bit set. (bug 1418678) CN = Certum CA, O=Unizeto Sp. z o.o. SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 Removed entries from certdata.txt for actively distrusted certificates that have expired (bug 1409872). The version of the CA list was set to 2.20.
Update to 3.34 The following CA certificates were Added: CN = GDCA TrustAUTH R5 ROOT SHA-256 Fingerprint: BF:FF:8F:D0:44:33:48:7D:6A:8A:A6:0C:1A:29:76:7A:9F:C2:BB:B0:5E:42:0F:71:3A:13:B9:92:89:1D:38:93 Trust Flags: Websites CN = SSL.com Root Certification Authority RSA SHA-256 Fingerprint: 85:66:6A:56:2E:E0:BE:5C:E9:25:C1:D8:89:0A:6F:76:A8:7E:C1:6D:4D:7D:5F:29:EA:74:19:CF:20:12:3B:69 Trust Flags: Websites, Email CN = SSL.com Root Certification Authority ECC SHA-256 Fingerprint: 34:17:BB:06:CC:60:07:DA:1B:96:1C:92:0B:8A:B4:CE:3F:AD:82:0E:4A:A3:0B:9A:CB:C4:A7:4E:BD:CE:BC:65 Trust Flags: Websites, Email CN = SSL.com EV Root Certification Authority RSA R2 SHA-256 Fingerprint: 2E:7B:F1:6C:C2:24:85:A7:BB:E2:AA:86:96:75:07:61:B0:AE:39:BE:3B:2F:E9:D0:CC:6D:4E:F7:34:91:42:5C Trust Flags: Websites CN = SSL.com EV Root Certification Authority ECC SHA-256 Fingerprint: 22:A2:C1:F7:BD:ED:70:4C:C1:E7:01:B5:F4:08:C3:10:88:0F:E9:56:B5:DE:2A:4A:44:F9:9C:87:3A:25:A7:C8 Trust Flags: Websites CN = TrustCor RootCert CA-1 SHA-256 Fingerprint: D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C Trust Flags: Websites, Email CN = TrustCor RootCert CA-2 SHA-256 Fingerprint: 07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 Trust Flags: Websites, Email CN = TrustCor ECA-1 SHA-256 Fingerprint: 5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C Trust Flags: Websites, Email The following CA certificates were Removed: CN = Certum CA, O=Unizeto Sp. z o.o. SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24 CN = StartCom Certification Authority SHA-256 Fingerprint: C7:66:A9:BE:F2:D4:07:1C:86:3A:31:AA:49:20:E8:13:B2:D1:98:60:8C:B7:B7:CF:E2:11:43:B8:36:DF:09:EA CN = StartCom Certification Authority SHA-256 Fingerprint: E1:78:90:EE:09:A3:FB:F4:F4:8B:9C:41:4A:17:D6:37:B7:A5:06:47:E9:BC:75:23:22:72:7F:CC:17:42:A9:11 CN = StartCom Certification Authority G2 SHA-256 Fingerprint: C7:BA:65:67:DE:93:A7:98:AE:1F:AA:79:1E:71:2D:37:8F:AE:1F:93:C4:39:7F:EA:44:1B:B7:CB:E6:FD:59:95 CN = TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 SHA-256 Fingerprint: E4:C7:34:30:D7:A5:B5:09:25:DF:43:37:0A:0D:21:6E:9A:79:B9:D6:DB:83:73:A0:C6:9E:B1:CC:31:C7:C5:2A CN = ACEDICOM Root SHA-256 Fingerprint: 03:95:0F:B4:9A:53:1F:3E:19:91:94:23:98:DF:A9:E0:EA:32:D7:BA:1C:DD:9B:C8:5D:B5:7E:D9:40:0B:43:4A CN = Certinomis - Autorité Racine SHA-256 Fingerprint: FC:BF:E2:88:62:06:F7:2B:27:59:3C:8B:07:02:97:E1:2D:76:9E:D1:0E:D7:93:07:05:A8:09:8E:FF:C1:4D:17 CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı SHA-256 Fingerprint: 97:8C:D9:66:F2:FA:A0:7B:A7:AA:95:00:D9:C0:2E:9D:77:F2:CD:AD:A6:AD:6B:A7:4A:F4:B9:1C:66:59:3C:50 CN = PSCProcert SHA-256 Fingerprint: 3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0 CN = CA 沃通根证书, O=WoSign CA Limited SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54 CN = Certification Authority of WoSign SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08 CN = Certification Authority of WoSign G2 SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16 CN = CA WoSign ECC Root SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02 libfreebl no longer requires SSE2 instructions. New in NSS 3.34 New Functionality When listing an NSS database using certutil -L, but the database hasn't yet been initialized with any non-empty or empty password, the text "Database needs user init" will be included in the listing. When using certutil to set an inacceptable password in FIPS mode, a correct explanation of acceptable passwords will be printed. SSLKEYLOGFILE is now supported with TLS 1.3, see Bug 1287711 for details. SSLChannelInfo has two new fields (Bug 1396525) SSLNamedGroup originalKeaGroup holds the key exchange group of the original handshake when the session was resumed. PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE otherwise. RSA-PSS signatures are now supported on certificates. Certificates with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate using the --pss-sign argument to certutil. New Functions Compatibility NSS 3.34 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.34 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
nss: needs c99 Noticed by Riccardo Mottola via netbsd-users@: <http://mail-index.netbsd.org/netbsd-users/2017/09/29/msg020182.html> Thanks!
Update to 3.33 Changelog: Notable Changes in NSS 3.33 TLS compression is no longer supported. API calls that attempt to enable compression are accepted without failure. However, TLS compression will remain disabled. This version of NSS uses a formally verified implementation of Curve25519 on 64-bit systems. The compile time flag DISABLE_ECC has been removed. When NSS is compiled without NSS_FORCE_FIPS=1 startup checks are not performed anymore. Various minor improvements and correctness fixes.
revbump for requiring ICU 59.x
Update to 3.32 Changelog: Notable Changes: ================ * Various minor improvements and correctness fixes. * The Code Signing trust bit was turned off for all included root certificates. * The Websites (TLS/SSL) trust bit was turned off for the following root certificates: - CN = AddTrust Class 1 CA Root - CN = Swisscom Root CA 2 * The following CA certificates were Removed: - CN = AddTrust Public CA Root - CN = AddTrust Qualified CA Root - CN = China Internet Network Information Center EV Certificates Root - CN = CNNIC ROOT - CN = ComSign Secured CA - CN = GeoTrust Global CA 2 - CN = Secure Certificate Services - CN = Swisscom Root CA 1 - CN = Swisscom Root EV CA 2 - CN = Trusted Certificate Services - CN = UTN-USERFirst-Hardware - CN = UTN-USERFirst-Object
Honor LDFLAGS. Fix a pkglint warning for better ccache support.
Update to 3.31 Changelog: New functionality: ================== * Allow certificates to be specified by RFC7512 PKCS#11 URIs. * Allow querying a certificate object for its temporary or permanent storage status in a thread safe way. New Functions: ============== * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a certificate in a thread safe way. * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a certificate in a thread safe way. * PK11_FindCertFromURI - find a certificate identified by the given URI. * PK11_FindCertsFromURI - find a list of certificates identified by the given URI. * PK11_GetModuleURI - retrieve the URI of the given module. * PK11_GetTokenURI - retrieve the URI of a token based on the given slot information. * PK11URI_CreateURI - create a new PK11URI object from a set of attributes. * PK11URI_DestroyURI - destroy a PK11URI object. * PK11URI_FormatURI - format a PK11URI object to a string. * PK11URI_GetPathAttribute - retrieve a path attribute with the given name. * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name. * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object. New Macros: =========== * Several new macros that start with PK11URI_PATTR_ for path attributes defined in RFC7512. * Several new macros that start with PK11URI_QATTR_ for query attributes defined in RFC7512. Notable Changes: ================ * The APIs that set a TLS version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured. SSL_VersionRangeGetSupported can be used to query the overlap between the library's supported range of TLS versions and the systemwide policy. * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a failure if the requested version range wasn't fully allowed by the systemwide crypto policy. They have been changed to return success, if at least one TLS version overlaps between the requested range and the systemwide policy. An application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to query the TLS version range that was effectively activated. * Corrected the encoding of Domain Name Constraints extensions created by certutil. * NSS supports a clean seeding mechanism for *NIX systems now using only /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile time. * CERT_AsciiToName can handle OIDs in dotted decimal form now. The HG tag is NSS_3_31_RTM. NSS 3.31 requires NSPR 4.15 or newer.
Update to 3.30.2 Changelog: The NSS team has released Network Security Services (NSS) 3.30.2, which is a patch release to update the list of root CA certificates. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. Notable Changes: * The following CA certificates were Removed - O = Japanese Government, OU = ApplicationCA - CN = WellsSecure Public Root Certificate Authority - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6 - CN = Microsec e-Szigno Root * The following CA certificates were Added - CN = D-TRUST Root CA 3 2013 - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 * The version number of the updated root CA list has been set to 2.14 (Bug 1350859) * Domain name constraints for one of the new CAs have been added to the NSS code (Bug 1349705)
Revbump after icu update
Update to 3.30.1 Changelog: Not available.
Update to 3.30 Changelog: New in NSS 3.30: ================ * In the PKCS#11 root CA module (nssckbi), CAs with positive trust are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY, set to true. Applications that need to distinguish them from other other root CAs may use the exported function PK11_HasAttributeSet. * Support for callback functions that can be used to monitor SSL/TLS alerts that are sent or received. Notable Changes: ================ * The TLS server code has been enhanced to support session tickets when no RSA certificate is configured. * RSA-PSS signatures produced by key pairs with a modulus bit length that is not a multiple of 8 are now supported. * The pk12util tool now supports importing and exporting data encrypted in the AES based schemes defined in PKCS#5 v2.1.
Update to 3.29.3 Changelog: The NSS team has released Network Security Services (NSS) 3.29.3 No new functionality is introduced in this release. This is a patch release to fix a rare crash when initializing an SSL socket fails. The NSS team has released Network Security Services (NSS) 3.29.2 No new functionality is introduced in this release. This is a patch release to fix an issue with TLS session tickets.
Update to 3.29.1 Changelog: Fix binary compatibility issues in 3.29
Update to 3.29 Changelog: Notable Changes: ================ * Fixed a NSS 3.28 regression in the signature scheme flexibility that causes connectivity issues between iOS 8 clients and NSS servers with ECDSA certificates (bug1334114 <https://bugzilla.mozilla.org/show_bug.cgi?id=1334114>).
Disable internal sqlite3. Bump PKGREVISION It is my mistake. Builds confirmed on NetBSD/amd64 current and macOS Sierra.
Update to 3.28.1 * Bump nspr requirement Changelog: 3.28.1: The NSS team has released Network Security Services (NSS) 3.28.1, which is a patch release. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. No new functionality is introduced in this release. This is a patch release to update the list of root CA certificates and address a minor TLS compatibility issue that some applications experienced with NSS 3.28. Notable Changes: * The following CA certificates were Removed - CN = Buypass Class 2 CA 1 - CN = Root CA Generalitat Valenciana - OU = RSA Security 2048 V3 * The following CA certificates were Added - OU = AC RAIZ FNMT-RCM - CN = Amazon Root CA 1 - CN = Amazon Root CA 2 - CN = Amazon Root CA 3 - CN = Amazon Root CA 4 - CN = LuxTrust Global Root 2 - CN = Symantec Class 1 Public Primary Certification Authority - G4 - CN = Symantec Class 1 Public Primary Certification Authority - G6 - CN = Symantec Class 2 Public Primary Certification Authority - G4 - CN = Symantec Class 2 Public Primary Certification Authority - G6 * The version number of the updated root CA list has been set to 2.11 * A misleading assertion/alert has been removed when NSS tries to flush data to the peer but the connection was already reset. 3.28: The NSS team has released Network Security Services (NSS) 3.28, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.28_release_notes Request to test and prepare for TLS 1.3 (draft): ================================================ To prepare for a change of default build options, which is planned for the future NSS 3.29 release, we'd like to encourage all users of NSS 3.28 to override the standard NSS build configuration to enable support for (draft ) TLS 1.3 by defining NSS_ENABLE_TLS_1_3=1 at build time. We'd like to ask you to please give feedback to the NSS developers for any compatibility issues that you might encounter in your tests. For providing feedback, you may send a message to this mailing list, see: https://lists.mozilla.org/listinfo/dev-tech-crypto or please report a bug here: https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS New functionality: ================== * NSS includes support for TLS 1.3 draft -18. This includes a number of improvements to TLS 1.3: - The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3. - Key exporters for TLS 1.3 are supported. This includes the early key exporter, which can be used if 0-RTT is enabled. Note that there is a difference between TLS 1.3 and key exporters in older versions of TLS. TLS 1.3 does not distinguish between an empty context and no context. - The TLS 1.3 (draft) protocol can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building NSS. * NSS includes support for the X25519 key exchange algorithm, which is supported and enabled by default in all versions of TLS. New Functions: ============== * SSL_ExportEarlyKeyingMaterial * SSL_SendAdditionalKeyShares * SSL_SignatureSchemePrefSet * SSL_SignatureSchemePrefGet Notable Changes: ================ * NSS can no longer be compiled with support for additional elliptic curves. This was previously possible by replacing certain NSS source files. * NSS will now detect the presence of tokens that support additional elliptic curves and enable those curves for use in TLS. Note that this detection has a one-off performance cost, which can be avoided by using the SSL_NamedGroupConfig function to limit supported groups to those that NSS provides. * PKCS#11 bypass for TLS is no longer supported and has been removed. * Support for "export" grade SSL/TLS cipher suites has been removed. * NSS now uses the signature schemes definition in TLS 1.3. This also affects TLS 1.2. NSS will now only generate signatures with the combinations of hash and signature scheme that are defined in TLS 1.3, even when negotiating TLS 1.2. - This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates. SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward compatibility reasons. - New functions to configure signature schemes are provided: SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet. The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are now deprecated. - NSS will now no longer assume that default signature schemes are supported by a peer if there was no commonly supported signature scheme. * NSS will now check if RSA-PSS signing is supported by the token that holds the private key prior to using it for TLS. * The certificate validation code contains checks to no longer trust certificates that are issued by old WoSign and StartCom CAs after October 21, 2016. This is equivalent to the behavior that Mozilla will release with Firefox 51.
Remove GnuTLS dependency and bump PKGREVISION GnuTLS is not required really.
Recursive revbump from textproc/icu 58.1
simplify installation of commandline utilities, fixes SunOS
Update to 3.27.2 Changelog: The NSS Development Team announces the release of NSS 3.27.2, which is a patch release to address a memory leak in the TLS implementation. No new functionality is introduced in this release. Notable Changes: * Bug 1318561 - SSL_SetTrustAnchors leaks
Bump PKGREVISION. Some commandline utilities require gnutls
Bump PKGREVISION. Install commandline utilities
Update to 3.27.1 Changelog: The NSS team has released Network Security Services (NSS) 3.27.1. This is a patch release to address a TLS compatibility issue that some applications experienced with NSS 3.27. Notable Changes: Availability of the TLS 1.3 (draft) implementation has been re-disabled in the default build. Previous versions of NSS made TLS 1.3 (draft) available only when compiled with NSS_ENABLE_TLS_1_3. NSS 3.27 set this value on by default, allowing TLS 1.3 (draft) to be disabled using NSS_DISABLE_TLS_1_3, although the maximum version used by default remained TLS 1.2. However, some applications query the list of protocol versions that are supported by the NSS library, and enable all supported TLS protocol versions. Because NSS 3.27 enabled compilation of TLS 1.3 (draft) by default, it caused those applications to enable TLS 1.3 (draft). This resulted in connectivity failures, as some TLS servers are version 1.3 intolerant, and failed to negotiate an earlier TLS version with NSS 3.27 clients.
nss: replace USE_NSS_64 with _LP64 builtin. fixes build for 32bit when passing USE_64 (which is questionable)... in pkgsrc we declare all mips64* platforms as 64bit, and use USE_64. However, netbsd/mips64 is using a 32bit ABI, so it is akin to passing USE_64=1 for 32bit. perhaps not declaring it a 64bit platform is correct, but this package is one of the only few using this logic, and it's unfeasible to have correct logic for 32bit/64bit. this package has considerably more logic for USE_64 than for USE_NSS_64, so to avoid inadvertent damage to other platforms, retain the USE_64=1 logic. feel free to object to this option in the discussion on tech-pkg.
Update to 3.27 Changelog: The NSS team has released Network Security Services (NSS) 3.27, which is a minor release. Below is a summary of the changes. Please refer to the full release notes for additional details, including the SHA256 fingerprints of the changed CA certificates. New functionality: * Allow custom named group priorities for TLS key exchange handshake (SSL_NamedGroupConfig). * Added support for RSA-PSS signatures in TLS 1.2 and TLS 1.3 New Functions: * SSL_NamedGroupConfig Notable Changes: * NPN can not be enabled anymore. * Hard limits on the maximum number of TLS records encrypted with the same key are enforced. * Disabled renegotiation in DTLS. * The following CA certificates were Removed - CN = IGC/A, O = PM/SGDN, OU = DCSSI - CN = Juur-SK, O = AS Sertifitseerimiskeskus - CN = EBG Elektronik Sertifika Hizmet Sağlayıcısı - CN = S-TRUST Authentication and Encryption Root CA 2005:PN - O = VeriSign, Inc., OU = Class 1 Public Primary Certification Authority - O = VeriSign, Inc., OU = Class 2 Public Primary Certification Authority - G2 - O = VeriSign, Inc., OU = Class 3 Public Primary Certification Authority - O = Equifax, OU = Equifax Secure Certificate Authority - CN = Equifax Secure eBusiness CA-1 - CN = Equifax Secure Global eBusiness CA-1 The full release notes are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27_release_notes
Bump PKGREVISION for perl-5.24.0 for everything mentioning perl.
Update to 3.25 Changelog: The NSS team has released Network Security Services (NSS) 3.25, which is a minor release. Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * Implemented DHE key agreement for TLS 1.3 * Added support for ChaCha with TLS 1.3 * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF * In previous versions, when using client authentication with TLS 1.2, NSS only supported certificate_verify messages that used the same signature hash algorithm as used by the PRF. This limitation has been removed. * Several functions have been added to the public API of the NSS Cryptoki Framework. New Functions: * NSSCKFWSlot_GetSlotID * NSSCKFWSession_GetFWSlot * NSSCKFWInstance_DestroySessionHandle * NSSCKFWInstance_FindSessionHandle Notable Changes: * An SSL socket can no longer be configured to allow both TLS 1.3 and SSL v3 * Regression fix: NSS no longer reports a failure if an application attempts to disable the SSL v2 protocol. * The list of trusted CA certificates has been updated to version 2.8 * The following CA certificate was Removed - CN = Sonera Class1 CA * The following CA certificates were Added - CN = Hellenic Academic and Research Institutions RootCA 2015 - CN = Hellenic Academic and Research Institutions ECC RootCA 2015 - CN = Certplus Root CA G1 - CN = Certplus Root CA G2 - CN = OpenTrust Root CA G1 - CN = OpenTrust Root CA G2 - CN = OpenTrust Root CA G3
Update to 3.24 * Require nspr 4.12 or later, from he@. Thank you. Changelog: The NSS team has released Network Security Services (NSS) 3.24, which is a minor release. Below is a short summary of the changes. Please refer to the full release notes for additional details. New functionality: * NSS softoken has been updated with the latest NIST guidance (as of 2015) * NSS softoken has also been updated to allow NSS to run in FIPS level-1 (no password). * SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a certificate and private key. This method should be used in preference to SSL_ConfigSecureServer, SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and SSL_SetSignedCertTimestamps. * Added PORTCheapArena for temporary arenas allocated on the stack. New Functions: * SSL_ConfigServerCert - Configures an SSL/TLS socket with a certificate, private key and other information. * PORT_InitCheapArena - This initializes an arena that was created on the stack. See PORTCheapArenaPool. * PORT_DestroyCheapArena - This destroys an arena that was created on the stack. See PORTCheapArenaPool. New Types * SSLExtraServerCertData - This struct is optionally passed as an argument to SSL_ConfigServerCert. It contains supplementary information about a certificate, such as the intended type of the certificate, stapled OCSP responses, or signed certificate timestamps (used for certificate transparency). * PORTCheapArenaPool - A stack-allocated arena pool, to be used for temporary arena allocations. New Macros * CKM_TLS12_MAC * SEC_OID_TLS_ECDHE_PSK - This OID is used to govern use of the TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is only used for session resumption in TLS 1.3. Notable Changes: * The following functions have been deprecated (applications should use the new SSL_ConfigServerCert function instead): * SSL_SetStapledOCSPResponses * SSL_SetSignedCertTimestamps * SSL_ConfigSecureServer * SSL_ConfigSecureServerWithCertChain * Function NSS_FindCertKEAType is now deprecated, as it reports a misleading value for certificates that might be used for signing rather than key exchange. * SSLAuthType has been updated to define a larger number of authentication key types. * The member attribute authAlgorithm of type SSLCipherSuiteInfo has been deprecated. Instead, applications should use the newly added attribute authType. * ssl_auth_rsa has been renamed to ssl_auth_rsa_decrypt. * On Linux platforms that define FREEBL_LOWHASH, a shared library has been added: libfreeblpriv3 * Most code related to the SSL v2 has been removed, including the ability to actively send a SSL v2 compatible client hello. However, the server side implementation of the SSL/TLS protocol continues to support processing of received v2 compatible client hello messages. * NSS supports a mechanism to log SSL/TLS key material to a logfile if the environment variable named SSLKEYLOGFILE is set. NSS has been changed to disable this functionality in optimized builds by default. In order to enable the functionality in optimized builds, the symbol NSS_ALLOW_SSLKEYLOGFILE must be defined when building NSS. * NSS has been updated to be protected against the Cachebleed attack. * Support for DTLS compression has been disabled. * Support for TLS 1.3 has been improved. This includes support for DTLS 1.3. Note that TLS 1.3 support is experimental and is not suitable for production use.
Add nss-config script to match most Linux distributions. Create nss.pc file earlier, not during installation. Bump PKGREVISION.
Update to 3.23 Changelog: The NSS team has released Network Security Services (NSS) 3.23, which is a minor release. The following security-relevant bug has been resolved in NSS 3.23. Users are encouraged to upgrade immediately. * Bug 1245528 (CVE-2016-1950): Fixed a heap-based buffer overflow related to the parsing of certain ASN.1 structures. An attacker could create a specially-crafted certificate which, when parsed by NSS, would cause a crash or execution of arbitrary code with the permissions of the user. New functionality: * ChaCha20/Poly1305 cipher and TLS cipher suites now supported (bug 917571, bug 1227905) * Experimental-only support TLS 1.3 1-RTT mode (draft-11). This code is not ready for production use. New Functions: * SSL_SetDowngradeCheckVersion - Set maximum version for new ServerRandom anti-downgrade mechanism Notable Changes: * The copy of SQLite shipped with NSS has been updated to version 3.10.2 (bug 1234698) * The list of TLS extensions sent in the TLS handshake has been reordered to improve compatibility of the Extended Master Secret feature with servers (bug 1243641) * The build time environment variable NSS_ENABLE_ZLIB has been renamed to NSS_SSL_ENABLE_ZLIB (Bug 1243872). * The build time environment variable NSS_DISABLE_CHACHAPOLY was added, which can be used to prevent compilation of the ChaCha20/Poly1305 code. * The following CA certificates were Removed - Staat der Nederlanden Root CA - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado - NetLock Kozjegyzoi (Class A) Tanusitvanykiado - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado - VeriSign Class 1 Public PCA – G2 - VeriSign Class 3 Public PCA - VeriSign Class 3 Public PCA – G2 - CA Disig * The following CA certificates were Added - SZAFIR ROOT CA2 - Certum Trusted Network CA 2 * The following CA certificate had the Email trust bit turned on - Actalis Authentication Root CA The full release notes, including the SHA256 fingerprints of the changed CA certificates, are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
Recursive revbump from textproc/icu 57.1
Pullup ticket #4952 - requested by bsiegert devel/nss: security update Revisions pulled up: - devel/nss/Makefile 1.106 - devel/nss/distinfo 1.55 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: ryoon Date: Sat Feb 6 22:09:56 UTC 2016 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: Update to 3.22 Changelog: The NSS team has released Network Security Services (NSS) 3.22, which is a minor release. New functionality: * RSA-PSS signatures are now supported (bug 1215295) * Pseudorandom functions based on hashes other than SHA-1 are now supported * Enforce an External Policy on NSS from a config file (bug 1009429) New Functions: * PK11_SignWithMechanism - an extended version PK11_Sign() * PK11_VerifyWithMechanism - an extended version of PK11_Verify() * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data New Types: * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType * Constants for several object IDs are added to SECOidTag New Macros: * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS * NSS_USE_ALG_IN_SSL * NSS_USE_POLICY_IN_SSL * NSS_RSA_MIN_KEY_SIZE * NSS_DH_MIN_KEY_SIZE * NSS_DSA_MIN_KEY_SIZE * NSS_TLS_VERSION_MIN_POLICY * NSS_TLS_VERSION_MAX_POLICY * NSS_DTLS_VERSION_MIN_POLICY * NSS_DTLS_VERSION_MAX_POLICY * CKP_PKCS5_PBKD2_HMAC_SHA224 * CKP_PKCS5_PBKD2_HMAC_SHA256 * CKP_PKCS5_PBKD2_HMAC_SHA384 * CKP_PKCS5_PBKD2_HMAC_SHA512 * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported) * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported) * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported) table Changes: * NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests. The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer. To generate a diff of this commit: cvs rdiff -u -r1.105 -r1.106 pkgsrc/devel/nss/Makefile cvs rdiff -u -r1.54 -r1.55 pkgsrc/devel/nss/distinfo
Update to 3.22.3 Changelog: The NSS Development Team announces the release of NSS 3.22.3, which is a patch release for NSS 3.22. No new functionality is introduced in this release. The following bugs have been resolved in NSS 3.22.3 * Bug 1243641 - Increase compatibility of TLS extended master secret, don't send an empty TLS extension last in the handshake
Don't arbitrarily use bundled zlib on some platforms and system's on others. We do include zlib.buildlink3.mk, so make sure we always use that zlib. Remove manual do-build target and set BUILD_DIRS instead. Set MAKE_JOBS_SAFE=no. The previous do-build target didn't respect MAKE_JOBS. Bump PKGREVISON.
Update to 3.22.2 Changelog: New root certificates backported from 3.23.
Use OPSYSVARS.
Update to 3.22.1 Changelog: The NSS Development Team announces the release of NSS 3.22.1 No new functionality is introduced in this release. Notable Changes: * NSS has been changed to use the PR_GetEnvSecure function that was made available in NSPR 4.12
Update to 3.22 Changelog: The NSS team has released Network Security Services (NSS) 3.22, which is a minor release. New functionality: * RSA-PSS signatures are now supported (bug 1215295) * Pseudorandom functions based on hashes other than SHA-1 are now supported * Enforce an External Policy on NSS from a config file (bug 1009429) New Functions: * PK11_SignWithMechanism - an extended version PK11_Sign() * PK11_VerifyWithMechanism - an extended version of PK11_Verify() * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data New Types: * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType * Constants for several object IDs are added to SECOidTag New Macros: * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS * NSS_USE_ALG_IN_SSL * NSS_USE_POLICY_IN_SSL * NSS_RSA_MIN_KEY_SIZE * NSS_DH_MIN_KEY_SIZE * NSS_DSA_MIN_KEY_SIZE * NSS_TLS_VERSION_MIN_POLICY * NSS_TLS_VERSION_MAX_POLICY * NSS_DTLS_VERSION_MIN_POLICY * NSS_DTLS_VERSION_MAX_POLICY * CKP_PKCS5_PBKD2_HMAC_SHA224 * CKP_PKCS5_PBKD2_HMAC_SHA256 * CKP_PKCS5_PBKD2_HMAC_SHA384 * CKP_PKCS5_PBKD2_HMAC_SHA512 * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported) * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported) * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported) table Changes: * NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests. The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
Fix build under GCC 4.5.3 (NetBSD 6)
Update to 3.21 * Disable gtest option Changelog: The NSS team has released Network Security Services (NSS) 3.21, which is a minor release. New functionality: * certutil now supports a --rename option to change a nickname (bug 1142209) * TLS extended master secret extension (RFC 7627) is supported (bug 1117022) * New info functions added for use during mid-handshake callbacks (bug 1084669) New Functions: * NSS_OptionSet - sets NSS global options * NSS_OptionGet - gets the current value of NSS global options * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string. The module represented by the module structure is not loaded. The difference with SECMOD_CreateModule is the new function handles NSS configuration parameter strings. * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior to the handshake being completed, for use with the callbacks that are invoked during the handshake * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms for TLS * SSL_SignaturePrefGet - retrieves the currently configured signature and hash algorithms * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that can be configured with SSL_SignaturePrefSet * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter strings. The returned strings must be freed by the caller. The difference with NSS_ArgParseModuleSpec is the new function handles NSS configuration parameter strings. * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string and returns a module string which the caller must free when it is done. The difference with NSS_MkModuleSpec is the new function handles NSS configuration parameter strings. New Types: * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS12_MASTER_KEY_DERIVE * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS12_KEY_AND_MAC_DERIVE * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC * SSLHashType - identifies a hash function * SSLSignatureAndHashAlg - identifies a signature and hash function * SSLPreliminaryChannelInfo - provides information about the session state prior to handshake completion New Macros: * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum RSA key size * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum DH key size * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or get the minimum DSA key size * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and ECDH) cipher suites * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS. * CKM_TLS_MAC - computes TLS Finished MAC * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key exchange * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete DTLS record in a UDP packet * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid signature and hash algorithm is available * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an unsupported signature and hash algorithm is configured * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended master secret is missing after having been negotiated * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an extended master secret when previously not negotiated * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended master secret extension (RFC 7627) * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a TLS version has been selected * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate that a TLS cipher suite has been selected * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all preliminary information has been set Notable Changes: * NSS now builds with elliptic curve ciphers enabled by default (bug 1205688) * NSS now builds with warnings as errors (bug 1182667) * The following CA certificates were Removed - CN = VeriSign Class 4 Public Primary Certification Authority - G3 - CN = UTN-USERFirst-Network Applications - CN = TC TrustCenter Universal CA III - CN = A-Trust-nQual-03 - CN = USERTrust Legacy Secure Server CA - Friendly Name: Digital Signature Trust Co. Global CA 1 - Friendly Name: Digital Signature Trust Co. Global CA 3 - CN = UTN - DATACorp SGC - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2\ 005 * The following CA certificate had the Websites trust bit turned off - OU = Equifax Secure Certificate Authority * The following CA certificates were Added - CN = Certification Authority of WoSign G2 - CN = CA WoSign ECC Root - CN = OISTE WISeKey Global Root GB CA
Pullup ticket #4853 - requested by he devel/nss: security fix Revisions pulled up: - devel/nss/Makefile 1.103 - devel/nss/distinfo 1.52 --- Module Name: pkgsrc Committed By: ryoon Date: Tue Nov 3 16:55:07 UTC 2015 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: Update to 3.20.1 Changelog: The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to upgrade immediately. * Bug 1192028 (CVE-2015-7181) and Bug 1202868 (CVE-2015-7182): Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data. While the majority of NSS uses a separate, unaffected DER decoder, several public routines also accept BER data, and thus are affected. An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
Update to 3.20.1 Changelog: The following security-relevant bugs have been resolved in NSS 3.20.1. Users are encouraged to upgrade immediately. * Bug 1192028 (CVE-2015-7181) and Bug 1202868 (CVE-2015-7182): Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data. While the majority of NSS uses a separate, unaffected DER decoder, several public routines also accept BER data, and thus are affected. An attacker that successfully exploited these issues can overflow the heap and may be able to obtain remote code execution.
Support SunOS/clang.
Recursive revbump from textproc/icu
Update to 3.20 Changelog: The NSS team has released Network Security Services (NSS) 3.20, which is a minor release. New functionality: * The TLS library has been extended to support DHE ciphersuites in server applications. New Functions: * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group parameters that can be used by NSS for a server socket. * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group parameters that are smaller than the library default's minimum size. New Types: * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in NSS that can be used with function SSL_DHEGroupPrefSet. New Macros: * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable DHE ciphersuites for a server socket. Notable Changes: * The TLS library has been extended to support DHE ciphersuites in server applications. * For backwards compatibility reasons, the server side implementation of the TLS library keeps all DHE ciphersuites disabled by default. They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API. * The server side implementation of the TLS implementation does not support session tickets when using a DHE ciphersuite (see bug 1174677). * Support for the following ciphersuites has been added: - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * By default, the server side TLS implementation will use DHE parameters with a size of 2048 bits when using DHE ciphersuites. * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and 8192 bits, which were copied from version 08 of the Internet-Draft "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for TLS", Appendix A. * A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a server application to select one or multiple of the embedded DHE parameters as the preferred parameters. The current implementation of NSS will always use the first entry in the array that is passed as a parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS client might signal a preference for certain DHE parameters, and the NSS TLS server side implementation might select a matching entry from the set of parameters that have been configured as preferred on the server side. * NSS optionally supports the use of weak DHE parameters with DHE ciphersuites to support legacy clients. In order to enable this support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each time this API is called for the first time in a process, a fresh set of weak DHE parameters will be randomly created, which may take a long amount of time. Please refer to the comments in the header file that declares the SSL_EnableWeakDHEPrimeGroup API for additional details. * The size of the default PQG parameters used by certutil when creating DSA keys has been increased to use 2048 bit parameters. * The selfserv utility has been enhanced to support the new DHE features. * NSS no longer supports C compilers that predate the ANSI C standard (C89).
Update to 3.19.2 * Approved by wiz@. Changelog: Network Security Services (NSS) is a patch release for NSS 3.19. No new functionality is introduced in this release. This release addresses a backwards compatibility issue with the NSS 3.19.1 release. Notable Changes: * In NSS 3.19.1, the minimum key sizes that the freebl cryptographic implementation (part of the softoken cryptographic module used by default by NSS) was willing to generate or use was increased - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix for Bug 1138554 / CVE-2015-4000. Applications that requested or attempted to use keys smaller then the minimum size would fail. However, this change in behaviour unintentionally broke existing NSS applications that need to generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey. In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for Bug 1138554 has been moved to libssl, and will now only affect the minimum keystrengths used in SSL/TLS.
Recursive PKGREVISION bump for all packages mentioning 'perl', having a PKGNAME of p5-*, or depending such a package, for perl-5.22.0.
Update to 3.19.1 Changelog: Network Security Services (NSS) 3.19.1 is a patch release for NSS 3.19. No new functionality is introduced in this release. This patch release includes a fix for the recently published logjam attack. Notable Changes: * The minimum strength of keys that libssl will accept for finite field algorithms (RSA, Diffie-Hellman, and DSA) have been increased to 1023 bits (bug 1138554). * NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have leading zero values. This affects the key strength values that are reported by SSL_GetChannelInfo. The NSS development team would like to thank Matthew Green and Karthikeyan Bhargavan for responsibly disclosing the issue in bug 1138554. The HG tag is NSS_3_19_1_RTM. NSS 3.19.1 requires NSPR 4.10.8 or newer.
Update to 3.19 Changelog: The NSS team has released Network Security Services (NSS) 3.19, which is a minor release. New functionality: * For some certificates, such as root CA certificates, that don't embed any constraints, NSS might impose additional constraints, such as name constraints. A new API has been added that allows to lookup imposed constraints. * It is possible to override the directory in which the NSS build system will look for the sqlite library. New Functions: * CERT_GetImposedNameConstraints Notable Changes: * The SSL 3 protocol has been disabled by default. * NSS now more strictly validates TLS extensions and will fail a handshake that contains malformed extensions. * Fixed a bug related to the ordering of TLS handshake messages. * In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm, in order to be compatible with TLS servers that use certificates with a SHA512 signature.
Update to 3.18.1 Changelog: The NSS Development Team announces the release of NSS 3.18.1 Network Security Services (NSS) 3.18.1 is a patch release for NSS 3.18 to update the list of root CA certificates. No new functionality is introduced in this release. Notable Changes: * The following CA certificate had the Websites and Code Signing trust bits restored to their original state to allow more time to develop a better transition strategy for affected sites: - OU = Equifax Secure Certificate Authority * The following CA certificate was removed: - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi * The following intermediate CA certificate has been added as actively distrusted because it was mis-used to issue certificates for domain names the holder did not own or control: - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG * The version number of the updated root CA list has been set to 2.4 The full release notes, including further details and the SHA1 fingerprints of the changed CA certificates, are available at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
Revbump after updating textproc/icu
Update to 3.18 Changelog: The NSS team has released Network Security Services (NSS) 3.18, which is a minor release. New functionality: * When importing certificates and keys from a PKCS#12 source, it's now possible to override the nicknames, prior to importing them into the NSS database, using new API SEC_PKCS12DecoderRenameCertNicknames. * The tstclnt test utility program has new command-line options -C, -D, -b and -R. Use -C one, two or three times to print information about the certificates received from a server, and information about the locally found and trusted issuer certificates, to diagnose server side configuration issues. It is possible to run tstclnt without providing a database (-D). A PKCS#11 library that contains root CA certificates can be loaded by tstclnt, which may either be the nssckbi library provided by NSS (-b) or another compatible library (-R). New Functions: * SEC_CheckCrlTimes * SEC_GetCrlTimes * SEC_PKCS12DecoderRenameCertNicknames New Types * SEC_PKCS12NicknameRenameCallback Notable Changes: * The highest TLS protocol version enabled by default has been increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS protocol version enabled by default has been increased from DTLS 1.0 to DTLS 1.2. * The default key size used by certutil when creating an RSA key pair has been increased from 1024 bits to 2048 bits. * On Mac OS X, by default the softokn shared library will link with the sqlite library installed by the operating system, if it is version 3.5 or newer. * The following CA certificates had the Websites and Code Signing trust bits turned off: - Equifax Secure Certificate Authority - Equifax Secure Global eBusiness CA-1 - TC TrustCenter Class 3 CA II * The following CA certificates were Added: - Staat der Nederlanden Root CA - G3 - Staat der Nederlanden EV Root CA - IdenTrust Commercial Root CA 1 - IdenTrust Public Sector Root CA 1 - S-TRUST Universal Root CA - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - CFCA EV ROOT * The version number of the updated root CA list has been set to 2.3
Update to 3.17.4 Changelog: Network Security Services (NSS) 3.17.4 is a patch release for NSS 3.17. No new functionality is introduced in this release. Notable Changes: * If an SSL/TLS connection fails, because client and server don't have any common protocol version enabled, NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting SSL_ERROR_NO_CYPHER_OVERLAP). * libpkix was fixed to prefer the newest certificate, if multiple certificates match. * fixed a memory corruption issue during failure of keypair generation. * fixed a failure to reload a PKCS#11 module in FIPS mode. * fixed interoperability of NSS server code with a LibreSSL client.
Fix build of www/firefox. The build breakage is caused from inconsistent use of sqlite3 from NetBSD base and pkgsrc. Bump PKGREVISION.
Update to 3.17.3 Changelog: New functionality: * Support for TLS_FALLBACK_SCSV has been added to the ssltap and tstclnt utilities Notable Changes: * The QuickDER decoder now decodes lengths robustly (CVE-2014-1569) * The following 1024-bit CA certificates were Removed: - GTE CyberTrust Global Root - Thawte Server CA - Thawte Premium Server CA - America Online Root Certification Authority 1 - America Online Root Certification Authority 2 * The following CA certificates had the Websites and Code Signing trust bits turned off: - Class 3 Public Primary Certification Authority - G2 - Equifax Secure eBusiness CA-1 * The following CA certificates were Added: - COMODO RSA Certification Authority - USERTrust RSA Certification Authority - USERTrust ECC Certification Authority - GlobalSign ECC Root CA - R4 - GlobalSign ECC Root CA - R5 * The version number of the updated root CA list has been set to 2.2
Update to 3.17.2 Changelog: New in NSS 3.17.2 New Functionality No new functionality is introduced in this release. This is a patch release to fix a regression and other bugs. Notable Changes in NSS 3.17.2 Bug 1049435: Change RSA_PrivateKeyCheck to not require p > q. This fixes a regression introduced in NSS 3.16.2 that prevented NSS from importing some RSA private keys (such as in PKCS #12 files) generated by other crypto libraries. Bug 1057161: Check that an imported elliptic curve public key is valid. Previously NSS would only validate the peer's public key before performing ECDH key agreement. Now EC public keys are validated at import time. Bug 1078669: certutil crashes when an argument is passed to the --certVersion option. Bugs fixed in NSS 3.17.2 This Bugzilla query returns all the bugs fixed in NSS 3.17.2: https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.17.2 Compatibility NSS 3.17.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.17.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revbump after updating libwebp and icu
security update fixing: - Incorrect DigestInfo validation in NSS (CVE-2014-1568) - RSA signature verification vulnerabilities in parsing of DigestInfo (see https://www.mozilla.org/security/announce/2014/mfsa2014-73.html)
Update to nss 3.16.4 This release consists primarily of CA certificate changes as listed below, and includes a small number of bug fixes. Notable Changes: * The following 1024-bit root CA certificate was restored to allow more time to develop a better transition strategy for affected sites. It was removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy forum led to the decision to keep this root included longer in order to give website administrators more time to update their web servers. - CN = GTE CyberTrust Global Root * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit intermediate CA certificate has been included, without explicit trust. The intention is to mitigate the effects of the previous removal of the 1024-bit Entrust.net root certificate, because many public Internet sites still use the "USERTrust Legacy Secure Server CA" intermediate certificate that is signed by the 1024-bit Entrust.net root certificate. The inclusion of the intermediate certificate is a temporary measure to allow those sites to function, by allowing them to find a trust path to another 2048-bit root CA certificate. The temporarily included intermediate certificate expires November 1, 2015.
Update to 3.16.2 Changelog: Network Security Services (NSS) 3.16.3 is a patch release for NSS 3.16. This release consists primarily of CA certificate changes as listed below, and fixes an issue with a recently added utility function. New Functions: * CERT_GetGeneralNameTypeFromString (This function was already added in NSS 3.16.2, however, it wasn't declared in a public header file.) Notable Changes: * The following 1024-bit CA certificates were Removed - Entrust.net Secure Server Certification Authority - GTE CyberTrust Global Root - ValiCert Class 1 Policy Validation Authority - ValiCert Class 2 Policy Validation Authority - ValiCert Class 3 Policy Validation Authority * Additionally, the following CA certificate was Removed as requested by the CA: - TDC Internet Root CA * The following CA certificates were Added: - Certification Authority of WoSign - CA 沃通根证书 - DigiCert Assured ID Root G2 - DigiCert Assured ID Root G3 - DigiCert Global Root G2 - DigiCert Global Root G3 - DigiCert Trusted Root G4 - QuoVadis Root CA 1 G3 - QuoVadis Root CA 2 G3 - QuoVadis Root CA 3 G3 * The Trust Bits were changed for the following CA certificates - Class 3 Public Primary Certification Authority - Class 3 Public Primary Certification Authority - Class 2 Public Primary Certification Authority - G2 - VeriSign Class 2 Public Primary Certification Authority - G3 - AC Raíz Certicámara S.A. - NetLock Uzleti (Class B) Tanusitvanykiado - NetLock Expressz (Class C) Tanusitvanykiado
Update to 3.16.2 Changelog: Network Security Services (NSS) 3.16.2 is a patch release for NSS 3.16. New functionality: * DTLS 1.2 is supported. * The TLS application layer protocol negotiation (ALPN) extension is also supported on the server side. * RSA-OEAP is supported. Use the new PK11_PrivDecrypt and PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism. * New Intel AES assembly code for 32-bit and 64-bit Windows, contributed by Shay Gueron and Vlad Krasnov of Intel. New Functions: * CERT_AddExtensionByOID * PK11_PrivDecrypt * PK11_PubEncrypt New Macros * SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK * SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL Notable Changes: * The btoa command has a new command-line option -w suffix, which causes the output to be wrapped in BEGIN/END lines with the given suffix * The certutil commands supports additionals types of subject alt name extensions. * The certutil command supports generic certificate extensions, by loading binary data from files, which have been prepared using external tools, or which have been extracted from other existing certificates and dumped to file. * The certutil command supports three new certificate usage specifiers. * The pp command supports printing UTF-8 (-u). * On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the --gc-sections linker flag to allow unused functions to be discarded.
Bump for perl-5.20.0. Do it for all packages that * mention perl, or * have a directory name starting with p5-*, or * depend on a package starting with p5- like last time, for 5.18, where this didn't lead to complaints. Let me know if you have any this time.
Correct wrong install_name for Darwin. Makefile had a SUBST for this but it wasn't working.
Update to 3.16.1 Changelog: Network Security Services (NSS) 3.16.1 is a patch release for NSS 3.16. New functionality: * Added the "ECC" flag for modutil to select the module used for elliptic curve cryptography (ECC) operations. New Functions: * PK11_ExportDERPrivateKeyInfo * PK11_ExportPrivKeyInfo * SECMOD_InternalToPubMechFlags New Types: * ssl_padding_xtn New Macros * PUBLIC_MECH_ECC_FLAG * SECMOD_ECC_FLAG Notable Changes: * Imposed name constraints on the French government root CA ANSSI (DCISS).
recursive bump from icu shlib major bump.
fixup nss fetch location
Update to 3.16 * Improve 3.16 like 2 number version support (firefox etc. requires 3 number version string) Changelog: From https://developer.mozilla.org/en-US/docs/NSS/NSS_3.16_release_notes The following security-relevant bug has been resolved. Users are encouraged to upgrade immediately. * Bug 903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard character should not be embedded within the U-label of an internationalized domain name. See the last bullet point in RFC 6125, Section 7.2. New functionality: * Supports the Linux x32 ABI. To build for the Linux x32 target, set the environment variable USE_X32=1 when building NSS. New Functions: * NSS_CMSSignerInfo_Verify New Macros * TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc., cipher suites that were first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with the TLS_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with the SSL_ prefix. Notable Changes: * ECC is enabled by default. It is no longer necessary to set the environment variable NSS_ENABLE_ECC=1 when building NSS. To disable ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS. * libpkix should not include the common name of CA as DNS names when evaluating name constraints. * AESKeyWrap_Decrypt should not return SECSuccess for invalid keys. * Fix a memory corruption in sec_pkcs12_new_asafe. * If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime test sdb_measureAccess. * The built-in roots module has been updated to version 1.97, which adds, removes, and distrusts several certificates. * The atob utility has been improved to automatically ignore lines of text that aren't in base64 format. * The certutil utility has been improved to support creation of version 1 and version 2 certificates, in addition to the existing version 3 support.
Set USE_GCC_RUNTIME=yes for packages which build shared libraries but do not use libtool to do so. This is required to correctly depend upon a gcc runtime package (e.g. gcc47-libs) when using USE_PKGSRC_GCC_RUNTIME.
Update to 3.15.5 Changelog: From: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.5_release_notes Network Security Services (NSS) 3.15.5 is a patch release for NSS 3.15. New functionality: * Added support for the TLS application layer protocol negotiation (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both) should be used for application layer protocol negotiation. * Added the TLS padding extension. The extension type value is 35655, which may change when an official extension type value is assigned by IANA. NSS automatically adds the padding extension to ClientHello when necessary. * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting the tail of a CERTCertList. Notable Changes: * Bug 950129: Improve the OCSP fetching policy when verifying OCSP responses * Bug 949060: Validate the iov input argument (an array of PRIOVec structures) of ssl_WriteV (called via PR_Writev). Applications should still take care when converting struct iov to PRIOVec because the iov_len members of the two structures have different types (size_t vs. int). size_t is unsigned and may be larger than int.
Pullup ticket #4301 - requested by ryoon devel/nss: security update Revisions pulled up: - devel/nss/Makefile 1.75 - devel/nss/distinfo 1.32 --- Module Name: pkgsrc Committed By: ryoon Date: Wed Jan 15 14:38:53 UTC 2014 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: Update to 3.15.4 Changelog: from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to upgrade immediately. Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv New in NSS 3.15.4 New Functionality Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. Implemented OCSP server functionality for testing purposes (httpserv utility). Support SHA-1 signatures with TLS 1.2 client authentication. Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. Added the -w command-line option to pp: don't wrap long output lines. New Functions CERT_ForcePostMethodForOCSP CERT_GetSubjectNameDigest CERT_GetSubjectPublicKeyDigest SSL_PeerCertificateChain SSL_RecommendedCanFalseStart SSL_SetCanFalseStartCallback New Types CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.4 Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. Updated the set of root CA certificates (version 1.96). Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT. Bugs fixed in NSS 3.15.4 A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS Compatibility NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Update to 3.15.4 Changelog: from: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.4. Users are encouraged to upgrade immediately. Bug 919877 - (CVE-2013-1740) When false start is enabled, libssl will sometimes return unencrypted, unauthenticated data from PR_Recv New in NSS 3.15.4 New Functionality Implemented OCSP querying using the HTTP GET method, which is the new default, and will fall back to the HTTP POST method. Implemented OCSP server functionality for testing purposes (httpserv utility). Support SHA-1 signatures with TLS 1.2 client authentication. Added the --empty-password command-line option to certutil, to be used with -N: use an empty password when creating a new database. Added the -w command-line option to pp: don't wrap long output lines. New Functions CERT_ForcePostMethodForOCSP CERT_GetSubjectNameDigest CERT_GetSubjectPublicKeyDigest SSL_PeerCertificateChain SSL_RecommendedCanFalseStart SSL_SetCanFalseStartCallback New Types CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used, libpkix will never attempt to use the HTTP GET method for OCSP requests; it will always use POST. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.4 Reordered the cipher suites offered in SSL/TLS client hello messages to match modern best practices. Updated the set of root CA certificates (version 1.96). Improved SSL/TLS false start. In addition to enabling the SSL_ENABLE_FALSE_START option, an application must now register a callback using the SSL_SetCanFalseStartCallback function. When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT. Bugs fixed in NSS 3.15.4 A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.4&product=NSS Compatibility NSS 3.15.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.4 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
whitespace
Update to 3.15.3.1 Changelog: New in NSS 3.15.3.1 New Functionality No new major functionality is introduced in this release. This is a patch release to revoke trust of a subordinate CA certificate that was mis-used to generate a certificate used by a network appliance. Bugs fixed in NSS 3.15.3.1 Bug 946351 - Misissued Google certificates from DCSSI A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3.1&product=NSS Compatibility NSS 3.15.3.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.3.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Update to 3.15.3 Changelog: Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.3. Users are encouraged to upgrade immediately. Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used New in NSS 3.15.3 New Functionality No new major functionality is introduced in this release. This release is a patch release to address CVE-2013-1741, CVE-2013-5605 and CVE-2013-5606. Bugs fixed in NSS 3.15.3 Bug 850478 - List RC4_128 cipher suites after AES_128 cipher suites Bug 919677 - Don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.3&product=NSS Compatibility NSS 3.15.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.3 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Revbump after updating textproc/icu
Update to 3.15.2 Changelog: Security Advisories The following security-relevant bugs have been resolved in NSS 3.15.2. Users are encouraged to upgrade immediately. Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event of a decryption failure. New in NSS 3.15.2 New Functionality AES-GCM Ciphersuites: AES-GCM cipher suite (RFC 5288 and RFC 5289) support has been added when TLS 1.2 is negotiated. Specifically, the following cipher suites are now supported: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 New Functions PK11_CipherFinal has been introduced, which is a simple alias for PK11_DigestFinal. New Types No new types have been introduced. New PKCS #11 Mechanisms No new PKCS#11 mechanisms have been introduced Notable Changes in NSS 3.15.2 Bug 880543 - Support for AES-GCM ciphersuites that use the SHA-256 PRF Bug 663313 - MD2, MD4, and MD5 signatures are no longer accepted for OCSP or CRLs, consistent with their handling for general certificate signatures. Bug 884178 - Add PK11_CipherFinal macro Bugs fixed in NSS 3.15.2 Bug 734007 - sizeof() used incorrectly Bug 900971 - nssutil_ReadSecmodDB() leaks memory Bug 681839 - Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. Bug 848384 - Deprecate the SSL cipher policy code, as it's no longer relevant. It is no longer necessary to call NSS_SetDomesticPolicy because all cipher suites are now allowed by default. A complete list of all bugs resolved in this release can be obtained at https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&target_milestone=3.15.2&product=NSS&list_id=7982238 Compatibility NSS 3.15.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.2 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.
Update to 3.15.1 Changelog: NSS 3.15.1 release notes Introduction Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below. Distribution Information NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/ New in NSS 3.15.1 New Functionality TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations. The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. New Functions None. New Types in sslprot.h SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites. in sslerr.h SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2. in sslt.h ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type. ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.1 Bug 856060 - Enforce name constraints on the common name in libpkix when no subjectAltName is present. Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict. Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly. Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function. Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures. Bug 884072 - Fix a typo in the header include guard macro of secmod.h. Bug 876352 - certutil now warns if importing a PEM file that contains a private key. Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed. The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed. Bugs fixed in NSS 3.15.1 https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS Compatibility NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries. NSS 3.15 release notes Introduction The NSS team has released Network Security Services (NSS) 3.15, which is a minor release. Distribution Information The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer. NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/ New in NSS 3.15 New Functionality Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. certutil has been updated to support creating name constraints extensions. New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE Notable Changes in NSS 3.15 SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. NSS has migrated from CVS to the Mercurial source control management system. Updated build instructions are available at Migration to HG As part of this migration, the source code directory layout has been re-organized. The list of root CA certificates in the nssckbi module has been updated. The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel. Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour. Bug 853285: Fixed bugs in AES GCM. Bug 341127: Fix the invalid read in rc4_wordconv. Faster NIST curve P-256 implementation. Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced. Bugs fixed in NSS 3.15 This Bugzilla query returns all the bugs fixed in NSS 3.15: https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15
Bump all packages for perl-5.18, that a) refer 'perl' in their Makefile, or b) have a directory name of p5-*, or c) have any dependency on any p5-* package Like last time, where this caused no complaints.
Massive revbump after updating graphics/ilmbase, graphics/openexr, textproc/icu.
Update to 3.14.3 Changelog: * Bugfixes * Fix CVE-2013-1620.
Reset MAINTAINER/OWNER (became observers)
Revbump after graphics/jpeg and textproc/icu
Udate to 3.14.1 Changelog unknown.
Set LICENSE as MPL 2.0.
Update to 3.14.0 Changelog: The NSS team has released Network Security Services (NSS) 3.14, which is a minor release with the following new features: Support for TLS 1.1 (RFC 4346) Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) Support for AES-CTR, AES-CTS, and AES-GCM Support for Keying Material Exporters for TLS (RFC 5705) In addition to the above new features, the following major changes have been introduced: Support for certificate signatures using the MD5 hash algorithm is now disabled by default. The NSS license has changed to MPL 2.0. Previous releases were released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more information about MPL 2.0, please see http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional explantation on GPL/LGPL compatibility, see security/nss/COPYING in the source code. Export and DES cipher suites are disabled by default. Non-ECC AES and Triple DES cipher suites are enabled by default.
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Bump all packages that use perl, or depend on a p5-* package, or are called p5-*. I hope that's all of them.
Fix build on OS X/Darwin. Fix embedding @executable_path, and make package errors.
Replace WRKDIR with WRKSRC in post-extract target. Thanks to Krister Walfridsson on pkgsrc-bulk@NetBSD.org.
Add -lnssutil3 to the nss.pc library list. Other libraries (E.g. nss3) have dependencies on utilities in nssutil3. Libs.private was insufficient to fix the xulrunner build on Linux (CentOS 6.3). Bump PKGREVISION.
Bump PKGREVISION * Fix permission problem of distfile Thank you, wiz@
Update to 3.13.6 * No API and ABI changes Changelog: unknown
Update to 3.13.5 No ChangeLog is provided.
Recursive bump from icu shlib major bumped to 49.
Update 3.13.4 * Change distfile to separated source. Changelog is not shown. Probably some bugs are fixed. Tested on NetBSD/i386 6.99.4 and DragonFly/i386 3.0.1.
Update to 3.13.3 * Extract from xulrunner-11.0.
* Fix version number in nss.pc (remove PKGREVISION from nss.pc). * This ensure that xulrunner uses external devel/nss. Bump PKGREVISION.
Recursive PKGREVISION bump for xulrunner, nss, and nspr.
Update xulrunner 10.0.2 and corresponding nspr and nss. * Improve sparc64 support. * Use external libraries (for example cairo, libvpx etc.) Thank you, martin@ Changelog: * Fix security bugs * Other improvements and bugfixes
Bump version for firefox-8.0.
Avoid version going backwards due to reset of MOZ_BRANCH_MINOR.
Add CHECK_PORTABILITY_SKIP. This configure script is not run for nss, and is regenerated with autoconf in the normal firefox build.
Version bump due to firefox update.
recursive bump from textproc/icu shlib major bump.
bump version for mozilla 2.0 branch update
set FREEBL_NO_DEPEND=0 in MAKE_ENV otherwise Linux2.6 defaults to FREEBL_NO_DEPEND=1 and files not in PLIST are installed. OKed by tnn.
Pullup ticket #3256 - requested by tnn devel/nss: security update Revisions pulled up: - devel/nss/Makefile 1.39 --- Module Name: pkgsrc Committed By: tnn Date: Thu Oct 21 10:31:00 UTC 2010 Modified Files: pkgsrc/devel/nss: Makefile Log Message: Update to nss-3.12.8 (catch up w/ firefox) Various bug fixes, including a security fix: 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
Update to nss-3.12.8 (catch up w/ firefox) Various bug fixes, including a security fix: 578697: (CVE-2010-3170) Browser Wildcard Certificate Validation Issue
Pullup ticket 3219 - requested by tnn security update Revisions pulled up: - pkgsrc/devel/nspr/Makefile 1.37 - pkgsrc/devel/nspr/PLIST 1.11 - pkgsrc/devel/nss/Makefile 1.38 - pkgsrc/devel/xulrunner/PLIST 1.24 - pkgsrc/devel/xulrunner/dist.mk 1.14 - pkgsrc/devel/xulrunner/distinfo 1.36 - pkgsrc/devel/xulrunner/mozilla-common.mk 1.16 - pkgsrc/devel/xulrunner/patches/patch-ag 1.2 - pkgsrc/devel/xulrunner/patches/patch-al 1.2 - pkgsrc/devel/xulrunner/patches/patch-ap 1.4 - pkgsrc/devel/xulrunner/patches/patch-mc 1.2 - pkgsrc/devel/xulrunner/patches/patch-mm 1.3 - pkgsrc/devel/xulrunner/patches/patch-mn 1.3 ------------------------------------------------------------------------- Modified Files: pkgsrc/devel/nspr: Makefile PLIST Log Message: Update to nspr-4.8.6 (via firefox-3.6.9). Changes unknown. To generate a diff of this commit: cvs rdiff -u -r1.36 -r1.37 pkgsrc/devel/nspr/Makefile cvs rdiff -u -r1.10 -r1.11 pkgsrc/devel/nspr/PLIST ------------------------------------------------------------------------- Modified Files: pkgsrc/devel/nss: Makefile Log Message: Update to nss-3.12.7.0 (via firefox-3.6.9). Changes unknown. To generate a diff of this commit: cvs rdiff -u -r1.37 -r1.38 pkgsrc/devel/nss/Makefile ------------------------------------------------------------------------- Modified Files: pkgsrc/devel/xulrunner: PLIST dist.mk distinfo mozilla-common.mk pkgsrc/devel/xulrunner/patches: patch-ag patch-al patch-ap patch-mc patch-mm patch-mn Log Message: Update to firefox-3.6.9 (xulrunner-1.9.2.9) MFSA 2010-63 Information leak via XMLHttpRequest statusText MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS MFSA 2010-61 UTF-7 XSS by overriding document charset using <object> type attribute MFSA 2010-59 SJOW creates scope chains ending in outer object MFSA 2010-58 Crash on Mac using fuzzed font in data: URL MFSA 2010-57 Crash and remote code execution in normalizeDocument MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView MFSA 2010-55 XUL tree removal crash and remote code execution MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText MFSA 2010-52 Windows XP DLL loading vulnerability MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array MFSA 2010-50 Frameset integer overflow vulnerability MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12) To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 pkgsrc/devel/xulrunner/PLIST cvs rdiff -u -r1.13 -r1.14 pkgsrc/devel/xulrunner/dist.mk cvs rdiff -u -r1.35 -r1.36 pkgsrc/devel/xulrunner/distinfo cvs rdiff -u -r1.15 -r1.16 pkgsrc/devel/xulrunner/mozilla-common.mk cvs rdiff -u -r1.1.1.1 -r1.2 pkgsrc/devel/xulrunner/patches/patch-ag \ pkgsrc/devel/xulrunner/patches/patch-al cvs rdiff -u -r1.3 -r1.4 pkgsrc/devel/xulrunner/patches/patch-ap cvs rdiff -u -r1.1 -r1.2 pkgsrc/devel/xulrunner/patches/patch-mc cvs rdiff -u -r1.2 -r1.3 pkgsrc/devel/xulrunner/patches/patch-mm \ pkgsrc/devel/xulrunner/patches/patch-mn
Update to nss-3.12.7.0 (via firefox-3.6.9). Changes unknown.
NSS wants to use libz. Buildlink in devel/zlib. Fixes build on some Linux systems.
fix build breakage
Needs pkg-config to locate sqlite3
- update to 3.12.4.5 - reach over to xulrunner, track the stable gecko release - use external sqlite3 - cleanup - take maintainership This is the second part of PR pkg/42277.
Explicit request 64bit mode on Linux, if ABI=64. From Evaldo Gardenali.
Drop MAINTAINER as per request from existing MAINTAINER.
Second round of explicit pax dependencies. As reminded by tnn@, many packages used to use ${PAX}. Use the common way of directly calling pax, it is created as tool after all.
Add missing ${DESTDIR} at creating PLIST.
Fix DESTDIR installation.
Mechanical changes to add DESTDIR support to packages that install their files via a custom do-install target.
Fix more cases of non-chainable PKGSRC_COMPILER tests.
Change MOZILLA master sites difinitions, related to PR 37379. There are three types Mozilla mirrors. (http://www.mozilla.org/mirroring.html) * mozilla-current contains only the current version of Firefox and Thunderbird * mozilla-release contains Firefox, Thunderbird, and Sunbird releases * mozilla-all complete archive Define following variables for mozilla master sites: MASTER_SITE_MOZILLA_ALL = mozilla-all MASTER_SITE_MOZILLA = mozilla-release and change some packages to use appropriate variable. Update contents of MASTER_SITE_MOZILLA with master and primary mirrors taken from http://www.mozilla.org/mirrors.html and add some sample definitions.
Remove trailing spaces.
Add MAKE_JOBS_SAFE=no because a build with MAKE_JOBS=2 failed for me.
Update to 3.11.5, security fix.
Rather than trying to enumerate all object directories, notice that they all match *_OPT.OBJ so use that for the install target and simplyfy things quite a bit. This should also fix build problems noted on solaris/x86. Also dynamically add the libfreebl part to the PLIST. This should make things more robust as the exact set of libfreebl*.so libs depends on the OS and hardward platform.
Do not use MASTER_SITE_MOZILLA -- the mirrors do not have this distfile.
Update to 3.11.4: The following bugs have been fixed in NSS 3.11.4. * Bug 115951: freebl dynamic library is never unloaded by libsoftoken or libssl. Also tiny one-time leak in freebl's loader.c. * Bug 127960: SSL force handshake function should take a timeout. * Bug 335454: Unable to find library 'libsoftokn3.sl' on HP-UX 64 bit. * Bug 350200: Implement DHMAC based POP (ProofOfPossession). * Bug 351482: audit_log_user_message doesn't exist in all versions of libaudit.so.0. (the "paranoia patch") * Bug 352041: oom [@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced. * Bug 353422: Klocwork bugs in nss/lib/crmf. * Bug 353475: Cannot run cmd tools compiled with VC++ 2005. * Bug 353572: leak in sftk_OpenCertDB. * Bug 353608: NSS_RegisterShutdown may fail, and appData argument to callbacks is always NULL. * Bug 353749: PowerUpSelf tests update for DSA and ECDSA KAT. * Bug 353896: Building tip with NSS_ECC_MORE_THAN_SUITE_B causes crashes in all.sh. * Bug 353910: memory leak in RNG_RNGInit. * Bug 354313: STAN_GetCERTCertificateName leaks "instance" struct. * Bug 354384: vfyserv shutdown failure when client auth requested. * Bug 354900: Audit modifications, accesses, deletions, and additions of cryptographic keys. * Bug 355297: Improve the very first RNG_RandomUpdate call. * Bug 356073: C_GetTokenInfo should return CKR_CRYPTOKI_NOT_INITIALIZED if not initialized. * Bug 356309: CertVerifyLog in CERT_VerifyCertificate terminates early on expired certs. * Bug 357197: OCSP response code fails to match CERTIds. (hot fix only) * Bug 359484: FireFox 2 tries to negotiate ECC cipher suites using ssl2 client hello. (hot fix only) * Bug 360818: No RPATH set for signtool and signver.
fix builds on !Solaris
Various solaris fixes. In particular: - when building with gcc, the solaris /usr/ccs/bin/as assembler is still used in a couple of places but the correct flags aren't set. - The object directory has a different name when building with gcc instead of the sun studio compilers. - There are a couple of libs which are installed that aren't part of the install for other systems (freebl).
Fixed the build on Solaris, for which NSS_OBJ_DIR was not set before.
Updated nss to 3.11. No ChangeLog available, but some libraries have changed: - removed libfort - added libfreebl3 - removed libswft
Oops. I had accidentally commented out ONLY_FOR_PLATFORM.
Fixed most pkglint warnings.
Over 1200 files touched but no revisions bumped :) RECOMMENDED is removed. It becomes ABI_DEPENDS. BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo. BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo. BUILDLINK_DEPENDS does not change. IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS which defaults to "yes". Added to obsolete.mk checking for IGNORE_RECOMMENDED. I did not manually go through and fix any aesthetic tab/spacing issues. I have tested the above patch on DragonFly building and packaging subversion and pkglint and their many dependencies. I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I have used IGNORE_RECOMMENDED for a long time). I have been an active user of IGNORE_RECOMMENDED since it was available. As suggested, I removed the documentation sentences suggesting bumping for "security" issues. As discussed on tech-pkg. I will commit to revbump, pkglint, pkg_install, createbuildlink separately. Note that if you use wip, it will fail! I will commit to pkgsrc-wip later (within day).
Recursive revision bump / recommended bump for gettext ABI change.
Fixed pkglint warnings. The warnings are mostly quoting issues, for example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some other changes are outlined in http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
Make nss and nspr install pkg-config files. Bump their PKGREVISION.
set NS_USE_GCC on solaris when using gcc. This gets past most of the makefile issues. There are still some problems on solaris, but this gets you further. Don't mark as available yet on solaris since it still doesn't compile.
Only for Linux, FreeBSD, DragonFly and NetBSD for now. NSS will build and run on other platforms when MAINTAINER knows what magic Makefile glue is required. This is from maintainer's discussion on tech-pkg. Remove patch-af. Use LD_LIBS instead, which the build already knows about. Add custom settings for above platforms so they install correctly. Idea provided by maintainer on tech-pkg. I tweaked it more. I tested on NetBSD 2.0.2, Linux and DragonFly. Also remove blank line from end of Makefile.
Add DragonFly.mk file and now support DragonFly. This is from PR #30711. Thank you Joerg. Approved by maintainer (in PR).
Get rid of USE_PERL5. The new way to express needing the Perl executable around at either build-time or at run-time is: USE_TOOLS+= perl # build-time USE_TOOLS+= perl:run # run-time Also remove some places where perl5/buildlink3.mk was being included by a package Makefile, but all that the package wanted was the Perl executable.
Remove USE_GNU_TOOLS and replace with the correct USE_TOOLS definitions: USE_GNU_TOOLS -> USE_TOOLS awk -> gawk m4 -> gm4 make -> gmake sed -> gsed yacc -> bison
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.
Add a patch needed on OS/versions that don't have native pthreads. Patch provided by Matthew Luckie Bump PKGREVISION.
We can't install these libraries into ${PREFIX}/lib, since mozilla browsers might then falsely load these instead of their own. So: Install the libraries into their own directory. Bump PKGREVISION.
Initial import of devel/nss from pkgsrc-wip, provided by matthewluckie: Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards.
Initial revision