./devel/nss, Libraries to support development of security-enabled applications

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 3.46.1, Package name: nss-3.46.1, Maintainer: pkgsrc-users

Network Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled server applications.
Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7,
PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security
standards.


Required to run:
[databases/sqlite3] [devel/nspr]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: d287396e2225bb8b1abcdf7929829ba85d6eba53
RMD160: 92b3fa81c5810cfe9cee81c30073abe0f3e704c2
Filesize: 74626.755 KB

Version history: (Expand)


CVS history: (Expand)


   2019-10-04 14:35:15 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 3.46.1

Changelog:
* 1582343 - Soft token MAC verification not constant time
* 1577953 - Remove arbitrary HKDF output limit by allocating space as needed
   2019-09-19 21:14:39 by Tobias Nygren | Files touched by this commit (2)
Log message:
nss: aarch64 build fix

From OpenBSD. Similar to PR pkg/53353 for ARM. Although different symbols
missing in that case and that's believed to be fixed already.
   2019-09-06 04:54:47 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
Update to 3.46

Changelog:
Notable Changes:
 * The following CA certificates were Removed:
  - 1574670 - Remove expired Class 2 Primary root certificate
  - 1574670 - Remove expired UTN-USERFirst-Client root certificat
  - 1574670 - Remove expired Deutsche Telekom Root CA 2 root certificate
  - 1566569 - Remove Swisscom Root CA 2 root certificate
 * Significant improvements to AES-GCM performance on ARM

Bugs fixed in NSS 3.46:

 * 1572164 - Don't unnecessarily free session in NSC_WrapKey
 * 1574220 - Improve controls after errors in tstcln, selfserv and vfyserv
cmds
 * 1550636 - Upgrade SQLite in NSS to a 2019 version
 * 1572593 - Reset advertised extensions in ssl_ConstructExtensions
 * 1415118 - NSS build with ./build.sh --enable-libpkix fails
 * 1539788 - Add length checks for cryptographic primitives
 * 1542077 - mp_set_ulong and mp_set_int should return errors on bad values
 * 1572791 - Read out-of-bounds in DER_DecodeTimeChoice_Util from
SSLExp_DelegateCredential
 * 1560593 - Cleanup.sh script does not set error exit code for tests that
"Failed with core"
 * 1566601 - Add Wycheproof test vectors for AES-KW
 * 1571316 - curve25519_32.c:280: undefined reference to `PR_Assert' when
building NSS 3.45 on armhf-linux
 * 1516593 - Client to generate new random during renegotiation
 * 1563258 - fips.sh fails due to non-existent "resp" directories
 * 1561598 - Remove -Wmaybe-uninitialized warning in pqg.c
 * 1560806 - Increase softoken password max size to 500 characters
 * 1568776 - Output paths relative to repository in NSS coverity
 * 1453408 - modutil -changepw fails in FIPS mode if password is an empty
string
 * 1564727 - Use a PSS SPKI when possible for delegated credentials
 * 1493916 - fix ppc64 inline assembler for clang
 * 1561588 - Remove -Wmaybe-uninitialized warning in p7env.c
 * 1561548 - Remove -Wmaybe-uninitialized warning in
pkix_pl_ldapdefaultclient.c
 * 1512605 - Incorrect alert description after unencrypted Finished msg
 * 1564715 - Read /proc/cpuinfo when AT_HWCAP2 returns 0
 * 1532194 - Remove or fix -DDEBUG_$USER from make builds
 * 1565577 - Visual Studio's cl.exe -? hangs on Windows x64 when building nss
since changeset 9162c654d06915f0f15948fbf67d4103a229226f
 * 1564875 - Improve rebuilding with build.sh
 * 1565243 - Support TC_OWNER without email address in nss taskgraph
 * 1563778 - Increase maxRunTime on Mac taskcluster Tools, SSL tests
 * 1561591 - Remove -Wmaybe-uninitialized warning in tstclnt.c
 * 1561587 - Remove -Wmaybe-uninitialized warning in lgattr.c
 * 1561558 - Remove -Wmaybe-uninitialized warning in httpserv.c
 * 1561556 - Remove -Wmaybe-uninitialized warning in tls13esni.c
 * 1561332 - ec.c:28 warning: comparison of integers of different signs: 'int'
and 'unsigned long'
 * 1564714 - Print certutil commands during setup
 * 1565013 - HACL image builder times out while fetching gpg key
 * 1563786 - Update hacl-star docker image to pull specific commit
 * 1559012 - Improve GCM perfomance using PMULL2
 * 1528666 - Correct resumption validation checks
 * 1568803 - More tests for client certificate authentication
 * 1564284 - Support profile mobility across Windows and Linux
 * 1573942 - Gtest for pkcs11.txt with different breaking line formats
 * 1575968 - Add strsclnt option to enforce the use of either IPv4 or IPv6
 * 1549847 - Fix NSS builds on iOS
 * 1485533 - Enable NSS_SSL_TESTS on taskcluster
   2019-08-11 15:25:21 by Thomas Klausner | Files touched by this commit (3557) | Package updated
Log message:
Bump PKGREVISIONs for perl 5.30.0
   2019-08-02 05:25:34 by Ryo ONODERA | Files touched by this commit (1) | Package updated
Log message:
Update HOMEPAGE
   2019-07-30 14:18:43 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 3.45

Changelog:
New Functions

    in pk11pub.h:
	PK11_FindRawCertsWithSubject - Finds all certificates on the given
slot with the given subject distinguished name and returns them as DER bytes.
If no such certificates can be found, returns SECSuccess and sets *results to
NULL. If a failure is encountered while fetching any of the matching
certificates, SECFailure is returned and *results will be NULL.

Notable Changes in NSS 3.45

    Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
	This adds a new experimental function: SSL_DelegateCredential
	Note: In 3.45, selfserv does not yet support delegated credentials.
See Bug 1548360.
	Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming
change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated
credential for better policy enforcement. See Bug 1563078.
    Bug 1550579 - Replace ARM32 Curve25519 implementation with one from
fiat-crypto
    Bug 1551129 - Support static linking on Windows
    Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding
certificates with a given subject on a given slot
    Bug 1546229 - Add IPSEC IKE support to softoken
    Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
    Bug 1543874 - Expose an external clock for SSL
	This adds new experimental functions: SSL_SetTimeFunc,
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and
SSL_ReleaseAntiReplayContext.
	The experimental function SSL_InitAntiReplay is removed.
    Bug 1546477 - Various changes in response to the ongoing FIPS review
	Note: The source package size has increased substantially due to the
new FIPS test vectors. This will likely prompt follow-on work, but please
accept our apologies in the meantime.

Certificate Authority Changes

    The following CA certificates were Removed:
	Bug 1552374 - CN = Certinomis - Root CA
	    SHA-256 Fingerprint:
2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158

Bugs fixed in NSS 3.45

    Bug 1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
    Bug 1515342 - More thorough input checking (CVE-2019-11729)
    Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
(CVE-2019-11727)
    Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from
lib/freebl/pqg.c (static analysis)
    Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from
lib/freebl/pqg.c  (static analysis)
    Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
    Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags
could be faked. Only relevant for clients that might have copied the unit test
code verbatim
    Bug 1550022 - Ensure nssutil3 gets built on Android
    Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on
failure
    Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns
error
    Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
    Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors
using NSS
    Bug 1553443 - Send session ticket only after handshake is marked as
finished
    Bug 1550708 - Fix gyp scripts on Solaris SPARC so that
libfreebl_64fpu_3.so builds
    Bug 1554336 - Optimize away unneeded loop in mpi.c
    Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor
specific mechanism
    Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
    Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
    Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
    Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
    Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
    Bug 1561523 - Add a string for the new-ish error
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
   2019-06-22 05:54:04 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 3.44.1

Changelog:
3.44.1:
* 1554336 - Optimize away unneeded loop in mpi.c
* 1515342 - More thorough input checking
* 1540541 - Don't unnecessarily strip leading 0's from key material during
PKCS11 import
* 1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
* 1546229 - Add IPSEC IKE support to softoken
* 1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
* 1546477 - Updates to testing for FIPS validation
* 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
* 1551041 - Unbreak build on GCC < 4.3 big-endian
   2019-05-23 21:23:24 by Roland Illig | Files touched by this commit (242)
Log message:
all: replace SUBST_SED with the simpler SUBST_VARS

pkglint -Wall -r --only "substitution command" -F

With manual review and indentation fixes since pkglint doesn't get that
part correct in every case.