2016-04-11 21:02:08 by Ryo ONODERA | Files touched by this commit (527) |
Log message:
Recursive revbump from textproc/icu 57.1
|
2016-03-15 04:12:06 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.22.3
Changelog:
The NSS Development Team announces the release of NSS 3.22.3,
which is a patch release for NSS 3.22.
No new functionality is introduced in this release.
The following bugs have been resolved in NSS 3.22.3
* Bug 1243641 - Increase compatibility of TLS extended master secret,
don't send an empty TLS extension last in the handshake
|
2016-03-09 06:39:12 by Tobias Nygren | Files touched by this commit (1) |
Log message:
Don't arbitrarily use bundled zlib on some platforms and system's on others.
We do include zlib.buildlink3.mk, so make sure we always use that zlib.
Remove manual do-build target and set BUILD_DIRS instead.
Set MAKE_JOBS_SAFE=no. The previous do-build target didn't respect MAKE_JOBS.
Bump PKGREVISION.
|
2016-03-07 13:31:18 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.22.2
Changelog:
New root certificates backported from 3.23.
|
2016-02-25 13:12:50 by Jonathan Perkin | Files touched by this commit (39) |
Log message:
Use OPSYSVARS.
|
2016-02-17 23:00:14 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.22.1
Changelog:
The NSS Development Team announces the release of NSS 3.22.1
No new functionality is introduced in this release.
Notable Changes:
* NSS has been changed to use the PR_GetEnvSecure function that
was made available in NSPR 4.12
|
2016-02-06 23:09:56 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.22
Changelog:
The NSS team has released Network Security Services (NSS) 3.22,
which is a minor release.
New functionality:
* RSA-PSS signatures are now supported (bug 1215295)
* Pseudorandom functions based on hashes other than SHA-1 are now supported
* Enforce an External Policy on NSS from a config file (bug 1009429)
New Functions:
* PK11_SignWithMechanism - an extended version of PK11_Sign()
* PK11_VerifyWithMechanism - an extended version of PK11_Verify()
* SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
TLS extension data
* SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
TLS extension data
New Types:
* ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
* Constants for several object IDs are added to SECOidTag
New Macros:
* SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
* NSS_USE_ALG_IN_SSL
* NSS_USE_POLICY_IN_SSL
* NSS_RSA_MIN_KEY_SIZE
* NSS_DH_MIN_KEY_SIZE
* NSS_DSA_MIN_KEY_SIZE
* NSS_TLS_VERSION_MIN_POLICY
* NSS_TLS_VERSION_MAX_POLICY
* NSS_DTLS_VERSION_MIN_POLICY
* NSS_DTLS_VERSION_MAX_POLICY
* CKP_PKCS5_PBKD2_HMAC_SHA224
* CKP_PKCS5_PBKD2_HMAC_SHA256
* CKP_PKCS5_PBKD2_HMAC_SHA384
* CKP_PKCS5_PBKD2_HMAC_SHA512
* CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
* CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)
Notable Changes:
* NSS C++ tests are built by default, requiring a C++11 compiler.
Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.
The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.
|
2015-12-17 14:39:59 by Ryo ONODERA | Files touched by this commit (3) |
Log message:
Fix build under GCC 4.5.3 (NetBSD 6)
|
2015-11-20 19:54:50 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.21
* Disable gtest option
Changelog:
The NSS team has released Network Security Services (NSS) 3.21,
which is a minor release.
New functionality:
* certutil now supports a --rename option to change a nickname (bug 1142209)
* TLS extended master secret extension (RFC 7627) is supported (bug 1117022)
* New info functions added for use during mid-handshake callbacks (bug 1084669)
New Functions:
* NSS_OptionSet - sets NSS global options
* NSS_OptionGet - gets the current value of NSS global options
* SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
string, module parameters string, NSS specific parameters string, and NSS
configuration parameter string. The module represented by the module
structure is not loaded. The difference with SECMOD_CreateModule is the new
function handles NSS configuration parameter strings.
* SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
to the handshake being completed, for use with the callbacks that are invoked
during the handshake
* SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
for TLS
* SSL_SignaturePrefGet - retrieves the currently configured signature and hash
algorithms
* SSL_SignatureMaxCount - obtains the maximum number of signature algorithms that
can be configured with SSL_SignaturePrefSet
* NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
library string, module name string, module parameters string, NSS specific
parameters string, and NSS configuration parameter strings. The returned
strings must be freed by the caller. The difference with
NSS_ArgParseModuleSpec is the new function handles NSS configuration
parameter strings.
* NSSUTIL_MkModuleSpecEx - takes a shared library string, module name string,
module parameters string, NSS specific parameters string, and NSS
configuration parameter string and returns a module string which the caller
must free when it is done. The difference with NSS_MkModuleSpec is the new
function handles NSS configuration parameter strings.
New Types:
* CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_MASTER_KEY_DERIVE
* CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
CKM_TLS12_KEY_AND_MAC_DERIVE
* CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
* CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
* SSLHashType - identifies a hash function
* SSLSignatureAndHashAlg - identifies a signature and hash function
* SSLPreliminaryChannelInfo - provides information about the session state
prior to handshake completion
New Macros:
* NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum RSA key size
* NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DH key size
* NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
get the minimum DSA key size
* CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
* CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
* CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
ECDH) cipher suites
* CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
* CKM_TLS_MAC - computes TLS Finished MAC
* NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
exchange
* SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
DTLS record in a UDP packet
* SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
signature and hash algorithm is available
* SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
unsupported signature and hash algorithm is configured
* SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
master secret is missing after having been negotiated
* SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
extended master secret when previously not negotiated
* SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
master secret extension (RFC 7627)
* ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
TLS version has been selected
* ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
that a TLS cipher suite has been selected
* ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
preliminary information has been set
Notable Changes:
* NSS now builds with elliptic curve ciphers enabled by default (bug 1205688)
* NSS now builds with warnings as errors (bug 1182667)
* The following CA certificates were Removed
- CN = VeriSign Class 4 Public Primary Certification Authority - G3
- CN = UTN-USERFirst-Network Applications
- CN = TC TrustCenter Universal CA III
- CN = A-Trust-nQual-03
- CN = USERTrust Legacy Secure Server CA
- Friendly Name: Digital Signature Trust Co. Global CA 1
- Friendly Name: Digital Signature Trust Co. Global CA 3
- CN = UTN - DATACorp SGC
- O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
* The following CA certificate had the Websites trust bit turned off
- OU = Equifax Secure Certificate Authority
* The following CA certificates were Added
- CN = Certification Authority of WoSign G2
- CN = CA WoSign ECC Root
- CN = OISTE WISeKey Global Root GB CA
|
2015-11-03 17:55:07 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 3.20.1
Changelog:
The following security-relevant bugs have been resolved in NSS 3.20.1.
Users are encouraged to upgrade immediately.
* Bug 1192028 (CVE-2015-7181) and
Bug 1202868 (CVE-2015-7182):
Several issues existed within the ASN.1 decoder used by NSS for handling
streaming BER data. While the majority of NSS uses a separate, unaffected
DER decoder, several public routines also accept BER data, and thus are
affected. An attacker that successfully exploited these issues can overflow
the heap and may be able to obtain remote code execution.
|