author: ryoon <ryoon@pkgsrc.org> 2019-07-30 12:18:43 +0000
committer: ryoon <ryoon@pkgsrc.org> 2019-07-30 12:18:43 +0000
commit: 6f66a6a028b009d0fddc51378a91c32d4d4ee1b3
tree: 9cae5c804025e5b5ac0275d7bb3ff90591f0b13d /devel/nss
parent: adbbed397a28c0a0a06b4413828e45f81f823e74
Update to 3.45

Changelog:

New Functions in pk11pub.h:
  PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL.

Notable Changes in NSS 3.45
  Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
    This adds a new experimental function: SSL_DelegateCredential
    Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360.
    Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078.
  Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto
  Bug 1551129 - Support static linking on Windows
  Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot
  Bug 1546229 - Add IPSEC IKE support to softoken
  Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
  Bug 1543874 - Expose an external clock for SSL
    This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext.
    The experimental function SSL_InitAntiReplay is removed.
  Bug 1546477 - Various changes in response to the ongoing FIPS review
    Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime.

Certificate Authority Changes
  The following CA certificates were Removed:
  Bug 1552374 - CN = Certinomis - Root CA
    SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158

Bugs fixed in NSS 3.45
  Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719)
  Bug 1515342 - More thorough input checking (CVE-2019-11729)
  Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727)
  Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
  Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
  Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
  Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim
  Bug 1550022 - Ensure nssutil3 gets built on Android
  Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure
  Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
  Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
  Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS
  Bug 1553443 - Send session ticket only after handshake is marked as finished
  Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds
  Bug 1554336 - Optimize away unneeded loop in mpi.c
  Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
  Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
  Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
  Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
  Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
  Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
  Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION

Diffstat (limited to 'devel/nss')
-rw-r--r-- devel/nss/Makefile 4
-rw-r--r-- devel/nss/distinfo 10
2 files changed, 7 insertions, 7 deletions
diff --git a/devel/nss/Makefile b/devel/nss/Makefile
index c8eaa2a2999..b66074fa12f 100644
--- a/devel/nss/Makefile
+++ b/devel/nss/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.168 2019/06/22 03:54:04 ryoon Exp $
+# $NetBSD: Makefile,v 1.169 2019/07/30 12:18:43 ryoon Exp $
DISTNAME= nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE= 3.44.1
+NSS_RELEASE= 3.45.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
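Review bot: The new value on the `NSS_RELEASE= 3.45.0` line carries a trailing `.0` that the upstream distfile name does not have, and nothing in the Makefile says why. The distinfo entries are for nss-3.45.tar.gz, so the build depends on the `:S/.0$//` modifier in DISTNAME and the `:S/_0$//` modifier in MASTER_SITES to strip it again, whereas the previous value 3.44.1 passed through both untouched. A one-line comment above NSS_RELEASE stating that the three-component form is deliberate and is trimmed for the distfile name and download directory would stop a later updater from "correcting" it to 3.45. Separately, the changelog in the log message lists three CVE fixes (CVE-2019-11719, CVE-2019-11729, CVE-2019-11727) but the subject is only "Update to 3.45"; naming it as a security update in the first line would make it easier to pick out for stable-branch pullups.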
diff --git a/devel/nss/distinfo b/devel/nss/distinfo
index a7ecb7c1759..f4056e09d5b 100644
--- a/devel/nss/distinfo
+++ b/devel/nss/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.97 2019/06/22 03:54:04 ryoon Exp $
+$NetBSD: distinfo,v 1.98 2019/07/30 12:18:43 ryoon Exp $
-SHA1 (nss-3.44.1.tar.gz) = 75c05f0a0677f47d8fd3848c8b8daa72c7e0b58a
-RMD160 (nss-3.44.1.tar.gz) = ecc7be154ece25fa55fe5f4dc221a97b94337395
-SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
-Size (nss-3.44.1.tar.gz) = 75986343 bytes
+SHA1 (nss-3.45.tar.gz) = bfbb1b7b429c4dbe649ded90f73ec9dac6cd54b8
+RMD160 (nss-3.45.tar.gz) = 610ee052bdcba83f1d5d47c8fa20bb9947c820fa
+SHA512 (nss-3.45.tar.gz) = 33360a1bb4e0a0a974070c354ee82c515d5cfa2a12c9c96817a9fdb3e4ca1ad62eb95886b9b0d60e2f69efda964376d0671c1e3c920b2ea614aeecb719c6ff29
+Size (nss-3.45.tar.gz) = 76017462 bytes
SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1
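Review bot: The four replaced distfile lines for nss-3.45.tar.gz come with no statement of where the digests were checked, so as submitted they only prove that the file the committer fetched hashes to itself. Please confirm the SHA512 value against a digest obtained independently of that download (for example one published by upstream alongside the release) and say so in the log; SHA1 and RMD160 add little on their own, so SHA512 is the line that needs to be right. The patch-am, patch-an and patch-md checksums are unchanged context here, which asserts that those local patches still apply cleanly to the 3.45 sources without regeneration; that is worth confirming, since the changelog mentions changes to freebl, softoken and the build scripts.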