ryoon 12982d4c82 Update to 3.45 ... Changelog: New Functions in pk11pub.h: PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable Changes in NSS 3.45 Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts) This adds a new experimental function: SSL_DelegateCredential Note: In 3.45, selfserv does not yet support delegated credentials. See Bug 1548360. Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated credential for better policy enforcement. See Bug 1563078. Bug 1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto Bug 1551129 - Support static linking on Windows Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot Bug 1546229 - Add IPSEC IKE support to softoken Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23) Bug 1543874 - Expose an external clock for SSL This adds new experimental functions: SSL_SetTimeFunc, SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and SSL_ReleaseAntiReplayContext. The experimental function SSL_InitAntiReplay is removed. Bug 1546477 - Various changes in response to the ongoing FIPS review Note: The source package size has increased substantially due to the new FIPS test vectors. This will likely prompt follow-on work, but please accept our apologies in the meantime. Certificate Authority Changes The following CA certificates were Removed: Bug 1552374 - CN = Certinomis - Root CA SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158 Bugs fixed in NSS 3.45 Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) Bug 1515342 - More thorough input checking (CVE-2019-11729) Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis) Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis) Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags could be faked. Only relevant for clients that might have copied the unit test code verbatim Bug 1550022 - Ensure nssutil3 gets built on Android Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on failure Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors using NSS Bug 1553443 - Send session ticket only after handshake is marked as finished Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so builds Bug 1554336 - Optimize away unneeded loop in mpi.c Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work Bug 1561523 - Add a string for the new-ish error SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION		2019-07-30 12:18:43 +00:00
..
files
patches	Update to 3.44	2019-05-16 14:08:16 +00:00
buildlink3.mk	Do not conflict with MD5_Update from OpenSSL	2019-05-05 22:47:27 +00:00
DESCR
distinfo	Update to 3.45	2019-07-30 12:18:43 +00:00
Makefile	Update to 3.45	2019-07-30 12:18:43 +00:00
PLIST