* required for Firefox 77.0
Notable changes
* Update NSS to support PKCS#11 v3.0 (bmo#1603628)
* Support new PKCS #11 v3.0 Message Interface for AES-GCM and
ChaChaPoly (bmo#1623374)
* Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*
(bmo#1612493)
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=319
* Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
* Correct swapped PKCS11 values of CKM_AES_CMAC and
CKM_AES_CMAC_GENERAL (bmo#1611209)
* Complete integration of Wycheproof ECDH test cases (bmo#1612259)
* Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
* Fix a compilation error for ‘getFIPSEnv’ "defined but not used"
(bmo#1614786)
* Send DTLS version numbers in DTLS 1.3 supported_versions extension
to avoid an incompatibility. (bmo#1615208)
* SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
to be null-terminated (bmo#1538980)
* Correct a warning for comparison of integers of different signs:
'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
(bmo#1561337)
* Add test for mp_int clamping (bmo#1609751)
* Don't attempt to read the fips_enabled flag on the machine unless
NSS was built with FIPS enabled (bmo#1582169)
* Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
* Fix compiler warning in secsign.c (bmo#1617387)
* Fix an OpenBSD/arm64 compilation error: unused variable 'getauxval'
(bmo#1618400)
* Fix a crash on unaligned CMACContext.aes.keySchedule when using
AES-NI intrinsics (bmo#1610687)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=311
* Verified primitives from HACL* were updated, bringing performance
improvements for several platforms.
Note that Intel processors with SSE4 but without AVX are currently
unable to use the improved ChaCha20/Poly1305 due to a build issue;
such platforms will fall back to less optimized algorithms.
See bmo#1609569 for details.
* Updated DTLS 1.3 implementation to Draft-30.
See bmo#1599514 for details.
* Added NIST SP800-108 KBKDF - PKCS#11 implementation.
See bmo#1599603 for details.
* Several bugfixes and minor changes
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=308
- update to NSS 3.46.1
* required by Firefox 70.0
Notable changes in 3.46
* The following CA certificates were removed:
expired Class 2 Primary root certificate
expired UTN-USERFirst-Client root certificate
expired Deutsche Telekom Root CA 2 root certificate
Swisscom Root CA 2 root certificate
* Significant improvements to AES-GCM performance on ARM
Many bugfixes
Bug fixes in 3.46.1
* Soft token MAC verification not constant time (bmo#1582343)
* Remove arbitrary HKDF output limit by allocating space as needed
(bmo#1577953)
- requires NSPR 4.22
OBS-URL: https://build.opensuse.org/request/show/742855
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=148
* required by Firefox 70.0
Notable changes in 3.46
* The following CA certificates were removed:
expired Class 2 Primary root certificate
expired UTN-USERFirst-Client root certificate
expired Deutsche Telekom Root CA 2 root certificate
Swisscom Root CA 2 root certificate
* Significant improvements to AES-GCM performance on ARM
Many bugfixes
Bug fixes in 3.46.1
* Soft token MAC verification not constant time (bmo#1582343)
* Remove arbitrary HKDF output limit by allocating space as needed
(bmo#1577953)
- requires NSPR 4.22
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=293
- update to NSS 3.45 (bsc#1141322)
* required by Firefox 69.0
New functions
* PK11_FindRawCertsWithSubject - Finds all certificates on the
given slot with the given subject distinguished name and returns
them as DER bytes. If no such certificates can be found, returns
SECSuccess and sets *results to NULL. If a failure is encountered
while fetching any of the matching certificates, SECFailure is
returned and *results will be NULL.
Notable changes
* bmo#1540403 - Implement Delegated Credentials
* bmo#1550579 - Replace ARM32 Curve25519 implementation with one
from fiat-crypto
* bmo#1551129 - Support static linking on Windows
* bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for
finding certificates with a given subject on a given slot
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
* bmo#1543874 - Expose an external clock for SSL
* bmo#1546477 - Various changes in response to the ongoing FIPS review
Certificate Authority Changes
* The following CA certificates were removed:
bmo#1552374 - CN = Certinomis - Root CA
Bugs fixed
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
* bmo#1515342 - More thorough input checking (CVE-2019-11729)
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in
TLS 1.3 (CVE-2019-11727)
* bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed
OBS-URL: https://build.opensuse.org/request/show/720828
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=146
* required by Firefox 69.0
New functions
* PK11_FindRawCertsWithSubject - Finds all certificates on the
given slot with the given subject distinguished name and returns
them as DER bytes. If no such certificates can be found, returns
SECSuccess and sets *results to NULL. If a failure is encountered
while fetching any of the matching certificates, SECFailure is
returned and *results will be NULL.
Notable changes
* bmo#1540403 - Implement Delegated Credentials
* bmo#1550579 - Replace ARM32 Curve25519 implementation with one
from fiat-crypto
* bmo#1551129 - Support static linking on Windows
* bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for
finding certificates with a given subject on a given slot
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
* bmo#1543874 - Expose an external clock for SSL
* bmo#1546477 - Various changes in response to the ongoing FIPS review
Certificate Authority Changes
* The following CA certificates were removed:
bmo#1552374 - CN = Certinomis - Root CA
Bugs fixed
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import (CVE-2019-11719)
* bmo#1515342 - More thorough input checking (CVE-2019-11729)
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in
TLS 1.3 (CVE-2019-11727)
* bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=287
- update to NSS 3.44.1
* required by Firefox 68.0
Bugs fixed
* bmo#1554336 - Optimize away unneeded loop in mpi.c
* bmo#1515342 - More thorough input checking
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import
* bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
* bmo#1546477 - Updates to testing for FIPS validation
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
* bmo#1551041 - Unbreak build on GCC < 4.3 big-endian
- update to NSS 3.44
* required by Firefox 68.0
New functions
* CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate
Notable changes
* It is now possible to build NSS as a static library (bmo#1543545)
* Initial support for building for iOS
Bugs fixed
* full list
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes
- merge some baselibs fixes from SLE
OBS-URL: https://build.opensuse.org/request/show/713969
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=145
* required by Firefox 68.0
Bugs fixed
* bmo#1554336 - Optimize away unneeded loop in mpi.c
* bmo#1515342 - More thorough input checking
* bmo#1540541 - Don't unnecessarily strip leading 0's from key material
during PKCS11 import
* bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
* bmo#1546229 - Add IPSEC IKE support to softoken
* bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
* bmo#1546477 - Updates to testing for FIPS validation
* bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
* bmo#1551041 - Unbreak build on GCC < 4.3 big-endian
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=283
- update to NSS 3.43
* required by Firefox 67.0
New functions
* HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag
* SSL_SendCertificateRequest - allow server to request post-handshake
client authentication. To use this both peers need to enable the
SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism
is present, post-handshake authentication is currently not TLS 1.3
compliant due to bug 1532312
Notable changes
* The following CA certificates were added:
- emSign Root CA - G1
- emSign ECC Root CA - G3
- emSign Root CA - C1
- emSign ECC Root CA - C3
- Hongkong Post Root CA 3
Bugs fixed
* Improve Gyp build system handling (bmo#1528669, bmo#1529308)
* Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174)
* If Docker isn't installed, try running a local clang-format as a
fallback (bmo#1530134)
* Enable FIPS mode automatically if the system FIPS mode flag is set
(bmo#1531267)
* Add a -J option to the strsclnt command to specify sigschemes
(bmo#1528262)
* Add manual for nss-policy-check (bmo#1513909)
* Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074)
* Properly handle ESNI with HRR (bmo#1517714)
* Expose HKDF-Expand-Label with mechanism (bmo#1529813)
* Align TLS 1.3 HKDF trace levels (bmo#1535122)
OBS-URL: https://build.opensuse.org/request/show/702840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=144
* required by Firefox 67.0
New functions
* HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag
* SSL_SendCertificateRequest - allow server to request post-handshake
client authentication. To use this both peers need to enable the
SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism
is present, post-handshake authentication is currently not TLS 1.3
compliant due to bug 1532312
Notable changes
* The following CA certificates were added:
- emSign Root CA - G1
- emSign ECC Root CA - G3
- emSign Root CA - C1
- emSign ECC Root CA - C3
- Hongkong Post Root CA 3
Bugs fixed
* Improve Gyp build system handling (bmo#1528669, bmo#1529308)
* Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174)
* If Docker isn't installed, try running a local clang-format as a
fallback (bmo#1530134)
* Enable FIPS mode automatically if the system FIPS mode flag is set
(bmo#1531267)
* Add a -J option to the strsclnt command to specify sigschemes
(bmo#1528262)
* Add manual for nss-policy-check (bmo#1513909)
* Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074)
* Properly handle ESNI with HRR (bmo#1517714)
* Expose HKDF-Expand-Label with mechanism (bmo#1529813)
* Align TLS 1.3 HKDF trace levels (bmo#1535122)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=280
will be required by FF66 to be submitted soon
- update to NSS 3.42.1
* required by Firefox 66.0
New functionality
* Support XDG basedir specification (bmo#818686)
Notable changes
* added some testcases from the Wycheproof project
Bugs fixed
* Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006)
* A fix for Solaris where Firefox 60 core dumps during start when
using profile from version 52 (bmo#1513913)
OBS-URL: https://build.opensuse.org/request/show/686019
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=143
* required by Firefox 66.0
New functionality
* Support XDG basedir specification (bmo#818686)
Notable changes
* added some testcases from the Wycheproof project
Bugs fixed
* Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006)
* A fix for Solaris where Firefox 60 core dumps during start when
using profile from version 52 (bmo#1513913)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=278
- update to NSS 3.41.1
* (3.41) required by Firefox 65.0
New functionality
* Implemented EKU handling for IPsec IKE. (bmo#1252891)
* Enable half-closed states for TLS. (bmo#1423043)
* Enabled the following ciphersuites by default: (bmo#1493215)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
Notable changes
* The following CA certificates were added:
CN = Certigna Root CA
CN = GTS Root R1
CN = GTS Root R2
CN = GTS Root R3
CN = GTS Root R4
CN = UCA Global G2 Root
CN = UCA Extended Validation Root
* The following CA certificates were removed:
CN = AC Raíz Certicámara S.A.
CN = Certplus Root CA G1
CN = Certplus Root CA G2
CN = OpenTrust Root CA G1
CN = OpenTrust Root CA G2
CN = OpenTrust Root CA G3
Bugs fixed
* Reject empty supported_signature_algorithms in Certificate
Request in TLS 1.2 (bmo#1412829)
* Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)
OBS-URL: https://build.opensuse.org/request/show/669997
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=142
* (3.41) required by Firefox 65.0
New functionality
* Implemented EKU handling for IPsec IKE. (bmo#1252891)
* Enable half-closed states for TLS. (bmo#1423043)
* Enabled the following ciphersuites by default: (bmo#1493215)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_GCM_SHA384
Notable changes
* The following CA certificates were added:
CN = Certigna Root CA
CN = GTS Root R1
CN = GTS Root R2
CN = GTS Root R3
CN = GTS Root R4
CN = UCA Global G2 Root
CN = UCA Extended Validation Root
* The following CA certificates were removed:
CN = AC Raíz Certicámara S.A.
CN = Certplus Root CA G1
CN = Certplus Root CA G2
CN = OpenTrust Root CA G1
CN = OpenTrust Root CA G2
CN = OpenTrust Root CA G3
Bugs fixed
* Reject empty supported_signature_algorithms in Certificate
Request in TLS 1.2 (bmo#1412829)
* Cache side-channel variant of the Bleichenbacher attack (bmo#1485864)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=276