head 1.11; access; symbols pkgsrc-2026Q2:1.11.0.2 pkgsrc-2026Q2-base:1.11 pkgsrc-2026Q1:1.10.0.2 pkgsrc-2026Q1-base:1.10 pkgsrc-2025Q4:1.9.0.38 pkgsrc-2025Q4-base:1.9 pkgsrc-2025Q3:1.9.0.36 pkgsrc-2025Q3-base:1.9 pkgsrc-2025Q2:1.9.0.34 pkgsrc-2025Q2-base:1.9 pkgsrc-2025Q1:1.9.0.32 pkgsrc-2025Q1-base:1.9 pkgsrc-2024Q4:1.9.0.30 pkgsrc-2024Q4-base:1.9 pkgsrc-2024Q3:1.9.0.28 pkgsrc-2024Q3-base:1.9 pkgsrc-2024Q2:1.9.0.26 pkgsrc-2024Q2-base:1.9 pkgsrc-2024Q1:1.9.0.24 pkgsrc-2024Q1-base:1.9 pkgsrc-2023Q4:1.9.0.22 pkgsrc-2023Q4-base:1.9 pkgsrc-2023Q3:1.9.0.20 pkgsrc-2023Q3-base:1.9 pkgsrc-2023Q2:1.9.0.18 pkgsrc-2023Q2-base:1.9 pkgsrc-2023Q1:1.9.0.16 pkgsrc-2023Q1-base:1.9 pkgsrc-2022Q4:1.9.0.14 pkgsrc-2022Q4-base:1.9 pkgsrc-2022Q3:1.9.0.12 pkgsrc-2022Q3-base:1.9 pkgsrc-2022Q2:1.9.0.10 pkgsrc-2022Q2-base:1.9 pkgsrc-2022Q1:1.9.0.8 pkgsrc-2022Q1-base:1.9 pkgsrc-2021Q4:1.9.0.6 pkgsrc-2021Q4-base:1.9 pkgsrc-2021Q3:1.9.0.4 pkgsrc-2021Q3-base:1.9 pkgsrc-2021Q2:1.9.0.2 pkgsrc-2021Q2-base:1.9 pkgsrc-2021Q1:1.8.0.8 pkgsrc-2021Q1-base:1.8 pkgsrc-2020Q4:1.8.0.6 pkgsrc-2020Q4-base:1.8 pkgsrc-2020Q3:1.8.0.4 pkgsrc-2020Q3-base:1.8 pkgsrc-2020Q2:1.8.0.2 pkgsrc-2020Q2-base:1.8 pkgsrc-2020Q1:1.6.0.2 pkgsrc-2020Q1-base:1.6 pkgsrc-2019Q4:1.5.0.4 pkgsrc-2019Q4-base:1.5 pkgsrc-2019Q3:1.4.0.2 pkgsrc-2019Q3-base:1.4 pkgsrc-2019Q2:1.3.0.12 pkgsrc-2019Q2-base:1.3 pkgsrc-2019Q1:1.3.0.10 pkgsrc-2019Q1-base:1.3 pkgsrc-2018Q4:1.3.0.8 pkgsrc-2018Q4-base:1.3 pkgsrc-2018Q3:1.3.0.6 pkgsrc-2018Q3-base:1.3 pkgsrc-2018Q2:1.3.0.4 pkgsrc-2018Q2-base:1.3 pkgsrc-2018Q1:1.3.0.2 pkgsrc-2018Q1-base:1.3 pkgsrc-2017Q4:1.2.0.38 pkgsrc-2017Q4-base:1.2 pkgsrc-2017Q3:1.2.0.36 pkgsrc-2017Q3-base:1.2 pkgsrc-2017Q2:1.2.0.32 pkgsrc-2017Q2-base:1.2 pkgsrc-2017Q1:1.2.0.30 pkgsrc-2017Q1-base:1.2 pkgsrc-2016Q4:1.2.0.28 pkgsrc-2016Q4-base:1.2 pkgsrc-2016Q3:1.2.0.26 pkgsrc-2016Q3-base:1.2 pkgsrc-2016Q2:1.2.0.24 pkgsrc-2016Q2-base:1.2 pkgsrc-2016Q1:1.2.0.22 pkgsrc-2016Q1-base:1.2 pkgsrc-2015Q4:1.2.0.20 pkgsrc-2015Q4-base:1.2 pkgsrc-2015Q3:1.2.0.18 pkgsrc-2015Q3-base:1.2 pkgsrc-2015Q2:1.2.0.16 pkgsrc-2015Q2-base:1.2 pkgsrc-2015Q1:1.2.0.14 pkgsrc-2015Q1-base:1.2 pkgsrc-2014Q4:1.2.0.12 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.2.0.10 pkgsrc-2014Q3-base:1.2 pkgsrc-2014Q2:1.2.0.8 pkgsrc-2014Q2-base:1.2 pkgsrc-2014Q1:1.2.0.6 pkgsrc-2014Q1-base:1.2 pkgsrc-2013Q4:1.2.0.4 pkgsrc-2013Q4-base:1.2 pkgsrc-2013Q3:1.2.0.2 pkgsrc-2013Q3-base:1.2 pkgsrc-2013Q2:1.1.0.10 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.8 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.6 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.4 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.2 pkgsrc-2012Q2-base:1.1; locks; strict; comment @# @; 1.11 date 2026.03.25.22.48.10; author wiz; state Exp; branches; next 1.10; commitid cb5Btf41DFbarpzG; 1.10 date 2026.02.25.21.35.03; author wiz; state Exp; branches; next 1.9; commitid dO2dxQ5iJM9RVNvG; 1.9 date 2021.04.09.06.40.59; author wiz; state Exp; branches; next 1.8; commitid LyiaXY3PbpR7hAOC; 1.8 date 2020.04.12.15.13.34; author tnn; state Exp; branches; next 1.7; commitid 4eQcleLSsoDLL64C; 1.7 date 2020.04.12.10.25.17; author tnn; state Exp; branches; next 1.6; commitid UdgDlAARLVUMa54C; 1.6 date 2020.01.10.03.43.20; author ryoon; state Exp; branches; next 1.5; commitid 7DacMtbSgsZjW5SB; 1.5 date 2019.12.03.14.29.21; author ryoon; state Exp; branches 1.5.4.1; next 1.4; commitid klMwkDA10WWFJgNB; 1.4 date 2019.09.19.19.14.39; author tnn; state Exp; branches; next 1.3; commitid jg5k3GKIsFwCIEDB; 1.3 date 2018.01.22.11.43.14; author jperkin; state Exp; branches; next 1.2; commitid TQpETcP3OFBOFRnA; 1.2 date 2013.07.20.09.28.12; author ryoon; state Exp; branches; next 1.1; commitid vGlStYxlQ9FPRbYw; 1.1 date 2012.04.18.21.01.42; author ryoon; state Exp; branches; next ; 1.5.4.1 date 2020.01.18.22.29.05; author bsiegert; state Exp; branches; next ; commitid CvjHj18UGlbBUdTB; desc @@ 1.11 log @nss: update to 3.122.0. - Bug 2023209 - ensure permittedSubtrees don't match wildcards that could be outside the permitted tree. - Bug 2023664 - run mach doc-lint from generate_release_doc.py. - Bug 2023207 - Fix integer underflow in tls13_AEAD when ciphertext is shorter than tag. - Bug 2020614 - tls13_CopyEchConfigs uses PR_LIST_TAIL instead of loop variable. - Bug 2021911 - fix cipher spec count intermittent CI failures. - Bug 2021913 - fix Mlkem768x25519ShareDamager intermittent CI failures. - Bug 2023437 - lint the legacy documentation. - Bug 2023437 - lint the NSS 3.112.3 release notes. - Bug 2023437 - add a doc-lint CI job. - Bug 2020224 - Add more useful coverage reports to CI and fail if new commit isn't tested. - Bug 1472747 - wrong alert for malformed TLS 1.3 Finished. - Bug 1916429 - Swap order of asserts and state check. - Bug 2022149 - set correct value of unused curve parameters in tls13_HandleKeyShare. - Bug 2017929 - GCM needs to check for various limits in FIPS mode. - Bug 2017938 - Get Key Length not working from ED and Montgomery keys. - Bug 2017927 - Not all ike modes are FIPS approved. Adjust the indicators when they aren't. - Bug 2020721 - fix intermittent ssl.sh test failures on windows runners. - Bug 2017918 - FIPS indicators on HKDF needs to be restricted to TLS usage. - Bug 2017920 - Generate keys not getting indicators. - Bug 2020612 - improve error handling in smime_init_once. - Bug 1987288 - Detect CPU features on OpenBSD using elf_aux_info. - Bug 2019357 - RSA_EMSAEncodePSS should validate the length of mHash. - Bug 2020442 - more robustly distinguish SFTKSessionObject and SFTKTokenObjects. - Bug 2019194 - fix missing .S file error in Solaris Makefile builds. - Bug 2020486 - fix memory leak in NSC_GenerateKey error path. - Bug 2020615 - Missing SECFailure return after FATAL_ERROR in tls13_HandleEncryptedExtensions. - Bug 2020613 - release xmit buf lock on dtls13_MaybeSendKeyUpdate error paths. - Bug 2020849 - release 1stHandshakeLock on SSL_ResetHandshake error path. - Bug 2020188 - avoid null deref in mp_div_d sign normalization. - Bug 2017945 - Temp private key lifecycle is broken. - Bug 1851073 - protect rwSessionCount with slotLock. - Bug 2019224 - Remove invalid PORT_Free(). - Bug 1828713 - Fix intermittent ClientGreaseKeyShare test failure. - Bug 2018200 - Fix kCtxStr len passed to tls_SignOrVerifyUpdate. - Bug 2019760 - patch upstream acvp-rust during checkout to avoid build failures. - Bug 2019760 - update acvp Dockerfile. - Bug 2017997 - CKA_PARAM_SET missing from the CK_ULONG list in softoken. - Bug 2018000 - CKA_SEED missing from isPrivate in the database. - Bug 2019717 - update abicheck expectation for __nss_InitLock. - Bug 2019327 - taskcluster: set NSS_DISABLE_LIBPKIX=1 in test env for static builds. - Bug 2019327 - tests: fix setup_policy to use ROOTCERTSFILE for root cert module path. - Bug 2019327 - tests: fix selfserv/httpserv PID handling and wait exit code for MSYS_NT. - Bug 2019327 - tests: add native_path helper for cross-platform path conversion. - Bug 2019327 - tstclnt, strsclnt: avoid DNS lookup for loopback addresses on Windows. - Bug 2019090 - avoid platform GCM for x64 iOS emulator builds. - Bug 2012002 - remove lock instrumentation feature. - Bug 2017923 - Move FIPS indicator structures out of fips_algorithms.h. - Bug 2018064 - all.sh is failing in FIPS SSL test in main tree. - Bug 1975973 - fix memory leaks in crmf tests. - Bug 2012547 - fix unsatisfiable condition in lg_getTrust. - Bug 2006218 - allow selfserv makefile build to use system zlib. - Bug 2002247 - Add allocation limit to pkcs12 decoding. - Bug 2012406 - Add text/html single-line example emails to NSS S/SMIME CMS tests. @ text @$NetBSD: patch-me,v 1.10 2026/02/25 21:35:03 wiz Exp $ clang for SunOS(?) --- nss/lib/freebl/Makefile.orig 2026-02-19 09:30:44.000000000 +0000 +++ nss/lib/freebl/Makefile @@@@ -508,7 +508,11 @@@@ else ifdef NS_USE_GCC LD = gcc AS = gcc + ifdef CC_IS_CLANG + ASFLAGS = -no-integrated-as + else ASFLAGS = -x assembler-with-cpp + endif endif ifeq ($(USE_64),1) # Solaris for AMD64 @ 1.10 log @nss: try fixing Solaris build using upstream suggestion @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.9 2021/04/09 06:40:59 wiz Exp $ a4 3 Try using preprocessed assembler file https://bugzilla.mozilla.org/show_bug.cgi?id=2019194 a18 9 @@@@ -517,7 +521,7 @@@@ else ASFLAGS += -march=opteron -m64 -fPIC MPI_SRCS += mp_comba.c # comment the next four lines to turn off Intel HW acceleration - ASFILES += intel-gcm.S + ASFILES += intel-gcm.s EXTRA_SRCS += intel-gcm-wrap.c DEFINES += -DHAVE_PLATFORM_GCM INTEL_GCM = 1 @ 1.9 log @nss: fix interoperability with openssl For a long time now (at least 15 years), the installed pkg-config file also linked against libsoftokn3, which is wrong according to upstream. This library is only intended to be loaded as a module. Having this library linked added symbols to the namespace that conflict with openssl symbols. This had caused problems before, and patches had been added to rename symbols to avoid this conflict. Instead, fix this correctly by not linking against libsoftokn3. Switch to using the pkg-config and nss-config files provided in the distfiles instead of pkgsrc-specific ones. Remove now unneeded symbol-renaming patches. Remove DragonFly patches while here. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.8 2020/04/12 15:13:34 tnn Exp $ d5 4 a8 1 --- nss/lib/freebl/Makefile.orig 2020-03-06 18:44:20.000000000 +0000 d10 1 a10 1 @@@@ -472,7 +472,11 @@@@ else d22 9 @ 1.8 log @g/c stale comment @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.7 2020/04/12 10:25:17 tnn Exp $ d3 1 a3 1 Add DragonFly support. a6 9 @@@@ -320,7 +320,7 @@@@ endif # to bind the blapi function references in FREEBLVector vector # (ldvector.c) to the blapi functions defined in the freebl # shared libraries. -ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET))) +ifeq (,$(filter-out BSD_OS DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET))) MKSHLIB += -Wl,-Bsymbolic endif @ 1.7 log @nss: delete patch hunk which should no longer be necessary @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.6 2020/01/10 03:43:20 ryoon Exp $ a3 1 Always include GCM for aarch64. @ 1.6 log @nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM perfomance on aarch32 @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.5 2019/12/03 14:29:21 ryoon Exp $ d6 1 a6 1 --- nss/lib/freebl/Makefile.orig 2020-01-03 20:27:43.000000000 +0000 d8 1 a8 20 @@@@ -101,6 +101,9 @@@@ endif ifdef NSS_NO_INIT_SUPPORT DEFINES += -DNSS_NO_INIT_SUPPORT endif +ifeq ($(CPU_ARCH),aarch64) + EXTRA_SRCS += gcm-aarch64.c +endif ifdef FREEBL_PRELINK_COMMAND DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\" @@@@ -121,7 +124,7 @@@@ endif endif ifeq ($(CPU_ARCH),aarch64) DEFINES += -DUSE_HW_AES - EXTRA_SRCS += aes-armv8.c gcm-aarch64.c + EXTRA_SRCS += aes-armv8.c endif ifeq ($(CPU_ARCH),arm) EXTRA_SRCS += gcm-arm32-neon.c @@@@ -320,7 +323,7 @@@@ endif d17 1 a17 1 @@@@ -472,7 +475,11 @@@@ else @ 1.5 log @Update to 3.47.1 Changelog: NSS 3.47.1 includes: * CVE-2019-11745 - EncryptUpdate should use maxout, not block size * Bug 1590495 - Fix a crash that could be caused by client certificates during startup * Bug 1589810 - Fix compile-time warnings from uninitialized variables in a perl script NSS 3.47.1 requires NSPR 4.23 or newer. The HG tag is NSS_3_47_1_RTM. @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.4 2019/09/19 19:14:39 tnn Exp $ d6 1 a6 1 --- nss/lib/freebl/Makefile.orig 2019-11-19 19:55:30.000000000 +0000 d26 2 a27 2 ifdef CC_IS_CLANG @@@@ -318,7 +321,7 @@@@ endif d36 1 a36 1 @@@@ -470,7 +473,11 @@@@ else @ 1.5.4.1 log @Pullup ticket #6117 - requested by nia devel/nss: dependent update (for Firefox) Revisions pulled up: - devel/nss/Makefile 1.175-1.177 - devel/nss/distinfo 1.103-1.105 - devel/nss/patches/patch-me 1.6 - devel/nss/patches/patch-nss_coreconf_command.mk 1.4 --- Module Name: pkgsrc Committed By: ryoon Date: Sat Dec 28 23:04:05 UTC 2019 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-nss_coreconf_command.mk Log Message: Update to 3.48 Changelog: Notable Changes in NSS 3.48 * TLS 1.3 is the default maximum TLS version. See Bug 1573118 for details. * TLS extended master secret is enabled by default, where possible. See Bug 1575411 for details. * The master password PBE now uses 10,000 iterations by default when using the default sql (key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm (key3.db) storage creates files that are incompatible with previous versions of NSS, applications that wish to enable it for key3.db are required to set environment variable NSS_ALLOW_LEGACY_DBM_ITERATION_COUNT=1. Applications may set environment variable NSS_MIN_MP_PBE_ITERATION_COUNT to request a higher iteration count than the library's default, or NSS_MAX_MP_PBE_ITERATION_COUNT to request a lower iteration count for test environments. See Bug 1562671 for details. Certificate Authority Changes The following CA certificates were Added: * Bug 1591178 - Entrust Root Certification Authority - G4 Cert SHA-256 Fingerprint: DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88 Bugs fixed in NSS 3.48 * Bug 1586176 - EncryptUpdate should use maxout not block size (CVE-2019-11745) -- Note that this was previously fixed in NSS 3.44.3 and 3.47.1. * Bug 1600775 - Require NSPR 4.24 for NSS 3.48 * Bug 1593401 - Fix race condition in self-encrypt functions * Bug 1599545 - Fix assertion and add test for early Key Update * Bug 1597799 - Fix a crash in nssCKFWObject_GetAttributeSize * Bug 1591178 - Add Entrust Root Certification Authority - G4 certificate to NSS * Bug 1590001 - Prevent negotiation of versions lower than 1.3 after HelloRetryRequest * Bug 1596450 - Added a simplified and unified MAC implementation for HMAC and CMAC behind PKCS#11 * Bug 1522203 - Remove an old Pentium Pro performance workaround * Bug 1592557 - Fix PRNG known-answer-test scripts * Bug 1593141 - add `notBefore` or similar "beginning-of-validity-period" parameter to mozilla::pkix::TrustDomain::CheckRevocation * Bug 1591363 - Fix a PBKDF2 memory leak in NSC_GenerateKey if key length > MAX_KEY_LEN (256) * Bug 1592869 - Use ARM NEON for ctr_xor * Bug 1566131 - Ensure SHA-1 fallback disabled in TLS 1.2 * Bug 1577803 - Mark PKCS#11 token as friendly if it implements CKP_PUBLIC_CERTIFICATES_TOKEN * Bug 1566126 - POWER GHASH Vector Acceleration * Bug 1589073 - Use of new PR_ASSERT_ARG in certdb.c * Bug 1590495 - Fix a crash in PK11_MakeCertFromHandle * Bug 1591742 - Ensure DES IV length is valid before usage from PKCS#11 * Bug 1588567 - Enable mozilla::pkix gtests in NSS CI * Bug 1591315 - Update NSC_Decrypt length in constant time * Bug 1562671 - Increase NSS MP KDF default iteration count, by default for modern key4 storage, optionally for legacy key3.db storage * Bug 1590972 - Use -std=c99 rather than -std=gnu99 * Bug 1590676 - Fix build if ARM doesn't support NEON * Bug 1575411 - Enable TLS extended master secret by default * Bug 1590970 - SSL_SetTimeFunc has incomplete coverage * Bug 1590678 - Remove -Wmaybe-uninitialized warning in tls13esni.c * Bug 1588244 - NSS changes for Delegated Credential key strength checks * Bug 1459141 - Add more CBC padding tests that missed NSS 3.47 * Bug 1590339 - Fix a memory leak in btoa.c * Bug 1589810 - fix uninitialized variable warnings from certdata.perl * Bug 1573118 - Enable TLS 1.3 by default in NSS --- Module Name: pkgsrc Committed By: ryoon Date: Fri Jan 10 03:43:20 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo pkgsrc/devel/nss/patches: patch-me Log Message: nss: Update to 3.49 Changelog: Notable Changes in NSS 3.49 * The legacy DBM database, libnssdbm, is no longer built by default when using gyp builds. See Bug 1594933 for details. Bugs fixed in NSS 3.49 * Bug 1513586 - Set downgrade sentinel for client TLS versions lower than 1.2. * Bug 1606025 - Remove -Wmaybe-uninitialized warning in sslsnce.c * Bug 1606119 - Fix PPC HW Crypto build failure * Bug 1605545 - Memory leak in Pk11Install_Platform_Generate * Bug 1602288 - Fix build failure due to missing posix signal.h * Bug 1588714 - Implement CheckARMSupport for Win64/aarch64 * Bug 1585189 - NSS database uses 3DES instead of AES to encrypt DB entries * Bug 1603257 - Fix UBSAN issue in softoken CKM_NSS_CHACHA20_CTR initialization * Bug 1590001 - Additional HRR Tests (CVE-2019-17023) * Bug 1600144 - Treat ClientHello with message_seq of 1 as a second ClientHello * Bug 1603027 - Test that ESNI is regenerated after HelloRetryRequest * Bug 1593167 - Intermittent mis-reporting potential security risk SEC_ERROR_UNKNOWN_ISSUER * Bug 1535787 - Fix automation/release/nss-release-helper.py on MacOS * Bug 1594933 - Disable building DBM by default * Bug 1562548 - Improve GCM perfomance on aarch32 --- Module Name: pkgsrc Committed By: ryoon Date: Tue Jan 14 12:58:08 UTC 2020 Modified Files: pkgsrc/devel/nss: Makefile distinfo Log Message: nss: Update to 3.49.1 * Bump nspr requirement Changelog: No new functionality is introduced in these releases. These releases fix a performance issue: - Bug 1606992 - Cache the most recent PBKDF2 password hash, to speed up repeated SDR operations, important with the increased KDF iteration counts. @ text @d1 1 a1 1 $NetBSD$ d6 1 a6 1 --- nss/lib/freebl/Makefile.orig 2020-01-03 20:27:43.000000000 +0000 d26 2 a27 2 EXTRA_SRCS += gcm-arm32-neon.c @@@@ -320,7 +323,7 @@@@ endif d36 1 a36 1 @@@@ -472,7 +475,11 @@@@ else @ 1.4 log @nss: aarch64 build fix From OpenBSD. Similar to PR pkg/53353 for ARM. Although different symbols missing in that case and that's believed to be fixed already. @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.3 2018/01/22 11:43:14 jperkin Exp $ d6 1 a6 1 --- nss/lib/freebl/Makefile.orig 2019-08-30 15:46:32.000000000 +0000 d8 3 a10 3 @@@@ -119,6 +119,9 @@@@ else DEFINES += -DNSS_X86 endif d16 3 a18 5 ifeq ($(OS_TARGET),OSF1) DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD @@@@ -242,9 +245,6 @@@@ ifeq ($(CPU_ARCH),arm) DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512 MPI_SRCS += mpi_arm.c d20 8 a27 7 -ifeq ($(CPU_ARCH),aarch64) - EXTRA_SRCS += gcm-aarch64.c -endif ifeq ($(CPU_ARCH),ppc) ifdef USE_64 DEFINES += -DNSS_NO_INIT_SUPPORT @@@@ -301,7 +301,7 @@@@ endif d36 1 a36 1 @@@@ -453,7 +453,11 @@@@ else @ 1.3 log @nss: Fix build on SunOS with clang. @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.2 2013/07/20 09:28:12 ryoon Exp $ d4 1 d6 1 a6 1 --- nss/lib/freebl/Makefile.orig 2018-01-22 11:22:38.812914721 +0000 d8 21 a28 1 @@@@ -298,7 +298,7 @@@@ endif d37 1 a37 1 @@@@ -450,7 +450,11 @@@@ else @ 1.2 log @Update to 3.15.1 Changelog: NSS 3.15.1 release notes Introduction Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below. Distribution Information NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/ New in NSS 3.15.1 New Functionality TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations. The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. New Functions None. New Types in sslprot.h SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites. in sslerr.h SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2. in sslt.h ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type. ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.1 Bug 856060 - Enforce name constraints on the common name in libpkix when no subjectAltName is present. Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict. Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly. Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function. Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures. Bug 884072 - Fix a typo in the header include guard macro of secmod.h. Bug 876352 - certutil now warns if importing a PEM file that contains a private key. Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed. The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed. Bugs fixed in NSS 3.15.1 https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS Compatibility NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries. NSS 3.15 release notes Introduction The NSS team has released Network Security Services (NSS) 3.15, which is a minor release. Distribution Information The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer. NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/ New in NSS 3.15 New Functionality Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. certutil has been updated to support creating name constraints extensions. New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension. in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE Notable Changes in NSS 3.15 SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. NSS has migrated from CVS to the Mercurial source control management system. Updated build instructions are available at Migration to HG As part of this migration, the source code directory layout has been re-organized. The list of root CA certificates in the nssckbi module has been updated. The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel. Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour. Bug 853285: Fixed bugs in AES GCM. Bug 341127: Fix the invalid read in rc4_wordconv. Faster NIST curve P-256 implementation. Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced. Bugs fixed in NSS 3.15 This Bugzilla query returns all the bugs fixed in NSS 3.15: https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15 @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.1 2012/04/18 21:01:42 ryoon Exp $ d5 1 a5 1 --- nss/lib/freebl/Makefile.orig 2009-06-29 18:15:13.000000000 +0200 d7 1 a7 1 @@@@ -212,7 +212,7 @@@@ endif d16 12 @ 1.1 log @Update 3.13.4 * Change distfile to separated source. Changelog is not shown. Probably some bugs are fixed. Tested on NetBSD/i386 6.99.4 and DragonFly/i386 3.0.1. @ text @d1 1 a1 1 $NetBSD: patch-me,v 1.5 2012/03/06 12:34:09 ryoon Exp $ d5 2 a6 2 --- security/nss/lib/freebl/Makefile.orig 2009-06-29 18:15:13.000000000 +0200 +++ security/nss/lib/freebl/Makefile @