doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

.. _mozilla_projects_nss_nss_3_22_release_notes:

NSS 3.22 release notes
======================

`Introduction <#introduction>`__
--------------------------------

.. container::

   The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.

.. _distribution_information:

`Distribution Information <#distribution_information>`__
--------------------------------------------------------

.. container::

   The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.

   NSS 3.22 source distributions are available on ftp.mozilla.org for secure HTTPS download:

   -  Source tarballs:
      https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/

.. _new_in_nss_3.22:

`New in NSS 3.22 <#new_in_nss_3.22>`__
--------------------------------------

.. container::

.. _new_functionality:

`New Functionality <#new_functionality>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. container::

   -  RSA-PSS signatures are now supported (`bug
      1215295 <https://bugzilla.mozilla.org/show_bug.cgi?id=1215295>`__)

      -  New functions ``PK11_SignWithMechanism()`` and ``PK11_SignWithMechanism()`` are provided to
         allow RSA keys to be used with PSS.

   -  Pseudorandom functions based on hashes other than SHA-1 are now supported with PBKDF (`bug
      554827 <https://bugzilla.mozilla.org/show_bug.cgi?id=554827>`__).

      -  ``PK11_CreatePBEV2AlgorithmID()`` now supports ``SEC_OID_PKCS5_PBKDF2`` with
         ``cipherAlgTag`` and ``prfAlgTag`` set to ``SEC_OID_HMAC_SHA256``, ``SEC_OID_HMAC_SHA224``,
         ``SEC_OID_HMAC_SHA384``, or ``SEC_OID_HMAC_SHA512``.

   -  Enforce an External Policy on NSS from a config file (`bug
      1009429 <https://bugzilla.mozilla.org/show_bug.cgi?id=1009429>`__)

      -  you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which
         will force NSS to restrict the application to certain cryptographic algorithms and
         protocols. A complete list can be found in :ref:`mozilla_projects_nss_nss_config_options`.

   .. rubric:: New Functions
      :name: new_functions

   -  *in pk11pub.h*

      -  **PK11_SignWithMechanism** - This function is an extended version ``PK11_Sign()``.
      -  **PK11_VerifyWithMechanism** - This function is an extended version of ``PK11_Verify()``.

         -  These functions take an explicit mechanism and parameters as arguments rather than
            inferring it from the key type using ``PK11_MapSignKeyType()``.  The mechanism type
            CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS.  The
            CK_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.

   -  *in ssl.h*

      -  **SSL_PeerSignedCertTimestamps** - Get signed_certificate_timestamp TLS extension data
      -  **SSL_SetSignedCertTimestamps** - Set signed_certificate_timestamp TLS extension data

   .. rubric:: New Types
      :name: new_types

   -  *in secoidt.h*

      -  The following are added to SECOidTag:

         -  SEC_OID_AES_128_GCM
         -  SEC_OID_AES_192_GCM
         -  SEC_OID_AES_256_GCM
         -  SEC_OID_IDEA_CBC
         -  SEC_OID_RC2_40_CBC
         -  SEC_OID_DES_40_CBC
         -  SEC_OID_RC4_40
         -  SEC_OID_RC4_56
         -  SEC_OID_NULL_CIPHER
         -  SEC_OID_HMAC_MD5
         -  SEC_OID_TLS_RSA
         -  SEC_OID_TLS_DHE_RSA
         -  SEC_OID_TLS_DHE_DSS
         -  SEC_OID_TLS_DH_RSA
         -  SEC_OID_TLS_DH_DSS
         -  SEC_OID_TLS_DH_ANON
         -  SEC_OID_TLS_ECDHE_ECDSA
         -  SEC_OID_TLS_ECDHE_RSA
         -  SEC_OID_TLS_ECDH_ECDSA
         -  SEC_OID_TLS_ECDH_RSA
         -  SEC_OID_TLS_ECDH_ANON
         -  SEC_OID_TLS_RSA_EXPORT
         -  SEC_OID_TLS_DHE_RSA_EXPORT
         -  SEC_OID_TLS_DHE_DSS_EXPORT
         -  SEC_OID_TLS_DH_RSA_EXPORT
         -  SEC_OID_TLS_DH_DSS_EXPORT
         -  SEC_OID_TLS_DH_ANON_EXPORT
         -  SEC_OID_APPLY_SSL_POLICY

   -  in sslt.h

      -  **ssl_signed_cert_timestamp_xtn** is added to ``SSLExtensionType``.

   .. rubric:: New Macros
      :name: new_macros

   -  in nss.h

      -  NSS_RSA_MIN_KEY_SIZE
      -  NSS_DH_MIN_KEY_SIZE
      -  NSS_DSA_MIN_KEY_SIZE
      -  NSS_TLS_VERSION_MIN_POLICY
      -  NSS_TLS_VERSION_MAX_POLICY
      -  NSS_DTLS_VERSION_MIN_POLICY
      -  NSS_DTLS_VERSION_MAX_POLICY

   -  *in pkcs11t.h*

      -  **CKP_PKCS5_PBKD2_HMAC_GOSTR3411** - PRF based on HMAC with GOSTR3411 for PBKDF (not
         supported)
      -  **CKP_PKCS5_PBKD2_HMAC_SHA224** - PRF based on HMAC with SHA-224 for PBKDF
      -  **CKP_PKCS5_PBKD2_HMAC_SHA256** - PRF based on HMAC with SHA-256 for PBKDF
      -  **CKP_PKCS5_PBKD2_HMAC_SHA384** - PRF based on HMAC with SHA-256 for PBKDF
      -  **CKP_PKCS5_PBKD2_HMAC_SHA512** - PRF based on HMAC with SHA-256 for PBKDF
      -  **CKP_PKCS5_PBKD2_HMAC_SHA512_224** - PRF based on HMAC with SHA-512 truncated to 224 bits
         for PBKDF (not supported)
      -  **CKP_PKCS5_PBKD2_HMAC_SHA512_256** - PRF based on HMAC with SHA-512 truncated to 256 bits
         for PBKDF (not supported)

   -  *in secoidt.h*

      -  NSS_USE_ALG_IN_SSL
      -  NSS_USE_POLICY_IN_SSL

   -  *in ssl.h*

      -  **SSL_ENABLE_SIGNED_CERT_TIMESTAMPS**

   -  *in sslt.h*

      -  **SSL_MAX_EXTENSIONS** is updated to 13

.. _notable_changes_in_nss_3.22:

`Notable Changes in NSS 3.22 <#notable_changes_in_nss_3.22>`__
--------------------------------------------------------------

.. container::

   -  NSS C++ tests are built by default, requiring a C++11 compiler.  Set the NSS_DISABLE_GTESTS
      variable to 1 to disable building these tests.

.. _bugs_fixed_in_nss_3.22:

`Bugs fixed in NSS 3.22 <#bugs_fixed_in_nss_3.22>`__
----------------------------------------------------

.. container::

   This Bugzilla query returns all the bugs fixed in NSS 3.22:

   https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.22

`Compatibility <#compatibility>`__
----------------------------------

.. container::

   NSS 3.22 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
   program linked with older NSS 3.x shared libraries will work with NSS 3.22 shared libraries
   without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
   to the functions listed in NSS Public Functions will remain compatible with future versions of
   the NSS shared libraries.

`Feedback <#feedback>`__
------------------------

.. container::

   Bugs discovered should be reported by filing a bug report with
   `bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).