blob: 0936a87b4debf66a77e8d8ce82620d8aab6415f0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
.. _mozilla_projects_nss_nss_3_52_release_notes:
NSS 3.52 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
The NSS team has released Network Security Services (NSS) 3.52 on **1 May 2020**.
The NSS team would like to recognize first-time contributors:
- zhujianwei7
- Hans Petter Jansson
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_52_RTM. NSS 3.52 requires NSPR 4.25 or newer.
NSS 3.52 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_52_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_nss_releases`.
.. _notable_changes_in_nss_3.52:
`Notable Changes in NSS 3.52 <#notable_changes_in_nss_3.52>`__
--------------------------------------------------------------
.. container::
- `Bug 1603628 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603628>`__ - Update NSS to support
PKCS #11 v3.0.
- Note: This change modifies the CK_GCM_PARAMS struct to include the ulIvBits field which,
prior to PKCS #11 v3.0, was ambiguously defined and not included in the NSS definition. If
an application is recompiled with NSS 3.52+, this field must be initialized to a value
corresponding to ulIvLen. Alternatively, defining NSS_PKCS11_2_0_COMPAT will yield the old
definition. See the bug for more information.
- `Bug 1623374 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623374>`__ - Support new PKCS #11
v3.0 Message Interface for AES-GCM and ChaChaPoly.
- `Bug 1612493 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612493>`__ - Integrate AVX2
ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
.. _bugs_fixed_in_nss_3.52:
`Bugs fixed in NSS 3.52 <#bugs_fixed_in_nss_3.52>`__
----------------------------------------------------
.. container::
- `Bug 1633498 <https://bugzilla.mozilla.org/show_bug.cgi?id=1633498>`__ - Fix unused variable
'getauxval' error on iOS compilation.
- `Bug 1630721 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630721>`__ - Add Softoken
functions for FIPS.
- `Bug 1630458 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630458>`__ - Fix problem of GYP
MSVC builds not producing debug symbol files.
- `Bug 1629663 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629663>`__ - Add IKEv1 Quick Mode
KDF.
- `Bug 1629661 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629661>`__ - MPConfig calls in SSL
initialize policy before NSS is initialized.
- `Bug 1629655 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629655>`__ - Support temporary
session objects in ckfw.
- `Bug 1629105 <https://bugzilla.mozilla.org/show_bug.cgi?id=1629105>`__ - Add PKCS11 v3.0
functions to module debug logger.
- `Bug 1626751 <https://bugzilla.mozilla.org/show_bug.cgi?id=1626751>`__ - Fix error in
generation of fuzz32 docker image after updates.
- `Bug 1625133 <https://bugzilla.mozilla.org/show_bug.cgi?id=1625133>`__ - Fix implicit
declaration of function 'getopt' error.
- `Bug 1624864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624864>`__ - Allow building of
gcm-arm32-neon on non-armv7 architectures.
- `Bug 1624402 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624402>`__ - Fix compilation error
in Firefox Android.
- `Bug 1624130 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624130>`__ - Require
CK_FUNCTION_LIST structs to be packed.
- `Bug 1624377 <https://bugzilla.mozilla.org/show_bug.cgi?id=1624377>`__ - Fix clang warning for
unknown argument '-msse4'.
- `Bug 1623374 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623374>`__ - Support new PKCS #11
v3.0 Message Interface for AES-GCM and ChaChaPoly.
- `Bug 1623184 <https://bugzilla.mozilla.org/show_bug.cgi?id=1623184>`__ - Fix freebl_cpuid for
querying Extended Features.
- `Bug 1622555 <https://bugzilla.mozilla.org/show_bug.cgi?id=1622555>`__ - Fix argument parsing
in lowhashtest.
- `Bug 1620799 <https://bugzilla.mozilla.org/show_bug.cgi?id=1620799>`__ - Introduce
NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without NEON support.
- `Bug 1619102 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619102>`__ - Add workaround option
to include both DTLS and TLS versions in DTLS supported_versions.
- `Bug 1619056 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619056>`__ - Update README: TLS
1.3 is not experimental anymore.
- `Bug 1618915 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618915>`__ - Fix UBSAN issue in
ssl_ParseSessionTicket.
- `Bug 1618739 <https://bugzilla.mozilla.org/show_bug.cgi?id=1618739>`__ - Don't assert fuzzer
behavior in SSL_ParseSessionTicket.
- `Bug 1617968 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617968>`__ - Update Delegated
Credentials implementation to draft-07.
- `Bug 1617533 <https://bugzilla.mozilla.org/show_bug.cgi?id=1617533>`__ - Update HACL\*
dependencies for libintvector.h
- `Bug 1613238 <https://bugzilla.mozilla.org/show_bug.cgi?id=1613238>`__ - Add vector
accelerated SHA2 for POWER 8+.
- `Bug 1612493 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612493>`__ - Integrate AVX2
ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*.
- `Bug 1612281 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612281>`__ - Maintain PKCS11
C_GetAttributeValue semantics on attributes that lack NSS database columns.
- `Bug 1612260 <https://bugzilla.mozilla.org/show_bug.cgi?id=1612260>`__ - Add Wycheproof RSA
test vectors.
- `Bug 1608250 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608250>`__ - broken fipstest
handling of KI_len.
- `Bug 1608245 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608245>`__ - Consistently handle
NULL slot/session.
- `Bug 1603801 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603801>`__ - Avoid dcache
pollution from sdb_measureAccess().
- `Bug 1603628 <https://bugzilla.mozilla.org/show_bug.cgi?id=1603628>`__ - Update NSS to support
PKCS #11 v3.0.
- `Bug 1561637 <https://bugzilla.mozilla.org/show_bug.cgi?id=1561637>`__ - TLS 1.3 does not work
in FIPS mode.
- `Bug 1531906 <https://bugzilla.mozilla.org/show_bug.cgi?id=1531906>`__ - Fix overzealous
assertion when evicting a cached sessionID or using external cache.
- `Bug 1465613 <https://bugzilla.mozilla.org/show_bug.cgi?id=1465613>`__ - Fix issue where
testlib makefile build produced extraneous object files.
- `Bug 1619959 <https://bugzilla.mozilla.org/show_bug.cgi?id=1619959>`__ - Properly handle
multi-block SEED ECB inputs.
- `Bug 1630925 <https://bugzilla.mozilla.org/show_bug.cgi?id=1630925>`__ - Guard all instances
of NSSCMSSignedData.signerInfo to avoid a CMS crash
- `Bug 1571677 <https://bugzilla.mozilla.org/show_bug.cgi?id=1571677>`__ - Name Constraints
validation: CN treated as DNS name even when syntactically invalid as DNS name
This Bugzilla query returns all the bugs fixed in NSS 3.52:
https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.52
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.52 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.52 shared libraries
without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in NSS Public Functions will remain compatible with future versions of
the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report with
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).
|
