[ANNOUNCE] NSS 3.45 Release

The NSS team has released Network Security Services (NSS) 3.45 on 5 July 2019, 
which is a minor release.

The NSS team would like to recognize first-time contributors:

    Bastien Abadie
    Christopher Patton
    Jeremie Courreges-Anglas
    Marcus Burghardt
    Michael Shigorin
    Tomas Mraz

The HG tag is NSS_3_45_RTM. NSS 3.45 requires NSPR 4.21 or newer.

NSS 3.45 source distributions are available on ftp.mozilla.org for secure HTTPS 
download:

    
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_45_RTM/src/


New Functions

    in pk11pub.h:
        PK11_FindRawCertsWithSubject - Finds all certificates on the given slot 
with the given subject distinguished name and returns them as DER bytes. If no 
such certificates can be found, returns SECSuccess and sets *results to NULL. 
If a failure is encountered while fetching any of the matching certificates, 
SECFailure is returned and *results will be NULL.


Notable Changes in NSS 3.45

    Bug 1540403 - Implement Delegated Credentials (draft-ietf-tls-subcerts)
        This adds a new experimental function: SSL_DelegateCredential
        Note: In 3.45, selfserv does not yet support delegated credentials. See 
Bug 1548360.
        Note: In 3.45 the SSLChannelInfo is left unmodified, while an upcoming 
change in 3.46 will set SSLChannelInfo.authKeyBits to that of the delegated 
credential for better policy enforcement. See Bug 1563078.
    Bug 1550579 - Replace ARM32 Curve25519 implementation with one from 
fiat-crypto
    Bug 1551129 - Support static linking on Windows
    Bug 1552262 - Expose a function PK11_FindRawCertsWithSubject for finding 
certificates with a given subject on a given slot
    Bug 1546229 - Add IPSEC IKE support to softoken
    Bug 1554616 - Add support for the Elbrus lcc compiler (<=1.23)
    Bug 1543874 - Expose an external clock for SSL
        This adds new experimental functions: SSL_SetTimeFunc, 
SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and 
SSL_ReleaseAntiReplayContext.
        The experimental function SSL_InitAntiReplay is removed.
    Bug 1546477 - Various changes in response to the ongoing FIPS review
        Note: The source package size has increased substantially due to the 
new FIPS test vectors. This will likely prompt follow-on work, but please 
accept our apologies in the meantime.


Certificate Authority Changes

    The following CA certificates were Removed:
        Bug 1552374 - CN = Certinomis - Root CA
            SHA-256 Fingerprint: 
2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158


Bugs fixed in NSS 3.45

    Bug 1540541 - Don't unnecessarily strip leading 0's from key material 
during PKCS11 import (CVE-2019-11719)
    Bug 1515342 - More thorough input checking (CVE-2019-11729)
    Bug 1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 
(CVE-2019-11727)
    Bug 1227090 - Fix a potential divide-by-zero in makePfromQandSeed from 
lib/freebl/pqg.c (static analysis)
    Bug 1227096 - Fix a potential divide-by-zero in PQG_VerifyParams from 
lib/freebl/pqg.c  (static analysis)
    Bug 1509432 - De-duplicate code between mp_set_long and mp_set_ulong
    Bug 1515011 - Fix a mistake with ChaCha20-Poly1305 test code where tags 
could be faked. Only relevant for clients that might have copied the unit test 
code verbatim
    Bug 1550022 - Ensure nssutil3 gets built on Android
    Bug 1528174 - ChaCha20Poly1305 should no longer modify output length on 
failure
    Bug 1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() returns error
    Bug 1551041 - Fix builds using GCC < 4.3 on big-endian architectures
    Bug 1554659 - Add versioning to OpenBSD builds to fix link time errors 
using NSS
    Bug 1553443 - Send session ticket only after handshake is marked as finished
    Bug 1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so 
builds
    Bug 1554336 - Optimize away unneeded loop in mpi.c
    Bug 1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor 
specific mechanism
    Bug 1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
    Bug 1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
    Bug 1556591 - Eliminate races in uses of PK11_SetWrapKey
    Bug 1558681 - Stop using a global for anti-replay of TLS 1.3 early data
    Bug 1561510 - Fix a bug where removing -arch XXX args from CC didn't work
    Bug 1561523 - Add a string for the new-ish error 
SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION


This Bugzilla query returns all the bugs fixed in NSS 3.45:

https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.45


Please refer to the release notes for the complete list of changes:
  
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.45_release_notes
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto