NSS 3.22 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.22, which is a minor release.

Distribution Information

The HG tag is NSS_3_22_RTM. NSS 3.22 requires NSPR 4.11 or newer.

NSS 3.22 source distributions are available on ftp.mozilla.org for secure HTTPS download:

New in NSS 3.22

New Functionality

  • RSA-PSS signatures are now supported (bug 1215295)

    • New functions PK11_SignWithMechanism() and PK11_SignWithMechanism() are provided to allow RSA keys to be used with PSS.

  • Pseudorandom functions based on hashes other than SHA-1 are now supported with PBKDF (bug 554827).

    • PK11_CreatePBEV2AlgorithmID() now supports SEC_OID_PKCS5_PBKDF2 with cipherAlgTag and prfAlgTag set to SEC_OID_HMAC_SHA256, SEC_OID_HMAC_SHA224, SEC_OID_HMAC_SHA384, or SEC_OID_HMAC_SHA512.

  • Enforce an External Policy on NSS from a config file (bug 1009429)

    • you can now add a config= line to pkcs11.txt (assuming you are using sql databases), which will force NSS to restrict the application to certain cryptographic algorithms and protocols. A complete list can be found in NSS Config Options.

New Functions

  • in pk11pub.h

    • PK11_SignWithMechanism - This function is an extended version PK11_Sign().

    • PK11_VerifyWithMechanism - This function is an extended version of PK11_Verify().

      • These functions take an explicit mechanism and parameters as arguments rather than inferring it from the key type using PK11_MapSignKeyType(). The mechanism type CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS. The CK_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.

  • in ssl.h

    • SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp TLS extension data

    • SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp TLS extension data

New Types

  • in secoidt.h

    • The following are added to SECOidTag:

      • SEC_OID_AES_128_GCM

      • SEC_OID_AES_192_GCM

      • SEC_OID_AES_256_GCM

      • SEC_OID_IDEA_CBC

      • SEC_OID_RC2_40_CBC

      • SEC_OID_DES_40_CBC

      • SEC_OID_RC4_40

      • SEC_OID_RC4_56

      • SEC_OID_NULL_CIPHER

      • SEC_OID_HMAC_MD5

      • SEC_OID_TLS_RSA

      • SEC_OID_TLS_DHE_RSA

      • SEC_OID_TLS_DHE_DSS

      • SEC_OID_TLS_DH_RSA

      • SEC_OID_TLS_DH_DSS

      • SEC_OID_TLS_DH_ANON

      • SEC_OID_TLS_ECDHE_ECDSA

      • SEC_OID_TLS_ECDHE_RSA

      • SEC_OID_TLS_ECDH_ECDSA

      • SEC_OID_TLS_ECDH_RSA

      • SEC_OID_TLS_ECDH_ANON

      • SEC_OID_TLS_RSA_EXPORT

      • SEC_OID_TLS_DHE_RSA_EXPORT

      • SEC_OID_TLS_DHE_DSS_EXPORT

      • SEC_OID_TLS_DH_RSA_EXPORT

      • SEC_OID_TLS_DH_DSS_EXPORT

      • SEC_OID_TLS_DH_ANON_EXPORT

      • SEC_OID_APPLY_SSL_POLICY

  • in sslt.h

    • ssl_signed_cert_timestamp_xtn is added to SSLExtensionType.

New Macros

  • in nss.h

    • NSS_RSA_MIN_KEY_SIZE

    • NSS_DH_MIN_KEY_SIZE

    • NSS_DSA_MIN_KEY_SIZE

    • NSS_TLS_VERSION_MIN_POLICY

    • NSS_TLS_VERSION_MAX_POLICY

    • NSS_DTLS_VERSION_MIN_POLICY

    • NSS_DTLS_VERSION_MAX_POLICY

  • in pkcs11t.h

    • CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - PRF based on HMAC with GOSTR3411 for PBKDF (not supported)

    • CKP_PKCS5_PBKD2_HMAC_SHA224 - PRF based on HMAC with SHA-224 for PBKDF

    • CKP_PKCS5_PBKD2_HMAC_SHA256 - PRF based on HMAC with SHA-256 for PBKDF

    • CKP_PKCS5_PBKD2_HMAC_SHA384 - PRF based on HMAC with SHA-256 for PBKDF

    • CKP_PKCS5_PBKD2_HMAC_SHA512 - PRF based on HMAC with SHA-256 for PBKDF

    • CKP_PKCS5_PBKD2_HMAC_SHA512_224 - PRF based on HMAC with SHA-512 truncated to 224 bits for PBKDF (not supported)

    • CKP_PKCS5_PBKD2_HMAC_SHA512_256 - PRF based on HMAC with SHA-512 truncated to 256 bits for PBKDF (not supported)

  • in secoidt.h

    • NSS_USE_ALG_IN_SSL

    • NSS_USE_POLICY_IN_SSL

  • in ssl.h

    • SSL_ENABLE_SIGNED_CERT_TIMESTAMPS

  • in sslt.h

    • SSL_MAX_EXTENSIONS is updated to 13

Notable Changes in NSS 3.22

  • NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.

Bugs fixed in NSS 3.22

Compatibility

NSS 3.22 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.22 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.

Feedback

Bugs discovered should be reported by filing a bug report with bugzilla.mozilla.org (product NSS).