| Commit message (Collapse) | Author | Age | Files | Lines |
For some purposes it's useful to be able to build the ca_root_nss with a
custom certctl command. It may be desirable for instance to run
certctl rehash at the end of a package upgrade rather than in the
middle, in which case it's sufficient to substitute CERTCTL_CMD=:.
Make the certctl command name a variable so that one can override it at
port build time. No functional change intended.
PR: 290115
Approved by: maintainer (timeout, 1 month)
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
|
The handling of @sample with regard to no-root installation was
recently fixed, by 452309533805 (in ports) plus changes in pkg 2.4.
These need new packages built before they will correctly install,
including into VM images generated as part of the FreeBSD release
process.
Unfortunately with the release scheduled for just a few weeks away
and generally slow arm64 package building, there isn't time for a
full pkg set rebuild; so bump a handful of ports which are used in
the release process so that they will be rebuilt.
Users who are not building VM images using the "no-root" pathway
(aka using a METALOG index of the disk image) are not affected by
this; we doubt anyone other than re@ will notice.
With hat: re@
Discussed with: bapt, antoine
|
ChangeLog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/egxX4WpHbuE
PR: 289985
Approved by: fernape (ports-secteam)
|
The post-install and post-deinstall scripts simply invoke "certctl
rehash", which of course requires root privileges. Modify them to
enable unprivileged installation, useful for building VM images. For
instance, FreeBSD's EC2 image builder wants to install amazon-ssm-agent,
which depends on ca_root_nss.
Modify the scripts to:
1. Use PKG_ROOTDIR as the root instead of assuming the default.
2. When installing, and PKG_METALOG is set, assume we're doing an
unprivileged build and tell certctl to write updates to the
configured METALOG.
Note, the use of PKG_METALOG depends on a new pkg feature:
https://github.com/freebsd/pkg/pull/2476
If an updated ca_root_nss is installed using an old pkg(8), then the
PKG_METALOG variable will not be set, so there are no compatibility
issues.
Sponsored by: The FreeBSD Foundation
Sponsored by: Klara, Inc.
PR: 288243
|
Reviewed by: michaelo, fluffy
Differential Revision: https://reviews.freebsd.org/D52398
|
ChangeLog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/Ztj7XiauJMM
PR: 288891
Approved by: joneum (ports-secteam)
|
PR: 284745
Approved by: fernape (ports-secteam)
ChangeLog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/EOiJTUdpzuo
|
/usr/local/openssl/cert.pem is the default location for security/openssl
so it should be handled just like /etc/ssl/cert.pem base OpenSSL. To
avoid having samples and copies with differing contents point both files
to the actual /usr/local/etc/ssl/cert.pem created by the sample. If users
have set their own content that is likely intended and should be enforced
across all three files.
MFH: 2025Q1
PR: 283161
Differential Revision: https://reviews.freebsd.org/D47908
|
ChangeLog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/icdrHgrR9hs
PR: 281578
Approved by: maintainer timeout
|
It turns out that some ports have an undisclosed dependency on the
symlink and cannot be trivially changed to use the system trust
store instead.
Amend the package message to make it clear that software which relies
on this symlink is not following recommended practice.
I will look into getting certctl(8) to provide cert.pem instead, but
it may take a while until we can rely on this being in place on all
supported releases.
This partly reverts commit 483e74f44b82.
PR: 274322
MFH: 2023Q4
Reviewed by: fluffy
Differential Revision: https://reviews.freebsd.org/D42120
|
MFH: 2023Q4
Reviewed by: fluffy, sunpoet
Differential Revision: https://reviews.freebsd.org/D42045
|
These 2 files are already handled by @sample.
===> Deinstalling for ca_root_nss
===> Deinstalling ca_root_nss-3.93
Updating database digests format: 100%
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):
Installed packages to be REMOVED:
ca_root_nss: 3.93
Number of packages to be removed: 1
[1/1] Deinstalling ca_root_nss-3.93...
[1/1] Deleting files for ca_root_nss-3.93: 11%
ca_root_nss-3.93: missing file /usr/local/etc/ssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.93: 33%
ca_root_nss-3.93: missing file /usr/local/openssl/cert.pem
[1/1] Deleting files for ca_root_nss-3.93: 100%
Approved by: portmgr (blanket)
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/aC5r1-9zPWI
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/oNYCNPU21k0
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/i-wiqdBIjMI
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/tZjTXdS8GQs
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/HcRrYgEdGIo
Sponsored by: Netzkommune GmbH
|
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/NqCkaX216zY
Sponsored by: Netzkommune GmbH
|
Changes:
- Bug 1792821 - Modification of the primes.c and dhe-params.c in order to have better looking tables.
- Bug 1796815 - Update zlib in NSS to 1.2.13.
- Bug 1796504 - Skip building modutil and shlibsign when building in Firefox.
- Bug 1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard.
- Bug 1796407 - Fix -Wunused-but-set-variable warning from clang 15.
- Bug 1796308 - Fix -Wtautological-constant-out-of-range-compare and -Wtype-limits warnings.
- Bug 1796281 - Followup: add missing stdint.h include.
- Bug 1796281 - Fix -Wint-to-void-pointer-cast warnings.
- Bug 1796280 - Fix -Wunused-{function,variable,but-set-variable} warnings on Windows.
- Bug 1796079 - Fix -Wstring-conversion warnings.
- Bug 1796075 - Fix -Wempty-body warnings.
- Bug 1795242 - Fix unused-but-set-parameter warning.
- Bug 1795241 - Fix unreachable-code warnings.
- Bug 1795222 - Mark _nss_version_c unused on clang-cl.
- Bug 1795668 - Remove redundant variable definitions in lowhashtest.
- No bug - Add note about python executable to build instructions.
Changelog see: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/fHvKAhUTnLs
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uV-FYp6SUr8
Sponsored by: Netzkommune GmbH
|
Changelog:
Network Security Services (NSS) 3.83 was released on 15 September 2022.
The HG tag is NSS_3_83_RTM. This version of NSS requires NSPR 4.34.1 or
newer.
Changes:
- Bug 1788875 - Remove set-but-unused variables from
SEC_PKCS12DecoderValidateBags
- Bug 1563221 - remove older oses that are unused part3/ BeOS
- Bug 1563221 - remove older unix support in NSS part 3 Irix
- Bug 1563221 - remove support for older unix in NSS part 2 DGUX
- Bug 1563221 - remove support for older unix in NSS part 1 OSF
- Bug 1778413 - Set nssckbi version number to 2.58
- Bug 1785297 - Add two SECOM root certificates to NSS
- Bug 1787075 - Add two DigitalSign root certificates to NSS
- Bug 1778412 - Remove Camerfirma Global Chambersign Root from NSS
- Bug 1771100 - Added bug reference and description to disabled
UnsolicitedServerNameAck bogo ECH test
- Bug 1779361 - Removed skipping of ECH on equality of private and
public server name
- Bug 1779357 - Added comment and bug reference to
ECHRandomHRRExtension bogo test
- Bug 1779370 - Added Bogo shim client HRR test support. Fixed
overwriting of CHInner.random on HRR
- Bug 1779234 - Added check for server only sending ECH extension
with retry configs in EncryptedExtensions and if not
accepting ECH. Changed config setting behavior to
skip configs with unsupported mandatory extensions
instead of failing
- Bug 1771100 - Added ECH client support to BoGo shim. Changed
CHInner creation to skip TLS 1.2 only extensions to
comply with BoGo
- Bug 1771100 - Added ECH server support to BoGo shim. Fixed NSS ECH
server accept_confirmation bugs
- Bug 1771100 - Update BoGo tests to recent BoringSSL version
- Bug 1785846 - Bump minimum NSPR version to 4.34.1
NSS 3.83 shared libraries are backwards-compatible with all older NSS
3.x shared libraries. A program linked with older NSS 3.x shared
libraries will work with this new version of the shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.
Sponsored by: Netzkommune GmbH
|
Changes:
- Bug 1330271 - check for null template in sec_asn1{d,e}_push_state
- Bug 1735925 - QuickDER: Forbid NULL tags with non-zero length
- Bug 1784724 - Initialize local variables in TlsConnectTestBase::ConnectAndCheckCipherSuite
- Bug 1784191 - Cast the result of GetProcAddress
- Bug 1681099 - pk11wrap: Tighten certificate lookup based on PKCS #11 URI.
Sponsored by: Netzkommune GmbH
|
Changelog:
- Bug 1762831: Enable aarch64 hardware crypto support on OpenBSD.
- Bug 1775359 - make NSS_SecureMemcmp 0/1 valued.
- Bug 1779285: Add no_application_protocol alert handler and test client error code is set.
- Bug 1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity.
NSS 3.81 shared libraries are backwards-compatible with all older NSS
3.x shared libraries. A program linked with older NSS 3.x shared
libraries will work with this new version of the shared libraries
without recompiling or relinking. Furthermore, applications that
restrict their use of NSS APIs to the functions listed in NSS Public
Functions will remain compatible with future versions of the NSS
shared libraries.
Sponsored by: Netzkommune GmbH
|
Changelog:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/EvvZnF-wh14
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/ZghhNaaxnUA
Sponsored by: Netzkommune GmbH
|
Update to 3.78
changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/hQUjX_jwbEk
While here, fix a problem with ETCSYMLINK (1)
PR: 262755 (1)
Sponsored by: Netzkommune GmbH
|
Changelog: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/zOd5WWPcPkc
PR: 263018
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
|
Update to 3.76 and fix do-install (1)
PR: 228550 (1)
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
|
With hat: ports-secteam
Sponsored by: Netzkommune GmbH
|
With hat: ports-secteam
Sponsored by: Netzkommune GmbH
|
PR: 258995
Reported by: Yasuhiro Kimura <yasu@freebsd.org>
Approved: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
|
and support CKA_NSS_SERVER_DISTRUST_AFTER to not include
certificates if the extracted bundle of certificates
is generated later than the expiration date.
This script no longer emits trust certificates for
* EMAIL_PROTECTION
* CODE_SIGNING
because the default certificate bundle in FreeBSD is supposed to
be used for server authentication.
Reported by: Christian Heimes <christian@python.org>
via: Gordon Tetlow
Approved by: ports-secteam (riggs@) (maintainer)
|
Approved by: delphij (ports-secteam)
|
I erroneously got the tarball packaged by jbeich@ for nss.
Reported by: tcberner
Reference: https://cgit.freebsd.org/ports/commit/?id=0743b1f6b868fb0926d053469250d9479c86ba4e
|
Approved by: delphij (ports-secteam)
|
PR: 257029
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
|
Reported by: lwhsu
|
Changelog: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
PR: 254394
Reported by: Yasuhiro Kimura <yasu@utahime.org>
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=568775
|
Changelog: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
PR: 253731
Reported by: Yasuhiro Kimura <yasu@utahime.org>
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=568264
|
PR: 251282
Reported by: Yasuhiro Kimura <yasu@utahime.org>
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=564061
|
Changes: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_58_RTM
ABI: https://abi-laboratory.pro/tracker/timeline/nss/
Notes:
svn path=/head/; revision=552532
|
Changes: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_57_RTM
ABI: https://abi-laboratory.pro/tracker/timeline/nss/
Reported by: Repology
Notes:
svn path=/head/; revision=549537
|
Changes: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_56_RTM
ABI: https://abi-laboratory.pro/tracker/timeline/nss/
Reported by: Repology
Notes:
svn path=/head/; revision=546114
|
Changes: https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
Changes: https://hg.mozilla.org/projects/nss/shortlog/NSS_3_55_RTM
ABI: https://abi-laboratory.pro/tracker/timeline/nss/
Reported by: Repology
Notes:
svn path=/head/; revision=543387
|
- Remove NO_WRKSUBDIR and do-extract target because there isn't a special reason requiring them.
- Some cosmetic fixes
PR: 222262
Reported by: Yasuhiro KIMURA <yasu@utahime.org>
Approved by: ports-secteam (with hat)
Sponsored by: Netzkommune GmbH
Notes:
svn path=/head/; revision=542936