- update to NSS 3.24

New functionality:
  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a "slot" into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
    (OCSP) responses or Signed Certificate Timestamps are not needed,
    since these can be added to the optional SSLExtraServerCertData struct

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=216

mozilla-nss.changes

@@ -1,3 +1,91 @@
+-------------------------------------------------------------------
+Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.24
+  New functionality:
+  * NSS softoken has been updated with the latest National Institute
+    of Standards and Technology (NIST) guidance (as of 2015):
+    - Software integrity checks and POST functions are executed on
+      shared library load. These checks have been disabled by default,
+      as they can cause a performance regression. To enable these
+      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
+    - Counter mode and Galois/Counter Mode (GCM) have checks to
+      prevent counter overflow.
+    - Additional CSPs are zeroed in the code.
+    - NSS softoken uses new guidance for how many Rabin-Miller tests
+      are needed to verify a prime based on prime size.
+  * NSS softoken has also been updated to allow NSS to run in FIPS
+    Level 1 (no password). This mode is triggered by setting the
+    database password to the empty string. In FIPS mode, you may move
+    from Level 1 to Level 2 (by setting an appropriate password),
+    but not the reverse.
+  * A SSL_ConfigServerCert function has been added for configuring
+    SSL/TLS server sockets with a certificate and private key. Use
+    this new function in place of SSL_ConfigSecureServer,
+    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
+    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
+    determines the certificate type from the certificate and private key.
+    The caller is no longer required to use SSLKEAType explicitly to
+    select a "slot" into which the certificate is configured (which
+    incorrectly identifies a key agreement type rather than a certificate).
+    Separate functions for configuring Online Certificate Status Protocol
+    (OCSP) responses or Signed Certificate Timestamps are not needed,
+    since these can be added to the optional SSLExtraServerCertData struct
+    provided to SSL_ConfigServerCert.  Also, partial support for RSA
+    Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
+    Although these certificates can be configured, they will not be
+    used by NSS in this version.
+  New functions
+  * SSL_ConfigServerCert - Configures an SSL/TLS socket with a
+    certificate, private key, and other information.
+  * PORT_InitCheapArena - Initializes an arena that was created on
+    the stack. (See PORTCheapArenaPool.=
+  * PORT_DestroyCheapArena - Destroys an arena that was created on
+    the stack. (See PORTCheapArenaPool.)
+  New types
+  * SSLExtraServerCertData - Optionally passed as an argument to
+    SSL_ConfigServerCert. This struct contains supplementary information
+    about a certificate, such as the intended type of the certificate,
+    stapled OCSP responses, or Signed Certificate Timestamps (used for
+    certificate transparency).
+  * PORTCheapArenaPool - A stack-allocated arena pool, to be used for
+    temporary arena allocations.
+  New macros
+  * CKM_TLS12_MAC
+  * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
+    TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used
+    only for session resumption in TLS 1.3.
+  Notable changes:
+  * Deprecate the following functions. (Applications should instead use the new
+    SSL_ConfigServerCert function.):
+    - SSL_SetStapledOCSPResponses
+    - SSL_SetSignedCertTimestamps
+    - SSL_ConfigSecureServer
+    - SSL_ConfigSecureServerWithCertChain
+  * Deprecate the NSS_FindCertKEAType function, as it reports a misleading
+    value for certificates that might be used for signing rather than
+    key exchange.
+  * Update SSLAuthType to define a larger number of authentication key types.
+  * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
+    Instead, applications should use the newly added attribute authType.
+  * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
+  * Add a shared library (libfreeblpriv3) on Linux platforms that
+    define FREEBL_LOWHASH.
+  * Remove most code related to SSL v2, including the ability to actively
+    send a SSLv2-compatible client hello. However, the server-side
+    implementation of the SSL/TLS protocol still supports processing
+    of received v2-compatible client hello messages.
+  * Disable (by default) NSS support in optimized builds for logging SSL/TLS
+    key material to a logfile if the SSLKEYLOGFILE environment variable
+    is set. To enable the functionality in optimized builds, you must define
+    the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
+  * Update NSS to protect it against the Cachebleed attack.
+  * Disable support for DTLS compression.
+  * Improve support for TLS 1.3. This includes support for DTLS 1.3.
+    Note that TLS 1.3 support is experimental and not suitable for
+    production use.
+- removed obsolete nss-bmo1236011.patch
+
 -------------------------------------------------------------------
 Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
 

mozilla-nss.spec

@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.12
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.23
+Version:        3.24
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -56,7 +56,6 @@ Patch5:         renegotiate-transitional.patch
 Patch6:         malloc.patch
 Patch7:         nss-disable-ocsp-test.patch
 Patch8:         nss-sqlitename.patch
-Patch9:         nss-bmo1236011.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -177,7 +176,6 @@ cd nss
 %endif
 %patch7 -p1
 %patch8 -p1
-%patch9 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
@@ -249,6 +247,8 @@ cp -L  lib/libnss3.so \
        $RPM_BUILD_ROOT%{_libdir}
 cp -L  lib/libfreebl3.so \
        lib/libfreebl3.chk \
+       lib/libfreeblpriv3.so \
+       lib/libfreeblpriv3.chk \
        $RPM_BUILD_ROOT/%{_lib}
 #cp -L  lib/libnsssqlite3.so \
 #       $RPM_BUILD_ROOT%{_libdir}
@@ -388,6 +388,8 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-, root, root)
 /%{_lib}/libfreebl3.so
 /%{_lib}/libfreebl3.chk
+/%{_lib}/libfreeblpriv3.so
+/%{_lib}/libfreeblpriv3.chk
 
 %files -n libsoftokn3
 %defattr(-, root, root)

nss-3.23.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf
-size 7467001

nss-3.24.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed
+size 7307782

nss-bmo1236011.patch

@@ -1,22 +0,0 @@
-diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
---- a/cmd/modutil/install-ds.h
-+++ b/cmd/modutil/install-ds.h
-@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
- 	int numPlatforms;
- 	Pk11Install_PlatformName *forwardCompatible;
- 	int numForwardCompatible;
- };
- 
- Pk11Install_Info*
- Pk11Install_Info_new();
- void
--Pk11Install_Info_init();
-+Pk11Install_Info_init(Pk11Install_Info* _this);
- void
- Pk11Install_Info_delete(Pk11Install_Info* _this);
- /*// Returns NULL for success, error message if parse error.*/
- char* 
- Pk11Install_Info_Generate(Pk11Install_Info* _this, 
-                           const Pk11Install_ValueList *list);
- 	/*// Returns NULL if there is no matching platform*/
- Pk11Install_Platform*