From 05db00320536ec68747204ccdf2c0100f8ca85afb8653cbd9e0b24ba075434b0 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer <wolfgang@rosenauer.org>
Date: Sun, 31 Jul 2016 10:48:39 +0000
Subject: [PATCH] - update to NSS 3.24   New functionality:   * NSS softoken
 has been updated with the latest National Institute     of Standards and
 Technology (NIST) guidance (as of 2015):     - Software integrity checks and
 POST functions are executed on       shared library load. These checks have
 been disabled by default,       as they can cause a performance regression.
 To enable these       checks, you must define symbol NSS_FORCE_FIPS when
 building NSS.     - Counter mode and Galois/Counter Mode (GCM) have checks to
       prevent counter overflow.     - Additional CSPs are zeroed in the code.
     - NSS softoken uses new guidance for how many Rabin-Miller tests      
 are needed to verify a prime based on prime size.   * NSS softoken has also
 been updated to allow NSS to run in FIPS     Level 1 (no password). This mode
 is triggered by setting the     database password to the empty string. In
 FIPS mode, you may move     from Level 1 to Level 2 (by setting an
 appropriate password),     but not the reverse.   * A SSL_ConfigServerCert
 function has been added for configuring     SSL/TLS server sockets with a
 certificate and private key. Use     this new function in place of
 SSL_ConfigSecureServer,     SSL_ConfigSecureServerWithCertChain,
 SSL_SetStapledOCSPResponses,     and SSL_SetSignedCertTimestamps.
 SSL_ConfigServerCert automatically     determines the certificate type from
 the certificate and private key.     The caller is no longer required to use
 SSLKEAType explicitly to     select a "slot" into which the certificate is
 configured (which     incorrectly identifies a key agreement type rather than
 a certificate).     Separate functions for configuring Online Certificate
 Status Protocol     (OCSP) responses or Signed Certificate Timestamps are not
 needed,     since these can be added to the optional SSLExtraServerCertData
 struct

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=216
---
 mozilla-nss.changes  | 88 ++++++++++++++++++++++++++++++++++++++++++++
 mozilla-nss.spec     | 12 +++---
 nss-3.23.tar.gz      |  3 --
 nss-3.24.tar.gz      |  3 ++
 nss-bmo1236011.patch | 22 -----------
 5 files changed, 98 insertions(+), 30 deletions(-)
 delete mode 100644 nss-3.23.tar.gz
 create mode 100644 nss-3.24.tar.gz
 delete mode 100644 nss-bmo1236011.patch

diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 38b4416..d5d3ee0 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,91 @@
+-------------------------------------------------------------------
+Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.24
+  New functionality:
+  * NSS softoken has been updated with the latest National Institute
+    of Standards and Technology (NIST) guidance (as of 2015):
+    - Software integrity checks and POST functions are executed on
+      shared library load. These checks have been disabled by default,
+      as they can cause a performance regression. To enable these
+      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
+    - Counter mode and Galois/Counter Mode (GCM) have checks to
+      prevent counter overflow.
+    - Additional CSPs are zeroed in the code.
+    - NSS softoken uses new guidance for how many Rabin-Miller tests
+      are needed to verify a prime based on prime size.
+  * NSS softoken has also been updated to allow NSS to run in FIPS
+    Level 1 (no password). This mode is triggered by setting the
+    database password to the empty string. In FIPS mode, you may move
+    from Level 1 to Level 2 (by setting an appropriate password),
+    but not the reverse.
+  * A SSL_ConfigServerCert function has been added for configuring
+    SSL/TLS server sockets with a certificate and private key. Use
+    this new function in place of SSL_ConfigSecureServer,
+    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
+    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
+    determines the certificate type from the certificate and private key.
+    The caller is no longer required to use SSLKEAType explicitly to
+    select a "slot" into which the certificate is configured (which
+    incorrectly identifies a key agreement type rather than a certificate).
+    Separate functions for configuring Online Certificate Status Protocol
+    (OCSP) responses or Signed Certificate Timestamps are not needed,
+    since these can be added to the optional SSLExtraServerCertData struct
+    provided to SSL_ConfigServerCert.  Also, partial support for RSA
+    Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
+    Although these certificates can be configured, they will not be
+    used by NSS in this version.
+  New functions
+  * SSL_ConfigServerCert - Configures an SSL/TLS socket with a
+    certificate, private key, and other information.
+  * PORT_InitCheapArena - Initializes an arena that was created on
+    the stack. (See PORTCheapArenaPool.=
+  * PORT_DestroyCheapArena - Destroys an arena that was created on
+    the stack. (See PORTCheapArenaPool.)
+  New types
+  * SSLExtraServerCertData - Optionally passed as an argument to
+    SSL_ConfigServerCert. This struct contains supplementary information
+    about a certificate, such as the intended type of the certificate,
+    stapled OCSP responses, or Signed Certificate Timestamps (used for
+    certificate transparency).
+  * PORTCheapArenaPool - A stack-allocated arena pool, to be used for
+    temporary arena allocations.
+  New macros
+  * CKM_TLS12_MAC
+  * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
+    TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used
+    only for session resumption in TLS 1.3.
+  Notable changes:
+  * Deprecate the following functions. (Applications should instead use the new
+    SSL_ConfigServerCert function.):
+    - SSL_SetStapledOCSPResponses
+    - SSL_SetSignedCertTimestamps
+    - SSL_ConfigSecureServer
+    - SSL_ConfigSecureServerWithCertChain
+  * Deprecate the NSS_FindCertKEAType function, as it reports a misleading
+    value for certificates that might be used for signing rather than
+    key exchange.
+  * Update SSLAuthType to define a larger number of authentication key types.
+  * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
+    Instead, applications should use the newly added attribute authType.
+  * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
+  * Add a shared library (libfreeblpriv3) on Linux platforms that
+    define FREEBL_LOWHASH.
+  * Remove most code related to SSL v2, including the ability to actively
+    send a SSLv2-compatible client hello. However, the server-side
+    implementation of the SSL/TLS protocol still supports processing
+    of received v2-compatible client hello messages.
+  * Disable (by default) NSS support in optimized builds for logging SSL/TLS
+    key material to a logfile if the SSLKEYLOGFILE environment variable
+    is set. To enable the functionality in optimized builds, you must define
+    the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
+  * Update NSS to protect it against the Cachebleed attack.
+  * Disable support for DTLS compression.
+  * Improve support for TLS 1.3. This includes support for DTLS 1.3.
+    Note that TLS 1.3 support is experimental and not suitable for
+    production use.
+- removed obsolete nss-bmo1236011.patch
+
 -------------------------------------------------------------------
 Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
 
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
index 11b0801..11d839a 100644
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.12
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.23
+Version:        3.24
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -56,7 +56,6 @@ Patch5:         renegotiate-transitional.patch
 Patch6:         malloc.patch
 Patch7:         nss-disable-ocsp-test.patch
 Patch8:         nss-sqlitename.patch
-Patch9:         nss-bmo1236011.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -177,7 +176,6 @@ cd nss
 %endif
 %patch7 -p1
 %patch8 -p1
-%patch9 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
@@ -249,6 +247,8 @@ cp -L  lib/libnss3.so \
        $RPM_BUILD_ROOT%{_libdir}
 cp -L  lib/libfreebl3.so \
        lib/libfreebl3.chk \
+       lib/libfreeblpriv3.so \
+       lib/libfreeblpriv3.chk \
        $RPM_BUILD_ROOT/%{_lib}
 #cp -L  lib/libnsssqlite3.so \
 #       $RPM_BUILD_ROOT%{_libdir}
@@ -388,6 +388,8 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-, root, root)
 /%{_lib}/libfreebl3.so
 /%{_lib}/libfreebl3.chk
+/%{_lib}/libfreeblpriv3.so
+/%{_lib}/libfreeblpriv3.chk
 
 %files -n libsoftokn3
 %defattr(-, root, root)
diff --git a/nss-3.23.tar.gz b/nss-3.23.tar.gz
deleted file mode 100644
index f61c991..0000000
--- a/nss-3.23.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf
-size 7467001
diff --git a/nss-3.24.tar.gz b/nss-3.24.tar.gz
new file mode 100644
index 0000000..94ac2cc
--- /dev/null
+++ b/nss-3.24.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed
+size 7307782
diff --git a/nss-bmo1236011.patch b/nss-bmo1236011.patch
deleted file mode 100644
index 0bf3ad4..0000000
--- a/nss-bmo1236011.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
---- a/cmd/modutil/install-ds.h
-+++ b/cmd/modutil/install-ds.h
-@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
- 	int numPlatforms;
- 	Pk11Install_PlatformName *forwardCompatible;
- 	int numForwardCompatible;
- };
- 
- Pk11Install_Info*
- Pk11Install_Info_new();
- void
--Pk11Install_Info_init();
-+Pk11Install_Info_init(Pk11Install_Info* _this);
- void
- Pk11Install_Info_delete(Pk11Install_Info* _this);
- /*// Returns NULL for success, error message if parse error.*/
- char* 
- Pk11Install_Info_Generate(Pk11Install_Info* _this, 
-                           const Pk11Install_ValueList *list);
- 	/*// Returns NULL if there is no matching platform*/
- Pk11Install_Platform*