Accepting request 574217 from mozilla:Factory

- update to NSS 3.35
  New functionality
  * TLS 1.3 support has been updated to draft -23. This includes a
    large number of changes since 3.34, which supported only draft
    -18. See below for details.
  New Types
  * SSLHandshakeType - The type of a TLS handshake message.
  * For the SSLSignatureScheme enum, the enumerated values
    ssl_sig_rsa_pss_sha* are deprecated in response to a change in
    TLS 1.3.  Please use the equivalent ssl_sig_rsa_pss_rsae_sha*
    for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha* for PSS keys.
    Note that this release does not include support for the latter.
  Notable Changes
  * Previously, NSS used the DBM file format by default. Starting
    with version 3.35, NSS uses the SQL file format by default.
    Additional information can be found on this Fedora Linux project
    page: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  * Added formally verified implementations of non-vectorized Chacha20
    and non-vectorized Poly1305 64-bit.
  * For stronger security, when creating encrypted PKCS#7 or PKCS#12 data,
    the iteration count for the password based encryption algorithm
    has been increased to one million iterations. Note that debug builds
    will use a lower count, for better performance in test environments.
  * NSS 3.30 had introduced a regression, preventing NSS from reading
    some AES encrypted data, produced by older versions of NSS.
    NSS 3.35 fixes this regression and restores the ability to read
    affected data.
  * The following CA certificates were Removed:
    OU = Security Communication EV RootCA1
    CN = CA Disig Root R1

OBS-URL: https://build.opensuse.org/request/show/574217
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=133

mozilla-nss.changes

@@ -1,3 +1,58 @@
+-------------------------------------------------------------------
+Thu Feb  8 06:11:12 UTC 2018 - wr@rosenauer.org
+
+- update to NSS 3.35
+  New functionality
+  * TLS 1.3 support has been updated to draft -23. This includes a
+    large number of changes since 3.34, which supported only draft
+    -18. See below for details.
+  New Types
+  * SSLHandshakeType - The type of a TLS handshake message.
+  * For the SSLSignatureScheme enum, the enumerated values
+    ssl_sig_rsa_pss_sha* are deprecated in response to a change in
+    TLS 1.3.  Please use the equivalent ssl_sig_rsa_pss_rsae_sha*
+    for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha* for PSS keys.
+    Note that this release does not include support for the latter.
+  Notable Changes
+  * Previously, NSS used the DBM file format by default. Starting
+    with version 3.35, NSS uses the SQL file format by default.
+    Additional information can be found on this Fedora Linux project
+    page: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
+  * Added formally verified implementations of non-vectorized Chacha20
+    and non-vectorized Poly1305 64-bit.
+  * For stronger security, when creating encrypted PKCS#7 or PKCS#12 data,
+    the iteration count for the password based encryption algorithm
+    has been increased to one million iterations. Note that debug builds
+    will use a lower count, for better performance in test environments.
+  * NSS 3.30 had introduced a regression, preventing NSS from reading
+    some AES encrypted data, produced by older versions of NSS.
+    NSS 3.35 fixes this regression and restores the ability to read
+    affected data.
+  * The following CA certificates were Removed:
+    OU = Security Communication EV RootCA1
+    CN = CA Disig Root R1
+    CN = DST ACES CA X6
+    Subject CN = VeriSign Class 3 Secure Server CA - G2
+  * The Websites (TLS/SSL) trust bit was turned off for the following
+    CA certificates:
+    CN = Chambers of Commerce Root
+    CN = Global Chambersign Root
+  * TLS servers are able to handle a ClientHello statelessly, if the
+    client supports TLS 1.3.  If the server sends a HelloRetryRequest,
+    it is possible to discard the server socket, and make a new socket
+    to handle any subsequent ClientHello. This better enables stateless
+    server operation. (This feature is added in support of QUIC, but it
+    also has utility for DTLS 1.3 servers.)
+  * The tstclnt utility now supports DTLS, using the -P option.  Note that
+    a DTLS server is also provided in tstclnt.
+  * TLS compression is no longer possible with NSS. The option can be
+    enabled, but NSS will no longer negotiate compression.
+  * The signatures of functions SSL_OptionSet, SSL_OptionGet,
+    SSL_OptionSetDefault and SSL_OptionGetDefault have been modified,
+    to take a PRIntn argument rather than PRBool. This makes it clearer,
+    that options can have values other than 0 or 1.  Note this does
+    not affect ABI compatibility, because PRBool is a typedef for PRIntn.
+
 -------------------------------------------------------------------
 Tue Jan  9 12:50:19 UTC 2018 - wr@rosenauer.org
 

mozilla-nss.spec

@@ -2,7 +2,7 @@
 # spec file for package mozilla-nss
 #
 # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2006-2017 Wolfgang Rosenauer
+# Copyright (c) 2006-2018 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,15 +17,15 @@
 #
 
 
-%global nss_softokn_fips_version 3.34.1
+%global nss_softokn_fips_version 3.35
 
 Name:           mozilla-nss
 BuildRequires:  gcc-c++
-BuildRequires:  mozilla-nspr-devel >= 4.17
+BuildRequires:  mozilla-nspr-devel >= 4.18
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.34.1
+Version:        3.35
 Release:        0
 # bug437293
 %ifarch ppc64
@@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_34_1_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.34.1/nss ; cd nss-3.34.1/nss ; hg up NSS_3_34_1_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_35_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.35/nss ; cd nss-3.35/nss ; hg up NSS_3_35_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@@ -88,7 +88,7 @@ Summary:        Network (Netscape) Security Services development files
 Group:          Development/Libraries/C and C++
 Requires:       libfreebl3
 Requires:       libsoftokn3
-Requires:       mozilla-nspr-devel >= 4.17
+Requires:       mozilla-nspr-devel >= 4.18
 Requires:       mozilla-nss = %{version}-%{release}
 # bug437293
 %ifarch ppc64

nss-3.34.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a3c15d367caf784f33d96dbafbdffc16a8e42fb8c8aedfce97bf92a9f918dda0
-size 9562876

nss-3.35.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f4127de09bede39f5fd0f789d33c3504c5d261e69ea03022d46b319b3e32f6fa
+size 9620041