Accepting request 417032 from mozilla:Factory

- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)

- update to NSS 3.24
  New functionality:
  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a "slot" into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol

OBS-URL: https://build.opensuse.org/request/show/417032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=116
Dominique Leuenberger 2016-08-12 13:33:38 +00:00 committed by Git OBS Bridge
commit 1fc885e369
5 changed files with 104 additions and 30 deletions

@ -1,3 +1,96 @@
-------------------------------------------------------------------
Thu Aug 4 20:28:32 UTC 2016 - wr@rosenauer.org
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
-------------------------------------------------------------------
Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org
- update to NSS 3.24
New functionality:
* NSS softoken has been updated with the latest National Institute
of Standards and Technology (NIST) guidance (as of 2015):
- Software integrity checks and POST functions are executed on
shared library load. These checks have been disabled by default,
as they can cause a performance regression. To enable these
checks, you must define symbol NSS_FORCE_FIPS when building NSS.
- Counter mode and Galois/Counter Mode (GCM) have checks to
prevent counter overflow.
- Additional CSPs are zeroed in the code.
- NSS softoken uses new guidance for how many Rabin-Miller tests
are needed to verify a prime based on prime size.
* NSS softoken has also been updated to allow NSS to run in FIPS
Level 1 (no password). This mode is triggered by setting the
database password to the empty string. In FIPS mode, you may move
from Level 1 to Level 2 (by setting an appropriate password),
but not the reverse.
* A SSL_ConfigServerCert function has been added for configuring
SSL/TLS server sockets with a certificate and private key. Use
this new function in place of SSL_ConfigSecureServer,
SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
determines the certificate type from the certificate and private key.
The caller is no longer required to use SSLKEAType explicitly to
select a "slot" into which the certificate is configured (which
incorrectly identifies a key agreement type rather than a certificate).
Separate functions for configuring Online Certificate Status Protocol
(OCSP) responses or Signed Certificate Timestamps are not needed,
since these can be added to the optional SSLExtraServerCertData struct
provided to SSL_ConfigServerCert. Also, partial support for RSA
Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
Although these certificates can be configured, they will not be
used by NSS in this version.
New functions
* SSL_ConfigServerCert - Configures an SSL/TLS socket with a
certificate, private key, and other information.
* PORT_InitCheapArena - Initializes an arena that was created on
the stack. (See PORTCheapArenaPool.=
* PORT_DestroyCheapArena - Destroys an arena that was created on
the stack. (See PORTCheapArenaPool.)
New types
* SSLExtraServerCertData - Optionally passed as an argument to
SSL_ConfigServerCert. This struct contains supplementary information
about a certificate, such as the intended type of the certificate,
stapled OCSP responses, or Signed Certificate Timestamps (used for
certificate transparency).
* PORTCheapArenaPool - A stack-allocated arena pool, to be used for
temporary arena allocations.
New macros
* CKM_TLS12_MAC
* SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used
only for session resumption in TLS 1.3.
Notable changes:
* Deprecate the following functions. (Applications should instead use the new
SSL_ConfigServerCert function.):
- SSL_SetStapledOCSPResponses
- SSL_SetSignedCertTimestamps
- SSL_ConfigSecureServer
- SSL_ConfigSecureServerWithCertChain
* Deprecate the NSS_FindCertKEAType function, as it reports a misleading
value for certificates that might be used for signing rather than
key exchange.
* Update SSLAuthType to define a larger number of authentication key types.
* Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
Instead, applications should use the newly added attribute authType.
* Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
* Add a shared library (libfreeblpriv3) on Linux platforms that
define FREEBL_LOWHASH.
* Remove most code related to SSL v2, including the ability to actively
send a SSLv2-compatible client hello. However, the server-side
implementation of the SSL/TLS protocol still supports processing
of received v2-compatible client hello messages.
* Disable (by default) NSS support in optimized builds for logging SSL/TLS
key material to a logfile if the SSLKEYLOGFILE environment variable
is set. To enable the functionality in optimized builds, you must define
the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
* Update NSS to protect it against the Cachebleed attack.
* Disable support for DTLS compression.
* Improve support for TLS 1.3. This includes support for DTLS 1.3.
Note that TLS 1.3 support is experimental and not suitable for
production use.
- removed obsolete nss-bmo1236011.patch
-------------------------------------------------------------------
Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
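Review bot: The NSS 3.24 entry records that the softoken integrity checks and POST stay off unless NSS_FORCE_FIPS is defined, and that SSLKEYLOGFILE logging in optimized builds needs NSS_ALLOW_SSLKEYLOGFILE, but it does not say which of the two symbols this package defines. Since the entry above it is about making FIPS mode work again, please add a line stating the package's choice for both. Separately, the PORT_InitCheapArena line ends with "(See PORTCheapArenaPool.=" where the PORT_DestroyCheapArena line has "(See PORTCheapArenaPool.)"; the closing parenthesis should be fixed.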

@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.12
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.23
Version: 3.24
Release: 0
# bug437293
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
@ -56,7 +56,6 @@ Patch5: renegotiate-transitional.patch
Patch6: malloc.patch
Patch7: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch
Patch9: nss-bmo1236011.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -177,7 +176,6 @@ cd nss
%endif
%patch7 -p1
%patch8 -p1
%patch9 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt
@ -249,6 +247,8 @@ cp -L lib/libnss3.so \
$RPM_BUILD_ROOT%{_libdir}
cp -L lib/libfreebl3.so \
lib/libfreebl3.chk \
lib/libfreeblpriv3.so \
lib/libfreeblpriv3.chk \
$RPM_BUILD_ROOT/%{_lib}
#cp -L lib/libnsssqlite3.so \
# $RPM_BUILD_ROOT%{_libdir}
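Review bot: lib/libfreeblpriv3.so and lib/libfreeblpriv3.chk are copied unconditionally, while the changelog in this same commit says the library exists only "on Linux platforms that define FREEBL_LOWHASH". If a build configuration lacks that define, cp fails here without saying why; a short spec comment naming the dependency on FREEBL_LOWHASH would help. The .chk copied here comes from the build tree, so please also confirm that the shlibsign call on $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so later in the spec is what produces the shipped libfreeblpriv3.chk.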
@ -325,6 +325,7 @@ install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir}
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \
%{nil}
%post -p /sbin/ldconfig
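Review bot: The added libfreeblpriv3.so line makes this a list of four hand-maintained shlibsign calls, and the changelog ties boo#992236 to this library not being signed. Consider driving the shlibsign calls and the .chk entries in %files from one list of library names, so that a library added upstream cannot be packaged without its signature. A check after signing that each expected .chk exists under $RPM_BUILD_ROOT would fail the build instead of failing FIPS mode at run time.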
@ -388,6 +389,8 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-, root, root)
/%{_lib}/libfreebl3.so
/%{_lib}/libfreebl3.chk
/%{_lib}/libfreeblpriv3.so
/%{_lib}/libfreeblpriv3.chk
%files -n libsoftokn3
%defattr(-, root, root)

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf
size 7467001

nss-3.24.tar.gz Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed
size 7307782
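Review bot: The sha256 oid in this pointer is the only integrity record for nss-3.24.tar.gz in the commit, and the spec hunks show the Source line fetched over https with no signature or checksum step. Please confirm the oid against the checksum published with NSS_3_24_RTM and say in the request that this was done.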

@ -1,22 +0,0 @@
diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
--- a/cmd/modutil/install-ds.h
+++ b/cmd/modutil/install-ds.h
@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
int numPlatforms;
Pk11Install_PlatformName *forwardCompatible;
int numForwardCompatible;
};
Pk11Install_Info*
Pk11Install_Info_new();
void
-Pk11Install_Info_init();
+Pk11Install_Info_init(Pk11Install_Info* _this);
void
Pk11Install_Info_delete(Pk11Install_Info* _this);
/*// Returns NULL for success, error message if parse error.*/
char*
Pk11Install_Info_Generate(Pk11Install_Info* _this,
const Pk11Install_ValueList *list);
/*// Returns NULL if there is no matching platform*/
Pk11Install_Platform*
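Review bot: The changelog calls nss-bmo1236011.patch obsolete, but nothing in this commit shows that the 3.24 tarball already declares Pk11Install_Info_init(Pk11Install_Info* _this) in cmd/modutil/install-ds.h. Please state in the changelog entry that the prototype fix is included upstream in 3.24, so the removal of Patch9 and %patch9 can be checked against the source rather than taken on trust.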