Accepting request 417032 from mozilla:Factory
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
- update to NSS 3.24
  New functionality:
  * NSS softoken has been updated with the latest National Institute
    of Standards and Technology (NIST) guidance (as of 2015):
    - Software integrity checks and POST functions are executed on
      shared library load. These checks have been disabled by default,
      as they can cause a performance regression. To enable these
      checks, you must define symbol NSS_FORCE_FIPS when building NSS.
    - Counter mode and Galois/Counter Mode (GCM) have checks to
      prevent counter overflow.
    - Additional CSPs are zeroed in the code.
    - NSS softoken uses new guidance for how many Rabin-Miller tests
      are needed to verify a prime based on prime size.
  * NSS softoken has also been updated to allow NSS to run in FIPS
    Level 1 (no password). This mode is triggered by setting the
    database password to the empty string. In FIPS mode, you may move
    from Level 1 to Level 2 (by setting an appropriate password),
    but not the reverse.
  * A SSL_ConfigServerCert function has been added for configuring
    SSL/TLS server sockets with a certificate and private key. Use
    this new function in place of SSL_ConfigSecureServer,
    SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
    and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
    determines the certificate type from the certificate and private key.
    The caller is no longer required to use SSLKEAType explicitly to
    select a "slot" into which the certificate is configured (which
    incorrectly identifies a key agreement type rather than a certificate).
    Separate functions for configuring Online Certificate Status Protocol
OBS-URL: https://build.opensuse.org/request/show/417032
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=116
1fc885e369
@ -1,3 +1,96 @@
-------------------------------------------------------------------
Thu Aug 4 20:28:32 UTC 2016 - wr@rosenauer.org
- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
-------------------------------------------------------------------
Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org
- update to NSS 3.24
New functionality:
* NSS softoken has been updated with the latest National Institute
of Standards and Technology (NIST) guidance (as of 2015):
- Software integrity checks and POST functions are executed on
shared library load. These checks have been disabled by default,
as they can cause a performance regression. To enable these
checks, you must define symbol NSS_FORCE_FIPS when building NSS.
- Counter mode and Galois/Counter Mode (GCM) have checks to
prevent counter overflow.
- Additional CSPs are zeroed in the code.
- NSS softoken uses new guidance for how many Rabin-Miller tests
are needed to verify a prime based on prime size.
* NSS softoken has also been updated to allow NSS to run in FIPS
Level 1 (no password). This mode is triggered by setting the
database password to the empty string. In FIPS mode, you may move
from Level 1 to Level 2 (by setting an appropriate password),
but not the reverse.
* A SSL_ConfigServerCert function has been added for configuring
SSL/TLS server sockets with a certificate and private key. Use
this new function in place of SSL_ConfigSecureServer,
SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
determines the certificate type from the certificate and private key.
The caller is no longer required to use SSLKEAType explicitly to
select a "slot" into which the certificate is configured (which
incorrectly identifies a key agreement type rather than a certificate).
Separate functions for configuring Online Certificate Status Protocol
(OCSP) responses or Signed Certificate Timestamps are not needed,
since these can be added to the optional SSLExtraServerCertData struct
provided to SSL_ConfigServerCert. Also, partial support for RSA
Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
Although these certificates can be configured, they will not be
used by NSS in this version.
New functions
* SSL_ConfigServerCert - Configures an SSL/TLS socket with a
certificate, private key, and other information.
* PORT_InitCheapArena - Initializes an arena that was created on
the stack. (See PORTCheapArenaPool.=
* PORT_DestroyCheapArena - Destroys an arena that was created on
the stack. (See PORTCheapArenaPool.)
New types
* SSLExtraServerCertData - Optionally passed as an argument to
SSL_ConfigServerCert. This struct contains supplementary information
about a certificate, such as the intended type of the certificate,
stapled OCSP responses, or Signed Certificate Timestamps (used for
certificate transparency).
* PORTCheapArenaPool - A stack-allocated arena pool, to be used for
temporary arena allocations.
New macros
* CKM_TLS12_MAC
* SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used
only for session resumption in TLS 1.3.
Notable changes:
* Deprecate the following functions. (Applications should instead use the new
SSL_ConfigServerCert function.):
- SSL_SetStapledOCSPResponses
- SSL_SetSignedCertTimestamps
- SSL_ConfigSecureServer
- SSL_ConfigSecureServerWithCertChain
* Deprecate the NSS_FindCertKEAType function, as it reports a misleading
value for certificates that might be used for signing rather than
key exchange.
* Update SSLAuthType to define a larger number of authentication key types.
* Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
Instead, applications should use the newly added attribute authType.
* Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
* Add a shared library (libfreeblpriv3) on Linux platforms that
define FREEBL_LOWHASH.
* Remove most code related to SSL v2, including the ability to actively
send a SSLv2-compatible client hello. However, the server-side
implementation of the SSL/TLS protocol still supports processing
of received v2-compatible client hello messages.
* Disable (by default) NSS support in optimized builds for logging SSL/TLS
key material to a logfile if the SSLKEYLOGFILE environment variable
is set. To enable the functionality in optimized builds, you must define
the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
* Update NSS to protect it against the Cachebleed attack.
* Disable support for DTLS compression.
* Improve support for TLS 1.3. This includes support for DTLS 1.3.
Note that TLS 1.3 support is experimental and not suitable for
production use.
- removed obsolete nss-bmo1236011.patch
-------------------------------------------------------------------
-------------------------------------------------------------------
Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
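Review bot: the added changelog line "the stack. (See PORTCheapArenaPool.=" for PORT_InitCheapArena has a stray "=" where the closing parenthesis belongs; the PORT_DestroyCheapArena entry directly below it reads "(See PORTCheapArenaPool.)", so the two should match. One documentation nit as well: "- removed obsolete nss-bmo1236011.patch" does not say why the patch is obsolete; a few words such as "fixed upstream in 3.24" would save the next maintainer a lookup.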
@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.12
BuildRequires: pkg-config
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
BuildRequires: zlib-devel
Version: 3.23
Version: 3.24
Release: 0
Release: 0
# bug437293
# bug437293
%ifarch ppc64
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
License: MPL-2.0
Group: System/Libraries
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM
# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM
#Source: nss-%{version}.tar.gz
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source1: nss.pc.in
Source3: nss-config.in
Source3: nss-config.in
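Review bot: the "Url:" line in this hunk still points at http://www.mozilla.org/projects/security/pki/nss/ while the updated "Source:" line fetches over https; since the neighbouring lines are being touched anyway, switching Url to https would be a cheap consistency fix. The "# hg clone" comment was updated together with the NSS_3_24_RTM tag in Source, which is good, as the two are easy to let drift apart.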
@ -56,7 +56,6 @@ Patch5: renegotiate-transitional.patch
Patch6: malloc.patch
Patch6: malloc.patch
Patch7: nss-disable-ocsp-test.patch
Patch7: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch
Patch8: nss-sqlitename.patch
Patch9: nss-bmo1236011.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
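Review bot: the "PreReq: libfreebl3 >= %{nss_softokn_fips_version}" context line in this hunk is left as is; please check whether %{nss_softokn_fips_version} (defined outside the hunk) has to move to 3.24, because the boo#992236 entry shows that the 3.24 softoken needs libfreeblpriv3.so in FIPS mode, and only a libfreebl3 package built from this version ships that library. If the macro still names an older version, a 3.24 libsoftokn3 could be installed next to a libfreebl3 that lacks libfreeblpriv3.so and its .chk.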
@ -177,7 +176,6 @@ cd nss
%endif
%endif
%patch7 -p1
%patch7 -p1
%patch8 -p1
%patch8 -p1
%patch9 -p1
# additional CA certificates
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt
#cat %{SOURCE2} >> certdata.txt
@ -249,6 +247,8 @@ cp -L lib/libnss3.so \
$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_libdir}
cp -L lib/libfreebl3.so \
cp -L lib/libfreebl3.so \
lib/libfreebl3.chk \
lib/libfreebl3.chk \
lib/libfreeblpriv3.so \
lib/libfreeblpriv3.chk \
$RPM_BUILD_ROOT/%{_lib}
$RPM_BUILD_ROOT/%{_lib}
#cp -L lib/libnsssqlite3.so \
#cp -L lib/libnsssqlite3.so \
# $RPM_BUILD_ROOT%{_libdir}
# $RPM_BUILD_ROOT%{_libdir}
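Review bot: copying "lib/libfreeblpriv3.chk" out of the build tree is redundant, because the shlibsign -i run later in %install rewrites the .chk next to the installed libfreeblpriv3.so; it mirrors the existing "lib/libfreebl3.chk" copy, so it is harmless, but if the pattern is kept a one-line comment saying the copied .chk is a placeholder that gets re-signed would stop someone from "fixing" the later step away. The destination "$RPM_BUILD_ROOT/%{_lib}" rather than %{_libdir} is consistent with where libfreebl3.so already goes.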
@ -325,6 +325,7 @@ install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir}
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \
%{nil}
%{nil}
%post -p /sbin/ldconfig
%post -p /sbin/ldconfig
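Review bot: the new shlibsign line for "$RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so" copies the libfreebl3.so invocation exactly, which is correct, but the .chk it writes is a signature over the installed file's bytes, so anything that rewrites the .so after this point (a later strip or debuginfo extraction) silently invalidates it and FIPS mode fails again in the way boo#992236 describes; whatever protects libfreebl3.so and libsoftokn3.so from that must cover libfreeblpriv3.so too. Style-wise, the four invocations differ only in the library path, so a small loop over the library list would remove the repeated LD_LIBRARY_PATH prefix and make the next addition a one-word change.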
@ -388,6 +389,8 @@ rm -rf $RPM_BUILD_ROOT
%defattr(-, root, root)
%defattr(-, root, root)
/%{_lib}/libfreebl3.so
/%{_lib}/libfreebl3.so
/%{_lib}/libfreebl3.chk
/%{_lib}/libfreebl3.chk
/%{_lib}/libfreeblpriv3.so
/%{_lib}/libfreeblpriv3.chk
%files -n libsoftokn3
%files -n libsoftokn3
%defattr(-, root, root)
%defattr(-, root, root)
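Review bot: the new "/%{_lib}/libfreeblpriv3.so" and "/%{_lib}/libfreeblpriv3.chk" entries are placed right after libfreebl3.so/.chk, so they land in whichever subpackage that %files section belongs to; the section header is outside the hunk (the next visible one is "%files -n libsoftokn3"), so please confirm it is the libfreebl3 package, which is the one softoken's PreReq pins. The .so and its .chk must stay in the same package, since in FIPS mode the library is only usable when its checksum file is present alongside it.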
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf
size 7467001
nss-3.24.tar.gz
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed
size 7307782
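Review bot: the tarball swap is visible only as git-lfs pointers, the old "oid sha256:94b383e3..." / "size 7467001" for 3.23 giving way to "oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed" / "size 7307782" for nss-3.24.tar.gz. The pointer proves which bytes are in LFS, not that they are Mozilla's release, so the digest should be compared against the checksums published alongside NSS_3_24_RTM at the Source URL before this request is accepted; for a crypto library that other packages depend on, that check belongs in the review record.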
@ -1,22 +0,0 @@
diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
--- a/cmd/modutil/install-ds.h
+++ b/cmd/modutil/install-ds.h
@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
int numPlatforms;
Pk11Install_PlatformName *forwardCompatible;
int numForwardCompatible;
};
Pk11Install_Info*
Pk11Install_Info_new();
void
-Pk11Install_Info_init();
+Pk11Install_Info_init(Pk11Install_Info* _this);
void
Pk11Install_Info_delete(Pk11Install_Info* _this);
/*// Returns NULL for success, error message if parse error.*/
char*
Pk11Install_Info_Generate(Pk11Install_Info* _this,
const Pk11Install_ValueList *list);
/*// Returns NULL if there is no matching platform*/
Pk11Install_Platform*
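Review bot: the deleted nss-bmo1236011.patch does one thing, it turns the declaration "Pk11Install_Info_init();" in cmd/modutil/install-ds.h into "Pk11Install_Info_init(Pk11Install_Info* _this);" so the prototype matches the definition and the calls. The .changes entry only says "obsolete", so the reviewer should confirm the 3.24 tarball already declares the parameter; if it does not, dropping the patch brings the empty-parameter declaration back and the compiler can no longer check that call against its argument. A note of the upstream fix in the changelog would make the "obsolete" claim verifiable later.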