- update to NSS 3.31

New functionality * Allow certificates to be specified by RFC7512 PKCS#11 URIs. * Allow querying a certificate object for its temporary or permanent storage status in a thread safe way. New functions * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a certificate in a thread safe way. * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a certificate in a thread safe way. * PK11_FindCertFromURI - find a certificate identified by the given URI. * PK11_FindCertsFromURI - find a list of certificates identified by the given URI. * PK11_GetModuleURI - retrieve the URI of the given module. * PK11_GetTokenURI - retrieve the URI of a token based on the given slot information. * PK11URI_CreateURI - create a new PK11URI object from a set of attributes. * PK11URI_DestroyURI - destroy a PK11URI object. * PK11URI_FormatURI - format a PK11URI object to a string. * PK11URI_GetPathAttribute - retrieve a path attribute with the given name. * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name. * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object. New macros * Several new macros that start with PK11URI_PATTR_ for path attributes defined in RFC7512. * Several new macros that start with PK11URI_QATTR_ for query attributes defined in RFC7512. Notable changes * The APIs that set a TLS version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured. OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=243
2017-08-08 18:40:45 +00:00 · 2017-08-08 18:40:45 +00:00 · 3acc6b79e5
commit 3acc6b79e5
parent 8a54093a7b
5 changed files with 54 additions and 21 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Sat Aug  5 13:15:09 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.31
+  New functionality
+  * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
+  * Allow querying a certificate object for its temporary or permanent
+    storage status in a thread safe way.
+  New functions
+  * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
+    certificate in a thread safe way.
+  * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
+    certificate in a thread safe way.
+  * PK11_FindCertFromURI - find a certificate identified by the given URI.
+  * PK11_FindCertsFromURI - find a list of certificates identified by the given
+    URI.
+  * PK11_GetModuleURI - retrieve the URI of the given module.
+  * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
+    information.
+  * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
+  * PK11URI_DestroyURI - destroy a PK11URI object.
+  * PK11URI_FormatURI - format a PK11URI object to a string.
+  * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
+  * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
+  * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
+  New macros
+  * Several new macros that start with PK11URI_PATTR_ for path attributes defined
+    in RFC7512.
+  * Several new macros that start with PK11URI_QATTR_ for query attributes defined
+    in RFC7512.
+  Notable changes
+  * The APIs that set a TLS version range have been changed to trim the requested
+    range to the overlap with a systemwide crypto policy, if configured.
+    SSL_VersionRangeGetSupported can be used to query the overlap between the
+    library's supported range of TLS versions and the systemwide policy.
+  * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a
+    failure if the requested version range wasn't fully allowed by the systemwide
+    crypto policy. They have been changed to return success, if at least one TLS
+    version overlaps between the requested range and the systemwide policy. An
+    application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to
+    query the TLS version range that was effectively activated.
+  * Corrected the encoding of Domain Name Constraints extensions created by
+    certutil.
+  * NSS supports a clean seeding mechanism for *NIX systems now using only
+    /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile
+    time.
+  * CERT_AsciiToName can handle OIDs in dotted decimal form now.
+
 -------------------------------------------------------------------
 Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.14
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.30.2
+Version:        3.31
 Release:        0
 # bug437293
 %ifarch ppc64
@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.31/nss ; cd nss-3.31/nss ; hg up NSS_3_31_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@ -56,7 +56,6 @@ Patch4:         renegotiate-transitional.patch
 Patch5:         malloc.patch
 Patch6:         nss-disable-ocsp-test.patch
 Patch7:         nss-sqlitename.patch
-Patch8:         nss-fix-hash.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@ -177,7 +176,6 @@ cd nss
 %endif
 %patch6 -p1
 %patch7 -p1
-%patch8 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
--- a/nss-3.30.2.tar.gz
+++ b/nss-3.30.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24
-size 9499119
--- a/nss-3.31.tar.gz
+++ b/nss-3.31.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d
+size 9537011
--- a/nss-fix-hash.patch
+++ b/nss-fix-hash.patch
@ -1,13 +0,0 @@
--- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.orig	2017-03-16 09:01:59.024372645 +0000
-+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c	2017-03-16 09:02:37.280938434 +0000
-@@ -89,8 +89,8 @@
-         PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
-                 PKIX_CERTHASHCODEFAILED);
- 
-        *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
-                dateHash) << 8) || signerHash;
-+        *pHashcode = (((((extensionHash << 8) | certHash) << 8) |
-+                dateHash) << 8) | signerHash;
- 
- cleanup:
-