From 3acc6b79e589737aaddb0e3d9c938595cc46f570ec7b2f1a473fe628536e368e Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Tue, 8 Aug 2017 18:40:45 +0000 Subject: [PATCH] - update to NSS 3.31 New functionality * Allow certificates to be specified by RFC7512 PKCS#11 URIs. * Allow querying a certificate object for its temporary or permanent storage status in a thread safe way. New functions * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a certificate in a thread safe way. * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a certificate in a thread safe way. * PK11_FindCertFromURI - find a certificate identified by the given URI. * PK11_FindCertsFromURI - find a list of certificates identified by the given URI. * PK11_GetModuleURI - retrieve the URI of the given module. * PK11_GetTokenURI - retrieve the URI of a token based on the given slot information. * PK11URI_CreateURI - create a new PK11URI object from a set of attributes. * PK11URI_DestroyURI - destroy a PK11URI object. * PK11URI_FormatURI - format a PK11URI object to a string. * PK11URI_GetPathAttribute - retrieve a path attribute with the given name. * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name. * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object. New macros * Several new macros that start with PK11URI_PATTR_ for path attributes defined in RFC7512. * Several new macros that start with PK11URI_QATTR_ for query attributes defined in RFC7512. Notable changes * The APIs that set a TLS version range have been changed to trim the requested range to the overlap with a systemwide crypto policy, if configured. 
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=243
---
mozilla-nss.changes | 48 +++++++++++++++++++++++++++++++++++++++++++++
mozilla-nss.spec | 8 +++-----
nss-3.30.2.tar.gz | 3 ---
nss-3.31.tar.gz | 3 +++
nss-fix-hash.patch | 13 ------------
5 files changed, 54 insertions(+), 21 deletions(-)
delete mode 100644 nss-3.30.2.tar.gz
create mode 100644 nss-3.31.tar.gz
delete mode 100644 nss-fix-hash.patch
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index ddb4a2f..7c53915 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Sat Aug 5 13:15:09 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.31
+ New functionality
+ * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
+ * Allow querying a certificate object for its temporary or permanent
+ storage status in a thread safe way.
+ New functions
+ * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
+ certificate in a thread safe way.
+ * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
+ certificate in a thread safe way.
+ * PK11_FindCertFromURI - find a certificate identified by the given URI.
+ * PK11_FindCertsFromURI - find a list of certificates identified by the given
+ URI.
+ * PK11_GetModuleURI - retrieve the URI of the given module.
+ * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
+ information.
+ * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
+ * PK11URI_DestroyURI - destroy a PK11URI object.
+ * PK11URI_FormatURI - format a PK11URI object to a string.
+ * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
+ * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
+ * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
+ New macros
+ * Several new macros that start with PK11URI_PATTR_ for path attributes defined
+ in RFC7512.
+ * Several new macros that start with PK11URI_QATTR_ for query attributes defined
+ in RFC7512.
+ Notable changes
+ * The APIs that set a TLS version range have been changed to trim the requested
+ range to the overlap with a systemwide crypto policy, if configured.
+ SSL_VersionRangeGetSupported can be used to query the overlap between the
+ library's supported range of TLS versions and the systemwide policy.
+ * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a + failure if the requested version range wasn't fully allowed by the systemwide + crypto policy. They have been changed to return success, if at least one TLS + version overlaps between the requested range and the systemwide policy. An + application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to + query the TLS version range that was effectively activated. + * Corrected the encoding of Domain Name Constraints extensions created by + certutil. + * NSS supports a clean seeding mechanism for *NIX systems now using only + /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile + time. + * CERT_AsciiToName can handle OIDs in dotted decimal form now. + ------------------------------------------------------------------- Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index a53ffb2..5872939 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.14 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.30.2 +Version: 3.31 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.31/nss ; cd nss-3.31/nss ; hg up NSS_3_31_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in 
@@ -56,7 +56,6 @@ Patch4: renegotiate-transitional.patch Patch5: malloc.patch Patch6: nss-disable-ocsp-test.patch Patch7: nss-sqlitename.patch -Patch8: nss-fix-hash.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -177,7 +176,6 @@ cd nss %endif %patch6 -p1 %patch7 -p1 -%patch8 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt diff --git a/nss-3.30.2.tar.gz b/nss-3.30.2.tar.gz deleted file mode 100644 index 37e96d1..0000000 --- a/nss-3.30.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24 -size 9499119 diff --git a/nss-3.31.tar.gz b/nss-3.31.tar.gz new file mode 100644 index 0000000..19450ae --- /dev/null +++ b/nss-3.31.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d +size 9537011 diff --git a/nss-fix-hash.patch b/nss-fix-hash.patch deleted file mode 100644 index 235cb5b..0000000 --- a/nss-fix-hash.patch +++ /dev/null @@ -1,13 +0,0 @@ ---- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.orig 2017-03-16 09:01:59.024372645 +0000 -+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 2017-03-16 09:02:37.280938434 +0000 -@@ -89,8 +89,8 @@ - PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext, - PKIX_CERTHASHCODEFAILED); - -- *pHashcode = (((((extensionHash << 8) || certHash) << 8) || -- dateHash) << 8) || signerHash; -+ *pHashcode = (((((extensionHash << 8) | certHash) << 8) | -+ dateHash) << 8) | signerHash; - - cleanup: -