- update to NSS 3.31

New functionality
  * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
  * Allow querying a certificate object for its temporary or permanent
    storage status in a thread safe way.
  New functions
  * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
    certificate in a thread safe way.
  * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
    certificate in a thread safe way.
  * PK11_FindCertFromURI - find a certificate identified by the given URI.
  * PK11_FindCertsFromURI - find a list of certificates identified by the given
    URI.
  * PK11_GetModuleURI - retrieve the URI of the given module.
  * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
    information.
  * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
  * PK11URI_DestroyURI - destroy a PK11URI object.
  * PK11URI_FormatURI - format a PK11URI object to a string.
  * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
  * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
  * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
  New macros
  * Several new macros that start with PK11URI_PATTR_ for path attributes defined
    in RFC7512.
  * Several new macros that start with PK11URI_QATTR_ for query attributes defined
    in RFC7512.
  Notable changes
  * The APIs that set a TLS version range have been changed to trim the requested
    range to the overlap with a systemwide crypto policy, if configured.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=243
Wolfgang Rosenauer 2017-08-08 18:40:45 +00:00 committed by Git OBS Bridge
parent 8a54093a7b
commit 3acc6b79e5
5 changed files with 54 additions and 21 deletions


@ -1,3 +1,51 @@
-------------------------------------------------------------------
Sat Aug 5 13:15:09 UTC 2017 - wr@rosenauer.org
- update to NSS 3.31
New functionality
* Allow certificates to be specified by RFC7512 PKCS#11 URIs.
* Allow querying a certificate object for its temporary or permanent
storage status in a thread safe way.
New functions
* CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
certificate in a thread safe way.
* CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
certificate in a thread safe way.
* PK11_FindCertFromURI - find a certificate identified by the given URI.
* PK11_FindCertsFromURI - find a list of certificates identified by the given
URI.
* PK11_GetModuleURI - retrieve the URI of the given module.
* PK11_GetTokenURI - retrieve the URI of a token based on the given slot
information.
* PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
* PK11URI_DestroyURI - destroy a PK11URI object.
* PK11URI_FormatURI - format a PK11URI object to a string.
* PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
* PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
* PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
New macros
* Several new macros that start with PK11URI_PATTR_ for path attributes defined
in RFC7512.
* Several new macros that start with PK11URI_QATTR_ for query attributes defined
in RFC7512.
Notable changes
* The APIs that set a TLS version range have been changed to trim the requested
range to the overlap with a systemwide crypto policy, if configured.
SSL_VersionRangeGetSupported can be used to query the overlap between the
library's supported range of TLS versions and the systemwide policy.
* Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a
failure if the requested version range wasn't fully allowed by the systemwide
crypto policy. They have been changed to return success, if at least one TLS
version overlaps between the requested range and the systemwide policy. An
application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to
query the TLS version range that was effectively activated.
* Corrected the encoding of Domain Name Constraints extensions created by
certutil.
* NSS supports a clean seeding mechanism for *NIX systems now using only
/dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile
time.
* CERT_AsciiToName can handle OIDs in dotted decimal form now.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org
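Review bot: The new entry dated Sat Aug 5 13:15:09 UTC 2017 never mentions that nss-fix-hash.patch is dropped, although the same commit removes `Patch8: nss-fix-hash.patch` and `%patch8 -p1` from the spec and deletes the patch file. Add a changelog line naming the removed patch and the reason it is no longer needed, so the removal can be audited from the changelog alone.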


@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.14
BuildRequires: pkg-config BuildRequires: pkg-config
BuildRequires: sqlite-devel BuildRequires: sqlite-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
Version: 3.30.2 Version: 3.31
Release: 0 Release: 0
# bug437293 # bug437293
%ifarch ppc64 %ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0 License: MPL-2.0
Group: System/Libraries Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/ Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_31_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM # hg clone https://hg.mozilla.org/projects/nss nss-3.31/nss ; cd nss-3.31/nss ; hg up NSS_3_31_RTM
#Source: nss-%{version}.tar.gz #Source: nss-%{version}.tar.gz
Source1: nss.pc.in Source1: nss.pc.in
Source3: nss-config.in Source3: nss-config.in
@ -56,7 +56,6 @@ Patch4: renegotiate-transitional.patch
Patch5: malloc.patch Patch5: malloc.patch
Patch6: nss-disable-ocsp-test.patch Patch6: nss-disable-ocsp-test.patch
Patch7: nss-sqlitename.patch Patch7: nss-sqlitename.patch
Patch8: nss-fix-hash.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -177,7 +176,6 @@ cd nss
%endif %endif
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1
# additional CA certificates # additional CA certificates
#cd security/nss/lib/ckfw/builtins #cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt #cat %{SOURCE2} >> certdata.txt


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24
size 9499119

nss-3.31.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e90561256a3271486162c1fbe8d614d118c333d36a4455be2af8688bd420a65d
size 9537011
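Review bot: The `oid sha256:` value in this pointer is the only integrity record for the new tarball, and nothing in the commit says what it was checked against. Before accepting it, compare the digest with the checksum upstream publishes for the NSS_3_31_RTM source named in the spec's `Source:` line, and note in the commit message that the check was done.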


@ -1,13 +0,0 @@
--- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.orig 2017-03-16 09:01:59.024372645 +0000
+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c 2017-03-16 09:02:37.280938434 +0000
@@ -89,8 +89,8 @@
PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
PKIX_CERTHASHCODEFAILED);
- *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
- dateHash) << 8) || signerHash;
+ *pHashcode = (((((extensionHash << 8) | certHash) << 8) |
+ dateHash) << 8) | signerHash;
cleanup:
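Review bot: Nothing in this commit shows that the 3.31 tarball already carries the bitwise `|` form of the `*pHashcode` expression that this deleted patch supplied. With the logical `||` of the original lines the whole expression evaluates to 0 or 1, so the OCSP request hash code takes only two values. Check pkix_pl_ocsprequest.c in the new source for the `|` form and state in the changelog that the patch was merged upstream; if it was not, keep `Patch8`.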