Accepting request 835234 from mozilla:Factory

OBS-URL: https://build.opensuse.org/request/show/835234
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=162

baselibs.conf

@@ -2,7 +2,7 @@ mozilla-nss
   requires "mozilla-nspr-<targettype> >= 4.25"
   requires "libfreebl3-<targettype>"
   requires "libsoftokn3-<targettype>"
-  requires "mozilla-nss-certs-<targettype>"
+  requires "libnssckbi.so"
 libsoftokn3
   requires "libfreebl3-<targettype> = <version>"
 libsoftokn3-hmac

mozilla-nss.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Thu Sep 17 13:57:18 UTC 2020 - Hans Petter Jansson <hpj@suse.com>
+
+- Update nss-fips-approved-crypto-non-ec.patch to match RC2 code
+  being moved to deprecated/.
+- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made
+  obsolete by upstream changes.
+
+-------------------------------------------------------------------
+Tue Sep  8 20:17:19 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.56
+  Notable changes
+  * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
+  * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
+  * bmo#1654142 - Add CPU feature detection for Intel SHA extension.
+  * bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
+  * bmo#1656986 - Properly detect arm64 during GYP build architecture
+                  detection.
+  * bmo#1652729 - Add build flag to disable RC2 and relocate to
+                  lib/freebl/deprecated.
+  * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
+  * bmo#1588941 - Send empty certificate message when scheme selection
+                  fails.
+  * bmo#1652032 - Fix failure to build in Windows arm64 makefile
+                  cross-compilation.
+  * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
+  * bmo#1653975 - Fix 3.53 regression by setting "all" as the default
+                  makefile target.
+  * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
+  * bmo#1659814 - Fix interop.sh failures with newer tls-interop
+                  commit and dependencies.
+  * bmo#1656519 - NSPR dependency updated to 4.28
+- do not hard require mozilla-nss-certs-32bit via baselibs
+  (boo#1176206)
+
 -------------------------------------------------------------------
 Sat Aug 22 06:41:15 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
 

mozilla-nss.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2006-2020 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -17,14 +17,14 @@
 #
 
 
-%global nss_softokn_fips_version 3.55
-%define NSPR_min_version 4.27
+%global nss_softokn_fips_version 3.56
+%define NSPR_min_version 4.28
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.55
+Version:        3.56
 Release:        0
-%define underscore_version 3_55
+%define underscore_version 3_56
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -68,7 +68,6 @@ Patch30:        nss-fips-tls-allow-md5-prf.patch
 Patch31:        nss-fips-use-strong-random-pool.patch
 Patch32:        nss-fips-detect-fips-mode-fixes.patch
 Patch34:        nss-fips-combined-hash-sign-dsa-ecdsa.patch
-Patch35:        nss-fix-dh-pkcs-derive-inverted-logic.patch
 Patch36:        nss-fips-aes-keywrap-post.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
@@ -226,7 +225,6 @@ cd nss
 %patch31 -p1
 %patch32 -p1
 %patch34 -p1
-%patch35 -p1
 %patch36 -p1
 
 # additional CA certificates

nss-3.55.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fc692e3db45a082ee6328cd989e795c171a00df9c518df090937f7604f850004
-size 81759883

nss-3.56.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f875e0e8ed3b5ce92d675be4a55aa25a8c1199789a4a01f69b5f2327e2048e9c
+size 81706176

nss-fips-approved-crypto-non-ec.patch

@@ -6,14 +6,14 @@
 # Parent  3f4d682c9a1e8b3d939c744ee249e23179db5191
 imported patch nss-fips-approved-crypto-non-ec.patch
 
-diff --git a/lib/freebl/alg2268.c b/lib/freebl/alg2268.c
---- a/lib/freebl/alg2268.c
-+++ b/lib/freebl/alg2268.c
+diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
+--- a/lib/freebl/deprecated/alg2268.c
++++ b/lib/freebl/deprecated/alg2268.c
 @@ -16,6 +16,8 @@
  #include <stddef.h> /* for ptrdiff_t */
  #endif
  
-+#include "fips.h"
++#include "../fips.h"
 +
  /*
  ** RC2 symmetric block cypher

nss-fix-dh-pkcs-derive-inverted-logic.patch

@@ -1,20 +0,0 @@
-# HG changeset patch
-# User M. Sirringhaus <msirringhaus@suse.de>
-# Date 1590586654 -7200
-#      Wed May 27 15:37:34 2020 +0200
-# Node ID 582ed54a5cda147cd5996603d6066817edb687fa
-# Parent  ce99bba6375432c55a73c1367f619dfef7c7e9fc
-imported patch nss-fix-dh-pkcs-derive-inverted-logic.patch
-
-diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
---- a/lib/softoken/pkcs11c.c
-+++ b/lib/softoken/pkcs11c.c
-@@ -8316,7 +8316,7 @@
-             if (crv == CKR_OK) {
-                 rv = KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime);
-                 PORT_Free(dhSubPrime.data);
--                if (rv != SECSuccess) {
-+                if (rv == PR_FALSE) {
-                     crv = CKR_ARGUMENTS_BAD;
-                     PORT_Free(dhPrime.data);
-                     PORT_Free(dhValue.data);