- update to NSS 3.21

* required for Firefox 44.0 New functionality: * certutil now supports a --rename option to change a nickname (bmo#1142209) * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022) * New info functions added for use during mid-handshake callbacks (bmo#1084669) New Functions: * NSS_OptionSet - sets NSS global options * NSS_OptionGet - gets the current value of NSS global options * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter string. The module represented by the module structure is not loaded. The difference with SECMOD_CreateModule is the new function handles NSS configuration parameter strings. * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior to the handshake being completed, for use with the callbacks that are invoked during the handshake * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms for TLS * SSL_SignaturePrefGet - retrieves the currently configured signature and hash algorithms * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that can be configured with SSL_SignaturePrefSet * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared library string, module name string, module parameters string, NSS specific parameters string, and NSS configuration parameter strings. The returned strings must be freed by the caller. The difference with NSS_ArgParseModuleSpec is the new function handles NSS configuration parameter strings. * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string, OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=203
2016-01-26 06:30:20 +00:00 · 2016-01-26 06:30:20 +00:00 · a13639ab95
commit a13639ab95
parent 016b870c09
5 changed files with 139 additions and 10 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Sun Dec 20 10:12:35 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.21
+  * required for Firefox 44.0
+  New functionality:
+  * certutil now supports a --rename option to change a nickname (bmo#1142209)
+  * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022)
+  * New info functions added for use during mid-handshake callbacks (bmo#1084669)
+  New Functions:
+  * NSS_OptionSet - sets NSS global options
+  * NSS_OptionGet - gets the current value of NSS global options
+  * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
+    string, module parameters string, NSS specific parameters string, and NSS
+    configuration parameter string. The module represented by the module
+    structure is not loaded. The difference with SECMOD_CreateModule is the new
+    function handles NSS configuration parameter strings.
+  * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
+    to the handshake being completed, for use with the callbacks that are invoked
+    during the handshake
+  * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
+    for TLS
+  * SSL_SignaturePrefGet - retrieves the currently configured signature and hash
+    algorithms
+  * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
+    can be configured with SSL_SignaturePrefSet
+  * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
+    library string, module name string, module parameters string, NSS specific
+    parameters string, and NSS configuration parameter strings. The returned
+    strings must be freed by the caller. The difference with
+    NSS_ArgParseModuleSpec is the new function handles NSS configuration
+    parameter strings.
+  * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
+    module parameters string, NSS specific parameters string, and NSS
+    configuration parameter string and returns a module string which the caller
+    must free when it is done. The difference with NSS_MkModuleSpec is the new
+    function handles NSS configuration parameter strings.
+  New Types:
+  * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
+    CKM_TLS12_MASTER_KEY_DERIVE
+  * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
+    CKM_TLS12_KEY_AND_MAC_DERIVE
+  * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
+  * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
+  * SSLHashType - identifies a hash function
+  * SSLSignatureAndHashAlg - identifies a signature and hash function
+  * SSLPreliminaryChannelInfo - provides information about the session state
+    prior to handshake completion
+  New Macros:
+  * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+    get the minimum RSA key size
+  * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+    get the minimum DH key size
+  * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+    get the minimum DSA key size
+  * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
+  * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
+  * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
+    ECDH) cipher suites
+  * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
+    PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
+  * CKM_TLS_MAC - computes TLS Finished MAC
+  * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
+    exchange
+  * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
+    DTLS record in a UDP packet
+  * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
+    signature and hash algorithm is available
+  * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
+    unsupported signature and hash algorithm is configured
+  * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
+    master secret is missing after having been negotiated
+  * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
+    extended master secret when previously not negotiated
+  * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
+    master secret extension (RFC 7627)
+  * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
+    TLS version has been selected
+  * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
+    that a TLS cipher suite has been selected
+  * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
+    preliminary information has been set
+  Notable Changes:
+  * NSS now builds with elliptic curve ciphers enabled by default (bmo#1205688)
+  * NSS now builds with warnings as errors (bmo#1182667)
+  * The following CA certificates were Removed
+    - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+    - CN = UTN-USERFirst-Network Applications
+    - CN = TC TrustCenter Universal CA III
+    - CN = A-Trust-nQual-03
+    - CN = USERTrust Legacy Secure Server CA
+    - Friendly Name: Digital Signature Trust Co. Global CA 1
+    - Friendly Name: Digital Signature Trust Co. Global CA 3
+    - CN = UTN - DATACorp SGC
+    - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
+  * The following CA certificate had the Websites trust bit turned off
+    - OU = Equifax Secure Certificate Authority
+  * The following CA certificates were Added
+    - CN = Certification Authority of WoSign G2
+    - CN = CA WoSign ECC Root
+    - CN = OISTE WISeKey Global Root GB CA
+- increased the minimum level of possible mixed installations
+  (softokn3, freebl3) to 3.21
+
 -------------------------------------------------------------------
 Sat Dec 19 17:13:21 UTC 2015 - wr@rosenauer.org

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -1,8 +1,8 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2006-2014 Wolfgang Rosenauer
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2006-2015 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
 #


-%global nss_softokn_fips_version 3.18
+%global nss_softokn_fips_version 3.21

 Name:           mozilla-nss
 BuildRequires:  gcc-c++
@ -25,7 +25,7 @@ BuildRequires:  mozilla-nspr-devel >= 4.10.10
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.20.2
+Version:        3.21
 Release:        0
 # bug437293
 %ifarch ppc64
@ -36,8 +36,8 @@ Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
 Url:            http://www.mozilla.org/projects/security/pki/nss/
-Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_2_RTM/src/nss-%{version}.tar.gz
-# hg clone https://hg.mozilla.org/projects/nss nss-3.20.2/nss ; cd nss-3.20.2/nss ; hg up NSS_3_20_2_RTM
+Source:         https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/nss-%{version}.tar.gz
+# hg clone https://hg.mozilla.org/projects/nss nss-3.21/nss ; cd nss-3.21/nss ; hg up NSS_3_21_RTM
 #Source:         nss-%{version}.tar.gz
 Source1:        nss.pc.in
 Source3:        nss-config.in
@ -56,6 +56,7 @@ Patch5:         renegotiate-transitional.patch
 Patch6:         malloc.patch
 Patch7:         nss-disable-ocsp-test.patch
 Patch8:         nss-sqlitename.patch
+Patch9:         nss-bmo1236011.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@ -69,7 +70,8 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 %ifnarch %sparc
 %if ! 0%{?qemu_user_space_build}
-%define run_testsuite 1
+# disabled temporarily bmo#1236340
+%define run_testsuite 0
 %endif
 %endif

@ -175,6 +177,7 @@ cd nss
 %endif
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
--- a/nss-3.20.2.tar.gz
+++ b/nss-3.20.2.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:141a3a59d57fbcd00b669bcaa4ccd2fd632a9306e2fb4623e89eed0a2e93f286
-size 6959455
--- a/nss-3.21.tar.gz
+++ b/nss-3.21.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239
+size 6978112
--- a/nss-bmo1236011.patch
+++ b/nss-bmo1236011.patch
@ -0,0 +1,22 @@
+diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
+--- a/cmd/modutil/install-ds.h
+++ b/cmd/modutil/install-ds.h
+@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
+ 	int numPlatforms;
+ 	Pk11Install_PlatformName *forwardCompatible;
+ 	int numForwardCompatible;
+ };
+ 
+ Pk11Install_Info*
+ Pk11Install_Info_new();
+ void
+-Pk11Install_Info_init();
+Pk11Install_Info_init(Pk11Install_Info* _this);
+ void
+ Pk11Install_Info_delete(Pk11Install_Info* _this);
+ /*// Returns NULL for success, error message if parse error.*/
+ char* 
+ Pk11Install_Info_Generate(Pk11Install_Info* _this, 
+                           const Pk11Install_ValueList *list);
+ 	/*// Returns NULL if there is no matching platform*/
+ Pk11Install_Platform*