diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index fcce538..03ae4b4 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Sun Dec 20 10:12:35 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.21
+ * required for Firefox 44.0
+ New functionality:
+ * certutil now supports a --rename option to change a nickname (bmo#1142209)
+ * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022)
+ * New info functions added for use during mid-handshake callbacks (bmo#1084669)
+ New Functions:
+ * NSS_OptionSet - sets NSS global options
+ * NSS_OptionGet - gets the current value of NSS global options
+ * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
+ string, module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string. The module represented by the module
+ structure is not loaded. The difference with SECMOD_CreateModule is the new
+ function handles NSS configuration parameter strings.
+ * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
+ to the handshake being completed, for use with the callbacks that are invoked
+ during the handshake
+ * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
+ for TLS
+ * SSL_SignaturePrefGet - retrieves the currently configured signature and hash
+ algorithms
+ * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
+ can be configured with SSL_SignaturePrefSet
+ * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
+ library string, module name string, module parameters string, NSS specific
+ parameters string, and NSS configuration parameter strings. The returned
+ strings must be freed by the caller. The difference with
+ NSS_ArgParseModuleSpec is the new function handles NSS configuration
+ parameter strings.
+ * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
+ module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string and returns a module string which the caller
+ must free when it is done. The difference with NSS_MkModuleSpec is the new
+ function handles NSS configuration parameter strings.
+ New Types:
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_MASTER_KEY_DERIVE
+ * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_KEY_AND_MAC_DERIVE
+ * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
+ * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
+ * SSLHashType - identifies a hash function
+ * SSLSignatureAndHashAlg - identifies a signature and hash function
+ * SSLPreliminaryChannelInfo - provides information about the session state
+ prior to handshake completion
+ New Macros:
+ * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum RSA key size
+ * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DH key size
+ * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DSA key size
+ * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
+ * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
+ * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
+ ECDH) cipher suites
+ * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
+ PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
+ * CKM_TLS_MAC - computes TLS Finished MAC
+ * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
+ exchange
+ * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
+ DTLS record in a UDP packet
+ * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
+ signature and hash algorithm is available
+ * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
+ unsupported signature and hash algorithm is configured
+ * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
+ master secret is missing after having been negotiated
+ * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
+ extended master secret when previously not negotiated
+ * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
+ master secret extension (RFC 7627)
+ * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
+ TLS version has been selected
+ * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
+ that a TLS cipher suite has been selected
+ * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
+ preliminary information has been set
+ Notable Changes:
+ * NSS now builds with elliptic curve ciphers enabled by default (bmo#1205688)
+ * NSS now builds with warnings as errors (bmo#1182667)
+ * The following CA certificates were Removed
+ - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+ - CN = UTN-USERFirst-Network Applications
+ - CN = TC TrustCenter Universal CA III
+ - CN = A-Trust-nQual-03
+ - CN = USERTrust Legacy Secure Server CA
+ - Friendly Name: Digital Signature Trust Co. Global CA 1
+ - Friendly Name: Digital Signature Trust Co. Global CA 3
+ - CN = UTN - DATACorp SGC
+ - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. 
(c) Kasım 2005 + * The following CA certificate had the Websites trust bit turned off + - OU = Equifax Secure Certificate Authority + * The following CA certificates were Added + - CN = Certification Authority of WoSign G2 + - CN = CA WoSign ECC Root + - CN = OISTE WISeKey Global Root GB CA +- increased the minimum level of possible mixed installations + (softokn3, freebl3) to 3.21 + ------------------------------------------------------------------- Sat Dec 19 17:13:21 UTC 2015 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 8b0fb44..e20d3af 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -1,8 +1,8 @@ # # spec file for package mozilla-nss # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. -# Copyright (c) 2006-2014 Wolfgang Rosenauer +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2006-2015 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ # -%global nss_softokn_fips_version 3.18 +%global nss_softokn_fips_version 3.21 Name: mozilla-nss BuildRequires: gcc-c++ @@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.10.10 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.20.2 +Version: 3.21 Release: 0 # bug437293 %ifarch ppc64 
@@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_20_2_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.20.2/nss ; cd nss-3.20.2/nss ; hg up NSS_3_20_2_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_21_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.21/nss ; cd nss-3.21/nss ; hg up NSS_3_21_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in @@ -56,6 +56,7 @@ Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch +Patch9: nss-bmo1236011.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -69,7 +70,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %ifnarch %sparc %if ! 0%{?qemu_user_space_build} -%define run_testsuite 1 +# disabled temporarily bmo#1236340 +%define run_testsuite 0 %endif %endif @@ -175,6 +177,7 @@ cd nss %endif %patch7 -p1 %patch8 -p1 +%patch9 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt diff --git a/nss-3.20.2.tar.gz b/nss-3.20.2.tar.gz deleted file mode 100644 index c244347..0000000 --- a/nss-3.20.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:141a3a59d57fbcd00b669bcaa4ccd2fd632a9306e2fb4623e89eed0a2e93f286 -size 6959455 diff --git a/nss-3.21.tar.gz b/nss-3.21.tar.gz new file mode 100644 index 0000000..cd83df0 --- /dev/null +++ b/nss-3.21.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f7a5b027d7cdd5c0e4ff7544da33fdc6f56c2f8c27fff02938fd4a6fbe87239 +size 6978112 
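Review bot: `%define run_testsuite 0` switches the NSS test suite off on every architecture that used to run it, in the same commit that moves to 3.21 and adds `Patch9`, so the packaged crypto library is built without its upstream tests as a gate. The comment names bmo#1236340 but not which test fails, and the new mozilla-nss.changes entry mentions neither the disabled suite nor nss-bmo1236011.patch. I would record both there and make the comment actionable, e.g. `# FIXME: bmo#1236340 - <failing test, placeholder>; set back to 1 once fixed`. If only one test is affected, excluding that test alone (as nss-disable-ocsp-test.patch appears to do for OCSP, judging by its name) would keep the rest of the suite running; the section that consumes `run_testsuite` is outside this hunk.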
diff --git a/nss-bmo1236011.patch b/nss-bmo1236011.patch
new file mode 100644
index 0000000..0bf3ad4
--- /dev/null
+++ b/nss-bmo1236011.patch
@@ -0,0 +1,22 @@
+diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
+--- a/cmd/modutil/install-ds.h
++++ b/cmd/modutil/install-ds.h
+@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
+ int numPlatforms;
+ Pk11Install_PlatformName *forwardCompatible;
+ int numForwardCompatible;
+ };
+
+ Pk11Install_Info*
+ Pk11Install_Info_new();
+ void
+-Pk11Install_Info_init();
++Pk11Install_Info_init(Pk11Install_Info* _this);
+ void
+ Pk11Install_Info_delete(Pk11Install_Info* _this);
+ /*// Returns NULL for success, error message if parse error.*/
+ char*
+ Pk11Install_Info_Generate(Pk11Install_Info* _this,
+ const Pk11Install_ValueList *list);
+ /*// Returns NULL if there is no matching platform*/
+ Pk11Install_Platform*
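Review bot: nss-bmo1236011.patch is added without any header, so the only record of why a crypto library source is being modified is the bug number in the file name. A short preamble above the `diff --git` line would fix that, e.g. `# bmo#1236011: give Pk11Install_Info_init its Pk11Install_Info* parameter in the declaration`, plus a line stating the upstream status (placeholder: `<upstream changeset or "not yet upstream">`). The `diff --git` line also pairs `a/cmd/modutil/install-ds.h` with `b/nss/cmd/modutil/install-ds.h` while the `---`/`+++` lines both use `cmd/...`, which suggests the patch was edited by hand; `%patch9 -p1` presumably only reads the `---`/`+++` paths, but regenerating it from a clean tree would remove the doubt. In the patched header, `Pk11Install_Info_new();` still has an empty parameter list, which in C declares no prototype; `Pk11Install_Info_new(void);` would be the consistent form.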