Accepting request 720828 from mozilla:Factory

- update to NSS 3.45 (bsc#1141322) * required by Firefox 69.0 New functions * PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable changes * bmo#1540403 - Implement Delegated Credentials * bmo#1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto * bmo#1551129 - Support static linking on Windows * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23) * bmo#1543874 - Expose an external clock for SSL * bmo#1546477 - Various changes in response to the ongoing FIPS review Certificate Authority Changes * The following CA certificates were Removed: bmo#1552374 - CN = Certinomis - Root CA Bugs fixed * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) * bmo#1515342 - More thorough input checking (CVE-2019-11729) * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed OBS-URL: https://build.opensuse.org/request/show/720828 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=146
2019-09-05 10:07:05 +00:00 · 2019-09-05 10:07:05 +00:00 · c3513b6180
commit c3513b6180
parent c02833f6f9 78519384c7
5 changed files with 113 additions and 11 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@ -5,9 +5,11 @@ mozilla-nss
  requires "mozilla-nss-certs-<targettype>"
 libsoftokn3
  requires "libfreebl3-<targettype> = <version>"
+libsoftokn3-hmac
  +/usr/lib/libsoftokn3.chk
  +/usr/lib/libnssdbm3.chk
 libfreebl3
+libfreebl3-hmac
  +/lib/libfreebl3.chk
  +/lib/libfreeblpriv3.chk
 mozilla-nss-sysinit
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Sat Aug  3 21:12:12 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.45 (bsc#1141322)
+  * required by Firefox 69.0
+  New functions
+  * PK11_FindRawCertsWithSubject - Finds all certificates on the
+    given slot with the given subject distinguished name and returns
+    them as DER bytes. If no such certificates can be found, returns
+    SECSuccess and sets *results to NULL. If a failure is encountered
+    while fetching any of the matching certificates, SECFailure is
+    returned and *results will be NULL.
+  Notable changes
+  * bmo#1540403 - Implement Delegated Credentials
+  * bmo#1550579 - Replace ARM32 Curve25519 implementation with one
+    from fiat-crypto
+  * bmo#1551129 - Support static linking on Windows
+  * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for
+    finding certificates with a given subject on a given slot
+  * bmo#1546229 - Add IPSEC IKE support to softoken
+  * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
+  * bmo#1543874 - Expose an external clock for SSL
+  * bmo#1546477 - Various changes in response to the ongoing FIPS review
+  Certificate Authority Changes
+  * The following CA certificates were Removed:
+    bmo#1552374 - CN = Certinomis - Root CA
+  Bugs fixed
+  * bmo#1540541 - Don't unnecessarily strip leading 0's from key material
+    during PKCS11 import (CVE-2019-11719)
+  * bmo#1515342 - More thorough input checking (CVE-2019-11729)
+  * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in
+    TLS 1.3 (CVE-2019-11727)
+  * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed
+    from lib/freebl/pqg.c (static analysis)
+  * bmo#1227096 - Fix a potential divide-by-zero in PQG_VerifyParams
+    from lib/freebl/pqg.c  (static analysis)
+  * bmo#1509432 - De-duplicate code between mp_set_long and mp_set_ulong
+  * bmo#1515011 - Fix a mistake with ChaCha20-Poly1305 test code where
+    tags could be faked. Only relevant for clients that might have copied
+    the unit test code verbatim
+  * bmo#1550022 - Ensure nssutil3 gets built on Android
+  * bmo#1528174 - ChaCha20Poly1305 should no longer modify output
+    length on failure
+  * bmo#1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo()
+    returns error
+  * bmo#1551041 - Fix builds using GCC < 4.3 on big-endian architectures
+  * bmo#1554659 - Add versioning to OpenBSD builds to fix link time
+    errors using NSS
+  * bmo#1553443 - Send session ticket only after handshake is marked
+    as finished
+  * bmo#1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so
+    builds
+  * bmo#1554336 - Optimize away unneeded loop in mpi.c
+  * bmo#1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor
+    specific mechanism
+  * bmo#1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible
+  * bmo#1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT
+  * bmo#1556591 - Eliminate races in uses of PK11_SetWrapKey
+  * bmo#1558681 - Stop using a global for anti-replay of TLS 1.3 early data
+  * bmo#1561510 - Fix a bug where removing -arch XXX args from CC didn't work
+  * bmo#1561523 - Add a string for the new-ish error
+    SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION
+
+-------------------------------------------------------------------
+Fri Aug  2 14:43:24 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- split hmac subpackages to match SLE's packaging
+
+-------------------------------------------------------------------
+Mon Jul 22 07:13:42 UTC 2019 - Martin Liška <mliska@suse.cz>
+
+- Use -ffat-lto-objects in order to provide assembly for static libs.
+
 -------------------------------------------------------------------
 Mon Jul  8 07:14:57 UTC 2019 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -2,7 +2,7 @@
 # spec file for package mozilla-nss
 #
 # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
-# Copyright (c) 2006-2018 Wolfgang Rosenauer
+# Copyright (c) 2006-2019 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
 #


-%global nss_softokn_fips_version 3.36
+%global nss_softokn_fips_version 3.45
 %define NSPR_min_version 4.21

 Name:           mozilla-nss
@ -26,9 +26,9 @@ BuildRequires:  mozilla-nspr-devel >= %{NSPR_min_version}
 BuildRequires:  pkg-config
 BuildRequires:  sqlite-devel
 BuildRequires:  zlib-devel
-Version:        3.44.1
+Version:        3.45
 Release:        0
-%define underscore_version 3_44_1
+%define underscore_version 3_45
 # bug437293
 %ifarch ppc64
 Obsoletes:      mozilla-nss-64bit
@ -129,7 +129,7 @@ any system or user configured modules.
 %package -n libfreebl3
 Summary:        Freebl library for the Network Security Services
 Group:          System/Libraries
-Provides:       libfreebl3-hmac
+Recommends:     libfreebl3-hmac = %{version}-%{release}

 %description -n libfreebl3
 Network Security Services (NSS) is a set of libraries designed to
@ -141,11 +141,21 @@ certificates, and other security standards.
 This package installs the freebl library from NSS.


+%package -n libfreebl3-hmac
+Summary:        Freebl library checksums for the Network Security Services
+Group:          System/Libraries
+Requires:       libfreebl3 = %{version}-%{release}
+
+%description -n libfreebl3-hmac
+Checksums for libraries contained in the libfreebl3 package
+used in the FIPS 140-2 mode.
+
+
 %package -n libsoftokn3
 Summary:        Network Security Services Softoken Module
 Group:          System/Libraries
 Requires:       libfreebl3 = %{version}-%{release}
-Provides:       libsoftokn3-hmac
+Recommends:     libsoftokn3-hmac = %{version}-%{release}

 %description -n libsoftokn3
 Network Security Services (NSS) is a set of libraries designed to
@ -157,6 +167,16 @@ certificates, and other security standards.
 Network Security Services Softoken Cryptographic Module


+%package -n libsoftokn3-hmac
+Summary:        Network Security Services Softoken Module checksums
+Group:          System/Libraries
+Requires:       libsoftokn3 = %{version}-%{release}
+
+%description -n libsoftokn3-hmac
+Checksums for libraries contained in the libsoftokn3 package
+used in the FIPS 140-2 mode.
+
+
 %package certs
 Summary:        CA certificates for NSS
 Group:          Productivity/Networking/Security
@ -184,6 +204,7 @@ cd nss
 #make generate

 %build
+%global _lto_cflags %{_lto_cflags} -ffat-lto-objects
 cd nss
 modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{S:99}")"
 DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
@ -389,15 +410,21 @@ fi
 %files -n libfreebl3
 %defattr(-, root, root)
 /%{_lib}/libfreebl3.so
-/%{_lib}/libfreebl3.chk
 /%{_lib}/libfreeblpriv3.so
+
+%files -n libfreebl3-hmac
+%defattr(-, root, root)
+/%{_lib}/libfreebl3.chk
 /%{_lib}/libfreeblpriv3.chk

 %files -n libsoftokn3
 %defattr(-, root, root)
 %{_libdir}/libsoftokn3.so
-%{_libdir}/libsoftokn3.chk
 %{_libdir}/libnssdbm3.so
+
+%files -n libsoftokn3-hmac
+%defattr(-, root, root)
+%{_libdir}/libsoftokn3.chk
 %{_libdir}/libnssdbm3.chk

 %files certs
--- a/nss-3.44.1.tar.gz
+++ b/nss-3.44.1.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fce4cb80c989cde35416ecbe55920856015a35151c4f21be64470e4dd4de12f8
-size 75986343
--- a/nss-3.45.tar.gz
+++ b/nss-3.45.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:112f05223d1fde902c170966bfc6f011b24a838be16969b110ecf2bb7bc24e8b
+size 76017462