From a83d017926c5d58082902632e41453e317277ffd1c07da1a1f5a731732ab7487 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Mon, 22 Jul 2019 07:16:21 +0000 Subject: [PATCH 1/3] Accepting request 717448 from home:marxin:branches:mozilla:Factory - Use -ffat-lto-objects in order to provide assembly for static libs. OBS-URL: https://build.opensuse.org/request/show/717448 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=284 --- mozilla-nss.changes | 5 +++++ mozilla-nss.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 7b8fbfc..808e9fa 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Mon Jul 22 07:13:42 UTC 2019 - Martin Liška + +- Use -ffat-lto-objects in order to provide assembly for static libs. + ------------------------------------------------------------------- Mon Jul 8 07:14:57 UTC 2019 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index b98c8c7..d4a897c 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -184,6 +184,7 @@ cd nss #make generate %build +%global _lto_cflags %{_lto_cflags} -ffat-lto-objects cd nss modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{S:99}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" From 0c5b62120425e7746c759e84c6a61f8638ee6c2f4ed2a73b20fc02047c10799d Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Sat, 3 Aug 2019 08:03:51 +0000 Subject: [PATCH 2/3] - split hmac subpackages to match SLE's packaging OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=286 --- baselibs.conf | 2 ++ mozilla-nss.changes | 5 +++++ mozilla-nss.spec | 36 +++++++++++++++++++++++++++++++----- 3 files changed, 38 insertions(+), 5 deletions(-) diff --git a/baselibs.conf b/baselibs.conf index c5f3914..63dcb8f 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -5,9 +5,11 @@ mozilla-nss requires "mozilla-nss-certs-" libsoftokn3 requires "libfreebl3- = " +libsoftokn3-hmac +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 +libfreebl3-hmac +/lib/libfreebl3.chk +/lib/libfreeblpriv3.chk mozilla-nss-sysinit diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 808e9fa..334c1fe 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Aug 2 14:43:24 UTC 2019 - Wolfgang Rosenauer + +- split hmac subpackages to match SLE's packaging + ------------------------------------------------------------------- Mon Jul 22 07:13:42 UTC 2019 - Martin Liška diff --git a/mozilla-nss.spec b/mozilla-nss.spec index d4a897c..0d0d292 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -2,7 +2,7 @@ # spec file for package mozilla-nss # # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. -# Copyright (c) 2006-2018 Wolfgang Rosenauer +# Copyright (c) 2006-2019 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -129,7 +129,7 @@ any system or user configured modules. %package -n libfreebl3 Summary: Freebl library for the Network Security Services Group: System/Libraries -Provides: libfreebl3-hmac +Recommends: libfreebl3-hmac = %{version}-%{release} %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to @@ -141,11 +141,21 @@ certificates, and other security standards. This package installs the freebl library from NSS. +%package -n libfreebl3-hmac +Summary: Freebl library checksums for the Network Security Services +Group: System/Libraries +Requires: libfreebl3 = %{version}-%{release} + +%description -n libfreebl3-hmac +Checksums for libraries contained in the libfreebl3 package +used in the FIPS 140-2 mode. + + %package -n libsoftokn3 Summary: Network Security Services Softoken Module Group: System/Libraries Requires: libfreebl3 = %{version}-%{release} -Provides: libsoftokn3-hmac +Recommends: libsoftokn3-hmac = %{version}-%{release} %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to @@ -157,6 +167,16 @@ certificates, and other security standards. Network Security Services Softoken Cryptographic Module +%package -n libsoftokn3-hmac +Summary: Network Security Services Softoken Module checksums +Group: System/Libraries +Requires: libsoftokn3 = %{version}-%{release} + +%description -n libsoftokn3-hmac +Checksums for libraries contained in the libsoftokn3 package +used in the FIPS 140-2 mode. + + %package certs Summary: CA certificates for NSS Group: Productivity/Networking/Security @@ -390,15 +410,21 @@ fi %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so -/%{_lib}/libfreebl3.chk /%{_lib}/libfreeblpriv3.so + +%files -n libfreebl3-hmac +%defattr(-, root, root) +/%{_lib}/libfreebl3.chk /%{_lib}/libfreeblpriv3.chk %files -n libsoftokn3 %defattr(-, root, root) %{_libdir}/libsoftokn3.so -%{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.so + +%files -n libsoftokn3-hmac +%defattr(-, root, root) +%{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.chk %files certs From 78519384c79485dccb4237975f37cf1bee45f079f073cf2cbb3d69902a7b0392 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Sat, 3 Aug 2019 21:32:27 +0000 Subject: [PATCH 3/3] - update to NSS 3.45 (bsc#1141322) * required by Firefox 69.0 New functions * PK11_FindRawCertsWithSubject - Finds all certificates on the given slot with the given subject distinguished name and returns them as DER bytes. If no such certificates can be found, returns SECSuccess and sets *results to NULL. If a failure is encountered while fetching any of the matching certificates, SECFailure is returned and *results will be NULL. Notable changes * bmo#1540403 - Implement Delegated Credentials * bmo#1550579 - Replace ARM32 Curve25519 implementation with one from fiat-crypto * bmo#1551129 - Support static linking on Windows * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for finding certificates with a given subject on a given slot * bmo#1546229 - Add IPSEC IKE support to softoken * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23) * bmo#1543874 - Expose an external clock for SSL * bmo#1546477 - Various changes in response to the ongoing FIPS review Certificate Authority Changes * The following CA certificates were Removed: bmo#1552374 - CN = Certinomis - Root CA Bugs fixed * bmo#1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import (CVE-2019-11719) * bmo#1515342 - More thorough input checking (CVE-2019-11729) * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 (CVE-2019-11727) * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=287 --- mozilla-nss.changes | 63 +++++++++++++++++++++++++++++++++++++++++++++ mozilla-nss.spec | 6 ++--- nss-3.44.1.tar.gz | 3 --- nss-3.45.tar.gz | 3 +++ 4 files changed, 69 insertions(+), 6 deletions(-) delete mode 100644 nss-3.44.1.tar.gz create mode 100644 nss-3.45.tar.gz diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 334c1fe..8772143 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,66 @@ +------------------------------------------------------------------- +Sat Aug 3 21:12:12 UTC 2019 - Wolfgang Rosenauer + +- update to NSS 3.45 (bsc#1141322) + * required by Firefox 69.0 + New functions + * PK11_FindRawCertsWithSubject - Finds all certificates on the + given slot with the given subject distinguished name and returns + them as DER bytes. If no such certificates can be found, returns + SECSuccess and sets *results to NULL. If a failure is encountered + while fetching any of the matching certificates, SECFailure is + returned and *results will be NULL. + Notable changes + * bmo#1540403 - Implement Delegated Credentials + * bmo#1550579 - Replace ARM32 Curve25519 implementation with one + from fiat-crypto + * bmo#1551129 - Support static linking on Windows + * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for + finding certificates with a given subject on a given slot + * bmo#1546229 - Add IPSEC IKE support to softoken + * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23) + * bmo#1543874 - Expose an external clock for SSL + * bmo#1546477 - Various changes in response to the ongoing FIPS review + Certificate Authority Changes + * The following CA certificates were Removed: + bmo#1552374 - CN = Certinomis - Root CA + Bugs fixed + * bmo#1540541 - Don't unnecessarily strip leading 0's from key material + during PKCS11 import (CVE-2019-11719) + * bmo#1515342 - More thorough input checking (CVE-2019-11729) + * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in + TLS 1.3 (CVE-2019-11727) + * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed + from lib/freebl/pqg.c (static analysis) + * bmo#1227096 - Fix a potential divide-by-zero in PQG_VerifyParams + from lib/freebl/pqg.c (static analysis) + * bmo#1509432 - De-duplicate code between mp_set_long and mp_set_ulong + * bmo#1515011 - Fix a mistake with ChaCha20-Poly1305 test code where + tags could be faked. Only relevant for clients that might have copied + the unit test code verbatim + * bmo#1550022 - Ensure nssutil3 gets built on Android + * bmo#1528174 - ChaCha20Poly1305 should no longer modify output + length on failure + * bmo#1549382 - Don't leak in PKCS#11 modules if C_GetSlotInfo() + returns error + * bmo#1551041 - Fix builds using GCC < 4.3 on big-endian architectures + * bmo#1554659 - Add versioning to OpenBSD builds to fix link time + errors using NSS + * bmo#1553443 - Send session ticket only after handshake is marked + as finished + * bmo#1550708 - Fix gyp scripts on Solaris SPARC so that libfreebl_64fpu_3.so + builds + * bmo#1554336 - Optimize away unneeded loop in mpi.c + * bmo#1559906 - fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor + specific mechanism + * bmo#1558126 - TLS_AES_256_GCM_SHA384 should be marked as FIPS compatible + * bmo#1555207 - HelloRetryRequestCallback return code for rejecting 0-RTT + * bmo#1556591 - Eliminate races in uses of PK11_SetWrapKey + * bmo#1558681 - Stop using a global for anti-replay of TLS 1.3 early data + * bmo#1561510 - Fix a bug where removing -arch XXX args from CC didn't work + * bmo#1561523 - Add a string for the new-ish error + SSL_ERROR_MISSING_POST_HANDSHAKE_AUTH_EXTENSION + ------------------------------------------------------------------- Fri Aug 2 14:43:24 UTC 2019 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 0d0d292..1c21cdd 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,7 +17,7 @@ # -%global nss_softokn_fips_version 3.36 +%global nss_softokn_fips_version 3.45 %define NSPR_min_version 4.21 Name: mozilla-nss @@ -26,9 +26,9 @@ BuildRequires: mozilla-nspr-devel >= %{NSPR_min_version} BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.44.1 +Version: 3.45 Release: 0 -%define underscore_version 3_44_1 +%define underscore_version 3_45 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit diff --git a/nss-3.44.1.tar.gz b/nss-3.44.1.tar.gz deleted file mode 100644 index c02d305..0000000 --- a/nss-3.44.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fce4cb80c989cde35416ecbe55920856015a35151c4f21be64470e4dd4de12f8 -size 75986343 diff --git a/nss-3.45.tar.gz b/nss-3.45.tar.gz new file mode 100644 index 0000000..dd9bf1c --- /dev/null +++ b/nss-3.45.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:112f05223d1fde902c170966bfc6f011b24a838be16969b110ecf2bb7bc24e8b +size 76017462