Commit Graph

405 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
6364ad3ae6 - update to NSS 3.55
Notable changes
  * P384 and P521 elliptic curve implementations are replaced with
    verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
  * PK11_FindCertInSlot is added. With this function, a given slot
    can be queried with a DER-Encoded certificate, providing performance
    and usability improvements over other mechanisms. (bmo#1649633)
  * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
  Relevant Bugfixes
  * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
    P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
  * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
  * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
  * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
    ChaCha20 (which was not functioning correctly) and more strictly
    enforce tag length.
  * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1653202 - Fix initialization bug in blapitest when compiled
    with NSS_DISABLE_DEPRECATED_SEED.
  * bmo#1646594 - Fix AVX2 detection in makefile builds.
  * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
    for a DER-encoded certificate.
  * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
  * bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
  * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
  * bmo#1649226 - Add Wycheproof ECDSA tests.
  * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
  * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=330
2020-08-22 07:01:08 +00:00
Dominique Leuenberger
1ce163d005 Accepting request 823327 from mozilla:Factory
- update to NSS 3.54
  Notable changes
  * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
  * Use ARM Cryptography Extension for SHA256, when available
    (bmo#1528113)
  * The following CA certificates were Added:
    bmo#1645186 - certSIGN Root CA G2.
    bmo#1645174 - e-Szigno Root CA 2017.
    bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
    bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
  * The following CA certificates were Removed:
    bmo#1645199 - AddTrust Class 1 CA Root.
    bmo#1645199 - AddTrust External CA Root.
    bmo#1641718 - LuxTrust Global Root 2.
    bmo#1639987 - Staat der Nederlanden Root CA - G2.
    bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
    bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
    bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
  * A number of certificates had their Email trust bit disabled.
    See bmo#1618402 for a complete list.
  Bugs fixed
  * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
  * bmo#1603042 - Add TLS 1.3 external PSK support.
  * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
  * bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
  * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
  * bmo#1641716 - Add Microsoft's non-EV root certificates.
  * bmo1621151 - Disable email trust bit for "O=Government
                 Root Certification Authority; C=TW" root.
  * bmo#1645199 - Remove AddTrust root certificates.

OBS-URL: https://build.opensuse.org/request/show/823327
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=160
2020-07-30 07:57:44 +00:00
Wolfgang Rosenauer
8581fb64fb - update to NSS 3.54
Notable changes
  * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
  * Use ARM Cryptography Extension for SHA256, when available
    (bmo#1528113)
  * The following CA certificates were Added:
    bmo#1645186 - certSIGN Root CA G2.
    bmo#1645174 - e-Szigno Root CA 2017.
    bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
    bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
  * The following CA certificates were Removed:
    bmo#1645199 - AddTrust Class 1 CA Root.
    bmo#1645199 - AddTrust External CA Root.
    bmo#1641718 - LuxTrust Global Root 2.
    bmo#1639987 - Staat der Nederlanden Root CA - G2.
    bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
    bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
    bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
  * A number of certificates had their Email trust bit disabled.
    See bmo#1618402 for a complete list.
  Bugs fixed
  * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
  * bmo#1603042 - Add TLS 1.3 external PSK support.
  * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
  * bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
  * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
  * bmo#1641716 - Add Microsoft's non-EV root certificates.
  * bmo1621151 - Disable email trust bit for "O=Government
                 Root Certification Authority; C=TW" root.
  * bmo#1645199 - Remove AddTrust root certificates.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=328
2020-07-23 16:12:42 +00:00
Dominique Leuenberger
62b6732e56 Accepting request 817441 from mozilla:Factory
- add FIPS mode patches from SLE stream
  nss-fips-aes-keywrap-post.patch
  nss-fips-approved-crypto-non-ec.patch
  nss-fips-cavs-dsa-fixes.patch
  nss-fips-cavs-general.patch
  nss-fips-cavs-kas-ecc.patch
  nss-fips-cavs-kas-ffc.patch
  nss-fips-cavs-keywrap.patch
  nss-fips-cavs-rsa-fixes.patch
  nss-fips-combined-hash-sign-dsa-ecdsa.patch
  nss-fips-constructor-self-tests.patch
  nss-fips-detect-fips-mode-fixes.patch
  nss-fips-dsa-kat.patch
  nss-fips-gcm-ctr.patch
  nss-fips-pairwise-consistency-check.patch
  nss-fips-rsa-keygen-strictness.patch
  nss-fips-tls-allow-md5-prf.patch
  nss-fips-use-getrandom.patch
  nss-fips-use-strong-random-pool.patch
  nss-fips-zeroization.patch
  nss-fix-dh-pkcs-derive-inverted-logic.patch
- update to NSS 3.53.1
  * required for Firefox 78
  * CVE-2020-12402 - Use constant-time GCD and modular inversion in MPI.
    (bmo#1631597, bsc#1173032)
- Add ppc-old-abi-v3.patch as per upstream bug
  https://bugzilla.mozilla.org/show_bug.cgi?id=1642174
- update to NSS 3.53
  Notable changes
  * SEED is now moved into a new freebl directory freebl/deprecated
    bmo#1636389
  * SEED will be disabled by default in a future release of NSS. At
    that time, users will need to set the compile-time flag
    (bmo#1622033) to disable that deprecation in order to use the
    algorithm.
  * Algorithms marked as deprecated will ultimately be removed
  * Several root certificates in the Mozilla program now set the
    CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers
    can query to further refine trust decisions. (bmo#1618404,
    bmo#1621159). If a builtin certificate has a
    CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or
    NotBefore date of a certificate that builtin issued, then clients
    can elect not to trust it.

OBS-URL: https://build.opensuse.org/request/show/817441
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=159
2020-06-30 19:52:57 +00:00
Wolfgang Rosenauer
194c062b5d - add FIPS mode patches from SLE stream
nss-fips-aes-keywrap-post.patch
  nss-fips-approved-crypto-non-ec.patch
  nss-fips-cavs-dsa-fixes.patch
  nss-fips-cavs-general.patch
  nss-fips-cavs-kas-ecc.patch
  nss-fips-cavs-kas-ffc.patch
  nss-fips-cavs-keywrap.patch
  nss-fips-cavs-rsa-fixes.patch
  nss-fips-combined-hash-sign-dsa-ecdsa.patch
  nss-fips-constructor-self-tests.patch
  nss-fips-detect-fips-mode-fixes.patch
  nss-fips-dsa-kat.patch
  nss-fips-gcm-ctr.patch
  nss-fips-pairwise-consistency-check.patch
  nss-fips-rsa-keygen-strictness.patch
  nss-fips-tls-allow-md5-prf.patch
  nss-fips-use-getrandom.patch
  nss-fips-use-strong-random-pool.patch
  nss-fips-zeroization.patch
  nss-fix-dh-pkcs-derive-inverted-logic.patch

- update to NSS 3.53.1
  * required for Firefox 78
  * CVE-2020-12402 - Use constant-time GCD and modular inversion in MPI.
    (bmo#1631597, bsc#1173032)

- update to NSS 3.53
  Notable changes
  * SEED is now moved into a new freebl directory freebl/deprecated

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=326
2020-06-27 21:18:50 +00:00
Wolfgang Rosenauer
c4ac198bc6 Accepting request 816170 from home:michel_mno:branches:mozilla:Factory
- Add ppc-old-abi-v3.patch as per upstream bug
  https://bugzilla.mozilla.org/show_bug.cgi?id=1642174

OBS-URL: https://build.opensuse.org/request/show/816170
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=325
2020-06-23 05:37:44 +00:00
Dominique Leuenberger
1c02c4f2d6 Accepting request 810949 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/810949
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=158
2020-06-05 18:02:24 +00:00
Wolfgang Rosenauer
51c5e75fe8 Accepting request 810947 from home:AndreasStieger:branches:mozilla:Factory
CVE-2020-12399 boo#1171978

OBS-URL: https://build.opensuse.org/request/show/810947
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=323
2020-06-02 20:01:34 +00:00
Wolfgang Rosenauer
29468ba107 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=322 2020-06-02 10:48:22 +00:00
Wolfgang Rosenauer
c9da1099a1 - removed obsolete nss-kremlin-ppc64le.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=321
2020-05-26 13:56:16 +00:00
Wolfgang Rosenauer
6553d00ceb * CVE-2020-12399 - Force a fixed length for DSA exponentiation
(bmo#1631576)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=320
2020-05-26 09:14:39 +00:00
Wolfgang Rosenauer
e33a5800ee - update to NSS 3.52.1
* required for Firefox 77.0
  Notable changes
  * Update NSS to support PKCS#11 v3.0 (bmo#1603628)
  * Support new PKCS #11 v3.0 Message Interface for AES-GCM and
    ChaChaPoly (bmo#1623374)
  * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*
    (bmo#1612493)
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=319
2020-05-26 09:12:44 +00:00
Dominique Leuenberger
a00e1cb470 Accepting request 799040 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/799040
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=157
2020-05-02 20:14:59 +00:00
Wolfgang Rosenauer
f615b8c01b Accepting request 798944 from home:marxin:branches:mozilla:Factory
- Set NSS_ENABLE_WERROR=0 in order to fix boo#1169746.

OBS-URL: https://build.opensuse.org/request/show/798944
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=317
2020-04-29 21:43:25 +00:00
Dominique Leuenberger
ea7949cb9d Accepting request 793077 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/793077
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=156
2020-04-15 17:52:12 +00:00
Wolfgang Rosenauer
6ea59419f5 Accepting request 793073 from home:AndreasStieger:branches:mozilla:Factory
NSS 3.51.1

OBS-URL: https://build.opensuse.org/request/show/793073
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=315
2020-04-11 10:30:25 +00:00
Dominique Leuenberger
0c74453c3f Accepting request 790238 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/790238
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=155
2020-04-04 10:05:24 +00:00
Wolfgang Rosenauer
507c7ec45b Accepting request 790234 from home:michel_mno:branches:mozilla:Factory
- Update previous patch nss-kremlin-ppc64le.patch
  slightly modified to support also ppc64 (BE) versus initial
  https://github.com/FStarLang/kremlin/issues/166

OBS-URL: https://build.opensuse.org/request/show/790234
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=313
2020-03-31 15:31:21 +00:00
Wolfgang Rosenauer
5c3b101fcb Accepting request 790066 from home:MSirringhaus:branches:mozilla:Factory
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds

OBS-URL: https://build.opensuse.org/request/show/790066
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=312
2020-03-31 14:28:37 +00:00
Wolfgang Rosenauer
ab72679b5e - update to NSS 3.51
* Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and
    CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
  * Fix a compilation error for ‘getFIPSEnv’ "defined but not used"
    (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension
    to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
    to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs:
    'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
    (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless
    NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval'
    (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using
    AES-NI intrinsics (bmo#1610687)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=311
2020-03-30 13:40:12 +00:00
Dominique Leuenberger
9b381f8d16 Accepting request 783555 from mozilla:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/783555
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=154
2020-03-14 08:54:00 +00:00
Wolfgang Rosenauer
1816e8360d OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=309 2020-03-03 21:25:27 +00:00
Wolfgang Rosenauer
14bbc2e047 - update to NSS 3.50
* Verified primitives from HACL* were updated, bringing performance
    improvements for several platforms.
    Note that Intel processors with SSE4 but without AVX are currently
    unable to use the improved ChaCha20/Poly1305 due to a build issue;
    such platforms will fall-back to less optimized algorithms.
    See bmo#1609569 for details
  * Updated DTLS 1.3 implementation to Draft-30.
    See bmo#1599514 for details.
  * Added NIST SP800-108 KBKDF - PKCS#11 implementation.
    See bmo#1599603 for details.
  * Several bugfixes and minor changes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=308
2020-03-03 21:21:24 +00:00
Dominique Leuenberger
deaa59ba87 Accepting request 780186 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/780186
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=153
2020-02-29 20:20:04 +00:00
Wolfgang Rosenauer
b1721753f1 Accepting request 779969 from home:fstrba:branches:mozilla:Factory
Package missing header

OBS-URL: https://build.opensuse.org/request/show/779969
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=306
2020-02-28 09:07:15 +00:00
Wolfgang Rosenauer
478511aedc Accepting request 779080 from home:Guillaume_G:branches:openSUSE:Factory:ARM
- Disable LTO on %arm as LTO fails on neon errors

OBS-URL: https://build.opensuse.org/request/show/779080
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=305
2020-02-25 13:41:19 +00:00
Oliver Kurz
75fb6f4946 Accepting request 772451 from mozilla:Factory
Update in preparation for Firefox 73
- update to NSS 3.49.2
  Fixed bugs:
  * Fix compilation problems with NEON-specific code in freebl
    (bmo#1608327)
  * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)
- update to NSS 3.49.1
  3.49.1
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
  * Cache the most recent PBKDF2 password hash, to speed up repeated
    SDR operations, important with the increased KDF iteration counts (bmo#1606992)
  3.49
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
  * The legacy DBM database, libnssdbm, is no longer built by default
    when using gyp builds (bmo#1594933)
  * several bugfixes

OBS-URL: https://build.opensuse.org/request/show/772451
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=152
2020-02-14 15:27:50 +00:00
Wolfgang Rosenauer
2e89924539 - update to NSS 3.49.2
Fixed bugs:
  * Fix compilation problems with NEON-specific code in freebl
    (bmo#1608327)
  * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)

- update to NSS 3.49.1
  3.49.1
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
  * Cache the most recent PBKDF2 password hash, to speed up repeated
    SDR operations, important with the increased KDF iteration counts (bmo#1606992)
  3.49
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
  * The legacy DBM database, libnssdbm, is no longer built by default
    when using gyp builds (bmo#1594933)
  * several bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=303
2020-02-08 16:32:51 +00:00
Dominique Leuenberger
93fc73f5eb Accepting request 761944 from mozilla:Factory
- update to NSS 3.48
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes
  Notable Changes
  * TLS 1.3 is the default maximum TLS version (bmo#1573118)
  * TLS extended master secret is enabled by default, where possible
    (bmo#1575411)
  * The master password PBE now uses 10,000 iterations by default when
    using the default sql (key4.db) storage (bmo#1562671)
  Certificate Authority Changes
  * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178)
  Bugfixes
- requires NSPR 4.24

  * CVE-2019-17006 Add length checks for cryptographic primitives
    (bmo#1539788)

OBS-URL: https://build.opensuse.org/request/show/761944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=151
2020-01-11 13:37:50 +00:00
Wolfgang Rosenauer
715468ec8f - update to NSS 3.48
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes
  Notable Changes
  * TLS 1.3 is the default maximum TLS version (bmo#1573118)
  * TLS extended master secret is enabled by default, where possible
    (bmo#1575411)
  * The master password PBE now uses 10,000 iterations by default when
    using the default sql (key4.db) storage (bmo#1562671)
  Certificate Authority Changes
  * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178)
  Bugfixes
- requires NSPR 4.24
  * CVE-2019-17006 Add length checks for cryptographic primitives
    (bmo#1539788)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=301
2020-01-07 08:45:34 +00:00
Dominique Leuenberger
6ffb12d365 Accepting request 754368 from mozilla:Factory
changelog addition

OBS-URL: https://build.opensuse.org/request/show/754368
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=150
2019-12-11 11:01:08 +00:00
Wolfgang Rosenauer
c25abe1d62 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=299 2019-12-05 12:38:05 +00:00
Wolfgang Rosenauer
0f7b852964 Accepting request 754355 from home:AndreasStieger:branches:mozilla:Factory
Add boo#1158527 for CVE-2019-11745

OBS-URL: https://build.opensuse.org/request/show/754355
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=298
2019-12-05 12:37:31 +00:00
Dominique Leuenberger
15aca89c40 Accepting request 750687 from mozilla:Factory
- update to NSS 3.47.1
  * CVE-2019-11745 - EncryptUpdate should use maxout, not block size
  * Fix a crash that could be caused by client certificates during startup
    (bmo#1590495)
  * Fix compile-time warnings from uninitialized variables in a perl script
    (bmo#1589810)

- update to NSS 3.47
  * required by Firefox 71.0
  Notable changes
  * Support AES HW acceleration on ARMv8 (bmo#1152625)
  * Allow per-socket run-time ordering of the cipher suites presented
    in ClientHello (bmo#1267894)
  * Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
  Bugfixes
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes
  - requires NSPR 4.23

OBS-URL: https://build.opensuse.org/request/show/750687
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=149
2019-12-02 10:29:10 +00:00
Wolfgang Rosenauer
52a07131b8 - update to NSS 3.47.1
* CVE-2019-11745 - EncryptUpdate should use maxout, not block size
  * Fix a crash that could be caused by client certificates during startup
    (bmo#1590495)
  * Fix compile-time warnings from uninitialized variables in a perl script
    (bmo#1589810)
  Notable changes
  * Support AES HW acceleration on ARMv8 (bmo#1152625)
  * Allow per-socket run-time ordering of the cipher suites presented
    in ClientHello (bmo#1267894)
  * Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501)
  Bugfixes
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.47_release_notes
  - requires NSPR 4.23

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=296
2019-11-24 07:38:02 +00:00
Wolfgang Rosenauer
d2868a861e - update to NSS 3.47
* required by Firefox 71.0
  * no upstream release notes available (yet)
- requires NSPR 4.23

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=295
2019-11-17 06:35:18 +00:00
Dominique Leuenberger
e1514e2df5 Accepting request 742855 from mozilla:Factory
- update to NSS 3.46.1
  * required by Firefox 70.0
  Notable changes in 3.46
  * The following CA certificates were Removed:
    expired Class 2 Primary root certificate
    expired UTN-USERFirst-Client root certificate
    expired Deutsche Telekom Root CA 2 root certificate
    Swisscom Root CA 2 root certificate
  * Significant improvements to AES-GCM performance on ARM
  Many bugfixes
  Bug fixes in 3.46.1
  * Soft token MAC verification not constant time (bmo#1582343)
  * Remove arbitrary HKDF output limit by allocating space as needed
    (bmo#1577953)
- requires NSPR 4.22

OBS-URL: https://build.opensuse.org/request/show/742855
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=148
2019-11-04 16:01:15 +00:00
Wolfgang Rosenauer
62605b96c6 - update to NSS 3.46.1
* required by Firefox 70.0
  Notable changes in 3.46
  * The following CA certificates were Removed:
    expired Class 2 Primary root certificate
    expired UTN-USERFirst-Client root certificate
    expired Deutsche Telekom Root CA 2 root certificate
    Swisscom Root CA 2 root certificate
  * Significant improvements to AES-GCM performance on ARM
  Many bugfixes
  Bug fixes in 3.46.1
  * Soft token MAC verification not constant time (bmo#1582343)
  * Remove arbitrary HKDF output limit by allocating space as needed
    (bmo#1577953)
- requires NSPR 4.22

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=293
2019-10-18 20:55:17 +00:00
Dominique Leuenberger
d16200034f Accepting request 733663 from mozilla:Factory
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/733663
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=147
2019-10-02 09:56:05 +00:00
Wolfgang Rosenauer
dc9396e654 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=291 2019-09-20 10:14:35 +00:00
Dominique Leuenberger
c3513b6180 Accepting request 720828 from mozilla:Factory
- update to NSS 3.45 (bsc#1141322)
  * required by Firefox 69.0
  New functions
  * PK11_FindRawCertsWithSubject - Finds all certificates on the
    given slot with the given subject distinguished name and returns
    them as DER bytes. If no such certificates can be found, returns
    SECSuccess and sets *results to NULL. If a failure is encountered
    while fetching any of the matching certificates, SECFailure is
    returned and *results will be NULL.
  Notable changes
  * bmo#1540403 - Implement Delegated Credentials
  * bmo#1550579 - Replace ARM32 Curve25519 implementation with one
    from fiat-crypto
  * bmo#1551129 - Support static linking on Windows
  * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for
    finding certificates with a given subject on a given slot
  * bmo#1546229 - Add IPSEC IKE support to softoken
  * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
  * bmo#1543874 - Expose an external clock for SSL
  * bmo#1546477 - Various changes in response to the ongoing FIPS review
  Certificate Authority Changes
  * The following CA certificates were Removed:
    bmo#1552374 - CN = Certinomis - Root CA
  Bugs fixed
  * bmo#1540541 - Don't unnecessarily strip leading 0's from key material
    during PKCS11 import (CVE-2019-11719)
  * bmo#1515342 - More thorough input checking (CVE-2019-11729)
  * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in
    TLS 1.3 (CVE-2019-11727)
  * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed

OBS-URL: https://build.opensuse.org/request/show/720828
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=146
2019-09-05 10:07:05 +00:00
Wolfgang Rosenauer
da65ab3299 - Require exact version libsoftokn3/libfreebl3 as there seems to
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=289
2019-08-30 07:14:36 +00:00
Wolfgang Rosenauer
2af2e412d2 Accepting request 726875 from home:pluskalm:branches:mozilla:Factory
- Requiere exact version libsoftokn3/libfreebl3 as there seems to
  be rather tight dependency - bsc#1138384 bsc#1135478
- Small packaging cleanup

OBS-URL: https://build.opensuse.org/request/show/726875
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=288
2019-08-30 06:37:13 +00:00
Wolfgang Rosenauer
78519384c7 - update to NSS 3.45 (bsc#1141322)
* required by Firefox 69.0
  New functions
  * PK11_FindRawCertsWithSubject - Finds all certificates on the
    given slot with the given subject distinguished name and returns
    them as DER bytes. If no such certificates can be found, returns
    SECSuccess and sets *results to NULL. If a failure is encountered
    while fetching any of the matching certificates, SECFailure is
    returned and *results will be NULL.
  Notable changes
  * bmo#1540403 - Implement Delegated Credentials
  * bmo#1550579 - Replace ARM32 Curve25519 implementation with one
    from fiat-crypto
  * bmo#1551129 - Support static linking on Windows
  * bmo#1552262 - Expose a function PK11_FindRawCertsWithSubject for
    finding certificates with a given subject on a given slot
  * bmo#1546229 - Add IPSEC IKE support to softoken
  * bmo#1554616 - Add support for the Elbrus lcc compiler (<=1.23)
  * bmo#1543874 - Expose an external clock for SSL
  * bmo#1546477 - Various changes in response to the ongoing FIPS review
  Certificate Authority Changes
  * The following CA certificates were Removed:
    bmo#1552374 - CN = Certinomis - Root CA
  Bugs fixed
  * bmo#1540541 - Don't unnecessarily strip leading 0's from key material
    during PKCS11 import (CVE-2019-11719)
  * bmo#1515342 - More thorough input checking (CVE-2019-11729)
  * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in
    TLS 1.3 (CVE-2019-11727)
  * bmo#1227090 - Fix a potential divide-by-zero in makePfromQandSeed

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=287
2019-08-03 21:32:27 +00:00
Wolfgang Rosenauer
0c5b621204 - split hmac subpackages to match SLE's packaging
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=286
2019-08-03 08:03:51 +00:00
Dominique Leuenberger
c02833f6f9 Accepting request 713969 from mozilla:Factory
- update to NSS 3.44.1
  * required by Firefox 68.0
  Bugs fixed
  * bmo#1554336 - Optimize away unneeded loop in mpi.c
  * bmo#1515342 - More thorough input checking
  * bmo#1540541 - Don't unnecessarily strip leading 0's from key material
                  during PKCS11 import
  * bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
  * bmo#1546229 - Add IPSEC IKE support to softoken
  * bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
  * bmo#1546477 - Updates to testing for FIPS validation
  * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
  * bmo#1551041 - Unbreak build on GCC < 4.3 big-endian

- update to NSS 3.44
  * required by Firefox 68.0
  New functions
  * CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate
  Notable changes
  * It is now possible to build NSS as a static library (bmo#1543545)
  * Initial support for building for iOS
  Bugs fixed
  * full list
    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes
- merge some baselibs fixes from SLE

OBS-URL: https://build.opensuse.org/request/show/713969
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=145
2019-07-22 10:16:01 +00:00
Wolfgang Rosenauer
a83d017926 Accepting request 717448 from home:marxin:branches:mozilla:Factory
- Use -ffat-lto-objects in order to provide assembly for static libs.

OBS-URL: https://build.opensuse.org/request/show/717448
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=284
2019-07-22 07:16:21 +00:00
Wolfgang Rosenauer
f1ad8afe76 - update to NSS 3.44.1
* required by Firefox 68.0
  Bugs fixed
  * bmo#1554336 - Optimize away unneeded loop in mpi.c
  * bmo#1515342 - More thorough input checking
  * bmo#1540541 - Don't unnecessarily strip leading 0's from key material
                  during PKCS11 import
  * bmo#1515236 - Add a SSLKEYLOGFILE enable/disable flag at build.sh
  * bmo#1546229 - Add IPSEC IKE support to softoken
  * bmo#1473806 - Fix SECKEY_ConvertToPublicKey handling of non-RSA keys
  * bmo#1546477 - Updates to testing for FIPS validation
  * bmo#1552208 - Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3
  * bmo#1551041 - Unbreak build on GCC < 4.3 big-endian

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=283
2019-07-08 07:31:28 +00:00
Wolfgang Rosenauer
0945bd4d97 - update to NSS 3.44
* required by Firefox 68.0
  New functions
  * CERT_GetCertificateDer - Access the DER-encoded form of a CERTCertificate
  Notable changes
  * It is now possible to build NSS as a static library (bmo#1543545)
  * Initial support for building for iOS
  Bugs fixed
  * full list
    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.44_release_notes
- merge some baselibs fixes from SLE

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=282
2019-06-12 21:59:32 +00:00
Dominique Leuenberger
55ad12fb68 Accepting request 702840 from mozilla:Factory
- update to NSS 3.43
  * required by Firefox 67.0
  New functions
  * HASH_GetHashOidTagByHashType - convert type HASH_HashType to type SECOidTag
  * SSL_SendCertificateRequest - allow server to request post-handshake
    client authentication. To use this both peers need to enable the
    SSL_ENABLE_POST_HANDSHAKE_AUTH option. Note that while the mechanism
    is present, post-handshake authentication is currently not TLS 1.3
    compliant due to bug 1532312
  Notable changes
  * The following CA certificates were Added:
    - emSign Root CA - G1
    - emSign ECC Root CA - G3
    - emSign Root CA - C1
    - emSign ECC Root CA - C3
    - Hongkong Post Root CA 3
  Bugs fixed
  * Improve Gyp build system handling (bmo#1528669, bmo#1529308)
  * Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174)
  * If Docker isn't installed, try running a local clang-format as a
    fallback (bmo#1530134)
  * Enable FIPS mode automatically if the system FIPS mode flag is set
    (bmo#1531267)
  * Add a -J option to the strsclnt command to specify sigschemes
    (bmo#1528262)
  * Add manual for nss-policy-check (bmo#1513909)
  * Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074)
  * Properly handle ESNI with HRR (bmo#1517714)
  * Expose HKDF-Expand-Label with mechanism (bmo#1529813)
  * Align TLS 1.3 HKDF trace levels (bmo#1535122)

OBS-URL: https://build.opensuse.org/request/show/702840
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=144
2019-05-17 21:37:55 +00:00