Commit Graph

237 Commits

Author SHA256 Message Date
Wolfgang Rosenauer
8ce8182c65 - update to NSS 3.78.1
* bmo#1767590 - Initialize pointers passed to
                  NSS_CMSDigestContext_FinishMultiple

- update to NSS 3.78
  * bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and
                  tests, zero-length record/fragment handling tests.
  * bmo#1294978 - Reworked overlong record size checks and added TLS1.3
                  specific boundaries.
  * bmo#1763120 - Add ECH Grease Support to tstclnt
  * bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
  * bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
  * bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
  * bmo#1762489 - Update zlib in NSS to 1.2.12.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=384
2022-05-31 19:26:50 +00:00
Wolfgang Rosenauer
66ec2a7e6f - update to NSS 3.77
* Bug 1762244 - resolve mpitests build failure on Windows.
  * bmo#1761779 - Fix link to TLS page on wireshark wiki
  * bmo#1754890 - Add two D-TRUST 2020 root certificates.
  * bmo#1751298 - Add Telia Root CA v2 root certificate.
  * bmo#1751305 - Remove expired explicitly distrusted certificates
                  from certdata.txt.
  * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
  * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
  * bmo#1756271 - Remove token member from NSSSlot struct.
  * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
  * bmo#1757279 - Support UTF-8 library path in the module spec string.
  * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
  * bmo#1760827 - Add a CI Target for gcc-11.
  * bmo#1760828 - Change to makefiles for gcc-4.8.
  * bmo#1741688 - Update googletest to 1.11.0
  * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
  * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
  * bmo#1755904 - Fix calculation of ECH HRR Transcript.
  * bmo#1758741 - Allow ld path to be set as environment variable.
  * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
  * bmo#1758478 - Fix DataBuffer Move Assignment.
  * bmo#1552254 - internal_error alert on Certificate Request with
                  sha1+ecdsa in TLS 1.3
  * bmo#1755092 - rework signature verification in mozilla::pkix

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=382
2022-05-04 12:54:27 +00:00
Wolfgang Rosenauer
a55c72c60d Accepting request 968285 from home:gmbr3:Active
- Require nss-util in nss.pc and subsequently remove -lnssutil3

OBS-URL: https://build.opensuse.org/request/show/968285
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=380
2022-04-10 19:12:35 +00:00
Wolfgang Rosenauer
da5d18a546 - update to NSS 3.76.1
NSS 3.76.1
  * bmo#1756271 - Remove token member from NSSSlot struct.
  NSS 3.76
  * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
                  nssTrustDomain_GetActiveSlots.
  * bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
  * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
  * bmo#1679803 - Add SHA256 fingerprint comments to old
                  certdata.txt entries.
  * bmo#1753505 - Avoid truncating files in nss-release-helper.py.
  * bmo#1751157 - Throw illegal_parameter alert for illegal extensions
                  in handshake message.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=378
2022-04-02 18:00:25 +00:00
Wolfgang Rosenauer
7f79f8bf08 Accepting request 964904 from home:gmbr3:Active
- Add nss-util pkgconfig and config files (copied from RH/Fedora)

OBS-URL: https://build.opensuse.org/request/show/964904
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=376
2022-03-27 19:24:54 +00:00
Wolfgang Rosenauer
c3a6e0b1c1 - update to NSS 3.75
* bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
  * bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
  * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
  * bmo#1748386 - Remove redundant key type check.
  * bmo#1749869 - Update ABI expectations to match ECH changes.
  * bmo#1748386 - Enable CKM_CHACHA20.
  * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
  * bmo#1747310 - real move assignment operator.
  * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
  * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
  * bmo#1747772 - Allow to build using clang's integrated assembler.
  * bmo#1321398 - Allow to override python for the build.
  * bmo#1747317 - test HKDF output rather than input.
  * bmo#1747316 - Use ASSERT macros to end failed tests early.
  * bmo#1747310 - move assignment operator for DataBuffer.
  * bmo#1712879 - Add test cases for ECH compression and unexpected
                  extensions in SH.
  * bmo#1725938 - Update tests for ECH-13.
  * bmo#1725938 - Tidy up error handling.
  * bmo#1728281 - Add tests for ECH HRR Changes.
  * bmo#1728281 - Server only sends GREASE HRR extension if enabled
                  by preference.
  * bmo#1725938 - Update generation of the Associated Data for ECH-13.
  * bmo#1712879 - When ECH is accepted, reject extensions which were
                  only advertised in the Outer Client Hello.
  * bmo#1712879 - Allow for compressed, non-contiguous, extensions.
  * bmo#1712879 - Scramble the PSK extension in CHOuter.
  * bmo#1712647 - Split custom extension handling for ECH.
  * bmo#1728281 - Add ECH-13 HRR Handling.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=374
2022-03-09 07:41:18 +00:00
Wolfgang Rosenauer
3adcfa1059 - update to NSS 3.74
* bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
                 OCSP responses
  * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
  * bmo#1721426 - NSS does not properly restrict server keys based on policy
  * bmo#1733003 - Set nssckbi version number to 2.54
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
  * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
  * bmo#1735407 - Replace GlobalSign ECC Root CA R4
  * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
  * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
                  certificates
  * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
                  CIF A62634068 root certificate
  * bmo#1740095 - Add iTrusChina ECC root certificate
  * bmo#1740095 - Add iTrusChina RSA root certificate
  * bmo#1738805 - Add ISRG Root X2 root certificate
  * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
  * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
  * bmo#1735028 - Check for missing signedData field
  * bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=373
2022-01-24 08:20:50 +00:00
Wolfgang Rosenauer
8b25050daa Accepting request 943053 from home:AndreasStieger:branches:mozilla:Factory
NSS 3.73.1

OBS-URL: https://build.opensuse.org/request/show/943053
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=372
2021-12-29 15:49:46 +00:00
Wolfgang Rosenauer
6d2b744a69 MFSA 2021-51 (bsc#1193170)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=371
2021-12-01 18:36:14 +00:00
Wolfgang Rosenauer
c2c03087b1 - update to NSS 3.73
* bmo#1735028 - check for missing signedData field.
  * bmo#1737470 - Ensure DER encoded signatures are within size limits.
  * bmo#1729550 - NSS needs FiPS 140-3 version indicators.
  * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
  * bmo#1738600 - sunset Coverity from NSS
  MFSA 2021-51
  * CVE-2021-43527 (bmo#1737470)
    Memory corruption via DER-encoded DSA and RSA-PSS signatures

- update to NSS 3.72
  * Remove newline at the end of coreconf.dep
  * bmo#1731911 - Fix nsinstall parallel failure.
  * bmo#1729930 - Increase KDF cache size to mitigate perf
                  regression in about:logins

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=370
2021-12-01 17:50:06 +00:00
Wolfgang Rosenauer
0a23e7af46 - update to NSS 3.71
* bmo#1717716 - Set nssckbi version number to 2.52.
  * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
  * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
  * bmo#1717707 - Add HARICA Client ECC Root CA 2021.
  * bmo#1717707 - Add HARICA Client RSA Root CA 2021.
  * bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
  * bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
  * bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- required for Firefox 94

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=369
2021-11-02 13:45:59 +00:00
Wolfgang Rosenauer
b88778e620 - update to NSS 3.70
* bmo#1726022 - Update test case to verify fix.
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
  * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
  * bmo#1681975 - Avoid using a lookup table in nssb64d.
  * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
  * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
  * bmo#1726022 - Cache additional PBE entries.
  * bmo#1709750 - Read HPKE vectors from official JSON.
- required for Firefox 93

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=367
2021-10-05 13:51:16 +00:00
Wolfgang Rosenauer
4d1c1437e6 - Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
                            on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
                  components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
                  environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
                  nss failures.
                  (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
                  details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=366
2021-09-03 11:26:43 +00:00
Wolfgang Rosenauer
230a70c6b1 - Update nss-fips-constructor-self-tests.patch to fix crashes
reported by upstream. This was likely affecting WebRTC calls.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=364
2021-08-18 17:08:41 +00:00
Wolfgang Rosenauer
90a37e3936 - added nss-fips-fix-missing-nspr.patch (via SLE sync)
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=363
2021-08-09 12:40:49 +00:00
Wolfgang Rosenauer
f1644f1832 - update to NSS 3.68
* bmo#1713562 - Fix test leak.
  * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
  * bmo#1693206 - Implement PKCS8 export of ECDSA keys.
  * bmo#1712883 - DTLS 1.3 draft-43.
  * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
  * bmo#1713562 - Validate ECH public names.
  * bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
- required by Firefox 91.0

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=362
2021-08-09 12:31:34 +00:00
Wolfgang Rosenauer
009bd2b01c - update to NSS 3.66
* no releasenotes available yet
    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes
- update to NSS 3.65
  * bmo#1709654 - Update for NetBSD configuration.
  * bmo#1709750 - Disable HPKE test when fuzzing.
  * bmo#1566124 - Optimize AES-GCM for ppc64le.
  * bmo#1699021 - Add AES-256-GCM to HPKE.
  * bmo#1698419 - ECH -10 updates.
  * bmo#1692930 - Update HPKE to final version.
  * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
  * bmo#1703936 - New coverity/cpp scanner errors.
  * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
  * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
  * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
- refreshed patches
- Firefox 90.0 requires NSS 3.66

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=361
2021-07-14 16:20:34 +00:00
Wolfgang Rosenauer
2607747af9 Accepting request 895809 from home:AndreasStieger:branches:mozilla:Factory
mozilla-nss 3.64

OBS-URL: https://build.opensuse.org/request/show/895809
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=359
2021-05-27 17:36:07 +00:00
Wolfgang Rosenauer
eba5fa49ec - update to NSS 3.63.1
* no upstream release notes for 3.63.1 (yet)
  Fixed in 3.63
  * bmo#1697380 - Make a clang-format run on top of helpful contributions.
  * bmo#1683520 - ECCKiila P384, change syntax of nested structs
                  initialization to prevent build isses with GCC 4.8.
  * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
                  scalar multiplication.
  * bmo#1683520 - ECCKiila P521, change syntax of nested structs
                  initialization to prevent build isses with GCC 4.8.
  * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
                  scalar multiplication.
  * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
  * bmo#1694214 - tstclnt can't enable middlebox compat mode.
  * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
                  profiles.
  * bmo#1685880 - Minor fix to prevent unused variable on early return.
  * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
                  with nss build.
  * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
                  of root CA changes, CA list version 2.48.
  * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
                  'Chambers of Commerce' and 'Global Chambersign' roots.
  * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
  * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
  * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
  * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
                  from NSS.
  * bmo#1687822 - Turn off Websites trust bit for the “Staat der
                  Nederlanden Root CA - G3” root cert in NSS.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=357
2021-04-18 07:40:17 +00:00
Wolfgang Rosenauer
2e8ea1e384 - update to NSS 3.62
* bmo#1688374 - Fix parallel build NSS-3.61 with make
  * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
                  can corrupt "cachedCertTable"
  * bmo#1690583 - Fix CH padding extension size calculation
  * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
  * bmo#1690421 - Install packaged libabigail in docker-builds image
  * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
  * bmo#1674819 - Fixup a51fae403328, enum type may be signed
  * bmo#1681585 - Add ECH support to selfserv
  * bmo#1681585 - Update ECH to Draft-09
  * bmo#1678398 - Add Export/Import functions for HPKE context
  * bmo#1678398 - Update HPKE to draft-07
- required for Firefox 87

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=355
2021-03-17 08:44:35 +00:00
Wolfgang Rosenauer
bac7e766cb Accepting request 875772 from home:hellcp:branches:security:idm
- Add nss-btrfs-sqlite.patch to address bmo#1690232

OBS-URL: https://build.opensuse.org/request/show/875772
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=353
2021-02-28 12:47:39 +00:00
Wolfgang Rosenauer
5de44ac988 - Mozilla Thunderbird 78.8.0
* various bugfixes
  MFSA 2021-09 (bsc#1182614)
  * CVE-2021-23969 (bmo#1542194)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23968 (bmo#1687342)
    Content Security Policy violation report could have contained
    the destination of a redirect
  * CVE-2021-23973 (bmo#1690976)
    MediaError message property could have leaked information
    about cross-origin resources
  * CVE-2021-23978 (bmo#786797, bmo#1682928, bmo#1687391,
    bmo#1687597)
    Memory safety bugs fixed in Firefox 86 and Firefox ESR 78.8

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=352
2021-02-24 08:07:17 +00:00
Wolfgang Rosenauer
56558e6d23 - update to NSS 3.60.1
Notable changes in NSS 3.60:
  * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
    has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
    implementation. See bmo#1654332 for more information.
  * December 2020 batch of Root CA changes, builtins library updated
    to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
    for more information.
- removed obsolete ppc-old-abi-v3.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=350
2021-01-26 21:30:37 +00:00
Wolfgang Rosenauer
691fd0a9fa - update to NSS 3.59.1
* bmo#1679290 - Fix potential deadlock with certain third-party
                  PKCS11 modules

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=348
2020-12-31 12:04:59 +00:00
Wolfgang Rosenauer
95bb1123a7 - update to NSS 3.59
Notable changes
  * Exported two existing functions from libnss:
    CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
  Bugfixes
  * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
  * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
  * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
  * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
  * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
                  root certs when SHA1 signatures are disabled.
  * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
                  solve some test intermittents
  * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
                  our CVE-2020-25648 fix that broke purple-discord
                  (boo#1179382)
  * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
  * bmo#1667989 - Fix gyp linking on Solaris
  * bmo#1668123 - Export CERT_AddCertToListHeadWithData and
                  CERT_AddCertToListTailWithData from libnss
  * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
  * bmo#1663091 - Remove unnecessary assertions in the streaming
                  ASN.1 decoder that affected decoding certain PKCS8
                  private keys when using NSS debug builds
  *  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=345
2020-12-01 13:33:23 +00:00
Wolfgang Rosenauer
694386f519 Accepting request 849662 from home:lnussel:usrmove
- install libraries in %{_libdir} (boo#1029961)

OBS-URL: https://build.opensuse.org/request/show/849662
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=344
2020-11-30 10:24:31 +00:00
Wolfgang Rosenauer
de30840f35 - update to NSS 3.58
Bugs fixed:
  * bmo#1641480 (CVE-2020-25648)
    Tighten CCS handling for middlebox compatibility mode.
  * bmo#1631890 - Add support for Hybrid Public Key Encryption
    (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
    (draft-ietf-tls-esni).
  * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
    extensions.
  * bmo#1668328 - Handle spaces in the Python path name when using
    gyp on Windows.
  * bmo#1667153 - Add PK11_ImportDataKey for data object import.
  * bmo#1665715 - Pass the embedded SCT list extension (if present)
    to TrustDomain::CheckRevocation instead of the notBefore value.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=342
2020-11-17 13:50:18 +00:00
Wolfgang Rosenauer
da00e5afd0 Accepting request 841320 from home:dimstar:Factory
- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "...":  lib64 == lib64.

OBS-URL: https://build.opensuse.org/request/show/841320
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=340
2020-10-12 15:35:14 +00:00
Wolfgang Rosenauer
f6aa3fb9fb - update to NSS 3.57
* The following CA certificates were Added:
    bmo#1663049 - CN=Trustwave Global Certification Authority
        SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
    bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
        SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
    bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
        SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
  * The following CA certificates were Removed:
    bmo#1651211 - CN=EE Certification Centre Root CA
        SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
    bmo#1656077 - O=Government Root Certification Authority; C=TW
        SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
  * Trust settings for the following CA certificates were Modified:
    bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
        Websites (server authentication) trust bit removed.
  * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially
  for LTO on Tumbleweed

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=337
2020-10-07 08:15:55 +00:00
Wolfgang Rosenauer
e43a7b9e4b Accepting request 837280 from home:Guillaume_G:branches:mozilla:Factory
- Add patch to fix build on aarch64 - boo#1176934:
  * nss-freebl-fix-aarch64.patch

OBS-URL: https://build.opensuse.org/request/show/837280
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=335
2020-09-25 06:58:55 +00:00
Wolfgang Rosenauer
50269fd3cd Accepting request 835218 from home:hpjansson:nss-tw
- Update nss-fips-approved-crypto-non-ec.patch to match RC2 code
  being moved to deprecated/.
- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made
  obsolete by upstream changes.

OBS-URL: https://build.opensuse.org/request/show/835218
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=333
2020-09-17 14:55:31 +00:00
Wolfgang Rosenauer
cd3540b0de - update to NSS 3.56
Notable changes
  * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
  * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
  * bmo#1654142 - Add CPU feature detection for Intel SHA extension.
  * bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
  * bmo#1656986 - Properly detect arm64 during GYP build architecture
                  detection.
  * bmo#1652729 - Add build flag to disable RC2 and relocate to
                  lib/freebl/deprecated.
  * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
  * bmo#1588941 - Send empty certificate message when scheme selection
                  fails.
  * bmo#1652032 - Fix failure to build in Windows arm64 makefile
                  cross-compilation.
  * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
  * bmo#1653975 - Fix 3.53 regression by setting "all" as the default
                  makefile target.
  * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
  * bmo#1659814 - Fix interop.sh failures with newer tls-interop
                  commit and dependencies.
  * bmo#1656519 - NSPR dependency updated to 4.28
- do not hard require mozilla-nss-certs-32bit via baselibs
  (boo#1176206)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=332
2020-09-08 20:23:09 +00:00
Wolfgang Rosenauer
6364ad3ae6 - update to NSS 3.55
Notable changes
  * P384 and P521 elliptic curve implementations are replaced with
    verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
  * PK11_FindCertInSlot is added. With this function, a given slot
    can be queried with a DER-Encoded certificate, providing performance
    and usability improvements over other mechanisms. (bmo#1649633)
  * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
  Relevant Bugfixes
  * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
    P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
  * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
  * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
  * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
    ChaCha20 (which was not functioning correctly) and more strictly
    enforce tag length.
  * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1653202 - Fix initialization bug in blapitest when compiled
    with NSS_DISABLE_DEPRECATED_SEED.
  * bmo#1646594 - Fix AVX2 detection in makefile builds.
  * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
    for a DER-encoded certificate.
  * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
  * bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
  * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
  * bmo#1649226 - Add Wycheproof ECDSA tests.
  * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
  * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=330
2020-08-22 07:01:08 +00:00
Wolfgang Rosenauer
8581fb64fb - update to NSS 3.54
Notable changes
  * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
  * Use ARM Cryptography Extension for SHA256, when available
    (bmo#1528113)
  * The following CA certificates were Added:
    bmo#1645186 - certSIGN Root CA G2.
    bmo#1645174 - e-Szigno Root CA 2017.
    bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
    bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
  * The following CA certificates were Removed:
    bmo#1645199 - AddTrust Class 1 CA Root.
    bmo#1645199 - AddTrust External CA Root.
    bmo#1641718 - LuxTrust Global Root 2.
    bmo#1639987 - Staat der Nederlanden Root CA - G2.
    bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
    bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
    bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
  * A number of certificates had their Email trust bit disabled.
    See bmo#1618402 for a complete list.
  Bugs fixed
  * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
  * bmo#1603042 - Add TLS 1.3 external PSK support.
  * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
  * bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
  * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
  * bmo#1641716 - Add Microsoft's non-EV root certificates.
  * bmo1621151 - Disable email trust bit for "O=Government
                 Root Certification Authority; C=TW" root.
  * bmo#1645199 - Remove AddTrust root certificates.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=328
2020-07-23 16:12:42 +00:00
Wolfgang Rosenauer
194c062b5d - add FIPS mode patches from SLE stream
nss-fips-aes-keywrap-post.patch
  nss-fips-approved-crypto-non-ec.patch
  nss-fips-cavs-dsa-fixes.patch
  nss-fips-cavs-general.patch
  nss-fips-cavs-kas-ecc.patch
  nss-fips-cavs-kas-ffc.patch
  nss-fips-cavs-keywrap.patch
  nss-fips-cavs-rsa-fixes.patch
  nss-fips-combined-hash-sign-dsa-ecdsa.patch
  nss-fips-constructor-self-tests.patch
  nss-fips-detect-fips-mode-fixes.patch
  nss-fips-dsa-kat.patch
  nss-fips-gcm-ctr.patch
  nss-fips-pairwise-consistency-check.patch
  nss-fips-rsa-keygen-strictness.patch
  nss-fips-tls-allow-md5-prf.patch
  nss-fips-use-getrandom.patch
  nss-fips-use-strong-random-pool.patch
  nss-fips-zeroization.patch
  nss-fix-dh-pkcs-derive-inverted-logic.patch

- update to NSS 3.53.1
  * required for Firefox 78
  * CVE-2020-12402 - Use constant-time GCD and modular inversion in MPI.
    (bmo#1631597, bsc#1173032)

- update to NSS 3.53
  Notable changes
  * SEED is now moved into a new freebl directory freebl/deprecated

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=326
2020-06-27 21:18:50 +00:00
Wolfgang Rosenauer
c4ac198bc6 Accepting request 816170 from home:michel_mno:branches:mozilla:Factory
- Add ppc-old-abi-v3.patch as per upstream bug
  https://bugzilla.mozilla.org/show_bug.cgi?id=1642174

OBS-URL: https://build.opensuse.org/request/show/816170
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=325
2020-06-23 05:37:44 +00:00
Wolfgang Rosenauer
51c5e75fe8 Accepting request 810947 from home:AndreasStieger:branches:mozilla:Factory
CVE-2020-12399 boo#1171978

OBS-URL: https://build.opensuse.org/request/show/810947
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=323
2020-06-02 20:01:34 +00:00
Wolfgang Rosenauer
c9da1099a1 - removed obsolete nss-kremlin-ppc64le.patch
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=321
2020-05-26 13:56:16 +00:00
Wolfgang Rosenauer
6553d00ceb * CVE-2020-12399 - Force a fixed length for DSA exponentiation
(bmo#1631576)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=320
2020-05-26 09:14:39 +00:00
Wolfgang Rosenauer
e33a5800ee - update to NSS 3.52.1
* required for Firefox 77.0
  Notable changes
  * Update NSS to support PKCS#11 v3.0 (bmo#1603628)
  * Support new PKCS #11 v3.0 Message Interface for AES-GCM and
    ChaChaPoly (bmo#1623374)
  * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL*
    (bmo#1612493)
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=319
2020-05-26 09:12:44 +00:00
Wolfgang Rosenauer
f615b8c01b Accepting request 798944 from home:marxin:branches:mozilla:Factory
- Set NSS_ENABLE_WERROR=0 in order to fix boo#1169746.

OBS-URL: https://build.opensuse.org/request/show/798944
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=317
2020-04-29 21:43:25 +00:00
Wolfgang Rosenauer
6ea59419f5 Accepting request 793073 from home:AndreasStieger:branches:mozilla:Factory
NSS 3.51.1

OBS-URL: https://build.opensuse.org/request/show/793073
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=315
2020-04-11 10:30:25 +00:00
Wolfgang Rosenauer
507c7ec45b Accepting request 790234 from home:michel_mno:branches:mozilla:Factory
- Update previous patch nss-kremlin-ppc64le.patch
  slightly modified to support also ppc64 (BE) versus initial
  https://github.com/FStarLang/kremlin/issues/166

OBS-URL: https://build.opensuse.org/request/show/790234
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=313
2020-03-31 15:31:21 +00:00
Wolfgang Rosenauer
5c3b101fcb Accepting request 790066 from home:MSirringhaus:branches:mozilla:Factory
- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds

OBS-URL: https://build.opensuse.org/request/show/790066
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=312
2020-03-31 14:28:37 +00:00
Wolfgang Rosenauer
ab72679b5e - update to NSS 3.51
* Updated DTLS 1.3 implementation to Draft-34. (bmo#1608892)
  * Correct swapped PKCS11 values of CKM_AES_CMAC and
    CKM_AES_CMAC_GENERAL (bmo#1611209)
  * Complete integration of Wycheproof ECDH test cases (bmo#1612259)
  * Check if PPC __has_include(<sys/auxv.h>) (bmo#1614183)
  * Fix a compilation error for ‘getFIPSEnv’ "defined but not used"
    (bmo#1614786)
  * Send DTLS version numbers in DTLS 1.3 supported_versions extension
    to avoid an incompatibility. (bmo#1615208)
  * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed
    to be null-terminated (bmo#1538980)
  * Correct a warning for comparison of integers of different signs:
    'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88
    (bmo#1561337)
  * Add test for mp_int clamping (bmo#1609751)
  * Don't attempt to read the fips_enabled flag on the machine unless
    NSS was built with FIPS enabled (bmo#1582169)
  * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940)
  * Fix compiler warning in secsign.c (bmo#1617387)
  * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval'
    (bmo#1618400)
  * Fix a crash on unaligned CMACContext.aes.keySchedule when using
    AES-NI intrinsics (bmo#1610687)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=311
2020-03-30 13:40:12 +00:00
Wolfgang Rosenauer
14bbc2e047 - update to NSS 3.50
* Verified primitives from HACL* were updated, bringing performance
    improvements for several platforms.
    Note that Intel processors with SSE4 but without AVX are currently
    unable to use the improved ChaCha20/Poly1305 due to a build issue;
    such platforms will fall-back to less optimized algorithms.
    See bmo#1609569 for details
  * Updated DTLS 1.3 implementation to Draft-30.
    See bmo#1599514 for details.
  * Added NIST SP800-108 KBKDF - PKCS#11 implementation.
    See bmo#1599603 for details.
  * Several bugfixes and minor changes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=308
2020-03-03 21:21:24 +00:00
Wolfgang Rosenauer
b1721753f1 Accepting request 779969 from home:fstrba:branches:mozilla:Factory
Package missing header

OBS-URL: https://build.opensuse.org/request/show/779969
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=306
2020-02-28 09:07:15 +00:00
Wolfgang Rosenauer
478511aedc Accepting request 779080 from home:Guillaume_G:branches:openSUSE:Factory:ARM
- Disable LTO on %arm as LTO fails on neon errors

OBS-URL: https://build.opensuse.org/request/show/779080
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=305
2020-02-25 13:41:19 +00:00
Wolfgang Rosenauer
2e89924539 - update to NSS 3.49.2
Fixed bugs:
  * Fix compilation problems with NEON-specific code in freebl
    (bmo#1608327)
  * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895)

- update to NSS 3.49.1
  3.49.1
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes
  * Cache the most recent PBKDF2 password hash, to speed up repeated
    SDR operations, important with the increased KDF iteration counts (bmo#1606992)
  3.49
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes
  * The legacy DBM database, libnssdbm, is no longer built by default
    when using gyp builds (bmo#1594933)
  * several bugfixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=303
2020-02-08 16:32:51 +00:00
Wolfgang Rosenauer
715468ec8f - update to NSS 3.48
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes
  Notable Changes
  * TLS 1.3 is the default maximum TLS version (bmo#1573118)
  * TLS extended master secret is enabled by default, where possible
    (bmo#1575411)
  * The master password PBE now uses 10,000 iterations by default when
    using the default sql (key4.db) storage (bmo#1562671)
  Certificate Authority Changes
  * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178)
  Bugfixes
- requires NSPR 4.24
  * CVE-2019-17006 Add length checks for cryptographic primitives
    (bmo#1539788)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=301
2020-01-07 08:45:34 +00:00