buildservice-autocommit accepted request 852633 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 347)

baserev update by copy to link target

• Files Changed
• Browse Source

buildservice-autocommit accepted request 851799 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 346)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 345)

- update to NSS 3.59
  Notable changes
  * Exported two existing functions from libnss:
    CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData
  Bugfixes
  * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
  * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
  * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
  * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
  * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
                  root certs when SHA1 signatures are disabled.
  * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
                  solve some test intermittents
  * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
                  our CVE-2020-25648 fix that broke purple-discord
                  (boo#1179382)
  * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
  * bmo#1667989 - Fix gyp linking on Solaris
  * bmo#1668123 - Export CERT_AddCertToListHeadWithData and
                  CERT_AddCertToListTailWithData from libnss
  * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
  * bmo#1663091 - Remove unnecessary assertions in the streaming
                  ASN.1 decoder that affected decoding certain PKCS8
                  private keys when using NSS debug builds
  *  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) accepted request 849662 from Ludwig Nussel (lnussel) over 3 years ago (revision 344)

- install libraries in %{_libdir} (boo#1029961)

• Files Changed
• Browse Source

buildservice-autocommit accepted request 849114 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 343)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 342)

- update to NSS 3.58
  Bugs fixed:
  * bmo#1641480 (CVE-2020-25648)
    Tighten CCS handling for middlebox compatibility mode.
  * bmo#1631890 - Add support for Hybrid Public Key Encryption
    (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
    (draft-ietf-tls-esni).
  * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
    extensions.
  * bmo#1668328 - Handle spaces in the Python path name when using
    gyp on Windows.
  * bmo#1667153 - Add PK11_ImportDataKey for data object import.
  * bmo#1665715 - Pass the embedded SCT list extension (if present)
    to TrustDomain::CheckRevocation instead of the notBefore value.

• Files Changed
• Browse Source

buildservice-autocommit accepted request 841322 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 341)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) accepted request 841320 from Dominique Leuenberger (dimstar) over 3 years ago (revision 340)

- Fix build with RPM 4.16: error: bare words are no longer
  supported, please use "...":  lib64 == lib64.

• Files Changed
• Browse Source

buildservice-autocommit accepted request 840031 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 339)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 338)

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 337)

- update to NSS 3.57
  * The following CA certificates were Added:
    bmo#1663049 - CN=Trustwave Global Certification Authority
        SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
    bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
        SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
    bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
        SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
  * The following CA certificates were Removed:
    bmo#1651211 - CN=EE Certification Centre Root CA
        SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
    bmo#1656077 - O=Government Root Certification Authority; C=TW
        SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
  * Trust settings for the following CA certificates were Modified:
    bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
        Websites (server authentication) trust bit removed.
  * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially
  for LTO on Tumbleweed

• Files Changed
• Browse Source

buildservice-autocommit accepted request 837281 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 336)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) accepted request 837280 from Guillaume GARDET (Guillaume_G) over 3 years ago (revision 335)

- Add patch to fix build on aarch64 - boo#1176934:
  * nss-freebl-fix-aarch64.patch

• Files Changed
• Browse Source

buildservice-autocommit accepted request 835234 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 334)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) accepted request 835218 from Hans Petter Jansson (hpjansson) over 3 years ago (revision 333)

- Update nss-fips-approved-crypto-non-ec.patch to match RC2 code
  being moved to deprecated/.
- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made
  obsolete by upstream changes.

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 332)

- update to NSS 3.56
  Notable changes
  * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
  * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
  * bmo#1654142 - Add CPU feature detection for Intel SHA extension.
  * bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
  * bmo#1656986 - Properly detect arm64 during GYP build architecture
                  detection.
  * bmo#1652729 - Add build flag to disable RC2 and relocate to
                  lib/freebl/deprecated.
  * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
  * bmo#1588941 - Send empty certificate message when scheme selection
                  fails.
  * bmo#1652032 - Fix failure to build in Windows arm64 makefile
                  cross-compilation.
  * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
  * bmo#1653975 - Fix 3.53 regression by setting "all" as the default
                  makefile target.
  * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
  * bmo#1659814 - Fix interop.sh failures with newer tls-interop
                  commit and dependencies.
  * bmo#1656519 - NSPR dependency updated to 4.28
- do not hard require mozilla-nss-certs-32bit via baselibs
  (boo#1176206)

• Files Changed
• Browse Source

buildservice-autocommit accepted request 829609 from Wolfgang Rosenauer (wrosenauer) over 3 years ago (revision 331)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed over 3 years ago (revision 330)

- update to NSS 3.55
  Notable changes
  * P384 and P521 elliptic curve implementations are replaced with
    verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
  * PK11_FindCertInSlot is added. With this function, a given slot
    can be queried with a DER-Encoded certificate, providing performance
    and usability improvements over other mechanisms. (bmo#1649633)
  * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)
  Relevant Bugfixes
  * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
    P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
  * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
  * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
  * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
    ChaCha20 (which was not functioning correctly) and more strictly
    enforce tag length.
  * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
  * bmo#1653202 - Fix initialization bug in blapitest when compiled
    with NSS_DISABLE_DEPRECATED_SEED.
  * bmo#1646594 - Fix AVX2 detection in makefile builds.
  * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
    for a DER-encoded certificate.
  * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
  * bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
  * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
  * bmo#1649226 - Add Wycheproof ECDSA tests.
  * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
  * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in

• Files Changed
• Browse Source

buildservice-autocommit accepted request 823327 from Wolfgang Rosenauer (wrosenauer) almost 4 years ago (revision 329)

baserev update by copy to link target

• Files Changed
• Browse Source

Wolfgang Rosenauer (wrosenauer) committed almost 4 years ago (revision 328)

- update to NSS 3.54
  Notable changes
  * Support for TLS 1.3 external pre-shared keys (bmo#1603042).
  * Use ARM Cryptography Extension for SHA256, when available
    (bmo#1528113)
  * The following CA certificates were Added:
    bmo#1645186 - certSIGN Root CA G2.
    bmo#1645174 - e-Szigno Root CA 2017.
    bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
    bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
  * The following CA certificates were Removed:
    bmo#1645199 - AddTrust Class 1 CA Root.
    bmo#1645199 - AddTrust External CA Root.
    bmo#1641718 - LuxTrust Global Root 2.
    bmo#1639987 - Staat der Nederlanden Root CA - G2.
    bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
    bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
    bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.
  * A number of certificates had their Email trust bit disabled.
    See bmo#1618402 for a complete list.
  Bugs fixed
  * bmo#1528113 - Use ARM Cryptography Extension for SHA256.
  * bmo#1603042 - Add TLS 1.3 external PSK support.
  * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
  * bmo#1645186 - Add "certSIGN Root CA G2" root certificate.
  * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate.
  * bmo#1641716 - Add Microsoft's non-EV root certificates.
  * bmo1621151 - Disable email trust bit for "O=Government
                 Root Certification Authority; C=TW" root.
  * bmo#1645199 - Remove AddTrust root certificates.

• Files Changed
• Browse Source