From 0bcbceb5250826282d3278a0aa75d7bc1e53e203 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Mon, 3 Sep 2018 14:45:19 +0200
Subject: [PATCH] Update to NSS 3.39
---
 .gitignore | 1 +
 nss-check-policy-file.patch | 49 -------------------------------------
 nss-p11-kit.config | 4 +++
 nss.spec | 37 ++++++++++++++++++----------
 sources | 2 +-
 5 files changed, 30 insertions(+), 63 deletions(-)
 delete mode 100644 nss-check-policy-file.patch
 create mode 100644 nss-p11-kit.config
diff --git a/.gitignore b/.gitignore
index ce1abc1..46aed9f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ TestUser51.cert
 /nss-3.37.1.tar.gz
 /nss-3.37.3.tar.gz
 /nss-3.38.0.tar.gz
+/nss-3.39.tar.gz
diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch
deleted file mode 100644
index 1898173..0000000
--- a/nss-check-policy-file.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
---- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
-+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
-@@ -109,6 +109,7 @@ secmod_NewModule(void)
- *other flags are set */
- #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
- #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
-+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
-
- /* private flags for internal (field in SECMODModule). */
- /* The meaing of these flags is as follows:
-@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
- if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
- flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
- }
-+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
-+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
-+ }
- /* additional moduleDB flags could be added here in the future */
- mod->isModuleDB = (PRBool)flags;
- }
-@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
- }
-
- PRBool
-+secmod_PolicyOnly(SECMODModule *mod)
-+{
-+ char flags = (char) mod->isModuleDB;
-+
-+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
-+}
-+
-+PRBool
- secmod_IsInternalKeySlot(SECMODModule *mod)
- {
- char flags = (char)mod->internal;
-@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
- if (!module) {
- goto loser;
- }
-+
-+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
-+ * been parsed as a side effect of the CreateModuleEx call */
-+ if (secmod_PolicyOnly(module)) {
-+ return module;
-+ }
- if (parent) {
- module->parent = SECMOD_ReferenceModule(parent);
- if (module->internal && secmod_IsInternalKeySlot(parent)) {
diff --git a/nss-p11-kit.config b/nss-p11-kit.config
new file mode 100644
index 0000000..0ebf073
--- /dev/null
+++ b/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/nss.spec b/nss.spec index ab06671..678a1d1 100644 --- a/nss.spec +++ b/nss.spec @@ -1,12 +1,21 @@ -%global nspr_version 4.19.0 -%global nss_util_version 3.38.0 -%global nss_softokn_version 3.38.0 +%global nspr_version 4.20.0 +%global nss_util_version 3.39.0 +%global nss_softokn_version 3.39.0 +%global nss_version 3.39.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_archive_version %s", + string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))) +} + Summary: Network Security Services Name: nss -Version: 3.38.0 +Version: %{nss_version} # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) Release: 1.0%{?dist} @@ -45,7 +54,7 @@ Conflicts: seamonkey < 2.46-2 # https://bugzilla.redhat.com/show_bug.cgi?id=1414987 # Conflicts: icecat < 45.5.1-5 -Source0: %{name}-%{version}.tar.gz +Source0: %{name}-%{nss_archive_version}.tar.gz Source1: nss.pc.in Source2: nss-config.in Source3: blank-cert8.db @@ -86,9 +95,6 @@ Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 -Patch59: nss-check-policy-file.patch -Patch60: nss-load-policy-file.patch Patch62: nss-skip-util-gtest.patch %description @@ -159,8 +165,7 @@ low level services. %prep -%setup -q -%setup -q -T -D -n %{name}-%{version} +%setup -q -n %{name}-%{nss_archive_version} %patch2 -p0 -b .relro %patch3 -p0 -b .transitional 
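Review bot: In the `%{lua:` block of the first nss.spec hunk, `string.gsub` returns two values (the result and the substitution count), and both are passed on to `string.format`, which has only one `%s` to fill. It works because the surplus argument is ignored, but wrapping the call in parentheses, `(string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))`, keeps only the string and makes the intent explicit. The comment above the block could also state that only a single trailing `.0` is stripped, so a point release keeps its full form in `nss_archive_version`.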
@@ -170,8 +175,6 @@ low level services. %patch50 -p0 -b .iquote %patch58 -p0 -b .1185708_3des pushd nss -%patch59 -p1 -b .check_policy_file -%patch60 -p1 -b .load_policy_file %patch62 -p1 -b .skip_util_gtest popd @@ -532,7 +535,7 @@ do done # Copy the binaries we want -for file in certutil cmsutil crlutil modutil pk12util signver ssltap +for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap do %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} done @@ -587,6 +590,9 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done +# Copy the crypto-policies configuration file +%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d + %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet # from previous versions of nss.spec @@ -634,6 +640,7 @@ done %{_bindir}/cmsutil %{_bindir}/crlutil %{_bindir}/modutil +%{_bindir}/nss-policy-check %{_bindir}/pk12util %{_bindir}/signver %{_bindir}/ssltap @@ -746,6 +753,10 @@ done %changelog +* Mon Sep 3 2018 Daiki Ueno - 3.39.0-1.0 +- Update to NSS 3.39 +- Use the upstream tarball as it is (rhbz#1578106) + * Tue Jul 3 2018 Daiki Ueno - 3.38.0-1.0 - Update to NSS 3.38 diff --git a/sources b/sources index 8c91f7f..bc02822 100644 --- a/sources +++ b/sources 
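Review bot: The `%{__install} -p -m 644 %{SOURCE28} ...crypto-policies/local.d` line added in the `@@ -587,6 +590,9 @@` hunk relies on three things that no hunk of this patch adds: a `Source28:` tag for the new nss-p11-kit.config, creation of the target directory, and a `%files` entry for the installed file. Unless they already exist outside the hunks, `%{SOURCE28}` may stay unexpanded, `install` may write a plain file named `local.d`, or the build may stop on an unpackaged file. I would add `Source28: nss-p11-kit.config`, a `mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d` before the install, and `%config(noreplace) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config` in the matching `%files` section. The file registers p11-kit-proxy.so as a module and presumably changes which PKCS#11 modules NSS loads once the policy is applied, so the changelog entry should mention it as well.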
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f