Enable ECC cipher-suites by default [hrbz#1185708]

- Split the enabling patch in two for easier maintenance
- The first patch hase been accepted upstream and will be included in next rebase
- The second patch will be a local patch to be carried forward as we rebase
- Remove unused patches

dummy-sources-for-testing

@@ -1,2 +0,0 @@
-Dummy source file that we by uploading it lets us verify that nss builds
-do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang.

nss-ssl-enforce-no-pkcs11-bypass.path

@@ -1,16 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.nobypass	2013-05-30 22:23:37.305583715 -0700
-+++ nss/lib/ssl/sslsock.c	2013-05-30 22:23:37.311583762 -0700
-@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo
- static PRStatus SSL_BypassSetup(void)
- {
- #ifdef NO_PKCS11_BYPASS
--    /* Guarantee binary compatibility */
--    return PR_SUCCESS;
-+    /* No need in our case to guarantee binary compatibility and
-+     * we can safely return failure as we have never supported it
-+     */
-+    return PR_FAILURE;
- #else
-     return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
- #endif

nss.spec

@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.20.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.2%{?dist}
+Release:          1.3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -96,8 +96,10 @@ Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
 # See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
 Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
-# TODO: File a bug usptream
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
 Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -190,6 +192,7 @@ popd
 pushd nss
 %patch57 -p1 -b .1185708
 popd
+%patch58 -p0 -b .1185708_3des
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -803,6 +806,11 @@ fi
 
 
 %changelog
+* Sun Oct 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.3
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+- Remove unused patches
+
 * Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.2
 - Enable ECC cipher-suites by default [hrbz#1185708]
 - Implement corrections requested in code review

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -0,0 +1,14 @@
+diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2015-09-29 16:24:18.717593591 -0700
++++ ./nss/lib/ssl/ssl3con.c	2015-09-29 16:25:22.672879926 -0700
+@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */

rhbz1185708-enable-ecc-ciphers-by-default.patch

@@ -1,7 +1,7 @@
 diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
 --- a/lib/ssl/ssl3con.c
 +++ b/lib/ssl/ssl3con.c
-@@ -85,29 +85,29 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
+@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
   *
   * Important: See bug 946147 before enabling, reordering, or adding any cipher
   * suites to this list.
@@ -23,21 +23,17 @@ diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
 - { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
  #endif /* NSS_DISABLE_ECC */
  
   { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
   { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},