Disable SSL2 support and fix syntax errors in various shell scripts

- sync. up with latest changes for rawhide

.gitignore

@@ -8,4 +8,4 @@ TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
 /nss-pem-20140125.tar.bz2
-/nss-3.16.2.tar.gz
+/nss-3.17.4.tar.gz

iquote.patch

@@ -9,6 +9,32 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
  
  
  #######################################################################
+diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile
+--- nss/cmd/certcgi/Makefile.iquote	2014-08-19 10:18:35.713017904 -0700
++++ nss/cmd/certcgi/Makefile	2014-08-19 10:19:36.106528087 -0700
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile
+--- nss/cmd/certutil/Makefile.iquote	2014-08-19 10:23:39.697585905 -0700
++++ nss/cmd/certutil/Makefile	2014-08-19 10:24:31.060019803 -0700
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
 diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
 --- nss/cmd/lib/Makefile.iquote	2014-05-01 20:27:18.000000000 -0700
 +++ nss/cmd/lib/Makefile	2014-05-06 07:15:41.174387806 -0700

nss.spec

@@ -1,8 +1,8 @@
-%global nspr_version 4.10.6
-%global nss_util_version 3.16.2
-%global nss_softokn_version 3.16.2
+%global nspr_version 4.10.7
+%global nss_util_version 3.17.4
+%global nss_softokn_version 3.17.4
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
-%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
 # solution taken from icedtea-web.spec
 %define multilib_arches %{power64} sparc64 x86_64
@@ -18,7 +18,7 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.16.2
+Version:          3.17.4
 Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
@@ -74,7 +74,6 @@ Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
 Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
-Patch18:          nss-646045.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
@@ -91,8 +90,15 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 # headers are older. Such is the case when starting an update with API changes or even private export changes.
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-Patch52:          disable-sslv2-libssl.patch
-Patch53:          disable-sslv2-tests.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
+Patch51:          tls12.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1057463
+# Implementing TLS 1.3 is a tracking bug and it's possible that
+# it may necessitate disabling SSL2 support. SSL2 support has been
+# disabled downstream in Red Hat Enterprise Linux since RHEL-7.0
+Patch52:          disableSSL2.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367
+Patch92:          scripts-syntax-errors.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -173,15 +179,17 @@ low level services.
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-%patch18 -p0 -b .646045
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
-%patch52 -p0 -b .disableSSL2
-%patch53 -p0 -b .disableSSL2
+pushd nss
+%patch51 -p1 -b .994599
+%patch52 -p1 -b .disableSSL2
+%patch92 -p1 -b .syntax
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -433,7 +441,13 @@ nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits c
 # global nss_ssl_tests "normal_fips"
 # global nss_ssl_run "cov auth"
 
-HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
+
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+  HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+else
+  echo "skipped test suite"
+fi
 
 popd
 
@@ -444,7 +458,13 @@ popd
 # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
 killall $RANDSERV || :
 
-TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+  TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+else
+  TEST_FAILURES=0
+  GREP_EXIT_STATUS=1
+fi
+
 if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
   echo "okay: test suite detected no failures"
 else
@@ -478,6 +498,12 @@ echo "test suite completed"
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%if %{defined rhel}
+# not needed for rhel and its derivatives only fedora
+%else
+# because of the pp.1 conflict with perl-PAR-Packer
+%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%endif
 
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
@@ -549,6 +575,12 @@ done
 for f in "%{allTools}"; do 
   install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
+%if %{defined rhel}
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+%else
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+%endif
+
 # Copy the man pages for the configuration files
 for f in pkcs11.txt; do 
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
@@ -617,6 +649,8 @@ fi
 
 %files
 %defattr(-,root,root)
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
 %{_libdir}/libnss3.so
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
@@ -630,12 +664,12 @@ fi
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz
 
 %files sysinit
 %defattr(-,root,root)
@@ -643,7 +677,7 @@ fi
 %{_bindir}/setup-nsssysinit.sh
 # symbolic link to setup-nsssysinit.sh
 %{_bindir}/setup-nsssysinit
-%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz
 
 %files tools
 %defattr(-,root,root)
@@ -668,26 +702,31 @@ fi
 %{unsupported_tools_directory}/vfychain
 # instead of %%{_mandir}/man*/* let's list them explicitely
 # supported tools
-%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz
 # unsupported tools
-%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz
+%if %{defined rhel}
+%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz
+%else
+%dir %{_datadir}/doc/nss-tools
+%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1
+%endif
+%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz
 
 %files devel
 %defattr(-,root,root)
 %{_libdir}/libcrmf.a
 %{_libdir}/pkgconfig/nss.pc
 %{_bindir}/nss-config
-%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz
 
 %dir %{_includedir}/nss3
 %{_includedir}/nss3/cert.h
@@ -757,8 +796,52 @@ fi
 
 
 %changelog
-* Fri Jul 18 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
-- Disable support for ssl2
+* Wed Feb 04 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
+- Disable SSL2 support and fix syntax errors in various shell scripts
+
+* Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
+- Update to nss-3.17.4
+
+* Sat Jan 24 2015 Ville Skyttä <ville.skytta@iki.fi> - 3.17.3-4
+- Own the %%{_datadir}/doc/nss-tools dir
+
+* Tue Dec 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-3
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
+- Use %%{_mandir} instead of /usr/share/man as more generic
+
+* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
+- Install pp man page in alternative location
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+
+* Fri Dec 05 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
+- Update to nss-3.17.3
+- Resolves: Bug 1171012 - nss-3.17.3 is available
+
+* Thu Oct 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-2
+- Resolves: Bug 994599 - Enable TLS 1.2 by default
+
+* Sun Oct 12 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-1
+- Update to nss-3.17.2
+
+* Wed Sep 24 2014 Kai Engert <kaie@redhat.com> - 3.17.1-1
+- Update to nss-3.17.1
+- Add a mechanism to skip test suite execution during development work
+
+* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.17.0-2
+- Rebuild for rpm bug 1131960
+
+* Tue Aug 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.0-1
+- Update to nss-3.17.0
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-3
+- Replace expired PayPal test cert with current one to prevent build failure
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 3.16.2-2
+- fix license handling
 
 * Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
 - Update to nss-3.16.2

scripts-syntax-errors.patch

@@ -0,0 +1,87 @@
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -296,17 +296,17 @@ fi
+ 
+ # NOTE:
+ # Since in make at the top level, modutil is the last file
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the 
+ # following test for modutil should check for that instead.
+ # Exception: when building softoken only, shlibsign is the
+ # last file created.
+-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
++if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
+   LAST_FILE_BUILT=shlibsign
+ else
+   LAST_FILE_BUILT=modutil
+ fi
+ 
+ if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
+     echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+     html_head "Testing Initialization"
+diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh
+--- a/tests/cipher/cipher.sh
++++ b/tests/cipher/cipher.sh
+@@ -119,17 +119,17 @@ cipher_cleanup()
+ }
+ 
+ ################## main #################################################
+ 
+ # When building without softoken, bltest isn't built. It was already
+ # built and the cipher suite run as part of an nss-softoken build. 
+ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then
+     echo "bltest not built, skipping this test." >> ${LOGFILE}
+-    res = 0
++    #res = 0
+     html_msg $res $EXP_RET "$TESTNAME"
+     return 0
+ fi
+ cipher_init
+ # Skip cipher_main if this an NSS without softoken build.
+ if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then
+     cipher_main
+ fi
+diff --git a/tests/common/init.sh b/tests/common/init.sh
+--- a/tests/common/init.sh
++++ b/tests/common/init.sh
+@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
+     {
+ 	
+         html "<TABLE BORDER=1 ${TABLE_ARGS}><TR><TH COLSPAN=3>$*</TH></TR>"
+         html "<TR><TH width=500>Test Case</TH><TH width=50>Result</TH></TR>" 
+         echo "$SCRIPTNAME: $* ==============================="
+     }
+     html_msg()
+     {
+-        if [ "$1" -ne "$2" ] ; then
++        if [ "$1" != "$2" ] ; then
+             html_failed "$3" "$4"
+         else
+             html_passed "$3" "$4"
+         fi
+     }
+     HTML_FAILED='</TD><TD bgcolor=red>Failed</TD><TR>'
+     HTML_FAILED_CORE='</TD><TD bgcolor=red>Failed Core</TD><TR>'
+     HTML_PASSED='</TD><TD bgcolor=lightGreen>Passed</TD><TR>'
+diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
+--- a/tests/dbtests/dbtests.sh
++++ b/tests/dbtests/dbtests.sh
+@@ -170,7 +170,7 @@ dbtest_main()
+ 
+     # skipping the next two tests when user is root,
+     # otherwise they would fail due to rooty powers
+-    if [ $UID -ne 0 ] then
++    if [[ $UID -ne 0 ]]; then
+       ${BINDIR}/dbtest -d $RONLY_DIR
+     ret=$?
+     if [ $ret -ne 46 ]; then
+@@ -181,7 +181,7 @@ dbtest_main()
+     else
+       html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+     fi
+-    if [ $UID -ne 0 ] then
++    if [[ $UID -ne 0 ]]; then
+       ${BINDIR}/certutil -D -n "TestUser" -d .
+     ret=$?
+     if [ $ret -ne 255 ]; then

sources

@@ -3,9 +3,9 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-838b7b6e0c3563059f6e77d149666448  PayPalEE.cert
+c9fefa97dc184a5857f12d938517ed81  PayPalEE.cert
 f998b70c1be25e8bb9f5fdb5d50eb6f2  TestCA.ca.cert
 1b7b6808cd77d5df29bf5bb9e5fac967  TestUser50.cert
 ab0b56dd505a995425c03e5266f7c8d6  TestUser51.cert
 b8a94e863c852e1f8b75e930e76f8640  nss-pem-20140125.tar.bz2
-afc6789c9d805db5be1e5f3c533394f1  nss-3.16.2.tar.gz
+a77df26072cabf8afb26911b6fa9b755  nss-3.17.4.tar.gz

tls12.patch

@@ -0,0 +1,36 @@
+# HG changeset patch
+# User Martin Thomson <martin.thomson@gmail.com>
+# Date 1413479112 25200
+#      Thu Oct 16 10:05:12 2014 -0700
+# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
+# Parent  24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
+Bug 1083900 - Updating default maximum version to 1.2
+
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
+     PR_FALSE    /* enableFallbackSCSV */
+ };
+ 
+ /*
+  * default range of enabled SSL/TLS protocols
+  */
+ static SSLVersionRange versions_defaults_stream = {
+     SSL_LIBRARY_VERSION_3_0,
+-    SSL_LIBRARY_VERSION_TLS_1_0
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ static SSLVersionRange versions_defaults_datagram = {
+     SSL_LIBRARY_VERSION_TLS_1_1,
+-    SSL_LIBRARY_VERSION_TLS_1_1
++    SSL_LIBRARY_VERSION_TLS_1_2
+ };
+ 
+ #define VERSIONS_DEFAULTS(variant) \
+     (variant == ssl_variant_stream ? &versions_defaults_stream : \
+                                      &versions_defaults_datagram)
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;
+ sslSessionIDCacheFunc   ssl_sid_cache;