Rebase to NSS 3.15

- Remove three patches obsolted by the rebase and updated two
- Temporarily not building the ecperf tool
- ecperef requires freebl/ec.h and ecl-curve.h and the latter
- causes compile failure because it requires that
- NSS_ECC_MORE_THAN_SUITE_B not be defined yet this is
- required for nss builds to allow external pkcs #11 providers
- to support curves beyond suite-b, such restriction only applies
- to the internal crypto module

.gitignore

@@ -9,4 +9,4 @@ TestUser50.cert
 TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.24.0.tar.gz
+/nss-3.25.0.tar.gz

mozbz1277569backport.patch

@@ -1,102 +0,0 @@
---- ./lib/ssl/sslsock.c.compatibility	2016-06-02 10:59:07.188831825 -0700
-+++ ./lib/ssl/sslsock.c	2016-06-02 10:59:07.205831404 -0700
-@@ -675,16 +675,28 @@
-                     PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                     rv = SECFailure; /* not allowed */
-                 }
-                 break;
-             }
-             ssl_EnableSSL3(&ss->vrange, on);
-             break;
- 
-+        case SSL_ENABLE_SSL2:
-+        case SSL_V2_COMPATIBLE_HELLO:
-+            /* We no longer support SSL v2.
-+             * However, if an old application requests to disable SSL v2,
-+             * we shouldn't fail.
-+             */
-+            if (on) {
-+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+                rv = SECFailure;
-+            }
-+            break;
-+
-         case SSL_NO_CACHE:
-             ss->opt.noCache = on;
-             break;
- 
-         case SSL_ENABLE_FDX:
-             if (on && ss->opt.noLocks) {
-                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                 rv = SECFailure;
-@@ -856,16 +868,20 @@
-             on = ss->opt.handshakeAsServer;
-             break;
-         case SSL_ENABLE_TLS:
-             on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
-             break;
-         case SSL_ENABLE_SSL3:
-             on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
-             break;
-+        case SSL_ENABLE_SSL2:
-+        case SSL_V2_COMPATIBLE_HELLO:
-+            on = PR_FALSE;
-+            break;
-         case SSL_NO_CACHE:
-             on = ss->opt.noCache;
-             break;
-         case SSL_ENABLE_FDX:
-             on = ss->opt.fdx;
-             break;
-         case SSL_ROLLBACK_DETECTION:
-             on = ss->opt.detectRollBack;
-@@ -967,16 +983,20 @@
-             on = ssl_defaults.handshakeAsServer;
-             break;
-         case SSL_ENABLE_TLS:
-             on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
-             break;
-         case SSL_ENABLE_SSL3:
-             on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
-             break;
-+        case SSL_ENABLE_SSL2:
-+        case SSL_V2_COMPATIBLE_HELLO:
-+            on = PR_FALSE;
-+            break;
-         case SSL_NO_CACHE:
-             on = ssl_defaults.noCache;
-             break;
-         case SSL_ENABLE_FDX:
-             on = ssl_defaults.fdx;
-             break;
-         case SSL_ROLLBACK_DETECTION:
-             on = ssl_defaults.detectRollBack;
-@@ -1100,16 +1120,28 @@
-         case SSL_ENABLE_TLS:
-             ssl_EnableTLS(&versions_defaults_stream, on);
-             break;
- 
-         case SSL_ENABLE_SSL3:
-             ssl_EnableSSL3(&versions_defaults_stream, on);
-             break;
- 
-+        case SSL_ENABLE_SSL2:
-+        case SSL_V2_COMPATIBLE_HELLO:
-+            /* We no longer support SSL v2.
-+             * However, if an old application requests to disable SSL v2,
-+             * we shouldn't fail.
-+             */
-+            if (on) {
-+                PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+                return SECFailure;
-+            }
-+            break;
-+
-         case SSL_NO_CACHE:
-             ssl_defaults.noCache = on;
-             break;
- 
-         case SSL_ENABLE_FDX:
-             if (on && ssl_defaults.noLocks) {
-                 PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                 return SECFailure;

nss-enable-pem.patch

@@ -1,12 +0,0 @@
-diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
---- nss/lib/ckfw/manifest.mn.libpem	2013-05-28 14:43:24.000000000 -0700
-+++ nss/lib/ckfw/manifest.mn	2013-05-30 22:14:49.247459672 -0700
-@@ -5,7 +5,7 @@
- 
- CORE_DEPTH = ../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \

nss-skip-bltest-and-fipstest.patch

@@ -1,17 +1,15 @@
-diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
---- nss/cmd/Makefile.nobltest	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/Makefile	2013-06-15 11:51:11.669655168 -0700
-@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
- DIRS += libpkix
- endif
- 
--ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipem	2016-06-24 10:10:38.143165159 -0700
++++ ./nss/cmd/Makefile	2016-06-24 10:13:08.566457400 -0700
+@@ -17,7 +17,11 @@ endif
+ ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
  BLTEST_SRCDIR =
--FIPSTEST_SRCDIR =
--SHLIBSIGN_SRCDIR =
-+FIPSTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
 +SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
  else
  BLTEST_SRCDIR = bltest
  FIPSTEST_SRCDIR = fipstest

nss-skip-ecperf.patch

@@ -0,0 +1,11 @@
+diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
+--- ./nss/cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
++++ ./nss/cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
+@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
+  dbtest \
+  derdump  \
+  digest  \
+- ecperf \
+  httpserv  \
+  listsuites \
+  makepqg  \

nss.spec

@@ -1,6 +1,6 @@
 %global nspr_version 4.12.0
-%global nss_util_version 3.24.0
-%global nss_softokn_version 3.24.0
+%global nss_util_version 3.25.0
+%global nss_softokn_version 3.25.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.24.0
+Version:          3.25.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -94,14 +94,14 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # TODO: file a bug usptream
 Patch59: nss-check-policy-file.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569
-Patch61: mozbz1277569backport.patch
 # TODO: file a bug usptream
 Patch62: nss-skip-util-gtest.patch
 # TODO: file a bug usptream when enough tests are run
 Patch63: tests-check-policy-file.patch
 # TODO: file a bug usptream when enough tests are run
 Patch64: tests-data-adjust-for-policy.patch
+# TODO: file a bug upstream
+Patch70: nss-skip-ecperf.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -185,11 +185,12 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-%patch61 -p1 -b .compatibility
-%patch62 -p0 -b .skip_util_gtest
+#%patch62 -p0 -b .skip_util_gtest
 %patch63 -p1 -b .check_policy
 %patch64 -p1 -b .expected_result
 popd
+# temporary
+%patch70 -p0 -b .skip_ecperf
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -197,10 +198,13 @@ popd
 # until fixed upstream we must copy some headers locally
 #########################################################
 
-# Copying these header until the upstream bug is accepted
+# Copying these headers until the upstream bug is accepted
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
+# TODO: similar problem as descrived above
+# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
+# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
 
 # Before removing util directory we must save verref.h
 # as it will be needed later during the build phase.
@@ -230,6 +234,8 @@ popd
 
 %build
 
+# TODO: remove this when we solve the problems
+export NSS_DISABLE_GTESTS=1
 
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS
@@ -457,7 +463,9 @@ pushd ./nss/tests/
 
 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+#  the full list from all.sh is:
+#  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -802,6 +810,9 @@ fi
 
 
 %changelog
+* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
+- Rebase to nss 3.25
+
 * Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
 - decouple nss-pem from the nss package (#1347336)
 

nsspem-use-system-freebl.patch

@@ -1,80 +0,0 @@
-diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
---- nss/lib/ckfw/pem/config.mk.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/config.mk	2013-04-04 16:02:33.805744145 -0700
-@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
- #  are specifed as dependencies within rules.mk.
- #
- 
-+
-+EXTRA_LIBS += \
-+	$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
-+	$(NULL)
-+
- TARGETS        = $(SHARED_LIBRARY)
- LIBRARY        =
- IMPORT_LIBRARY =
-@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
- MKSHLIB += -R '$$ORIGIN'
- endif
- 
-+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
-+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_NSSUTIL
-+OS_LIBS += $(NSSUTIL_LIBS)
-+else
-+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(NSSUTIL_LIBS)
-+endif
-+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
-+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_FREEBL
-+OS_LIBS += $(FREEBL_LIBS)
-+else
-+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(FREEBL_LIBS)
-+endif
-+
-diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
---- nss/lib/ckfw/pem/Makefile.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/Makefile	2013-04-04 16:02:33.806744154 -0700
-@@ -43,8 +43,7 @@ include config.mk
- EXTRA_LIBS = \
- 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
- 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
-+	$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- 	$(NULL)
- 
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
-@@ -56,6 +55,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3
- 	$(NULL)
- else 
- EXTRA_SHARED_LIBS += \
-@@ -74,6 +76,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3 \
- 	$(NULL)
- endif
- 
-diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
---- nss/lib/ckfw/pem/manifest.mn.systemfreebl	2012-08-11 09:06:59.000000000 -0700
-+++ nss/lib/ckfw/pem/manifest.mn	2013-04-04 16:02:33.807744163 -0700
-@@ -65,4 +65,4 @@ REQUIRES = nspr
- 
- LIBRARY_NAME = nsspem
- 
--#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
-+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

renegotiate-transitional.patch

@@ -1,12 +1,12 @@
 diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.transitional	2016-03-05 08:54:13.871412639 -0800
-+++ ./nss/lib/ssl/sslsock.c	2016-03-05 09:00:27.721889811 -0800
-@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,                /* noLocks            */
-     PR_FALSE,                /* enableSessionTickets */
-     PR_FALSE,                /* enableDeflate      */
--    2,                       /* enableRenegotiation (default: requires extension) */
-+    3,                       /* enableRenegotiation (default: transitional) */
-     PR_FALSE,                /* requireSafeNegotiation */
-     PR_FALSE,                /* enableFalseStart   */
-     PR_TRUE,                 /* cbcRandomIV        */
+--- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
++++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
+@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,              /* noLocks            */
+     PR_FALSE,              /* enableSessionTickets */
+     PR_FALSE,              /* enableDeflate      */
+-    2,                     /* enableRenegotiation (default: requires extension) */
++    3,                     /* enableRenegotiation (default: transitional) */
+     PR_FALSE,              /* requireSafeNegotiation */
+     PR_FALSE,              /* enableFalseStart   */
+     PR_TRUE,               /* cbcRandomIV        */

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -1,14 +1,23 @@
-diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
---- ./nss/lib/ssl/ssl3con.c.1185708_3des	2015-09-29 16:24:18.717593591 -0700
-+++ ./nss/lib/ssl/ssl3con.c	2015-09-29 16:25:22.672879926 -0700
-@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
++++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
   { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
   { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- #endif /* NSS_DISABLE_ECC */
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

sources

@@ -3,4 +3,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-2a3ffd2f46b60ecc116ac086343a537a  nss-3.24.0.tar.gz
+950263d15d1f055605bfb6e634a1a019  nss-3.25.0.tar.gz