From 3edcb8bd09bc0f594557cc66af8a0758ebfe59eb Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 9 Mar 2018 13:59:41 +0100
Subject: [PATCH] Update to NSS 3.36.0

---
 .gitignore                     |  1 +
 nss.spec                       | 15 ++++-----
 renegotiate-transitional.patch | 24 +++++++--------
 sign-sprintf-check.patch       | 56 ----------------------------------
 sources                        |  2 +-
 5 files changed, 22 insertions(+), 76 deletions(-)
 delete mode 100644 sign-sprintf-check.patch

diff --git a/.gitignore b/.gitignore
index 6851b31..78580fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,4 @@ TestUser51.cert
 /nss-3.33.0.tar.gz
 /nss-3.34.0.tar.gz
 /nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
diff --git a/nss.spec b/nss.spec
index 31b3054..778d6bd 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,15 +1,15 @@
-%global nspr_version 4.18.0
-%global nss_util_version 3.35.0
-%global nss_softokn_version 3.35.0
+%global nspr_version 4.19.0
+%global nss_util_version 3.36.0
+%global nss_softokn_version 3.36.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.35.0
+Version:          3.36.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          5%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -90,7 +90,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
-Patch63: sign-sprintf-check.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -174,7 +173,6 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p1 -b .skip_util_gtest
-%patch63 -p2 -b .sign-sprintf-check
 popd
 
 #########################################################
@@ -748,6 +746,9 @@ done
 
 
 %changelog
+* Fri Mar  9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-2
+- Update to NSS 3.36.0
+
 * Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.35.0-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 
diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch
index 73b366b..d3aa3bd 100644
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@@ -1,12 +1,12 @@
-diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
-+++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
-@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,              /* noLocks            */
-     PR_FALSE,              /* enableSessionTickets */
-     PR_FALSE,              /* enableDeflate      */
--    2,                     /* enableRenegotiation (default: requires extension) */
-+    3,                     /* enableRenegotiation (default: transitional) */
-     PR_FALSE,              /* requireSafeNegotiation */
-     PR_FALSE,              /* enableFalseStart   */
-     PR_TRUE,               /* cbcRandomIV        */
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
++++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,
diff --git a/sign-sprintf-check.patch b/sign-sprintf-check.patch
deleted file mode 100644
index c213946..0000000
--- a/sign-sprintf-check.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff -up ./nss/cmd/signtool/sign.c.org ./nss/cmd/signtool/sign.c
---- ./nss/cmd/signtool/sign.c.org	2018-01-18 15:19:59.000000000 +0100
-+++ ./nss/cmd/signtool/sign.c	2018-01-29 22:46:32.599450048 +0100
-@@ -83,7 +83,12 @@ SignArchive(char *tree, char *keyName, c
-         /* rsa/dsa to zip */
-         sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
-                                                                    : "rsa"));
--        sprintf(fullfn, "%s/%s", tree, tempfn);
-+        if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
-+            PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
-+                       tree);
-+            errorCount++;
-+            exit(ERRX);
-+        }
-         JzipAdd(fullfn, tempfn, zipfile, compression_level);
- 
-         /* Loop through all files & subdirectories, add to archive */
-@@ -93,12 +98,22 @@ SignArchive(char *tree, char *keyName, c
-     }
-     /* mf to zip */
-     strcpy(tempfn, "META-INF/manifest.mf");
--    sprintf(fullfn, "%s/%s", tree, tempfn);
-+    if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
-+        PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
-+                   tree);
-+        errorCount++;
-+        exit(ERRX);
-+    }
-     JzipAdd(fullfn, tempfn, zipfile, compression_level);
- 
-     /* sf to zip */
-     sprintf(tempfn, "META-INF/%s.sf", base);
--    sprintf(fullfn, "%s/%s", tree, tempfn);
-+    if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
-+        PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
-+                   tree);
-+        errorCount++;
-+        exit(ERRX);
-+    }
-     JzipAdd(fullfn, tempfn, zipfile, compression_level);
- 
-     /* Add the rsa/dsa file to the zip archive normally */
-@@ -106,7 +121,12 @@ SignArchive(char *tree, char *keyName, c
-         /* rsa/dsa to zip */
-         sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
-                                                                    : "rsa"));
--        sprintf(fullfn, "%s/%s", tree, tempfn);
-+        if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
-+            PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
-+                       tree);
-+            errorCount++;
-+            exit(ERRX);
-+        }
-         JzipAdd(fullfn, tempfn, zipfile, compression_level);
-     }
- 
diff --git a/sources b/sources
index 9e54a2c..844333f 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.35.0.tar.gz) = a9865fd11d8b2ab83b57b1b50fe6f0d3a6d936f7ae4d0817e9dd1bf3e5182ff7f26ebc21fe7490c3dea2b792e4e4302af876ac70750e8e1f4da6bb710fd3002e
+SHA512 (nss-3.36.0.tar.gz) = 02559b724d1665be495e52155242a154f9d18c985ff6c180db8ee99460ead12d6a4059f13a8a0b0b6864b643f2435b2e0b45de023c678a4514833f1795c4d6fe