From 40928cb8e33ef2b3cc7adc988f87fa36e7f00261 Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldonado@localhost.localdomain>
Date: Fri, 6 Jan 2012 15:50:45 -0800
Subject: [PATCH] - Resolves: Bug 770682 - nss update breaks pidgin-sipe
 connectivity

- Set NSS_SSL_CBC_RANDOM_IV to 0 by default and change to 1 on user request
---
 nss-ssl-cbc-random-iv-off-by-default.patch | 25 ++++++++++++++++++++++
 nss.spec                                   |  8 ++++++-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 nss-ssl-cbc-random-iv-off-by-default.patch

diff --git a/nss-ssl-cbc-random-iv-off-by-default.patch b/nss-ssl-cbc-random-iv-off-by-default.patch
new file mode 100644
index 0000000..28dfa48
--- /dev/null
+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
@@ -0,0 +1,25 @@
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.compatible ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.compatible	2012-01-05 13:54:36.430389994 -0800
++++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-01-05 13:55:25.810750394 -0800
+@@ -184,7 +184,7 @@ static sslOptions ssl_defaults = {
+     3,          /* enableRenegotiation (default: transitional) */
+     PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
+-    PR_TRUE     /* cbcRandomIV        */
++    PR_FALSE    /* cbcRandomIV        */ /* defaults to off for compatibility */
+ };
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;
+@@ -2359,9 +2359,9 @@ ssl_SetDefaultsFromEnvironment(void)
+ 	                PR_TRUE));
+ 	}
+ 	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+-	if (ev && ev[0] == '0') {
+-	    ssl_defaults.cbcRandomIV = PR_FALSE;
+-	    SSL_TRACE(("SSL: cbcRandomIV set to 0"));
++	if (ev && ev[0] == '1') {
++	    ssl_defaults.cbcRandomIV = PR_TRUE;
++	    SSL_TRACE(("SSL: cbcRandomIV set to 1"));
+ 	}
+     }
+ #endif /* NSS_HAVE_GETENV */
diff --git a/nss.spec b/nss.spec
index 2817b79..88abe25 100644
--- a/nss.spec
+++ b/nss.spec
@@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.13.1
-Release:          9%{?dist}
+Release:          10%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -70,6 +70,7 @@ Patch25:          nsspem-use-system-freebl.patch
 Patch26:          nofipstest.patch
 # include this patch in the upstream pem review
 Patch28:          nsspem-bz754771.patch
+Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
 
 
 %description
@@ -158,6 +159,7 @@ low level services.
 %patch25 -p0 -b .systemfreebl
 %patch26 -p0 -b .nofipstest
 %patch28 -p0 -b .754771
+%patch29 -p0 -b .770682
 
 
 %build
@@ -572,6 +574,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
 * Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
 - Revert to using current nss_softokn_version
 - Patch to deal with lack of sha224 is no longer needed