Update to NSS 3.38

.gitignore

@@ -26,3 +26,4 @@ TestUser51.cert
 /nss-3.36.0.tar.gz
 /nss-3.36.1.tar.gz
 /nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz

nss-load-policy-file.patch

@@ -0,0 +1,79 @@
+# HG changeset patch
+# User David Woodhouse <David.Woodhouse@intel.com>
+# Date 1529655250 -7200
+#      Fri Jun 22 10:14:10 2018 +0200
+# Node ID d99e54ca9b6df33025ee9a196b8b942428bbff91
+# Parent  1a13c19d7fab53fd62786e05d6546a4abf66e48d
+Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
+
+We currently load the policy file after calling
+STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any
+tokens in the newly-added modules don't get initialised.
+
+Move it up by a few lines and fix up the indentation while we're at it.
+
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
++++ b/lib/nss/nssinit.c
+@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const ch
+         if (SECOID_Init() != SECSuccess) {
+             goto loser;
+         }
++#ifdef POLICY_FILE
++        /* Load the system crypto policy file if it exists,
++         * unless the NSS_IGNORE_SYSTEM_POLICY environment
++         * variable has been set to 1. */
++        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
++                SECMODModule *module = SECMOD_LoadModule(
++                    "name=\"Policy File\" "
++                    "parameters=\"configdir='sql:" POLICY_PATH "' "
++                    "secmod='" POLICY_FILE "' "
++                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
++                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
++                    parent, PR_TRUE);
++                if (module) {
++                    PRBool isLoaded = module->loaded;
++                    SECMOD_DestroyModule(module);
++                    if (!isLoaded) {
++                        goto loser;
++                    }
++                }
++            }
++        }
++#endif
+         if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+             goto loser;
+         }
+@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const ch
+                 }
+             }
+         }
+-#ifdef POLICY_FILE
+-        /* Load the system crypto policy file if it exists,
+-         * unless the NSS_IGNORE_SYSTEM_POLICY environment
+-         * variable has been set to 1. */
+-        ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+-        if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+-            if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+-                SECMODModule *module = SECMOD_LoadModule(
+-                    "name=\"Policy File\" "
+-                    "parameters=\"configdir='sql:" POLICY_PATH "' "
+-                    "secmod='" POLICY_FILE "' "
+-                    "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+-                    "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+-                    parent, PR_TRUE);
+-                if (module) {
+-                    PRBool isLoaded = module->loaded;
+-                    SECMOD_DestroyModule(module);
+-                    if (!isLoaded) {
+-                        goto loser;
+-                    }
+-                }
+-            }
+-        }
+-#endif
+         pk11sdr_Init();
+         cert_CreateSubjectKeyIDHashTable();
+ 

nss.spec

@@ -1,6 +1,6 @@
 %global nspr_version 4.19.0
-%global nss_util_version 3.37.3
-%global nss_softokn_version 3.37.3
+%global nss_util_version 3.38.0
+%global nss_softokn_version 3.38.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,7 +18,7 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.37.3
+Version:          3.38.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release:          1.0%{?dist}
@@ -116,6 +116,7 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
+Patch60: nss-load-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
 Patch63: nss-sql-default.patch
 
@@ -200,6 +201,7 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
+%patch60 -p1 -b .load_policy_file
 %patch62 -p1 -b .skip_util_gtest
 %patch63 -p1 -R -b .sql-default
 popd
@@ -809,6 +811,9 @@ fi
 
 
 %changelog
+* Tue Jul  3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
+- Update to NSS 3.38
+
 * Tue Jun  5 2018 Daiki Ueno <dueno@redhat.com> - 3.37.3-1.0
 - Update to NSS 3.37.3
 

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.37.3.tar.gz) = 11b21818f9fcff11d0e7f4c066ae9fbce0052a30a6b30df9a20022792039b5348554834a472e1b1195e467b9902067f9719678d5ca32efb4e60f1df161feed6f
+SHA512 (nss-3.38.0.tar.gz) = eb63f1c44adbbd97dc766e8545c72303f3cb18f1bfb2af67c33cdb1a1a9a1cc432a64afbafabd7a5bb3f08cb36db74ed81e5cfa1fc4bd35ae76e183f3205afed