Update several patches on account of the new sources

disableSSL2libssl.patch

@@ -1,7 +1,12 @@
-diff -up ./nss/lib/ssl/config.mk.disableSSL2libssl ./nss/lib/ssl/config.mk
---- ./nss/lib/ssl/config.mk.disableSSL2libssl	2015-12-16 14:41:26.611408723 -0800
-+++ ./nss/lib/ssl/config.mk	2015-12-16 14:41:45.048957300 -0800
-@@ -7,6 +7,10 @@ ifdef NISCC_TEST
+diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
+--- a/lib/ssl/config.mk
++++ b/lib/ssl/config.mk
+@@ -2,16 +2,20 @@
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ ifdef NISCC_TEST
  DEFINES += -DNISCC_TEST
  endif
  
@@ -12,10 +17,20 @@ diff -up ./nss/lib/ssl/config.mk.disableSSL2libssl ./nss/lib/ssl/config.mk
  # Allow build-time configuration of TLS 1.3 (Experimental)
  ifdef NSS_ENABLE_TLS_1_3
  DEFINES += -DNSS_ENABLE_TLS_1_3
-diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.disableSSL2libssl	2015-12-16 14:41:15.573678468 -0800
-+++ ./nss/lib/ssl/sslsock.c	2015-12-16 14:57:21.139885163 -0800
-@@ -710,6 +710,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ endif
+ 
+ ifdef NSS_NO_PKCS11_BYPASS
+ DEFINES += -DNO_PKCS11_BYPASS
+ else
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -705,16 +705,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+         if (ss->cipherSpecs) {
+             PORT_Free(ss->cipherSpecs);
+             ss->cipherSpecs     = NULL;
+             ss->sizeCipherSpecs = 0;
+         }
          break;
  
        case SSL_ENABLE_SSL2:
@@ -28,7 +43,17 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
          if (IS_DTLS(ss)) {
              if (on) {
                  PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -734,6 +740,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+                 rv = SECFailure; /* not allowed */
+             }
+             break;
+         }
+         if (on) {
+@@ -729,52 +735,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+             ss->opt.v2CompatibleHello = on;
+         }
+         ss->preferredCipher     = NULL;
+         if (ss->cipherSpecs) {
+             PORT_Free(ss->cipherSpecs);
              ss->cipherSpecs     = NULL;
              ss->sizeCipherSpecs = 0;
          }
@@ -36,7 +61,15 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
          break;
  
        case SSL_NO_CACHE:
-@@ -749,6 +756,12 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+         ss->opt.noCache = on;
+         break;
+ 
+       case SSL_ENABLE_FDX:
+         if (on && ss->opt.noLocks) {
+             PORT_SetError(SEC_ERROR_INVALID_ARGS);
+             rv = SECFailure;
+         }
+         ss->opt.fdx = on;
          break;
  
        case SSL_V2_COMPATIBLE_HELLO:
@@ -49,7 +82,11 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
          if (IS_DTLS(ss)) {
              if (on) {
                  PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -760,6 +773,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+                 rv = SECFailure; /* not allowed */
+             }
+             break;
+         }
+         ss->opt.v2CompatibleHello = on;
          if (!on) {
              ss->opt.enableSSL2    = on;
          }
@@ -57,7 +94,7 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
          break;
  
        case SSL_ROLLBACK_DETECTION:
-@@ -767,9 +781,16 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+         ss->opt.detectRollBack = on;
          break;
  
        case SSL_NO_STEP_DOWN:
@@ -74,7 +111,17 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
          break;
  
        case SSL_BYPASS_PKCS11:
-@@ -1240,6 +1261,22 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+         if (ss->handshakeBegun) {
+             PORT_SetError(PR_INVALID_STATE_ERROR);
+             rv = SECFailure;
+         } else {
+             if (PR_FALSE != on) {
+@@ -1235,16 +1256,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+     }
+     return SECSuccess;
+ }
+ 
+ /* function tells us if the cipher suite is one that we no longer support. */
  static PRBool
  ssl_IsRemovedCipherSuite(PRInt32 suite)
  {
@@ -97,3 +144,8 @@ diff -up ./nss/lib/ssl/sslsock.c.disableSSL2libssl ./nss/lib/ssl/sslsock.c
      switch (suite) {
      case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
      case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+     case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+         return PR_TRUE;
+     default:
+         return PR_FALSE;
+     }

disableSSL2tests.patch

@@ -1,7 +1,12 @@
-diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
---- ./nss/tests/ssl/ssl.sh.disableSSL2tests	2015-12-16 13:32:08.000000000 -0800
-+++ ./nss/tests/ssl/ssl.sh	2015-12-16 15:15:48.353748930 -0800
-@@ -62,9 +62,14 @@ ssl_init()
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -57,19 +57,24 @@ ssl_init()
+   fi
+ 
+   PORT=${PORT-8443}
+   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+   nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
    NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
  
    # Test case files
@@ -18,7 +23,17 @@ diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
    SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
-@@ -121,7 +126,11 @@ is_selfserv_alive()
+   #temparary files
+   SERVEROUTFILE=${TMP}/tests_server.$$
+   SERVERPID=${TMP}/tests_pid.$$
+ 
+   R_SERVERPID=../tests_pid.$$
+@@ -116,17 +121,21 @@ is_selfserv_alive()
+   if [ "${OS_ARCH}" = "WINNT" ] && \
+      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+       PID=${SHELL_SERVERPID}
+   else
+       PID=`cat ${SERVERPID}`
    fi
  
    echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
@@ -31,7 +46,17 @@ diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
  
    echo "selfserv with PID ${PID} found at `date`"
  }
-@@ -144,7 +153,11 @@ wait_for_selfserv()
+ 
+ ########################### wait_for_selfserv ##########################
+ # local shell function to wait until selfserver is running and initialized
+ ########################################################################
+ wait_for_selfserv()
+@@ -139,17 +148,21 @@ wait_for_selfserv()
+   if [ $? -ne 0 ]; then
+       sleep 5
+       echo "retrying to connect to selfserv at `date`"
+       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+       echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
        ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
                -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
@@ -44,7 +69,17 @@ diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
        fi
    fi
    is_selfserv_alive
-@@ -215,15 +228,16 @@ start_selfserv()
+ }
+ 
+ ########################### kill_selfserv ##############################
+ # local shell function to kill the selfserver after the tests are done
+ ########################################################################
+@@ -210,25 +223,26 @@ start_selfserv()
+       ECC_OPTIONS=""
+   fi
+   if [ "$1" = "mixed" ]; then
+       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
+   fi
    echo "selfserv starting at `date`"
    echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
    echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
@@ -64,7 +99,17 @@ diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
        RET=$?
    fi
  
-@@ -280,6 +294,12 @@ ssl_cov()
+   # The PID $! returned by the MKS or Cygwin shell is not the PID of
+   # the real background process, but rather the PID of a helper
+   # process (sh.exe).  MKS's kill command has a bug: invoking kill
+   # on the helper process does not terminate the real background
+   # process.  Our workaround has been to have selfserv save its PID
+@@ -275,16 +289,22 @@ ssl_cov()
+   exec < ${SSLCOV}
+   while read ectype testmax param testname
+   do
+       echo "${testname}" | grep "EXPORT" > /dev/null 
+       EXP=$?
        echo "${testname}" | grep "SSL2" > /dev/null
        SSL2=$?
  
@@ -77,3 +122,8 @@ diff -up ./nss/tests/ssl/ssl.sh.disableSSL2tests ./nss/tests/ssl/ssl.sh
        if [ "${SSL2}" -eq 0 ] ; then
            # We cannot use asynchronous cert verification with SSL2
            SSL2_FLAGS=-O
+           VMIN="ssl2"
+       else
+           # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
+           # default in libssl but it is enabled by default in tstclnt; we want
+           # to test the libssl default whenever possible.

nss.spec

@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.21.6
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -191,8 +191,10 @@ low level services.
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
 %patch59 -p0 -b .compile_Werror
-%patch52 -p0 -b .disableSSL2libssl
+pushd nss
+%patch52 -p1 -b .disableSSL2libssl
 %patch53 -p1 -b .disableSSL2tests
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -826,9 +828,10 @@ fi
 
 
 %changelog
-* Wed Dec 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.5-2
+* Wed Dec 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.6-1.0
 - Update sources to new version from upstream BUG1168917_BRANCH 
 - Includes latest checkin for policy work
+- Update several patches on account of the new sources
 
 * Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-4
 - Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0