Rebase to NSS 3.81

.gitignore

@@ -72,3 +72,4 @@ TestUser51.cert
 /nss-3.77.tar.gz
 /nss-3.79.tar.gz
 /nspr-4.34.tar.gz
+/nss-3.81.tar.gz

nss-3.79-fix-client-cert-crash.patch

@@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg,
+                                                pw_arg);
+         } else {
+             int nnames = 0;
+             char **names = ssl_DistNamesToStrings(caNames, &nnames);
+             rv = CERT_FilterCertListByCANames(certList, nnames, names,
+                                               certUsageSSLClient);
+             ssl_FreeDistNamesStrings(names, nnames);
+         }
+-        if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
++        if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) {
+             CERT_DestroyCertList(certList);
+             certList = NULL;
+         }
+     }
+     if (certList == NULL) {
+         /* no user certs meeting the nickname/usage requirements found */
+         return SECFailure;
+     }
+

nss.spec

@@ -1,5 +1,5 @@
 %global nspr_version 4.34.0
-%global nss_version 3.79.0
+%global nss_version 3.81.0
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
@@ -7,7 +7,7 @@
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %baserelease
+%global nspr_release [%baserelease+2]
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -131,6 +131,9 @@ Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
 
+# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654
+Patch50:	nss-3.79-fix-client-cert-crash.patch
+
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
 
@@ -1087,11 +1090,17 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Thu Jun 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1
+- udpate to NSS 3.81
+
+* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
+- Fix crash when getting client cert and there is none in the database.
+
 * Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
 - Update to NSS 3.79
 - Update to NSPR 4.34
 
-* Tue Apr 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
+* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
 - Update to 3.77
 
 * Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
@@ -1178,7 +1187,7 @@ update-crypto-policies &> /dev/null || :
 - Consolidate NSPR package with this package
 
 * Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.58.0-4
-- fix pkix ocsp to tolerate OCSP checking on intermediates 
+- fix pkix ocsp to tolerate OCSP checking on intermediates
   when the root is signed by sha1 and sha1 is disabled by
   policy
 

sources

@@ -1,4 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (nspr-4.34.tar.gz) = 4cfac886c14cf7df4c4b79fa1c3bc92e1b14260c9c3018fa2562060d62fecb4e66c0b4e8f7edf4f4823def784a919d99dde88a89674f0cd8a644310b0569ead4
-SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d
+SHA512 (nss-3.81.tar.gz) = 206faa29ff9fc9c70f85cbb86690b55bd11003a1a5b1d49f5f3731fdd1221690f957a17d912ee5272505afb938968327f4532ae8f5d2d77e6e13370768229747