Update to NSS 3.26.0

.gitignore

@@ -9,4 +9,4 @@ TestUser50.cert
 TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.25.0.tar.gz
+/nss-3.26.0.tar.gz

nss-check-policy-file.patch

@@ -0,0 +1,89 @@
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -105,16 +105,17 @@ secmod_NewModule(void)
+  *   This  allows system NSS to delegate those changes to the user's module DB, 
+  *   preserving the user's ability to load new PKCS #11 modules (which only 
+  *   affect him), from existing applications like Firefox.
+  */
+ #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
+ 						  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY   0x08
+ 
+ 
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+  *
+  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
+  *   the internal module (that is, softoken). This bit is the same as the 
+  *   already existing meaning of internal = PR_TRUE. None of the other 
+@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
+     if (mod->isModuleDB) {
+ 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
+ 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
+ 	}
+ 	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ 	}
++	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++	}
+ 	/* additional moduleDB flags could be added here in the future */
+ 	mod->isModuleDB = (PRBool) flags;
+     }
+ 
+     if (mod->internal) {
+ 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
+ 
+ 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
+@@ -738,16 +742,24 @@ PRBool
+ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+ {
+    char flags = (char) mod->isModuleDB;
+ 
+    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++   char flags = (char) mod->isModuleDB;
++
++   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+    char flags = (char) mod->internal;
+ 
+    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ void
+@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
+     if (library) PORT_Free(library);
+     if (moduleName) PORT_Free(moduleName);
+     if (parameters) PORT_Free(parameters);
+     if (nss) PORT_Free(nss);
+     if (config) PORT_Free(config);
+     if (!module) {
+ 	goto loser;
+     }
++
++    /* a policy only stanza doesn't actually get 'loaded'. policy has already
++     * been parsed as a side effect of the CreateModuleEx call */
++    if (secmod_PolicyOnly(module)) {
++	return module;
++    }
+     if (parent) {
+     	module->parent = SECMOD_ReferenceModule(parent);
+ 	if (module->internal && secmod_IsInternalKeySlot(parent)) {
+ 	    module->internal = parent->internal;
+ 	}
+     }
+ 
+     /* load it */

nss-skip-ecperf.patch

@@ -1,11 +1,12 @@
 diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
---- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
-@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
+--- ./cmd/manifest.mn.skip_ecperf	2016-08-05 17:43:39.000000000 +0200
++++ ./cmd/manifest.mn	2016-08-10 13:11:02.416273517 +0200
+@@ -42,8 +42,6 @@ NSS_SRCDIRS = \
   dbtest \
   derdump  \
   digest  \
 - ecperf \
+- ectest \
   httpserv  \
   listsuites \
   makepqg  \

nss.spec

@@ -1,6 +1,6 @@
 %global nspr_version 4.12.0
-%global nss_util_version 3.25.0
-%global nss_softokn_version 3.25.0
+%global nss_util_version 3.26.0
+%global nss_softokn_version 3.26.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.25.0
+Version:          3.26.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.2%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -51,8 +51,11 @@ BuildRequires:    perl
 # removed.  See https://bugzilla.redhat.com/1346806 for details.
 Requires:         nss-pem
 
-%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
-%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
 
 Source0:          %{name}-%{full_nss_version}.tar.gz
 Source1:          nss.pc.in
@@ -92,8 +95,11 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-Patch61: nss-skip-util-gtest.patch
-# TODO: file a bug upstream similar to the one for rsaperf
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch59: nss-check-policy-file.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
+Patch62: nss-skip-util-gtest.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1293944
 Patch70: nss-skip-ecperf.patch
 
 %description
@@ -165,6 +171,7 @@ low level services.
 
 %prep
 %setup -q
+%setup -q -T -D -n %{name}-%{version}
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
@@ -175,7 +182,8 @@ low level services.
 %patch50 -p0 -b .iquote
 %patch58 -p0 -b .1185708_3des
 pushd nss
-%patch61 -p1 -b .skip_util_gtest
+%patch59 -p1 -b .check_policy_file
+%patch62 -p0 -b .skip_util_gtest
 %patch70 -p1 -b .skip_ecperf
 popd
 
@@ -185,7 +193,7 @@ popd
 # until fixed upstream we must copy some headers locally
 #########################################################
 
-# Copying these header until the upstream bug is accepted
+# Copying these headers until the upstream bug is accepted
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
@@ -208,12 +216,6 @@ popd
 ######## Remove portions that need to statically link with libnssutil.a
 %{__rm} -rf ./nss/external_tests/util_gtests
 
-pushd nss/tests/ssl
-# Create versions of sslcov.txt and sslstress.txt that disable tests
-# for non policy compliant ciphers.
-cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt
-cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt
-popd
 
 %build
 
@@ -287,6 +289,12 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
 
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which is exported privately,
 # copy the one we saved during prep so it they can find it.
@@ -391,6 +399,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
 
 # End -- copied from the build section
 
+export NSS_IGNORE_SYSTEM_POLICY=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -435,13 +445,13 @@ pushd ./nss/tests/
 #  the full list from all.sh is:
 #  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
-#  nss_ssl_run: cov auth stress
+#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+#  nss_ssl_run: cov auth stapling stress
 #
 # Uncomment these lines if you need to temporarily
 # disable some test suites for faster test builds
-# global nss_ssl_tests "normal_fips"
-# global nss_ssl_run "cov auth"
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
 
 SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
 
@@ -779,6 +789,13 @@ fi
 
 
 %changelog
+* Mon Aug  8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-1.0
+- Rebase to NSS 3.26.0
+- Update check policy file patch to better match what was upstreamed
+- Remove conditionally ignore system policy patch as it has been upstreamed
+- Skip ectest as well as ecperf, which are built as part of nss-softokn
+- Fix rpmlint error regarding %%define usage
+
 * Wed Jul 20 2016 Kamil Dudka <kdudka@redhat.com> - 3.25.0-1.2
 - decouple nss-pem from the nss package (#1347336)
 

sources

@@ -3,4 +3,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-950263d15d1f055605bfb6e634a1a019  nss-3.25.0.tar.gz
+6afba822ab9da3ae4e948a9fd5501289  nss-3.26.0.tar.gz