From a046ce773a88393f9529282dcdd0acfa2fcd9065 Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Tue, 15 Sep 2015 16:21:10 -0700
Subject: [PATCH] Enable ECC cipher-suites by default [hrbz#1185708]

---
 nss.spec                                      | 15 +++-
 ..._sslauth_sni_tests_client_side_fixes.patch | 38 +++++++++
 ...185708-enable-ecc-ciphers-by-default.patch | 77 +++++++++++++++++++
 3 files changed, 129 insertions(+), 1 deletion(-)
 create mode 100644 ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
 create mode 100644 rhbz1185708-enable-ecc-ciphers-by-default.patch

diff --git a/nss.spec b/nss.spec
index 3e1dd03..d414942 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.20.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          3%{?dist}
+Release:          4%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -92,6 +92,12 @@ Patch52:          disableSSL2libssl.patch
 Patch53:          disableSSL2tests.patch
 Patch54:          tstclnt-ssl2-off-by-default.patch
 Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
+# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
+Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
+# TODO: File a bug usptream
+Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -180,6 +186,10 @@ pushd nss
 popd
 %patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
+%patch56 -p1 -b .ocsp_sni
+pushd nss
+%patch57 -p1 -b .1185708
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -793,6 +803,9 @@ fi
 
 
 %changelog
+* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-4
+- Enable ECC cipher-suites by default [hrbz#1185708]
+
 * Mon Sep 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-3
 - Fix patches that disable ssl2 and export cipher suites support
 - Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
diff --git a/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch b/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
new file mode 100644
index 0000000..3ba7ae1
--- /dev/null
+++ b/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
@@ -0,0 +1,38 @@
+diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
+--- ./nss/tests/ssl/sslauth.txt.ocsp_sni	2015-05-28 10:50:45.000000000 -0700
++++ ./nss/tests/ssl/sslauth.txt	2015-08-30 08:49:22.025299419 -0700
+@@ -65,12 +65,12 @@
+ # SNI Tests
+ #
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+-  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+-  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
++  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
++  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
+-  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
++  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
+   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+-  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
++  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+-  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+-  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
++  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
++  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.ocsp_sni	2015-08-30 08:49:21.905301105 -0700
++++ ./nss/tests/ssl/ssl.sh	2015-08-30 08:49:22.017299531 -0700
+@@ -457,10 +457,10 @@ ssl_stapling_sub()
+     start_selfserv
+ 
+     echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
+-    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
++    echo "        -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
+     ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
+-	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
++	    -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+ 	    >${TMP}/$HOST.tmp.$$  2>&1
+     ret=$?
+     cat ${TMP}/$HOST.tmp.$$
diff --git a/rhbz1185708-enable-ecc-ciphers-by-default.patch b/rhbz1185708-enable-ecc-ciphers-by-default.patch
new file mode 100644
index 0000000..109feaf
--- /dev/null
+++ b/rhbz1185708-enable-ecc-ciphers-by-default.patch
@@ -0,0 +1,77 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -90,30 +90,30 @@ static ssl3CipherSuiteCfg cipherSuites[s
+    /*      cipher_suite                     policy       enabled   isPresent */
+ 
+ #ifndef NSS_DISABLE_ECC
+  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+     * bug 946147.
+     */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+@@ -121,24 +121,24 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+ #ifndef NSS_DISABLE_ECC
+- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */
+ 
+  /* RSA */
+  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},