From e557c2c2a153ff3ec2b7752174f43eb09d2d3261 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 10 Dec 2018 10:45:52 +0100
Subject: [PATCH] Update to NSS 3.41

---
 .gitignore                                    |   1 +
 PayPalEE.cert                                 | Bin 2012 -> 0 bytes
 PayPalICA.cert                                | Bin 1210 -> 0 bytes
 nss-tests-paypal-certs-v2.patch               |  29 ------------------
 nss.spec                                      |  14 +++------
 ...8-enable-ecc-3des-ciphers-by-default.patch |  23 --------------
 sources                                       |   2 +-
 7 files changed, 7 insertions(+), 62 deletions(-)
 delete mode 100644 PayPalEE.cert
 delete mode 100644 PayPalICA.cert
 delete mode 100644 nss-tests-paypal-certs-v2.patch
 delete mode 100644 rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

diff --git a/.gitignore b/.gitignore
index b0fa934..357bdc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,3 +31,4 @@ TestUser51.cert
 /nss-3.38.0.tar.gz
 /nss-3.39.tar.gz
 /nss-3.40.1.tar.gz
+/nss-3.41.tar.gz
diff --git a/PayPalEE.cert b/PayPalEE.cert
deleted file mode 100644
index aef4086762a88dd5d7df06a7f4e23ea2f502c83c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2012
zcma)7c~BE)6yMz}3j_$n4H6M#6-4Fy5+UM+a*9wWg5WuYkgOq@n1mz{5wsEnuX>b2
z@j|GmpaWh=Wx#r&SQW$ziwDYhR4WzH3W%cJMbTjY>CR*}@4er<zwfs|Z~O<)W2cH3
z2#g?B@PgZm;_AYZZK_tgjW}@QF0jB%U9v;6yDebY%m@O>JTqX5F=9{*M`EIR)&Qpk
zCT<=ml}H0fwU(Hv5b=fq8(M9KTj_K<4>4sDQ6>+Oaxu>f@M#kRcm3iK9pc9)f|h7W
zg_sl*u|m02EYwPs3L=_Rr;utQzz>YDvEcatAIiJ`nQvpk2bAc;qh0{a2N`#H_Fy<2
z*wUO6sg|Y)wIuPqS|U_Pm-ffv;ed^qxneL1>nBV>U`BuWbe#rD1UCsJ<wBiMP4cV&
ziw<Xm8;=J(FTP;H;Ku22l-UGl22k}bQmPeFA&(6#X{9l45-n5^p-K&DFrY|bYNSx^
zM$gBC#{olVq#14&5Ewy3C#zISwU%cCtZ6L+XVGI*2~$-<IXyI>hesJM0ycsede{=8
z^h`t#!%$;!?}K6MZmpkHe=}iaCSHB3t0DKC>Z)`e!?ki9#EGoZZ96jM9e!v<M2xLT
zd@(k4`Zeg9B*^!$a}Wn2my{o!8204K*qlb+%7v%x(q`_9@59_?xmvN|-btE5_v)@S
zQI&k+vg>VGoV=IUx_Qs0imL^>gso@y9}9UH;B<1{=}!K4Tkc~g(xMWr91_!it|)0a
z(;b$b$=x%zrm^bBt`64Heev8)`-j*XwR^Ky{^@kMu;JIkxusQTVYtn)rxmvzZ9h8o
zbh%i>K0nV|hRG{-xeDrgWaYqRx+v$3CiGQwB0q{%?4A|3wMd+mu*24ld2{Uvw=v~)
zefz7zPo^OZ7=m}}8NEQy=mHMZ5bYgNE*QFkGxd7pp5~(R7q3I(ndJ46H+p)SErC4^
zV4*`%PR*nzrQ@K2mHgC3-Aj0J95Yo^4Knu7b~c)^6J%`Df3pkykVL6Qt5l~N>_=~|
z9VCeiB@2<jP~?co6jH8Kk!nM&xyn$o{<?l;f{YYtHS{UavqXzE2C)7EYHta{A5oNn
z7!`eLYcx6(a4-|<q#GF-GvF`(5RgoF<$x-H9C#J+i$JzVqE@S#<mo9=%f}D8q@J2Y
zA>W-$ao6-;Kz9k>gTnmR%j^Gmh0$pVG!XcM37Bbob_kr^Cr4o50>%y$hrmPa=vp*X
zG2aq~XFy~$Fvg4|8RjqyGFA`xz%ZH)mI9{%8Nk`x&;2Mx8r7i6K-3o$k{vwIwUFi{
z%^;xX04LFuG{8t-3F#9b1^7|Z&;oP1FPxq}0_dB#9Aoy=OLHoMBB&l#P(K-*2<f1b
zYST@X+_{`pHTW-=B`W3=?*jDg@cYLf>Ka%VEbdxC5KK<02uOz@lmUf+U}Pk8sU^=P
zewy;&EBO5#_bdLH7BNAQUflB!1nL(hLD+gz3X;on5X=y~cc|^0t@EE;zOy*lzu+JL
zz*24Jic0%;e+NOyP%H=A=6UN(`}H?%CjyW7)(59l*KTDmJk^m`5YxP->E7qWE&Yju
zK_Eh?JR54bSx5O#yloqOx3tDz-Z16Bg;u}u*jZx1+s<hcgh*=eXNUKE829|yHR*<l
z9kQnfALTt3<jhvYO5EDzFJD3_P)*DIT8Fhs$8z%=x9rbJo8dDjpLrnasqLoCV!?(H
zSF=8)4NUA$I|BsK{k~T1n7BD}SFEam6Wa5(k^kX2bUT0I_?kAmrry_KGZ11(X?NN<
z&3tdZ9NiU?jxQZUzT_5kCe^9myjs}(m`E_>N9sdG@gocsKQH{T-o|6BXSkV9e$9f5
zg&d!s+V?s-J4}`tw?>5du|K@%>(1NI<nHW0`PI~?Wye@^S9LVbcFF&1=hl*8Ihtqt
zp4@#nO?`WgEq|lQ$o1tD3YzBlO2k$fzs)(xI$5xK`+-jGvZPR6`{B4zKjfFTBFpQR
zJ*sH-Mp}qF>wnK=_&cV@?+cFshn#EIbwre{9@l37`ka%d%s6Q~y3x*E;M!a-eSGtB
zW=&J_shmp7To1zffjnw&Sx9VN(ABjvVeP{RCrMg!Nncy#$G692cP?W2ZEx})b(Fo+
qE}vG|SJCQVuejF*)!p3fg*ZFf21kzuGv^DsEzby736eZcT>2NRS<mbM

diff --git a/PayPalICA.cert b/PayPalICA.cert
deleted file mode 100644
index dd14c1b21886d9e63559403e819aa2ac2b516b9b..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1210
zcmXqLV%cWU#5`{SGZP~dlK@ZUN|y~if>RYHCB{F>mTflRW#iOp^Jx3d%gD&h%3zRV
z$Zf#M#vIDRCd?EXY$$3V4B~JJ^SETDXF8`Al_+@TB^yc_h=YW=g$2sX%k@%#QprFm
zz2y8{Lu~_1kQB495?qHzW_pH#V{vh5QDR<ls)B2nLQsBwiGs7Eft)z6p|PQXk&&U1
z0T4uq^BP$oaSci-b&ZLE5yUmxaMuKTI2tLqR+OaXrKF}PgeB%=rX-eR=I1E{rxul^
z7J;1A#HfTEE{v=U%uS5^3_x)%rY1&4hU>vgSOR~{Tqfq>ovyxWvgZZMw>%p*FtmS6
z*Jx|)=}W$~XQP9~qsw34EM=A0VQY7Ernu1?iJo5{d6uOpww`7eFxe2)p)H>=`_jgK
zp$(faJ@1g0e{WG95**)9X|E@>YK5G)Ht*`~$vaKA*NW_k^u8bHb!p)vo<|d!+OyWZ
zx}I`vM(B&b>!kv6LiPxL`s?*+?(TZNFIV^ViFFEv-Z)Tb^6uLm-8V<tRoi-RC_dTX
z%hP$sQce8sx9d|{Z?Gs9%+1gLAG1sHq3h|eaE&?{UdQlN+jpq%-uUE~)_X<eQmM7N
zv)fF2=9F(OUVCGT?vu|vbKf2GOR5t;P&iNL-p8K;8j{9L%!~|-i<=ldfg$2*AOs9y
zSz$)T|12B^Y(R>Mk->luB*qUCV*#eSHUn7@UzJ77K!lA$n~jl`m7SRp&SEk!fw37G
zSu_mP3{+rz1I9LqjFOT9D}DX^<l+L9q-Nj^GE|<$#lXqHVS(KOn>H(`(&VBX6BMQT
zu-FGBMR-bd4Fjb^XGcAtdIMXKVG1l}2B0Lv0%S56Xc=h0+`+^sCId3O80Zl6B(Lur
z5Df7kABz}^i0$QorPmg$efQZbfh+a0;*}piuJIelgG^UukuVTz5ZP#VIFtFues{(z
zGt{IwnBFI+XdgySZoq5^Om2(}bGKcX(Dty6>Fv=4A53IQ4)&IvY2#Y)!K=&Zn*E8D
zzH4hZ);`-7uw#*wZwLEEO~pIUZymEyeDGM%vtUh?EaQ?>f>z<HYs0l1O8#D!ZIuYP
zAMRedur^dd&)qzrsHeV3`chKAE_2ka!zUJ=(+OI{ko>xMSK$dyb>-<Pt@AAS)+T4z
z><Vg(s9dbWbN^oMYr{{w7S!Z?)VcC-Z+VM3^EsofCuTKDc}?=OcAM4uuX)kWc|D8I
z@WySnJ<n3nFCtQHH0L<OvX~=V7l!smg=H*JDp+OHSa@^p3RmkdProe+ynDPl=|w(I
i$?F}re(Z1OtqhnrVYY<z#7OmzrW(Sl)#|Q(uL1xCVyYGZ

diff --git a/nss-tests-paypal-certs-v2.patch b/nss-tests-paypal-certs-v2.patch
deleted file mode 100644
index 8f37f8c..0000000
--- a/nss-tests-paypal-certs-v2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1541595734 -3600
-#      Wed Nov 07 14:02:14 2018 +0100
-# Node ID 19fd907784e38a5febb54588353368af91b12551
-# Parent  3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
-Bug 1505317, update PayPal test certs
-
-diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
---- a/tests/chains/scenarios/realcerts.cfg
-+++ b/tests/chains/scenarios/realcerts.cfg
-@@ -21,7 +21,7 @@ verify TestUser51:x
-   result pass
- 
- verify PayPalEE:x
--  policy OID.2.16.840.1.114412.1.1 
-+  policy OID.2.16.840.1.114412.2.1 
-   result pass
- 
- verify BrAirWaysBadSig:x
-diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
---- a/tests/libpkix/vfychain_test.lst
-+++ b/tests/libpkix/vfychain_test.lst
-@@ -1,4 +1,4 @@
- # Status | Leaf Cert | Policies | Others(undef)
- 0 TestUser50 undef
- 0 TestUser51 undef
--0 PayPalEE OID.2.16.840.1.114412.1.1
-+0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/nss.spec b/nss.spec
index 7990c04..f17220e 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.20.0
-%global nss_version 3.40.1
+%global nss_version 3.41.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
@@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          3%{?dist}
+Release:          1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -94,15 +94,9 @@ Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
-Source29:         PayPalICA.cert
-Source30:         PayPalEE.cert
 
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch2:           nss-539183.patch
-# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
-Patch5:           rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
-Patch6:           nss-tests-paypal-certs-v2.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -234,7 +228,6 @@ Header and library files for doing development with Network Security Services.
 %setup -q -n %{name}-%{nss_archive_version}
 pushd nss
 %autopatch -p1
-cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
 popd
 
 
@@ -854,6 +847,9 @@ update-crypto-policies
 
 
 %changelog
+* Mon Dec 10 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-1
+- Update to NSS 3.41
+
 * Thu Dec  6 2018 Daiki Ueno <dueno@redhat.com> - 3.40.1-3
 - Switch to gyp buildsystem
 - Remove unnecessary patches
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
deleted file mode 100644
index 2fbdbe9..0000000
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
-+++ nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- 
-  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/sources b/sources
index bd84a22..d5a8214 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.40.1.tar.gz) = 464ae843161e8deb911975d2117e8bf1194a968689b4ce70f9a12d5a33dba7ddd69f1248ec45244139c30fcc87678b206a4e124f032b26ead8bf894e4e8d0564
+SHA512 (nss-3.41.tar.gz) = b5a43fe86ded664002fd714c493d9222a64539cd6139b64720625d1742fec5100712cbe401c90c79196e9cbad9ec07d9b4f0f517ce34e4b207beaa3e01c9e114