Incorporate some upstream review suggestions

- Includes latest checkins for policy work on the branch
- Update several patches on account of the new sources

listsuites-do-queries.patch

@@ -0,0 +1,111 @@
+--- ./cmd/listsuites/listsuites.c.do_queries	2016-05-17 00:58:45.000000000 -0700
++++ ./cmd/listsuites/listsuites.c	2016-06-23 09:39:10.563925342 -0700
+@@ -7,19 +7,48 @@
+  *
+  * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
+  */
+ 
+ #include <errno.h>
+ #include <stdio.h>
+ #include "secport.h"
+ #include "ssl.h"
++#include "plgetopt.h"
++#include "secutil.h"
++#include "utilpars.h"
++#include "nspr.h"
++#include "nss.h"
++
++static const char *progName = "listsuites";
++char *ignoreVar;
++
++static char *policy_file_path(char *path)
++{
++    return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
++}
++
++static char *ignore_system_policy_value(char *var)
++{
++    ignoreVar = PR_GetEnvSecure(var);
++    return ignoreVar != NULL ? ignoreVar : "";
++}
++
++void Usage(const char *progName)
++{
++    fprintf(stderr,
++            "\nList cipher suites or parse a policy file or query\n"
++            "Usage: %s [-i policy_file] file to parse (default is list)\n",
++            progName);
++    exit(1);
++}
++
+ 
+ int
+-main(int argc, char **argv)
++list_suites(void)
+ {
+     const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+     int i;
+     int errCount = 0;
+ 
+     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
+ 
+     /* disable all the SSL3 cipher suites */
+@@ -56,8 +85,58 @@
+                 info.effectiveKeyBits, info.macAlgorithmName,
+                 enabled ? "Enabled" : "Disabled",
+                 info.isFIPS ? "FIPS" : "",
+                 info.isExportable ? "Export" : "Domestic",
+                 info.nonStandard ? "nonStandard" : "");
+     }
+     return errCount;
+ }
++
++int
++main(int argc, char **argv)
++{
++    PLOptState *optstate = NULL;
++    PLOptStatus status;
++    SECStatus rv;
++    FILE *inFile;
++    char *ev, *path;
++
++    optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
++    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++        switch (optstate->option) {
++            case '?':
++            case 'h':
++                Usage(progName);
++                break;
++            case 'p':
++                path = (char *)optstate->value;
++                fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
++                break;
++            case 'q':
++                ev = (char *)optstate->value;
++                fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
++                break;
++            case 'i':
++                rv = SECSuccess;
++                inFile = fopen(optstate->value, "r");
++                if (!inFile) {
++                    fprintf(stderr,
++                            "%s: unable to open \"%s\" for reading\n",
++                            progName, optstate->value);
++                            return -1;
++                }
++                rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
++                fclose(inFile);
++                return (rv == SECSuccess) ? 0 : 1;
++                break;
++            case 'l':
++            case 'L':
++                return list_suites();
++                break;
++            default:
++                Usage(progName);
++             break;
++        }
++    }
++
++    return 0;
++}

nss-check-policy-file.patch

@@ -1,7 +1,6 @@
-diff --git a/lib/nss/config.mk b/lib/nss/config.mk
---- a/lib/nss/config.mk
-+++ b/lib/nss/config.mk
-@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+--- ./lib/nss/config.mk.check_policy_file	2016-07-12 09:11:01.198867052 -0700
++++ ./lib/nss/config.mk	2016-07-12 09:15:58.739946540 -0700
+@@ -99,8 +99,15 @@
  ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
  ifndef NS_USE_GCC
  # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
@@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
  endif
 +
 +ifdef POLICY_FILE
++ifndef POLICY_PATH
++$(error You must define POLICY_PATH if you set POLICY_FILE)
++endif
 +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
 +endif
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
+--- ./lib/nss/nssinit.c.check_policy_file	2016-06-20 10:11:28.000000000 -0700
++++ ./lib/nss/nssinit.c	2016-07-12 09:18:14.821671331 -0700
+@@ -330,47 +330,47 @@
  
  /*
   * see nss_Init for definitions of the various options.
@@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
      if (lconfigdir == NULL) {
  	goto loser;
-@@ -427,24 +427,26 @@ loser:
+@@ -427,24 +427,24 @@
      if (lsecmodName) PORT_Free(lsecmodName);
      if (lupdateDir) PORT_Free(lupdateDir);
      if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
@@ -79,15 +80,13 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  
      if (moduleSpec) {
 -	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-+	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
++	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
  	PR_smprintf_free(moduleSpec);
- 	if (module) {
+-	if (module) {
 -	    if (module->loaded) rv=SECSuccess;
--	    SECMOD_DestroyModule(module);
-+	    if (!module->loaded) {
-+	        SECMOD_DestroyModule(module);
-+		module = NULL;
-+	    }
++	if (module && !module->loaded) {
+ 	    SECMOD_DestroyModule(module);
++	    return NULL;
  	}
      }
 -    return rv;
@@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
   * configdir - base directory where all the cert, key, and module datbases live.
   * certPrefix - prefix added to the beginning of the cert database example: "
   * 			"https-server1-"
-@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
+@@ -509,41 +509,44 @@
+ 	return PR_FAILURE;
+     }
+     return PR_SUCCESS;
+ }
+ 
+ 
+ static SECStatus
+ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+-		 const char *secmodName, const char *updateDir, 
++		 const char *secmodName, const char *updateDir,
+ 		 const char *updCertPrefix, const char *updKeyPrefix,
+ 		 const char *updateID, const char *updateName,
  		 NSSInitContext ** initContextPtr,
  		 NSSInitParameters *initParams,
- 		 PRBool readOnly, PRBool noCertDB, 
+-		 PRBool readOnly, PRBool noCertDB, 
++		 PRBool readOnly, PRBool noCertDB,
  		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
  		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
  		 PRBool allowAlreadyInitializedModules,
@@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      char *configStrings = NULL;
      char *configName = NULL;
      PRBool passwordRequired = PR_FALSE;
++#ifdef POLICY_FILE
++    char *ignoreVar;
++#endif
  
      /* if we are trying to init with a traditional NSS_Init call, maintain
-@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+-  
++
+     /* make sure our lock and condition variable are initialized one and only
+      * one time */ 
+     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
+ 	return SECFailure;
+     }
+ 
+     /*
+      * if we haven't done basic initialization, single thread the 
+@@ -630,23 +633,23 @@
  	configStrings = pk11_config_strings;
  	configName = pk11_config_name;
  	passwordRequired = pk11_password_required;
@@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
       * to init with noCertDB and noModDB */
      if (!(isReallyInitted && noCertDB && noModDB)) {
 -	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+-		updateDir, updCertPrefix, updKeyPrefix, updateID, 
 +	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
- 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
++		updateDir, updCertPrefix, updKeyPrefix, updateID,
  		updateName, configName, configStrings, passwordRequired,
- 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
+-		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
++		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
  		(initContextPtr != NULL));
  
 -	if (rv != SECSuccess) {
@@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      /* finish up initialization */
      if (!isReallyInitted) {
  	if (SECOID_Init() != SECSuccess) {
-@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
+@@ -675,17 +678,40 @@
  		     * path. Skip it */
  		    dbpath = NULL;
  		}
@@ -156,7 +187,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  	}
 -
 +#ifdef POLICY_FILE
-+        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
++	/* Load the system crypto policy file if it exists,
++	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
++	 * variable has been set to 1. */
++	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
 +	    SECMODModule *module = SECMOD_LoadModule(
 +		"name=\"Policy File\" "
 +		"parameters=\"configdir='sql:" POLICY_PATH "' "
@@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
 +		}
 +	    }
 +	}
++    }
 +#endif
  	pk11sdr_Init();
  	cert_CreateSubjectKeyIDHashTable();
@@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
  
  	if (pkixError != NULL) {
-@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
+@@ -716,32 +742,38 @@
      nssIsInInit--;
      /* now that we are inited, all waiters can move forward */
      PZ_NotifyAllCondVar(nssInitCondition);

nss-conditionally-ignore-system-policy.patch

@@ -0,0 +1,63 @@
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
++++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
+@@ -529,16 +529,19 @@
+ {
+     SECMODModule *parent = NULL;
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
++#ifdef POLICY_FILE
++    char *ignoreVar;
++#endif
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+   
+     /* make sure our lock and condition variable are initialized one and only
+@@ -678,32 +681,38 @@
+ 		    dbpath = NULL;
+ 		}
+ 		if (dbpath) {
+ 		    nss_FindExternalRoot(dbpath, secmodName);
+ 		}
+ 	    }
+ 	}
+ #ifdef POLICY_FILE
+-        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
++	/* Load the system crypo policy file if it exists,
++	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
++	 * variable has been set to 1. */
++	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
++	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+ 	    SECMODModule *module = SECMOD_LoadModule(
+ 		"name=\"Policy File\" "
+ 		"parameters=\"configdir='sql:" POLICY_PATH "' "
+ 		"secmod='" POLICY_FILE "' "
+ 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+ 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+-		parent, PR_TRUE); 
++		parent, PR_TRUE);
+ 	    if (module) {
+ 		PRBool isLoaded = module->loaded;
+ 		SECMOD_DestroyModule(module);
+ 		if (!isLoaded) {
+ 		    goto loser;
+ 		}
+ 	    }
+ 	}
++    }
+ #endif
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 

nss-skip-ecperf.patch

@@ -1,6 +1,6 @@
-diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
---- ./nss/cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./nss/cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
+diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
+--- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
++++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
 @@ -42,7 +42,6 @@ NSS_SRCDIRS = \
   dbtest \
   derdump  \

nss-skip-util-gtest.patch

@@ -1,11 +1,11 @@
-diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
---- ./external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
-+++ ./external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
-@@ -8,7 +8,6 @@ DEPTH      = ..
- DIRS = \
+diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest	2016-06-20 10:11:28.000000000 -0700
++++ ./external_tests/manifest.mn	2016-06-26 10:09:55.429858648 -0700
+@@ -9,7 +9,4 @@ DIRS = \
  	google_test \
+ 	common \
  	der_gtest \
 -	util_gtest \
-         pk11_gtest \
-         ssl_gtest \
+-	pk11_gtest \
+-	ssl_gtest \
  	$(NULL)

nss.spec

@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.25.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          2%{?dist}
+Release:          6%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -92,16 +92,15 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# TODO: file a bug usptream
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
-# TODO: file a bug usptream
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch60: nss-conditionally-ignore-system-policy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
-# TODO: file a bug usptream when enough tests are run
-Patch63: tests-check-policy-file.patch
-# TODO: file a bug usptream when enough tests are run
-Patch64: tests-data-adjust-for-policy.patch
-# TODO: file a bug upstream
+# TODO: file a bug upstream similar to the one for rsaperf
 Patch70: nss-skip-ecperf.patch
+Patch71: listsuites-do-queries.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -177,7 +176,6 @@ low level services.
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch16 -p0 -b .539183
-# link pem against buildroot's freebl, essential when mixing and matching
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
@@ -185,12 +183,10 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-#%patch62 -p0 -b .skip_util_gtest
-%patch63 -p1 -b .check_policy
-%patch64 -p1 -b .expected_result
+%patch62 -p0 -b .skip_util_gtest
+%patch70 -p1 -b .skip_ecperf
+%patch71 -p1 -b .do_queries
 popd
-# temporary
-%patch70 -p0 -b .skip_ecperf
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -202,9 +198,11 @@ popd
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
-# TODO: similar problem as descrived above
+# similar problem to the one described above
 # ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
 # the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
+%{__cp} ./nss/lib/freebl/ec.h ./nss/cmd/ecperf
+%{__cp} ./nss/lib/freebl/ecl/ecl-curve.h ./nss/cmd/ecperf
 
 # Before removing util directory we must save verref.h
 # as it will be needed later during the build phase.
@@ -224,19 +222,9 @@ popd
 ######## Remove portions that need to statically link with libnssutil.a
 %{__rm} -rf ./nss/external_tests/util_gtests
 
-pushd nss/tests/ssl
-# Create versions of ssauth.txt, sslcov.txt and sslstress.txt that disable
-# tests for non policy compliant ciphers.
-cat sslauth.txt| sed -r "s/^([^#].*EXPORT|^[^#].*MD5)/#disabled \1/" > sslauth.noPolicy.txt
-cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*_WITH_DES_*)/#disabled \1/" > sslcov.noPolicy.txt
-cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*with MD5)/#disabled \1/" > sslstress.noPolicy.txt
-popd
 
 %build
 
-# TODO: remove this when we solve the problems
-export NSS_DISABLE_GTESTS=1
-
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS
 
@@ -244,7 +232,7 @@ FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
 # Enable compiler optimizations and disable debugging code
-export BUILD_OPT=1
+#export BUILD_OPT=1
 
 # Uncomment to disable optimizations
 #RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
@@ -308,8 +296,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/lib/dbm
 
 # Set the policy file location
-# if set NSS will always check for the policy file and load it if it exists
-# TODO: restore the POLICY_FILE and POLICY_PATH exports
+# if set NSS will always check for the policy file and load if it exists
 export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
@@ -399,14 +386,10 @@ fi
 
 # Begin -- copied from the build section
 
-# inform the ssl test scripts that policy is enabled
-export POLICY_FILE="nss.config"
-export POLICY_PATH="/etc/crypto-policies/back-ends"
-
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
-export BUILD_OPT=1
+#export BUILD_OPT=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -422,6 +405,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
 
 # End -- copied from the build section
 
+export NSS_IGNORE_SYSTEM_POLICY=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -466,13 +451,13 @@ pushd ./nss/tests/
 #  the full list from all.sh is:
 #  "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
 %define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
-#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
-#  nss_ssl_run: cov auth stress
+#  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+#  nss_ssl_run: cov auth stapling stress
 #
 # Uncomment these lines if you need to temporarily
 # disable some test suites for faster test builds
-# global nss_ssl_tests "normal_fips"
-# global nss_ssl_run "cov auth"
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
 
 SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
 
@@ -810,12 +795,27 @@ fi
 
 
 %changelog
+* Tue Jul 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+- Cherry-pick merge from master branch
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+- Add support to listsuites to list ciphers allowed by policy
+- Incorporate some upstream review suggestions
+
+* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
+- Cleanup spec file and patches and add references to bugs filed upstream
+
 * Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
 - Rebase to nss 3.25
 
 * Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
 - decouple nss-pem from the nss package (#1347336)
 
+* Mon Jun 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.4
+- Add support for conditionally ignoring the system policy
+
 * Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
 - Apply the patch that was last introduced
 - Renumber and reorder some of the patches

sslauth-data-change-expected.patch

@@ -0,0 +1,79 @@
+diff -up ./tests/ssl/sslauth.txt.expect_other ./tests/ssl/sslauth.txt
+--- ./tests/ssl/sslauth.txt.expect_other	2016-06-04 12:39:37.866869160 -0700
++++ ./tests/ssl/sslauth.txt	2016-06-04 16:00:45.007632304 -0700
+@@ -9,17 +9,17 @@
+ #  ECC     value  params     params
+ # ------- ------  ------     ------                         ---------------
+   noECC     0       -r           -w_nss_-n_none           TLS Request don't require client auth (client does not provide auth)
+-  noECC     0       -r           -w_bogus_-n_TestUser     TLS Request don't require client auth (bad password)
++  noECC     1       -r           -w_bogus_-n_TestUser     TLS Request don't require client auth (bad password)
+   noECC     0       -r           -w_nss_-n_TestUser       TLS Request don't require client auth (client auth)
+-  noECC    254      -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
+-  noECC    254      -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
++  noECC     1       -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
++  noECC     1       -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
+   noECC     0       -r_-r        -w_nss_-n_TestUser_      TLS Require client auth (client auth)
+-  noECC    254      -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
+-  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
+-  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
+-  noECC    254      -r_-r        -V_:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
+-  noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
+-  noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
++  noECC     1       -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
++  noECC     1       -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
++  noECC     1       -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
++  noECC     1       -r_-r        -V_:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
++  noECC     1       -r_-r        -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
++  noECC     1       -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
+   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_none        TLS Request don't require client auth on 2nd hs (client does not provide auth)
+   noECC     0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser  TLS Request don't require client auth on 2nd hs (bad password)
+   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser    TLS Request don't require client auth on 2nd hs (client auth)
+@@ -32,9 +32,9 @@
+   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_none        TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
+   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser  TLS 1.0 Require client auth on 2nd hs (bad password)
+   noECC     0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser    TLS 1.0 Require client auth on 2nd hs (client auth)
+-  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+-  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+-  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
++  noECC     1       -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
++  noECC     1       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
++  noECC     1       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Require client auth on 2nd hs (client does not provide auth)
+   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
+   noECC     0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
+@@ -43,11 +43,11 @@
+ #
+    ECC      0       -r           -w_bogus_-n_TestUser-ec     TLS Request don't require client auth (EC) (bad password)
+    ECC      0       -r           -w_nss_-n_TestUser-ec       TLS Request don't require client auth (EC) (client auth)
+-   ECC     254      -r_-r        -w_bogus_-n_TestUser-ec     TLS Require client auth (EC) (bad password)
++   ECC      1       -r_-r        -w_bogus_-n_TestUser-ec     TLS Require client auth (EC) (bad password)
+    ECC      0       -r_-r        -w_nss_-n_TestUser-ec_      TLS Require client auth (EC) (client auth)
+    ECC      0       -r           -V_:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Request don't require client auth (EC) (bad password)
+    ECC      0       -r           -V_:ssl3_-n_TestUser-ec_-w_nss    SSL3 Request don't require client auth (EC) (client auth)
+-   ECC     254      -r_-r        -V_:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Require client auth (EC) (bad password)
++   ECC      1       -r_-r        -V_:ssl3_-n_TestUser-ec_-w_bogus  SSL3 Require client auth (EC) (bad password)
+    ECC      0       -r_-r        -V_:ssl3_-n_TestUser-ec_-w_nss    SSL3 Require client auth (EC) (client auth)
+    ECC      0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser-ec  TLS Request don't require client auth on 2nd hs (EC) (bad password)
+    ECC      0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser-ec    TLS Request don't require client auth on 2nd hs (EC) (client auth)
+@@ -57,17 +57,17 @@
+    ECC      0       -r_-r_-r     -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec    TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
+    ECC      1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec  TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
+    ECC      0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_   TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
+-   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+-   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
++   ECC      1       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
++   ECC      1       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+    ECC      1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
+-   ECC     254      -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
++   ECC      1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+ #
+ # SNI Tests
+ #
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
+   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
+-  SNI    254      -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
++  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
+   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
+   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
+   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI

tests-check-policy-file.patch

@@ -1,35 +1,40 @@
-diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt
-diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
 --- ./tests/ssl/ssl.sh.check_policy	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/ssl.sh	2016-05-28 15:45:07.645964005 -0700
-@@ -61,10 +61,19 @@ ssl_init()
++++ ./tests/ssl/ssl.sh	2016-06-10 10:06:40.715661079 -0700
+@@ -56,16 +56,24 @@
+       }
+   fi
+ 
+   PORT=${PORT-8443}
+   NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
    nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
    NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
  
 +  NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
 +    ? "${POLICY_PATH}/${POLICY_FILE}" \
++    : ""
++  # Means that will use test data that compliant with policy
++  # and will invoke selfserv nd tstclnt with the proper range
++  ADJUST_FOR_POLICY=[ -n "${NSS_POLICY_FILE}" -a -z "${NSS_IGNORE_SYSTEM_POLICY}" ] \
++    ? "1" \
 +    : ""
    # Test case files
--  SSLCOV=${QADIR}/ssl/sslcov.txt
--  SSLAUTH=${QADIR}/ssl/sslauth.txt
--  SSLSTRESS=${QADIR}/ssl/sslstress.txt
-+  if [ -n ${NSS_POLICY_FILE} ]; then
-+    SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt
-+    SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt
-+  else
-+    SSLAUTH=${QADIR}/ssl/sslauth.txt
-+    SSLCOV=${QADIR}/ssl/sslcov.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.txt
-+  fi
+   SSLCOV=${QADIR}/ssl/sslcov.txt
+   SSLAUTH=${QADIR}/ssl/sslauth.txt
+   SSLSTRESS=${QADIR}/ssl/sslstress.txt
    SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
-@@ -122,7 +131,11 @@ is_selfserv_alive()
+   #temparary files
+@@ -117,17 +125,21 @@
+   if [ "${OS_ARCH}" = "WINNT" ] && \
+      [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+       PID=${SHELL_SERVERPID}
+   else
+       PID=`cat ${SERVERPID}`
    fi
  
    echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++  if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
 +  echo "No server to kill"
 +  else
    kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
@@ -37,11 +42,21 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
  
    echo "selfserv with PID ${PID} found at `date`"
  }
-@@ -145,7 +158,11 @@ wait_for_selfserv()
+ 
+ ########################### wait_for_selfserv ##########################
+ # local shell function to wait until selfserver is running and initialized
+ ########################################################################
+ wait_for_selfserv()
+@@ -140,17 +152,21 @@
+   if [ $? -ne 0 ]; then
+       sleep 5
+       echo "retrying to connect to selfserv at `date`"
+       echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+       echo "        -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
        ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
                -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
        if [ $? -ne 0 ]; then
-+          if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++          if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
 +              html_passed "Server never started"
 +          else
            html_failed "Waiting for Server"
@@ -49,12 +64,31 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
        fi
    fi
    is_selfserv_alive
-@@ -216,15 +233,16 @@ start_selfserv()
+ }
+ 
+ ########################### kill_selfserv ##############################
+ # local shell function to kill the selfserver after the tests are done
+ ########################################################################
+@@ -208,28 +224,35 @@
+      [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+       ECC_OPTIONS="-e ${HOSTADDR}-ec"
+   else
+       ECC_OPTIONS=""
+   fi
+   if [ "$1" = "mixed" ]; then
+       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
+   fi
++
++  if [ -n "${ADJUST_FOR_POLICY}" ]; then
++     VMIN_OPT="-V tls1.0:"
++  else
++     VMIN_OPT=""
++  fi
++
    echo "selfserv starting at `date`"
    echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
    echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
 -  echo "         $verbose -H 1 &"
-+  VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : ""
 +  echo "         $verbose -H 1 ${VMIN_OPT} &"
    if [ ${fileout} -eq 1 ]; then
        ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
@@ -69,16 +103,30 @@ diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
        RET=$?
    fi
  
-@@ -275,6 +293,12 @@ ssl_cov()
+   # The PID $! returned by the MKS or Cygwin shell is not the PID of
+   # the real background process, but rather the PID of a helper
+   # process (sh.exe).  MKS's kill command has a bug: invoking kill
+   # on the helper process does not terminate the real background
+   # process.  Our workaround has been to have selfserv save its PID
+@@ -270,16 +293,21 @@
+   VMAX="tls1.1"
+                
+   exec < ${SSLCOV}
+   while read ectype testmax param testname
+   do
        echo "${testname}" | grep "EXPORT" > /dev/null 
        EXP=$?
  
 +      #  trace these types of tests when build has policy enabled
-+      if [ -n ${NSS_POLICY_FILE} ] &&
-+         [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then
-+            echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})"
++      if [ -n "${ADJUST_FOR_POLICY}" ] && [ ${EXP} -eq 0 ]; then
++            echo "$testname has legacy ciphers"
 +      fi
 +
        if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
            echo "$SCRIPTNAME: skipping  $testname (ECC only)"
        elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then
+           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
+       elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
+           echo "$SCRIPTNAME: running $testname ----------------------------"
+           VMAX="ssl3"
+           if [ "$testmax" = "TLS10" ]; then