Complete the commits to update to NSS 3.21

- Add files missed in previous commit as they weren't staged
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set

.gitignore

@@ -10,4 +10,4 @@ TestUser51.cert
 /nss-pem-20140125.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.20.1.tar.gz
+/nss-3.21.0.tar.gz

iquote.patch

@@ -173,3 +173,15 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile
+--- nss/lib/ssl/Makefile.iquote	2015-11-13 09:23:41.653738563 -0800
++++ nss/lib/ssl/Makefile	2015-11-13 09:25:25.121415348 -0800
+@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #

nss-539183.patch

@@ -1,11 +1,9 @@
-diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
---- nss/cmd/httpserv/httpserv.c.539183	2013-05-28 14:43:24.000000000 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2015-11-08 21:12:59.000000000 -0800
-+++ nss/cmd/httpserv/httpserv.c	2013-05-30 22:16:46.685373471 -0700
++++ ./nss/cmd/httpserv/httpserv.c	2015-11-12 13:28:01.574855325 -0800
-@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
+@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
      PRNetAddr          addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
 -    addr.inet.ip     = PR_INADDR_ANY;
@@ -15,9 +13,6 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
 -	errExit("PR_NewTCPSocket");
@@ -25,14 +20,12 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.539183	2013-05-28 14:43:24.000000000 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2015-11-08 21:12:59.000000000 -0800
-+++ nss/cmd/selfserv/selfserv.c	2013-05-30 22:16:46.688373495 -0700
++++ ./nss/cmd/selfserv/selfserv.c	2015-11-12 13:26:40.498345875 -0800
-@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
+@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
      PRNetAddr          addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
 -    addr.inet.ip     = PR_INADDR_ANY;
@@ -42,9 +35,6 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
 -	errExit("PR_NewTCPSocket");

nss.spec

@@ -18,7 +18,7 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.20.1
+Version:          3.21.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release:          2%{?dist}
@@ -92,15 +92,17 @@ Patch52:          disableSSL2libssl.patch
 Patch53:          disableSSL2tests.patch
 Patch54:          tstclnt-ssl2-off-by-default.patch
 Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
-# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
-Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
-Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 
+# As of nss-3.21 we compile NSS with -Werror.
+# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
+# This requires a cleanup of the PEM module as we have it here.
+# TODO: submit a patch to the interim nss-pem upstream project
+# The submission will be very different from this patch as
+# cleanup there is already in progress there.
+Patch59: pem-compile-with-Werror.patch
+
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
@@ -188,11 +190,8 @@ pushd nss
 popd
 %patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
-%patch56 -p1 -b .ocsp_sni
-pushd nss
-%patch57 -p1 -b .1185708
-popd
 %patch58 -p0 -b .1185708_3des
+%patch59 -p0 -b .compile_Werror
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -210,6 +209,10 @@ done
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
 
+# Before removing util directory we must save verref.h
+# as it will be needed later during the build phase.
+%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
+
 ##### Remove util/freebl/softoken and low level tools
 ######## Remove freebl, softoken and util
 %{__rm} -rf ./nss/lib/freebl
@@ -285,7 +288,11 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+# external tests are causing build problems because they access ssl internal types
+# TODO: Investigate as there may be a better solution
+export NSS_DISABLE_GTESTS=1
+
+%if %{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
@@ -301,6 +308,13 @@ export NSS_ECC_MORE_THAN_SUITE_B
 export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/lib/util/verref.h which is which is exported privately,
+# copy the one we saved during prep so it they can find it.
+%{__mkdir_p} ./dist/private/nss
+%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
+
 %{__make} -C ./nss
 unset NSS_BLTEST_NOT_AVAILABLE
 
@@ -389,7 +403,7 @@ export FREEBL_NO_DEPEND
 BUILD_OPT=1
 export BUILD_OPT
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+%if %{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
@@ -551,7 +565,7 @@ do
 done
 
 # Copy the binaries we ship as unsupported
-for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
@@ -702,6 +716,7 @@ fi
 %{unsupported_tools_directory}/atob
 %{unsupported_tools_directory}/btoa
 %{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
 %{unsupported_tools_directory}/ocspclnt
 %{unsupported_tools_directory}/pp
 %{unsupported_tools_directory}/selfserv
@@ -806,6 +821,13 @@ fi
 
 
 %changelog
+* Fri Nov 13 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
+- Update to NSS 3.21
+- Package listsuites as part of the unsupported tools set
+- Resolves: Bug 1279912 - nss-3.21 is available
+- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
+- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
+
 * Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
 - Update to NSS 3.20.1
 

sources

@@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
 b8a94e863c852e1f8b75e930e76f8640  nss-pem-20140125.tar.bz2
-c285ef92de0031cb0a8caa60d396d618  nss-3.20.1.tar.gz
+f53ffa490133d29ff930fa4b29bade90  nss-3.21.0.tar.gz