Update to NSS_3_15_RTM

- manual merge from master
2013-06-17 16:17:29 -07:00 · 2013-06-17 16:17:29 -07:00 · b70c8423a2
parent 68c8f5228f
commit b70c8423a2
23 changed files with 277 additions and 248 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,6 +7,5 @@ PayPalEE.cert
 TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
-/nss-pem-20120811.tar.bz2
-/dummy-sources-for-testing
-/nss-3.14.3-stripped.tar.bz2
+/nss-pem-20130405.tar.bz2
+/nss-3.15-stripped.tar.bz2
--- a/0001-sync-up-with-upstream-softokn-changes.patch
+++ b/0001-sync-up-with-upstream-softokn-changes.patch
@ -10,10 +10,10 @@ Subject: [PATCH] Sync up with upstream softokn changes
 mozilla/security/nss/lib/ckfw/pem/rsawrapr.c |  338 +++++++-------------------
 1 files changed, 82 insertions(+), 256 deletions(-)

-diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
 index 5ac4f39..3780d30 100644
--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
-+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+--- a/nss/lib/ckfw/pem/rsawrapr.c
+++ b/nss/lib/ckfw/pem/rsawrapr.c
@@ -46,6 +46,7 @@
 #include "sechash.h"
 #include "base.h"
--- a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
+++ b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
@ -1,5 +1,5 @@
--- mozilla/security/nss/lib/ckfw/pem/psession.c
-+++ mozilla/security/nss/lib/ckfw/pem/psession.c
+--- nss/lib/ckfw/pem/psession.c
+++ nss/lib/ckfw/pem/psession.c
@@ -230,6 +230,7 @@ pem_mdSession_Login
     unsigned int len = 0;
     NSSLOWKEYPrivateKey *lpk = NULL;
--- a/add-relro-linker-option.patch
+++ b/add-relro-linker-option.patch
@ -1,7 +1,7 @@
-diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
--- mozilla/security/coreconf/Linux.mk.relro	2010-08-12 18:32:29.000000000 -0700
-+++ mozilla/security/coreconf/Linux.mk	2011-09-27 16:12:22.234743170 -0700
-@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
 endif
 endif
 
--- a/disable-ocsp-stapling-tests.patch
+++ b/disable-ocsp-stapling-tests.patch
@ -0,0 +1,9 @@
+diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
+--- nss/tests/ocsp/ocsp.sh.skipoutbound	2013-04-24 18:04:30.203307355 -0700
+++ nss/tests/ocsp/ocsp.sh	2013-04-24 18:06:27.967176794 -0700
+@@ -115,4 +115,4 @@ ocsp_stapling()
+ ################## main #################################################
+ ocsp_init
+ ocsp_iopr_run
+-ocsp_stapling
+#ocsp_stapling
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+Dummy source file that we by uploading it lets us verify that nss builds
+do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang.
--- a/iquote.patch
+++ b/iquote.patch
@ -0,0 +1,25 @@
+diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
+--- nss/cmd/bltest/Makefile.iquote	2013-04-04 21:56:59.329249213 -0700
+++ nss/cmd/bltest/Makefile	2013-04-04 21:57:47.583579084 -0700
+@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ 
+ #######################################################################
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2013-04-04 21:54:59.710477106 -0700
+++ nss/coreconf/location.mk	2013-04-04 21:56:21.091163121 -0700
+@@ -45,6 +45,10 @@ endif
+ 
+ ifdef NSS_INCLUDE_DIR
+     INCLUDES += -I$(NSS_INCLUDE_DIR)
+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
+        INCLUDES += -iquote $(DIST)/../public/nss
+        INCLUDES += -iquote $(DIST)/../private/nss
+    endif
+ endif
+ 
+ ifndef NSS_LIB_DIR
--- a/mozilla-crypto-strip.sh
+++ b/mozilla-crypto-strip.sh
@ -50,9 +50,9 @@ then
 fi

 TOPDIR=`ls -1`
-if test "x$TOPDIR" != "xmozilla"
+if test "x$TOPDIR" != "xnss"
 then
-  # try to deal with a single additional subdirectory above "mozilla"
+  # try to deal with a single additional subdirectory above "nss"
  echo "== skipping toplevel directory $TOPDIR"
  cd $TOPDIR
 fi
@ -65,18 +65,18 @@ then
 fi

 SINGLEDIR=`ls -1`
-if test "x$SINGLEDIR" != "xmozilla"
+if test "x$SINGLEDIR" != "xnss"
 then
-  echo "unable to process, first or second level directory is not mozilla"
+  echo "unable to process, first or second level directory is not nss"
  exit
 fi

 echo "== input archive accepted, now processing"

-REALFREEBLDIR=mozilla/security/nss/lib/freebl
+REALFREEBLDIR=nss/lib/freebl
 FREEBLDIR=./$REALFREEBLDIR

-rm -rf ./mozilla/security/nss/cmd/ecperf
+rm -rf ./nss/cmd/ecperf

 mv ${FREEBLDIR}/ecl/ecl-exp.h ${FREEBLDIR}/save
 rm -rf ${FREEBLDIR}/ecl/tests
--- a/no-softoken-freebl-tests.patch
+++ b/no-softoken-freebl-tests.patch
@ -1,39 +1,19 @@
-diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile
--- ./mozilla/security/nss/cmd/Makefile.nosoftokentests	2012-12-22 14:06:13.193304912 -0800
-+++ ./mozilla/security/nss/cmd/Makefile	2012-12-22 14:10:04.942248630 -0800
-@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS
- DIRS += libpkix
+diff -up nss/cmd/Makefile.nosoftokentests nss/cmd/Makefile
+--- nss/cmd/Makefile.nosoftokentests	2013-05-30 23:43:20.982027783 -0700
+++ nss/cmd/Makefile	2013-05-30 23:47:11.865874884 -0700
+@@ -19,9 +19,15 @@ BLTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
+ SHLIBSIGN_SRCDIR =
+ else
+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+BLTEST_SRCDIR =
+FIPSTEST_SRCDIR =
+SHLIBSIGN_SRCDIR =
+else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest
+ SHLIBSIGN_SRCDIR = shlibsign
+endif
 endif
 
-+# nss-softoken only tests
-+BLTEST_SRCDIR=
-+FIPSTEST_SRCDIR=
-+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-+BLTEST_SRCDIR=bltest              # Add the bltest directory to DIRS.
-+FIPSTEST_SRCDIR=fipstest          # Add the fipstest directory to DIRS.
-+endif
-+
 LOWHASHTEST_SRCDIR=
- ifeq ($(FREEBL_LOWHASH),1)
- LOWHASHTEST_SRCDIR = lowhashtest  # Add the lowhashtest directory to DIRS.
-diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn
--- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests	2012-12-22 14:06:35.191293837 -0800
-+++ ./mozilla/security/nss/cmd/manifest.mn	2012-12-22 14:11:22.342263467 -0800
-@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm
- DIRS = lib  \
-  addbuiltin \
-  atob  \
- bltest \
-+ $(BLTEST_SRCDIR) \
-  btoa  \
-  certcgi \
-  certutil  \
-@@ -23,7 +23,7 @@ DIRS = lib  \
-  derdump  \
-  digest  \
-  httpserv  \
- fipstest  \
-+ $(FIPSTEST_SRCDIR)  \
-  $(LOWHASHTEST_SRCDIR)  \
-  listsuites \
-  makepqg  \
--- a/nss-3.14.0.0-disble-ocsp-test.patch
+++ b/nss-3.14.0.0-disble-ocsp-test.patch
@ -1,6 +1,6 @@
-diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest	2013-01-06 19:56:15.000000000 -0800
-+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios	2013-02-01 08:38:28.140615299 -0800
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest	2013-01-06 19:56:15.000000000 -0800
+++ nss/tests/chains/scenarios/scenarios	2013-02-01 08:38:28.140615299 -0800
@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
 realcerts.cfg
 dsa.cfg
--- a/nss-539183.patch
+++ b/nss-539183.patch
@ -1,10 +1,6 @@
-Index: ./mozilla/security/nss/cmd/httpserv/httpserv.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/httpserv/httpserv.c,v
-retrieving revision 1.1
-diff -u -p -r1.1 httpserv.c
--- ./mozilla/security/nss/cmd/httpserv/httpserv.c	28 Jun 2012 11:11:06 -0000	1.1
-+++ ./mozilla/security/nss/cmd/httpserv/httpserv.c	21 Oct 2012 22:22:10 -0000
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183	2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/httpserv/httpserv.c	2013-05-30 22:16:46.685373471 -0700
@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
     PRStatus	       prStatus;
     PRNetAddr          addr;
@ -29,14 +25,10 @@ diff -u -p -r1.1 httpserv.c
     }
 
     opt.option = PR_SockOpt_Nonblocking;
-Index: ./mozilla/security/nss/cmd/selfserv/selfserv.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v
-retrieving revision 1.102
-diff -u -p -r1.102 selfserv.c
--- ./mozilla/security/nss/cmd/selfserv/selfserv.c	27 Sep 2012 17:13:34 -0000	1.102
-+++ ./mozilla/security/nss/cmd/selfserv/selfserv.c	21 Oct 2012 22:22:10 -0000
-@@ -1483,14 +1483,18 @@ getBoundListenSocket(unsigned short port
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183	2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/selfserv/selfserv.c	2013-05-30 22:16:46.688373495 -0700
+@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
     PRStatus	       prStatus;
     PRNetAddr          addr;
     PRSocketOptionData opt;
--- a/nss-646045.patch
+++ b/nss-646045.patch
@ -1,7 +1,7 @@
-diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/security/nss/tests/dbtests/dbtests.sh
--- ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot	2011-04-06 09:56:07.207701000 -0700
-+++ ./mozilla/security/nss/tests/dbtests/dbtests.sh	2011-04-06 10:19:54.159552000 -0700
-@@ -201,6 +201,9 @@ dbtest_main()
+diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh
+--- nss/tests/dbtests/dbtests.sh.646045	2013-04-04 13:31:55.000000000 -0700
+++ nss/tests/dbtests/dbtests.sh	2013-04-04 15:57:46.298127149 -0700
+@@ -168,6 +168,9 @@ dbtest_main()
         cat $RONLY_DIR/* > /dev/null
     fi
 
@ -11,7 +11,7 @@ diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/securi
     ${BINDIR}/dbtest -d $RONLY_DIR
     ret=$?
     if [ $ret -ne 46 ]; then
-@@ -208,6 +211,10 @@ dbtest_main()
+@@ -175,6 +178,10 @@ dbtest_main()
     else
       html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
     fi
@ -22,7 +22,7 @@ diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/securi
     ${BINDIR}/certutil -D -n "TestUser" -d .
     ret=$?
     if [ $ret -ne 255 ]; then
-@@ -215,6 +222,9 @@ dbtest_main()
+@@ -182,6 +189,9 @@ dbtest_main()
     else
         html_passed "Certutil didn't work in an readonly dir $ret"
     fi
--- a/nss-872761.patch
+++ b/nss-872761.patch
@ -1,58 +0,0 @@
-Index: mozilla/security/nss/cmd/lib/secutil.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v
-retrieving revision 1.126
-diff -u -u -r1.126 secutil.c
--- mozilla/security/nss/cmd/lib/secutil.c	7 Jan 2013 04:11:49 -0000	1.126
-+++ mozilla/security/nss/cmd/lib/secutil.c	19 Apr 2013 22:43:02 -0000
-@@ -504,6 +504,8 @@
- 
- 	/* Read in ascii data */
- 	rv = SECU_FileToItem(&filedata, inFile);
-+	if (rv != SECSuccess)
-+	    return rv;
- 	asc = (char *)filedata.data;
- 	if (!asc) {
- 	    fprintf(stderr, "unable to read data from input file\n");
-@@ -519,20 +521,28 @@
- 		body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
- 	    if (body)
- 		trailer = strstr(++body, "-----END");
-	    if (trailer != NULL) {
-+	    if (trailer != NULL)
- 		*trailer = '\0';
-	    } else {
-+	    if (!body || !trailer) {
- 		fprintf(stderr, "input has header but no trailer\n");
- 		PORT_Free(filedata.data);
- 		return SECFailure;
- 	    }
- 	} else {
-	    body = asc;
-+	    /* need one additional byte for zero terminator */
-+	    rv = SECITEM_ReallocItem(NULL, &filedata, filedata.len, filedata.len+1);
-+	    if (rv != SECSuccess) {
-+		PORT_Free(filedata.data);
-+		return rv;
-+	    }
-+	    filedata.len = filedata.len+1;
-+	    body = (char*)filedata.data;
-+	    body[filedata.len-1] = '\0';
- 	}
-      
- 	/* Convert to binary */
- 	rv = ATOB_ConvertAsciiToItem(der, body);
-	if (rv) {
-+	if (rv != SECSuccess) {
- 	    fprintf(stderr, "error converting ascii to binary (%s)\n",
- 		    SECU_Strerror(PORT_GetError()));
- 	    PORT_Free(filedata.data);
-@@ -543,7 +553,7 @@
-     } else {
- 	/* Read in binary der */
- 	rv = SECU_FileToItem(der, inFile);
-	if (rv) {
-+	if (rv != SECSuccess) {
- 	    fprintf(stderr, "error converting der (%s)\n", 
- 		    SECU_Strerror(PORT_GetError()));
- 	    return SECFailure;
--- a/nss-enable-pem.patch
+++ b/nss-enable-pem.patch
@ -1,9 +1,9 @@
-diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem	2008-08-05 16:34:23.000000000 -0700
-+++ ./mozilla/security/nss/lib/ckfw/manifest.mn	2008-08-05 16:34:30.000000000 -0700
-@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
+diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
+--- nss/lib/ckfw/manifest.mn.libpem	2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/ckfw/manifest.mn	2013-05-30 22:14:49.247459672 -0700
+@@ -5,7 +5,7 @@
 
- CORE_DEPTH = ../../..
+ CORE_DEPTH = ../..
 
 -DIRS = builtins 
 +DIRS = builtins pem
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
@ -0,0 +1,17 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.nobltest	2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/Makefile	2013-06-15 11:51:11.669655168 -0700
+@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
+ DIRS += libpkix
+ endif
+ 
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+ BLTEST_SRCDIR =
+-FIPSTEST_SRCDIR =
+-SHLIBSIGN_SRCDIR =
+FIPSTEST_SRCDIR =
+SHLIBSIGN_SRCDIR = shlibsign
+ else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest
--- a/nss-ssl-cbc-random-iv-off-by-default.patch
+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
@ -1,16 +1,16 @@
-diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff	2013-02-01 10:14:36.960458329 -0800
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2013-02-01 10:17:16.532265855 -0800
-@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
+diff -up nss/lib/ssl/sslsock.c.cbcrandomivoff nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.cbcrandomivoff	2013-05-30 22:20:52.181292812 -0700
+++ nss/lib/ssl/sslsock.c	2013-05-30 22:20:52.194292913 -0700
+@@ -152,7 +152,7 @@ static sslOptions ssl_defaults = {
     3,          /* enableRenegotiation (default: transitional) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
-    PR_TRUE     /* cbcRandomIV        */
-+    PR_FALSE    /* cbcRandomIV        */ /* defaults to off for compatibility */
+-    PR_TRUE,    /* cbcRandomIV        */
+    PR_FALSE,    /* cbcRandomIV        */ /* defaults to off for compatibility */
+     PR_FALSE    /* enableOCSPStapling */
 };
 
- /*
-@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
+@@ -2906,9 +2906,9 @@ ssl_SetDefaultsFromEnvironment(void)
 	                PR_TRUE));
 	}
 	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
--- a/nss-ssl-enforce-no-pkcs11-bypass.path
+++ b/nss-ssl-enforce-no-pkcs11-bypass.path
@ -1,15 +1,16 @@
-diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
-diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass	2012-10-07 15:12:25.455307540 -0700
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-10-07 15:21:27.229346754 -0700
-@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
+diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.nobypass	2013-05-30 22:23:37.305583715 -0700
+++ nss/lib/ssl/sslsock.c	2013-05-30 22:23:37.311583762 -0700
+@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo
 static PRStatus SSL_BypassSetup(void)
 {
 #ifdef NO_PKCS11_BYPASS
 -    /* Guarantee binary compatibility */
 -    return PR_SUCCESS;
-+    /* We can safely return failure as we have never supported it */
-+    return PR_FALSE;
+    /* No need in our case to guarantee binary compatibility and
+     * we can safely return failure as we have never supported it
+     */
+    return PR_FAILURE;
 #else
     return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
 #endif
--- a/nss-versus-softoken-tests.patch
+++ b/nss-versus-softoken-tests.patch
@ -0,0 +1,38 @@
+diff -up nss/tests/all.sh.crypto nss/tests/all.sh
+--- nss/tests/all.sh.crypto	2013-05-28 14:43:24.000000000 -0700
+++ nss/tests/all.sh	2013-06-13 12:14:12.741082184 -0700
+@@ -299,9 +299,10 @@ fi
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the 
+ # following test for modutil should check for that instead.
+# Except when building softoken only where shlibsign is the last one built.
+export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
+ 
+-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a  \
+-     ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
+     echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+     html_head "Testing Initialization"
+     Exit "Checking for build"
+diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
+--- nss/tests/cipher/cipher.sh.crypto	2013-05-28 14:43:24.000000000 -0700
+++ nss/tests/cipher/cipher.sh	2013-06-13 11:58:00.956064976 -0700
+@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
+     return 0
+ fi
+ cipher_init
+-cipher_main
+-cipher_gcm
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
+    echo "Skipping cipher_gcm because this is a softoken only build"
+    cipher_main
+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
+    echo "Skipping cipher_main because this an nss without softoken build"
+    cipher_gcm
+else
+    # default is to run both
+    cipher_init
+    cipher_main
+    cipher_gcm
+fi
+ cipher_cleanup
--- a/nss.spec
+++ b/nss.spec
@ -1,7 +1,7 @@
-%global nspr_version 4.9.5
-%global nss_util_version 3.14.3
+%global nspr_version 4.10
+%global nss_util_version 3.15
 %global nss_softokn_fips_version 3.12.9
-%global nss_softokn_version 3.14.3
+%global nss_softokn_version 3.15
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools

 # solution taken from icedtea-web.spec
@ -18,8 +18,8 @@

 Summary:          Network Security Services
 Name:             nss
-Version:          3.14.3
-Release:          13.0%{?dist}
+Version:          3.15
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -70,7 +70,7 @@ Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
 Source10:         PayPalEE.cert
-Source12:         %{name}-pem-20120811.tar.bz2
+Source12:         %{name}-pem-20130405.tar.bz2
 Source17:         TestCA.ca.cert
 Source18:         TestUser50.cert
 Source19:         TestUser51.cert
@ -80,7 +80,6 @@ Patch3:           renegotiate-transitional.patch
 Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
 Patch18:          nss-646045.patch
-Patch19:          nss-872761.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
@ -94,6 +93,14 @@ Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 Patch43:          no-softoken-freebl-tests.patch
 Patch44:          0001-sync-up-with-upstream-softokn-changes.patch
 Patch45:          Bug-896651-pem-dont-trash-keys-on-failed-login.patch
+# The ocsp stapling tests currently require access to the
+# kuix.de test server but koji forbids outbount connections
+Patch46:          disable-ocsp-stapling-tests.patch
+Patch47:          utilwrap-include-templates.patch
+Patch48:          nss-versus-softoken-tests.patch
+# TODO remove when we switch to building nss without softoken
+Patch49:  nss-skip-bltest-and-fipstest.patch
+Patch50:  iquote.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -163,10 +170,10 @@ low level services.

 %prep
 %setup -q
-%{__cp} %{SOURCE10} -f ./mozilla/security/nss/tests/libpkix/certs
-%{__cp} %{SOURCE17} -f ./mozilla/security/nss/tests/libpkix/certs
-%{__cp} %{SOURCE18} -f ./mozilla/security/nss/tests/libpkix/certs
-%{__cp} %{SOURCE19} -f ./mozilla/security/nss/tests/libpkix/certs
+%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12

 %patch2 -p0 -b .relro
@ -174,16 +181,20 @@ low level services.
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
 %patch18 -p0 -b .646045
-%patch19 -p0 -b .872761
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 # activate for stable and beta branches
 %patch29 -p0 -b .cbcrandomivoff
-%patch39 -p1 -b .nobypass
-%patch40 -p1 -b .noocsptest
-%patch43 -p0 -b .nosoftokentests
+%patch39 -p0 -b .nobypass
+%patch40 -p0 -b .noocsptest
+#%patch43 -p0 -b .nosoftokentests
 %patch44 -p1 -b .syncupwithupstream
 %patch45 -p0 -b .notrash
+%patch46 -p0 -b .skipoutbound
+#%patch47 -p0 -b .templates
+%patch48 -p0 -b .crypto
+%patch49 -p0 -b .skipthem
+%patch50 -p0 -b .iquote

 %build

@ -229,25 +240,27 @@ USE_64=1
 export USE_64
 %endif

+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
 ##### phase 1: build freebl/softokn shared libraries
 # there no ecc in freebl
 unset NSS_ENABLE_ECC
 # Compile softoken plus needed support
-%{__make} -C ./mozilla/security/coreconf
-%{__make} -C ./mozilla/security/dbm
+%{__make} -C ./nss/coreconf

-%{__make} -C ./mozilla/security/nss/lib/util export
-%{__make} -C ./mozilla/security/nss/lib/freebl export
-%{__make} -C ./mozilla/security/nss/lib/softoken export
+%{__make} -C ./nss/lib/util export
+%{__make} -C ./nss/lib/freebl export
+%{__make} -C ./nss/lib/softoken export

-%{__make} -C ./mozilla/security/nss/lib/util
-%{__make} -C ./mozilla/security/nss/lib/freebl
-%{__make} -C ./mozilla/security/nss/lib/softoken
+%{__make} -C ./nss/lib/util
+%{__make} -C ./nss/lib/dbm
+%{__make} -C ./nss/lib/freebl
+%{__make} -C ./nss/lib/softoken

 # stash away the bltest and fipstest to build them last
-tar cf build_these_later.tar ./mozilla/security/nss/cmd/bltest ./mozilla/security/nss/cmd/fipstest
-rm -rf ./mozilla/security/nss/cmd/bltest
-rm -rf ./mozilla/security/nss/cmd/fipstest
+tar cf build_these_later.tar ./nss/cmd/bltest ./nss/cmd/fipstest
+rm -rf ./nss/cmd/bltest ./nss/cmd/fipstest

 ##### phase 2: build the rest of nss
 # nss supports pluggable ecc
@ -261,21 +274,23 @@ export NSS_ECC_MORE_THAN_SUITE_B
 # private exports from util. The install section will ensure not
 # to override nss-util and nss-softoken headers already installed.
 #     
-%{__make} -C ./mozilla/security/coreconf
-%{__make} -C ./mozilla/security/dbm
-%{__make} -C ./mozilla/security/nss
+export NSS_BLTEST_NOT_AVAILABLE=1
+%{__make} -C ./nss/coreconf
+%{__make} -C ./nss/lib/dbm
+%{__make} -C ./nss
+unset NSS_BLTEST_NOT_AVAILABLE

 ##### phase 3: build bltest and fipstest
 tar xf build_these_later.tar
-unset NSS_ENABLE_ECC; %{__make} -C ./mozilla/security/nss/cmd/bltest
-unset NSS_ENABLE_ECC; %{__make} -C ./mozilla/security/nss/cmd/fipstest
+unset NSS_ENABLE_ECC; %{__make} -C ./nss/cmd/bltest
+unset NSS_ENABLE_ECC; %{__make} -C ./nss/cmd/fipstest
 %{__rm} -f build_these_later.tar

 # Set up our package file
 # The nspr_version and nss_{util|softokn}_version globals used
 # here match the ones nss has for its Requires. 
 # Using the current %%{nss_softokn_version} for fedora again
-%{__mkdir_p} ./mozilla/dist/pkgconfig
+%{__mkdir_p} ./dist/pkgconfig
 %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
@ -284,14 +299,14 @@ unset NSS_ENABLE_ECC; %{__make} -C ./mozilla/security/nss/cmd/fipstest
                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                          -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \
                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \
-                          ./mozilla/dist/pkgconfig/nss.pc
+                          ./dist/pkgconfig/nss.pc

-NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
-NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
-NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`

-export NSS_VMAJOR 
-export NSS_VMINOR 
+export NSS_VMAJOR
+export NSS_VMINOR
 export NSS_VPATCH

 %{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
@ -301,14 +316,14 @@ export NSS_VPATCH
                          -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
                          -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
                          -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
-                          > ./mozilla/dist/pkgconfig/nss-config
+                          > ./dist/pkgconfig/nss-config

-chmod 755 ./mozilla/dist/pkgconfig/nss-config
+chmod 755 ./dist/pkgconfig/nss-config

-%{__cat} %{SOURCE9} > ./mozilla/dist/pkgconfig/setup-nsssysinit.sh
-chmod 755 ./mozilla/dist/pkgconfig/setup-nsssysinit.sh
+%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh

-%{__cp} ./mozilla/security/nss/lib/ckfw/nssck.api ./mozilla/dist/private/nss/
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/

 %check
 if [ $DISABLETEST -eq 1 ]; then
@ -327,10 +342,13 @@ export BUILD_OPT
 USE_64=1
 export USE_64
 %endif
+
+export NSS_BLTEST_NOT_AVAILABLE=1
+
 # End -- copied from the build section

 # enable the following line to force a test failure
-# find ./mozilla -name \*.chk | xargs rm -f
+# find ./nss -name \*.chk | xargs rm -f

 # Run test suite.
 # In order to support multiple concurrent executions of the test suite
@ -343,34 +361,34 @@ export USE_64
 # Using xargs doesn't mix well with spaces in filenames, in order to
 # avoid weird quoting we'll require that no spaces are being used.

-SPACEISBAD=`find ./mozilla/security/nss/tests | grep -c ' '` ||:
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
 if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
 fi
 MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
 RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
-DISTBINDIR=`ls -d ./mozilla/dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
 pushd `pwd`
 cd $DISTBINDIR
 ln -s selfserv $RANDSERV
 popd
 # man perlrun, man perlrequick
 # replace word-occurrences of selfserv with selfserv_$MYRAND
-find ./mozilla/security/nss/tests -type f |\
+find ./nss/tests -type f |\
  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS  |xargs grep -lw selfserv |\
  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

 killall $RANDSERV || :

-rm -rf ./mozilla/tests_results
-cd ./mozilla/security/nss/tests/
+rm -rf ./tests_results
+cd ./nss/tests/
 # all.sh is the test suite script

 #  don't need to run all the tests when testing packaging
 #  nss_cycles: standard pkix upgradedb sharedb
-nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
+nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@ -381,11 +399,11 @@ nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits

 HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh

-cd ../../../../
+cd ../../

 killall $RANDSERV || :

-TEST_FAILURES=`grep -c FAILED ./mozilla/tests_results/security/localhost.1/output.log` || :
+TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || :
 # test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
 %ifnarch %{arm}
 if [ $TEST_FAILURES -ne 0 ]; then
@ -409,12 +427,12 @@ echo "test suite completed"
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

 touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
-%{__install} -p -m 755 mozilla/dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
+%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so

 # Copy the binary libraries we want
 for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  %{__install} -p -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done

 # Install the empty NSS db files
@ -431,38 +449,38 @@ done
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  %{__install} -p -m 644 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done

 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
 do
-  %{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done

 # Copy the binaries we ship as unsupported
 for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
 do
-  %{__install} -p -m 755 mozilla/dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done

 # Copy the include files we want
-for file in mozilla/dist/public/nss/*.h
+for file in dist/public/nss/*.h
 do
  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done

 # Copy the template files we want
-for file in mozilla/dist/private/nss/nssck.api
+for file in dist/private/nss/nssck.api
 do
  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
 done

 # Copy the package configuration files
-%{__install} -p -m 644 ./mozilla/dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
-%{__install} -p -m 755 ./mozilla/dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
 # Copy the pkcs #11 configuration script
-%{__install} -p -m 755 ./mozilla/dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh

 #remove the nss-util-devel headers
 rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/base64.h
@ -681,6 +699,8 @@ fi


 %changelog
+* Mon Jun 17 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-2
+
 * Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13.0
 - Reactivate nss-ssl-cbc-random-iv-off-by-default.patch

--- a/nsspem-use-system-freebl.patch
+++ b/nsspem-use-system-freebl.patch
@ -1,19 +1,6 @@
-diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk
--- ./mozilla/security/coreconf/Linux.mk.sytemfreebl	2011-12-03 22:07:23.924156119 -0800
-+++ ./mozilla/security/coreconf/Linux.mk	2011-12-03 22:08:28.322328345 -0800
-@@ -182,6 +182,9 @@ endif
- USE_SYSTEM_ZLIB = 1
- ZLIB_LIBS = -lz
- 
-+USE_SYSTEM_FREEBL = 1
-+FREEBL_LIBS = -lfreebl3
-+
- # The -rpath '$$ORIGIN' linker option instructs this library to search for its
- # dependencies in the same directory where it resides.
- ifeq ($(BUILD_SUN_PKG), 1)
-diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security/nss/lib/ckfw/pem/config.mk
--- ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/config.mk	2011-06-21 18:20:04.484985568 -0700
+diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
+--- nss/lib/ckfw/pem/config.mk.systemfreebl	2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/config.mk	2013-04-04 16:02:33.805744145 -0700
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
 #  are specifed as dependencies within rules.mk.
 #
@ -49,9 +36,9 @@ diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security
 +EXTRA_LIBS += $(FREEBL_LIBS)
 +endif
 +
-diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/nss/lib/ckfw/pem/Makefile
--- ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/Makefile	2011-06-21 18:25:25.959136920 -0700
+diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
+--- nss/lib/ckfw/pem/Makefile.systemfreebl	2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/Makefile	2013-04-04 16:02:33.806744154 -0700
@@ -43,8 +43,7 @@ include config.mk
 EXTRA_LIBS = \
 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
@ -82,9 +69,9 @@ diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/
 	$(NULL)
 endif
 
-diff -up ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras ./mozilla/security/nss/lib/ckfw/pem/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/manifest.mn	2011-06-21 18:20:04.485985661 -0700
+diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
+--- nss/lib/ckfw/pem/manifest.mn.systemfreebl	2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/manifest.mn	2013-04-04 16:02:33.807744163 -0700
@@ -65,4 +65,4 @@ REQUIRES = nspr
 
 LIBRARY_NAME = nsspem
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -1,7 +1,7 @@
-diff -up mozilla/security/nss/lib/ssl/sslsock.c.transitional mozilla/security/nss/lib/ssl/sslsock.c
--- mozilla/security/nss/lib/ssl/sslsock.c.transitional	2011-10-06 10:37:47.156659000 -0700
-+++ mozilla/security/nss/lib/ssl/sslsock.c	2011-10-06 10:38:32.276704000 -0700
-@@ -182,7 +182,7 @@ static sslOptions ssl_defaults = {
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2013-05-30 22:10:54.882675807 -0700
+++ nss/lib/ssl/sslsock.c	2013-05-30 22:12:11.909260024 -0700
+@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
     PR_FALSE,   /* noLocks            */
     PR_FALSE,   /* enableSessionTickets */
     PR_FALSE,   /* enableDeflate      */
@ -9,4 +9,4 @@ diff -up mozilla/security/nss/lib/ssl/sslsock.c.transitional mozilla/security/ns
 +    3,          /* enableRenegotiation (default: transitional) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE     /* cbcRandomIV        */
+     PR_TRUE,    /* cbcRandomIV        */
--- a/5
+++ b/5
@ -7,6 +7,5 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 f998b70c1be25e8bb9f5fdb5d50eb6f2  TestCA.ca.cert
 1b7b6808cd77d5df29bf5bb9e5fac967  TestUser50.cert
 ab0b56dd505a995425c03e5266f7c8d6  TestUser51.cert
-2a06bf7b815d1a666cc3587b895506ce  nss-pem-20120811.tar.bz2
-0be54f196b5da7e9008eb13a71bc2cb0  dummy-sources-for-testing
-43be35fcc852361748b59ba8ecd2e239  nss-3.14.3-stripped.tar.bz2
+496ef1cf07cf38bf0c1a8dae2d880a5e  nss-3.15-stripped.tar.bz2
+8b9cf94e7ed23586ab3f618366b6acb6  nss-pem-20130405.tar.bz2
--- a/utilwrap-include-templates.patch
+++ b/utilwrap-include-templates.patch
@ -0,0 +1,18 @@
+Index: ./nss/lib/nss/config.mk
+===================================================================
+RCS file: /cvsroot/nss/lib/nss/config.mk,v
+retrieving revision 1.37
+diff -u -p -r1.37 config.mk
+--- ./nss/lib/nss/config.mk	25 Apr 2012 14:50:03 -0000	1.37
+++ ./nss/lib/nss/config.mk	7 Feb 2013 02:22:58 -0000
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+INCLUDES += -I/usr/include/nss3/templates
+endif
+
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+