Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled.

Also disable building DBM backend

.gitignore

@@ -4,6 +4,48 @@ blank-secmod.db
 blank-cert9.db
 blank-key4.db
 PayPalEE.cert
-/nss-pem-20120811.tar.bz2
-/dummy-sources-for-testing
-/nss-3.14.2-stripped.tar.bz2
+TestCA.ca.cert
+TestUser50.cert
+TestUser51.cert
+/PayPalRootCA.cert
+/PayPalICA.cert
+/nss-3.25.0.tar.gz
+/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
+/nss-3.27.2.tar.gz
+/nss-3.28.1.tar.gz
+/nss-3.29.0.tar.gz
+/nss-3.29.1.tar.gz
+/nss-3.30.0.tar.gz
+/nss-3.30.2.tar.gz
+/nss-3.31.0.tar.gz
+/nss-3.32.0.tar.gz
+/nss-3.32.1.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz
+/nss-3.37.1.tar.gz
+/nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
+/nss-3.39.tar.gz
+/nss-3.40.1.tar.gz
+/nss-3.41.tar.gz
+/nss-3.42.tar.gz
+/nss-3.42.1.tar.gz
+/nss-3.43.tar.gz
+/nss-3.44.tar.gz
+/nss-3.44.1.tar.gz
+/nss-3.45.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz
+/nss-3.51.1.tar.gz
+/nss-3.52.tar.gz

STAGE2-nss

@@ -0,0 +1,68 @@
+#requires nspr
+#requires perl
+#requires nss-util
+#requires nss-softokn
+
+mcd $BUILDDIR/nss
+
+export BUILD_OPT=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export NSPR_INCLUDE_DIR=/usr/include/nspr
+export NSPR_LIB_DIR=/usr/lib${SUFFIX}
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+export USE_SYSTEM_SOFTOKEN=1
+export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
+export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
+export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_NSSUTIL=1
+export FREEBL_INCLUDE_DIR=/usr/include/nss3
+export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_FREEBL=1
+export NSS_USE_SYSTEM_FREEBL=1
+export FREEBL_NO_DEPEND=1
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_NO_SSL2_NO_EXPORT=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSS_NO_PKCS11_BYPASS=1
+#export NSDISTMODE="copy"
+
+if [ "$SUFFIX" = "64" ]; then
+  USE_64=1
+  export USE_64
+fi
+
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss/coreconf
+make -C $SRC/nss-3.*/nss/lib/dbm
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/verref.h which is exported privately, move it to where it can be found.
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss
+cd $SRC/nss-3.*/nss/coreconf
+make install
+cd $SRC/nss-3.*/nss/lib/dbm
+make install
+cd $SRC/nss-3.*/nss
+make install
+# Copy the binary libraries we want
+NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
+# BOZO: temporarily disable FIPS140 support
+#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
+NSSLIBCHKS=""
+# END BOZO
+cd $SRC/nss-3.*
+for file in $NSSLIBS $NSSLIBCHKS
+do
+  install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
+done
+# Copy the include files we want
+for file in $SRC/nss-*/dist/public/nss/*.h
+do
+  install -p -m 644 $file /usr/include/nss3/
+done

add-relro-linker-option.patch

@@ -1,16 +0,0 @@
-diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
---- mozilla/security/coreconf/Linux.mk.relro	2010-08-12 18:32:29.000000000 -0700
-+++ mozilla/security/coreconf/Linux.mk	2011-09-27 16:12:22.234743170 -0700
-@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
- endif
- endif
- 
-+# harden DSOs/executables a bit against exploits
-+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
-+DSO_LDOPTS+=-Wl,-z,relro
-+LDFLAGS	+= -Wl,-z,relro
-+endif
-+
- USE_SYSTEM_ZLIB = 1
- ZLIB_LIBS = -lz
- 

allow-building-nss-against-older-sqlite.patch

@@ -1,20 +0,0 @@
-Index: ./mozilla/security/nss/lib/softoken/sdb.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sdb.c,v
-retrieving revision 1.30
-retrieving revision 1.31
-diff -u -p -r1.30 -r1.31
---- ./mozilla/security/nss/lib/softoken/sdb.c	16 Jan 2013 18:13:25 -0000	1.30
-+++ ./mozilla/security/nss/lib/softoken/sdb.c	4 Feb 2013 19:58:20 -0000	1.31
-@@ -254,6 +254,11 @@ sdb_getFallbackTempDir(void)
- #error "sdb_getFallbackTempDir not implemented"
- #endif
- 
-+#ifndef SQLITE_FCNTL_TEMPFILENAME
-+/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
-+#define SQLITE_FCNTL_TEMPFILENAME 16
-+#endif
-+
- static char *
- sdb_getTempDir(sqlite3 *sqlDB)
- {

cert8.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert8.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>cert8.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cert8.db</refname>
+    <refpurpose>Legacy NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
+  <para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/cert8.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

cert9.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert9.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>cert9.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cert9.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
+  <para>This certificate database is the sqlite-based shared database with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

iquote.patch

@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
+ endif
+ 
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

key3.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key3.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>key3.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>key3.db</refname>
+    <refpurpose>Legacy NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
+  <para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which  which are the new sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/key3.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

key4.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key4.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>key4.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>key4.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
+  <para>This key database is the sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/key4.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

mozilla-crypto-strip.sh

@@ -1,128 +0,0 @@
-#!/bin/sh
-set -e
-
-if test -z $1
-then
-  echo "usage: $0 <input-tarball>"
-  exit
-fi
-
-ORIGDIR=`pwd`
-WORKDIR=nss_ecc_strip_working_dir
-EXTENSION=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\2#'`
-BASE=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\1#'`
-COMPRESS=""
-
-if test "x$EXTENSION" = "x.tar.bz2" || test "x$EXTENSION" = "x.tbz2"
-then
-  COMPRESS="j"
-fi
-
-if test "x$EXTENSION" = "x.tar.gz" || test "x$EXTENSION" = "x.tgz"
-then
-  COMPRESS="z"
-fi
-
-if test "x$COMPRESS" = "x"
-then
-  echo "unable to process, input file $1 has unsupported extension"
-  exit
-fi
-
-echo "== extension is $EXTENSION - ok"
-echo "== new extension will be $JEXTENSION"
-echo "== cleaning old workdir $WORKDIR"
-
-rm -rf $WORKDIR
-mkdir $WORKDIR
-
-echo "== extracting input archive $1"
-tar -x -$COMPRESS -C $WORKDIR -f $1
-
-echo "changing into $WORKDIR"
-pushd $WORKDIR
-
-DIRCOUNT=`ls -1 | wc -l`
-if test $DIRCOUNT -ne 1
-then
-  echo "unable to process, $1 contains more than one toplevel directory"
-  exit
-fi
-
-TOPDIR=`ls -1`
-if test "x$TOPDIR" != "xmozilla"
-then
-  # try to deal with a single additional subdirectory above "mozilla"
-  echo "== skipping toplevel directory $TOPDIR"
-  cd $TOPDIR
-fi
-
-DIRCOUNT=`ls -1 | wc -l`
-if test $DIRCOUNT -ne 1
-then
-  echo "unable to process, $1 contains more than one second level directory"
-  exit
-fi
-
-SINGLEDIR=`ls -1`
-if test "x$SINGLEDIR" != "xmozilla"
-then
-  echo "unable to process, first or second level directory is not mozilla"
-  exit
-fi
-
-echo "== input archive accepted, now processing"
-
-REALFREEBLDIR=mozilla/security/nss/lib/freebl
-FREEBLDIR=./$REALFREEBLDIR
-
-rm -rf ./mozilla/security/nss/cmd/ecperf
-
-mv ${FREEBLDIR}/ecl/ecl-exp.h ${FREEBLDIR}/save
-rm -rf ${FREEBLDIR}/ecl/tests
-rm -rf ${FREEBLDIR}/ecl/CVS
-for i in ${FREEBLDIR}/ecl/* ; do
-echo clobbering $i
- > $i
-done
-mv ${FREEBLDIR}/save ${FREEBLDIR}/ecl/ecl-exp.h
-
-for j in ${FREEBLDIR}/ec.*; do
-        echo unifdef $j
-        cat $j | \
-        awk    'BEGIN {ech=1; prt=0;} \
-                /^#[ \t]*ifdef.*NSS_ENABLE_ECC/ {ech--; next;} \
-                /^#[ \t]*if/ {if(ech < 1) ech--;} \
-                {if(ech>0) {;print $0};} \
-                /^#[ \t]*endif/ {if(ech < 1) ech++;} \
-                {if (prt && (ech<=0)) {;print $0}; } \
-                {if (ech>0) {prt=0;} } \
-                /^#[ \t]*else/ {if (ech == 0) prt=1;}' > $j.hobbled && \
-        mv $j.hobbled $j
-done
-
-echo "== returning to original directory"
-popd
-
-JCOMPRESS=j
-JEXTENSION=.tar.bz2
-NEWARCHIVE=$BASE-stripped$JEXTENSION
-echo "== finally producing new archive $NEWARCHIVE"
-tar -c -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $TOPDIR
-
-echo "== all done, listing of old and new archive:"
-ls -l $1
-ls -l $NEWARCHIVE
-
-LISTING_DIR=""
-if test "x$TOPDIR" != "xmozilla"
-then
-  LISTING_DIR="$TOPDIR/$REALFREEBLDIR/ecl"
-else
-  LISTING_DIR="$REALFREEBLDIR/ecl"
-fi
-
-echo "== FYI, producing listing of stripped dir in new archive"
-tar -t -v -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $LISTING_DIR
-
-

no-softoken-freebl-tests.patch

@@ -1,39 +0,0 @@
-diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile
---- ./mozilla/security/nss/cmd/Makefile.nosoftokentests	2012-12-22 14:06:13.193304912 -0800
-+++ ./mozilla/security/nss/cmd/Makefile	2012-12-22 14:10:04.942248630 -0800
-@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS
- DIRS += libpkix
- endif
- 
-+# nss-softoken only tests
-+BLTEST_SRCDIR=
-+FIPSTEST_SRCDIR=
-+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-+BLTEST_SRCDIR=bltest              # Add the bltest directory to DIRS.
-+FIPSTEST_SRCDIR=fipstest          # Add the fipstest directory to DIRS.
-+endif
-+
- LOWHASHTEST_SRCDIR=
- ifeq ($(FREEBL_LOWHASH),1)
- LOWHASHTEST_SRCDIR = lowhashtest  # Add the lowhashtest directory to DIRS.
-diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn
---- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests	2012-12-22 14:06:35.191293837 -0800
-+++ ./mozilla/security/nss/cmd/manifest.mn	2012-12-22 14:11:22.342263467 -0800
-@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm
- DIRS = lib  \
-  addbuiltin \
-  atob  \
-- bltest \
-+ $(BLTEST_SRCDIR) \
-  btoa  \
-  certcgi \
-  certutil  \
-@@ -23,7 +23,7 @@ DIRS = lib  \
-  derdump  \
-  digest  \
-  httpserv  \
-- fipstest  \
-+ $(FIPSTEST_SRCDIR)  \
-  $(LOWHASHTEST_SRCDIR)  \
-  listsuites \
-  makepqg  \

nss-3.14.0.0-disble-ocsp-test.patch

@@ -1,10 +0,0 @@
-diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
---- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest	2013-01-06 19:56:15.000000000 -0800
-+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios	2013-02-01 08:38:28.140615299 -0800
-@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg

nss-539183.patch

@@ -1,62 +1,62 @@
-Index: ./mozilla/security/nss/cmd/httpserv/httpserv.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/httpserv/httpserv.c,v
-retrieving revision 1.1
-diff -u -p -r1.1 httpserv.c
---- ./mozilla/security/nss/cmd/httpserv/httpserv.c	28 Jun 2012 11:11:06 -0000	1.1
-+++ ./mozilla/security/nss/cmd/httpserv/httpserv.c	21 Oct 2012 22:22:10 -0000
-@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
-     PRNetAddr          addr;
+--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
++        errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
-+	errExit("PR_OpenTCPSocket error");
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSockett");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-Index: ./mozilla/security/nss/cmd/selfserv/selfserv.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v
-retrieving revision 1.102
-diff -u -p -r1.102 selfserv.c
---- ./mozilla/security/nss/cmd/selfserv/selfserv.c	27 Sep 2012 17:13:34 -0000	1.102
-+++ ./mozilla/security/nss/cmd/selfserv/selfserv.c	21 Oct 2012 22:22:10 -0000
-@@ -1483,14 +1483,18 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
-     PRNetAddr          addr;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip     = PR_INADDR_ANY;
--    addr.inet.port   = PR_htons(port);
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+	errExit("PR_SetNetAddr");
++        errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--	errExit("PR_NewTCPSocket");
+-        errExit("PR_NewTCPSocket");
 +        errExit("PR_OpenTCPSocket error");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-646045.patch

@@ -1,34 +0,0 @@
-diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/security/nss/tests/dbtests/dbtests.sh
---- ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot	2011-04-06 09:56:07.207701000 -0700
-+++ ./mozilla/security/nss/tests/dbtests/dbtests.sh	2011-04-06 10:19:54.159552000 -0700
-@@ -201,6 +201,9 @@ dbtest_main()
-         cat $RONLY_DIR/* > /dev/null
-     fi
- 
-+    # skipping the next two tests when user is root,
-+    # otherwise they would fail due to rooty powers
-+    if [[ $EUID -ne 0 ]] then
-     ${BINDIR}/dbtest -d $RONLY_DIR
-     ret=$?
-     if [ $ret -ne 46 ]; then
-@@ -208,6 +211,10 @@ dbtest_main()
-     else
-       html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
-     fi
-+    else
-+      html_passed "Skipping Dbtest r/w in a readonly dir because user is root" 
-+    fi
-+    if [[ $EUID -ne 0 ]] then
-     ${BINDIR}/certutil -D -n "TestUser" -d .
-     ret=$?
-     if [ $ret -ne 255 ]; then
-@@ -215,6 +222,9 @@ dbtest_main()
-     else
-         html_passed "Certutil didn't work in an readonly dir $ret"
-     fi
-+    else
-+      html_passed "Skipping Certutil delete cert in an readonly directory test because user is root" 
-+    fi
-     
-     Echo "test opening the database ronly in a readonly directory"
- 

nss-config.xml

@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nss-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-config</refname>
+    <refpurpose>Return meta information about nss libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+
+    <para><command>nss-config</command> is a shell scrip
+    tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
+
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+    
+      <programlisting>
+        /usr/bin/nss-config --cflags --libs
+      </programlisting>
+
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nss-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

nss-enable-pem.patch

@@ -1,12 +0,0 @@
-diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
---- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem	2008-08-05 16:34:23.000000000 -0700
-+++ ./mozilla/security/nss/lib/ckfw/manifest.mn	2008-08-05 16:34:30.000000000 -0700
-@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
- 
- CORE_DEPTH = ../../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \

nss-gcm-param-default-pkcs11v2.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+ 
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+ 
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif

nss-kremlin-ppc64le.patch

@@ -0,0 +1,31 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,9 +56,10 @@ typedef const char *Prims_string;
+     !defined(__clang__)
+ #include <emmintrin.h>
+ typedef __m128i FStar_UInt128_uint128;
+-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
+ typedef __uint128_t FStar_UInt128_uint128;
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -26,7 +26,8 @@
+ 
+ #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ 
+ /* GCC + using native unsigned __int128 support */
+ 

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss-signtool-format.patch

@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+         if (!dir) {
+             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+             errorCount++;
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                errorCount++;
++                return -1;
++            }
+             if (rm_dash_r(filename))
+                 return -1;
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+             errorCount++;
+             return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 

nss-softokn-config.in

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi
+

nss-softokn-dracut-module-setup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so
+}

nss-softokn-dracut.conf

@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}

nss-ssl-cbc-random-iv-off-by-default.patch

@@ -1,25 +0,0 @@
-diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
---- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff	2013-02-01 10:14:36.960458329 -0800
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2013-02-01 10:17:16.532265855 -0800
-@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
-     3,          /* enableRenegotiation (default: transitional) */
-     PR_FALSE,   /* requireSafeNegotiation */
-     PR_FALSE,   /* enableFalseStart   */
--    PR_TRUE     /* cbcRandomIV        */
-+    PR_FALSE    /* cbcRandomIV        */ /* defaults to off for compatibility */
- };
- 
- /*
-@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
- 	                PR_TRUE));
- 	}
- 	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
--	if (ev && ev[0] == '0') {
--	    ssl_defaults.cbcRandomIV = PR_FALSE;
--	    SSL_TRACE(("SSL: cbcRandomIV set to 0"));
-+	if (ev && ev[0] == '1') {
-+	    ssl_defaults.cbcRandomIV = PR_TRUE;
-+	    SSL_TRACE(("SSL: cbcRandomIV set to 1"));
- 	}
-     }
- #endif /* NSS_HAVE_GETENV */

nss-ssl-enforce-no-pkcs11-bypass.path

@@ -1,15 +0,0 @@
-diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
-diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
---- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass	2012-10-07 15:12:25.455307540 -0700
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-10-07 15:21:27.229346754 -0700
-@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
- static PRStatus SSL_BypassSetup(void)
- {
- #ifdef NO_PKCS11_BYPASS
--    /* Guarantee binary compatibility */
--    return PR_SUCCESS;
-+    /* We can safely return failure as we have never supported it */
-+    return PR_FALSE;
- #else
-     return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
- #endif

nss-util-config.in

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nssutil
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi
+

nss-util.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}

nsspem-use-system-freebl.patch

@@ -1,93 +0,0 @@
-diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk
---- ./mozilla/security/coreconf/Linux.mk.sytemfreebl	2011-12-03 22:07:23.924156119 -0800
-+++ ./mozilla/security/coreconf/Linux.mk	2011-12-03 22:08:28.322328345 -0800
-@@ -182,6 +182,9 @@ endif
- USE_SYSTEM_ZLIB = 1
- ZLIB_LIBS = -lz
- 
-+USE_SYSTEM_FREEBL = 1
-+FREEBL_LIBS = -lfreebl3
-+
- # The -rpath '$$ORIGIN' linker option instructs this library to search for its
- # dependencies in the same directory where it resides.
- ifeq ($(BUILD_SUN_PKG), 1)
-diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security/nss/lib/ckfw/pem/config.mk
---- ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/config.mk	2011-06-21 18:20:04.484985568 -0700
-@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
- #  are specifed as dependencies within rules.mk.
- #
- 
-+
-+EXTRA_LIBS += \
-+	$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
-+	$(NULL)
-+
- TARGETS        = $(SHARED_LIBRARY)
- LIBRARY        =
- IMPORT_LIBRARY =
-@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
- MKSHLIB += -R '$$ORIGIN'
- endif
- 
-+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
-+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_NSSUTIL
-+OS_LIBS += $(NSSUTIL_LIBS)
-+else
-+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(NSSUTIL_LIBS)
-+endif
-+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
-+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
-+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
-+ifdef USE_SYSTEM_FREEBL
-+OS_LIBS += $(FREEBL_LIBS)
-+else
-+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
-+EXTRA_LIBS += $(FREEBL_LIBS)
-+endif
-+
-diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/nss/lib/ckfw/pem/Makefile
---- ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/Makefile	2011-06-21 18:25:25.959136920 -0700
-@@ -43,8 +43,7 @@ include config.mk
- EXTRA_LIBS = \
- 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
- 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
--	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
-+	$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- 	$(NULL)
- 
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
-@@ -56,6 +55,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3
- 	$(NULL)
- else 
- EXTRA_SHARED_LIBS += \
-@@ -74,6 +76,9 @@ EXTRA_LIBS += \
- 	-lplc4 \
- 	-lplds4 \
- 	-lnspr4 \
-+	-L$(NSSUTIL_LIB_DIR) \
-+	-lnssutil3 \
-+	-lfreebl3 \
- 	$(NULL)
- endif
- 
-diff -up ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras ./mozilla/security/nss/lib/ckfw/pem/manifest.mn
---- ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras	2010-11-25 10:01:17.000000000 -0800
-+++ ./mozilla/security/nss/lib/ckfw/pem/manifest.mn	2011-06-21 18:20:04.485985661 -0700
-@@ -65,4 +65,4 @@ REQUIRES = nspr
- 
- LIBRARY_NAME = nsspem
- 
--#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
-+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

pkcs11.txt.xml

@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>pkcs11.txt</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>pkcs11.txt</refname>
+    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+  </refnamediv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+    </para>
+    <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+    </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

renegotiate-transitional.patch

@@ -1,12 +0,0 @@
-diff -up mozilla/security/nss/lib/ssl/sslsock.c.transitional mozilla/security/nss/lib/ssl/sslsock.c
---- mozilla/security/nss/lib/ssl/sslsock.c.transitional	2011-10-06 10:37:47.156659000 -0700
-+++ mozilla/security/nss/lib/ssl/sslsock.c	2011-10-06 10:38:32.276704000 -0700
-@@ -182,7 +182,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,   /* noLocks            */
-     PR_FALSE,   /* enableSessionTickets */
-     PR_FALSE,   /* enableDeflate      */
--    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: transitional) */
-     PR_FALSE,   /* requireSafeNegotiation */
-     PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE     /* cbcRandomIV        */

secmod.db.xml

@@ -0,0 +1,63 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="secmod.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>secmod.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>secmod.db</refname>
+    <refpurpose>Legacy NSS security modules database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
+  <para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
+  </para>
+  <para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
+  </para>
+  <para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/secmod.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

setup-nsssysinit.xml

@@ -0,0 +1,106 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="setup-nsssysinit">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>setup-nsssysinit</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>setup-nsssysinit</refname>
+    <refpurpose>Query or enable the nss-sysinit module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>setup-nsssysinit</command>
+      <arg><option>on</option></arg>
+      <arg><option>off</option></arg>
+      <arg><option>status</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
+  <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+  </para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>on</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>off</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>status</option></term>
+        <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for the status of nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit status
+      </programlisting>
+    </para>
+
+    <para>The following example, when run as superuser, will turn on nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit on
+      </programlisting>
+    </para>
+
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

sources

@@ -1,9 +1,6 @@
-a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
-9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
-73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
-691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
-2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-bf47cecad861efa77d1488ad4a73cb5b  PayPalEE.cert
-2a06bf7b815d1a666cc3587b895506ce  nss-pem-20120811.tar.bz2
-0be54f196b5da7e9008eb13a71bc2cb0  dummy-sources-for-testing
-828c6949bd348684b15237f8796f54c1  nss-3.14.2-stripped.tar.bz2
+SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
+SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
+SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
+SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
+SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
+SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss