Fix the commit message

- Bug 1284095 - all https fails with sec_error_no_token

.gitignore

@@ -8,4 +8,6 @@ TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
 /nss-pem-20140125.tar.bz2
-/nss-3.17.4.tar.gz
+/PayPalRootCA.cert
+/PayPalICA.cert
+/nss-3.21.0.tar.gz

STAGE2-nss

@@ -0,0 +1,63 @@
+#requires nspr
+#requires perl
+#requires nss-util
+#requires nss-softokn
+
+mcd $BUILDDIR/nss
+
+export BUILD_OPT=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export NSPR_INCLUDE_DIR=/usr/include/nspr
+export NSPR_LIB_DIR=/usr/lib${SUFFIX}
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+export USE_SYSTEM_SOFTOKEN=1
+export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
+export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
+export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_NSSUTIL=1
+export FREEBL_INCLUDE_DIR=/usr/include/nss3
+export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_FREEBL=1
+export NSS_USE_SYSTEM_FREEBL=1
+export FREEBL_NO_DEPEND=1
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_NO_SSL2_NO_EXPORT=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSS_NO_PKCS11_BYPASS=1
+#export NSDISTMODE="copy"
+
+if [ "$SUFFIX" = "64" ]; then
+  USE_64=1
+  export USE_64
+fi
+
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss/coreconf
+make -C $SRC/nss-3.*/nss/lib/dbm
+make -C $SRC/nss-3.*/nss
+cd $SRC/nss-3.*/nss/coreconf
+make install
+cd $SRC/nss-3.*/nss/lib/dbm
+make install
+cd $SRC/nss-3.*/nss
+make install
+# Copy the binary libraries we want
+NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
+# BOZO: temporarily disable FIPS140 support
+#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
+NSSLIBCHKS=""
+# END BOZO
+cd $SRC/nss-3.*
+for file in $NSSLIBS $NSSLIBCHKS
+do
+  install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
+done
+# Copy the include files we want
+for file in $SRC/nss-*/dist/public/nss/*.h
+do
+  install -p -m 644 $file /usr/include/nss3/
+done

iquote.patch

@@ -173,3 +173,15 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile
+--- nss/lib/ssl/Makefile.iquote	2015-11-13 09:23:41.653738563 -0800
++++ nss/lib/ssl/Makefile	2015-11-13 09:25:25.121415348 -0800
+@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #

nss-539183.patch

@@ -1,11 +1,9 @@
-diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
---- nss/cmd/httpserv/httpserv.c.539183	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/httpserv/httpserv.c	2013-05-30 22:16:46.685373471 -0700
-@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
+diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
+--- ./nss/cmd/httpserv/httpserv.c.539183	2015-11-08 21:12:59.000000000 -0800
++++ ./nss/cmd/httpserv/httpserv.c	2015-11-12 13:28:01.574855325 -0800
+@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
      PRNetAddr          addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
 -    addr.inet.ip     = PR_INADDR_ANY;
@@ -15,9 +13,6 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
 -	errExit("PR_NewTCPSocket");
@@ -25,14 +20,12 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
---- nss/cmd/selfserv/selfserv.c.539183	2013-05-28 14:43:24.000000000 -0700
-+++ nss/cmd/selfserv/selfserv.c	2013-05-30 22:16:46.688373495 -0700
-@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
-     PRStatus	       prStatus;
+diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
+--- ./nss/cmd/selfserv/selfserv.c.539183	2015-11-08 21:12:59.000000000 -0800
++++ ./nss/cmd/selfserv/selfserv.c	2015-11-12 13:26:40.498345875 -0800
+@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
      PRNetAddr          addr;
      PRSocketOptionData opt;
-+    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
 -    addr.inet.ip     = PR_INADDR_ANY;
@@ -42,9 +35,6 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
-+    if (PR_GetEnv("NSS_USE_SDP")) {
-+        socketDomain = PR_AF_INET_SDP;
-+    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
 -	errExit("PR_NewTCPSocket");

nss.spec

@@ -1,6 +1,6 @@
-%global nspr_version 4.10.7
-%global nss_util_version 3.17.4
-%global nss_softokn_version 3.17.4
+%global nspr_version 4.10.10
+%global nss_util_version 3.21.0
+%global nss_softokn_version 3.21.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,8 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.17.4
-Release:          1%{?dist}
+Version:          3.21.0
+# for Rawhide, please always use release >= 2
+# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
+Release:          1.1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -56,11 +58,7 @@ Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
-Source10:         PayPalEE.cert
 Source12:         %{name}-pem-20140125.tar.bz2
-Source17:         TestCA.ca.cert
-Source18:         TestUser50.cert
-Source19:         TestUser51.cert
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
@@ -90,8 +88,18 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 # headers are older. Such is the case when starting an update with API changes or even private export changes.
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900
-Patch51:          tls12.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+
+# As of nss-3.21 we compile NSS with -Werror.
+# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
+# This requires a cleanup of the PEM module as we have it here.
+# TODO: submit a patch to the interim nss-pem upstream project
+# The submission will be very different from this patch as
+# cleanup there is already in progress there.
+Patch59: pem-compile-with-Werror.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -162,10 +170,6 @@ low level services.
 
 %prep
 %setup -q
-%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
-%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 
 %patch2 -p0 -b .relro
@@ -179,8 +183,9 @@ low level services.
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
 pushd nss
-%patch51 -p1 -b .994599
 popd
+%patch58 -p0 -b .1185708_3des
+%patch59 -p0 -b .compile_Werror
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -193,11 +198,15 @@ for file in ${pemNeedsFromSoftoken}; do
     %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
 done
 
-# Copying these header util the upstream bug is accepted
+# Copying these header until the upstream bug is accepted
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
 
+# Before removing util directory we must save verref.h
+# as it will be needed later during the build phase.
+%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
+
 ##### Remove util/freebl/softoken and low level tools
 ######## Remove freebl, softoken and util
 %{__rm} -rf ./nss/lib/freebl
@@ -264,10 +273,16 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+# external tests are causing build problems because they access ssl internal types
+# TODO: Investigate as there may be a better solution
+export NSS_DISABLE_GTESTS=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
+%endif
 
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -280,6 +295,13 @@ export NSS_ECC_MORE_THAN_SUITE_B
 export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/lib/util/verref.h which is which is exported privately,
+# copy the one we saved during prep so it they can find it.
+%{__mkdir_p} ./dist/private/nss
+%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
+
 %{__make} -C ./nss
 unset NSS_BLTEST_NOT_AVAILABLE
 
@@ -364,10 +386,12 @@ export FREEBL_NO_DEPEND
 BUILD_OPT=1
 export BUILD_OPT
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
+%endif
 
 export NSS_BLTEST_NOT_AVAILABLE=1
 
@@ -512,7 +536,7 @@ done
 %{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 %{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
 %{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
-     
+
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
@@ -526,7 +550,7 @@ do
 done
 
 # Copy the binaries we ship as unsupported
-for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
 do
   %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
@@ -558,7 +582,7 @@ for f in nss-config setup-nsssysinit; do
 done
 # Copy the man pages for the nss tools
 for f in "%{allTools}"; do 
-   install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+  install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 %if %{defined rhel}
 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
@@ -677,6 +701,7 @@ fi
 %{unsupported_tools_directory}/atob
 %{unsupported_tools_directory}/btoa
 %{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
 %{unsupported_tools_directory}/ocspclnt
 %{unsupported_tools_directory}/pp
 %{unsupported_tools_directory}/selfserv
@@ -781,21 +806,56 @@ fi
 
 
 %changelog
+* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.1
+- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
+- Resolves: Bug 1284095 - all https fails with sec_error_no_token
+
+* Mon Nov 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.0
+- Update to NSS 3.21
+- Package listsuites as part of the unsupported tools set
+- Resolves: Bug 1279912 - nss-3.21 is available
+- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
+- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
+
+* Mon Nov 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-1.0
+- Update to NSS 3.20.1
+
+* Mon Oct 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.1.1
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+
+* Thu Sep 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-1.1
+- Enable ECC cipher-suites by default [rhbz#1185708]
+
+* Sat Aug 22 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-2.0
+- Update to NSS 3.20
+
+* Wed Aug 12 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-2.0
+- Update to NSS 3.19.3
+
+* Thu Jun 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-1.0
+- Update to NSS 3.19.2
+
+* Thu May 28 2015 Kai Engert <kaie@redhat.com> - 3.19.1-1.0
+- Update to NSS 3.19.1
+
+* Tue May 19 2015 Kai Engert <kaie@redhat.com> - 3.19.0-1.0
+- Update to NSS 3.19
+
+* Mon Mar 23 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Update to nss-3.18.0
+
 * Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
 - Update to nss-3.17.4
 
 * Sat Jan 24 2015 Ville Skyttä <ville.skytta@iki.fi> - 3.17.3-4
 - Own the %%{_datadir}/doc/nss-tools dir
 
-* Tue Dec 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-3
+* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
 - Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
 - Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
 - Use %%{_mandir} instead of /usr/share/man as more generic
 
-* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
-- Install pp man page in alternative location
-- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
-
 * Fri Dec 05 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
 - Update to nss-3.17.3
 - Resolves: Bug 1171012 - nss-3.17.3 is available

pem-compile-with-Werror.patch

@@ -0,0 +1,146 @@
+diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
+--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
+@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
+ };
+ typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
+ 
++/* NOTE: Discrepancy with the the way callers use of the return value as a count
++ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
++ */
+ SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
+ const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
+ void pem_PopulateModulusExponent(pemInternalObject *io);
+diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
+--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
+@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
+     char *ivstring = NULL;
+     int cipher;
+ 
+-    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
++    /* TODO: Fix discrepancy between our usage of the return value as
++     * as an int (a count) and the declaration as a SECStatus. */
++    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+     if (nobjs <= 0) {
+         nss_ZFreeIf(objs);
+         return CKR_GENERAL_ERROR;
+@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
+         if (keyfile) {          /* add the private key */
+             SECItem **keyobjs = NULL;
+             int kobjs = 0;
++            /* TODO: Fix discrepancy between our usage of the return value as
++             * as an int and the declaration as a SECStatus. */
+             kobjs =
+-                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
++                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
+                                 &ivstring, PR_FALSE);
+             if (kobjs < 1) {
+                 error = CKR_GENERAL_ERROR;
+diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
+--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
+@@ -630,6 +630,11 @@ pem_DestroyInternalObject
+         if (io->u.key.ivstring)
+             free(io->u.key.ivstring);
+         break;
++    case pemAll:
++        /* pemAll is not used, keep the compiler happy
++         * TODO: investigate a proper solution
++         */
++        return;
+     }
+ 
+     if (NULL != gobj)
+@@ -1044,7 +1049,9 @@ pem_CreateObject
+     int nobjs = 0;
+     int i;
+     int objid;
++#if 0
+     pemToken *token;
++#endif
+     int cipher;
+     char *ivstring = NULL;
+     pemInternalObject *listObj = NULL;
+@@ -1073,7 +1080,9 @@ pem_CreateObject
+     }
+     slotID = nssCKFWSlot_GetSlotID(fwSlot);
+ 
++#if 0
+     token = (pemToken *) mdToken->etc;
++#endif
+ 
+     /*
+      * only create keys and certs.
+@@ -1114,7 +1123,11 @@ pem_CreateObject
+     }
+ 
+     if (objClass == CKO_CERTIFICATE) {
+-        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
++        /* TODO: Fix discrepancy between our usage of the return value as
++         * as an int and the declaration as a SECStatus. Typecasting as a
++         * temporary workaround.
++         */
++        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+         if (nobjs < 1)
+             goto loser;
+ 
+diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
+--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
+@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
+     return 0;
+ }
+ 
++/* unused functions */
++#if 0
+ static SHA1Context *SHA1_CloneContext(SHA1Context * original)
+ {
+     SHA1Context *clone = NULL;
+@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
+ 
+     return SECSuccess;
+ }
++#endif /* unused functions */
+ 
+ /*
+  * Format one block of data for public/private key encryption using
+diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
+--- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
++++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
+@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
+     return SECFailure;
+ }
+ 
+-int
++/* FIX: Returns a SECStatus yet callers take result as a count */
++SECStatus
+ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
+ 		int *cipher, char **ivstring, PRBool certsonly)
+ {
+@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
+ 		    goto loser;
+ 		}
+                 if ((certsonly && !key) || (!certsonly && key)) {
++		    error = CKR_OK;
+ 		    PUT_Object(der, error);
++		    if (error != CKR_OK) {
++			free(der);
++			goto loser;
++		    }
+                 } else {
+                     free(der->data);
+                     free(der);
+@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
+ 	    }
+ 
+ 	    /* NOTE: This code path has never been tested. */
++	    error = CKR_OK;
+ 	    PUT_Object(der, error);
++	    if (error != CKR_OK) {
++		free(der);
++		goto loser;
++	    }
+ 	}
+ 
+ 	nss_ZFreeIf(filedata.data);

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -0,0 +1,14 @@
+diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2015-09-29 16:24:18.717593591 -0700
++++ ./nss/lib/ssl/ssl3con.c	2015-09-29 16:25:22.672879926 -0700
+@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ #endif /* NSS_DISABLE_ECC */

sources

@@ -3,9 +3,5 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-c9fefa97dc184a5857f12d938517ed81  PayPalEE.cert
-f998b70c1be25e8bb9f5fdb5d50eb6f2  TestCA.ca.cert
-1b7b6808cd77d5df29bf5bb9e5fac967  TestUser50.cert
-ab0b56dd505a995425c03e5266f7c8d6  TestUser51.cert
 b8a94e863c852e1f8b75e930e76f8640  nss-pem-20140125.tar.bz2
-a77df26072cabf8afb26911b6fa9b755  nss-3.17.4.tar.gz
+f53ffa490133d29ff930fa4b29bade90  nss-3.21.0.tar.gz

tls12.patch

@@ -1,36 +0,0 @@
-# HG changeset patch
-# User Martin Thomson <martin.thomson@gmail.com>
-# Date 1413479112 25200
-#      Thu Oct 16 10:05:12 2014 -0700
-# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d
-# Parent  24852c6f89ea7ed2b8f231320d9a0a03bdd706d4
-Bug 1083900 - Updating default maximum version to 1.2
-
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
-     PR_FALSE    /* enableFallbackSCSV */
- };
- 
- /*
-  * default range of enabled SSL/TLS protocols
-  */
- static SSLVersionRange versions_defaults_stream = {
-     SSL_LIBRARY_VERSION_3_0,
--    SSL_LIBRARY_VERSION_TLS_1_0
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- static SSLVersionRange versions_defaults_datagram = {
-     SSL_LIBRARY_VERSION_TLS_1_1,
--    SSL_LIBRARY_VERSION_TLS_1_1
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- #define VERSIONS_DEFAULTS(variant) \
-     (variant == ssl_variant_stream ? &versions_defaults_stream : \
-                                      &versions_defaults_datagram)
- 
- sslSessionIDLookupFunc  ssl_sid_lookup;
- sslSessionIDCacheFunc   ssl_sid_cache;