Update to NSS 3.34.0

See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6

.gitignore

@@ -10,3 +10,14 @@ TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
 /nss-3.25.0.tar.gz
+/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
+/nss-3.28.1.tar.gz
+/nss-3.28.3.tar.gz
+/nss-3.29.3.tar.gz
+/nss-3.30.2.tar.gz
+/nss-3.31.0.tar.gz
+/nss-3.32.0.tar.gz
+/nss-3.32.1.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz

iquote.patch

@@ -1,211 +1,13 @@
-diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
---- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- 
- #######################################################################
-diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
-@@ -45,6 +45,10 @@ endif
- 
- ifdef NSS_INCLUDE_DIR
-     INCLUDES += -I$(NSS_INCLUDE_DIR)
-+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+        INCLUDES += -iquote $(DIST)/../public/nss
-+        INCLUDES += -iquote $(DIST)/../private/nss
-+    endif
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
  endif
  
- ifndef NSS_LIB_DIR
-diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
---- ./nss/external_tests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/external_tests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
---- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/external_tests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
-@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
---- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

nss-check-policy-file.patch

@@ -1,275 +1,25 @@
-diff --git a/lib/nss/config.mk b/lib/nss/config.mk
---- a/lib/nss/config.mk
-+++ b/lib/nss/config.mk
-@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \
- ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
- ifndef NS_USE_GCC
- # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
- # but do not put it in the import library.  See bug 142575.
- DEFINES += -DWIN32_NSS3_DLL_COMPAT
- DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
- endif
- endif
-+
-+ifdef POLICY_FILE
-+ifndef POLICY_PATH
-+$(error You must define POLICY_PATH if you set POLICY_FILE)
-+endif
-+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
-+endif
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
- 
- /*
-  * see nss_Init for definitions of the various options.
-  *
-  * this function builds a moduleSpec string from the options and previously
-  * set statics (from PKCS11_Configure, for instance), and uses it to kick off
-  * the loading of the various PKCS #11 modules.
-  */
--static SECStatus
-+static SECMODModule *
- nss_InitModules(const char *configdir, const char *certPrefix, 
- 		const char *keyPrefix, const char *secmodName, 
- 		const char *updateDir, const char *updCertPrefix, 
- 		const char *updKeyPrefix, const char *updateID, 
- 		const char *updateName, char *configName, char *configStrings,
- 		PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
- 		PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
- 		PRBool isContextInit)
- {
--    SECStatus rv = SECFailure;
-+    SECMODModule *module = NULL;
-     char *moduleSpec = NULL;
-     char *flags = NULL;
-     char *lconfigdir = NULL;
-     char *lcertPrefix = NULL;
-     char *lkeyPrefix = NULL;
-     char *lsecmodName = NULL;
-     char *lupdateDir = NULL;
-     char *lupdCertPrefix = NULL;
-     char *lupdKeyPrefix = NULL;
-     char *lupdateID = NULL;
-     char *lupdateName = NULL;
- 
-     if (NSS_InitializePRErrorTable() != SECSuccess) {
- 	PORT_SetError(SEC_ERROR_NO_MEMORY);
--	return rv;
-+	return NULL;
-     }
- 
-     flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
- 					pwRequired, optimizeSpace);
--    if (flags == NULL) return rv;
-+    if (flags == NULL) return NULL;
- 
-     /*
-      * configdir is double nested, and Windows uses the same character
-      * for file seps as we use for escapes! (sigh).
-      */
-     lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
-     if (lconfigdir == NULL) {
- 	goto loser;
-@@ -427,24 +427,26 @@ loser:
-     if (lsecmodName) PORT_Free(lsecmodName);
-     if (lupdateDir) PORT_Free(lupdateDir);
-     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
-     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
-     if (lupdateID) PORT_Free(lupdateID);
-     if (lupdateName) PORT_Free(lupdateName);
- 
-     if (moduleSpec) {
--	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-+	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
- 	PR_smprintf_free(moduleSpec);
- 	if (module) {
--	    if (module->loaded) rv=SECSuccess;
--	    SECMOD_DestroyModule(module);
-+	    if (!module->loaded) {
-+	        SECMOD_DestroyModule(module);
-+		module = NULL;
-+	    }
- 	}
-     }
--    return rv;
-+    return module;
- }
- 
- /*
-  * OK there are now lots of options here, lets go through them all:
-  *
-  * configdir - base directory where all the cert, key, and module datbases live.
-  * certPrefix - prefix added to the beginning of the cert database example: "
-  * 			"https-server1-"
-@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
- 		 NSSInitContext ** initContextPtr,
- 		 NSSInitParameters *initParams,
- 		 PRBool readOnly, PRBool noCertDB, 
- 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
- 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
- 		 PRBool allowAlreadyInitializedModules,
- 		 PRBool dontFinalizeModules)
- {
--    SECStatus rv = SECFailure;
-+    SECMODModule *parent = NULL;
-     PKIX_UInt32 actualMinorVersion = 0;
-     PKIX_Error *pkixError = NULL;
-     PRBool isReallyInitted;
-     char *configStrings = NULL;
-     char *configName = NULL;
-     PRBool passwordRequired = PR_FALSE;
- 
-     /* if we are trying to init with a traditional NSS_Init call, maintain
-@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
- 	configStrings = pk11_config_strings;
- 	configName = pk11_config_name;
- 	passwordRequired = pk11_password_required;
-     }
- 
-     /* Skip the module init if we are already initted and we are trying
-      * to init with noCertDB and noModDB */
-     if (!(isReallyInitted && noCertDB && noModDB)) {
--	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
-+	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
- 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
- 		updateName, configName, configStrings, passwordRequired,
- 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
- 		(initContextPtr != NULL));
- 
--	if (rv != SECSuccess) {
-+	if (parent == NULL) {
- 	    goto loser;
- 	}
-     }
- 
- 
-     /* finish up initialization */
-     if (!isReallyInitted) {
- 	if (SECOID_Init() != SECSuccess) {
-@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
- 		     * path. Skip it */
- 		    dbpath = NULL;
- 		}
- 		if (dbpath) {
- 		    nss_FindExternalRoot(dbpath, secmodName);
- 		}
- 	    }
- 	}
--
-+#ifdef POLICY_FILE
-+        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-+	    SECMODModule *module = SECMOD_LoadModule(
-+		"name=\"Policy File\" "
-+		"parameters=\"configdir='sql:" POLICY_PATH "' "
-+		"secmod='" POLICY_FILE "' "
-+		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-+		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-+		parent, PR_TRUE); 
-+	    if (module) {
-+		PRBool isLoaded = module->loaded;
-+		SECMOD_DestroyModule(module);
-+		if (!isLoaded) {
-+		    goto loser;
-+		}
-+	    }
-+	}
-+#endif
- 	pk11sdr_Init();
- 	cert_CreateSubjectKeyIDHashTable();
- 
- 	pkixError = PKIX_Initialize
- 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
- 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
- 
- 	if (pkixError != NULL) {
-@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
-     nssIsInInit--;
-     /* now that we are inited, all waiters can move forward */
-     PZ_NotifyAllCondVar(nssInitCondition);
-     PZ_Unlock(nssInitLock);
- 
-     if (initContextPtr && configStrings) {
- 	PR_smprintf_free(configStrings);
-     }
-+    if (parent) {
-+	SECMOD_DestroyModule(parent);
-+    }
- 
-     return SECSuccess;
- 
- loser:
-     if (initContextPtr && *initContextPtr) {
- 	PORT_Free(*initContextPtr);
- 	*initContextPtr = NULL;
- 	if (configStrings) {
- 	   PR_smprintf_free(configStrings);
- 	}
-     }
-     PZ_Lock(nssInitLock);
-     nssIsInInit--;
-     /* We failed to init, allow one to move forward */
-     PZ_NotifyCondVar(nssInitCondition);
-     PZ_Unlock(nssInitLock);
-+    if (parent) {
-+	SECMOD_DestroyModule(parent);
-+    }
-     return SECFailure;
- }
- 
- 
- SECStatus
- NSS_Init(const char *configdir)
- {
-     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
-diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
---- a/lib/pk11wrap/pk11pars.c
-+++ b/lib/pk11wrap/pk11pars.c
-@@ -105,16 +105,17 @@ secmod_NewModule(void)
-  *   This  allows system NSS to delegate those changes to the user's module DB, 
-  *   preserving the user's ability to load new PKCS #11 modules (which only 
-  *   affect him), from existing applications like Firefox.
-  */
- #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
- 						  *other flags are set */
- #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-01-06 13:21:47.002952050 +0100
++++ nss/lib/pk11wrap/pk11pars.c	2017-01-06 13:28:18.972536334 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+                                                  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
  #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
-+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY   0x08
- 
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
  
  /* private flags for internal (field in SECMODModule). */
  /* The meaing of these flags is as follows:
-  *
-  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
-  *   the internal module (that is, softoken). This bit is the same as the 
-  *   already existing meaning of internal = PR_TRUE. None of the other 
-@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
-     if (mod->isModuleDB) {
- 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
- 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
- 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
- 	}
- 	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
- 	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
- 	}
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+         }
 +	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
 +	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
 +	}
- 	/* additional moduleDB flags could be added here in the future */
- 	mod->isModuleDB = (PRBool) flags;
+         /* additional moduleDB flags could be added here in the future */
+         mod->isModuleDB = (PRBool)flags;
      }
- 
-     if (mod->internal) {
- 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
- 
- 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
-@@ -738,16 +742,24 @@ PRBool
- SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
- {
-    char flags = (char) mod->isModuleDB;
- 
-    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
  }
  
  PRBool
@@ -283,20 +33,10 @@ diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
 +PRBool
  secmod_IsInternalKeySlot(SECMODModule *mod)
  {
-    char flags = (char) mod->internal;
- 
-    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
- }
- 
- void
-@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
-     if (library) PORT_Free(library);
-     if (moduleName) PORT_Free(moduleName);
-     if (parameters) PORT_Free(parameters);
-     if (nss) PORT_Free(nss);
-     if (config) PORT_Free(config);
+     char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
      if (!module) {
- 	goto loser;
+         goto loser;
      }
 +
 +    /* a policy only stanza doesn't actually get 'loaded'. policy has already
@@ -305,33 +45,5 @@ diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
 +	return module;
 +    }
      if (parent) {
-     	module->parent = SECMOD_ReferenceModule(parent);
- 	if (module->internal && secmod_IsInternalKeySlot(parent)) {
- 	    module->internal = parent->internal;
- 	}
-     }
- 
-     /* load it */
-diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
---- a/lib/util/utilpars.c
-+++ b/lib/util/utilpars.c
-@@ -1139,17 +1139,18 @@ char *
- 	*dbType = NSS_DB_TYPE_SQL;
- 	PORT_Free(*filename);
- 	*filename = NULL;
-         *rw = PR_FALSE;
-    }
- 
-    /* only use the renamed secmod for legacy databases */
-    if ((*dbType != NSS_DB_TYPE_LEGACY) && 
--	(*dbType != NSS_DB_TYPE_MULTIACCESS)) {
-+	(*dbType != NSS_DB_TYPE_MULTIACCESS) &&
-+	  !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
- 	secmodName="pkcs11.txt";
-    }
- 
-    if (noModDB) {
- 	value = NULL;
-    } else if (lconfigdir && lconfigdir[0] != '\0') {
- 	value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
- 			lconfigdir,secmodName);
+         module->parent = SECMOD_ReferenceModule(parent);
+         if (module->internal && secmod_IsInternalKeySlot(parent)) {

nss-conditionally-ignore-system-policy.patch

@@ -1,161 +0,0 @@
---- ./lib/nss/nssinit.c.cond_ignore	2016-07-14 06:07:08.607951998 -0700
-+++ ./lib/nss/nssinit.c	2016-07-14 06:11:07.698966728 -0700
-@@ -427,23 +427,21 @@
-     if (lsecmodName) PORT_Free(lsecmodName);
-     if (lupdateDir) PORT_Free(lupdateDir);
-     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
-     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
-     if (lupdateID) PORT_Free(lupdateID);
-     if (lupdateName) PORT_Free(lupdateName);
- 
-     if (moduleSpec) {
--	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-+	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
- 	PR_smprintf_free(moduleSpec);
--	if (module) {
--	    if (!module->loaded) {
--	        SECMOD_DestroyModule(module);
--		module = NULL;
--	    }
-+	if (module && !module->loaded) {
-+	    SECMOD_DestroyModule(module);
-+	    return NULL;
- 	}
-     }
-     return module;
- }
- 
- /*
-  * OK there are now lots of options here, lets go through them all:
-  *
-@@ -511,41 +509,44 @@
- 	return PR_FAILURE;
-     }
-     return PR_SUCCESS;
- }
- 
- 
- static SECStatus
- nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
--		 const char *secmodName, const char *updateDir, 
-+		 const char *secmodName, const char *updateDir,
- 		 const char *updCertPrefix, const char *updKeyPrefix,
- 		 const char *updateID, const char *updateName,
- 		 NSSInitContext ** initContextPtr,
- 		 NSSInitParameters *initParams,
--		 PRBool readOnly, PRBool noCertDB, 
-+		 PRBool readOnly, PRBool noCertDB,
- 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
- 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
- 		 PRBool allowAlreadyInitializedModules,
- 		 PRBool dontFinalizeModules)
- {
-     SECMODModule *parent = NULL;
-     PKIX_UInt32 actualMinorVersion = 0;
-     PKIX_Error *pkixError = NULL;
-     PRBool isReallyInitted;
-     char *configStrings = NULL;
-     char *configName = NULL;
-     PRBool passwordRequired = PR_FALSE;
-+#ifdef POLICY_FILE
-+    char *ignoreVar;
-+#endif
- 
-     /* if we are trying to init with a traditional NSS_Init call, maintain
-      * the traditional idempotent behavior. */
-     if (!initContextPtr && nssIsInitted) {
- 	return SECSuccess;
-     }
--  
-+
-     /* make sure our lock and condition variable are initialized one and only
-      * one time */ 
-     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
- 	return SECFailure;
-     }
- 
-     /*
-      * if we haven't done basic initialization, single thread the 
-@@ -632,20 +633,20 @@
- 	configStrings = pk11_config_strings;
- 	configName = pk11_config_name;
- 	passwordRequired = pk11_password_required;
-     }
- 
-     /* Skip the module init if we are already initted and we are trying
-      * to init with noCertDB and noModDB */
-     if (!(isReallyInitted && noCertDB && noModDB)) {
--	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
--		updateDir, updCertPrefix, updKeyPrefix, updateID, 
-+	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
-+		updateDir, updCertPrefix, updKeyPrefix, updateID,
- 		updateName, configName, configStrings, passwordRequired,
--		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
-+		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
- 		(initContextPtr != NULL));
- 
- 	if (parent == NULL) {
- 	    goto loser;
- 	}
-     }
- 
- 
-@@ -678,50 +679,54 @@
- 		    dbpath = NULL;
- 		}
- 		if (dbpath) {
- 		    nss_FindExternalRoot(dbpath, secmodName);
- 		}
- 	    }
- 	}
- #ifdef POLICY_FILE
--        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-+	/* Load the system crypto policy file if it exists,
-+	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
-+	 * variable has been set to 1. */
-+	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
-+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
- 	    SECMODModule *module = SECMOD_LoadModule(
- 		"name=\"Policy File\" "
- 		"parameters=\"configdir='sql:" POLICY_PATH "' "
- 		"secmod='" POLICY_FILE "' "
- 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
- 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
--		parent, PR_TRUE); 
-+		parent, PR_TRUE);
- 	    if (module) {
- 		PRBool isLoaded = module->loaded;
- 		SECMOD_DestroyModule(module);
- 		if (!isLoaded) {
- 		    goto loser;
- 		}
- 	    }
- 	}
-+    }
- #endif
- 	pk11sdr_Init();
- 	cert_CreateSubjectKeyIDHashTable();
- 
- 	pkixError = PKIX_Initialize
- 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
- 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
- 
- 	if (pkixError != NULL) {
- 	    goto loser;
- 	} else {
-             char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
-             if (ev && ev[0]) {
-                 CERT_SetUsePKIXForValidation(PR_TRUE);
-             }
-         }
--
--
-     }
- 
-     /*
-      * Now mark the appropriate init state. If initContextPtr was passed
-      * in, then return the new context pointer and add it to the
-      * nssInitContextList. Otherwise set the global nss_isInitted flag
-      */
-     PZ_Lock(nssInitLock);

nss-skip-bltest-and-fipstest.patch

@@ -1,9 +1,9 @@
 diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
---- ./nss/cmd/Makefile.skipem	2016-06-24 10:10:38.143165159 -0700
-+++ ./nss/cmd/Makefile	2016-06-24 10:13:08.566457400 -0700
-@@ -17,7 +17,11 @@ endif
- ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
- BLTEST_SRCDIR =
+--- ./nss/cmd/Makefile.skipthem	2017-01-06 13:17:27.477848351 +0100
++++ ./nss/cmd/Makefile	2017-01-06 13:19:30.244586100 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
  FIPSTEST_SRCDIR =
 +ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
 +SHLIBSIGN_SRCDIR = shlibsign
@@ -12,4 +12,4 @@ diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
 +endif
  else
  BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest
+ ECPERF_SRCDIR = ecperf

nss-skip-ecperf.patch

@@ -1,11 +0,0 @@
-diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
---- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
-@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
-  dbtest \
-  derdump  \
-  digest  \
-- ecperf \
-  httpserv  \
-  listsuites \
-  makepqg  \

nss-skip-util-gtest.patch

@@ -1,11 +1,10 @@
-diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
---- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest	2016-06-20 10:11:28.000000000 -0700
-+++ ./external_tests/manifest.mn	2016-06-26 10:09:55.429858648 -0700
-@@ -9,7 +9,4 @@ DIRS = \
- 	google_test \
- 	common \
- 	der_gtest \
--	util_gtest \
--	pk11_gtest \
--	ssl_gtest \
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest	2017-08-08 12:45:57.598801125 +0200
++++ nss/gtests/manifest.mn	2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ 	$(LIB_SRCDIRS) \
+-	$(UTIL_SRCDIRS) \
+ 	$(NSS_SRCDIRS) \
  	$(NULL)

nss.spec

@@ -1,6 +1,6 @@
-%global nspr_version 4.12.0
-%global nss_util_version 3.25.0
-%global nss_softokn_version 3.25.0
+%global nspr_version 4.17.0
+%global nss_util_version 3.34.0
+%global nss_softokn_version 3.34.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.25.0
+Version:          3.34.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          6%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -43,16 +43,32 @@ BuildRequires:    zlib-devel
 BuildRequires:    pkgconfig
 BuildRequires:    gawk
 BuildRequires:    psmisc
-BuildRequires:    perl
+BuildRequires:    perl-interpreter
 
 # nss-pem used to be bundled with the nss package on Fedora -- make sure that
 # programs relying on that continue to work until they are fixed to require
 # nss-pem instead.  Once all of them are fixed, the following line can be
 # removed.  See https://bugzilla.redhat.com/1346806 for details.
-Requires:         nss-pem
+Requires:         nss-pem%{?_isa}
 
-%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
-%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+# NSS 3.28.1 introduced a curve, that is smaller than a check in old
+# Mozilla code allows.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1413182
+Conflicts:        firefox < 50.1.0-3
+# https://bugzilla.redhat.com/show_bug.cgi?id=1414983
+Conflicts:        xulrunner < 44.0-9
+# https://bugzilla.redhat.com/show_bug.cgi?id=1414929
+Conflicts:        thunderbird < 45.6.0-5
+# https://bugzilla.redhat.com/show_bug.cgi?id=1414982
+Conflicts:        seamonkey < 2.46-2
+# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
+Conflicts:        icecat < 45.5.1-5
+
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
 
 Source0:          %{name}-%{full_nss_version}.tar.gz
 Source1:          nss.pc.in
@@ -83,23 +99,23 @@ Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 Patch47:          utilwrap-include-templates.patch
 # TODO remove when we switch to building nss without softoken
 Patch49:          nss-skip-bltest-and-fipstest.patch
-# This patch uses the gcc-iquote dir option documented at
+# This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
-# to place the in-tree directories at the head of the list of list of directories
-# to be searched for for header files. This ensures a build even when system
-# headers are older. Such is the case when starting an update with API changes or even private export changes.
-# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch60: nss-conditionally-ignore-system-policy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
-# TODO: file a bug upstream similar to the one for rsaperf
-Patch70: nss-skip-ecperf.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -182,9 +198,7 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-%patch60 -p1 -b .cond_ignore
-%patch62 -p0 -b .skip_util_gtest
-%patch70 -p1 -b .skip_ecperf
+%patch62 -p1 -b .skip_util_gtest
 popd
 
 #########################################################
@@ -197,11 +211,6 @@ popd
 # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
 %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
-# similar problem to the one descrived above
-# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h
-# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined
-%{__cp} ./nss/lib/freebl/ec.h ./nss/cmd/ecperf
-%{__cp} ./nss/lib/freebl/ecl/ecl-curve.h ./nss/cmd/ecperf
 
 # Before removing util directory we must save verref.h
 # as it will be needed later during the build phase.
@@ -218,9 +227,6 @@ popd
 %{__rm} -rf ./nss/cmd/fipstest
 %{__rm} -rf ./nss/cmd/rsaperf_low
 
-######## Remove portions that need to statically link with libnssutil.a
-%{__rm} -rf ./nss/external_tests/util_gtests
-
 
 %build
 
@@ -287,10 +293,8 @@ export USE_64
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 
 ##### phase 2: build the rest of nss
-# nss supports pluggable ecc with more than suite-b
-export NSS_ECC_MORE_THAN_SUITE_B=1
-
 export NSS_BLTEST_NOT_AVAILABLE=1
+
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
 
@@ -404,8 +408,12 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
 
 # End -- copied from the build section
 
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
+export NSS_FORCE_FIPS=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -772,6 +780,7 @@ fi
 %{_includedir}/nss3/smime.h
 %{_includedir}/nss3/ssl.h
 %{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
 %{_includedir}/nss3/sslproto.h
 %{_includedir}/nss3/sslt.h
 
@@ -794,6 +803,94 @@ fi
 
 
 %changelog
+* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1.0
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.1
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+  multlib environment, patch by Kamil Dudka
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.0
+- Update to NSS 3.33.0
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.1
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.0
+- Update to NSS 3.32.1
+
+* Fri Aug 18 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-1.1
+- Revert signtool deprecation, which was only targeting F27
+
+* Mon Aug  7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-1.0
+- Update to NSS 3.32.0
+
+* Tue Jul 18 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-1.1
+- Backport mozbz#1381784 to avoid deadlock in dnf
+
+* Wed Jun 21 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-1.0
+- Rebase to NSS 3.31.0
+
+* Wed May 10 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-1.1
+- Re-enable tests on armv7hl
+- Enable TLS 1.3 again
+
+* Mon Apr 24 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-2
+- Rebase to NSS 3.30.2
+
+* Wed Mar 29 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.1
+- Backport mozbz#1334976 and mozbz#1336487, from F26
+
+* Mon Mar 20 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.0
+- Rebase to NSS 3.29.3
+- Remove upstreamed patch for fixing crash in tls13_DestroyKeyShares
+
+* Thu Mar 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-1.1
+- Fix crash in tls13_DestroyKeyShares
+
+* Tue Feb 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-1.0
+- Rebase to NSS 3.28.3
+
+* Fri Jan 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.3
+- Disable TLS 1.3
+- Add "Conflicts" with packages using older Mozilla codebase, which is
+  not compatible with NSS 3.28.1
+- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream
+
+* Tue Jan 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.2
+- Add "Conflicts" with older firefox packages which don't have support
+  for smaller curves added in NSS 3.28.1
+
+* Fri Jan 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.1
+- Fix incorrect version specification in %%nss_{util,softokn}_version,
+  pointed by Elio Maldonado
+
+* Thu Jan 12 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-1.0
+- Rebase to NSS 3.28.1
+- Remove upstreamed patch for disabling RSA-PSS
+- Re-enable TLS 1.3
+
+* Tue Nov 15 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.3
+- Revert the previous fix for RSA-PSS and use the upstream fix instead
+
+* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-1.2
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
+* Sun Oct  2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.1
+- Disable TLS 1.3 for now, to avoid reported regression with TLS to
+  version intolerant servers
+
+* Thu Sep 29 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-1.0
+- Rebase to NSS 3.27.0
+- Remove upstreamed ectest patch
+
+* Mon Aug  8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-1.0
+- Rebase to NSS 3.26.0
+- Update check policy file patch to better match what was upstreamed
+- Remove conditionally ignore system policy patch as it has been upstreamed
+- Skip ectest as well as ecperf, which are built as part of nss-softokn
+- Fix rpmlint error regarding %%define usage
+
 * Thu Jul 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
 - Incorporate some changes requested in upstream review and commited upstream (#1157720)
 

sources

@@ -1,6 +1,6 @@
-a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
-9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
-73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
-691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
-2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-950263d15d1f055605bfb6e634a1a019  nss-3.25.0.tar.gz
+SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
+SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
+SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
+SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
+SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
+SHA512 (nss-3.34.0.tar.gz) = 2826e3d327af34714d521edac0fba4da6e14c7a28750ccfeeba8259b0a1954233fc47dcbec47b6aeb96f53de501adc15adf130379efa503b00677a924eb50080