Update to NSS 3.36.1

See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6

.gitignore

@@ -16,3 +16,13 @@ TestUser51.cert
 /nss-3.28.1.tar.gz
 /nss-3.29.0.tar.gz
 /nss-3.29.1.tar.gz
+/nss-3.29.3.tar.gz
+/nss-3.30.2.tar.gz
+/nss-3.31.0.tar.gz
+/nss-3.32.0.tar.gz
+/nss-3.32.1.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz

iquote.patch

@@ -1,211 +1,13 @@
-diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
---- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- 
- #######################################################################
-diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
-@@ -45,6 +45,10 @@ endif
- 
- ifdef NSS_INCLUDE_DIR
-     INCLUDES += -I$(NSS_INCLUDE_DIR)
-+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+        INCLUDES += -iquote $(DIST)/../public/nss
-+        INCLUDES += -iquote $(DIST)/../private/nss
-+    endif
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
  endif
  
- ifndef NSS_LIB_DIR
-diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
---- ./nss/gtests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/gtests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
---- ./nss/gtests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/gtests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
-@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
---- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

nss-gcc7.patch

@@ -1,12 +0,0 @@
-diff -up nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7 nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c
---- nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c.gcc7	2017-02-08 14:34:04.212655936 +0100
-+++ nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocsprequest.c	2017-02-08 14:37:33.326388891 +0100
-@@ -89,7 +89,7 @@ pkix_pl_OcspRequest_Hashcode(
-         PKIX_HASHCODE(ocspRq->signerCert, &signerHash, plContext,
-                 PKIX_CERTHASHCODEFAILED);
- 
--        *pHashcode = (((((extensionHash << 8) || certHash) << 8) ||
-+        *pHashcode = ((PKIX_UInt32)(((PKIX_UInt32)((extensionHash << 8) || certHash) << 8) ||
-                 dateHash) << 8) || signerHash;
- 
- cleanup:

nss-skip-util-gtest.patch

@@ -1,12 +1,10 @@
-diff -up ./gtests/manifest.mn.skip_util_gtest ./gtests/manifest.mn
---- ./gtests/manifest.mn.skip_util_gtest	2016-09-29 12:05:28.858019733 +0200
-+++ ./gtests/manifest.mn	2016-09-29 12:06:17.298681765 +0200
-@@ -9,8 +9,5 @@ DIRS = \
- 	google_test \
- 	common \
- 	der_gtest \
--	util_gtest \
--	pk11_gtest \
--	ssl_gtest \
-         nss_bogo_shim \
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest	2017-08-08 12:45:57.598801125 +0200
++++ nss/gtests/manifest.mn	2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ 	$(LIB_SRCDIRS) \
+-	$(UTIL_SRCDIRS) \
+ 	$(NSS_SRCDIRS) \
  	$(NULL)

nss-sql-default.patch

@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511548994 -3600
+#      Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent  807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
++    echo "Running test cycle: ${TEST_MODE} ----------------------"
++    echo "List of tests that will be executed: ${TESTS}"
+     for TEST in ${TESTS}
+     do
+         # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+     NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+     export -n NSS_SSL_RUN
+ 
+-    # use the default format
++    # use the default format. (unset for the shell, export -n for binaries)
+     export -n NSS_DEFAULT_DB_TYPE
++    unset NSS_DEFAULT_DB_TYPE
+ 
+     run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+   # are dbm databases.
+   if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ 	save=${NSS_DEFAULT_DB_TYPE}
+-	NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++	NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+   fi
+ 
+   certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}

nss.spec

@@ -1,6 +1,6 @@
-%global nspr_version 4.13.0
-%global nss_util_version 3.29.1
-%global nss_softokn_version 3.29.1
+%global nspr_version 4.19.0
+%global nss_util_version 3.36.1
+%global nss_softokn_version 3.36.1
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.29.1
+Version:          3.36.1
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          2%{?dist}
+Release:          1.0%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -40,17 +40,17 @@ BuildRequires:    nss-softokn-devel >= %{nss_softokn_version}
 BuildRequires:    nss-util-devel >= %{nss_util_version}
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
-# TODO: revert to "pkgconfig" once pkgconf transition has been settled
-BuildRequires:    /usr/bin/pkg-config
+BuildRequires:    pkgconfig
 BuildRequires:    gawk
 BuildRequires:    psmisc
-BuildRequires:    perl
+BuildRequires:    perl-interpreter
+BuildRequires:    gcc-c++
 
 # nss-pem used to be bundled with the nss package on Fedora -- make sure that
 # programs relying on that continue to work until they are fixed to require
 # nss-pem instead.  Once all of them are fixed, the following line can be
 # removed.  See https://bugzilla.redhat.com/1346806 for details.
-Requires:         nss-pem
+Requires:         nss-pem%{?_isa}
 
 # NSS 3.28.1 introduced a curve, that is smaller than a check in old
 # Mozilla code allows.
@@ -100,20 +100,24 @@ Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 Patch47:          utilwrap-include-templates.patch
 # TODO remove when we switch to building nss without softoken
 Patch49:          nss-skip-bltest-and-fipstest.patch
-# This patch uses the gcc-iquote dir option documented at
+# This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
-# to place the in-tree directories at the head of the list of list of directories
-# to be searched for for header files. This ensures a build even when system
-# headers are older. Such is the case when starting an update with API changes or even private export changes.
-# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
 Patch50:          iquote.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
-Patch63: nss-gcc7.patch
+Patch63: nss-sql-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -196,8 +200,8 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-%patch62 -p0 -b .skip_util_gtest
-%patch63 -p1 -b .gcc7
+%patch62 -p1 -b .skip_util_gtest
+%patch63 -p1 -R -b .sql-default
 popd
 
 #########################################################
@@ -226,9 +230,6 @@ popd
 %{__rm} -rf ./nss/cmd/fipstest
 %{__rm} -rf ./nss/cmd/rsaperf_low
 
-######## Remove portions that need to statically link with libnssutil.a
-%{__rm} -rf ./nss/external_tests/util_gtests
-
 
 %build
 
@@ -238,6 +239,9 @@ export NSS_NO_PKCS11_BYPASS
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
+NSS_FORCE_FIPS=1
+export NSS_FORCE_FIPS
+
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
 
@@ -297,8 +301,6 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 ##### phase 2: build the rest of nss
 export NSS_BLTEST_NOT_AVAILABLE=1
 
-export NSS_DISABLE_TLS_1_3=1
-
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
 
@@ -407,8 +409,6 @@ export USE_64
 
 export NSS_BLTEST_NOT_AVAILABLE=1
 
-export NSS_DISABLE_TLS_1_3=1
-
 # needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}
 
@@ -418,6 +418,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
+export NSS_FORCE_FIPS=1
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -488,7 +490,7 @@ popd
 killall $RANDSERV || :
 
 if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
-  TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+  TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
 else
   TEST_FAILURES=0
   GREP_EXIT_STATUS=1
@@ -784,6 +786,7 @@ fi
 %{_includedir}/nss3/smime.h
 %{_includedir}/nss3/ssl.h
 %{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
 %{_includedir}/nss3/sslproto.h
 %{_includedir}/nss3/sslt.h
 
@@ -806,6 +809,69 @@ fi
 
 
 %changelog
+* Thu Apr 19 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
+- Update to NSS 3.36.1
+
+* Fri Mar  9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1.0
+- Update to NSS 3.36.0
+- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
+- Make test failure detection robuster
+
+* Wed Feb  7 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.0
+- Update to NSS 3.35.0
+
+* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1.0
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.1
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+  multlib environment, patch by Kamil Dudka
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.0
+- Update to NSS 3.33.0
+
+* Tue Oct  3 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.1
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.0
+- Update to NSS 3.32.1
+
+* Fri Aug 18 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-1.1
+- Revert signtool deprecation, which was only targeting F27
+
+* Mon Aug  7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-1.0
+- Update to NSS 3.32.0
+
+* Tue Jul 18 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-1.1
+- Backport mozbz#1381784 to avoid deadlock in dnf
+
+* Wed Jun 21 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-1.0
+- Rebase to NSS 3.31.0
+
+* Wed May 10 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-1.1
+- Re-enable tests on armv7hl
+- Enable TLS 1.3 again
+
+* Mon Apr 24 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-2
+- Rebase to NSS 3.30.2
+
+* Wed Mar 29 2017 Kai Engert <kaie@redhat.com> - 3.29.3-1.3
+- temporarily disable tests on armv7hl because of infrastructure timeouts
+
+* Wed Mar 29 2017 Kai Engert <kaie@redhat.com> - 3.29.3-1.2
+- Backport upstream mozbz#1328318 to support crypto policy FUTURE.
+
+* Wed Mar 22 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.1
+- Re-add patch to check CKA_NSS_MOZILLA_CA_POLICY, which was
+  mistakenly removed in the previous update
+
+* Mon Mar 20 2017 Daiki Ueno <dueno@redhat.com> - 3.29.3-1.0
+- Rebase to NSS 3.29.3
+- Remove upstreamed patch for fixing crash in tls13_DestroyKeyShares
+
+* Thu Mar 02 2017 Kai Engert <kaie@redhat.com> - 3.29.1-2.1
+- Backport mozbz#1334976 and mozbz#1336487.
+
 * Fri Feb 17 2017 Daiki Ueno <dueno@redhat.com> - 3.29.1-2
 - Rebase to NSS 3.29.1
 

renegotiate-transitional.patch

@@ -1,12 +1,12 @@
-diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
-+++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
-@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,              /* noLocks            */
-     PR_FALSE,              /* enableSessionTickets */
-     PR_FALSE,              /* enableDeflate      */
--    2,                     /* enableRenegotiation (default: requires extension) */
-+    3,                     /* enableRenegotiation (default: transitional) */
-     PR_FALSE,              /* requireSafeNegotiation */
-     PR_FALSE,              /* enableFalseStart   */
-     PR_TRUE,               /* cbcRandomIV        */
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
++++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.29.1.tar.gz) = c060f568a3243343b5a1315d632015373dc7dfd2ca9567fb484190dd56f87b1bc977539b9e28fe4fbfc6ee25409e69b1192a2b590031257dd8c89d162332e050
+SHA512 (nss-3.36.1.tar.gz) = 096fe4360b6d584a746ac6156830f8cff821fd173bd889d7a396238919328a227fa4ebb46f738970a4001773046f3dd4f4675b85ff6de8420a4a7657b3ba0c65