Remove unused configuration file meant for nss-util and nss-softokn

- One patch has been accepted upstream
- Other patch will be removed when we rebase to nss-3.23

.gitignore

@@ -10,4 +10,4 @@ TestUser51.cert
 /nss-pem-20140125.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.21.0.tar.gz
+/nss-3.22.0.tar.gz

disableSSL2libssl.patch

@@ -1,6 +1,5 @@
-diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
---- a/lib/ssl/config.mk
-+++ b/lib/ssl/config.mk
+--- ./lib/ssl/config.mk.disableSSL2libssl	2016-01-29 02:30:10.000000000 -0800
++++ ./lib/ssl/config.mk	2016-02-06 11:20:50.322990421 -0800
 @@ -2,16 +2,20 @@
  # This Source Code Form is subject to the terms of the Mozilla Public
  # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -22,10 +21,9 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
  ifdef NSS_NO_PKCS11_BYPASS
  DEFINES += -DNO_PKCS11_BYPASS
  else
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -674,16 +674,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+--- ./lib/ssl/sslsock.c.disableSSL2libssl	2016-02-06 11:20:50.312990617 -0800
++++ ./lib/ssl/sslsock.c	2016-02-06 11:26:04.123828138 -0800
+@@ -705,16 +705,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
          if (ss->cipherSpecs) {
              PORT_Free(ss->cipherSpecs);
              ss->cipherSpecs     = NULL;
@@ -47,8 +45,8 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              }
              break;
          }
-         ss->opt.enableSSL2       = on;
-@@ -691,52 +697,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+         if (on) {
+@@ -729,52 +735,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
              ss->opt.v2CompatibleHello = on;
          }
          ss->preferredCipher     = NULL;
@@ -116,7 +114,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
              rv = SECFailure;
          } else {
              if (PR_FALSE != on) {
-@@ -1163,16 +1184,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+@@ -1235,16 +1256,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
      }
      return SECSuccess;
  }

disableSSL2tests.patch

@@ -1,12 +1,11 @@
-diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
---- a/tests/ssl/ssl.sh
-+++ b/tests/ssl/ssl.sh
+--- ./tests/ssl/ssl.sh.disableSSL2tests	2016-01-29 02:30:10.000000000 -0800
++++ ./tests/ssl/ssl.sh	2016-02-06 11:50:26.496668124 -0800
 @@ -57,19 +57,24 @@ ssl_init()
    fi
  
    PORT=${PORT-8443}
    NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
-   nss_ssl_run="stapling cov auth stress"
+   nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
    NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
  
    # Test case files
@@ -20,6 +19,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
 +  fi
    SSLAUTH=${QADIR}/ssl/sslauth.txt
 -  SSLSTRESS=${QADIR}/ssl/sslstress.txt
+   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
    REQUEST_FILE=${QADIR}/ssl/sslreq.dat
  
    #temparary files
@@ -27,8 +27,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    SERVERPID=${TMP}/tests_pid.$$
  
    R_SERVERPID=../tests_pid.$$
- 
-@@ -115,17 +120,21 @@ is_selfserv_alive()
+@@ -116,17 +121,21 @@ is_selfserv_alive()
    if [ "${OS_ARCH}" = "WINNT" ] && \
       [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
        PID=${SHELL_SERVERPID}
@@ -50,7 +49,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  # local shell function to wait until selfserver is running and initialized
  ########################################################################
  wait_for_selfserv()
-@@ -138,17 +147,21 @@ wait_for_selfserv()
+@@ -139,17 +148,21 @@ wait_for_selfserv()
    if [ $? -ne 0 ]; then
        sleep 5
        echo "retrying to connect to selfserv at `date`"
@@ -72,7 +71,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
  ########################### kill_selfserv ##############################
  # local shell function to kill the selfserver after the tests are done
  ########################################################################
-@@ -209,25 +222,26 @@ start_selfserv()
+@@ -210,25 +223,26 @@ start_selfserv()
        ECC_OPTIONS=""
    fi
    if [ "$1" = "mixed" ]; then
@@ -102,7 +101,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
    # process (sh.exe).  MKS's kill command has a bug: invoking kill
    # on the helper process does not terminate the real background
    # process.  Our workaround has been to have selfserv save its PID
-@@ -274,16 +288,22 @@ ssl_cov()
+@@ -275,16 +289,22 @@ ssl_cov()
    exec < ${SSLCOV}
    while read ectype testmax param testname
    do

fix_warnings_treated_as_errors.patch

@@ -0,0 +1,124 @@
+diff -up ./cmd/p7sign/p7sign.c.fix_warnings ./cmd/p7sign/p7sign.c
+--- ./cmd/p7sign/p7sign.c.fix_warnings	2016-02-07 15:29:48.459494920 -0800
++++ ./cmd/p7sign/p7sign.c	2016-02-07 15:55:04.920963101 -0800
+@@ -92,21 +92,24 @@ SignFile(FILE *outFile, PRFileDesc *inFi
+     SEC_PKCS7ContentInfo *cinfo;
+     SECStatus rv;
+ 
+-    if (outFile == NULL || inFile == NULL || cert == NULL)
+-	return -1;
++    if (outFile == NULL || inFile == NULL || cert == NULL) {
++        return -1;
++	}
+ 
+     /* suck the file in */
+-	if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
+-	                         PR_FALSE) != SECSuccess)
+-	return -1;
++    if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE,
++	                         PR_FALSE) != SECSuccess) {
++        return -1;
++    }
+ 
+     if (!encapsulated) {
+ 	/* unfortunately, we must create the digest ourselves */
+ 	/* SEC_PKCS7CreateSignedData should have a flag to not include */
+ 	/* the content for non-encapsulated content at encode time, but */
+ 	/* should always compute the hash itself */
+-	if (CreateDigest(&data2sign, digestdata, &len, 32) < 0)
+-	    return -1;
++	if (CreateDigest(&data2sign, digestdata, &len, 32) < 0) {
++		return -1;
++	}
+ 	digest.data = (unsigned char *)digestdata;
+ 	digest.len = len;
+     }
+@@ -116,9 +119,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi
+ 				       SEC_OID_SHA1,
+ 				       encapsulated ? NULL : &digest,
+ 				       NULL, NULL);
+-    if (cinfo == NULL)
++    if (cinfo == NULL) {
+ 	return -1;
+-
++	}
+     if (encapsulated) {
+ 	SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len);
+     }
+@@ -134,8 +137,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi
+ 
+     SEC_PKCS7DestroyContentInfo (cinfo);
+ 
+-    if (rv != SECSuccess)
++    if (rv != SECSuccess) {
+ 	return -1;
++    }
+ 
+     return 0;
+ }
+diff -up ./cmd/vfychain/vfychain.c.fix_warnings ./cmd/vfychain/vfychain.c
+--- ./cmd/vfychain/vfychain.c.fix_warnings	2016-02-07 16:03:13.189775733 -0800
++++ ./cmd/vfychain/vfychain.c	2016-02-07 16:22:33.709073372 -0800
+@@ -439,7 +439,7 @@ main(int argc, char *argv[], char *envp[
+ 	case  0  : /* positional parameter */  goto breakout;
+ 	case 'a' : isAscii  = PR_TRUE;                        break;
+ 	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+-	           if (secStatus != SECSuccess) Usage(progName); break;
++	           if (secStatus != SECSuccess) { Usage(progName); } break;
+ 	case 'd' : certDir  = PL_strdup(optstate->value);     break;
+ 	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
+ 	case 'f' : certFetching = PR_TRUE;                    break;
+@@ -484,9 +484,9 @@ main(int argc, char *argv[], char *envp[
+ 	case 't' : trusted  = PR_TRUE;                        break;
+ 	case 'T' : onlyTrustAnchors = PR_FALSE;               break;
+ 	case 'u' : usage    = PORT_Atoi(optstate->value);
+-	           if (usage < 0 || usage > 62) Usage(progName);
++	           if (usage < 0 || usage > 62) { Usage(progName); }
+ 		   certUsage = ((SECCertificateUsage)1) << usage; 
+-		   if (certUsage > certificateUsageHighest) Usage(progName);
++		   if (certUsage > certificateUsageHighest) { Usage(progName); }
+ 		   break;
+         case 'w':
+                   pwdata.source = PW_PLAINTEXT;
+diff -up ./lib/dbm/src/hash.c.fix_warnings ./lib/dbm/src/hash.c
+--- ./lib/dbm/src/hash.c.fix_warnings	2016-02-07 15:18:54.006925157 -0800
++++ ./lib/dbm/src/hash.c	2016-02-07 15:21:02.151491099 -0800
+@@ -815,9 +815,9 @@ hash_access(
+ 			}
+ 
+             ovfl_loop_count++;
+-            if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
++            if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS) {
+     			return (DATABASE_CORRUPTED_ERROR);
+-
++    		}
+ 			/* FOR LOOP INIT */
+ 			bp = (uint16 *)rbufp->page;
+ 			n = *bp++;
+@@ -825,8 +825,9 @@ hash_access(
+ 			off = hashp->BSIZE;
+ 		} else if (bp[1] < REAL_KEY) {
+ 			if ((ndx =
+-			    __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0)
++			    __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) {
+ 				goto found;
++			}
+ 			if (ndx == -2) {
+ 				bufp = rbufp;
+ 				if (!(pageno =
+diff -up ./lib/dbm/src/h_page.c.fix_warnings ./lib/dbm/src/h_page.c
+--- ./lib/dbm/src/h_page.c.fix_warnings	2016-01-29 02:30:10.000000000 -0800
++++ ./lib/dbm/src/h_page.c	2016-02-07 15:10:42.439250993 -0800
+@@ -114,9 +114,9 @@ long new_lseek(int fd, long offset, int
+ 
+ 	if(origin == SEEK_CUR)
+       {	
+-      	if(offset < 1)							  
+-	    	return(lseek(fd, offset, SEEK_CUR));
+-
++		if(offset < 1) {						  
++			return(lseek(fd, offset, SEEK_CUR));
++		}
+ 		cur_pos = lseek(fd, 0, SEEK_CUR);
+ 
+ 		if(cur_pos < 0)

iquote.patch

@@ -171,6 +171,18 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
 +INCLUDES += -iquote $(DIST)/../public/nss
 +INCLUDES += -iquote $(DIST)/../private/nss
  
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
+--- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-07 09:49:33.310455054 -0800
++++ ./nss/lib/pk11wrap/Makefile	2016-02-07 09:51:38.830881330 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
 diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile
@@ -185,3 +197,25 @@ diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile
  
  #######################################################################
  # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
+--- ./nss/external_tests/pk11_gtest/Makefile.iquote	2016-02-07 10:07:49.163055808 -0800
++++ ./nss/external_tests/pk11_gtest/Makefile	2016-02-07 10:09:07.463478307 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
+--- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-07 10:19:57.132763142 -0800
++++ ./nss/external_tests/ssl_gtest/Makefile	2016-02-07 10:20:42.346957530 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #

nss.spec

@@ -1,6 +1,6 @@
-%global nspr_version 4.10.10
-%global nss_util_version 3.21.0
-%global nss_softokn_version 3.21.0
+%global nspr_version 4.11.0
+%global nss_util_version 3.22.0
+%global nss_softokn_version 3.22.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
@@ -18,10 +18,10 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.21.0
+Version:          3.22.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          7%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -105,6 +105,10 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # The submission will be very different from this patch as
 # cleanup there is already in progress there.
 Patch59: pem-compile-with-Werror.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1246499
+Patch60: vfyserv-defined-but-not-used.patch
+# TODO: Util we rebase to nss-3.23 which already has this fixed
+Patch61: fix_warnings_treated_as_errors.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -195,6 +199,10 @@ popd
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
 %patch59 -p0 -b .compile_Werror
+pushd nss
+%patch60 -p1 -b .defined_not_used
+%patch61 -p1 -b .fix_warnings
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -236,6 +244,9 @@ popd
 
 %build
 
+# FIXME comment out once we figure out why the tests file to compile
+# export NSS_DISABLE_GTESTS=1
+
 export NSS_NO_SSL2_NO_EXPORT=1
 
 NSS_NO_PKCS11_BYPASS=1
@@ -303,8 +314,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 
 ##### phase 2: build the rest of nss
 # nss supports pluggable ecc with more than suite-b
-NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_ECC_MORE_THAN_SUITE_B
+export NSS_ECC_MORE_THAN_SUITE_B=1
 
 export NSS_BLTEST_NOT_AVAILABLE=1
 %{__make} -C ./nss/coreconf
@@ -824,6 +834,9 @@ fi
 
 
 %changelog
+* Sat Feb 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-2
+- Rebase to nss 3.22
+
 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 

ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch

@@ -1,38 +0,0 @@
-diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
---- ./nss/tests/ssl/sslauth.txt.ocsp_sni	2015-05-28 10:50:45.000000000 -0700
-+++ ./nss/tests/ssl/sslauth.txt	2015-08-30 08:49:22.025299419 -0700
-@@ -65,12 +65,12 @@
- # SNI Tests
- #
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
--  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
--  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
-+  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-+  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
--  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
-+  SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
--  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-+  SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-   SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
--  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
--  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
-+  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
-+  SNI     1       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
-diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
---- ./nss/tests/ssl/ssl.sh.ocsp_sni	2015-08-30 08:49:21.905301105 -0700
-+++ ./nss/tests/ssl/ssl.sh	2015-08-30 08:49:22.017299531 -0700
-@@ -457,10 +457,10 @@ ssl_stapling_sub()
-     start_selfserv
- 
-     echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
--    echo "        -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
-+    echo "        -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
-     rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
-     ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
--	    -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
-+	    -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
- 	    >${TMP}/$HOST.tmp.$$  2>&1
-     ret=$?
-     cat ${TMP}/$HOST.tmp.$$

rhbz1185708-enable-ecc-ciphers-by-default.patch

@@ -1,39 +0,0 @@
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
-  *
-  * Important: See bug 946147 before enabling, reordering, or adding any cipher
-  * suites to this list.
-  */
- static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
-    /*      cipher_suite                     policy       enabled   isPresent */
- 
- #ifndef NSS_DISABLE_ECC
-- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
-     * bug 946147.
-     */
-- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- #endif /* NSS_DISABLE_ECC */
- 
-  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

sources

@@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
 b8a94e863c852e1f8b75e930e76f8640  nss-pem-20140125.tar.bz2
-f53ffa490133d29ff930fa4b29bade90  nss-3.21.0.tar.gz
+a0ae9d27c0261716648e49e3be33badd  nss-3.22.0.tar.gz

vfyserv-defined-but-not-used.patch

@@ -0,0 +1,18 @@
+diff -up ./cmd/vfyserv/vfyserv.h.defined_not_used ./cmd/vfyserv/vfyserv.h
+--- ./cmd/vfyserv/vfyserv.h.defined_not_used	2016-02-06 18:32:54.143216370 -0800
++++ ./cmd/vfyserv/vfyserv.h	2016-02-06 18:33:24.943636231 -0800
+@@ -135,14 +135,4 @@ void lockedVars_WaitForDone(lockedVars *
+ 
+ int lockedVars_AddToCount(lockedVars *lv, int addend);
+ 
+-/* Buffer stuff. */
+-
+-static const char stopCmd[] = { "GET /stop " };
+-static const char defaultHeader[] = {
+-	"HTTP/1.0 200 OK\r\n"
+-	"Server: SSL sample server\r\n"
+-	"Content-type: text/plain\r\n"
+-	"\r\n"
+-};
+-
+ #endif