Revert the previous fix for RSA-PSS and use the upstream fix instead

Both f23 and f24 branches had identical nss.spec except the change log
part.  Make it more obvious by unifying the release number and the last
change log entry.

.gitignore

@@ -9,43 +9,4 @@ TestUser50.cert
 TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.25.0.tar.gz
-/nss-3.26.0.tar.gz
 /nss-3.27.0.tar.gz
-/nss-3.27.2.tar.gz
-/nss-3.28.1.tar.gz
-/nss-3.29.0.tar.gz
-/nss-3.29.1.tar.gz
-/nss-3.30.0.tar.gz
-/nss-3.30.2.tar.gz
-/nss-3.31.0.tar.gz
-/nss-3.32.0.tar.gz
-/nss-3.32.1.tar.gz
-/nss-3.33.0.tar.gz
-/nss-3.34.0.tar.gz
-/nss-3.35.0.tar.gz
-/nss-3.36.0.tar.gz
-/nss-3.36.1.tar.gz
-/nss-3.37.1.tar.gz
-/nss-3.37.3.tar.gz
-/nss-3.38.0.tar.gz
-/nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz

add-relro-linker-option.patch

@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS	+= -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 

iquote.patch

@@ -1,13 +1,211 @@
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
-     SQLITE_LIB_NAME = sqlite3
+diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
+--- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ 
+ #######################################################################
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+ 
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+ 
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
+@@ -45,6 +45,10 @@ endif
+ 
+ ifdef NSS_INCLUDE_DIR
+     INCLUDES += -I$(NSS_INCLUDE_DIR)
++    ifdef IN_TREE_FREEBL_HEADERS_FIRST
++        INCLUDES += -iquote $(DIST)/../public/nss
++        INCLUDES += -iquote $(DIST)/../private/nss
++    endif
  endif
  
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included
+ ifndef NSS_LIB_DIR
+diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
+--- ./nss/external_tests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/external_tests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
+--- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/external_tests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
+@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
+--- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
++++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #

nss-3.14.0.0-disble-ocsp-test.patch

@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg

nss-539183.patch

@@ -1,5 +1,5 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
 @@ -953,23 +953,23 @@
  getBoundListenSocket(unsigned short port)
  {
@@ -29,8 +29,8 @@
      if (prStatus < 0) {
          PR_Close(listen_sock);
          errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
 @@ -1711,23 +1711,23 @@
  getBoundListenSocket(unsigned short port)
  {

nss-check-policy-file.patch

@@ -0,0 +1,89 @@
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -105,16 +105,17 @@ secmod_NewModule(void)
+  *   This  allows system NSS to delegate those changes to the user's module DB, 
+  *   preserving the user's ability to load new PKCS #11 modules (which only 
+  *   affect him), from existing applications like Firefox.
+  */
+ #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
+ 						  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY   0x08
+ 
+ 
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+  *
+  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
+  *   the internal module (that is, softoken). This bit is the same as the 
+  *   already existing meaning of internal = PR_TRUE. None of the other 
+@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
+     if (mod->isModuleDB) {
+ 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
+ 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
+ 	}
+ 	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ 	}
++	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++	}
+ 	/* additional moduleDB flags could be added here in the future */
+ 	mod->isModuleDB = (PRBool) flags;
+     }
+ 
+     if (mod->internal) {
+ 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
+ 
+ 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
+@@ -738,16 +742,24 @@ PRBool
+ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+ {
+    char flags = (char) mod->isModuleDB;
+ 
+    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++   char flags = (char) mod->isModuleDB;
++
++   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+    char flags = (char) mod->internal;
+ 
+    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ void
+@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
+     if (library) PORT_Free(library);
+     if (moduleName) PORT_Free(moduleName);
+     if (parameters) PORT_Free(parameters);
+     if (nss) PORT_Free(nss);
+     if (config) PORT_Free(config);
+     if (!module) {
+ 	goto loser;
+     }
++
++    /* a policy only stanza doesn't actually get 'loaded'. policy has already
++     * been parsed as a side effect of the CreateModuleEx call */
++    if (secmod_PolicyOnly(module)) {
++	return module;
++    }
+     if (parent) {
+     	module->parent = SECMOD_ReferenceModule(parent);
+ 	if (module->internal && secmod_IsInternalKeySlot(parent)) {
+ 	    module->internal = parent->internal;
+ 	}
+     }
+ 
+     /* load it */

nss-check-pss.patch

@@ -0,0 +1,167 @@
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -7061,49 +7061,68 @@ ssl3_SendClientKeyExchange(sslSocket *ss
+ 
+ loser:
+     if (serverKey)
+         SECKEY_DestroyPublicKey(serverKey);
+     return rv; /* err code already set. */
+ }
+ 
+ static SECStatus
+-ssl_PickSignatureScheme(sslSocket *ss, SECKEYPublicKey *key,
++ssl_PickSignatureScheme(sslSocket *ss,
++                        SECKEYPublicKey *pubKey,
++                        SECKEYPrivateKey *privKey,
+                         const SignatureScheme *peerSchemes,
+                         unsigned int peerSchemeCount,
+                         PRBool requireSha1)
+ {
+     unsigned int i, j;
+     const namedGroupDef *group = NULL;
+     KeyType keyType;
++    PK11SlotInfo *slot;
++    PRBool slotDoesPss;
+     PRBool isTLS13 = ss->version == SSL_LIBRARY_VERSION_TLS_1_3;
+ 
+-    if (!key) {
++    if (!pubKey || !privKey) {
+         PORT_Assert(0);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         return SECFailure;
+     }
+-    keyType = SECKEY_GetPublicKeyType(key);
++    slot = PK11_GetSlotFromPrivateKey(privKey);
++    if (!slot) {
++        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++        return SECFailure;
++    }
++    slotDoesPss = PK11_DoesMechanism(slot, auth_alg_defs[ssl_auth_rsa_pss]);
++    PK11_FreeSlot(slot);
++
++    keyType = SECKEY_GetPublicKeyType(pubKey);
++
+     if (keyType == ecKey) {
+-        group = ssl_ECPubKey2NamedGroup(key);
++        group = ssl_ECPubKey2NamedGroup(pubKey);
+     }
+ 
+     /* Here we look for the first local preference that the client has
+      * indicated support for in their signature_algorithms extension. */
+     for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+         SSLHashType hashType;
+         SECOidTag hashOID;
+         SignatureScheme preferred = ss->ssl3.signatureSchemes[i];
+         PRUint32 policy;
+ 
+         if (!ssl_SignatureSchemeValidForKey(isTLS13, keyType, group,
+                                             preferred)) {
+             continue;
+         }
+ 
++        /* Skip RSA-PSS schemes when the certificate's private key slot does
++         * not support this signature mechanism. */
++        if (ssl_IsRsaPssSignatureScheme(preferred) && !slotDoesPss) {
++            continue;
++        }
++
+         hashType = ssl_SignatureSchemeToHashType(preferred);
+         hashOID = ssl3_HashTypeToOID(hashType);
+         if (requireSha1 && hashOID != SEC_OID_SHA1) {
+             continue;
+         }
+         if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+             !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+             /* we ignore hashes we don't support */
+@@ -7148,51 +7167,54 @@ ssl3_PickServerSignatureScheme(sslSocket
+                 PORT_Assert(0);
+                 PORT_SetError(SEC_ERROR_INVALID_KEY);
+                 return SECFailure;
+         }
+         return SECSuccess;
+     }
+ 
+     /* Sets error code, if needed. */
+-    return ssl_PickSignatureScheme(ss, keyPair->pubKey,
++    return ssl_PickSignatureScheme(ss, keyPair->pubKey, keyPair->privKey,
+                                    ss->ssl3.hs.clientSigSchemes,
+                                    ss->ssl3.hs.numClientSigScheme,
+-                                   PR_FALSE);
++                                   PR_FALSE /* requireSha1 */);
+ }
+ 
+ static SECStatus
+ ssl_PickClientSignatureScheme(sslSocket *ss, const SignatureScheme *schemes,
+                               unsigned int numSchemes)
+ {
+-    SECKEYPublicKey *key;
++    SECKEYPrivateKey *privKey = ss->ssl3.clientPrivateKey;
++    SECKEYPublicKey *pubKey;
+     SECStatus rv;
+ 
+-    key = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
+-    PORT_Assert(key);
++    pubKey = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
++    PORT_Assert(pubKey);
+     if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3 &&
+-        (SECKEY_GetPublicKeyType(key) == rsaKey ||
+-         SECKEY_GetPublicKeyType(key) == dsaKey) &&
+-        SECKEY_PublicKeyStrengthInBits(key) <= 1024) {
++        (SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
++         SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
++        SECKEY_PublicKeyStrengthInBits(pubKey) <= 1024) {
+         /* If the key is a 1024-bit RSA or DSA key, assume conservatively that
+          * it may be unable to sign SHA-256 hashes. This is the case for older
+          * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
+          * older, DSA key size is at most 1024 bits and the hash function must
+          * be SHA-1.
+          */
+-        rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_TRUE);
++        rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
++                                     PR_TRUE /* requireSha1 */);
+         if (rv == SECSuccess) {
+-            SECKEY_DestroyPublicKey(key);
++            SECKEY_DestroyPublicKey(pubKey);
+             return SECSuccess;
+         }
+         /* If this fails, that's because the peer doesn't advertise SHA-1,
+          * so fall back to the full negotiation. */
+     }
+-    rv = ssl_PickSignatureScheme(ss, key, schemes, numSchemes, PR_FALSE);
+-    SECKEY_DestroyPublicKey(key);
++    rv = ssl_PickSignatureScheme(ss, pubKey, privKey, schemes, numSchemes,
++                                 PR_FALSE /* requireSha1 */);
++    SECKEY_DestroyPublicKey(pubKey);
+     return rv;
+ }
+ 
+ /* Called from ssl3_HandleServerHelloDone(). */
+ static SECStatus
+ ssl3_SendCertificateVerify(sslSocket *ss, SECKEYPrivateKey *privKey)
+ {
+     SECStatus rv = SECFailure;
+@@ -10593,16 +10615,23 @@ ssl3_EncodeSigAlgs(sslSocket *ss, PRUint
+         return SECFailure;
+     }
+ 
+     for (i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+         PRUint32 policy = 0;
+         SSLHashType hashType = ssl_SignatureSchemeToHashType(
+             ss->ssl3.signatureSchemes[i]);
+         SECOidTag hashOID = ssl3_HashTypeToOID(hashType);
++
++        /* Skip RSA-PSS schemes if there are no tokens to verify them. */
++        if (ssl_IsRsaPssSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
++            !PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
++            continue;
++        }
++
+         if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
+             (policy & NSS_USE_ALG_IN_SSL_KX)) {
+             p = ssl_EncodeUintX((PRUint32)ss->ssl3.signatureSchemes[i], 2, p);
+         }
+     }
+ 
+     if (p == buf) {
+         PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-p11-kit.config

@@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-

nss-signtool-format.patch

@@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
---- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
---- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
---- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
--        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
---- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
--        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 

nss-skip-bltest-and-fipstest.patch

@@ -0,0 +1,15 @@
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipthem	2016-09-29 12:02:16.143413684 +0200
++++ ./nss/cmd/Makefile	2016-09-29 12:03:58.776522901 +0200
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
++SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf

nss-skip-util-gtest.patch

@@ -0,0 +1,12 @@
+diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_gtest	2016-09-29 12:05:28.858019733 +0200
++++ ./external_tests/manifest.mn	2016-09-29 12:06:17.298681765 +0200
+@@ -9,8 +9,5 @@ DIRS = \
+ 	google_test \
+ 	common \
+ 	der_gtest \
+-	util_gtest \
+-	pk11_gtest \
+-	ssl_gtest \
+         nss_bogo_shim \
+ 	$(NULL)

nss-softokn-config.in

@@ -1,116 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	softokn3 - Requires full dynamic linking
-	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
-Dymamically linked
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-softokn`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-softokn`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      echo $libdirs
-fi
-

nss-softokn-dracut-module-setup.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}

nss-softokn-dracut.conf

@@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-SOFTOKN
-Description: Network Security Services Softoken PKCS #11 Module
-Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
-Cflags: -I${includedir}

nss-util-config.in

@@ -1,118 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-util-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nssutil
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-util`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-util`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi
-

nss-util.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-UTIL
-Description: Network Security Services Utility Library
-Version: %NSSUTIL_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -L${libdir} -lnssutil3
-Cflags: -I${includedir}

renegotiate-transitional.patch

@@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
++++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
+@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,              /* noLocks            */
+     PR_FALSE,              /* enableSessionTickets */
+     PR_FALSE,              /* enableDeflate      */
+-    2,                     /* enableRenegotiation (default: requires extension) */
++    3,                     /* enableRenegotiation (default: transitional) */
+     PR_FALSE,              /* requireSafeNegotiation */
+     PR_FALSE,              /* enableFalseStart   */
+     PR_TRUE,               /* cbcRandomIV        */

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
++++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

sources

@@ -1,6 +1,6 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
-SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
-SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
+9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
+73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
+691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
+2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+e980f7c3bb70ca122e0f6f5e914ec29a  nss-3.27.0.tar.gz

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd

tests/tests.yml

@@ -1,12 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss

utilwrap-include-templates.patch

@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+