Update to NSS 3.36.1

Update to NSS 3.36.0
Revert changes to test cases regarding NSS default DB format change
2018-04-19 17:34:31 +02:00 · 2018-03-09 17:04:04 +01:00 · 2018-02-07 18:52:40 +01:00 · 2018-02-07 18:52:33 +01:00 · 2018-02-07 13:14:52 +01:00 · 2017-11-15 11:12:18 +01:00
27 changed files with 575 additions and 1312 deletions
--- a/.gitignore
+++ b/.gitignore
@ -16,7 +16,7 @@ TestUser51.cert
 /nss-3.28.1.tar.gz
 /nss-3.29.0.tar.gz
 /nss-3.29.1.tar.gz
-/nss-3.30.0.tar.gz
+/nss-3.29.3.tar.gz
 /nss-3.30.2.tar.gz
 /nss-3.31.0.tar.gz
 /nss-3.32.0.tar.gz
@ -26,26 +26,3 @@ TestUser51.cert
 /nss-3.35.0.tar.gz
 /nss-3.36.0.tar.gz
 /nss-3.36.1.tar.gz
-/nss-3.37.1.tar.gz
-/nss-3.37.3.tar.gz
-/nss-3.38.0.tar.gz
-/nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz
--- a/add-relro-linker-option.patch
+++ b/add-relro-linker-option.patch
@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS	+= -Wl,-z,relro
+endif
+
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
--- a/nss-3.14.0.0-disble-ocsp-test.patch
+++ b/nss-3.14.0.0-disble-ocsp-test.patch
@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
+++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
--- a/nss-539183.patch
+++ b/nss-539183.patch
@ -1,5 +1,5 @@
--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
 getBoundListenSocket(unsigned short port)
 {
@ -29,8 +29,8 @@
     if (prStatus < 0) {
         PR_Close(listen_sock);
         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
 getBoundListenSocket(unsigned short port)
 {
--- a/nss-check-policy-file.patch
+++ b/nss-check-policy-file.patch
@ -0,0 +1,49 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file	2017-01-06 13:21:47.002952050 +0100
+++ nss/lib/pk11wrap/pk11pars.c	2017-01-06 13:28:18.972536334 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+                                                  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
+ 
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+         if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+             flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+         }
+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+	}
+         /* additional moduleDB flags could be added here in the future */
+         mod->isModuleDB = (PRBool)flags;
+     }
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ }
+ 
+ PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+   char flags = (char) mod->isModuleDB;
+
+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+     char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
+     if (!module) {
+         goto loser;
+     }
+
+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
+     * been parsed as a side effect of the CreateModuleEx call */
+    if (secmod_PolicyOnly(module)) {
+	return module;
+    }
+     if (parent) {
+         module->parent = SECMOD_ReferenceModule(parent);
+         if (module->internal && secmod_IsInternalKeySlot(parent)) {
--- a/nss-gcm-param-default-pkcs11v2.patch
+++ b/nss-gcm-param-default-pkcs11v2.patch
@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif
--- a/nss-kremlin-ppc64le.patch
+++ b/nss-kremlin-ppc64le.patch
@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 
--- a/nss-p11-kit.config
+++ b/nss-p11-kit.config
@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-
--- a/nss-signtool-format.patch
+++ b/nss-signtool-format.patch
@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
-        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
-        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
@ -0,0 +1,15 @@
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipthem	2017-01-06 13:17:27.477848351 +0100
+++ ./nss/cmd/Makefile	2017-01-06 13:19:30.244586100 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+SHLIBSIGN_SRCDIR = shlibsign
+else
+ SHLIBSIGN_SRCDIR =
+endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
@ -0,0 +1,10 @@
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest	2017-08-08 12:45:57.598801125 +0200
+++ nss/gtests/manifest.mn	2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ 	$(LIB_SRCDIRS) \
+-	$(UTIL_SRCDIRS) \
+ 	$(NSS_SRCDIRS) \
+ 	$(NULL)
--- a/nss-softokn-config.in
+++ b/nss-softokn-config.in
@ -1,116 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	softokn3 - Requires full dynamic linking
-	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
-Dymamically linked
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-softokn`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-softokn`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      echo $libdirs
-fi
-
--- a/nss-softokn-dracut-module-setup.sh
+++ b/nss-softokn-dracut-module-setup.sh
@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}
--- a/nss-softokn-dracut.conf
+++ b/nss-softokn-dracut.conf
@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "
--- a/nss-softokn.pc.in
+++ b/nss-softokn.pc.in
@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-SOFTOKN
-Description: Network Security Services Softoken PKCS #11 Module
-Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
-Cflags: -I${includedir}
--- a/nss-sql-default.patch
+++ b/nss-sql-default.patch
@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511548994 -3600
+#      Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent  807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
+++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
+    echo "Running test cycle: ${TEST_MODE} ----------------------"
+    echo "List of tests that will be executed: ${TESTS}"
+     for TEST in ${TESTS}
+     do
+         # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+     NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+     export -n NSS_SSL_RUN
+ 
+-    # use the default format
+    # use the default format. (unset for the shell, export -n for binaries)
+     export -n NSS_DEFAULT_DB_TYPE
+    unset NSS_DEFAULT_DB_TYPE
+ 
+     run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
+++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+   # are dbm databases.
+   if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ 	save=${NSS_DEFAULT_DB_TYPE}
+-	NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
+	NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+   fi
+ 
+   certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
--- a/nss-util-config.in
+++ b/nss-util-config.in
@ -1,118 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-util-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nssutil
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-util`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-util`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi
-
--- a/nss-util.pc.in
+++ b/nss-util.pc.in
@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-UTIL
-Description: Network Security Services Utility Library
-Version: %NSSUTIL_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -L${libdir} -lnssutil3
-Cflags: -I${includedir}
--- a/nss.spec
+++ b/nss.spec
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
+++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
+    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
+++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+SHA512 (nss-3.36.1.tar.gz) = 096fe4360b6d584a746ac6156830f8cff821fd173bd889d7a396238919328a227fa4ebb46f738970a4001773046f3dd4f4675b85ff6de8420a4a7657b3ba0c65
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,12 +0,0 @@
---
-# This first play always runs on the local staging system
- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss
--- a/utilwrap-include-templates.patch
+++ b/utilwrap-include-templates.patch
@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
+++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+INCLUDES += -I/usr/include/nss3/templates
+#endif
+
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
Author	SHA1	Message	Date
Daiki Ueno	0ab3a46ebc	Update to NSS 3.36.1	2018-04-19 17:34:31 +02:00
Daiki Ueno	9fd0ac8dd6	Update to NSS 3.36.0	2018-03-09 17:04:04 +01:00
Daiki Ueno	aacd33862f	Revert changes to test cases regarding NSS default DB format change	2018-02-07 18:52:40 +01:00
Daiki Ueno	7fa771c766	Fix NSS_FORCE_FIPS setting	2018-02-07 18:52:33 +01:00
Daiki Ueno	8a6d20c74c	Update to NSS 3.35.0	2018-02-07 13:14:52 +01:00
Daiki Ueno	aee750e01b	Update to NSS 3.34.0	2017-11-15 11:12:18 +01:00
Daiki Ueno	0d1848dba5	Fix nss-pem requirement on multilib	2017-11-10 15:24:12 +01:00
Daiki Ueno	f387ed5732	Update to NSS 3.33.0	2017-10-03 16:16:35 +02:00
Daiki Ueno	7ad6dae11e	Prefer in-tree headers over system headers See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6	2017-10-03 16:14:50 +02:00
Daiki Ueno	31a84b766b	Remove F27 entries from %changelog	2017-09-15 14:55:27 +02:00
Daiki Ueno	50c937a105	Update to NSS 3.32.1	2017-09-15 14:52:53 +02:00
Daiki Ueno	0c8f2e4aef	Revert signtool deprecation, which was only targeting F27	2017-08-18 09:52:41 +02:00
Daiki Ueno	b0d9716431	Update to NSS 3.32.0	2017-08-09 10:17:14 +02:00
Daiki Ueno	10a811eb16	Backport mozbz#1381784 to avoid deadlock in dnf	2017-07-18 14:02:02 +02:00
Daiki Ueno	c51947784e	Remove upstreamed patches	2017-07-11 14:27:48 +02:00
Daiki Ueno	60379b1140	Rebase to NSS 3.31.0	2017-07-11 14:17:26 +02:00
Daiki Ueno	c02a92318d	Enable TLS 1.3 again Also re-enable tests on armv7hl.	2017-05-10 13:28:12 +02:00
Daiki Ueno	8a895b4021	Rebase to NSS 3.30.2	2017-04-24 11:07:51 +02:00
Kai Engert	00dec8e43f	temporarily disable tests on armv7hl because of infrastructure timeouts	2017-03-29 17:39:12 +02:00
Kai Engert	f1ccf9b47a	Backport upstream mozbz#1328318 to support crypto policy FUTURE.	2017-03-29 14:11:21 +02:00
Daiki Ueno	6870a8a378	Re-add patch to check CKA_NSS_MOZILLA_CA_POLICY	2017-03-22 13:59:37 +01:00
Daiki Ueno	fe7dcb8310	Update to NSS 3.29.3	2017-03-21 16:47:43 +01:00
Kai Engert	571d09fa9e	Backport mozbz#1334976 and mozbz#1336487.	2017-03-02 14:10:09 +01:00