Require nss-softoken-version 3.12.6 and fix pem seg violation within

CreateObject (#596674)

.cvsignore

@@ -0,0 +1,8 @@
+nss-3.12.6-stripped.tar.bz2
+nss-pem-20100412.tar.bz2
+blank-cert8.db
+blank-key3.db
+blank-secmod.db
+blank-cert9.db
+blank-key4.db
+PayPalEE.cert

.gitignore

@@ -1,51 +0,0 @@
-blank-cert8.db
-blank-key3.db
-blank-secmod.db
-blank-cert9.db
-blank-key4.db
-PayPalEE.cert
-TestCA.ca.cert
-TestUser50.cert
-TestUser51.cert
-/PayPalRootCA.cert
-/PayPalICA.cert
-/nss-3.25.0.tar.gz
-/nss-3.26.0.tar.gz
-/nss-3.27.0.tar.gz
-/nss-3.27.2.tar.gz
-/nss-3.28.1.tar.gz
-/nss-3.29.0.tar.gz
-/nss-3.29.1.tar.gz
-/nss-3.30.0.tar.gz
-/nss-3.30.2.tar.gz
-/nss-3.31.0.tar.gz
-/nss-3.32.0.tar.gz
-/nss-3.32.1.tar.gz
-/nss-3.33.0.tar.gz
-/nss-3.34.0.tar.gz
-/nss-3.35.0.tar.gz
-/nss-3.36.0.tar.gz
-/nss-3.36.1.tar.gz
-/nss-3.37.1.tar.gz
-/nss-3.37.3.tar.gz
-/nss-3.38.0.tar.gz
-/nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz

Makefile

@@ -0,0 +1,21 @@
+# Makefile for source rpm: nss
+# $Id: Makefile,v 1.2 2007/10/15 19:11:25 notting Exp $
+NAME := nss
+SPECFILE = $(firstword $(wildcard *.spec))
+
+define find-makefile-common
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+endef
+
+MAKEFILE_COMMON := $(shell $(find-makefile-common))
+
+ifeq ($(MAKEFILE_COMMON),)
+# attempt a checkout
+define checkout-makefile-common
+test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
+endef
+
+MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
+endif
+
+include $(MAKEFILE_COMMON)

STAGE2-nss

@@ -1,68 +0,0 @@
-#requires nspr
-#requires perl
-#requires nss-util
-#requires nss-softokn
-
-mcd $BUILDDIR/nss
-
-export BUILD_OPT=1
-export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
-export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
-export NSPR_INCLUDE_DIR=/usr/include/nspr
-export NSPR_LIB_DIR=/usr/lib${SUFFIX}
-export NSS_USE_SYSTEM_SQLITE=1
-export NSS_BUILD_WITHOUT_SOFTOKEN=1
-export USE_SYSTEM_SOFTOKEN=1
-export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
-export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
-export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
-export USE_SYSTEM_NSSUTIL=1
-export FREEBL_INCLUDE_DIR=/usr/include/nss3
-export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
-export USE_SYSTEM_FREEBL=1
-export NSS_USE_SYSTEM_FREEBL=1
-export FREEBL_NO_DEPEND=1
-export IN_TREE_FREEBL_HEADERS_FIRST=1
-export NSS_BLTEST_NOT_AVAILABLE=1
-export NSS_NO_SSL2_NO_EXPORT=1
-export NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_NO_PKCS11_BYPASS=1
-#export NSDISTMODE="copy"
-
-if [ "$SUFFIX" = "64" ]; then
-  USE_64=1
-  export USE_64
-fi
-
-(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
-
-make -C $SRC/nss-3.*/nss/coreconf
-make -C $SRC/nss-3.*/nss/lib/dbm
-
-# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
-# need nss/verref.h which is exported privately, move it to where it can be found.
-(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
-
-make -C $SRC/nss-3.*/nss
-cd $SRC/nss-3.*/nss/coreconf
-make install
-cd $SRC/nss-3.*/nss/lib/dbm
-make install
-cd $SRC/nss-3.*/nss
-make install
-# Copy the binary libraries we want
-NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
-# BOZO: temporarily disable FIPS140 support
-#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
-NSSLIBCHKS=""
-# END BOZO
-cd $SRC/nss-3.*
-for file in $NSSLIBS $NSSLIBCHKS
-do
-  install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
-done
-# Copy the include files we want
-for file in $SRC/nss-*/dist/public/nss/*.h
-do
-  install -p -m 644 $file /usr/include/nss3/
-done

branch

@@ -0,0 +1 @@
+F-12

cert8.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="cert8.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>cert8.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>cert8.db</refname>
-    <refpurpose>Legacy NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
-  <para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/cert8.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

cert9.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="cert9.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>cert9.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>cert9.db</refname>
-    <refpurpose>NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
-  <para>This certificate database is the sqlite-based shared database with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

iquote.patch

@@ -1,13 +0,0 @@
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
-     SQLITE_LIB_NAME = sqlite3
- endif
- 
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included

key3.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="key3.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>key3.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>key3.db</refname>
-    <refpurpose>Legacy NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
-  <para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which  which are the new sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/key3.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

key4.db.xml

@@ -1,59 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="key4.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>key4.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>key4.db</refname>
-    <refpurpose>NSS certificate database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
-  <para>This key database is the sqlite-based shared database format with support for concurrent access.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/key4.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

nss-539183.patch

@@ -1,62 +0,0 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSockett");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-config.xml

@@ -1,132 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="nss-config">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>nss-config</refentrytitle>
-    <manvolnum>1</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>nss-config</refname>
-    <refpurpose>Return meta information about nss libraries</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>nss-config</command>
-      <arg><option>--prefix</option></arg>
-      <arg><option>--exec-prefix</option></arg>
-      <arg><option>--includedir</option></arg>
-      <arg><option>--libs</option></arg>
-      <arg><option>--cflags</option></arg>
-      <arg><option>--libdir</option></arg>
-      <arg><option>--version</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-<refsection id="description">
-    <title>Description</title>
-
-    <para><command>nss-config</command> is a shell scrip
-    tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
-
-  </refsection>
-  
-  <refsection>
-    <title>Options</title>
-    
-    <variablelist>
-      <varlistentry>
-        <term><option>--prefix</option></term>
-        <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--exec-prefix</option></term>
-        <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--includedir</option> <replaceable>count</replaceable></term>
-        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--version</option></term>
-        <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--libs</option></term>
-        <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--cflags</option></term>
-        <listitem><simpara>returns the compiler include flags.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>--libdir</option></term>
-        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection>
-    <title>Examples</title>
-
-    <para>The following example will query for both include path and linkage flags:
-    
-      <programlisting>
-        /usr/bin/nss-config --cflags --libs
-      </programlisting>
-
-    </para>
-
-   
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-
-    <para><filename>/usr/bin/nss-config</filename></para>
-
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkg-config(1)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>
-	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
-    </para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-  </refsection>
-
-</refentry>
-

nss-enable-pem.patch

@@ -0,0 +1,12 @@
+diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
+--- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem	2008-08-05 16:34:23.000000000 -0700
++++ ./mozilla/security/nss/lib/ckfw/manifest.mn	2008-08-05 16:34:30.000000000 -0700
+@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
+ 
+ CORE_DEPTH = ../../..
+ 
+-DIRS = builtins 
++DIRS = builtins pem
+ 
+ PRIVATE_EXPORTS = \
+ 	ck.h		  \

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-nolocalsql.patch

@@ -0,0 +1,52 @@
+diff -up ./mozilla/security/nss/lib/Makefile.nolocalsql ./mozilla/security/nss/lib/Makefile
+--- ./mozilla/security/nss/lib/Makefile.nolocalsql	2010-02-27 16:40:25.891777537 -0800
++++ ./mozilla/security/nss/lib/Makefile	2010-02-27 16:41:59.175902327 -0800
+@@ -62,11 +62,11 @@ ifndef USE_SYSTEM_ZLIB
+ ZLIB_SRCDIR = zlib  # Add the zlib directory to DIRS.
+ endif
+ 
+-ifndef MOZILLA_CLIENT
+-ifndef NSS_USE_SYSTEM_SQLITE
+-SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
+-endif
+-endif
++#ifndef MOZILLA_CLIENT
++#ifndef NSS_USE_SYSTEM_SQLITE
++#SQLITE_SRCDIR = sqlite  # Add the sqlite directory to DIRS.
++#endif
++#endif
+ 
+ ifndef MOZILLA_CLIENT
+ ifeq ($(OS_ARCH),Linux)
+diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn
+--- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql	2010-02-27 16:44:24.998777709 -0800
++++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn	2010-02-27 16:45:08.533803472 -0800
+@@ -46,9 +46,9 @@ MAPFILE = $(OBJDIR)/nssdbm.def
+ 
+ DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
+ 
+-ifdef MOZILLA_CLIENT
+-INCLUDES += -I$(DIST)/include/sqlite3
+-endif
++#ifdef MOZILLA_CLIENT
++#INCLUDES += -I$(DIST)/include/sqlite3
++#endif
+ 
+ CSRCS = \
+ 	dbmshim.c \
+diff -up ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/manifest.mn
+--- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql	2010-02-27 16:42:52.213902231 -0800
++++ ./mozilla/security/nss/lib/softoken/manifest.mn	2010-02-27 16:43:34.040776788 -0800
+@@ -47,9 +47,9 @@ MAPFILE = $(OBJDIR)/softokn.def
+ 
+ DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
+ 
+-ifdef MOZILLA_CLIENT
+-INCLUDES += -I$(DIST)/include/sqlite3
+-endif
++#ifdef MOZILLA_CLIENT
++#INCLUDES += -I$(DIST)/include/sqlite3
++#endif
+ 
+ EXPORTS = \
+ 	secmodt.h \

nss-p11-kit.config

@@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-

nss-signtool-format.patch

@@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
---- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
---- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
---- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
--        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
---- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
--        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 

nss-softokn-config.in

@@ -1,116 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	softokn3 - Requires full dynamic linking
-	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
-Dymamically linked
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-softokn`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-softokn`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      echo $libdirs
-fi
-

nss-softokn-dracut-module-setup.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}

nss-softokn-dracut.conf

@@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-SOFTOKN
-Description: Network Security Services Softoken PKCS #11 Module
-Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
-Cflags: -I${includedir}

nss-util-config.in

@@ -1,118 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-util-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nssutil
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-util`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-util`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi
-

nss-util.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-UTIL
-Description: Network Security Services Utility Library
-Version: %NSSUTIL_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -L${libdir} -lnssutil3
-Cflags: -I${includedir}

nss.pc.in

@@ -7,5 +7,5 @@ Name: NSS
 Description: Network Security Services
 Version: %NSS_VERSION%
 Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Libs: -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}

nsspem-596674.patch

@@ -0,0 +1,127 @@
+diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783 ./mozilla/security/nss/lib/ckfw/pem/pinst.c
+--- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.596783	2010-06-06 18:27:27.256318318 -0700
++++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c	2010-06-06 20:45:28.158442982 -0700
+@@ -151,7 +151,7 @@ GetCertFields(unsigned char *cert, int c
+     buf = issuer->data + issuer->len;
+ 
+     /* only wanted issuer/SN */
+-    if (valid == NULL) {
++    if (subject == NULL || valid == NULL || subjkey == NULL) {
+         return SECSuccess;
+     }
+     /* validity */
+@@ -219,53 +219,93 @@ CreateObject(CK_OBJECT_CLASS objClass,
+         memset(&o->u.trust, 0, sizeof(o->u.trust));
+         break;
+     }
++
++    o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
++    if (o->nickname == NULL)
++        goto fail;
++    strcpy(o->nickname, nickname);
++
++    sprintf(id, "%d", objid);
++    len = strlen(id) + 1;       /* zero terminate */
++    o->id.data = (void *) nss_ZAlloc(NULL, len);
++    if (o->id.data == NULL)
++        goto fail;
++    (void) nsslibc_memcpy(o->id.data, id, len);
++    o->id.size = len;
++
+     o->objClass = objClass;
+     o->type = type;
+     o->slotID = slotID;
++
+     o->derCert = nss_ZNEW(NULL, SECItem);
++    if (o->derCert == NULL)
++        goto fail;
+     o->derCert->data = (void *) nss_ZAlloc(NULL, certDER->len);
++    if (o->derCert->data == NULL)
++        goto fail;
+     o->derCert->len = certDER->len;
+     nsslibc_memcpy(o->derCert->data, certDER->data, certDER->len);
+ 
+     switch (objClass) {
+     case CKO_CERTIFICATE:
+     case CKO_NETSCAPE_TRUST:
+-        GetCertFields(o->derCert->data,
+-                      o->derCert->len, &issuer, &serial,
+-                      &derSN, &subject, &valid, &subjkey);
++        if (SECSuccess != GetCertFields(o->derCert->data, o->derCert->len,
++                                        &issuer, &serial, &derSN, &subject,
++                                        &valid, &subjkey))
++            goto fail;
+ 
+         o->u.cert.subject.data = (void *) nss_ZAlloc(NULL, subject.len);
++        if (o->u.cert.subject.data == NULL)
++            goto fail;
+         o->u.cert.subject.size = subject.len;
+         nsslibc_memcpy(o->u.cert.subject.data, subject.data, subject.len);
+ 
+         o->u.cert.issuer.data = (void *) nss_ZAlloc(NULL, issuer.len);
++        if (o->u.cert.issuer.data == NULL) {
++            nss_ZFreeIf(o->u.cert.subject.data);
++            goto fail;
++        }
+         o->u.cert.issuer.size = issuer.len;
+         nsslibc_memcpy(o->u.cert.issuer.data, issuer.data, issuer.len);
+ 
+         o->u.cert.serial.data = (void *) nss_ZAlloc(NULL, serial.len);
++        if (o->u.cert.serial.data == NULL) {
++            nss_ZFreeIf(o->u.cert.issuer.data);
++            nss_ZFreeIf(o->u.cert.subject.data);
++            goto fail;
++        }
+         o->u.cert.serial.size = serial.len;
+         nsslibc_memcpy(o->u.cert.serial.data, serial.data, serial.len);
+         break;
+     case CKO_PRIVATE_KEY:
+         o->u.key.key.privateKey = nss_ZNEW(NULL, SECItem);
++        if (o->u.key.key.privateKey == NULL)
++            goto fail;
+         o->u.key.key.privateKey->data =
+             (void *) nss_ZAlloc(NULL, keyDER->len);
++        if (o->u.key.key.privateKey->data == NULL) {
++            nss_ZFreeIf(o->u.key.key.privateKey);
++            goto fail;
++        }
+         o->u.key.key.privateKey->len = keyDER->len;
+         nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data,
+                        keyDER->len);
+     }
+ 
+-    o->nickname = (char *) nss_ZAlloc(NULL, strlen(nickname) + 1);
+-    strcpy(o->nickname, nickname);
+-
+-    sprintf(id, "%d", objid);
+-
+-    len = strlen(id) + 1;       /* zero terminate */
+-    o->id.data = (void *) nss_ZAlloc(NULL, len);
+-    (void) nsslibc_memcpy(o->id.data, id, len);
+-    o->id.size = len;
+ 
+     return o;
++
++fail:
++    if (o) {
++        if (o->derCert) {
++            nss_ZFreeIf(o->derCert->data);
++            nss_ZFreeIf(o->derCert);
++        }
++        nss_ZFreeIf(o->id.data);
++        nss_ZFreeIf(o->nickname);
++        nss_ZFreeIf(o);
++    }
++    return NULL;
+ }
+ 
+ pemInternalObject *
+@@ -306,6 +346,8 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
+     /* object not found, we need to create it */
+     pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
+                                          filename, objid, slotID);
++    if (io == NULL)
++        return NULL;
+ 
+     io->gobjIndex = count;
+ 

pkcs11.txt.xml

@@ -1,56 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="pkcs11.txt">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>pkcs11.txt</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>pkcs11.txt</refname>
-    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
-  </refnamediv>
-
-  <refsection id="description">
-    <title>Description</title>
-    <para>
-The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
-    </para>
-    <para>
-For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
-    </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-  </refsection>
-
-</refentry>
-

renegotiate-transitional.patch

@@ -0,0 +1,16 @@
+Index: ./mozilla/security/nss/lib/ssl/sslsock.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
+retrieving revision 1.66
+diff -u -p -r1.66 sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c	26 Feb 2010 20:44:54 -0000	1.66
++++ ./mozilla/security/nss/lib/ssl/sslsock.c	1 Mar 2010 18:05:10 -0000
+@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,   /* noLocks            */
+     PR_FALSE,   /* enableSessionTickets */
+     PR_FALSE,   /* enableDeflate      */
+-    2,          /* enableRenegotiation (default: requires extension) */
++    3,          /* enableRenegotiation (default: transitional)
+     PR_FALSE,   /* requireSafeNegotiation */
+ };
+ 

secmod.db.xml

@@ -1,63 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="secmod.db">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>secmod.db</refentrytitle>
-    <manvolnum>5</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>secmod.db</refname>
-    <refpurpose>Legacy NSS security modules database</refpurpose>
-  </refnamediv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
-  <para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
-  </para>
-  <para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
-  </para>
-  <para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
-  </para>
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/etc/pki/nssdb/secmod.db</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-
-  </refsection>
-
-
-</refentry>

setup-nsssysinit.sh

@@ -1,24 +1,24 @@
 #!/bin/sh
 #
 # Turns on or off the nss-sysinit module db by editing the
-# global PKCS #11 congiguration file. Displays the status.
+# global PKCS #11 congiguration file.
 #
 # This script can be invoked by the user as super user.
-# It is invoked at nss-sysinit post install time with argument on.
+# It is invoked at nss-sysinit post install time with argument on
+# and at nss-sysinit pre uninstall with argument off. 
 #
 usage()
 {
   cat <<EOF
 Usage: setup-nsssysinit [on|off]
-  on     - turns on nsssysinit
-  off    - turns off nsssysinit
-  status - reports whether nsssysinit is turned on or off
+  on  - turns on nsssysinit
+  off - turns off nsssysinit
 EOF
   exit $1
 }
 
 # validate
-if [ $# -eq 0 ]; then
+if test $# -eq 0; then
   usage 1 1>&2
 fi
 
@@ -30,26 +30,17 @@ if [ ! -f $p11conf ]; then
   exit 1
 fi
 
-# check if nsssysinit is currently enabled or disabled
-sysinit_enabled()
-{
-  grep -q '^library=libnsssysinit' ${p11conf}
-}
-
-umask 022
+on="1"
 case "$1" in
   on | ON )
-    if sysinit_enabled; then 
-      exit 0 
-    fi
     cat ${p11conf} | \
-    sed -e 's/^library=$/library=libnsssysinit.so/' \
-        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
-        ${p11conf}.on
+     sed -e 's/^library=$/library=libnsssysinit.so/' \
+         -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+    ${p11conf}.on
     mv ${p11conf}.on ${p11conf}
     ;;
   off | OFF )
-    if ! sysinit_enabled; then
+    if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
       exit 0
     fi
     cat ${p11conf} | \
@@ -58,10 +49,6 @@ case "$1" in
         ${p11conf}.off
     mv ${p11conf}.off ${p11conf}
     ;;
-  status )
-    echo -n 'NSS sysinit is '
-    sysinit_enabled && echo 'enabled' || echo 'disabled'
-    ;;
   * )
     usage 1 1>&2
     ;;

setup-nsssysinit.xml

@@ -1,106 +0,0 @@
-<?xml version='1.0' encoding='utf-8'?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
-<!ENTITY date SYSTEM "date.xml">
-<!ENTITY version SYSTEM "version.xml">
-]>
-
-<refentry id="setup-nsssysinit">
-
-  <refentryinfo>
-    <date>&date;</date>
-    <title>Network Security Services</title>
-    <productname>nss</productname>
-    <productnumber>&version;</productnumber>
-  </refentryinfo>
-
-  <refmeta>
-    <refentrytitle>setup-nsssysinit</refentrytitle>
-    <manvolnum>1</manvolnum>
-  </refmeta>
-
-  <refnamediv>
-    <refname>setup-nsssysinit</refname>
-    <refpurpose>Query or enable the nss-sysinit module</refpurpose>
-  </refnamediv>
-
-  <refsynopsisdiv>
-    <cmdsynopsis>
-      <command>setup-nsssysinit</command>
-      <arg><option>on</option></arg>
-      <arg><option>off</option></arg>
-      <arg><option>status</option></arg>
-    </cmdsynopsis>
-  </refsynopsisdiv>
-
-<refsection id="description">
-    <title>Description</title>
-    <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
-  <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
-  </para>
-  </refsection>
-  
-  <refsection>
-    <title>Options</title>
-    
-    <variablelist>
-      <varlistentry>
-        <term><option>on</option></term>
-        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>off</option></term>
-        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><option>status</option></term>
-        <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
-      </varlistentry>
-
-    </variablelist>
-  </refsection>
-
-  <refsection>
-    <title>Examples</title>
-
-    <para>The following example will query for the status of nss-sysinit:
-      <programlisting>
-        /usr/bin/setup-nsssysinit status
-      </programlisting>
-    </para>
-
-    <para>The following example, when run as superuser, will turn on nss-sysinit:
-      <programlisting>
-        /usr/bin/setup-nsssysinit on
-      </programlisting>
-    </para>
-
-  </refsection>
-
-  <refsection>
-    <title>Files</title>
-    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
-  </refsection>
-
-  <refsection>
-    <title>See also</title>
-    <para>pkg-config(1)</para>
-  </refsection>
-
-  <refsection id="authors">
-    <title>Authors</title>
-    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
-    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
-  </refsection>
-
-<!-- don't change -->
-  <refsection id="license">
-    <title>LICENSE</title>
-    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-    </para>
-  </refsection>
-
-</refentry>
-

sources

@@ -1,6 +1,8 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
-SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
-SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+3902499c8e02b02d4944f21d3c6a839f  nss-3.12.6-stripped.tar.bz2
+f32d884d178082ce8201f01e21f0d050  nss-pem-20100412.tar.bz2
+a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
+9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
+73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
+691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
+2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+9bbc62615e6b2b22547375b5d39ddfe7  PayPalEE.cert

system-pkcs11.txt

@@ -1,5 +1,5 @@
-library=libnsssysinit.so
+library=
 name=NSS Internal PKCS #11 Module
 parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
 

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd

tests/tests.yml

@@ -1,12 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss

validate-arguments.patch

@@ -0,0 +1,720 @@
+Index: ./mozilla/security/nss/cmd/p7content/p7content.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7content/p7content.c,v
+retrieving revision 1.12
+diff -u -p -r1.12 p7content.c
+--- ./mozilla/security/nss/cmd/p7content/p7content.c	4 Aug 2008 22:58:31 -0000	1.12
++++ ./mozilla/security/nss/cmd/p7content/p7content.c	2 Mar 2010 18:29:48 -0000
+@@ -64,7 +64,7 @@ extern int fprintf(FILE *, char *, ...);
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s [-d dbdir] [-i input] [-o output]\n",
+@@ -195,6 +195,15 @@ DecodeAndPrintFile(FILE *out, PRFileDesc
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ /*
+  * Print the contents of a PKCS7 message, indicating signatures, etc.
+  */
+@@ -222,10 +231,12 @@ main(int argc, char **argv)
+     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 	switch (optstate->option) {
+ 	  case 'd':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -235,6 +246,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'o':
++           REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "w");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -244,11 +256,13 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'p':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = PORT_Strdup (optstate->value);
+             break;
+ 
+           case 'f':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_FROMFILE;
+             pwdata.data = PORT_Strdup (optstate->value);
+             break;
+Index: ./mozilla/security/nss/cmd/p7env/p7env.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7env/p7env.c,v
+retrieving revision 1.10
+diff -u -p -r1.10 p7env.c
+--- ./mozilla/security/nss/cmd/p7env/p7env.c	11 Feb 2010 02:39:47 -0000	1.10
++++ ./mozilla/security/nss/cmd/p7env/p7env.c	2 Mar 2010 18:29:48 -0000
+@@ -63,7 +63,7 @@ extern int fprintf(FILE *, char *, ...);
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -r recipient [-d dbdir] [-i input] [-o output]\n",
+@@ -159,6 +159,15 @@ EncryptFile(FILE *outFile, FILE *inFile,
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -194,10 +203,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = fopen(optstate->value, "r");
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -207,6 +218,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "wb");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -216,6 +228,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'r':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    if (rcpt == NULL) {
+ 		recipients = rcpt = PORT_Alloc (sizeof(struct recipient));
+ 	    } else {
+Index: ./mozilla/security/nss/cmd/p7sign/p7sign.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7sign/p7sign.c,v
+retrieving revision 1.14
+diff -u -p -r1.14 p7sign.c
+--- ./mozilla/security/nss/cmd/p7sign/p7sign.c	4 Aug 2008 22:58:28 -0000	1.14
++++ ./mozilla/security/nss/cmd/p7sign/p7sign.c	2 Mar 2010 18:29:48 -0000
+@@ -67,7 +67,7 @@ extern int fprintf(FILE *, char *, ...);
+ static secuPWData  pwdata          = { PW_NONE, 0 };
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -k keyname [-d keydir] [-i input] [-o output]\n",
+@@ -173,6 +173,15 @@ SignFile(FILE *outFile, PRFileDesc *inFi
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -210,10 +219,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'i':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    inFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!inFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -223,10 +234,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'k':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    keyName = strdup(optstate->value);
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "wb");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -235,11 +248,13 @@ main(int argc, char **argv)
+ 	    }
+ 	    break;
+ 	  case 'p':
++            REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = strdup (optstate->value);
+             break;
+ 
+ 	  case 'f':
++              REQUIRE_ARG(optstate->option, optstate->value);
+               pwdata.source = PW_FROMFILE;
+               pwdata.data = PORT_Strdup (optstate->value);
+               break;
+Index: ./mozilla/security/nss/cmd/p7verify/p7verify.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/p7verify/p7verify.c,v
+retrieving revision 1.10
+diff -u -p -r1.10 p7verify.c
+--- ./mozilla/security/nss/cmd/p7verify/p7verify.c	8 Aug 2008 23:47:57 -0000	1.10
++++ ./mozilla/security/nss/cmd/p7verify/p7verify.c	2 Mar 2010 18:29:48 -0000
+@@ -126,7 +126,7 @@ DigestFile(unsigned char *digest, unsign
+ 
+ 
+ static void
+-Usage(char *progName)
++Usage(const char *progName)
+ {
+     fprintf(stderr,
+ 	    "Usage:  %s -c content -s signature [-d dbdir] [-u certusage]\n",
+@@ -209,6 +209,14 @@ HashDecodeAndVerify(FILE *out, FILE *con
+     return 0;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,arg) if (!(arg)) PrintMsgAndExit(progName, opt)
+ 
+ int
+ main(int argc, char **argv)
+@@ -239,6 +247,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'c':
++        REQUIRE_ARG(optstate->option, optstate->value);
+ 	    contentFile = fopen(optstate->value, "r");
+ 	    if (!contentFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -248,10 +257,12 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    SECU_ConfigDirectory(optstate->value);
+ 	    break;
+ 
+ 	  case 'o':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    outFile = fopen(optstate->value, "w");
+ 	    if (!outFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for writing\n",
+@@ -261,6 +272,7 @@ main(int argc, char **argv)
+ 	    break;
+ 
+ 	  case 's':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    signatureFile = PR_Open(optstate->value, PR_RDONLY, 0);
+ 	    if (!signatureFile) {
+ 		fprintf(stderr, "%s: unable to open \"%s\" for reading\n",
+@@ -271,7 +283,7 @@ main(int argc, char **argv)
+ 
+ 	  case 'u': {
+ 	    int usageType;
+-
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    usageType = atoi (strdup(optstate->value));
+ 	    if (usageType < certUsageSSLClient || usageType > certUsageAnyCA)
+ 		return -1;
+Index: ./mozilla/security/nss/cmd/strsclnt/strsclnt.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/strsclnt/strsclnt.c,v
+retrieving revision 1.66
+diff -u -p -r1.66 strsclnt.c
+--- ./mozilla/security/nss/cmd/strsclnt/strsclnt.c	10 Feb 2010 18:07:20 -0000	1.66
++++ ./mozilla/security/nss/cmd/strsclnt/strsclnt.c	2 Mar 2010 18:29:51 -0000
+@@ -1325,6 +1325,15 @@ done:
+     return rv;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -1364,33 +1373,57 @@ main(int argc, char **argv)
+ 
+ 	case 'B': bypassPKCS11 = PR_TRUE; break;
+ 
+-	case 'C': cipherString = optstate->value; break;
++	case 'C': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    cipherString = optstate->value;
++	    break;
+ 
+ 	case 'D': NoDelay = PR_TRUE; break;
+ 
+ 	case 'N': NoReuse = 1; break;
+         
+-	case 'P': fullhs = PORT_Atoi(optstate->value); break;
++	case 'P': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    fullhs = PORT_Atoi(optstate->value);
++	    break;
+ 
+ 	case 'T': disableTLS = PR_TRUE; break;
+             
+ 	case 'U': ThrottleUp = PR_TRUE; break;
+ 
+-	case 'a': sniHostName = PL_strdup(optstate->value); break;
++	case 'a': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    sniHostName = PL_strdup(optstate->value);
++	    break;
+ 
+-	case 'c': connections = PORT_Atoi(optstate->value); break;
++	case 'c': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    connections = PORT_Atoi(optstate->value); 
++	    break;
+ 
+-	case 'd': dir = optstate->value; break;
++	case 'd': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    dir = optstate->value;
++	    break;
+ 
+-	case 'f': fileName = optstate->value; break;
++	case 'f': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    fileName = optstate->value;
++	    break;
+ 
+ 	case 'i': ignoreErrors = PR_TRUE; break;
+ 
+-        case 'n': nickName = PL_strdup(optstate->value); break;
++        case 'n': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    nickName = PL_strdup(optstate->value);
++	    break;
+ 
+ 	case 'o': MakeCertOK++; break;
+ 
+-	case 'p': port = PORT_Atoi(optstate->value); break;
++	case 'p': 
++	    REQUIRE_ARG(optstate->option, optstate->value);
++	    port = PORT_Atoi(optstate->value);
++	    break;
+ 
+ 	case 'q': QuitOnTimeout = PR_TRUE; break;
+ 
+@@ -1407,11 +1440,13 @@ main(int argc, char **argv)
+ 	case 'v': verbose++; break;
+ 
+         case 'w':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_PLAINTEXT;
+             pwdata.data = PL_strdup(optstate->value);
+             break;
+ 
+         case 'W':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+             pwdata.source = PW_FROMFILE;
+             pwdata.data = PL_strdup(optstate->value);
+             break;
+@@ -1419,6 +1454,7 @@ main(int argc, char **argv)
+ 	case 'z': enableCompression = PR_TRUE; break;
+ 
+ 	case 0:   /* positional parameter */
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    if (hostName) {
+ 		Usage(progName);
+ 	    }
+Index: ./mozilla/security/nss/cmd/tests/remtest.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/tests/remtest.c,v
+retrieving revision 1.5
+diff -u -p -r1.5 remtest.c
+--- ./mozilla/security/nss/cmd/tests/remtest.c	8 Aug 2008 23:48:09 -0000	1.5
++++ ./mozilla/security/nss/cmd/tests/remtest.c	2 Mar 2010 18:29:51 -0000
+@@ -69,6 +69,15 @@ Usage(char *progName) 
+     exit(1);
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int main(int argc, char **argv)
+ {
+     char *             certDir  =  NULL;
+@@ -92,10 +101,12 @@ int main(int argc, char **argv)
+ 	switch (optstate->option) {
+ 
+ 	  case 'd':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    certDir = strdup(optstate->value);
+ 	    certDir = SECU_ConfigDirectory(certDir);
+ 	    break;
+ 	  case 't':
++	    REQUIRE_ARG(optstate->option, optstate->value);
+ 	    tokenName = strdup(optstate->value);
+ 	    break;
+ 	  case 'r':
+Index: ./mozilla/security/nss/cmd/tstclnt/tstclnt.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/tstclnt/tstclnt.c,v
+retrieving revision 1.62
+diff -u -p -r1.62 tstclnt.c
+--- ./mozilla/security/nss/cmd/tstclnt/tstclnt.c	10 Feb 2010 18:07:21 -0000	1.62
++++ ./mozilla/security/nss/cmd/tstclnt/tstclnt.c	2 Mar 2010 18:29:51 -0000
+@@ -497,6 +497,15 @@ separateReqHeader(const PRFileDesc* outF
+ 	Usage(progName); \
+     }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int main(int argc, char **argv)
+ {
+     PRFileDesc *       s;
+@@ -563,38 +572,56 @@ int main(int argc, char **argv)
+ 
+           case 'B': bypassPKCS11 = 1; 			break;
+ 
+-          case 'S': skipProtoHeader = PR_TRUE;                 break;
++          case 'S': skipProtoHeader = PR_TRUE;  break;
+ 
+           case 'T': disableTLS  = 1; 			break;
+ 
+-          case 'a': if (!hs1SniHostName) {
+-                        hs1SniHostName = PORT_Strdup(optstate->value);
+-                    } else if (!hs2SniHostName) {
+-                        hs2SniHostName =  PORT_Strdup(optstate->value);
+-                    } else {
+-                        Usage(progName);
+-                    }
+-                    break;
+-
+-          case 'c': cipherString = PORT_Strdup(optstate->value); break;
+-
+-          case 'd': certDir = PORT_Strdup(optstate->value);   break;
++          case 'a':
++              REQUIRE_ARG(optstate->option, optstate->value);
++              if (!hs1SniHostName) {
++                  hs1SniHostName = PORT_Strdup(optstate->value);
++              } else if (!hs2SniHostName) {
++                  hs2SniHostName =  PORT_Strdup(optstate->value);
++              } else {
++                  Usage(progName);
++              }
++              break;
++
++          case 'c':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              cipherString = PORT_Strdup(optstate->value);
++              break;
++
++          case 'd':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              certDir = PORT_Strdup(optstate->value);
++              break;
+ 
+           case 'f': clientSpeaksFirst = PR_TRUE;        break;
+ 
+-          case 'h': host = PORT_Strdup(optstate->value);	break;
++          case 'h':
++              REQUIRE_ARG(optstate->option,optstate->value);
++              host = PORT_Strdup(optstate->value);
++              break;
+ 
+ 	  case 'm':
++	    REQUIRE_ARG(optstate->option,optstate->value);
+ 	    multiplier = atoi(optstate->value);
+ 	    if (multiplier < 0)
+ 	    	multiplier = 0;
+ 	    break;
+ 
+-	  case 'n': nickname = PORT_Strdup(optstate->value);	break;
++	  case 'n':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          nickname = PORT_Strdup(optstate->value);
++          break;
+ 
+ 	  case 'o': override = 1; 			break;
+ 
+-	  case 'p': portno = (PRUint16)atoi(optstate->value);	break;
++	  case 'p':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          portno = (PRUint16)atoi(optstate->value);
++          break;
+ 
+ 	  case 'q': pingServerFirst = PR_TRUE;          break;
+ 
+@@ -604,17 +631,22 @@ int main(int argc, char **argv)
+ 
+ 	  case 'v': verbose++;	 			break;
+ 
+-	  case 'r': renegotiationsToDo = atoi(optstate->value);	break;
+-
+-          case 'w':
+-                pwdata.source = PW_PLAINTEXT;
+-		pwdata.data = PORT_Strdup(optstate->value);
+-		break;
+-
+-          case 'W':
+-                pwdata.source = PW_FROMFILE;
+-                pwdata.data = PORT_Strdup(optstate->value);
+-                break;
++	  case 'r':
++	      REQUIRE_ARG(optstate->option,optstate->value);
++          renegotiationsToDo = atoi(optstate->value);
++          break;
++
++      case 'w':
++          REQUIRE_ARG(optstate->option,optstate->value);
++          pwdata.source = PW_PLAINTEXT;
++          pwdata.data = PORT_Strdup(optstate->value);
++          break;
++
++      case 'W':
++          REQUIRE_ARG(optstate->option,optstate->value);
++          pwdata.source = PW_FROMFILE;
++          pwdata.data = PORT_Strdup(optstate->value);
++          break;
+ 
+ 	  case 'x': useExportPolicy = 1; 		break;
+ 
+Index: ./mozilla/security/nss/cmd/vfychain/vfychain.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v
+retrieving revision 1.30
+diff -u -p -r1.30 vfychain.c
+--- ./mozilla/security/nss/cmd/vfychain/vfychain.c	1 Apr 2009 20:41:29 -0000	1.30
++++ ./mozilla/security/nss/cmd/vfychain/vfychain.c	2 Mar 2010 18:29:52 -0000
+@@ -432,6 +432,15 @@ isOCSPEnabled()
+     return PR_FALSE;
+ }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char *argv[], char *envp[])
+ {
+@@ -469,12 +478,19 @@ main(int argc, char *argv[], char *envp[
+ 	switch(optstate->option) {
+ 	case  0  : /* positional parameter */  goto breakout;
+ 	case 'a' : isAscii  = PR_TRUE;                        break;
+-	case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
+-	           if (secStatus != SECSuccess) Usage(progName); break;
+-	case 'd' : certDir  = PL_strdup(optstate->value);     break;
++	case 'b' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           secStatus = DER_AsciiToTime(&time, optstate->value);
++	           if (secStatus != SECSuccess) Usage(progName);
++	           break;
++	case 'd' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           certDir  = PL_strdup(optstate->value);
++	           break;
+ 	case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE;  break;
+ 	case 'f' : certFetching = PR_TRUE;                    break;
+ 	case 'g' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    if (revMethodsData[revDataIndex].testTypeStr ||
+                        revMethodsData[revDataIndex].methodTypeStr) {
+                        revDataIndex += 1;
+@@ -489,11 +505,13 @@ main(int argc, char *argv[], char *envp[
+                    revMethodsData[revDataIndex].
+                        testTypeStr = PL_strdup(optstate->value); break;
+ 	case 'h' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    revMethodsData[revDataIndex].
+                        testFlagsStr = PL_strdup(optstate->value);break;
+         case 'i' : vfyCounts = PORT_Atoi(optstate->value);       break;
+                    break;
+ 	case 'm' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    if (revMethodsData[revDataIndex].methodTypeStr) {
+                        revDataIndex += 1;
+                        if (revDataIndex == REV_METHOD_INDEX_MAX) {
+@@ -506,24 +524,33 @@ main(int argc, char *argv[], char *envp[
+                    useDefaultRevFlags = PR_FALSE;
+                    revMethodsData[revDataIndex].
+                        methodTypeStr = PL_strdup(optstate->value); break;
+-	case 'o' : oidStr = PL_strdup(optstate->value);       break;
++	case 'o' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
++	           oidStr = PL_strdup(optstate->value);
++	           break;
+ 	case 'p' : usePkix += 1;                              break;
+ 	case 'r' : isAscii  = PR_FALSE;                       break;
+ 	case 's' : 
++	           REQUIRE_ARG(optstate->option, optstate->value);
+                    revMethodsData[revDataIndex].
+-                       methodFlagsStr = PL_strdup(optstate->value); break;
++                       methodFlagsStr = PL_strdup(optstate->value);
++	           break;
+ 	case 't' : trusted  = PR_TRUE;                        break;
+-	case 'u' : usage    = PORT_Atoi(optstate->value);
++	case 'u' : 
++	           REQUIRE_ARG(optstate->option,optstate->value);
++	           usage    = PORT_Atoi(optstate->value);
+ 	           if (usage < 0 || usage > 62) Usage(progName);
+ 		   certUsage = ((SECCertificateUsage)1) << usage; 
+ 		   if (certUsage > certificateUsageHighest) Usage(progName);
+ 		   break;
+         case 'w':
++	          REQUIRE_ARG(optstate->option,optstate->value);
+                   pwdata.source = PW_PLAINTEXT;
+                   pwdata.data = PORT_Strdup(optstate->value);
+                   break;
+ 
+         case 'W':
++	          REQUIRE_ARG(optstate->option, optstate->value);
+                   pwdata.source = PW_FROMFILE;
+                   pwdata.data = PORT_Strdup(optstate->value);
+                   break;
+Index: ./mozilla/security/nss/cmd/vfyserv/vfyserv.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/vfyserv/vfyserv.c,v
+retrieving revision 1.17
+diff -u -p -r1.17 vfyserv.c
+--- ./mozilla/security/nss/cmd/vfyserv/vfyserv.c	8 Aug 2008 23:48:12 -0000	1.17
++++ ./mozilla/security/nss/cmd/vfyserv/vfyserv.c	2 Mar 2010 18:29:52 -0000
+@@ -419,6 +419,15 @@ client_main(unsigned short      port, 
+ 	Usage(progName); \
+     }
+ 
++static void
++PrintMsgAndExit(const char *progName, char opt)
++{
++    fprintf(stderr, "%s: option -%c requires argument\n", progName, opt);
++    Usage(progName);	
++}
++
++#define REQUIRE_ARG(opt,value) if (!(value)) PrintMsgAndExit(progName, opt)
++
+ int
+ main(int argc, char **argv)
+ {
+@@ -442,23 +451,43 @@ main(int argc, char **argv)
+ 	optstate = PL_CreateOptState(argc, argv, "C:cd:f:l:n:p:ot:w:");
+ 	while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+ 		switch(optstate->option) {
+-		case 'C' : cipherString = PL_strdup(optstate->value); break;
+- 		case 'c' : dumpChain = PR_TRUE;                       break;
+-		case 'd' : certDir = PL_strdup(optstate->value);      break;
+-		case 'l' : respUrl = PL_strdup(optstate->value);      break;
+-		case 'p' : port = PORT_Atoi(optstate->value);         break;
+-		case 'o' : doOcspCheck = PR_TRUE;                     break;
+-		case 't' : respCertName = PL_strdup(optstate->value); break;
+-                case 'w':
++		case 'C' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           cipherString = PL_strdup(optstate->value);
++                           break;
++ 		case 'c' : dumpChain = PR_TRUE;
++                           break;
++		case 'd' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           certDir = PL_strdup(optstate->value);
++                           break;
++		case 'l' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           respUrl = PL_strdup(optstate->value);
++                           break;
++		case 'p' : 
++                           REQUIRE_ARG(optstate->option,optstate->value);
++                           port = PORT_Atoi(optstate->value);
++                           break;
++		case 'o' : doOcspCheck = PR_TRUE;
++                           break;
++		case 't' : 
++                           REQUIRE_ARG(optstate->option, optstate->value);
++                           respCertName = PL_strdup(optstate->value);
++                           break;
++                case 'w' :
++                           REQUIRE_ARG(optstate->option, optstate->value);
+                            pwdata.source = PW_PLAINTEXT;
+                            pwdata.data = PORT_Strdup(optstate->value);
+                            break;
+-
+                 case 'f':
++                           REQUIRE_ARG(optstate->option, optstate->value);
+                            pwdata.source = PW_FROMFILE;
+                            pwdata.data = PORT_Strdup(optstate->value);
+                            break;
+-		case '\0': hostName = PL_strdup(optstate->value);     break;
++		case '\0': 
++                           REQUIRE_ARG(optstate->option,optstate->value);
++                           hostName = PL_strdup(optstate->value);     break;
+ 		default  : Usage(progName);
+ 		}
+ 	}