Add support to listsuites to list ciphers allowed by policy

2016-07-08 12:07:05 -07:00
30 changed files with 1193 additions and 1451 deletions
--- a/.gitignore
+++ b/.gitignore
@ -10,42 +10,3 @@ TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
 /nss-3.25.0.tar.gz
-/nss-3.26.0.tar.gz
-/nss-3.27.0.tar.gz
-/nss-3.27.2.tar.gz
-/nss-3.28.1.tar.gz
-/nss-3.29.0.tar.gz
-/nss-3.29.1.tar.gz
-/nss-3.30.0.tar.gz
-/nss-3.30.2.tar.gz
-/nss-3.31.0.tar.gz
-/nss-3.32.0.tar.gz
-/nss-3.32.1.tar.gz
-/nss-3.33.0.tar.gz
-/nss-3.34.0.tar.gz
-/nss-3.35.0.tar.gz
-/nss-3.36.0.tar.gz
-/nss-3.36.1.tar.gz
-/nss-3.37.1.tar.gz
-/nss-3.37.3.tar.gz
-/nss-3.38.0.tar.gz
-/nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz
--- a/add-relro-linker-option.patch
+++ b/add-relro-linker-option.patch
@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS	+= -Wl,-z,relro
+endif
+
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
--- a/iquote.patch
+++ b/iquote.patch
@ -1,13 +1,211 @@
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
-     SQLITE_LIB_NAME = sqlite3
+diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
+--- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../private/nss
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ 
+ #######################################################################
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../private/nss
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+ 
+ #include ../platlibs.mk
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+ 
+ #include ../platlibs.mk
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
+@@ -45,6 +45,10 @@ endif
+ 
+ ifdef NSS_INCLUDE_DIR
+     INCLUDES += -I$(NSS_INCLUDE_DIR)
+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
+        INCLUDES += -iquote $(DIST)/../public/nss
+        INCLUDES += -iquote $(DIST)/../private/nss
+    endif
 endif
 
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included
+ ifndef NSS_LIB_DIR
+diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
+--- ./nss/external_tests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/external_tests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
+--- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/external_tests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
+@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
+--- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
+++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
+@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
+INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
--- a/listsuites-do-queries.patch
+++ b/listsuites-do-queries.patch
@ -0,0 +1,111 @@
+--- ./cmd/listsuites/listsuites.c.do_queries	2016-05-17 00:58:45.000000000 -0700
+++ ./cmd/listsuites/listsuites.c	2016-06-23 09:39:10.563925342 -0700
+@@ -7,19 +7,48 @@
+  *
+  * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
+  */
+ 
+ #include <errno.h>
+ #include <stdio.h>
+ #include "secport.h"
+ #include "ssl.h"
+#include "plgetopt.h"
+#include "secutil.h"
+#include "utilpars.h"
+#include "nspr.h"
+#include "nss.h"
+
+static const char *progName = "listsuites";
+char *ignoreVar;
+
+static char *policy_file_path(char *path)
+{
+    return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
+}
+
+static char *ignore_system_policy_value(char *var)
+{
+    ignoreVar = PR_GetEnvSecure(var);
+    return ignoreVar != NULL ? ignoreVar : "";
+}
+
+void Usage(const char *progName)
+{
+    fprintf(stderr,
+            "\nList cipher suites or parse a policy file or query\n"
+            "Usage: %s [-i policy_file] file to parse (default is list)\n",
+            progName);
+    exit(1);
+}
+
+ 
+ int
+-main(int argc, char **argv)
+list_suites(void)
+ {
+     const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+     int i;
+     int errCount = 0;
+ 
+     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
+ 
+     /* disable all the SSL3 cipher suites */
+@@ -56,8 +85,58 @@
+                 info.effectiveKeyBits, info.macAlgorithmName,
+                 enabled ? "Enabled" : "Disabled",
+                 info.isFIPS ? "FIPS" : "",
+                 info.isExportable ? "Export" : "Domestic",
+                 info.nonStandard ? "nonStandard" : "");
+     }
+     return errCount;
+ }
+
+int
+main(int argc, char **argv)
+{
+    PLOptState *optstate = NULL;
+    PLOptStatus status;
+    SECStatus rv;
+    FILE *inFile;
+    char *ev, *path;
+
+    optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
+    while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
+        switch (optstate->option) {
+            case '?':
+            case 'h':
+                Usage(progName);
+                break;
+            case 'p':
+                path = (char *)optstate->value;
+                fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
+                break;
+            case 'q':
+                ev = (char *)optstate->value;
+                fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
+                break;
+            case 'i':
+                rv = SECSuccess;
+                inFile = fopen(optstate->value, "r");
+                if (!inFile) {
+                    fprintf(stderr,
+                            "%s: unable to open \"%s\" for reading\n",
+                            progName, optstate->value);
+                            return -1;
+                }
+                rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
+                fclose(inFile);
+                return (rv == SECSuccess) ? 0 : 1;
+                break;
+            case 'l':
+            case 'L':
+                return list_suites();
+                break;
+            default:
+                Usage(progName);
+             break;
+        }
+    }
+
+    return 0;
+}
--- a/nss-3.14.0.0-disble-ocsp-test.patch
+++ b/nss-3.14.0.0-disble-ocsp-test.patch
@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
+++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
--- a/nss-539183.patch
+++ b/nss-539183.patch
@ -1,5 +1,5 @@
--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
 getBoundListenSocket(unsigned short port)
 {
@ -29,8 +29,8 @@
     if (prStatus < 0) {
         PR_Close(listen_sock);
         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
 getBoundListenSocket(unsigned short port)
 {
--- a/nss-check-policy-file.patch
+++ b/nss-check-policy-file.patch
@ -0,0 +1,334 @@
+diff --git a/lib/nss/config.mk b/lib/nss/config.mk
+--- a/lib/nss/config.mk
+++ b/lib/nss/config.mk
+@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
+ ifndef NS_USE_GCC
+ # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
+ # but do not put it in the import library.  See bug 142575.
+ DEFINES += -DWIN32_NSS3_DLL_COMPAT
+ DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
+ endif
+ endif
+
+ifdef POLICY_FILE
+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
+endif
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
+@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
+ 
+ /*
+  * see nss_Init for definitions of the various options.
+  *
+  * this function builds a moduleSpec string from the options and previously
+  * set statics (from PKCS11_Configure, for instance), and uses it to kick off
+  * the loading of the various PKCS #11 modules.
+  */
+-static SECStatus
+static SECMODModule *
+ nss_InitModules(const char *configdir, const char *certPrefix, 
+ 		const char *keyPrefix, const char *secmodName, 
+ 		const char *updateDir, const char *updCertPrefix, 
+ 		const char *updKeyPrefix, const char *updateID, 
+ 		const char *updateName, char *configName, char *configStrings,
+ 		PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
+ 		PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
+ 		PRBool isContextInit)
+ {
+-    SECStatus rv = SECFailure;
+    SECMODModule *module = NULL;
+     char *moduleSpec = NULL;
+     char *flags = NULL;
+     char *lconfigdir = NULL;
+     char *lcertPrefix = NULL;
+     char *lkeyPrefix = NULL;
+     char *lsecmodName = NULL;
+     char *lupdateDir = NULL;
+     char *lupdCertPrefix = NULL;
+     char *lupdKeyPrefix = NULL;
+     char *lupdateID = NULL;
+     char *lupdateName = NULL;
+ 
+     if (NSS_InitializePRErrorTable() != SECSuccess) {
+ 	PORT_SetError(SEC_ERROR_NO_MEMORY);
+-	return rv;
+	return NULL;
+     }
+ 
+     flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
+ 					pwRequired, optimizeSpace);
+-    if (flags == NULL) return rv;
+    if (flags == NULL) return NULL;
+ 
+     /*
+      * configdir is double nested, and Windows uses the same character
+      * for file seps as we use for escapes! (sigh).
+      */
+     lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
+     if (lconfigdir == NULL) {
+ 	goto loser;
+@@ -427,24 +427,26 @@ loser:
+     if (lsecmodName) PORT_Free(lsecmodName);
+     if (lupdateDir) PORT_Free(lupdateDir);
+     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
+     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
+     if (lupdateID) PORT_Free(lupdateID);
+     if (lupdateName) PORT_Free(lupdateName);
+ 
+     if (moduleSpec) {
+-	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+ 	PR_smprintf_free(moduleSpec);
+ 	if (module) {
+-	    if (module->loaded) rv=SECSuccess;
+-	    SECMOD_DestroyModule(module);
+	    if (!module->loaded) {
+	        SECMOD_DestroyModule(module);
+		module = NULL;
+	    }
+ 	}
+     }
+-    return rv;
+    return module;
+ }
+ 
+ /*
+  * OK there are now lots of options here, lets go through them all:
+  *
+  * configdir - base directory where all the cert, key, and module datbases live.
+  * certPrefix - prefix added to the beginning of the cert database example: "
+  * 			"https-server1-"
+@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
+ 		 NSSInitContext ** initContextPtr,
+ 		 NSSInitParameters *initParams,
+ 		 PRBool readOnly, PRBool noCertDB, 
+ 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+ 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
+ 		 PRBool allowAlreadyInitializedModules,
+ 		 PRBool dontFinalizeModules)
+ {
+-    SECStatus rv = SECFailure;
+    SECMODModule *parent = NULL;
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
+ 	configStrings = pk11_config_strings;
+ 	configName = pk11_config_name;
+ 	passwordRequired = pk11_password_required;
+     }
+ 
+     /* Skip the module init if we are already initted and we are trying
+      * to init with noCertDB and noModDB */
+     if (!(isReallyInitted && noCertDB && noModDB)) {
+-	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+ 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
+ 		updateName, configName, configStrings, passwordRequired,
+ 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
+ 		(initContextPtr != NULL));
+ 
+-	if (rv != SECSuccess) {
+	if (parent == NULL) {
+ 	    goto loser;
+ 	}
+     }
+ 
+ 
+     /* finish up initialization */
+     if (!isReallyInitted) {
+ 	if (SECOID_Init() != SECSuccess) {
+@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
+ 		     * path. Skip it */
+ 		    dbpath = NULL;
+ 		}
+ 		if (dbpath) {
+ 		    nss_FindExternalRoot(dbpath, secmodName);
+ 		}
+ 	    }
+ 	}
+-
+#ifdef POLICY_FILE
+        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+	    SECMODModule *module = SECMOD_LoadModule(
+		"name=\"Policy File\" "
+		"parameters=\"configdir='sql:" POLICY_PATH "' "
+		"secmod='" POLICY_FILE "' "
+		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+		parent, PR_TRUE); 
+	    if (module) {
+		PRBool isLoaded = module->loaded;
+		SECMOD_DestroyModule(module);
+		if (!isLoaded) {
+		    goto loser;
+		}
+	    }
+	}
+#endif
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 
+ 	if (pkixError != NULL) {
+@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
+     nssIsInInit--;
+     /* now that we are inited, all waiters can move forward */
+     PZ_NotifyAllCondVar(nssInitCondition);
+     PZ_Unlock(nssInitLock);
+ 
+     if (initContextPtr && configStrings) {
+ 	PR_smprintf_free(configStrings);
+     }
+    if (parent) {
+	SECMOD_DestroyModule(parent);
+    }
+ 
+     return SECSuccess;
+ 
+ loser:
+     if (initContextPtr && *initContextPtr) {
+ 	PORT_Free(*initContextPtr);
+ 	*initContextPtr = NULL;
+ 	if (configStrings) {
+ 	   PR_smprintf_free(configStrings);
+ 	}
+     }
+     PZ_Lock(nssInitLock);
+     nssIsInInit--;
+     /* We failed to init, allow one to move forward */
+     PZ_NotifyCondVar(nssInitCondition);
+     PZ_Unlock(nssInitLock);
+    if (parent) {
+	SECMOD_DestroyModule(parent);
+    }
+     return SECFailure;
+ }
+ 
+ 
+ SECStatus
+ NSS_Init(const char *configdir)
+ {
+     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
+@@ -105,16 +105,17 @@ secmod_NewModule(void)
+  *   This  allows system NSS to delegate those changes to the user's module DB, 
+  *   preserving the user's ability to load new PKCS #11 modules (which only 
+  *   affect him), from existing applications like Firefox.
+  */
+ #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
+ 						  *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY   0x08
+ 
+ 
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+  *
+  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
+  *   the internal module (that is, softoken). This bit is the same as the 
+  *   already existing meaning of internal = PR_TRUE. None of the other 
+@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
+     if (mod->isModuleDB) {
+ 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
+ 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
+ 	}
+ 	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ 	}
+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+	}
+ 	/* additional moduleDB flags could be added here in the future */
+ 	mod->isModuleDB = (PRBool) flags;
+     }
+ 
+     if (mod->internal) {
+ 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
+ 
+ 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
+@@ -738,16 +742,24 @@ PRBool
+ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+ {
+    char flags = (char) mod->isModuleDB;
+ 
+    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+   char flags = (char) mod->isModuleDB;
+
+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+    char flags = (char) mod->internal;
+ 
+    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ void
+@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
+     if (library) PORT_Free(library);
+     if (moduleName) PORT_Free(moduleName);
+     if (parameters) PORT_Free(parameters);
+     if (nss) PORT_Free(nss);
+     if (config) PORT_Free(config);
+     if (!module) {
+ 	goto loser;
+     }
+
+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
+     * been parsed as a side effect of the CreateModuleEx call */
+    if (secmod_PolicyOnly(module)) {
+	return module;
+    }
+     if (parent) {
+     	module->parent = SECMOD_ReferenceModule(parent);
+ 	if (module->internal && secmod_IsInternalKeySlot(parent)) {
+ 	    module->internal = parent->internal;
+ 	}
+     }
+ 
+     /* load it */
+diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
+--- a/lib/util/utilpars.c
+++ b/lib/util/utilpars.c
+@@ -1139,17 +1139,18 @@ char *
+ 	*dbType = NSS_DB_TYPE_SQL;
+ 	PORT_Free(*filename);
+ 	*filename = NULL;
+         *rw = PR_FALSE;
+    }
+ 
+    /* only use the renamed secmod for legacy databases */
+    if ((*dbType != NSS_DB_TYPE_LEGACY) && 
+-	(*dbType != NSS_DB_TYPE_MULTIACCESS)) {
+	(*dbType != NSS_DB_TYPE_MULTIACCESS) &&
+	  !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
+ 	secmodName="pkcs11.txt";
+    }
+ 
+    if (noModDB) {
+ 	value = NULL;
+    } else if (lconfigdir && lconfigdir[0] != '\0') {
+ 	value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
+ 			lconfigdir,secmodName);
--- a/nss-conditionally-ignore-system-policy.patch
+++ b/nss-conditionally-ignore-system-policy.patch
@ -0,0 +1,63 @@
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
+@@ -529,16 +529,19 @@
+ {
+     SECMODModule *parent = NULL;
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+    char *ignoreVar;
+#endif
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+   
+     /* make sure our lock and condition variable are initialized one and only
+@@ -678,32 +681,38 @@
+ 		    dbpath = NULL;
+ 		}
+ 		if (dbpath) {
+ 		    nss_FindExternalRoot(dbpath, secmodName);
+ 		}
+ 	    }
+ 	}
+ #ifdef POLICY_FILE
+-        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+	/* Load the system crypo policy file if it exists,
+	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
+	 * variable has been set to 1. */
+	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+ 	    SECMODModule *module = SECMOD_LoadModule(
+ 		"name=\"Policy File\" "
+ 		"parameters=\"configdir='sql:" POLICY_PATH "' "
+ 		"secmod='" POLICY_FILE "' "
+ 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+ 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+-		parent, PR_TRUE); 
+		parent, PR_TRUE);
+ 	    if (module) {
+ 		PRBool isLoaded = module->loaded;
+ 		SECMOD_DestroyModule(module);
+ 		if (!isLoaded) {
+ 		    goto loser;
+ 		}
+ 	    }
+ 	}
+    }
+ #endif
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 
--- a/nss-gcm-param-default-pkcs11v2.patch
+++ b/nss-gcm-param-default-pkcs11v2.patch
@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif
--- a/nss-kremlin-ppc64le.patch
+++ b/nss-kremlin-ppc64le.patch
@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 
--- a/nss-p11-kit.config
+++ b/nss-p11-kit.config
@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-
--- a/nss-signtool-format.patch
+++ b/nss-signtool-format.patch
@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
-            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
-        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
-        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 
--- a/nss-skip-bltest-and-fipstest.patch
+++ b/nss-skip-bltest-and-fipstest.patch
@ -0,0 +1,15 @@
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipem	2016-06-24 10:10:38.143165159 -0700
+++ ./nss/cmd/Makefile	2016-06-24 10:13:08.566457400 -0700
+@@ -17,7 +17,11 @@ endif
+ ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+ BLTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+SHLIBSIGN_SRCDIR = shlibsign
+else
+ SHLIBSIGN_SRCDIR =
+endif
+ else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest
--- a/nss-skip-ecperf.patch
+++ b/nss-skip-ecperf.patch
@ -0,0 +1,11 @@
+diff -up ./cmd/manifest.mn.skip_ecperf ./cmd/manifest.mn
+--- ./cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
+++ ./cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
+@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
+  dbtest \
+  derdump  \
+  digest  \
+- ecperf \
+  httpserv  \
+  listsuites \
+  makepqg  \
--- a/nss-skip-util-gtest.patch
+++ b/nss-skip-util-gtest.patch
@ -0,0 +1,11 @@
+diff -up ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest ./external_tests/manifest.mn
+--- ./external_tests/manifest.mn.skip_util_pk11_ssl_gtest	2016-06-20 10:11:28.000000000 -0700
+++ ./external_tests/manifest.mn	2016-06-26 10:09:55.429858648 -0700
+@@ -9,7 +9,4 @@ DIRS = \
+ 	google_test \
+ 	common \
+ 	der_gtest \
+-	util_gtest \
+-	pk11_gtest \
+-	ssl_gtest \
+ 	$(NULL)
--- a/nss-softokn-config.in
+++ b/nss-softokn-config.in
@ -1,116 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	softokn3 - Requires full dynamic linking
-	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
-Dymamically linked
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-softokn`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-softokn`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      echo $libdirs
-fi
-
--- a/nss-softokn-dracut-module-setup.sh
+++ b/nss-softokn-dracut-module-setup.sh
@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}
--- a/nss-softokn-dracut.conf
+++ b/nss-softokn-dracut.conf
@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "
--- a/nss-softokn.pc.in
+++ b/nss-softokn.pc.in
@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-SOFTOKN
-Description: Network Security Services Softoken PKCS #11 Module
-Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
-Cflags: -I${includedir}
--- a/nss-util-config.in
+++ b/nss-util-config.in
@ -1,118 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-util-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nssutil
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-util`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-util`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi
-
--- a/nss-util.pc.in
+++ b/nss-util.pc.in
@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-UTIL
-Description: Network Security Services Utility Library
-Version: %NSSUTIL_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -L${libdir} -lnssutil3
-Cflags: -I${includedir}
--- a/nss.spec
+++ b/nss.spec
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -0,0 +1,12 @@
+diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
+++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
+@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,              /* noLocks            */
+     PR_FALSE,              /* enableSessionTickets */
+     PR_FALSE,              /* enableDeflate      */
+-    2,                     /* enableRenegotiation (default: requires extension) */
+    3,                     /* enableRenegotiation (default: transitional) */
+     PR_FALSE,              /* requireSafeNegotiation */
+     PR_FALSE,              /* enableFalseStart   */
+     PR_TRUE,               /* cbcRandomIV        */
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
+++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
--- a/12
+++ b/12
@ -1,6 +1,6 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
-SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
-SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
+9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
+73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
+691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
+2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+950263d15d1f055605bfb6e634a1a019  nss-3.25.0.tar.gz
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
+++ b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -1,12 +0,0 @@
---
-# This first play always runs on the local staging system
- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss
--- a/utilwrap-include-templates.patch
+++ b/utilwrap-include-templates.patch
@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
+++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+INCLUDES += -I/usr/include/nss3/templates
+#endif
+
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+