Merge branch 'f20' into private_pem_cleanup

- Remove unneeded global declarations
- Remove extrenal declarations, keep the ones in ckpem.h
- Rename some globals: gobj -> pem_objs ...

.gitignore

@@ -7,45 +7,5 @@ PayPalEE.cert
 TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
-/PayPalRootCA.cert
-/PayPalICA.cert
-/nss-3.25.0.tar.gz
-/nss-3.26.0.tar.gz
-/nss-3.27.0.tar.gz
-/nss-3.27.2.tar.gz
-/nss-3.28.1.tar.gz
-/nss-3.29.0.tar.gz
-/nss-3.29.1.tar.gz
-/nss-3.30.0.tar.gz
-/nss-3.30.2.tar.gz
-/nss-3.31.0.tar.gz
-/nss-3.32.0.tar.gz
-/nss-3.32.1.tar.gz
-/nss-3.33.0.tar.gz
-/nss-3.34.0.tar.gz
-/nss-3.35.0.tar.gz
-/nss-3.36.0.tar.gz
-/nss-3.36.1.tar.gz
-/nss-3.37.1.tar.gz
-/nss-3.37.3.tar.gz
-/nss-3.38.0.tar.gz
-/nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz
+/nss-pem-20130828.tar.bz2
+/nss-3.15.3.1.tar.gz

0001-sync-up-with-upstream-softokn-changes.patch

@@ -0,0 +1,406 @@
+From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
+From: Elio Maldonado <emaldona@redhat.com>
+Date: Sat, 9 Feb 2013 17:11:00 -0500
+Subject: [PATCH] Sync up with upstream softokn changes
+
+- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
+- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
+- It now compiles with the NSS_3_14_3_BETA1 source
+---
+ mozilla/security/nss/lib/ckfw/pem/rsawrapr.c |  338 +++++++-------------------
+ 1 files changed, 82 insertions(+), 256 deletions(-)
+
+diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
+index 5ac4f39..3780d30 100644
+--- a/nss/lib/ckfw/pem/rsawrapr.c
++++ b/nss/lib/ckfw/pem/rsawrapr.c
+@@ -46,6 +46,7 @@
+ #include "sechash.h"
+ #include "base.h"
+ 
++#include "lowkeyi.h"
+ #include "secerr.h"
+ 
+ #define RSA_BLOCK_MIN_PAD_LEN		8
+@@ -54,9 +55,8 @@
+ #define RSA_BLOCK_PRIVATE_PAD_OCTET	0xff
+ #define RSA_BLOCK_AFTER_PAD_OCTET	0x00
+ 
+-#define OAEP_SALT_LEN		8
+-#define OAEP_PAD_LEN		8
+-#define OAEP_PAD_OCTET		0x00
++/* Needed for RSA-PSS functions */
++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+ 
+ #define FLAT_BUFSIZE 512        /* bytes to hold flattened SHA1Context. */
+ 
+@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+     return 0;
+ }
+ 
+-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
+-{
+-    SHA1Context *clone = NULL;
+-    unsigned char *pBuf;
+-    int sha1ContextSize = SHA1_FlattenSize(original);
+-    SECStatus frv;
+-    unsigned char buf[FLAT_BUFSIZE];
+-
+-    PORT_Assert(sizeof buf >= sha1ContextSize);
+-    if (sizeof buf >= sha1ContextSize) {
+-        pBuf = buf;
+-    } else {
+-        pBuf = nss_ZAlloc(NULL, sha1ContextSize);
+-        if (!pBuf)
+-            goto done;
+-    }
+-
+-    frv = SHA1_Flatten(original, pBuf);
+-    if (frv == SECSuccess) {
+-        clone = SHA1_Resurrect(pBuf, NULL);
+-        memset(pBuf, 0, sha1ContextSize);
+-    }
+-  done:
+-    if (pBuf != buf)
+-        nss_ZFreeIf(pBuf);
+-    return clone;
++/* Constant time comparison of a single byte.
++ * Returns 1 iff a == b, otherwise returns 0.
++ * Note: For ranges of bytes, use constantTimeCompare.
++ */
++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
++    unsigned char c = ~(a - b | b - a);
++    c >>= 7;
++    return c;
+ }
+ 
+-/*
+- * Modify data by XORing it with a special hash of salt.
++/* Constant time comparison of a range of bytes.
++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
++ * returns 0.
+  */
+-static SECStatus
+-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+-                 unsigned char *salt, unsigned int saltlen)
+-{
+-    SHA1Context *sha1cx;
+-    unsigned char *dp, *dataend;
+-    unsigned char end_octet;
+-
+-    sha1cx = SHA1_NewContext();
+-    if (sha1cx == NULL) {
+-        return SECFailure;
+-    }
+-
+-    /*
+-     * Get a hash of salt started; we will use it several times,
+-     * adding in a different end octet (x00, x01, x02, ...).
+-     */
+-    SHA1_Begin(sha1cx);
+-    SHA1_Update(sha1cx, salt, saltlen);
+-    end_octet = 0;
+-
+-    dp = data;
+-    dataend = data + datalen;
+-
+-    while (dp < dataend) {
+-        SHA1Context *sha1cx_h1;
+-        unsigned int sha1len, sha1off;
+-        unsigned char sha1[SHA1_LENGTH];
+-
+-        /*
+-         * Create hash of (salt || end_octet)
+-         */
+-        sha1cx_h1 = SHA1_CloneContext(sha1cx);
+-        SHA1_Update(sha1cx_h1, &end_octet, 1);
+-        SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+-        SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
+-        PORT_Assert(sha1len == SHA1_LENGTH);
+-
+-        /*
+-         * XOR that hash with the data.
+-         * When we have fewer than SHA1_LENGTH octets of data
+-         * left to xor, use just the low-order ones of the hash.
+-         */
+-        sha1off = 0;
+-        if ((dataend - dp) < SHA1_LENGTH)
+-            sha1off = SHA1_LENGTH - (dataend - dp);
+-        while (sha1off < SHA1_LENGTH)
+-            *dp++ ^= sha1[sha1off++];
+-
+-        /*
+-         * Bump for next hash chunk.
+-         */
+-        end_octet++;
+-    }
+-
+-    SHA1_DestroyContext(sha1cx, PR_TRUE);
+-    return SECSuccess;
++static unsigned char constantTimeCompare(const unsigned char *a,
++                                         const unsigned char *b,
++                                         unsigned int len) {
++    unsigned char tmp = 0;
++    unsigned int i;
++    for (i = 0; i < len; ++i, ++a, ++b)
++        tmp |= *a ^ *b;
++    return constantTimeEQ8(0x00, tmp);
+ }
+ 
+-/*
+- * Modify salt by XORing it with a special hash of data.
++/* Constant time conditional.
++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
++ * not 0 or 1.
+  */
+-static SECStatus
+-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+-                 unsigned char *data, unsigned int datalen)
++static unsigned int constantTimeCondition(unsigned int c,
++                                          unsigned int a,
++                                          unsigned int b)
+ {
+-    unsigned char sha1[SHA1_LENGTH];
+-    unsigned char *psalt, *psha1, *saltend;
+-    SECStatus rv;
+-
+-    /*
+-     * Create a hash of data.
+-     */
+-    rv = SHA1_HashBuf(sha1, data, datalen);
+-    if (rv != SECSuccess) {
+-        return rv;
+-    }
+-
+-    /*
+-     * XOR the low-order octets of that hash with salt.
+-     */
+-    PORT_Assert(saltlen <= SHA1_LENGTH);
+-    saltend = salt + saltlen;
+-    psalt = salt;
+-    psha1 = sha1 + SHA1_LENGTH - saltlen;
+-    while (psalt < saltend) {
+-        *psalt++ ^= *psha1++;
+-    }
+-
+-    return SECSuccess;
++    return (~(c - 1) & a) | ((c - 1) & b);
+ }
+ 
+ /*
+@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+     unsigned char *block;
+     unsigned char *bp;
+     int padLen;
+-    int i;
++    int i, j;
+     SECStatus rv;
+ 
+     block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
+@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+          */
+     case RSA_BlockPublic:
+ 
+-        /*
+-         * 0x00 || BT || Pad || 0x00 || ActualData
+-         *   1      1   padLen    1      data->len
+-         * Pad is all non-zero random bytes.
+-         */
+-        padLen = modulusLen - data->len - 3;
+-        PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+-        if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+-            nss_ZFreeIf(block);
+-            return NULL;
+-        }
+-        for (i = 0; i < padLen; i++) {
+-            /* Pad with non-zero random data. */
+-            do {
+-                rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+-            } while (rv == SECSuccess
+-                     && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+-            if (rv != SECSuccess) {
+-                nss_ZFreeIf(block);
+-                return NULL;
+-            }
+-        }
+-        bp += padLen;
+-        *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+-        nsslibc_memcpy(bp, data->data, data->len);
+-
+-        break;
+-
+-        /*
+-         * Blocks intended for public-key operation, using
+-         * Optimal Asymmetric Encryption Padding (OAEP).
+-         */
+-    case RSA_BlockOAEP:
+-        /*
+-         * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+-         *   1      1     OAEP_SALT_LEN     OAEP_PAD_LEN + data->len [+ N]
+-         *
+-         * where:
+-         *   PaddedData is "Pad1 || ActualData [|| Pad2]"
+-         *   Salt is random data.
+-         *   Pad1 is all zeros.
+-         *   Pad2, if present, is random data.
+-         *   (The "modified" fields are all the same length as the original
+-         * unmodified values; they are just xor'd with other values.)
+-         *
+-         *   Modified1 is an XOR of PaddedData with a special octet
+-         * string constructed of iterated hashing of Salt (see below).
+-         *   Modified2 is an XOR of Salt with the low-order octets of
+-         * the hash of Modified1 (see farther below ;-).
+-         *
+-         * Whew!
+-         */
+-
+-
+-        /*
+-         * Salt
+-         */
+-        rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+-        if (rv != SECSuccess) {
+-            nss_ZFreeIf(block);
+-            return NULL;
+-        }
+-        bp += OAEP_SALT_LEN;
+-
+-        /*
+-         * Pad1
+-         */
+-        nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+-        bp += OAEP_PAD_LEN;
+-
+-        /*
+-         * Data
+-         */
+-        nsslibc_memcpy(bp, data->data, data->len);
+-        bp += data->len;
+-
+-        /*
+-         * Pad2
+-         */
+-        if (bp < (block + modulusLen)) {
+-            rv = RNG_GenerateGlobalRandomBytes(bp,
+-                                               block - bp + modulusLen);
+-            if (rv != SECSuccess) {
+-                nss_ZFreeIf(block);
+-                return NULL;
+-            }
+-        }
+-
+-        /*
+-         * Now we have the following:
+-         * 0x00 || BT || Salt || PaddedData
+-         * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+-         * as the one entity PaddedData.)
+-         *
+-         * We need to turn PaddedData into Modified1.
+-         */
+-        if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+-                             modulusLen - 2 - OAEP_SALT_LEN,
+-                             block + 2, OAEP_SALT_LEN) != SECSuccess) {
+-            nss_ZFreeIf(block);
+-            return NULL;
+-        }
+-
+-        /*
+-         * Now we have:
+-         * 0x00 || BT || Salt || Modified1(PaddedData)
+-         *
+-         * The remaining task is to turn Salt into Modified2.
+-         */
+-        if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+-                             block + 2 + OAEP_SALT_LEN,
+-                             modulusLen - 2 - OAEP_SALT_LEN) !=
+-            SECSuccess) {
+-            nss_ZFreeIf(block);
+-            return NULL;
+-        }
+-
+-        break;
++	/*
++	 * 0x00 || BT || Pad || 0x00 || ActualData
++	 *   1      1   padLen    1      data->len
++	 * Pad is all non-zero random bytes.
++	 *
++	 * Build the block left to right.
++	 * Fill the entire block from Pad to the end with random bytes.
++	 * Use the bytes after Pad as a supply of extra random bytes from 
++	 * which to find replacements for the zero bytes in Pad.
++	 * If we need more than that, refill the bytes after Pad with 
++	 * new random bytes as necessary.
++	 */
++	padLen = modulusLen - (data->len + 3);
++	PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
++	if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
++	    nss_ZFreeIf (block);
++	    return NULL;
++	}
++	j = modulusLen - 2;
++	rv = RNG_GenerateGlobalRandomBytes(bp, j);
++	if (rv == SECSuccess) {
++	    for (i = 0; i < padLen; ) {
++		unsigned char repl;
++		/* Pad with non-zero random data. */
++		if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
++		    ++i;
++		    continue;
++		}
++		if (j <= padLen) {
++		    rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
++					  modulusLen - (2 + padLen));
++		    if (rv != SECSuccess)
++		    	break;
++		    j = modulusLen - 2;
++		}
++		do {
++		    repl = bp[--j];
++		} while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
++		if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
++		    bp[i++] = repl;
++		}
++	    }
++	}
++	if (rv != SECSuccess) {
++	    /*sftk_fatalError = PR_TRUE;*/
++	    nss_ZFreeIf (block);
++	    return NULL;
++	}
++	bp += padLen;
++	*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
++	nsslibc_memcpy(bp, data->data, data->len);
++	break;
+ 
+     default:
+         PORT_Assert(0);
+@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
+ 
+         break;
+ 
+-    case RSA_BlockOAEP:
+-        /*
+-         * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+-         *
+-         * The "2" below is the first octet + the second octet.
+-         * (The other fields do not contain the clear values, but are
+-         * the same length as the clear values.)
+-         */
+-        PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+-                                                + OAEP_PAD_LEN)));
+-
+-        result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+-        if (result->data == NULL) {
+-            result->len = 0;
+-            return SECFailure;
+-        }
+-        result->len = modulusLen;
+-
+-        break;
+-
+     case RSA_BlockRaw:
+         /*
+          * Pad || ActualData
+-- 
+1.7.1
+

Bug-896651-pem-dont-trash-keys-on-failed-login.patch

@@ -0,0 +1,44 @@
+--- nss/lib/ckfw/pem/psession.c
++++ nss/lib/ckfw/pem/psession.c
+@@ -230,6 +230,7 @@ pem_mdSession_Login
+     unsigned int len = 0;
+     NSSLOWKEYPrivateKey *lpk = NULL;
+     PLArenaPool *arena;
++    SECItem plain;
+     int i;
+ 
+     fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
+@@ -306,23 +321,27 @@ pem_mdSession_Login
+     lpk->keyType = NSSLOWKEYRSAKey;
+     prepare_low_rsa_priv_key_for_asn1(lpk);
+ 
+-    nss_ZFreeIf(io->u.key.key.privateKey->data);
+-    io->u.key.key.privateKey->len = len - output[len - 1];
+-    io->u.key.key.privateKey->data =
+-        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+-    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+ 
+     /* Decode the resulting blob and see if it is a decodable DER that fits
+      * our private key template. If so we declare success and move on. If not
+      * then we return an error.
+      */
++    memset(&plain, 0, sizeof(plain));
++    plain.data = output;
++    plain.len = len - output[len - 1];
+     rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+-                                io->u.key.key.privateKey);
++                                &plain);
+     pem_DestroyPrivateKey(lpk);
+     arena = NULL;
+     if (rv != SECSuccess)
+         goto loser;
+ 
++    nss_ZFreeIf(io->u.key.key.privateKey->data);
++    io->u.key.key.privateKey->len = len - output[len - 1];
++    io->u.key.key.privateKey->data =
++        (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
++    memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
++
+     rv = CKR_OK;
+ 
+   loser:

STAGE2-nss

@@ -1,68 +0,0 @@
-#requires nspr
-#requires perl
-#requires nss-util
-#requires nss-softokn
-
-mcd $BUILDDIR/nss
-
-export BUILD_OPT=1
-export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
-export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
-export NSPR_INCLUDE_DIR=/usr/include/nspr
-export NSPR_LIB_DIR=/usr/lib${SUFFIX}
-export NSS_USE_SYSTEM_SQLITE=1
-export NSS_BUILD_WITHOUT_SOFTOKEN=1
-export USE_SYSTEM_SOFTOKEN=1
-export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
-export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
-export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
-export USE_SYSTEM_NSSUTIL=1
-export FREEBL_INCLUDE_DIR=/usr/include/nss3
-export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
-export USE_SYSTEM_FREEBL=1
-export NSS_USE_SYSTEM_FREEBL=1
-export FREEBL_NO_DEPEND=1
-export IN_TREE_FREEBL_HEADERS_FIRST=1
-export NSS_BLTEST_NOT_AVAILABLE=1
-export NSS_NO_SSL2_NO_EXPORT=1
-export NSS_ECC_MORE_THAN_SUITE_B=1
-export NSS_NO_PKCS11_BYPASS=1
-#export NSDISTMODE="copy"
-
-if [ "$SUFFIX" = "64" ]; then
-  USE_64=1
-  export USE_64
-fi
-
-(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
-
-make -C $SRC/nss-3.*/nss/coreconf
-make -C $SRC/nss-3.*/nss/lib/dbm
-
-# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
-# need nss/verref.h which is exported privately, move it to where it can be found.
-(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
-
-make -C $SRC/nss-3.*/nss
-cd $SRC/nss-3.*/nss/coreconf
-make install
-cd $SRC/nss-3.*/nss/lib/dbm
-make install
-cd $SRC/nss-3.*/nss
-make install
-# Copy the binary libraries we want
-NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
-# BOZO: temporarily disable FIPS140 support
-#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
-NSSLIBCHKS=""
-# END BOZO
-cd $SRC/nss-3.*
-for file in $NSSLIBS $NSSLIBCHKS
-do
-  install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
-done
-# Copy the include files we want
-for file in $SRC/nss-*/dist/public/nss/*.h
-do
-  install -p -m 644 $file /usr/include/nss3/
-done

add-relro-linker-option.patch

@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS	+= -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 

certutil_keyOpFlagsFix.patch

@@ -0,0 +1,24 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -655,18 +655,18 @@ of the attribute codes:
+ 
+       <varlistentry>
+         <term>--keyAttrFlags attrflags</term>
+         <listitem><para>
+ PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>--keyFlagsOn opflags</term>
+-        <term>--keyFlagsOff opflags</term>
++        <term>--keyOpFlagsOn opflags</term>
++        <term>--keyOpFlagsOff opflags</term>
+         <listitem><para>
+ PKCS #11 key Operation Flags.
+ Comma separated list of one or more of the following:
+ {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
+           </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>

disable-ocsp-stapling-tests.patch

@@ -0,0 +1,9 @@
+diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
+--- nss/tests/ocsp/ocsp.sh.skipoutbound	2013-04-24 18:04:30.203307355 -0700
++++ nss/tests/ocsp/ocsp.sh	2013-04-24 18:06:27.967176794 -0700
+@@ -115,4 +115,4 @@ ocsp_stapling()
+ ################## main #################################################
+ ocsp_init
+ ocsp_iopr_run
+-ocsp_stapling
++#ocsp_stapling

document-certutil-email-option.patch

@@ -0,0 +1,25 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -204,16 +204,21 @@ If this option is not used, the validity
+       </varlistentry>
+ 
+       <varlistentry>
+         <term>-e </term>
+         <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>--email email-address</term>
++        <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-f password-file</term>
+         <listitem><para>Specify a file that will automatically supply the password to include in a certificate 
+  or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent 
+  unauthorized access to this file.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+         <term>-g keysize</term>

dummy-sources-for-testing

@@ -0,0 +1,2 @@
+Dummy source file that we by uploading it lets us verify that nss builds
+do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang.

iquote.patch

@@ -1,13 +1,62 @@
+diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
+--- nss/cmd/bltest/Makefile.iquote	2013-06-27 10:58:08.000000000 -0700
++++ nss/cmd/bltest/Makefile	2013-07-02 15:02:26.656643246 -0700
+@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ 
+ #######################################################################
+diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
+--- nss/cmd/lib/Makefile.iquote	2013-07-02 15:07:47.260622471 -0700
++++ nss/cmd/lib/Makefile	2013-07-02 15:08:47.219179157 -0700
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
 diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
-     SQLITE_LIB_NAME = sqlite3
+--- nss/coreconf/location.mk.iquote	2013-06-27 10:58:08.000000000 -0700
++++ nss/coreconf/location.mk	2013-07-02 15:02:26.656643246 -0700
+@@ -45,6 +45,10 @@ endif
+ 
+ ifdef NSS_INCLUDE_DIR
+     INCLUDES += -I$(NSS_INCLUDE_DIR)
++    ifdef IN_TREE_FREEBL_HEADERS_FIRST
++        INCLUDES += -iquote $(DIST)/../public/nss
++        INCLUDES += -iquote $(DIST)/../private/nss
++    endif
  endif
  
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included
+ ifndef NSS_LIB_DIR
+diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
+--- nss/lib/certhigh/Makefile.iquote	2013-09-27 11:13:55.158689314 -0700
++++ nss/lib/certhigh/Makefile	2013-09-27 11:14:38.181042336 -0700
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
+--- nss/lib/cryptohi/Makefile.iquote	2013-09-27 11:11:30.117494489 -0700
++++ nss/lib/cryptohi/Makefile	2013-09-27 11:12:54.704194915 -0700
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+ 
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #

nss-3.14.0.0-disble-ocsp-test.patch

@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg

nss-539183.patch

@@ -1,62 +1,54 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183	2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/httpserv/httpserv.c	2013-05-30 22:16:46.685373471 -0700
+@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
+     PRStatus	       prStatus;
+     PRNetAddr          addr;
      PRSocketOptionData opt;
++    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
+-    addr.inet.ip     = PR_INADDR_ANY;
+-    addr.inet.port   = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
++	errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
++    if (PR_GetEnv("NSS_USE_SDP")) {
++        socketDomain = PR_AF_INET_SDP;
++    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSockett");
+-	errExit("PR_NewTCPSocket");
++	errExit("PR_OpenTCPSocket error");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183	2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/selfserv/selfserv.c	2013-05-30 22:16:46.688373495 -0700
+@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
+     PRStatus	       prStatus;
+     PRNetAddr          addr;
      PRSocketOptionData opt;
++    PRUint16           socketDomain = PR_AF_INET;
  
 -    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
+-    addr.inet.ip     = PR_INADDR_ANY;
+-    addr.inet.port   = PR_htons(port);
 +    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
++	errExit("PR_SetNetAddr");
 +    }
  
 -    listen_sock = PR_NewTCPSocket();
++    if (PR_GetEnv("NSS_USE_SDP")) {
++        socketDomain = PR_AF_INET_SDP;
++    }
 +    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
      if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
+-	errExit("PR_NewTCPSocket");
 +        errExit("PR_OpenTCPSocket error");
      }
  
      opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-646045.patch

@@ -0,0 +1,34 @@
+diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh
+--- nss/tests/dbtests/dbtests.sh.646045	2013-04-04 13:31:55.000000000 -0700
++++ nss/tests/dbtests/dbtests.sh	2013-04-04 15:57:46.298127149 -0700
+@@ -168,6 +168,9 @@ dbtest_main()
+         cat $RONLY_DIR/* > /dev/null
+     fi
+ 
++    # skipping the next two tests when user is root,
++    # otherwise they would fail due to rooty powers
++    if [[ $EUID -ne 0 ]] then
+     ${BINDIR}/dbtest -d $RONLY_DIR
+     ret=$?
+     if [ $ret -ne 46 ]; then
+@@ -175,6 +178,10 @@ dbtest_main()
+     else
+       html_passed "Dbtest r/w didn't work in an readonly dir $ret" 
+     fi
++    else
++      html_passed "Skipping Dbtest r/w in a readonly dir because user is root" 
++    fi
++    if [[ $EUID -ne 0 ]] then
+     ${BINDIR}/certutil -D -n "TestUser" -d .
+     ret=$?
+     if [ $ret -ne 255 ]; then
+@@ -182,6 +189,9 @@ dbtest_main()
+     else
+         html_passed "Certutil didn't work in an readonly dir $ret"
+     fi
++    else
++      html_passed "Skipping Certutil delete cert in an readonly directory test because user is root" 
++    fi
+     
+     Echo "test opening the database ronly in a readonly directory"
+ 

nss-enable-pem.patch

@@ -0,0 +1,12 @@
+diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
+--- nss/lib/ckfw/manifest.mn.libpem	2013-05-28 14:43:24.000000000 -0700
++++ nss/lib/ckfw/manifest.mn	2013-05-30 22:14:49.247459672 -0700
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../..
+ 
+-DIRS = builtins 
++DIRS = builtins pem
+ 
+ PRIVATE_EXPORTS = \
+ 	ck.h		  \

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-p11-kit.config

@@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-

nss-pem-globals-cleanup.patch

@@ -0,0 +1,424 @@
+diff -up ./nss/lib/ckfw/pem/ckpem.h.cleanup1 ./nss/lib/ckfw/pem/ckpem.h
+--- ./nss/lib/ckfw/pem/ckpem.h.cleanup1	2013-08-28 10:38:15.000000000 -0700
++++ ./nss/lib/ckfw/pem/ckpem.h	2013-12-24 10:58:31.266105990 -0800
+@@ -152,18 +152,14 @@ struct pemTokenStr {
+ };
+ typedef struct pemTokenStr pemToken;
+ 
+-/* our raw object data array */
+-NSS_EXTERN_DATA pemInternalObject nss_pem_data[];
+-NSS_EXTERN_DATA const PRUint32               nss_pem_nObjects;
+-
+-  PRBool          logged_in;
+ 
+ /* our raw object data array */
+-NSS_EXTERN_DATA pemInternalObject nss_pem_data[];
+-NSS_EXTERN_DATA const PRUint32               nss_pem_nObjects;
++NSS_EXTERN_DATA pemInternalObject **pem_objs;
++NSS_EXTERN_DATA int pem_nobjs;
++NSS_EXTERN_DATA PRLock *pem_objsLock;
+ 
+-NSS_EXTERN_DATA pemInternalObject pem_data[];
+-NSS_EXTERN_DATA const PRUint32               pem_nObjects;
++NSS_EXTERN_DATA int token_needsLogin[];
++NSS_EXTERN_DATA const SEC_ASN1Template pem_RSAPrivateKeyTemplate[];
+ 
+ NSS_EXTERN_DATA const CK_VERSION   pem_CryptokiVersion;
+ NSS_EXTERN_DATA const NSSUTF8 *    pem_ManufacturerID;
+diff -up ./nss/lib/ckfw/pem/pfind.c.cleanup1 ./nss/lib/ckfw/pem/pfind.c
+--- ./nss/lib/ckfw/pem/pfind.c.cleanup1	2013-08-28 10:38:15.000000000 -0700
++++ ./nss/lib/ckfw/pem/pfind.c	2013-12-24 10:47:59.190166135 -0800
+@@ -36,6 +36,7 @@
+  * ***** END LICENSE BLOCK ***** */
+ 
+ #include "ckpem.h"
++#include "prlock.h"
+ 
+ /*
+  * pfind.c
+@@ -44,9 +45,6 @@
+  * "PEM objects" cryptoki module.
+  */
+ 
+-NSS_EXTERN_DATA pemInternalObject **gobj;
+-NSS_EXTERN_DATA int pem_nobjs;
+-
+ struct pemFOStr {
+     NSSArena *arena;
+     CK_ULONG n;
+@@ -59,7 +57,8 @@ struct pemFOStr {
+ #define PUT_Object(obj,err) \
+   { \
+     if (count >= size) { \
+-    *listp = *listp ? \
++    pemInternalObject **list; \
++    list = *listp ? \
+                 nss_ZREALLOCARRAY(*listp, pemInternalObject *, \
+                                (size+PEM_ITEM_CHUNK) ) : \
+                 nss_ZNEWARRAY(NULL, pemInternalObject *, \
+@@ -69,6 +68,7 @@ struct pemFOStr {
+         goto loser; \
+       } \
+       size += PEM_ITEM_CHUNK; \
++      *listp = list; \
+     } \
+     (*listp)[ count ] = (obj); \
+     count++; \
+@@ -141,36 +141,6 @@ pem_mdFindObjects_Next
+     return pem_CreateMDObject(arena, io, pError);
+ }
+ 
+-#if 0
+-static int
+-pem_derUnwrapInt(unsigned char *src, int size, unsigned char **dest)
+-{
+-    unsigned char *start = src;
+-    int len = 0;
+-
+-    if (*src++ != 2) {
+-        return 0;
+-    }
+-    len = *src++;
+-    if (len & 0x80) {
+-        int count = len & 0x7f;
+-        len = 0;
+-
+-        if (count + 2 > size) {
+-            return 0;
+-        }
+-        while (count-- > 0) {
+-            len = (len << 8) | *src++;
+-        }
+-    }
+-    if (len + (src - start) != size) {
+-        return 0;
+-    }
+-    *dest = src;
+-    return len;
+-}
+-#endif
+-
+ static char * pem_attr_name(CK_ATTRIBUTE_TYPE type) {
+     switch(type) {
+     case CKA_CLASS:
+@@ -321,27 +291,28 @@ collect_objects(CK_ATTRIBUTE_PTR pTempla
+         goto done; /* no other object types we understand in this module */
+     }
+ 
++    PR_Lock(pem_objsLock);
+     /* find objects */
+     for (i = 0; i < pem_nobjs; i++) {
+         int match = 1; /* matches type if type not specified */
+-        if (NULL == gobj[i])
++        if (NULL == pem_objs[i])
+             continue;
+ 
+-        plog("  %d type = %d\n", i, gobj[i]->type);
++        plog("  %d type = %d\n", i, pem_objs[i]->type);
+         if (type != pemAll) {
+             /* type specified - must match given type */
+-            match = (type == gobj[i]->type);
++            match = (type == pem_objs[i]->type);
+         }
+         if (match) {
+-            match = (slotID == gobj[i]->slotID) &&
+-                (CK_TRUE == pem_match(pTemplate, ulAttributeCount, gobj[i]));
++            match = (slotID == pem_objs[i]->slotID) &&
++                (CK_TRUE == pem_match(pTemplate, ulAttributeCount, pem_objs[i]));
+         }
+         if (match) {
+-            pemInternalObject *o = gobj[i];
++            pemInternalObject *o = pem_objs[i];
+             PUT_Object(o, *pError);
+         }
+     }
+-
++    PR_Unlock(pem_objsLock);
+     if (CKR_OK != *pError) {
+         goto loser;
+     }
+diff -up ./nss/lib/ckfw/pem/pinst.c.cleanup1 ./nss/lib/ckfw/pem/pinst.c
+--- ./nss/lib/ckfw/pem/pinst.c.cleanup1	2013-08-28 10:42:56.000000000 -0700
++++ ./nss/lib/ckfw/pem/pinst.c	2013-12-24 10:55:28.283689308 -0800
+@@ -37,6 +37,7 @@
+ #include <stdlib.h>
+ #include "ckpem.h"
+ #include "blapi.h"
++#include "prlock.h"
+ 
+ /*
+  * pinstance.c
+@@ -47,12 +48,12 @@
+ 
+ static PRBool pemInitialized = PR_FALSE;
+ 
+-pemInternalObject **gobj;
++pemInternalObject **pem_objs;
+ int pem_nobjs = 0;
++int pem_objects_capacity = 0;
++PRLock *pem_objsLock;
+ int token_needsLogin[NUM_SLOTS];
+ 
+-PRInt32 size = 0;
+-PRInt32 count = 0;
+ 
+ #define PEM_ITEM_CHUNK  512
+ 
+@@ -357,7 +358,7 @@ LinkSharedKeyObject(int oldKeyIdx, int n
+     int i;
+     for (i = 0; i < pem_nobjs; i++) {
+         CK_RV rv;
+-        const pemInternalObject *obj = gobj[i];
++        pemInternalObject *obj = pem_objs[i];
+         if (NULL == obj)
+             continue;
+ 
+@@ -380,40 +381,50 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
+                   int objid, CK_SLOT_ID slotID)
+ {
+     int i;
++    PRBool found;
+ 
+     /* FIXME: copy-pasted from CreateObject */
+     const char *nickname = strrchr(filename, '/');
++
+     if (nickname && CKO_PRIVATE_KEY != objClass)
+         nickname++;
+     else
+         nickname = filename;
+ 
+-    /* first look for the object in gobj, it might be already there */
+-    for (i = 0; i < pem_nobjs; i++) {
+-        if (NULL == gobj[i])
++    /* first look for the object in pem_objs, it might be already there */
++    PR_Lock(pem_objsLock);
++    found = PR_FALSE;
++    for (i = 0; i < pem_nobjs && !found; i++) {
++        if (NULL == pem_objs[i])
+             continue;
+ 
+         /* Comparing DER encodings is dependable and frees the PEM module
+          * from having to require clients to provide unique nicknames.
+          */
+-        if ((gobj[i]->objClass == objClass)
+-                && (gobj[i]->type == type)
+-                && (gobj[i]->slotID == slotID)
+-                && derEncodingsMatch(objClass, gobj[i], certDER, keyDER)) {
+-
+-            /* While adding a client certificate we (wrongly?) assumed that the
+-             * key object will follow right after the cert object.  However, if
+-             * the key object is shared by multiple client certificates, such
+-             * an assumption does not hold.  We have to update the references.
+-             */
+-            LinkSharedKeyObject(pem_nobjs, i);
+-
+-            plog("AddObjectIfNeeded: re-using internal object #%i\n", i);
+-            gobj[i]->refCount ++;
+-            return gobj[i];
++        if ((pem_objs[i]->objClass == objClass)
++                && (pem_objs[i]->type == type)
++                && (pem_objs[i]->slotID == slotID)
++                && derEncodingsMatch(objClass, pem_objs[i], certDER, keyDER)) {
++
++            found = PR_TRUE;
++            pem_objs[i]->refCount++;
++            break;
+         }
+     }
+ 
++    PR_Unlock(pem_objsLock);
++    if (found) {
++	/* While adding a client certificate we (wrongly?) assumed that the
++	 * key object will follow right after the cert object.  However, if
++	 * the key object is shared by multiple client certificates, such
++	 * an assumption does not hold.  We have to update the references.
++	 */
++	LinkSharedKeyObject(pem_nobjs, i);
++
++	plog("AddObjectIfNeeded: re-using internal object #%i\n", i);
++	return pem_objs[i];
++    }
++
+     /* object not found, we need to create it */
+     pemInternalObject *io = CreateObject(objClass, type, certDER, keyDER,
+                                          filename, objid, slotID);
+@@ -423,25 +434,28 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
+     /* initialize pointers to functions */
+     pem_CreateMDObject(NULL, io, NULL);
+ 
+-    io->gobjIndex = count;
++    io->gobjIndex = pem_nobjs;
+ 
+     /* add object to global array */
+-    if (count >= size) {
+-        gobj = gobj ?
+-            nss_ZREALLOCARRAY(gobj, pemInternalObject *,
+-                    (size+PEM_ITEM_CHUNK) ) :
++    PR_Lock(pem_objsLock);
++
++    if (pem_nobjs >= pem_objects_capacity) {
++        pem_objs = pem_objs ?
++            nss_ZREALLOCARRAY(pem_objs, pemInternalObject *,
++                    (pem_objects_capacity+PEM_ITEM_CHUNK) ) :
+             nss_ZNEWARRAY(NULL, pemInternalObject *,
+-                    (size+PEM_ITEM_CHUNK) ) ;
++                    (pem_objects_capacity+PEM_ITEM_CHUNK) ) ;
+ 
+-        if ((pemInternalObject **)NULL == gobj)
++        if ((pemInternalObject **)NULL == pem_objs)
+             return NULL;
+-        size += PEM_ITEM_CHUNK;
++        pem_objects_capacity += PEM_ITEM_CHUNK;
+     }
+-    gobj[count] = io;
+-    count++;
++    pem_objs[pem_nobjs] = io;
+     pem_nobjs++;
+ 
+     io->refCount ++;
++    PR_Unlock(pem_objsLock);
++
+     return io;
+ }
+ 
+@@ -636,12 +650,10 @@ pem_Finalize
+     if (!pemInitialized)
+         return;
+ 
+-    nss_ZFreeIf(gobj);
+-    gobj = NULL;
++    nss_ZFreeIf(pem_objs);
++    pem_objs = NULL;
+ 
+     pem_nobjs = 0;
+-    size = 0;
+-    count = 0;
+ 
+     PR_AtomicSet(&pemInitialized, PR_FALSE);
+ 
+diff -up ./nss/lib/ckfw/pem/pobject.c.cleanup1 ./nss/lib/ckfw/pem/pobject.c
+--- ./nss/lib/ckfw/pem/pobject.c.cleanup1	2013-08-28 10:38:15.000000000 -0700
++++ ./nss/lib/ckfw/pem/pobject.c	2013-12-24 10:47:59.190166135 -0800
+@@ -36,6 +36,7 @@
+  * ***** END LICENSE BLOCK ***** */
+ 
+ #include "ckpem.h"
++#include "prlock.h"
+ #include "secasn1.h"
+ #include "certt.h"
+ #include "pk11pub.h"
+@@ -47,8 +48,6 @@
+  * "PEM objects" cryptoki module.
+  */
+ 
+-NSS_EXTERN_DATA pemInternalObject **gobj;
+-NSS_EXTERN_DATA int pem_nobjs;
+ NSS_EXTERN_DATA int token_needsLogin[NUM_SLOTS];
+ 
+ #define APPEND_LIST_ITEM(item) do { \
+@@ -631,9 +630,9 @@ pem_DestroyInternalObject
+         break;
+     }
+ 
+-    if (NULL != gobj)
++    if (NULL != pem_objs)
+         /* remove reference to self from the global array */
+-        gobj[io->gobjIndex] = NULL;
++        pem_objs[io->gobjIndex] = NULL;
+ 
+     nss_ZFreeIf(io);
+     return;
+@@ -1167,20 +1166,20 @@ pem_CreateObject
+ 
+         objid = -1;
+         for (i = 0; i < pem_nobjs; i++) {
+-            if (NULL == gobj[i])
++            if (NULL == pem_objs[i])
+                 continue;
+ 
+-            if ((slotID == gobj[i]->slotID) && (gobj[i]->type == pemCert)) {
+-                objid = atoi(gobj[i]->id.data);
++            if ((slotID == pem_objs[i]->slotID) && (pem_objs[i]->type == pemCert)) {
++                objid = atoi(pem_objs[i]->id.data);
+                 certDER.data =
+-                    (void *) nss_ZAlloc(NULL, gobj[i]->derCert->len);
++                    (void *) nss_ZAlloc(NULL, pem_objs[i]->derCert->len);
+ 
+                 if (certDER.data == NULL)
+                     goto loser;
+ 
+-                certDER.len = gobj[i]->derCert->len;
+-                nsslibc_memcpy(certDER.data, gobj[i]->derCert->data,
+-                               gobj[i]->derCert->len);
++                certDER.len = pem_objs[i]->derCert->len;
++                nsslibc_memcpy(certDER.data, pem_objs[i]->derCert->data,
++                               pem_objs[i]->derCert->len);
+             }
+         }
+ 
+diff -up ./nss/lib/ckfw/pem/psession.c.cleanup1 ./nss/lib/ckfw/pem/psession.c
+--- ./nss/lib/ckfw/pem/psession.c.cleanup1	2013-12-24 10:47:59.107165482 -0800
++++ ./nss/lib/ckfw/pem/psession.c	2013-12-24 10:57:08.906467702 -0800
+@@ -40,6 +40,7 @@
+ #include "pk11pub.h"
+ #include "base64.h"
+ #include "blapi.h"
++#include "prlock.h"
+ 
+ /*
+  * psession.c
+@@ -48,10 +49,6 @@
+  * "PEM objects" cryptoki module.
+  */
+ 
+-NSS_EXTERN_DATA pemInternalObject **gobj;
+-NSS_EXTERN_DATA int pem_nobjs;
+-NSS_EXTERN_DATA int token_needsLogin[NUM_SLOTS];
+-NSS_EXTERN_DATA const SEC_ASN1Template pem_RSAPrivateKeyTemplate[];
+ 
+ void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey * key);
+ void pem_DestroyPrivateKey(NSSLOWKEYPrivateKey * privk);
+@@ -188,6 +185,7 @@ pem_mdSession_CopyObject
+         return (NSSCKMDObject *) NULL;
+     }
+ 
++    PR_Lock(pem_objsLock);
+     if (NULL == io->list) {
+         io->refCount ++;
+     } else {
+@@ -200,7 +198,7 @@ pem_mdSession_CopyObject
+     }
+     /* struct (shallow) copy the old one */
+     *rvmdObject = *mdOldObject;
+-
++    PR_Unlock(pem_objsLock);
+     return rvmdObject;
+ }
+ 
+@@ -245,13 +243,15 @@ pem_mdSession_Login
+ 
+     token_needsLogin[slotID - 1] = PR_FALSE;
+ 
++    PR_Lock(pem_objsLock);
++
+     /* Find the right key object */
+     for (i = 0; i < pem_nobjs; i++) {
+-        if (NULL == gobj[i])
++        if (NULL == pem_objs[i])
+             continue;
+ 
+-        if ((slotID == gobj[i]->slotID) && (gobj[i]->type == pemBareKey)) {
+-            io = gobj[i];
++        if ((slotID == pem_objs[i]->slotID) && (pem_objs[i]->type == pemBareKey)) {
++            io = pem_objs[i];
+             break;
+         }
+     }
+@@ -331,6 +331,7 @@ pem_mdSession_Login
+     rv = CKR_OK;
+ 
+   loser:
++    PR_Unlock(pem_objsLock);
+     if (arena)
+         PORT_FreeArena(arena, PR_FALSE);
+     if (iv)

nss-signtool-format.patch

@@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
---- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
---- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
---- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
--        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
---- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
--        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 

nss-skip-bltest-and-fipstest.patch

@@ -0,0 +1,17 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.nobltest	2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/Makefile	2013-06-15 11:51:11.669655168 -0700
+@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
+ DIRS += libpkix
+ endif
+ 
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+ BLTEST_SRCDIR =
+-FIPSTEST_SRCDIR =
+-SHLIBSIGN_SRCDIR =
++FIPSTEST_SRCDIR =
++SHLIBSIGN_SRCDIR = shlibsign
+ else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest

nss-softokn-config.in

@@ -1,116 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	softokn3 - Requires full dynamic linking
-	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
-Dymamically linked
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-softokn`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-softokn`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      echo $libdirs
-fi
-

nss-softokn-dracut-module-setup.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}

nss-softokn-dracut.conf

@@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-SOFTOKN
-Description: Network Security Services Softoken PKCS #11 Module
-Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
-Cflags: -I${includedir}

nss-ssl-enforce-no-pkcs11-bypass.path

@@ -0,0 +1,16 @@
+diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.nobypass	2013-05-30 22:23:37.305583715 -0700
++++ nss/lib/ssl/sslsock.c	2013-05-30 22:23:37.311583762 -0700
+@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo
+ static PRStatus SSL_BypassSetup(void)
+ {
+ #ifdef NO_PKCS11_BYPASS
+-    /* Guarantee binary compatibility */
+-    return PR_SUCCESS;
++    /* No need in our case to guarantee binary compatibility and
++     * we can safely return failure as we have never supported it
++     */
++    return PR_FAILURE;
+ #else
+     return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
+ #endif

nss-util-config.in

@@ -1,118 +0,0 @@
-#!/bin/sh
-
-prefix=@prefix@
-
-major_version=@MOD_MAJOR_VERSION@
-minor_version=@MOD_MINOR_VERSION@
-patch_version=@MOD_PATCH_VERSION@
-
-usage()
-{
-	cat <<EOF
-Usage: nss-util-config [OPTIONS] [LIBRARIES]
-Options:
-	[--prefix[=DIR]]
-	[--exec-prefix[=DIR]]
-	[--includedir[=DIR]]
-	[--libdir[=DIR]]
-	[--version]
-	[--libs]
-	[--cflags]
-Dynamic Libraries:
-	nssutil
-EOF
-	exit $1
-}
-
-if test $# -eq 0; then
-	usage 1 1>&2
-fi
-
-lib_nssutil=yes
-
-while test $# -gt 0; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
-
-  case $1 in
-    --prefix=*)
-      prefix=$optarg
-      ;;
-    --prefix)
-      echo_prefix=yes
-      ;;
-    --exec-prefix=*)
-      exec_prefix=$optarg
-      ;;
-    --exec-prefix)
-      echo_exec_prefix=yes
-      ;;
-    --includedir=*)
-      includedir=$optarg
-      ;;
-    --includedir)
-      echo_includedir=yes
-      ;;
-    --libdir=*)
-      libdir=$optarg
-      ;;
-    --libdir)
-      echo_libdir=yes
-      ;;
-    --version)
-      echo ${major_version}.${minor_version}.${patch_version}
-      ;;
-    --cflags)
-      echo_cflags=yes
-      ;;
-    --libs)
-      echo_libs=yes
-      ;;
-    *)
-      usage 1 1>&2
-      ;;
-  esac
-  shift
-done
-
-# Set variables that may be dependent upon other variables
-if test -z "$exec_prefix"; then
-    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
-fi
-if test -z "$includedir"; then
-    includedir=`pkg-config --variable=includedir nss-util`
-fi
-if test -z "$libdir"; then
-    libdir=`pkg-config --variable=libdir nss-util`
-fi
-
-if test "$echo_prefix" = "yes"; then
-    echo $prefix
-fi
-
-if test "$echo_exec_prefix" = "yes"; then
-    echo $exec_prefix
-fi
-
-if test "$echo_includedir" = "yes"; then
-    echo $includedir
-fi
-
-if test "$echo_libdir" = "yes"; then
-    echo $libdir
-fi
-
-if test "$echo_cflags" = "yes"; then
-    echo -I$includedir
-fi
-
-if test "$echo_libs" = "yes"; then
-      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
-      if test -n "$lib_nssutil"; then
-	libdirs="$libdirs -lnssutil${major_version}"
-      fi
-      echo $libdirs
-fi
-

nss-util.pc.in

@@ -1,11 +0,0 @@
-prefix=%prefix%
-exec_prefix=%exec_prefix%
-libdir=%libdir%
-includedir=%includedir%
-
-Name: NSS-UTIL
-Description: Network Security Services Utility Library
-Version: %NSSUTIL_VERSION%
-Requires: nspr >= %NSPR_VERSION%
-Libs: -L${libdir} -lnssutil3
-Cflags: -I${includedir}

nss-versus-softoken-tests.patch

@@ -0,0 +1,38 @@
+diff -up nss/tests/all.sh.crypto nss/tests/all.sh
+--- nss/tests/all.sh.crypto	2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/all.sh	2013-06-13 12:14:12.741082184 -0700
+@@ -299,9 +299,10 @@ fi
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the 
+ # following test for modutil should check for that instead.
++# Except when building softoken only where shlibsign is the last one built.
++export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
+ 
+-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a  \
+-     ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
++if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
+     echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+     html_head "Testing Initialization"
+     Exit "Checking for build"
+diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
+--- nss/tests/cipher/cipher.sh.crypto	2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/cipher/cipher.sh	2013-06-13 11:58:00.956064976 -0700
+@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
+     return 0
+ fi
+ cipher_init
+-cipher_main
+-cipher_gcm
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
++    echo "Skipping cipher_gcm because this is a softoken only build"
++    cipher_main
++elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
++    echo "Skipping cipher_main because this an nss without softoken build"
++    cipher_gcm
++else
++    # default is to run both
++    cipher_init
++    cipher_main
++    cipher_gcm
++fi
+ cipher_cleanup

nsspem-use-system-freebl.patch

@@ -0,0 +1,80 @@
+diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
+--- nss/lib/ckfw/pem/config.mk.systemfreebl	2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/config.mk	2013-04-04 16:02:33.805744145 -0700
+@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
+ #  are specifed as dependencies within rules.mk.
+ #
+ 
++
++EXTRA_LIBS += \
++	$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
++	$(NULL)
++
+ TARGETS        = $(SHARED_LIBRARY)
+ LIBRARY        =
+ IMPORT_LIBRARY =
+@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
+ MKSHLIB += -R '$$ORIGIN'
+ endif
+ 
++# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
++# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_NSSUTIL
++OS_LIBS += $(NSSUTIL_LIBS)
++else
++NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(NSSUTIL_LIBS)
++endif
++# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
++# FREEBL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_FREEBL
++OS_LIBS += $(FREEBL_LIBS)
++else
++FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(FREEBL_LIBS)
++endif
++
+diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
+--- nss/lib/ckfw/pem/Makefile.systemfreebl	2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/Makefile	2013-04-04 16:02:33.806744154 -0700
+@@ -43,8 +43,7 @@ include config.mk
+ EXTRA_LIBS = \
+ 	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+ 	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+-	$(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+-	$(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
++	$(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ 	$(NULL)
+ 
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+@@ -56,6 +55,9 @@ EXTRA_LIBS += \
+ 	-lplc4 \
+ 	-lplds4 \
+ 	-lnspr4 \
++	-L$(NSSUTIL_LIB_DIR) \
++	-lnssutil3 \
++	-lfreebl3
+ 	$(NULL)
+ else 
+ EXTRA_SHARED_LIBS += \
+@@ -74,6 +76,9 @@ EXTRA_LIBS += \
+ 	-lplc4 \
+ 	-lplds4 \
+ 	-lnspr4 \
++	-L$(NSSUTIL_LIB_DIR) \
++	-lnssutil3 \
++	-lfreebl3 \
+ 	$(NULL)
+ endif
+ 
+diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
+--- nss/lib/ckfw/pem/manifest.mn.systemfreebl	2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/manifest.mn	2013-04-04 16:02:33.807744163 -0700
+@@ -65,4 +65,4 @@ REQUIRES = nspr
+ 
+ LIBRARY_NAME = nsspem
+ 
+-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
++EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

renegotiate-transitional.patch

@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2013-05-30 22:10:54.882675807 -0700
++++ nss/lib/ssl/sslsock.c	2013-05-30 22:12:11.909260024 -0700
+@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
+     PR_FALSE,   /* noLocks            */
+     PR_FALSE,   /* enableSessionTickets */
+     PR_FALSE,   /* enableDeflate      */
+-    2,          /* enableRenegotiation (default: requires extension) */
++    3,          /* enableRenegotiation (default: transitional) */
+     PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
+     PR_TRUE,    /* cbcRandomIV        */

sources

@@ -1,6 +1,11 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
-SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
-SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
+9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
+73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
+691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
+2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+838b7b6e0c3563059f6e77d149666448  PayPalEE.cert
+f998b70c1be25e8bb9f5fdb5d50eb6f2  TestCA.ca.cert
+1b7b6808cd77d5df29bf5bb9e5fac967  TestUser50.cert
+ab0b56dd505a995425c03e5266f7c8d6  TestUser51.cert
+e82dd2b9520f9d0f5d101e7710d59656  nss-pem-20130828.tar.bz2
+1d444fffdb1f890a000003b50295b5aa  nss-3.15.3.1.tar.gz

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd

tests/tests.yml

@@ -1,12 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss

utilwrap-include-templates.patch

@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+