Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled.

Also disable building DBM backend

.cvsignore

@@ -1,7 +0,0 @@
-nss-3.12.5-stripped.tar.bz2
-nss-pem-20091210.tar.bz2
-blank-cert8.db
-blank-key3.db
-blank-secmod.db
-blank-cert9.db
-blank-key4.db

.gitignore

@@ -0,0 +1,51 @@
+blank-cert8.db
+blank-key3.db
+blank-secmod.db
+blank-cert9.db
+blank-key4.db
+PayPalEE.cert
+TestCA.ca.cert
+TestUser50.cert
+TestUser51.cert
+/PayPalRootCA.cert
+/PayPalICA.cert
+/nss-3.25.0.tar.gz
+/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
+/nss-3.27.2.tar.gz
+/nss-3.28.1.tar.gz
+/nss-3.29.0.tar.gz
+/nss-3.29.1.tar.gz
+/nss-3.30.0.tar.gz
+/nss-3.30.2.tar.gz
+/nss-3.31.0.tar.gz
+/nss-3.32.0.tar.gz
+/nss-3.32.1.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz
+/nss-3.37.1.tar.gz
+/nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
+/nss-3.39.tar.gz
+/nss-3.40.1.tar.gz
+/nss-3.41.tar.gz
+/nss-3.42.tar.gz
+/nss-3.42.1.tar.gz
+/nss-3.43.tar.gz
+/nss-3.44.tar.gz
+/nss-3.44.1.tar.gz
+/nss-3.45.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz
+/nss-3.51.1.tar.gz
+/nss-3.52.tar.gz

533125-ammend.patch

@@ -1,23 +0,0 @@
-Index: mozilla/security/nss/lib/ssl/ssl3con.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
-retrieving revision 1.121
-diff -u -p -r1.121 ssl3con.c
---- mozilla/security/nss/lib/ssl/ssl3con.c	12 Nov 2009 05:08:27 -0000	1.121
-+++ mozilla/security/nss/lib/ssl/ssl3con.c	20 Nov 2009 19:36:30 -0000
-@@ -4004,6 +4004,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
- 	PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
- 	return SECFailure;
-     }
-+    /*
-     if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
- 	ssl_GetXmitBufLock(ss);
- 	rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
-@@ -4011,6 +4012,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
- 	PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
- 	return SECFailure;
-     }
-+    */
- 
-     if (sid) {
- 	ss->sec.uncache(sid);

540387.patch

@@ -1,17 +0,0 @@
-diff --git a/mozilla/security/nss/lib/pk11wrap/pk11pars.c b/mozilla/security/nss/lib/pk11wrap/pk11pars.c
-index c36cd25..5855084 100644
---- a/mozilla/security/nss/lib/pk11wrap/pk11pars.c
-+++ b/mozilla/security/nss/lib/pk11wrap/pk11pars.c
-@@ -1134,6 +1134,12 @@ SECMOD_LoadModule(char *modulespec,SECMODModule *parent, PRBool recurse)
- 
- 	    for (; *index; index++) {
- 		SECMODModule *child;
-+		if (0 == PORT_Strcmp(*index, modulespec)) {
-+		    /* avoid trivial infinite recursion */
-+		    PORT_SetError(SEC_ERROR_NO_MODULE);
-+		    rv = SECFailure;
-+		    break;
-+		}
- 		child = SECMOD_LoadModule(*index,module,PR_TRUE);
- 		if (!child) break;
- 		if (child->isCritical && !child->loaded) {

545779.patch

@@ -1,49 +0,0 @@
-Index: mozilla/security/nss/lib/sysinit/nsssysinit.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/sysinit/nsssysinit.c,v
-retrieving revision 1.1
-diff -u -p -r1.1 nsssysinit.c
---- mozilla/security/nss/lib/sysinit/nsssysinit.c	8 Oct 2009 17:08:36 -0000	1.1
-+++ mozilla/security/nss/lib/sysinit/nsssysinit.c	12 Dec 2009 03:34:17 -0000
-@@ -198,11 +198,20 @@ getFIPSMode(void)
-  * the decision making process.
-  *
-  */
-+static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \
-+slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-+askpw=any timeout=30 ] }  ";
-+static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \
-+slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
-+askpw=any timeout=30 ] }  ";
-+
- static char **
- get_list(char *filename, char *stripped_parameters)
- {
-     char **module_list = PORT_ZNewArray(char *, 4);
-     char *userdb;
-+    int isFIPS = getFIPSMode();
-+    const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
-     int next = 0;
- 
-     /* can't get any space */
-@@ -217,8 +226,9 @@ get_list(char *filename, char *stripped_
- 	    "library= "
- 	    "module=\"NSS User database\" "
- 	    "parameters=\"configdir='sql:%s' %s\" "
--	    "NSS=\"flags=internal%s\"", 
--		userdb, stripped_parameters, getFIPSMode() ? ",FIPS" : "");
-+        "NSS=\"%sflags=internal%s\"",
-+        userdb, stripped_parameters, nssflags,
-+        isFIPS ? ",FIPS" : "");
- 
- 	/* now open the user's defined PKCS #11 modules */
- 	/* skip the local user DB entry */
-@@ -235,7 +245,7 @@ get_list(char *filename, char *stripped_
- 	"library= "
- 	"module=\"NSS system database\" "
- 	"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
--	"NSS=\"flags=internal,critical\"",filename);
-+    "NSS=\"%sflags=internal,critical\"",filename, nssDefaultFlags);
- 
-     /* that was the last module */
-     module_list[next] = 0;

546221.patch

@@ -1,85 +0,0 @@
-diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.546221 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.546221	2009-12-19 21:11:06.590930221 -0800
-+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2009-12-19 21:17:29.019931181 -0800
-@@ -37,8 +37,6 @@
- #include "prio.h"
- #include "prprf.h"
- 
--
--
- /*
-  * The following provides a default example for operating systems to set up
-  * and manage applications loading NSS on their OS globally.
-@@ -208,8 +206,8 @@ askpw=any timeout=30 ] }  ";
- static char **
- get_list(char *filename, char *stripped_parameters)
- {
--    char **module_list = PORT_ZNewArray(char *, 4);
--    char *userdb;
-+    char **module_list = PORT_ZNewArray(char *, 5);
-+    char *userdb, *sysdb;
-     int isFIPS = getFIPSMode();
-     const char *nssflags = isFIPS ? nssDefaultFIPSFlags : nssDefaultFlags;
-     int next = 0;
-@@ -219,13 +217,20 @@ get_list(char *filename, char *stripped_
- 	return NULL;
-     }
- 
--    userdb  = getUserDB();
-+    sysdb = getSystemDB();
-+    userdb = getUserDB();
-+
-+    if (sysdb && !strcmp(filename, sysdb))
-+	    filename = NULL;
-+    if (userdb && !strcmp(filename, userdb))
-+	    filename = NULL;
-+
-     if (userdb != NULL) {
- 	/* return a list of databases to open. First the user Database */
- 	module_list[next++] = PR_smprintf(
- 	    "library= "
- 	    "module=\"NSS User database\" "
--	    "parameters=\"configdir='sql:%s' %s\" "
-+	    "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
-         "NSS=\"%sflags=internal%s\"",
-         userdb, stripped_parameters, nssflags,
-         isFIPS ? ",FIPS" : "");
-@@ -238,19 +243,32 @@ get_list(char *filename, char *stripped_
- 	    "parameters=\"configdir='sql:%s' %s\" "
- 	    "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", 
- 		userdb, stripped_parameters);
--   }
-+	}
-+
-+    if (filename && 0 /* This doesn't actually work. If we register
-+			 both this and the sysdb (in either order)
-+			 then only one of them actually shows up */) {
-+	    module_list[next++] = PR_smprintf(
-+	      "library= "
-+	      "module=\"NSS database\" "
-+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
-+	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
-+    }
- 
-     /* now the system database (always read only) */
--    module_list[next++] = PR_smprintf(
--	"library= "
--	"module=\"NSS system database\" "
--	"parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
--    "NSS=\"%sflags=internal,critical\"",filename, nssDefaultFlags);
-+    if (sysdb) {
-+	    module_list[next++] = PR_smprintf(
-+	      "library= "
-+	      "module=\"NSS system database\" "
-+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
-+	      "NSS=\"%sflags=internal,critical\"",sysdb, nssflags);
-+    }
- 
-     /* that was the last module */
-     module_list[next] = 0;
- 
-     PORT_Free(userdb);
-+    PORT_Free(sysdb);
- 
-     return module_list;
- }

547860.patch

@@ -1,109 +0,0 @@
-diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.547860	2010-01-06 17:57:30.722388282 -0800
-+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2010-01-06 18:20:59.713397530 -0800
-@@ -50,6 +50,7 @@
-  */
- 
- #ifdef XP_UNIX
-+#include <unistd.h>
- #include <sys/stat.h>
- #include <sys/types.h>
- 
-@@ -108,12 +109,26 @@ getSystemDB(void) {
-    return PORT_Strdup(NSS_DEFAULT_SYSTEM);
- }
- 
-+static PRBool
-+userIsRoot()
-+{
-+   /* this works for linux and all unixes that we know off
-+	  though it isn't stated as such in POSIX documentation */
-+   return getuid() == 0;
-+}
-+
-+static PRBool
-+userCanModifySystemDB()
-+{
-+   return (access(NSS_DEFAULT_SYSTEM, W_OK) == 0);
-+}
-+
- #else
- #ifdef XP_WIN
- static char *
- getUserDB(void)
- {
--   /* use the registry to find the user's NSS_DIR. if no entry exists, creaate
-+   /* use the registry to find the user's NSS_DIR. if no entry exists, create
-     * one in the users Appdir location */
-    return NULL;
- }
-@@ -121,13 +136,28 @@ getUserDB(void)
- static char *
- getSystemDB(void)
- {
--   /* use the registry to find the system's NSS_DIR. if no entry exists, creaate
-+   /* use the registry to find the system's NSS_DIR. if no entry exists, create
-     * one based on the windows system data area */
-    return NULL;
- }
- 
-+static PRBool
-+userIsRoot()
-+{
-+   /* use the registry to find if the user is the system administrator. */
-+   return PR_FALSE;
-+}
-+
-+static PRBool
-+userCanModifySystemDB()
-+{
-+   /* use the registry to find if the user has administrative privilege 
-+    * to modify the system's nss database. */
-+   return PR_FALSE;
-+}
-+
- #else
--#error "Need to write getUserDB and get SystemDB functions"
-+#error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
- #endif
- #endif
- 
-@@ -225,7 +255,8 @@ get_list(char *filename, char *stripped_
-     if (userdb && !strcmp(filename, userdb))
- 	    filename = NULL;
- 
--    if (userdb != NULL) {
-+    /* Don't open root's user DB */
-+    if (userdb != NULL && !userIsRoot()) {
- 	/* return a list of databases to open. First the user Database */
- 	module_list[next++] = PR_smprintf(
- 	    "library= "
-@@ -245,7 +276,8 @@ get_list(char *filename, char *stripped_
- 		userdb, stripped_parameters);
- 	}
- 
--    if (filename && 0 /* This doesn't actually work. If we register
-+    if (filename && !userIsRoot() && 0
-+		/* This doesn't actually work. If we register
- 			 both this and the sysdb (in either order)
- 			 then only one of them actually shows up */) {
- 	    module_list[next++] = PR_smprintf(
-@@ -255,13 +287,14 @@ get_list(char *filename, char *stripped_
- 	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
-     }
- 
--    /* now the system database (always read only) */
-+    /* now the system database (always read only unless it's root) */
-     if (sysdb) {
--	    module_list[next++] = PR_smprintf(
-+	const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
-+	module_list[next++] = PR_smprintf(
- 	      "library= "
- 	      "module=\"NSS system database\" "
--	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' flags=readonly\" "
--	      "NSS=\"%sflags=internal,critical\"",sysdb, nssflags);
-+	      "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
-+	      "NSS=\"%sflags=internal,critical\"",sysdb, readonly, nssflags);
-     }
- 
-     /* that was the last module */

553638.patch

@@ -1,97 +0,0 @@
-diff -up nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638 nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c
---- nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c.553638	2010-01-25 08:58:42.358325102 -0800
-+++ nss-3.12.5/mozilla/security/nss/lib/sysinit/nsssysinit.c	2010-01-25 09:07:20.028324059 -0800
-@@ -36,6 +36,7 @@
- #include "seccomon.h"
- #include "prio.h"
- #include "prprf.h"
-+#include "plhash.h"
- 
- /*
-  * The following provides a default example for operating systems to set up
-@@ -212,6 +213,25 @@ getFIPSMode(void)
- 
- #define NSS_DEFAULT_FLAGS "flags=readonly"
- 
-+/* configuration flags according to
-+ * https://developer.mozilla.org/en/PKCS11_Module_Specs
-+ * As stated there the slotParams start with a slot name which is a slotID
-+ * Slots 1 through 3 are reserved for the nss internal modules as follows:
-+ * 1 for crypto operations slot non-fips,
-+ * 2 for the key slot, and
-+ * 3 for the crypto operations slot fips
-+ */
-+#define ORDER_FLAGS "trustOrder=75 cipherOrder=100"
-+#define SLOT_FLAGS \
-+	"[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM" \
-+	" askpw=any timeout=30 ]"
-+ 
-+static const char *nssDefaultFlags =
-+	ORDER_FLAGS " slotParams={0x00000001=" SLOT_FLAGS " }  ";
-+
-+static const char *nssDefaultFIPSFlags =
-+	ORDER_FLAGS " slotParams={0x00000003=" SLOT_FLAGS " }  ";
-+
- /*
-  * This function builds the list of databases and modules to load, and sets
-  * their configuration. For the sample we have a fixed set.
-@@ -226,13 +246,6 @@ getFIPSMode(void)
-  * the decision making process.
-  *
-  */
--static const char *nssDefaultFlags = "trustOrder=75 cipherOrder=100 \
--slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
--askpw=any timeout=30 ] }  ";
--static const char *nssDefaultFIPSFlags = "trustOrder=75 cipherOrder=100 \
--slotParams={0x00000003=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM \
--askpw=any timeout=30 ] }  ";
--
- static char **
- get_list(char *filename, char *stripped_parameters)
- {
-@@ -250,11 +263,6 @@ get_list(char *filename, char *stripped_
-     sysdb = getSystemDB();
-     userdb = getUserDB();
- 
--    if (sysdb && !strcmp(filename, sysdb))
--	    filename = NULL;
--    if (userdb && !strcmp(filename, userdb))
--	    filename = NULL;
--
-     /* Don't open root's user DB */
-     if (userdb != NULL && !userIsRoot()) {
- 	/* return a list of databases to open. First the user Database */
-@@ -276,16 +284,29 @@ get_list(char *filename, char *stripped_
- 		userdb, stripped_parameters);
- 	}
- 
--    if (filename && !userIsRoot() && 0
--		/* This doesn't actually work. If we register
--			 both this and the sysdb (in either order)
--			 then only one of them actually shows up */) {
-+#if 0
-+	/* This doesn't actually work. If we register
-+		both this and the sysdb (in either order)
-+		then only one of them actually shows up */
-+
-+    /* Using a NULL filename as a Boolean flag to
-+     * prevent registering both an application-defined
-+     * db and the system db. rhbz #546211.
-+     */
-+    PORT_Assert(filename);
-+    if (sysdb && PL_CompareStrings(filename, sysdb))
-+	    filename = NULL;
-+    else if (userdb && PL_CompareStrings(filename, userdb))
-+	    filename = NULL;
-+
-+    if (filename && !userIsRoot()) {
- 	    module_list[next++] = PR_smprintf(
- 	      "library= "
- 	      "module=\"NSS database\" "
- 	      "parameters=\"configdir='sql:%s' tokenDescription='NSS database sql:%s'\" "
- 	      "NSS=\"%sflags=internal\"",filename, filename, nssflags);
-     }
-+#endif
- 
-     /* now the system database (always read only unless it's root) */
-     if (sysdb) {

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: nss
-# $Id: Makefile,v 1.2 2007/10/15 19:11:25 notting Exp $
-NAME := nss
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

STAGE2-nss

@@ -0,0 +1,68 @@
+#requires nspr
+#requires perl
+#requires nss-util
+#requires nss-softokn
+
+mcd $BUILDDIR/nss
+
+export BUILD_OPT=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export NSPR_INCLUDE_DIR=/usr/include/nspr
+export NSPR_LIB_DIR=/usr/lib${SUFFIX}
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+export USE_SYSTEM_SOFTOKEN=1
+export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
+export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
+export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_NSSUTIL=1
+export FREEBL_INCLUDE_DIR=/usr/include/nss3
+export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
+export USE_SYSTEM_FREEBL=1
+export NSS_USE_SYSTEM_FREEBL=1
+export FREEBL_NO_DEPEND=1
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+export NSS_BLTEST_NOT_AVAILABLE=1
+export NSS_NO_SSL2_NO_EXPORT=1
+export NSS_ECC_MORE_THAN_SUITE_B=1
+export NSS_NO_PKCS11_BYPASS=1
+#export NSDISTMODE="copy"
+
+if [ "$SUFFIX" = "64" ]; then
+  USE_64=1
+  export USE_64
+fi
+
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss/coreconf
+make -C $SRC/nss-3.*/nss/lib/dbm
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/verref.h which is exported privately, move it to where it can be found.
+(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
+
+make -C $SRC/nss-3.*/nss
+cd $SRC/nss-3.*/nss/coreconf
+make install
+cd $SRC/nss-3.*/nss/lib/dbm
+make install
+cd $SRC/nss-3.*/nss
+make install
+# Copy the binary libraries we want
+NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
+# BOZO: temporarily disable FIPS140 support
+#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
+NSSLIBCHKS=""
+# END BOZO
+cd $SRC/nss-3.*
+for file in $NSSLIBS $NSSLIBCHKS
+do
+  install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
+done
+# Copy the include files we want
+for file in $SRC/nss-*/dist/public/nss/*.h
+do
+  install -p -m 644 $file /usr/include/nss3/
+done

cert8.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert8.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>cert8.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cert8.db</refname>
+    <refpurpose>Legacy NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
+  <para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/cert8.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

cert9.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert9.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>cert9.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>cert9.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
+  <para>This certificate database is the sqlite-based shared database with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

iquote.patch

@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
+ endif
+ 
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

key3.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key3.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>key3.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>key3.db</refname>
+    <refpurpose>Legacy NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
+  <para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which  which are the new sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/key3.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

key4.db.xml

@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key4.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>key4.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>key4.db</refname>
+    <refpurpose>NSS certificate database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
+  <para>This key database is the sqlite-based shared database format with support for concurrent access.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/key4.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

nss-539183.patch

@@ -0,0 +1,62 @@
+--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
++    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++        errExit("PR_SetNetAddr");
++    }
+ 
+-    listen_sock = PR_NewTCPSocket();
++    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSockett");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+     PRFileDesc *listen_sock;
+     int listenQueueDepth = 5 + (2 * maxThreads);
+     PRStatus prStatus;
+     PRNetAddr addr;
+     PRSocketOptionData opt;
+ 
+-    addr.inet.family = PR_AF_INET;
+-    addr.inet.ip = PR_INADDR_ANY;
+-    addr.inet.port = PR_htons(port);
++    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++        errExit("PR_SetNetAddr");
++    }
+ 
+-    listen_sock = PR_NewTCPSocket();
++    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+     if (listen_sock == NULL) {
+-        errExit("PR_NewTCPSocket");
++        errExit("PR_OpenTCPSocket error");
+     }
+ 
+     opt.option = PR_SockOpt_Nonblocking;
+     opt.value.non_blocking = PR_FALSE;
+     prStatus = PR_SetSocketOption(listen_sock, &opt);
+     if (prStatus < 0) {
+         PR_Close(listen_sock);
+         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-config.xml

@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nss-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-config</refname>
+    <refpurpose>Return meta information about nss libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+
+    <para><command>nss-config</command> is a shell scrip
+    tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
+
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+    
+      <programlisting>
+        /usr/bin/nss-config --cflags --libs
+      </programlisting>
+
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nss-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

nss-enable-pem.patch

@@ -1,12 +0,0 @@
-diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
---- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem	2008-08-05 16:34:23.000000000 -0700
-+++ ./mozilla/security/nss/lib/ckfw/manifest.mn	2008-08-05 16:34:30.000000000 -0700
-@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
- 
- CORE_DEPTH = ../../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \

nss-gcm-param-default-pkcs11v2.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+ 
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+ 
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif

nss-kremlin-ppc64le.patch

@@ -0,0 +1,31 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,9 +56,10 @@ typedef const char *Prims_string;
+     !defined(__clang__)
+ #include <emmintrin.h>
+ typedef __m128i FStar_UInt128_uint128;
+-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
+ typedef __uint128_t FStar_UInt128_uint128;
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -26,7 +26,8 @@
+ 
+ #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ 
+ /* GCC + using native unsigned __int128 support */
+ 

nss-no-rpath.patch

@@ -1,14 +0,0 @@
---- ./mozilla/security/nss/cmd/platlibs.mk.withrpath	2007-02-19 07:17:06.000000000 +0100
-+++ ./mozilla/security/nss/cmd/platlibs.mk	2007-02-19 07:18:07.000000000 +0100
-@@ -52,9 +52,9 @@
- 
- ifeq ($(OS_ARCH), Linux)
- ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
- else
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
- endif
- endif
- 

nss-nolocalsql.patch

@@ -1,52 +0,0 @@
-diff -up ./mozilla/security/nss/lib/Makefile.nolocalsql ./mozilla/security/nss/lib/Makefile
---- ./mozilla/security/nss/lib/Makefile.nolocalsql	2007-07-19 23:36:49.000000000 +0200
-+++ ./mozilla/security/nss/lib/Makefile	2009-04-14 17:07:40.000000000 +0200
-@@ -62,11 +62,11 @@ ifeq ($(OS_TARGET), WINCE)
- DIRS := $(filter-out fortcrypt,$(DIRS))
- endif
- 
--ifndef MOZILLA_CLIENT
--ifndef NSS_USE_SYSTEM_SQLITE
--DIRS := sqlite $(DIRS)
--endif
--endif
-+#ifndef MOZILLA_CLIENT
-+#ifndef NSS_USE_SYSTEM_SQLITE
-+#DIRS := sqlite $(DIRS)
-+#endif
-+#endif
- 
- #######################################################################
- # (5) Execute "global" rules. (OPTIONAL)                              #
-diff -up ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn
---- ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn.nolocalsql	2007-07-19 23:36:50.000000000 +0200
-+++ ./mozilla/security/nss/lib/softoken/legacydb/manifest.mn	2009-04-14 17:07:40.000000000 +0200
-@@ -46,9 +46,9 @@ MAPFILE = $(OBJDIR)/nssdbm.def
- 
- DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\"
- 
--ifdef MOZILLA_CLIENT
--INCLUDES += -I$(DIST)/include/sqlite3
--endif
-+#ifdef MOZILLA_CLIENT
-+#INCLUDES += -I$(DIST)/include/sqlite3
-+#endif
- 
- CSRCS = \
- 	dbmshim.c \
-diff -up ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql ./mozilla/security/nss/lib/softoken/manifest.mn
---- ./mozilla/security/nss/lib/softoken/manifest.mn.nolocalsql	2009-03-25 17:21:37.000000000 +0100
-+++ ./mozilla/security/nss/lib/softoken/manifest.mn	2009-04-14 17:07:40.000000000 +0200
-@@ -47,9 +47,9 @@ MAPFILE = $(OBJDIR)/softokn.def
- 
- DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DSOFTOKEN_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\"
- 
--ifdef MOZILLA_CLIENT
--INCLUDES += -I$(DIST)/include/sqlite3
--endif
-+#ifdef MOZILLA_CLIENT
-+#INCLUDES += -I$(DIST)/include/sqlite3
-+#endif
- 
- EXPORTS = \
- 	secmodt.h \

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss-signtool-format.patch

@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+         if (!dir) {
+             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+             errorCount++;
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                errorCount++;
++                return -1;
++            }
+             if (rm_dash_r(filename))
+                 return -1;
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+             errorCount++;
+             return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 

nss-softokn-config.in

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi
+

nss-softokn-dracut-module-setup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so
+}

nss-softokn-dracut.conf

@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}

nss-sysinit.patch

@@ -1,15 +0,0 @@
-Index: mozilla/security/nss/lib/manifest.mn
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/manifest.mn,v
-retrieving revision 1.20
-diff -u -p -r1.20 manifest.mn
---- mozilla/security/nss/lib/manifest.mn	7 Nov 2009 05:57:41 -0000	1.20
-+++ mozilla/security/nss/lib/manifest.mn	4 Dec 2009 02:27:20 -0000
-@@ -56,6 +56,7 @@ DIRS =  util freebl softoken \
- 	pkcs12 pkcs7 smime \
- 	crmf jar \
- 	ckfw      \
-+	sysinit \
- 	$(NULL)
- 
- #  fortcrypt  is no longer built

nss-util-config.in

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nssutil
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi
+

nss-util.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}

nss.pc.in

@@ -6,6 +6,6 @@ includedir=%includedir%
 Name: NSS
 Description: Network Security Services
 Version: %NSS_VERSION%
-Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%, nss-softokn >= %SOFTOKEN_VERSION%
-Libs: -lssl3 -lsmime3 -lnss3
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}

pkcs11.txt.xml

@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>pkcs11.txt</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>pkcs11.txt</refname>
+    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+  </refnamediv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+    </para>
+    <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+    </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

secmod.db.xml

@@ -0,0 +1,63 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="secmod.db">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>secmod.db</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>secmod.db</refname>
+    <refpurpose>Legacy NSS security modules database</refpurpose>
+  </refnamediv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
+  <para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
+  </para>
+  <para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
+  </para>
+  <para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
+  </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/secmod.db</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+
+  </refsection>
+
+
+</refentry>

setup-nsssysinit.sh

@@ -1,24 +1,24 @@
 #!/bin/sh
 #
 # Turns on or off the nss-sysinit module db by editing the
-# global PKCS #11 congiguration file.
+# global PKCS #11 congiguration file. Displays the status.
 #
 # This script can be invoked by the user as super user.
-# It is invoked at nss-sysinit post install time with argument on
-# and at nss-sysinit pre uninstall with argument off. 
+# It is invoked at nss-sysinit post install time with argument on.
 #
 usage()
 {
   cat <<EOF
 Usage: setup-nsssysinit [on|off]
-  on  - turns on nsssysinit
-  off - turns off nsssysinit
+  on     - turns on nsssysinit
+  off    - turns off nsssysinit
+  status - reports whether nsssysinit is turned on or off
 EOF
   exit $1
 }
 
 # validate
-if test $# -eq 0; then
+if [ $# -eq 0 ]; then
   usage 1 1>&2
 fi
 
@@ -30,17 +30,26 @@ if [ ! -f $p11conf ]; then
   exit 1
 fi
 
-on="1"
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+  grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
 case "$1" in
   on | ON )
+    if sysinit_enabled; then 
+      exit 0 
+    fi
     cat ${p11conf} | \
-     sed -e 's/^library=$/library=libnsssysinit.so/' \
-         -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
-    ${p11conf}.on
+    sed -e 's/^library=$/library=libnsssysinit.so/' \
+        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+        ${p11conf}.on
     mv ${p11conf}.on ${p11conf}
     ;;
   off | OFF )
-    if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
+    if ! sysinit_enabled; then
       exit 0
     fi
     cat ${p11conf} | \
@@ -49,6 +58,10 @@ case "$1" in
         ${p11conf}.off
     mv ${p11conf}.off ${p11conf}
     ;;
+  status )
+    echo -n 'NSS sysinit is '
+    sysinit_enabled && echo 'enabled' || echo 'disabled'
+    ;;
   * )
     usage 1 1>&2
     ;;

setup-nsssysinit.xml

@@ -0,0 +1,106 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="setup-nsssysinit">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>setup-nsssysinit</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>setup-nsssysinit</refname>
+    <refpurpose>Query or enable the nss-sysinit module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>setup-nsssysinit</command>
+      <arg><option>on</option></arg>
+      <arg><option>off</option></arg>
+      <arg><option>status</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
+  <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+  </para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>on</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>off</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>status</option></term>
+        <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for the status of nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit status
+      </programlisting>
+    </para>
+
+    <para>The following example, when run as superuser, will turn on nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit on
+      </programlisting>
+    </para>
+
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

sources

@@ -1,7 +1,6 @@
-51c5958153b6c01fada2e74cedc66835  nss-3.12.5-stripped.tar.bz2
-82c2c72c961f2783c8e975a42fa939cf  nss-pem-20091210.tar.bz2
-a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
-9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
-73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
-691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
-2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
+SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
+SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
+SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
+SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
+SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
+SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

system-pkcs11.txt

@@ -1,5 +1,5 @@
-library=
+library=libnsssysinit.so
 name=NSS Internal PKCS #11 Module
 parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
 

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss