Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled.

Also disable building DBM backend

.gitignore

@@ -10,3 +10,42 @@ TestUser51.cert
 /PayPalRootCA.cert
 /PayPalICA.cert
 /nss-3.25.0.tar.gz
+/nss-3.26.0.tar.gz
+/nss-3.27.0.tar.gz
+/nss-3.27.2.tar.gz
+/nss-3.28.1.tar.gz
+/nss-3.29.0.tar.gz
+/nss-3.29.1.tar.gz
+/nss-3.30.0.tar.gz
+/nss-3.30.2.tar.gz
+/nss-3.31.0.tar.gz
+/nss-3.32.0.tar.gz
+/nss-3.32.1.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz
+/nss-3.37.1.tar.gz
+/nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
+/nss-3.39.tar.gz
+/nss-3.40.1.tar.gz
+/nss-3.41.tar.gz
+/nss-3.42.tar.gz
+/nss-3.42.1.tar.gz
+/nss-3.43.tar.gz
+/nss-3.44.tar.gz
+/nss-3.44.1.tar.gz
+/nss-3.45.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz
+/nss-3.51.1.tar.gz
+/nss-3.52.tar.gz

add-relro-linker-option.patch

@@ -1,16 +0,0 @@
-diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
---- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
-+++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
-@@ -174,6 +174,12 @@ endif
- endif
- endif
- 
-+# harden DSOs/executables a bit against exploits
-+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
-+DSO_LDOPTS+=-Wl,-z,relro
-+LDFLAGS	+= -Wl,-z,relro
-+endif
-+
- USE_SYSTEM_ZLIB = 1
- ZLIB_LIBS = -lz
- 

iquote.patch

@@ -1,211 +1,13 @@
-diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
---- ./nss/cmd/certcgi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certcgi/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/certutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/lib/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/modutil/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- 
- #######################################################################
-diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/selfserv/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/ssltap/Makefile	2016-03-05 12:04:06.216474144 -0800
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/strsclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/tstclnt/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/cmd/vfyserv/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/coreconf/location.mk	2016-03-05 12:04:06.217474124 -0800
-@@ -45,6 +45,10 @@ endif
- 
- ifdef NSS_INCLUDE_DIR
-     INCLUDES += -I$(NSS_INCLUDE_DIR)
-+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+        INCLUDES += -iquote $(DIST)/../public/nss
-+        INCLUDES += -iquote $(DIST)/../private/nss
-+    endif
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
  endif
  
- ifndef NSS_LIB_DIR
-diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile
---- ./nss/external_tests/pk11_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/external_tests/pk11_gtest/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile
---- ./nss/external_tests/ssl_gtest/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/external_tests/ssl_gtest/Makefile	2016-03-05 12:05:17.208082475 -0800
-@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/certhigh/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/cryptohi/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/nss/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
---- ./nss/lib/pk11wrap/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/ssl/Makefile	2016-03-05 12:04:06.217474124 -0800
-@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

nss-3.14.0.0-disble-ocsp-test.patch

@@ -1,11 +0,0 @@
-diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
---- nss/tests/chains/scenarios/scenarios.noocsptest	2013-06-27 10:58:08.000000000 -0700
-+++ nss/tests/chains/scenarios/scenarios	2013-07-02 16:13:27.075038930 -0700
-@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
- realcerts.cfg
- dsa.cfg
- revoc.cfg
--ocsp.cfg
- crldp.cfg
- trustanchors.cfg
- nameconstraints.cfg

nss-539183.patch

@@ -1,5 +1,5 @@
---- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
 @@ -953,23 +953,23 @@
  getBoundListenSocket(unsigned short port)
  {
@@ -29,8 +29,8 @@
      if (prStatus < 0) {
          PR_Close(listen_sock);
          errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
 @@ -1711,23 +1711,23 @@
  getBoundListenSocket(unsigned short port)
  {

nss-check-policy-file.patch

@@ -1,334 +0,0 @@
-diff --git a/lib/nss/config.mk b/lib/nss/config.mk
---- a/lib/nss/config.mk
-+++ b/lib/nss/config.mk
-@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
- ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
- ifndef NS_USE_GCC
- # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
- # but do not put it in the import library.  See bug 142575.
- DEFINES += -DWIN32_NSS3_DLL_COMPAT
- DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
- endif
- endif
-+
-+ifdef POLICY_FILE
-+DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
-+endif
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
- 
- /*
-  * see nss_Init for definitions of the various options.
-  *
-  * this function builds a moduleSpec string from the options and previously
-  * set statics (from PKCS11_Configure, for instance), and uses it to kick off
-  * the loading of the various PKCS #11 modules.
-  */
--static SECStatus
-+static SECMODModule *
- nss_InitModules(const char *configdir, const char *certPrefix, 
- 		const char *keyPrefix, const char *secmodName, 
- 		const char *updateDir, const char *updCertPrefix, 
- 		const char *updKeyPrefix, const char *updateID, 
- 		const char *updateName, char *configName, char *configStrings,
- 		PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
- 		PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
- 		PRBool isContextInit)
- {
--    SECStatus rv = SECFailure;
-+    SECMODModule *module = NULL;
-     char *moduleSpec = NULL;
-     char *flags = NULL;
-     char *lconfigdir = NULL;
-     char *lcertPrefix = NULL;
-     char *lkeyPrefix = NULL;
-     char *lsecmodName = NULL;
-     char *lupdateDir = NULL;
-     char *lupdCertPrefix = NULL;
-     char *lupdKeyPrefix = NULL;
-     char *lupdateID = NULL;
-     char *lupdateName = NULL;
- 
-     if (NSS_InitializePRErrorTable() != SECSuccess) {
- 	PORT_SetError(SEC_ERROR_NO_MEMORY);
--	return rv;
-+	return NULL;
-     }
- 
-     flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
- 					pwRequired, optimizeSpace);
--    if (flags == NULL) return rv;
-+    if (flags == NULL) return NULL;
- 
-     /*
-      * configdir is double nested, and Windows uses the same character
-      * for file seps as we use for escapes! (sigh).
-      */
-     lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
-     if (lconfigdir == NULL) {
- 	goto loser;
-@@ -427,24 +427,26 @@ loser:
-     if (lsecmodName) PORT_Free(lsecmodName);
-     if (lupdateDir) PORT_Free(lupdateDir);
-     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
-     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
-     if (lupdateID) PORT_Free(lupdateID);
-     if (lupdateName) PORT_Free(lupdateName);
- 
-     if (moduleSpec) {
--	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-+	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
- 	PR_smprintf_free(moduleSpec);
- 	if (module) {
--	    if (module->loaded) rv=SECSuccess;
--	    SECMOD_DestroyModule(module);
-+	    if (!module->loaded) {
-+	        SECMOD_DestroyModule(module);
-+		module = NULL;
-+	    }
- 	}
-     }
--    return rv;
-+    return module;
- }
- 
- /*
-  * OK there are now lots of options here, lets go through them all:
-  *
-  * configdir - base directory where all the cert, key, and module datbases live.
-  * certPrefix - prefix added to the beginning of the cert database example: "
-  * 			"https-server1-"
-@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
- 		 NSSInitContext ** initContextPtr,
- 		 NSSInitParameters *initParams,
- 		 PRBool readOnly, PRBool noCertDB, 
- 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
- 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
- 		 PRBool allowAlreadyInitializedModules,
- 		 PRBool dontFinalizeModules)
- {
--    SECStatus rv = SECFailure;
-+    SECMODModule *parent = NULL;
-     PKIX_UInt32 actualMinorVersion = 0;
-     PKIX_Error *pkixError = NULL;
-     PRBool isReallyInitted;
-     char *configStrings = NULL;
-     char *configName = NULL;
-     PRBool passwordRequired = PR_FALSE;
- 
-     /* if we are trying to init with a traditional NSS_Init call, maintain
-@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
- 	configStrings = pk11_config_strings;
- 	configName = pk11_config_name;
- 	passwordRequired = pk11_password_required;
-     }
- 
-     /* Skip the module init if we are already initted and we are trying
-      * to init with noCertDB and noModDB */
-     if (!(isReallyInitted && noCertDB && noModDB)) {
--	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
-+	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
- 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
- 		updateName, configName, configStrings, passwordRequired,
- 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
- 		(initContextPtr != NULL));
- 
--	if (rv != SECSuccess) {
-+	if (parent == NULL) {
- 	    goto loser;
- 	}
-     }
- 
- 
-     /* finish up initialization */
-     if (!isReallyInitted) {
- 	if (SECOID_Init() != SECSuccess) {
-@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
- 		     * path. Skip it */
- 		    dbpath = NULL;
- 		}
- 		if (dbpath) {
- 		    nss_FindExternalRoot(dbpath, secmodName);
- 		}
- 	    }
- 	}
--
-+#ifdef POLICY_FILE
-+        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-+	    SECMODModule *module = SECMOD_LoadModule(
-+		"name=\"Policy File\" "
-+		"parameters=\"configdir='sql:" POLICY_PATH "' "
-+		"secmod='" POLICY_FILE "' "
-+		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
-+		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-+		parent, PR_TRUE); 
-+	    if (module) {
-+		PRBool isLoaded = module->loaded;
-+		SECMOD_DestroyModule(module);
-+		if (!isLoaded) {
-+		    goto loser;
-+		}
-+	    }
-+	}
-+#endif
- 	pk11sdr_Init();
- 	cert_CreateSubjectKeyIDHashTable();
- 
- 	pkixError = PKIX_Initialize
- 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
- 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
- 
- 	if (pkixError != NULL) {
-@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
-     nssIsInInit--;
-     /* now that we are inited, all waiters can move forward */
-     PZ_NotifyAllCondVar(nssInitCondition);
-     PZ_Unlock(nssInitLock);
- 
-     if (initContextPtr && configStrings) {
- 	PR_smprintf_free(configStrings);
-     }
-+    if (parent) {
-+	SECMOD_DestroyModule(parent);
-+    }
- 
-     return SECSuccess;
- 
- loser:
-     if (initContextPtr && *initContextPtr) {
- 	PORT_Free(*initContextPtr);
- 	*initContextPtr = NULL;
- 	if (configStrings) {
- 	   PR_smprintf_free(configStrings);
- 	}
-     }
-     PZ_Lock(nssInitLock);
-     nssIsInInit--;
-     /* We failed to init, allow one to move forward */
-     PZ_NotifyCondVar(nssInitCondition);
-     PZ_Unlock(nssInitLock);
-+    if (parent) {
-+	SECMOD_DestroyModule(parent);
-+    }
-     return SECFailure;
- }
- 
- 
- SECStatus
- NSS_Init(const char *configdir)
- {
-     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
-diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
---- a/lib/pk11wrap/pk11pars.c
-+++ b/lib/pk11wrap/pk11pars.c
-@@ -105,16 +105,17 @@ secmod_NewModule(void)
-  *   This  allows system NSS to delegate those changes to the user's module DB, 
-  *   preserving the user's ability to load new PKCS #11 modules (which only 
-  *   affect him), from existing applications like Firefox.
-  */
- #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
- 						  *other flags are set */
- #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
- #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
-+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY   0x08
- 
- 
- /* private flags for internal (field in SECMODModule). */
- /* The meaing of these flags is as follows:
-  *
-  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
-  *   the internal module (that is, softoken). This bit is the same as the 
-  *   already existing meaning of internal = PR_TRUE. None of the other 
-@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
-     if (mod->isModuleDB) {
- 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
- 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
- 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
- 	}
- 	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
- 	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
- 	}
-+	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
-+	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
-+	}
- 	/* additional moduleDB flags could be added here in the future */
- 	mod->isModuleDB = (PRBool) flags;
-     }
- 
-     if (mod->internal) {
- 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
- 
- 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
-@@ -738,16 +742,24 @@ PRBool
- SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
- {
-    char flags = (char) mod->isModuleDB;
- 
-    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
- }
- 
- PRBool
-+secmod_PolicyOnly(SECMODModule *mod)
-+{
-+   char flags = (char) mod->isModuleDB;
-+
-+   return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
-+}
-+
-+PRBool
- secmod_IsInternalKeySlot(SECMODModule *mod)
- {
-    char flags = (char) mod->internal;
- 
-    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
- }
- 
- void
-@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
-     if (library) PORT_Free(library);
-     if (moduleName) PORT_Free(moduleName);
-     if (parameters) PORT_Free(parameters);
-     if (nss) PORT_Free(nss);
-     if (config) PORT_Free(config);
-     if (!module) {
- 	goto loser;
-     }
-+
-+    /* a policy only stanza doesn't actually get 'loaded'. policy has already
-+     * been parsed as a side effect of the CreateModuleEx call */
-+    if (secmod_PolicyOnly(module)) {
-+	return module;
-+    }
-     if (parent) {
-     	module->parent = SECMOD_ReferenceModule(parent);
- 	if (module->internal && secmod_IsInternalKeySlot(parent)) {
- 	    module->internal = parent->internal;
- 	}
-     }
- 
-     /* load it */
-diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
---- a/lib/util/utilpars.c
-+++ b/lib/util/utilpars.c
-@@ -1139,17 +1139,18 @@ char *
- 	*dbType = NSS_DB_TYPE_SQL;
- 	PORT_Free(*filename);
- 	*filename = NULL;
-         *rw = PR_FALSE;
-    }
- 
-    /* only use the renamed secmod for legacy databases */
-    if ((*dbType != NSS_DB_TYPE_LEGACY) && 
--	(*dbType != NSS_DB_TYPE_MULTIACCESS)) {
-+	(*dbType != NSS_DB_TYPE_MULTIACCESS) &&
-+	  !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
- 	secmodName="pkcs11.txt";
-    }
- 
-    if (noModDB) {
- 	value = NULL;
-    } else if (lconfigdir && lconfigdir[0] != '\0') {
- 	value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
- 			lconfigdir,secmodName);

nss-gcm-param-default-pkcs11v2.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+ 
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+ 
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif

nss-kremlin-ppc64le.patch

@@ -0,0 +1,31 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,9 +56,10 @@ typedef const char *Prims_string;
+     !defined(__clang__)
+ #include <emmintrin.h>
+ typedef __m128i FStar_UInt128_uint128;
+-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
+ typedef __uint128_t FStar_UInt128_uint128;
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -26,7 +26,8 @@
+ 
+ #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ 
+ /* GCC + using native unsigned __int128 support */
+ 

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss-pem-unitialized-vars.path

@@ -1,15 +0,0 @@
-diff -up ./lib/ckfw/pem/pinst.c.unitialized_vars ./lib/ckfw/pem/pinst.c
---- ./lib/ckfw/pem/pinst.c.unitialized_var	2016-05-21 19:04:24.471221863 -0700
-+++ ./lib/ckfw/pem/pinst.c	2016-05-21 19:31:07.124298651 -0700
-@@ -534,9 +534,9 @@ CK_RV
- AddCertificate(char *certfile, char *keyfile, PRBool cacert,
-                CK_SLOT_ID slotID)
- {
--    pemInternalObject *o;
-+    pemInternalObject *o = NULL;
-     CK_RV error = 0;
--    int objid, i;
-+    int objid, i = 0;
-     int nobjs = 0;
-     SECItem **objs = NULL;
-     char *ivstring = NULL;

nss-signtool-format.patch

@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+         if (!dir) {
+             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+             errorCount++;
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                errorCount++;
++                return -1;
++            }
+             if (rm_dash_r(filename))
+                 return -1;
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+             errorCount++;
+             return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 

nss-skip-bltest-and-fipstest.patch

@@ -1,15 +0,0 @@
-diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
---- ./nss/cmd/Makefile.skipem	2016-06-24 10:10:38.143165159 -0700
-+++ ./nss/cmd/Makefile	2016-06-24 10:13:08.566457400 -0700
-@@ -17,7 +17,11 @@ endif
- ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
- BLTEST_SRCDIR =
- FIPSTEST_SRCDIR =
-+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
-+SHLIBSIGN_SRCDIR = shlibsign
-+else
- SHLIBSIGN_SRCDIR =
-+endif
- else
- BLTEST_SRCDIR = bltest
- FIPSTEST_SRCDIR = fipstest

nss-skip-ecperf.patch

@@ -1,11 +0,0 @@
-diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
---- ./nss/cmd/manifest.mn.noecperf	2016-06-24 08:04:53.891106841 -0700
-+++ ./nss/cmd/manifest.mn	2016-06-24 08:06:57.186887403 -0700
-@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
-  dbtest \
-  derdump  \
-  digest  \
-- ecperf \
-  httpserv  \
-  listsuites \
-  makepqg  \

nss-skip-util-gtest.patch

@@ -1,11 +0,0 @@
-diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn
---- ./external_tests/manifest.mn.skip_util_gtest	2016-05-21 21:34:56.156346633 -0700
-+++ ./external_tests/manifest.mn	2016-05-21 21:35:23.408854282 -0700
-@@ -8,7 +8,6 @@ DEPTH      = ..
- DIRS = \
- 	google_test \
-         der_gtest \
--	util_gtest \
-         pk11_gtest \
-         ssl_gtest \
- 	$(NULL)

nss-softokn-config.in

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi
+

nss-softokn-dracut-module-setup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so
+}

nss-softokn-dracut.conf

@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}

nss-util-config.in

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nssutil
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi
+

nss-util.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}

renegotiate-transitional.patch

@@ -1,12 +0,0 @@
-diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.transitional	2016-06-23 21:03:16.316480089 -0400
-+++ ./nss/lib/ssl/sslsock.c	2016-06-23 21:08:07.290202477 -0400
-@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,              /* noLocks            */
-     PR_FALSE,              /* enableSessionTickets */
-     PR_FALSE,              /* enableDeflate      */
--    2,                     /* enableRenegotiation (default: requires extension) */
-+    3,                     /* enableRenegotiation (default: transitional) */
-     PR_FALSE,              /* requireSafeNegotiation */
-     PR_FALSE,              /* enableFalseStart   */
-     PR_TRUE,               /* cbcRandomIV        */

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -1,23 +0,0 @@
---- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
-+++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- 
-  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

sources

@@ -1,6 +1,6 @@
-a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
-9315689bbd9f28ceebd47894f99fccbd  blank-key3.db
-73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
-691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
-2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-950263d15d1f055605bfb6e634a1a019  nss-3.25.0.tar.gz
+SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
+SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
+SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
+SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
+SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
+SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

tests-check-policy-file.patch

@@ -1,84 +0,0 @@
-diff -up ./tests/ssl/sslauth.txt.check_policy ./tests/ssl/sslauth.txt
-diff -up ./tests/ssl/ssl.sh.check_policy ./tests/ssl/ssl.sh
---- ./tests/ssl/ssl.sh.check_policy	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/ssl.sh	2016-05-28 15:45:07.645964005 -0700
-@@ -61,10 +61,19 @@ ssl_init()
-   nss_ssl_run="stapling signed_cert_timestamps cov auth stress"
-   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
- 
-+  NSS_POLICY_FILE=[ -f ${POLICY_PATH}/${POLICY_FILE} ] \
-+    ? "${POLICY_PATH}/${POLICY_FILE}" \
-+    : ""
-   # Test case files
--  SSLCOV=${QADIR}/ssl/sslcov.txt
--  SSLAUTH=${QADIR}/ssl/sslauth.txt
--  SSLSTRESS=${QADIR}/ssl/sslstress.txt
-+  if [ -n ${NSS_POLICY_FILE} ]; then
-+    SSLAUTH=${QADIR}/ssl/sslauth.byPolicy.txt
-+    SSLCOV=${QADIR}/ssl/sslcov.byPolicy.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.byPolicy.txt
-+  else
-+    SSLAUTH=${QADIR}/ssl/sslauth.txt
-+    SSLCOV=${QADIR}/ssl/sslcov.txt
-+    SSLSTRESS=${QADIR}/ssl/sslstress.txt
-+  fi
-   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
-   REQUEST_FILE=${QADIR}/ssl/sslreq.dat
- 
-@@ -122,7 +131,11 @@ is_selfserv_alive()
-   fi
- 
-   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
-+  if [ -n ${NSS_POLICY_FILE}" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+  echo "No server to kill"
-+  else
-   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
-+  fi
- 
-   echo "selfserv with PID ${PID} found at `date`"
- }
-@@ -145,7 +158,11 @@ wait_for_selfserv()
-       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-               -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
-       if [ $? -ne 0 ]; then
-+          if [ -n ${NSS_POLICY_FILE} ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
-+              html_passed "Server never started"
-+          else
-           html_failed "Waiting for Server"
-+          fi
-       fi
-   fi
-   is_selfserv_alive
-@@ -216,15 +233,16 @@ start_selfserv()
-   echo "selfserv starting at `date`"
-   echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
-   echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
--  echo "         $verbose -H 1 &"
-+  VMIN_OPT=[ -n ${NSS_POLICY_FILE} ] ? "-V ssl3:" : ""
-+  echo "         $verbose -H 1 ${VMIN_OPT} &"
-   if [ ${fileout} -eq 1 ]; then
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
-                ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
--               > ${SERVEROUTFILE} 2>&1 &
-+               ${VMIN_OPT}> ${SERVEROUTFILE} 2>&1 &
-       RET=$?
-   else
-       ${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
--               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
-+               ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 ${VMIN_OPT} &
-       RET=$?
-   fi
- 
-@@ -275,6 +293,12 @@ ssl_cov()
-       echo "${testname}" | grep "EXPORT" > /dev/null 
-       EXP=$?
- 
-+      #  trace these types of tests when build has policy enabled
-+      if [ -n ${NSS_POLICY_FILE} ] &&
-+         [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ] || ${SSL3} -eq 0 ]]; then
-+            echo "exp/ssl2/ssl3 test should fail: (NSS_NO_SSL2,EXP,SSL2,SSL3)=(${NSS_NO_SSL2},${EXP},${SSL2},${SSL3})"
-+      fi
-+
-       if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
-           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
-       elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$EXP" -eq 0 ] ; then

tests-data-adjust-for-policy.patch

@@ -1,101 +0,0 @@
-diff -up ./tests/ssl/sslauth.txt.expected_result ./tests/ssl/sslauth.txt
---- ./tests/ssl/sslauth.txt.expected_result	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/sslauth.txt	2016-05-28 15:21:11.800761721 -0700
-@@ -14,12 +14,12 @@
-   noECC    254      -r_-r        -w_nss_-n_none           TLS Require client auth (client does not provide auth)
-   noECC    254      -r_-r        -w_bogus_-n_TestUser     TLS Require client auth (bad password)
-   noECC     0       -r_-r        -w_nss_-n_TestUser_      TLS Require client auth (client auth)
--  noECC     0       -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
--  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
--  noECC     0       -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
-+  noECC    254      -r           -V_:ssl3_-w_nss_-n_none        SSL3 Request don't require client auth (client does not provide auth)
-+  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Request don't require client auth (bad password)
-+  noECC    254      -r           -V_:ssl3_-n_TestUser_-w_nss    SSL3 Request don't require client auth (client auth)
-   noECC    254      -r_-r        -V_:ssl3_-w_nss_-n_none        SSL3 Require client auth (client does not provide auth)
-   noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_bogus  SSL3 Require client auth (bad password)
--  noECC     0       -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-+  noECC    254      -r_-r        -V_:ssl3_-n_TestUser_-w_nss    SSL3 Require client auth (client auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_none        TLS Request don't require client auth on 2nd hs (client does not provide auth)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_bogus_-n_TestUser  TLS Request don't require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r     -V_ssl3:_-w_nss_-n_TestUser    TLS Request don't require client auth on 2nd hs (client auth)
-@@ -32,9 +32,9 @@
-   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_none        TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser  TLS 1.0 Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser    TLS 1.0 Require client auth on 2nd hs (client auth)
--  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
--  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
--  noECC     0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
-+  noECC    254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-w_nss_-n_none     SSL3 Require client auth on 2nd hs (client does not provide auth)
-   noECC     1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
-   noECC     0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
-@@ -57,17 +57,17 @@
-    ECC      0       -r_-r_-r     -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec    TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec  TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
-    ECC      0       -r_-r_-r_-r  -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_   TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
--   ECC      0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
--   ECC      0       -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
-+   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
-+   ECC     254      -r_-r_-r     -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
-    ECC      1       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
--   ECC      0       -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
-+   ECC     254      -r_-r_-r_-r  -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
- #
- # SNI Tests
- #
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom    TLS Server response with alert
--  SNI     0       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
-+  SNI    254      -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-w_nss_-n_TestUser                  SSL3 Server hello response without SNI
-   SNI     1       -r_-a_Host-sni.Dom       -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom  SSL3 Server hello response with SNI: SSL don't have SH extensions
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser                     TLS Server hello response without SNI
-   SNI     0       -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom     TLS Server hello response with SNI
-diff -up ./tests/ssl/sslpolicy.txt.expected_result ./tests/ssl/sslpolicy.txt
---- ./tests/ssl/sslpolicy.txt.expected_result	2016-05-17 00:58:45.000000000 -0700
-+++ ./tests/ssl/sslpolicy.txt	2016-05-28 15:21:11.800761721 -0700
-@@ -148,26 +148,26 @@
- # Exp Enable Enable Cipher Config Policy      Test Name
- # Ret  EC     TLS
- # turn on single cipher 
--  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
--  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
--  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
--  1 noECC  SSL3   d    disallow=all Disallow All Explicitly.
-+#  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
-+#  0 noECC  SSL3   d    disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
-+#  0 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
-+#  1 noECC  SSL3   d    disallow=all Disallow All Explicitly.
- # turn off signature only
--  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Signatures Explicitly.
--  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
--  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=sha256 Disallow SHA256 Signatures Explicitly.
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
- # turn off single cipher 
--  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
--  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
--  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
-+#  1 noECC  SSL3   d    disallow=des-ede3-cbc Disallow Cipher Explicitly
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
- # turn off H-Mac
--  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
--  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
--  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=hmac-sha1 Disallow HMAC Explicitly
-+#  1 noECC  SSL3   d    disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
- # turn off key exchange 
--  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
--  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
--  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
-+#  1 noECC  SSL3   d    disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
-+#  1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
-+#  1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
- # turn off  version
-   1 noECC  SSL3   d    allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
-   1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          nss openssl" >> $(METADATA)
+	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -0,0 +1,4 @@
+PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
+Description: NSS tools should not use SHA1 by default when
+Author: Hubert Kario <hkario@redhat.com>
+Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -0,0 +1,125 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
+#   Description: NSS tools should not use SHA1 by default when
+#   Author: Hubert Kario <hkario@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="nss"
+PACKAGES="nss openssl"
+DBDIR="nssdb"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm --all
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "mkdir nssdb"
+        rlRun "certutil -N -d $DBDIR --empty-password"
+        rlLogInfo "Create a JAR file"
+        rlRun "mkdir java-dir"
+        rlRun "pushd java-dir"
+        rlRun "mkdir META-INF mypackage"
+        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
+        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
+        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
+        rlRun "popd"
+        #rlRun "mv java-dir/package.jar ."
+    rlPhaseEnd
+
+    rlPhaseStartTest "Self signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
+        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing certificates"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
+        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Certificate request with SHA1"
+        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
+        rlRun "mkdir srv2db"
+        rlRun "certutil -d srv2db -N --empty-password"
+        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
+        rlRun -s "openssl req -noout -text -in srv2.req"
+        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
+        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
+        rlRun -s "openssl x509 -in srv2.crt -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+        rlRun "rm -rf srv2db"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Signing CMS messages"
+        rlRun "echo 'This is a document' > document.txt"
+        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
+        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
+        rlAssertGrep "algorithm: sha256" $rlRun_LOG
+        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartTest "CRL signing"
+        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
+        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
+        rlRun "echo addext crlNumber 0 1245 >>script"
+        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
+        rlRun "echo addext reasonCode 0 0 >>script"
+        rlRun "cat script"
+        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
+        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
+        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
+        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# This first play always runs on the local staging system
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - NSS-tools-should-not-use-SHA1-by-default-when
+    required_packages:
+    - nss-tools
+    - nss

utilwrap-include-templates.patch

@@ -1,14 +0,0 @@
-diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
---- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
-+++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
-@@ -3,6 +3,10 @@
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- 
-+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-+INCLUDES += -I/usr/include/nss3/templates
-+#endif
-+
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
- ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-