Network Security Services
CentOS Sources
2018-05-14 74449011e876d8839a7a1053f27fcea5cd1ccf4e
import nss-3.36.0-5.el7_5
5 files added
6 files deleted
7 files modified
1355 ■■■■ changed files
.gitignore 2 ●●● patch | view | raw | blame | history
.nss.metadata 2 ●●● patch | view | raw | blame | history
SOURCES/Bug-1001841-disable-sslv2-tests.patch 19 ●●●● patch | view | raw | blame | history
SOURCES/enable-fips-when-system-is-in-fips-mode.patch 28 ●●●● patch | view | raw | blame | history
SOURCES/nss-certutil-suppress-password.patch 20 ●●●●● patch | view | raw | blame | history
SOURCES/nss-devslot-reinsert.patch 95 ●●●●● patch | view | raw | blame | history
SOURCES/nss-increase-pkcs12-iterations.patch 26 ●●●●● patch | view | raw | blame | history
SOURCES/nss-is-token-present-race.patch 191 ●●●●● patch | view | raw | blame | history
SOURCES/nss-lockcert-api-change.patch 68 ●●●●● patch | view | raw | blame | history
SOURCES/nss-modutil-skip-changepw-fips.patch 22 ●●●●● patch | view | raw | blame | history
SOURCES/nss-modutil-suppress-password.patch 20 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pk12util-faulty-aes.patch 43 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pkcs12-iterations-limit.patch 24 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pss-fixes.patch 649 ●●●●● patch | view | raw | blame | history
SOURCES/nss-reorder-cipher-suites-gtests.patch 12 ●●●● patch | view | raw | blame | history
SOURCES/nss-sql-default.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/renegotiate-transitional.patch 22 ●●●● patch | view | raw | blame | history
SPECS/nss.spec 70 ●●●●● patch | view | raw | blame | history
.gitignore
@@ -10,7 +10,7 @@
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
SOURCES/nss-3.34.0.tar.gz
SOURCES/nss-3.36.0.tar.gz
SOURCES/nss-config.xml
SOURCES/secmod.db.xml
SOURCES/setup-nsssysinit.xml
.nss.metadata
@@ -10,7 +10,7 @@
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz
e9d8137e035efed17bd0ca12db497dbeff9b828e SOURCES/nss-3.36.0.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,10 +1,11 @@
diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
--- nss/tests/ssl/ssl.sh.disableSSL2tests    2017-09-20 08:47:27.000000000 +0200
+++ nss/tests/ssl/ssl.sh    2017-10-06 16:19:10.812108552 +0200
@@ -69,8 +69,14 @@ ssl_init()
--- nss/tests/ssl/ssl.sh.disableSSL2tests    2018-03-05 16:58:32.000000000 +0100
+++ nss/tests/ssl/ssl.sh    2018-03-09 17:24:07.047568191 +0100
@@ -68,9 +68,14 @@ ssl_init()
   NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
   # Test case files
   SSLCOV=${QADIR}/ssl/sslcov.txt
-  SSLCOV=${QADIR}/ssl/sslcov.txt
+  if [ "${NSS_NO_SSL2}" = "1" ]; then
+    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
+    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
@@ -17,7 +18,7 @@
   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
   REQUEST_FILE=${QADIR}/ssl/sslreq.dat
 
@@ -128,7 +134,11 @@ is_selfserv_alive()
@@ -128,7 +133,11 @@ is_selfserv_alive()
   fi
 
   echo "kill -0 ${PID} >/dev/null 2>/dev/null"
@@ -29,7 +30,7 @@
 
   echo "selfserv with PID ${PID} found at `date`"
 }
@@ -152,7 +162,11 @@ wait_for_selfserv()
@@ -152,7 +161,11 @@ wait_for_selfserv()
       ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
               -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
       if [ $? -ne 0 ]; then
@@ -41,7 +42,7 @@
       fi
   fi
   is_selfserv_alive
@@ -275,7 +289,7 @@ ssl_cov()
@@ -275,7 +288,7 @@ ssl_cov()
   start_selfserv # Launch the server
 
   VMIN="ssl3"
@@ -50,7 +51,7 @@
 
   ignore_blank_lines ${SSLCOV} | \
   while read ectype testmax param testname
@@ -283,6 +297,12 @@ ssl_cov()
@@ -283,6 +296,12 @@ ssl_cov()
       echo "${testname}" | grep "EXPORT" > /dev/null
       EXP=$?
 
SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -1,7 +1,7 @@
diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode    2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/pk11pars.c    2017-01-13 17:04:52.968903200 +0100
@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode    2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/pk11pars.c    2018-03-09 17:24:39.815838810 +0100
@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
 
     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
@@ -13,9 +13,9 @@
     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode    2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/pk11util.c    2017-01-13 17:06:24.171723872 +0100
@@ -94,6 +94,26 @@ SECMOD_Shutdown()
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode    2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/pk11util.c    2018-03-09 17:25:46.804347730 +0100
@@ -95,6 +95,26 @@ SECMOD_Shutdown()
     return SECSuccess;
 }
 
@@ -42,7 +42,7 @@
 /*
  * retrieve the internal module
  */
@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char *
@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
     SECMODModuleList **mlpp;
     SECStatus rv = SECFailure;
 
@@ -51,18 +51,18 @@
         PORT_SetError(SEC_ERROR_MODULE_STUCK);
         return rv;
     }
@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
 PRBool
 SECMOD_CanDeleteInternalModule(void)
 {
@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
 #ifdef NSS_FIPS_DISABLED
     return PR_FALSE;
 #else
-    return (PRBool)(pendingModule == NULL);
+    return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
 #endif
 }
 
 /*
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode    2017-01-13 17:01:05.278296965 +0100
+++ nss/lib/pk11wrap/secmodi.h    2017-01-13 17:07:08.897624098 +0100
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode    2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/secmodi.h    2018-03-09 17:24:39.816838788 +0100
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
 CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
SOURCES/nss-certutil-suppress-password.patch
File was deleted
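--- /dev/null
+++ b/SOURCES/nss-devslot-reinsert.patch
@@ -0,0 +1,95 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1521731296 -3600
+#      Thu Mar 22 16:08:16 2018 +0100
+# Node ID 6ae3ab8a1e7b4161f3f8eee90db7a745acced408
+# Parent  dedf5290c679153e5b3555ba9c711fe62323c156
+Bug 1447628, devslot: avoid deadlock when re-inserting a token, r=rrelyea
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -96,10 +96,16 @@ nssSlot_ResetDelay(
+ }
+ static PRBool
+-within_token_delay_period(const NSSSlot *slot)
++token_status_checked(const NSSSlot *slot)
+ {
+     PRIntervalTime time;
+     int lastPingState = slot->lastTokenPingState;
++    /* When called from the same thread, that means
++     * nssSlot_IsTokenPresent() is called recursively through
++     * nssSlot_Refresh(). Return immediately in that case. */
++    if (slot->isPresentThread == PR_GetCurrentThread()) {
++        return PR_TRUE;
++    }
+     /* Set the delay time for checking the token presence */
+     if (s_token_delay_time == 0) {
+         s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME);
+@@ -130,7 +136,7 @@ nssSlot_IsTokenPresent(
+     /* avoid repeated calls to check token status within set interval */
+     PZ_Lock(slot->isPresentLock);
+-    if (within_token_delay_period(slot)) {
++    if (token_status_checked(slot)) {
+         CK_FLAGS ckFlags = slot->ckFlags;
+         PZ_Unlock(slot->isPresentLock);
+         return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+@@ -146,12 +152,12 @@ nssSlot_IsTokenPresent(
+     /* set up condition so only one thread is active in this part of the code at a time */
+     PZ_Lock(slot->isPresentLock);
+-    while (slot->inIsPresent) {
++    while (slot->isPresentThread) {
+         PR_WaitCondVar(slot->isPresentCondition, 0);
+     }
+     /* if we were one of multiple threads here, the first thread will have
+      * given us the answer, no need to make more queries of the token. */
+-    if (within_token_delay_period(slot)) {
++    if (token_status_checked(slot)) {
+         CK_FLAGS ckFlags = slot->ckFlags;
+         PZ_Unlock(slot->isPresentLock);
+         return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+@@ -159,7 +165,7 @@ nssSlot_IsTokenPresent(
+     /* this is the winning thread, block all others until we've determined
+      * if the token is present and that it needs initialization. */
+     slot->lastTokenPingState = nssSlotLastPingState_Update;
+-    slot->inIsPresent = PR_TRUE;
++    slot->isPresentThread = PR_GetCurrentThread();
+     PZ_Unlock(slot->isPresentLock);
+@@ -257,7 +263,7 @@ done:
+         slot->lastTokenPingTime = PR_IntervalNow();
+         slot->lastTokenPingState = nssSlotLastPingState_Valid;
+     }
+-    slot->inIsPresent = PR_FALSE;
++    slot->isPresentThread = NULL;
+     PR_NotifyAllCondVar(slot->isPresentCondition);
+     PZ_Unlock(slot->isPresentLock);
+     return isPresent;
+diff --git a/lib/dev/devt.h b/lib/dev/devt.h
+--- a/lib/dev/devt.h
++++ b/lib/dev/devt.h
+@@ -92,7 +92,7 @@ struct NSSSlotStr {
+     PK11SlotInfo *pk11slot;
+     PZLock *isPresentLock;
+     PRCondVar *isPresentCondition;
+-    PRBool inIsPresent;
++    PRThread *isPresentThread;
+ };
+ struct nssSessionStr {
+diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c
+--- a/lib/pk11wrap/dev3hack.c
++++ b/lib/pk11wrap/dev3hack.c
+@@ -122,7 +122,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
+     rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
+     rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
+     rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
+-    rvSlot->inIsPresent = PR_FALSE;
++    rvSlot->isPresentThread = NULL;
+     rvSlot->lastTokenPingState = nssSlotLastPingState_Reset;
+     return rvSlot;
+ }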
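Review bot: In token_status_checked(), the new same-thread early return makes the recursive nssSlot_IsTokenPresent() call report whatever `slot->ckFlags` the outer call on this thread has cached so far, while that outer call is still in the middle of refreshing it; that is presumably the intended way to break the deadlock, but the comment only says "return immediately" and should state that the cached flags may be stale, e.g. `/* The outer call on this thread owns the refresh; report its last cached ckFlags instead of blocking. */`. The `int lastPingState = slot->lastTokenPingState;` read above the new check is unused on that early-return path and could move below it. Both call sites take `slot->isPresentLock` before calling, which is what makes the `isPresentThread` read safe, and that is worth a sentence in the function header too. The hunks of nssSlot_IsTokenPresent() each start and end outside the patch's visible context, so the unlock and error paths between them are not visible here.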
SOURCES/nss-increase-pkcs12-iterations.patch
File was deleted
SOURCES/nss-is-token-present-race.patch
File was deleted
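--- /dev/null
+++ b/SOURCES/nss-lockcert-api-change.patch
@@ -0,0 +1,68 @@
+# HG changeset patch
+# User Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Date 1486546862 -3600
+#      Wed Feb 08 10:41:02 2017 +0100
+# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0
+# Parent  a8d77070526320ad0edc7ba164ce97f10c4f7d94
+Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert
+diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h
+--- a/lib/certdb/cert.h
++++ b/lib/certdb/cert.h
+@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand
+ void CERT_LockCertRefCount(CERTCertificate *cert);
+ /*
+- * Free the cert reference count lock
++ * Release the cert reference count lock
+  */
+ void CERT_UnlockCertRefCount(CERTCertificate *cert);
+ /*
+- * Acquire the cert trust lock
+- * There is currently one global lock for all certs, but I'm putting a cert
+- * arg here so that it will be easy to make it per-cert in the future if
+- * that turns out to be necessary.
+- */
+-void CERT_LockCertTrust(const CERTCertificate *cert);
+-
+-/*
+- * Free the cert trust lock
+- */
+-void CERT_UnlockCertTrust(const CERTCertificate *cert);
+-
+-/*
+  * Digest the cert's subject public key using the specified algorithm.
+  * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding
+  * the tag, length, and number of unused bits) rather than the whole
+diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h
+--- a/lib/certdb/certi.h
++++ b/lib/certdb/certi.h
+@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener
+ SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage,
+                               unsigned int* failedFlags, PRBool* isTrusted);
+ /*
+  * Acquire the cert temp/perm lock
+  */
+ void CERT_LockCertTempPerm(const CERTCertificate* cert);
+ /*
+  * Release the temp/perm lock
+  */
+ void CERT_UnlockCertTempPerm(const CERTCertificate* cert);
++/*
++ * Acquire the cert trust lock
++ * There is currently one global lock for all certs, but I'm putting a cert
++ * arg here so that it will be easy to make it per-cert in the future if
++ * that turns out to be necessary.
++ */
++void CERT_LockCertTrust(const CERTCertificate* cert);
++
++/*
++ * Release the cert trust lock
++ */
++void CERT_UnlockCertTrust(const CERTCertificate* cert);
++
+ #endif /* _CERTI_H_ */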
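Review bot: This file is the upstream changeset 896e3eb3a799 stored verbatim, but nss.spec applies it reversed (`%patch142 -p1 -R -b .lockcert-api-change`), so a reader of the patch alone sees the opposite of its effect in this build: CERT_LockCertTrust and CERT_UnlockCertTrust are restored to the public cert.h rather than moved into the private certi.h. The same holds for nss-sql-default.patch (`%patch136 -p1 -R -b .sql-default`). A one-line note above the `# HG changeset patch` header saying the file is applied with -R and why (the 3.36.0-5 changelog entry gives the reason for this one) would keep that intent from being lost when the patches are next rebased. Whether reversing it only moves the declarations or also undoes part of the tsan race fix named in the changeset title is not visible from the two header hunks, and the note should say which.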
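--- /dev/null
+++ b/SOURCES/nss-modutil-skip-changepw-fips.patch
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1523546409 -7200
+#      Thu Apr 12 17:20:09 2018 +0200
+# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca
+# Parent  2eefd697d661efb82a77c84d893e6fbceefdf458
+Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string
+diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
+--- a/cmd/modutil/pk11.c
++++ b/cmd/modutil/pk11.c
+@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile,
+             ret = CHANGEPW_FAILED_ERR;
+             goto loser;
+         }
++    } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) {
++        /* Workaround to suppress harmless error in FIPS mode:
++         * When explicitly setting empty password while the old
++         * password is also empty, skip */
+     } else {
+         if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+             PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);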
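Review bot: The new `else if` dereferences newpw (`*newpw == '\0'`) with nothing in the hunk showing it is non-NULL; ChangePW() begins outside the hunk, so if an earlier guard does not already reject a NULL newpw the condition should read `newpw != NULL && *newpw == '\0'`. The condition also calls PK11_CheckUserPassword(slot, newpw), which authenticates to the slot as a side effect of deciding whether to skip; the body comment should say that this successful check is what establishes the old password is empty, e.g. `/* PK11_CheckUserPassword succeeded with the empty string, so old == new == ""; nothing to change. */`. An `else if` whose body is only a comment reads as unfinished; a trailing `/* no-op: ret keeps its success value */` makes the intent explicit.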
SOURCES/nss-modutil-suppress-password.patch
File was deleted
SOURCES/nss-pk12util-faulty-aes.patch
File was deleted
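--- /dev/null
+++ b/SOURCES/nss-pkcs12-iterations-limit.patch
@@ -0,0 +1,24 @@
+# HG changeset patch
+# User J.C. Jones <jjones@mozilla.com>
+# Date 1521824312 25200
+#      Fri Mar 23 09:58:32 2018 -0700
+# Branch NSS_3_36_BRANCH
+# Node ID ba3f1cc8a8e644ee6f8a763624d97e987816304d
+# Parent  2355c9e3bba477c947a09a2fe8b1ed8971fab1cb
+Bug 1278071 - Limit iterations for PKCS #12 export for Windows r=kaie
+Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds
+or less. So for compatibility's sake, let's limit there, too.
+diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
+--- a/lib/pkcs7/p7create.c
++++ b/lib/pkcs7/p7create.c
+@@ -22,7 +22,7 @@ const int NSS_PBE_DEFAULT_ITERATION_COUN
+ #ifdef DEBUG
+     10000
+ #else
+-    1000000
++    600000
+ #endif
+     ;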
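Review bot: The non-debug value of NSS_PBE_DEFAULT_ITERATION_COUNT drops from 1000000 to 600000 with the rationale kept only in the changeset description, not next to the constant; because a lower PBE iteration count lowers the work an attacker must spend per password guess against an exported PKCS#12 file, the compatibility trade-off should be recorded at the definition, e.g. `/* 600000: Windows cannot import PKCS#12 files with more rounds (Bug 1436873, Bug 1278071). */`. The DEBUG branch keeps 10000, so only release builds change. The `const int NSS_PBE_DEFAULT_ITERATION_COUNT =` line itself sits just above the hunk.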
SOURCES/nss-pss-fixes.patch
File was deleted
SOURCES/nss-reorder-cipher-suites-gtests.patch
@@ -1,7 +1,7 @@
diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests    2017-09-20 08:47:27.000000000 +0200
+++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc    2017-10-06 16:41:39.223713982 +0200
@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests    2018-03-05 16:58:32.000000000 +0100
+++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc    2018-03-09 17:29:32.985313219 +0100
@@ -231,7 +231,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
   // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
   // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
   // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
@@ -12,7 +12,7 @@
     return ssl_grp_ec_secp384r1;
   }
   return ssl_grp_ec_curve25519;
@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P(
@@ -870,20 +872,24 @@ INSTANTIATE_TEST_CASE_P(
                        ::testing::Values(TlsAgent::kServerEcdsa256),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
@@ -39,9 +39,9 @@
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P(
@@ -892,4 +898,5 @@ INSTANTIATE_TEST_CASE_P(
                                          TlsAgent::kServerEcdsa384),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_sha1)));
+#endif
 }
 }  // namespace nss_test
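--- /dev/null
+++ b/SOURCES/nss-sql-default.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511548994 -3600
+#      Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent  807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
++    echo "Running test cycle: ${TEST_MODE} ----------------------"
++    echo "List of tests that will be executed: ${TESTS}"
+     for TEST in ${TESTS}
+     do
+         # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+     NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+     export -n NSS_SSL_RUN
+-    # use the default format
++    # use the default format. (unset for the shell, export -n for binaries)
+     export -n NSS_DEFAULT_DB_TYPE
++    unset NSS_DEFAULT_DB_TYPE
+     run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+   # are dbm databases.
+   if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+     save=${NSS_DEFAULT_DB_TYPE}
+-    NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++    NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+   fi
+   certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}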
SOURCES/renegotiate-transitional.patch
@@ -1,12 +1,12 @@
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.transitional    2016-08-15 17:57:58.146879056 +0200
+++ nss/lib/ssl/sslsock.c    2016-08-15 17:58:02.365758224 +0200
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
     PR_FALSE,              /* noLocks            */
     PR_FALSE,              /* enableSessionTickets */
     PR_FALSE,              /* enableDeflate      */
-    2,                     /* enableRenegotiation (default: requires extension) */
+    3,                     /* enableRenegotiation (default: transitional) */
     PR_FALSE,              /* requireSafeNegotiation */
     PR_FALSE,              /* enableFalseStart   */
     PR_TRUE,               /* cbcRandomIV        */
--- nss/lib/ssl/sslsock.c.transitional    2018-03-09 17:21:52.593560971 +0100
+++ nss/lib/ssl/sslsock.c    2018-03-09 17:22:21.096926523 +0100
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
     .noLocks = PR_FALSE,
     .enableSessionTickets = PR_FALSE,
     .enableDeflate = PR_FALSE,
-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
+    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
     .requireSafeNegotiation = PR_FALSE,
     .enableFalseStart = PR_FALSE,
     .cbcRandomIV = PR_TRUE,
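Review bot: The rebased hunk changes the shipped default from SSL_RENEGOTIATE_REQUIRES_XTN to SSL_RENEGOTIATE_TRANSITIONAL, but the patch file has no header text explaining why, and the old version's trailing comment `/* enableRenegotiation (default: transitional) */` that at least named the intent is gone with the move to designated initializers. As I understand the NSS option, transitional mode keeps servers strict about the RFC 5746 renegotiation extension while still letting clients renegotiate with servers that lack it, so this is a compatibility-over-strictness choice that deserves a sentence above the `diff -up` line naming the downstream reason. The ssl_defaults initializer continues beyond the hunk on both sides.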
SPECS/nss.spec
@@ -1,9 +1,9 @@
%global nspr_version 4.17.0
%global nss_util_version 3.34.0
%global nspr_version 4.19.0
%global nss_util_version 3.36.0
%global nss_util_build -1
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.34.0
%global nss_softokn_version 3.34.0
%global nss_softokn_fips_version 3.36.0
%global nss_softokn_version 3.36.0
# Attention: Separate softokn versions for build and runtime.
%global runtime_required_softokn_build_version -1
# Building NSS doesn't require the same version of softokn built for runtime.
@@ -26,8 +26,8 @@
Summary:          Network Security Services
Name:             nss
Version:          3.34.0
Release:          4%{?dist}
Version:          3.36.0
Release:          5%{?dist}
License:          MPLv2.0
URL:              http://www.mozilla.org/projects/security/pki/nss/
Group:            System Environment/Libraries
@@ -123,24 +123,21 @@
Patch131: nss-disable-tls13-gtests.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch135: nss-check-policy-file.patch
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
Patch136: nss-sql-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
Patch137: nss-pkcs12-iterations-limit.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1447628
Patch138: nss-devslot-reinsert.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1453408
Patch139: nss-modutil-skip-changepw-fips.patch
# Work around for yum
# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
Patch141: nss-sysinit-getenv.patch
# Patches backported from 3.35:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265
Patch144: nss-pk12util-faulty-aes.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
Patch145: nss-increase-pkcs12-iterations.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847
Patch146: nss-modutil-suppress-password.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361
Patch147: nss-certutil-suppress-password.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557
# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171
Patch148: nss-pss-fixes.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
Patch149: nss-is-token-present-race.patch
# To revert the change in:
# https://hg.mozilla.org/projects/nss/rev/896e3eb3a799
Patch142: nss-lockcert-api-change.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -244,13 +241,12 @@
%patch130 -p1 -b .reorder-cipher-suites-gtests
%patch131 -p1 -b .disable-tls13-gtests
%patch135 -p1 -b .check_policy_file
%patch136 -p1 -R -b .sql-default
%patch137 -p1 -b .pkcs12-iterations-limit
%patch138 -p1 -b .devslot-reinsert
%patch139 -p1 -b .modutil-skip-changepw-fips
%patch141 -p1 -b .sysinit-getenv
%patch144 -p1 -b .pk12util-faulty-aes
%patch145 -p1 -b .increase-pkcs12-iterations
%patch146 -p1 -b .suppress-modutil-password
%patch147 -p1 -b .suppress-certutil-password
%patch148 -p1 -b .pss-fixes
%patch149 -p1 -b .is-token-present-race
%patch142 -p1 -R -b .lockcert-api-change
popd
#########################################################
@@ -356,6 +352,8 @@
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_DISABLE_TLS_1_3=1
export NSS_FORCE_FIPS=1
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
@@ -849,6 +847,24 @@
%changelog
* Wed Apr 18 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-5
- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h
* Fri Apr 13 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-4
- Work around modutil -changepw error if the old and new passwords are
  both empty in FIPS mode
* Tue Mar 27 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-3
- Decrease the iteration count of PKCS#12 for compatibility with Windows
- Fix deadlock when a token is re-inserted while a client process is running
* Mon Mar 12 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-2
- Set NSS_FORCE_FIPS=1 in %%build
- Revert the changes to tests assuming the default DB type
* Fri Mar  9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1
- Rebase to NSS 3.36
* Mon Jan 15 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-4
- Re-enable nss-is-token-present-race.patch