Network Security Services
CentOS Sources
2018-04-10 7f4443088d5ebc92a016375657da9cdcb11ae9d0
import nss-3.34.0-4.el7
6 files added
13 files deleted
6 files modified
8582 ■■■■ changed files
.gitignore 2 ●●● patch | view | raw | blame | history
.nss.metadata 2 ●●● patch | view | raw | blame | history
SOURCES/Bug-1001841-disable-sslv2-tests.patch 22 ●●●● patch | view | raw | blame | history
SOURCES/disable-pss.patch 72 ●●●●● patch | view | raw | blame | history
SOURCES/moz-1320932.patch 24 ●●●●● patch | view | raw | blame | history
SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch 4522 ●●●●● patch | view | raw | blame | history
SOURCES/nss-3.16-token-init-race.patch 363 ●●●●● patch | view | raw | blame | history
SOURCES/nss-alert-handler.patch 461 ●●●●● patch | view | raw | blame | history
SOURCES/nss-certutil-suppress-password.patch 20 ●●●●● patch | view | raw | blame | history
SOURCES/nss-disable-pss-gtests.patch 156 ●●●●● patch | view | raw | blame | history
SOURCES/nss-disable-tls13-gtests.patch 12 ●●●●● patch | view | raw | blame | history
SOURCES/nss-increase-pkcs12-iterations.patch 26 ●●●●● patch | view | raw | blame | history
SOURCES/nss-is-token-present-race.patch 203 ●●●● patch | view | raw | blame | history
SOURCES/nss-modutil-suppress-password.patch 20 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pk12util-force-unicode.patch 408 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pk12util.patch 765 ●●●●● patch | view | raw | blame | history
SOURCES/nss-pss-fixes.patch 649 ●●●●● patch | view | raw | blame | history
SOURCES/nss-reorder-cipher-suites-gtests.patch 47 ●●●●● patch | view | raw | blame | history
SOURCES/nss-skip-util-gtest.patch 47 ●●●● patch | view | raw | blame | history
SOURCES/nss-ssl3gthr.patch 301 ●●●●● patch | view | raw | blame | history
SOURCES/nss-tools-sha256-default.patch 107 ●●●●● patch | view | raw | blame | history
SOURCES/nss-transcript.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/nss-tstclnt-optspec.patch 21 ●●●●● patch | view | raw | blame | history
SOURCES/race.patch 123 ●●●●● patch | view | raw | blame | history
SPECS/nss.spec 146 ●●●● patch | view | raw | blame | history
.gitignore
@@ -10,7 +10,7 @@
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
SOURCES/nss-3.28.4.tar.gz
SOURCES/nss-3.34.0.tar.gz
SOURCES/nss-config.xml
SOURCES/secmod.db.xml
SOURCES/setup-nsssysinit.xml
.nss.metadata
@@ -10,7 +10,7 @@
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
f358559b9c058ec9ee54cca222722c671131f5cb SOURCES/nss-3.28.4.tar.gz
01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,7 +1,7 @@
diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
--- nss/tests/ssl/ssl.sh.disableSSL2tests    2017-01-04 15:24:24.000000000 +0100
+++ nss/tests/ssl/ssl.sh    2017-01-13 16:51:20.759277059 +0100
@@ -63,8 +63,14 @@ ssl_init()
--- nss/tests/ssl/ssl.sh.disableSSL2tests    2017-09-20 08:47:27.000000000 +0200
+++ nss/tests/ssl/ssl.sh    2017-10-06 16:19:10.812108552 +0200
@@ -69,8 +69,14 @@ ssl_init()
 
   # Test case files
   SSLCOV=${QADIR}/ssl/sslcov.txt
@@ -17,7 +17,7 @@
   SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
   REQUEST_FILE=${QADIR}/ssl/sslreq.dat
 
@@ -129,7 +135,11 @@ is_selfserv_alive()
@@ -128,7 +134,11 @@ is_selfserv_alive()
   fi
 
   echo "kill -0 ${PID} >/dev/null 2>/dev/null"
@@ -29,8 +29,8 @@
 
   echo "selfserv with PID ${PID} found at `date`"
 }
@@ -153,7 +163,11 @@ wait_for_selfserv()
       ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
@@ -152,7 +162,11 @@ wait_for_selfserv()
       ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
               -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
       if [ $? -ne 0 ]; then
+          if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
@@ -41,16 +41,16 @@
       fi
   fi
   is_selfserv_alive
@@ -272,7 +286,7 @@ ssl_cov()
@@ -275,7 +289,7 @@ ssl_cov()
   start_selfserv # Launch the server
 
   VMIN="ssl3"
-  VMAX="tls1.1"
+  VMAX="tls1.2"
 
   exec < ${SSLCOV}
   ignore_blank_lines ${SSLCOV} | \
   while read ectype testmax param testname
@@ -280,6 +294,12 @@ ssl_cov()
@@ -283,6 +297,12 @@ ssl_cov()
       echo "${testname}" | grep "EXPORT" > /dev/null
       EXP=$?
 
@@ -60,6 +60,6 @@
+         continue
+      fi
+
       if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
       if [ "$ectype" = "ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
       else
SOURCES/disable-pss.patch
File was deleted
SOURCES/moz-1320932.patch
File was deleted
SOURCES/nss-1334976-1336487-1345083-ca-2.14.patch
File was deleted
SOURCES/nss-3.16-token-init-race.patch
File was deleted
SOURCES/nss-alert-handler.patch
File was deleted
SOURCES/nss-certutil-suppress-password.patch
New file
@@ -0,0 +1,20 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1513770602 -3600
#      Wed Dec 20 12:50:02 2017 +0100
# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b
# Parent  5a14f42384eb22b67e0465949c03555eff41e4af
Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea
diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB
         certutil.commands[cmd_CreateAndAddCert].activated ||
         certutil.commands[cmd_AddCert].activated ||
         certutil.commands[cmd_AddEmailCert].activated) {
-        if (PK11_NeedUserInit(slot)) {
+        if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
             char *password = NULL;
             /* fetch the password from the command line or the file
              * if no password is supplied, initialize the password to NULL */
SOURCES/nss-disable-pss-gtests.patch
File was deleted
SOURCES/nss-disable-tls13-gtests.patch
New file
@@ -0,0 +1,12 @@
diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc
--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests    2017-10-16 17:13:51.798825185 +0200
+++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc    2017-10-16 17:14:08.238496409 +0200
@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P(
 INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
                         ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
                                            TlsConnectTestBase::kTlsV11V12));
+#if 0
 INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest,
                         TlsConnectTestBase::kTlsVariantsAll);
+#endif
 }  // namespace nss_test
SOURCES/nss-increase-pkcs12-iterations.patch
New file
@@ -0,0 +1,26 @@
# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1511356939 -3600
#      Wed Nov 22 14:22:19 2017 +0100
# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1
# Parent  6a27e4b4c92c8c3694132b75a1a54c23688789bd
Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer
diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
--- a/lib/pkcs7/p7create.c
+++ b/lib/pkcs7/p7create.c
@@ -18,7 +18,13 @@
 #include "secder.h"
 #include "secpkcs5.h"
-const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */
+const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */
+#ifdef DEBUG
+    10000
+#else
+    1000000
+#endif
+    ;
 static SECStatus
 sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
SOURCES/nss-is-token-present-race.patch
@@ -1,76 +1,191 @@
# HG changeset patch
# User Kamil Dudka <kdudka@redhat.com>
# Date 1484568851 -3600
#      Mon Jan 16 13:14:11 2017 +0100
# Node ID 754a4a1f6220fa99e72197408726da14419fc187
# Parent  b6a26d34c0e354344f81a73137deeb682c7961e0
Bug 1297397, avoid race condition in nssSlot_IsTokenPresent() that caused spurious SEC_ERROR_NO_TOKEN, r=rrelyea
# User Robert Relyea <rrelyea@redhat.com>
# Date 1516007838 -3600
#      Mon Jan 15 10:17:18 2018 +0100
# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670
# Parent  db32ef3be38eb06a91babbcbb48285284d704dbd
Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi
diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
--- a/lib/dev/devslot.c
+++ b/lib/dev/devslot.c
@@ -91,7 +91,7 @@ nssSlot_ResetDelay(
 }
 static PRBool
-within_token_delay_period(NSSSlot *slot)
+within_token_delay_period(const NSSSlot *slot)
 {
     PRIntervalTime time, lastTime;
     /* Set the delay time for checking the token presence */
@@ -103,7 +103,6 @@ within_token_delay_period(NSSSlot *slot)
     if ((lastTime) && ((time - lastTime) < s_token_delay_time)) {
         return PR_TRUE;
@@ -33,6 +33,8 @@ nssSlot_Destroy(
         if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) {
             PK11_FreeSlot(slot->pk11slot);
             PZ_DestroyLock(slot->base.lock);
+            PZ_DestroyCondVar(slot->isPresentCondition);
+            PZ_DestroyLock(slot->isPresentLock);
             return nssArena_Destroy(slot->base.arena);
         }
     }
-    slot->lastTokenPing = time;
     return PR_FALSE;
 }
@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent(
     nssSession *session;
     CK_SLOT_INFO slotInfo;
     void *epv;
+    PRBool isPresent = PR_FALSE;
+
     /* permanent slots are always present unless they're disabled */
     if (nssSlot_IsPermanent(slot)) {
         return !PK11_IsDisabled(slot->pk11slot);
     }
+
     /* avoid repeated calls to check token status within set interval */
+    PZ_Lock(slot->isPresentLock);
     if (within_token_delay_period(slot)) {
-        return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
+        CK_FLAGS ckFlags = slot->ckFlags;
+        PZ_Unlock(slot->isPresentLock);
+        return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
     }
+    PZ_Unlock(slot->isPresentLock);
 
@@ -136,6 +135,7 @@ nssSlot_IsTokenPresent(
-    /* First obtain the slot info */
+    /* First obtain the slot epv before we set up the condition
+     * variable, so we can just return if we couldn't get it. */
     epv = slot->epv;
     if (!epv) {
         return PR_FALSE;
     }
+
+    /* set up condition so only one thread is active in this part of the code at a time */
+    PZ_Lock(slot->isPresentLock);
+    while (slot->inIsPresent) {
+        PR_WaitCondVar(slot->isPresentCondition, 0);
+    }
+    /* if we were one of multiple threads here, the first thread will have
+     * given us the answer, no need to make more queries of the token. */
+    if (within_token_delay_period(slot)) {
+        CK_FLAGS ckFlags = slot->ckFlags;
+        PZ_Unlock(slot->isPresentLock);
+        return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+    }
+    /* this is the winning thread, block all others until we've determined
+     * if the token is present and that it needs initialization. */
+    slot->inIsPresent = PR_TRUE;
+    PZ_Unlock(slot->isPresentLock);
+
     nssSlot_EnterMonitor(slot);
     ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
     nssSlot_ExitMonitor(slot);
     if (ckrv != CKR_OK) {
         slot->token->base.name[0] = 0; /* XXX */
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
-        slot->lastTokenPing = PR_IntervalNow();
-        return PR_FALSE;
+        isPresent = PR_FALSE;
+        goto done;
     }
     slot->ckFlags = slotInfo.flags;
@@ -143,6 +143,7 @@ nssSlot_IsTokenPresent(
     /* check for the presence of the token */
     if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
         if (!slot->token) {
             /* token was never present */
+            slot->lastTokenPing = PR_IntervalNow();
             return PR_FALSE;
-            slot->lastTokenPing = PR_IntervalNow();
-            return PR_FALSE;
+            isPresent = PR_FALSE;
+            goto done;
         }
         session = nssToken_GetDefaultSession(slot->token);
@@ -165,6 +166,7 @@ nssSlot_IsTokenPresent(
         if (session) {
@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent(
         slot->token->base.name[0] = 0; /* XXX */
         /* clear the token cache */
         nssToken_Remove(slot->token);
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
-        slot->lastTokenPing = PR_IntervalNow();
-        return PR_FALSE;
+        isPresent = PR_FALSE;
+        goto done;
     }
     /* token is present, use the session info to determine if the card
@@ -187,8 +189,10 @@ nssSlot_IsTokenPresent(
         isPresent = session->handle != CK_INVALID_SESSION;
      * has been removed and reinserted.
      */
     session = nssToken_GetDefaultSession(slot->token);
     if (session) {
-        PRBool isPresent = PR_FALSE;
+        PRBool tokenRemoved;
         nssSession_EnterMonitor(session);
         if (session->handle != CK_INVALID_SESSION) {
             CK_SESSION_INFO sessionInfo;
@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent(
                 session->handle = CK_INVALID_SESSION;
             }
         }
-        isPresent = session->handle != CK_INVALID_SESSION;
+        tokenRemoved = (session->handle == CK_INVALID_SESSION);
         nssSession_ExitMonitor(session);
         /* token not removed, finished */
-        if (isPresent)
+        if (isPresent) {
+            slot->lastTokenPing = PR_IntervalNow();
             return PR_TRUE;
+        }
-        if (isPresent) {
-            slot->lastTokenPing = PR_IntervalNow();
-            return PR_TRUE;
+        if (!tokenRemoved) {
+            isPresent = PR_TRUE;
+            goto done;
         }
     }
     /* the token has been removed, and reinserted, or the slot contains
      * a token it doesn't recognize. invalidate all the old
@@ -201,8 +205,11 @@ nssSlot_IsTokenPresent(
@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent(
     nssToken_Remove(slot->token);
     /* token has been removed, need to refresh with new session */
     nssrv = nssSlot_Refresh(slot);
+    isPresent = PR_TRUE;
     if (nssrv != PR_SUCCESS) {
         slot->token->base.name[0] = 0; /* XXX */
         slot->ckFlags &= ~CKF_TOKEN_PRESENT;
+        /* TODO: insert a barrier here to avoid reordering of the assingments */
+        slot->lastTokenPing = PR_IntervalNow();
         return PR_FALSE;
-        /* TODO: insert a barrier here to avoid reordering of the assingments */
-        slot->lastTokenPing = PR_IntervalNow();
-        return PR_FALSE;
+        isPresent = PR_FALSE;
     }
+    slot->lastTokenPing = PR_IntervalNow();
     return PR_TRUE;
+done:
+    /* Once we've set up the condition variable,
+     * Before returning, it's necessary to:
+     *  1) Set the lastTokenPing time so that any other threads waiting on this
+     *     initialization and any future calls within the initialization window
+     *     return the just-computed status.
+     *  2) Indicate we're complete, waking up all other threads that may still
+     *     be waiting on initialization can progress.
+     */
+    PZ_Lock(slot->isPresentLock);
     slot->lastTokenPing = PR_IntervalNow();
-    return PR_TRUE;
+    slot->inIsPresent = PR_FALSE;
+    PR_NotifyAllCondVar(slot->isPresentCondition);
+    PZ_Unlock(slot->isPresentLock);
+    return isPresent;
 }
 NSS_IMPLEMENT void *
@@ -229,7 +269,7 @@ nssSlot_GetToken(
     if (nssSlot_IsTokenPresent(slot)) {
         /* Even if a token should be present, check `slot->token` too as it
-     * might be gone already. This would happen mostly on shutdown. */
+         * might be gone already. This would happen mostly on shutdown. */
         nssSlot_EnterMonitor(slot);
         if (slot->token)
             rvToken = nssToken_AddRef(slot->token);
diff --git a/lib/dev/devt.h b/lib/dev/devt.h
--- a/lib/dev/devt.h
+++ b/lib/dev/devt.h
@@ -81,6 +81,9 @@ struct NSSSlotStr {
     PZLock *lock;
     void *epv;
     PK11SlotInfo *pk11slot;
+    PZLock *isPresentLock;
+    PRCondVar *isPresentCondition;
+    PRBool inIsPresent;
 };
 struct nssSessionStr {
diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c
--- a/lib/pk11wrap/dev3hack.c
+++ b/lib/pk11wrap/dev3hack.c
@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
     /* Grab the slot name from the PKCS#11 fixed-length buffer */
     rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena);
     rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
+    rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
+    rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
+    rvSlot->inIsPresent = PR_FALSE;
     return rvSlot;
 }
 
SOURCES/nss-modutil-suppress-password.patch
New file
@@ -0,0 +1,20 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1510244757 -3600
#      Thu Nov 09 17:25:57 2017 +0100
# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24
# Parent  54be8a4501d454b2b7454e4a44ea013738e0b693
Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie
diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
--- a/cmd/modutil/pk11.c
+++ b/cmd/modutil/pk11.c
@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile,
                 ret = BAD_PW_ERR;
                 goto loser;
             }
-        } else {
+        } else if (PK11_NeedLogin(slot)) {
             for (matching = PR_FALSE; !matching;) {
                 oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
                 if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
SOURCES/nss-pk12util-force-unicode.patch
File was deleted
SOURCES/nss-pk12util.patch
File was deleted
SOURCES/nss-pss-fixes.patch
New file
@@ -0,0 +1,649 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1510136005 -3600
#      Wed Nov 08 11:13:25 2017 +0100
# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62
# Parent  d515199921dd703087f7e0e03eb71058a015934d
Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt
Reviewers: mt, rrelyea
Reviewed By: mt
Bug #: 1415171
Differential Revision: https://phabricator.services.mozilla.com/D202
diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte
             SECU_Indent(out, level + 1);
             fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
         } else {
-            SECU_PrintInteger(out, &param.saltLength, "Salt Length", level + 1);
+            SECU_PrintInteger(out, &param.saltLength, "Salt length", level + 1);
         }
     } else {
         SECU_Indent(out, level + 1);
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
         mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
     }
-    rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
-    if (rv != SECSuccess) {
-        return rv;
+    if (params->saltLength.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&params->saltLength, &saltLength);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+    } else {
+        saltLength = 20; /* default, 20 */
     }
     mech->sLen = saltLength;
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
     SECKEYRSAPSSParams pssParams;
     int modBytes, hashLength;
     unsigned long saltLength;
+    PRBool defaultSHA1 = PR_FALSE;
     SECStatus rv;
     if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
         if (rv != SECSuccess) {
             return NULL;
         }
+        defaultSHA1 = PR_TRUE;
     }
     if (pssParams.trailerField.data) {
@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool *
     /* Determine the hash algorithm to use, based on hashAlgTag and
      * pssParams.hashAlg; there are four cases */
     if (hashAlgTag != SEC_OID_UNKNOWN) {
+        SECOidTag tag = SEC_OID_UNKNOWN;
+
         if (pssParams.hashAlg) {
-            if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) {
-                PORT_SetError(SEC_ERROR_INVALID_ARGS);
-                return NULL;
-            }
+            tag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
+        } else if (defaultSHA1) {
+            tag = SEC_OID_SHA1;
+        }
+
+        if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) {
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return NULL;
         }
     } else if (hashAlgTag == SEC_OID_UNKNOWN) {
         if (pssParams.hashAlg) {
             hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
+        } else if (defaultSHA1) {
+            hashAlgTag = SEC_OID_SHA1;
         } else {
             /* Find a suitable hash algorithm based on the NIST recommendation */
             if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */
@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool *
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
             return NULL;
         }
+    } else if (defaultSHA1) {
+        if (hashAlgTag != SEC_OID_SHA1) {
+            PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+            return NULL;
+        }
     }
     hashLength = HASH_ResultLenByOidTag(hashAlgTag);
@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool *
             PORT_SetError(SEC_ERROR_INVALID_ARGS);
             return NULL;
         }
+    } else if (defaultSHA1) {
+        saltLength = 20;
     }
     /* Fill in the parameters */
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -516,6 +516,9 @@ cert_all_CA()
     cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
     rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
+    ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+    cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
+    rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
 #
 #       Create EC version of TestCA
@@ -2054,7 +2057,7 @@ check_sign_algo()
 {
   certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
       sed -n '/^ *Data:/,/^$/{
-/^        Signature Algorithm/,/^ *Salt Length/s/^        //p
+/^        Signature Algorithm/,/^ *Salt length/s/^        //p
 }' > ${TMP}/signalgo.txt
   diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
@@ -2088,6 +2091,12 @@ cert_test_rsapss()
   CU_ACTION="Verify RSA-PSS CA Cert"
   certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+  CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
+  certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+
+  CERTSERIAL=200
+
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explicit, with --pss-sign)
@@ -2098,7 +2107,7 @@ cert_test_rsapss()
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \
+  certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
         Hash algorithm: SHA-256
         Mask algorithm: PKCS #1 MGF1 Mask Generation Function
         Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Salt length: 32 (0x20)
 EOF
   check_sign_algo
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
   # Subject certificate: RSA
   # Issuer certificate: RSA
   # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
@@ -2127,7 +2138,7 @@ EOF
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \
+  certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
         Hash algorithm: SHA-512
         Mask algorithm: PKCS #1 MGF1 Mask Generation Function
         Mask hash algorithm: SHA-512
-        Salt Length: 64 (0x40)
+        Salt length: 64 (0x40)
 EOF
   check_sign_algo
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
   # Subject certificate: RSA
   # Issuer certificate: RSA-PSS
   # Signature: RSA-PSS
@@ -2156,7 +2169,69 @@ EOF
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \
+  certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert"
+  certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+
+  CU_ACTION="Verify $CERTNAME's Cert"
+  certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+  cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+    Parameters:
+        Hash algorithm: SHA-256
+        Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+        Mask hash algorithm: SHA-256
+        Salt length: 32 (0x20)
+EOF
+  check_sign_algo
+
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA
+  # Signature: RSA-PSS (explicit, with --pss-sign)
+  CERTNAME="TestUser-rsa-pss4"
+
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+  CU_ACTION="Import $CERTNAME's Cert"
+  certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${CERTNAME}.cert" 2>&1
+
+  CU_ACTION="Verify $CERTNAME's Cert"
+  certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+  cat > ${TMP}/signalgo.exp <<EOF
+Signature Algorithm: PKCS #1 RSA-PSS Signature
+    Parameters:
+        Hash algorithm: SHA-256
+        Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+        Mask hash algorithm: SHA-256
+        Salt length: 32 (0x20)
+EOF
+  check_sign_algo
+
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA-PSS
+  # Signature: RSA-PSS (explicit, with --pss-sign)
+  CERTNAME="TestUser-rsa-pss5"
+
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
         Hash algorithm: SHA-256
         Mask algorithm: PKCS #1 MGF1 Mask Generation Function
         Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Salt length: 32 (0x20)
 EOF
   check_sign_algo
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
   # Subject certificate: RSA-PSS
-  # Issuer certificate: RSA
-  # Signature: RSA-PSS (explicit, with --pss-sign)
-  CERTNAME="TestUser-rsa-pss4"
+  # Issuer certificate: RSA-PSS
+  # Signature: RSA-PSS (implicit, without --pss-sign)
+  CERTNAME="TestUser-rsa-pss6"
   CU_ACTION="Generate Cert Request for $CERTNAME"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \
+  # Sign without --pss-sign nor -Z option
+  certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
         Hash algorithm: SHA-256
         Mask algorithm: PKCS #1 MGF1 Mask Generation Function
         Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Salt length: 32 (0x20)
 EOF
   check_sign_algo
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
-  # Signature: RSA-PSS (explicit, with --pss-sign)
-  CERTNAME="TestUser-rsa-pss5"
+  # Signature: RSA-PSS (with conflicting hash algorithm)
+  CERTNAME="TestUser-rsa-pss7"
   CU_ACTION="Generate Cert Request for $CERTNAME"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
   certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \
+  RETEXPECTED=255
+  certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+  RETEXPECTED=0
+
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA-PSS
+  # Signature: RSA-PSS (with compatible hash algorithm)
+  CERTNAME="TestUser-rsa-pss8"
+
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
         Hash algorithm: SHA-256
         Mask algorithm: PKCS #1 MGF1 Mask Generation Function
         Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Salt length: 32 (0x20)
 EOF
   check_sign_algo
-  # Subject certificate: RSA-PSS
-  # Issuer certificate: RSA-PSS
-  # Signature: RSA-PSS (implicit, without --pss-sign)
-  CERTNAME="TestUser-rsa-pss6"
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  # Subject certificate: RSA
+  # Issuer certificate: RSA
+  # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
+  CERTNAME="TestUser-rsa-pss9"
   CU_ACTION="Generate Cert Request for $CERTNAME"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
-  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \
+  certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2255,39 +2354,27 @@ EOF
   cat > ${TMP}/signalgo.exp <<EOF
 Signature Algorithm: PKCS #1 RSA-PSS Signature
     Parameters:
-        Hash algorithm: SHA-256
-        Mask algorithm: PKCS #1 MGF1 Mask Generation Function
-        Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Hash algorithm: default, SHA-1
+        Mask algorithm: default, MGF1
+        Mask hash algorithm: default, SHA-1
+        Salt length: default, 20 (0x14)
 EOF
   check_sign_algo
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
   # Subject certificate: RSA-PSS
   # Issuer certificate: RSA-PSS
-  # Signature: RSA-PSS (with conflicting hash algorithm)
-  CERTNAME="TestUser-rsa-pss7"
+  # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
+  CERTNAME="TestUser-rsa-pss10"
   CU_ACTION="Generate Cert Request for $CERTNAME"
   CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
-  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req  2>&1
   CU_ACTION="Sign ${CERTNAME}'s Request"
-  RETEXPECTED=255
-  certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \
-        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
-  RETEXPECTED=0
-
-  # Subject certificate: RSA-PSS
-  # Issuer certificate: RSA-PSS
-  # Signature: RSA-PSS (with compatible hash algorithm)
-  CERTNAME="TestUser-rsa-pss8"
-
-  CU_ACTION="Generate Cert Request for $CERTNAME"
-  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
-  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
-
-  CU_ACTION="Sign ${CERTNAME}'s Request"
-  certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \
+  # Sign without --pss-sign nor -Z option
+  certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
         -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
   CU_ACTION="Import $CERTNAME's Cert"
@@ -2299,12 +2386,29 @@ EOF
   cat > ${TMP}/signalgo.exp <<EOF
 Signature Algorithm: PKCS #1 RSA-PSS Signature
     Parameters:
-        Hash algorithm: SHA-256
-        Mask algorithm: PKCS #1 MGF1 Mask Generation Function
-        Mask hash algorithm: SHA-256
-        Salt Length: 32 (0x20)
+        Hash algorithm: default, SHA-1
+        Mask algorithm: default, MGF1
+        Mask hash algorithm: default, SHA-1
+        Salt length: default, 20 (0x14)
 EOF
   check_sign_algo
+
+  CERTSERIAL=`expr $CERTSERIAL + 1`
+
+  # Subject certificate: RSA-PSS
+  # Issuer certificate: RSA-PSS
+  # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
+  CERTNAME="TestUser-rsa-pss11"
+
+  CU_ACTION="Generate Cert Request for $CERTNAME"
+  CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+  certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req  2>&1
+
+  CU_ACTION="Sign ${CERTNAME}'s Request"
+  RETEXPECTED=255
+  certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+        -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+  RETEXPECTED=0
 }
 ############################## cert_cleanup ############################
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1514884761 -3600
#      Tue Jan 02 10:19:21 2018 +0100
# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af
# Parent  e577b1df8dabb31466cebad07fdbe0883290bede
Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt
Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification.  It also add missing support for SHA224 as underlying hash algorithm.
Reviewers: mt
Reviewed By: mt
Bug #: 1423557
Differential Revision: https://phabricator.services.mozilla.com/D322
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t
             return CKM_SHA384;
         case SEC_OID_SHA256:
             return CKM_SHA256;
+        case SEC_OID_SHA224:
+            return CKM_SHA224;
+        case SEC_OID_SHA1:
+            return CKM_SHA_1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return CKM_INVALID_MECHANISM;
     }
-    return CKM_SHA_1;
 }
 static CK_RSA_PKCS_MGF_TYPE
@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
             return CKG_MGF1_SHA384;
         case SEC_OID_SHA256:
             return CKG_MGF1_SHA256;
+        case SEC_OID_SHA224:
+            return CKG_MGF1_SHA224;
+        case SEC_OID_SHA1:
+            return CKG_MGF1_SHA1;
         default:
             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-        /* fallthrough */
-        case SEC_OID_SHA1:
-            break;
+            return 0;
     }
-    return CKG_MGF1_SHA1;
 }
 SECStatus
@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
     SECStatus rv = SECSuccess;
     SECOidTag hashAlgTag;
     unsigned long saltLength;
+    unsigned long trailerField;
     PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
         hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
     }
     mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
+    if (mech->hashAlg == CKM_INVALID_MECHANISM) {
+        return SECFailure;
+    }
     if (params->maskAlg) {
         SECAlgorithmID maskHashAlg;
@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
         }
         maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
         mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
+        if (mech->mgf == 0) {
+            return SECFailure;
+        }
     } else {
         mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
     }
@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
     }
     mech->sLen = saltLength;
+    if (params->trailerField.data) {
+        rv = SEC_ASN1DecodeInteger((SECItem *)&params->trailerField, &trailerField);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        if (trailerField != 1) {
+            /* the value must be 1, which represents the trailer field
+             * with hexadecimal value 0xBC */
+            PORT_SetError(SEC_ERROR_INVALID_ARGS);
+            return SECFailure;
+        }
+    }
+
     return rv;
 }
diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/TestCA-bogus-rsa-pss1.crt
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
+biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
+IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
+GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
+Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
+U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
+ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
+AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
+yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
+SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
+xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
+/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
+Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
+BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
+OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
+ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
+HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
+nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
+pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
+hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
+uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
+-----END CERTIFICATE-----
diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/TestCA-bogus-rsa-pss2.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
+GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
+EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
+IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
+NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
+Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
+UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
+DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
+7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
+Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
+sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
+eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
+aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
+hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
+BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
+AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
+fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
+difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
+4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
+g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
+0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
+-----END CERTIFICATE-----
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -2095,6 +2095,20 @@ cert_test_rsapss()
   certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
         -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
+  certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
+  CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
+  certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+        -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
+  RETEXPECTED=255
+  certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
+  RETEXPECTED=0
+
   CERTSERIAL=200
   # Subject certificate: RSA
SOURCES/nss-reorder-cipher-suites-gtests.patch
New file
@@ -0,0 +1,47 @@
diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests    2017-09-20 08:47:27.000000000 +0200
+++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc    2017-10-06 16:41:39.223713982 +0200
@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
   // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
   // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
   // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
-  if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
+  // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+  // a higher priority than AES-128 GCM.
+  if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {
     return ssl_grp_ec_secp384r1;
   }
   return ssl_grp_ec_curve25519;
@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P(
                        ::testing::Values(TlsAgent::kServerEcdsa256),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
+  // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+  // a higher priority than AES-128 GCM, and that causes the following
+  // 3 TLS 1.2 tests to fail.
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
-                       TlsConnectTestBase::kTlsV12Plus,
+                       TlsConnectTestBase::kTlsV13,
                        ::testing::Values(TlsAgent::kServerEcdsa384),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
-                       TlsConnectTestBase::kTlsV12Plus,
+                       TlsConnectTestBase::kTlsV13,
                        ::testing::Values(TlsAgent::kServerEcdsa521),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
+#if 0
 INSTANTIATE_TEST_CASE_P(
     SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
     ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P(
                                          TlsAgent::kServerEcdsa384),
                        ::testing::Values(ssl_auth_ecdsa),
                        ::testing::Values(ssl_sig_ecdsa_sha1)));
+#endif
 }
SOURCES/nss-skip-util-gtest.patch
@@ -1,34 +1,33 @@
diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
--- nss/gtests/manifest.mn.skip-util-gtests    2017-01-30 02:06:08.000000000 +0100
+++ nss/gtests/manifest.mn    2017-02-17 12:55:55.064026636 +0100
@@ -9,7 +9,6 @@ DIRS = \
     google_test \
     common \
     der_gtest \
-    util_gtest \
     pk11_gtest \
     ssl_gtest \
         nss_bogo_shim \
diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests    2017-02-17 12:55:55.063026657 +0100
+++ nss/gtests/ssl_gtest/manifest.mn    2017-02-17 12:55:55.064026636 +0100
@@ -48,6 +48,6 @@ REQUIRES = nspr nss libdbm gtest
--- nss/gtests/manifest.mn.skip-util-gtests    2017-09-20 08:47:27.000000000 +0200
+++ nss/gtests/manifest.mn    2017-10-19 11:02:27.773910909 +0200
@@ -32,6 +32,5 @@ endif
 
 PROGRAM = ssl_gtest
 EXTRA_LIBS = $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
-             $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX)
+             -lsoftokn3
 DIRS = \
     $(LIB_SRCDIRS) \
-    $(UTIL_SRCDIRS) \
     $(NSS_SRCDIRS) \
     $(NULL)
diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests    2017-09-20 08:47:27.000000000 +0200
+++ nss/gtests/ssl_gtest/manifest.mn    2017-10-19 11:02:27.773910909 +0200
@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest
 EXTRA_LIBS += \
       $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
       $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
+      -lsoftokn3
       $(NULL)
 
 USE_STATIC_LIBS = 1
diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
--- nss/tests/gtests/gtests.sh.skip-util-gtests    2017-02-17 12:56:49.434880888 +0100
+++ nss/tests/gtests/gtests.sh    2017-02-17 12:56:54.677770408 +0100
@@ -82,7 +82,7 @@ gtest_cleanup()
--- nss/tests/gtests/gtests.sh.skip-util-gtests    2017-09-20 08:47:27.000000000 +0200
+++ nss/tests/gtests/gtests.sh    2017-10-19 11:03:57.473976538 +0200
@@ -83,7 +83,7 @@ gtest_cleanup()
 }
 
 ################## main #################################################
-GTESTS="der_gtest pk11_gtest util_gtest"
+GTESTS="der_gtest pk11_gtest"
-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest"
+GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest"
 SOURCE_DIR="$PWD"/../..
 gtest_init $0
 gtest_start
 gtest_cleanup
SOURCES/nss-ssl3gthr.patch
File was deleted
SOURCES/nss-tools-sha256-default.patch
File was deleted
SOURCES/nss-transcript.patch
File was deleted
SOURCES/nss-tstclnt-optspec.patch
File was deleted
SOURCES/race.patch
File was deleted
SPECS/nss.spec
@@ -1,13 +1,13 @@
%global nspr_version 4.13.1
%global nss_util_version 3.28.4
%global nss_util_build -2
%global nspr_version 4.17.0
%global nss_util_version 3.34.0
%global nss_util_build -1
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.16.2
%global nss_softokn_version 3.28.3
%global nss_softokn_fips_version 3.34.0
%global nss_softokn_version 3.34.0
# Attention: Separate softokn versions for build and runtime.
%global runtime_required_softokn_build_version -4
# Building NSS doesn't require the softokn -13 build.
%global build_required_softokn_build_version -4
%global runtime_required_softokn_build_version -1
# Building NSS doesn't require the same version of softokn built for runtime.
%global build_required_softokn_build_version -1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -26,8 +26,8 @@
Summary:          Network Security Services
Name:             nss
Version:          3.28.4
Release:          15%{?dist}
Version:          3.34.0
Release:          4%{?dist}
License:          MPLv2.0
URL:              http://www.mozilla.org/projects/security/pki/nss/
Group:            System Environment/Libraries
@@ -113,54 +113,34 @@
Patch56:          p-ignore-setpolicy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
Patch62: nss-fix-deadlock-squash.patch
# Two patches from from rhel6.8 that are also needed for rhel-7
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
Patch74: race.patch
Patch94: nss-3.16-token-init-race.patch
Patch100: fix-min-library-version-in-SSLVersionRange.patch
Patch108: nss-sni-c-v-fix.patch
Patch123: nss-skip-util-gtest.patch
Patch126: nss-reorder-cipher-suites.patch
Patch127: nss-disable-cipher-suites.patch
Patch128: nss-enable-cipher-suites.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1320932
Patch129: moz-1320932.patch
# Disable RSA-PSS until the feature is complete
Patch130: disable-pss.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1341054
Patch132: nss-tstclnt-optspec.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1336487
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345083
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1350859
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1349705
Patch133: nss-1334976-1336487-1345083-ca-2.14.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=956866
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1360207
Patch134: nss-alert-handler.patch
Patch130: nss-reorder-cipher-suites-gtests.patch
Patch131: nss-disable-tls13-gtests.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch135: nss-check-policy-file.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1345106
Patch136: nss-tools-sha256-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1297397
Patch137: nss-is-token-present-race.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1353724
Patch138: nss-pk12util.patch
Patch139: nss-disable-pss-gtests.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1328122
Patch140: nss-ssl3gthr.patch
# Work around for yum
# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
Patch141: nss-sysinit-getenv.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
Patch142: nss-transcript.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1399867
Patch143: nss-pk12util-force-unicode.patch
# Not upstreamed yet:
# https://bugzilla.redhat.com/show_bug.cgi?id=1493911
# Patches backported from 3.35:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265
Patch144: nss-pk12util-faulty-aes.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
Patch145: nss-increase-pkcs12-iterations.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847
Patch146: nss-modutil-suppress-password.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361
Patch147: nss-certutil-suppress-password.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557
# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171
Patch148: nss-pss-fixes.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
Patch149: nss-is-token-present-race.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -254,30 +234,23 @@
%patch56 -p1 -b .1026677_ignore_set_policy
%patch62 -p1 -b .fix_deadlock
%patch100 -p0 -b .1171318
%patch74 -p1 -b .race
popd
%patch94 -p0 -b .init-token-race
%patch108 -p0 -b .sni_c_v_fix
pushd nss
%patch123 -p1 -b .skip-util-gtests
%patch126 -p1 -b .reorder-cipher-suites
%patch127 -p1 -b .disable-cipher-suites
%patch128 -p1 -b .enable-cipher-suites
%patch129 -p1 -b .fix_ssl_sh_typo
%patch130 -p1 -b .disable_pss
%patch132 -p1 -b .tstclnt-optspec
%patch133 -p1 -b .mozilla-ca-policy-plus-ca-2.14
%patch134 -p1 -b .alert-handler
%patch130 -p1 -b .reorder-cipher-suites-gtests
%patch131 -p1 -b .disable-tls13-gtests
%patch135 -p1 -b .check_policy_file
%patch136 -p1 -b .tools-sha256-default
%patch137 -p1 -b .is-token-present-race
%patch138 -p1 -b .pk12util
%patch139 -p1 -b .disable-pss-gtests
%patch140 -p1 -b .ssl3gthr
%patch141 -p1 -b .sysinit-getenv
%patch142 -p1 -b .transcript
%patch143 -p1 -b .pk12util-force-unicode
%patch144 -p1 -b .pk12util-faulty-aes
%patch145 -p1 -b .increase-pkcs12-iterations
%patch146 -p1 -b .suppress-modutil-password
%patch147 -p1 -b .suppress-certutil-password
%patch148 -p1 -b .pss-fixes
%patch149 -p1 -b .is-token-present-race
popd
#########################################################
@@ -381,6 +354,9 @@
##### phase 2: build the rest of nss
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_DISABLE_TLS_1_3=1
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
@@ -491,6 +467,10 @@
%endif
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_DISABLE_TLS_1_3=1
export NSS_FORCE_FIPS=1
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
@@ -846,6 +826,7 @@
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl.h
%{_includedir}/nss3/sslerr.h
%{_includedir}/nss3/sslexp.h
%{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h
@@ -868,20 +849,51 @@
%changelog
* Wed Sep 27 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-15
* Mon Jan 15 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-4
- Re-enable nss-is-token-present-race.patch
* Fri Jan  5 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-3
- Temporarily disable nss-is-token-present-race.patch
* Thu Jan  4 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-2
- Backport necessary changes from 3.35
* Fri Nov 24 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1
- Rebase to NSS 3.34
* Mon Oct 30 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-0.1.beta1
- Rebase to NSS 3.34.BETA1
* Wed Oct 25 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-3
- Disable TLS 1.3
* Wed Oct 18 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-2
- Enable TLS 1.3
* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1
- Rebase to NSS 3.33
- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants)
- Temporarily disable race.patch and nss-3.16-token-init-race.patch,
  which causes a deadlock in newly added test cases
- Remove upstreamed patches: moz-1320932.patch,
  nss-tstclnt-optspec.patch,
  nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch,
  nss-tools-sha256-default.patch, nss-is-token-present-race.patch,
  nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch
* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
* Thu Sep 21 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
- Update iquote.patch to prefer nss.h from the source
* Wed Sep 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
- Add backward compatibility to pk12util regarding password encoding
* Fri Aug  4 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
* Thu Aug 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-11
- Backport patch to simplify transcript calculation for CertificateVerify
* Fri Jul 14 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-11
- Rebuild to get correct release suffix (.el7 -> .el7_4)
- Enable TLS 1.3 and RSA-PSS
- Disable some upstream tests failing due to downstream ciphersuites changes
* Thu Jul 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-10
- Work around yum crash due to new NSPR symbol being used in nss-sysinit,