diff --git a/.gitignore b/.gitignore
index fb97387..51984f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
SOURCES/PayPalEE.cert
+SOURCES/PayPalICA.cert
SOURCES/blank-cert8.db
SOURCES/blank-cert9.db
SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
-SOURCES/nss-3.16.2.3.tar.gz
+SOURCES/nss-3.18.0.tar.gz
SOURCES/nss-config.xml
SOURCES/nss-pem-20140125.tar.bz2
SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index b2fbd5a..f1cb2d2 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,5 @@
-084be8769682236828d8e9dc55901e53e8eb8432 SOURCES/PayPalEE.cert
+86cf4eb313dda4bd86a6d096ecc5aee07ee5e124 SOURCES/PayPalEE.cert
+a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-264abc5af31eab16e2245e33a71f77cc7aae5c39 SOURCES/nss-3.16.2.3.tar.gz
+38889e39147cf4d6ccd46dbb28f24ee69b2033c1 SOURCES/nss-3.18.0.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index efbbfe8..07a7eb1 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -14,18 +14,18 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
+DEFINES += -DNSS_NO_SSL2
+endif
+
+ # Allow build-time configuration of TLS 1.3 (Experimental)
+ ifdef NSS_ENABLE_TLS_1_3
+ DEFINES += -DNSS_ENABLE_TLS_1_3
+ endif
+
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
- CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
-
- EXTRA_LIBS += \
- $(CRYPTOLIB) \
- $(NULL)
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
-@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
ss->cipherSpecs = NULL;
@@ -39,8 +39,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
-+ break;
-+ ss->opt.enableSSL2 = on;
+#else
if (IS_DTLS(ss)) {
if (on) {
@@ -50,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break;
}
ss->opt.enableSSL2 = on;
-@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->opt.v2CompatibleHello = on;
}
ss->preferredCipher = NULL;
@@ -79,7 +77,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
-+ break;
+ }
+#else
if (IS_DTLS(ss)) {
@@ -101,27 +98,45 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
break;
case SSL_NO_STEP_DOWN:
- ss->opt.noStepDown = on;
-@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
-
- if (rv != SECSuccess) {
- return rv;
- }
-
- if (ssl_IsRemovedCipherSuite(which)) {
- rv = SECSuccess;
- } else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
-+ rv = SSL_ERROR_SSL2_DISABLED;
++ if (!on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ }
+#else
- rv = ssl2_SetPolicy(which, policy);
+ ss->opt.noStepDown = on;
+ if (on)
+ SSL_DisableExportCipherSuites(fd);
+#endif /* NSS_NO_SSL2 */
- } else {
- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+ break;
+
+ case SSL_BYPASS_PKCS11:
+ if (ss->handshakeBegun) {
+ PORT_SetError(PR_INVALID_STATE_ERROR);
+ rv = SECFailure;
+ } else {
+ if (PR_FALSE != on) {
+@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
}
- return rv;
+ return SECSuccess;
}
- SECStatus
- SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
-
+ /* function tells us if the cipher suite is one that we no longer support. */
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2
++ /* both ssl2 and export cipher suites disabled */
++ if (SSL_IS_SSL2_CIPHER(suite))
++ return PR_TRUE;
++ if (SSL_IsExportCipherSuite(suite))
++ return PR_TRUE;
++#endif /* NSS_NO_SSL2_NO_EXPORT */
+ switch (suite) {
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
+ case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
+ return PR_TRUE;
+ default:
+ return PR_FALSE;
+ }
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index c8a0ce0..6ed54ef 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,7 +1,7 @@
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
-@@ -57,18 +57,23 @@ ssl_init()
+@@ -57,19 +57,23 @@ ssl_init()
fi
PORT=${PORT-8443}
@@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
# Test case files
- SSLCOV=${QADIR}/ssl/sslcov.txt
-+ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
-+ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
-+ || ${QADIR}/ssl/sslcov.txt
- SSLAUTH=${QADIR}/ssl/sslauth.txt
-+ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
-+ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
-+ || ${QADIR}/ssl/sslstress.txt
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
+- SSLAUTH=${QADIR}/ssl/sslauth.txt
+- SSLSTRESS=${QADIR}/ssl/sslstress.txt
++ if [ "${NSS_NO_SSL2}" = "1" ]; then
++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++ else
++ SSLCOV=${QADIR}/ssl/sslcov.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.txt
++ fi
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
#temparary files
@@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
SERVERPID=${TMP}/tests_pid.$$
R_SERVERPID=../tests_pid.$$
-@@ -115,17 +120,21 @@ is_selfserv_alive()
+
+@@ -115,17 +119,21 @@ is_selfserv_alive()
if [ "${OS_ARCH}" = "WINNT" ] && \
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
PID=${SHELL_SERVERPID}
@@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
-+ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then
+ echo "No server to kill"
+ else
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
@@ -48,7 +50,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
# local shell function to wait until selfserver is running and initialized
########################################################################
wait_for_selfserv()
-@@ -138,17 +147,21 @@ wait_for_selfserv()
+@@ -138,17 +146,21 @@ wait_for_selfserv()
if [ $? -ne 0 ]; then
sleep 5
echo "retrying to connect to selfserv at `date`"
@@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
########################################################################
-@@ -273,16 +286,19 @@ ssl_cov()
+@@ -273,16 +285,19 @@ ssl_cov()
exec < ${SSLCOV}
while read ectype testmax param testname
do
diff --git a/SOURCES/Bug-1174527-fixsegfault.patch b/SOURCES/Bug-1174527-fixsegfault.patch
deleted file mode 100644
index ff24334..0000000
--- a/SOURCES/Bug-1174527-fixsegfault.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
---- a/lib/pkcs12/p12local.c
-+++ b/lib/pkcs12/p12local.c
-@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre
- if(!arena) {
- PORT_Free(dest->data);
- dest->data = NULL;
- dest->len = 0;
- }
- return PR_FALSE;
- }
-
-- if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
-+ if ((dest->len >= 2) &&
-+ (dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) {
- if(dest->len + 2 > 3 * src->len) {
- if(arena) {
- dest->data = (unsigned char*)PORT_ArenaGrow(arena,
- dest->data, dest->len,
- dest->len + 2);
- } else {
- dest->data = (unsigned char*)PORT_Realloc(dest->data,
- dest->len + 2);
diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
deleted file mode 100644
index d3e0f21..0000000
--- a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
+++ /dev/null
@@ -1,154 +0,0 @@
-diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
---- a/lib/pki/pki3hack.c
-+++ b/lib/pki/pki3hack.c
-@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat
- }
-
- static CERTCertificate *
- stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
- {
- nssDecodedCert *dc = NULL;
- CERTCertificate *cc = NULL;
- CERTCertTrust certTrust;
-+ nssPKIObject *object = &c->object;
-
-- nssPKIObject_Lock(&c->object);
-+ /* make sure object does not go away until we finish */
-+ nssPKIObject_AddRef(object);
-+ nssPKIObject_Lock(object);
-
- dc = c->decoding;
- if (!dc) {
- dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding);
- if (!dc) {
- goto loser;
- }
- cc = (CERTCertificate *)dc->data;
-@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate *
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
-
- CERT_LockCertTrust(cc);
- cc->trust = trust;
- CERT_UnlockCertTrust(cc);
- }
-
- loser:
-- nssPKIObject_Unlock(&c->object);
-+ nssPKIObject_Unlock(object);
-+ nssPKIObject_Destroy(object);
- return cc;
- }
-
- NSS_IMPLEMENT CERTCertificate *
- STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
- {
- if (c->decoding) {
- return stan_GetCERTCertificate(c, PR_TRUE);
-@@ -1265,16 +1269,17 @@ done:
- */
- static PRStatus
- DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject)
- {
- int numNotDestroyed = 0; /* the ones skipped plus the failures */
- int failureCount = 0; /* actual deletion failures by devices */
- int index;
-
-+ nssPKIObject_AddRef(tObject);
- nssPKIObject_Lock(tObject);
- /* Keep going even if a module fails to delete. */
- for (index = 0; index < tObject->numInstances; index++) {
- nssCryptokiObject *instance = tObject->instances[index];
- if (!instance) {
- continue;
- }
-
-@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo
- if (numNotDestroyed == 0) {
- nss_ZFreeIf(tObject->instances);
- tObject->numInstances = 0;
- } else {
- tObject->numInstances = numNotDestroyed;
- }
-
- nssPKIObject_Unlock(tObject);
-+ nssPKIObject_Destroy(tObject);
-
- return failureCount == 0 ? PR_SUCCESS : PR_FAILURE;
- }
-
- /*
- ** Delete trust objects matching the slot of the given certificate.
- ** Returns an error if any device fails to delete.
- */
-@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert
- int i;
-
- /* Iterate through the cert and trust object instances looking for
- * those with matching pk11 slots to delete. Even if some device
- * can't delete we keep going. Keeping a status variable for the
- * loop so that once it's failed the other gets set.
- */
- NSSRWLock_LockRead(td->tokensLock);
-+ nssPKIObject_AddRef(cobject);
- nssPKIObject_Lock(cobject);
- for (i = 0; i < cobject->numInstances; i++) {
- nssCryptokiObject *cInstance = cobject->instances[i];
- if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) {
- PRStatus status;
- if (!tobject->numInstances || !tobject->instances) continue;
- status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject);
- if (status == PR_FAILURE) {
- /* set the outer one but keep going */
- nssrv = PR_FAILURE;
- }
- }
- }
- nssPKIObject_Unlock(cobject);
-+ nssPKIObject_Destroy(cobject);
- NSSRWLock_UnlockRead(td->tokensLock);
- return nssrv;
- }
-
- /* CERT_TraversePermCertsForSubject */
- NSS_IMPLEMENT PRStatus
- nssTrustDomain_TraverseCertificatesBySubject (
- NSSTrustDomain *td,
-diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c
---- a/lib/pki/tdcache.c
-+++ b/lib/pki/tdcache.c
-@@ -386,16 +386,17 @@ struct token_cert_dtor {
-
- static void
- remove_token_certs(const void *k, void *v, void *a)
- {
- NSSCertificate *c = (NSSCertificate *)k;
- nssPKIObject *object = &c->object;
- struct token_cert_dtor *dtor = a;
- PRUint32 i;
-+ nssPKIObject_AddRef(object);
- nssPKIObject_Lock(object);
- for (i=0; i<object->numInstances; i++) {
- if (object->instances[i]->token == dtor->token) {
- nssCryptokiObject_Destroy(object->instances[i]);
- object->instances[i] = object->instances[object->numInstances-1];
- object->instances[object->numInstances-1] = NULL;
- object->numInstances--;
- dtor->certs[dtor->numCerts++] = c;
-@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void *
- dtor->certs = nss_ZREALLOCARRAY(dtor->certs,
- NSSCertificate *,
- dtor->arrSize);
- }
- break;
- }
- }
- nssPKIObject_Unlock(object);
-+ nssPKIObject_Destroy(object);
- return;
- }
-
- /*
- * Remove all certs for the given token from the cache. This is
- * needed if the token is removed.
- */
- NSS_IMPLEMENT PRStatus
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
new file mode 100644
index 0000000..dae0196
Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ
diff --git a/SOURCES/certutil-man-supply-missing-options.patch b/SOURCES/certutil-man-supply-missing-options.patch
deleted file mode 100644
index 14bf738..0000000
--- a/SOURCES/certutil-man-supply-missing-options.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up ./nss/doc/certutil.xml.missing_options ./nss/doc/certutil.xml
---- ./nss/doc/certutil.xml.missing_options 2014-11-25 10:14:22.068846717 -0800
-+++ ./nss/doc/certutil.xml 2014-11-25 10:17:49.810974243 -0800
-@@ -204,6 +204,11 @@ If this option is not used, the validity
- </varlistentry>
-
- <varlistentry>
-+ <term>--dump-ext-val OID </term>
-+ <listitem><para>For single cert, print binary DER encoding of extension OID.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-e </term>
- <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
- </varlistentry>
-@@ -214,6 +219,26 @@ If this option is not used, the validity
- </varlistentry>
-
- <varlistentry>
-+ <term>--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... </term>
-+ <listitem>
-+ <para>
-+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
-+ </para>
-+ <itemizedlist>
-+ <listitem>
-+<para>OID (example): 1.2.3.4</para>
-+ </listitem>
-+ <listitem>
-+<para>critical-flag: critical or not-critical</para>
-+ </listitem>
-+ <listitem>
-+<para>filename: full path to a file containing an encoded extension</para>
-+ </listitem>
-+ </itemizedlist>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-f password-file</term>
- <listitem><para>Specify a file that will automatically supply the password to include in a certificate
- or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
-@@ -376,6 +401,15 @@ of the attribute codes:
- <para><command>V</command> (as an SSL server)</para>
- </listitem>
- <listitem>
-+<para><command>L</command> (as an SSL CA)</para>
-+ </listitem>
-+ <listitem>
-+<para><command>A</command> (as Any CA)</para>
-+ </listitem>
-+ <listitem>
-+<para><command>Y</command> (Verify CA)</para>
-+ </listitem>
-+ <listitem>
- <para><command>S</command> (as an email signer)</para>
- </listitem>
- <listitem>
-@@ -649,6 +683,17 @@ of the attribute codes:
- </varlistentry>
-
- <varlistentry>
-+ <term>--extSAN type:name[,type:name]...</term>
-+ <listitem><para>
-+Create a Subject Alt Name extension with one or multiple names.
-+ </para>
-+ <para>
-+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
-+ </para>
-+ </listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>--empty-password</term>
- <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
- </varlistentry>
diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
deleted file mode 100644
index ec7d6c8..0000000
--- a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
---- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800
-+++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800
-@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
- #else
- PRLock* lock;
- #endif
-- CERTCertificate* issuer; /* issuer cert
-- XXX there may be multiple issuer certs,
-- with different validity dates. Also
-- need to deal with SKID/AKID . See
-- bugzilla 217387, 233118 */
-+ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
-+ to the actual cert so the trust can be
-+ updated on the cert automatically.
-+ XXX there may be multiple issuer certs,
-+ with different validity dates. Also
-+ need to deal with SKID/AKID . See
-+ bugzilla 217387, 233118 */
-+
-+ CERTCertDBHandle *dbHandle;
-+
- SECItem* subject; /* DER of issuer subject */
- SECItem* distributionPoint; /* DER of distribution point. This may be
- NULL when distribution points aren't
-@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
- NSSRWLock* lock;
- CRLDPCache** dps;
- PLHashTable* distributionpoints;
-- CERTCertificate* issuer;
-+ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
- #endif
- };
-
-diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
---- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800
-+++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800
-@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
- PORT_Free(cache->crls);
- }
- /* destroy the cert */
-- if (cache->issuer)
-+ if (cache->issuerDERCert)
- {
-- CERT_DestroyCertificate(cache->issuer);
-+ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
- }
- /* free the subject */
- if (cache->subject)
-@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
- else
- {
- SECStatus signstatus = SECFailure;
-- if (cache->issuer)
-+ if (cache->issuerDERCert)
- {
-- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
-+ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
-+ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
-+
-+ if (issuer) {
-+ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
- wincx);
-+ CERT_DestroyCertificate(issuer);
-+ }
- }
- if (SECSuccess != signstatus)
- {
-- if (!cache->issuer)
-+ if (!cache->issuerDERCert)
- {
- /* we tried to verify without an issuer cert . This is
- because this CRL came through a call to SEC_FindCrlByName.
-@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
- }
-
- /* add issuer certificate if it was previously unavailable */
-- if (issuer && (NULL == cache->issuer) &&
-+ if (issuer && (NULL == cache->issuerDERCert) &&
- (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
- {
- /* if we didn't have a valid issuer cert yet, but we do now. add it */
- DPCache_LockWrite();
-- if (!cache->issuer)
-+ if (!cache->issuerDERCert)
- {
- dirty = PR_TRUE;
-- cache->issuer = CERT_DupCertificate(issuer);
-+ cache->dbHandle = issuer->dbhandle;
-+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
- }
- DPCache_UnlockWrite();
- }
-@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
- SEC_FindCrlByName, or through manual insertion, rather than through a
- certificate verification (CERT_CheckCRL) */
-
-- if (cache->issuer && vfdate )
-+ if (cache->issuerDERCert && vfdate )
- {
- mustunlock = PR_FALSE;
- /* re-process all unverified CRLs */
-@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
- }
- if (issuer)
- {
-- cache->issuer = CERT_DupCertificate(issuer);
-+ cache->dbHandle = issuer->dbhandle;
-+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
- }
- cache->distributionPoint = SECITEM_DupItem(dp);
- cache->subject = SECITEM_DupItem(subject);
-diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
---- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800
-+++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800
-@@ -974,6 +974,7 @@ check_ocsp()
- OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
- OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
-
-+ echo "Cert = ${CERT_NICK}.cert"
- echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
- tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
- return $?
diff --git a/SOURCES/expired-cert.patch b/SOURCES/expired-cert.patch
new file mode 100644
index 0000000..2754190
--- /dev/null
+++ b/SOURCES/expired-cert.patch
@@ -0,0 +1,28 @@
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -16,14 +16,14 @@ import BrAirWaysBadSig:x:
+
+ verify TestUser50:x
+ result pass
+
+ verify TestUser51:x
+ result pass
+
+ verify PayPalEE:x
+- policy OID.2.16.840.1.113733.1.7.23.6
++ policy OID.2.16.840.1.114412.1.1
+ result pass
+
+ verify BrAirWaysBadSig:x
+ result fail
+
+diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
+--- a/tests/libpkix/vfychain_test.lst
++++ b/tests/libpkix/vfychain_test.lst
+@@ -1,4 +1,4 @@
+ # Status | Leaf Cert | Policies | Others(undef)
+ 0 TestUser50 undef
+ 0 TestUser51 undef
+-0 PayPalEE OID.2.16.840.1.113733.1.7.23.6
++0 PayPalEE OID.2.16.840.1.114412.1.1
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index ba9cb71..6e03b38 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -9,6 +9,18 @@ diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile
#######################################################################
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote 2015-03-25 15:52:30.276938803 -0700
++++ ./nss/cmd/certutil/Makefile 2015-03-25 15:53:53.044536721 -0700
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+
+ #######################################################################
diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
--- ./nss/cmd/httpserv/Makefile.iquote 2014-01-18 11:33:15.058108851 -0800
+++ ./nss/cmd/httpserv/Makefile 2014-01-18 11:34:08.913478276 -0800
diff --git a/SOURCES/nss-3.16-tcache-race.patch b/SOURCES/nss-3.16-tcache-race.patch
deleted file mode 100644
index 8bbb329..0000000
--- a/SOURCES/nss-3.16-tcache-race.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff -up ./nss/lib/pki/tdcache.c.race ./nss/lib/pki/tdcache.c
---- ./nss/lib/pki/tdcache.c.race 2014-12-18 15:39:42.975354956 -0800
-+++ ./nss/lib/pki/tdcache.c 2014-12-18 15:42:33.934201074 -0800
-@@ -399,6 +399,8 @@ remove_token_certs(const void *k, void *
- object->instances[i] = object->instances[object->numInstances-1];
- object->instances[object->numInstances-1] = NULL;
- object->numInstances--;
-+ /* make sure id doesn't disappear on us before we finish */
-+ nssPKIObject_AddRef(object);
- dtor->certs[dtor->numCerts++] = c;
- if (dtor->numCerts == dtor->arrSize) {
- dtor->arrSize *= 2;
-@@ -441,13 +443,15 @@ nssTrustDomain_RemoveTokenCertsFromCache
- for (i=0; i<dtor.numCerts; i++) {
- if (dtor.certs[i]->object.numInstances == 0) {
- nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
-+ nssPKIObject_Destroy(&dtor.certs[i]->object);
- dtor.certs[i] = NULL; /* skip this cert in the second for loop */
-- }
-+ }
- }
- PZ_Unlock(td->cache->lock);
- for (i=0; i<dtor.numCerts; i++) {
- if (dtor.certs[i]) {
- STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
-+ nssPKIObject_Destroy(&dtor.certs[i]->object);
- }
- }
- nss_ZFreeIf(dtor.certs);
diff --git a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
new file mode 100644
index 0000000..3e95d9b
--- /dev/null
+++ b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch
@@ -0,0 +1,326 @@
+diff -up ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 ./nss/lib/ckfw/builtins/certdata.txt
+--- ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100
++++ ./nss/lib/ckfw/builtins/certdata.txt 2015-04-23 18:49:24.536940322 +0200
+@@ -187,9 +187,9 @@ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\065\336\364\317
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
+@@ -17341,149 +17341,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+-# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-#
+-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Not Valid Before: Thu Jan 04 11:32:48 2007
+-# Not Valid After : Wed Jan 04 11:32:48 2017
+-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+-CKA_SUBJECT MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_ID UTF8 "0"
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
+-\254\265
+-END
+-CKA_VALUE MULTILINE_OCTAL
+-\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104
+-\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060
+-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165
+-\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060
+-\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156
+-\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151
+-\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003
+-\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154
+-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151
+-\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171
+-\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061
+-\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061
+-\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006
+-\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105
+-\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040
+-\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074
+-\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156
+-\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040
+-\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164
+-\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042
+-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003
+-\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040
+-\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325
+-\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124
+-\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363
+-\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234
+-\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123
+-\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013
+-\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213
+-\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307
+-\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274
+-\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060
+-\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002
+-\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054
+-\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256
+-\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265
+-\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224
+-\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001
+-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377
+-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377
+-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026
+-\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004
+-\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015
+-\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143
+-\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317
+-\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012
+-\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337
+-\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122
+-\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164
+-\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147
+-\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343
+-\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234
+-\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237
+-\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227
+-\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056
+-\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353
+-\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152
+-\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010
+-\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043
+-\336\102\343\055\202\361\017\345\372\227
+-END
+-
+-# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5
+-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR
+-# Not Valid Before: Thu Jan 04 11:32:48 2007
+-# Not Valid After : Wed Jan 04 11:32:48 2017
+-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B
+-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34
+-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+-CKA_TOKEN CK_BBOOL CK_TRUE
+-CKA_PRIVATE CK_BBOOL CK_FALSE
+-CKA_MODIFIABLE CK_BBOOL CK_FALSE
+-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+-\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261
+-\375\231\101\064
+-END
+-CKA_CERT_MD5_HASH MULTILINE_OCTAL
+-\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133
+-END
+-CKA_ISSUER MULTILINE_OCTAL
+-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061
+-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156
+-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125
+-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040
+-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151
+-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154
+-\141\171\151\143\151\163\151
+-END
+-CKA_SERIAL_NUMBER MULTILINE_OCTAL
+-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333
+-\254\265
+-END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+-
+-#
+ # Certificate "GlobalSign Root CA - R3"
+ #
+ # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3
+@@ -31590,3 +31447,146 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_T
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
++#
++# Certificate "Explicitly Distrusted MCSHOLDING CA"
++#
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079246 (0x4933008e)
++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
++# Not Valid Before: Thu Mar 19 06:20:09 2015
++# Not Valid After : Fri Apr 03 06:20:09 2015
++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
++CKA_SUBJECT MULTILINE_OCTAL
++\060\074\061\013\060\011\006\003\125\004\006\023\002\105\107\061
++\023\060\021\006\003\125\004\012\014\012\115\103\123\110\117\114
++\104\111\116\107\061\030\060\026\006\003\125\004\003\014\017\115
++\103\123\110\117\114\104\111\116\107\040\124\105\123\124
++END
++CKA_ID UTF8 "0"
++CKA_ISSUER MULTILINE_OCTAL
++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
++\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\111\063\000\216
++END
++CKA_VALUE MULTILINE_OCTAL
++\060\202\004\222\060\202\003\172\240\003\002\001\002\002\004\111
++\063\000\216\060\015\006\011\052\206\110\206\367\015\001\001\013
++\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103
++\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111
++\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111
++\103\040\122\117\117\124\060\036\027\015\061\065\060\063\061\071
++\060\066\062\060\060\071\132\027\015\061\065\060\064\060\063\060
++\066\062\060\060\071\132\060\074\061\013\060\011\006\003\125\004
++\006\023\002\105\107\061\023\060\021\006\003\125\004\012\014\012
++\115\103\123\110\117\114\104\111\116\107\061\030\060\026\006\003
++\125\004\003\014\017\115\103\123\110\117\114\104\111\116\107\040
++\124\105\123\124\060\202\001\042\060\015\006\011\052\206\110\206
++\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012
++\002\202\001\001\000\245\371\165\014\006\256\356\014\021\315\226
++\063\115\153\316\300\112\014\075\135\353\322\113\011\177\347\107
++\054\254\161\000\371\010\257\064\361\243\152\307\374\346\253\316
++\320\276\312\315\052\230\230\271\320\216\063\111\007\141\040\321
++\132\064\316\203\024\006\171\216\032\277\333\344\240\070\072\356
++\224\271\243\240\130\072\211\024\254\140\076\003\324\307\315\073
++\034\260\232\210\032\111\020\251\260\262\375\345\350\341\004\342
++\352\202\155\376\014\121\105\221\255\165\042\256\377\117\220\013
++\300\123\145\167\076\036\302\126\265\066\306\326\205\314\016\203
++\032\063\037\166\231\133\053\227\053\213\327\321\024\025\114\235
++\131\327\200\057\244\242\205\325\210\066\002\140\125\312\130\337
++\223\374\112\142\007\226\323\304\372\277\215\001\047\227\057\246
++\134\164\361\072\102\156\135\171\024\060\061\032\074\331\262\127
++\115\340\270\077\017\151\061\242\235\145\231\331\326\061\207\265
++\230\046\337\360\313\273\025\300\044\023\142\122\032\153\313\105
++\007\227\343\304\224\136\311\015\107\054\351\317\351\364\217\376
++\065\341\062\347\061\002\003\001\000\001\243\202\001\244\060\202
++\001\240\060\166\006\010\053\006\001\005\005\007\001\001\004\152
++\060\150\060\051\006\010\053\006\001\005\005\007\060\001\206\035
++\150\164\164\160\072\057\057\157\143\163\160\143\156\156\151\143
++\162\157\157\164\056\143\156\156\151\143\056\143\156\060\073\006
++\010\053\006\001\005\005\007\060\002\206\057\150\164\164\160\072
++\057\057\167\167\167\056\143\156\156\151\143\056\143\156\057\144
++\157\167\156\154\157\141\144\057\143\145\162\164\057\103\116\116
++\111\103\122\117\117\124\056\143\145\162\060\037\006\003\125\035
++\043\004\030\060\026\200\024\145\362\061\255\052\367\367\335\122
++\226\012\307\002\301\016\357\246\325\073\021\060\017\006\003\125
++\035\023\001\001\377\004\005\060\003\001\001\377\060\077\006\003
++\125\035\040\004\070\060\066\060\064\006\012\053\006\001\004\001
++\201\351\014\001\006\060\046\060\044\006\010\053\006\001\005\005
++\007\002\001\026\030\150\164\164\160\072\057\057\167\167\167\056
++\143\156\156\151\143\056\143\156\057\143\160\163\057\060\201\206
++\006\003\125\035\037\004\177\060\175\060\102\240\100\240\076\244
++\074\060\072\061\013\060\011\006\003\125\004\006\023\002\103\116
++\061\016\060\014\006\003\125\004\012\014\005\103\116\116\111\103
++\061\014\060\012\006\003\125\004\013\014\003\143\162\154\061\015
++\060\013\006\003\125\004\003\014\004\143\162\154\061\060\067\240
++\065\240\063\206\061\150\164\164\160\072\057\057\143\162\154\056
++\143\156\156\151\143\056\143\156\057\144\157\167\156\154\157\141
++\144\057\162\157\157\164\163\150\141\062\143\162\154\057\103\122
++\114\061\056\143\162\154\060\013\006\003\125\035\017\004\004\003
++\002\001\006\060\035\006\003\125\035\016\004\026\004\024\104\244
++\211\253\024\137\075\157\040\074\252\174\372\031\256\364\110\140
++\005\265\060\015\006\011\052\206\110\206\367\015\001\001\013\005
++\000\003\202\001\001\000\134\264\365\123\233\117\271\340\204\211
++\061\276\236\056\352\236\041\113\245\217\155\241\246\363\057\110
++\353\351\333\255\036\061\200\320\171\073\020\357\232\044\367\223
++\033\065\363\032\302\307\302\054\012\177\157\133\361\137\163\221
++\004\373\015\171\015\351\032\006\326\203\375\116\140\235\154\222
++\103\114\352\144\230\104\253\327\373\107\320\257\037\144\114\342
++\335\167\150\026\302\054\241\240\201\227\000\102\037\176\040\170
++\350\306\120\035\013\177\025\223\131\130\100\024\204\360\247\220
++\153\066\005\147\352\177\042\155\273\321\245\046\115\263\060\244
++\130\324\133\265\032\214\120\214\270\015\341\240\007\263\017\130
++\316\327\005\265\175\065\171\157\242\333\014\000\052\150\044\214
++\176\234\301\166\111\272\174\146\021\336\362\107\316\376\320\316
++\125\276\010\332\362\171\046\052\025\071\316\153\030\246\337\330
++\207\050\231\224\016\055\150\241\232\316\122\066\234\053\354\264
++\150\263\154\025\254\313\160\102\362\304\101\245\310\374\041\170
++\123\167\062\040\251\041\114\162\342\323\262\311\166\033\030\130
++\102\013\102\222\263\344
++END
++
++# Distrust "Explicitly Distrusted MCSHOLDING CA"
++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN
++# Serial Number: 1228079246 (0x4933008e)
++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG
++# Not Valid Before: Thu Mar 19 06:20:09 2015
++# Not Valid After : Fri Apr 03 06:20:09 2015
++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61
++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA"
++CKA_CERT_SHA1_HASH MULTILINE_OCTAL
++\341\363\131\036\166\230\145\304\344\107\254\303\176\257\311\342
++\277\344\305\166
++END
++CKA_CERT_MD5_HASH MULTILINE_OCTAL
++\366\212\253\024\076\326\060\045\267\111\015\167\205\160\231\313
++END
++CKA_ISSUER MULTILINE_OCTAL
++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061
++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061
++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040
++\122\117\117\124
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\004\111\063\000\216
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+diff -up ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 ./nss/lib/ckfw/builtins/nssckbi.h
+--- ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100
++++ ./nss/lib/ckfw/builtins/nssckbi.h 2015-04-23 18:49:24.575939481 +0200
+@@ -45,8 +45,8 @@
+ * of the comment in the CK_VERSION type definition.
+ */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
++#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
+
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/SOURCES/nss-646045.patch b/SOURCES/nss-646045.patch
index 33b80fe..765f25e 100644
--- a/SOURCES/nss-646045.patch
+++ b/SOURCES/nss-646045.patch
@@ -1,34 +1,34 @@
-diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh
---- nss/tests/dbtests/dbtests.sh.646045 2013-04-04 13:31:55.000000000 -0700
-+++ nss/tests/dbtests/dbtests.sh 2013-04-04 15:57:46.298127149 -0700
-@@ -168,6 +168,9 @@ dbtest_main()
+diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
+--- a/tests/dbtests/dbtests.sh
++++ b/tests/dbtests/dbtests.sh
+@@ -165,28 +165,28 @@ dbtest_main()
+ # opens immediately see the files are readonly. As a
+ # workaround we open the files once first. (Bug 185074)
+ if [ "${OS_ARCH}" = "Darwin" ]; then
cat $RONLY_DIR/* > /dev/null
fi
-+ # skipping the next two tests when user is root,
-+ # otherwise they would fail due to rooty powers
-+ if [[ $EUID -ne 0 ]] then
- ${BINDIR}/dbtest -d $RONLY_DIR
+ # skipping the next two tests when user is root,
+ # otherwise they would fail due to rooty powers
+- if [ $UID -ne 0 ]; then
++ if [[ $UID -ne 0 ]]; then
+ ${BINDIR}/dbtest -d $RONLY_DIR
ret=$?
if [ $ret -ne 46 ]; then
-@@ -175,6 +178,10 @@ dbtest_main()
+ html_failed "Dbtest r/w succeeded in a readonly directory $ret"
else
html_passed "Dbtest r/w didn't work in an readonly dir $ret"
fi
-+ else
-+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
-+ fi
-+ if [[ $EUID -ne 0 ]] then
- ${BINDIR}/certutil -D -n "TestUser" -d .
+ else
+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+ fi
+- if [ $UID -ne 0 ]; then
++ if [[ $UID -ne 0 ]]; then
+ ${BINDIR}/certutil -D -n "TestUser" -d .
ret=$?
if [ $ret -ne 255 ]; then
-@@ -182,6 +189,9 @@ dbtest_main()
+ html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret"
else
- html_passed "Certutil didn't work in an readonly dir $ret"
+ html_passed "Certutil didn't work in an readonly dir $ret"
fi
-+ else
-+ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root"
-+ fi
-
- Echo "test opening the database ronly in a readonly directory"
-
+ else
diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch
new file mode 100644
index 0000000..f24e91c
--- /dev/null
+++ b/SOURCES/nss-revert-tls-version-defaults.patch
@@ -0,0 +1,37 @@
+
+# HG changeset patch
+# User Martin Thomson <martin.thomson@gmail.com>
+# Date 1425582301 -3600
+# Node ID 3c8e2b57803654f9cc74a37132d72fd0b8a59db5
+# Parent ad602a80ac1013dcd8b7508e0f8474d81e447d4a
+Bug 1083900, Enable TLS 1.2 in the default NSS configuration, r=rrelyea
+
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = {
+ PR_FALSE /* enableFallbackSCSV */
+ };
+
+ /*
+ * default range of enabled SSL/TLS protocols
+ */
+ static SSLVersionRange versions_defaults_stream = {
+ SSL_LIBRARY_VERSION_3_0,
+- SSL_LIBRARY_VERSION_TLS_1_0
++ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
+ static SSLVersionRange versions_defaults_datagram = {
+ SSL_LIBRARY_VERSION_TLS_1_1,
+- SSL_LIBRARY_VERSION_TLS_1_1
++ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
+ #define VERSIONS_DEFAULTS(variant) \
+ (variant == ssl_variant_stream ? &versions_defaults_stream : \
+ &versions_defaults_datagram)
+
+ sslSessionIDLookupFunc ssl_sid_lookup;
+ sslSessionIDCacheFunc ssl_sid_cache;
+
diff --git a/SOURCES/p-1083360.patch b/SOURCES/p-1083360.patch
deleted file mode 100644
index ed8c3d4..0000000
--- a/SOURCES/p-1083360.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c
---- a/cmd/ssltap/ssltap.c
-+++ b/cmd/ssltap/ssltap.c
-@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
- case 0x000098: cs_str = "TLS/DH-RSA/SEED-CBC/SHA"; break;
- case 0x000099: cs_str = "TLS/DHE-DSS/SEED-CBC/SHA"; break;
- case 0x00009A: cs_str = "TLS/DHE-RSA/SEED-CBC/SHA"; break;
- case 0x00009B: cs_str = "TLS/DH-ANON/SEED-CBC/SHA"; break;
- case 0x00009C: cs_str = "TLS/RSA/AES128-GCM/SHA256"; break;
- case 0x00009E: cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256"; break;
-
- case 0x0000FF: cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
-+ case 0x005600: cs_str = "TLS_FALLBACK_SCSV"; break;
-
- case 0x00C001: cs_str = "TLS/ECDH-ECDSA/NULL/SHA"; break;
- case 0x00C002: cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA"; break;
- case 0x00C003: cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
- case 0x00C004: cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA"; break;
- case 0x00C005: cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA"; break;
- case 0x00C006: cs_str = "TLS/ECDHE-ECDSA/NULL/SHA"; break;
- case 0x00C007: cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA"; break;
-diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
---- a/cmd/tstclnt/tstclnt.c
-+++ b/cmd/tstclnt/tstclnt.c
-@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
- }
- }
-
- static void PrintUsageHeader(const char *progName)
- {
- fprintf(stderr,
- "Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
- "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-- "[-V [min-version]:[max-version]] [-T]\n"
-+ "[-V [min-version]:[max-version]] [-K] [-T]\n"
- "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n",
- progName);
- }
-
- static void PrintParameterUsage(void)
- {
- fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
- "%-20s handshake, 2nd_hs_name - at second handshake.\n"
-@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
- fprintf(stderr,
- "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
- fprintf(stderr,
- "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
- "%-20s All versions are enabled by default.\n"
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
- "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
- "-V [min]:[max]", "", "", "");
-+ fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
- fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
- fprintf(stderr, "%-20s Client speaks first. \n", "-f");
- fprintf(stderr, "%-20s Use synchronous certificate validation "
- "(required for SSL2)\n", "-O");
- fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
- fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
- fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
- fprintf(stderr, "%-20s Use export policy.\n", "-x");
-@@ -802,16 +803,17 @@ int main(int argc, char **argv)
- PRBool enableSSL2 = PR_TRUE;
- int bypassPKCS11 = 0;
- int disableLocking = 0;
- int useExportPolicy = 0;
- int enableSessionTickets = 0;
- int enableCompression = 0;
- int enableFalseStart = 0;
- int enableCertStatus = 0;
-+ int forceFallbackSCSV = 0;
- PRSocketOptionData opt;
- PRNetAddr addr;
- PRPollDesc pollset[2];
- PRBool allowIPv4 = PR_TRUE;
- PRBool allowIPv6 = PR_TRUE;
- PRBool pingServerFirst = PR_FALSE;
- int pingTimeoutSeconds = -1;
- PRBool clientSpeaksFirst = PR_FALSE;
-@@ -847,17 +849,17 @@ int main(int argc, char **argv)
- if (sec > 0) {
- maxInterval = PR_SecondsToInterval(sec);
- }
- }
-
- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
-
- optstate = PL_CreateOptState(argc, argv,
-- "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
-+ "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
- while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
- switch (optstate->option) {
- case '?':
- default : Usage(progName); break;
-
- case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
- case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
-
-@@ -869,16 +871,18 @@ int main(int argc, char **argv)
- }
- serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
- break;
-
- case 'I': /* reserved for OCSP multi-stapling */ break;
-
- case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
-
-+ case 'K': forceFallbackSCSV = PR_TRUE; break;
-+
- case 'M': switch (atoi(optstate->value)) {
- case 1:
- serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
- serverCertAuth.allowCRLSideChannelData = PR_FALSE;
- break;
- case 2:
- serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
- serverCertAuth.allowCRLSideChannelData = PR_TRUE;
-@@ -1213,16 +1216,24 @@ int main(int argc, char **argv)
-
- /* enable false start. */
- rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error enabling false start");
- return 1;
- }
-
-+ if (forceFallbackSCSV) {
-+ rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
-+ if (rv != SECSuccess) {
-+ SECU_PrintError(progName, "error forcing fallback scsv");
-+ return 1;
-+ }
-+ }
-+
- /* enable cert status (OCSP stapling). */
- rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
- if (rv != SECSuccess) {
- SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
- return 1;
- }
-
- SSL_SetPKCS11PinArg(s, &pwdata);
diff --git a/SOURCES/syntaxfix.patch b/SOURCES/syntaxfix.patch
new file mode 100644
index 0000000..91603a4
--- /dev/null
+++ b/SOURCES/syntaxfix.patch
@@ -0,0 +1,22 @@
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -297,17 +297,17 @@ fi
+
+ # NOTE:
+ # Since in make at the top level, modutil is the last file
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the
+ # following test for modutil should check for that instead.
+ # Exception: when building softoken only, shlibsign is the
+ # last file created.
+-if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
+ LAST_FILE_BUILT=shlibsign
+ else
+ LAST_FILE_BUILT=modutil
+ fi
+
+ if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
+ echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+ html_head "Testing Initialization"
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 0a233c4..e7ec2d8 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,5 +1,5 @@
-%global nspr_version 4.10.6
-%global nss_util_version 3.16.2.3
+%global nspr_version 4.10.8
+%global nss_util_version 3.18.0
# adjust to the version that gets submitted for FIPS validation
%global nss_softokn_fips_version 3.16.2
%global nss_softokn_version 3.16.2.3
@@ -20,8 +20,8 @@
Summary: Network Security Services
Name: nss
-Version: 3.16.2.3
-Release: 5%{?dist}
+Version: 3.18.0
+Release: 2.2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -71,6 +71,8 @@ Source24: cert9.db.xml
Source25: key3.db.xml
Source26: key4.db.xml
Source27: secmod.db.xml
+Source30: PayPalRootCA.cert
+Source31: PayPalICA.cert
Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
@@ -98,18 +100,14 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
-Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch64: Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360
-# support TLS_FALLBACK_SCSV in tstclnt and ssltap
-Patch88: p-1083360.patch
-Patch89: certutil-man-supply-missing-options.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1111901
-Patch90: Bug-1174527-fixsegfault.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch91: nss-3.16-tcache-race.patch
+# Update the root CA list to 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+Patch91: nss-3.18.1-ca-2.3-to-2.4.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
+Patch95: expired-cert.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1153994
+Patch96: syntaxfix.patch
+# Patch to keep the TLS protocol versions that are enabled by default
+Patch98: nss-revert-tls-version-defaults.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -184,13 +182,17 @@ low level services.
%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
%setup -q -T -D -n %{name}-%{version} -a 12
%patch2 -p0 -b .relro
%patch3 -p0 -b .transitional
%patch6 -p0 -b .libpem
%patch16 -p0 -b .539183
-%patch18 -p0 -b .646045
+pushd nss
+%patch18 -p1 -b .646045
+popd
# link pem against buildroot's freebl, essential when mixing and matching
%patch25 -p0 -b .systemfreebl
%patch40 -p0 -b .noocsptest
@@ -203,16 +205,13 @@ pushd nss
popd
%patch55 -p0 -b .852023
%patch56 -p0 -b .1026677
-%patch62 -p0 -b .1034409
+%patch91 -p1 -b .pre-ca-2.4
pushd nss
-%patch64 -p1 -b .1094468
-%patch88 -p1 -b .support_tls_fallback_scsv
+%patch95 -p1 -b .renewed_paypal_cert
+%patch96 -p1 -b .syntax_fix
+# attention, reverting patch98, keep -R
+%patch98 -p1 -R -b .keep_tls_default
popd
-%patch89 -p0 -b .missing_options
- pushd nss
-%patch90 -p1 -b .1174527
-popd
-%patch91 -p0 -b .race
#########################################################
# Higher-level libraries and test tools need access to
@@ -457,7 +456,7 @@ pushd ./nss/tests/
# don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb
-nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
# nss_ssl_run: cov auth stress
#
@@ -537,7 +536,7 @@ done
%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
-
+
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
@@ -793,6 +792,21 @@ fi
%changelog
+* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.2
+- On RHEL 7.1 keep the TLS version defaults unchanged.
+
+* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2.1
+- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+
+* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
+- Update and reenable nss-646045.patch on account of the rebase
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+- Fix shell syntax error on nss/tests/all.sh
+- Replace expired PayPal test certificate that breaks the build
+
* Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
- Reverse the sense of a test in patch to fix pk12util segfault
- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files