diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d651e6d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+SOURCES/PayPalEE.cert
+SOURCES/blank-cert9.db
+SOURCES/blank-key4.db
+SOURCES/nspr-4.32.tar.gz
+SOURCES/nss-3.71.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
new file mode 100644
index 0000000..2aedeb3
--- /dev/null
+++ b/.nss.metadata
@@ -0,0 +1,5 @@
+5c92efcd23ae5dc57c4f0a3903d662365bca008c SOURCES/PayPalEE.cert
+b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
+f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
+28e05ef5cbe6e7cde239d3cdcccabf571ec73f69 SOURCES/nspr-4.32.tar.gz
+b60e3e0a2765d4009347e08dc9792a4dc4aded03 SOURCES/nss-3.71.tar.gz
diff --git a/SOURCES/cert9.db.xml b/SOURCES/cert9.db.xml
new file mode 100644
index 0000000..815d3f9
--- /dev/null
+++ b/SOURCES/cert9.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ cert9.db
+ 5
+
+
+
+ cert9.db
+ NSS certificate database
+
+
+
+ Description
+ cert9.db is an NSS certificate database.
+ This certificate database is the sqlite-based shared database with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/cert9.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
new file mode 100644
index 0000000..6e4adcd
--- /dev/null
+++ b/SOURCES/iquote.patch
@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+ SQLITE_LIB_NAME = sqlite3
+ endif
+
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included
diff --git a/SOURCES/key4.db.xml b/SOURCES/key4.db.xml
new file mode 100644
index 0000000..9b65f41
--- /dev/null
+++ b/SOURCES/key4.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ key4.db
+ 5
+
+
+
+ key4.db
+ NSS certificate database
+
+
+
+ Description
+ key4.db is an NSS key database.
+ This key database is the sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/key4.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/SOURCES/nspr-config-pc.patch b/SOURCES/nspr-config-pc.patch
new file mode 100644
index 0000000..2c1fe87
--- /dev/null
+++ b/SOURCES/nspr-config-pc.patch
@@ -0,0 +1,37 @@
+diff -up nspr/config/nspr-config.in.flags nspr/config/nspr-config.in
+--- nspr/config/nspr-config.in.flags 2013-05-29 13:46:34.147971410 -0700
++++ nspr/config/nspr-config.in 2013-05-29 14:17:10.990838914 -0700
+@@ -102,7 +102,7 @@ if test -z "$includedir"; then
+ includedir=@includedir@
+ fi
+ if test -z "$libdir"; then
+- libdir=@libdir@
++ libdir=`pkg-config --variable=libdir nspr`
+ fi
+
+ if test "$echo_prefix" = "yes"; then
+@@ -136,12 +136,12 @@ if test "$echo_libs" = "yes"; then
+ if test -n "$lib_nspr"; then
+ libdirs="$libdirs -lnspr${major_version}"
+ fi
+- os_ldflags="@LDFLAGS@"
++ os_ldflags=`pkg-config --variable=ldflags nspr`
+ for i in $os_ldflags ; do
+ if echo $i | grep \^-L >/dev/null; then
+ libdirs="$libdirs $i"
+ fi
+ done
+- echo $libdirs @OS_LIBS@
++ echo $libdirs `pkg-config --variable=os_libs nspr`
+ fi
+
+diff -up nspr/config/nspr.pc.in.flags nspr/config/nspr.pc.in
+--- nspr/config/nspr.pc.in.flags 2013-05-29 13:48:15.026643570 -0700
++++ nspr/config/nspr.pc.in 2013-05-29 13:49:47.795202949 -0700
+@@ -6,5 +6,5 @@ includedir=@includedir@
+ Name: NSPR
+ Description: The Netscape Portable Runtime
+ Version: @MOD_MAJOR_VERSION@.@MOD_MINOR_VERSION@.@MOD_PATCH_VERSION@
+-Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@
++Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@ @OS_LIBS@
+ Cflags: -I@includedir@
diff --git a/SOURCES/nspr-config.xml b/SOURCES/nspr-config.xml
new file mode 100644
index 0000000..9e3f99c
--- /dev/null
+++ b/SOURCES/nspr-config.xml
@@ -0,0 +1,127 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Netscape Portable Runtime
+ nspr
+ &version;
+
+
+
+ nspr-config
+ 1
+
+
+
+ nspr-config
+ Return meta information about nspr libraries
+
+
+
+
+ nspr-config
+
+
+
+
+
+
+
+
+
+
+
+ Description
+ nspr-config is a shell script which can be used to obtain gcc options for building client pacakges of nspr.
+
+
+
+ Options
+
+
+
+
+ Returns the top level system directory under which the nspr libraries are installed.
+
+
+
+
+ Returns the top level system directory under which any nspr binaries would be installed.
+
+
+
+ count
+ Returns the path to the directory were the nspr headers are installed.
+
+
+
+
+ Returns the upstream version of nspr in the form major_version-minor_version-patch_version.
+
+
+
+
+ Returns the compiler linking flags.
+
+
+
+
+ Returns the compiler include flags.
+
+
+
+
+ Returns the path to the directory were the nspr libraries are installed.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for both include path and linkage flags:
+
+ /usr/bin/nspr-config --cflags --libs
+
+
+
+
+
+
+
+ Files
+
+ /usr/bin/nspr-config
+
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The NSPR liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/nspr-gcc-atomics.patch b/SOURCES/nspr-gcc-atomics.patch
new file mode 100644
index 0000000..b94e840
--- /dev/null
+++ b/SOURCES/nspr-gcc-atomics.patch
@@ -0,0 +1,77 @@
+diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
+--- a/pr/include/md/_linux.h
++++ b/pr/include/md/_linux.h
+@@ -82,53 +82,73 @@
+ #define NO_DLOPEN_NULL
+ #endif
+
+ #if defined(__FreeBSD_kernel__) || defined(__GNU__)
+ #define _PR_HAVE_SOCKADDR_LEN
+ #endif
+
+ #if defined(__i386__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
+ #define _MD_ATOMIC_INCREMENT _PR_x86_AtomicIncrement
+ extern PRInt32 _PR_x86_AtomicDecrement(PRInt32 *val);
+ #define _MD_ATOMIC_DECREMENT _PR_x86_AtomicDecrement
+ extern PRInt32 _PR_x86_AtomicAdd(PRInt32 *ptr, PRInt32 val);
+ #define _MD_ATOMIC_ADD _PR_x86_AtomicAdd
+ extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET _PR_x86_AtomicSet
+ #endif
++#endif
+
+ #if defined(__ia64__)
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_ia64_AtomicIncrement(PRInt32 *val);
+ #define _MD_ATOMIC_INCREMENT _PR_ia64_AtomicIncrement
+ extern PRInt32 _PR_ia64_AtomicDecrement(PRInt32 *val);
+ #define _MD_ATOMIC_DECREMENT _PR_ia64_AtomicDecrement
+ extern PRInt32 _PR_ia64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
+ #define _MD_ATOMIC_ADD _PR_ia64_AtomicAdd
+ extern PRInt32 _PR_ia64_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET _PR_ia64_AtomicSet
+ #endif
+
+ #if defined(__x86_64__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
+ #define _MD_ATOMIC_INCREMENT _PR_x86_64_AtomicIncrement
+ extern PRInt32 _PR_x86_64_AtomicDecrement(PRInt32 *val);
+ #define _MD_ATOMIC_DECREMENT _PR_x86_64_AtomicDecrement
+ extern PRInt32 _PR_x86_64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
+ #define _MD_ATOMIC_ADD _PR_x86_64_AtomicAdd
+ extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET _PR_x86_64_AtomicSet
+ #endif
++#endif
+
+ #if defined(__or1k__)
+ #if defined(__GNUC__)
+ /* Use GCC built-in functions */
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ #define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
+ #define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
diff --git a/SOURCES/nss-3.67-cve-2021-43527-test.patch b/SOURCES/nss-3.67-cve-2021-43527-test.patch
new file mode 100644
index 0000000..51cb8e0
--- /dev/null
+++ b/SOURCES/nss-3.67-cve-2021-43527-test.patch
@@ -0,0 +1,325 @@
+diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-dsa.crt
+@@ -0,0 +1,143 @@
++-----BEGIN CERTIFICATE-----
++MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
++RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
++WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
++dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
++ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7uAoIIAQD/////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++/////////////////////////////////////////////////////////w==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-rsa-pss.crt
+@@ -0,0 +1,126 @@
++-----BEGIN CERTIFICATE-----
++MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
++AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
++EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
++MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
++AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
++CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
++CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -114,16 +114,28 @@ certu()
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ return $RET
+ }
+
++cert_test_vfy()
++{
++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++ echo " vfychain -a Leaf-bogus-dsa.crt"
++ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt
++ html_msg $? 1 "Verify large dsa signature"
++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++ echo " vfychain -a Leaf-bogus-rsa-pss.crt"
++ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
++ html_msg $? 1 "Verify large rsa pss signature"
++}
++
+ ################################ crlu #################################
+ # local shell function to call crlutil, also: writes action and options to
+ # stdout, sets variable RET and writes results to the html file results
+ ########################################################################
+ crlu()
+ {
+ echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ else
+ echo "$SCRIPTNAME: Skipping CRL Tests"
+ fi
+
+ if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+ cert_stresscerts
+ fi
+
++cert_test_vfy
++
+ cert_iopr_setup
+
+ cert_cleanup
diff --git a/SOURCES/nss-3.67-cve-2021-43527.patch b/SOURCES/nss-3.67-cve-2021-43527.patch
new file mode 100644
index 0000000..8fc81d3
--- /dev/null
+++ b/SOURCES/nss-3.67-cve-2021-43527.patch
@@ -0,0 +1,279 @@
+diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
+--- a/lib/cryptohi/secvfy.c
++++ b/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ if (len > MAX_ECKEY_LEN * 2) {
++ goto loser;
++ }
++ } else {
++ goto loser;
+ }
+
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+- if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
+- }
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
+ }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+- } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ if (dsasig->len != len) {
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
+- SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -281,7 +312,7 @@
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+@@ -466,48 +497,52 @@
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++ break;
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+@@ -650,11 +685,16 @@
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+@@ -686,8 +726,13 @@
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+@@ -749,7 +794,6 @@
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -757,19 +801,25 @@
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ break;
+ default:
+
diff --git a/SOURCES/nss-3.71-camellia-pkcs12-doc.patch b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch
new file mode 100644
index 0000000..f14b5a9
--- /dev/null
+++ b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch
@@ -0,0 +1,20 @@
+diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
+--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
++++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
+@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ Password Encryption
+- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
++ PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
+ The private key is always protected with strong encryption by default.
+ Several types of ciphers are supported.
+
+@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")
++ PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC")
+
+
+
diff --git a/SOURCES/nss-3.71-fips-module-name.patch b/SOURCES/nss-3.71-fips-module-name.patch
new file mode 100644
index 0000000..a1ec103
--- /dev/null
+++ b/SOURCES/nss-3.71-fips-module-name.patch
@@ -0,0 +1,825 @@
+diff --git a/cmd/manifest.mn b/cmd/manifest.mn
+--- a/cmd/manifest.mn
++++ b/cmd/manifest.mn
+@@ -76,6 +76,7 @@
+ symkeyutil \
+ tests \
+ tstclnt \
++ validation \
+ vfychain \
+ vfyserv \
+ modutil \
+diff --git a/cmd/validation/Makefile b/cmd/validation/Makefile
+new file mode 100644
+--- /dev/null
++++ b/cmd/validation/Makefile
+@@ -0,0 +1,48 @@
++#! gmake
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++#######################################################################
++# (1) Include initial platform-independent assignments (MANDATORY). #
++#######################################################################
++
++include manifest.mn
++
++#######################################################################
++# (2) Include "global" configuration information. (OPTIONAL) #
++#######################################################################
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++#######################################################################
++# (3) Include "component" configuration information. (OPTIONAL) #
++#######################################################################
++
++#######################################################################
++# (4) Include "local" platform-dependent assignments (OPTIONAL). #
++#######################################################################
++
++include ../platlibs.mk
++
++
++#######################################################################
++# (5) Execute "global" rules. (OPTIONAL) #
++#######################################################################
++
++include $(CORE_DEPTH)/coreconf/rules.mk
++
++#######################################################################
++# (6) Execute "component" rules. (OPTIONAL) #
++#######################################################################
++
++
++
++#######################################################################
++# (7) Execute "local" rules. (OPTIONAL). #
++#######################################################################
++
++
++include ../platrules.mk
++
+diff --git a/cmd/validation/manifest.mn b/cmd/validation/manifest.mn
+new file mode 100644
+--- /dev/null
++++ b/cmd/validation/manifest.mn
+@@ -0,0 +1,23 @@
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++CORE_DEPTH = ../..
++
++DEFINES += -DNSPR20
++
++# MODULE public and private header directories are implicitly REQUIRED.
++MODULE = nss
++
++CSRCS = \
++ validation.c \
++ $(NULL)
++
++# The MODULE is always implicitly required.
++# Listing it here in REQUIRES makes it appear twice in the cc command line.
++REQUIRES = dbm seccmd
++
++PROGRAM = validation
++
++# USE_STATIC_LIBS = 1
+diff --git a/cmd/validation/validation.c b/cmd/validation/validation.c
+new file mode 100644
+--- /dev/null
++++ b/cmd/validation/validation.c
+@@ -0,0 +1,249 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#ifdef _CRTDBG_MAP_ALLOC
++#include
++#include
++#endif
++
++#include "nspr.h"
++#include "secutil.h"
++#include "pk11func.h"
++#include "nss.h"
++#include "secport.h"
++#include "secpkcs5.h"
++#include "sechash.h"
++#include "certdb.h"
++#include "secmod.h"
++
++#define PKCS12_IN_BUFFER_SIZE 200
++
++static char *progName;
++PRBool debug = PR_FALSE;
++
++#define ERR_USAGE 2
++#define ERR_PK11GETSLOT 13
++
++static void
++Usage()
++{
++#define FPS PR_fprintf(PR_STDERR,
++ FPS "Usage: %s [-d certdir] [-P dbprefix] [-h tokenname]\n",
++ progName);
++ FPS "\t\t [-k slotpwfile | -K slotpw] [-v]\n");
++
++ exit(ERR_USAGE);
++}
++
++typedef enum {
++ tagULong,
++ tagVersion,
++ tagUtf8
++} tagType;
++
++typedef struct {
++ const char *attributeName;
++ tagType attributeStorageType;
++} attributeTag;
++
++enum {
++ opt_CertDir = 0,
++ opt_TokenName,
++ opt_SlotPWFile,
++ opt_SlotPW,
++ opt_DBPrefix,
++ opt_Debug
++};
++
++static secuCommandFlag validation_options[] =
++ {
++ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
++ { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE },
++ { /* opt_SlotPWFile */ 'k', PR_TRUE, 0, PR_FALSE },
++ { /* opt_SlotPW */ 'K', PR_TRUE, 0, PR_FALSE },
++ { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE },
++ { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }
++ };
++
++void
++dump_Raw(char *label, CK_ATTRIBUTE *attr)
++{
++ int i;
++ unsigned char *value = (unsigned char *)attr->pValue;
++ printf("0x");
++ for (i = 0; i < attr->ulValueLen; i++) {
++ printf("%02x", value[i]);
++ }
++ printf("<%s>\n", label);
++}
++
++SECStatus
++dump_validations(CK_OBJECT_CLASS objc, CK_ATTRIBUTE *template, int count,
++ attributeTag *tags, PK11SlotInfo *slot)
++{
++ PK11GenericObject *objs, *obj;
++
++ objs = PK11_FindGenericObjects(slot, objc);
++
++ for (obj = objs; obj != NULL; obj = PK11_GetNextGenericObject(obj)) {
++ int i;
++ printf("Validation Object:\n");
++ PK11_ReadRawAttributes(NULL, PK11_TypeGeneric, obj, template, count);
++ for (i = 0; i < count; i++) {
++ CK_ULONG ulong;
++ CK_VERSION version;
++ int len = template[i].ulValueLen;
++ printf(" %s: ", tags[i].attributeName);
++ if (len < 0) {
++ printf("\n");
++ } else if (len == 0) {
++ printf("\n");
++ } else
++ switch (tags[i].attributeStorageType) {
++ case tagULong:
++ if (len != sizeof(CK_ULONG)) {
++ dump_Raw("bad ulong", &template[i]);
++ break;
++ }
++ ulong = *(CK_ULONG *)template[i].pValue;
++ printf("%ld\n", ulong);
++ break;
++ case tagVersion:
++ if (len != sizeof(CK_VERSION)) {
++ dump_Raw("bad version", &template[i]);
++ break;
++ }
++ version = *(CK_VERSION *)template[i].pValue;
++ printf("%d.%d\n", version.major, version.minor);
++ break;
++ case tagUtf8:
++ printf("%.*s\n", len, (char *)template[i].pValue);
++ break;
++ default:
++ dump_Raw("unknown tag", &template[i]);
++ break;
++ }
++ PORT_Free(template[i].pValue);
++ template[i].pValue = NULL;
++ template[i].ulValueLen = 0;
++ }
++ }
++ PK11_DestroyGenericObjects(objs);
++ return SECSuccess;
++}
++
++int
++main(int argc, char **argv)
++{
++ secuPWData slotPw = { PW_NONE, NULL };
++ secuPWData p12FilePw = { PW_NONE, NULL };
++ PK11SlotInfo *slot;
++ char *slotname = NULL;
++ char *dbprefix = "";
++ char *nssdir = NULL;
++ SECStatus rv;
++ secuCommand validation;
++ int local_errno = 0;
++
++ CK_ATTRIBUTE validation_template[] = {
++ { CKA_NSS_VALIDATION_TYPE, NULL, 0 },
++ { CKA_NSS_VALIDATION_VERSION, NULL, 0 },
++ { CKA_NSS_VALIDATION_LEVEL, NULL, 0 },
++ { CKA_NSS_VALIDATION_MODULE_ID, NULL, 0 }
++ };
++ attributeTag validation_tags[] = {
++ { "Validation Type", tagULong },
++ { "Validation Version", tagVersion },
++ { "Validation Level", tagULong },
++ { "Validation Module ID", tagUtf8 },
++ };
++
++#ifdef _CRTDBG_MAP_ALLOC
++ _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
++#endif
++
++ validation.numCommands = 0;
++ validation.commands = 0;
++ validation.numOptions = PR_ARRAY_SIZE(validation_options);
++ validation.options = validation_options;
++
++ progName = strrchr(argv[0], '/');
++ progName = progName ? progName + 1 : argv[0];
++
++ rv = SECU_ParseCommandLine(argc, argv, progName, &validation);
++
++ if (rv != SECSuccess)
++ Usage();
++
++ debug = validation.options[opt_Debug].activated;
++
++ slotname = SECU_GetOptionArg(&validation, opt_TokenName);
++
++ if (validation.options[opt_SlotPWFile].activated) {
++ slotPw.source = PW_FROMFILE;
++ slotPw.data = PORT_Strdup(validation.options[opt_SlotPWFile].arg);
++ }
++
++ if (validation.options[opt_SlotPW].activated) {
++ slotPw.source = PW_PLAINTEXT;
++ slotPw.data = PORT_Strdup(validation.options[opt_SlotPW].arg);
++ }
++
++ if (validation.options[opt_CertDir].activated) {
++ nssdir = validation.options[opt_CertDir].arg;
++ }
++ if (validation.options[opt_DBPrefix].activated) {
++ dbprefix = validation.options[opt_DBPrefix].arg;
++ }
++
++ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
++ if (nssdir == NULL && NSS_NoDB_Init("") == SECSuccess) {
++ rv = SECSuccess;
++ /* if the system isn't already in FIPS mode, we need
++ * to switch to FIPS mode */
++ if (!PK11_IsFIPS()) {
++ /* flip to FIPS mode */
++ SECMODModule *module = SECMOD_GetInternalModule();
++ rv = SECMOD_DeleteInternalModule(module->commonName);
++ }
++ } else {
++ rv = NSS_Initialize(nssdir, dbprefix, dbprefix,
++ "secmod.db", 0);
++ }
++ if (rv != SECSuccess) {
++ SECU_PrintPRandOSError(progName);
++ exit(-1);
++ }
++
++ if (!slotname || PL_strcmp(slotname, "internal") == 0)
++ slot = PK11_GetInternalKeySlot();
++ else
++ slot = PK11_FindSlotByName(slotname);
++
++ if (!slot) {
++ SECU_PrintError(progName, "Invalid slot \"%s\"", slotname);
++ local_errno = ERR_PK11GETSLOT;
++ goto done;
++ }
++
++ rv = dump_validations(CKO_NSS_VALIDATION,
++ validation_template,
++ PR_ARRAY_SIZE(validation_template),
++ validation_tags,
++ slot);
++
++done:
++ if (slotPw.data != NULL)
++ PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
++ if (p12FilePw.data != NULL)
++ PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
++ if (slot)
++ PK11_FreeSlot(slot);
++ if (NSS_Shutdown() != SECSuccess) {
++ local_errno = 1;
++ }
++ PL_ArenaFinish();
++ PR_Cleanup();
++ return local_errno;
++}
+diff --git a/cmd/validation/validation.gyp b/cmd/validation/validation.gyp
+new file mode 100644
+--- /dev/null
++++ b/cmd/validation/validation.gyp
+@@ -0,0 +1,30 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++{
++ 'includes': [
++ '../../coreconf/config.gypi',
++ '../../cmd/platlibs.gypi'
++ ],
++ 'targets': [
++ {
++ 'target_name': 'validation',
++ 'type': 'executable',
++ 'sources': [
++ 'validation.c'
++ ],
++ 'dependencies': [
++ '<(DEPTH)/exports.gyp:dbm_exports',
++ '<(DEPTH)/exports.gyp:nss_exports'
++ ]
++ }
++ ],
++ 'target_defaults': {
++ 'defines': [
++ 'NSPR20'
++ ]
++ },
++ 'variables': {
++ 'module': 'nss'
++ }
++}
+diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
+--- a/lib/softoken/config.mk
++++ b/lib/softoken/config.mk
+@@ -59,3 +59,7 @@
+ DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
+ endif
+
++ifdef NSS_FIPS_MODULE_ID
++DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
++endif
++
+diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
+--- a/lib/softoken/pkcs11.c
++++ b/lib/softoken/pkcs11.c
+@@ -75,7 +75,6 @@
+ * failure so that there are at most 60 login attempts per minute.
+ */
+ static PRIntervalTime loginWaitTime;
+-static PRUint32 minSessionObjectHandle = 1U;
+
+ #define __PASTE(x, y) x##y
+
+@@ -1672,8 +1671,6 @@
+ {
+ SFTKSlot *slot = session->slot;
+ SFTKAttribute *attribute;
+- SFTKObject *duplicateObject = NULL;
+- CK_OBJECT_HANDLE handle;
+ CK_BBOOL ckfalse = CK_FALSE;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_RV crv;
+@@ -1711,30 +1708,13 @@
+ * token objects and will have a token object handle assigned to
+ * them by a call to sftk_mkHandle in the handler for each object
+ * class, invoked below.
+- *
++ *
+ * It may be helpful to note/remember that
+ * sftk_narrowToXxxObject uses sftk_isToken,
+ * sftk_isToken examines the sign bit of the object's handle, but
+ * sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute.
+ */
+- do {
+- PRUint32 wrappedAround;
+-
+- duplicateObject = NULL;
+- PZ_Lock(slot->objectLock);
+- wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
+- handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+- if (!handle) /* don't allow zero handle */
+- handle = minSessionObjectHandle;
+- slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+- /* Is there already a session object with this handle? */
+- if (wrappedAround) {
+- sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
+- slot->sessObjHashSize);
+- }
+- PZ_Unlock(slot->objectLock);
+- } while (duplicateObject != NULL);
+- object->handle = handle;
++ object->handle = sftk_getNextHandle(slot);
+
+ /* get the object class */
+ attribute = sftk_FindAttribute(object, CKA_CLASS);
+@@ -2875,10 +2855,15 @@
+ goto mem_loser;
+
+ slot->sessionIDCount = 0;
+- slot->sessionObjectHandleCount = minSessionObjectHandle;
++ slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->slotID = slotID;
+ sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription,
+ sizeof(slot->slotDescription), PR_TRUE);
++ crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL, NULL,
++ CKF_SERIAL_SESSION);
++ if (crv != CKR_OK) {
++ goto loser;
++ }
+
+ /* call the reinit code to set everything that changes between token
+ * init calls */
+@@ -2887,6 +2872,12 @@
+ if (crv != CKR_OK) {
+ goto loser;
+ }
++ if (sftk_isFIPS(slotID)) {
++ crv = sftk_CreateValidationObjects(slot);
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++ }
+ crv = sftk_RegisterSlot(slot, moduleIndex);
+ if (crv != CKR_OK) {
+ goto loser;
+@@ -3032,6 +3023,8 @@
+
+ SFTK_ShutdownSlot(slot);
+
++ sftk_ClearSession(&slot->moduleObjects);
++
+ if (slot->tokObjHashTable) {
+ PL_HashTableDestroy(slot->tokObjHashTable);
+ slot->tokObjHashTable = NULL;
+@@ -3262,6 +3255,7 @@
+ CK_RV crv = CKR_OK;
+ SECStatus rv;
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
++ PRBool destroy_freelist_on_error = PR_TRUE;
+ int i;
+ unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
+
+@@ -3341,7 +3335,14 @@
+ "disabled FIPS mode");
+ }
+ }
++ /* if we have a peer open, we don't want to destroy the freelist
++ * from under the peer if we fail, the free list will be
++ * destroyed in that case when the C_Finalize is called for
++ * the peer */
++ destroy_freelist_on_error = PR_FALSE;
+ }
++ /* allow us to create objects in SFTK_SlotInit */
++ sftk_InitFreeLists();
+
+ for (i = 0; i < paramStrings.token_count; i++) {
+ crv = SFTK_SlotInit(paramStrings.configdir,
+@@ -3355,8 +3356,9 @@
+ loser:
+ sftk_freeParams(¶mStrings);
+ }
+- if (CKR_OK == crv) {
+- sftk_InitFreeLists();
++ if (destroy_freelist_on_error && (CKR_OK != crv)) {
++ /* idempotent. If the list are already freed, this is a noop */
++ sftk_CleanupFreeLists();
+ }
+
+ #ifndef NO_FORK_CHECK
+diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
+--- a/lib/softoken/pkcs11i.h
++++ b/lib/softoken/pkcs11i.h
+@@ -49,6 +49,8 @@
+ #define NSC_SEARCH_BLOCK_SIZE 5
+ #define NSC_SLOT_LIST_BLOCK_SIZE 10
+
++#define NSC_MIN_SESSION_OBJECT_HANDLE 1U
++
+ #define NSC_FIPS_MODULE 1
+ #define NSC_NON_FIPS_MODULE 0
+
+@@ -375,6 +377,9 @@
+ char tokDescription[33]; /* per load */
+ char updateTokDescription[33]; /* per load */
+ char slotDescription[65]; /* invariant */
++ SFTKSession moduleObjects; /* global session to hang module specific
++ * objects like profile objects or
++ * validation objects */
+ };
+
+ /*
+@@ -766,6 +771,7 @@
+ extern void sftk_ReferenceObject(SFTKObject *object);
+ extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
+ SFTKSession *session);
++extern CK_OBJECT_HANDLE sftk_getNextHandle(SFTKSlot *slot);
+ extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
+ extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
+ /* clear out all the existing object ID to database key mappings.
+@@ -787,7 +793,11 @@
+ extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
+ extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
+ extern void sftk_FreeSession(SFTKSession *session);
++extern void sftk_ClearSession(SFTKSession *session);
+ extern void sftk_DestroySession(SFTKSession *session);
++extern CK_RV sftk_InitSession(SFTKSession *session, SFTKSlot *slot,
++ CK_SLOT_ID slotID, CK_NOTIFY notify,
++ CK_VOID_PTR pApplication, CK_FLAGS flags);
+ extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
+ CK_VOID_PTR pApplication, CK_FLAGS flags);
+ extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session);
+@@ -955,6 +965,9 @@
+ * FIPS security policy */
+ PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source);
++/* add validation objects to the slot */
++CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
++
+ SEC_END_PROTOS
+
+ #endif /* _PKCS11I_H_ */
+diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
+--- a/lib/softoken/pkcs11u.c
++++ b/lib/softoken/pkcs11u.c
+@@ -14,6 +14,7 @@
+ #include "sftkdb.h"
+ #include "softoken.h"
+ #include "secoid.h"
++#include "softkver.h"
+
+ #if !defined(NSS_FIPS_DISABLED) && defined(NSS_ENABLE_FIPS_INDICATORS)
+ /* this file should be supplied by the vendor and include all the
+@@ -1243,6 +1244,32 @@
+ return SFTK_Busy;
+ }
+
++/* find the next available object handle that isn't currently in use */
++CK_OBJECT_HANDLE
++sftk_getNextHandle(SFTKSlot *slot)
++{
++ CK_OBJECT_HANDLE handle;
++ SFTKObject *duplicateObject = NULL;
++ do {
++ PRUint32 wrappedAround;
++
++ duplicateObject = NULL;
++ PZ_Lock(slot->objectLock);
++ wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
++ handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
++ if (!handle) /* don't allow zero handle */
++ handle = NSC_MIN_SESSION_OBJECT_HANDLE;
++ slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
++ /* Is there already a session object with this handle? */
++ if (wrappedAround) {
++ sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
++ slot->sessObjHashSize);
++ }
++ PZ_Unlock(slot->objectLock);
++ } while (duplicateObject != NULL);
++ return handle;
++}
++
+ /*
+ * add an object to a slot and session queue. These two functions
+ * adopt the object.
+@@ -1848,23 +1875,13 @@
+ }
+
+ /*
+- * create a new nession. NOTE: The session handle is not set, and the
++ * Init a new session. NOTE: The session handle is not set, and the
+ * session is not added to the slot's session queue.
+ */
+-SFTKSession *
+-sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+- CK_FLAGS flags)
++CK_RV
++sftk_InitSession(SFTKSession *session, SFTKSlot *slot, CK_SLOT_ID slotID,
++ CK_NOTIFY notify, CK_VOID_PTR pApplication, CK_FLAGS flags)
+ {
+- SFTKSession *session;
+- SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+-
+- if (slot == NULL)
+- return NULL;
+-
+- session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
+- if (session == NULL)
+- return NULL;
+-
+ session->next = session->prev = NULL;
+ session->enc_context = NULL;
+ session->hash_context = NULL;
+@@ -1873,8 +1890,7 @@
+ session->objectIDCount = 1;
+ session->objectLock = PZ_NewLock(nssILockObject);
+ if (session->objectLock == NULL) {
+- PORT_Free(session);
+- return NULL;
++ return CKR_HOST_MEMORY;
+ }
+ session->objects[0] = NULL;
+
+@@ -1887,12 +1903,38 @@
+ sftk_update_state(slot, session);
+ /* no ops completed yet, so the last one couldn't be a FIPS op */
+ session->lastOpWasFIPS = PR_FALSE;
++ return CKR_OK;
++}
++
++/*
++ * Create a new session and init it.
++ */
++SFTKSession *
++sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
++ CK_FLAGS flags)
++{
++ SFTKSession *session;
++ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
++ CK_RV crv;
++
++ if (slot == NULL)
++ return NULL;
++
++ session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
++ if (session == NULL)
++ return NULL;
++
++ crv = sftk_InitSession(session, slot, slotID, notify, pApplication, flags);
++ if (crv != CKR_OK) {
++ PORT_Free(session);
++ return NULL;
++ }
+ return session;
+ }
+
+ /* free all the data associated with a session. */
+ void
+-sftk_DestroySession(SFTKSession *session)
++sftk_ClearSession(SFTKSession *session)
+ {
+ SFTKObjectList *op, *next;
+
+@@ -1918,6 +1960,13 @@
+ if (session->search) {
+ sftk_FreeSearch(session->search);
+ }
++}
++
++/* free the data associated with the session, and the session */
++void
++sftk_DestroySession(SFTKSession *session)
++{
++ sftk_ClearSession(session);
+ PORT_Free(session);
+ }
+
+@@ -2386,3 +2435,70 @@
+ return PR_FALSE;
+ #endif
+ }
++
++/*
++ * create the FIPS Validation objects. If the vendor
++ * doesn't supply an NSS_FIPS_MODULE_ID, at compile time,
++ * then we assumethis is an unvalidated module.
++ */
++CK_RV
++sftk_CreateValidationObjects(SFTKSlot *slot)
++{
++ const char *module_id;
++ int module_id_len;
++ CK_RV crv = CKR_OK;
++ /* we currently use vendor specific values until the validation
++ * objects are approved for PKCS #11 v3.2. */
++ CK_OBJECT_CLASS cko_validation = CKO_NSS_VALIDATION;
++ CK_NSS_VALIDATION_TYPE ckv_fips = CKV_NSS_FIPS_140;
++ CK_VERSION fips_version = { 3, 0 }; /* FIPS-140-3 */
++ CK_ULONG fips_level = 1; /* or 2 if you validated at level 2 */
++
++#ifndef NSS_FIPS_MODULE_ID
++#define NSS_FIPS_MODULE_ID "Generic NSS " SOFTOKEN_VERSION " Unvalidated"
++#endif
++ module_id = NSS_FIPS_MODULE_ID;
++ module_id_len = sizeof(NSS_FIPS_MODULE_ID) - 1;
++ SFTKObject *object;
++
++ object = sftk_NewObject(slot); /* fill in the handle later */
++ if (object == NULL) {
++ return CKR_HOST_MEMORY;
++ }
++ object->isFIPS = PR_FALSE;
++
++ crv = sftk_AddAttributeType(object, CKA_CLASS,
++ &cko_validation, sizeof(cko_validation));
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_TYPE,
++ &ckv_fips, sizeof(ckv_fips));
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_VERSION,
++ &fips_version, sizeof(fips_version));
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_LEVEL,
++ &fips_level, sizeof(fips_level));
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_MODULE_ID,
++ module_id, module_id_len);
++ if (crv != CKR_OK) {
++ goto loser;
++ }
++
++ /* future, fill in validation certificate information from a supplied
++ * pointer to a config file */
++ object->handle = sftk_getNextHandle(slot);
++ object->slot = slot;
++ sftk_AddObject(&slot->moduleObjects, object);
++loser:
++ sftk_FreeObject(object);
++ return crv;
++}
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -38,6 +38,9 @@
+ #define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4)
+ #define CKO_NSS_NEWSLOT (CKO_NSS + 5)
+ #define CKO_NSS_DELSLOT (CKO_NSS + 6)
++#define CKO_NSS_VALIDATION (CKO_NSS + 7)
++
++#define CKV_NSS_FIPS_140 (CKO_NSS + 1)
+
+ /*
+ * NSS-defined key types
+@@ -99,6 +102,11 @@
+ #define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35)
+ #define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36)
+
++#define CKA_NSS_VALIDATION_TYPE (CKA_NSS + 36)
++#define CKA_NSS_VALIDATION_VERSION (CKA_NSS + 37)
++#define CKA_NSS_VALIDATION_LEVEL (CKA_NSS + 38)
++#define CKA_NSS_VALIDATION_MODULE_ID (CKA_NSS + 39)
++
+ /*
+ * Trust attributes:
+ *
+@@ -344,6 +352,9 @@
+ #define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1)
+ #define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2)
+
++/* NSS specific types */
++typedef CK_ULONG CK_NSS_VALIDATION_TYPE;
++
+ /* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms.
+ See RFC 5869.
+
+diff --git a/nss.gyp b/nss.gyp
+--- a/nss.gyp
++++ b/nss.gyp
+@@ -131,6 +131,7 @@
+ 'cmd/smimetools/smimetools.gyp:cmsutil',
+ 'cmd/ssltap/ssltap.gyp:ssltap',
+ 'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
++ 'cmd/validation/validation.gyp:validation',
+ 'nss-tool/nss_tool.gyp:nss',
+ 'nss-tool/nss_tool.gyp:hw-support',
+ ],
+
diff --git a/SOURCES/nss-3.71-fix-lto-gtests.patch b/SOURCES/nss-3.71-fix-lto-gtests.patch
new file mode 100644
index 0000000..462e8ad
--- /dev/null
+++ b/SOURCES/nss-3.71-fix-lto-gtests.patch
@@ -0,0 +1,36 @@
+diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+@@ -8,23 +8,32 @@
+
+ #include "prtime.h"
+ #include "secerr.h"
+ #include "ssl.h"
+
+ #include "gtest_utils.h"
+ #include "tls_agent.h"
+ #include "tls_connect.h"
++#define LTO
+
+ namespace nss_test {
+
++#ifndef LTO
++// sigh this construction breaks LTO
+ const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
+ const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
+ const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
+ const std::string kDCId = TlsAgent::kServerEcdsa256;
++#else
++#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
++#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
++#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
++#define kDCId TlsAgent::kServerEcdsa256
++#endif
+ const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
+ const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
+ static void CheckPreliminaryPeerDelegCred(
+ const std::shared_ptr& client, bool expected,
+ PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
+ EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
+ EXPECT_EQ(expected, client->pre_info().peerDelegCred);
diff --git a/SOURCES/nss-3.71-ipv6-fix.patch b/SOURCES/nss-3.71-ipv6-fix.patch
new file mode 100644
index 0000000..b72c80f
--- /dev/null
+++ b/SOURCES/nss-3.71-ipv6-fix.patch
@@ -0,0 +1,36 @@
+diff -up ./cmd/selfserv/selfserv.c.ipv6_fix ./cmd/selfserv/selfserv.c
+--- ./cmd/selfserv/selfserv.c.ipv6_fix 2021-09-14 11:40:06.176408531 -0700
++++ ./cmd/selfserv/selfserv.c 2021-09-14 11:49:46.361907308 -0700
+@@ -1717,14 +1717,28 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+ errExit("PR_NewTCPSocket");
+ }
++ /* NSPR has a bug where set inheritable doesn't work unless it's a pure
++ * NSPR socket. If we have an IPV6 emulator on an IPV4 socket, it will fail.
++ * In that case just open an IPV4 socket instead */
++ if (PR_NSPR_IO_LAYER != PR_GetLayersIdentity(listen_sock)) {
++ PR_Close(listen_sock);
++ addr.inet.family = PR_AF_INET;
++ addr.inet.ip = PR_INADDR_ANY;
++ addr.inet.port = PR_htons(port);
++
++ listen_sock = PR_NewTCPSocket();
++ if (listen_sock == NULL) {
++ errExit("PR_NewTCPSocket");
++ }
++ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
diff --git a/SOURCES/nss-3.75-fix-pkcs12-passwords.patch b/SOURCES/nss-3.75-fix-pkcs12-passwords.patch
new file mode 100644
index 0000000..fffe693
--- /dev/null
+++ b/SOURCES/nss-3.75-fix-pkcs12-passwords.patch
@@ -0,0 +1,257 @@
+diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
+--- a/cmd/pk12util/pk12util.c
++++ b/cmd/pk12util/pk12util.c
+@@ -660,16 +660,27 @@ P12U_ExportPKCS12Object(char *nn, char *
+ }
+
+ /* Password to use for PKCS12 file. */
+ pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
+ if (!pwitem) {
+ goto loser;
+ }
+
++ /* we are passing UTF8, drop the NULL in the normal password value.
++ * UCS2 conversion will add it back if necessary. This only affects
++ * password > Blocksize of the Hash function and pkcs5v2 pbe (if password
++ * <=Blocksize then the password is zero padded anyway, so an extra NULL
++ * at the end has not effect). This is allows us to work with openssl and
++ * gnutls. Older versions of NSS already fail to decrypt long passwords
++ * in this case, so we aren't breaking anyone with this code */
++ if ((pwitem->len > 1) && (!pwitem->data[pwitem->len-1])) {
++ pwitem->len--;
++ }
++
+ p12cxt = p12u_InitContext(PR_FALSE, outfile);
+ if (!p12cxt) {
+ SECU_PrintError(progName, "Initialization failed: %s", outfile);
+ pk12uErrno = PK12UERR_INIT_FILE;
+ goto loser;
+ }
+
+ if (certlist) {
+diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
+--- a/lib/pkcs12/p12local.c
++++ b/lib/pkcs12/p12local.c
+@@ -903,31 +903,35 @@ sec_pkcs12_find_object(SEC_PKCS12SafeCon
+ i++;
+ }
+ }
+
+ PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
+ return NULL;
+ }
+
+-/* this function converts a password to unicode and encures that the
+- * required double 0 byte be placed at the end of the string
++/* this function converts a password to unicode and ensures that the
++ * required double 0 byte be placed at the end of the string (if zeroTerm
++ * is set), or the 0 bytes at the end are dropped (if zeroTerm is not set).
+ */
+ PRBool
+ sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest,
+ SECItem *src, PRBool zeroTerm,
+ PRBool asciiConvert, PRBool toUnicode)
+ {
+ PRBool success = PR_FALSE;
++ int bufferSize;
++
+ if (!src || !dest) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return PR_FALSE;
+ }
+
+- dest->len = src->len * 3 + 2;
++ bufferSize = src->len * 3 + 2;
++ dest->len = bufferSize;
+ if (arena) {
+ dest->data = (unsigned char *)PORT_ArenaZAlloc(arena, dest->len);
+ } else {
+ dest->data = (unsigned char *)PORT_ZAlloc(dest->len);
+ }
+
+ if (!dest->data) {
+ dest->len = 0;
+@@ -951,34 +955,44 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+ if (!arena) {
+ PORT_Free(dest->data);
+ dest->data = NULL;
+ dest->len = 0;
+ }
+ return PR_FALSE;
+ }
+
+- if ((dest->len >= 2) &&
+- (dest->data[dest->len - 1] || dest->data[dest->len - 2]) && zeroTerm) {
+- if (dest->len + 2 > 3 * src->len) {
+- if (arena) {
+- dest->data = (unsigned char *)PORT_ArenaGrow(arena,
+- dest->data, dest->len,
+- dest->len + 2);
+- } else {
+- dest->data = (unsigned char *)PORT_Realloc(dest->data,
+- dest->len + 2);
++ /* in some cases we need to add NULL terminations and in others
++ * we need to drop null terminations */
++ if (zeroTerm) {
++ /* unicode adds two nulls a the end */
++ if (toUnicode) {
++ if ((dest->len >= 2) &&
++ (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
++ /* we've already allocated space for these new NULLs */
++ PORT_Assert(dest->len + 2 <= bufferSize);
++ dest->len += 2;
++ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+ }
+-
+- if (!dest->data) {
+- return PR_FALSE;
++ /* ascii/utf-8 adds just 1 */
++ } else if ((dest->len >= 1) && dest->data[dest->len-1]) {
++ PORT_Assert(dest->len + 1 <= bufferSize);
++ dest->len ++;
++ dest->data[dest->len-1] = 0;
++ }
++ } else {
++ /* handle the drop case, no need to do any allocations here. */
++ if (toUnicode) {
++ while ((dest->len >=2) && !dest->data[dest->len - 1] &&
++ !dest->data[dest->len - 2]) {
++ dest->len -= 2;
+ }
++ } else while (dest->len && !dest->data[dest->len-1]) {
++ dest->len--;
+ }
+- dest->len += 2;
+- dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+ }
+
+ return PR_TRUE;
+ }
+
+ PRBool
+ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
+ {
+@@ -1006,27 +1020,28 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
+ }
+ }
+
+ /* this function decodes a password from Unicode if necessary,
+ * according to the PBE algorithm.
+ *
+ * we assume that the pwitem is already encoded in Unicode by the
+ * caller. if the encryption scheme is not the one defined in PKCS
+- * #12, decode the pwitem back into UTF-8. */
++ * #12, decode the pwitem back into UTF-8. NOTE: UTF-8 strings are
++ * used in the PRF without the trailing NULL */
+ PRBool
+ sec_pkcs12_decode_password(PLArenaPool *arena,
+ SECItem *result,
+ SECOidTag algorithm,
+ const SECItem *pwitem)
+ {
+ if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
+ return sec_pkcs12_convert_item_to_unicode(arena, result,
+ (SECItem *)pwitem,
+- PR_TRUE, PR_FALSE, PR_FALSE);
++ PR_FALSE, PR_FALSE, PR_FALSE);
+
+ return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
+ }
+
+ /* this function encodes a password into Unicode if necessary,
+ * according to the PBE algorithm.
+ *
+ * we assume that the pwitem holds a raw password. if the encryption
+diff --git a/tests/common/init.sh b/tests/common/init.sh
+--- a/tests/common/init.sh
++++ b/tests/common/init.sh
+@@ -78,25 +78,27 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
+
+ CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
+ STAPLINGDIR=${HOSTDIR}/stapling
+ NOLOGINDIR=${HOSTDIR}/nologin
+ SSLGTESTDIR=${HOSTDIR}/ssl_gtests
+ GTESTDIR=${HOSTDIR}/gtests
+
+ PWFILE=${HOSTDIR}/tests.pw
++ LONGPWFILE=${HOSTDIR}/tests.longpw
+ EMPTY_FILE=${HOSTDIR}/tests_empty
+ NOISE_FILE=${HOSTDIR}/tests_noise
+ CORELIST_FILE=${HOSTDIR}/clist
+
+ FIPSPWFILE=${HOSTDIR}/tests.fipspw
+ FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
+ FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
+
+ echo nss > ${PWFILE}
++ echo "nss123456789012345678901234567890123456789012345678901234567890_" > ${LONGPWFILE}
+ echo > ${EMPTY_FILE}
+ echo "fIps140" > ${FIPSPWFILE}
+ echo "fips104" > ${FIPSBADPWFILE}
+ echo "pKcs12fips140" > ${FIPSP12PWFILE}
+
+ noise
+
+ P_SERVER_CADIR=${SERVER_CADIR}
+@@ -656,16 +658,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
+ P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
+ P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
+ P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
+ P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
+ P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
+ fi
+
+ R_PWFILE=../tests.pw
++ R_LONGPWFILE=../tests.longpw
+ R_EMPTY_FILE=../tests_empty
+ R_NOISE_FILE=../tests_noise
+
+ R_FIPSPWFILE=../tests.fipspw
+ R_FIPSBADPWFILE=../tests.fipsbadpw
+ R_FIPSP12PWFILE=../tests.fipsp12pw
+
+ trap "Exit $0 Signal_caught" 2 3
+diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
+--- a/tests/tools/tools.sh
++++ b/tests/tools/tools.sh
+@@ -382,16 +382,40 @@ tools_p12_export_list_import_with_defaul
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+ echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+ check_tmpfile
++
++ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------"
++ echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
++ echo " -w ${R_LONGPWFILE}"
++ ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
++ -w ${R_LONGPWFILE} 2>&1
++ ret=$?
++ html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)"
++ check_tmpfile
++ verify_p12 Alice-ec-long.p12 "default" "default" "default"
++
++ echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----"
++ echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}"
++ ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1
++ ret=$?
++ html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)"
++ check_tmpfile
++
++ echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------"
++ echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}"
++ ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1
++ ret=$?
++ html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)"
++ check_tmpfile
+ }
+
+ tools_p12_import_old_files()
+ {
+ echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
+ echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+ ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+ ret=$?
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-config.xml b/SOURCES/nss-config.xml
new file mode 100644
index 0000000..f9518c9
--- /dev/null
+++ b/SOURCES/nss-config.xml
@@ -0,0 +1,132 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ nss-config
+ 1
+
+
+
+ nss-config
+ Return meta information about nss libraries
+
+
+
+
+ nss-config
+
+
+
+
+
+
+
+
+
+
+
+ Description
+
+ nss-config is a shell scrip
+ tool which can be used to obtain gcc options for building client pacakges of nspt.
+
+
+
+
+ Options
+
+
+
+
+ Returns the top level system directory under which the nss libraries are installed.
+
+
+
+
+ returns the top level system directory under which any nss binaries would be installed.
+
+
+
+ count
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+ returns the upstream version of nss in the form major_version-minor_version-patch_version.
+
+
+
+
+ returns the compiler linking flags.
+
+
+
+
+ returns the compiler include flags.
+
+
+
+
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for both include path and linkage flags:
+
+
+ /usr/bin/nss-config --cflags --libs
+
+
+
+
+
+
+
+
+ Files
+
+ /usr/bin/nss-config
+
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/nss-disable-md5.patch b/SOURCES/nss-disable-md5.patch
new file mode 100644
index 0000000..827928f
--- /dev/null
+++ b/SOURCES/nss-disable-md5.patch
@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
++++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
+@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
+ static const oidValDef hashOptList[] = {
+ /* Hashes */
+ { CIPHER_NAME("MD2"), SEC_OID_MD2,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD4"), SEC_OID_MD4,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD5"), SEC_OID_MD5,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+ int i;
+
+ for (i = 1; i < SEC_OID_TOTAL; i++) {
++ switch (i) {
++ case SEC_OID_MD2:
++ case SEC_OID_MD4:
++ case SEC_OID_MD5:
++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++ continue;
++ default:
++ break;
++ }
+ if (oids[i].desc && strstr(arg, oids[i].desc)) {
+ xOids[i].notPolicyFlags = notEnable |
+ (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/SOURCES/nss-dso-ldflags.patch b/SOURCES/nss-dso-ldflags.patch
new file mode 100644
index 0000000..d5485ae
--- /dev/null
+++ b/SOURCES/nss-dso-ldflags.patch
@@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
diff --git a/SOURCES/nss-no-dbm-man-page.patch b/SOURCES/nss-no-dbm-man-page.patch
new file mode 100644
index 0000000..2a1a9d2
--- /dev/null
+++ b/SOURCES/nss-no-dbm-man-page.patch
@@ -0,0 +1,120 @@
+diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
+--- ./doc/certutil.xml.no-dbm 2021-05-29 10:26:21.853386165 -0700
++++ ./doc/certutil.xml 2021-05-29 10:31:15.057058619 -0700
+@@ -205,8 +205,7 @@ If this option is not used, the validity
+ certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).
+ NSS recognizes the following prefixes:
+
+- sql: requests the newer database
+- dbm: requests the legacy database
++ sql: requests the sql-lite database
+
+ If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then sql: is the default.
+
+@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
+
+
+
+-Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.
++Because the SQLite databases are designed to be shared, these are the shared database type.
+
+-By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:
+-
+-$ certutil -L -d dbm:/home/my/sharednssdb
+-
+-To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:
+-export NSS_DEFAULT_DB_TYPE="dbm"
+-
+-This line can be set added to the ~/.bashrc file to make the change permanent.
++By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+
+
+
+diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
+--- ./doc/modutil.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
++++ ./doc/modutil.xml 2021-05-29 10:28:23.293078869 -0700
+@@ -151,7 +151,7 @@
+
+ -dbdir directory
+ Specify the database directory in which to access or create security module database files.
+- modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format.
++ modutil supports SQLite databases (cert9.db, key4.db, and pkcs11.txt).
+
+
+
+@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
+
+ Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.
+
+-By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:
+-
+-modutil -create -dbdir dbm:/home/my/sharednssdb
+-
+-To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:
+-export NSS_DEFAULT_DB_TYPE="dbm"
+-
+-This line can be added to the ~/.bashrc file to make the change permanent for the user.
++By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+
+
+
+diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
+--- ./doc/pk12util.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
++++ ./doc/pk12util.xml 2021-05-29 10:28:23.293078869 -0700
+@@ -90,7 +90,7 @@
+
+ -d directory
+ Specify the database directory into which to import to or export from certificates and keys.
+- pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.
++ pk12util supports SQLite databases (cert9.db, key4.db, and pkcs11.txt).
+
+
+
+@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
+
+ Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.
+
+-By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:
+-
+-# pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb
+-
+-To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:
+-export NSS_DEFAULT_DB_TYPE="dbm"
+-
+-This line can be set added to the ~/.bashrc file to make the change permanent.
++By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+
+
+
+diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
+--- ./doc/signver.xml.no-dbm 2021-05-29 10:26:21.854386171 -0700
++++ ./doc/signver.xml 2021-05-29 10:28:23.293078869 -0700
+@@ -66,7 +66,7 @@
+
+ -d directory
+ Specify the database directory which contains the certificates and keys.
+- signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.
++ signver supports SQLite databases (cert9.db, key4.db, and pkcs11.txt).
+
+
+ -a
+@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
+
+ Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.
+
+-By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:
+-
+-# signver -A -s signature -d dbm:/home/my/sharednssdb
+-
+-To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:
+-export NSS_DEFAULT_DB_TYPE="dbm"
+-
+-This line can be added to the ~/.bashrc file to make the change permanent for the user.
++By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type.
+
+
+
diff --git a/SOURCES/nss-p11-kit.config b/SOURCES/nss-p11-kit.config
new file mode 100644
index 0000000..0ebf073
--- /dev/null
+++ b/SOURCES/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/SOURCES/nss-signtool-format.patch b/SOURCES/nss-signtool-format.patch
new file mode 100644
index 0000000..5f146f1
--- /dev/null
+++ b/SOURCES/nss-signtool-format.patch
@@ -0,0 +1,85 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+
+ dir = PR_OpenDir(path);
+ if (!dir) {
+ return -1;
+ }
+
+ /* Recursively delete all entries in the directory */
+ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+- sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++ PR_CloseDir(dir);
++ return -1;
++ }
+ if (rm_dash_r(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
+ }
+
+ if (PR_CloseDir(dir) != PR_SUCCESS) {
+ return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -138,6 +138,12 @@ rm_dash_r(char *path)
+ /* Recursively delete all entries in the directory */
+ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+ sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
++) >= sizeof(filename)) {
++ errorCount++;
++ PR_CloseDir(dir);
++ return -1;
++ }
+ if (rm_dash_r(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+ */
+ PKIX_Error *
+ PKIX_List_SetItem(
+ PKIX_List *list,
+ PKIX_UInt32 index,
+ PKIX_PL_Object *item,
+ void *plContext)
+ {
+- PKIX_List *element;
++ PKIX_List *element = NULL;
+
+ PKIX_ENTER(LIST, "PKIX_List_SetItem");
+ PKIX_NULLCHECK_ONE(list);
+
+ if (list->immutable){
+ PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+ }
+
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+ */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+ PKIX_PL_Object *first,
+ PKIX_PL_Object *second,
+ PKIX_Boolean *pResult,
+ void *plContext)
+ {
+- PKIX_Int32 cmpResult;
++ PKIX_Int32 cmpResult = 0;
+
+ PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+ PKIX_NULLCHECK_THREE(first, second, pResult);
+
+ PKIX_CHECK(pkix_pl_OID_Comparator
+ (first, second, &cmpResult, plContext),
+ PKIX_OIDCOMPARATORFAILED);
+
diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in
new file mode 100644
index 0000000..c7abe29
--- /dev/null
+++ b/SOURCES/nss-softokn-config.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-softokn-dracut-module-setup.sh b/SOURCES/nss-softokn-dracut-module-setup.sh
new file mode 100644
index 0000000..010ec18
--- /dev/null
+++ b/SOURCES/nss-softokn-dracut-module-setup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ local _dir
+
+ inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+ libfreebl3.so
+}
diff --git a/SOURCES/nss-softokn-dracut.conf b/SOURCES/nss-softokn-dracut.conf
new file mode 100644
index 0000000..2d9232e
--- /dev/null
+++ b/SOURCES/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in
new file mode 100644
index 0000000..022ebbf
--- /dev/null
+++ b/SOURCES/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/SOURCES/nss-util-config.in b/SOURCES/nss-util-config.in
new file mode 100644
index 0000000..532abbe
--- /dev/null
+++ b/SOURCES/nss-util-config.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-util.pc.in b/SOURCES/nss-util.pc.in
new file mode 100644
index 0000000..1310248
--- /dev/null
+++ b/SOURCES/nss-util.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ pkcs11.txt
+ 5
+
+
+
+ pkcs11.txt
+ NSS PKCS #11 module configuration file
+
+
+
+ Description
+
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+
+
+For full documentation visit PKCS #11 Module Specs.
+
+
+
+
+ Files
+ /etc/pki/nssdb/pkcs11.txt
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 0000000..8e1f5f7
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
new file mode 100644
index 0000000..5b9827f
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.xml
@@ -0,0 +1,106 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ setup-nsssysinit
+ 1
+
+
+
+ setup-nsssysinit
+ Query or enable the nss-sysinit module
+
+
+
+
+ setup-nsssysinit
+
+
+
+
+
+
+
+ Description
+ setup-nsssysinit is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it.
+ Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+
+
+
+
+ Options
+
+
+
+
+ Turn on nss-sysinit.
+
+
+
+
+ Turn on nss-sysinit.
+
+
+
+
+ returns whether nss-syinit is enabled or not.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for the status of nss-sysinit:
+
+ /usr/bin/setup-nsssysinit status
+
+
+
+ The following example, when run as superuser, will turn on nss-sysinit:
+
+ /usr/bin/setup-nsssysinit on
+
+
+
+
+
+
+ Files
+ /usr/bin/setup-nsssysinit
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 0000000..c2f5704
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..755fc2b
--- /dev/null
+++ b/SPECS/nss.spec
@@ -0,0 +1,2737 @@
+%global nspr_version 4.32.0
+# NOTE: To avoid NVR clashes of nspr* packages:
+# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
+# - increment %%{nspr_version}, when updating the NSS part only
+# - put the nss_release number here next to nspr, as they both
+# need to be updated on a given release
+%global nss_release 7
+%global nspr_release %[ %nss_release+2]
+%global nss_version 3.71.0
+# only need to update this as we added new
+# algorithms under nss policy control
+%global crypto_policies_version 20210118
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global saved_files_dir %{_libdir}/nss/saved
+%global dracutlibdir %{_prefix}/lib/dracut
+%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
+%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+
+%bcond_without tests
+%bcond_with dbm
+
+# Produce .chk files for the final stripped binaries
+#
+# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
+# against the freebl that we just built. This is necessary
+# because the signing algorithm changed on 3.14 to DSA2 with SHA256
+# whereas we previously signed with DSA and SHA1. We must Keep this line
+# until all mock platforms have been updated.
+# After %%{__os_install_post} we would add
+# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
+ %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
+%{nil}
+
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nspr_archive_version %s",
+ string.gsub(rpm.expand("%nspr_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+ string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_release_tag NSS_%s_RTM",
+ string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
+}
+
+Summary: Network Security Services
+Name: nss
+Version: %{nss_version}
+Release: %{nss_release}%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_version}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_version}
+Requires: nss-system-init
+Requires: p11-kit-trust
+Requires: /usr/bin/update-crypto-policies
+Requires: crypto-policies >= %{crypto_policies_version}
+# for shlibsign
+BuildRequires: make
+BuildRequires: nss-softokn
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl-interpreter
+BuildRequires: gcc-c++
+
+Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source1: nss-util.pc.in
+Source2: nss-util-config.in
+Source3: nss-softokn.pc.in
+Source4: nss-softokn-config.in
+Source6: nss-softokn-dracut-module-setup.sh
+Source7: nss-softokn-dracut.conf
+Source8: nss.pc.in
+Source9: nss-config.in
+%if %{with dbm}
+Source10: blank-cert8.db
+Source11: blank-key3.db
+Source12: blank-secmod.db
+%endif
+Source13: blank-cert9.db
+Source14: blank-key4.db
+Source15: system-pkcs11.txt
+Source16: setup-nsssysinit.sh
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+%if %{with dbm}
+Source23: cert8.db.xml
+Source25: key3.db.xml
+Source27: secmod.db.xml
+%endif
+Source22: pkcs11.txt.xml
+Source24: cert9.db.xml
+Source26: key4.db.xml
+Source28: nss-p11-kit.config
+Source30: PayPalEE.cert
+
+
+Source100: nspr-%{nspr_archive_version}.tar.gz
+Source101: nspr-config.xml
+
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
+Patch2: nss-3.71-ipv6-fix.patch
+# This patch uses the GCC -iquote option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
+Patch4: iquote.patch
+Patch12: nss-signtool-format.patch
+# connect our shared library to the build root loader flags (needed for -relro)
+Patch31: nss-dso-ldflags.patch
+# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
+Patch32: nss-disable-md5.patch
+# dbm is disabled on RHEL9, make the man pages reflect that
+%if %{with dbm}
+%else
+Patch33: nss-no-dbm-man-page.patch
+%endif
+
+# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1729550
+Patch50: nss-3.71-fips-module-name.patch
+# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
+Patch60: nss-3.67-cve-2021-43527.patch
+Patch70: nss-3.67-cve-2021-43527-test.patch
+# not upstreamable patch...
+Patch80: nss-3.71-fix-lto-gtests.patch
+# camellia pkcs12 docs.
+patch85: nss-3.71-camellia-pkcs12-doc.patch
+# fix issue with long passwords in pkcs12
+patch90: nss-3.75-fix-pkcs12-passwords.patch
+
+Patch100: nspr-config-pc.patch
+Patch101: nspr-gcc-atomics.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Provides: nss-static = %{version}-%{release}
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+Requires: nss-softokn-freebl-devel = %{version}-%{release}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%package util
+Summary: Network Security Services Utilities Library
+Requires: nspr >= %{nspr_version}
+
+%description util
+Utilities for Network Security Services and the Softoken module
+
+%package util-devel
+Summary: Development libraries for Network Security Services Utilities
+Requires: nss-util%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+
+%description util-devel
+Header and library files for doing development with Network Security Services.
+
+
+%package softokn
+Summary: Network Security Services Softoken Module
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{version}-%{release}
+Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
+
+%description softokn
+Network Security Services Softoken Cryptographic Module
+
+%package softokn-freebl
+Summary: Freebl library for the Network Security Services
+# For PR_GetEnvSecure() from nspr >= 4.12
+Requires: nspr >= 4.12
+# For NSS_SecureMemcmpZero() from nss-util >= 3.33
+Requires: nss-util >= 3.33
+Conflicts: nss < 3.12.2.99.3-5
+Conflicts: filesystem < 3
+
+%description softokn-freebl
+NSS Softoken Cryptographic Module Freebl Library
+
+Install the nss-softokn-freebl package if you need the freebl library.
+
+%package softokn-freebl-devel
+Summary: Header and Library files for doing development with the Freebl library for NSS
+Provides: nss-softokn-freebl-static = %{version}-%{release}
+Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release}
+
+%description softokn-freebl-devel
+NSS Softoken Cryptographic Module Freebl Library Development Tools
+This package supports special needs of some PKCS #11 module developers and
+is otherwise considered private to NSS. As such, the programming interfaces
+may change and the usual NSS binary compatibility commitments do not apply.
+Developers should rely only on the officially supported NSS public API.
+
+%package softokn-devel
+Summary: Development libraries for Network Security Services
+Requires: nss-softokn%{?_isa} = %{version}-%{release}
+Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-util-devel >= %{version}-%{release}
+Requires: pkgconfig
+
+%description softokn-devel
+Header and library files for doing development with Network Security Services.
+
+%package -n nspr
+Summary: Netscape Portable Runtime
+Version: %{nspr_version}
+Release: %{nspr_release}%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/nspr/
+Conflicts: filesystem < 3
+BuildRequires: gcc
+
+%description -n nspr
+NSPR provides platform independence for non-GUI operating system
+facilities. These facilities include threads, thread synchronization,
+normal file and network I/O, interval timing and calendar time, basic
+memory management (malloc and free) and shared library linking.
+
+%package -n nspr-devel
+Summary: Development libraries for the Netscape Portable Runtime
+Version: %{nspr_version}
+Release: %{nspr_release}%{?dist}
+Requires: nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
+Requires: pkgconfig
+BuildRequires: xmlto
+Conflicts: filesystem < 3
+
+%description -n nspr-devel
+Header files for doing development with the Netscape Portable Runtime.
+
+
+%prep
+%setup -q -T -b 100 -n nspr-%{nspr_archive_version}
+
+%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
+mv ../nspr-%{nspr_archive_version}/nspr .
+cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+
+%patch100 -p0 -b .flags
+pushd nspr
+%patch101 -p1 -b .gcc-atomics
+popd
+
+pushd nss
+%autopatch -p1 -M 99
+popd
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
+find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+
+
+%build
+# Build, check, and install NSPR for building NSS in the later phase
+#
+# TODO: This phase can be done by the NSS build process if we switch
+# to using "make nss_build_all". For now, however, we need some
+# adjustment in the NSS build process.
+mkdir -p nspr_build
+pushd nspr_build
+export LDFLAGS="$RPM_LD_FLAGS"
+export CFLAGS="$RPM_OPT_FLAGS"
+../nspr/configure \
+ --prefix=%{_prefix} \
+ --libdir=%{_libdir} \
+ --includedir=%{_includedir}/nspr4 \
+ --with-dist-prefix=$PWD/../dist \
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+ --enable-64bit \
+%endif
+%endif
+%ifarch armv7l armv7hl armv7nhl
+ --enable-thumb2 \
+%endif
+ --enable-optimize="$RPM_OPT_FLAGS" \
+ --disable-debug
+
+# The assembly files are only for legacy atomics, to which we prefer GCC atomics
+%ifarch i686 x86_64
+sed -i '/^PR_MD_ASFILES/d' config/autoconf.mk
+%endif
+make
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{nspr_version} > version.xml
+
+for m in %{SOURCE101}; do
+ cp ${m} .
+done
+for m in nspr-config.xml; do
+ xmlto man ${m}
+done
+popd
+
+# Build NSS
+#
+# This package fails its testsuite with LTO. Disable LTO for now
+#%%global _lto_cflags %%{nil}
+
+#export FREEBL_NO_DEPEND=1
+
+# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
+# copied to dist and the rpm install phase can find it
+# This due of the upstream changes to fix
+# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
+# export FREEBL_LOWHASH=1
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+# FIPS related defines
+export NSS_FORCE_FIPS=1
+export NSS_FIPS_VERSION="%{name}\ %{version}-$(date +%Y%m%d)"
+%if %{defined rhel}
+%if %{defined centos}
+ export NSS_FIPS_MODULE_ID="Centos\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
+%else
+if grep "Red Hat" /etc/system-release; then
+ export NSS_FIPS_MODULE_ID="Red\ Hat\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}"
+else
+ export NSS_FIPS_MODULE_ID="Generic\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
+fi
+%endif
+%else
+%if %{defined fedora}
+ export NSS_FIPS_MODULE_ID="Fedora\ %fedora\ ${NSS_FIPS_VERSION}\ unvalidated"
+%else
+ export NSS_FIPS_MODULE_ID="Generic\ Linux\ ${NSS_FIPS_VERSION}\ unvalidated"
+%endif
+%endif
+
+# Enable compiler optimizations and disable debugging code
+export BUILD_OPT=1
+
+# Uncomment to disable optimizations
+#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
+#export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+
+# Work around false-positive warnings with gcc 10:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1803029
+%ifarch s390x
+export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
+%endif
+
+# Similarly, but for gcc-11
+export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+
+export DSO_LDFLAGS=$RPM_LD_FLAGS
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export NSPR_INCLUDE_DIR=$PWD/dist/include/nspr
+
+export NSS_USE_SYSTEM_SQLITE=1
+
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
+%if %{with dbm}
+%else
+export NSS_DISABLE_DBM=1
+%endif
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
+%{__make} -C ./nss all
+%{__make} -C ./nss latest
+
+# build the man pages clean
+pushd ./nss
+%{__make} clean_docs build_docs
+popd
+
+# and copy them to the dist directory for %%install to find them
+mkdir -p ./dist/docs/nroff
+cp ./nss/doc/nroff/* ./dist/docs/nroff
+
+# Set up our package files
+mkdir -p ./dist/pkgconfig
+
+cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" > \
+ ./dist/pkgconfig/nss-util.pc
+
+NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
+NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
+NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \
+ > ./dist/pkgconfig/nss-util-config
+
+chmod 755 ./dist/pkgconfig/nss-util-config
+
+cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+ ./dist/pkgconfig/nss-softokn.pc
+
+SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
+ > ./dist/pkgconfig/nss-softokn-config
+
+chmod 755 ./dist/pkgconfig/nss-softokn-config
+
+cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{nss_version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{nss_version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do
+ xmlto man ${m}
+done
+
+%if %{with dbm}
+# nss dbm databases
+for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml key3.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+%endif
+
+
+%check
+%if %{with tests}
+pushd nspr_build
+# Run test suite.
+perl ../nspr/pr/tests/runtests.pl 2>&1 | tee output.log
+
+TEST_FAILURES=`grep -c FAILED ./output.log` || :
+if [ $TEST_FAILURES -ne 0 ]; then
+ echo "error: test suite returned failure(s)"
+ exit 1
+fi
+echo "test suite completed"
+popd
+%endif
+
+%if %{with tests}
+# Begin -- copied from the build section
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd "$DISTBINDIR"
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd nss/tests
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+# the full list from all.sh is:
+# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+# nss_ssl_run: cov auth stapling stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+popd
+
+killall $RANDSERV || :
+%endif
+
+%install
+
+pushd nspr_build
+make install DESTDIR=$RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+# Get rid of the things we don't want installed (per upstream)
+rm -rf \
+ $RPM_BUILD_ROOT/%{_bindir}/compile-et.pl \
+ $RPM_BUILD_ROOT/%{_bindir}/prerr.properties \
+ $RPM_BUILD_ROOT/%{_libdir}/libnspr4.a \
+ $RPM_BUILD_ROOT/%{_libdir}/libplc4.a \
+ $RPM_BUILD_ROOT/%{_libdir}/libplds4.a \
+ $RPM_BUILD_ROOT/%{_datadir}/aclocal/nspr.m4 \
+ $RPM_BUILD_ROOT/%{_includedir}/nspr4/md
+
+for f in nspr-config; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+popd
+
+# There is no make install target so we'll do it ourselves.
+
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%if %{defined rhel}
+# not needed for rhel and its derivatives only fedora
+%else
+# because of the pp.1 conflict with perl-PAR-Packer
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%endif
+
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+# Copy the binary libraries we want
+for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%if %{with dbm}
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%endif
+# Shared db
+install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h cmac.h
+do
+ install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the static freebl library
+for file in libfreebl.a
+do
+install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the template files we want
+for file in dist/private/nss/templates.c dist/private/nss/nssck.api
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
+ install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+%if %{defined rhel}
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+%else
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+%endif
+
+# Copy the man pages for the configuration files
+for f in pkcs11.txt cert9.db key4.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss dbm databases
+%if %{with dbm}
+for f in cert8.db key3.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+%endif
+
+# Copy the crypto-policies configuration file
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+%if %{with dbm}
+%else
+# Upon upgrade, ensure that the existing database locations are migrated to SQL
+# database.
+if test $1 -eq 2; then
+ for dbdir in %{_sysconfdir}/pki/nssdb; do
+ if test ! -e ${dbdir}/pkcs11.txt; then
+ /usr/bin/certutil --merge -d ${dbdir} --source-dir ${dbdir}
+ fi
+ done
+fi
+%endif
+
+%posttrans
+update-crypto-policies &> /dev/null || :
+
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%dir %{_sysconfdir}/pki/nssdb
+%if %{with dbm}
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%endif
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%if %{with dbm}
+%doc %{_mandir}/man5/cert8.db.5*
+%doc %{_mandir}/man5/key3.db.5*
+%doc %{_mandir}/man5/secmod.db.5*
+%endif
+%doc %{_mandir}/man5/cert9.db.5*
+%doc %{_mandir}/man5/key4.db.5*
+%doc %{_mandir}/man5/pkcs11.txt.5*
+
+%files sysinit
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%doc %{_mandir}/man1/setup-nsssysinit.1*
+
+%files tools
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/validation
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %%{_mandir}/man*/* let's list them explicitly
+# supported tools
+%doc %{_mandir}/man1/certutil.1*
+%doc %{_mandir}/man1/cmsutil.1*
+%doc %{_mandir}/man1/crlutil.1*
+%doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/nss-policy-check.1*
+%doc %{_mandir}/man1/pk12util.1*
+%doc %{_mandir}/man1/signver.1*
+# unsupported tools
+%doc %{_mandir}/man1/derdump.1*
+%doc %{_mandir}/man1/signtool.1*
+%if %{defined rhel}
+%doc %{_mandir}/man1/pp.1*
+%else
+%dir %{_datadir}/doc/nss-tools
+%doc %{_datadir}/doc/nss-tools/pp.1
+%endif
+%doc %{_mandir}/man1/ssltap.1*
+%doc %{_mandir}/man1/vfychain.1*
+%doc %{_mandir}/man1/vfyserv.1*
+
+%files devel
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%doc %{_mandir}/man1/nss-config.1*
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+%files pkcs11-devel
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+%files util
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnssutil3.so
+
+%files util-devel
+# package configuration files
+%{_libdir}/pkgconfig/nss-util.pc
+%{_bindir}/nss-util-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+# these are marked as public export in nss/lib/util/manifest.mk
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
+%{_includedir}/nss3/pkcs1sig.h
+%{_includedir}/nss3/pkcs11.h
+%{_includedir}/nss3/pkcs11f.h
+%{_includedir}/nss3/pkcs11n.h
+%{_includedir}/nss3/pkcs11p.h
+%{_includedir}/nss3/pkcs11t.h
+%{_includedir}/nss3/pkcs11u.h
+%{_includedir}/nss3/pkcs11uri.h
+%{_includedir}/nss3/portreg.h
+%{_includedir}/nss3/secasn1.h
+%{_includedir}/nss3/secasn1t.h
+%{_includedir}/nss3/seccomon.h
+%{_includedir}/nss3/secder.h
+%{_includedir}/nss3/secdert.h
+%{_includedir}/nss3/secdig.h
+%{_includedir}/nss3/secdigt.h
+%{_includedir}/nss3/secerr.h
+%{_includedir}/nss3/secitem.h
+%{_includedir}/nss3/secoid.h
+%{_includedir}/nss3/secoidt.h
+%{_includedir}/nss3/secport.h
+%{_includedir}/nss3/utilmodt.h
+%{_includedir}/nss3/utilpars.h
+%{_includedir}/nss3/utilparst.h
+%{_includedir}/nss3/utilrename.h
+%{_includedir}/nss3/templates/templates.c
+
+%files softokn
+%if %{with dbm}
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%endif
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+# shared with nss-tools
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-freebl
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
+#shared
+%dir %{dracut_modules_dir}
+%{dracut_modules_dir}/module-setup.sh
+%{dracut_conf_dir}/50-nss-softokn.conf
+
+%files softokn-freebl-devel
+%{_libdir}/libfreebl.a
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/cmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+
+%files softokn-devel
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+#
+# The following headers are those exported public in
+# nss/lib/freebl/manifest.mn and
+# nss/lib/softoken/manifest.mn
+#
+# The following list is short because many headers, such as
+# the pkcs #11 ones, have been provided by nss-util-devel
+# which installed them before us.
+#
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
+
+%files -n nspr
+%{!?_licensedir:%global license %%doc}
+%license nspr/LICENSE
+%{_libdir}/libnspr4.so
+%{_libdir}/libplc4.so
+%{_libdir}/libplds4.so
+
+%files -n nspr-devel
+%{_includedir}/nspr4
+%{_libdir}/pkgconfig/nspr.pc
+%{_bindir}/nspr-config
+%doc %{_mandir}/man1/nspr-config.*
+
+
+%changelog
+* Wed Feb 16 2022 Bob Relyea - 3.71.0-7
+- Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
+ on long passwords.
+
+* Wed Jan 26 2022 Bob Relyea - 3.71.0-6
+- update pkcs12 documentation to include camellia
+- turn on lto
+
+* Wed Jan 12 2022 Bob Relyea - 3.71.0-5
+- remove old dbm files from the build
+
+* Wed Dec 1 2021 Bob Relyea - 3.71.0-2
+- Fix CVE-2021-43527
+
+* Tue Oct 19 2021 Bob Relyea - 3.71.0-2
+- make sure validation is built
+- fix syntax on FIPS module name
+
+* Tue Oct 5 2021 Bob Relyea - 3.71.0-1
+- rebase to NSS-3.71
+
+* Wed Aug 25 2021 Bob Relyea - 3.67.0-13
+- rebuild to clear gating.yaml test
+
+* Thu Aug 19 2021 Bob Relyea - 3.67.0-12
+- pick up nspr 3.2 for Firefox 92
+
+* Thu Aug 12 2021 Florian Weimer - 3.67.0-11
+- Change release number to correct cross-package dependencies (#1991688)
+
+* Mon Aug 09 2021 Mohan Boddu
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Thu Jul 8 2021 Bob Relyea - 3.67.0-8
+- fix relro support in nspr part of build
+
+* Tue Jul 6 2021 Bob Relyea - 3.67.0-7
+- fix ssl alert regressions
+
+* Fri Jul 2 2021 Bob Relyea - 3.67.0-6
+- bump the nspr release number
+
+* Thu Jul 1 2021 Bob Relyea - 3.67.0-5
+- fix error when trying to read keys from updated databases when updated
+ from unpatched versions of NSS (like on fedora or upstream).
+- fix spelling of LD_OPTFLAGS which prevents relro from working.
+
+* Fri Jun 18 2021 Bob Relyea - 3.67.0-4
+- update nspr man page files to only pick up nspr man pages
+
+* Fri Jun 18 2021 Bob Relyea - 3.67.0-3
+- Update NSS to 3.67
+- Update NSPR to 2.31
+- pick up rhel coverity patches which have not yet been pushed upstream.
+
+* Fri Apr 16 2021 Bob Relyea - 3.63.0-3
+ - prevent MD5 from being enabled even with the environment variables
+ and policy. This mirrors the rhel8 semantics.
+ - add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
+
+* Fri Apr 16 2021 Mohan Boddu - 3.63.0-2
+ - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Mar 24 2021 Bob Relyea - 3.63.0-1
+- Update NSS to 3.62
+- Update NSPR to 2.30
+
+* Tue Feb 23 2021 Bob Relyea - 3.62.0-1
+- Update to 3.62
+
+* Mon Feb 01 2021 Kalev Lember - 3.60.1-5
+- Rebuild to fix broken nspr dependencies
+
+* Tue Jan 26 2021 Fedora Release Engineering - 3.60.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Bob Relyea - 3.60.1-2
+- Update nspr release number
+
+* Fri Jan 22 2021 Bob Relyea - 3.60.1-2
+- Update requires so that we get the correct crypto policies
+ (or all RSA and ECDSA signatures wil fail)
+
+* Thu Jan 21 2021 Bob Relyea - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
+* Fri Dec 11 2020 Bob Relyea - 3.59.0-2
+- Work around btrfs/sqlite bug
+- Disable new policy entries until crypto-polices has been updated
+
+* Thu Dec 10 2020 Daiki Ueno - 3.59.0-1
+- Update to NSS 3.59
+- Remove unused quilt BR
+
+* Sat Nov 7 2020 Daiki Ueno - 3.58.0-8
+- Replace %%{version} references in %%build with %%{nss_version}, suggested by Dmitry Butskoy in bz#1895447
+
+* Fri Oct 30 2020 Daiki Ueno - 3.58.0-7
+- Use the lockstep release numbering for both nspr and nss
+
+* Thu Oct 29 2020 Jeff Law - 3.58.0-6
+- Disable -Warray-parameter warning for gcc-11
+
+* Tue Oct 27 2020 Daiki Ueno - 3.58.0-5
+- Consolidate NSPR package with this package
+
+* Mon Oct 26 2020 Bob Relyea - 3.58.0-4
+- fix pkix ocsp to tolerate OCSP checking on intermediates
+ when the root is signed by sha1 and sha1 is disabled by
+ policy
+
+* Mon Oct 26 2020 Daiki Ueno - 3.58.0-3
+- Revert the last change, always tolerate the first CCS in TLS 1.3
+
+* Thu Oct 22 2020 Daiki Ueno - 3.58.0-2
+- Enable TLS 1.3 middlebox compatibility mode by default
+
+* Tue Oct 20 2020 Daiki Ueno - 3.58.0-1
+- Update to NSS 3.58
+
+* Sat Sep 19 2020 Daiki Ueno - 3.57.0-1
+- Update to NSS 3.57
+
+* Mon Aug 24 2020 Daiki Ueno - 3.56.0-1
+- Update to NSS 3.56
+
+* Thu Aug 13 2020 Daiki Ueno - 3.55.0-3
+- Fix DBM backend disablement
+- Add scriptlet to auto-migrated known database locations
+
+* Sat Aug 8 2020 Daiki Ueno - 3.55.0-2
+- Disable LTO
+
+* Sun Aug 2 2020 Daiki Ueno - 3.55.0-1
+- Update to NSS 3.55
+- Disable building DBM backend
+
+* Sat Aug 01 2020 Fedora Release Engineering - 3.54.0-3
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering - 3.54.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 15 2020 Daiki Ueno - 3.54.0-1
+- Update to NSS 3.54
+
+* Thu Jun 4 2020 Bob Relyea - 3.53.0-2
+- Fix non-strict prototype in pk11pub.h
+
+* Mon Jun 1 2020 Daiki Ueno - 3.53.0-1
+- Update to NSS 3.53
+
+* Wed May 13 2020 Bob Relyea - 3.52.0-2
+- Delay CK_GCM_PARAMS semantics until fedora 34
+
+* Mon May 11 2020 Daiki Ueno - 3.52.0-1
+- Update to NSS 3.52
+
+* Sat Apr 25 2020 Daiki Ueno - 3.51.1-2
+- Temporarily revert DBM disablement for kernel build failure (#1827902)
+
+* Mon Apr 20 2020 Daiki Ueno - 3.51.1-1
+- Update to NSS 3.51.1
+- Disable building DBM backend
+
+* Tue Apr 7 2020 Daiki Ueno - 3.51.0-1
+- Update to NSS 3.51
+
+* Thu Mar 26 2020 Tom Stellard - 3.50.0-3
+- Use __make macro to invoke make
+
+* Thu Mar 5 2020 Daiki Ueno - 3.50.0-2
+- Apply CMAC fixes from upstream
+
+* Mon Feb 17 2020 Daiki Ueno - 3.50.0-1
+- Update to NSS 3.50
+
+* Fri Feb 14 2020 Daiki Ueno - 3.49.2-3
+- Ignore false-positive compiler warnings with gcc 10
+- Fix build with gcc 10
+
+* Wed Jan 29 2020 Fedora Release Engineering - 3.49.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 27 2020 Daiki Ueno - 3.49.2-1
+- Update to NSS 3.49.2
+- Don't enable TLS 1.3 by default (#1794814)
+
+* Fri Jan 10 2020 Daiki Ueno - 3.49.0-1
+- Update to NSS 3.49
+- Fix build on armv7hl with the patch proposed in upstream
+
+* Fri Jan 3 2020 Daiki Ueno - 3.48.0-1
+- Update to NSS 3.48
+
+* Tue Dec 3 2019 Daiki Ueno - 3.47.1-4
+- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
+
+* Tue Dec 3 2019 Daiki Ueno - 3.47.1-3
+- Update nss-3.47-certdb-temp-cert.patch to the final version
+
+* Thu Nov 28 2019 Daiki Ueno - 3.47.1-2
+- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
+
+* Fri Nov 22 2019 Daiki Ueno - 3.47.1-1
+- Update to NSS 3.47.1
+
+* Mon Nov 4 2019 Bob Relyea - 3.47.0-3
+- Include ike mechanism fix
+
+* Wed Oct 23 2019 Daiki Ueno - 3.47.0-2
+- Install cmac.h required by blapi.h (#1764513)
+
+* Tue Oct 22 2019 Daiki Ueno - 3.47.0-1
+- Update to NSS 3.47
+
+* Mon Oct 21 2019 Daiki Ueno - 3.46.1-1
+- Update to NSS 3.46.1
+
+* Tue Sep 3 2019 Daiki Ueno - 3.46.0-1
+- Update to NSS 3.46
+
+* Thu Aug 29 2019 Daiki Ueno - 3.45.0-1
+- Update to NSS 3.45
+
+* Thu Jul 25 2019 Fedora Release Engineering - 3.44.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Jul 2 2019 Daiki Ueno - 3.44.1-1
+- Update to NSS 3.44.1
+
+* Mon May 20 2019 Daiki Ueno - 3.44.0-2
+- Skip TLS 1.3 tests under FIPS mode
+
+* Fri May 17 2019 Daiki Ueno - 3.44.0-1
+- Update to NSS 3.44
+
+* Mon May 6 2019 Daiki Ueno - 3.43.0-3
+- Fix PKCS#11 module leak if C_GetSlotInfo() failed
+
+* Tue Mar 26 2019 Elio Maldonado - 3.43.0-2
+- Update %%{nspr_version} to 4.21.0 and remove obsolete comment
+
+* Thu Mar 21 2019 Daiki Ueno - 3.43.0-1
+- Update to NSS 3.43
+
+* Mon Feb 11 2019 Daiki Ueno - 3.42.1-1
+- Update to NSS 3.42.1
+
+* Fri Feb 8 2019 Daiki Ueno - 3.42.0-1
+- Update to NSS 3.42
+
+* Fri Feb 8 2019 Daiki Ueno - 3.41.0-5
+- Simplify test failure detection in %%check
+
+* Fri Feb 01 2019 Fedora Release Engineering - 3.41.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 11 2019 Daiki Ueno - 3.41.0-3
+- Remove prelink.conf as prelink was removed in F24, suggested by
+ Harald Reindl
+- Use quilt for %%autopatch
+- Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
+- Silence %%post/%%postun scriptlets, suggested by Ian Collier
+
+* Mon Dec 10 2018 Daiki Ueno - 3.41.0-1
+- Update to NSS 3.41
+
+* Thu Dec 6 2018 Daiki Ueno - 3.40.1-3
+- Remove unnecessary patches
+
+* Thu Dec 6 2018 Daiki Ueno - 3.40.1-2
+- Update to NSS 3.40.1
+
+* Wed Nov 14 2018 Daiki Ueno - 3.39.0-4
+- Consolidate nss-util, nss-softokn, and nss into a single package
+- Fix FTBFS with expired test certs
+- Modernize spec file based on the suggestion from Robert-André Mauchin
+
+* Thu Sep 13 2018 Daiki Ueno - 3.39.0-3
+- Fix LDFLAGS injection
+
+* Mon Sep 3 2018 Daiki Ueno - 3.39.0-2
+- Update to NSS 3.39
+- Use the upstream tarball as it is (rhbz#1578106)
+- Allow SSLKEYLOGFILE (rhbz#1620207)
+
+* Fri Jul 20 2018 Kai Engert - 3.38.0-4
+- Backport upstream addition of nss-policy-check utility, rhbz#1428746
+
+* Fri Jul 13 2018 Fedora Release Engineering - 3.38.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jul 2 2018 Daiki Ueno - 3.38.0-2
+- Update to NSS 3.38
+- Install crypto-policies configuration file for
+ https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
+- Use %%ldconfig_scriptlets
+
+* Wed Jun 6 2018 Daiki Ueno - 3.37.3-3
+- Backport fix for handling DTLS application_data before handshake
+
+* Tue Jun 5 2018 Daiki Ueno - 3.37.3-2
+- Update to NSS 3.37.3
+
+* Mon May 28 2018 Daiki Ueno - 3.37.1-2
+- Update to NSS 3.37.1
+- Temporarily disable AlertBeforeServerHello test
+
+* Wed May 02 2018 Kai Engert - 3.36.1-3
+- Upstream patch to keep nicknames stable on repeated certificate
+ import into SQL DB, mozbz#1458518
+
+* Wed Apr 11 2018 Daiki Ueno - 3.36.1-2
+- Update to NSS 3.36.1
+
+* Mon Mar 12 2018 Daiki Ueno - 3.36.0-3
+- Remove nss-3.14.0.0-disble-ocsp-test.patch
+- Remove obsolete Conflicts
+- Fix partial injection of LDFLAGS
+
+* Fri Mar 9 2018 Daiki Ueno - 3.36.0-2
+- Update to NSS 3.36.0
+- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
+- Remove NSS_NO_PKCS11_BYPASS, which is no-op in upstream
+- Make test failure detection robuster
+
+* Thu Feb 08 2018 Fedora Release Engineering - 3.35.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 29 2018 Kai Engert - 3.35.0-4
+- Fix a compiler error with gcc 8, mozbz#1434070
+- Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check.
+
+* Mon Jan 29 2018 Kai Engert - 3.35.0-3
+- Stop pulling in nss-pem automatically, packages that need it should
+ depend on it, rhbz#1539401
+
+* Tue Jan 23 2018 Daiki Ueno - 3.35.0-2
+- Update to NSS 3.35.0
+
+* Tue Nov 14 2017 Daiki Ueno - 3.34.0-2
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno - 3.33.0-6
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+
+* Wed Nov 8 2017 Kai Engert - 3.33.0-5
+- Fix test script
+
+* Tue Nov 7 2017 Kai Engert - 3.33.0-4
+- Update tests to be compatible with default NSS DB changed to sql
+ (the default was changed in the nss-util package).
+
+* Tue Oct 24 2017 Kai Engert - 3.33.0-3
+- rhbz#1505487, backport upstream fixes required for rhbz#1496560
+
+* Tue Oct 3 2017 Daiki Ueno - 3.33.0-2
+- Update to NSS 3.33.0
+
+* Fri Sep 15 2017 Daiki Ueno - 3.32.1-2
+- Update to NSS 3.32.1
+
+* Wed Sep 6 2017 Daiki Ueno - 3.32.0-4
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Wed Aug 23 2017 Kai Engert - 3.32.0-3
+- NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449
+
+* Mon Aug 7 2017 Daiki Ueno - 3.32.0-2
+- Update to NSS 3.32.0
+
+* Thu Aug 03 2017 Fedora Release Engineering - 3.31.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 3.31.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 18 2017 Daiki Ueno - 3.31.0-4
+- Backport mozbz#1381784 to avoid deadlock in dnf
+
+* Thu Jul 13 2017 Daiki Ueno - 3.31.0-3
+- Move signtool to %%_libdir/nss/unsupported-tools, for:
+ https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation
+
+* Wed Jun 21 2017 Daiki Ueno - 3.31.0-2
+- Rebase to NSS 3.31.0
+
+* Fri Jun 2 2017 Daiki Ueno - 3.30.2-3
+- Enable gtests
+
+* Mon Apr 24 2017 Daiki Ueno - 3.30.2-2
+- Rebase to NSS 3.30.2
+- Enable TLS 1.3
+
+* Thu Mar 30 2017 Kai Engert - 3.30.0-3
+- Backport upstream mozbz#1328318 to support crypto policy FUTURE.
+
+* Tue Mar 21 2017 Daiki Ueno - 3.30.0-2
+- Rebase to NSS 3.30.0
+- Remove upstreamed patches
+
+* Thu Mar 02 2017 Kai Engert - 3.29.1-3
+- Backport mozbz#1334976 and mozbz#1336487.
+
+* Fri Feb 17 2017 Daiki Ueno - 3.29.1-2
+- Rebase to NSS 3.29.1
+
+* Thu Feb 9 2017 Daiki Ueno - 3.29.0-3
+- Disable TLS 1.3, following the upstream change
+
+* Wed Feb 8 2017 Daiki Ueno - 3.29.0-2
+- Rebase to NSS 3.29.0
+- Suppress -Werror=int-in-bool-context warnings with GCC7
+
+* Mon Jan 23 2017 Daiki Ueno - 3.28.1-6
+- Work around pkgconfig -> pkgconf transition issue (releng#6597)
+
+* Fri Jan 20 2017 Daiki Ueno - 3.28.1-5
+- Disable TLS 1.3
+- Add "Conflicts" with packages using older Mozilla codebase, which is
+ not compatible with NSS 3.28.1
+- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream
+
+* Tue Jan 17 2017 Daiki Ueno - 3.28.1-4
+- Add "Conflicts" with older firefox packages which don't have support
+ for smaller curves added in NSS 3.28.1
+
+* Fri Jan 13 2017 Daiki Ueno - 3.28.1-3
+- Fix incorrect version specification in %%nss_{util,softokn}_version,
+ pointed by Elio Maldonado
+
+* Fri Jan 6 2017 Daiki Ueno - 3.28.1-2
+- Rebase to NSS 3.28.1
+- Remove upstreamed patch for disabling RSA-PSS
+- Re-enable TLS 1.3
+
+* Wed Nov 30 2016 Daiki Ueno - 3.27.2-2
+- Rebase to NSS 3.27.2
+
+* Tue Nov 15 2016 Daiki Ueno - 3.27.0-5
+- Revert the previous fix for RSA-PSS and use the upstream fix instead
+
+* Wed Nov 02 2016 Kai Engert - 3.27.0-4
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
+* Sun Oct 2 2016 Daiki Ueno - 3.27.0-3
+- Disable TLS 1.3 for now, to avoid reported regression with TLS to
+ version intolerant servers
+
+* Thu Sep 29 2016 Daiki Ueno - 3.27.0-2
+- Rebase to NSS 3.27.0
+- Remove upstreamed ectest patch
+
+* Mon Aug 8 2016 Daiki Ueno - 3.26.0-2
+- Rebase to NSS 3.26.0
+- Update check policy file patch to better match what was upstreamed
+- Remove conditionally ignore system policy patch as it has been upstreamed
+- Skip ectest as well as ecperf, which are built as part of nss-softokn
+- Fix rpmlint error regarding %%define usage
+
+* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6
+- Incorporate some changes requested in upstream review and commited upstream (#1157720)
+
+* Fri Jul 01 2016 Elio Maldonado - 3.25.0-5
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+
+* Tue Jun 28 2016 Elio Maldonado - 3.25.0-4
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+
+* Sun Jun 26 2016 Elio Maldonado - 3.25.0-3
+- Cleanup spec file and patches and add references to bugs filed upstream
+
+* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2
+- Rebase to nss 3.25
+
+* Thu Jun 16 2016 Kamil Dudka - 3.24.0-3
+- decouple nss-pem from the nss package (#1347336)
+
+* Fri Jun 03 2016 Elio Maldonado - 3.24.0-2.3
+- Apply the patch that was last introduced
+- Renumber and reorder some of the patches
+- Resolves: Bug 1342158
+
+* Thu Jun 02 2016 Elio Maldonado - 3.24.0-2.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+
+* Sun May 29 2016 Elio Maldonado - 3.24.0-2.1
+- Rebase to NSS 3.24.0
+- Restore setting the policy file location
+- Make ssl tests scripts aware of policy
+- Ajust tests data expected result for policy
+
+* Tue May 24 2016 Elio Maldonado - 3.24.0-2.0
+- Bootstrap build to rebase to NSS 3.24.0
+- Temporarily not setting the policy file location
+
+* Thu May 12 2016 Elio Maldonado - 3.23.0-9
+- Change POLICY_FILE to "nss.config"
+
+* Fri Apr 22 2016 Elio Maldonado - 3.23.0-8
+- Change POLICY_FILE to "nss.cfg"
+
+* Wed Apr 20 2016 Elio Maldonado - 3.23.0-7
+- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
+- Regenerate the check policy patch with hg to provide more context
+
+* Thu Apr 14 2016 Elio Maldonado - 3.23.0-6
+- Fix typo in the last %%changelog entry
+
+* Thu Mar 24 2016 Elio Maldonado - 3.23.0-5
+- Load policy file if /etc/pki/nssdb/policy.cfg exists
+- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy
+
+* Tue Mar 08 2016 Elio Maldonado - 3.23.0-4
+- Remove unused patch rendered obsolete by pem update
+
+* Tue Mar 08 2016 Elio Maldonado - 3.23.0-3
+- Update pem sources to latest from nss-pem upstream
+- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
+
+* Sat Mar 05 2016 Elio Maldonado - 3.23.0-2
+- Rebase to NSS 3.23
+
+* Sat Feb 27 2016 Elio Maldonado - 3.22.2-2
+- Rebase to NSS 3.22.2
+
+* Tue Feb 23 2016 Elio Maldonado - 3.22.1-3
+- Fix ssl2/exp test disabling to run all the required tests
+
+* Sun Feb 21 2016 Elio Maldonado - 3.22.1-1
+- Rebase to NSS 3.22.1
+
+* Mon Feb 08 2016 Elio Maldonado - 3.22.0-3
+- Update .gitignore as part of updating to nss 3.22
+
+* Mon Feb 08 2016 Elio Maldonado - 3.22.0-2
+- Update to NSS 3.22
+
+* Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Elio Maldonado - 3.21.0-6
+- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
+- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
+- Use %%define when specifying the nss_tests to run
+
+* Wed Dec 30 2015 Michal Toman - 3.21.0-5
+- Add 64-bit MIPS to multilib arches
+
+* Fri Nov 20 2015 Elio Maldonado - 3.21.0-4
+- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
+- Resolves: Bug 1284095 - all https fails with sec_error_no_token
+
+* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3
+- Add references to bugs filed upstream
+
+* Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2
+- Update to NSS 3.21
+- Package listsuites as part of the unsupported tools set
+- Resolves: Bug 1279912 - nss-3.21 is available
+- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
+- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
+
+* Fri Oct 30 2015 Elio Maldonado - 3.20.1-2
+- Update to NSS 3.20.1
+
+* Wed Sep 30 2015 Elio Maldonado - 3.20.0-6
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+- Remove unused patches rendered obsolete by prior rebase
+
+* Wed Sep 16 2015 Elio Maldonado - 3.20.0-5
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Implement corrections requested in code review
+
+* Tue Sep 15 2015 Elio Maldonado - 3.20.0-4
+- Enable ECC cipher-suites by default [hrbz#1185708]
+
+* Mon Sep 14 2015 Elio Maldonado - 3.20.0-3
+- Fix patches that disable ssl2 and export cipher suites support
+- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
+- Fix syntax errors in patch to skip ssl2 and export cipher suite tests
+- Turn ssl2 off by default in the tstclnt tool
+- Disable ssl stress tests containing TLS RC4 128 with MD5
+
+* Thu Aug 20 2015 Elio Maldonado - 3.20.0-2
+- Update to NSS 3.20
+
+* Sat Aug 08 2015 Elio Maldonado - 3.19.3-2
+- Update to NSS 3.19.3
+
+* Fri Jun 26 2015 Elio Maldonado - 3.19.2-3
+- Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers
+
+* Wed Jun 17 2015 Kai Engert - 3.19.2-2
+- Update to NSS 3.19.2
+
+* Thu May 28 2015 Kai Engert - 3.19.1-2
+- Update to NSS 3.19.1
+
+* Tue May 19 2015 Kai Engert - 3.19.0-2
+- Update to NSS 3.19
+
+* Fri May 15 2015 Kai Engert - 3.18.0-2
+- Replace expired test certificates, upstream bug 1151037
+
+* Thu Mar 19 2015 Elio Maldonado - 3.18.0-1
+- Update to nss-3.18.0
+- Resolves: Bug 1203689 - nss-3.18 is available
+
+* Tue Mar 03 2015 Elio Maldonado - 3.17.4-5
+- Disable export suites and SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Sat Feb 21 2015 Till Maas - 3.17.4-4
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Tue Feb 10 2015 Elio Maldonado - 3.17.4-3
+- Commented out the export NSS_NO_SSL2=1 line to not disable ssl2
+- Backing out from disabling ssl2 until the patches are fixed
+
+* Mon Feb 09 2015 Elio Maldonado - 3.17.4-2
+- Disable SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1
+- Update to nss-3.17.4
+
+* Sat Jan 24 2015 Ville Skyttä - 3.17.3-4
+- Own the %%{_datadir}/doc/nss-tools dir
+
+* Tue Dec 16 2014 Elio Maldonado - 3.17.3-3
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
+- Use %%{_mandir} instead of /usr/share/man as more generic
+
+* Mon Dec 15 2014 Elio Maldonado - 3.17.3-2
+- Install pp man page in alternative location
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+
+* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1
+- Update to nss-3.17.3
+- Resolves: Bug 1171012 - nss-3.17.3 is available
+
+* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2
+- Resolves: Bug 994599 - Enable TLS 1.2 by default
+
+* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1
+- Update to nss-3.17.2
+
+* Wed Sep 24 2014 Kai Engert - 3.17.1-1
+- Update to nss-3.17.1
+- Add a mechanism to skip test suite execution during development work
+
+* Thu Aug 21 2014 Kevin Fenzi - 3.17.0-2
+- Rebuild for rpm bug 1131960
+
+* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1
+- Update to nss-3.17.0
+
+* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Elio Maldonado - 3.16.2-3
+- Replace expired PayPal test cert with current one to prevent build failure
+
+* Fri Jul 18 2014 Tom Callaway - 3.16.2-2
+- fix license handling
+
+* Sun Jun 29 2014 Elio Maldonado - 3.16.2-1
+- Update to nss-3.16.2
+
+* Sun Jun 15 2014 Elio Maldonado - 3.16.1-4
+- Remove unwanted source directories at end of %%prep so it truly does it
+- Skip the cipher suite already run as part of the nss-softokn build
+
+* Sat Jun 07 2014 Fedora Release Engineering - 3.16.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon May 12 2014 Jaromir Capik - 3.16.1-2
+- Replacing ppc64 and ppc64le with the power64 macro
+- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
+
+* Tue May 06 2014 Elio Maldonado - 3.16.1-1
+- Update to nss-3.16.1
+- Update the iquote patch on account of the rebase
+- Improve error detection in the %%section
+- Resolves: Bug 1094702 - nss-3.16.1 is available
+
+* Tue Mar 18 2014 Elio Maldonado - 3.16.0-1
+- Update to nss-3.16.0
+- Cleanup the copying of the tools man pages
+- Update the iquote.patch on account of the rebase
+
+* Tue Mar 04 2014 Elio Maldonado - 3.15.5-2
+- Restore requiring nss_softokn_version >= 3.15.5
+
+* Wed Feb 19 2014 Elio Maldonado - 3.15.5-1
+- Update to nss-3.15.5
+- Temporarily requiring only nss_softokn_version >= 3.15.4
+- Fix location of sharedb files and their manpages
+- Move cert9.db, key4.db, and pkcs11.txt to the main package
+- Move nss-sysinit manpages tar archives to the main package
+- Resolves: Bug 1066877 - nss-3.15.5 is available
+- Resolves: Bug 1067091 - Move sharedb files to the %%files section
+
+* Thu Feb 06 2014 Elio Maldonado - 3.15.4-5
+- Revert previous change that moved some sysinit manpages
+- Restore nss-sysinit manpages tar archives to %%files sysinit
+- Removing spurious wildcard entry was the only change needed
+
+* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4
+- Add explanatory comments for iquote.patch as was done on f20
+
+* Sat Jan 25 2014 Elio Maldonado - 3.15.4-3
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem fixes verified on RHEL and applied upstream
+- Fix a problem where same files in two rpms created rpm conflict
+- Move some nss-sysinit manpages tar archives to the %%files the
+- All man pages are listed by name so there shouldn't be wildcard inclusion
+- Add support for ppc64le, Resolves: Bug 1052545
+
+* Mon Jan 20 2014 Peter Robinson 3.15.4-2
+- ARM tests pass so remove ARM conditional
+
+* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1
+- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
+- Resolves: Bug 1049229 - nss-3.15.4 is available
+- Update pem sources to latest from the interim upstream for pem
+- Remove no longer needed patches
+- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
+- Update iquote.patch on account of upstream changes
+
+* Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1
+- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
+- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
+- Resolves: Bug 1040192 - nss-3.15.3.1 is available
+
+* Tue Dec 03 2013 Elio Maldonado - 3.15.3-2
+- Bump the release tag
+
+* Sun Nov 24 2013 Elio Maldonado - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
+- Fix option descriptions for setup-nsssysinit manpage
+- Fix man page of nss-sysinit wrong path and other flaws
+- Document email option for certutil manpage
+- Remove unused patches
+
+* Sun Oct 27 2013 Elio Maldonado - 3.15.2-3
+- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
+
+* Wed Oct 23 2013 Elio Maldonado - 3.15.2-2
+- Use the full sources from upstream
+- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
+
+* Thu Sep 26 2013 Elio Maldonado - 3.15.2-1
+- Update to NSS_3_15_2_RTM
+- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+
+* Wed Aug 28 2013 Elio Maldonado - 3.15.1-7
+- Update pem sources to pick up a patch applied upstream which a faulty merge had missed
+- The pem module should not require unique file basenames
+
+* Tue Aug 27 2013 Elio Maldonado - 3.15.1-6
+- Update pem sources to the latest from interim upstream
+
+* Mon Aug 19 2013 Elio Maldonado - 3.15.1-5
+- Resolves: rhbz#996639 - Minor bugs in nss man pages
+- Fix some typos and improve description and see also sections
+
+* Sun Aug 11 2013 Elio Maldonado - 3.15.1-4
+- Cleanup spec file to address most rpmlint errors and warnings
+- Using double percent symbols to fix macro-in-comment warnings
+- Ignore unversioned-explicit-provides nss-system-init per spec comments
+- Ignore invalid-url Source0 as it comes from the git lookaside cache
+- Ignore invalid-url Source12 as it comes from the git lookaside cache
+
+* Thu Jul 25 2013 Elio Maldonado - 3.15.1-3
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Resolves: rhbz#985114 - Provide man pages for the nss configuration files
+
+* Fri Jul 19 2013 Elio Maldonado - 3.15.1-2
+- Fix errors in the man pages
+- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
+- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado - 3.15.1-1
+- Update to NSS_3_15_1_RTM
+- Enable the iquote.patch to access newly introduced types
+
+* Wed Jun 19 2013 Elio Maldonado - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Wed Apr 24 2013 Elio Maldonado - 3.15-0.1.beta1.2
+- Fix incorrect path that hid failed test from view
+- Add ocsp to the test suites to run but ...
+- Temporarily disable the ocsp stapling tests
+- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
+
+* Thu Apr 04 2013 Elio Maldonado - 3.15-0.1.beta1.1
+- Update to NSS_3_15_BETA1
+- Update spec file, patches, and helper scripts on account of a shallower source tree
+
+* Sun Mar 24 2013 Kai Engert - 3.14.3-12
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado