diff --git a/.gitignore b/.gitignore
index 2f0ede0..4003a06 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,7 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
-SOURCES/nss-3.15.4.tar.gz
+SOURCES/nss-3.16.2.tar.gz
SOURCES/nss-config.xml
SOURCES/nss-pem-20140125.tar.bz2
SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index a5e8d3f..6a80d14 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,4 @@
-21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert
+084be8769682236828d8e9dc55901e53e8eb8432 SOURCES/PayPalEE.cert
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
@@ -8,7 +8,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-c164fac83fcbaff010786767e2a858ca23a89a5b SOURCES/nss-3.15.4.tar.gz
+c4e7f007723cfafcf7fe743000e3960cc5086642 SOURCES/nss-3.16.2.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index a9bc128..efbbfe8 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -1,7 +1,12 @@
-diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
---- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
-+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
-@@ -7,6 +7,10 @@ ifdef NISCC_TEST
+diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
+--- a/lib/ssl/config.mk
++++ b/lib/ssl/config.mk
+@@ -2,16 +2,20 @@
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
@@ -12,64 +17,111 @@ diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
-diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
---- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
-+++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
-@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- break;
+ CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
+
+ EXTRA_LIBS += \
+ $(CRYPTOLIB) \
+ $(NULL)
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
+ }
+ break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2
-+ if (on) {
-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+ rv = SECFailure; /* not allowed */
-+ }
-+ break;
-+ ss->opt.enableSSL2 = on;
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ }
++ break;
++ ss->opt.enableSSL2 = on;
+#else
if (IS_DTLS(ss)) {
- if (on) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- if (on) {
- ss->opt.v2CompatibleHello = on;
- }
-+#endif
- ss->preferredCipher = NULL;
- if (ss->cipherSpecs) {
- PORT_Free(ss->cipherSpecs);
-@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- break;
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ss->opt.enableSSL2 = on;
+@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->opt.v2CompatibleHello = on;
+ }
+ ss->preferredCipher = NULL;
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+ ss->cipherSpecs = NULL;
+ ss->sizeCipherSpecs = 0;
+ }
++#endif /* NSS_NO_SSL2 */
+ break;
+
+ case SSL_NO_CACHE:
+ ss->opt.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ss->opt.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ }
+ ss->opt.fdx = on;
+ break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2
-+ if (on) {
-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+ rv = SECFailure; /* not allowed */
-+ break;
-+ }
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ break;
++ }
+#else
if (IS_DTLS(ss)) {
- if (on) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- }
- break;
- }
-+#endif
- ss->opt.v2CompatibleHello = on;
- if (!on) {
- ss->opt.enableSSL2 = on;
-@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ss->opt.v2CompatibleHello = on;
+ if (!on) {
+ ss->opt.enableSSL2 = on;
+ }
++#endif /* NSS_NO_SSL2 */
+ break;
+
+ case SSL_ROLLBACK_DETECTION:
+ ss->opt.detectRollBack = on;
+ break;
+
+ case SSL_NO_STEP_DOWN:
+ ss->opt.noStepDown = on;
+@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
+
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
if (ssl_IsRemovedCipherSuite(which)) {
- rv = SECSuccess;
+ rv = SECSuccess;
} else if (SSL_IS_SSL2_CIPHER(which)) {
+#ifdef NSS_NO_SSL2
-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
-+ rv = SECFailure; /* not allowed */
++ rv = SSL_ERROR_SSL2_DISABLED;
+#else
- rv = ssl2_SetPolicy(which, policy);
-+#endif
+ rv = ssl2_SetPolicy(which, policy);
++#endif /* NSS_NO_SSL2 */
} else {
- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+ rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
}
+ return rv;
+ }
+
+ SECStatus
+ SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
+
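Review bot: In the nested `SSL_CipherPolicySet` hunk, the NSS_NO_SSL2 branch now does `rv = SSL_ERROR_SSL2_DISABLED;`, which stores an error code in the variable the function returns as its status (presumably a SECStatus). The previous revision of this patch called `PORT_SetError(SSL_ERROR_SSL2_DISABLED);` and set `rv = SECFailure; /* not allowed */`, matching the two `SSL_OptionSet` cases above it. As written, a caller that compares the result with `SECFailure` would not see the rejection of an SSL2 cipher policy, and the error is no longer recorded through `PORT_SetError`; I would restore those two lines. Separately, under `case SSL_ENABLE_SSL2:` the `ss->opt.enableSSL2 = on;` that follows `break;` inside the `#ifdef NSS_NO_SSL2` arm is unreachable and can be dropped.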
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
index bf0adcb..c8a0ce0 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -1,13 +1,289 @@
-diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
---- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700
-+++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800
-@@ -278,6 +278,9 @@ ssl_cov()
+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
+--- a/tests/ssl/ssl.sh
++++ b/tests/ssl/ssl.sh
+@@ -57,18 +57,23 @@ ssl_init()
+ fi
+
+ PORT=${PORT-8443}
+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
+ nss_ssl_run="stapling cov auth stress"
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+- SSLCOV=${QADIR}/ssl/sslcov.txt
++ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \
++ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \
++ || ${QADIR}/ssl/sslcov.txt
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
++ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \
++ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \
++ || ${QADIR}/ssl/sslstress.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+ #temparary files
+ SERVEROUTFILE=${TMP}/tests_server.$$
+ SERVERPID=${TMP}/tests_pid.$$
+
+ R_SERVERPID=../tests_pid.$$
+@@ -115,17 +120,21 @@ is_selfserv_alive()
+ if [ "${OS_ARCH}" = "WINNT" ] && \
+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
+ PID=${SHELL_SERVERPID}
+ else
+ PID=`cat ${SERVERPID}`
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
++ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++ echo "No server to kill"
++ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
++ fi
+
+ echo "selfserv with PID ${PID} found at `date`"
+ }
+
+ ########################### wait_for_selfserv ##########################
+ # local shell function to wait until selfserver is running and initialized
+ ########################################################################
+ wait_for_selfserv()
+@@ -138,17 +147,21 @@ wait_for_selfserv()
+ if [ $? -ne 0 ]; then
+ sleep 5
+ echo "retrying to connect to selfserv at `date`"
+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
+ echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++ html_passed "Server never started"
++ else
+ html_failed "Waiting for Server"
++ fi
+ fi
+ fi
+ is_selfserv_alive
+ }
+
+ ########################### kill_selfserv ##############################
+ # local shell function to kill the selfserver after the tests are done
+ ########################################################################
+@@ -273,16 +286,19 @@ ssl_cov()
+ exec < ${SSLCOV}
+ while read ectype testmax param testname
+ do
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
echo "${testname}" | grep "SSL2" > /dev/null
SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2
-+ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
+
if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2
SSL2_FLAGS=-O
+ VMIN="ssl2"
+ else
+ # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
+ # default in libssl but it is enabled by default in tstclnt; we want
+ # to test the libssl default whenever possible.
+diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt
+new file mode 100644
+--- /dev/null
++++ b/tests/ssl/sslcov.noSSL2orExport.txt
+@@ -0,0 +1,134 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++#
++# This file enables test coverage of the various SSL ciphers
++#
++# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We
++# mix up the enable functions so we can tests boths paths.
++#
++# Enable Enable Cipher Test Name
++# EC TLS
++#
++#
++ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5
++ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA
++ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA
++ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5
++ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
++ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA
++ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA
++ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA
++ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA
++ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA
++# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
++# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
++#
++ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5
++ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA
++ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA
++ noECC TLS10 i TLS_RSA_WITH_NULL_MD5
++ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
++ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA
++ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA
++ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA
++ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA
++ noECC TLS10 z TLS_RSA_WITH_NULL_SHA
++# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
++# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
++#
++#
++ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5
++ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA
++ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA
++ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5
++ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
++ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA
++ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA
++ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA
++ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA
++ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA
++#
++ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5
++ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA
++ noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA
++ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5
++ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
++ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA
++ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA
++ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA
++ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA
++ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA
++ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256
++ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256
++ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256
++ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256
++#
++# ECC ciphers (TLS)
++#
++ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA
++ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA
++ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA
++ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
++ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA
++ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA
++ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
++ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA
++ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA
++ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
++#
++ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA
++ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA
++ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS11 :C006 TLS11_ECDHE_ECDSA_WITH_NULL_SHA
++ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA
++ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA
++ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA
++ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA
++ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA
++ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA
++ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA
++#
++ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA
++ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA
++ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA
++ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA
++ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
++ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
++ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA
++ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA
++ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA
++ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA
++ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA
++ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
++ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA
++ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA
++ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
++ ECC TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256
++ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
++ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt
+new file mode 100644
+--- /dev/null
++++ b/tests/ssl/sslstress.noSSL2orExport.txt
+@@ -0,0 +1,53 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++#
++# This file defines the stress tests for SSL/TLS.
++#
++# expected
++# Enable return server client Test Case name
++# ECC value params params
++# ------- ------ ------ ------ ---------------
++ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
++ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
++ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
++ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
++ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
++ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
++
++#
++# add client auth versions here...
++#
++ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
++ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
++ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
++ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
++ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
++
++#
++# ############################ ECC ciphers ############################
++#
++ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse)
++ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse)
++ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse)
++ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse)
++ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse)
++ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA
++ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256
++ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA AES 128 GCM
++ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket)
++#
++# add client auth versions here...
++#
++ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth)
++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth)
++ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth)
++ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth)
++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth)
++ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth)
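Review bot: The skip test `[ -n ${EXP} -o -n ${SSL2} ]` in `ssl_cov` is always true, because EXP and SSL2 hold grep exit statuses (`EXP=$?`, `SSL2=$?`) and are never empty, so with NSS_NO_SSL2=1 every row of the coverage list hits `continue` and no cipher suite is exercised. The same test is reused in `is_selfserv_alive` and `wait_for_selfserv`, where it reports a server that never started as a pass, and the `is_selfserv_alive` line is missing its leading `if`, which is a shell syntax error. In `ssl_init`, `SSLCOV=[ ... ] && path || path` does not assign either path (the paths are run as commands), and the unchanged `SSLSTRESS=${QADIR}/ssl/sslstress.txt` line that follows overrides the new SSLSTRESS selection in any case. A possible rewrite of the selection and the skip is below; the function bodies continue outside the nested hunks.

```shell
# ssl_init(): choose the list files with a real conditional
if [ "${NSS_NO_SSL2}" = "1" ]; then
    SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
    SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
else
    SSLCOV=${QADIR}/ssl/sslcov.txt
    SSLSTRESS=${QADIR}/ssl/sslstress.txt
fi
SSLAUTH=${QADIR}/ssl/sslauth.txt
# … unchanged: REQUEST_FILE and temporary-file names …

# ssl_cov(): grep exit status 0 means the test name matched
if [ "${NSS_NO_SSL2}" = "1" ] && [ "${EXP}" -eq 0 -o "${SSL2}" -eq 0 ]; then
    continue
fi
```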
diff --git a/SOURCES/Free-dangling-reference.patch b/SOURCES/Free-dangling-reference.patch
deleted file mode 100644
index b2d3554..0000000
--- a/SOURCES/Free-dangling-reference.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
---- a/lib/pk11wrap/pk11cert.c
-+++ b/lib/pk11wrap/pk11cert.c
-@@ -976,18 +976,25 @@ PK11_ImportCert(PK11SlotInfo *slot, CERT
- cert->istemp = PR_FALSE;
- cert->isperm = PR_TRUE;
- }
-
- /* add the new instance to the cert, force an update of the
- * CERTCertificate, and finish
- */
- nssPKIObject_AddInstance(&c->object, certobj);
-+ /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
-+ * replace 'c' by a different value. So we add a reference to 'c' to
-+ * prevent 'c' from being destroyed. */
-+ nssCertificate_AddRef(c);
- nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
-+ /* XXX should we pass the original value of 'c' to
-+ * STAN_ForceCERTCertificateUpdate? */
- (void)STAN_ForceCERTCertificateUpdate(c);
-+ nssCertificate_Destroy(c);
- SECITEM_FreeItem(keyID,PR_TRUE);
- return SECSuccess;
- loser:
- CERT_MapStanError();
- SECITEM_FreeItem(keyID,PR_TRUE);
- if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
- PORT_SetError(SEC_ERROR_ADDING_CERT);
- }
diff --git a/SOURCES/cert8.db.xml b/SOURCES/cert8.db.xml
deleted file mode 100644
index e82948d..0000000
--- a/SOURCES/cert8.db.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- cert8.db
- 5
-
-
-
- cert8.db
- Legacy NSS certificate database
-
-
-
- Description
- cert8.db is an NSS certificate database.
- This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
-
-
-
-
- Files
- /etc/pki/nssdb/cert8.db
-
-
-
- See also
- cert9.db(5), key4.db(5), pkcs11.txt(5),
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
-
diff --git a/SOURCES/cert9.db.xml b/SOURCES/cert9.db.xml
deleted file mode 100644
index 6cff889..0000000
--- a/SOURCES/cert9.db.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- cert9.db
- 5
-
-
-
- cert9.db
- Legacy NSS certificate database
-
-
-
- Description
- cert9.db is an NSS certificate database.
- This certificate database is the sqlite-based shared databse with support for concurrent access.
-
-
-
-
- Files
- /etc/pki/nssdb/cert9.db
-
-
-
- See also
- pkcs11.txt(5)
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
-
diff --git a/SOURCES/dont-disable-internal-module.patch b/SOURCES/dont-disable-internal-module.patch
deleted file mode 100644
index 5d71643..0000000
--- a/SOURCES/dont-disable-internal-module.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c
---- ./nss/cmd/modutil/pk11.c.1056036 2014-02-24 15:49:00.802754246 -0800
-+++ ./nss/cmd/modutil/pk11.c 2014-02-24 15:49:00.806754285 -0800
-@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo
- PK11_GetSlotName(slot), "enabled");
- }
- } else {
-+ if (module->internal) {
-+ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
-+ "disable", PK11_GetSlotName(slot));
-+ rv = ENABLE_FAILED_ERR;
-+ goto loser;
-+ }
- if(! PK11_UserDisableSlot(slot)) {
- PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
- "disable", PK11_GetSlotName(slot));
-diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml
---- ./nss/doc/modutil.xml.1056036 2014-01-03 11:59:10.000000000 -0800
-+++ ./nss/doc/modutil.xml 2014-02-24 15:49:00.806754285 -0800
-@@ -86,7 +86,7 @@
-
-
- -disable modulename
-- Disable all slots on the named module. Use the argument to disable a specific slot.
-+ Disable all slots on the named module. Use the argument to disable a specific slot.The internal NSS PKCS #11 module cannot be disabled.
-
-
-
-diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c
---- ./nss/lib/dev/devtoken.c.1056036 2014-02-24 15:55:16.687529925 -0800
-+++ ./nss/lib/dev/devtoken.c 2014-02-24 15:56:15.720143547 -0800
-@@ -1438,6 +1438,7 @@ nssToken_IsPresent (
- NSSToken *token
- )
- {
-+ if (token == NULL) return PR_FALSE;
- return nssSlot_IsTokenPresent(token->slot);
- }
-
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 9fb7772..ba9cb71 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -35,6 +35,82 @@ diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote 2014-05-31 11:14:36.880951209 -0700
++++ ./nss/cmd/modutil/Makefile 2014-05-31 11:15:13.423253804 -0700
+@@ -41,7 +41,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote 2014-05-31 10:41:33.790380931 -0700
++++ ./nss/cmd/selfserv/Makefile 2014-05-31 10:42:12.319696191 -0700
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote 2014-05-31 10:46:19.661718435 -0700
++++ ./nss/cmd/ssltap/Makefile 2014-05-31 10:47:11.269140037 -0700
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote 2014-05-31 10:51:00.833015089 -0700
++++ ./nss/cmd/strsclnt/Makefile 2014-05-31 10:51:30.397255298 -0700
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
++++ ./nss/cmd/tstclnt/Makefile 2014-05-31 10:57:43.740326022 -0700
+@@ -42,5 +42,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (7) Execute "local" rules. (OPTIONAL). #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
++
+ include ../platrules.mk
+
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote 2014-05-31 11:00:19.522669067 -0700
++++ ./nss/cmd/vfyserv/Makefile 2014-05-31 11:00:42.954870502 -0700
+@@ -42,5 +42,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (7) Execute "local" rules. (OPTIONAL). #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
++
+ include ../platrules.mk
+
diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
--- ./nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800
+++ ./nss/coreconf/location.mk 2014-01-18 11:31:32.309404697 -0800
diff --git a/SOURCES/key3.db.xml b/SOURCES/key3.db.xml
deleted file mode 100644
index 444d7aa..0000000
--- a/SOURCES/key3.db.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- key3.db
- 5
-
-
-
- key3.db
- Legacy NSS certificate database
-
-
-
- Description
- key3.db is an NSS certificate database.
- This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
-
-
-
-
- Files
- /etc/pki/nssdb/key3.db
-
-
-
- See also
- cert9.db(5), key4.db(5), pkcs11.txt(5),
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
-
diff --git a/SOURCES/key4.db.xml b/SOURCES/key4.db.xml
deleted file mode 100644
index 9b65f41..0000000
--- a/SOURCES/key4.db.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- key4.db
- 5
-
-
-
- key4.db
- NSS certificate database
-
-
-
- Description
- key4.db is an NSS key database.
- This key database is the sqlite-based shared database format with support for concurrent access.
-
-
-
-
- Files
- /etc/pki/nssdb/key4.db
-
-
-
- See also
- pkcs11.txt(5)
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
-
diff --git a/SOURCES/manfixes.patch b/SOURCES/manfixes.patch
new file mode 100644
index 0000000..c00b1f9
--- /dev/null
+++ b/SOURCES/manfixes.patch
@@ -0,0 +1,76 @@
+diff -up doc/certutil.xml.missing_options doc/certutil.xml
+--- doc/certutil.xml.missing_options 2014-08-06 08:05:31.515329622 -0700
++++ doc/certutil.xml 2014-08-06 08:06:16.520764486 -0700
+@@ -204,6 +204,11 @@ If this option is not used, the validity
+
+
+
++ --dump-ext-val OID
++ For single cert, print binary DER encoding of extension OID.
++
++
++
+ -e
+ Check a certificate's signature during the process of validating a certificate.
+
+@@ -214,6 +219,26 @@ If this option is not used, the validity
+
+
+
++ --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...
++
++
++Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files.
++
++
++
++OID (example): 1.2.3.4
++
++
++critical-flag: critical or not-critical
++
++
++filename: full path to a file containing an encoded extension
++
++
++
++
++
++
+ -f password-file
+ Specify a file that will automatically supply the password to include in a certificate
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
+@@ -376,6 +401,15 @@ of the attribute codes:
+ V (as an SSL server)
+
+
++L (as an SSL CA)
++
++
++A (as Any CA)
++
++
++Y (Verify CA)
++
++
+ S (as an email signer)
+
+
+@@ -649,6 +683,17 @@ of the attribute codes:
+
+
+
++ --extSAN type:name[,type:name]...
++
++Create a Subject Alt Name extension with one or multiple names.
++
++
++-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr
++
++
++
++
++
+ --empty-password
+ Use empty password when creating new certificate database with -N.
+
diff --git a/SOURCES/nss-config.xml b/SOURCES/nss-config.xml
deleted file mode 100644
index f9518c9..0000000
--- a/SOURCES/nss-config.xml
+++ /dev/null
@@ -1,132 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- nss-config
- 1
-
-
-
- nss-config
- Return meta information about nss libraries
-
-
-
-
- nss-config
-
-
-
-
-
-
-
-
-
-
-
- Description
-
- nss-config is a shell scrip
- tool which can be used to obtain gcc options for building client pacakges of nspt.
-
-
-
-
- Options
-
-
-
-
- Returns the top level system directory under which the nss libraries are installed.
-
-
-
-
- returns the top level system directory under which any nss binaries would be installed.
-
-
-
- count
- returns the path to the directory were the nss libraries are installed.
-
-
-
-
- returns the upstream version of nss in the form major_version-minor_version-patch_version.
-
-
-
-
- returns the compiler linking flags.
-
-
-
-
- returns the compiler include flags.
-
-
-
-
- returns the path to the directory were the nss libraries are installed.
-
-
-
-
-
-
- Examples
-
- The following example will query for both include path and linkage flags:
-
-
- /usr/bin/nss-config --cflags --libs
-
-
-
-
-
-
-
-
- Files
-
- /usr/bin/nss-config
-
-
-
-
- See also
- pkg-config(1)
-
-
-
- Authors
- The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
-
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
diff --git a/SOURCES/nss-ecc-list-3.15.3.patch b/SOURCES/nss-ecc-list-3.15.3.patch
deleted file mode 100644
index 6f86258..0000000
--- a/SOURCES/nss-ecc-list-3.15.3.patch
+++ /dev/null
@@ -1,239 +0,0 @@
-diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c
---- ./nss/cmd/modutil/pk11.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800
-+++ ./nss/cmd/modutil/pk11.c 2013-12-20 10:29:01.540726233 -0800
-@@ -7,12 +7,9 @@
- */
-
- #include "modutil.h"
--/* #include "secmodti.h" */
-+#include "secmodi.h"
- #include "pk11func.h"
-
--static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
--static int pk11_DefaultArraySize = 0;
--
- /*************************************************************************
- *
- * F i p s M o d e
-@@ -110,32 +107,11 @@ ChkFipsMode(char *arg)
-
- typedef struct {
- const char *name;
-- const unsigned long mask;
-+ unsigned long mask;
- } MaskString;
-
--static const MaskString mechanismStrings[] = {
-- {"RSA", PUBLIC_MECH_RSA_FLAG},
-- {"DSA", PUBLIC_MECH_DSA_FLAG},
-- {"RC2", PUBLIC_MECH_RC2_FLAG},
-- {"RC4", PUBLIC_MECH_RC4_FLAG},
-- {"RC5", PUBLIC_MECH_RC5_FLAG},
-- {"DES", PUBLIC_MECH_DES_FLAG},
-- {"DH", PUBLIC_MECH_DH_FLAG},
-- {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
-- {"SHA1", PUBLIC_MECH_SHA1_FLAG},
-- {"MD5", PUBLIC_MECH_MD5_FLAG},
-- {"MD2", PUBLIC_MECH_MD2_FLAG},
-- {"SSL", PUBLIC_MECH_SSL_FLAG},
-- {"TLS", PUBLIC_MECH_TLS_FLAG},
-- {"AES", PUBLIC_MECH_AES_FLAG},
-- {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
-- {"SHA256", PUBLIC_MECH_SHA256_FLAG},
-- {"SHA512", PUBLIC_MECH_SHA512_FLAG},
-- {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
-- {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
--};
--static const int numMechanismStrings =
-- sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
-+static MaskString *mechanismStrings = NULL;
-+static int numMechanismStrings = 0;
-
- static const MaskString cipherStrings[] = {
- {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
-@@ -143,10 +119,83 @@ static const MaskString cipherStrings[]
- static const int numCipherStrings =
- sizeof(cipherStrings) / sizeof(cipherStrings[0]);
-
-+static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
-+static int pk11_DefaultArraySize = 0;
-+
-+
- /* Maximum length of a colon-separated list of all the strings in an
- * array. */
- #define MAX_STRING_LIST_LEN 240 /* or less */
-
-+/*
-+** The same as SECMOD_InternaltoPubMechFlags
-+** from nss/lib/pk11wrap/pk11util.c wich is a
-+** private export and not visible to us
-+*/
-+static unsigned long
-+InternaltoPubMechFlags(unsigned long internalFlags)
-+{
-+ unsigned long publicFlags = internalFlags;
-+
-+ if (internalFlags & SECMOD_RANDOM_FLAG) {
-+ publicFlags &= ~SECMOD_RANDOM_FLAG;
-+ publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
-+ }
-+ return publicFlags;
-+}
-+
-+
-+Error
-+loadMechanismList(void)
-+{
-+ int i;
-+
-+ if (pk11_DefaultArray == NULL) {
-+ pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
-+ if (pk11_DefaultArray == NULL) {
-+ /* should assert. This shouldn't happen */
-+ return UNSPECIFIED_ERR;
-+ }
-+ }
-+ if (mechanismStrings != NULL) {
-+ PR_Free(mechanismStrings);
-+ }
-+
-+ /* build the mechanismStrings array */
-+ mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) );
-+ if (mechanismStrings == NULL) {
-+ return OUT_OF_MEM_ERR;
-+ }
-+ numMechanismStrings = pk11_DefaultArraySize;
-+ for (i = 0; i < numMechanismStrings; i++) {
-+ char *name = pk11_DefaultArray[i].name;
-+ unsigned long flag = pk11_DefaultArray[i].flag;
-+ /* map new name to old */
-+ switch (flag) {
-+ case SECMOD_FORTEZZA_FLAG:
-+ name = "FORTEZZA";
-+ break;
-+ case SECMOD_SHA1_FLAG:
-+ name = "SHA1";
-+ break;
-+ case SECMOD_CAMELLIA_FLAG:
-+ name = "CAMELLIA";
-+ break;
-+ case SECMOD_RANDOM_FLAG:
-+ name = "RANDOM";
-+ break;
-+ case SECMOD_FRIENDLY_FLAG:
-+ name = "FRIENDLY";
-+ break;
-+ default:
-+ break;
-+ }
-+ mechanismStrings[i].name = name;
-+ mechanismStrings[i].mask = InternaltoPubMechFlags(flag);
-+ }
-+ return SUCCESS;
-+}
-+
- /************************************************************************
- *
- * g e t F l a g s F r o m S t r i n g
-@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil
- unsigned long ciphers;
- unsigned long mechanisms;
- SECStatus status;
-+ Error rv;
-+
-+ rv = loadMechanismList();
-+ if (rv != SUCCESS) {
-+ return rv;
-+ }
-
- mechanisms =
- getFlagsFromString(mechanismString, mechanismStrings,
-@@ -493,6 +548,11 @@ ListModule(char *moduleName)
- return SUCCESS;
- }
-
-+ rv = loadMechanismList();
-+ if (rv != SUCCESS) {
-+ return rv;
-+ }
-+
- module = SECMOD_FindModule(moduleName);
- if(!module) {
- PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
-@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char
- SECMODModule *module = NULL;
- PK11SlotInfo *slot;
- int s, i;
-- unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
-- numMechanismStrings);
-+ unsigned long mechFlags;
- PRBool found = PR_FALSE;
-- Error errcode = UNSPECIFIED_ERR;
-+ Error errcode;
-
-- if (pk11_DefaultArray == NULL) {
-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
-- if (pk11_DefaultArray == NULL) {
-- /* should assert. This shouldn't happen */
-- goto loser;
-- }
-+ errcode = loadMechanismList();
-+ if (errcode != SUCCESS) {
-+ return errcode;
- }
-+ errcode = UNSPECIFIED_ERR;
-
-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
-+ numMechanismStrings);
- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
-
- module = SECMOD_FindModule(moduleName);
-@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha
- SECMODModule * module = NULL;
- PK11SlotInfo *slot;
- int s, i;
-- unsigned long mechFlags = getFlagsFromString(mechanisms,
-- mechanismStrings, numMechanismStrings);
-+ unsigned long mechFlags;
- PRBool found = PR_FALSE;
- Error rv;
-
-- if (pk11_DefaultArray == NULL) {
-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
-- if (pk11_DefaultArray == NULL) {
-- /* should assert. This shouldn't happen */
-- rv = UNSPECIFIED_ERR;
-- goto loser;
-- }
-+ rv = loadMechanismList();
-+ if (rv != SUCCESS) {
-+ return rv;
- }
-
-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
-+ numMechanismStrings);
- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
-
- module = SECMOD_FindModule(moduleName);
-diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c
---- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800
-+++ ./nss/lib/pk11wrap/pk11slot.c 2013-12-20 10:29:55.756109883 -0800
-@@ -32,6 +32,7 @@
- PK11DefaultArrayEntry PK11_DefaultArray[] = {
- { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
- { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
-+ { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA },
- { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
- { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
- { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
-diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h
---- ./nss/lib/pk11wrap/secmod.h.ecc-lists 2013-11-09 09:23:30.000000000 -0800
-+++ ./nss/lib/pk11wrap/secmod.h 2013-12-20 10:26:20.881585723 -0800
-@@ -28,6 +28,7 @@
- #define PUBLIC_MECH_SHA512_FLAG 0x00008000ul
- #define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul
- #define PUBLIC_MECH_SEED_FLAG 0x00020000ul
-+#define PUBLIC_MECH_ECC_FLAG 0x00040000ul
-
- #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
- #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
diff --git a/SOURCES/nss-versus-softoken-tests.patch b/SOURCES/nss-versus-softoken-tests.patch
deleted file mode 100644
index e77487d..0000000
--- a/SOURCES/nss-versus-softoken-tests.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up nss/tests/all.sh.crypto nss/tests/all.sh
---- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
-+++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
-@@ -299,9 +299,10 @@ fi
- # created, we check for modutil to know whether the build
- # is complete. If a new file is created after that, the
- # following test for modutil should check for that instead.
-+# Except when building softoken only where shlibsign is the last one built.
-+export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
-
--if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
-- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
-+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
- echo "Build Incomplete. Aborting test." >> ${LOGFILE}
- html_head "Testing Initialization"
- Exit "Checking for build"
-diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
---- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
-+++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
-@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
- return 0
- fi
- cipher_init
--cipher_main
--cipher_gcm
-+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
-+ echo "Skipping cipher_gcm because this is a softoken only build"
-+ cipher_main
-+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
-+ echo "Skipping cipher_main because this an nss without softoken build"
-+ cipher_gcm
-+else
-+ # default is to run both
-+ cipher_init
-+ cipher_main
-+ cipher_gcm
-+fi
- cipher_cleanup
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
index c6632b3..741781d 100644
--- a/SOURCES/p-ignore-setpolicy.patch
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -1,31 +1,17 @@
-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
---- a/lib/ssl/sslsock.c
-+++ b/lib/ssl/sslsock.c
-@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
- rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
- }
- return rv;
- }
-
- SECStatus
- NSS_SetDomesticPolicy(void)
- {
-- SECStatus status = SECSuccess;
+diff -up ./nsslib/ssl/sslsock.c.1026677 ./nsslib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.1026677 2014-07-05 08:56:37.137268923 -0700
++++ ./nss/lib/ssl/sslsock.c 2014-07-05 09:01:20.149518959 -0700
+@@ -1315,11 +1315,9 @@ NSS_SetDomesticPolicy(void)
const PRUint16 *cipher;
for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
-- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
-- if (status != SECSuccess)
-- break;
-+ SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
++ SSL_SetPolicy(*cipher, SSL_ALLOWED);
}
- return status;
+ return SECSuccess;
}
SECStatus
- NSS_SetExportPolicy(void)
- {
- return NSS_SetDomesticPolicy();
- }
-
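Review bot: `NSS_SetDomesticPolicy` in the refreshed patch returns `SECSuccess` whatever `SSL_SetPolicy` reports, so a caller can no longer tell that a cipher suite's policy was not applied. The patch carries no explanation of its own; a comment above the loop such as `/* rhbz#1026677: keep going when a suite's policy cannot be set; failures are intentionally not reported */` would record that this is deliberate. The new hunk also begins at `const PRUint16 *cipher;`, whereas the previous version of the patch deleted `SECStatus status = SECSuccess;`. If that declaration still sits just above the hunk, it is now an unused local and should be removed in the same hunk. The opening lines of the function are outside the hunk, so this last point is inferred from the old patch text.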
diff --git a/SOURCES/secmod.db.xml b/SOURCES/secmod.db.xml
deleted file mode 100644
index afc9dce..0000000
--- a/SOURCES/secmod.db.xml
+++ /dev/null
@@ -1,63 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- secmod.db
- 5
-
-
-
- secmod.db
- Legacy NSS security modules database
-
-
-
- Description
- secmod.db is an NSS security modules database.
- The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
-
- The command line utility modutil is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
-
- For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
-
-
-
-
- Files
- /etc/pki/nssdb/secmod.db
-
-
-
- See also
- modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
-
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
deleted file mode 100644
index 5b9827f..0000000
--- a/SOURCES/setup-nsssysinit.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-
-
-
-]>
-
-
-
-
- &date;
- Network Security Services
- nss
- &version;
-
-
-
- setup-nsssysinit
- 1
-
-
-
- setup-nsssysinit
- Query or enable the nss-sysinit module
-
-
-
-
- setup-nsssysinit
-
-
-
-
-
-
-
- Description
- setup-nsssysinit is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it.
- Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
-
-
-
-
- Options
-
-
-
-
- Turn on nss-sysinit.
-
-
-
-
- Turn on nss-sysinit.
-
-
-
-
- returns whether nss-syinit is enabled or not.
-
-
-
-
-
-
- Examples
-
- The following example will query for the status of nss-sysinit:
-
- /usr/bin/setup-nsssysinit status
-
-
-
- The following example, when run as superuser, will turn on nss-sysinit:
-
- /usr/bin/setup-nsssysinit on
-
-
-
-
-
-
- Files
- /usr/bin/setup-nsssysinit
-
-
-
- See also
- pkg-config(1)
-
-
-
- Authors
- The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- Authors: Elio Maldonado <emaldona@redhat.com>.
-
-
-
-
- LICENSE
- Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-
-
-
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index e5acc89..8a03293 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,7 +1,8 @@
-%global nspr_version 4.10.2
-%global nss_util_version 3.15.4
-%global nss_softokn_fips_version 3.13.4
-%global nss_softokn_version 3.15.4
+%global nspr_version 4.10.6
+%global nss_util_version 3.16.2
+# adjust to the version that gets submitted for FIPS validation
+%global nss_softokn_fips_version 3.16.2
+%global nss_softokn_version 3.16.2
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -19,8 +20,8 @@
Summary: Network Security Services
Name: nss
-Version: 3.15.4
-Release: 7%{?dist}
+Version: 3.16.2
+Release: 2%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -83,8 +84,6 @@ Patch25: nsspem-use-system-freebl.patch
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
Patch47: utilwrap-include-templates.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
-Patch48: nss-versus-softoken-tests.patch
# TODO remove when we switch to building nss without softoken
Patch49: nss-skip-bltest-and-fipstest.patch
# This patch uses the gcc-iquote dir option documented at
@@ -99,14 +98,10 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
-Patch61: nss-ecc-list-3.15.3.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673
-Patch63: dont-disable-internal-module.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=963150
-# Remove when we update to nss-3.16.2
-Patch72: Free-dangling-reference.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1007126
+Patch63: manfixes.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -192,20 +187,17 @@ low level services.
%patch25 -p0 -b .systemfreebl
%patch40 -p0 -b .noocsptest
%patch47 -p0 -b .templates
-%patch48 -p0 -b .crypto
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
-%patch52 -p0 -b .disableSSL2
-%patch53 -p0 -b .disableSSL2
-%patch55 -p0 -b .852023
pushd nss
-%patch56 -p1 -b .1026677
+%patch52 -p1 -b .disableSSL2libssl
+%patch53 -p1 -b .disableSSL2tests
popd
-%patch61 -p0 -b .ecc-lists
+%patch55 -p0 -b .852023
+%patch56 -p0 -b .1026677
%patch62 -p0 -b .1034409
-%patch63 -p0 -b .1056036
pushd nss
-%patch72 -p1 -b .dangling
+%patch63 -p0 -b .missing_options
popd
#########################################################
@@ -224,6 +216,16 @@ done
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
+##### Remove util/freebl/softoken and low level tools
+######## Remove freebl, softoken and util
+%{__rm} -rf ./nss/lib/freebl
+%{__rm} -rf ./nss/lib/softoken
+%{__rm} -rf ./nss/lib/util
+######## Remove nss-softokn test tools as we already ran
+# the cipher test suite as part of the nss-softokn build
+%{__rm} -rf ./nss/cmd/bltest
+%{__rm} -rf ./nss/cmd/fipstest
+%{__rm} -rf ./nss/cmd/rsaperf_low
%build
@@ -290,17 +292,6 @@ export USE_64
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
-##### phase 1: remove util/freebl/softoken and low level tools
-#
-######## Remove freebl, softoken and util
-%{__rm} -rf ./mozilla/security/nss/lib/freebl
-%{__rm} -rf ./mozilla/security/nss/lib/softoken
-%{__rm} -rf ./mozilla/security/nss/lib/util
-######## Remove nss-softokn test tools
-%{__rm} -rf ./mozilla/security/nss/cmd/bltest
-%{__rm} -rf ./mozilla/security/nss/cmd/fipstest
-%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low
-
##### phase 2: build the rest of nss
# nss supports pluggable ecc
NSS_ENABLE_ECC=1
@@ -319,10 +310,9 @@ pushd ./nss
%{__make} clean_docs build_docs
popd
-# and copy them here
-for m in "%{allTools}"; do
- cp ./nss/doc/nroff/${m}.1 .
-done
+# and copy them to the dist directory for %%install to find them
+%{__mkdir_p} ./dist/doc/nroff
+%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff
# Set up our package file
# The nspr_version and nss_{util|softokn}_version globals used
@@ -384,7 +374,7 @@ done
%check
-if [ $DISABLETEST -eq 1 ]; then
+if [ ${DISABLETEST:-0} -eq 1 ]; then
echo "testing disabled"
exit 0
fi
@@ -448,12 +438,12 @@ find ./nss/tests -type f |\
killall $RANDSERV || :
rm -rf ./tests_results
-cd ./nss/tests/
+pushd ./nss/tests/
# all.sh is the test suite script
# don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb
-nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
# nss_ssl_run: cov auth stress
#
@@ -464,19 +454,39 @@ nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
-cd ../../
+popd
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :
-TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || :
-# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
+TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+# test suite is failing on arm and has for a while let's run the test suite but make it non fatal on arm
%ifnarch %{arm}
-if [ $TEST_FAILURES -ne 0 ]; then
- echo "error: test suite returned failure(s)"
- exit 1
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+%endif
fi
echo "test suite completed"
-%endif
%install
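Review bot: On ARM builds the `%ifnarch %{arm}` … `%endif` pair strips everything between `else` and the closing `fi`, leaving an `else` branch that holds only a comment. The shell rejects that as a syntax error, so %check would fail on the one architecture where the comment says failures should be non-fatal. Put a no-op first in the branch (`else` followed by `:`), or wrap only the `exit 1` lines in the conditional so the diagnostics are still printed on ARM. Separately, `error: grep has not found log file` names only one cause of exit status 2; `error: grep could not read output.log` would be more accurate. The expansions in the tests would also be safer quoted, e.g. `[ "${GREP_EXIT_STATUS:-0}" -eq 1 ]`.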
@@ -559,7 +569,7 @@ for f in nss-config setup-nsssysinit; do
done
# Copy the man pages for the nss tools
for f in "%{allTools}"; do
- install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+ install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
# Copy the man pages for the configuration files
for f in pkcs11.txt; do
@@ -769,6 +779,21 @@ fi
%changelog
+* Wed Aug 06 2014 Elio Maldonado - 3.16.2-2
+- Restore missing options descriptions fix for certutil manpage
+- Document certutil options --dump-ext-val, --extGeneric, and --extSAN
+- Related: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1
+
+* Fri Aug 01 2014 Elio Maldonado - 3.16.2-1
+- Rebase to nss-3.16.2
+- Resolves: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1 (FF 31)
+- Fix test failure detection in the %%check section
+- Move removal of unwanted source directories to the end of the %%prep section
+- Update various patches on account of the rebase
+- Remove unused patches rendered obsolete by the rebase
+- Fix libssl and test patches that disable ssl2 support
+- Replace expired PayPal test certificate that breaks the build
+
* Fri Jul 04 2014 Elio Maldonado - 3.15.4-7
- Fix race-condition in certificate validation
- Resolves: Bug 1116201