diff --git a/.nss.metadata b/.nss.metadata
index d4c0feb..ccb2c1e 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,11 +1,11 @@
+66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
1a4738a7fcc0bca303b47e9a24739637a9ab6640 SOURCES/TestCA.ca.cert
d63e287dc5d012993221373fe14a8e1dac5eaff7 SOURCES/TestUser51.cert
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
-69c70f63ccf23ca0761e77085fd1970211cdab1e SOURCES/nss-3.15.2.tar.bz2
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
-59f95324bb4fad179498bf1ddce2ceb0ee245356 SOURCES/nss-pem-20130405.tar.bz2
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
4019f0c1959c2b7102d470821e917e9c02551010 SOURCES/TestUser50.cert
21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert
+c164fac83fcbaff010786767e2a858ca23a89a5b SOURCES/nss-3.15.4.tar.gz
diff --git a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
deleted file mode 100644
index 36fbd9d..0000000
--- a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
+++ /dev/null
@@ -1,406 +0,0 @@
-From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
-From: Elio Maldonado <emaldona@redhat.com>
-Date: Sat, 9 Feb 2013 17:11:00 -0500
-Subject: [PATCH] Sync up with upstream softokn changes
-
-- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
-- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
-- It now compiles with the NSS_3_14_3_BETA1 source
----
- mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
- 1 files changed, 82 insertions(+), 256 deletions(-)
-
-diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
-index 5ac4f39..3780d30 100644
---- a/nss/lib/ckfw/pem/rsawrapr.c
-+++ b/nss/lib/ckfw/pem/rsawrapr.c
-@@ -46,6 +46,7 @@
- #include "sechash.h"
- #include "base.h"
-
-+#include "lowkeyi.h"
- #include "secerr.h"
-
- #define RSA_BLOCK_MIN_PAD_LEN 8
-@@ -54,9 +55,8 @@
- #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
- #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-
--#define OAEP_SALT_LEN 8
--#define OAEP_PAD_LEN 8
--#define OAEP_PAD_OCTET 0x00
-+/* Needed for RSA-PSS functions */
-+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
-
- #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
-
-@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
- return 0;
- }
-
--static SHA1Context *SHA1_CloneContext(SHA1Context * original)
--{
-- SHA1Context *clone = NULL;
-- unsigned char *pBuf;
-- int sha1ContextSize = SHA1_FlattenSize(original);
-- SECStatus frv;
-- unsigned char buf[FLAT_BUFSIZE];
--
-- PORT_Assert(sizeof buf >= sha1ContextSize);
-- if (sizeof buf >= sha1ContextSize) {
-- pBuf = buf;
-- } else {
-- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
-- if (!pBuf)
-- goto done;
-- }
--
-- frv = SHA1_Flatten(original, pBuf);
-- if (frv == SECSuccess) {
-- clone = SHA1_Resurrect(pBuf, NULL);
-- memset(pBuf, 0, sha1ContextSize);
-- }
-- done:
-- if (pBuf != buf)
-- nss_ZFreeIf(pBuf);
-- return clone;
-+/* Constant time comparison of a single byte.
-+ * Returns 1 iff a == b, otherwise returns 0.
-+ * Note: For ranges of bytes, use constantTimeCompare.
-+ */
-+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
-+ unsigned char c = ~(a - b | b - a);
-+ c >>= 7;
-+ return c;
- }
-
--/*
-- * Modify data by XORing it with a special hash of salt.
-+/* Constant time comparison of a range of bytes.
-+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
-+ * returns 0.
- */
--static SECStatus
--oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
-- unsigned char *salt, unsigned int saltlen)
--{
-- SHA1Context *sha1cx;
-- unsigned char *dp, *dataend;
-- unsigned char end_octet;
--
-- sha1cx = SHA1_NewContext();
-- if (sha1cx == NULL) {
-- return SECFailure;
-- }
--
-- /*
-- * Get a hash of salt started; we will use it several times,
-- * adding in a different end octet (x00, x01, x02, ...).
-- */
-- SHA1_Begin(sha1cx);
-- SHA1_Update(sha1cx, salt, saltlen);
-- end_octet = 0;
--
-- dp = data;
-- dataend = data + datalen;
--
-- while (dp < dataend) {
-- SHA1Context *sha1cx_h1;
-- unsigned int sha1len, sha1off;
-- unsigned char sha1[SHA1_LENGTH];
--
-- /*
-- * Create hash of (salt || end_octet)
-- */
-- sha1cx_h1 = SHA1_CloneContext(sha1cx);
-- SHA1_Update(sha1cx_h1, &end_octet, 1);
-- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
-- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
-- PORT_Assert(sha1len == SHA1_LENGTH);
--
-- /*
-- * XOR that hash with the data.
-- * When we have fewer than SHA1_LENGTH octets of data
-- * left to xor, use just the low-order ones of the hash.
-- */
-- sha1off = 0;
-- if ((dataend - dp) < SHA1_LENGTH)
-- sha1off = SHA1_LENGTH - (dataend - dp);
-- while (sha1off < SHA1_LENGTH)
-- *dp++ ^= sha1[sha1off++];
--
-- /*
-- * Bump for next hash chunk.
-- */
-- end_octet++;
-- }
--
-- SHA1_DestroyContext(sha1cx, PR_TRUE);
-- return SECSuccess;
-+static unsigned char constantTimeCompare(const unsigned char *a,
-+ const unsigned char *b,
-+ unsigned int len) {
-+ unsigned char tmp = 0;
-+ unsigned int i;
-+ for (i = 0; i < len; ++i, ++a, ++b)
-+ tmp |= *a ^ *b;
-+ return constantTimeEQ8(0x00, tmp);
- }
-
--/*
-- * Modify salt by XORing it with a special hash of data.
-+/* Constant time conditional.
-+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
-+ * not 0 or 1.
- */
--static SECStatus
--oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
-- unsigned char *data, unsigned int datalen)
-+static unsigned int constantTimeCondition(unsigned int c,
-+ unsigned int a,
-+ unsigned int b)
- {
-- unsigned char sha1[SHA1_LENGTH];
-- unsigned char *psalt, *psha1, *saltend;
-- SECStatus rv;
--
-- /*
-- * Create a hash of data.
-- */
-- rv = SHA1_HashBuf(sha1, data, datalen);
-- if (rv != SECSuccess) {
-- return rv;
-- }
--
-- /*
-- * XOR the low-order octets of that hash with salt.
-- */
-- PORT_Assert(saltlen <= SHA1_LENGTH);
-- saltend = salt + saltlen;
-- psalt = salt;
-- psha1 = sha1 + SHA1_LENGTH - saltlen;
-- while (psalt < saltend) {
-- *psalt++ ^= *psha1++;
-- }
--
-- return SECSuccess;
-+ return (~(c - 1) & a) | ((c - 1) & b);
- }
-
- /*
-@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
- unsigned char *block;
- unsigned char *bp;
- int padLen;
-- int i;
-+ int i, j;
- SECStatus rv;
-
- block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
-@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
- */
- case RSA_BlockPublic:
-
-- /*
-- * 0x00 || BT || Pad || 0x00 || ActualData
-- * 1 1 padLen 1 data->len
-- * Pad is all non-zero random bytes.
-- */
-- padLen = modulusLen - data->len - 3;
-- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
-- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
-- for (i = 0; i < padLen; i++) {
-- /* Pad with non-zero random data. */
-- do {
-- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
-- } while (rv == SECSuccess
-- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
-- if (rv != SECSuccess) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
-- }
-- bp += padLen;
-- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-- nsslibc_memcpy(bp, data->data, data->len);
--
-- break;
--
-- /*
-- * Blocks intended for public-key operation, using
-- * Optimal Asymmetric Encryption Padding (OAEP).
-- */
-- case RSA_BlockOAEP:
-- /*
-- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
-- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
-- *
-- * where:
-- * PaddedData is "Pad1 || ActualData [|| Pad2]"
-- * Salt is random data.
-- * Pad1 is all zeros.
-- * Pad2, if present, is random data.
-- * (The "modified" fields are all the same length as the original
-- * unmodified values; they are just xor'd with other values.)
-- *
-- * Modified1 is an XOR of PaddedData with a special octet
-- * string constructed of iterated hashing of Salt (see below).
-- * Modified2 is an XOR of Salt with the low-order octets of
-- * the hash of Modified1 (see farther below ;-).
-- *
-- * Whew!
-- */
--
--
-- /*
-- * Salt
-- */
-- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
-- if (rv != SECSuccess) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
-- bp += OAEP_SALT_LEN;
--
-- /*
-- * Pad1
-- */
-- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
-- bp += OAEP_PAD_LEN;
--
-- /*
-- * Data
-- */
-- nsslibc_memcpy(bp, data->data, data->len);
-- bp += data->len;
--
-- /*
-- * Pad2
-- */
-- if (bp < (block + modulusLen)) {
-- rv = RNG_GenerateGlobalRandomBytes(bp,
-- block - bp + modulusLen);
-- if (rv != SECSuccess) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
-- }
--
-- /*
-- * Now we have the following:
-- * 0x00 || BT || Salt || PaddedData
-- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
-- * as the one entity PaddedData.)
-- *
-- * We need to turn PaddedData into Modified1.
-- */
-- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
-- modulusLen - 2 - OAEP_SALT_LEN,
-- block + 2, OAEP_SALT_LEN) != SECSuccess) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
--
-- /*
-- * Now we have:
-- * 0x00 || BT || Salt || Modified1(PaddedData)
-- *
-- * The remaining task is to turn Salt into Modified2.
-- */
-- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
-- block + 2 + OAEP_SALT_LEN,
-- modulusLen - 2 - OAEP_SALT_LEN) !=
-- SECSuccess) {
-- nss_ZFreeIf(block);
-- return NULL;
-- }
--
-- break;
-+ /*
-+ * 0x00 || BT || Pad || 0x00 || ActualData
-+ * 1 1 padLen 1 data->len
-+ * Pad is all non-zero random bytes.
-+ *
-+ * Build the block left to right.
-+ * Fill the entire block from Pad to the end with random bytes.
-+ * Use the bytes after Pad as a supply of extra random bytes from
-+ * which to find replacements for the zero bytes in Pad.
-+ * If we need more than that, refill the bytes after Pad with
-+ * new random bytes as necessary.
-+ */
-+ padLen = modulusLen - (data->len + 3);
-+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
-+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
-+ nss_ZFreeIf (block);
-+ return NULL;
-+ }
-+ j = modulusLen - 2;
-+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
-+ if (rv == SECSuccess) {
-+ for (i = 0; i < padLen; ) {
-+ unsigned char repl;
-+ /* Pad with non-zero random data. */
-+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
-+ ++i;
-+ continue;
-+ }
-+ if (j <= padLen) {
-+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
-+ modulusLen - (2 + padLen));
-+ if (rv != SECSuccess)
-+ break;
-+ j = modulusLen - 2;
-+ }
-+ do {
-+ repl = bp[--j];
-+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
-+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
-+ bp[i++] = repl;
-+ }
-+ }
-+ }
-+ if (rv != SECSuccess) {
-+ /*sftk_fatalError = PR_TRUE;*/
-+ nss_ZFreeIf (block);
-+ return NULL;
-+ }
-+ bp += padLen;
-+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
-+ nsslibc_memcpy(bp, data->data, data->len);
-+ break;
-
- default:
- PORT_Assert(0);
-@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
-
- break;
-
-- case RSA_BlockOAEP:
-- /*
-- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
-- *
-- * The "2" below is the first octet + the second octet.
-- * (The other fields do not contain the clear values, but are
-- * the same length as the clear values.)
-- */
-- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
-- + OAEP_PAD_LEN)));
--
-- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
-- if (result->data == NULL) {
-- result->len = 0;
-- return SECFailure;
-- }
-- result->len = modulusLen;
--
-- break;
--
- case RSA_BlockRaw:
- /*
- * Pad || ActualData
---
-1.7.1
-
diff --git a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
deleted file mode 100644
index 6f0e88c..0000000
--- a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
+++ /dev/null
@@ -1,44 +0,0 @@
---- nss/lib/ckfw/pem/psession.c
-+++ nss/lib/ckfw/pem/psession.c
-@@ -230,6 +230,7 @@ pem_mdSession_Login
- unsigned int len = 0;
- NSSLOWKEYPrivateKey *lpk = NULL;
- PLArenaPool *arena;
-+ SECItem plain;
- int i;
-
- fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
-@@ -306,23 +321,27 @@ pem_mdSession_Login
- lpk->keyType = NSSLOWKEYRSAKey;
- prepare_low_rsa_priv_key_for_asn1(lpk);
-
-- nss_ZFreeIf(io->u.key.key.privateKey->data);
-- io->u.key.key.privateKey->len = len - output[len - 1];
-- io->u.key.key.privateKey->data =
-- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
-- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
-
- /* Decode the resulting blob and see if it is a decodable DER that fits
- * our private key template. If so we declare success and move on. If not
- * then we return an error.
- */
-+ memset(&plain, 0, sizeof(plain));
-+ plain.data = output;
-+ plain.len = len - output[len - 1];
- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
-- io->u.key.key.privateKey);
-+ &plain);
- pem_DestroyPrivateKey(lpk);
- arena = NULL;
- if (rv != SECSuccess)
- goto loser;
-
-+ nss_ZFreeIf(io->u.key.key.privateKey->data);
-+ io->u.key.key.privateKey->len = len - output[len - 1];
-+ io->u.key.key.privateKey->data =
-+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
-+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
-+
- rv = CKR_OK;
-
- loser:
diff --git a/SOURCES/disable-ocsp-stapling-tests.patch b/SOURCES/disable-ocsp-stapling-tests.patch
deleted file mode 100644
index df27c0e..0000000
--- a/SOURCES/disable-ocsp-stapling-tests.patch
+++ /dev/null
@@ -1,9 +0,0 @@
-diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
---- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700
-+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700
-@@ -115,4 +115,4 @@ ocsp_stapling()
- ################## main #################################################
- ocsp_init
- ocsp_iopr_run
--ocsp_stapling
-+#ocsp_stapling
diff --git a/SOURCES/document-certutil-email-option.patch b/SOURCES/document-certutil-email-option.patch
deleted file mode 100644
index b9ca7e1..0000000
--- a/SOURCES/document-certutil-email-option.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-diff --git a/doc/certutil.xml b/doc/certutil.xml
---- a/doc/certutil.xml
-+++ b/doc/certutil.xml
-@@ -204,16 +204,21 @@ If this option is not used, the validity
- </varlistentry>
-
- <varlistentry>
- <term>-e </term>
- <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
- </varlistentry>
-
- <varlistentry>
-+ <term>--email email-address</term>
-+ <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-f password-file</term>
- <listitem><para>Specify a file that will automatically supply the password to include in a certificate
- or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
- unauthorized access to this file.</para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>-g keysize</term>
diff --git a/SOURCES/dont-disable-internal-module.patch b/SOURCES/dont-disable-internal-module.patch
new file mode 100644
index 0000000..5d71643
--- /dev/null
+++ b/SOURCES/dont-disable-internal-module.patch
@@ -0,0 +1,39 @@
+diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c
+--- ./nss/cmd/modutil/pk11.c.1056036 2014-02-24 15:49:00.802754246 -0800
++++ ./nss/cmd/modutil/pk11.c 2014-02-24 15:49:00.806754285 -0800
+@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo
+ PK11_GetSlotName(slot), "enabled");
+ }
+ } else {
++ if (module->internal) {
++ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
++ "disable", PK11_GetSlotName(slot));
++ rv = ENABLE_FAILED_ERR;
++ goto loser;
++ }
+ if(! PK11_UserDisableSlot(slot)) {
+ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
+ "disable", PK11_GetSlotName(slot));
+diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml
+--- ./nss/doc/modutil.xml.1056036 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/doc/modutil.xml 2014-02-24 15:49:00.806754285 -0800
+@@ -86,7 +86,7 @@
+
+ <varlistentry>
+ <term>-disable modulename</term>
+- <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
++ <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para><para>The internal NSS PKCS #11 module cannot be disabled.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c
+--- ./nss/lib/dev/devtoken.c.1056036 2014-02-24 15:55:16.687529925 -0800
++++ ./nss/lib/dev/devtoken.c 2014-02-24 15:56:15.720143547 -0800
+@@ -1438,6 +1438,7 @@ nssToken_IsPresent (
+ NSSToken *token
+ )
+ {
++ if (token == NULL) return PR_FALSE;
+ return nssSlot_IsTokenPresent(token->slot);
+ }
+
diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
new file mode 100644
index 0000000..ec7d6c8
--- /dev/null
+++ b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch
@@ -0,0 +1,123 @@
+diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h
+--- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800
+@@ -116,11 +116,16 @@ struct CRLDPCacheStr {
+ #else
+ PRLock* lock;
+ #endif
+- CERTCertificate* issuer; /* issuer cert
+- XXX there may be multiple issuer certs,
+- with different validity dates. Also
+- need to deal with SKID/AKID . See
+- bugzilla 217387, 233118 */
++ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference
++ to the actual cert so the trust can be
++ updated on the cert automatically.
++ XXX there may be multiple issuer certs,
++ with different validity dates. Also
++ need to deal with SKID/AKID . See
++ bugzilla 217387, 233118 */
++
++ CERTCertDBHandle *dbHandle;
++
+ SECItem* subject; /* DER of issuer subject */
+ SECItem* distributionPoint; /* DER of distribution point. This may be
+ NULL when distribution points aren't
+@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr {
+ NSSRWLock* lock;
+ CRLDPCache** dps;
+ PLHashTable* distributionpoints;
+- CERTCertificate* issuer;
++ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */
+ #endif
+ };
+
+diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c
+--- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800
+@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa
+ PORT_Free(cache->crls);
+ }
+ /* destroy the cert */
+- if (cache->issuer)
++ if (cache->issuerDERCert)
+ {
+- CERT_DestroyCertificate(cache->issuer);
++ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE);
+ }
+ /* free the subject */
+ if (cache->subject)
+@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
+ else
+ {
+ SECStatus signstatus = SECFailure;
+- if (cache->issuer)
++ if (cache->issuerDERCert)
+ {
+- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate,
++ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle,
++ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE);
++
++ if (issuer) {
++ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate,
+ wincx);
++ CERT_DestroyCertificate(issuer);
++ }
+ }
+ if (SECSuccess != signstatus)
+ {
+- if (!cache->issuer)
++ if (!cache->issuerDERCert)
+ {
+ /* we tried to verify without an issuer cert . This is
+ because this CRL came through a call to SEC_FindCrlByName.
+@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
+ }
+
+ /* add issuer certificate if it was previously unavailable */
+- if (issuer && (NULL == cache->issuer) &&
++ if (issuer && (NULL == cache->issuerDERCert) &&
+ (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN)))
+ {
+ /* if we didn't have a valid issuer cert yet, but we do now. add it */
+ DPCache_LockWrite();
+- if (!cache->issuer)
++ if (!cache->issuerDERCert)
+ {
+ dirty = PR_TRUE;
+- cache->issuer = CERT_DupCertificate(issuer);
++ cache->dbHandle = issuer->dbhandle;
++ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
+ }
+ DPCache_UnlockWrite();
+ }
+@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
+ SEC_FindCrlByName, or through manual insertion, rather than through a
+ certificate verification (CERT_CheckCRL) */
+
+- if (cache->issuer && vfdate )
++ if (cache->issuerDERCert && vfdate )
+ {
+ mustunlock = PR_FALSE;
+ /* re-process all unverified CRLs */
+@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
+ }
+ if (issuer)
+ {
+- cache->issuer = CERT_DupCertificate(issuer);
++ cache->dbHandle = issuer->dbhandle;
++ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
+ }
+ cache->distributionPoint = SECITEM_DupItem(dp);
+ cache->subject = SECITEM_DupItem(subject);
+diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh
+--- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800
++++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800
+@@ -974,6 +974,7 @@ check_ocsp()
+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
+
++ echo "Cert = ${CERT_NICK}.cert"
+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
+ tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
+ return $?
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 3df4927..9fb7772 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -1,6 +1,6 @@
-diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
---- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700
-+++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700
+diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile
+--- ./nss/cmd/bltest/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/cmd/bltest/Makefile 2014-01-18 11:31:32.277404478 -0800
@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -9,9 +9,22 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
#######################################################################
-diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
---- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700
-+++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700
+diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
+--- ./nss/cmd/httpserv/Makefile.iquote 2014-01-18 11:33:15.058108851 -0800
++++ ./nss/cmd/httpserv/Makefile 2014-01-18 11:34:08.913478276 -0800
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/cmd/lib/Makefile 2014-01-18 11:31:32.309404697 -0800
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -22,9 +35,9 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700
-+++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/coreconf/location.mk 2014-01-18 11:31:32.309404697 -0800
@@ -45,6 +45,10 @@ endif
ifdef NSS_INCLUDE_DIR
@@ -36,9 +49,9 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
endif
ifndef NSS_LIB_DIR
-diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
---- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700
-+++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/certhigh/Makefile 2014-01-18 11:31:32.310404704 -0800
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -48,9 +61,9 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
-diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
---- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700
-+++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/cryptohi/Makefile 2014-01-18 11:31:32.310404704 -0800
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
@@ -60,3 +73,29 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/libpkix/pkix/checker/Makefile 2014-01-18 11:31:32.310404704 -0800
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
++++ ./nss/lib/nss/Makefile 2014-01-18 11:31:32.310404704 -0800
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
diff --git a/SOURCES/nss-ecc-list-3.15.3.patch b/SOURCES/nss-ecc-list-3.15.3.patch
new file mode 100644
index 0000000..6f86258
--- /dev/null
+++ b/SOURCES/nss-ecc-list-3.15.3.patch
@@ -0,0 +1,239 @@
+diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c
+--- ./nss/cmd/modutil/pk11.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800
++++ ./nss/cmd/modutil/pk11.c 2013-12-20 10:29:01.540726233 -0800
+@@ -7,12 +7,9 @@
+ */
+
+ #include "modutil.h"
+-/* #include "secmodti.h" */
++#include "secmodi.h"
+ #include "pk11func.h"
+
+-static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
+-static int pk11_DefaultArraySize = 0;
+-
+ /*************************************************************************
+ *
+ * F i p s M o d e
+@@ -110,32 +107,11 @@ ChkFipsMode(char *arg)
+
+ typedef struct {
+ const char *name;
+- const unsigned long mask;
++ unsigned long mask;
+ } MaskString;
+
+-static const MaskString mechanismStrings[] = {
+- {"RSA", PUBLIC_MECH_RSA_FLAG},
+- {"DSA", PUBLIC_MECH_DSA_FLAG},
+- {"RC2", PUBLIC_MECH_RC2_FLAG},
+- {"RC4", PUBLIC_MECH_RC4_FLAG},
+- {"RC5", PUBLIC_MECH_RC5_FLAG},
+- {"DES", PUBLIC_MECH_DES_FLAG},
+- {"DH", PUBLIC_MECH_DH_FLAG},
+- {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
+- {"SHA1", PUBLIC_MECH_SHA1_FLAG},
+- {"MD5", PUBLIC_MECH_MD5_FLAG},
+- {"MD2", PUBLIC_MECH_MD2_FLAG},
+- {"SSL", PUBLIC_MECH_SSL_FLAG},
+- {"TLS", PUBLIC_MECH_TLS_FLAG},
+- {"AES", PUBLIC_MECH_AES_FLAG},
+- {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
+- {"SHA256", PUBLIC_MECH_SHA256_FLAG},
+- {"SHA512", PUBLIC_MECH_SHA512_FLAG},
+- {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
+- {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
+-};
+-static const int numMechanismStrings =
+- sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
++static MaskString *mechanismStrings = NULL;
++static int numMechanismStrings = 0;
+
+ static const MaskString cipherStrings[] = {
+ {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
+@@ -143,10 +119,83 @@ static const MaskString cipherStrings[]
+ static const int numCipherStrings =
+ sizeof(cipherStrings) / sizeof(cipherStrings[0]);
+
++static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
++static int pk11_DefaultArraySize = 0;
++
++
+ /* Maximum length of a colon-separated list of all the strings in an
+ * array. */
+ #define MAX_STRING_LIST_LEN 240 /* or less */
+
++/*
++** The same as SECMOD_InternaltoPubMechFlags
++** from nss/lib/pk11wrap/pk11util.c wich is a
++** private export and not visible to us
++*/
++static unsigned long
++InternaltoPubMechFlags(unsigned long internalFlags)
++{
++ unsigned long publicFlags = internalFlags;
++
++ if (internalFlags & SECMOD_RANDOM_FLAG) {
++ publicFlags &= ~SECMOD_RANDOM_FLAG;
++ publicFlags |= PUBLIC_MECH_RANDOM_FLAG;
++ }
++ return publicFlags;
++}
++
++
++Error
++loadMechanismList(void)
++{
++ int i;
++
++ if (pk11_DefaultArray == NULL) {
++ pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
++ if (pk11_DefaultArray == NULL) {
++ /* should assert. This shouldn't happen */
++ return UNSPECIFIED_ERR;
++ }
++ }
++ if (mechanismStrings != NULL) {
++ PR_Free(mechanismStrings);
++ }
++
++ /* build the mechanismStrings array */
++ mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) );
++ if (mechanismStrings == NULL) {
++ return OUT_OF_MEM_ERR;
++ }
++ numMechanismStrings = pk11_DefaultArraySize;
++ for (i = 0; i < numMechanismStrings; i++) {
++ char *name = pk11_DefaultArray[i].name;
++ unsigned long flag = pk11_DefaultArray[i].flag;
++ /* map new name to old */
++ switch (flag) {
++ case SECMOD_FORTEZZA_FLAG:
++ name = "FORTEZZA";
++ break;
++ case SECMOD_SHA1_FLAG:
++ name = "SHA1";
++ break;
++ case SECMOD_CAMELLIA_FLAG:
++ name = "CAMELLIA";
++ break;
++ case SECMOD_RANDOM_FLAG:
++ name = "RANDOM";
++ break;
++ case SECMOD_FRIENDLY_FLAG:
++ name = "FRIENDLY";
++ break;
++ default:
++ break;
++ }
++ mechanismStrings[i].name = name;
++ mechanismStrings[i].mask = InternaltoPubMechFlags(flag);
++ }
++ return SUCCESS;
++}
++
+ /************************************************************************
+ *
+ * g e t F l a g s F r o m S t r i n g
+@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil
+ unsigned long ciphers;
+ unsigned long mechanisms;
+ SECStatus status;
++ Error rv;
++
++ rv = loadMechanismList();
++ if (rv != SUCCESS) {
++ return rv;
++ }
+
+ mechanisms =
+ getFlagsFromString(mechanismString, mechanismStrings,
+@@ -493,6 +548,11 @@ ListModule(char *moduleName)
+ return SUCCESS;
+ }
+
++ rv = loadMechanismList();
++ if (rv != SUCCESS) {
++ return rv;
++ }
++
+ module = SECMOD_FindModule(moduleName);
+ if(!module) {
+ PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName);
+@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char
+ SECMODModule *module = NULL;
+ PK11SlotInfo *slot;
+ int s, i;
+- unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
+- numMechanismStrings);
++ unsigned long mechFlags;
+ PRBool found = PR_FALSE;
+- Error errcode = UNSPECIFIED_ERR;
++ Error errcode;
+
+- if (pk11_DefaultArray == NULL) {
+- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+- if (pk11_DefaultArray == NULL) {
+- /* should assert. This shouldn't happen */
+- goto loser;
+- }
++ errcode = loadMechanismList();
++ if (errcode != SUCCESS) {
++ return errcode;
+ }
++ errcode = UNSPECIFIED_ERR;
+
++ mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
++ numMechanismStrings);
+ mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
+
+ module = SECMOD_FindModule(moduleName);
+@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha
+ SECMODModule * module = NULL;
+ PK11SlotInfo *slot;
+ int s, i;
+- unsigned long mechFlags = getFlagsFromString(mechanisms,
+- mechanismStrings, numMechanismStrings);
++ unsigned long mechFlags;
+ PRBool found = PR_FALSE;
+ Error rv;
+
+- if (pk11_DefaultArray == NULL) {
+- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize);
+- if (pk11_DefaultArray == NULL) {
+- /* should assert. This shouldn't happen */
+- rv = UNSPECIFIED_ERR;
+- goto loser;
+- }
++ rv = loadMechanismList();
++ if (rv != SUCCESS) {
++ return rv;
+ }
+
++ mechFlags = getFlagsFromString(mechanisms, mechanismStrings,
++ numMechanismStrings);
+ mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags);
+
+ module = SECMOD_FindModule(moduleName);
+diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c
+--- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800
++++ ./nss/lib/pk11wrap/pk11slot.c 2013-12-20 10:29:55.756109883 -0800
+@@ -32,6 +32,7 @@
+ PK11DefaultArrayEntry PK11_DefaultArray[] = {
+ { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS },
+ { "DSA", SECMOD_DSA_FLAG, CKM_DSA },
++ { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA },
+ { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE },
+ { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC },
+ { "RC4", SECMOD_RC4_FLAG, CKM_RC4 },
+diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h
+--- ./nss/lib/pk11wrap/secmod.h.ecc-lists 2013-11-09 09:23:30.000000000 -0800
++++ ./nss/lib/pk11wrap/secmod.h 2013-12-20 10:26:20.881585723 -0800
+@@ -28,6 +28,7 @@
+ #define PUBLIC_MECH_SHA512_FLAG 0x00008000ul
+ #define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul
+ #define PUBLIC_MECH_SEED_FLAG 0x00020000ul
++#define PUBLIC_MECH_ECC_FLAG 0x00040000ul
+
+ #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
+ #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
index bca4bfa..5b9827f 100644
--- a/SOURCES/setup-nsssysinit.xml
+++ b/SOURCES/setup-nsssysinit.xml
@@ -55,7 +55,7 @@
</varlistentry>
<varlistentry>
- <term><option>status</option> <replaceable>count</replaceable></term>
+ <term><option>status</option></term>
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
</varlistentry>
@@ -67,13 +67,13 @@
<para>The following example will query for the status of nss-sysinit:
<programlisting>
- /usr/bin/setup-nsssysinit --status
+ /usr/bin/setup-nsssysinit status
</programlisting>
</para>
<para>The following example, when run as superuser, will turn on nss-sysinit:
<programlisting>
- /usr/bin/setup-nsssysinit --on
+ /usr/bin/setup-nsssysinit on
</programlisting>
</para>
@@ -81,7 +81,7 @@
<refsection>
<title>Files</title>
- <para><filename>/usr/sbin/setup-nsssysinit</filename></para>
+ <para><filename>/usr/bin/setup-nsssysinit</filename></para>
</refsection>
<refsection>
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index fffec65..0dc3202 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,7 +1,7 @@
-%global nspr_version 4.10
-%global nss_util_version 3.15.2
-%global nss_softokn_fips_version 3.12.9
-%global nss_softokn_version 3.15.2
+%global nspr_version 4.10.2
+%global nss_util_version 3.15.4
+%global nss_softokn_fips_version 3.13.4
+%global nss_softokn_version 3.15.4
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -19,8 +19,8 @@
Summary: Network Security Services
Name: nss
-Version: 3.15.2
-Release: 8%{?dist}
+Version: 3.15.4
+Release: 6%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -47,7 +47,7 @@ BuildRequires: perl
%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
-Source0: %{name}-%{full_nss_version}.tar.bz2
+Source0: %{name}-%{full_nss_version}.tar.gz
Source1: nss.pc.in
Source2: nss-config.in
Source3: blank-cert8.db
@@ -58,7 +58,7 @@ Source7: blank-key4.db
Source8: system-pkcs11.txt
Source9: setup-nsssysinit.sh
Source10: PayPalEE.cert
-Source12: %{name}-pem-20130405.tar.bz2
+Source12: %{name}-pem-20140125.tar.bz2
Source17: TestCA.ca.cert
Source18: TestUser50.cert
Source19: TestUser51.cert
@@ -81,25 +81,29 @@ Patch18: nss-646045.patch
Patch25: nsspem-use-system-freebl.patch
# TODO: Remove this patch when the ocsp test are fixed
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
-Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
-Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
-# The ocsp stapling tests currently require access to the
-# kuix.de test server but koji forbids outbount connections
-Patch46: disable-ocsp-stapling-tests.patch
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
Patch47: utilwrap-include-templates.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
Patch48: nss-versus-softoken-tests.patch
# TODO remove when we switch to building nss without softoken
Patch49: nss-skip-bltest-and-fipstest.patch
+# This patch uses the gcc-iquote dir option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to place the in-tree directories at the head of the list of list of directories
+# to be searched for for header files. This ensures a build even when system
+# headers are older. Such is the case when starting an update with API changes or even private export changes.
+# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
Patch50: iquote.patch
Patch52: Bug-1001841-disable-sslv2-libssl.patch
Patch53: Bug-1001841-disable-sslv2-tests.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
-Patch54: document-certutil-email-option.patch
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
Patch56: p-ignore-setpolicy.patch
+Patch61: nss-ecc-list-3.15.3.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
+Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673
+Patch63: dont-disable-internal-module.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -184,22 +188,19 @@ low level services.
# link pem against buildroot's freebl, essential when mixing and matching
%patch25 -p0 -b .systemfreebl
%patch40 -p0 -b .noocsptest
-%patch44 -p1 -b .syncupwithupstream
-%patch45 -p0 -b .notrash
-%patch46 -p0 -b .skipoutbound
%patch47 -p0 -b .templates
%patch48 -p0 -b .crypto
%patch49 -p0 -b .skipthem
%patch50 -p0 -b .iquote
%patch52 -p0 -b .disableSSL2
%patch53 -p0 -b .disableSSL2
-pushd nss
-%patch54 -p1 -b .948495
-popd
%patch55 -p0 -b .852023
pushd nss
%patch56 -p1 -b .1026677
popd
+%patch61 -p0 -b .ecc-lists
+%patch62 -p0 -b .1034409
+%patch63 -p0 -b .1056036
#########################################################
# Higher-level libraries and test tools need access to
@@ -542,7 +543,7 @@ done
%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
# Copy the pkcs #11 configuration script
%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
-# install a symbolic link top it, without the ".sh" suffix,
+# install a symbolic link to it, without the ".sh" suffix,
# that matches the man page documentation
ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
@@ -602,17 +603,17 @@ fi
/sbin/ldconfig
%posttrans
-# An earlier version of this package had an incorrect %postun script (3.14.3-9).
-# (The incorrect %postun always called "update-alternatives --remove",
+# An earlier version of this package had an incorrect %%postun script (3.14.3-9).
+# (The incorrect %%postun always called "update-alternatives --remove",
# because it incorrectly assumed that test -f returns false for symbolic links.)
# The only possible remedy to fix the mistake that "always removes on upgrade"
-# made by the older %postun script, is to repair it in %posttrans of the new package.
+# made by the older %%postun script, is to repair it in %%posttrans of the new package.
# Strategy:
-# %posttrans is never called when uninstalling.
-# %posttrans is only called when installing or upgrading a package.
-# Because %posttrans is the very last action of a package install,
-# %{_libdir}/libnssckbi.so must exist.
-# If it does not, it's the result of the incorrect removal from a broken %postun.
+# %%posttrans is never called when uninstalling.
+# %%posttrans is only called when installing or upgrading a package.
+# Because %%posttrans is the very last action of a package install,
+# %%{_libdir}/libnssckbi.so must exist.
+# If it does not, it's the result of the incorrect removal from a broken %%postun.
# In this case, we repeat installation of the alternatives link.
if ! test -e %{_libdir}/libnssckbi.so; then
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
@@ -632,20 +633,19 @@ fi
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
-%attr(0644,root,root) %doc /usr/share/man/man5/*
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
%files sysinit
%defattr(-,root,root)
%{_libdir}/libnsssysinit.so
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
%{_bindir}/setup-nsssysinit.sh
# symbolic link to setup-nsssysinit.sh
%{_bindir}/setup-nsssysinit
@@ -672,7 +672,7 @@ fi
%{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain
-# instead of %{_mandir}/man*/* let's list them explicitely
+# instead of %%{_mandir}/man*/* let's list them explicitely
# supported tools
%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
@@ -763,6 +763,81 @@ fi
%changelog
+* Mon Mar 03 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-6
+- Disallow disabling the internal module
+- Resolves: Bug 1056036 - nss segfaults with opencryptoki module
+
+* Thu Feb 20 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-5
+- Pick up a fix from rhel-6 and fix an rpm conflict
+- Don't hold issuer cert handles in crl cache
+- Resolves: Bug 1034409 - deadlock in trust domain and object lock
+- Move nss shared db files to the main package
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Mon Jan 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-4
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem module fixes verified on RHEL and applied upstream
+- Remove no loger needed pem patches on acccount on this update
+- Add comments documenting the iquote.patch
+- Resolves: Bug 1054457 - CVE-2013-1740
+
+* Sun Jan 26 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
+- Remove spurious man5 wildcard entry as all manpages are listed by name
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.15.4-2
+- Mass rebuild 2014-01-24
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-9
+- Rebase to nss-3.15.4
+- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
+- Remove no longer needed patches for manpages that were applied upstream
+- Remove no longer needed patch to disable ocsp stapling tests
+- Update iquote.patch on account of upstream changes
+- Update and rename patch to pem/rsawrapr.c on account of upstream changes
+- Use the pristine upstream sources for nss without repackaging
+- Avoid unneeded manual step which may introduce errors
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-8
+- Fix the spec file to apply the nss ecc list patch for bug 752980
+- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-7
+- Move several nss-sysinit manpages tar archives to the %%files
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-6
+- Fix a coverity scan compile time warning for the pem module
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Wed Jan 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-5
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Thu Jan 09 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-4
+- Improve pluggable ECC support for ECDSA
+- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.15.3-3
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
+- Revoke trust in one mis-issued anssi certificate
+- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0]
+
+* Mon Nov 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
+
+* Wed Nov 13 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-10
+- Fix path to script and remove -- from some options in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws
+
+* Tue Nov 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-9
+- Fix certutil man page options names to be consistent with help
+- Resolves: rhbz#948495 - man page scan results for nss
+- Remove incorrect count argument in status description in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions
+
* Wed Nov 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-8
- Fix patch for disabling ssl2 in ssl to correctly set error code
- Fix syntax error reported in the build.log even tough it succeeds