diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..7286e8d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,16 @@
+SOURCES/PayPalEE.cert
+SOURCES/PayPalICA.cert
+SOURCES/TestOldCA.p12
+SOURCES/blank-cert8.db
+SOURCES/blank-cert9.db
+SOURCES/blank-key3.db
+SOURCES/blank-key4.db
+SOURCES/blank-secmod.db
+SOURCES/cert8.db.xml
+SOURCES/cert9.db.xml
+SOURCES/key3.db.xml
+SOURCES/key4.db.xml
+SOURCES/nss-3.34.0.tar.gz
+SOURCES/nss-config.xml
+SOURCES/secmod.db.xml
+SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
new file mode 100644
index 0000000..7b7738a
--- /dev/null
+++ b/.nss.metadata
@@ -0,0 +1,16 @@
+83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert
+a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
+706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12
+d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
+b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
+7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
+f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
+bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
+6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml
+7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
+24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
+af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
+01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz
+2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
+ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
+bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
new file mode 100644
index 0000000..527b312
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -0,0 +1,26 @@
+diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk
+--- nss/lib/ssl/config.mk.disableSSL2libssl 2017-01-04 15:24:24.000000000 +0100
++++ nss/lib/ssl/config.mk 2017-01-16 10:53:47.629894929 +0100
+@@ -69,3 +69,8 @@ endif
+ ifdef NSS_DISABLE_TLS_1_3
+ DEFINES += -DNSS_DISABLE_TLS_1_3
+ endif
++
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2017-01-16 10:53:47.615895344 +0100
++++ nss/lib/ssl/sslsock.c 2017-01-16 10:54:16.088051233 +0100
+@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2
++ if (SSL_IS_SSL2_CIPHER(suite))
++ return PR_TRUE;
++#endif /* NSS_NO_SSL2 */
+ switch (suite) {
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
new file mode 100644
index 0000000..40e3e6d
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -0,0 +1,65 @@
+diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
+--- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-09-20 08:47:27.000000000 +0200
++++ nss/tests/ssl/ssl.sh 2017-10-06 16:19:10.812108552 +0200
+@@ -69,8 +69,14 @@ ssl_init()
+
+ # Test case files
+ SSLCOV=${QADIR}/ssl/sslcov.txt
++ if [ "${NSS_NO_SSL2}" = "1" ]; then
++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++ else
++ SSLCOV=${QADIR}/ssl/sslcov.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.txt
++ fi
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+- SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+@@ -128,7 +134,11 @@ is_selfserv_alive()
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ echo "No server to kill"
++ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
++ fi
+
+ echo "selfserv with PID ${PID} found at `date`"
+ }
+@@ -152,7 +162,11 @@ wait_for_selfserv()
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ html_passed "Server never started"
++ else
+ html_failed "Waiting for Server"
++ fi
+ fi
+ fi
+ is_selfserv_alive
+@@ -275,7 +289,7 @@ ssl_cov()
+ start_selfserv # Launch the server
+
+ VMIN="ssl3"
+- VMAX="tls1.1"
++ VMAX="tls1.2"
+
+ ignore_blank_lines ${SSLCOV} | \
+ while read ectype testmax param testname
+@@ -283,6 +297,12 @@ ssl_cov()
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
++ # skip export tests
++ if [ ${EXP} -eq 0 ]; then
++ echo "export test skipped"
++ continue
++ fi
++
+ if [ "$ectype" = "ECC" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (ECC only)"
+ else
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
new file mode 100644
index 0000000..dae0196
Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ
diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert
new file mode 100644
index 0000000..929b793
Binary files /dev/null and b/SOURCES/TestCA.ca.cert differ
diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert
new file mode 100644
index 0000000..ed71727
Binary files /dev/null and b/SOURCES/TestUser50.cert differ
diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert
new file mode 100644
index 0000000..1b45db2
Binary files /dev/null and b/SOURCES/TestUser51.cert differ
diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch
new file mode 100644
index 0000000..7ab9db1
--- /dev/null
+++ b/SOURCES/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
new file mode 100644
index 0000000..72c0cb4
--- /dev/null
+++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -0,0 +1,79 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2017-01-13 17:04:52.968903200 +0100
+@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar
+
+ mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
+ mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
++ /* if the system FIPS mode is enabled, force FIPS to be on */
++ if (SECMOD_GetSystemFIPSEnabled()) {
++ mod->isFIPS = PR_TRUE;
++ }
+ mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
+ slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
+ mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
+diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:06:24.171723872 +0100
+@@ -94,6 +94,26 @@ SECMOD_Shutdown()
+ return SECSuccess;
+ }
+
++int SECMOD_GetSystemFIPSEnabled(void) {
++#ifdef LINUX
++ FILE *f;
++ char d;
++ size_t size;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (!f)
++ return 0;
++
++ size = fread(&d, 1, 1, f);
++ fclose(f);
++ if (size != 1)
++ return 0;
++ if (d == '1')
++ return 1;
++#endif
++ return 0;
++}
++
+ /*
+ * retrieve the internal module
+ */
+@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char *
+ SECMODModuleList **mlpp;
+ SECStatus rv = SECFailure;
+
+- if (pendingModule) {
++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
+ PORT_SetError(SEC_ERROR_MODULE_STUCK);
+ return rv;
+ }
+@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
+ PRBool
+ SECMOD_CanDeleteInternalModule(void)
+ {
+- return (PRBool)(pendingModule == NULL);
++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
+ }
+
+ /*
+diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
+--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100
++++ nss/lib/pk11wrap/secmodi.h 2017-01-13 17:07:08.897624098 +0100
+@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
+ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+ SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
++/* Get the state of the system FIPS mode */
++/* NSS uses this to force FIPS mode if the system bit is on. Applications which
++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
++ * from FIPS mode will automatically be told that they can't swith out of FIPS
++ * mode */
++int SECMOD_GetSystemFIPSEnabled();
++
+ extern void pk11sdr_Init(void);
+ extern void pk11sdr_Shutdown(void);
+
diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
new file mode 100644
index 0000000..00facbf
--- /dev/null
+++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/ssl/sslsock.c.1171318 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.1171318 2016-02-04 10:57:08.489310227 -0800
++++ ./lib/ssl/sslsock.c 2016-02-04 11:02:59.290818001 -0800
+@@ -92,7 +92,7 @@ static sslOptions ssl_defaults = {
+ * default range of enabled SSL/TLS protocols
+ */
+ static SSLVersionRange versions_defaults_stream = {
+- SSL_LIBRARY_VERSION_TLS_1_0,
++ SSL_LIBRARY_VERSION_3_0,
+ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
new file mode 100644
index 0000000..4908c00
--- /dev/null
+++ b/SOURCES/iquote.patch
@@ -0,0 +1,228 @@
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
+--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile
+--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200
++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200
+@@ -45,6 +45,10 @@ endif
+
+ ifdef NSS_INCLUDE_DIR
+ INCLUDES += -I$(NSS_INCLUDE_DIR)
++ ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss
++ INCLUDES += -iquote $(DIST)/../private/nss
++ endif
+ endif
+
+ ifndef NSS_LIB_DIR
+diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
+--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200
+@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile
+--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200
++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
+
+
+ #######################################################################
diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
new file mode 100644
index 0000000..3347ee9
--- /dev/null
+++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
new file mode 100644
index 0000000..f5db089
--- /dev/null
+++ b/SOURCES/nss-539183.patch
@@ -0,0 +1,44 @@
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200
+@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200
+@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
diff --git a/SOURCES/nss-certutil-suppress-password.patch b/SOURCES/nss-certutil-suppress-password.patch
new file mode 100644
index 0000000..985ac21
--- /dev/null
+++ b/SOURCES/nss-certutil-suppress-password.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1513770602 -3600
+# Wed Dec 20 12:50:02 2017 +0100
+# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b
+# Parent 5a14f42384eb22b67e0465949c03555eff41e4af
+Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea
+
+diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
+--- a/cmd/certutil/certutil.c
++++ b/cmd/certutil/certutil.c
+@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB
+ certutil.commands[cmd_CreateAndAddCert].activated ||
+ certutil.commands[cmd_AddCert].activated ||
+ certutil.commands[cmd_AddEmailCert].activated) {
+- if (PK11_NeedUserInit(slot)) {
++ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
+ char *password = NULL;
+ /* fetch the password from the command line or the file
+ * if no password is supplied, initialize the password to NULL */
diff --git a/SOURCES/nss-check-policy-file.patch b/SOURCES/nss-check-policy-file.patch
new file mode 100644
index 0000000..898ffef
--- /dev/null
+++ b/SOURCES/nss-check-policy-file.patch
@@ -0,0 +1,49 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-02-28 10:49:53.811343156 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2017-02-28 10:59:41.178647490 +0100
+@@ -109,6 +109,7 @@ secmod_NewModule(void)
+ *other flags are set */
+ #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
+ #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
+
+ /* private flags for internal (field in SECMODModule). */
+ /* The meaing of these flags is as follows:
+@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+ if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
+ flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
+ }
++ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
++ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
++ }
+ /* additional moduleDB flags could be added here in the future */
+ mod->isModuleDB = (PRBool)flags;
+ }
+@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ }
+
+ PRBool
++secmod_PolicyOnly(SECMODModule *mod)
++{
++ char flags = (char) mod->isModuleDB;
++
++ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
++}
++
++PRBool
+ secmod_IsInternalKeySlot(SECMODModule *mod)
+ {
+ char flags = (char)mod->internal;
+@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
+ if (!module) {
+ goto loser;
+ }
++
++ /* a policy only stanza doesn't actually get 'loaded'. policy has already
++ * been parsed as a side effect of the CreateModuleEx call */
++ if (secmod_PolicyOnly(module)) {
++ return module;
++ }
+ if (parent) {
+ module->parent = SECMOD_ReferenceModule(parent);
+ if (module->internal && secmod_IsInternalKeySlot(parent)) {
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <<EOF
+Usage: nss-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--includedir[=DIR]]
+ [--libdir[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Dynamic Libraries:
+ nss
+ nssutil
+ ssl
+ smime
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
new file mode 100644
index 0000000..b593479
--- /dev/null
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -0,0 +1,27 @@
+diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-04-26 11:53:57.980039632 +0200
++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:55:56.374264466 +0200
+@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/SOURCES/nss-disable-tls13-gtests.patch b/SOURCES/nss-disable-tls13-gtests.patch
new file mode 100644
index 0000000..cc7b661
--- /dev/null
+++ b/SOURCES/nss-disable-tls13-gtests.patch
@@ -0,0 +1,12 @@
+diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200
++++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200
+@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P(
+ INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+ TlsConnectTestBase::kTlsV11V12));
++#if 0
+ INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest,
+ TlsConnectTestBase::kTlsVariantsAll);
++#endif
+ } // namespace nss_test
diff --git a/SOURCES/nss-enable-cipher-suites.patch b/SOURCES/nss-enable-cipher-suites.patch
new file mode 100644
index 0000000..0e6aabd
--- /dev/null
+++ b/SOURCES/nss-enable-cipher-suites.patch
@@ -0,0 +1,39 @@
+diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.enable-cipher-suites 2017-02-20 16:32:39.464067010 +0100
++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:37:00.506731989 +0100
+@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch
new file mode 100644
index 0000000..c8222c7
--- /dev/null
+++ b/SOURCES/nss-fix-deadlock-squash.patch
@@ -0,0 +1,112 @@
+diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c
+--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100
++++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100
+@@ -374,13 +374,19 @@ struct token_cert_dtor {
+ PRUint32 numCerts, arrSize;
+ };
+
+-static void
+-remove_token_certs(const void *k, void *v, void *a)
++static void cert_iter(const void *k, void *v, void *a)
+ {
++ nssList *certList = (nssList *)a;
+ NSSCertificate *c = (NSSCertificate *)k;
++ nssList_Add(certList, nssCertificate_AddRef(c));
++}
++
++static void
++remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor)
++{
+ nssPKIObject *object = &c->object;
+- struct token_cert_dtor *dtor = a;
+ PRUint32 i;
++
+ nssPKIObject_AddRef(object);
+ nssPKIObject_Lock(object);
+ for (i = 0; i < object->numInstances; i++) {
+@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ NSSCertificate **certs;
+ PRUint32 i, arrSize = 10;
+ struct token_cert_dtor dtor;
++ nssList *certList;
++ PRStatus nspr_rv = PR_FAILURE;
++ nssListIterator *iter;
++ NSSCertificate *c;
++
+ certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
+ if (!certs) {
+ return PR_FAILURE;
+@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ dtor.certs = certs;
+ dtor.numCerts = 0;
+ dtor.arrSize = arrSize;
++
++ certList = nssList_Create(NULL, PR_FALSE);
++ if (!certList) {
++ goto loser;
++ }
++ /* fetch the list of certs in the cache */
++ PZ_Lock(td->cache->lock);
++ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
++ PZ_Unlock(td->cache->lock);
++
++ /* find the certs that match this token without olding the td cache lock */
++ iter=nssList_CreateIterator(certList);
++ if (!iter) {
++ goto loser;
++ }
++ for (c = (NSSCertificate *)nssListIterator_Start(iter);
++ c != (NSSCertificate *)NULL;
++ c = (NSSCertificate *)nssListIterator_Next(iter)) {
++ remove_token_certs( c, &dtor);
++ }
++ nssListIterator_Finish(iter);
++ nssListIterator_Destroy(iter);
++ nssList_Destroy(certList);
++ certList = NULL;
++
++ /* now remove theose certs attached to this token */
+ PZ_Lock(td->cache->lock);
+- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]->object.numInstances == 0) {
+ nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
+@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ }
+ }
+ PZ_Unlock(td->cache->lock);
++
++ /* clean up */
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]) {
+ STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+ nssCertificate_Destroy(dtor.certs[i]);
+ }
+ }
++
++ nspr_rv = PR_SUCCESS;
++loser:
++ if (certList) {
++ nssList_Destroy(certList);
++ }
+ nss_ZFreeIf(dtor.certs);
+- return PR_SUCCESS;
++ return nspr_rv;
+ }
+
+ NSS_IMPLEMENT PRStatus
+@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache(
+ return rvCert;
+ }
+
+-static void
+-cert_iter(const void *k, void *v, void *a)
+-{
+- nssList *certList = (nssList *)a;
+- NSSCertificate *c = (NSSCertificate *)k;
+- nssList_Add(certList, nssCertificate_AddRef(c));
+-}
+-
+ NSS_EXTERN NSSCertificate **
+ nssTrustDomain_GetCertsFromCache(
+ NSSTrustDomain *td,
diff --git a/SOURCES/nss-increase-pkcs12-iterations.patch b/SOURCES/nss-increase-pkcs12-iterations.patch
new file mode 100644
index 0000000..72fedd4
--- /dev/null
+++ b/SOURCES/nss-increase-pkcs12-iterations.patch
@@ -0,0 +1,26 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511356939 -3600
+# Wed Nov 22 14:22:19 2017 +0100
+# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1
+# Parent 6a27e4b4c92c8c3694132b75a1a54c23688789bd
+Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer
+
+diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c
+--- a/lib/pkcs7/p7create.c
++++ b/lib/pkcs7/p7create.c
+@@ -18,7 +18,13 @@
+ #include "secder.h"
+ #include "secpkcs5.h"
+
+-const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */
++const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */
++#ifdef DEBUG
++ 10000
++#else
++ 1000000
++#endif
++ ;
+
+ static SECStatus
+ sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch
new file mode 100644
index 0000000..9c85f74
--- /dev/null
+++ b/SOURCES/nss-is-token-present-race.patch
@@ -0,0 +1,191 @@
+# HG changeset patch
+# User Robert Relyea <rrelyea@redhat.com>
+# Date 1516007838 -3600
+# Mon Jan 15 10:17:18 2018 +0100
+# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670
+# Parent db32ef3be38eb06a91babbcbb48285284d704dbd
+Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi
+
+diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c
+--- a/lib/dev/devslot.c
++++ b/lib/dev/devslot.c
+@@ -33,6 +33,8 @@ nssSlot_Destroy(
+ if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) {
+ PK11_FreeSlot(slot->pk11slot);
+ PZ_DestroyLock(slot->base.lock);
++ PZ_DestroyCondVar(slot->isPresentCondition);
++ PZ_DestroyLock(slot->isPresentLock);
+ return nssArena_Destroy(slot->base.arena);
+ }
+ }
+@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent(
+ nssSession *session;
+ CK_SLOT_INFO slotInfo;
+ void *epv;
++ PRBool isPresent = PR_FALSE;
++
+ /* permanent slots are always present unless they're disabled */
+ if (nssSlot_IsPermanent(slot)) {
+ return !PK11_IsDisabled(slot->pk11slot);
+ }
++
+ /* avoid repeated calls to check token status within set interval */
++ PZ_Lock(slot->isPresentLock);
+ if (within_token_delay_period(slot)) {
+- return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0);
++ CK_FLAGS ckFlags = slot->ckFlags;
++ PZ_Unlock(slot->isPresentLock);
++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
+ }
++ PZ_Unlock(slot->isPresentLock);
+
+- /* First obtain the slot info */
++ /* First obtain the slot epv before we set up the condition
++ * variable, so we can just return if we couldn't get it. */
+ epv = slot->epv;
+ if (!epv) {
+ return PR_FALSE;
+ }
++
++ /* set up condition so only one thread is active in this part of the code at a time */
++ PZ_Lock(slot->isPresentLock);
++ while (slot->inIsPresent) {
++ PR_WaitCondVar(slot->isPresentCondition, 0);
++ }
++ /* if we were one of multiple threads here, the first thread will have
++ * given us the answer, no need to make more queries of the token. */
++ if (within_token_delay_period(slot)) {
++ CK_FLAGS ckFlags = slot->ckFlags;
++ PZ_Unlock(slot->isPresentLock);
++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0);
++ }
++ /* this is the winning thread, block all others until we've determined
++ * if the token is present and that it needs initialization. */
++ slot->inIsPresent = PR_TRUE;
++ PZ_Unlock(slot->isPresentLock);
++
+ nssSlot_EnterMonitor(slot);
+ ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo);
+ nssSlot_ExitMonitor(slot);
+ if (ckrv != CKR_OK) {
+ slot->token->base.name[0] = 0; /* XXX */
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
+ }
+ slot->ckFlags = slotInfo.flags;
+ /* check for the presence of the token */
+ if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) {
+ if (!slot->token) {
+ /* token was never present */
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
+ }
+ session = nssToken_GetDefaultSession(slot->token);
+ if (session) {
+@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent(
+ slot->token->base.name[0] = 0; /* XXX */
+ /* clear the token cache */
+ nssToken_Remove(slot->token);
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
++ goto done;
+ }
+ /* token is present, use the session info to determine if the card
+ * has been removed and reinserted.
+ */
+ session = nssToken_GetDefaultSession(slot->token);
+ if (session) {
+- PRBool isPresent = PR_FALSE;
++ PRBool tokenRemoved;
+ nssSession_EnterMonitor(session);
+ if (session->handle != CK_INVALID_SESSION) {
+ CK_SESSION_INFO sessionInfo;
+@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent(
+ session->handle = CK_INVALID_SESSION;
+ }
+ }
+- isPresent = session->handle != CK_INVALID_SESSION;
++ tokenRemoved = (session->handle == CK_INVALID_SESSION);
+ nssSession_ExitMonitor(session);
+ /* token not removed, finished */
+- if (isPresent) {
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_TRUE;
++ if (!tokenRemoved) {
++ isPresent = PR_TRUE;
++ goto done;
+ }
+ }
+ /* the token has been removed, and reinserted, or the slot contains
+@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent(
+ nssToken_Remove(slot->token);
+ /* token has been removed, need to refresh with new session */
+ nssrv = nssSlot_Refresh(slot);
++ isPresent = PR_TRUE;
+ if (nssrv != PR_SUCCESS) {
+ slot->token->base.name[0] = 0; /* XXX */
+ slot->ckFlags &= ~CKF_TOKEN_PRESENT;
+- /* TODO: insert a barrier here to avoid reordering of the assingments */
+- slot->lastTokenPing = PR_IntervalNow();
+- return PR_FALSE;
++ isPresent = PR_FALSE;
+ }
++done:
++ /* Once we've set up the condition variable,
++ * Before returning, it's necessary to:
++ * 1) Set the lastTokenPing time so that any other threads waiting on this
++ * initialization and any future calls within the initialization window
++ * return the just-computed status.
++ * 2) Indicate we're complete, waking up all other threads that may still
++ * be waiting on initialization can progress.
++ */
++ PZ_Lock(slot->isPresentLock);
+ slot->lastTokenPing = PR_IntervalNow();
+- return PR_TRUE;
++ slot->inIsPresent = PR_FALSE;
++ PR_NotifyAllCondVar(slot->isPresentCondition);
++ PZ_Unlock(slot->isPresentLock);
++ return isPresent;
+ }
+
+ NSS_IMPLEMENT void *
+@@ -229,7 +269,7 @@ nssSlot_GetToken(
+
+ if (nssSlot_IsTokenPresent(slot)) {
+ /* Even if a token should be present, check `slot->token` too as it
+- * might be gone already. This would happen mostly on shutdown. */
++ * might be gone already. This would happen mostly on shutdown. */
+ nssSlot_EnterMonitor(slot);
+ if (slot->token)
+ rvToken = nssToken_AddRef(slot->token);
+diff --git a/lib/dev/devt.h b/lib/dev/devt.h
+--- a/lib/dev/devt.h
++++ b/lib/dev/devt.h
+@@ -81,6 +81,9 @@ struct NSSSlotStr {
+ PZLock *lock;
+ void *epv;
+ PK11SlotInfo *pk11slot;
++ PZLock *isPresentLock;
++ PRCondVar *isPresentCondition;
++ PRBool inIsPresent;
+ };
+
+ struct nssSessionStr {
+diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c
+--- a/lib/pk11wrap/dev3hack.c
++++ b/lib/pk11wrap/dev3hack.c
+@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD
+ /* Grab the slot name from the PKCS#11 fixed-length buffer */
+ rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena);
+ rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock;
++ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther);
++ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock);
++ rvSlot->inIsPresent = PR_FALSE;
+ return rvSlot;
+ }
+
diff --git a/SOURCES/nss-modutil-suppress-password.patch b/SOURCES/nss-modutil-suppress-password.patch
new file mode 100644
index 0000000..160f995
--- /dev/null
+++ b/SOURCES/nss-modutil-suppress-password.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1510244757 -3600
+# Thu Nov 09 17:25:57 2017 +0100
+# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24
+# Parent 54be8a4501d454b2b7454e4a44ea013738e0b693
+Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie
+
+diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
+--- a/cmd/modutil/pk11.c
++++ b/cmd/modutil/pk11.c
+@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile,
+ ret = BAD_PW_ERR;
+ goto loser;
+ }
+- } else {
++ } else if (PK11_NeedLogin(slot)) {
+ for (matching = PR_FALSE; !matching;) {
+ oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
+ if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
diff --git a/SOURCES/nss-pk12util-faulty-aes.patch b/SOURCES/nss-pk12util-faulty-aes.patch
new file mode 100644
index 0000000..c6d22cc
--- /dev/null
+++ b/SOURCES/nss-pk12util-faulty-aes.patch
@@ -0,0 +1,43 @@
+From 0615bf4ad6c7e07cc1b7dee4bded01fe8974ad0b Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Wed, 27 Sep 2017 11:11:10 +0200
+Subject: [PATCH] pk11wrap: Add backward compatibility with faulty PBES2 AES
+ schemes
+
+---
+ lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
+index bea9333f6..5f68f399e 100644
+--- a/lib/pk11wrap/pk11pbe.c
++++ b/lib/pk11wrap/pk11pbe.c
+@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
+ cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
+
+ if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
+- length = sec_pkcs5v2_aes_key_length(cipherAlg);
++ /* Previously, the PKCS#12 files created with the old NSS
++ * releases encoded the maximum key size of AES (that is 32)
++ * in the keyLength field of PBKDF2-params. That resulted in
++ * always performing AES-256 even if AES-128-CBC or
++ * AES-192-CBC is specified in the encryptionScheme field of
++ * PBES2-params. This is wrong, but for compatibility reasons,
++ * check the keyLength field and use the value if it is 32.
++ */
++ if (p5_param.keyLength.data != NULL) {
++ length = DER_GetInteger(&p5_param.keyLength);
++ }
++ /* If the keyLength field is present and contains a value
++ * other than 32, that means the file is created outside of
++ * NSS, which we don't care about. Note that the following
++ * also handles the case when the field is absent. */
++ if (length != 32) {
++ length = sec_pkcs5v2_aes_key_length(cipherAlg);
++ }
+ } else if (p5_param.keyLength.data != NULL) {
+ length = DER_GetInteger(&p5_param.keyLength);
+ } else {
+--
+2.13.5
+
diff --git a/SOURCES/nss-pss-fixes.patch b/SOURCES/nss-pss-fixes.patch
new file mode 100644
index 0000000..964e792
--- /dev/null
+++ b/SOURCES/nss-pss-fixes.patch
@@ -0,0 +1,649 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1510136005 -3600
+# Wed Nov 08 11:13:25 2017 +0100
+# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62
+# Parent d515199921dd703087f7e0e03eb71058a015934d
+Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt
+
+Reviewers: mt, rrelyea
+
+Reviewed By: mt
+
+Bug #: 1415171
+
+Differential Revision: https://phabricator.services.mozilla.com/D202
+
+diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c
+--- a/cmd/lib/secutil.c
++++ b/cmd/lib/secutil.c
+@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte
+ SECU_Indent(out, level + 1);
+ fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+ } else {
+- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1);
++ SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1);
+ }
+ } else {
+ SECU_Indent(out, level + 1);
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+ }
+
+- rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
+- if (rv != SECSuccess) {
+- return rv;
++ if (params->saltLength.data) {
++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ } else {
++ saltLength = 20; /* default, 20 */
+ }
+ mech->sLen = saltLength;
+
+diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
+--- a/lib/cryptohi/secsign.c
++++ b/lib/cryptohi/secsign.c
+@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ SECKEYRSAPSSParams pssParams;
+ int modBytes, hashLength;
+ unsigned long saltLength;
++ PRBool defaultSHA1 = PR_FALSE;
+ SECStatus rv;
+
+ if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
+@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ if (rv != SECSuccess) {
+ return NULL;
+ }
++ defaultSHA1 = PR_TRUE;
+ }
+
+ if (pssParams.trailerField.data) {
+@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ /* Determine the hash algorithm to use, based on hashAlgTag and
+ * pssParams.hashAlg; there are four cases */
+ if (hashAlgTag != SEC_OID_UNKNOWN) {
++ SECOidTag tag = SEC_OID_UNKNOWN;
++
+ if (pssParams.hashAlg) {
+- if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) {
+- PORT_SetError(SEC_ERROR_INVALID_ARGS);
+- return NULL;
+- }
++ tag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
++ } else if (defaultSHA1) {
++ tag = SEC_OID_SHA1;
++ }
++
++ if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return NULL;
+ }
+ } else if (hashAlgTag == SEC_OID_UNKNOWN) {
+ if (pssParams.hashAlg) {
+ hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
++ } else if (defaultSHA1) {
++ hashAlgTag = SEC_OID_SHA1;
+ } else {
+ /* Find a suitable hash algorithm based on the NIST recommendation */
+ if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */
+@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return NULL;
+ }
++ } else if (defaultSHA1) {
++ if (hashAlgTag != SEC_OID_SHA1) {
++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
++ return NULL;
++ }
+ }
+
+ hashLength = HASH_ResultLenByOidTag(hashAlgTag);
+@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool *
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return NULL;
+ }
++ } else if (defaultSHA1) {
++ saltLength = 20;
+ }
+
+ /* Fill in the parameters */
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -516,6 +516,9 @@ cert_all_CA()
+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
+ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
+
++ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
++ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
+
+ #
+ # Create EC version of TestCA
+@@ -2054,7 +2057,7 @@ check_sign_algo()
+ {
+ certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
+ sed -n '/^ *Data:/,/^$/{
+-/^ Signature Algorithm/,/^ *Salt Length/s/^ //p
++/^ Signature Algorithm/,/^ *Salt length/s/^ //p
+ }' > ${TMP}/signalgo.txt
+
+ diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
+@@ -2088,6 +2091,12 @@ cert_test_rsapss()
+ CU_ACTION="Verify RSA-PSS CA Cert"
+ certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
+
++ CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
++ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
++
++ CERTSERIAL=200
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explicit, with --pss-sign)
+@@ -2098,7 +2107,7 @@ cert_test_rsapss()
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA
+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
+@@ -2127,7 +2138,7 @@ EOF
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-512
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-512
+- Salt Length: 64 (0x40)
++ Salt length: 64 (0x40)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA
+ # Issuer certificate: RSA-PSS
+ # Signature: RSA-PSS
+@@ -2156,7 +2169,69 @@ EOF
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++
++ CU_ACTION="Import $CERTNAME's Cert"
++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${CERTNAME}.cert" 2>&1
++
++ CU_ACTION="Verify $CERTNAME's Cert"
++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
++ cat > ${TMP}/signalgo.exp <<EOF
++Signature Algorithm: PKCS #1 RSA-PSS Signature
++ Parameters:
++ Hash algorithm: SHA-256
++ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
++ Mask hash algorithm: SHA-256
++ Salt length: 32 (0x20)
++EOF
++ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA
++ # Signature: RSA-PSS (explicit, with --pss-sign)
++ CERTNAME="TestUser-rsa-pss4"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++
++ CU_ACTION="Import $CERTNAME's Cert"
++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${CERTNAME}.cert" 2>&1
++
++ CU_ACTION="Verify $CERTNAME's Cert"
++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
++ cat > ${TMP}/signalgo.exp <<EOF
++Signature Algorithm: PKCS #1 RSA-PSS Signature
++ Parameters:
++ Hash algorithm: SHA-256
++ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
++ Mask hash algorithm: SHA-256
++ Salt length: 32 (0x20)
++EOF
++ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (explicit, with --pss-sign)
++ CERTNAME="TestUser-rsa-pss5"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA
+- # Signature: RSA-PSS (explicit, with --pss-sign)
+- CERTNAME="TestUser-rsa-pss4"
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (implicit, without --pss-sign)
++ CERTNAME="TestUser-rsa-pss6"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \
++ # Sign without --pss-sign nor -Z option
++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (explicit, with --pss-sign)
+- CERTNAME="TestUser-rsa-pss5"
++ # Signature: RSA-PSS (with conflicting hash algorithm)
++ CERTNAME="TestUser-rsa-pss7"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \
++ RETEXPECTED=255
++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++ RETEXPECTED=0
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (with compatible hash algorithm)
++ CERTNAME="TestUser-rsa-pss8"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig
+ Hash algorithm: SHA-256
+ Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+ Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Salt length: 32 (0x20)
+ EOF
+ check_sign_algo
+
+- # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (implicit, without --pss-sign)
+- CERTNAME="TestUser-rsa-pss6"
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA
++ # Issuer certificate: RSA
++ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
++ CERTNAME="TestUser-rsa-pss9"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \
++ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2255,39 +2354,27 @@ EOF
+ cat > ${TMP}/signalgo.exp <<EOF
+ Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+- Hash algorithm: SHA-256
+- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+- Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Hash algorithm: default, SHA-1
++ Mask algorithm: default, MGF1
++ Mask hash algorithm: default, SHA-1
++ Salt length: default, 20 (0x14)
+ EOF
+ check_sign_algo
+
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
+ # Subject certificate: RSA-PSS
+ # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (with conflicting hash algorithm)
+- CERTNAME="TestUser-rsa-pss7"
++ # Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
++ CERTNAME="TestUser-rsa-pss10"
+
+ CU_ACTION="Generate Cert Request for $CERTNAME"
+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
+
+ CU_ACTION="Sign ${CERTNAME}'s Request"
+- RETEXPECTED=255
+- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \
+- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+- RETEXPECTED=0
+-
+- # Subject certificate: RSA-PSS
+- # Issuer certificate: RSA-PSS
+- # Signature: RSA-PSS (with compatible hash algorithm)
+- CERTNAME="TestUser-rsa-pss8"
+-
+- CU_ACTION="Generate Cert Request for $CERTNAME"
+- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
+- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
+-
+- CU_ACTION="Sign ${CERTNAME}'s Request"
+- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \
++ # Sign without --pss-sign nor -Z option
++ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
+
+ CU_ACTION="Import $CERTNAME's Cert"
+@@ -2299,12 +2386,29 @@ EOF
+ cat > ${TMP}/signalgo.exp <<EOF
+ Signature Algorithm: PKCS #1 RSA-PSS Signature
+ Parameters:
+- Hash algorithm: SHA-256
+- Mask algorithm: PKCS #1 MGF1 Mask Generation Function
+- Mask hash algorithm: SHA-256
+- Salt Length: 32 (0x20)
++ Hash algorithm: default, SHA-1
++ Mask algorithm: default, MGF1
++ Mask hash algorithm: default, SHA-1
++ Salt length: default, 20 (0x14)
+ EOF
+ check_sign_algo
++
++ CERTSERIAL=`expr $CERTSERIAL + 1`
++
++ # Subject certificate: RSA-PSS
++ # Issuer certificate: RSA-PSS
++ # Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
++ CERTNAME="TestUser-rsa-pss11"
++
++ CU_ACTION="Generate Cert Request for $CERTNAME"
++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
++
++ CU_ACTION="Sign ${CERTNAME}'s Request"
++ RETEXPECTED=255
++ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
++ RETEXPECTED=0
+ }
+
+ ############################## cert_cleanup ############################
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1514884761 -3600
+# Tue Jan 02 10:19:21 2018 +0100
+# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af
+# Parent e577b1df8dabb31466cebad07fdbe0883290bede
+Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt
+
+Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm.
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 1423557
+
+Differential Revision: https://phabricator.services.mozilla.com/D322
+
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t
+ return CKM_SHA384;
+ case SEC_OID_SHA256:
+ return CKM_SHA256;
++ case SEC_OID_SHA224:
++ return CKM_SHA224;
++ case SEC_OID_SHA1:
++ return CKM_SHA_1;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+- /* fallthrough */
+- case SEC_OID_SHA1:
+- break;
++ return CKM_INVALID_MECHANISM;
+ }
+- return CKM_SHA_1;
+ }
+
+ static CK_RSA_PKCS_MGF_TYPE
+@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag)
+ return CKG_MGF1_SHA384;
+ case SEC_OID_SHA256:
+ return CKG_MGF1_SHA256;
++ case SEC_OID_SHA224:
++ return CKG_MGF1_SHA224;
++ case SEC_OID_SHA1:
++ return CKG_MGF1_SHA1;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+- /* fallthrough */
+- case SEC_OID_SHA1:
+- break;
++ return 0;
+ }
+- return CKG_MGF1_SHA1;
+ }
+
+ SECStatus
+@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ SECStatus rv = SECSuccess;
+ SECOidTag hashAlgTag;
+ unsigned long saltLength;
++ unsigned long trailerField;
+
+ PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS));
+
+@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */
+ }
+ mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag);
++ if (mech->hashAlg == CKM_INVALID_MECHANISM) {
++ return SECFailure;
++ }
+
+ if (params->maskAlg) {
+ SECAlgorithmID maskHashAlg;
+@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ }
+ maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg);
+ mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag);
++ if (mech->mgf == 0) {
++ return SECFailure;
++ }
+ } else {
+ mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
+ }
+@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_
+ }
+ mech->sLen = saltLength;
+
++ if (params->trailerField.data) {
++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ if (trailerField != 1) {
++ /* the value must be 1, which represents the trailer field
++ * with hexadecimal value 0xBC */
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++ }
++
+ return rv;
+ }
+diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/TestCA-bogus-rsa-pss1.crt
+@@ -0,0 +1,26 @@
++-----BEGIN CERTIFICATE-----
++MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA
++oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ
++BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp
++biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB
++IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa
++GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp
++Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO
++U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl
++ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG
++CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB
++AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX
++yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo
++SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK
++xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07
++/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK
++Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC
++BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow
++OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA
++ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8
++HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba
++nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh
++pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA
++hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh
++uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/TestCA-bogus-rsa-pss2.crt
+@@ -0,0 +1,24 @@
++-----BEGIN CERTIFICATE-----
++MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh
++GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT
++MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw
++EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT
++IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2
++NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
++Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T
++UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3
++DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6
++7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x
++Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj
++sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa
++eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu
++aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg
++hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
++BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN
++AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY
++fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D
++difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+
++4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2
++g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT
++0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -2095,6 +2095,20 @@ cert_test_rsapss()
+ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
+ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
+
++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)"
++ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1
++ RETEXPECTED=255
++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
++ RETEXPECTED=0
++
++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)"
++ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1
++ RETEXPECTED=255
++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
++ RETEXPECTED=0
++
+ CERTSERIAL=200
+
+ # Subject certificate: RSA
diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch
new file mode 100644
index 0000000..7a75e50
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch
@@ -0,0 +1,47 @@
+diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2017-10-06 16:41:39.223713982 +0200
+@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
+ // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
+ // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
+ // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
+- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM.
++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {
+ return ssl_grp_ec_secp384r1;
+ }
+ return ssl_grp_ec_curve25519;
+@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P(
+ ::testing::Values(TlsAgent::kServerEcdsa256),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM, and that causes the following
++ // 3 TLS 1.2 tests to fail.
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa521),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
++#if 0
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P(
+ TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_sha1)));
++#endif
+ }
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
new file mode 100644
index 0000000..9806190
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites.patch
@@ -0,0 +1,234 @@
+diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200
++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200
+@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi
+ /* clang-format off */
+ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
+ /* cipher_suite policy enabled isPresent */
+- /* Special TLS 1.3 suites. */
+- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+-
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+- * bug 946147.
+- */
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* RSA */
+- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+-
+- /* 56-bit DES "domestic" cipher suites */
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* ciphersuites with no encryption */
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
++ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+ };
+ /* clang-format on */
+
+diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200
++++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200
+@@ -55,53 +55,44 @@
+ * the third one.
+ */
+ const PRUint16 SSL_ImplementedCiphers[] = {
+- TLS_AES_128_GCM_SHA256,
+- TLS_CHACHA20_POLY1305_SHA256,
+- TLS_AES_256_GCM_SHA384,
+-
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+- */
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+-
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+-
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+-
+- TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_RSA_WITH_AES_128_CBC_SHA,
+- TLS_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_WITH_RC4_128_MD5,
+-
+- /* 56-bit DES "domestic" cipher suites */
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+-
+- /* ciphersuites with no encryption */
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDH_RSA_WITH_NULL_SHA,
+@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_RSA_WITH_NULL_SHA,
+ TLS_RSA_WITH_NULL_SHA256,
+ TLS_RSA_WITH_NULL_MD5,
++ TLS_AES_128_GCM_SHA256,
++ TLS_CHACHA20_POLY1305_SHA256,
++ TLS_AES_256_GCM_SHA384,
+
+ 0
+ };
diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config
new file mode 100644
index 0000000..be6d690
--- /dev/null
+++ b/SOURCES/nss-rhel7.config
@@ -0,0 +1,7 @@
+# To re-enable legacy algorithms, edit this file
+# Note that the last empty line in this file must be preserved
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023"
+
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 0000000..7d55d10
--- /dev/null
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,15 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100
++++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
++SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
new file mode 100644
index 0000000..02bf308
--- /dev/null
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -0,0 +1,33 @@
+diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -32,6 +32,5 @@ endif
+
+ DIRS = \
+ $(LIB_SRCDIRS) \
+- $(UTIL_SRCDIRS) \
+ $(NSS_SRCDIRS) \
+ $(NULL)
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200
+@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest
+ EXTRA_LIBS += \
+ $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
++ -lsoftokn3
+ $(NULL)
+
+ USE_STATIC_LIBS = 1
+diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh
+--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200
++++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200
+@@ -83,7 +83,7 @@ gtest_cleanup()
+ }
+
+ ################## main #################################################
+-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest"
++GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest"
+ SOURCE_DIR="$PWD"/../..
+ gtest_init $0
+ gtest_start
diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch
new file mode 100644
index 0000000..cc52515
--- /dev/null
+++ b/SOURCES/nss-sni-c-v-fix.patch
@@ -0,0 +1,21 @@
+diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt
+--- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200
++++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200
+@@ -64,13 +64,13 @@
+ #
+ # SNI Tests
+ #
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/SOURCES/nss-sysinit-getenv.patch b/SOURCES/nss-sysinit-getenv.patch
new file mode 100644
index 0000000..d3f47bc
--- /dev/null
+++ b/SOURCES/nss-sysinit-getenv.patch
@@ -0,0 +1,57 @@
+diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
+--- a/lib/sysinit/nsssysinit.c
++++ b/lib/sysinit/nsssysinit.c
+@@ -1,11 +1,15 @@
+ /* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#define _GNU_SOURCE 1
++#include <stdlib.h>
++
+ #include "seccomon.h"
+ #include "prio.h"
+ #include "prprf.h"
+ #include "plhash.h"
+ #include "prenv.h"
+
+ /*
+ * The following provides a default example for operating systems to set up
+@@ -37,17 +41,17 @@ testdir(char *dir)
+ return S_ISDIR(buf.st_mode);
+ }
+
+ #define NSS_USER_PATH1 "/.pki"
+ #define NSS_USER_PATH2 "/nssdb"
+ static char *
+ getUserDB(void)
+ {
+- char *userdir = PR_GetEnvSecure("HOME");
++ char *userdir = secure_getenv("HOME");
+ char *nssdir = NULL;
+
+ if (userdir == NULL) {
+ return NULL;
+ }
+
+ nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
+ if (nssdir == NULL) {
+@@ -129,17 +133,17 @@ userCanModifySystemDB()
+ #else
+ #error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions"
+ #endif
+ #endif
+
+ static PRBool
+ getFIPSEnv(void)
+ {
+- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS");
++ char *fipsEnv = secure_getenv("NSS_FIPS");
+ if (!fipsEnv) {
+ return PR_FALSE;
+ }
+ if ((strcasecmp(fipsEnv, "fips") == 0) ||
+ (strcasecmp(fipsEnv, "true") == 0) ||
+ (strcasecmp(fipsEnv, "on") == 0) ||
+ (strcasecmp(fipsEnv, "1") == 0)) {
+ return PR_TRUE;
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
new file mode 100644
index 0000000..7334c80
--- /dev/null
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -0,0 +1,25 @@
+diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100
++++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100
+@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
+ SECStatus
+ NSS_SetDomesticPolicy(void)
+ {
+- SECStatus status = SECSuccess;
+ const PRUint16 *cipher;
+ SECStatus rv;
+ PRUint32 policy;
+@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void)
+ }
+
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
++ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED);
+ }
+- return status;
++ return SECSuccess;
+ }
+
+ SECStatus
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>pkcs11.txt</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pkcs11.txt</refname>
+ <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+ </refnamediv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+ </para>
+ <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
+
diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch
new file mode 100644
index 0000000..ca92f83
--- /dev/null
+++ b/SOURCES/renegotiate-transitional.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2016-08-15 17:57:58.146879056 +0200
++++ nss/lib/ssl/sslsock.c 2016-08-15 17:58:02.365758224 +0200
+@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+- 2, /* enableRenegotiation (default: requires extension) */
++ 3, /* enableRenegotiation (default: transitional) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 0000000..8e1f5f7
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <<EOF
+Usage: setup-nsssysinit [on|off]
+ on - turns on nsssysinit
+ off - turns off nsssysinit
+ status - reports whether nsssysinit is turned on or off
+EOF
+ exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+ usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 0000000..c2f5704
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch
new file mode 100644
index 0000000..649b548
--- /dev/null
+++ b/SOURCES/utilwrap-include-templates.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..ad8821b
--- /dev/null
+++ b/SPECS/nss.spec
@@ -0,0 +1,2145 @@
+%global nspr_version 4.17.0
+%global nss_util_version 3.34.0
+%global nss_util_build -1
+# adjust to the version that gets submitted for FIPS validation
+%global nss_softokn_fips_version 3.34.0
+%global nss_softokn_version 3.34.0
+# Attention: Separate softokn versions for build and runtime.
+%global runtime_required_softokn_build_version -1
+# Building NSS doesn't require the same version of softokn built for runtime.
+%global build_required_softokn_build_version -1
+
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 s390x sparc64 x86_64
+%ifarch %{multilib_arches}
+%define alt_ckbi libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi libnssckbi.so
+%endif
+
+# Define if using a source archive like "nss-version.with.ckbi.version".
+# To "disable", add "#" to start of line, AND a space after "%".
+#% define nss_ckbi_suffix .with.ckbi.1.93
+
+Summary: Network Security Services
+Name: nss
+Version: 3.34.0
+Release: 4%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Group: System Environment/Libraries
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_util_version}%{nss_util_build}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{runtime_required_softokn_build_version}
+Requires: nss-system-init
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= %{nspr_version}
+# TODO: revert to same version as nss once we are done with the merge
+# Using '>=' but on RHEL the requires should be '='
+BuildRequires: nss-softokn-devel >= %{nss_softokn_version}%{build_required_softokn_build_version}
+BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build}
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl
+
+# nss-pem used to be bundled with the nss package on Fedora -- make sure that
+# programs relying on that continue to work until they are fixed to require
+# nss-pem instead. Once all of them are fixed, the following line can be
+# removed. See https://bugzilla.redhat.com/1346806 for details.
+Requires: nss-pem%{?_isa}
+
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
+
+Source0: %{name}-%{full_nss_version}.tar.gz
+Source1: nss.pc.in
+Source2: nss-config.in
+Source3: blank-cert8.db
+Source4: blank-key3.db
+Source5: blank-secmod.db
+Source6: blank-cert9.db
+Source7: blank-key4.db
+Source8: system-pkcs11.txt
+Source9: setup-nsssysinit.sh
+Source10: PayPalEE.cert
+Source17: TestCA.ca.cert
+Source18: TestUser50.cert
+Source19: TestUser51.cert
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+Source30: PayPalRootCA.cert
+Source31: PayPalICA.cert
+Source32: nss-rhel7.config
+Source33: TestOldCA.p12
+
+Patch2: add-relro-linker-option.patch
+Patch3: renegotiate-transitional.patch
+Patch16: nss-539183.patch
+# TODO: Remove this patch when the ocsp test are fixed
+Patch40: nss-3.14.0.0-disble-ocsp-test.patch
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47: utilwrap-include-templates.patch
+# TODO remove when we switch to building nss without softoken
+Patch49: nss-skip-bltest-and-fipstest.patch
+# This patch uses the gcc-iquote dir option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to place the in-tree directories at the head of the list of list of directories
+# to be searched for for header files. This ensures a build even when system
+# headers are older. Such is the case when starting an update with API changes or even private export changes.
+# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
+Patch50: iquote.patch
+Patch52: Bug-1001841-disable-sslv2-libssl.patch
+Patch53: Bug-1001841-disable-sslv2-tests.patch
+Patch55: enable-fips-when-system-is-in-fips-mode.patch
+# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
+Patch56: p-ignore-setpolicy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
+Patch62: nss-fix-deadlock-squash.patch
+Patch100: fix-min-library-version-in-SSLVersionRange.patch
+Patch108: nss-sni-c-v-fix.patch
+Patch123: nss-skip-util-gtest.patch
+Patch126: nss-reorder-cipher-suites.patch
+Patch127: nss-disable-cipher-suites.patch
+Patch128: nss-enable-cipher-suites.patch
+Patch130: nss-reorder-cipher-suites-gtests.patch
+Patch131: nss-disable-tls13-gtests.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch135: nss-check-policy-file.patch
+# Work around for yum
+# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
+Patch141: nss-sysinit-getenv.patch
+
+# Patches backported from 3.35:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265
+Patch144: nss-pk12util-faulty-aes.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071
+Patch145: nss-increase-pkcs12-iterations.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847
+Patch146: nss-modutil-suppress-password.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361
+Patch147: nss-certutil-suppress-password.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171
+Patch148: nss-pss-fixes.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
+Patch149: nss-is-token-present-race.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Group: System Environment/Base
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+Group: System Environment/Base
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Group: Development/Libraries
+Provides: nss-static = %{version}-%{release}
+Requires: nss = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Group: Development/Libraries
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+# TODO: revert to using nss_softokn_version once we are done with
+# the merge into to new rhel git repo
+# For RHEL we should have '=' instead of '>='
+Requires: nss-softokn-freebl-devel >= %{nss_softokn_version}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%prep
+%setup -q
+%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE33} -f ./nss/tests/tools
+%setup -q -T -D -n %{name}-%{version}
+
+%patch2 -p0 -b .relro
+%patch3 -p0 -b .transitional
+%patch16 -p0 -b .539183
+%patch40 -p0 -b .noocsptest
+%patch47 -p0 -b .templates
+%patch49 -p0 -b .skipthem
+%patch50 -p0 -b .iquote
+pushd nss
+%patch52 -p1 -b .disableSSL2libssl
+%patch53 -p1 -b .disableSSL2tests
+%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
+%patch56 -p1 -b .1026677_ignore_set_policy
+%patch62 -p1 -b .fix_deadlock
+%patch100 -p0 -b .1171318
+popd
+%patch108 -p0 -b .sni_c_v_fix
+pushd nss
+%patch123 -p1 -b .skip-util-gtests
+%patch126 -p1 -b .reorder-cipher-suites
+%patch127 -p1 -b .disable-cipher-suites
+%patch128 -p1 -b .enable-cipher-suites
+%patch130 -p1 -b .reorder-cipher-suites-gtests
+%patch131 -p1 -b .disable-tls13-gtests
+%patch135 -p1 -b .check_policy_file
+%patch141 -p1 -b .sysinit-getenv
+%patch144 -p1 -b .pk12util-faulty-aes
+%patch145 -p1 -b .increase-pkcs12-iterations
+%patch146 -p1 -b .suppress-modutil-password
+%patch147 -p1 -b .suppress-certutil-password
+%patch148 -p1 -b .pss-fixes
+%patch149 -p1 -b .is-token-present-race
+popd
+
+#########################################################
+# Higher-level libraries and test tools need access to
+# module-private headers from util, freebl, and softoken
+# until fixed upstream we must copy some headers locally
+#########################################################
+
+# Copying these header until the upstream bug is accepted
+# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
+%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
+%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
+
+# Before removing util directory we must save verref.h
+# as it will be needed later during the build phase.
+%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
+
+##### Remove util/freebl/softoken and low level tools
+######## Remove freebl, softoken and util
+%{__rm} -rf ./nss/lib/freebl
+%{__rm} -rf ./nss/lib/softoken
+%{__rm} -rf ./nss/lib/util
+######## Remove nss-softokn test tools as we already ran
+# the cipher test suite as part of the nss-softokn build
+%{__rm} -rf ./nss/cmd/bltest
+%{__rm} -rf ./nss/cmd/fipstest
+%{__rm} -rf ./nss/cmd/rsaperf_low
+
+pushd nss/tests/ssl
+# Create versions of sslcov.txt and sslstress.txt that disable tests
+# for SSL2 and EXPORT ciphers.
+cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
+cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
+popd
+
+%build
+
+export NSS_NO_SSL2=1
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+# Enable compiler optimizations and disable debugging code
+export BUILD_OPT=1
+
+# Uncomment to disable optimizations
+# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'`
+# export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+XCFLAGS=$RPM_OPT_FLAGS
+
+export XCFLAGS
+
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_LIB_DIR=%{_libdir}
+
+export NSPR_INCLUDE_DIR
+export NSPR_LIB_DIR
+
+export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
+export NSSUTIL_LIB_DIR=%{_libdir}
+
+export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'`
+export FREEBL_LIB_DIR=%{_libdir}
+export USE_SYSTEM_FREEBL=1
+# FIXME choose one or the other style and submit a patch upstream
+# wtc has suggested using NSS_USE_SYSTEM_FREEBL
+export NSS_USE_SYSTEM_FREEBL=1
+
+export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn`
+
+export SOFTOKEN_LIB_DIR=%{_libdir}
+# use the system ones
+export USE_SYSTEM_NSSUTIL=1
+export USE_SYSTEM_SOFTOKEN=1
+
+# tell the upstream build system what we are doing
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+
+NSS_USE_SYSTEM_SQLITE=1
+export NSS_USE_SYSTEM_SQLITE
+
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+USE_64=1
+export USE_64
+%endif
+%endif
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+##### phase 2: build the rest of nss
+export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_DISABLE_TLS_1_3=1
+
+%{__make} -C ./nss/coreconf
+%{__make} -C ./nss/lib/dbm
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss-rhel7.config"
+# location of the policy file
+export POLICY_PATH="/etc/pki/nss-legacy"
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/lib/util/verref.h which is exported privately,
+# copy the one we saved during prep so it they can find it.
+%{__mkdir_p} ./dist/private/nss
+%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
+
+%{__make} -C ./nss
+unset NSS_BLTEST_NOT_AVAILABLE
+
+# build the man pages clean
+pushd ./nss
+%{__make} clean_docs build_docs
+popd
+
+# and copy them to the dist directory for %%install to find them
+%{__mkdir_p} ./dist/doc/nroff
+%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff
+
+# Set up our package file
+# The nspr_version and nss_{util|softokn}_version globals used
+# here match the ones nss has for its Requires.
+# Using the current %%{nss_softokn_version} for fedora again
+%{__mkdir_p} ./dist/pkgconfig
+%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+export NSS_VMAJOR
+export NSS_VMINOR
+export NSS_VPATCH
+
+%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+if [ ${DISABLETEST:-0} -eq 1 ]; then
+ echo "testing disabled"
+ exit 0
+fi
+
+# Begin -- copied from the build section
+
+# inform the ssl test scripts that SSL2 is disabled
+export NSS_NO_SSL2=1
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+USE_64=1
+export USE_64
+%endif
+%endif
+
+export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_DISABLE_TLS_1_3=1
+
+export NSS_FORCE_FIPS=1
+
+# needed for the fips mangling test
+export SOFTOKEN_LIB_DIR=%{_libdir}
+
+# End -- copied from the build section
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd ./nss/tests/
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
+# nss_ssl_run: cov auth stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# global nss_ssl_tests "normal_fips"
+# global nss_ssl_run "cov auth"
+
+# Temporarily disabling ssl stress tests for s390
+%ifarch s390
+%global nss_ssl_run "cov auth"
+%endif
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+
+popd
+
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
+killall $RANDSERV || :
+
+TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+ %ifarch %{arm}
+ :
+ # do nothing on arm where the test suite is failing and has been
+ # for while, do run the test suite but make it non fatal on arm
+ %else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+%endif
+fi
+echo "test suite completed"
+
+%install
+
+%{__rm} -rf $RPM_BUILD_ROOT
+
+# There is no make install target so we'll do it ourselves.
+
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
+%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
+
+# Copy the binary libraries we want
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the template files we want
+for file in dist/private/nss/nssck.api
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in "%{allTools}"; do
+ install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy
+%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+# If we upgrade, and the shared filename is a regular file, then we must
+# remove it, before we can install the alternatives symbolic link.
+if [ $1 -gt 1 ] ; then
+ # when upgrading or downgrading
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ rm -f %{_libdir}/libnssckbi.so
+ fi
+fi
+# Install the symbolic link
+# FYI: Certain other packages use alternatives --set to enforce that the first
+# installed package is preferred. We don't do that. Highest priority wins.
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+/sbin/ldconfig
+
+%postun
+if [ $1 -eq 0 ] ; then
+ # package removal
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+else
+ # upgrade or downgrade
+ # If the new installed package uses a regular file (not a symblic link),
+ # then cleanup the alternatives link.
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+ fi
+fi
+/sbin/ldconfig
+
+
+%files
+%defattr(-,root,root)
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%ghost %{_libdir}/libnssckbi.so
+%{_libdir}/nss/libnssckbi.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%dir %{_sysconfdir}/pki/nss-legacy
+%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
+%files sysinit
+%defattr(-,root,root)
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+
+%files tools
+%defattr(-,root,root)
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/pk12util
+%{_bindir}/signtool
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %%{_mandir}/man*/* let's list them explicitely
+# supported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+# unsupported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+
+%files pkcs11-devel
+%defattr(-, root, root)
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+
+%changelog
+* Mon Jan 15 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-4
+- Re-enable nss-is-token-present-race.patch
+
+* Fri Jan 5 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-3
+- Temporarily disable nss-is-token-present-race.patch
+
+* Thu Jan 4 2018 Daiki Ueno <dueno@redhat.com> - 3.34.0-2
+- Backport necessary changes from 3.35
+
+* Fri Nov 24 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1
+- Rebase to NSS 3.34
+
+* Mon Oct 30 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-0.1.beta1
+- Rebase to NSS 3.34.BETA1
+
+* Wed Oct 25 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-3
+- Disable TLS 1.3
+
+* Wed Oct 18 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-2
+- Enable TLS 1.3
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1
+- Rebase to NSS 3.33
+- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants)
+- Temporarily disable race.patch and nss-3.16-token-init-race.patch,
+ which causes a deadlock in newly added test cases
+- Remove upstreamed patches: moz-1320932.patch,
+ nss-tstclnt-optspec.patch,
+ nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch,
+ nss-tools-sha256-default.patch, nss-is-token-present-race.patch,
+ nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-14
+- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-13
+- Update iquote.patch to prefer nss.h from the source
+
+* Mon Oct 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-12
+- Add backward compatibility to pk12util regarding password encoding
+
+* Thu Aug 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-11
+- Backport patch to simplify transcript calculation for CertificateVerify
+- Enable TLS 1.3 and RSA-PSS
+- Disable some upstream tests failing due to downstream ciphersuites changes
+
+* Thu Jul 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-10
+- Work around yum crash due to new NSPR symbol being used in nss-sysinit,
+ patch by Kai Engert
+
+* Fri Jun 2 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-9
+- Fix typo in nss-sni-c-v-fix.patch
+
+* Fri May 5 2017 Kai Engert <kaie@redhat.com> - 3.28.4-8
+- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5
+
+* Fri May 5 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-7
+- Update nss-pk12util.patch to include fix from mozbz#1353724.
+
+* Wed May 3 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-6
+- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207.
+
+* Fri Apr 28 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-5
+- Fix zero-length record treatment for stream ciphers and SSLv2
+
+* Thu Apr 27 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-4
+- Correctly set policy file location when building
+
+* Wed Apr 26 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-3
+- Reorder ChaCha20-Poly1305 cipher suites, as suggested in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9
+
+* Thu Apr 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.4-2
+- Rebase to NSS 3.28.4
+- Update nss-pk12util.patch with backport of mozbz#1353325
+
+* Thu Mar 16 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-5
+- Switch default hash algorithm used by tools from SHA-1 to SHA-256
+- Avoid race condition in nssSlot_IsTokenPresent()
+- Enable SHA-2 and AES in pk12util
+- Disable RSA-PSS for now
+
+* Fri Mar 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-4
+- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert
+- Backport changes adding SSL alert callbacks from upstream
+- Add nss-check-policy-file.patch from Fedora
+- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config
+
+* Mon Mar 6 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-3
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+- Enable new algorithms supported by the new nss-softokn
+
+* Mon Mar 6 2017 Daiki Ueno <dueno@redhat.com> - 3.28.3-2
+- Rebase to NSS 3.28.3
+- Bump required version of nss-softokn
+
+* Wed Feb 15 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-3
+- Remove %%nss_cycles setting, which was also mistakenly added
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+- Prevent ABI incompatibilty of SECKEYECPublicKey
+- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
+- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
+ patch in the previous release
+- Fix crash with tstclnt -W
+- Always enable gtests for supported features
+- Add patch to fix bash syntax error in tests/ssl.sh
+- Build with support for SSLKEYLOGFILE
+- Disable the use of RSA-PSS with SSL/TLS
+
+* Tue Feb 14 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-2
+- Decouple nss-pem from the nss package
+- Resolves: #1316546
+
+* Mon Feb 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.1
+- Remove mistakenly added R: nss-pem
+
+* Fri Feb 10 2017 Daiki Ueno <dueno@redhat.com> - 3.28.2-1.0
+- Rebase to NSS 3.28.2
+- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which
+ is no-op now
+- Enable gtests when requested
+- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are
+ not necessary
+- Remove sslauth-no-v2.patch and
+ nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is
+ already disabled in upstream
+- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
+ key size greater than 1023 bits
+- Remove local patches for SHA384 cipher suites (now supported in
+ upstream): dhe-sha384-dss-support.patch,
+ client_auth_for_sha384_prf_support.patch,
+ nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch,
+ nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch,
+ fix-allowed-sig-alg.patch, tests-extra.patch
+- Remove upstreamed patches: rh1238290.patch,
+ fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
+ call-restartmodules-in-nssinit.patch
+
+* Wed Oct 26 2016 Daiki Ueno <dueno@redhat.com> - 3.21.3-1
+- Rebase to NSS 3.21.3
+- Resolves: #1383887
+
+* Thu Jun 30 2016 Kai Engert <kaie@redhat.com> - 3.21.0-17
+- remove additional false duplicates from sha384 downstream patches
+
+* Tue Jun 28 2016 Kai Engert <kaie@redhat.com> - 3.21.0-16
+- enable ssl_gtests (without extended master secret tests), Bug 1298692
+- call SECMOD_RestartModules in nss_Init, Bug 1317691
+
+* Fri Jun 17 2016 Kai Engert <kaie@redhat.com> - 3.21.0-15
+- escape all percent characters in all changelog comments
+
+* Fri Jun 17 2016 Kai Engert <kaie@redhat.com> - 3.21.0-14
+- Support TLS 1.2 certificate_verify hashes other than PRF,
+ backported fix from NSS 3.25 (upstream bug 1179338).
+
+* Mon May 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-13
+- Fix reuse of session cache entry
+- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls
+
+* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-12
+- Fix a flaw in %%check for nss not building on arm
+- Resolves: Bug 1200856
+
+* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-11
+- Cleanup: Remove unnecessary %%posttrans script from nss.spec
+- Resolves: Bug 1174201
+
+* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-10
+- Merge fixes from the rhel-7.2 branch
+- Fix a bogus %%changelog entry
+- Resolves: Bug 1297941
+
+* Fri Apr 15 2016 Kai Engert <kaie@redhat.com> - 3.21.0-9
+- Rebuild to require the latest nss-util build and nss-softokn build.
+
+* Mon Apr 11 2016 Kai Engert <kaie@redhat.com> - 3.21.0-8
+- Update the minimum nss-softokn build required at runtime.
+
+* Mon Apr 04 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-7
+- Delete duplicates from one table
+
+* Tue Mar 29 2016 Kai Engert <kaie@redhat.com> - 3.21.0-6
+- Fix missing support for sha384/dsa in certificate_request
+
+* Wed Mar 23 2016 Kai Engert <kaie@redhat.com> - 3.21.0-5
+- Merge fixes from the rhel-7.2 branch
+- Fix the SigAlgs sent in certificate_request
+- Ensure all ssl.sh tests are executed
+- Update sslauth test patch to run additional tests
+
+* Fri Feb 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-2
+- Fix sha384 support and testing patches
+
+* Wed Feb 17 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1
+- Rebase to NSS-3.21
+
+* Tue Dec 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-19
+- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
+- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures
+- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch
+- Resolves: Bug 1289884
+
+* Wed Oct 21 2015 Kai Engert <kaie@redhat.com> - 3.19.1-18
+- Rebuild against updated NSPR
+
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-17
+- Change the required_softokn_build_version back to -13
+- Ensure we use nss-softokn-3.16.2.3-13.el7_1
+
+* Thu Sep 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-16
+- Fix check for public key size of DSA certificates
+- Use size of prime P not the size of dsa.publicValue
+
+* Mon Aug 31 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-15
+- Reorder the cipher suites and enable two more by default
+
+* Sun Aug 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-14
+- Update the required_softokn_build_version to -14
+- Add references to bugs filed upstream for new patches
+- Merge ocsp stapling and sslauth sni tests patches into one
+
+* Sat Aug 29 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-13
+- Reorder the cipher suites and enable two more by default
+- Fix some of the ssauth sni and ocsp stapling tests
+
+* Thu Aug 27 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-12
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+- Enable ECDSA cipher suites by default, a subset of the ones requested
+
+* Wed Aug 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-11
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+
+* Mon Aug 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-10
+- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384
+
+* Mon Aug 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-9
+- Fix checks to skip ssl2/export cipher suites tests to not skip needed tests
+- Fix libssl ssl2/export disabling patch to handle NULL cipher cases
+- Enable additional cipher suites by default
+
+* Thu Jul 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-8
+- Add links to filed upstream bugs to better track patches in spec file
+
+* Tue Jul 07 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-7
+- Package listsuites as part of the unsupported tools
+
+* Thu Jul 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-6
+- Bump the release tag
+
+* Mon Jun 29 2015 Kai Engert <kaie@redhat.com> - 3.19.1-5
+- Incremental patches to fix SSL/TLS test suite execution,
+ fix the earlier SHA384 patch, and inform clients to use SHA384 with
+ certificate_verify if required by NSS.
+
+* Thu Jun 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-4
+- Add support for sha384 tls cipher suites
+- Add support for server-side hde key exchange
+- Add support for DSS+SHA256 ciphersuites
+
+* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-3
+- Reenable a patch that had been mistakenly disabled
+
+* Wed Jun 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
+- Build against nss-softokn-3.16.2.3-9
+
+* Fri Jun 05 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
+- Rebase to nss-3.19.1
+- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
+
+* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-6
+- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2
+
+* Thu Apr 23 2015 Kai Engert <kaie@redhat.com> - 3.18.0-5
+- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+
+* Fri Apr 17 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-4
+- Update and reeneable nss-646045.patch on account of the rebase
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Tue Apr 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-3
+- Fix shell syntax error on nss/tests/all.sh
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Fri Apr 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
+- Replace expired PayPal test certificate that breaks the build
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Mar 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Jan 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-5
+- Reverse the sense of a test in patch to fix pk12util segfault
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
+* Thu Jan 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-4
+- Fix race condition
+- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate
+- under the replication replay failure condition
+
+* Wed Jan 07 2015 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-3
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
+* Tue Nov 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2.3-2
+- Restore patch for certutil man page
+- supply missing options descriptions
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+
+* Thu Nov 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-10
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+- Support TLS_FALLBACK_SCSV in tstclnt and ssltap
+
+* Mon Sep 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-9
+- Resolves: Bug 1145434 - CVE-2014-1568
+- Using a release number higher than on rhel-7.0 branch
+
+* Mon Aug 11 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-4
+- Fix crash in stan_GetCERTCertificate
+- Resolves: Bug 1094468
+
+* Tue Aug 05 2014 Elio Maldonado <pbrobinson@redhat.com> 3.16.2-3
+- Generic 32/64 bit platform detection (fix ppc64le build)
+- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies)
+- Fix contributed by Peter Robinson <pbrobinson@redhat.com>
+
+* Fri Aug 01 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
+- Fix libssl and test patches that disable ssl2 support
+- Resolves: Bug 1123435
+- Replace expired PayPal test certificate with current one
+
+* Tue Jul 08 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
+- Rebase to nss-3.16.2
+- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31)
+- Fix test failure detection in the %%check section
+- Move removal of unwanted source directories to the end of the %%prep section
+- Update various patches on account of the rebase
+- Remove unused patches rendered obsolete by the rebase
+
+* Mon Mar 03 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-6
+- Disallow disabling the internal module
+- Resolves: Bug 1056036 - nss segfaults with opencryptoki module
+
+* Thu Feb 20 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-5
+- Pick up a fix from rhel-6 and fix an rpm conflict
+- Don't hold issuer cert handles in crl cache
+- Resolves: Bug 1034409 - deadlock in trust domain and object lock
+- Move nss shared db files to the main package
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Mon Jan 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-4
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem module fixes verified on RHEL and applied upstream
+- Remove no loger needed pem patches on acccount on this update
+- Add comments documenting the iquote.patch
+- Resolves: Bug 1054457 - CVE-2013-1740
+
+* Sun Jan 26 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
+- Remove spurious man5 wildcard entry as all manpages are listed by name
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.15.4-2
+- Mass rebuild 2014-01-24
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-9
+- Rebase to nss-3.15.4
+- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
+- Remove no longer needed patches for manpages that were applied upstream
+- Remove no longer needed patch to disable ocsp stapling tests
+- Update iquote.patch on account of upstream changes
+- Update and rename patch to pem/rsawrapr.c on account of upstream changes
+- Use the pristine upstream sources for nss without repackaging
+- Avoid unneeded manual step which may introduce errors
+
+* Sun Jan 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-8
+- Fix the spec file to apply the nss ecc list patch for bug 752980
+- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-7
+- Move several nss-sysinit manpages tar archives to the %%files
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-6
+- Fix a coverity scan compile time warning for the pem module
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Wed Jan 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-5
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Thu Jan 09 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-4
+- Improve pluggable ECC support for ECDSA
+- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.15.3-3
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
+- Revoke trust in one mis-issued anssi certificate
+- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0]
+
+* Mon Nov 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
+
+* Wed Nov 13 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-10
+- Fix path to script and remove -- from some options in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws
+
+* Tue Nov 12 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-9
+- Fix certutil man page options names to be consistent with help
+- Resolves: rhbz#948495 - man page scan results for nss
+- Remove incorrect count argument in status description in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions
+
+* Wed Nov 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-8
+- Fix patch for disabling ssl2 in ssl to correctly set error code
+- Fix syntax error reported in the build.log even tough it succeeds
+- Add patch top ignore setpolicy result
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails
+
+* Sun Nov 03 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-7
+- Fix bash syntax error in patch for disabling ssl2 tests
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Sat Nov 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-6
+- Fix errors in ssl disabling patches for both library and tests
+- Add s390x to the multilib_arches definition used for alt_ckbi
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Thu Oct 31 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-5
+- Fix errors in nss-sysinit manpage options descriptions
+- Resolves: rhbz#982723
+
+* Tue Oct 29 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-4
+- Enable fips when system is in fips mode
+- Resolves: rhbz#852023 - FIPS mode detection does not work
+
+* Tue Oct 29 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
+- Remove unused and obsoleted patches
+- Related: rhbz#1012656
+
+* Mon Oct 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
+- Add description of the certutil's --email option to it's manpage
+- Resolves: rhbz#Bug 948495 - Man page scan results for nss
+
+* Mon Oct 21 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-1
+- Rebase to nss-3.15.2
+- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL
+
+* Fri Oct 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-4
+- Install symlink to nss-sysinit.sh without the .sh suffix
+- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script
+
+* Tue Oct 08 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Tue Aug 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+- Add upstream bug URL for a patch subitted upstream and remove obsolete script
+
+* Wed Jul 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+- Update to NSS_3_15_1_RTM
+- Apply various fixes to the man pages and add new ones
+- Enable the iquote.patch to access newly introduced types
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Add missing option descriptions for {cert|cms|crl}util
+- Resolves: rhbz#948495 - Man page scan results for nss
+- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-6
+- Use the unstripped source tar ball
+
+* Wed Jun 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona <emaldona@redhat.com> - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona <emaldona@redhat.com> - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13.0
+- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch
+
+* Fri Apr 19 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12.0
+- Add upstream patch to fix rhbz#872761
+
+* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-11
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert <kaie@redhat.com> - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert <kaie@redhat.com> - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway <spot@fedoraproject.org> - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 05 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz <emaldona@redhat.com> - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert <kaie@redhat.com> - 3.12.11-2
+- Update builtins certs to those from NSSCKBI_1_87_RTM
+
+* Tue Aug 09 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-1
+- Update to NSS_3_12_11_RTM
+
+* Sat Jul 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-6
+- Indicate the provenance of stripped source tarball (#688015)
+
+* Mon Jun 27 2011 Michael Schwendt <mschwendt@fedoraproject.org> - 3.12.10-5
+- Provide virtual -static package to meet guidelines (#609612).
+
+* Fri Jun 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-4
+- Enable pluggable ecc support (#712556)
+- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045)
+
+* Fri May 20 2011 Dennis Gilmore <dennis@ausil.us> - 3.12.10-3
+- make the testsuite non fatal on arm arches
+
+* Tue May 17 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703656)
+
+* Fri May 06 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
+- Update to NSS_3_12_10_RTM
+
+* Wed Apr 27 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-0.1.beta1
+- Update to NSS_3_12_10_BETA1
+
+* Mon Apr 11 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-15
+- Implement PEM logging using NSPR's own (#695011)
+
+* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-14
+- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
+
+* Thu Feb 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-13
+- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
+
+* Fri Feb 18 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-12
+- Add a missing requires for pkcs11-devel (#675196)
+
+* Tue Feb 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-11
+- Run the test suites in the check section (#677809)
+
+* Thu Feb 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-10
+- Fix cms headers to not use c++ reserved words (#676036)
+- Reenabling Bug 499444 patches
+- Fix to swap internal key slot on fips mode switches
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-9
+- Revert patches for 499444 until all c++ reserved words are found and extirpated
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-7
+- Fix cms header to not use c++ reserved word (#676036)
+- Reenable patches for bug 499444
+
+* Tue Feb 08 2011 Christopher Aillon <caillon@redhat.com> - 3.12.9-6
+- Revert patches for 499444 as they use a C++ reserved word and
+ cause compilation of Firefox to fail
+
+* Fri Feb 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-5
+- Fix the earlier infinite recursion patch (#499444)
+- Remove a header that now nss-softokn-freebl-devel ships
+
+* Tue Feb 01 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-4
+- Fix infinite recursion when encoding NSS enveloped/digested data (#499444)
+
+* Mon Jan 31 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-3
+- Update the cacert trust patch per upstream review requests (#633043)
+
+* Wed Jan 19 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
+* Wed Jan 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-1
+- Update to 3.12.9
+
+* Mon Dec 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.9-0.1.beta2
+- Rebuilt according to fedora pre-release package naming guidelines
+
+* Fri Dec 10 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.2-1
+- Update to NSS_3_12_9_BETA2
+- Fix libpnsspem crash when cacert dir contains other directories (#642433)
+
+* Wed Dec 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.1-1
+- Update to NSS_3_12_9_BETA1
+
+* Thu Nov 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-9
+- Update pem source tar with fixes for 614532 and 596674
+- Remove no longer needed patches
+
+* Fri Nov 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-8
+- Update PayPalEE.cert test certificate which had expired
+
+* Sun Oct 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-7
+- Tell rpm not to verify md5, size, and modtime of configurations file
+
+* Mon Oct 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
+* Wed Oct 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-5
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-4
+- Fix invalid %%postun scriptlet (#639248)
+
+* Wed Sep 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Mon Sep 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
+- Add posttrans scriptlet (#636787)
+
+* Thu Sep 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
+- Update to 3.12.8
+- Prevent disabling of nss-sysinit on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
+- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sat Sep 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.4-1
+- NSS 3.12.8 RC0
+
+* Sun Sep 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-2
+- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3
+
+* Sat Sep 04 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-1
+- NSS 3.12.8 Beta3
+- Fix unclosed comment in renegotiate-transitional.patch
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-3
+- Change BuildRequries to available version of nss-util-devel
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-2
+- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
+- Add comments regarding an unversioned provides which triggers rpmlint warning
+- Build requires nss-softokn-devel >= 3.12.7
+
+* Mon Aug 16 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
+- Update to 3.12.7
+
+* Sat Aug 14 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-12
+- Apply the patches to fix rhbz#614532
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-11
+- Removed pem sourecs as they are in the cache
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-10
+- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
+
+* Sat Jul 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-9
+- Fix nsssysinit to return userdb ahead of systemdb (#603313)
+
+* Tue Jun 08 2010 Dennis Gilmore <dennis@ausil.us> - 3.12.6-8
+- Require and BuildRequire >= the listed version not =
+
+* Tue Jun 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-7
+- Require nss-softoken 3.12.6
+
+* Sun Jun 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-6
+- Fix SIGSEGV within CreateObject (#596674)
+
+* Mon Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
+- Update pem source tar to pick up the following bug fixes:
+- PEM - Allow collect objects to search through all objects
+- PEM - Make CopyObject return a new shallow copy
+- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-4
+- Update the test cert in the setup phase
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-3
+- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
+- Update PayPalEE test cert with unexpired one (#580207)
+
+* Thu Mar 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
+- Fix ns.spec to not require nss-softokn (#575001)
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.2
+- rebuilt with all tests enabled
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.1
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
+- Disabling ssl tests suites until bug 539183 is resolved
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
+- Update to 3.12.6
+- Reactivate all tests
+- Patch tools to validate command line options arguments
+
+* Mon Jan 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-8
+- Fix curl related regression and general patch code clean up
+
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-5
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-1.1
+- Fix SIGSEGV on call of NSS_Initialize (#553638)
+
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.2
+- New version of patch to allow root to modify ystem database (#547860)
+
+* Thu Dec 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.1
+- Temporarily disabling the ssl tests
+
+* Sat Dec 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
+* Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for rhbz #546211
+
+* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.9
+- Remove left over trace statements from nsssysinit patching
+
+* Fri Dec 18 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.7
+- Fix a misconstructed patch
+
+* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.6
+- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221)
+- Fix spec so sysinit requires coreutils for post install scriplet (#547067)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+
+* Thu Dec 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.5
+- Fix nsssysinit to set the default flags on the crypto module (#545779)
+- Remove redundant header from the pem module
+
+* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Remove unneeded patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Retagging to include missing patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1
+- Update to 3.12.5
+- Patch to allow ssl/tls clients to interoperate with servers that require renogiation
+
+* Fri Nov 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14.1
+- Retagging
+
+* Tue Oct 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13.1
+- Require nss-softoken of same architecture as nss (#527867)
+- Merge setup-nsssysinit.sh improvements from F-12 (#527051)
+
+* Sat Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
+- User no longer prompted for a password when listing keys an empty system db (#527048)
+- Fix setup-nsssysinit to handle more general formats (#527051)
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-12
+- Fix syntax error in setup-nsssysinit.sh
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-11
+- Fix sysinit to be under mozilla/security/nss/lib
+
+* Sat Sep 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-10
+- Add nss-sysinit activation/deactivation script
+
+* Fri Sep 18 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-9
+- Install blank databases and configuration file for system shared database
+- nsssysinit queries system for fips mode before relying on environment variable
+
+* Thu Sep 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-8
+- Restoring nssutil and -rpath-link to nss-config for now - 522477
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-7
+- Add the nss-sysinit subpackage
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-6
+- Installing shared libraries to %%{_libdir}
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-5
+- Retagging to pick up new sources
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-4
+- Update pem enabling source tar with latest fixes (509705, 51209)
+
+* Sun Sep 06 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-3
+- PEM module implements memory management for internal objects - 509705
+- PEM module doesn't crash when processing malformed key files - 512019
+
+* Sat Sep 05 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-2
+- Remove symbolic links to shared libraries from devel - 521155
+- No rpath-link in nss-softokn-config
+
+* Tue Sep 01 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-1
+- Update to 3.12.4
+
+* Mon Aug 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-30
+- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766
+- Fixed requires and buildrequires as per recommendations in spec file review
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-29
+- Restoring patches 2 and 7 as we still compile all sources
+- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-28
+- restore require sqlite
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-27
+- Don't require sqlite for nss
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-26
+- Ensure versions in the requires match those used when creating nss.pc
+
+* Fri Aug 28 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-25
+- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn
+- Add a temprary hack to nss.pc.in to unblock builds
+
+* Fri Aug 28 2009 Warren Togami <wtogami@redhat.com> - 3.12.3.99.3-24
+- caolan's nss.pc patch
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-23
+- Bump the release number for a chained build of nss-util, nss-softokn and nss
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-22
+- Fix nss-config not to include nssutil
+- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-21
+- disabling all tests while we investigate a buffer overflow bug
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-20
+- disabling some tests while we investigate a buffer overflow bug - 519766
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-19
+- remove patches that are now in nss-softokn and
+- remove spurious exec-permissions for nss.pc per rpmlint
+- single requires line in nss.pc.in
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-18
+- Fix BuildRequires: nss-softokn-devel release number
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com - 3.12.3.99.3-17
+- fix nss.pc.in to have one single requires line
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-16
+- cleanups for softokn
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-15
+- remove the softokn subpackages
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-14
+- don install the nss-util pkgconfig bits
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-13
+- remove from -devel the 3 headers that ship in nss-util-devel
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-12
+- kill off the nss-util nss-util-devel subpackages
+
+* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11
+- split off nss-softokn and nss-util as subpackages with their own rpms
+- first phase of splitting nss-softokn and nss-util as their own packages
+
+* Thu Aug 20 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-10
+- must install libnssutil3.since nss-util is untagged at the moment
+- preserve time stamps when installing various files
+
+* Thu Aug 20 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-9
+- dont install libnssutil3.so since its now in nss-util
+
+* Thu Aug 06 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-7.1
+- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.3.99.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-6
+- removed two patch files which are no longer needed and fixed previous change log number
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-5
+- updated pem module incorporates various patches
+- fix off-by-one error when computing size to reduce memory leak. (483855)
+- fix data type to work on x86_64 systems. (429175)
+- fix various memory leaks and free internal objects on module unload. (501080)
+- fix to not clone internal objects in collect_objects(). (501118)
+- fix to not bypass initialization if module arguments are omitted. (501058)
+- fix numerous gcc warnings. (500815)
+- fix to support arbitrarily long password while loading a private key. (500180)
+- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
+* Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
+- add patch for bug 502133 upstream bug 496997
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-3
+- rebuild with higher release number for upgrade sanity
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-2
+- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75
+* Thu May 07 2009 Kai Engert <kaie@redhat.com> - 3.12.3-7
+- re-enable test suite
+- add patch for upstream bug 488646 and add newer paypal
+ certs in order to make the test suite pass
+* Wed May 06 2009 Kai Engert <kaie@redhat.com> - 3.12.3-4
+- add conflicts info in order to fix bug 499436
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-3
+- ship .chk files instead of running shlibsign at install time
+- include .chk file in softokn-freebl subpackage
+- add patch for upstream nss bug 488350
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2
+- Update to NSS 3.12.3
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-7
+- temporarily disable the test suite because of bug 494266
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-6
+- fix softokn-freebl dependency for multilib (bug 494122)
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-5
+- introduce separate nss-softokn-freebl package
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-4
+- disable execstack when building freebl
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-3
+- add upstream patch to fix bug 483855
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-2
+- build nspr-less freebl library
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-1
+- Update to NSS_3_12_3_BETA4
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Oct 22 2008 Kai Engert <kaie@redhat.com> - 3.12.2.0-3
+- update to NSS_3_12_2_RC1
+- use system zlib
+* Tue Sep 30 2008 Dennis Gilmore <dennis@ausil.us> - 3.12.1.1-4
+- add sparc64 to the list of 64 bit arches
+
+* Wed Sep 24 2008 Kai Engert <kaie@redhat.com> - 3.12.1.1-3
+- bug 456847, move pkgconfig requirement to devel package
+* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-2
+- Update to NSS_3_12_1_RC2
+* Fri Aug 22 2008 Kai Engert <kaie@redhat.com> - 3.12.1.0-2
+- NSS 3.12.1 RC1
+* Fri Aug 15 2008 Kai Engert <kaie@redhat.com> - 3.12.0.3-7
+- fix bug bug 429175 in libpem module
+* Tue Aug 05 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-6
+- bug 456847, add Requires: pkgconfig
+* Tue Jun 24 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-3
+- nss package should own /etc/prelink.conf.d folder, rhbz#452062
+- use upstream patch to fix test suite abort
+* Mon Jun 02 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-2
+- Update to NSS_3_12_RC4
+* Mon Apr 14 2008 Kai Engert <kengert@redhat.com> - 3.12.0.1-1
+- Update to NSS_3_12_RC2
+* Thu Mar 20 2008 Jesse Keating <jkeating@redhat.com> - 3.11.99.5-2
+- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache.
+* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-1
+- Update to NSS_3_12_BETA3
+* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> - 3.11.99.4-1
+- NSS 3.12 Beta 2
+- Use /usr/lib{64} as devel libdir, create symbolic links.
+* Sat Feb 16 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-6
+- Apply upstream patch for bug 417664, enable test suite on pcc.
+* Fri Feb 15 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-5
+- Support concurrent runs of the test suite on a single build host.
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-4
+- disable test suite on ppc
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-3
+- disable test suite on ppc64
+
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-2
+- Build against gcc 4.3.0, use workaround for bug 432146
+- Run the test suite after the build and abort on failures.
+
+* Thu Jan 24 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-1
+* NSS 3.12 Beta 1
+
+* Mon Jan 07 2008 Kai Engert <kengert@redhat.com> - 3.11.99.2b-3
+- move .so files to /lib
+
+* Wed Dec 12 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2b-2
+- NSS 3.12 alpha 2b
+
+* Mon Dec 03 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-2
+- upstream patches to avoid calling netstat for random data
+
+* Wed Nov 07 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-1
+- NSS 3.12 alpha 2
+
+* Wed Oct 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-10
+- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist
+ our signed libraries and protect them from modification.
+
+* Thu Sep 06 2007 Rob Crittenden <rcritten@redhat.com> - 3.11.7-9
+- Fix off-by-one error in the PEM module
+
+* Thu Sep 06 2007 Kai Engert <kengert@redhat.com> - 3.11.7-8
+- fix a C++ mode compilation error
+
+* Wed Sep 05 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.7-7
+- Add 3.12 ckfw and libnsspem
+
+* Tue Aug 28 2007 Kai Engert <kengert@redhat.com> - 3.11.7-6
+- Updated license tag
+
+* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-5
+- Ensure the workaround for mozilla bug 51429 really get's built.
+
+* Mon Jun 18 2007 Kai Engert <kengert@redhat.com> - 3.11.7-4
+- Better approach to ship freebl/softokn based on 3.11.5
+- Remove link time dependency on softokn
+
+* Sun Jun 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-3
+- Fix unowned directories, rhbz#233890
+
+* Fri Jun 01 2007 Kai Engert <kengert@redhat.com> - 3.11.7-2
+- Update to 3.11.7, but freebl/softokn remain at 3.11.5.
+- Use a workaround to avoid mozilla bug 51429.
+
+* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
+- Fix rhbz#230545, failure to enable FIPS mode
+- Fix rhbz#220542, make NSS more tolerant of resets when in the
+ middle of prompting for a user password.
+
+* Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
+- Update to 3.11.5
+- This update fixes two security vulnerabilities with SSL 2
+- Do not use -rpath link option
+- Added several unsupported tools to tools package
+
+* Tue Jan 9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
+- disable ECC, cleanout dead code
+
+* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
+- Update to 3.11.4
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
+- Revert the attempt to require latest NSPR, as it is not yet available
+ in the build infrastructure.
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
+- Update to 3.11.3
+
+* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
+- Add /etc/pki/nssdb
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
+- rebuild
+
+* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
+- Update to 3.11.2
+- Enable executable bit on shared libs, also fixes debug info.
+
+* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
+- Enable Elliptic Curve Cryptography (ECC)
+
+* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
+- Update to 3.11.1
+- Include upstream patch to limit curves
+
+* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
+- add --noexecstack when compiling assembler on x86_64
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
+- rebuild
+
+* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
+- Update file list for the devel packages
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
+- Update to 3.11
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
+- Add patch to allow building on ppc*
+- Update the pkgconfig file to Require nspr
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
+- Initial import into Fedora Core, based on a CVS snapshot of
+ the NSS_3_11_RTM tag
+- Fix up the pkcs11-devel subpackage to contain the proper headers
+- Build with RPM_OPT_FLAGS
+- No need to have rpath of /usr/lib in the pc file
+
+* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
+- Adressed review comments by Wan-Teh Chang, Bob Relyea,
+ Christopher Aillon.
+
+* Sat Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
+- Initial build