diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8cd8873
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,16 @@
+SOURCES/PayPalEE.cert
+SOURCES/PayPalICA.cert
+SOURCES/TestOldCA.p12
+SOURCES/blank-cert8.db
+SOURCES/blank-cert9.db
+SOURCES/blank-key3.db
+SOURCES/blank-key4.db
+SOURCES/blank-secmod.db
+SOURCES/cert8.db.xml
+SOURCES/cert9.db.xml
+SOURCES/key3.db.xml
+SOURCES/key4.db.xml
+SOURCES/nss-3.44.tar.gz
+SOURCES/nss-config.xml
+SOURCES/secmod.db.xml
+SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
new file mode 100644
index 0000000..829bbd4
--- /dev/null
+++ b/.nss.metadata
@@ -0,0 +1,16 @@
+e8207a278cbed4d97f443289e76b13ddce5850f6 SOURCES/PayPalEE.cert
+7e2f3a4f8fe8fa8a5730aeca029696637e986f3f SOURCES/PayPalICA.cert
+706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12
+d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
+b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
+7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
+f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
+bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
+6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml
+7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
+24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
+af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
+44a83b1bf4efd27605177ecdbf217e579ae8c8ae SOURCES/nss-3.44.tar.gz
+2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
+ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
+bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
new file mode 100644
index 0000000..99a0919
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -0,0 +1,28 @@
+diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk
+--- nss/lib/ssl/config.mk.disableSSL2libssl 2019-03-28 10:36:01.859196244 +0100
++++ nss/lib/ssl/config.mk 2019-03-28 10:36:53.250120885 +0100
+@@ -61,6 +61,10 @@ ifdef NSS_DISABLE_TLS_1_3
+ DEFINES += -DNSS_DISABLE_TLS_1_3
+ endif
+
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+ ifeq (,$(filter-out DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
+ CFLAGS += -std=gnu99
+ endif
+diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2019-03-28 10:36:01.849196454 +0100
++++ nss/lib/ssl/sslsock.c 2019-03-28 10:36:01.860196223 +0100
+@@ -1363,6 +1363,10 @@ SSLExp_SetMaxEarlyDataSize(PRFileDesc *f
+ static PRBool
+ ssl_IsRemovedCipherSuite(PRInt32 suite)
+ {
++#ifdef NSS_NO_SSL2
++ if (SSL_IS_SSL2_CIPHER(suite))
++ return PR_TRUE;
++#endif /* NSS_NO_SSL2 */
+ switch (suite) {
+ case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
+ case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
new file mode 100644
index 0000000..093bb54
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -0,0 +1,66 @@
+diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh
+--- nss/tests/ssl/ssl.sh.disableSSL2tests 2019-03-16 01:25:08.000000000 +0100
++++ nss/tests/ssl/ssl.sh 2019-03-28 10:39:14.254180729 +0100
+@@ -68,9 +68,14 @@ ssl_init()
+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
+
+ # Test case files
+- SSLCOV=${QADIR}/ssl/sslcov.txt
++ if [ "${NSS_NO_SSL2}" = "1" ]; then
++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
++ else
++ SSLCOV=${QADIR}/ssl/sslcov.txt
++ SSLSTRESS=${QADIR}/ssl/sslstress.txt
++ fi
+ SSLAUTH=${QADIR}/ssl/sslauth.txt
+- SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ SSLPOLICY=${QADIR}/ssl/sslpolicy.txt
+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat
+
+@@ -128,7 +133,11 @@ is_selfserv_alive()
+ fi
+
+ echo "kill -0 ${PID} >/dev/null 2>/dev/null"
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ echo "No server to kill"
++ else
+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
++ fi
+
+ echo "selfserv with PID ${PID} found at `date`"
+ }
+@@ -152,7 +161,11 @@ wait_for_selfserv()
+ ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
+ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}
+ if [ $? -ne 0 ]; then
++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then
++ html_passed "Server never started"
++ else
+ html_failed "Waiting for Server"
++ fi
+ fi
+ fi
+ is_selfserv_alive
+@@ -278,7 +291,7 @@ ssl_cov()
+ start_selfserv $CIPHER_SUITES # Launch the server
+
+ VMIN="ssl3"
+- VMAX="tls1.1"
++ VMAX="tls1.2"
+
+ ignore_blank_lines ${SSLCOV} | \
+ while read ectype testmax param testname
+@@ -286,6 +299,12 @@ ssl_cov()
+ echo "${testname}" | grep "EXPORT" > /dev/null
+ EXP=$?
+
++ # skip export tests
++ if [ ${EXP} -eq 0 ]; then
++ echo "export test skipped"
++ continue
++ fi
++
+ # RSA-PSS tests are handled in a separate function
+ case $testname in
+ *RSA-PSS)
diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert
new file mode 100644
index 0000000..dae0196
Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ
diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert
new file mode 100644
index 0000000..929b793
Binary files /dev/null and b/SOURCES/TestCA.ca.cert differ
diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert
new file mode 100644
index 0000000..ed71727
Binary files /dev/null and b/SOURCES/TestUser50.cert differ
diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert
new file mode 100644
index 0000000..1b45db2
Binary files /dev/null and b/SOURCES/TestUser51.cert differ
diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch
new file mode 100644
index 0000000..7ab9db1
--- /dev/null
+++ b/SOURCES/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
new file mode 100644
index 0000000..00facbf
--- /dev/null
+++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/ssl/sslsock.c.1171318 ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.1171318 2016-02-04 10:57:08.489310227 -0800
++++ ./lib/ssl/sslsock.c 2016-02-04 11:02:59.290818001 -0800
+@@ -92,7 +92,7 @@ static sslOptions ssl_defaults = {
+ * default range of enabled SSL/TLS protocols
+ */
+ static SSLVersionRange versions_defaults_stream = {
+- SSL_LIBRARY_VERSION_TLS_1_0,
++ SSL_LIBRARY_VERSION_3_0,
+ SSL_LIBRARY_VERSION_TLS_1_2
+ };
+
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
new file mode 100644
index 0000000..4908c00
--- /dev/null
+++ b/SOURCES/iquote.patch
@@ -0,0 +1,228 @@
+diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
+--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
+--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
+--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
+--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile
+--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200
++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
+--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
+--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
+--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
+--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
+--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+
+ #include ../platlibs.mk
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
+--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200
+@@ -45,6 +45,10 @@ endif
+
+ ifdef NSS_INCLUDE_DIR
+ INCLUDES += -I$(NSS_INCLUDE_DIR)
++ ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss
++ INCLUDES += -iquote $(DIST)/../private/nss
++ endif
+ endif
+
+ ifndef NSS_LIB_DIR
+diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
+--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200
+@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
+--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
+--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
+--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
+--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile
+--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200
++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200
+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
++INCLUDES += -iquote $(DIST)/../private/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
+--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200
++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200
+@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../public/nss
+
+
+ #######################################################################
diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
new file mode 100644
index 0000000..3347ee9
--- /dev/null
+++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
new file mode 100644
index 0000000..f5db089
--- /dev/null
+++ b/SOURCES/nss-539183.patch
@@ -0,0 +1,44 @@
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200
+@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200
++++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200
+@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
diff --git a/SOURCES/nss-add-ipsec-usage-to-manpage.patch b/SOURCES/nss-add-ipsec-usage-to-manpage.patch
new file mode 100644
index 0000000..cedd6a3
--- /dev/null
+++ b/SOURCES/nss-add-ipsec-usage-to-manpage.patch
@@ -0,0 +1,13 @@
+diff -up ./nss/doc/certutil.xml.add_ipsec_usage ./nss/doc/certutil.xml
+--- ./nss/doc/certutil.xml.add_ipsec_usage 2019-06-05 09:40:37.848895763 -0700
++++ ./nss/doc/certutil.xml 2019-06-05 09:40:47.079891058 -0700
+@@ -428,6 +428,9 @@ of the attribute codes:
+
+ J (as an object signer)
+
++
++I (as an IPSEC user)
++
+
+
+
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch
new file mode 100644
index 0000000..92a7472
--- /dev/null
+++ b/SOURCES/nss-disable-cipher-suites.patch
@@ -0,0 +1,27 @@
+diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2019-03-21 14:24:14.660150519 +0100
++++ nss/lib/ssl/ssl3con.c 2019-03-21 14:25:12.997929443 +0100
+@@ -96,7 +96,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+@@ -105,7 +108,10 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default.
++ * The GCM variant is preferred for new applications.
++ */
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
diff --git a/SOURCES/nss-disable-pkcs1-sigalgs-tls13.patch b/SOURCES/nss-disable-pkcs1-sigalgs-tls13.patch
new file mode 100644
index 0000000..1b57e75
--- /dev/null
+++ b/SOURCES/nss-disable-pkcs1-sigalgs-tls13.patch
@@ -0,0 +1,202 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1559031046 -7200
+# Tue May 28 10:10:46 2019 +0200
+# Node ID 0a4e8b72a92e144663c2f35d3836f7828cfc97f2
+# Parent 370a9e85f216f5f4ff277995a997c5c9b23a819f
+Bug 1552208, prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3, r=mt
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Subscribers: mt, jcj, ueno, rrelyea, HubertKario, KevinJacobs
+
+Tags: #secure-revision, #bmo-crypto-core-security
+
+Bug #: 1552208
+
+Differential Revision: https://phabricator.services.mozilla.com/D32454
+
+diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
++++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
+@@ -701,6 +701,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
+ ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
+ }
+
++TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
++ static const SSLSignatureScheme kSignatureScheme[] = {
++ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
++
++ Reset(TlsAgent::kServerRsa, "rsa");
++ client_->SetSignatureSchemes(kSignatureScheme,
++ PR_ARRAY_SIZE(kSignatureScheme));
++ server_->SetSignatureSchemes(kSignatureScheme,
++ PR_ARRAY_SIZE(kSignatureScheme));
++ client_->SetupClientAuth();
++ server_->RequestClientAuth(true);
++
++ auto capture_cert_verify = MakeTlsFilter(
++ client_, kTlsHandshakeCertificateVerify);
++ capture_cert_verify->EnableDecryption();
++
++ Connect();
++ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
++ 1024);
++}
++
++TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
++ static const SSLSignatureScheme kSignatureScheme[] = {
++ ssl_sig_rsa_pkcs1_sha256};
++
++ Reset(TlsAgent::kServerRsa, "rsa");
++ client_->SetSignatureSchemes(kSignatureScheme,
++ PR_ARRAY_SIZE(kSignatureScheme));
++ server_->SetSignatureSchemes(kSignatureScheme,
++ PR_ARRAY_SIZE(kSignatureScheme));
++ client_->SetupClientAuth();
++ server_->RequestClientAuth(true);
++
++ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
++ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
++ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
++}
++
+ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
+ public:
+ TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr& a)
+@@ -933,7 +971,7 @@ TEST_P(TlsConnectTls13, InconsistentSign
+ client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+ }
+
+-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
++TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
+ server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
+ PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
+ server_->RequestClientAuth(false);
+@@ -1395,12 +1433,21 @@ TEST_P(TlsSignatureSchemeConfiguration,
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(
+- TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
+ ::testing::Values(TlsAgent::kServerRsaSign),
+ ::testing::Values(ssl_auth_rsa_sign),
+ ::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
+ ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
+ ssl_sig_rsa_pss_rsae_sha384)));
++// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
++INSTANTIATE_TEST_CASE_P(
++ SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
++ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
++ TlsConnectTestBase::kTlsV13,
++ ::testing::Values(TlsAgent::kServerRsaSign),
++ ::testing::Values(ssl_auth_rsa_sign),
++ ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
++ ssl_sig_rsa_pss_rsae_sha384)));
+ // PSS with SHA-512 needs a bigger key to work.
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
+diff --git a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
++++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+@@ -68,12 +68,6 @@ class TlsCipherSuiteTestBase : public Tl
+ virtual void SetupCertificate() {
+ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ switch (sig_scheme_) {
+- case ssl_sig_rsa_pkcs1_sha256:
+- case ssl_sig_rsa_pkcs1_sha384:
+- case ssl_sig_rsa_pkcs1_sha512:
+- Reset(TlsAgent::kServerRsaSign);
+- auth_type_ = ssl_auth_rsa_sign;
+- break;
+ case ssl_sig_rsa_pss_rsae_sha256:
+ case ssl_sig_rsa_pss_rsae_sha384:
+ Reset(TlsAgent::kServerRsaSign);
+@@ -330,6 +324,12 @@ static SSLSignatureScheme kSignatureSche
+ ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384,
+ ssl_sig_rsa_pss_pss_sha512};
+
++static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
++ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
++ ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384,
++ ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256,
++ ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512};
++
+ INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
+ kDummySignatureSchemesParams,
+ TLS_RSA_WITH_RC4_128_SHA,
+@@ -394,7 +394,7 @@ INSTANTIATE_CIPHER_TEST_P(
+ #ifndef NSS_DISABLE_TLS_1_3
+ INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
+ ::testing::ValuesIn(kFasterDHEGroups),
+- ::testing::ValuesIn(kSignatureSchemesParamsArr),
++ ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
+ TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
+ TLS_AES_256_GCM_SHA384);
+ INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
+diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
+--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
++++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
+@@ -436,14 +436,14 @@ TEST_P(TlsExtensionTest12Plus, Signature
+ }
+
+ TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
+- // 31 unknown signature algorithms followed by sha-256, rsa
++ // 31 unknown signature algorithms followed by sha-256, rsa-pss
+ const uint8_t val[] = {
+ 0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
+ DataBuffer extension(val, sizeof(val));
+ MakeTlsFilter(client_, ssl_signature_algorithms_xtn,
+ extension);
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
+ static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
+ static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
+ PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
++PRBool ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme);
+ PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
+
+ const PRUint8 ssl_hello_retry_random[] = {
+@@ -4101,6 +4102,9 @@ ssl_SignatureSchemeValid(SSLSignatureSch
+ if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
+ return PR_FALSE;
+ }
++ if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
++ return PR_FALSE;
++ }
+ /* With TLS 1.3, EC keys should have been selected based on calling
+ * ssl_SignatureSchemeFromSpki(), reject them otherwise. */
+ return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
+@@ -4351,6 +4355,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
+ }
+
+ PRBool
++ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme)
++{
++ switch (scheme) {
++ case ssl_sig_rsa_pkcs1_sha256:
++ case ssl_sig_rsa_pkcs1_sha384:
++ case ssl_sig_rsa_pkcs1_sha512:
++ case ssl_sig_rsa_pkcs1_sha1:
++ return PR_TRUE;
++
++ default:
++ return PR_FALSE;
++ }
++ return PR_FALSE;
++}
++
++PRBool
+ ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
+ {
+ switch (scheme) {
diff --git a/SOURCES/nss-dsa-policy.patch b/SOURCES/nss-dsa-policy.patch
new file mode 100644
index 0000000..5a191ff
--- /dev/null
+++ b/SOURCES/nss-dsa-policy.patch
@@ -0,0 +1,51 @@
+diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c
+--- a/lib/certhigh/certvfy.c
++++ b/lib/certhigh/certvfy.c
+@@ -42,23 +42,16 @@ checkKeyParams(const SECAlgorithmID *sig
+ {
+ SECStatus rv;
+ SECOidTag sigAlg;
+ SECOidTag curve;
+ PRUint32 policyFlags = 0;
+ PRInt32 minLen, len;
+
+ sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
+- rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);
+- if (rv == SECSuccess &&
+- !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+- PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+- return SECFailure;
+- }
+-
+ switch (sigAlg) {
+ case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+ case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+ if (key->keyType != ecKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+@@ -126,16 +119,23 @@ checkKeyParams(const SECAlgorithmID *sig
+ }
+
+ if (len < minLen) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
+ case SEC_OID_ANSIX9_DSA_SIGNATURE:
++ rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);
++ if (rv == SECSuccess &&
++ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
++ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
++ return SECFailure;
++ }
++ /* fall through */
+ case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+ case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+ case SEC_OID_SDN702_DSA_SIGNATURE:
+ case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
+ case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
+ if (key->keyType != dsaKey) {
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+ return SECFailure;
diff --git a/SOURCES/nss-fips-disable-tls13.patch b/SOURCES/nss-fips-disable-tls13.patch
new file mode 100644
index 0000000..8b30bbc
--- /dev/null
+++ b/SOURCES/nss-fips-disable-tls13.patch
@@ -0,0 +1,30 @@
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -2382,16 +2382,26 @@ ssl3_CreateOverlapWithPolicy(SSLProtocol
+ rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
+ &effectivePolicyBoundary);
+ if (rv == SECFailure) {
+ /* SECFailure means internal failure or invalid configuration. */
+ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+ return SECFailure;
+ }
+
++ /* TODO: TLSv1.3 doesn't work yet under FIPS mode */
++ if (PK11_IsFIPS()) {
++ if (effectivePolicyBoundary.min >= SSL_LIBRARY_VERSION_TLS_1_3) {
++ effectivePolicyBoundary.min = SSL_LIBRARY_VERSION_TLS_1_2;
++ }
++ if (effectivePolicyBoundary.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
++ effectivePolicyBoundary.max = SSL_LIBRARY_VERSION_TLS_1_2;
++ }
++ }
++
+ vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
+ vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
+
+ if (vrange.max < vrange.min) {
+ /* there was no overlap, turn off range altogether */
+ overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
+ return SECFailure;
+ }
diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch
new file mode 100644
index 0000000..c8222c7
--- /dev/null
+++ b/SOURCES/nss-fix-deadlock-squash.patch
@@ -0,0 +1,112 @@
+diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c
+--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100
++++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100
+@@ -374,13 +374,19 @@ struct token_cert_dtor {
+ PRUint32 numCerts, arrSize;
+ };
+
+-static void
+-remove_token_certs(const void *k, void *v, void *a)
++static void cert_iter(const void *k, void *v, void *a)
+ {
++ nssList *certList = (nssList *)a;
+ NSSCertificate *c = (NSSCertificate *)k;
++ nssList_Add(certList, nssCertificate_AddRef(c));
++}
++
++static void
++remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor)
++{
+ nssPKIObject *object = &c->object;
+- struct token_cert_dtor *dtor = a;
+ PRUint32 i;
++
+ nssPKIObject_AddRef(object);
+ nssPKIObject_Lock(object);
+ for (i = 0; i < object->numInstances; i++) {
+@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ NSSCertificate **certs;
+ PRUint32 i, arrSize = 10;
+ struct token_cert_dtor dtor;
++ nssList *certList;
++ PRStatus nspr_rv = PR_FAILURE;
++ nssListIterator *iter;
++ NSSCertificate *c;
++
+ certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
+ if (!certs) {
+ return PR_FAILURE;
+@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ dtor.certs = certs;
+ dtor.numCerts = 0;
+ dtor.arrSize = arrSize;
++
++ certList = nssList_Create(NULL, PR_FALSE);
++ if (!certList) {
++ goto loser;
++ }
++ /* fetch the list of certs in the cache */
++ PZ_Lock(td->cache->lock);
++ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
++ PZ_Unlock(td->cache->lock);
++
++ /* find the certs that match this token without olding the td cache lock */
++ iter=nssList_CreateIterator(certList);
++ if (!iter) {
++ goto loser;
++ }
++ for (c = (NSSCertificate *)nssListIterator_Start(iter);
++ c != (NSSCertificate *)NULL;
++ c = (NSSCertificate *)nssListIterator_Next(iter)) {
++ remove_token_certs( c, &dtor);
++ }
++ nssListIterator_Finish(iter);
++ nssListIterator_Destroy(iter);
++ nssList_Destroy(certList);
++ certList = NULL;
++
++ /* now remove theose certs attached to this token */
+ PZ_Lock(td->cache->lock);
+- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]->object.numInstances == 0) {
+ nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
+@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache
+ }
+ }
+ PZ_Unlock(td->cache->lock);
++
++ /* clean up */
+ for (i = 0; i < dtor.numCerts; i++) {
+ if (dtor.certs[i]) {
+ STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
+ nssCertificate_Destroy(dtor.certs[i]);
+ }
+ }
++
++ nspr_rv = PR_SUCCESS;
++loser:
++ if (certList) {
++ nssList_Destroy(certList);
++ }
+ nss_ZFreeIf(dtor.certs);
+- return PR_SUCCESS;
++ return nspr_rv;
+ }
+
+ NSS_IMPLEMENT PRStatus
+@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache(
+ return rvCert;
+ }
+
+-static void
+-cert_iter(const void *k, void *v, void *a)
+-{
+- nssList *certList = (nssList *)a;
+- NSSCertificate *c = (NSSCertificate *)k;
+- nssList_Add(certList, nssCertificate_AddRef(c));
+-}
+-
+ NSS_EXTERN NSSCertificate **
+ nssTrustDomain_GetCertsFromCache(
+ NSSTrustDomain *td,
diff --git a/SOURCES/nss-fix-pkix-name-constraints-common-name.patch b/SOURCES/nss-fix-pkix-name-constraints-common-name.patch
new file mode 100644
index 0000000..0741cef
--- /dev/null
+++ b/SOURCES/nss-fix-pkix-name-constraints-common-name.patch
@@ -0,0 +1,29 @@
+diff --git a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+--- a/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
++++ b/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+@@ -3145,16 +3145,25 @@ PKIX_PL_Cert_CheckNameConstraints(
+ PKIX_NULLCHECK_ONE(cert);
+
+ if (nameConstraints != NULL) {
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ PKIX_ERROR(PKIX_OUTOFMEMORY);
+ }
++ /* only check common Name if the usage requires it */
++ if (treatCommonNameAsDNSName) {
++ SECCertificateUsage certificateUsage;
++ certificateUsage = ((PKIX_PL_NssContext*)plContext)->certificateUsage;
++ if ((certificateUsage != certificateUsageSSLServer) &&
++ (certificateUsage != certificateUsageIPsec)) {
++ treatCommonNameAsDNSName = PKIX_FALSE;
++ }
++ }
+
+ /* This NSS call returns Subject Alt Names. If
+ * treatCommonNameAsDNSName is true, it also returns the
+ * Subject Common Name
+ */
+ PKIX_CERT_DEBUG
+ ("\t\tCalling CERT_GetConstrainedCertificateNames\n");
+ nssSubjectNames = CERT_GetConstrainedCertificateNames
diff --git a/SOURCES/nss-fix-public-key-from-priv.patch b/SOURCES/nss-fix-public-key-from-priv.patch
new file mode 100644
index 0000000..275bfc7
--- /dev/null
+++ b/SOURCES/nss-fix-public-key-from-priv.patch
@@ -0,0 +1,299 @@
+diff -up ./nss/gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mechs ./nss/gtests/pk11_gtest/pk11_import_unittest.cc
+--- ./nss/gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mechs 2019-05-10 14:14:18.000000000 -0700
++++ ./nss/gtests/pk11_gtest/pk11_import_unittest.cc 2019-06-05 12:01:13.728544204 -0700
+@@ -78,17 +78,40 @@ class Pk11KeyImportTestBase : public ::t
+ CK_MECHANISM_TYPE mech_;
+
+ private:
++ SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
++ SECItem null = { siBuffer, NULL, 0};
++ switch(SECKEY_GetPublicKeyType(pub_key.get())) {
++ case rsaKey:
++ case rsaPssKey:
++ case rsaOaepKey:
++ return pub_key->u.rsa.modulus;
++ case keaKey:
++ return pub_key->u.kea.publicValue;
++ case dsaKey:
++ return pub_key->u.dsa.publicValue;
++ case dhKey:
++ return pub_key->u.dh.publicValue;
++ case ecKey:
++ return pub_key->u.ec.publicValue;
++ case fortezzaKey: /* depricated */
++ case nullKey:
++ /* didn't use default here so we can catch new key types at compile time */
++ break;
++ }
++ return null;
++ }
+ void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
+ const SECItem* expected_public) {
+ // Verify the public key exists.
+ StackSECItem priv_id;
++ KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
+ SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
+ CKA_ID, &priv_id);
+ ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
+ << PORT_ErrorToName(PORT_GetError());
+
+ CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
+- switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
++ switch (type) {
+ case rsaKey:
+ value_type = CKA_MODULUS;
+ break;
+@@ -106,6 +129,8 @@ class Pk11KeyImportTestBase : public ::t
+ FAIL() << "unknown key type";
+ }
+
++ // Scan public key objects until we find one with the same CKA_ID as
++ // priv_key
+ std::unique_ptr objs(
+ PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
+ ASSERT_NE(nullptr, objs);
+@@ -128,20 +153,46 @@ class Pk11KeyImportTestBase : public ::t
+ ASSERT_EQ(1U, token.len);
+ ASSERT_NE(0, token.data[0]);
+
+- StackSECItem value;
+- rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
++ StackSECItem raw_value;
++ SECItem decoded_value;
++ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
+ ASSERT_EQ(SECSuccess, rv);
++ SECItem value = raw_value;
+
++ // Decode the EC_POINT and check the output against expected.
+ // CKA_EC_POINT isn't stable, see Bug 1520649.
++ ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
++ ASSERT_TRUE(arena);
+ if (value_type == CKA_EC_POINT) {
+- continue;
+- }
+
++ // If this fails due to the noted inconsistency, we may need to
++ // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
++ rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
++ SEC_ASN1_GET(SEC_OctetStringTemplate),
++ &raw_value);
++ ASSERT_EQ(SECSuccess, rv);
++ value = decoded_value;
++ }
+ ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
+ << "expected: "
+ << DataBuffer(expected_public->data, expected_public->len)
+ << std::endl
+ << "actual: " << DataBuffer(value.data, value.len) << std::endl;
++
++ // Finally, convert the private to public and ensure it matches.
++ ScopedSECKEYPublicKey pub_key(
++ SECKEY_ConvertToPublicKey(priv_key.get()));
++ ASSERT_TRUE(pub_key);
++ SECItem converted_public = GetPublicComponent(pub_key);
++ ASSERT_TRUE(converted_public.len != 0);
++
++ ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
++ << "expected: "
++ << DataBuffer(expected_public->data, expected_public->len)
++ << std::endl
++ << "actual: "
++ << DataBuffer(converted_public.data, converted_public.len)
++ << std::endl;
+ }
+ }
+
+diff -up ./nss/lib/cryptohi/seckey.c.pub-priv-mechs ./nss/lib/cryptohi/seckey.c
+--- ./nss/lib/cryptohi/seckey.c.pub-priv-mechs 2019-05-10 14:14:18.000000000 -0700
++++ ./nss/lib/cryptohi/seckey.c 2019-06-05 12:01:13.729544204 -0700
+@@ -1206,6 +1206,37 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
+ return NULL;
+ }
+
++/*
++ * Use the private key to find a public key handle. The handle will be on
++ * the same slot as the private key.
++ */
++static CK_OBJECT_HANDLE
++seckey_FindPublicKeyHandle(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk)
++{
++ CK_OBJECT_HANDLE keyID;
++
++ /* this helper function is only used below. If we want to make this more
++ * general, we would need to free up any already cached handles if the
++ * slot doesn't match up with the private key slot */
++ PORT_Assert(pubk->pkcs11ID == CK_INVALID_HANDLE);
++
++ /* first look for a matching public key */
++ keyID = PK11_MatchItem(privk->pkcs11Slot, privk->pkcs11ID, CKO_PUBLIC_KEY);
++ if (keyID != CK_INVALID_HANDLE) {
++ return keyID;
++ }
++
++ /* none found, create a temp one, make the pubk the owner */
++ pubk->pkcs11ID = PK11_DerivePubKeyFromPrivKey(privk);
++ if (pubk->pkcs11ID == CK_INVALID_HANDLE) {
++ /* end of the road. Token doesn't have matching public key, nor can
++ * token regenerate a new public key from and existing private key. */
++ return CK_INVALID_HANDLE;
++ }
++ pubk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
++ return pubk->pkcs11ID;
++}
++
+ SECKEYPublicKey *
+ SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
+ {
+@@ -1213,6 +1244,8 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
+ PLArenaPool *arena;
+ CERTCertificate *cert;
+ SECStatus rv;
++ CK_OBJECT_HANDLE pubKeyHandle;
++ SECItem decodedPoint;
+
+ /*
+ * First try to look up the cert.
+@@ -1243,11 +1276,47 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
+
+ switch (privk->keyType) {
+ case nullKey:
+- case dhKey:
+- case dsaKey:
+ /* Nothing to query, if the cert isn't there, we're done -- no way
+ * to get the public key */
+ break;
++ case dsaKey:
++ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
++ if (pubKeyHandle == CK_INVALID_HANDLE)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_BASE, arena, &pubk->u.dsa.params.base);
++ if (rv != SECSuccess)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_PRIME, arena, &pubk->u.dsa.params.prime);
++ if (rv != SECSuccess)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_SUBPRIME, arena, &pubk->u.dsa.params.subPrime);
++ if (rv != SECSuccess)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_VALUE, arena, &pubk->u.dsa.publicValue);
++ if (rv != SECSuccess)
++ break;
++ return pubk;
++ case dhKey:
++ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
++ if (pubKeyHandle == CK_INVALID_HANDLE)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_BASE, arena, &pubk->u.dh.base);
++ if (rv != SECSuccess)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_PRIME, arena, &pubk->u.dh.prime);
++ if (rv != SECSuccess)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_VALUE, arena, &pubk->u.dh.publicValue);
++ if (rv != SECSuccess)
++ break;
++ return pubk;
+ case rsaKey:
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_MODULUS, arena, &pubk->u.rsa.modulus);
+@@ -1258,7 +1327,6 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
+ if (rv != SECSuccess)
+ break;
+ return pubk;
+- break;
+ case ecKey:
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
+@@ -1268,7 +1336,23 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+ if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
+- break;
++ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
++ if (pubKeyHandle == CK_INVALID_HANDLE)
++ break;
++ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
++ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
++ if (rv != SECSuccess)
++ break;
++ }
++ /* ec.publicValue should be decoded, PKCS #11 defines CKA_EC_POINT
++ * as encoded, but it's not always. try do decoded it and if it
++ * succeeds store the decoded value */
++ rv = SEC_QuickDERDecodeItem(arena, &decodedPoint,
++ SEC_ASN1_GET(SEC_OctetStringTemplate), &pubk->u.ec.publicValue);
++ if (rv == SECSuccess) {
++ /* both values are in the public key arena, so it's safe to
++ * overwrite the old value */
++ pubk->u.ec.publicValue = decodedPoint;
+ }
+ pubk->u.ec.encoding = ECPoint_Undefined;
+ return pubk;
+@@ -1276,7 +1360,9 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
+ break;
+ }
+
+- PORT_FreeArena(arena, PR_FALSE);
++ /* must use Destroy public key here, because some paths create temporary
++ * PKCS #11 objects which need to be freed */
++ SECKEY_DestroyPublicKey(pubk);
+ return NULL;
+ }
+
+diff -up ./nss/lib/pk11wrap/pk11priv.h.pub-priv-mechs ./nss/lib/pk11wrap/pk11priv.h
+--- ./nss/lib/pk11wrap/pk11priv.h.pub-priv-mechs 2019-05-10 14:14:18.000000000 -0700
++++ ./nss/lib/pk11wrap/pk11priv.h 2019-06-05 12:01:13.729544204 -0700
+@@ -111,6 +111,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
+ PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
+ CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+ unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
++CK_OBJECT_HANDLE PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey);
+
+ /**********************************************************************
+ * Certs
+diff -up ./nss/lib/pk11wrap/pk11skey.c.pub-priv-mechs ./nss/lib/pk11wrap/pk11skey.c
+--- ./nss/lib/pk11wrap/pk11skey.c.pub-priv-mechs 2019-05-10 14:14:18.000000000 -0700
++++ ./nss/lib/pk11wrap/pk11skey.c 2019-06-05 12:01:13.730544203 -0700
+@@ -1840,6 +1840,35 @@ loser:
+ }
+
+ /*
++ * This regenerate a public key from a private key. This function is currently
++ * NSS private. If we want to make it public, we need to add and optional
++ * template or at least flags (a.la. PK11_DeriveWithFlags).
++ */
++CK_OBJECT_HANDLE
++PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
++{
++ PK11SlotInfo *slot = privKey->pkcs11Slot;
++ CK_MECHANISM mechanism;
++ CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
++ CK_RV crv;
++
++ mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
++ mechanism.pParameter = NULL;
++ mechanism.ulParameterLen = 0;
++
++ PK11_EnterSlotMonitor(slot);
++ crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
++ privKey->pkcs11ID, NULL, 0,
++ &objectID);
++ PK11_ExitSlotMonitor(slot);
++ if (crv != CKR_OK) {
++ PORT_SetError(PK11_MapError(crv));
++ return CK_INVALID_HANDLE;
++ }
++ return objectID;
++}
++
++/*
+ * This Generates a wrapping key based on a privateKey, publicKey, and two
+ * random numbers. For Mail usage RandomB should be NULL. In the Sender's
+ * case RandomA is generate, outherwize it is passed.
diff --git a/SOURCES/nss-modutil-skip-changepw-fips.patch b/SOURCES/nss-modutil-skip-changepw-fips.patch
new file mode 100644
index 0000000..9ed2983
--- /dev/null
+++ b/SOURCES/nss-modutil-skip-changepw-fips.patch
@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1523546409 -7200
+# Thu Apr 12 17:20:09 2018 +0200
+# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca
+# Parent 2eefd697d661efb82a77c84d893e6fbceefdf458
+Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string
+
+diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
+--- a/cmd/modutil/pk11.c
++++ b/cmd/modutil/pk11.c
+@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile,
+ ret = CHANGEPW_FAILED_ERR;
+ goto loser;
+ }
++ } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) {
++ /* Workaround to suppress harmless error in FIPS mode:
++ * When explicitly setting empty password while the old
++ * password is also empty, skip */
+ } else {
+ if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) {
+ PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName);
diff --git a/SOURCES/nss-post-handshake-auth-with-tickets.patch b/SOURCES/nss-post-handshake-auth-with-tickets.patch
new file mode 100644
index 0000000..ac51f07
--- /dev/null
+++ b/SOURCES/nss-post-handshake-auth-with-tickets.patch
@@ -0,0 +1,96 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1559121620 -7200
+# Wed May 29 11:20:20 2019 +0200
+# Node ID 29a48b604602a523defd6f9322a5adeca7e284a5
+# Parent 43a7fb4f994a31222c308113b0fccdd5480d5b8e
+Bug 1553443, send session ticket only after handshake is marked as finished
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 1553443
+
+Differential Revision: https://phabricator.services.mozilla.com/D32128
+
+diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
++++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
+@@ -537,6 +537,40 @@ TEST_F(TlsConnectStreamTls13, PostHandsh
+ capture_cert_req->buffer().len()));
+ }
+
++// Check if post-handshake auth still works when session tickets are enabled:
++// https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
++TEST_F(TlsConnectStreamTls13, PostHandshakeAuthWithSessionTicketsEnabled) {
++ EnsureTlsSetup();
++ client_->SetupClientAuth();
++ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
++ SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE));
++ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
++ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
++ EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
++ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
++ size_t called = 0;
++ server_->SetAuthCertificateCallback(
++ [&called](TlsAgent*, PRBool, PRBool) -> SECStatus {
++ called++;
++ return SECSuccess;
++ });
++ Connect();
++ EXPECT_EQ(0U, called);
++ // Send CertificateRequest.
++ EXPECT_EQ(SECSuccess, SSL_GetClientAuthDataHook(
++ client_->ssl_fd(), GetClientAuthDataHook, nullptr));
++ EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd()))
++ << "Unexpected error: " << PORT_ErrorToName(PORT_GetError());
++ server_->SendData(50);
++ client_->ReadBytes(50);
++ client_->SendData(50);
++ server_->ReadBytes(50);
++ EXPECT_EQ(1U, called);
++ ScopedCERTCertificate cert1(SSL_PeerCertificate(server_->ssl_fd()));
++ ScopedCERTCertificate cert2(SSL_LocalCertificate(client_->ssl_fd()));
++ EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
++}
++
+ // In TLS 1.3, the client sends its cert rejection on the
+ // second flight, and since it has already received the
+ // server's Finished, it transitions to complete and
+diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
+--- a/lib/ssl/tls13con.c
++++ b/lib/ssl/tls13con.c
+@@ -4561,6 +4561,11 @@ tls13_ServerHandleFinished(sslSocket *ss
+ return SECFailure;
+ }
+
++ rv = tls13_FinishHandshake(ss);
++ if (rv != SECSuccess) {
++ return SECFailure;
++ }
++
+ ssl_GetXmitBufLock(ss);
+ if (ss->opt.enableSessionTickets) {
+ rv = tls13_SendNewSessionTicket(ss, NULL, 0);
+@@ -4573,8 +4578,7 @@ tls13_ServerHandleFinished(sslSocket *ss
+ }
+ }
+ ssl_ReleaseXmitBufLock(ss);
+-
+- return tls13_FinishHandshake(ss);
++ return SECSuccess;
+
+ loser:
+ ssl_ReleaseXmitBufLock(ss);
+diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
+--- a/tests/ssl/sslauth.txt
++++ b/tests/ssl/sslauth.txt
+@@ -42,6 +42,7 @@
+ noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
+ noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
+ noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
++ noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth)
+ #
+ # Use EC cert for client authentication
+ #
diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch
new file mode 100644
index 0000000..73b049f
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch
@@ -0,0 +1,101 @@
+diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2019-03-16 01:25:08.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2019-03-22 11:25:50.523173253 +0100
+@@ -728,7 +728,9 @@ static SSLNamedGroup NamedGroupForEcdsa3
+ // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and
+ // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so
+ // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519.
+- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) {
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM.
++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) {
+ return ssl_grp_ec_secp384r1;
+ }
+ return ssl_grp_ec_curve25519;
+@@ -1377,20 +1379,24 @@ INSTANTIATE_TEST_CASE_P(
+ ::testing::Values(TlsAgent::kServerEcdsa256),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256)));
++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
++ // a higher priority than AES-128 GCM, and that causes the following
++ // 3 TLS 1.2 tests to fail.
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384)));
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+- TlsConnectTestBase::kTlsV12Plus,
++ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerEcdsa521),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512)));
++#if 0
+ INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+@@ -1399,4 +1405,5 @@ INSTANTIATE_TEST_CASE_P(
+ TlsAgent::kServerEcdsa384),
+ ::testing::Values(ssl_auth_ecdsa),
+ ::testing::Values(ssl_sig_ecdsa_sha1)));
++#endif
+ } // namespace nss_test
+diff -up nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc.reorder-cipher-suites-gtests 2019-03-16 01:25:08.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_recordsize_unittest.cc 2019-03-22 11:25:50.523173253 +0100
+@@ -71,11 +71,13 @@ void CheckRecordSizes(const std::shared_
+ break;
+
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
++ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
+ expansion = 16;
+ iv = 8;
+ break;
+
+ case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
++ case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+ // Expansion is 20 for the MAC. Maximum block padding is 16. Maximum
+ // padding is added when the input plus the MAC is an exact multiple of
+ // the block size.
+diff -up nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc.reorder-cipher-suites-gtests 2019-03-16 01:25:08.000000000 +0100
++++ nss/gtests/ssl_gtest/ssl_staticrsa_unittest.cc 2019-03-22 11:29:30.452433420 +0100
+@@ -133,7 +133,19 @@ TEST_P(TlsConnectGenericPre13, TooLargeR
+ TEST_P(TlsConnectGeneric, ServerAuthBiggestRsa) {
+ Reset(TlsAgent::kRsa8192);
+ Connect();
+- CheckKeys();
++ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
++ CheckKeys();
++ } else {
++ // in TLS 1.2 or TLS 1.1, AES-256 is selected by default, which
++ // needs a different kea setup
++ SSLSignatureScheme scheme;
++ if (version_ >= SSL_LIBRARY_VERSION_TLS_1_2) {
++ scheme = ssl_sig_rsa_pss_rsae_sha256;
++ } else {
++ scheme = ssl_sig_rsa_pkcs1_sha256;
++ }
++ CheckKeys(ssl_kea_ecdh, ssl_grp_ec_secp521r1, ssl_auth_rsa_sign, scheme);
++ }
+ }
+
+ } // namespace nss_test
+diff -up nss/gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/tls_agent.cc
+--- nss/gtests/ssl_gtest/tls_agent.cc.reorder-cipher-suites-gtests 2019-03-22 11:28:19.936944328 +0100
++++ nss/gtests/ssl_gtest/tls_agent.cc 2019-03-22 11:29:58.712828287 +0100
+@@ -532,6 +532,9 @@ void TlsAgent::CheckKEA(SSLKEAType kea,
+ case ssl_grp_ec_secp384r1:
+ kea_size = 384;
+ break;
++ case ssl_grp_ec_secp521r1:
++ kea_size = 521;
++ break;
+ case ssl_grp_ffdhe_2048:
+ kea_size = 2048;
+ break;
diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch
new file mode 100644
index 0000000..c295c1d
--- /dev/null
+++ b/SOURCES/nss-reorder-cipher-suites.patch
@@ -0,0 +1,205 @@
+diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2019-03-16 01:25:08.000000000 +0100
++++ nss/lib/ssl/ssl3con.c 2019-03-21 14:22:01.578936057 +0100
+@@ -90,49 +90,44 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE },
+
+- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+- * bug 946147.
+- */
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+@@ -141,27 +136,21 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* RSA */
+- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+-
+- /* 56-bit DES "domestic" cipher suites */
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+-
+- /* ciphersuites with no encryption */
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c
+--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2019-03-16 01:25:08.000000000 +0100
++++ nss/lib/ssl/sslenum.c 2019-03-21 14:22:16.479624167 +0100
+@@ -59,49 +59,44 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_CHACHA20_POLY1305_SHA256,
+ TLS_AES_256_GCM_SHA384,
+
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
+- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
+- */
+ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDHE_RSA_WITH_RC4_128_SHA,
+-
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
+- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
+ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
+- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+ TLS_DHE_DSS_WITH_RC4_128_SHA,
+-
+ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+@@ -110,26 +105,21 @@ const PRUint16 SSL_ImplementedCiphers[]
+ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
+ TLS_ECDH_RSA_WITH_RC4_128_SHA,
+-
+- TLS_RSA_WITH_AES_128_GCM_SHA256,
+ TLS_RSA_WITH_AES_256_GCM_SHA384,
+- TLS_RSA_WITH_AES_128_CBC_SHA,
+- TLS_RSA_WITH_AES_128_CBC_SHA256,
+- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA256,
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_GCM_SHA256,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA256,
++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ TLS_RSA_WITH_SEED_CBC_SHA,
+ TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ TLS_RSA_WITH_RC4_128_SHA,
+ TLS_RSA_WITH_RC4_128_MD5,
+-
+- /* 56-bit DES "domestic" cipher suites */
+ TLS_DHE_RSA_WITH_DES_CBC_SHA,
+ TLS_DHE_DSS_WITH_DES_CBC_SHA,
+ TLS_RSA_WITH_DES_CBC_SHA,
+-
+- /* ciphersuites with no encryption */
+ TLS_ECDHE_ECDSA_WITH_NULL_SHA,
+ TLS_ECDHE_RSA_WITH_NULL_SHA,
+ TLS_ECDH_RSA_WITH_NULL_SHA,
diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config
new file mode 100644
index 0000000..84e18ce
--- /dev/null
+++ b/SOURCES/nss-rhel7.config
@@ -0,0 +1,7 @@
+# To re-enable legacy algorithms, edit this file
+# Note that the last empty line in this file must be preserved
+library=
+name=Policy
+NSS=flags=policyOnly,moduleDB
+config="disallow=MD5:RC4 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0"
+
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 0000000..7d55d10
--- /dev/null
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,15 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100
++++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
++SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
diff --git a/SOURCES/nss-skip-sysinit-gtests.patch b/SOURCES/nss-skip-sysinit-gtests.patch
new file mode 100644
index 0000000..4c3ea29
--- /dev/null
+++ b/SOURCES/nss-skip-sysinit-gtests.patch
@@ -0,0 +1,11 @@
+diff -up nss/gtests/manifest.mn.skip-sysinit-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-sysinit-gtests 2019-04-26 12:55:05.979302035 +0200
++++ nss/gtests/manifest.mn 2019-04-26 12:55:09.507228984 +0200
+@@ -27,7 +27,6 @@ NSS_SRCDIRS = \
+ smime_gtest \
+ softoken_gtest \
+ ssl_gtest \
+- $(SYSINIT_GTEST) \
+ nss_bogo_shim \
+ $(NULL)
+ endif
diff --git a/SOURCES/nss-skip-tls13-fips-tests.sh b/SOURCES/nss-skip-tls13-fips-tests.sh
new file mode 100644
index 0000000..2d4ff9c
--- /dev/null
+++ b/SOURCES/nss-skip-tls13-fips-tests.sh
@@ -0,0 +1,16 @@
+diff -up nss/tests/ssl/ssl.sh.skip-tls13-fips-mode nss/tests/ssl/ssl.sh
+--- nss/tests/ssl/ssl.sh.skip-tls13-fips-mode 2019-05-16 10:52:35.926904215 +0200
++++ nss/tests/ssl/ssl.sh 2019-05-16 10:53:05.953281239 +0200
+@@ -412,6 +412,12 @@ ssl_auth()
+ echo "${testname}" | grep "TLS 1.3" > /dev/null
+ TLS13=$?
+
++ if [ "${TLS13}" -eq 0 ] && \
++ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
++ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
++ continue
++ fi
++
+ if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch
new file mode 100644
index 0000000..2a914d3
--- /dev/null
+++ b/SOURCES/nss-skip-util-gtest.patch
@@ -0,0 +1,21 @@
+diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip-util-gtests 2019-03-16 01:25:08.000000000 +0100
++++ nss/gtests/manifest.mn 2019-03-21 12:41:02.264072681 +0100
+@@ -35,6 +35,5 @@ endif
+
+ DIRS = \
+ $(LIB_SRCDIRS) \
+- $(UTIL_SRCDIRS) \
+ $(NSS_SRCDIRS) \
+ $(NULL)
+diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn
+--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2019-03-16 01:25:08.000000000 +0100
++++ nss/gtests/ssl_gtest/manifest.mn 2019-03-21 12:41:02.265072660 +0100
+@@ -67,6 +67,7 @@ PROGRAM = ssl_gtest
+ EXTRA_LIBS += \
+ $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
++ -lsoftokn3
+ $(NULL)
+
+ USE_STATIC_LIBS = 1
diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch
new file mode 100644
index 0000000..cc52515
--- /dev/null
+++ b/SOURCES/nss-sni-c-v-fix.patch
@@ -0,0 +1,21 @@
+diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt
+--- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200
++++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200
+@@ -64,13 +64,13 @@
+ #
+ # SNI Tests
+ #
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI
++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff --git a/SOURCES/nss-sql-default.patch b/SOURCES/nss-sql-default.patch
new file mode 100644
index 0000000..fd39778
--- /dev/null
+++ b/SOURCES/nss-sql-default.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert
+# Date 1511548994 -3600
+# Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent 807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+ ########################################################################
+ run_tests()
+ {
++ echo "Running test cycle: ${TEST_MODE} ----------------------"
++ echo "List of tests that will be executed: ${TESTS}"
+ for TEST in ${TESTS}
+ do
+ # NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+ NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+ export -n NSS_SSL_RUN
+
+- # use the default format
++ # use the default format. (unset for the shell, export -n for binaries)
+ export -n NSS_DEFAULT_DB_TYPE
++ unset NSS_DEFAULT_DB_TYPE
+
+ run_tests
+ }
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+ # are dbm databases.
+ if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+ save=${NSS_DEFAULT_DB_TYPE}
+- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+ fi
+
+ certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}
diff --git a/SOURCES/nss-ssl2-compatible-client-hello.patch b/SOURCES/nss-ssl2-compatible-client-hello.patch
new file mode 100644
index 0000000..a1f5217
--- /dev/null
+++ b/SOURCES/nss-ssl2-compatible-client-hello.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.ssl2hello nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.ssl2hello 2019-04-26 11:31:02.139693304 +0200
++++ nss/lib/ssl/sslsock.c 2019-04-26 11:31:36.842975724 +0200
+@@ -86,7 +86,7 @@ static sslOptions ssl_defaults = {
+ .enableTls13CompatMode = PR_FALSE,
+ .enableDtlsShortHeader = PR_FALSE,
+ .enableHelloDowngradeCheck = PR_FALSE,
+- .enableV2CompatibleHello = PR_FALSE,
++ .enableV2CompatibleHello = PR_TRUE,
+ .enablePostHandshakeAuth = PR_FALSE
+ };
+
diff --git a/SOURCES/nss-sysinit-getenv.patch b/SOURCES/nss-sysinit-getenv.patch
new file mode 100644
index 0000000..9352e33
--- /dev/null
+++ b/SOURCES/nss-sysinit-getenv.patch
@@ -0,0 +1,32 @@
+diff -up nss/lib/sysinit/nsssysinit.c.sysinit-getenv nss/lib/sysinit/nsssysinit.c
+--- nss/lib/sysinit/nsssysinit.c.sysinit-getenv 2019-04-26 12:08:48.155862312 +0200
++++ nss/lib/sysinit/nsssysinit.c 2019-04-26 12:09:13.228344780 +0200
+@@ -1,6 +1,10 @@
+ /* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#define _GNU_SOURCE 1
++#include
++
+ #include "seccomon.h"
+ #include "prio.h"
+ #include "prprf.h"
+@@ -41,7 +45,7 @@ testdir(char *dir)
+ static char *
+ getUserDB(void)
+ {
+- char *userdir = PR_GetEnvSecure("HOME");
++ char *userdir = secure_getenv("HOME");
+ char *nssdir = NULL;
+
+ if (userdir == NULL) {
+@@ -95,7 +99,7 @@ userCanModifySystemDB()
+ static PRBool
+ getFIPSEnv(void)
+ {
+- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS");
++ char *fipsEnv = secure_getenv("NSS_FIPS");
+ if (!fipsEnv) {
+ return PR_FALSE;
+ }
diff --git a/SOURCES/nss-sysinit-userdb.patch b/SOURCES/nss-sysinit-userdb.patch
new file mode 100644
index 0000000..a88132a
--- /dev/null
+++ b/SOURCES/nss-sysinit-userdb.patch
@@ -0,0 +1,132 @@
+# HG changeset patch
+# User Edênis Freindorfer Azevedo
+# Date 1547073505 -39600
+# Thu Jan 10 09:38:25 2019 +1100
+# Node ID da45424cb9a0b4d8e45e5040e2e3b574d994e254
+# Parent f7187a33fad7b9cafe0c2947c6d48618fdda57e4
+Bug 818686 - XDG Base Directory Specification support with fallback, r=mt
+
+Summary:
+We check if $HOME/.pki and $HOME/.pki/nssdb exist; if they do, then we use
+this path. Otherwise, use ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb
+
+Test Plan:
+Create dummy empty dir and set HOME to it. Then, check if getUserDb returns:
+1. $HOME/.pki/nssdb when this path exists;
+2. $HOME/.local/share/pki/nssdb when $HOME/.pki/nssdb does not and XDG_DATA_HOME is not defined;
+3. $XDG_DATA_HOME/pki/nssdb when $HOME/.pki/nssdb does not exist and XDG_DATA_HOME is defined.
+
+Reviewers: mt
+
+Reviewed By: mt
+
+Bug #: 818686
+
+Differential Revision: https://phabricator.services.mozilla.com/D14007
+
+diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
+--- a/lib/sysinit/nsssysinit.c
++++ b/lib/sysinit/nsssysinit.c
+@@ -37,9 +37,41 @@ testdir(char *dir)
+ return S_ISDIR(buf.st_mode);
+ }
+
++/**
++ * Append given @dir to @path and creates the directory with mode @mode.
++ * Returns 0 if successful, -1 otherwise.
++ * Assumes that the allocation for @path has sufficient space for @dir
++ * to be added.
++ */
++static int
++appendDirAndCreate(char *path, char *dir, mode_t mode)
++{
++ PORT_Strcat(path, dir);
++ if (!testdir(path)) {
++ if (mkdir(path, mode)) {
++ return -1;
++ }
++ }
++ return 0;
++}
++
++#define XDG_NSS_USER_PATH1 "/.local"
++#define XDG_NSS_USER_PATH2 "/share"
++#define XDG_NSS_USER_PATH3 "/pki"
++
+ #define NSS_USER_PATH1 "/.pki"
+ #define NSS_USER_PATH2 "/nssdb"
+-static char *
++
++/**
++ * Return the path to user's NSS database.
++ * We search in the following dirs in order:
++ * (1) $HOME/.pki/nssdb;
++ * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
++ * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
++ * If (1) does not exist, then the returned dir will be set to either
++ * (2) or (3), depending if XDG_DATA_HOME is set.
++ */
++char *
+ getUserDB(void)
+ {
+ char *userdir = PR_GetEnvSecure("HOME");
+@@ -50,22 +82,47 @@ getUserDB(void)
+ }
+
+ nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
++ PORT_Strcpy(nssdir, userdir);
++ PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2);
++ if (testdir(nssdir)) {
++ /* $HOME/.pki/nssdb exists */
++ return nssdir;
++ } else {
++ /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */
++ PORT_Free(nssdir);
++ }
++ int size = 0;
++ char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME");
++ if (xdguserdatadir) {
++ size = strlen(xdguserdatadir);
++ } else {
++ size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2);
++ }
++ size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2);
++
++ nssdir = PORT_Alloc(size);
+ if (nssdir == NULL) {
+ return NULL;
+ }
+- PORT_Strcpy(nssdir, userdir);
+- /* verify it exists */
+- if (!testdir(nssdir)) {
+- PORT_Free(nssdir);
+- return NULL;
++
++ if (xdguserdatadir) {
++ PORT_Strcpy(nssdir, xdguserdatadir);
++ if (!testdir(nssdir)) {
++ PORT_Free(nssdir);
++ return NULL;
++ }
++
++ } else {
++ PORT_Strcpy(nssdir, userdir);
++ if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) ||
++ appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) {
++ PORT_Free(nssdir);
++ return NULL;
++ }
+ }
+- PORT_Strcat(nssdir, NSS_USER_PATH1);
+- if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
+- PORT_Free(nssdir);
+- return NULL;
+- }
+- PORT_Strcat(nssdir, NSS_USER_PATH2);
+- if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
++ /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */
++ if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) ||
++ appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) {
+ PORT_Free(nssdir);
+ return NULL;
+ }
diff --git a/SOURCES/nss-version-range-set.patch b/SOURCES/nss-version-range-set.patch
new file mode 100644
index 0000000..8b3b25a
--- /dev/null
+++ b/SOURCES/nss-version-range-set.patch
@@ -0,0 +1,43 @@
+diff -up nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc.version-range-set nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc
+--- nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc.version-range-set 2019-04-26 16:56:32.753283497 +0200
++++ nss/gtests/ssl_gtest/ssl_versionpolicy_unittest.cc 2019-04-26 16:56:51.096889439 +0200
+@@ -151,12 +151,6 @@ class TestPolicyVersionRange
+ }
+
+ bool IsValidInputForVersionRangeSet(SSLVersionRange* expectedEffectiveRange) {
+- if (input_.min() <= SSL_LIBRARY_VERSION_3_0 &&
+- input_.max() >= SSL_LIBRARY_VERSION_TLS_1_3) {
+- // This is always invalid input, independent of policy
+- return false;
+- }
+-
+ if (input_.min() < library_.min() || input_.max() > library_.max() ||
+ input_.min() > input_.max()) {
+ // Asking for unsupported ranges is invalid input for VersionRangeSet
+diff -up nss/lib/ssl/sslsock.c.version-range-set nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.version-range-set 2019-04-26 16:56:11.810733383 +0200
++++ nss/lib/ssl/sslsock.c 2019-04-26 16:56:11.813733319 +0200
+@@ -2542,13 +2542,6 @@ SSL_VersionRangeGetDefault(SSLProtocolVa
+ return ssl3_CreateOverlapWithPolicy(protocolVariant, vrange, vrange);
+ }
+
+-static PRBool
+-ssl3_HasConflictingSSLVersions(const SSLVersionRange *vrange)
+-{
+- return (vrange->min <= SSL_LIBRARY_VERSION_3_0 &&
+- vrange->max >= SSL_LIBRARY_VERSION_TLS_1_3);
+-}
+-
+ static SECStatus
+ ssl3_CheckRangeValidAndConstrainByPolicy(SSLProtocolVariant protocolVariant,
+ SSLVersionRange *vrange)
+@@ -2557,8 +2550,7 @@ ssl3_CheckRangeValidAndConstrainByPolicy
+
+ if (vrange->min > vrange->max ||
+ !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->min) ||
+- !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max) ||
+- ssl3_HasConflictingSSLVersions(vrange)) {
++ !ssl3_VersionIsSupportedByCode(protocolVariant, vrange->max)) {
+ PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+ return SECFailure;
+ }
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
new file mode 100644
index 0000000..7334c80
--- /dev/null
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -0,0 +1,25 @@
+diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100
++++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100
+@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
+ SECStatus
+ NSS_SetDomesticPolicy(void)
+ {
+- SECStatus status = SECSuccess;
+ const PRUint16 *cipher;
+ SECStatus rv;
+ PRUint32 policy;
+@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void)
+ }
+
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
++ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED);
+ }
+- return status;
++ return SECSuccess;
+ }
+
+ SECStatus
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ pkcs11.txt
+ 5
+
+
+
+ pkcs11.txt
+ NSS PKCS #11 module configuration file
+
+
+
+ Description
+
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+
+
+For full documentation visit PKCS #11 Module Specs.
+
+
+
+
+ Files
+ /etc/pki/nssdb/pkcs11.txt
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch
new file mode 100644
index 0000000..5e3dbc7
--- /dev/null
+++ b/SOURCES/renegotiate-transitional.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 17:21:52.593560971 +0100
++++ nss/lib/ssl/sslsock.c 2018-03-09 17:22:21.096926523 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+ .noLocks = PR_FALSE,
+ .enableSessionTickets = PR_FALSE,
+ .enableDeflate = PR_FALSE,
+- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+ .requireSafeNegotiation = PR_FALSE,
+ .enableFalseStart = PR_FALSE,
+ .cbcRandomIV = PR_TRUE,
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 0000000..8e1f5f7
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 0000000..c2f5704
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch
new file mode 100644
index 0000000..649b548
--- /dev/null
+++ b/SOURCES/utilwrap-include-templates.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..e719d04
--- /dev/null
+++ b/SPECS/nss.spec
@@ -0,0 +1,2280 @@
+%global nspr_version 4.21.0
+%global nss_util_version 3.44.0
+%global nss_util_build -3
+# adjust to the version that gets submitted for FIPS validation
+%global nss_softokn_fips_version 3.44.0
+%global nss_softokn_version 3.44.0
+# Attention: Separate softokn versions for build and runtime.
+%global runtime_required_softokn_build_version -1
+# Building NSS doesn't require the same version of softokn built for runtime.
+%global build_required_softokn_build_version -1
+%global nss_version 3.44.0
+
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv"
+
+# The timestamp of our downstream manual pages, e.g., nss-config.1
+%global manual_date "Nov 13 2013"
+
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+ string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 s390x sparc64 x86_64
+%ifarch %{multilib_arches}
+%define alt_ckbi libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi libnssckbi.so
+%endif
+
+# Define if using a source archive like "nss-version.with.ckbi.version".
+# To "disable", add "#" to start of line, AND a space after "%".
+#% define nss_ckbi_suffix .with.ckbi.1.93
+
+%bcond_without tests
+
+Summary: Network Security Services
+Name: nss
+Version: %{nss_version}
+Release: 5%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Group: System Environment/Libraries
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_util_version}%{nss_util_build}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{runtime_required_softokn_build_version}
+Requires: nss-system-init
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= %{nspr_version}
+# TODO: revert to same version as nss once we are done with the merge
+# Using '>=' but on RHEL the requires should be '='
+BuildRequires: nss-softokn-devel >= %{nss_softokn_version}%{build_required_softokn_build_version}
+BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build}
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl
+
+# nss-pem used to be bundled with the nss package on Fedora -- make sure that
+# programs relying on that continue to work until they are fixed to require
+# nss-pem instead. Once all of them are fixed, the following line can be
+# removed. See https://bugzilla.redhat.com/1346806 for details.
+Requires: nss-pem%{?_isa}
+
+%if %{defined nss_ckbi_suffix}
+%define full_nss_version %{version}%{nss_ckbi_suffix}
+%else
+%define full_nss_version %{version}
+%endif
+
+Source0: %{name}-%{nss_archive_version}.tar.gz
+Source1: nss.pc.in
+Source2: nss-config.in
+Source3: blank-cert8.db
+Source4: blank-key3.db
+Source5: blank-secmod.db
+Source6: blank-cert9.db
+Source7: blank-key4.db
+Source8: system-pkcs11.txt
+Source9: setup-nsssysinit.sh
+Source10: PayPalEE.cert
+Source17: TestCA.ca.cert
+Source18: TestUser50.cert
+Source19: TestUser51.cert
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+Source30: PayPalRootCA.cert
+Source31: PayPalICA.cert
+Source32: nss-rhel7.config
+Source33: TestOldCA.p12
+
+Patch2: add-relro-linker-option.patch
+Patch3: renegotiate-transitional.patch
+Patch16: nss-539183.patch
+# TODO: Remove this patch when the ocsp test are fixed
+Patch40: nss-3.14.0.0-disble-ocsp-test.patch
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47: utilwrap-include-templates.patch
+# TODO remove when we switch to building nss without softoken
+Patch49: nss-skip-bltest-and-fipstest.patch
+# This patch uses the gcc-iquote dir option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to place the in-tree directories at the head of the list of list of directories
+# to be searched for for header files. This ensures a build even when system
+# headers are older. Such is the case when starting an update with API changes or even private export changes.
+# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
+Patch50: iquote.patch
+Patch52: Bug-1001841-disable-sslv2-libssl.patch
+Patch53: Bug-1001841-disable-sslv2-tests.patch
+# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
+Patch56: p-ignore-setpolicy.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
+Patch62: nss-fix-deadlock-squash.patch
+Patch100: fix-min-library-version-in-SSLVersionRange.patch
+Patch108: nss-sni-c-v-fix.patch
+Patch123: nss-skip-util-gtest.patch
+Patch126: nss-reorder-cipher-suites.patch
+Patch127: nss-disable-cipher-suites.patch
+Patch130: nss-reorder-cipher-suites-gtests.patch
+# To revert the change in:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
+Patch136: nss-sql-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1453408
+Patch139: nss-modutil-skip-changepw-fips.patch
+# Work around for yum
+# https://bugzilla.redhat.com/show_bug.cgi?id=1469526
+Patch141: nss-sysinit-getenv.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1542207
+Patch147: nss-dsa-policy.patch
+# To revert the change in:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
+Patch148: nss-sysinit-userdb.patch
+# Disable nss-sysinit test which is sorely to test the above change
+Patch149: nss-skip-sysinit-gtests.patch
+# Enable SSLv2 compatible ClientHello, disabled in the change:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1483128
+Patch150: nss-ssl2-compatible-client-hello.patch
+# TLS 1.3 currently doesn't work under FIPS mode:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1710372
+Patch151: nss-skip-tls13-fips-tests.sh
+# For backward compatibility: make -V "ssl3:" continue working, while
+# the minimum version is clamped to tls1.0
+Patch152: nss-version-range-set.patch
+# TLS 1.3 currently doesn't work under FIPS mode:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1710372
+Patch153: nss-fips-disable-tls13.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552208
+Patch154: nss-disable-pkcs1-sigalgs-tls13.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
+Patch155: nss-post-handshake-auth-with-tickets.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
+Patch156: nss-fix-public-key-from-priv.patch
+Patch157: nss-add-ipsec-usage-to-manpage.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1571677
+Patch158: nss-fix-pkix-name-constraints-common-name.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Group: System Environment/Base
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+Group: System Environment/Base
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Group: Development/Libraries
+Provides: nss-static = %{version}-%{release}
+Requires: nss = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Group: Development/Libraries
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+# TODO: revert to using nss_softokn_version once we are done with
+# the merge into to new rhel git repo
+# For RHEL we should have '=' instead of '>='
+Requires: nss-softokn-freebl-devel >= %{nss_softokn_version}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%prep
+%setup -q -n %{name}-%{nss_archive_version}
+%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE33} -f ./nss/tests/tools
+
+%patch2 -p0 -b .relro
+%patch3 -p0 -b .transitional
+%patch16 -p0 -b .539183
+%patch40 -p0 -b .noocsptest
+%patch47 -p0 -b .templates
+%patch49 -p0 -b .skipthem
+%patch50 -p0 -b .iquote
+pushd nss
+%patch52 -p1 -b .disableSSL2libssl
+%patch53 -p1 -b .disableSSL2tests
+%patch56 -p1 -b .1026677_ignore_set_policy
+%patch62 -p1 -b .fix_deadlock
+%patch100 -p0 -b .1171318
+popd
+%patch108 -p0 -b .sni_c_v_fix
+pushd nss
+%patch123 -p1 -b .skip-util-gtests
+%patch126 -p1 -b .reorder-cipher-suites
+%patch127 -p1 -b .disable-cipher-suites
+%patch130 -p1 -b .reorder-cipher-suites-gtests
+%patch136 -p1 -R -b .sql-default
+%patch139 -p1 -b .modutil-skip-changepw-fips
+%patch148 -R -p1 -b .sysinit-userdb
+%patch141 -p1 -b .sysinit-getenv
+%patch147 -p1 -b .dsa-policy
+%patch149 -p1 -b .skip-sysinit-gtests
+%patch150 -p1 -b .ssl2hello
+%patch151 -p1 -b .skip-tls13-fips-mode
+%patch152 -p1 -b .version-range-set
+%patch153 -p1 -b .fips-disable-tls13
+%patch154 -p1 -b .disable-pkcs1-sigalgs-tls13
+%patch155 -p1 -b .post-handshake-auth-with-tickets
+popd
+%patch156 -p1 -b .pub-priv-mechs
+%patch157 -p1 -b .ipsec-usage
+pushd nss
+%patch158 -p1 -b .pkix-name-constraints-common-name
+popd
+
+#########################################################
+# Higher-level libraries and test tools need access to
+# module-private headers from util, freebl, and softoken
+# until fixed upstream we must copy some headers locally
+#########################################################
+
+# Copying these header until the upstream bug is accepted
+# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
+%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
+%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
+
+# Before removing util directory we must save verref.h
+# as it will be needed later during the build phase.
+%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
+
+##### Remove util/freebl/softoken and low level tools
+######## Remove freebl, softoken and util
+%{__rm} -rf ./nss/lib/freebl
+%{__rm} -rf ./nss/lib/softoken
+%{__rm} -rf ./nss/lib/util
+######## Remove nss-softokn test tools as we already ran
+# the cipher test suite as part of the nss-softokn build
+%{__rm} -rf ./nss/cmd/bltest
+%{__rm} -rf ./nss/cmd/fipstest
+%{__rm} -rf ./nss/cmd/rsaperf_low
+
+pushd nss/tests/ssl
+# Create versions of sslcov.txt and sslstress.txt that disable tests
+# for SSL2 and EXPORT ciphers.
+cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
+cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
+popd
+
+%build
+
+export NSS_NO_SSL2=1
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+# Enable compiler optimizations and disable debugging code
+export BUILD_OPT=1
+
+# Uncomment to disable optimizations
+# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'`
+# export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+XCFLAGS=$RPM_OPT_FLAGS
+
+export XCFLAGS
+
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_LIB_DIR=%{_libdir}
+
+export NSPR_INCLUDE_DIR
+export NSPR_LIB_DIR
+
+export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
+export NSSUTIL_LIB_DIR=%{_libdir}
+
+export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'`
+export FREEBL_LIB_DIR=%{_libdir}
+export USE_SYSTEM_FREEBL=1
+# FIXME choose one or the other style and submit a patch upstream
+# wtc has suggested using NSS_USE_SYSTEM_FREEBL
+export NSS_USE_SYSTEM_FREEBL=1
+
+export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn`
+
+export SOFTOKEN_LIB_DIR=%{_libdir}
+# use the system ones
+export USE_SYSTEM_NSSUTIL=1
+export USE_SYSTEM_SOFTOKEN=1
+
+# tell the upstream build system what we are doing
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+
+NSS_USE_SYSTEM_SQLITE=1
+export NSS_USE_SYSTEM_SQLITE
+
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+USE_64=1
+export USE_64
+%endif
+%endif
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+##### phase 2: build the rest of nss
+export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_FORCE_FIPS=1
+
+%{__make} -C ./nss/coreconf
+%{__make} -C ./nss/lib/dbm
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss-rhel7.config"
+# location of the policy file
+export POLICY_PATH="/etc/pki/nss-legacy"
+
+# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
+# need nss/lib/util/verref.h which is exported privately,
+# copy the one we saved during prep so it they can find it.
+%{__mkdir_p} ./dist/private/nss
+%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
+
+%{__make} -C ./nss
+unset NSS_BLTEST_NOT_AVAILABLE
+
+# build the man pages clean
+pushd ./nss/doc
+rm -rf ./nroff
+%{__make} clean
+echo -n %{manual_date} > date.xml
+echo -n %{version} > version.xml
+%{__make}
+popd
+
+# and copy them to the dist directory for %%install to find them
+%{__mkdir_p} ./dist/doc/nroff
+%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff
+
+# Set up our package file
+# The nspr_version and nss_{util|softokn}_version globals used
+# here match the ones nss has for its Requires.
+# Using the current %%{nss_softokn_version} for fedora again
+%{__mkdir_p} ./dist/pkgconfig
+%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+export NSS_VMAJOR
+export NSS_VMINOR
+export NSS_VPATCH
+
+%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+echo -n %{manual_date} > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+%if %{with tests}
+if [ ${DISABLETEST:-0} -eq 1 ]; then
+ echo "testing disabled"
+ exit 0
+fi
+
+# Begin -- copied from the build section
+
+# inform the ssl test scripts that SSL2 is disabled
+export NSS_NO_SSL2=1
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+USE_64=1
+export USE_64
+%endif
+%endif
+
+export NSS_BLTEST_NOT_AVAILABLE=1
+
+export NSS_FORCE_FIPS=1
+
+# needed for the fips mangling test
+export SOFTOKEN_LIB_DIR=%{_libdir}
+
+# End -- copied from the build section
+
+export GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest smime_gtest"
+export GTESTFILTER='-TlsConnectTest.DisallowSSLv3HelloWithTLSv13Enabled'
+
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd ./nss/tests/
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
+# nss_ssl_run: cov auth stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# global nss_ssl_tests "normal_fips"
+# global nss_ssl_run "cov auth"
+
+# Temporarily disabling ssl stress tests for s390
+%ifarch s390
+%global nss_ssl_run "cov auth"
+%endif
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+
+popd
+
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
+killall $RANDSERV || :
+
+TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+ %ifarch %{arm}
+ :
+ # do nothing on arm where the test suite is failing and has been
+ # for while, do run the test suite but make it non fatal on arm
+ %else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+%endif
+fi
+echo "test suite completed"
+%endif
+
+%install
+
+%{__rm} -rf $RPM_BUILD_ROOT
+
+# There is no make install target so we'll do it ourselves.
+
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
+%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
+
+# Copy the binary libraries we want
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the template files we want
+for file in dist/private/nss/nssck.api
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in "%{allTools}"; do
+ install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy
+%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+# If we upgrade, and the shared filename is a regular file, then we must
+# remove it, before we can install the alternatives symbolic link.
+if [ $1 -gt 1 ] ; then
+ # when upgrading or downgrading
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ rm -f %{_libdir}/libnssckbi.so
+ fi
+fi
+# Install the symbolic link
+# FYI: Certain other packages use alternatives --set to enforce that the first
+# installed package is preferred. We don't do that. Highest priority wins.
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+/sbin/ldconfig
+
+%postun
+if [ $1 -eq 0 ] ; then
+ # package removal
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+else
+ # upgrade or downgrade
+ # If the new installed package uses a regular file (not a symblic link),
+ # then cleanup the alternatives link.
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+ fi
+fi
+/sbin/ldconfig
+
+
+%files
+%defattr(-,root,root)
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%ghost %{_libdir}/libnssckbi.so
+%{_libdir}/nss/libnssckbi.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%dir %{_sysconfdir}/pki/nss-legacy
+%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config
+
+%files sysinit
+%defattr(-,root,root)
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+
+%files tools
+%defattr(-,root,root)
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %%{_mandir}/man*/* let's list them explicitely
+# supported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/nss-policy-check.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+# unsupported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+
+%files pkcs11-devel
+%defattr(-, root, root)
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+
+%changelog
+* Wed Aug 14 2019 Bob Relyea - 3.44.0-5
+- Fix pkix name constraints processing to only process the common name if the
+ certusage you are checking is IPSEC or SSL Server.
+
+* Wed Jun 5 2019 Bob Relyea - 3.44.0-4
+- Fix certutil man page
+- Fix extracting a public key from a private key for dh, ec, and dsa
+
+* Thu May 30 2019 Daiki Ueno - 3.44.0-3
+- Disable TLS 1.3 under FIPS mode
+- Disable RSASSA-PKCS1-v1_5 in TLS 1.3
+- Fix post-handshake auth transcript calculation if
+ SSL_ENABLE_SESSION_TICKETS is set
+
+* Thu May 16 2019 Daiki Ueno - 3.44.0-2
+- Skip sysinit gtests properly
+- Fix shell syntax error in tests/ssl/ssl.sh
+- Regenerate manual pages
+
+* Wed May 15 2019 Daiki Ueno - 3.44.0-1
+- Rebase to NSS 3.44
+- Restore fix-min-library-version-in-SSLVersionRange.patch to keep
+ SSL3 supported in the code level while it is disabled by policy
+- Skip TLS 1.3 tests under FIPS mode
+
+* Fri May 10 2019 Daiki Ueno - 3.43.0-9
+- Ignore system policy when running %%check
+
+* Fri May 3 2019 Daiki Ueno - 3.43.0-8
+- Fix policy string
+
+* Fri Apr 26 2019 Daiki Ueno - 3.43.0-7
+- Don't override date in man-pages
+- Revert the change to use XDG basedirs (mozilla#818686)
+- Enable SSL2 compatible ClientHello by default
+- Disable SSL3 and RC4 by default
+
+* Mon Apr 8 2019 Daiki Ueno - 3.43.0-6
+- Make "-V ssl3:" option work with tools
+
+* Fri Apr 5 2019 Daiki Ueno - 3.43.0-5
+- Fix regression in MD5 disablement
+
+* Mon Apr 1 2019 Bob Relyea - 3.43.0-4
+- add certutil documentation
+
+* Thu Mar 28 2019 Daiki Ueno - 3.43.0-3
+- Restore complete removal of SSLv2
+- Disable SSLv3
+- Move signtool to unsupported directory
+
+* Mon Mar 25 2019 Bob Relyea - 3.43.0-2
+- Expand IPSEC usage to include ssl and email certs. Remove special
+ processing of the usage based on the critical flag
+
+* Thu Mar 21 2019 Daiki Ueno - 3.43.0-1
+- Rebase to NSS 3.43
+
+* Mon Feb 25 2019 Bob Relyea - 3.36.0-8.1
+- move key on unwrap failure and retry.
+
+* Mon Nov 12 2018 Bob Relyea - 3.36.0-8
+- Update the cert verify code to allow a new ipsec usage and follow RFC 4945
+
+* Wed Aug 29 2018 Daiki Ueno - 3.36.0-7
+- Backport upstream fix for CVE-2018-12384
+- Remove nss-lockcert-api-change.patch, which turned out to be a
+ mistake (the symbol was not exported from libnss)
+
+* Thu Apr 19 2018 Daiki Ueno - 3.36.0-6
+- Exercise SSL tests which only run under non-FIPS setting
+
+* Wed Apr 18 2018 Daiki Ueno - 3.36.0-5
+- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h
+
+* Fri Apr 13 2018 Daiki Ueno - 3.36.0-4
+- Work around modutil -changepw error if the old and new passwords are
+ both empty in FIPS mode
+
+* Tue Mar 27 2018 Daiki Ueno - 3.36.0-3
+- Decrease the iteration count of PKCS#12 for compatibility with Windows
+- Fix deadlock when a token is re-inserted while a client process is running
+
+* Mon Mar 12 2018 Daiki Ueno - 3.36.0-2
+- Set NSS_FORCE_FIPS=1 in %%build
+- Revert the changes to tests assuming the default DB type
+
+* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1
+- Rebase to NSS 3.36
+
+* Mon Jan 15 2018 Daiki Ueno - 3.34.0-4
+- Re-enable nss-is-token-present-race.patch
+
+* Fri Jan 5 2018 Daiki Ueno - 3.34.0-3
+- Temporarily disable nss-is-token-present-race.patch
+
+* Thu Jan 4 2018 Daiki Ueno - 3.34.0-2
+- Backport necessary changes from 3.35
+
+* Fri Nov 24 2017 Daiki Ueno - 3.34.0-1
+- Rebase to NSS 3.34
+
+* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1
+- Rebase to NSS 3.34.BETA1
+
+* Wed Oct 25 2017 Daiki Ueno - 3.33.0-3
+- Disable TLS 1.3
+
+* Wed Oct 18 2017 Daiki Ueno - 3.33.0-2
+- Enable TLS 1.3
+
+* Mon Oct 16 2017 Daiki Ueno - 3.33.0-1
+- Rebase to NSS 3.33
+- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants)
+- Temporarily disable race.patch and nss-3.16-token-init-race.patch,
+ which causes a deadlock in newly added test cases
+- Remove upstreamed patches: moz-1320932.patch,
+ nss-tstclnt-optspec.patch,
+ nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch,
+ nss-tools-sha256-default.patch, nss-is-token-present-race.patch,
+ nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-14
+- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-13
+- Update iquote.patch to prefer nss.h from the source
+
+* Mon Oct 16 2017 Daiki Ueno - 3.28.4-12
+- Add backward compatibility to pk12util regarding password encoding
+
+* Thu Aug 10 2017 Daiki Ueno - 3.28.4-11
+- Backport patch to simplify transcript calculation for CertificateVerify
+- Enable TLS 1.3 and RSA-PSS
+- Disable some upstream tests failing due to downstream ciphersuites changes
+
+* Thu Jul 13 2017 Daiki Ueno - 3.28.4-10
+- Work around yum crash due to new NSPR symbol being used in nss-sysinit,
+ patch by Kai Engert
+
+* Fri Jun 2 2017 Daiki Ueno - 3.28.4-9
+- Fix typo in nss-sni-c-v-fix.patch
+
+* Fri May 5 2017 Kai Engert - 3.28.4-8
+- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5
+
+* Fri May 5 2017 Daiki Ueno - 3.28.4-7
+- Update nss-pk12util.patch to include fix from mozbz#1353724.
+
+* Wed May 3 2017 Daiki Ueno - 3.28.4-6
+- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207.
+
+* Fri Apr 28 2017 Daiki Ueno - 3.28.4-5
+- Fix zero-length record treatment for stream ciphers and SSLv2
+
+* Thu Apr 27 2017 Daiki Ueno - 3.28.4-4
+- Correctly set policy file location when building
+
+* Wed Apr 26 2017 Daiki Ueno - 3.28.4-3
+- Reorder ChaCha20-Poly1305 cipher suites, as suggested in:
+ https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9
+
+* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2
+- Rebase to NSS 3.28.4
+- Update nss-pk12util.patch with backport of mozbz#1353325
+
+* Thu Mar 16 2017 Daiki Ueno - 3.28.3-5
+- Switch default hash algorithm used by tools from SHA-1 to SHA-256
+- Avoid race condition in nssSlot_IsTokenPresent()
+- Enable SHA-2 and AES in pk12util
+- Disable RSA-PSS for now
+
+* Fri Mar 10 2017 Daiki Ueno - 3.28.3-4
+- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert
+- Backport changes adding SSL alert callbacks from upstream
+- Add nss-check-policy-file.patch from Fedora
+- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config
+
+* Mon Mar 6 2017 Daiki Ueno - 3.28.3-3
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+- Enable new algorithms supported by the new nss-softokn
+
+* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2
+- Rebase to NSS 3.28.3
+- Bump required version of nss-softokn
+
+* Wed Feb 15 2017 Daiki Ueno - 3.28.2-3
+- Remove %%nss_cycles setting, which was also mistakenly added
+- Re-enable BUILD_OPT, mistakenly disabled in the previous build
+- Prevent ABI incompatibilty of SECKEYECPublicKey
+- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default
+- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream
+ patch in the previous release
+- Fix crash with tstclnt -W
+- Always enable gtests for supported features
+- Add patch to fix bash syntax error in tests/ssl.sh
+- Build with support for SSLKEYLOGFILE
+- Disable the use of RSA-PSS with SSL/TLS
+
+* Tue Feb 14 2017 Daiki Ueno - 3.28.2-2
+- Decouple nss-pem from the nss package
+- Resolves: #1316546
+
+* Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1
+- Remove mistakenly added R: nss-pem
+
+* Fri Feb 10 2017 Daiki Ueno - 3.28.2-1.0
+- Rebase to NSS 3.28.2
+- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which
+ is no-op now
+- Enable gtests when requested
+- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are
+ not necessary
+- Remove sslauth-no-v2.patch and
+ nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is
+ already disabled in upstream
+- Remove ssl-server-min-key-sizes.patch, as we decided to support DH
+ key size greater than 1023 bits
+- Remove local patches for SHA384 cipher suites (now supported in
+ upstream): dhe-sha384-dss-support.patch,
+ client_auth_for_sha384_prf_support.patch,
+ nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch,
+ nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch,
+ fix-allowed-sig-alg.patch, tests-extra.patch
+- Remove upstreamed patches: rh1238290.patch,
+ fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch,
+ call-restartmodules-in-nssinit.patch
+
+* Wed Oct 26 2016 Daiki Ueno - 3.21.3-1
+- Rebase to NSS 3.21.3
+- Resolves: #1383887
+
+* Thu Jun 30 2016 Kai Engert - 3.21.0-17
+- remove additional false duplicates from sha384 downstream patches
+
+* Tue Jun 28 2016 Kai Engert - 3.21.0-16
+- enable ssl_gtests (without extended master secret tests), Bug 1298692
+- call SECMOD_RestartModules in nss_Init, Bug 1317691
+
+* Fri Jun 17 2016 Kai Engert - 3.21.0-15
+- escape all percent characters in all changelog comments
+
+* Fri Jun 17 2016 Kai Engert - 3.21.0-14
+- Support TLS 1.2 certificate_verify hashes other than PRF,
+ backported fix from NSS 3.25 (upstream bug 1179338).
+
+* Mon May 23 2016 Elio Maldonado - 3.21.0-13
+- Fix reuse of session cache entry
+- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-12
+- Fix a flaw in %%check for nss not building on arm
+- Resolves: Bug 1200856
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-11
+- Cleanup: Remove unnecessary %%posttrans script from nss.spec
+- Resolves: Bug 1174201
+
+* Wed Apr 20 2016 Elio Maldonado - 3.21.0-10
+- Merge fixes from the rhel-7.2 branch
+- Fix a bogus %%changelog entry
+- Resolves: Bug 1297941
+
+* Fri Apr 15 2016 Kai Engert - 3.21.0-9
+- Rebuild to require the latest nss-util build and nss-softokn build.
+
+* Mon Apr 11 2016 Kai Engert - 3.21.0-8
+- Update the minimum nss-softokn build required at runtime.
+
+* Mon Apr 04 2016 Elio Maldonado - 3.21.0-7
+- Delete duplicates from one table
+
+* Tue Mar 29 2016 Kai Engert - 3.21.0-6
+- Fix missing support for sha384/dsa in certificate_request
+
+* Wed Mar 23 2016 Kai Engert - 3.21.0-5
+- Merge fixes from the rhel-7.2 branch
+- Fix the SigAlgs sent in certificate_request
+- Ensure all ssl.sh tests are executed
+- Update sslauth test patch to run additional tests
+
+* Fri Feb 26 2016 Elio Maldonado - 3.21.0-2
+- Fix sha384 support and testing patches
+
+* Wed Feb 17 2016 Elio Maldonado - 3.21.0-1
+- Rebase to NSS-3.21
+
+* Tue Dec 15 2015 Elio Maldonado - 3.19.1-19
+- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
+- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures
+- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch
+- Resolves: Bug 1289884
+
+* Wed Oct 21 2015 Kai Engert - 3.19.1-18
+- Rebuild against updated NSPR
+
+* Thu Sep 03 2015 Elio Maldonado - 3.19.1-17
+- Change the required_softokn_build_version back to -13
+- Ensure we use nss-softokn-3.16.2.3-13.el7_1
+
+* Thu Sep 03 2015 Elio Maldonado - 3.19.1-16
+- Fix check for public key size of DSA certificates
+- Use size of prime P not the size of dsa.publicValue
+
+* Mon Aug 31 2015 Elio Maldonado - 3.19.1-15
+- Reorder the cipher suites and enable two more by default
+
+* Sun Aug 30 2015 Elio Maldonado - 3.19.1-14
+- Update the required_softokn_build_version to -14
+- Add references to bugs filed upstream for new patches
+- Merge ocsp stapling and sslauth sni tests patches into one
+
+* Sat Aug 29 2015 Elio Maldonado - 3.19.1-13
+- Reorder the cipher suites and enable two more by default
+- Fix some of the ssauth sni and ocsp stapling tests
+
+* Thu Aug 27 2015 Elio Maldonado - 3.19.1-12
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+- Enable ECDSA cipher suites by default, a subset of the ones requested
+
+* Wed Aug 26 2015 Elio Maldonado - 3.19.1-11
+- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers
+
+* Mon Aug 17 2015 Elio Maldonado - 3.19.1-10
+- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384
+
+* Mon Aug 10 2015 Elio Maldonado - 3.19.1-9
+- Fix checks to skip ssl2/export cipher suites tests to not skip needed tests
+- Fix libssl ssl2/export disabling patch to handle NULL cipher cases
+- Enable additional cipher suites by default
+
+* Thu Jul 16 2015 Elio Maldonado - 3.19.1-8
+- Add links to filed upstream bugs to better track patches in spec file
+
+* Tue Jul 07 2015 Elio Maldonado - 3.19.1-7
+- Package listsuites as part of the unsupported tools
+
+* Thu Jul 02 2015 Elio Maldonado - 3.19.1-6
+- Bump the release tag
+
+* Mon Jun 29 2015 Kai Engert - 3.19.1-5
+- Incremental patches to fix SSL/TLS test suite execution,
+ fix the earlier SHA384 patch, and inform clients to use SHA384 with
+ certificate_verify if required by NSS.
+
+* Thu Jun 18 2015 Elio Maldonado - 3.19.1-4
+- Add support for sha384 tls cipher suites
+- Add support for server-side hde key exchange
+- Add support for DSS+SHA256 ciphersuites
+
+* Wed Jun 10 2015 Elio Maldonado - 3.19.1-3
+- Reenable a patch that had been mistakenly disabled
+
+* Wed Jun 10 2015 Elio Maldonado - 3.19.1-2
+- Build against nss-softokn-3.16.2.3-9
+
+* Fri Jun 05 2015 Elio Maldonado - 3.19.1-1
+- Rebase to nss-3.19.1
+- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
+
+* Tue Apr 28 2015 Kai Engert - 3.18.0-6
+- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2
+
+* Thu Apr 23 2015 Kai Engert - 3.18.0-5
+- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+
+* Fri Apr 17 2015 Elio Maldonado - 3.18.0-4
+- Update and reeneable nss-646045.patch on account of the rebase
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Tue Apr 14 2015 Elio Maldonado - 3.18.0-3
+- Fix shell syntax error on nss/tests/all.sh
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Fri Apr 10 2015 Elio Maldonado - 3.18.0-2
+- Replace expired PayPal test certificate that breaks the build
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Mar 30 2015 Elio Maldonado - 3.18.0-1
+- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Mon Jan 19 2015 Elio Maldonado - 3.16.2.3-5
+- Reverse the sense of a test in patch to fix pk12util segfault
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
+* Thu Jan 08 2015 Elio Maldonado - 3.16.2.3-4
+- Fix race condition
+- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate
+- under the replication replay failure condition
+
+* Wed Jan 07 2015 Elio Maldonado - 3.16.2.3-3
+- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files
+
+* Tue Nov 25 2014 Elio Maldonado - 3.16.2.3-2
+- Restore patch for certutil man page
+- supply missing options descriptions
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+
+* Thu Nov 13 2014 Elio Maldonado - 3.16.2-10
+- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3
+- Support TLS_FALLBACK_SCSV in tstclnt and ssltap
+
+* Mon Sep 29 2014 Elio Maldonado - 3.16.2-9
+- Resolves: Bug 1145434 - CVE-2014-1568
+- Using a release number higher than on rhel-7.0 branch
+
+* Mon Aug 11 2014 Elio Maldonado - 3.16.2-4
+- Fix crash in stan_GetCERTCertificate
+- Resolves: Bug 1094468
+
+* Tue Aug 05 2014 Elio Maldonado 3.16.2-3
+- Generic 32/64 bit platform detection (fix ppc64le build)
+- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies)
+- Fix contributed by Peter Robinson
+
+* Fri Aug 01 2014 Elio Maldonado - 3.16.2-2
+- Fix libssl and test patches that disable ssl2 support
+- Resolves: Bug 1123435
+- Replace expired PayPal test certificate with current one
+
+* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1
+- Rebase to nss-3.16.2
+- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31)
+- Fix test failure detection in the %%check section
+- Move removal of unwanted source directories to the end of the %%prep section
+- Update various patches on account of the rebase
+- Remove unused patches rendered obsolete by the rebase
+
+* Mon Mar 03 2014 Elio Maldonado - 3.15.4-6
+- Disallow disabling the internal module
+- Resolves: Bug 1056036 - nss segfaults with opencryptoki module
+
+* Thu Feb 20 2014 Elio Maldonado - 3.15.4-5
+- Pick up a fix from rhel-6 and fix an rpm conflict
+- Don't hold issuer cert handles in crl cache
+- Resolves: Bug 1034409 - deadlock in trust domain and object lock
+- Move nss shared db files to the main package
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem module fixes verified on RHEL and applied upstream
+- Remove no loger needed pem patches on acccount on this update
+- Add comments documenting the iquote.patch
+- Resolves: Bug 1054457 - CVE-2013-1740
+
+* Sun Jan 26 2014 Elio Maldonado - 3.15.4-3
+- Remove spurious man5 wildcard entry as all manpages are listed by name
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 24 2014 Daniel Mach - 3.15.4-2
+- Mass rebuild 2014-01-24
+
+* Sun Jan 19 2014 Elio Maldonado - 3.15.3-9
+- Rebase to nss-3.15.4
+- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
+- Remove no longer needed patches for manpages that were applied upstream
+- Remove no longer needed patch to disable ocsp stapling tests
+- Update iquote.patch on account of upstream changes
+- Update and rename patch to pem/rsawrapr.c on account of upstream changes
+- Use the pristine upstream sources for nss without repackaging
+- Avoid unneeded manual step which may introduce errors
+
+* Sun Jan 19 2014 Elio Maldonado - 3.15.3-8
+- Fix the spec file to apply the nss ecc list patch for bug 752980
+- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc
+
+* Fri Jan 17 2014 Elio Maldonado - 3.15.3-7
+- Move several nss-sysinit manpages tar archives to the %%files
+- Resolves: Bug 1050163 - Same files in two packages create rpm conflict
+
+* Fri Jan 17 2014 Elio Maldonado - 3.15.3-6
+- Fix a coverity scan compile time warning for the pem module
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Wed Jan 15 2014 Elio Maldonado - 3.15.3-5
+- Resolves: Bug 1002271 - NSS pem module should not require unique base file names
+
+* Thu Jan 09 2014 Elio Maldonado - 3.15.3-4
+- Improve pluggable ECC support for ECDSA
+- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package
+
+* Fri Dec 27 2013 Daniel Mach - 3.15.3-3
+- Mass rebuild 2013-12-27
+
+* Thu Dec 12 2013 Elio Maldonado - 3.15.3-2
+- Revoke trust in one mis-issued anssi certificate
+- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0]
+
+* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
+
+* Wed Nov 13 2013 Elio Maldonado - 3.15.2-10
+- Fix path to script and remove -- from some options in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws
+
+* Tue Nov 12 2013 Elio Maldonado - 3.15.2-9
+- Fix certutil man page options names to be consistent with help
+- Resolves: rhbz#948495 - man page scan results for nss
+- Remove incorrect count argument in status description in nss-sysinit man page
+- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions
+
+* Wed Nov 06 2013 Elio Maldonado - 3.15.2-8
+- Fix patch for disabling ssl2 in ssl to correctly set error code
+- Fix syntax error reported in the build.log even tough it succeeds
+- Add patch top ignore setpolicy result
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails
+
+* Sun Nov 03 2013 Elio Maldonado - 3.15.2-7
+- Fix bash syntax error in patch for disabling ssl2 tests
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Sat Nov 02 2013 Elio Maldonado - 3.15.2-6
+- Fix errors in ssl disabling patches for both library and tests
+- Add s390x to the multilib_arches definition used for alt_ckbi
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Thu Oct 31 2013 Elio Maldonado - 3.15.2-5
+- Fix errors in nss-sysinit manpage options descriptions
+- Resolves: rhbz#982723
+
+* Tue Oct 29 2013 Elio Maldonado - 3.15.2-4
+- Enable fips when system is in fips mode
+- Resolves: rhbz#852023 - FIPS mode detection does not work
+
+* Tue Oct 29 2013 Elio Maldonado - 3.15.2-3
+- Remove unused and obsoleted patches
+- Related: rhbz#1012656
+
+* Mon Oct 28 2013 Elio Maldonado - 3.15.2-2
+- Add description of the certutil's --email option to it's manpage
+- Resolves: rhbz#Bug 948495 - Man page scan results for nss
+
+* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1
+- Rebase to nss-3.15.2
+- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL
+
+* Fri Oct 11 2013 Elio Maldonado - 3.15.1-4
+- Install symlink to nss-sysinit.sh without the .sh suffix
+- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script
+
+* Tue Oct 08 2013 Elio Maldonado - 3.15.1-3
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2
+- Add upstream bug URL for a patch subitted upstream and remove obsolete script
+
+* Wed Jul 24 2013 Elio Maldonado - 3.15.1-2
+- Update to NSS_3_15_1_RTM
+- Apply various fixes to the man pages and add new ones
+- Enable the iquote.patch to access newly introduced types
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Add missing option descriptions for {cert|cms|crl}util
+- Resolves: rhbz#948495 - Man page scan results for nss
+- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado - 3.15-6
+- Use the unstripped source tar ball
+
+* Wed Jun 19 2013 Elio Maldonado - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Tue May 14 2013 Elio Maldonado - 3.14.3-13.0
+- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch
+
+* Fri Apr 19 2013 Kai Engert - 3.14.3-12.0
+- Add upstream patch to fix rhbz#872761
+
+* Sun Mar 24 2013 Kai Engert - 3.14.3-11
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai Engert - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 05 2011 Elio Maldonado - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert - 3.12.11-2
+- Update builtins certs to those from NSSCKBI_1_87_RTM
+
+* Tue Aug 09 2011 Elio Maldonado - 3.12.11-1
+- Update to NSS_3_12_11_RTM
+
+* Sat Jul 23 2011 Elio Maldonado - 3.12.10-6
+- Indicate the provenance of stripped source tarball (#688015)
+
+* Mon Jun 27 2011 Michael Schwendt - 3.12.10-5
+- Provide virtual -static package to meet guidelines (#609612).
+
+* Fri Jun 10 2011 Elio Maldonado - 3.12.10-4
+- Enable pluggable ecc support (#712556)
+- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045)
+
+* Fri May 20 2011 Dennis Gilmore - 3.12.10-3
+- make the testsuite non fatal on arm arches
+
+* Tue May 17 2011 Elio Maldonado - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703656)
+
+* Fri May 06 2011 Elio Maldonado - 3.12.10-1
+- Update to NSS_3_12_10_RTM
+
+* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1
+- Update to NSS_3_12_10_BETA1
+
+* Mon Apr 11 2011 Elio Maldonado - 3.12.9-15
+- Implement PEM logging using NSPR's own (#695011)
+
+* Wed Mar 23 2011 Elio Maldonado - 3.12.9-14
+- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
+
+* Thu Feb 24 2011 Elio Maldonado - 3.12.9-13
+- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
+
+* Fri Feb 18 2011 Elio Maldonado - 3.12.9-12
+- Add a missing requires for pkcs11-devel (#675196)
+
+* Tue Feb 15 2011 Elio Maldonado - 3.12.9-11
+- Run the test suites in the check section (#677809)
+
+* Thu Feb 10 2011 Elio Maldonado - 3.12.9-10
+- Fix cms headers to not use c++ reserved words (#676036)
+- Reenabling Bug 499444 patches
+- Fix to swap internal key slot on fips mode switches
+
+* Tue Feb 08 2011 Elio Maldonado - 3.12.9-9
+- Revert patches for 499444 until all c++ reserved words are found and extirpated
+
+* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 08 2011 Elio Maldonado - 3.12.9-7
+- Fix cms header to not use c++ reserved word (#676036)
+- Reenable patches for bug 499444
+
+* Tue Feb 08 2011 Christopher Aillon - 3.12.9-6
+- Revert patches for 499444 as they use a C++ reserved word and
+ cause compilation of Firefox to fail
+
+* Fri Feb 04 2011 Elio Maldonado - 3.12.9-5
+- Fix the earlier infinite recursion patch (#499444)
+- Remove a header that now nss-softokn-freebl-devel ships
+
+* Tue Feb 01 2011 Elio Maldonado - 3.12.9-4
+- Fix infinite recursion when encoding NSS enveloped/digested data (#499444)
+
+* Mon Jan 31 2011 Elio Maldonado - 3.12.9-3
+- Update the cacert trust patch per upstream review requests (#633043)
+
+* Wed Jan 19 2011 Elio Maldonado - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
+* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1
+- Update to 3.12.9
+
+* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2
+- Rebuilt according to fedora pre-release package naming guidelines
+
+* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1
+- Update to NSS_3_12_9_BETA2
+- Fix libpnsspem crash when cacert dir contains other directories (#642433)
+
+* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1
+- Update to NSS_3_12_9_BETA1
+
+* Thu Nov 25 2010 Elio Maldonado - 3.12.8-9
+- Update pem source tar with fixes for 614532 and 596674
+- Remove no longer needed patches
+
+* Fri Nov 05 2010 Elio Maldonado - 3.12.8-8
+- Update PayPalEE.cert test certificate which had expired
+
+* Sun Oct 31 2010 Elio Maldonado - 3.12.8-7
+- Tell rpm not to verify md5, size, and modtime of configurations file
+
+* Mon Oct 18 2010 Elio Maldonado - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
+* Wed Oct 06 2010 Elio Maldonado - 3.12.8-5
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado - 3.12.8-4
+- Fix invalid %%postun scriptlet (#639248)
+
+* Wed Sep 29 2010 Elio Maldonado - 3.12.8-3
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Mon Sep 27 2010 Elio Maldonado - 3.12.8-2
+- Add posttrans scriptlet (#636787)
+
+* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1
+- Update to 3.12.8
+- Prevent disabling of nss-sysinit on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
+- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sat Sep 18 2010 Elio Maldonado - 3.12.7.99.4-1
+- NSS 3.12.8 RC0
+
+* Sun Sep 05 2010 Elio Maldonado - 3.12.7.99.3-2
+- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3
+
+* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1
+- NSS 3.12.8 Beta3
+- Fix unclosed comment in renegotiate-transitional.patch
+
+* Sat Aug 28 2010 Elio Maldonado - 3.12.7-3
+- Change BuildRequries to available version of nss-util-devel
+
+* Sat Aug 28 2010 Elio Maldonado - 3.12.7-2
+- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
+- Add comments regarding an unversioned provides which triggers rpmlint warning
+- Build requires nss-softokn-devel >= 3.12.7
+
+* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1
+- Update to 3.12.7
+
+* Sat Aug 14 2010 Elio Maldonado - 3.12.6-12
+- Apply the patches to fix rhbz#614532
+
+* Mon Aug 09 2010 Elio Maldonado - 3.12.6-11
+- Removed pem sourecs as they are in the cache
+
+* Mon Aug 09 2010 Elio Maldonado - 3.12.6-10
+- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
+
+* Sat Jul 31 2010 Elio Maldonado - 3.12.6-9
+- Fix nsssysinit to return userdb ahead of systemdb (#603313)
+
+* Tue Jun 08 2010 Dennis Gilmore - 3.12.6-8
+- Require and BuildRequire >= the listed version not =
+
+* Tue Jun 08 2010 Elio Maldonado - 3.12.6-7
+- Require nss-softoken 3.12.6
+
+* Sun Jun 06 2010 Elio Maldonado