diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b5e48bc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+/PayPalEE.cert
+/blank-cert8.db
+/blank-cert9.db
+/blank-key3.db
+/blank-key4.db
+/blank-secmod.db
+/nss-3.67.tar.gz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/cert8.db.xml b/cert8.db.xml
new file mode 100644
index 0000000..e82948d
--- /dev/null
+++ b/cert8.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ cert8.db
+ 5
+
+
+
+ cert8.db
+ Legacy NSS certificate database
+
+
+
+ Description
+ cert8.db is an NSS certificate database.
+ This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/cert8.db
+
+
+
+ See also
+ cert9.db(5), key4.db(5), pkcs11.txt(5),
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/cert9.db.xml b/cert9.db.xml
new file mode 100644
index 0000000..815d3f9
--- /dev/null
+++ b/cert9.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ cert9.db
+ 5
+
+
+
+ cert9.db
+ NSS certificate database
+
+
+
+ Description
+ cert9.db is an NSS certificate database.
+ This certificate database is the sqlite-based shared database with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/cert9.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/iquote.patch b/iquote.patch
new file mode 100644
index 0000000..6e4adcd
--- /dev/null
+++ b/iquote.patch
@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+ SQLITE_LIB_NAME = sqlite3
+ endif
+
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included
diff --git a/key3.db.xml b/key3.db.xml
new file mode 100644
index 0000000..444d7aa
--- /dev/null
+++ b/key3.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ key3.db
+ 5
+
+
+
+ key3.db
+ Legacy NSS certificate database
+
+
+
+ Description
+ key3.db is an NSS certificate database.
+ This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/key3.db
+
+
+
+ See also
+ cert9.db(5), key4.db(5), pkcs11.txt(5),
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/key4.db.xml b/key4.db.xml
new file mode 100644
index 0000000..9b65f41
--- /dev/null
+++ b/key4.db.xml
@@ -0,0 +1,59 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ key4.db
+ 5
+
+
+
+ key4.db
+ NSS certificate database
+
+
+
+ Description
+ key4.db is an NSS key database.
+ This key database is the sqlite-based shared database format with support for concurrent access.
+
+
+
+
+ Files
+ /etc/pki/nssdb/key4.db
+
+
+
+ See also
+ pkcs11.txt(5)
+
+
+
+ Authors
+ The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
+
diff --git a/nss-3.44-kbkdf-coverity.patch b/nss-3.44-kbkdf-coverity.patch
new file mode 100644
index 0000000..1ef1d8d
--- /dev/null
+++ b/nss-3.44-kbkdf-coverity.patch
@@ -0,0 +1,39 @@
+diff -up ./lib/softoken/kbkdf.c.coverity ./lib/softoken/kbkdf.c
+--- ./lib/softoken/kbkdf.c.coverity 2019-12-03 15:33:43.047732312 -0800
++++ ./lib/softoken/kbkdf.c 2019-12-03 15:39:40.982578357 -0800
+@@ -534,6 +534,10 @@ CK_RV kbkdf_CreateKey(CK_SESSION_HANDLE
+ PR_ASSERT(derived_key != NULL);
+ PR_ASSERT(derived_key->phKey != NULL);
+
++ if (slot == NULL) {
++ return CKR_SESSION_HANDLE_INVALID;
++ }
++
+ /* Create the new key object for this additional derived key. */
+ key = sftk_NewObject(slot);
+ if (key == NULL) {
+@@ -589,7 +593,9 @@ done:
+ sftk_FreeObject(key);
+
+ /* Doesn't do anything. */
+- sftk_FreeSession(session);
++ if (session) {
++ sftk_FreeSession(session);
++ }
+
+ return ret;
+ }
+diff -up ./lib/softoken/sftkhmac.c.coverity ./lib/softoken/sftkhmac.c
+--- ./lib/softoken/sftkhmac.c.coverity 2019-12-03 15:40:06.108848341 -0800
++++ ./lib/softoken/sftkhmac.c 2019-12-03 15:41:04.919480267 -0800
+@@ -232,7 +232,9 @@ sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHA
+ keyval->attrib.ulValueLen, isFIPS);
+
+ done:
+- sftk_FreeAttribute(keyval);
++ if (keyval) {
++ sftk_FreeAttribute(keyval);
++ }
+ return ret;
+ }
+
diff --git a/nss-3.53.1-measure-fix.patch b/nss-3.53.1-measure-fix.patch
new file mode 100644
index 0000000..a312936
--- /dev/null
+++ b/nss-3.53.1-measure-fix.patch
@@ -0,0 +1,24 @@
+diff -up ./coreconf/config.gypi.orig ./coreconf/config.gypi
+--- ./coreconf/config.gypi.orig 2020-06-16 15:50:59.000000000 -0700
++++ ./coreconf/config.gypi 2020-10-15 16:05:37.542761192 -0700
+@@ -363,7 +363,7 @@
+ '_DEFAULT_SOURCE', # for functions, strdup, realpath, and getentropy
+ '_BSD_SOURCE', # for the above in glibc <= 2.19
+ '_POSIX_SOURCE', # for
+- 'SQL_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
++ 'SDB_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
+ ],
+ }],
+ [ 'OS=="dragonfly" or OS=="freebsd"', {
+diff -up ./coreconf/Linux.mk.orig ./coreconf/Linux.mk
+--- ./coreconf/Linux.mk.orig 2020-10-15 16:05:04.794591674 -0700
++++ ./coreconf/Linux.mk 2020-10-15 16:05:37.543761197 -0700
+@@ -21,7 +21,7 @@ ifeq ($(USE_PTHREADS),1)
+ endif
+
+ DEFAULT_COMPILER = gcc
+-DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSQL_MEASURE_USE_TEMP_DIR
++DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR
+
+ ifeq ($(OS_TARGET),Android)
+ ifndef ANDROID_NDK
diff --git a/nss-3.66-disable-external-host-test.patch b/nss-3.66-disable-external-host-test.patch
new file mode 100644
index 0000000..7f04502
--- /dev/null
+++ b/nss-3.66-disable-external-host-test.patch
@@ -0,0 +1,14 @@
+diff -up ./tests/ssl/ssl.sh.brew ./tests/ssl/ssl.sh
+--- ./tests/ssl/ssl.sh.brew 2021-06-12 11:37:46.153265942 -0700
++++ ./tests/ssl/ssl.sh 2021-06-12 11:39:43.069925034 -0700
+@@ -1641,7 +1641,9 @@ ssl_run_tests()
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+ ssl_policy_listsuites
+ ssl_policy_selfserv
+- ssl_policy_pkix_ocsp
++ # requires access to external servers, which fails
++ # when running in brew
++ #ssl_policy_pkix_ocsp
+ ssl_policy
+ fi
+ ;;
diff --git a/nss-3.66-disable-signature-policies.patch b/nss-3.66-disable-signature-policies.patch
new file mode 100644
index 0000000..3329634
--- /dev/null
+++ b/nss-3.66-disable-signature-policies.patch
@@ -0,0 +1,42 @@
+diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2021-06-03 10:08:49.988118880 -0700
++++ ./lib/pk11wrap/pk11pars.c 2021-06-03 10:16:26.059935708 -0700
+@@ -391,12 +391,9 @@ static const oidValDef signOptList[] = {
+ /* Signatures */
+ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
++ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
++ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
+ };
+
+ typedef struct {
+@@ -412,7 +409,7 @@ static const algListsDef algOptLists[] =
+ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
++ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ };
+
+ static const optionFreeDef sslOptList[] = {
+diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800
++++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800
+@@ -193,7 +193,9 @@
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
+- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
++# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
++# compatibility reasons
++# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ # test default settings
+ # NOTE: tstclient will attempt to overide the defaults, so we detect we
+ # were successful by locking in our settings
diff --git a/nss-3.66-fix-gtest-parsing.patch b/nss-3.66-fix-gtest-parsing.patch
new file mode 100644
index 0000000..7e5ff4b
--- /dev/null
+++ b/nss-3.66-fix-gtest-parsing.patch
@@ -0,0 +1,16 @@
+diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
+--- ./tests/common/parsegtestreport.sed.new_gtest 2021-06-17 16:26:49.361035662 -0700
++++ ./tests/common/parsegtestreport.sed 2021-06-17 16:49:08.512261136 -0700
+@@ -1,8 +1,11 @@
+ /\len) {
+ case 1536 / PR_BITS_PER_BYTE:
++ /* don't accept 1536 bit primes in FIPS mode */
++ if (isFIPS) {
++ break;
++ }
+ if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
+ sizeof(prime_ike_1536)) == 0) {
+ return &subprime_ike_1536;
diff --git a/nss-3.66-restore-old-pkcs12-default.patch b/nss-3.66-restore-old-pkcs12-default.patch
new file mode 100644
index 0000000..54f020c
--- /dev/null
+++ b/nss-3.66-restore-old-pkcs12-default.patch
@@ -0,0 +1,44 @@
+diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.orig 2021-05-28 02:50:43.000000000 -0700
++++ ./cmd/pk12util/pk12util.c 2021-06-15 17:05:37.200262345 -0700
+@@ -1031,9 +1031,11 @@ main(int argc, char **argv)
+ char *export_file = NULL;
+ char *dbprefix = "";
+ SECStatus rv;
+- SECOidTag cipher = SEC_OID_AES_256_CBC;
+- SECOidTag hash = SEC_OID_SHA256;
+- SECOidTag certCipher = SEC_OID_AES_128_CBC;
++ SECOidTag cipher =
++ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
++ SECOidTag hash = SEC_OID_SHA1;
++ SECOidTag certCipher =
++ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
+ int keyLen = 0;
+ int certKeyLen = 0;
+ secuCommand pk12util;
+@@ -1147,6 +1149,9 @@ main(int argc, char **argv)
+ }
+ }
+
++ if (PK11_IsFIPS()) {
++ certCipher = SEC_OID_UNKNOWN;
++ }
+ if (pk12util.options[opt_CertCipher].activated) {
+ char *cipherString = pk12util.options[opt_CertCipher].arg;
+
+diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
+--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
++++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
+@@ -47,9 +47,9 @@
+ "PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
+
+ # if we change the defaults in pk12util, update these variables
+- export CERT_ENCRYPTION_DEFAULT="AES-128-CBC"
+- export KEY_ENCRYPTION_DEFAULT="AES-256-CBC"
+- export HASH_DEFAULT="SHA-256"
++ export CERT_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1And40BitRc2Cbc}
++ export KEY_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1AndTripleDESCBC}
++ export HASH_DEFAULT="SHA-1"
+
+ export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\
+ ${pkcs5pbeWithMD5AndDEScbc},\
diff --git a/nss-3.67-cve-2021-43527-test.patch b/nss-3.67-cve-2021-43527-test.patch
new file mode 100644
index 0000000..51cb8e0
--- /dev/null
+++ b/nss-3.67-cve-2021-43527-test.patch
@@ -0,0 +1,325 @@
+diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-dsa.crt
+@@ -0,0 +1,143 @@
++-----BEGIN CERTIFICATE-----
++MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
++RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
++WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
++dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
++u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
++zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
++ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
++7u7u7u7uAoIIAQD/////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++////////////////////////////////////////////////////////////////
++/////////////////////////////////////////////////////////w==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-rsa-pss.crt
+@@ -0,0 +1,126 @@
++-----BEGIN CERTIFICATE-----
++MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
++AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
++EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
++MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
++AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
++CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
++CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -114,16 +114,28 @@ certu()
+ cert_log "ERROR: ${CU_ACTION} failed $RET"
+ else
+ html_passed "${CU_ACTION}"
+ fi
+
+ return $RET
+ }
+
++cert_test_vfy()
++{
++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++ echo " vfychain -a Leaf-bogus-dsa.crt"
++ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt
++ html_msg $? 1 "Verify large dsa signature"
++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++ echo " vfychain -a Leaf-bogus-rsa-pss.crt"
++ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
++ html_msg $? 1 "Verify large rsa pss signature"
++}
++
+ ################################ crlu #################################
+ # local shell function to call crlutil, also: writes action and options to
+ # stdout, sets variable RET and writes results to the html file results
+ ########################################################################
+ crlu()
+ {
+ echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+
+@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ else
+ echo "$SCRIPTNAME: Skipping CRL Tests"
+ fi
+
+ if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+ cert_stresscerts
+ fi
+
++cert_test_vfy
++
+ cert_iopr_setup
+
+ cert_cleanup
diff --git a/nss-3.67-cve-2021-43527.patch b/nss-3.67-cve-2021-43527.patch
new file mode 100644
index 0000000..8fc81d3
--- /dev/null
+++ b/nss-3.67-cve-2021-43527.patch
@@ -0,0 +1,279 @@
+diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
+--- a/lib/cryptohi/secvfy.c
++++ b/lib/cryptohi/secvfy.c
+@@ -164,6 +164,37 @@
+ PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
+ }
+
++static unsigned int
++checkedSignatureLen(const SECKEYPublicKey *pubk)
++{
++ unsigned int sigLen = SECKEY_SignatureLen(pubk);
++ if (sigLen == 0) {
++ /* Error set by SECKEY_SignatureLen */
++ return sigLen;
++ }
++ unsigned int maxSigLen;
++ switch (pubk->keyType) {
++ case rsaKey:
++ case rsaPssKey:
++ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
++ break;
++ case dsaKey:
++ maxSigLen = DSA_MAX_SIGNATURE_LEN;
++ break;
++ case ecKey:
++ maxSigLen = 2 * MAX_ECKEY_LEN;
++ break;
++ default:
++ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
++ return 0;
++ }
++ if (sigLen > maxSigLen) {
++ PORT_SetError(SEC_ERROR_INVALID_KEY);
++ return 0;
++ }
++ return sigLen;
++}
++
+ /*
+ * decode the ECDSA or DSA signature from it's DER wrapping.
+ * The unwrapped/raw signature is placed in the buffer pointed
+@@ -174,38 +205,38 @@
+ unsigned int len)
+ {
+ SECItem *dsasig = NULL; /* also used for ECDSA */
+- SECStatus rv = SECSuccess;
+
+- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
+- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
+- if (sig->len != len) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
++ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
++ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
++ if (len > DSA_MAX_SIGNATURE_LEN) {
++ goto loser;
+ }
+-
+- PORT_Memcpy(dsig, sig->data, sig->len);
+- return SECSuccess;
++ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
++ if (len > MAX_ECKEY_LEN * 2) {
++ goto loser;
++ }
++ } else {
++ goto loser;
+ }
+
+- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+- if (len > MAX_ECKEY_LEN * 2) {
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return SECFailure;
+- }
++ /* Decode and pad to length */
++ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
++ if (dsasig == NULL) {
++ goto loser;
+ }
+- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+-
+- if ((dsasig == NULL) || (dsasig->len != len)) {
+- rv = SECFailure;
+- } else {
+- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
++ if (dsasig->len != len) {
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++ goto loser;
+ }
+
+- if (dsasig != NULL)
+- SECITEM_FreeItem(dsasig, PR_TRUE);
+- if (rv == SECFailure)
+- PORT_SetError(SEC_ERROR_BAD_DER);
+- return rv;
++ PORT_Memcpy(dsig, dsasig->data, len);
++ SECITEM_FreeItem(dsasig, PR_TRUE);
++
++ return SECSuccess;
++
++loser:
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
+ }
+
+ const SEC_ASN1Template hashParameterTemplate[] =
+@@ -281,7 +312,7 @@
+ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
+ const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
+ {
+- int len;
++ unsigned int len;
+ PLArenaPool *arena;
+ SECStatus rv;
+ SECItem oid;
+@@ -466,48 +497,52 @@
+ cx->pkcs1RSADigestInfo = NULL;
+ rv = SECSuccess;
+ if (sig) {
+- switch (type) {
+- case rsaKey:
+- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+- &cx->pkcs1RSADigestInfo,
+- &cx->pkcs1RSADigestInfoLen,
+- cx->key,
+- sig, wincx);
+- break;
+- case rsaPssKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
++ rv = SECFailure;
++ if (type == rsaKey) {
++ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
++ &cx->pkcs1RSADigestInfo,
++ &cx->pkcs1RSADigestInfoLen,
++ cx->key,
++ sig, wincx);
++ } else {
++ sigLen = checkedSignatureLen(key);
++ /* Check signature length is within limits */
++ if (sigLen == 0) {
++ /* error set by checkedSignatureLen */
++ rv = SECFailure;
++ goto loser;
++ }
++ if (sigLen > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ switch (type) {
++ case rsaPssKey:
++ if (sig->len != sigLen) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ rv = SECFailure;
++ goto loser;
++ }
++ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
++ rv = SECSuccess;
+ break;
+- }
+- if (sig->len != sigLen) {
+- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ case ecKey:
++ case dsaKey:
++ /* decodeECorDSASignature will check sigLen == sig->len after padding */
++ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
++ break;
++ default:
++ /* Unreachable */
+ rv = SECFailure;
+- break;
+- }
+- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+- break;
+- case dsaKey:
+- case ecKey:
+- sigLen = SECKEY_SignatureLen(key);
+- if (sigLen == 0) {
+- /* error set by SECKEY_SignatureLen */
+- rv = SECFailure;
+- break;
+- }
+- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+- break;
+- default:
+- rv = SECFailure;
+- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+- break;
++ goto loser;
++ }
++ }
++ if (rv != SECSuccess) {
++ goto loser;
+ }
+ }
+
+- if (rv)
+- goto loser;
+-
+ /* check hash alg again, RSA may have changed it.*/
+ if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
+ /* error set by HASH_GetHashTypeByOidTag */
+@@ -650,11 +685,16 @@
+ switch (cx->key->keyType) {
+ case ecKey:
+ case dsaKey:
+- dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
+ return SECFailure;
+ }
++ if (dsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ return SECFailure;
++ }
++ dsasig.data = cx->u.buffer;
++
+ if (sig) {
+ rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
+ dsasig.len);
+@@ -686,8 +726,13 @@
+ }
+
+ rsasig.data = cx->u.buffer;
+- rsasig.len = SECKEY_SignatureLen(cx->key);
++ rsasig.len = checkedSignatureLen(cx->key);
+ if (rsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ return SECFailure;
++ }
++ if (rsasig.len > sizeof(cx->u)) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ if (sig) {
+@@ -749,7 +794,6 @@
+ SECStatus rv;
+ VFYContext *cx;
+ SECItem dsasig; /* also used for ECDSA */
+-
+ rv = SECFailure;
+
+ cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
+@@ -757,19 +801,25 @@
+ switch (key->keyType) {
+ case rsaKey:
+ rv = verifyPKCS1DigestInfo(cx, digest);
++ /* Error (if any) set by verifyPKCS1DigestInfo */
+ break;
+- case dsaKey:
+ case ecKey:
++ case dsaKey:
+ dsasig.data = cx->u.buffer;
+- dsasig.len = SECKEY_SignatureLen(cx->key);
++ dsasig.len = checkedSignatureLen(cx->key);
+ if (dsasig.len == 0) {
++ /* Error set by checkedSignatureLen */
++ rv = SECFailure;
+ break;
+ }
+- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
+- SECSuccess) {
++ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+- } else {
+- rv = SECSuccess;
++ rv = SECFailure;
++ break;
++ }
++ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
++ if (rv != SECSuccess) {
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ }
+ break;
+ default:
+
diff --git a/nss-3.67-fix-coverity-issues.patch b/nss-3.67-fix-coverity-issues.patch
new file mode 100644
index 0000000..a68fa57
--- /dev/null
+++ b/nss-3.67-fix-coverity-issues.patch
@@ -0,0 +1,45 @@
+diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
+--- ./lib/pk11wrap/pk11cxt.c.coverity 2021-06-18 09:36:19.499203028 -0700
++++ ./lib/pk11wrap/pk11cxt.c 2021-06-18 09:37:57.993765299 -0700
+@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
+ * of the connection.*/
+ context->fortezzaHack = PR_FALSE;
+ if (type == CKM_SKIPJACK_CBC64) {
+- if (symKey->origin == PK11_OriginFortezzaHack) {
++ if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
+ context->fortezzaHack = PR_TRUE;
+ }
+ }
+diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
+--- ./lib/pk11wrap/pk11hpke.c.coverity 2021-06-18 13:40:05.410644464 -0700
++++ ./lib/pk11wrap/pk11hpke.c 2021-06-18 13:42:40.627606469 -0700
+@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+ unsigned char tagBuf[HASH_LENGTH_MAX];
+ size_t tagLen;
+ unsigned int fixedBits;
+- PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+- PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+
+ /* aad may be NULL, PT may be zero-length but not NULL. */
+ if (!cx || !cx->aeadContext ||
+@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
+ return SECFailure;
+ }
+
++ PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
++ PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
++
+ tagLen = cx->aeadParams->tagLen;
+ maxOut = pt->len + tagLen;
+ fixedBits = (cx->baseNonce->len - 8) * 8;
+diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
+--- ./lib/softoken/sftkike.c.coverity 2021-06-18 09:33:59.633405513 -0700
++++ ./lib/softoken/sftkike.c 2021-06-18 09:34:20.305523382 -0700
+@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
+ (outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
+ (PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
+ sizeof(ike_known_sha256_prf_plus)) != 0)) {
+- PORT_ZFree(outKeyData, outKeySize);
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
diff --git a/nss-3.67-fix-private-key-mac.patch b/nss-3.67-fix-private-key-mac.patch
new file mode 100644
index 0000000..d211940
--- /dev/null
+++ b/nss-3.67-fix-private-key-mac.patch
@@ -0,0 +1,81 @@
+diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
+--- ./lib/softoken/sftkpwd.c.orig 2021-06-10 05:33:12.000000000 -0700
++++ ./lib/softoken/sftkpwd.c 2021-07-01 14:04:34.068596942 -0700
+@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
+ }
+
+ /* If we are using aes 256, we need to check authentication as well.*/
+- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
++ if ((type != CKT_INVALID_TYPE) &&
++ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
++ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
+ SECItem signature;
+ unsigned char signData[SDB_MAX_META_DATA_LEN];
++ CK_RV crv;
+
+ /* if we get here from the old legacy db, there is clearly an
+ * error, don't return the plaintext */
+@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
+
+ signature.data = signData;
+ signature.len = sizeof(signData);
+- rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
++ rv = SECFailure;
++ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
++ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ &signature);
+- if (rv != SECSuccess) {
+- goto loser;
++ if (crv == CKR_OK) {
++ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
++ type, *plain, &signature);
+ }
+- rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
+- *plain, &signature);
+ if (rv != SECSuccess) {
+- goto loser;
++ /* handle a bug where old versions of NSS misfiled the signature
++ * attribute on password update */
++ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
++ signature.len = sizeof(signData);
++ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
++ &signature);
++ if (crv != CKR_OK) {
++ rv = SECFailure;
++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
++ goto loser;
++ }
++ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
++ type, *plain, &signature);
+ }
+ }
+
+@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
+ unsigned int i;
+ for (i = 0; i < privAttrCount; i++) {
+ // Read the old attribute in the clear.
++ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
+ CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
+ CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
+ if (crv != CKR_OK) {
+@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
+ plainText.data = privAttr.pValue;
+ plainText.len = privAttr.ulValueLen;
+ if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
+- iterationCount, id, privAttr.type,
++ iterationCount, sdbId, privAttr.type,
+ &plainText, &result) != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
+ PORT_Memset(plainText.data, 0, plainText.len);
+
+ // Write the newly encrypted attributes out directly.
+- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
+ keydb->newKey = newKey;
+ keydb->newDefaultIterationCount = iterationCount;
+- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
++ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
+ keydb->newKey = NULL;
+ if (crv != CKR_OK) {
+ return crv;
diff --git a/nss-3.67-fix-sdb-timeout.patch b/nss-3.67-fix-sdb-timeout.patch
new file mode 100644
index 0000000..120cb5b
--- /dev/null
+++ b/nss-3.67-fix-sdb-timeout.patch
@@ -0,0 +1,63 @@
+diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c
+--- a/lib/softoken/sdb.c
++++ b/lib/softoken/sdb.c
+@@ -1519,16 +1519,18 @@ sdb_Begin(SDB *sdb)
+
+ sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
+
+ do {
+ sqlerr = sqlite3_step(stmt);
+ if (sqlerr == SQLITE_BUSY) {
+ PR_Sleep(SDB_BUSY_RETRY_TIME);
+ }
++ /* don't retry BEGIN transaction*/
++ retry = 0;
+ } while (!sdb_done(sqlerr, &retry));
+
+ if (stmt) {
+ sqlite3_reset(stmt);
+ sqlite3_finalize(stmt);
+ }
+
+ loser:
+diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
+--- a/lib/softoken/sftkdb.c
++++ b/lib/softoken/sftkdb.c
+@@ -1521,17 +1521,17 @@ sftkdb_DestroyObject(SFTKDBHandle *handl
+ if (handle == NULL) {
+ return CKR_TOKEN_WRITE_PROTECTED;
+ }
+ db = SFTK_GET_SDB(handle);
+ objectID &= SFTK_OBJ_ID_MASK;
+
+ crv = (*db->sdb_Begin)(db);
+ if (crv != CKR_OK) {
+- goto loser;
++ return crv;
+ }
+ crv = (*db->sdb_DestroyObject)(db, objectID);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ /* if the database supports meta data, delete any old signatures
+ * that we may have added */
+ if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
+@@ -2456,17 +2456,17 @@ sftkdb_Update(SFTKDBHandle *handle, SECI
+ return CKR_OK;
+ }
+ /*
+ * put the whole update under a transaction. This allows us to handle
+ * any possible race conditions between with the updateID check.
+ */
+ crv = (*handle->db->sdb_Begin)(handle->db);
+ if (crv != CKR_OK) {
+- goto loser;
++ return crv;
+ }
+ inTransaction = PR_TRUE;
+
+ /* some one else has already updated this db */
+ if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
+ handle->db, handle->updateID)) {
+ crv = CKR_OK;
+ goto done;
diff --git a/nss-3.67-fix-ssl-alerts.patch b/nss-3.67-fix-ssl-alerts.patch
new file mode 100644
index 0000000..10cdaf5
--- /dev/null
+++ b/nss-3.67-fix-ssl-alerts.patch
@@ -0,0 +1,122 @@
+diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.alert-fix 2021-06-10 05:33:12.000000000 -0700
++++ ./lib/ssl/ssl3con.c 2021-07-06 17:08:25.894018521 -0700
+@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch
+ if (!ssl_IsSupportedSignatureScheme(scheme)) {
+ return PR_FALSE;
+ }
+- if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
++ /* if we are purposefully passed SEC_OID_UNKOWN, it means
++ * we not checking the scheme against a potential key, so skip
++ * the call */
++ if ((spkiOid != SEC_OID_UNKNOWN) &&
++ !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
+ return PR_FALSE;
+ }
+ if (isTls13) {
+@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS
+ }
+
+ /* Verify that the signature scheme matches the signing key. */
+- if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
++ if ((spkiOid == SEC_OID_UNKNOWN) ||
++ !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
+ PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+ return SECFailure;
+ }
+@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS
+ PRBool
+ ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
+ {
++ PRBool isSupported = PR_FALSE;
+ switch (scheme) {
+ case ssl_sig_rsa_pkcs1_sha1:
+ case ssl_sig_rsa_pkcs1_sha256:
+@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat
+ case ssl_sig_dsa_sha384:
+ case ssl_sig_dsa_sha512:
+ case ssl_sig_ecdsa_sha1:
+- return PR_TRUE;
++ isSupported = PR_TRUE;
++ break;
+
+ case ssl_sig_rsa_pkcs1_sha1md5:
+ case ssl_sig_none:
+@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat
+ case ssl_sig_ed448:
+ return PR_FALSE;
+ }
+- return PR_FALSE;
++ if (isSupported) {
++ SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme));
++ PRUint32 policy;
++ const PRUint32 sigSchemePolicy=
++ NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE;
++ /* check hash policy */
++ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
++ ((policy & sigSchemePolicy) != sigSchemePolicy)) {
++ return PR_FALSE;
++ }
++ /* check algorithm policy */
++ }
++ return isSupported;
+ }
+
+ PRBool
+@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss,
+ }
+
+ spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
++ if (spkiOid == SEC_OID_UNKNOWN) {
++ goto loser;
++ }
+
+ /* Now we have to search based on the key type. Go through our preferred
+ * schemes in order and find the first that can be used. */
+@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss,
+ }
+ }
+
++loser:
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ return SECFailure;
+ }
+@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+- if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
++ if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN,
++ (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {;
+ schemes[numSupported++] = (SSLSignatureScheme)tmp;
+ }
+ }
+@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket *
+ PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record);
+ rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
+ if (rv != SECSuccess) {
+- goto loser; /* malformed or unsupported. */
++ errCode = PORT_GetError();
++ /* unsupported == illegal_parameter, others == handshake_failure. */
++ if (errCode == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) {
++ desc = illegal_parameter;
++ }
++ goto alert_loser;
+ }
+ rv = ssl_CheckSignatureSchemeConsistency(
+ ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo);
+diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc
+--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix 2021-07-07 11:32:11.634376932 -0700
++++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2021-07-07 11:33:30.595841110 -0700
+@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature
+ }
+
+ TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
+- const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa
++ // make sure the test uses an algorithm that is legal for
++ // tls 1.3 (or tls 1.3 will through and illegalParameter
++ // instead of a decode error)
++ const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00}; // sha-256, rsa-pss-pss
+ DataBuffer extension(val, sizeof(val));
+ ClientHelloErrorTest(std::make_shared(
+ client_, ssl_signature_algorithms_xtn, extension));
diff --git a/nss-539183.patch b/nss-539183.patch
new file mode 100644
index 0000000..267e71e
--- /dev/null
+++ b/nss-539183.patch
@@ -0,0 +1,62 @@
+--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSockett");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
diff --git a/nss-config.in b/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/nss-config.xml b/nss-config.xml
new file mode 100644
index 0000000..f9518c9
--- /dev/null
+++ b/nss-config.xml
@@ -0,0 +1,132 @@
+
+
+
+]>
+
+
+
+
+ &date;
+ Network Security Services
+ nss
+ &version;
+
+
+
+ nss-config
+ 1
+
+
+
+ nss-config
+ Return meta information about nss libraries
+
+
+
+
+ nss-config
+
+
+
+
+
+
+
+
+
+
+
+ Description
+
+ nss-config is a shell scrip
+ tool which can be used to obtain gcc options for building client pacakges of nspt.
+
+
+
+
+ Options
+
+
+
+
+ Returns the top level system directory under which the nss libraries are installed.
+
+
+
+
+ returns the top level system directory under which any nss binaries would be installed.
+
+
+
+ count
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+ returns the upstream version of nss in the form major_version-minor_version-patch_version.
+
+
+
+
+ returns the compiler linking flags.
+
+
+
+
+ returns the compiler include flags.
+
+
+
+
+ returns the path to the directory were the nss libraries are installed.
+
+
+
+
+
+
+ Examples
+
+ The following example will query for both include path and linkage flags:
+
+
+ /usr/bin/nss-config --cflags --libs
+
+
+
+
+
+
+
+
+ Files
+
+ /usr/bin/nss-config
+
+
+
+
+ See also
+ pkg-config(1)
+
+
+
+ Authors
+ The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+
+
+
+
+
+ LICENSE
+ Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+
+
+
diff --git a/nss-disable-dc.patch b/nss-disable-dc.patch
new file mode 100644
index 0000000..6eae5e4
--- /dev/null
+++ b/nss-disable-dc.patch
@@ -0,0 +1,32 @@
+diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
+--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
++++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
+@@ -57,7 +57,6 @@ CPPSRCS = \
+ tls_filter.cc \
+ tls_protect.cc \
+ tls_psk_unittest.cc \
+- tls_subcerts_unittest.cc \
+ tls_ech_unittest.cc \
+ $(SSLKEYLOGFILE_FILES) \
+ $(NULL)
+diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
++++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
+@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ break;
+
+ case SSL_ENABLE_DELEGATED_CREDENTIALS:
+- ss->opt.enableDelegatedCredentials = val;
++ /* disable it for now */
+ break;
+
+ case SSL_ENABLE_NPN:
+@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
+ break;
+
+ case SSL_ENABLE_DELEGATED_CREDENTIALS:
+- ssl_defaults.enableDelegatedCredentials = val;
++ /* disable it for now */
+ break;
+
+ case SSL_ENABLE_NPN:
diff --git a/nss-disable-md5.patch b/nss-disable-md5.patch
new file mode 100644
index 0000000..827928f
--- /dev/null
+++ b/nss-disable-md5.patch
@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
++++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
+@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
+ static const oidValDef hashOptList[] = {
+ /* Hashes */
+ { CIPHER_NAME("MD2"), SEC_OID_MD2,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD4"), SEC_OID_MD4,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD5"), SEC_OID_MD5,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+ int i;
+
+ for (i = 1; i < SEC_OID_TOTAL; i++) {
++ switch (i) {
++ case SEC_OID_MD2:
++ case SEC_OID_MD4:
++ case SEC_OID_MD5:
++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++ continue;
++ default:
++ break;
++ }
+ if (oids[i].desc && strstr(arg, oids[i].desc)) {
+ xOids[i].notPolicyFlags = notEnable |
+ (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/nss-dso-ldflags.patch b/nss-dso-ldflags.patch
new file mode 100644
index 0000000..d5485ae
--- /dev/null
+++ b/nss-dso-ldflags.patch
@@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
diff --git a/nss-gcm-param-default-pkcs11v2.patch b/nss-gcm-param-default-pkcs11v2.patch
new file mode 100644
index 0000000..2d6cba8
--- /dev/null
+++ b/nss-gcm-param-default-pkcs11v2.patch
@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif
diff --git a/nss-p11-kit.config b/nss-p11-kit.config
new file mode 100644
index 0000000..0ebf073
--- /dev/null
+++ b/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/nss-skip-sysinit-gtests.patch b/nss-skip-sysinit-gtests.patch
new file mode 100644
index 0000000..0a80e48
--- /dev/null
+++ b/nss-skip-sysinit-gtests.patch
@@ -0,0 +1,12 @@
+Index: nss/gtests/manifest.mn
+===================================================================
+--- nss.orig/gtests/manifest.mn
++++ nss/gtests/manifest.mn
+@@ -31,7 +31,6 @@ NSS_SRCDIRS = \
+ smime_gtest \
+ softoken_gtest \
+ ssl_gtest \
+- $(SYSINIT_GTEST) \
+ nss_bogo_shim \
+ pkcs11testmodule \
+ $(NULL)
diff --git a/nss-softokn-config.in b/nss-softokn-config.in
new file mode 100644
index 0000000..c7abe29
--- /dev/null
+++ b/nss-softokn-config.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ echo $libdirs
+fi
+
diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh
new file mode 100644
index 0000000..010ec18
--- /dev/null
+++ b/nss-softokn-dracut-module-setup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ local _dir
+
+ inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+ libfreebl3.so
+}
diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf
new file mode 100644
index 0000000..2d9232e
--- /dev/null
+++ b/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in
new file mode 100644
index 0000000..022ebbf
--- /dev/null
+++ b/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/nss-sysinit-userdb.patch b/nss-sysinit-userdb.patch
new file mode 100644
index 0000000..7347260
--- /dev/null
+++ b/nss-sysinit-userdb.patch
@@ -0,0 +1,106 @@
+Index: nss/lib/sysinit/nsssysinit.c
+===================================================================
+--- nss.orig/lib/sysinit/nsssysinit.c
++++ nss/lib/sysinit/nsssysinit.c
+@@ -36,41 +36,9 @@ testdir(char *dir)
+ return S_ISDIR(buf.st_mode);
+ }
+
+-/**
+- * Append given @dir to @path and creates the directory with mode @mode.
+- * Returns 0 if successful, -1 otherwise.
+- * Assumes that the allocation for @path has sufficient space for @dir
+- * to be added.
+- */
+-static int
+-appendDirAndCreate(char *path, char *dir, mode_t mode)
+-{
+- PORT_Strcat(path, dir);
+- if (!testdir(path)) {
+- if (mkdir(path, mode)) {
+- return -1;
+- }
+- }
+- return 0;
+-}
+-
+-#define XDG_NSS_USER_PATH1 "/.local"
+-#define XDG_NSS_USER_PATH2 "/share"
+-#define XDG_NSS_USER_PATH3 "/pki"
+-
+ #define NSS_USER_PATH1 "/.pki"
+ #define NSS_USER_PATH2 "/nssdb"
+-
+-/**
+- * Return the path to user's NSS database.
+- * We search in the following dirs in order:
+- * (1) $HOME/.pki/nssdb;
+- * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
+- * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
+- * If (1) does not exist, then the returned dir will be set to either
+- * (2) or (3), depending if XDG_DATA_HOME is set.
+- */
+-char *
++static char *
+ getUserDB(void)
+ {
+ char *userdir = PR_GetEnvSecure("HOME");
+@@ -81,47 +49,22 @@ getUserDB(void)
+ }
+
+ nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
++ if (nssdir == NULL) {
++ return NULL;
++ }
+ PORT_Strcpy(nssdir, userdir);
+- PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2);
+- if (testdir(nssdir)) {
+- /* $HOME/.pki/nssdb exists */
+- return nssdir;
+- } else {
+- /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */
++ /* verify it exists */
++ if (!testdir(nssdir)) {
+ PORT_Free(nssdir);
+- }
+- int size = 0;
+- char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME");
+- if (xdguserdatadir) {
+- size = strlen(xdguserdatadir);
+- } else {
+- size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2);
+- }
+- size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2);
+-
+- nssdir = PORT_Alloc(size);
+- if (nssdir == NULL) {
+ return NULL;
+ }
+-
+- if (xdguserdatadir) {
+- PORT_Strcpy(nssdir, xdguserdatadir);
+- if (!testdir(nssdir)) {
+- PORT_Free(nssdir);
+- return NULL;
+- }
+-
+- } else {
+- PORT_Strcpy(nssdir, userdir);
+- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) ||
+- appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) {
+- PORT_Free(nssdir);
+- return NULL;
+- }
++ PORT_Strcat(nssdir, NSS_USER_PATH1);
++ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
++ PORT_Free(nssdir);
++ return NULL;
+ }
+- /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */
+- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) ||
+- appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) {
++ PORT_Strcat(nssdir, NSS_USER_PATH2);
++ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
+ PORT_Free(nssdir);
+ return NULL;
+ }
diff --git a/nss-util-config.in b/nss-util-config.in
new file mode 100644
index 0000000..532abbe
--- /dev/null
+++ b/nss-util-config.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/nss-util.pc.in b/nss-util.pc.in
new file mode 100644
index 0000000..1310248
--- /dev/null
+++ b/nss-util.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/nss.pc.in b/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/nss.spec b/nss.spec
new file mode 100644
index 0000000..3f000bc
--- /dev/null
+++ b/nss.spec
@@ -0,0 +1,2471 @@
+%global nspr_build_version 4.25.0
+%global nspr_version 4.25.0
+%global nss_version 3.67.0
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global saved_files_dir %{_libdir}/nss/saved
+%global dracutlibdir %{_prefix}/lib/dracut
+%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
+%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+
+# The timestamp of our downstream manual pages, e.g., nss-config.1
+%global manual_date "Nov 13 2013"
+
+%bcond_without tests
+
+# Produce .chk files for the final stripped binaries
+#
+# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
+# against the freebl that we just built. This is necessary
+# because the signing algorithm changed on 3.14 to DSA2 with SHA256
+# whereas we previously signed with DSA and SHA1. We must Keep this line
+# until all mock platforms have been updated.
+# After %%{__os_install_post} we would add
+# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
+%{nil}
+
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+ string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_release_tag NSS_%s_RTM",
+ string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
+}
+
+Summary: Network Security Services
+Name: nss
+Version: %{nss_version}
+Release: 7%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_version}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_version}
+Requires: nss-system-init
+Requires: p11-kit-trust
+Requires: /usr/bin/update-crypto-policies
+BuildRequires: nspr-devel >= %{nspr_build_version}
+# for shlibsign
+BuildRequires: nss-softokn
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl-interpreter
+BuildRequires: gcc-c++
+
+Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source1: nss-util.pc.in
+Source2: nss-util-config.in
+Source3: nss-softokn.pc.in
+Source4: nss-softokn-config.in
+Source6: nss-softokn-dracut-module-setup.sh
+Source7: nss-softokn-dracut.conf
+Source8: nss.pc.in
+Source9: nss-config.in
+Source10: blank-cert8.db
+Source11: blank-key3.db
+Source12: blank-secmod.db
+Source13: blank-cert9.db
+Source14: blank-key4.db
+Source15: system-pkcs11.txt
+Source16: setup-nsssysinit.sh
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+Source28: nss-p11-kit.config
+Source30: PayPalEE.cert
+
+# To inject hardening flags for DSO
+Patch1: nss-dso-ldflags.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
+Patch2: nss-539183.patch
+# This patch uses the GCC -iquote option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
+Patch4: iquote.patch
+# To revert the change in:
+# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
+Patch9: nss-sysinit-userdb.patch
+# Disable nss-sysinit test which is solely to test the above change
+Patch10: nss-skip-sysinit-gtests.patch
+
+# For compatibility reasons, we stick with the old PKCS #11 2.40
+# definition of CK_GCM_PARAMS:
+%if 0%{?fedora} < 34
+%if 0%{?rhel} < 9
+Patch20: nss-gcm-param-default-pkcs11v2.patch
+%endif
+%endif
+# Local patch: disable MD5 (also MD2 and MD4) completely
+# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
+Patch25: nss-disable-md5.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Local patch: disable Delegated Credentials
+Patch35: nss-disable-dc.patch
+# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
+# is updated.
+Patch40: nss-3.66-disable-signature-policies.patch
+# Local patch: disable tests that require external reference so brew completes
+Patch45: nss-3.66-disable-external-host-test.patch
+# Local patch: restore old pkcs 12 defaults on old version of rhel
+Patch50: nss-3.66-restore-old-pkcs12-default.patch
+
+# Patches that should be upstreamed, and (hopefully) will disappear next
+# rebase
+# Need upstream bug
+Patch219: nss-3.44-kbkdf-coverity.patch
+# no upsteam bug yet
+Patch225: nss-3.67-fix-private-key-mac.patch
+# no upstream bug yet
+Patch229: nss-3.53.1-measure-fix.patch
+# no upstream bug yet
+Patch230: nss-3.66-no-small-primes.patch
+# no upstream bug yet
+Patch232: nss-3.66-fix-gtest-parsing.patch
+# no upstream bug yet
+Patch233: nss-3.67-fix-coverity-issues.patch
+# no upstream bug yet
+Patch234: nss-3.67-fix-sdb-timeout.patch
+# no upstream bug yet
+Patch235: nss-3.67-fix-ssl-alerts.patch
+Patch300: nss-3.67-cve-2021-43527.patch
+Patch301: nss-3.67-cve-2021-43527-test.patch
+
+
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Provides: nss-static = %{version}-%{release}
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+Requires: nss-softokn-freebl-devel = %{version}-%{release}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%package util
+Summary: Network Security Services Utilities Library
+Requires: nspr >= %{nspr_version}
+
+%description util
+Utilities for Network Security Services and the Softoken module
+
+%package util-devel
+Summary: Development libraries for Network Security Services Utilities
+Requires: nss-util%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+
+%description util-devel
+Header and library files for doing development with Network Security Services.
+
+
+%package softokn
+Summary: Network Security Services Softoken Module
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{version}-%{release}
+Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
+
+%description softokn
+Network Security Services Softoken Cryptographic Module
+
+%package softokn-freebl
+Summary: Freebl library for the Network Security Services
+# For PR_GetEnvSecure() from nspr >= 4.12
+Requires: nspr >= 4.12
+# For NSS_SecureMemcmpZero() from nss-util >= 3.33
+Requires: nss-util >= 3.33
+Conflicts: nss < 3.12.2.99.3-5
+Conflicts: filesystem < 3
+
+%description softokn-freebl
+NSS Softoken Cryptographic Module Freebl Library
+
+Install the nss-softokn-freebl package if you need the freebl library.
+
+%package softokn-freebl-devel
+Summary: Header and Library files for doing development with the Freebl library for NSS
+Provides: nss-softokn-freebl-static = %{version}-%{release}
+Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release}
+
+%description softokn-freebl-devel
+NSS Softoken Cryptographic Module Freebl Library Development Tools
+This package supports special needs of some PKCS #11 module developers and
+is otherwise considered private to NSS. As such, the programming interfaces
+may change and the usual NSS binary compatibility commitments do not apply.
+Developers should rely only on the officially supported NSS public API.
+
+%package softokn-devel
+Summary: Development libraries for Network Security Services
+Requires: nss-softokn%{?_isa} = %{version}-%{release}
+Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-util-devel >= %{version}-%{release}
+Requires: pkgconfig
+BuildRequires: nspr-devel >= %{nspr_build_version}
+
+%description softokn-devel
+Header and library files for doing development with Network Security Services.
+
+
+%prep
+%autosetup -N -n %{name}-%{nss_archive_version}
+pushd nss
+%autopatch -p1
+popd
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
+find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+
+#update paypal cert (git binary patches don't work with autopatch)
+cp %{SOURCE30} nss/tests/libpkix/certs/
+
+%build
+
+export FREEBL_NO_DEPEND=1
+
+# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
+# copied to dist and the rpm install phase can find it
+# This due of the upstream changes to fix
+# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
+export FREEBL_LOWHASH=1
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+export NSS_FORCE_FIPS=1
+
+# Enable compiler optimizations and disable debugging code
+export BUILD_OPT=1
+
+# Uncomment to disable optimizations
+#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
+#export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+
+export LDFLAGS=$RPM_LD_FLAGS
+
+export DSO_LDFLAGS=$RPM_LD_FLAGS
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+export NSPR_LIB_DIR=%{_libdir}
+
+export NSS_USE_SYSTEM_SQLITE=1
+
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
+%{__make} -C ./nss all
+%{__make} -C ./nss latest
+
+# build the man pages clean
+pushd ./nss/doc
+rm -rf ./nroff
+make clean
+echo -n %{manual_date} > date.xml
+echo -n %{version} > version.xml
+make
+popd
+
+# and copy them to the dist directory for %%install to find them
+mkdir -p ./dist/docs/nroff
+cp ./nss/doc/nroff/* ./dist/docs/nroff
+
+# Set up our package files
+mkdir -p ./dist/pkgconfig
+
+cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
+ ./dist/pkgconfig/nss-util.pc
+
+NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
+NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
+NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \
+ > ./dist/pkgconfig/nss-util-config
+
+chmod 755 ./dist/pkgconfig/nss-util-config
+
+cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+ ./dist/pkgconfig/nss-softokn.pc
+
+SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
+ > ./dist/pkgconfig/nss-softokn-config
+
+chmod 755 ./dist/pkgconfig/nss-softokn-config
+
+cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+%if %{with tests}
+# Begin -- copied from the build section
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd "$DISTBINDIR"
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd nss/tests
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 8, the default db is sql, but we want
+ # standard to test dbm, or upgradedb will fail
+%define nss_cycles "standard pkix upgradedb sharedb threadunsafe"
+# the full list from all.sh is:
+# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+# nss_ssl_run: cov auth stapling stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+popd
+
+%endif
+
+%install
+
+# There is no make install target so we'll do it ourselves.
+
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%if %{defined rhel}
+# not needed for rhel and its derivatives only fedora
+%else
+# because of the pp.1 conflict with perl-PAR-Packer
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%endif
+
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+# Copy the binary libraries we want
+for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h cmac.h
+do
+ install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the static freebl library
+for file in libfreebl.a
+do
+install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the template files we want
+for file in dist/private/nss/templates.c dist/private/nss/nssck.api
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
+ install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+%if %{defined rhel}
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+%else
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+%endif
+
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+# Copy the crypto-policies configuration file
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%posttrans
+update-crypto-policies --no-reload &> /dev/null || :
+
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%doc %{_mandir}/man5/cert8.db.5*
+%doc %{_mandir}/man5/key3.db.5*
+%doc %{_mandir}/man5/secmod.db.5*
+%doc %{_mandir}/man5/cert9.db.5*
+%doc %{_mandir}/man5/key4.db.5*
+%doc %{_mandir}/man5/pkcs11.txt.5*
+
+%files sysinit
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%doc %{_mandir}/man1/setup-nsssysinit.1*
+
+%files tools
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %%{_mandir}/man*/* let's list them explicitly
+# supported tools
+%doc %{_mandir}/man1/certutil.1*
+%doc %{_mandir}/man1/cmsutil.1*
+%doc %{_mandir}/man1/crlutil.1*
+%doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/nss-policy-check.1*
+%doc %{_mandir}/man1/pk12util.1*
+%doc %{_mandir}/man1/signver.1*
+# unsupported tools
+%doc %{_mandir}/man1/derdump.1*
+%doc %{_mandir}/man1/signtool.1*
+%if %{defined rhel}
+%doc %{_mandir}/man1/pp.1*
+%else
+%dir %{_datadir}/doc/nss-tools
+%doc %{_datadir}/doc/nss-tools/pp.1
+%endif
+%doc %{_mandir}/man1/ssltap.1*
+%doc %{_mandir}/man1/vfychain.1*
+%doc %{_mandir}/man1/vfyserv.1*
+
+%files devel
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%doc %{_mandir}/man1/nss-config.1*
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+%files pkcs11-devel
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+%files util
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnssutil3.so
+
+%files util-devel
+# package configuration files
+%{_libdir}/pkgconfig/nss-util.pc
+%{_bindir}/nss-util-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+# these are marked as public export in nss/lib/util/manifest.mk
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
+%{_includedir}/nss3/pkcs1sig.h
+%{_includedir}/nss3/pkcs11.h
+%{_includedir}/nss3/pkcs11f.h
+%{_includedir}/nss3/pkcs11n.h
+%{_includedir}/nss3/pkcs11p.h
+%{_includedir}/nss3/pkcs11t.h
+%{_includedir}/nss3/pkcs11u.h
+%{_includedir}/nss3/pkcs11uri.h
+%{_includedir}/nss3/portreg.h
+%{_includedir}/nss3/secasn1.h
+%{_includedir}/nss3/secasn1t.h
+%{_includedir}/nss3/seccomon.h
+%{_includedir}/nss3/secder.h
+%{_includedir}/nss3/secdert.h
+%{_includedir}/nss3/secdig.h
+%{_includedir}/nss3/secdigt.h
+%{_includedir}/nss3/secerr.h
+%{_includedir}/nss3/secitem.h
+%{_includedir}/nss3/secoid.h
+%{_includedir}/nss3/secoidt.h
+%{_includedir}/nss3/secport.h
+%{_includedir}/nss3/utilmodt.h
+%{_includedir}/nss3/utilpars.h
+%{_includedir}/nss3/utilparst.h
+%{_includedir}/nss3/utilrename.h
+%{_includedir}/nss3/templates/templates.c
+
+%files softokn
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+# shared with nss-tools
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-freebl
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
+#shared
+%dir %{dracut_modules_dir}
+%{dracut_modules_dir}/module-setup.sh
+%{dracut_conf_dir}/50-nss-softokn.conf
+
+%files softokn-freebl-devel
+%{_libdir}/libfreebl.a
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/cmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+
+%files softokn-devel
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+#
+# The following headers are those exported public in
+# nss/lib/freebl/manifest.mn and
+# nss/lib/softoken/manifest.mn
+#
+# The following list is short because many headers, such as
+# the pkcs #11 ones, have been provided by nss-util-devel
+# which installed them before us.
+#
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
+
+
+%changelog
+* Thu Nov 18 2021 Bob Relyea - 3.67.0-7
+- Fix CVE 2021 43527
+
+* Tue Jul 6 2021 Bob Relyea - 3.67.0-6
+- Fix ssl alert issue
+
+* Thu Jul 1 2021 Bob Relyea - 3.67.0-5
+- Fix issue with reading databases that were updated using
+ unpatched versions of nss
+
+* Tue Jun 29 2021 Bob Relyea - 3.67.0-4
+- Better fix for the sdb timeout. The issue wasn't a race, it was
+ the sqlite timeout waiting to begin a transaction under heavy
+ thread usage.
+
+* Mon Jun 28 2021 Bob Relyea - 3.67.0-3
+- Fix sdb race condition
+
+* Fri Jun 18 2021 Bob Relyea - 3.67.0-2
+- Fix coverity issues
+
+* Thu Jun 17 2021 Bob Relyea - 3.67.0-1
+- Rebase to NSS 3.67
+
+* Tue Jun 15 2021 Bob Relyea - 3.66.0-2
+- Restore old pkcs12 defaults.
+
+* Mon Jun 14 2021 Bob Relyea - 3.66.0-1.1
+- build nss for older nspr so we can pass gating with
+ the new nspr in the build root
+
+* Wed Jun 2 2021 Bob Relyea - 3.66.0-1
+- Rebase to NSS 3.66
+
+* Thu Dec 3 2020 Bob Relyea - 3.53.1-17
+- Fix various corner cases with ike v1 app b support.
+
+* Thu Nov 19 2020 Bob Relyea - 3.53.1-16
+- Fix the following CVE
+- CVE-2020-12403 chacha-poly issues
+- CVE-2020-12400 constant time ECC.
+- CVE-2020-6829 constant time ECC.
+
+* Wed Nov 4 2020 Bob Relyea - 3.53.1-15
+- Revert some policy changes the generate ABI runtime issues.
+
+* Thu Oct 29 2020 Bob Relyea - 3.53.1-14
+- Add support for enable/disable in policy. Now if your policy
+ file has disallow=x enable=y it will act just like our other
+ libraries.
+
+* Mon Oct 26 2020 Bob Relyea - 3.53.1-13
+- Add OAEP interface so applications can wrap keys with RSA-OAEP
+ rather than RSA-PKCS-1.
+
+* Mon Oct 19 2020 Bob Relyea - 3.53.1-12
+- fips need to reject small primes even if they are approved
+- code to autodetect whether or not to use the cache needs to do so
+ in a way that doesn't mess with filesystem negative file caching.
+- add kdf selftests
+
+* Thu Jul 30 2020 Bob Relyea - 3.53.1-11
+- Fix issue with upgradedb where upgradedb expects standard to
+ generate dbm databases, not sql databases (default in RHEL8)
+
+* Thu Jul 30 2020 Bob Relyea - 3.53.1-10
+- Disable dh timing test because it's unreliable on s390
+
+* Thu Jul 30 2020 Daiki Ueno - 3.53.1-9
+- Explicitly enable upgradedb/sharedb test cycles
+
+* Wed Jul 29 2020 Daiki Ueno - 3.53.1-8
+- Disable Delegated Credentials for TLS
+
+* Fri Jul 24 2020 Bob Relyea - 3.53.1-7
+- Fix attribute decryption issue where the private key components
+ integrity check on private attributes where not being checked.
+
+* Mon Jul 13 2020 Daiki Ueno - 3.53.1-6
+- Update nss-rsa-pkcs1-sigalgs.patch to the upstream version
+
+* Sat Jul 11 2020 Bob Relyea - 3.53.1-5
+- Include required checks for dh and ecdh key generation in FIPS mode.
+
+* Wed Jul 8 2020 Bob Relyea - 3.53.1-4
+- Add better checks for dh derive operations in FIPS mode.
+
+* Thu Jun 25 2020 Daiki Ueno - 3.53.1-3
+- Disable NSS_HASH_ALG_SUPPORT as well for MD5 (#1849938)
+- Adjust for update-crypto-policies packaging change (#1848649)
+- Fix compilation with -Werror=strict-prototypes (#1843417)
+
+* Wed Jun 24 2020 Daiki Ueno - 3.53.1-2
+- Fix regression in MD5 disablement (#1849938)
+- Include rsa_pkcs1_* in signature_algorithms extension (#1847945)
+
+* Mon Jun 22 2020 Daiki Ueno - 3.53.1-1
+- Update to NSS 3.53.1
+
+* Sat Jun 6 2020 Daiki Ueno - 3.53.0-1
+- Update to NSS 3.53
+
+* Fri Jan 31 2020 Bob Relyea - 3.44.0-15
+- Fix swapped CMAC PKCS #11 values.
+- Fix data alignment crash in CMAC.
+
+* Tue Dec 3 2019 Bob Relyea - 3.44.0-14
+- Fix coverify scan issue
+
+* Mon Dec 2 2019 Bob Relyea - 3.44.0-13
+- Fix endian problem in SP-800 108 code.
+
+* Thu Nov 28 2019 Daiki Ueno - 3.44.0-12
+- Install cmac.h required by blapi.h (#1764513)
+- Fix out-of-bounds write in NSC_EncryptUpdate (#1775913)
+
+* Wed Nov 27 2019 Bob Relyea - 3.44.0-11
+- Add SP-800 108 Generalized kdf
+
+* Mon Nov 11 2019 Daiki Ueno - 3.44.0-10
+- Check policy against hash algorithms used for ServerKeyExchange (#1730039)
+
+* Wed Nov 6 2019 Bob Relyea - 3.44.0-9
+- Add CMAC
+
+* Thu Aug 8 2019 Bob Relyea - 3.44.0-8
+- CKM_NSS_IKE1_APP_B_PRF_DERIVE was missing from the mechanism list, preventing
+ PK11_Derive*() from using it. Add gtests for the PK11_Derive interface for
+ all the CKM_NSS_IKE*_DERIVE mechanism.
+
+* Wed Jul 3 2019 Daiki Ueno - 3.44.0-7
+- Backport fixes from 3.44.1
+
+* Wed Jun 26 2019 Daiki Ueno - 3.44.0-6
+- Add continuous RNG test required by FIPS
+- fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
+
+* Mon Jun 10 2019 Daiki Ueno - 3.44.0-5
+- Rebuild with the correct build target
+
+*Fri Jun 7 2019 Bob Relyea - 3.44.0-4.1
+- rebuild to try to retrigger CI tests
+
+*Wed Jun 5 2019 Bob Relyea - 3.44.0-4
+- Fix certutil man page
+- Fix extracting a public key from a private key for dh, ec, and dsa
+
+* Thu May 30 2019 Daiki Ueno - 3.44.0-3
+- Disable TLS 1.3 under FIPS mode
+- Disable RSASSA-PKCS1-v1_5 in TLS 1.3
+- Fix post-handshake auth transcript calculation if
+ SSL_ENABLE_SESSION_TICKETS is set
+- Revert the change to use XDG basedirs (mozilla#818686)
+
+* Fri May 24 2019 Bob Relyea - 3.44.0-2
+- Add ike mechanisms in softokn
+- Add FIPS checks in softoken
+
+* Fri May 24 2019 Daiki Ueno - 3.44.0-1
+- Update to NSS 3.44
+- Define NSS_SEED_ONLY_DEV_URANDOM=1 to exclusively use getentropy
+- Use %%autosetup
+- Clean up manual pages generation
+- Clean up %%check
+- Remove prelink dependency, which is not available in RHEL-8
+- Remove upstreamed patches
+
+* Mon Dec 17 2018 Daiki Ueno - 3.41.0-5
+- Update manual pages to reflect recent changes in commands
+
+* Fri Dec 14 2018 Bob Relyea - 3.41.0-4
+- Make sure corresponding public keys are created when importing private keys.
+
+* Thu Dec 13 2018 Daiki Ueno - 3.41.0-3
+- Fix the last change
+- Add --no-reload option to update-crypto-policies to avoid
+ unnecessary restart of daemons
+
+* Thu Dec 13 2018 Daiki Ueno - 3.41.0-2
+- Restore LDFLAGS injection when linking DSO
+
+* Mon Dec 10 2018 Daiki Ueno - 3.41.0-1
+- Update to NSS 3.41
+- Consolidate nss-util, nss-softokn, and nss into a single source package
+
+* Fri Dec 7 2018 Daiki Ueno - 3.39.0-1.5
+- Fix the last commit
+
+* Tue Dec 4 2018 Bob Relyea - 3.39.0-1.4
+- Support for IKE/IPsec typical PKIX usage so libreswan can use nss
+ without rejecting certs based on EKU
+
+* Thu Nov 29 2018 Daiki Ueno - 3.39.0-1.3
+- Backport upstream fixes for rhbz#1649026, rhbz#1608895, rhbz#1644854
+- Document PKCS #11 URI
+- Add warning when adding module with modutil while p11-kit is enabled
+
+* Tue Nov 13 2018 Daiki Ueno - 3.39.0-1.2
+- Update nss-dsa.patch to not advertise DSA signature algorithm
+- Update PayPal test certs for testing
+
+* Thu Oct 18 2018 Daiki Ueno - 3.39.0-1.1
+- Backport "DSA" keyword in crypto-policies
+
+* Tue Sep 25 2018 Daiki Ueno - 3.39.0-1.0
+- Update to NSS 3.39
+
+* Fri Sep 14 2018 Daiki Ueno - 3.38.0-1.2
+- Fix LDFLAGS injection when linking DSO
+
+* Tue Jul 24 2018 Daiki Ueno - 3.38.0-1.1
+- Install crypto-policies configuration file for
+ https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
+- Port enable-fips-when-system-is-in-fips-mode.patch from RHEL-7
+- Use %%ldconfig_scriptlets
+- Remove needless use of %defattr, by Jason Tibbitts
+
+* Wed Jul 18 2018 Daiki Ueno - 3.38.0-1.0
+- Update to NSS 3.38
+
+* Tue Jul 17 2018 Kai Engert - 3.36.1-1.2
+- Backport upstream addition of nss-policy-check utility, rhbz#1428746,
+ includes required fixes for mozbz#1296263 and mozbz#1474875
+
+* Fri May 25 2018 Daiki Ueno - 3.36.1-1.1
+- Switch the default DB type to SQL
+- Enable SSLKEYLOGFILE
+
+* Wed Apr 11 2018 Daiki Ueno - 3.36.1-1.0
+- Update to NSS 3.36.1
+- Remove nss-3.14.0.0-disble-ocsp-test.patch
+- Fix partial injection of LDFLAGS
+- Remove NSS_NO_PKCS11_BYPASS, which is no-op in upstream
+
+* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1.0
+- Update to NSS 3.36.0
+- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
+- Make test failure detection robuster
+
+* Thu Feb 08 2018 Fedora Release Engineering - 3.35.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 29 2018 Kai Engert - 3.35.0-4
+- Fix a compiler error with gcc 8, mozbz#1434070
+- Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check.
+
+* Mon Jan 29 2018 Kai Engert - 3.35.0-3
+- Stop pulling in nss-pem automatically, packages that need it should
+ depend on it, rhbz#1539401
+
+* Tue Jan 23 2018 Daiki Ueno - 3.35.0-2
+- Update to NSS 3.35.0
+
+* Tue Nov 14 2017 Daiki Ueno - 3.34.0-2
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno - 3.33.0-6
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+
+* Wed Nov 8 2017 Kai Engert - 3.33.0-5
+- Fix test script
+
+* Tue Nov 7 2017 Kai Engert - 3.33.0-4
+- Update tests to be compatible with default NSS DB changed to sql
+ (the default was changed in the nss-util package).
+
+* Tue Oct 24 2017 Kai Engert - 3.33.0-3
+- rhbz#1505487, backport upstream fixes required for rhbz#1496560
+
+* Tue Oct 3 2017 Daiki Ueno - 3.33.0-2
+- Update to NSS 3.33.0
+
+* Fri Sep 15 2017 Daiki Ueno - 3.32.1-2
+- Update to NSS 3.32.1
+
+* Wed Sep 6 2017 Daiki Ueno - 3.32.0-4
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Wed Aug 23 2017 Kai Engert - 3.32.0-3
+- NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449
+
+* Mon Aug 7 2017 Daiki Ueno - 3.32.0-2
+- Update to NSS 3.32.0
+
+* Thu Aug 03 2017 Fedora Release Engineering - 3.31.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering - 3.31.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 18 2017 Daiki Ueno - 3.31.0-4
+- Backport mozbz#1381784 to avoid deadlock in dnf
+
+* Thu Jul 13 2017 Daiki Ueno - 3.31.0-3
+- Move signtool to %%_libdir/nss/unsupported-tools, for:
+ https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation
+
+* Wed Jun 21 2017 Daiki Ueno - 3.31.0-2
+- Rebase to NSS 3.31.0
+
+* Fri Jun 2 2017 Daiki Ueno - 3.30.2-3
+- Enable gtests
+
+* Mon Apr 24 2017 Daiki Ueno - 3.30.2-2
+- Rebase to NSS 3.30.2
+- Enable TLS 1.3
+
+* Thu Mar 30 2017 Kai Engert - 3.30.0-3
+- Backport upstream mozbz#1328318 to support crypto policy FUTURE.
+
+* Tue Mar 21 2017 Daiki Ueno - 3.30.0-2
+- Rebase to NSS 3.30.0
+- Remove upstreamed patches
+
+* Thu Mar 02 2017 Kai Engert - 3.29.1-3
+- Backport mozbz#1334976 and mozbz#1336487.
+
+* Fri Feb 17 2017 Daiki Ueno - 3.29.1-2
+- Rebase to NSS 3.29.1
+
+* Thu Feb 9 2017 Daiki Ueno - 3.29.0-3
+- Disable TLS 1.3, following the upstream change
+
+* Wed Feb 8 2017 Daiki Ueno - 3.29.0-2
+- Rebase to NSS 3.29.0
+- Suppress -Werror=int-in-bool-context warnings with GCC7
+
+* Mon Jan 23 2017 Daiki Ueno - 3.28.1-6
+- Work around pkgconfig -> pkgconf transition issue (releng#6597)
+
+* Fri Jan 20 2017 Daiki Ueno - 3.28.1-5
+- Disable TLS 1.3
+- Add "Conflicts" with packages using older Mozilla codebase, which is
+ not compatible with NSS 3.28.1
+- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream
+
+* Tue Jan 17 2017 Daiki Ueno - 3.28.1-4
+- Add "Conflicts" with older firefox packages which don't have support
+ for smaller curves added in NSS 3.28.1
+
+* Fri Jan 13 2017 Daiki Ueno - 3.28.1-3
+- Fix incorrect version specification in %%nss_{util,softokn}_version,
+ pointed by Elio Maldonado
+
+* Fri Jan 6 2017 Daiki Ueno - 3.28.1-2
+- Rebase to NSS 3.28.1
+- Remove upstreamed patch for disabling RSA-PSS
+- Re-enable TLS 1.3
+
+* Wed Nov 30 2016 Daiki Ueno - 3.27.2-2
+- Rebase to NSS 3.27.2
+
+* Tue Nov 15 2016 Daiki Ueno - 3.27.0-5
+- Revert the previous fix for RSA-PSS and use the upstream fix instead
+
+* Wed Nov 02 2016 Kai Engert - 3.27.0-4
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
+* Sun Oct 2 2016 Daiki Ueno - 3.27.0-3
+- Disable TLS 1.3 for now, to avoid reported regression with TLS to
+ version intolerant servers
+
+* Thu Sep 29 2016 Daiki Ueno - 3.27.0-2
+- Rebase to NSS 3.27.0
+- Remove upstreamed ectest patch
+
+* Mon Aug 8 2016 Daiki Ueno - 3.26.0-2
+- Rebase to NSS 3.26.0
+- Update check policy file patch to better match what was upstreamed
+- Remove conditionally ignore system policy patch as it has been upstreamed
+- Skip ectest as well as ecperf, which are built as part of nss-softokn
+- Fix rpmlint error regarding %%define usage
+
+* Thu Jul 14 2016 Elio Maldonado - 3.25.0-6
+- Incorporate some changes requested in upstream review and commited upstream (#1157720)
+
+* Fri Jul 01 2016 Elio Maldonado - 3.25.0-5
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+
+* Tue Jun 28 2016 Elio Maldonado - 3.25.0-4
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+
+* Sun Jun 26 2016 Elio Maldonado - 3.25.0-3
+- Cleanup spec file and patches and add references to bugs filed upstream
+
+* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2
+- Rebase to nss 3.25
+
+* Thu Jun 16 2016 Kamil Dudka - 3.24.0-3
+- decouple nss-pem from the nss package (#1347336)
+
+* Fri Jun 03 2016 Elio Maldonado - 3.24.0-2.3
+- Apply the patch that was last introduced
+- Renumber and reorder some of the patches
+- Resolves: Bug 1342158
+
+* Thu Jun 02 2016 Elio Maldonado - 3.24.0-2.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+
+* Sun May 29 2016 Elio Maldonado - 3.24.0-2.1
+- Rebase to NSS 3.24.0
+- Restore setting the policy file location
+- Make ssl tests scripts aware of policy
+- Ajust tests data expected result for policy
+
+* Tue May 24 2016 Elio Maldonado - 3.24.0-2.0
+- Bootstrap build to rebase to NSS 3.24.0
+- Temporarily not setting the policy file location
+
+* Thu May 12 2016 Elio Maldonado - 3.23.0-9
+- Change POLICY_FILE to "nss.config"
+
+* Fri Apr 22 2016 Elio Maldonado - 3.23.0-8
+- Change POLICY_FILE to "nss.cfg"
+
+* Wed Apr 20 2016 Elio Maldonado - 3.23.0-7
+- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
+- Regenerate the check policy patch with hg to provide more context
+
+* Thu Apr 14 2016 Elio Maldonado - 3.23.0-6
+- Fix typo in the last %%changelog entry
+
+* Thu Mar 24 2016 Elio Maldonado - 3.23.0-5
+- Load policy file if /etc/pki/nssdb/policy.cfg exists
+- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy
+
+* Tue Mar 08 2016 Elio Maldonado - 3.23.0-4
+- Remove unused patch rendered obsolete by pem update
+
+* Tue Mar 08 2016 Elio Maldonado - 3.23.0-3
+- Update pem sources to latest from nss-pem upstream
+- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
+
+* Sat Mar 05 2016 Elio Maldonado - 3.23.0-2
+- Rebase to NSS 3.23
+
+* Sat Feb 27 2016 Elio Maldonado - 3.22.2-2
+- Rebase to NSS 3.22.2
+
+* Tue Feb 23 2016 Elio Maldonado - 3.22.1-3
+- Fix ssl2/exp test disabling to run all the required tests
+
+* Sun Feb 21 2016 Elio Maldonado - 3.22.1-1
+- Rebase to NSS 3.22.1
+
+* Mon Feb 08 2016 Elio Maldonado - 3.22.0-3
+- Update .gitignore as part of updating to nss 3.22
+
+* Mon Feb 08 2016 Elio Maldonado - 3.22.0-2
+- Update to NSS 3.22
+
+* Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Elio Maldonado - 3.21.0-6
+- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
+- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
+- Use %%define when specifying the nss_tests to run
+
+* Wed Dec 30 2015 Michal Toman - 3.21.0-5
+- Add 64-bit MIPS to multilib arches
+
+* Fri Nov 20 2015 Elio Maldonado - 3.21.0-4
+- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
+- Resolves: Bug 1284095 - all https fails with sec_error_no_token
+
+* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3
+- Add references to bugs filed upstream
+
+* Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2
+- Update to NSS 3.21
+- Package listsuites as part of the unsupported tools set
+- Resolves: Bug 1279912 - nss-3.21 is available
+- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
+- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
+
+* Fri Oct 30 2015 Elio Maldonado - 3.20.1-2
+- Update to NSS 3.20.1
+
+* Wed Sep 30 2015 Elio Maldonado - 3.20.0-6
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+- Remove unused patches rendered obsolete by prior rebase
+
+* Wed Sep 16 2015 Elio Maldonado - 3.20.0-5
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Implement corrections requested in code review
+
+* Tue Sep 15 2015 Elio Maldonado - 3.20.0-4
+- Enable ECC cipher-suites by default [hrbz#1185708]
+
+* Mon Sep 14 2015 Elio Maldonado - 3.20.0-3
+- Fix patches that disable ssl2 and export cipher suites support
+- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
+- Fix syntax errors in patch to skip ssl2 and export cipher suite tests
+- Turn ssl2 off by default in the tstclnt tool
+- Disable ssl stress tests containing TLS RC4 128 with MD5
+
+* Thu Aug 20 2015 Elio Maldonado - 3.20.0-2
+- Update to NSS 3.20
+
+* Sat Aug 08 2015 Elio Maldonado - 3.19.3-2
+- Update to NSS 3.19.3
+
+* Fri Jun 26 2015 Elio Maldonado - 3.19.2-3
+- Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers
+
+* Wed Jun 17 2015 Kai Engert - 3.19.2-2
+- Update to NSS 3.19.2
+
+* Thu May 28 2015 Kai Engert - 3.19.1-2
+- Update to NSS 3.19.1
+
+* Tue May 19 2015 Kai Engert - 3.19.0-2
+- Update to NSS 3.19
+
+* Fri May 15 2015 Kai Engert - 3.18.0-2
+- Replace expired test certificates, upstream bug 1151037
+
+* Thu Mar 19 2015 Elio Maldonado - 3.18.0-1
+- Update to nss-3.18.0
+- Resolves: Bug 1203689 - nss-3.18 is available
+
+* Tue Mar 03 2015 Elio Maldonado - 3.17.4-5
+- Disable export suites and SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Sat Feb 21 2015 Till Maas - 3.17.4-4
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Tue Feb 10 2015 Elio Maldonado - 3.17.4-3
+- Commented out the export NSS_NO_SSL2=1 line to not disable ssl2
+- Backing out from disabling ssl2 until the patches are fixed
+
+* Mon Feb 09 2015 Elio Maldonado - 3.17.4-2
+- Disable SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1
+- Update to nss-3.17.4
+
+* Sat Jan 24 2015 Ville Skyttä - 3.17.3-4
+- Own the %%{_datadir}/doc/nss-tools dir
+
+* Tue Dec 16 2014 Elio Maldonado - 3.17.3-3
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
+- Use %%{_mandir} instead of /usr/share/man as more generic
+
+* Mon Dec 15 2014 Elio Maldonado - 3.17.3-2
+- Install pp man page in alternative location
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+
+* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1
+- Update to nss-3.17.3
+- Resolves: Bug 1171012 - nss-3.17.3 is available
+
+* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2
+- Resolves: Bug 994599 - Enable TLS 1.2 by default
+
+* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1
+- Update to nss-3.17.2
+
+* Wed Sep 24 2014 Kai Engert - 3.17.1-1
+- Update to nss-3.17.1
+- Add a mechanism to skip test suite execution during development work
+
+* Thu Aug 21 2014 Kevin Fenzi - 3.17.0-2
+- Rebuild for rpm bug 1131960
+
+* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1
+- Update to nss-3.17.0
+
+* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Elio Maldonado - 3.16.2-3
+- Replace expired PayPal test cert with current one to prevent build failure
+
+* Fri Jul 18 2014 Tom Callaway - 3.16.2-2
+- fix license handling
+
+* Sun Jun 29 2014 Elio Maldonado - 3.16.2-1
+- Update to nss-3.16.2
+
+* Sun Jun 15 2014 Elio Maldonado - 3.16.1-4
+- Remove unwanted source directories at end of %%prep so it truly does it
+- Skip the cipher suite already run as part of the nss-softokn build
+
+* Sat Jun 07 2014 Fedora Release Engineering - 3.16.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon May 12 2014 Jaromir Capik - 3.16.1-2
+- Replacing ppc64 and ppc64le with the power64 macro
+- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
+
+* Tue May 06 2014 Elio Maldonado - 3.16.1-1
+- Update to nss-3.16.1
+- Update the iquote patch on account of the rebase
+- Improve error detection in the %%section
+- Resolves: Bug 1094702 - nss-3.16.1 is available
+
+* Tue Mar 18 2014 Elio Maldonado - 3.16.0-1
+- Update to nss-3.16.0
+- Cleanup the copying of the tools man pages
+- Update the iquote.patch on account of the rebase
+
+* Tue Mar 04 2014 Elio Maldonado - 3.15.5-2
+- Restore requiring nss_softokn_version >= 3.15.5
+
+* Wed Feb 19 2014 Elio Maldonado - 3.15.5-1
+- Update to nss-3.15.5
+- Temporarily requiring only nss_softokn_version >= 3.15.4
+- Fix location of sharedb files and their manpages
+- Move cert9.db, key4.db, and pkcs11.txt to the main package
+- Move nss-sysinit manpages tar archives to the main package
+- Resolves: Bug 1066877 - nss-3.15.5 is available
+- Resolves: Bug 1067091 - Move sharedb files to the %%files section
+
+* Thu Feb 06 2014 Elio Maldonado - 3.15.4-5
+- Revert previous change that moved some sysinit manpages
+- Restore nss-sysinit manpages tar archives to %%files sysinit
+- Removing spurious wildcard entry was the only change needed
+
+* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4
+- Add explanatory comments for iquote.patch as was done on f20
+
+* Sat Jan 25 2014 Elio Maldonado - 3.15.4-3
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem fixes verified on RHEL and applied upstream
+- Fix a problem where same files in two rpms created rpm conflict
+- Move some nss-sysinit manpages tar archives to the %%files the
+- All man pages are listed by name so there shouldn't be wildcard inclusion
+- Add support for ppc64le, Resolves: Bug 1052545
+
+* Mon Jan 20 2014 Peter Robinson 3.15.4-2
+- ARM tests pass so remove ARM conditional
+
+* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1
+- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
+- Resolves: Bug 1049229 - nss-3.15.4 is available
+- Update pem sources to latest from the interim upstream for pem
+- Remove no longer needed patches
+- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
+- Update iquote.patch on account of upstream changes
+
+* Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1
+- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
+- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
+- Resolves: Bug 1040192 - nss-3.15.3.1 is available
+
+* Tue Dec 03 2013 Elio Maldonado - 3.15.3-2
+- Bump the release tag
+
+* Sun Nov 24 2013 Elio Maldonado - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
+- Fix option descriptions for setup-nsssysinit manpage
+- Fix man page of nss-sysinit wrong path and other flaws
+- Document email option for certutil manpage
+- Remove unused patches
+
+* Sun Oct 27 2013 Elio Maldonado - 3.15.2-3
+- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
+
+* Wed Oct 23 2013 Elio Maldonado - 3.15.2-2
+- Use the full sources from upstream
+- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
+
+* Thu Sep 26 2013 Elio Maldonado - 3.15.2-1
+- Update to NSS_3_15_2_RTM
+- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+
+* Wed Aug 28 2013 Elio Maldonado - 3.15.1-7
+- Update pem sources to pick up a patch applied upstream which a faulty merge had missed
+- The pem module should not require unique file basenames
+
+* Tue Aug 27 2013 Elio Maldonado - 3.15.1-6
+- Update pem sources to the latest from interim upstream
+
+* Mon Aug 19 2013 Elio Maldonado - 3.15.1-5
+- Resolves: rhbz#996639 - Minor bugs in nss man pages
+- Fix some typos and improve description and see also sections
+
+* Sun Aug 11 2013 Elio Maldonado - 3.15.1-4
+- Cleanup spec file to address most rpmlint errors and warnings
+- Using double percent symbols to fix macro-in-comment warnings
+- Ignore unversioned-explicit-provides nss-system-init per spec comments
+- Ignore invalid-url Source0 as it comes from the git lookaside cache
+- Ignore invalid-url Source12 as it comes from the git lookaside cache
+
+* Thu Jul 25 2013 Elio Maldonado - 3.15.1-3
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Resolves: rhbz#985114 - Provide man pages for the nss configuration files
+
+* Fri Jul 19 2013 Elio Maldonado - 3.15.1-2
+- Fix errors in the man pages
+- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
+- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado - 3.15.1-1
+- Update to NSS_3_15_1_RTM
+- Enable the iquote.patch to access newly introduced types
+
+* Wed Jun 19 2013 Elio Maldonado - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Wed Apr 24 2013 Elio Maldonado - 3.15-0.1.beta1.2
+- Fix incorrect path that hid failed test from view
+- Add ocsp to the test suites to run but ...
+- Temporarily disable the ocsp stapling tests
+- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
+
+* Thu Apr 04 2013 Elio Maldonado - 3.15-0.1.beta1.1
+- Update to NSS_3_15_BETA1
+- Update spec file, patches, and helper scripts on account of a shallower source tree
+
+* Sun Mar 24 2013 Kai Engert - 3.14.3-12
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai Engert - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 05 2011 Elio Maldonado - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert