Update to NSS 3.34.0

2017-11-14 14:20:29 +01:00 · 2017-11-14 14:20:29 +01:00 · bd239c046a
commit bd239c046a
parent 6d15c06123
9 changed files with 9 additions and 563 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,4 @@ TestUser51.cert
 /nss-3.32.0.tar.gz
 /nss-3.32.1.tar.gz
 /nss-3.33.0.tar.gz
 /nss-3.34.0.tar.gz
--- a/nss-sql-1-1403691-a.patch
+++ b/nss-sql-1-1403691-a.patch
@ -1,92 +0,0 @@
 # HG changeset patch
 # User Kai Engert <kaie@kuix.de>
 # Date 1507823956 -7200
 # Node ID 994e89150fc1cd0008d19a8ad8aafed565d98069
 # Parent  f3766809817ba03aa8cc1da4fdf48bd011fc01e3
 Bug 1403691, Change first NSS test cycle to explicitly use dbm file format, r=rrelyea
 diff --git a/tests/all.sh b/tests/all.sh
 --- a/tests/all.sh
 +++ b/tests/all.sh
@@ -125,24 +125,30 @@ run_tests()
         echo "Running tests for ${TEST}"
         echo "TIMESTAMP ${TEST} BEGIN: `date`"
         (cd ${QADIR}/${TEST}; . ./${SCRIPTNAME} 2>&1)
         echo "TIMESTAMP ${TEST} END: `date`"
     done
 }
 ########################## run_cycle_standard ##########################
 -# run test suites with defaults settings (no PKIX, no sharedb)
 +# run test suites with dbm database (no PKIX, no sharedb)
 ########################################################################
 run_cycle_standard()
 {
     TEST_MODE=STANDARD
     TESTS="${ALL_TESTS}"
 -    TESTS_SKIP=
 +    TESTS_SKIP="cipher libpkix sdr ocsp pkits"
 +
 +    NSS_DEFAULT_DB_TYPE="dbm"
 +    export NSS_DEFAULT_DB_TYPE
 +
 +    NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
 +    NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
     run_tests
 }
 ############################ run_cycle_pkix ############################
 # run test suites with PKIX enabled
 ########################################################################
 run_cycle_pkix()
@@ -157,17 +163,22 @@ run_cycle_pkix()
     mkdir -p "${HOSTDIR}"
     init_directories
     NSS_ENABLE_PKIX_VERIFY="1"
     export NSS_ENABLE_PKIX_VERIFY
     TESTS="${ALL_TESTS}"
     TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
 +
     NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
 +    export -n NSS_SSL_RUN
 +
 +    # use the default format
 +    export -n NSS_DEFAULT_DB_TYPE
     run_tests
 }
 ######################### run_cycle_upgrade_db #########################
 # upgrades certificate database to shareable format and run test suites
 # with those databases
 ########################################################################
@@ -226,20 +237,20 @@ run_cycle_shared_db()
     mkdir -p "${HOSTDIR}"
     init_directories
     NSS_DEFAULT_DB_TYPE="sql"
     export NSS_DEFAULT_DB_TYPE
     # run the tests for native sharedb support
     TESTS="${ALL_TESTS}"
 -    TESTS_SKIP="cipher libpkix dbupgrade sdr ocsp pkits"
 +    TESTS_SKIP="dbupgrade"
 -    NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
 -    NSS_SSL_RUN=`echo "${NSS_SSL_RUN}" | sed -e "s/cov//g" -e "s/auth//g"`
 +    export -n NSS_SSL_TESTS
 +    export -n NSS_SSL_RUN
     run_tests
 }
 ############################# run_cycles ###############################
 # run test cycles defined in CYCLES variable
 ########################################################################
 run_cycles()
--- a/nss-sql-1-1403691-b.patch
+++ b/nss-sql-1-1403691-b.patch
@ -1,31 +0,0 @@
 # HG changeset patch
 # User Kai Engert <kaie@kuix.de>
 # Date 1508150373 -7200
 # Node ID e73fedaecd63afe28c9da46cd26906f247375d59
 # Parent  24695a55c095a1c37ed92ac2a4fa6c56595e17c0
 Bug 1403691, follow up fix to allow the pkits tests to work with sql db format
 diff --git a/tests/pkits/pkits.sh b/tests/pkits/pkits.sh
 --- a/tests/pkits/pkits.sh
 +++ b/tests/pkits/pkits.sh
@@ -88,17 +88,17 @@ pkits_init()
   echo "PKITS_DATA" $PKITS_DATA
   echo "certs" $certs
   echo "crls" $crls
   echo nss > ${PKITSdb}/pw
   ${BINDIR}/certutil -N -d ${PKITSdb} -f ${PKITSdb}/pw
   ${BINDIR}/certutil -A -n TrustAnchorRootCertificate -t "C,C,C" -i \
 -      $certs/TrustAnchorRootCertificate.crt -d $PKITSdb
 +      $certs/TrustAnchorRootCertificate.crt -d $PKITSdb -f ${PKITSdb}/pw
   if [ -z "$NSS_NO_PKITS_CRLS" ]; then
     ${BINDIR}/crlutil -I -i $crls/TrustAnchorRootCRL.crl -d ${PKITSdb} -f ${PKITSdb}/pw
   else
     html  "<H3>NO CRLs are being used.</H3>"
     pkits_log "NO CRLs are being used."
   fi
   cp ${PKITSdb}/* ${PKITSbkp}
--- a/nss-sql-2-1382278-a.patch
+++ b/nss-sql-2-1382278-a.patch
@ -1,56 +0,0 @@
 # HG changeset patch
 # User Bob Relyea <rrelyea@redhat.com>
 # Date 1505757778 -7200
 # Node ID 18edd4ad8389d50d4231cc1a545a468dbb11185c
 # Parent  70109a01ce53328b511aaa6c839593a3282cb725
 Bug 1382278, certutil -A creates uninitialised database, r=kaie
 diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c
 --- a/cmd/certutil/certutil.c
 +++ b/cmd/certutil/certutil.c
@@ -3005,16 +3005,43 @@ certutil_main(int argc, char **argv, PRB
                                 certutil.options[opt_NewPasswordFile].arg);
         }
         if (rv != SECSuccess) {
             SECU_PrintError(progName, "Could not set password for the slot");
             goto shutdown;
         }
     }
 +    /* if we are going to modify the cert database,
 +     * make sure it's initialized */
 +    if (certutil.commands[cmd_ModifyCertTrust].activated ||
 +        certutil.commands[cmd_CreateAndAddCert].activated ||
 +        certutil.commands[cmd_AddCert].activated ||
 +        certutil.commands[cmd_AddEmailCert].activated) {
 +        if (PK11_NeedUserInit(slot)) {
 +            char *password = NULL;
 +            /* fetch the password from the command line or the file
 +             * if no password is supplied, initialize the password to NULL */
 +            if (pwdata.source == PW_FROMFILE) {
 +                password = SECU_FilePasswd(slot, PR_FALSE, pwdata.data);
 +            } else if (pwdata.source == PW_PLAINTEXT) {
 +                password = PL_strdup(pwdata.data);
 +            }
 +            rv = PK11_InitPin(slot, (char *)NULL, password ? password : "");
 +            if (password) {
 +                PORT_Memset(password, 0, PL_strlen(password));
 +                PORT_Free(password);
 +            }
 +            if (rv != SECSuccess) {
 +                SECU_PrintError(progName, "Could not set password for the slot");
 +                goto shutdown;
 +            }
 +        }
 +    }
 +
     /* walk through the upgrade merge if necessary.
      * This option is more to test what some applications will want to do
      * to do an automatic upgrade. The --merge command is more useful for
      * the general case where 2 database need to be merged together.
      */
     if (certutil.commands[cmd_UpgradeMerge].activated) {
         if (*upgradeTokenName == 0) {
             upgradeTokenName = upgradeID;
--- a/nss-sql-2-1382278-b.patch
+++ b/nss-sql-2-1382278-b.patch
@ -1,142 +0,0 @@
 # HG changeset patch
 # User Kai Engert <kaie@kuix.de>
 # Date 1506452962 -7200
 # Node ID fe8b221d3bded99b2b21e2e62fb27cc8c659ec2f
 # Parent  96a835be15192281d67a8b1046b7f159ff6deb12
 Bug 1382278, add test to confirm implicit init with certutil -A is working, r=rrelyea
 diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
 --- a/tests/cert/cert.sh
 +++ b/tests/cert/cert.sh
@@ -1941,32 +1941,42 @@ cert_test_distrust()
 cert_test_ocspresp()
 {
   echo "$SCRIPTNAME: OCSP response creation selftest"
   OR_ACTION="perform selftest"
   RETEXPECTED=0
   ocspr ${SERVER_CADIR} "serverCA" "chain-1-serverCA" -f "${R_PWFILE}" 2>&1
 }
 +cert_test_implicit_db_init()
 +{
 +  echo "$SCRIPTNAME: test implicit database init"
 +
 +  CU_ACTION="Add cert with trust flags to db with implicit init"
 +  mkdir ${IMPLICIT_INIT_DIR}
 +  certu -A -n ca -t 'C,C,C' -d ${P_R_IMPLICIT_INIT_DIR} -i "${SERVER_CADIR}/serverCA.ca.cert"
 +}
 +
 ############################## cert_cleanup ############################
 # local shell function to finish this script (no exit since it might be
 # sourced)
 ########################################################################
 cert_cleanup()
 {
   cert_log "$SCRIPTNAME: finished $SCRIPTNAME"
   html "</TABLE><BR>"
   cd ${QADIR}
   . common/cleanup.sh
 }
 ################## main #################################################
 cert_init
 cert_all_CA
 +cert_test_implicit_db_init
 cert_extended_ssl
 cert_ssl
 cert_smime_client
 if [[ -n "$NSS_TEST_ENABLE_FIPS" ]]; then
     cert_fips
 fi
 cert_eccurves
 cert_extensions
 diff --git a/tests/common/init.sh b/tests/common/init.sh
 --- a/tests/common/init.sh
 +++ b/tests/common/init.sh
@@ -63,16 +63,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
         DBPASSDIR=${HOSTDIR}/dbpass
         ECCURVES_DIR=${HOSTDIR}/eccurves
         DISTRUSTDIR=${HOSTDIR}/distrust
         SERVER_CADIR=${HOSTDIR}/serverCA
         CLIENT_CADIR=${HOSTDIR}/clientCA
         EXT_SERVERDIR=${HOSTDIR}/ext_server
         EXT_CLIENTDIR=${HOSTDIR}/ext_client
 +        IMPLICIT_INIT_DIR=${HOSTDIR}/implicit_init
         IOPR_CADIR=${HOSTDIR}/CA_iopr
         IOPR_SSL_SERVERDIR=${HOSTDIR}/server_ssl_iopr
         IOPR_SSL_CLIENTDIR=${HOSTDIR}/client_ssl_iopr
         IOPR_OCSP_CLIENTDIR=${HOSTDIR}/client_ocsp_iopr
         CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
         STAPLINGDIR=${HOSTDIR}/stapling
@@ -531,16 +532,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
     D_SERVER="Server.$version"
     D_CLIENT="Client.$version"
     D_NOLOGIN="NoLogin.$version"
     D_FIPS="FIPS.$version"
     D_DBPASS="DBPASS.$version"
     D_ECCURVES="ECCURVES.$version"
     D_EXT_SERVER="ExtendedServer.$version"
     D_EXT_CLIENT="ExtendedClient.$version"
 +    D_IMPLICIT_INIT="ImplicitInit.$version"
     D_CERT_EXTENSTIONS="CertExtensions.$version"
     D_DISTRUST="Distrust.$version"
     # we need relative pathnames of these files abd directories, since our
     # tools can't handle the unix style absolut pathnames on cygnus
     R_CADIR=../CA
     R_SERVERDIR=../server
@@ -550,16 +552,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
     R_IOPR_SSL_CLIENTDIR=../client_ssl_iopr
     R_IOPR_OCSP_CLIENTDIR=../client_ocsp_iopr
     R_ALICEDIR=../alicedir
     R_BOBDIR=../bobdir
     R_DAVEDIR=../dave
     R_EVEDIR=../eve
     R_EXT_SERVERDIR=../ext_server
     R_EXT_CLIENTDIR=../ext_client
 +    R_IMPLICIT_INIT_DIR=../implicit_init
     R_CERT_EXT=../cert_extensions
     R_STAPLINGDIR=../stapling
     R_NOLOGINDIR=../nologin
     R_SSLGTESTDIR=../ssl_gtests
     R_GTESTDIR=../gtests
     #
     # profiles are either paths or domains depending on the setting of
@@ -570,27 +573,29 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
     P_R_BOBDIR=${R_BOBDIR}
     P_R_DAVEDIR=${R_DAVEDIR}
     P_R_EVEDIR=${R_EVEDIR}
     P_R_SERVERDIR=${R_SERVERDIR}
     P_R_CLIENTDIR=${R_CLIENTDIR}
     P_R_NOLOGINDIR=${R_NOLOGINDIR}
     P_R_EXT_SERVERDIR=${R_EXT_SERVERDIR}
     P_R_EXT_CLIENTDIR=${R_EXT_CLIENTDIR}
 +    P_R_IMPLICIT_INIT_DIR=${R_IMPLICIT_INIT_DIR}
     if [ -n "${MULTIACCESS_DBM}" ]; then
         P_R_CADIR="multiaccess:${D_CA}"
         P_R_ALICEDIR="multiaccess:${D_ALICE}"
         P_R_BOBDIR="multiaccess:${D_BOB}"
         P_R_DAVEDIR="multiaccess:${D_DAVE}"
         P_R_EVEDIR="multiaccess:${D_EVE}"
         P_R_SERVERDIR="multiaccess:${D_SERVER}"
         P_R_CLIENTDIR="multiaccess:${D_CLIENT}"
         P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
         P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
         P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
 +        P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
     fi
     R_PWFILE=../tests.pw
     R_EMPTY_FILE=../tests_empty
     R_NOISE_FILE=../tests_noise
     R_FIPSPWFILE=../tests.fipspw
     R_FIPSBADPWFILE=../tests.fipsbadpw
--- a/nss-sql-3-1395495-a.patch
+++ b/nss-sql-3-1395495-a.patch
@ -1,191 +0,0 @@
 # HG changeset patch
 # User Daiki Ueno <dueno@redhat.com>
 # Date 1505483851 -7200
 # Node ID 279b257c6433f1972d49c529247e6ed2633b979f
 # Parent  88b6e9707b17c6b1ba5017cbf62e70bba58c2fcd
 Bug 1395495, modutil: Initialize DB with empty password on -create, r=kaie
 diff --git a/cmd/modutil/error.h b/cmd/modutil/error.h
 --- a/cmd/modutil/error.h
 +++ b/cmd/modutil/error.h
@@ -52,16 +52,17 @@ typedef enum {
     ENABLE_FAILED_ERR,
     UPDATE_MOD_FAILED_ERR,
     DEFAULT_FAILED_ERR,
     UNDEFAULT_FAILED_ERR,
     STDIN_READ_ERR,
     UNSPECIFIED_ERR,
     NOCERTDB_MISUSE_ERR,
     NSS_INITIALIZE_FAILED_ERR,
 +    INITPW_FAILED_ERR,
     LAST_ERR /* must be last */
 } Error;
 #define SUCCESS NO_ERR
 /* !!! Should move this into its own .c and un-static it. */
 static char *errStrings[] = {
     "Operation completed successfully.\n",
@@ -105,17 +106,18 @@ static char *errStrings[] = {
     "ERROR: Slot \"%s\" not found.\n",
     "ERROR: Failed to %s slot \"%s\".\n",
     "ERROR: Failed to update module \"%s\".\n",
     "ERROR: Failed to change defaults.\n",
     "ERROR: Failed to change default.\n",
     "ERROR: Unable to read from standard input.\n",
     "ERROR: Unknown error occurred.\n",
     "ERROR: -nocertdb option can only be used with the -jar command.\n",
 -    "ERROR: NSS_Initialize() failed.\n"
 +    "ERROR: NSS_Initialize() failed.\n",
 +    "ERROR: Unable to set initial password on the database.\n"
 };
 typedef enum {
     FIPS_ENABLED_MSG = 0,
     FIPS_DISABLED_MSG,
     USING_DBDIR_MSG,
     CREATING_DB_MSG,
     ADD_MODULE_SUCCESS_MSG,
 diff --git a/cmd/modutil/modutil.c b/cmd/modutil/modutil.c
 --- a/cmd/modutil/modutil.c
 +++ b/cmd/modutil/modutil.c
@@ -860,17 +860,17 @@ main(int argc, char* argv[])
     switch (command) {
         case ADD_COMMAND:
             errcode = AddModule(moduleName, libFile, ciphers, mechanisms, secmodString);
             break;
         case CHANGEPW_COMMAND:
             errcode = ChangePW(tokenName, pwFile, newpwFile);
             break;
         case CREATE_COMMAND:
 -            /* The work was already done in init_crypto() */
 +            errcode = InitPW();
             break;
         case DEFAULT_COMMAND:
             errcode = SetDefaultModule(moduleName, slotName, mechanisms);
             break;
         case DELETE_COMMAND:
             errcode = DeleteModule(moduleName);
             break;
         case DISABLE_COMMAND:
 diff --git a/cmd/modutil/modutil.h b/cmd/modutil/modutil.h
 --- a/cmd/modutil/modutil.h
 +++ b/cmd/modutil/modutil.h
@@ -24,16 +24,17 @@
 Error LoadMechanismList(void);
 Error FipsMode(char *arg);
 Error ChkFipsMode(char *arg);
 Error AddModule(char *moduleName, char *libFile, char *ciphers,
                 char *mechanisms, char *modparms);
 Error DeleteModule(char *moduleName);
 Error ListModule(char *moduleName);
 Error ListModules();
 +Error InitPW(void);
 Error ChangePW(char *tokenName, char *pwFile, char *newpwFile);
 Error EnableModule(char *moduleName, char *slotName, PRBool enable);
 Error RawAddModule(char *dbmodulespec, char *modulespec);
 Error RawListModule(char *modulespec);
 Error SetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
 Error UnsetDefaultModule(char *moduleName, char *slotName, char *mechanisms);
 void out_of_memory(void);
 diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c
 --- a/cmd/modutil/pk11.c
 +++ b/cmd/modutil/pk11.c
@@ -665,16 +665,49 @@ loser:
     if (module) {
         SECMOD_DestroyModule(module);
     }
     return rv;
 }
 /************************************************************************
  *
 + * I n i t P W
 + */
 +Error
 +InitPW(void)
 +{
 +    PK11SlotInfo *slot;
 +    Error ret = UNSPECIFIED_ERR;
 +
 +    slot = PK11_GetInternalKeySlot();
 +    if (!slot) {
 +        PR_fprintf(PR_STDERR, errStrings[NO_SUCH_TOKEN_ERR], "internal");
 +        return NO_SUCH_TOKEN_ERR;
 +    }
 +
 +    /* Set the initial password to empty */
 +    if (PK11_NeedUserInit(slot)) {
 +        if (PK11_InitPin(slot, NULL, "") != SECSuccess) {
 +            PR_fprintf(PR_STDERR, errStrings[INITPW_FAILED_ERR]);
 +            ret = INITPW_FAILED_ERR;
 +            goto loser;
 +        }
 +    }
 +
 +    ret = SUCCESS;
 +
 +loser:
 +    PK11_FreeSlot(slot);
 +
 +    return ret;
 +}
 +
 +/************************************************************************
 + *
  * C h a n g e P W
  */
 Error
 ChangePW(char *tokenName, char *pwFile, char *newpwFile)
 {
     char *oldpw = NULL, *newpw = NULL, *newpw2 = NULL;
     PK11SlotInfo *slot;
     Error ret = UNSPECIFIED_ERR;
 diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
 --- a/tests/tools/tools.sh
 +++ b/tests/tools/tools.sh
@@ -492,27 +492,41 @@ SIGNSCRIPT
   echo "$SCRIPTNAME: Show who signed xpi ------------------------------"
   echo "signtool -w nojs.xpi -d ${P_R_SIGNDIR}"
   ${BINDIR}/signtool -w nojs.xpi -d ${P_R_SIGNDIR}
   html_msg $? 0 "Show who signed xpi (signtool -w)"
 }
 +tools_modutil()
 +{
 +  echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized"
 +  mkdir -p ${R_TOOLSDIR}/moddir
 +  modu -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
 +  ret=$?
 +  ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
 +	   -x -t ',,' -z "${R_NOISE_FILE}"
 +  ret=$?
 +  html_msg $ret 0 "Test if DB created by modutil -create is initialized"
 +  check_tmpfile
 +}
 +
 ############################## tools_cleanup ###########################
 # local shell function to finish this script (no exit since it might be 
 # sourced)
 ########################################################################
 tools_cleanup()
 {
   html "</TABLE><BR>"
   cd ${QADIR}
   . common/cleanup.sh
 }
 ################## main #################################################
 tools_init
 tools_p12
 tools_sign
 +tools_modutil
 tools_cleanup
--- a/nss-sql-3-1395495-b.patch
+++ b/nss-sql-3-1395495-b.patch
@ -1,33 +0,0 @@
 # HG changeset patch
 # User Daiki Ueno <dueno@redhat.com>
 # Date 1505742679 -7200
 # Node ID 70109a01ce53328b511aaa6c839593a3282cb725
 # Parent  279b257c6433f1972d49c529247e6ed2633b979f
 Bug 1395495, bustage fix, Don't use the modu function from cert.sh, r=kaie
 diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
 --- a/tests/tools/tools.sh
 +++ b/tests/tools/tools.sh
@@ -496,17 +496,19 @@ SIGNSCRIPT
   html_msg $? 0 "Show who signed xpi (signtool -w)"
 }
 tools_modutil()
 {
   echo "$SCRIPTNAME: Test if DB created by modutil -create is initialized"
   mkdir -p ${R_TOOLSDIR}/moddir
 -  modu -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
 +  # copied from modu function in cert.sh
 +  # echo is used to press Enter expected by modutil
 +  echo | ${BINDIR}/modutil -create -dbdir "${R_TOOLSDIR}/moddir" 2>&1
   ret=$?
   ${BINDIR}/certutil -S -s 'CN=TestUser' -d "${TOOLSDIR}/moddir" -n TestUser \
 	   -x -t ',,' -z "${R_NOISE_FILE}"
   ret=$?
   html_msg $ret 0 "Test if DB created by modutil -create is initialized"
   check_tmpfile
 }
--- a/nss.spec
+++ b/nss.spec
@ -1,15 +1,15 @@
 %global nspr_version 4.17.0
-%global nss_util_version 3.33.0
+%global nss_util_version 3.34.0
-%global nss_softokn_version 3.33.0
+%global nss_softokn_version 3.34.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 Summary:          Network Security Services
 Name:             nss
-Version:          3.33.0
+Version:          3.34.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          6%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -98,13 +98,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch59: nss-check-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
 # rhbz#1505487, backport several upstream fixes from upstream NSS 3.34
 Patch71: nss-sql-1-1403691-a.patch
 Patch72: nss-sql-1-1403691-b.patch
 Patch73: nss-sql-2-1382278-a.patch
 Patch74: nss-sql-2-1382278-b.patch
 Patch75: nss-sql-3-1395495-a.patch
 Patch76: nss-sql-3-1395495-b.patch
 # Fix upgrade_db test use dbm by default, required with default sql
 Patch77: nss-sql-4-1377940-test.patch
@ -191,12 +184,6 @@ pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p1 -b .skip_util_gtest
 %patch71 -p1 -b .1403691-a
 %patch72 -p1 -b .1403691-b
 %patch73 -p1 -b .1382278-a
 %patch74 -p1 -b .1382278-b
 %patch75 -p1 -b .1395495-a
 %patch76 -p1 -b .1395495-b
 %patch77 -p1 -b .1377940
 popd
@ -774,6 +761,9 @@ done
 %changelog
 * Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-2
 - Update to NSS 3.34.0
 * Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-6
 - Make sure 32bit nss-pem always be installed with 32bit nss in
  multlib environment, patch by Kamil Dudka
--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.33.0.tar.gz) = 50c0445c64972e80ac5863b34c3e0639a02f32247d1a6d3505e2a7c93c950c098f79e75cd9ca420b8b77432ac4558eed049e621f080f53b5652a3bbc1f390c54
+SHA512 (nss-3.34.0.tar.gz) = 2826e3d327af34714d521edac0fba4da6e14c7a28750ccfeeba8259b0a1954233fc47dcbec47b6aeb96f53de501adc15adf130379efa503b00677a924eb50080