- Bug 750376 Enable updating nss to 3.13.x while keeping nss-softokn at 3.12.9

- Statically link the pem module against system freebl found in buildroot
- Disable sha224-related powerup selftest until we update softokn
- Disable sha224 and rsapss tests which nss-softokn 3.12.x doesn't support
- nss-softokn 3.12.9 was submitted for FIPS 140 minor revalidation

nofipstest.patch

@@ -0,0 +1,19 @@
+diff -up ./mozilla/security/nss/cmd/manifest.mn.nofipstest ./mozilla/security/nss/cmd/manifest.mn
+--- ./mozilla/security/nss/cmd/manifest.mn.nofipstest	2011-12-03 22:54:40.969914919 -0800
++++ ./mozilla/security/nss/cmd/manifest.mn	2011-12-03 22:55:12.348505822 -0800
+@@ -54,7 +54,6 @@ DIRS = lib  \
+  dbtest \
+  derdump  \
+  digest  \
+- fipstest  \
+  makepqg  \
+  multinit \
+  ocspclnt  \
+@@ -84,6 +83,7 @@ DIRS = lib  \
+  $(NULL)
+ 
+ TEMPORARILY_DONT_BUILD = \
++ fipstest  \
+  $(NULL)
+ 
+ # rsaperf  \

nosha224.patch

@@ -0,0 +1,618 @@
+diff -up ./mozilla/security/coreconf/Linux.mk.nosha224 ./mozilla/security/coreconf/Linux.mk
+--- ./mozilla/security/coreconf/Linux.mk.nosha224	2011-12-04 22:03:47.295609957 -0800
++++ ./mozilla/security/coreconf/Linux.mk	2011-12-04 22:03:47.301609957 -0800
+@@ -188,6 +188,14 @@ NSSUTIL_LIBS = -lnssutil3
+ USE_SYSTEM_FREEBL = 1
+ FREEBL_LIBS = -lfreebl3
+ 
++#
++# Don't compile code that requires SHA224 if it isn't avilable
++# Such is the case when system freebl/softokn is the 3.12 one
++#
++ifdef NO_SHA224_AVAILABLE
++CFLAGS+=-DNO_SHA224_AVAILABLE
++endif
++
+ # The -rpath '$$ORIGIN' linker option instructs this library to search for its
+ # dependencies in the same directory where it resides.
+ ifeq ($(BUILD_SUN_PKG), 1)
+diff -up ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 ./mozilla/security/nss/cmd/bltest/blapitest.c
+--- ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224	2011-09-16 12:16:50.000000000 -0700
++++ ./mozilla/security/nss/cmd/bltest/blapitest.c	2011-12-04 22:03:47.302609957 -0800
+@@ -686,7 +686,9 @@ typedef enum {
+     bltestMD2,		  /* Hash algorithms	   */
+     bltestMD5,		  /* .			   */
+     bltestSHA1,           /* .			   */
++#ifndef NO_SHA224_AVAILABLE
+     bltestSHA224,         /* .			   */
++#endif
+     bltestSHA256,         /* .			   */
+     bltestSHA384,         /* .			   */
+     bltestSHA512,         /* .			   */
+@@ -721,7 +723,9 @@ static char *mode_strings[] =
+     "md2",
+     "md5",
+     "sha1",
++#ifndef NO_SHA224_AVAILABLE
+     "sha224",
++#endif
+     "sha256",
+     "sha384",
+     "sha512",
+@@ -1761,6 +1765,7 @@ finish:
+     return rv;
+ }
+ 
++#ifndef NO_SHA224_AVAILABLE
+ SECStatus
+ SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+ {
+@@ -1800,6 +1805,7 @@ finish:
+     SHA224_DestroyContext(cx, PR_TRUE);
+     return rv;
+ }
++#endif
+ 
+ SECStatus
+ SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length)
+@@ -2093,6 +2099,7 @@ cipherInit(bltestCipherInfo *cipherInfo,
+ 	cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf;
+ 	return SECSuccess;
+ 	break;
++#ifndef NO_SHA224_AVAILABLE
+     case bltestSHA224:
+ 	restart = cipherInfo->params.hash.restart;
+ 	SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
+@@ -2100,6 +2107,7 @@ cipherInit(bltestCipherInfo *cipherInfo,
+ 	cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart 
+ 	                                          : SHA224_HashBuf;
+ 	return SECSuccess;
++#endif
+ 	break;
+     case bltestSHA256:
+ 	restart = cipherInfo->params.hash.restart;
+@@ -2542,7 +2550,9 @@ cipherFinish(bltestCipherInfo *cipherInf
+     case bltestMD2: /* hash contexts are ephemeral */
+     case bltestMD5:
+     case bltestSHA1:
++#ifndef NO_SHA224_AVAILABLE
+     case bltestSHA224:
++#endif
+     case bltestSHA256:
+     case bltestSHA384:
+     case bltestSHA512:
+@@ -2896,7 +2906,9 @@ get_params(PRArenaPool *arena, bltestPar
+     case bltestMD2:
+     case bltestMD5:
+     case bltestSHA1:
++#ifndef NO_SHA224_AVAILABLE
+     case bltestSHA224:
++#endif
+     case bltestSHA256:
+     case bltestSHA384:
+     case bltestSHA512:
+diff -up ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224 ./mozilla/security/nss/cmd/chktest/chktest.c
+--- ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224	2010-12-06 09:22:49.000000000 -0800
++++ ./mozilla/security/nss/cmd/chktest/chktest.c	2011-12-04 22:03:47.304609957 -0800
+@@ -41,6 +41,10 @@
+ #include "blapi.h"
+ #include "secutil.h"
+ 
++#ifdef NO_SHA224_AVAILABLE
++PRBool BLAPI_SHVerifyFile(const char *shName);
++#endif
++
+ static int Usage()
+ {
+     fprintf(stderr, "Usage:  chktest <full-path-to-shared-library>\n");
+diff -up ./mozilla/security/nss/cmd/lib/secutil.c.nosha224 ./mozilla/security/nss/cmd/lib/secutil.c
+--- ./mozilla/security/nss/cmd/lib/secutil.c.nosha224	2011-10-22 07:35:41.000000000 -0700
++++ ./mozilla/security/nss/cmd/lib/secutil.c	2011-12-04 22:03:47.305609957 -0800
+@@ -86,6 +86,14 @@ static char consoleName[] =  {
+ #include "nssutil.h"
+ #include "ssl.h"
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ 
+ void 
+ SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...)
+@@ -1509,6 +1517,8 @@ const SEC_ASN1Template secuPBEV2Params[]
+     { 0 }
+ };
+ 
++/* if no sha224 then no psapss either */
++#ifndef NO_SHA224_AVAILABLE
+ void
+ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+ {
+@@ -1572,6 +1582,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte
+     }
+     PORT_FreeArena(pool, PR_FALSE);
+ }
++#endif
+ 
+ void
+ secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
+@@ -1684,10 +1695,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo
+ 	return;
+     }
+ 
++#ifndef NO_SHA224_AVAILABLE
+     if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+ 	secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+ 	return;
+     }
++#endif
+ 
+     if (a->parameters.len == 0
+ 	|| (a->parameters.len == 2
+@@ -3763,8 +3776,10 @@ SECU_StringToSignatureAlgTag(const char
+ 	    hashAlgTag = SEC_OID_MD5;
+ 	} else if (!PL_strcmp(alg, "SHA1")) {
+ 	    hashAlgTag = SEC_OID_SHA1;
++#ifndef NO_SHA224_AVAILABLE
+ 	} else if (!PL_strcmp(alg, "SHA224")) {
+ 	    hashAlgTag = SEC_OID_SHA224;
++#endif
+ 	} else if (!PL_strcmp(alg, "SHA256")) {
+ 	    hashAlgTag = SEC_OID_SHA256;
+ 	} else if (!PL_strcmp(alg, "SHA384")) {
+diff -up ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224 ./mozilla/security/nss/cmd/pk11mode/pk11mode.c
+--- ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224	2011-12-04 22:07:27.230604899 -0800
++++ ./mozilla/security/nss/cmd/pk11mode/pk11mode.c	2011-12-04 22:10:06.365601241 -0800
+@@ -883,21 +883,27 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR
+ 
+     mech_str digestMechs[] = {
+         {CKM_SHA_1, "CKM_SHA_1 "},
++#ifndef NO_SHA224_AVAILABLE
+         {CKM_SHA224, "CKM_SHA224"},
++#endif
+         {CKM_SHA256, "CKM_SHA256"},
+         {CKM_SHA384, "CKM_SHA384"},
+         {CKM_SHA512, "CKM_SHA512"}
+     };
+     mech_str hmacMechs[] = {
+         {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, 
++#ifndef NO_SHA224_AVAILABLE
+         {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"},
++#endif
+         {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"},
+         {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"},
+         {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"}
+     };
+     mech_str sigRSAMechs[] = {
+         {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, 
++#ifndef NO_SHA224_AVAILABLE
+         {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"},
++#endif
+         {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"},
+         {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"},
+         {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"}
+diff -up ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224 ./mozilla/security/nss/lib/cryptohi/sechash.c
+--- ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224	2011-06-21 15:47:54.000000000 -0700
++++ ./mozilla/security/nss/lib/cryptohi/sechash.c	2011-12-04 22:03:47.306609957 -0800
+@@ -91,10 +91,12 @@ sha1_NewContext(void) {
+ 	return (void *) PK11_CreateDigestContext(SEC_OID_SHA1);
+ }
+ 
++#ifndef NO_SHA224_AVAILABLE
+ static void *
+ sha224_NewContext(void) {
+ 	return (void *) PK11_CreateDigestContext(SEC_OID_SHA224);
+ }
++#endif
+ 
+ static void *
+ sha256_NewContext(void) {
+@@ -189,6 +191,7 @@ const SECHashObject SECHashObjects[] = {
+     SHA512_BLOCK_LENGTH,
+     HASH_AlgSHA512
+   },
++#ifndef NO_SHA224_AVAILABLE
+   { SHA224_LENGTH,
+     (void * (*)(void)) sha224_NewContext,
+     (void * (*)(void *)) PK11_CloneContext,
+@@ -200,6 +203,7 @@ const SECHashObject SECHashObjects[] = {
+     SHA224_BLOCK_LENGTH,
+     HASH_AlgSHA224
+   },
++#endif
+ };
+ 
+ const SECHashObject * 
+@@ -217,7 +221,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashO
+     case SEC_OID_MD2:	 ht = HASH_AlgMD2;    break;
+     case SEC_OID_MD5:	 ht = HASH_AlgMD5;    break;
+     case SEC_OID_SHA1:	 ht = HASH_AlgSHA1;   break;
++#ifndef NO_SHA224_AVAILABLE
+     case SEC_OID_SHA224: ht = HASH_AlgSHA224; break;
++#endif
+     case SEC_OID_SHA256: ht = HASH_AlgSHA256; break;
+     case SEC_OID_SHA384: ht = HASH_AlgSHA384; break;
+     case SEC_OID_SHA512: ht = HASH_AlgSHA512; break;
+@@ -237,7 +243,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
+     /* no oid exists for HMAC_MD2 */
+     /* NSS does not define a oid for HMAC_MD4 */
+     case SEC_OID_HMAC_SHA1:   hashOid = SEC_OID_SHA1;   break;
++#ifndef NO_SHA224_AVAILABLE
+     case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break;
++#endif
+     case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break;
+     case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break;
+     case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break;
+@@ -257,7 +265,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag
+     /* no oid exists for HMAC_MD2 */
+     /* NSS does not define a oid for HMAC_MD4 */
+     case SEC_OID_SHA1:   hmacOid = SEC_OID_HMAC_SHA1;   break;
++#ifndef NO_SHA224_AVAILABLE
+     case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break;
++#endif
+     case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break;
+     case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break;
+     case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break;
+diff -up ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224 ./mozilla/security/nss/lib/cryptohi/seckey.c
+--- ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224	2011-10-22 07:35:42.000000000 -0700
++++ ./mozilla/security/nss/lib/cryptohi/seckey.c	2011-12-04 22:03:47.307609957 -0800
+@@ -550,7 +550,9 @@ seckey_GetKeyType (SECOidTag tag) {
+ 	* should be handing us a cipher type */
+       case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
++#ifndef NO_SHA224_AVAILABLE
+       case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
++#endif
+       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+diff -up ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224 ./mozilla/security/nss/lib/cryptohi/secvfy.c
+--- ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224	2011-10-22 07:35:42.000000000 -0700
++++ ./mozilla/security/nss/lib/cryptohi/secvfy.c	2011-12-04 22:03:47.307609957 -0800
+@@ -240,11 +240,12 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
+       case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+         *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */
+ 	break;
+-
++#ifndef NO_SHA224_AVAILABLE
+       case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+       case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
+ 	*hashalg = SEC_OID_SHA224;
+ 	break;
++#endif
+       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+ 	*hashalg = SEC_OID_SHA256;
+@@ -279,8 +280,10 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
+ 	len = SECKEY_PublicKeyStrength(key);
+ 	if (len < 28) { /* 28 bytes == 224 bits */
+ 	    *hashalg = SEC_OID_SHA1;
++#ifndef NO_SHA224_AVAILABLE
+ 	} else if (len < 32) { /* 32 bytes == 256 bits */
+ 	    *hashalg = SEC_OID_SHA224;
++#endif
+ 	} else if (len < 48) { /* 48 bytes == 384 bits */
+ 	    *hashalg = SEC_OID_SHA256;
+ 	} else if (len < 64) { /* 48 bytes == 512 bits */
+@@ -325,7 +328,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
+       case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+       case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+       case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
++#ifndef NO_SHA224_AVAILABLE
+       case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION:
++#endif
+       case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+       case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+       case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+@@ -347,7 +352,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey *
+ 	*encalg = SEC_OID_MISSI_DSS;
+ 	break;
+       case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
++#ifndef NO_SHA224_AVAILABLE
+       case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
++#endif
+       case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+       case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+       case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+diff -up ./mozilla/security/nss/lib/freebl/blapi.h.nosha224 ./mozilla/security/nss/lib/freebl/blapi.h
+--- ./mozilla/security/nss/lib/freebl/blapi.h.nosha224	2011-10-04 15:05:53.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/blapi.h	2011-12-04 22:03:47.308609957 -0800
+@@ -1088,7 +1088,7 @@ extern SHA1Context * SHA1_Resurrect(unsi
+ extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src);
+ 
+ /******************************************/
+-
++#ifndef NO_SHA224_AVAILABLE
+ extern SHA224Context *SHA224_NewContext(void);
+ extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit);
+ extern void SHA224_Begin(SHA224Context *cx);
+@@ -1104,6 +1104,7 @@ extern unsigned int SHA224_FlattenSize(S
+ extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space);
+ extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg);
+ extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src);
++#endif
+ 
+ /******************************************/
+ 
+diff -up ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224 ./mozilla/security/nss/lib/freebl/ldvector.c
+--- ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224	2011-10-04 15:05:53.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/ldvector.c	2011-12-04 22:03:47.309609957 -0800
+@@ -270,7 +270,7 @@ static const struct FREEBLVectorStr vect
+     JPAKE_Verify,
+     JPAKE_Round2,
+     JPAKE_Final,
+-
++#ifndef NO_SHA224_AVAILABLE
+     /* End of Version 3.012 */
+ 
+     TLS_P_hash,
+@@ -287,7 +287,7 @@ static const struct FREEBLVectorStr vect
+     SHA224_Resurrect,
+     SHA224_Clone,
+     BLAPI_SHVerifyFile
+-
++#endif
+     /* End of Version 3.013 */
+ };
+ 
+diff -up ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224 ./mozilla/security/nss/lib/freebl/nsslowhash.c
+--- ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224	2010-09-09 17:42:36.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/nsslowhash.c	2011-12-04 22:03:47.309609957 -0800
+@@ -128,14 +128,14 @@ freebl_fips_SHA_PowerUpSelfTest( void )
+ 			       0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b,
+ 			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
+ 			       0xe0,0x68,0x47,0x7a};
+-
++#ifndef NO_SHA224_AVAILABLE
+     /* SHA-224 Known Digest Message (224-bits). */
+     static const PRUint8 sha224_known_digest[] = {
+         0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, 
+         0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8,
+         0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64,
+         0x9a,0xb8,0x98,0x4e};
+-
++#endif
+     /* SHA-256 Known Digest Message (256-bits). */
+     static const PRUint8 sha256_known_digest[] = {
+         0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61,
+@@ -178,7 +178,7 @@ freebl_fips_SHA_PowerUpSelfTest( void )
+         ( PORT_Memcmp( sha_computed_digest, sha1_known_digest,
+                        SHA1_LENGTH ) != 0 ) )
+         return( CKR_DEVICE_ERROR );
+-
++#ifndef NO_SHA224_AVAILABLE
+     /***************************************************/
+     /* SHA-224 Single-Round Known Answer Hashing Test. */
+     /***************************************************/
+@@ -190,7 +190,7 @@ freebl_fips_SHA_PowerUpSelfTest( void )
+         ( PORT_Memcmp( sha_computed_digest, sha224_known_digest,
+                        SHA224_LENGTH ) != 0 ) )
+         return( CKR_DEVICE_ERROR );
+-
++#endif
+     /***************************************************/
+     /* SHA-256 Single-Round Known Answer Hashing Test. */
+     /***************************************************/
+diff -up ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224 ./mozilla/security/nss/lib/freebl/rawhash.c
+--- ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224	2010-08-17 22:55:47.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/rawhash.c	2011-12-04 22:03:47.309609957 -0800
+@@ -155,6 +155,7 @@ const SECHashObject SECRawHashObjects[]
+     SHA512_BLOCK_LENGTH,
+     HASH_AlgSHA512
+   },
++#ifndef NO_SHA224_AVAILABLE
+   { SHA224_LENGTH,
+     (void * (*)(void)) SHA224_NewContext,
+     (void * (*)(void *)) null_hash_clone_context,
+@@ -166,6 +167,7 @@ const SECHashObject SECRawHashObjects[]
+     SHA224_BLOCK_LENGTH,
+     HASH_AlgSHA224
+   },
++#endif
+ };
+ 
+ const SECHashObject *
+diff -up ./mozilla/security/nss/lib/freebl/sha512.c.nosha224 ./mozilla/security/nss/lib/freebl/sha512.c
+--- ./mozilla/security/nss/lib/freebl/sha512.c.nosha224	2011-09-14 10:48:03.000000000 -0700
++++ ./mozilla/security/nss/lib/freebl/sha512.c	2011-12-04 22:03:47.310609957 -0800
+@@ -544,6 +544,7 @@ void SHA256_Clone(SHA256Context *dest, S
+     memcpy(dest, src, sizeof *dest);
+ }
+ 
++#ifndef NO_SHA224_AVAILABLE
+ /* ============= SHA224 implementation ================================== */
+ 
+ /* SHA-224 initial hash values */
+@@ -630,7 +631,7 @@ void SHA224_Clone(SHA224Context *dest, S
+ {
+     SHA256_Clone(dest, src);
+ }
+-
++#endif
+ 
+ /* ======= SHA512 and SHA384 common constants and defines ================= */
+ 
+diff -up ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224 ./mozilla/security/nss/lib/softoken/fipstest.c
+--- ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224	2011-03-29 08:12:43.000000000 -0700
++++ ./mozilla/security/nss/lib/softoken/fipstest.c	2011-12-04 22:03:47.311609956 -0800
+@@ -865,12 +865,14 @@ sftk_fips_HMAC_PowerUpSelfTest( void )
+         0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, 
+         0x5d, 0x0e, 0x1e, 0x11};
+ 
++#ifndef NO_SHA224_AVAILABLE
+     /* known SHA224 hmac (28 bytes) */
+     static const PRUint8 known_SHA224_hmac[] = {
+         0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, 
+         0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8,
+         0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64,
+         0x9a, 0xb8, 0x98, 0x4e};
++#endif
+ 
+     /* known SHA256 hmac (32 bytes) */
+     static const PRUint8 known_SHA256_hmac[] = {
+@@ -922,6 +924,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void )
+     /* HMAC SHA-224 Single-Round Known Answer Test.    */
+     /***************************************************/
+ 
++#ifndef NO_SHA224_AVAILABLE
+     hmac_status = sftk_fips_HMAC(hmac_computed, 
+                                  HMAC_known_secret_key,
+                                  HMAC_known_secret_key_length,
+@@ -933,6 +936,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void )
+         ( PORT_Memcmp( hmac_computed, known_SHA224_hmac,
+                        SHA224_LENGTH ) != 0 ) )
+         return( CKR_DEVICE_ERROR );
++#endif
+ 
+     /***************************************************/
+     /* HMAC SHA-256 Single-Round Known Answer Test.    */
+@@ -994,12 +998,14 @@ sftk_fips_SHA_PowerUpSelfTest( void )
+ 			       0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0,
+ 			       0xe0,0x68,0x47,0x7a};
+ 
++#ifndef NO_SHA224_AVAILABLE
+     /* SHA-224 Known Digest Message (224-bits). */
+     static const PRUint8 sha224_known_digest[] = {
+         0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f,
+         0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f, 
+         0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f, 
+         0x8e,0x08,0xe5,0xcb};
++#endif
+ 
+     /* SHA-256 Known Digest Message (256-bits). */
+     static const PRUint8 sha256_known_digest[] = {
+@@ -1048,6 +1054,7 @@ sftk_fips_SHA_PowerUpSelfTest( void )
+     /* SHA-224 Single-Round Known Answer Hashing Test. */
+     /***************************************************/
+ 
++#ifndef NO_SHA224_AVAILABLE
+     sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message,
+                                 FIPS_KNOWN_HASH_MESSAGE_LENGTH );
+ 
+@@ -1055,6 +1062,7 @@ sftk_fips_SHA_PowerUpSelfTest( void )
+         ( PORT_Memcmp( sha_computed_digest, sha224_known_digest,
+                        SHA224_LENGTH ) != 0 ) )
+         return( CKR_DEVICE_ERROR );
++#endif
+ 
+     /***************************************************/
+     /* SHA-256 Single-Round Known Answer Hashing Test. */
+diff -up ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11c.c
+--- ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224	2011-09-21 11:49:16.000000000 -0700
++++ ./mozilla/security/nss/lib/softoken/pkcs11c.c	2011-12-04 22:03:47.313609956 -0800
+@@ -1316,7 +1316,9 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE h
+     INIT_MECH(CKM_MD2,    MD2)
+     INIT_MECH(CKM_MD5,    MD5)
+     INIT_MECH(CKM_SHA_1,  SHA1)
++#ifndef NO_SHA224_AVAILABLE
+     INIT_MECH(CKM_SHA224, SHA224)
++#endif
+     INIT_MECH(CKM_SHA256, SHA256)
+     INIT_MECH(CKM_SHA384, SHA384)
+     INIT_MECH(CKM_SHA512, SHA512)
+@@ -1440,7 +1442,9 @@ sftk_doSub ## mmm(SFTKSessionContext *co
+ DOSUB(MD2)
+ DOSUB(MD5)
+ DOSUB(SHA1)
++#ifndef NO_SHA224_AVAILABLE
+ DOSUB(SHA224)
++#endif
+ DOSUB(SHA256)
+ DOSUB(SHA384)
+ DOSUB(SHA512)
+@@ -2013,7 +2017,9 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSe
+     INIT_RSA_SIGN_MECH(MD5)
+     INIT_RSA_SIGN_MECH(MD2)
+     INIT_RSA_SIGN_MECH(SHA1)
++#ifndef NO_SHA224_AVAILABLE
+     INIT_RSA_SIGN_MECH(SHA224)
++#endif
+     INIT_RSA_SIGN_MECH(SHA256)
+     INIT_RSA_SIGN_MECH(SHA384)
+     INIT_RSA_SIGN_MECH(SHA512)
+@@ -2131,7 +2137,9 @@ finish_rsa:
+ 
+     INIT_HMAC_MECH(MD2)
+     INIT_HMAC_MECH(MD5)
++#ifndef NO_SHA224_AVAILABLE
+     INIT_HMAC_MECH(SHA224)
++#endif
+     INIT_HMAC_MECH(SHA256)
+     INIT_HMAC_MECH(SHA384)
+     INIT_HMAC_MECH(SHA512)
+@@ -2529,7 +2537,9 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE h
+     INIT_RSA_VFY_MECH(MD5) 
+     INIT_RSA_VFY_MECH(MD2) 
+     INIT_RSA_VFY_MECH(SHA1) 
++#ifndef NO_SHA224_AVAILABLE
+     INIT_RSA_VFY_MECH(SHA224)
++#endif
+     INIT_RSA_VFY_MECH(SHA256) 
+     INIT_RSA_VFY_MECH(SHA384) 
+     INIT_RSA_VFY_MECH(SHA512) 
+@@ -2626,7 +2636,9 @@ finish_rsa:
+ 
+     INIT_HMAC_MECH(MD2)
+     INIT_HMAC_MECH(MD5)
++#ifndef NO_SHA224_AVAILABLE
+     INIT_HMAC_MECH(SHA224)
++#endif
+     INIT_HMAC_MECH(SHA256)
+     INIT_HMAC_MECH(SHA384)
+     INIT_HMAC_MECH(SHA512)
+diff -up ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11.c
+--- ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224	2011-01-21 16:12:04.000000000 -0800
++++ ./mozilla/security/nss/lib/softoken/pkcs11.c	2011-12-04 22:03:47.316609956 -0800
+@@ -311,8 +311,10 @@ static const struct mechanismList mechan
+ 				 CKF_SN_VR}, 	PR_TRUE},
+      {CKM_SHA1_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+ 				 CKF_SN_VR}, 	PR_TRUE},
++#ifndef NO_SHA224_AVAILABLE
+      {CKM_SHA224_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+ 				 CKF_SN_VR}, 	PR_TRUE},
++#endif
+      {CKM_SHA256_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+ 				 CKF_SN_VR}, 	PR_TRUE},
+      {CKM_SHA384_RSA_PKCS,	{RSA_MIN_MODULUS_BITS,CK_MAX,
+@@ -401,9 +403,11 @@ static const struct mechanismList mechan
+      {CKM_SHA_1,		{0,   0, CKF_DIGEST},		PR_FALSE},
+      {CKM_SHA_1_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+      {CKM_SHA_1_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
++#ifndef NO_SHA224_AVAILABLE
+      {CKM_SHA224,		{0,   0, CKF_DIGEST},		PR_FALSE},
+      {CKM_SHA224_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+      {CKM_SHA224_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
++#endif
+      {CKM_SHA256,		{0,   0, CKF_DIGEST},		PR_FALSE},
+      {CKM_SHA256_HMAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
+      {CKM_SHA256_HMAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
+diff -up ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224 ./mozilla/security/nss/lib/softoken/rsawrapr.c
+--- ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224	2011-10-22 07:35:43.000000000 -0700
++++ ./mozilla/security/nss/lib/softoken/rsawrapr.c	2011-12-04 22:03:47.316609956 -0800
+@@ -1173,9 +1173,11 @@ GetHashTypeFromMechanism(CK_MECHANISM_TY
+         case CKM_SHA_1:
+         case CKG_MGF1_SHA1:
+ 	    return HASH_AlgSHA1;
++#ifndef NO_SHA224_AVAILABLE
+         case CKM_SHA224:
+         case CKG_MGF1_SHA224:
+ 	    return HASH_AlgSHA224;
++#endif
+         case CKM_SHA256:
+         case CKG_MGF1_SHA256:
+ 	    return HASH_AlgSHA256;
+diff -up ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224 ./mozilla/security/nss/tests/cipher/cipher.txt
+--- ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224	2010-08-17 22:57:05.000000000 -0700
++++ ./mozilla/security/nss/tests/cipher/cipher.txt	2011-12-04 22:03:47.317609956 -0800
+@@ -73,7 +73,6 @@
+ 	0	md2_-H		MD2_Hash
+ 	0	md5_-H		MD5_Hash
+ 	0	sha1_-H		SHA1_Hash
+-	0	sha224_-H	SHA224_Hash
+ 	0	sha256_-H	SHA256_Hash
+ 	0	sha384_-H	SHA384_Hash
+ 	0	sha512_-H	SHA512_Hash

nss.spec

@@ -7,7 +7,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.13.1
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -64,8 +64,14 @@ Patch20:          nsspem-createobject-initialize-pointer.patch
 Patch21:          0001-libnsspem-rhbz-734760.patch
 Patch22:          nsspem-init-inform-not-thread-safe.patch
 Patch23:          nss-ckbi-1.88.rtm.patch
-# Remove this patch which belongs in nss-util
-#Patch24:          gnuc-minor-def-fix.patch
+# must statically link pem against the 3.12.x system freebl in the buildroot
+Patch25:          nsspem-use-system-freebl.patch
+# don't compile the fipstest application
+Patch26:          nofipstest.patch
+# sha224 isn't available we use 3.12 softokn
+Patch27:          nosha224.patch
+# Get rid of it as soon as we can
+Patch28:          terminalrecord.patch
 
 
 %description
@@ -150,8 +156,11 @@ low level services.
 %patch21 -p1 -b .734760
 %patch22 -p0 -b .736410
 %patch23 -p0 -b .ckbi188
-# TODO: Reemove this patch which is now in nss-util
-#%patch24 -p1 -b .gnuc-minor
+# link pem against buildroot's 3.12 freebl
+%patch25 -p0 -b .systemfreebl
+%patch26 -p0 -b .nofipstest
+%patch27 -p0 -b .nosha224
+%patch28 -p0 -b .terminalrecord
 
 
 %build
@@ -178,13 +187,20 @@ export PKG_CONFIG_ALLOW_SYSTEM_LIBS
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
 
 NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'`
+NSPR_LIB_DIR=%{_libdir}
 
 export NSPR_INCLUDE_DIR
 export NSPR_LIB_DIR
 
 NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
-NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss-util | sed 's/-L//'`
+
+export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
+export NSSUTIL_LIB_DIR=%{_libdir}
+export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'`
+export FREEBL_LIB_DIR=%{_libdir}
+export USE_SYSTEM_FREEBL=1
+# prevents running the sha224 portion of the powerup selftest when testing
+export NO_SHA224_AVAILABLE=1
 
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
@@ -221,6 +237,9 @@ export NSS_ECC_MORE_THAN_SUITE_B
 # Set up our package file
 # The nspr_version and nss_{util|softokn}_version globals used
 # here match the ones nss has for its Requires. 
+# TODO: using %%{nss_softokn_fips_version} for rhel
+# but for fefora we will revert to nss_softokn_version after
+# the merge is completed
 %{__mkdir_p} ./mozilla/dist/pkgconfig
 %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
@@ -229,7 +248,7 @@ export NSS_ECC_MORE_THAN_SUITE_B
                           -e "s,%%NSS_VERSION%%,%{version},g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                           -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \
-                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \
+                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_fips_version},g" > \
                           ./mozilla/dist/pkgconfig/nss.pc
 
 NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
@@ -562,6 +581,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Sun Dec 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+
 * Fri Dec 02 2011 Elio Maldonado Batiz <emaldona@redhat.com> - 3.13.1-4
 - Rebuild with nss-softokn from 3.12 in the buildroot
 - Allows the pem module to statically link against 3.12.x freebl

nsspem-use-system-freebl.patch

@@ -0,0 +1,16 @@
+diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk
+--- ./mozilla/security/coreconf/Linux.mk.sytemfreebl	2011-12-03 22:07:23.924156119 -0800
++++ ./mozilla/security/coreconf/Linux.mk	2011-12-03 22:08:28.322328345 -0800
+@@ -182,6 +182,12 @@ endif
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
++USE_SYSTEM_NSSUTIL = 1
++NSSUTIL_LIBS = -lnssutil3
++
++USE_SYSTEM_FREEBL = 1
++FREEBL_LIBS = -lfreebl3
++
+ # The -rpath '$$ORIGIN' linker option instructs this library to search for its
+ # dependencies in the same directory where it resides.
+ ifeq ($(BUILD_SUN_PKG), 1)

terminalrecord.patch

@@ -0,0 +1,90 @@
+diff -up ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c.terminalrecord ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c
+--- ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c.terminalrecord	2011-12-04 21:15:47.660672521 -0800
++++ ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c	2011-12-04 21:16:39.491674974 -0800
+@@ -52,6 +52,14 @@
+ #include <io.h>
+ #endif
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ void dumpbytes(unsigned char *buf, int len)
+ {
+     int i;
+diff -up ./mozilla/security/nss/lib/certhigh/certvfy.c.terminalrecord ./mozilla/security/nss/lib/certhigh/certvfy.c
+--- ./mozilla/security/nss/lib/certhigh/certvfy.c.terminalrecord	2011-09-13 17:28:47.000000000 -0700
++++ ./mozilla/security/nss/lib/certhigh/certvfy.c	2011-12-04 21:14:01.683678605 -0800
+@@ -56,6 +56,14 @@
+ #include "pki3hack.h"
+ #include "base.h"
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ /*
+  * Check the validity times of a certificate
+  */
+diff -up ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c.terminalrecord ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c
+--- ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c.terminalrecord	2011-09-14 16:16:16.000000000 -0700
++++ ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c	2011-12-04 21:14:01.684678605 -0800
+@@ -43,6 +43,14 @@
+ 
+ #include "pkix_pl_cert.h"
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ extern PKIX_PL_HashTable *cachedCertSigTable;
+ 
+ /* --Private-Cert-Functions------------------------------------- */
+diff -up ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c.terminalrecord ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c
+--- ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c.terminalrecord	2011-04-12 17:10:26.000000000 -0700
++++ ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c	2011-12-04 21:14:01.685678605 -0800
+@@ -62,6 +62,14 @@
+ #include "pki.h"
+ #include "pkim.h" 
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ extern const NSSError NSS_ERROR_NOT_FOUND;
+ 
+ CK_TRUST
+diff -up ./mozilla/security/nss/lib/pki/pki3hack.c.terminalrecord ./mozilla/security/nss/lib/pki/pki3hack.c
+--- ./mozilla/security/nss/lib/pki/pki3hack.c.terminalrecord	2011-04-12 17:10:26.000000000 -0700
++++ ./mozilla/security/nss/lib/pki/pki3hack.c	2011-12-04 21:14:01.686678605 -0800
+@@ -76,6 +76,14 @@ static const char CVS_ID[] = "@(#) $RCSf
+ #include "secmod.h"
+ #include "nssrwlk.h"
+ 
++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included
++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h
++ * but invisible here for some reason
++ */
++#ifndef CERTDB_TERMINAL_RECORD
++#define CERTDB_TERMINAL_RECORD	(1<<0)
++#endif
++
+ NSSTrustDomain *g_default_trust_domain = NULL;
+ 
+ NSSCryptoContext *g_default_crypto_context = NULL;