Update to 3.15.1

Changelog:
NSS 3.15.1 release notes

Introduction

Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below.
Distribution Information

NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/

New in NSS 3.15.1
New Functionality

    TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations.
        The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1.
        AES GCM cipher suites are not yet supported.

New Functions

None.
New Types

    in sslprot.h
        SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303.
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites.
    in sslerr.h
        SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2.
    in sslt.h
        ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type.
        ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type.

New PKCS #11 Mechanisms

None.
Notable Changes in NSS 3.15.1

    Bug 856060 - Enforce name constraints on the common name in libpkix  when no subjectAltName is present.
    Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict.
    Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly.
    Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function.
    Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures.
    Bug 884072 - Fix a typo in the header include guard macro of secmod.h.
    Bug 876352 - certutil now warns if importing a PEM file that contains a private key.
    Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed.
    The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed.

Bugs fixed in NSS 3.15.1

    https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS

Compatibility

NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries.



NSS 3.15 release notes

Introduction

The NSS team has released Network Security Services (NSS) 3.15, which is a minor release.
Distribution Information

The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer.

NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download:

    Source tarballs:
    https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/

New in NSS 3.15
New Functionality

    Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE);
    Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete.
    Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt.
    certutil has been updated to support creating name constraints extensions.

New Functions

    in ssl.h
        SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension.
        SSL_SetStapledOCSPResponses - Set's a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
    in ocsp.h
        CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses.
    in secpkcs7.h
        SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time.
    in xconst.h
        CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10.
    in secitem.h
        SECITEM_AllocArray
        SECITEM_DupArray
        SECITEM_FreeArray
        SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays
        SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938.
    in pk11pub.h
        PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.
        PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM.

New Types

    in secitem.h
        SECItemArray - Represents a variable-length array of SECItems.

New Macros

    in ssl.h
        SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE

Notable Changes in NSS 3.15

    SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code.

    NSS has migrated from CVS to the Mercurial source control management system.

    Updated build instructions are available at Migration to HG

    As part of this migration, the source code directory layout has been re-organized.

    The list of root CA certificates in the nssckbi module has been updated.

    The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache.

    Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel.
    Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour.
    Bug 853285: Fixed bugs in AES GCM.
    Bug 341127: Fix the invalid read in rc4_wordconv.
    Faster NIST curve P-256 implementation.
    Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced.

Bugs fixed in NSS 3.15

This Bugzilla query returns all the bugs fixed in NSS 3.15:

https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15

12 files changed, 54 insertions, 56 deletions

diff --git a/devel/nss/Makefile b/devel/nss/Makefile
index 15d406a71af..a0dab70c84b 100644
--- a/devel/nss/Makefile
+++ b/devel/nss/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.68 2013/05/31 12:40:02 wiz Exp $
+# $NetBSD: Makefile,v 1.69 2013/07/20 09:28:11 ryoon Exp $
 
 DISTNAME=		nss-${NSS_RELEASE}
-NSS_RELEASE=		3.14.3
-PKGREVISION=		2
+NSS_RELEASE=		3.15.1
 CATEGORIES=		security
 MASTER_SITES=		${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_RELEASE:S/./_/g}_RTM/src/}
 
@@ -11,13 +10,11 @@ HOMEPAGE=		http://www.mozilla.org/projects/security/pki/nss/
 COMMENT=		Libraries to support development of security-enabled applications
 LICENSE=		mpl-2.0
 
-CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}security/nss/tests/libpkix/libpkix.sh
-CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}security/nss/tests/multinit/multinit.sh
+CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/libpkix/libpkix.sh
+CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}nss/tests/multinit/multinit.sh
 CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}js/src/configure
 CHECK_PORTABILITY_SKIP+=${MOZILLA_DIR}configure
 
-WRKSRC=			${WRKDIR}/${DISTNAME}/mozilla
-
 USE_TOOLS+=		gmake perl pax pkg-config
 
 .include		"../../mk/bsd.prefs.mk"
@@ -26,8 +23,8 @@ USE_TOOLS+=		gmake perl pax pkg-config
 SUBST_CLASSES+=			exec_path
 SUBST_STAGE.exec_path=		pre-configure
 SUBST_MESSAGE.exec_path=	Fixing @executable_path
-SUBST_FILES.exec_path=		security/nss/lib/freebl/config.mk
-SUBST_FILES.exec_path=		security/coreconf/Darwin.mk
+SUBST_FILES.exec_path=		nss/lib/freebl/config.mk
+SUBST_FILES.exec_path=		coreconf/Darwin.mk
 SUBST_SED.exec_path=		-e 's,@executable_path,${PREFIX}/lib/nss,g'
 .endif
 
@@ -65,8 +62,7 @@ post-extract:
 	find ${WRKSRC} -type d | xargs ${CHMOD} 755
 
 do-build:
-	cd ${WRKSRC}/security/nss && ${SETENV} ${MAKE_ENV} ${MAKE_PROGRAM} \
-	  build_coreconf build_dbm all
+	cd ${WRKSRC}/nss && ${SETENV} ${MAKE_ENV} ${MAKE_PROGRAM} all
 
 INSTALLATION_DIRS=	include/nss lib/nss lib/pkgconfig
 DIST=	${WRKSRC}/dist
diff --git a/devel/nss/distinfo b/devel/nss/distinfo
index efd1e68e4e3..5cdfe04c38c 100644
--- a/devel/nss/distinfo
+++ b/devel/nss/distinfo
@@ -1,15 +1,15 @@
-$NetBSD: distinfo,v 1.27 2013/02/20 19:49:17 ryoon Exp $
+$NetBSD: distinfo,v 1.28 2013/07/20 09:28:11 ryoon Exp $
 
-SHA1 (nss-3.14.3.tar.gz) = 94d8781d1fa29cfbd37453dda3e9488709b82c4c
-RMD160 (nss-3.14.3.tar.gz) = 78ce247c6d649ac0624b087d7a947e8b3482d520
-Size (nss-3.14.3.tar.gz) = 6189790 bytes
-SHA1 (patch-am) = 75eb92d1941309ffc13f01d7f1946a2f09170220
-SHA1 (patch-an) = e975941955b578f1d3336d546e99f0c464cdd9d7
-SHA1 (patch-md) = 6bf5242245b17fbd868a6a978eb5849726f81393
-SHA1 (patch-me) = f5a8e29fc004ef7696b67d260384ab23fd1658c2
-SHA1 (patch-mf) = 7bdb6950386d4c3a4262bb53b70306fbbb7e1601
-SHA1 (patch-mg) = 75ddcceaffae0bdb6ecb4efd1b5ffca68a8ae8a8
-SHA1 (patch-mh) = 0318566ecddafd00d4abd22a08ccab3eb72eabe3
-SHA1 (patch-mj) = 197fab0e00256dedc8a5f181ee0d0d6e42d8177f
-SHA1 (patch-mn) = a59f31b58547657b96a45a2753aab93866940203
-SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 0f4a691aacd5f58ab59ce7f11e22b4f6714e6938
+SHA1 (nss-3.15.1.tar.gz) = 1aa7c0ff8af7fb2c8b6e4886ae2291f4bfe0d5c0
+RMD160 (nss-3.15.1.tar.gz) = b55be619393acf4f176797025838334d06287891
+Size (nss-3.15.1.tar.gz) = 6286561 bytes
+SHA1 (patch-am) = ee4c4beeb120397852fc4b06b7dd54534d0d5ac5
+SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
+SHA1 (patch-md) = 0a09fd2abb8674a2d301f1b6a5331af5db94178f
+SHA1 (patch-me) = e785e4e12b54f2618746a550a09593c2eede5f65
+SHA1 (patch-mf) = 64d3b2cc09ffbc9c4e8ffdb68cb2fa89b6897e8c
+SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834
+SHA1 (patch-mh) = a46d3098a85c3a4a57895a9845bc1741fc5e9561
+SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a
+SHA1 (patch-mn) = ab5820ecca7e1a3aef7785763115d38fa55109b4
+SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af
diff --git a/devel/nss/patches/patch-am b/devel/nss/patches/patch-am
index 88ad392b165..e88279c3098 100644
--- a/devel/nss/patches/patch-am
+++ b/devel/nss/patches/patch-am
@@ -1,11 +1,11 @@
-$NetBSD: patch-am,v 1.3 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-am,v 1.4 2013/07/20 09:28:11 ryoon Exp $
 
 SHA1_Update conflicts with openssl which may be dynamically loaded
 at runtime via libcups or libgssapi so causing a crash due to using
 the wrong binding.  So rename here to avoid conflict.
 
---- security/nss/lib/freebl/blapi.h.orig	2009-06-29 18:15:13.000000000 +0200
-+++ security/nss/lib/freebl/blapi.h
+--- nss/lib/freebl/blapi.h.orig	2009-06-29 18:15:13.000000000 +0200
++++ nss/lib/freebl/blapi.h
 @@ -925,6 +925,8 @@ extern void SHA1_DestroyContext(SHA1Cont
  */
  extern void SHA1_Begin(SHA1Context *cx);
diff --git a/devel/nss/patches/patch-an b/devel/nss/patches/patch-an
index 40adcc25f22..cbecc888cae 100644
--- a/devel/nss/patches/patch-an
+++ b/devel/nss/patches/patch-an
@@ -1,11 +1,11 @@
-$NetBSD: patch-an,v 1.5 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-an,v 1.6 2013/07/20 09:28:12 ryoon Exp $
 
 SHA1_Update conflicts with openssl which may be dynamically loaded
 at runtime via libcups or libgssapi so causing a crash due to using
 the wrong binding.  So rename here to avoid conflict.
 
---- security/nss/lib/freebl/sha-fast-amd64-sun.s.orig	2009-06-29 18:15:14.000000000 +0200
-+++ security/nss/lib/freebl/sha-fast-amd64-sun.s
+--- nss/lib/freebl/sha-fast-amd64-sun.s.orig	2009-06-29 18:15:14.000000000 +0200
++++ nss/lib/freebl/sha-fast-amd64-sun.s
 @@ -1712,9 +1712,9 @@ shaCompress:
  .LFE7:
  	.size	shaCompress, .-shaCompress
diff --git a/devel/nss/patches/patch-md b/devel/nss/patches/patch-md
index 53155f52b09..c25cd554848 100644
--- a/devel/nss/patches/patch-md
+++ b/devel/nss/patches/patch-md
@@ -1,9 +1,9 @@
-$NetBSD: patch-md,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-md,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 ???. from www/firefox/patch-ax.
 
---- security/coreconf/SunOS5.mk.orig	2009-06-29 18:15:11.000000000 +0200
-+++ security/coreconf/SunOS5.mk
+--- nss/coreconf/SunOS5.mk.orig	2009-06-29 18:15:11.000000000 +0200
++++ nss/coreconf/SunOS5.mk
 @@ -156,6 +156,10 @@ endif
  endif
  DSO_LDOPTS += -z combreloc -z defs -z ignore
diff --git a/devel/nss/patches/patch-me b/devel/nss/patches/patch-me
index 793761e3b8c..7d0d871d087 100644
--- a/devel/nss/patches/patch-me
+++ b/devel/nss/patches/patch-me
@@ -1,9 +1,9 @@
-$NetBSD: patch-me,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-me,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 Add DragonFly support.
 
---- security/nss/lib/freebl/Makefile.orig	2009-06-29 18:15:13.000000000 +0200
-+++ security/nss/lib/freebl/Makefile
+--- nss/lib/freebl/Makefile.orig	2009-06-29 18:15:13.000000000 +0200
++++ nss/lib/freebl/Makefile
 @@ -212,7 +212,7 @@ endif
  # to bind the blapi function references in FREEBLVector vector
  # (ldvector.c) to the blapi functions defined in the freebl
diff --git a/devel/nss/patches/patch-mf b/devel/nss/patches/patch-mf
index d306ac51b97..22f08b9631f 100644
--- a/devel/nss/patches/patch-mf
+++ b/devel/nss/patches/patch-mf
@@ -1,10 +1,10 @@
-$NetBSD: patch-mf,v 1.3 2013/02/20 19:49:17 ryoon Exp $
+$NetBSD: patch-mf,v 1.4 2013/07/20 09:28:12 ryoon Exp $
 
 Add DragonFly support.
 Make sure nss libraries have a run path defined.
 
---- security/coreconf/config.mk.orig	2013-01-08 16:19:07.000000000 +0000
-+++ security/coreconf/config.mk
+--- nss/coreconf/config.mk.orig	2013-06-27 17:58:08.000000000 +0000
++++ nss/coreconf/config.mk
 @@ -31,7 +31,7 @@ endif
  #######################################################################
  
@@ -14,8 +14,10 @@ Make sure nss libraries have a run path defined.
  
  ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
  include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
-@@ -175,3 +175,4 @@ endif
+@@ -179,5 +179,6 @@ endif
  DEFINES += -DUSE_UTIL_DIRECTLY
  USE_UTIL_DIRECTLY = 1
  
 +EXTRA_SHARED_LIBS +=    -Wl,-R${PREFIX}/lib/${MOZILLA_PKG_NAME}
+ # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features
+ DEFINES += -DNO_NSPR_10_SUPPORT
diff --git a/devel/nss/patches/patch-mg b/devel/nss/patches/patch-mg
index e77c8fbe8f7..009f422ec7b 100644
--- a/devel/nss/patches/patch-mg
+++ b/devel/nss/patches/patch-mg
@@ -1,9 +1,9 @@
-$NetBSD: patch-mg,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-mg,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 Add DragonFly support.
 
---- security/coreconf/DragonFly.mk.orig	2009-06-30 22:20:24.000000000 +0200
-+++ security/coreconf/DragonFly.mk
+--- nss/coreconf/DragonFly.mk.orig	2009-06-30 22:20:24.000000000 +0200
++++ nss/coreconf/DragonFly.mk
 @@ -0,0 +1,83 @@
 +#
 +# The contents of this file are subject to the Mozilla Public
diff --git a/devel/nss/patches/patch-mh b/devel/nss/patches/patch-mh
index 377cbe32652..e572c340ab2 100644
--- a/devel/nss/patches/patch-mh
+++ b/devel/nss/patches/patch-mh
@@ -1,7 +1,7 @@
-$NetBSD: patch-mh,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-mh,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
---- security/nss/lib/Makefile.orig	2011-03-18 23:34:05.000000000 +0000
-+++ security/nss/lib/Makefile
+--- nss/lib/Makefile.orig	2011-03-18 23:34:05.000000000 +0000
++++ nss/lib/Makefile
 @@ -70,7 +70,7 @@ endif
  
  ifndef MOZILLA_CLIENT
diff --git a/devel/nss/patches/patch-mj b/devel/nss/patches/patch-mj
index c73d7de222a..fa4ff8458c4 100644
--- a/devel/nss/patches/patch-mj
+++ b/devel/nss/patches/patch-mj
@@ -1,9 +1,9 @@
-$NetBSD: patch-mj,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-mj,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 Add DragonFly support.
 
---- security/coreconf/arch.mk.orig	2009-06-29 18:15:11.000000000 +0200
-+++ security/coreconf/arch.mk
+--- nss/coreconf/arch.mk.orig	2009-06-29 18:15:11.000000000 +0200
++++ nss/coreconf/arch.mk
 @@ -146,7 +146,7 @@ endif
  # IRIX 6.5-ALPHA-1289139620.
  #
diff --git a/devel/nss/patches/patch-mn b/devel/nss/patches/patch-mn
index ed8ffb1dbed..7bab723ecce 100644
--- a/devel/nss/patches/patch-mn
+++ b/devel/nss/patches/patch-mn
@@ -1,9 +1,9 @@
-$NetBSD: patch-mn,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-mn,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 Make sure we link correctly with sqlite3 from pkgsrc.
 
---- security/nss/lib/softoken/config.mk.orig	2010-07-21 00:52:46.000000000 +0000
-+++ security/nss/lib/softoken/config.mk
+--- nss/lib/softoken/config.mk.orig	2010-07-21 00:52:46.000000000 +0000
++++ nss/lib/softoken/config.mk
 @@ -80,7 +80,7 @@ else
  # $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX.
  EXTRA_SHARED_LIBS += \
diff --git a/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh b/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh
index 0e45f8ebf7a..36326df7a08 100644
--- a/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh
+++ b/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh
@@ -1,11 +1,11 @@
-$NetBSD: patch-security_nss_cmd_shlibsign_sign.sh,v 1.1 2012/04/18 21:01:42 ryoon Exp $
+$NetBSD: patch-security_nss_cmd_shlibsign_sign.sh,v 1.2 2013/07/20 09:28:12 ryoon Exp $
 
 This tries to dlopen libsoftokn3.so which is linked against sqlite3,
 so we need a directory containing libsqlite3.so in the search path,
 beside the directory containing libsoftokn3.so itself.
 
---- security/nss/cmd/shlibsign/sign.sh.orig	2011-06-15 21:57:52.000000000 +0000
-+++ security/nss/cmd/shlibsign/sign.sh
+--- nss/cmd/shlibsign/sign.sh.orig	2011-06-15 21:57:52.000000000 +0000
++++ nss/cmd/shlibsign/sign.sh
 @@ -26,7 +26,7 @@ WIN*)
      export LIBPATH
      SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH