Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled.

Also disable building DBM backend

.gitignore

@@ -37,3 +37,15 @@ TestUser51.cert
 /nss-3.43.tar.gz
 /nss-3.44.tar.gz
 /nss-3.44.1.tar.gz
+/nss-3.45.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz
+/nss-3.51.1.tar.gz
+/nss-3.52.tar.gz

nss-cavs-tests.patch

@@ -1,155 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1562162181 -7200
-#      Wed Jul 03 15:56:21 2019 +0200
-# Node ID 88feab2a3e5e4b00b1626d59a0d3ecef93cafb92
-# Parent  b5d3f574967f8c5c705dab15682b0e16fac3e4be
-tests: ensure CAVS test dirs are created
-
-diff --git a/tests/fips/cavs_scripts/aes.sh b/tests/fips/cavs_scripts/aes.sh
---- a/tests/fips/cavs_scripts/aes.sh
-+++ b/tests/fips/cavs_scripts/aes.sh
-@@ -83,6 +83,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $cbc_kat_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/aesgcm.sh b/tests/fips/cavs_scripts/aesgcm.sh
---- a/tests/fips/cavs_scripts/aesgcm.sh
-+++ b/tests/fips/cavs_scripts/aesgcm.sh
-@@ -56,6 +56,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $gcm_decrypt_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/dsa.sh b/tests/fips/cavs_scripts/dsa.sh
---- a/tests/fips/cavs_scripts/dsa.sh
-+++ b/tests/fips/cavs_scripts/dsa.sh
-@@ -59,6 +59,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- request=KeyPair.req
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
-diff --git a/tests/fips/cavs_scripts/ecdsa.sh b/tests/fips/cavs_scripts/ecdsa.sh
---- a/tests/fips/cavs_scripts/ecdsa.sh
-+++ b/tests/fips/cavs_scripts/ecdsa.sh
-@@ -50,6 +50,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- request=KeyPair.req
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
-diff --git a/tests/fips/cavs_scripts/hmac.sh b/tests/fips/cavs_scripts/hmac.sh
---- a/tests/fips/cavs_scripts/hmac.sh
-+++ b/tests/fips/cavs_scripts/hmac.sh
-@@ -31,6 +31,9 @@ if [ ${COMMAND} = "verify" ]; then
-     done
-     exit $result
- fi
-+
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $hmac_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/ike.sh b/tests/fips/cavs_scripts/ike.sh
---- a/tests/fips/cavs_scripts/ike.sh
-+++ b/tests/fips/cavs_scripts/ike.sh
-@@ -33,6 +33,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- request=ikev1_dsa.req
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
-diff --git a/tests/fips/cavs_scripts/kas.sh b/tests/fips/cavs_scripts/kas.sh
---- a/tests/fips/cavs_scripts/kas.sh
-+++ b/tests/fips/cavs_scripts/kas.sh
-@@ -68,6 +68,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
-diff --git a/tests/fips/cavs_scripts/rng.sh b/tests/fips/cavs_scripts/rng.sh
---- a/tests/fips/cavs_scripts/rng.sh
-+++ b/tests/fips/cavs_scripts/rng.sh
-@@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
-     done
-     exit $result
- fi
-+
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $drbg_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/rsa.sh b/tests/fips/cavs_scripts/rsa.sh
---- a/tests/fips/cavs_scripts/rsa.sh
-+++ b/tests/fips/cavs_scripts/rsa.sh
-@@ -38,6 +38,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- request=SigGen15_186-3.req
- response=`echo $request | sed -e "s/req/rsp/"`
- echo $request $response
-diff --git a/tests/fips/cavs_scripts/sha.sh b/tests/fips/cavs_scripts/sha.sh
---- a/tests/fips/cavs_scripts/sha.sh
-+++ b/tests/fips/cavs_scripts/sha.sh
-@@ -51,6 +51,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $sha_ShortMsg_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/tdea.sh b/tests/fips/cavs_scripts/tdea.sh
---- a/tests/fips/cavs_scripts/tdea.sh
-+++ b/tests/fips/cavs_scripts/tdea.sh
-@@ -77,6 +77,8 @@ if [ ${COMMAND} = "verify" ]; then
-     exit $result
- fi
- 
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $cbc_kat_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response
-diff --git a/tests/fips/cavs_scripts/tls.sh b/tests/fips/cavs_scripts/tls.sh
---- a/tests/fips/cavs_scripts/tls.sh
-+++ b/tests/fips/cavs_scripts/tls.sh
-@@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
-     done
-     exit $result
- fi
-+
-+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
-+
- for request in $tls_requests; do
-     response=`echo $request | sed -e "s/req/rsp/"`
-     echo $request $response

nss-gcm-param-default-pkcs11v2.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+ 
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+ 
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif

nss-kremlin-ppc64le.patch

@@ -0,0 +1,31 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,9 +56,10 @@ typedef const char *Prims_string;
+     !defined(__clang__)
+ #include <emmintrin.h>
+ typedef __m128i FStar_UInt128_uint128;
+-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ typedef unsigned __int128 FStar_UInt128_uint128;
+ #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
+ typedef __uint128_t FStar_UInt128_uint128;
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -26,7 +26,8 @@
+ 
+ #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
++    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++     defined(__s390x__))
+ 
+ /* GCC + using native unsigned __int128 support */
+ 

nss-module-leak.patch

@@ -1,35 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1557150127 -7200
-#      Mon May 06 15:42:07 2019 +0200
-# Node ID 438ac983bda9ec7944990d22a37877e9111caa90
-# Parent  b018f3e84d87cce99a1fd81feeecb31123058687
-pk11slot: reference module from slot for finalization
-
-diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
---- a/lib/pk11wrap/pk11slot.c
-+++ b/lib/pk11wrap/pk11slot.c
-@@ -1439,6 +1439,11 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
-     slot->slotID = slotID;
-     slot->isThreadSafe = mod->isThreadSafe;
-     slot->hasRSAInfo = PR_FALSE;
-+    slot->module = mod; /* NOTE: we don't make a reference here because
-+                         * modules have references to their slots. This
-+                         * works because modules keep implicit references
-+                         * from their slots, and won't unload and disappear
-+                         * until all their slots have been freed */
- 
-     if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) {
-         slot->disabled = PR_TRUE;
-@@ -1448,11 +1453,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
- 
-     /* test to make sure claimed mechanism work */
-     slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
--    slot->module = mod; /* NOTE: we don't make a reference here because
--                         * modules have references to their slots. This
--                         * works because modules keep implicit references
--                         * from their slots, and won't unload and disappear
--                         * until all their slots have been freed */
-     (void)PK11_MakeString(NULL, slot->slot_name,
-                           (char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
-     slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);

nss-signtool-format.patch

@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+ 
+         dir = PR_OpenDir(path);
+         if (!dir) {
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                PR_CloseDir(dir);
++                return -1;
++            }
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
+                 return -1;
+             }
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+         if (!dir) {
+             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+             errorCount++;
+             return -1;
+         }
+ 
+         /* Recursively delete all entries in the directory */
+         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+-            sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++                errorCount++;
++                return -1;
++            }
+             if (rm_dash_r(filename))
+                 return -1;
+         }
+ 
+         if (PR_CloseDir(dir) != PR_SUCCESS) {
+             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+             errorCount++;
+             return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+  */
+ PKIX_Error *
+ PKIX_List_SetItem(
+         PKIX_List *list,
+         PKIX_UInt32 index,
+         PKIX_PL_Object *item,
+         void *plContext)
+ {
+-        PKIX_List *element;
++        PKIX_List *element = NULL;
+ 
+         PKIX_ENTER(LIST, "PKIX_List_SetItem");
+         PKIX_NULLCHECK_ONE(list);
+ 
+         if (list->immutable){
+                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+         }
+ 
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+  */
+ static PKIX_Error *
+ pkix_pl_OID_Equals(
+         PKIX_PL_Object *first,
+         PKIX_PL_Object *second,
+         PKIX_Boolean *pResult,
+         void *plContext)
+ {
+-        PKIX_Int32 cmpResult;
++        PKIX_Int32 cmpResult = 0;
+ 
+         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+         PKIX_NULLCHECK_THREE(first, second, pResult);
+ 
+         PKIX_CHECK(pkix_pl_OID_Comparator
+                     (first, second, &cmpResult, plContext),
+                     PKIX_OIDCOMPARATORFAILED);
+ 

nss-skip-tls13-fips.patch

@@ -1,27 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1558341826 -7200
-#      Mon May 20 10:43:46 2019 +0200
-# Node ID b447f0046807b718d2928d0e33313620d38a287a
-# Parent  02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
-tests: skip TLS 1.3 tests under FIPS mode
-
-diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
---- a/tests/ssl/ssl.sh
-+++ b/tests/ssl/ssl.sh
-@@ -393,6 +393,15 @@ ssl_auth()
-       echo "${testname}" | grep "TLS 1.3" > /dev/null
-       TLS13=$?
- 
-+      # Currently TLS 1.3 tests are known to fail under FIPS mode,
-+      # because HKDF is implemented using the PKCS #11 functions
-+      # prohibited under FIPS mode.
-+      if [ "${TLS13}" -eq 0 ] && \
-+	 [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
-+          echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-+          continue
-+      fi
-+
-       if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
-           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
-       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then

nss.spec

@@ -1,5 +1,5 @@
-%global nspr_version 4.21.0
-%global nss_version 3.44.1
+%global nspr_version 4.25.0
+%global nss_version 3.52.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -7,6 +7,7 @@
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 
 %bcond_without tests
+%bcond_without dbm
 
 # Produce .chk files for the final stripped binaries
 #
@@ -24,7 +25,7 @@
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
-    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
+    %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
 %{nil}
 
 # The upstream omits the trailing ".0", while we need it for
@@ -93,8 +94,6 @@ Source28:         nss-p11-kit.config
 
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch2:           nss-539183.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1549382
-Patch3:           nss-module-leak.patch
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -107,9 +106,14 @@ Patch3:           nss-module-leak.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
-Patch5:           nss-skip-tls13-fips.patch
-Patch6:           nss-cavs-tests.patch
+Patch12:          nss-signtool-format.patch
+# https://github.com/FStarLang/kremlin/issues/166
+Patch13:          nss-kremlin-ppc64le.patch
+%if 0%{?fedora} < 34
+%if 0%{?rhel} < 9
+Patch20:          nss-gcm-param-default-pkcs11v2.patch
+%endif
+%endif
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -271,6 +275,12 @@ export BUILD_OPT=1
 # Generate symbolic info for debuggers
 export XCFLAGS=$RPM_OPT_FLAGS
 
+# Work around false-positive warnings with gcc 10:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1803029
+%ifarch s390x
+export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
+%endif
+
 export LDFLAGS=$RPM_LD_FLAGS
 
 export DSO_LDOPTS=$RPM_LD_FLAGS
@@ -285,14 +295,19 @@ export NSS_USE_SYSTEM_SQLITE=1
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
+%if %{with dbm}
+%else
+export NSS_DISABLE_DBM=1
+%endif
+
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
 export USE_64=1
 %endif
 %endif
 
-make -C ./nss/coreconf
-make -C ./nss/lib/dbm
+%{__make} -C ./nss/coreconf
+%{__make} -C ./nss/lib/dbm
 
 # Set the policy file location
 # if set NSS will always check for the policy file and load if it exists
@@ -300,11 +315,11 @@ export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-make -C ./nss
+%{__make} -C ./nss
 
 # build the man pages clean
 pushd ./nss
-make clean_docs build_docs
+%{__make} clean_docs build_docs
 popd
 
 # and copy them to the dist directory for %%install to find them
@@ -516,7 +531,7 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 
 # Copy the binary libraries we want
-for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
   install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -557,7 +572,7 @@ do
 done
 
 # Copy some freebl include files we also want
-for file in blapi.h alghmac.h
+for file in blapi.h alghmac.h cmac.h
 do
   install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
@@ -819,8 +834,10 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/templates/templates.c
 
 %files softokn
+%if %{with dbm}
 %{_libdir}/libnssdbm3.so
 %{_libdir}/libnssdbm3.chk
+%endif
 %{_libdir}/libsoftokn3.so
 %{_libdir}/libsoftokn3.chk
 # shared with nss-tools
@@ -850,6 +867,7 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/blapi.h
 %{_includedir}/nss3/blapit.h
 %{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/cmac.h
 %{_includedir}/nss3/lowkeyi.h
 %{_includedir}/nss3/lowkeyti.h
 
@@ -874,6 +892,79 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
+- Delay CK_GCM_PARAMS semantics until fedora 34
+
+* Mon May 11 2020 Daiki Ueno <dueno@redhat.com> - 3.52.0-1
+- Update to NSS 3.52
+
+* Sat Apr 25 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-2
+- Temporarily revert DBM disablement for kernel build failure (#1827902)
+
+* Mon Apr 20 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-1
+- Update to NSS 3.51.1
+- Disable building DBM backend
+
+* Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
+- Update to NSS 3.51
+
+* Thu Mar 26 2020 Tom Stellard <tstellar@redhat.com> - 3.50.0-3
+- Use __make macro to invoke make
+
+* Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
+- Apply CMAC fixes from upstream
+
+* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
+- Update to NSS 3.50
+
+* Fri Feb 14 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-3
+- Ignore false-positive compiler warnings with gcc 10
+- Fix build with gcc 10
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.49.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
+- Update to NSS 3.49.2
+- Don't enable TLS 1.3 by default (#1794814)
+
+* Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
+- Update to NSS 3.49
+- Fix build on armv7hl with the patch proposed in upstream
+
+* Fri Jan  3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
+- Update to NSS 3.48
+
+* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
+- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
+
+* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
+- Update nss-3.47-certdb-temp-cert.patch to the final version
+
+* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
+- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
+
+* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
+- Update to NSS 3.47.1
+
+* Mon Nov 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
+- Include ike mechanism fix
+
+* Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
+- Install cmac.h required by blapi.h (#1764513)
+
+* Tue Oct 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-1
+- Update to NSS 3.47
+
+* Mon Oct 21 2019 Daiki Ueno <dueno@redhat.com> - 3.46.1-1
+- Update to NSS 3.46.1
+
+* Tue Sep  3 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-1
+- Update to NSS 3.46
+
+* Thu Aug 29 2019 Daiki Ueno <dueno@redhat.com> - 3.45.0-1
+- Update to NSS 3.45
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.44.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
+SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6