Update NSS to 3.88.1

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

.gitignore

@@ -49,3 +49,32 @@ TestUser51.cert
 /nss-3.51.tar.gz
 /nss-3.51.1.tar.gz
 /nss-3.52.tar.gz
+/nss-3.53.tar.gz
+/nss-3.54.tar.gz
+/nss-3.55.tar.gz
+/nss-3.56.tar.gz
+/nss-3.57.tar.gz
+/nss-3.58.tar.gz
+/nspr-4.29.tar.gz
+/nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
+/nss-3.62.tar.gz
+/nss-3.63.tar.gz
+/nspr-4.30.tar.gz
+/nss-3.65.tar.gz
+/nss-3.67.tar.gz
+/nspr-4.31.tar.gz
+/nss-3.69.tar.gz
+/nspr-4.32.tar.gz
+/nss-3.71.tar.gz
+/nss-3.73.tar.gz
+/nss-3.75.tar.gz
+/nss-3.77.tar.gz
+/nss-3.79.tar.gz
+/nspr-4.34.tar.gz
+/nss-3.81.tar.gz
+/nss-3.83.tar.gz
+/nspr-4.35.tar.gz
+/nss-3.85.tar.gz
+/nss-3.87.tar.gz
+/nss-3.88.1.tar.gz

nspr-config-pc.patch

@@ -0,0 +1,37 @@
+diff -up nspr/config/nspr-config.in.flags nspr/config/nspr-config.in
+--- nspr/config/nspr-config.in.flags	2013-05-29 13:46:34.147971410 -0700
++++ nspr/config/nspr-config.in	2013-05-29 14:17:10.990838914 -0700
+@@ -102,7 +102,7 @@ if test -z "$includedir"; then
+     includedir=@includedir@
+ fi
+ if test -z "$libdir"; then
+-    libdir=@libdir@
++    libdir=`pkg-config --variable=libdir nspr`
+ fi
+ 
+ if test "$echo_prefix" = "yes"; then
+@@ -136,12 +136,12 @@ if test "$echo_libs" = "yes"; then
+       if test -n "$lib_nspr"; then
+ 	libdirs="$libdirs -lnspr${major_version}"
+       fi
+-      os_ldflags="@LDFLAGS@"
++      os_ldflags=`pkg-config --variable=ldflags nspr`
+       for i in $os_ldflags ; do
+ 	if echo $i | grep \^-L >/dev/null; then
+ 	  libdirs="$libdirs $i"
+         fi
+       done
+-      echo $libdirs @OS_LIBS@
++      echo $libdirs `pkg-config --variable=os_libs nspr`
+ fi      
+ 
+diff -up nspr/config/nspr.pc.in.flags nspr/config/nspr.pc.in
+--- nspr/config/nspr.pc.in.flags	2013-05-29 13:48:15.026643570 -0700
++++ nspr/config/nspr.pc.in	2013-05-29 13:49:47.795202949 -0700
+@@ -6,5 +6,5 @@ includedir=@includedir@
+ Name: NSPR
+ Description: The Netscape Portable Runtime
+ Version: @MOD_MAJOR_VERSION@.@MOD_MINOR_VERSION@.@MOD_PATCH_VERSION@
+-Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@
++Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@ @OS_LIBS@
+ Cflags: -I@includedir@

nspr-config.xml

@@ -0,0 +1,127 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nspr-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Netscape Portable Runtime</title>
+    <productname>nspr</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nspr-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nspr-config</refname>
+    <refpurpose>Return meta information about nspr libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nspr-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>nspr-config</command> is a shell script which can be used to obtain gcc options for building client pacakges of nspr.</para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nspr libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which any nspr binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>Returns the path to the directory were the nspr headers are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>Returns the upstream version of nspr in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>Returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>Returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>Returns the path to the directory were the nspr libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+      <programlisting>
+        /usr/bin/nspr-config --cflags --libs
+      </programlisting>
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nspr-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSPR liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

nspr-gcc-atomics.patch

@@ -0,0 +1,51 @@
+diff -up ./pr/include/md/_linux.h.gcc-atomics ./pr/include/md/_linux.h
+--- ./pr/include/md/_linux.h.gcc-atomics	2022-09-20 11:23:22.008942926 -0700
++++ ./pr/include/md/_linux.h	2022-09-20 11:34:45.536751340 -0700
+@@ -105,6 +105,15 @@
+ #endif
+ 
+ #if defined(__i386__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
+@@ -116,6 +125,7 @@ extern PRInt32 _PR_x86_AtomicAdd(PRInt32
+ extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET                _PR_x86_AtomicSet
+ #endif
++#endif
+ 
+ #if defined(__ia64__)
+ #define _PR_HAVE_ATOMIC_OPS
+@@ -131,6 +141,15 @@ extern PRInt32 _PR_ia64_AtomicSet(PRInt3
+ #endif
+ 
+ #if defined(__x86_64__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
+@@ -142,6 +161,7 @@ extern PRInt32 _PR_x86_64_AtomicAdd(PRIn
+ extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET                _PR_x86_64_AtomicSet
+ #endif
++#endif
+ 
+ #if defined(__loongarch__)
+ #if defined(__GNUC__)

nss-539183.patch

@@ -1,62 +0,0 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSockett");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-no-dbm-man-page.patch

@@ -0,0 +1,120 @@
+diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
+--- ./doc/certutil.xml.no-dbm	2021-05-29 10:26:21.853386165 -0700
++++ ./doc/certutil.xml	2021-05-29 10:31:15.057058619 -0700
+@@ -205,8 +205,7 @@ If this option is not used, the validity
+           <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
+           <para>NSS recognizes the following prefixes:</para>
+           <itemizedlist>
+-            <listitem><para><command>sql:</command> requests the newer database</para></listitem>
+-	    <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
++            <listitem><para><command>sql:</command> requests the sql-lite database</para></listitem>
+           </itemizedlist>
+           <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>sql:</command> is the default.</para>
+         </listitem>
+@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
+ 	</listitem>
+ </itemizedlist>
+ 
+-<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
++<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. </para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>$ certutil -L -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
+--- ./doc/modutil.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/modutil.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -151,7 +151,7 @@
+       <varlistentry>
+         <term>-dbdir directory</term>
+ 	  <listitem><para>Specify the database directory in which to access or create security module database files.</para>
+-	<para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in SQLite format.</para></listitem>
++	<para><command>modutil</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>modutil -create -dbdir dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para> 
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
+--- ./doc/pk12util.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/pk12util.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -90,7 +90,7 @@
+       <varlistentry>
+         <term>-d directory</term>
+         <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
+-	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>pk12util</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
+--- ./doc/signver.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/signver.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -66,7 +66,7 @@
+       <varlistentry>
+         <term>-d <emphasis>directory</emphasis></term>
+         <listitem><para>Specify the database directory which contains the certificates and keys.</para>
+-	<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>signver</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>-a</term>
+@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># signver -A -s <replaceable>signature</replaceable> -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>

nss-signtool-format.patch

@@ -26,28 +26,19 @@ diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
 diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
 --- a/cmd/signtool/util.c
 +++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
+@@ -138,6 +138,12 @@ rm_dash_r(char *path)
          /* Recursively delete all entries in the directory */
          while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+             sprintf(filename, "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
++) >= sizeof(filename)) {
 +                errorCount++;
++                PR_CloseDir(dir);
 +                return -1;
 +            }
-             if (rm_dash_r(filename))
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
                  return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
 diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
 --- a/lib/libpkix/pkix/util/pkix_list.c
 +++ b/lib/libpkix/pkix/util/pkix_list.c

nss.spec

@@ -1,5 +1,16 @@
-%global nspr_version 4.25.0
-%global nss_version 3.52.0
+%global nspr_version 4.35.0
+%global nss_version 3.88.1
+# NOTE: To avoid NVR clashes of nspr* packages:
+# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
+# - increment %%{nspr_version}, when updating the NSS part only
+%global baserelease 1
+%global nss_release %baserelease
+# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
+# release number between nss and nspr are different.
+%global nspr_release %[%baserelease+3]
+# only need to update this as we added new
+# algorithms under nss policy control
+%global crypto_policies_version 20210118
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -7,7 +18,7 @@
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 
 %bcond_without tests
-%bcond_without dbm
+%bcond_with dbm
 
 # Produce .chk files for the final stripped binaries
 #
@@ -31,6 +42,11 @@
 # The upstream omits the trailing ".0", while we need it for
 # consistency with the pkg-config version:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nspr_archive_version %s",
+           string.gsub(rpm.expand("%nspr_version"), "(.*)%.0$", "%1")))
+}
+
 %{lua:
 rpm.define(string.format("nss_archive_version %s",
            string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
@@ -44,7 +60,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          %{nss_release}%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -53,9 +69,10 @@ Requires:         nss-util >= %{nss_version}
 Requires:         nss-softokn%{_isa} >= %{nss_version}
 Requires:         nss-system-init
 Requires:         p11-kit-trust
-Requires:         crypto-policies
-BuildRequires:    nspr-devel >= %{nspr_version}
+Requires:         /usr/bin/update-crypto-policies
+Requires:         crypto-policies >= %{crypto_policies_version}
 # for shlibsign
+BuildRequires: make
 BuildRequires:    nss-softokn
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
@@ -64,7 +81,6 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
 BuildRequires:    gcc-c++
-BuildRequires:    quilt
 
 Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
 Source1:          nss-util.pc.in
@@ -75,9 +91,11 @@ Source6:          nss-softokn-dracut-module-setup.sh
 Source7:          nss-softokn-dracut.conf
 Source8:          nss.pc.in
 Source9:          nss-config.in
+%if %{with dbm}
 Source10:         blank-cert8.db
 Source11:         blank-key3.db
 Source12:         blank-secmod.db
+%endif
 Source13:         blank-cert9.db
 Source14:         blank-key4.db
 Source15:         system-pkcs11.txt
@@ -85,15 +103,18 @@ Source16:         setup-nsssysinit.sh
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
-Source23:         cert8.db.xml
 Source24:         cert9.db.xml
-Source25:         key3.db.xml
 Source26:         key4.db.xml
+%if %{with dbm}
+Source23:         cert8.db.xml
+Source25:         key3.db.xml
 Source27:         secmod.db.xml
+%endif
 Source28:         nss-p11-kit.config
 
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-539183.patch
+Source100:        nspr-%{nspr_archive_version}.tar.gz
+Source101:        nspr-config.xml
+
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -103,17 +124,16 @@ Patch2:           nss-539183.patch
 # case when starting an update with API changes or even private export
 # changes.
 #
-# Once the buildroot aha been bootstrapped the patch may be removed
+# Once the buildroot has been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
-# https://github.com/FStarLang/kremlin/issues/166
-Patch13:          nss-kremlin-ppc64le.patch
-%if 0%{?fedora} < 34
-%if 0%{?rhel} < 9
-Patch20:          nss-gcm-param-default-pkcs11v2.patch
-%endif
-%endif
+# fedora disabled dbm by default
+Patch40:          nss-no-dbm-man-page.patch
+
+Patch100:         nspr-config-pc.patch
+Patch101:         nspr-gcc-atomics.patch
+
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -234,16 +254,52 @@ Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
 Requires:         nss-util-devel >= %{version}-%{release}
 Requires:         pkgconfig
-BuildRequires:    nspr-devel >= %{nspr_version}
 
 %description softokn-devel
 Header and library files for doing development with Network Security Services.
 
+%package -n nspr
+Summary:        Netscape Portable Runtime
+Version:        %{nspr_version}
+Release:        %{nspr_release}%{?dist}
+License:        MPLv2.0
+URL:            http://www.mozilla.org/projects/nspr/
+Conflicts:      filesystem < 3
+BuildRequires:  gcc
+
+%description -n nspr
+NSPR provides platform independence for non-GUI operating system
+facilities. These facilities include threads, thread synchronization,
+normal file and network I/O, interval timing and calendar time, basic
+memory management (malloc and free) and shared library linking.
+
+%package -n nspr-devel
+Summary:        Development libraries for the Netscape Portable Runtime
+Version:        %{nspr_version}
+Release:        %{nspr_release}%{?dist}
+Requires:       nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
+Requires:       pkgconfig
+BuildRequires:  xmlto
+Conflicts:      filesystem < 3
+
+%description -n nspr-devel
+Header files for doing development with the Netscape Portable Runtime.
+
 
 %prep
-%autosetup -N -S quilt -n %{name}-%{nss_archive_version}
+%setup -q -T -b 100 -n nspr-%{nspr_archive_version}
+
+%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
+mv ../nspr-%{nspr_archive_version}/nspr .
+cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
+
+%patch100 -p0 -b .flags
+pushd nspr
+%patch101 -p1 -b .gcc-atomics
+popd
+
 pushd nss
-%autopatch -p1
+%autopatch -p1 -M 99
 popd
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
@@ -251,14 +307,58 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
 
 %build
+# Build, check, and install NSPR for building NSS in the later phase
+#
+# TODO: This phase can be done by the NSS build process if we switch
+# to using "make nss_build_all".  For now, however, we need some
+# adjustment in the NSS build process.
+mkdir -p nspr_build
+pushd nspr_build
+../nspr/configure \
+                 --prefix=%{_prefix} \
+                 --libdir=%{_libdir} \
+                 --includedir=%{_includedir}/nspr4 \
+                 --with-dist-prefix=$PWD/../dist \
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+                 --enable-64bit \
+%endif
+%endif
+%ifarch armv7l armv7hl armv7nhl
+                 --enable-thumb2 \
+%endif
+                 --enable-optimize="$RPM_OPT_FLAGS" \
+                 --disable-debug
 
-export FREEBL_NO_DEPEND=1
+# The assembly files are only for legacy atomics, to which we prefer GCC atomics
+%ifarch i686 x86_64
+sed -i '/^PR_MD_ASFILES/d' config/autoconf.mk
+%endif
+make
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{nspr_version} > version.xml
+
+for m in %{SOURCE101}; do
+  cp ${m} .
+done
+for m in nspr-config.xml; do
+  xmlto man ${m}
+done
+popd
+
+# Build NSS
+#
+# This package fails its testsuite with LTO.  Disable LTO for now
+#%global _lto_cflags %{nil}
+
+#export FREEBL_NO_DEPEND=1
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -281,6 +381,9 @@ export XCFLAGS=$RPM_OPT_FLAGS
 export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 %endif
 
+# Similarly, but for gcc-11
+export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+
 export LDFLAGS=$RPM_LD_FLAGS
 
 export DSO_LDOPTS=$RPM_LD_FLAGS
@@ -288,13 +391,15 @@ export DSO_LDOPTS=$RPM_LD_FLAGS
 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
-export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-export NSPR_LIB_DIR=%{_libdir}
+export NSPR_INCLUDE_DIR=$PWD/dist/include/nspr
+export NSPR_LIB_DIR=$PWD/dist/lib
 
 export NSS_USE_SYSTEM_SQLITE=1
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -306,16 +411,15 @@ export USE_64=1
 %endif
 %endif
 
-%{__make} -C ./nss/coreconf
-%{__make} -C ./nss/lib/dbm
-
 # Set the policy file location
 # if set NSS will always check for the policy file and load if it exists
 export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-%{__make} -C ./nss
+
+%{__make} -C ./nss all
+%{__make} -C ./nss latest
 
 # build the man pages clean
 pushd ./nss
@@ -334,7 +438,7 @@ cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-                          -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
+                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" > \
                           ./dist/pkgconfig/nss-util.pc
 
 NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
@@ -358,7 +462,7 @@ cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                           -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
-                          -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
                           ./dist/pkgconfig/nss-softokn.pc
 
 SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
@@ -380,7 +484,7 @@ cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
-                          -e "s,%%NSS_VERSION%%,%{version},g" \
+                          -e "s,%%NSS_VERSION%%,%{nss_version},g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                           -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
                           -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
@@ -407,32 +511,47 @@ chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
 cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
 
 date +"%e %B %Y" | tr -d '\n' > date.xml
-echo -n %{version} > version.xml
+echo -n %{nss_version} > version.xml
 
 # configuration files and setup script
-for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+%if %{with dbm}
+%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}
+%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt
+%else
+%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
+%global dbfiles cert9.db key4.db pkcs11.txt
+%endif
+for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
   cp ${m} .
 done
-for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
-  xmlto man ${m}
-done
-
-# nss databases considered to be configuration files
-for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
-  cp ${m} .
-done
-for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
-  xmlto man ${m}
+%global configFiles nss-config setup-nsssysinit
+for m in %{configFiles}  %{dbfiles}; do
+  xmlto man ${m}.xml
 done
 
 
 %check
+%if %{with tests}
+pushd nspr_build
+# Run test suite.
+perl ../nspr/pr/tests/runtests.pl 2>&1 | tee output.log
+
+TEST_FAILURES=`grep -c FAILED ./output.log` || :
+if [ $TEST_FAILURES -ne 0 ]; then
+  echo "error: test suite returned failure(s)"
+  exit 1
+fi
+echo "test suite completed"
+popd
+%endif
+
 %if %{with tests}
 # Begin -- copied from the build section
 
 export FREEBL_NO_DEPEND=1
 
 export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -442,6 +561,15 @@ export USE_64=1
 
 # End -- copied from the build section
 
+# copy the nspr libraries into the NSS object directory so we use the
+# newly compiled nspr binaries in our test rather than the build root
+# versions
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+for i in ./dist/lib/*.so
+do
+   cp $i ./dist/${LOBJDIR}/lib
+done
+
 # This is necessary because the test suite tests algorithms that are
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
@@ -465,9 +593,9 @@ if [ $SPACEISBAD -ne 0 ]; then
   echo "error: filenames containing space are not supported (xargs)"
   exit 1
 fi
-MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
-RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
-DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+export MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND
+export RANDSERV=selfserv_${MYRAND}; echo $RANDSERV
+export DISTBINDIR=./dist/${LOBJDIR}/bin
 pushd "$DISTBINDIR"
 ln -s selfserv $RANDSERV
 popd
@@ -505,6 +633,46 @@ killall $RANDSERV || :
 
 %install
 
+pushd nspr_build
+make install DESTDIR=$RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+# Get rid of the things we don't want installed (per upstream)
+rm -rf \
+   $RPM_BUILD_ROOT/%{_bindir}/compile-et.pl \
+   $RPM_BUILD_ROOT/%{_bindir}/prerr.properties \
+   $RPM_BUILD_ROOT/%{_libdir}/libnspr4.a \
+   $RPM_BUILD_ROOT/%{_libdir}/libplc4.a \
+   $RPM_BUILD_ROOT/%{_libdir}/libplds4.a \
+   $RPM_BUILD_ROOT/%{_datadir}/aclocal/nspr.m4 \
+   $RPM_BUILD_ROOT/%{_includedir}/nspr4/md
+
+for f in nspr-config; do
+   install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+popd
+
+# Begin -- copied from the build section
+# this is needed to make sure LOBJDIR is correct
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# get the objdir value from the test make file
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+
 # There is no make install target so we'll do it ourselves.
 
 mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
@@ -533,15 +701,17 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 755 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Install the empty NSS db files
 # Legacy db
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%if %{with dbm}
 install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
 install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%endif
 # Shared db
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
@@ -550,19 +720,19 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.tx
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 
 # Copy the binaries we ship as unsupported
 for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 
 # Copy the include files we want
@@ -580,7 +750,7 @@ done
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the template files we want
@@ -603,7 +773,7 @@ install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
 
 # Copy the man pages for scripts
-for f in nss-config setup-nsssysinit; do
+for f in %{configFiles}; do
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the nss tools
@@ -616,12 +786,8 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
 %endif
 
-# Copy the man pages for the configuration files
-for f in pkcs11.txt; do
-   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
-done
 # Copy the man pages for the nss databases
-for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+for f in %{dbfiles}; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
 
@@ -634,9 +800,20 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
 /usr/bin/setup-nsssysinit.sh on
 
 %post
-update-crypto-policies &> /dev/null || :
+%if %{with dbm}
+%else
+# Upon upgrade, ensure that the existing database locations are migrated to SQL
+# database.
+if test $1 -eq 2; then
+    for dbdir in %{_sysconfdir}/pki/nssdb; do
+        if test ! -e ${dbdir}/pkcs11.txt; then
+            /usr/bin/certutil --merge -d ${dbdir} --source-dir ${dbdir}
+        fi
+    done
+fi
+%endif
 
-%postun
+%posttrans
 update-crypto-policies &> /dev/null || :
 
 
@@ -647,16 +824,20 @@ update-crypto-policies &> /dev/null || :
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
 %dir %{_sysconfdir}/pki/nssdb
+%if %{with dbm}
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%endif
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%if %{with dbm}
 %doc %{_mandir}/man5/cert8.db.5*
 %doc %{_mandir}/man5/key3.db.5*
 %doc %{_mandir}/man5/secmod.db.5*
+%endif
 %doc %{_mandir}/man5/cert9.db.5*
 %doc %{_mandir}/man5/key4.db.5*
 %doc %{_mandir}/man5/pkcs11.txt.5*
@@ -746,6 +927,7 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/p12plcy.h
 %{_includedir}/nss3/p12t.h
 %{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
 %{_includedir}/nss3/pk11pqg.h
 %{_includedir}/nss3/pk11priv.h
 %{_includedir}/nss3/pk11pub.h
@@ -890,8 +1072,177 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/nsslowhash.h
 %{_includedir}/nss3/shsign.h
 
+%files -n nspr
+%{!?_licensedir:%global license %%doc}
+%license nspr/LICENSE
+%{_libdir}/libnspr4.so
+%{_libdir}/libplc4.so
+%{_libdir}/libplds4.so
+
+%files -n nspr-devel
+%{_includedir}/nspr4
+%{_libdir}/pkgconfig/nspr.pc
+%{_bindir}/nspr-config
+%{_mandir}/man*/*
+
 
 %changelog
+* Fri Feb 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.88.1-1
+- Update NSS to 3.88.1
+
+* Tue Jan 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.87.0-1
+- Update NSS to 3.87 & remove unused patches
+
+* Thu Nov 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.85.0-1
+ - update to NSS 3.85
+
+* Tue Sep 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.83.0-1
+ - update to NSS 3.83
+ - update to NSPR 4.35
+
+* Thu Jun 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1
+- udpate to NSS 3.81
+
+* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
+- Fix crash when getting client cert and there is none in the database.
+
+* Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
+- Update to NSS 3.79
+- Update to NSPR 4.34
+
+* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
+- Update to 3.77
+
+* Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
+- Update to 3.75
+- fix PayPal expiration issue
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.73.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1
+- Update to 3.73
+- includes CVE 2021-43527
+
+* Mon Oct 4 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
+- Update to 3.71
+
+* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-2
+- turn on lto
+
+* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-1
+- Update to 3.69
+- Update to NSPR 4.31
+
+* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
+- switch to baserelease so rpmdev-bumpspec will work next time
+
+* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
+- rpmdev-bumpspec doesn't work correctly with nss/nspr. Fixup version numbers
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.67.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
+- Update to 3.67
+- Update to NSPR 2.31
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.65.0-1
+- Update to 3.65
+- update nss-tools manages to remove references to dbm
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
+- Update to 3.63
+- Update to NSPR 2.30
+- Remove old dbm files and man pages
+
+* Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1
+- Update to 3.62
+
+* Mon Feb 01 2021 Kalev Lember <klember@redhat.com> - 3.60.1-5
+- Rebuild to fix broken nspr dependencies
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.60.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-2
+- Update nspr release number
+
+* Fri Jan 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-2
+- Update requires so that we get the correct crypto policies
+  (or all RSA and ECDSA signatures wil fail)
+
+* Thu Jan 21 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
+* Fri Dec 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.59.0-2
+- Work around btrfs/sqlite bug
+- Disable new policy entries until crypto-polices has been updated
+
+* Thu Dec 10 2020 Daiki Ueno <dueno@redhat.com> - 3.59.0-1
+- Update to NSS 3.59
+- Remove unused quilt BR
+
+* Sat Nov  7 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-8
+- Replace %%{version} references in %%build with %%{nss_version}, suggested by Dmitry Butskoy in bz#1895447
+
+* Fri Oct 30 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-7
+- Use the lockstep release numbering for both nspr and nss
+
+* Thu Oct 29 2020 Jeff Law <law@redhat.com> - 3.58.0-6
+- Disable -Warray-parameter warning for gcc-11
+
+* Tue Oct 27 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-5
+- Consolidate NSPR package with this package
+
+* Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.58.0-4
+- fix pkix ocsp to tolerate OCSP checking on intermediates
+  when the root is signed by sha1 and sha1 is disabled by
+  policy
+
+* Mon Oct 26 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-3
+- Revert the last change, always tolerate the first CCS in TLS 1.3
+
+* Thu Oct 22 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-2
+- Enable TLS 1.3 middlebox compatibility mode by default
+
+* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-1
+- Update to NSS 3.58
+
+* Sat Sep 19 2020 Daiki Ueno <dueno@redhat.com> - 3.57.0-1
+- Update to NSS 3.57
+
+* Mon Aug 24 2020 Daiki Ueno <dueno@redhat.com> - 3.56.0-1
+- Update to NSS 3.56
+
+* Thu Aug 13 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-3
+- Fix DBM backend disablement
+- Add scriptlet to auto-migrated known database locations
+
+* Sat Aug  8 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-2
+- Disable LTO
+
+* Sun Aug  2 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-1
+- Update to NSS 3.55
+- Disable building DBM backend
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.54.0-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.54.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 15 2020 Daiki Ueno <dueno@redhat.com> - 3.54.0-1
+- Update to NSS 3.54
+
+* Thu Jun  4 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.0-2
+- Fix non-strict prototype in pk11pub.h
+
+* Mon Jun  1 2020 Daiki Ueno <dueno@redhat.com> - 3.53.0-1
+- Update to NSS 3.53
+
 * Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
 - Delay CK_GCM_PARAMS semantics until fedora 34
 

sources

@@ -1,6 +1,4 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f
+SHA512 (nss-3.88.1.tar.gz) = d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a