Disable tests on riscv64 for now

[..]
Tests summary:
--------------
Passed:             82622
Failed:             1
Failed with core:   0
ASan failures:      0
Unknown status:     2
TinderboxPrint:Unknown: 2
error: Bad exit status from /var/tmp/rpm-tmp.C2RdRB (%check)
[..]

Most likely:
[..]
------------- time ----------------------
real 1.40 user 1.07 sys 0.31
1 seconds
sdr.sh: #9: pwdecrypt no time regression  - FAILED
[..]

Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -49,3 +49,40 @@ TestUser51.cert
 /nss-3.51.tar.gz
 /nss-3.51.1.tar.gz
 /nss-3.52.tar.gz
+/nss-3.53.tar.gz
+/nss-3.54.tar.gz
+/nss-3.55.tar.gz
+/nss-3.56.tar.gz
+/nss-3.57.tar.gz
+/nss-3.58.tar.gz
+/nspr-4.29.tar.gz
+/nss-3.59.tar.gz
+/nss-3.60.1.tar.gz
+/nss-3.62.tar.gz
+/nss-3.63.tar.gz
+/nspr-4.30.tar.gz
+/nss-3.65.tar.gz
+/nss-3.67.tar.gz
+/nspr-4.31.tar.gz
+/nss-3.69.tar.gz
+/nspr-4.32.tar.gz
+/nss-3.71.tar.gz
+/nss-3.73.tar.gz
+/nss-3.75.tar.gz
+/nss-3.77.tar.gz
+/nss-3.79.tar.gz
+/nspr-4.34.tar.gz
+/nss-3.81.tar.gz
+/nss-3.83.tar.gz
+/nspr-4.35.tar.gz
+/nss-3.85.tar.gz
+/nss-3.87.tar.gz
+/nss-3.88.1.tar.gz
+/nss-3.89.tar.gz
+/nss-3.89-with-nspr-4.35.tar.gz
+/nss-3.90-with-nspr-4.35.tar.gz
+/nss-3.91-with-nspr-4.35.tar.gz
+/nss-3.92-with-nspr-4.35.tar.gz
+/nss-3.93-with-nspr-4.35.tar.gz
+/nss-3.94-with-nspr-4.35.tar.gz
+/nss-3.95-with-nspr-4.35.tar.gz

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

nspr-config-pc.patch

@@ -0,0 +1,37 @@
+diff -up nspr/config/nspr-config.in.flags nspr/config/nspr-config.in
+--- nspr/config/nspr-config.in.flags	2013-05-29 13:46:34.147971410 -0700
++++ nspr/config/nspr-config.in	2013-05-29 14:17:10.990838914 -0700
+@@ -102,7 +102,7 @@ if test -z "$includedir"; then
+     includedir=@includedir@
+ fi
+ if test -z "$libdir"; then
+-    libdir=@libdir@
++    libdir=`pkg-config --variable=libdir nspr`
+ fi
+ 
+ if test "$echo_prefix" = "yes"; then
+@@ -136,12 +136,12 @@ if test "$echo_libs" = "yes"; then
+       if test -n "$lib_nspr"; then
+ 	libdirs="$libdirs -lnspr${major_version}"
+       fi
+-      os_ldflags="@LDFLAGS@"
++      os_ldflags=`pkg-config --variable=ldflags nspr`
+       for i in $os_ldflags ; do
+ 	if echo $i | grep \^-L >/dev/null; then
+ 	  libdirs="$libdirs $i"
+         fi
+       done
+-      echo $libdirs @OS_LIBS@
++      echo $libdirs `pkg-config --variable=os_libs nspr`
+ fi      
+ 
+diff -up nspr/config/nspr.pc.in.flags nspr/config/nspr.pc.in
+--- nspr/config/nspr.pc.in.flags	2013-05-29 13:48:15.026643570 -0700
++++ nspr/config/nspr.pc.in	2013-05-29 13:49:47.795202949 -0700
+@@ -6,5 +6,5 @@ includedir=@includedir@
+ Name: NSPR
+ Description: The Netscape Portable Runtime
+ Version: @MOD_MAJOR_VERSION@.@MOD_MINOR_VERSION@.@MOD_PATCH_VERSION@
+-Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@
++Libs: -L@libdir@ -lplds@MOD_MAJOR_VERSION@ -lplc@MOD_MAJOR_VERSION@ -lnspr@MOD_MAJOR_VERSION@ @OS_LIBS@
+ Cflags: -I@includedir@

nspr-config.xml

@@ -0,0 +1,127 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nspr-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Netscape Portable Runtime</title>
+    <productname>nspr</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nspr-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nspr-config</refname>
+    <refpurpose>Return meta information about nspr libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nspr-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>nspr-config</command> is a shell script which can be used to obtain gcc options for building client pacakges of nspr.</para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nspr libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which any nspr binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>Returns the path to the directory were the nspr headers are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>Returns the upstream version of nspr in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>Returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>Returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>Returns the path to the directory were the nspr libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+      <programlisting>
+        /usr/bin/nspr-config --cflags --libs
+      </programlisting>
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nspr-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSPR liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

nspr-gcc-atomics.patch

@@ -0,0 +1,51 @@
+diff -up ./pr/include/md/_linux.h.gcc-atomics ./pr/include/md/_linux.h
+--- ./pr/include/md/_linux.h.gcc-atomics	2022-09-20 11:23:22.008942926 -0700
++++ ./pr/include/md/_linux.h	2022-09-20 11:34:45.536751340 -0700
+@@ -105,6 +105,15 @@
+ #endif
+ 
+ #if defined(__i386__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
+@@ -116,6 +125,7 @@ extern PRInt32 _PR_x86_AtomicAdd(PRInt32
+ extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET                _PR_x86_AtomicSet
+ #endif
++#endif
+ 
+ #if defined(__ia64__)
+ #define _PR_HAVE_ATOMIC_OPS
+@@ -131,6 +141,15 @@ extern PRInt32 _PR_ia64_AtomicSet(PRInt3
+ #endif
+ 
+ #if defined(__x86_64__)
++#if defined(__GNUC__)
++/* Use GCC built-in functions */
++#define _PR_HAVE_ATOMIC_OPS
++#define _MD_INIT_ATOMIC()
++#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
++#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)
++#define _MD_ATOMIC_ADD(ptr, i) __sync_add_and_fetch(ptr, i)
++#define _MD_ATOMIC_SET(ptr, nv) __sync_lock_test_and_set(ptr, nv)
++#else
+ #define _PR_HAVE_ATOMIC_OPS
+ #define _MD_INIT_ATOMIC()
+ extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
+@@ -142,6 +161,7 @@ extern PRInt32 _PR_x86_64_AtomicAdd(PRIn
+ extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
+ #define _MD_ATOMIC_SET                _PR_x86_64_AtomicSet
+ #endif
++#endif
+ 
+ #if defined(__loongarch__)
+ #if defined(__GNUC__)

nss-3.89-dangling.patch

@@ -0,0 +1,78 @@
+diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c
+--- a/cmd/ecperf/ecperf.c
++++ b/cmd/ecperf/ecperf.c
+@@ -51,10 +51,11 @@
+     int iters = threadData->iters;
+     unsigned char sigData[256];
+     SECItem sig;
+     CK_SESSION_HANDLE session;
+     CK_RV crv;
++    void *tmp = NULL;
+ 
+     threadData->status = SECSuccess;
+     threadData->count = 0;
+ 
+     /* get our thread's session */
+@@ -66,10 +67,11 @@
+     }
+ 
+     if (threadData->isSign) {
+         sig.data = sigData;
+         sig.len = sizeof(sigData);
++        tmp = threadData->p2;
+         threadData->p2 = (void *)&sig;
+     }
+ 
+     while (iters--) {
+         threadData->status = (*op)(session, threadData->p1,
+@@ -77,27 +79,33 @@
+         if (threadData->status != SECSuccess) {
+             break;
+         }
+         threadData->count++;
+     }
++
++    if (threadData->isSign) {
++        threadData->p2 = tmp;
++    }
+     return;
+ }
+ 
+ void
+ genericThread(void *data)
+ {
+     ThreadData *threadData = (ThreadData *)data;
+     int iters = threadData->iters;
+     unsigned char sigData[256];
+     SECItem sig;
++    void *tmp = NULL;
+ 
+     threadData->status = SECSuccess;
+     threadData->count = 0;
+ 
+     if (threadData->isSign) {
+         sig.data = sigData;
+         sig.len = sizeof(sigData);
++        tmp = threadData->p2;
+         threadData->p2 = (void *)&sig;
+     }
+ 
+     while (iters--) {
+         threadData->status = (*threadData->op)(threadData->p1,
+@@ -105,10 +113,14 @@
+         if (threadData->status != SECSuccess) {
+             break;
+         }
+         threadData->count++;
+     }
++
++    if (threadData->isSign) {
++        threadData->p2 = tmp;
++    }
+     return;
+ }
+ 
+ /* Time iter repetitions of operation op. */
+ SECStatus
+
+

nss-539183.patch

@@ -1,62 +0,0 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSockett");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
--    addr.inet.family = PR_AF_INET;
--    addr.inet.ip = PR_INADDR_ANY;
--    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
--    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
--        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-no-dbm-man-page.patch

@@ -0,0 +1,120 @@
+diff -up ./doc/certutil.xml.no-dbm ./doc/certutil.xml
+--- ./doc/certutil.xml.no-dbm	2021-05-29 10:26:21.853386165 -0700
++++ ./doc/certutil.xml	2021-05-29 10:31:15.057058619 -0700
+@@ -205,8 +205,7 @@ If this option is not used, the validity
+           <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
+           <para>NSS recognizes the following prefixes:</para>
+           <itemizedlist>
+-            <listitem><para><command>sql:</command> requests the newer database</para></listitem>
+-	    <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
++            <listitem><para><command>sql:</command> requests the sql-lite database</para></listitem>
+           </itemizedlist>
+           <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>sql:</command> is the default.</para>
+         </listitem>
+@@ -1205,17 +1204,9 @@ BerkeleyDB. These new databases provide
+ 	</listitem>
+ </itemizedlist>
+ 
+-<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
++<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. </para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>$ certutil -L -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/modutil.xml.no-dbm ./doc/modutil.xml
+--- ./doc/modutil.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/modutil.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -151,7 +151,7 @@
+       <varlistentry>
+         <term>-dbdir directory</term>
+ 	  <listitem><para>Specify the database directory in which to access or create security module database files.</para>
+-	<para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in SQLite format.</para></listitem>
++	<para><command>modutil</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -689,15 +689,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting>modutil -create -dbdir dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para> 
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/pk12util.xml.no-dbm ./doc/pk12util.xml
+--- ./doc/pk12util.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/pk12util.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -90,7 +90,7 @@
+       <varlistentry>
+         <term>-d directory</term>
+         <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
+-	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>pk12util</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -394,15 +394,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.  </para>
+ 
+ <itemizedlist>
+ 	<listitem>
+diff -up ./doc/signver.xml.no-dbm ./doc/signver.xml
+--- ./doc/signver.xml.no-dbm	2021-05-29 10:26:21.854386171 -0700
++++ ./doc/signver.xml	2021-05-29 10:28:23.293078869 -0700
+@@ -66,7 +66,7 @@
+       <varlistentry>
+         <term>-d <emphasis>directory</emphasis></term>
+         <listitem><para>Specify the database directory which contains the certificates and keys.</para>
+-	<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>dbm:</command> is not used, then the tool assumes that the given databases are in the SQLite format.</para></listitem>
++	<para><command>signver</command> supports SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para></listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>-a</term>
+@@ -155,15 +155,7 @@ BerkleyDB. These new databases provide m
+ 
+ <para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+ 
+-<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type
+-Using the legacy databases must be manually specified by using the <command>dbm:</command> prefix with the given security directory. For example:</para>
+-
+-<programlisting># signver -A -s <replaceable>signature</replaceable> -d dbm:/home/my/sharednssdb</programlisting>
+-
+-<para>To set the legacy database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>dbm</envar>:</para>
+-<programlisting>export NSS_DEFAULT_DB_TYPE="dbm"</programlisting>
+-
+-<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
++<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases use the SQLite type.</para>
+ 
+ <itemizedlist>
+ 	<listitem>

nss-signtool-format.patch

@@ -10,7 +10,7 @@ diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
  
          /* Recursively delete all entries in the directory */
          while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
+-            snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
 +            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
 +                PR_CloseDir(dir);
 +                return -1;
@@ -26,28 +26,19 @@ diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
 diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
 --- a/cmd/signtool/util.c
 +++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
+@@ -138,6 +138,12 @@ rm_dash_r(char *path)
          /* Recursively delete all entries in the directory */
          while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+             snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
++            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
++) >= sizeof(filename)) {
 +                errorCount++;
++                PR_CloseDir(dir);
 +                return -1;
 +            }
-             if (rm_dash_r(filename))
+             if (rm_dash_r(filename)) {
+                 PR_CloseDir(dir);
                  return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
 diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
 --- a/lib/libpkix/pkix/util/pkix_list.c
 +++ b/lib/libpkix/pkix/util/pkix_list.c

nss.spec

@@ -1,13 +1,28 @@
-%global nspr_version 4.25.0
-%global nss_version 3.52.0
+%global nspr_version 4.35.0
+%global nss_version 3.95.0
+# NOTE: To avoid NVR clashes of nspr* packages:
+# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
+# - increment %%{nspr_version}, when updating the NSS part only
+%global baserelease 1
+%global nss_release %baserelease
+# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
+# release number between nss and nspr are different.
+%global nspr_release %[%baserelease+15]
+# only need to update this as we added new
+# algorithms under nss policy control
+%global crypto_policies_version 20210118
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
 %global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 
+%ifnarch riscv64
 %bcond_without tests
-%bcond_without dbm
+%else
+%bcond_with tests
+%endif
+%bcond_with dbm
 
 # Produce .chk files for the final stripped binaries
 #
@@ -31,6 +46,11 @@
 # The upstream omits the trailing ".0", while we need it for
 # consistency with the pkg-config version:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nspr_archive_version %s",
+           string.gsub(rpm.expand("%nspr_version"), "(.*)%.0$", "%1")))
+}
+
 %{lua:
 rpm.define(string.format("nss_archive_version %s",
            string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
@@ -41,11 +61,13 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
            string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
 }
 
+%global nss_nspr_archive nss-%{nss_archive_version}-with-nspr-%{nspr_archive_version}
+
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
-License:          MPLv2.0
+Release:          %{nss_release}.0.riscv64%{?dist}
+License:          MPL-2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{nss_version}
@@ -53,9 +75,10 @@ Requires:         nss-util >= %{nss_version}
 Requires:         nss-softokn%{_isa} >= %{nss_version}
 Requires:         nss-system-init
 Requires:         p11-kit-trust
-Requires:         crypto-policies
-BuildRequires:    nspr-devel >= %{nspr_version}
+Requires:         /usr/bin/update-crypto-policies
+Requires:         crypto-policies >= %{crypto_policies_version}
 # for shlibsign
+BuildRequires: make
 BuildRequires:    nss-softokn
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
@@ -64,9 +87,8 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
 BuildRequires:    gcc-c++
-BuildRequires:    quilt
 
-Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{nss_nspr_archive}.tar.gz
 Source1:          nss-util.pc.in
 Source2:          nss-util-config.in
 Source3:          nss-softokn.pc.in
@@ -75,9 +97,11 @@ Source6:          nss-softokn-dracut-module-setup.sh
 Source7:          nss-softokn-dracut.conf
 Source8:          nss.pc.in
 Source9:          nss-config.in
+%if %{with dbm}
 Source10:         blank-cert8.db
 Source11:         blank-key3.db
 Source12:         blank-secmod.db
+%endif
 Source13:         blank-cert9.db
 Source14:         blank-key4.db
 Source15:         system-pkcs11.txt
@@ -85,15 +109,17 @@ Source16:         setup-nsssysinit.sh
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
-Source23:         cert8.db.xml
 Source24:         cert9.db.xml
-Source25:         key3.db.xml
 Source26:         key4.db.xml
+%if %{with dbm}
+Source23:         cert8.db.xml
+Source25:         key3.db.xml
 Source27:         secmod.db.xml
+%endif
 Source28:         nss-p11-kit.config
 
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-539183.patch
+Source101:        nspr-config.xml
+
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -103,17 +129,15 @@ Patch2:           nss-539183.patch
 # case when starting an update with API changes or even private export
 # changes.
 #
-# Once the buildroot aha been bootstrapped the patch may be removed
+# Once the buildroot has been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
-# https://github.com/FStarLang/kremlin/issues/166
-Patch13:          nss-kremlin-ppc64le.patch
-%if 0%{?fedora} < 34
-%if 0%{?rhel} < 9
-Patch20:          nss-gcm-param-default-pkcs11v2.patch
-%endif
-%endif
+# fedora disabled dbm by default
+Patch40:          nss-no-dbm-man-page.patch
+
+Patch100:         nspr-config-pc.patch
+Patch101:         nspr-gcc-atomics.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -124,7 +148,7 @@ v3 certificates, and other security standards.
 
 %package tools
 Summary:          Tools for the Network Security Services
-Requires:         %{name}%{?_isa} = %{version}-%{release}
+Requires:         %{name}%{?_isa} = %{nss_version}-%{release}
 
 %description tools
 Network Security Services (NSS) is a set of libraries designed to
@@ -141,7 +165,7 @@ Summary:          System NSS Initialization
 # providing nss-system-init without version so that it can
 # be replaced by a better one, e.g. supplied by the os vendor
 Provides:         nss-system-init
-Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss%{?_isa} = %{nss_version}-%{release}
 Requires(post):   coreutils, sed
 
 %description sysinit
@@ -152,8 +176,8 @@ any system or user configured modules.
 
 %package devel
 Summary:          Development libraries for Network Security Services
-Provides:         nss-static = %{version}-%{release}
-Requires:         nss%{?_isa} = %{version}-%{release}
+Provides:         nss-static = %{nss_version}-%{release}
+Requires:         nss%{?_isa} = %{nss_version}-%{release}
 Requires:         nss-util-devel
 Requires:         nss-softokn-devel
 Requires:         nspr-devel >= %{nspr_version}
@@ -166,9 +190,9 @@ Header and Library files for doing development with Network Security Services.
 
 %package pkcs11-devel
 Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
-Provides:         nss-pkcs11-devel-static = %{version}-%{release}
-Requires:         nss-devel = %{version}-%{release}
-Requires:         nss-softokn-freebl-devel = %{version}-%{release}
+Provides:         nss-pkcs11-devel-static = %{nss_version}-%{release}
+Requires:         nss-devel = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl-devel = %{nss_version}-%{release}
 
 %description pkcs11-devel
 Library files for developing PKCS #11 modules using basic NSS
@@ -184,7 +208,7 @@ Utilities for Network Security Services and the Softoken module
 
 %package util-devel
 Summary:          Development libraries for Network Security Services Utilities
-Requires:         nss-util%{?_isa} = %{version}-%{release}
+Requires:         nss-util%{?_isa} = %{nss_version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
 Requires:         pkgconfig
 
@@ -195,8 +219,8 @@ Header and library files for doing development with Network Security Services.
 %package softokn
 Summary:          Network Security Services Softoken Module
 Requires:         nspr >= %{nspr_version}
-Requires:         nss-util >= %{version}-%{release}
-Requires:         nss-softokn-freebl%{_isa} >= %{version}-%{release}
+Requires:         nss-util >= %{nss_version}-%{release}
+Requires:         nss-softokn-freebl%{_isa} >= %{nss_version}-%{release}
 
 %description softokn
 Network Security Services Softoken Cryptographic Module
@@ -217,8 +241,8 @@ Install the nss-softokn-freebl package if you need the freebl library.
 
 %package softokn-freebl-devel
 Summary:          Header and Library files for doing development with the Freebl library for NSS
-Provides:         nss-softokn-freebl-static = %{version}-%{release}
-Requires:         nss-softokn-freebl%{?_isa} = %{version}-%{release}
+Provides:         nss-softokn-freebl-static = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl%{?_isa} = %{nss_version}-%{release}
 
 %description softokn-freebl-devel
 NSS Softoken Cryptographic Module Freebl Library Development Tools
@@ -229,21 +253,53 @@ Developers should rely only on the officially supported NSS public API.
 
 %package softokn-devel
 Summary:          Development libraries for Network Security Services
-Requires:         nss-softokn%{?_isa} = %{version}-%{release}
-Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
+Requires:         nss-softokn%{?_isa} = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
-Requires:         nss-util-devel >= %{version}-%{release}
+Requires:         nss-util-devel >= %{nss_version}-%{release}
 Requires:         pkgconfig
-BuildRequires:    nspr-devel >= %{nspr_version}
 
 %description softokn-devel
 Header and library files for doing development with Network Security Services.
 
+%package -n nspr
+Summary:        Netscape Portable Runtime
+Version:        %{nspr_version}
+Release:        %{nspr_release}%{?dist}
+License:        MPL-2.0
+URL:            http://www.mozilla.org/projects/nspr/
+Conflicts:      filesystem < 3
+BuildRequires:  gcc
+
+%description -n nspr
+NSPR provides platform independence for non-GUI operating system
+facilities. These facilities include threads, thread synchronization,
+normal file and network I/O, interval timing and calendar time, basic
+memory management (malloc and free) and shared library linking.
+
+%package -n nspr-devel
+Summary:        Development libraries for the Netscape Portable Runtime
+Version:        %{nspr_version}
+Release:        %{nspr_release}%{?dist}
+Requires:       nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
+Requires:       pkgconfig
+BuildRequires:  xmlto
+Conflicts:      filesystem < 3
+
+%description -n nspr-devel
+Header files for doing development with the Netscape Portable Runtime.
 
 %prep
-%autosetup -N -S quilt -n %{name}-%{nss_archive_version}
+%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
+cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
+
+%patch 100 -p0 -b .flags
+pushd nspr
+%patch 101 -p1 -b .gcc-atomics
+popd
+
 pushd nss
-%autopatch -p1
+%autopatch -p1 -M 99
 popd
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
@@ -251,14 +307,58 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
 
 %build
+# Build, check, and install NSPR for building NSS in the later phase
+#
+# TODO: This phase can be done by the NSS build process if we switch
+# to using "make nss_build_all".  For now, however, we need some
+# adjustment in the NSS build process.
+mkdir -p nspr_build
+pushd nspr_build
+../nspr/configure \
+                 --prefix=%{_prefix} \
+                 --libdir=%{_libdir} \
+                 --includedir=%{_includedir}/nspr4 \
+                 --with-dist-prefix=$PWD/../dist \
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+                 --enable-64bit \
+%endif
+%endif
+%ifarch armv7l armv7hl armv7nhl
+                 --enable-thumb2 \
+%endif
+                 --enable-optimize="$RPM_OPT_FLAGS" \
+                 --disable-debug
 
-export FREEBL_NO_DEPEND=1
+# The assembly files are only for legacy atomics, to which we prefer GCC atomics
+%ifarch i686 x86_64
+sed -i '/^PR_MD_ASFILES/d' config/autoconf.mk
+%endif
+make
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{nspr_version} > version.xml
+
+for m in %{SOURCE101}; do
+  cp ${m} .
+done
+for m in nspr-config.xml; do
+  xmlto man ${m}
+done
+popd
+
+# Build NSS
+#
+# This package fails its testsuite with LTO.  Disable LTO for now
+#%global _lto_cflags %{nil}
+
+#export FREEBL_NO_DEPEND=1
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+# export FREEBL_LOWHASH=1
 
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
@@ -281,6 +381,9 @@ export XCFLAGS=$RPM_OPT_FLAGS
 export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 %endif
 
+# Similarly, but for gcc-11
+export XCFLAGS="$XCFLAGS -Wno-array-parameter"
+
 export LDFLAGS=$RPM_LD_FLAGS
 
 export DSO_LDOPTS=$RPM_LD_FLAGS
@@ -288,13 +391,15 @@ export DSO_LDOPTS=$RPM_LD_FLAGS
 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
-export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-export NSPR_LIB_DIR=%{_libdir}
+export NSPR_INCLUDE_DIR=$PWD/dist/include/nspr
+export NSPR_LIB_DIR=$PWD/dist/lib
 
 export NSS_USE_SYSTEM_SQLITE=1
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
+export NSS_SEED_ONLY_DEV_URANDOM=1
+
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
@@ -306,16 +411,15 @@ export USE_64=1
 %endif
 %endif
 
-%{__make} -C ./nss/coreconf
-%{__make} -C ./nss/lib/dbm
-
 # Set the policy file location
 # if set NSS will always check for the policy file and load if it exists
 export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-%{__make} -C ./nss
+
+%{__make} -C ./nss all
+%{__make} -C ./nss latest
 
 # build the man pages clean
 pushd ./nss
@@ -334,7 +438,7 @@ cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-                          -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
+                          -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" > \
                           ./dist/pkgconfig/nss-util.pc
 
 NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
@@ -358,7 +462,7 @@ cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                           -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
-                          -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+                          -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
                           ./dist/pkgconfig/nss-softokn.pc
 
 SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
@@ -380,7 +484,7 @@ cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
-                          -e "s,%%NSS_VERSION%%,%{version},g" \
+                          -e "s,%%NSS_VERSION%%,%{nss_version},g" \
                           -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                           -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
                           -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
@@ -407,32 +511,47 @@ chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
 cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
 
 date +"%e %B %Y" | tr -d '\n' > date.xml
-echo -n %{version} > version.xml
+echo -n %{nss_version} > version.xml
 
 # configuration files and setup script
-for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+%if %{with dbm}
+%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}
+%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt
+%else
+%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
+%global dbfiles cert9.db key4.db pkcs11.txt
+%endif
+for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
   cp ${m} .
 done
-for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
-  xmlto man ${m}
-done
-
-# nss databases considered to be configuration files
-for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
-  cp ${m} .
-done
-for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
-  xmlto man ${m}
+%global configFiles nss-config setup-nsssysinit
+for m in %{configFiles}  %{dbfiles}; do
+  xmlto man ${m}.xml
 done
 
 
 %check
+%if %{with tests}
+pushd nspr_build
+# Run test suite.
+perl ../nspr/pr/tests/runtests.pl 2>&1 | tee output.log
+
+TEST_FAILURES=`grep -c FAILED ./output.log` || :
+if [ $TEST_FAILURES -ne 0 ]; then
+  echo "error: test suite returned failure(s)"
+  exit 1
+fi
+echo "test suite completed"
+popd
+%endif
+
 %if %{with tests}
 # Begin -- copied from the build section
 
 export FREEBL_NO_DEPEND=1
 
 export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -442,6 +561,15 @@ export USE_64=1
 
 # End -- copied from the build section
 
+# copy the nspr libraries into the NSS object directory so we use the
+# newly compiled nspr binaries in our test rather than the build root
+# versions
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+for i in ./dist/lib/*.so
+do
+   cp $i ./dist/${LOBJDIR}/lib
+done
+
 # This is necessary because the test suite tests algorithms that are
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
@@ -465,9 +593,9 @@ if [ $SPACEISBAD -ne 0 ]; then
   echo "error: filenames containing space are not supported (xargs)"
   exit 1
 fi
-MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
-RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
-DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+export MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND
+export RANDSERV=selfserv_${MYRAND}; echo $RANDSERV
+export DISTBINDIR=./dist/${LOBJDIR}/bin
 pushd "$DISTBINDIR"
 ln -s selfserv $RANDSERV
 popd
@@ -505,6 +633,46 @@ killall $RANDSERV || :
 
 %install
 
+pushd nspr_build
+make install DESTDIR=$RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+# Get rid of the things we don't want installed (per upstream)
+rm -rf \
+   $RPM_BUILD_ROOT/%{_bindir}/compile-et.pl \
+   $RPM_BUILD_ROOT/%{_bindir}/prerr.properties \
+   $RPM_BUILD_ROOT/%{_libdir}/libnspr4.a \
+   $RPM_BUILD_ROOT/%{_libdir}/libplc4.a \
+   $RPM_BUILD_ROOT/%{_libdir}/libplds4.a \
+   $RPM_BUILD_ROOT/%{_datadir}/aclocal/nspr.m4 \
+   $RPM_BUILD_ROOT/%{_includedir}/nspr4/md
+
+for f in nspr-config; do
+   install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+popd
+
+# Begin -- copied from the build section
+# this is needed to make sure LOBJDIR is correct
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# get the objdir value from the test make file
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+
 # There is no make install target so we'll do it ourselves.
 
 mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
@@ -533,15 +701,17 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 755 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Install the empty NSS db files
 # Legacy db
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%if %{with dbm}
 install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
 install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%endif
 # Shared db
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
@@ -550,19 +720,19 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.tx
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 
 # Copy the binaries we ship as unsupported
-for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in bltest dbtool ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 
 # Copy the include files we want
@@ -580,7 +750,7 @@ done
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the template files we want
@@ -603,7 +773,7 @@ install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
 
 # Copy the man pages for scripts
-for f in nss-config setup-nsssysinit; do
+for f in %{configFiles}; do
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the nss tools
@@ -616,12 +786,8 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
 %endif
 
-# Copy the man pages for the configuration files
-for f in pkcs11.txt; do
-   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
-done
 # Copy the man pages for the nss databases
-for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+for f in %{dbfiles}; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
 
@@ -634,9 +800,20 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
 /usr/bin/setup-nsssysinit.sh on
 
 %post
-update-crypto-policies &> /dev/null || :
+%if %{with dbm}
+%else
+# Upon upgrade, ensure that the existing database locations are migrated to SQL
+# database.
+if test $1 -eq 2; then
+    for dbdir in %{_sysconfdir}/pki/nssdb; do
+        if test ! -e ${dbdir}/pkcs11.txt; then
+            /usr/bin/certutil --merge -d ${dbdir} --source-dir ${dbdir}
+        fi
+    done
+fi
+%endif
 
-%postun
+%posttrans
 update-crypto-policies &> /dev/null || :
 
 
@@ -647,16 +824,20 @@ update-crypto-policies &> /dev/null || :
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
 %dir %{_sysconfdir}/pki/nssdb
+%if %{with dbm}
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%endif
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%if %{with dbm}
 %doc %{_mandir}/man5/cert8.db.5*
 %doc %{_mandir}/man5/key3.db.5*
 %doc %{_mandir}/man5/secmod.db.5*
+%endif
 %doc %{_mandir}/man5/cert9.db.5*
 %doc %{_mandir}/man5/key4.db.5*
 %doc %{_mandir}/man5/pkcs11.txt.5*
@@ -746,6 +927,7 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/p12plcy.h
 %{_includedir}/nss3/p12t.h
 %{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11hpke.h
 %{_includedir}/nss3/pk11pqg.h
 %{_includedir}/nss3/pk11priv.h
 %{_includedir}/nss3/pk11pub.h
@@ -845,6 +1027,7 @@ update-crypto-policies &> /dev/null || :
 %dir %{saved_files_dir}
 %dir %{unsupported_tools_directory}
 %{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/dbtool
 %{unsupported_tools_directory}/ecperf
 %{unsupported_tools_directory}/fbectest
 %{unsupported_tools_directory}/fipstest
@@ -890,8 +1073,232 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/nsslowhash.h
 %{_includedir}/nss3/shsign.h
 
+%files -n nspr
+%{!?_licensedir:%global license %%doc}
+%license nspr/LICENSE
+%{_libdir}/libnspr4.so
+%{_libdir}/libplc4.so
+%{_libdir}/libplds4.so
+
+%files -n nspr-devel
+%{_includedir}/nspr4
+%{_libdir}/pkgconfig/nspr.pc
+%{_bindir}/nspr-config
+%doc %{_mandir}/man1/nspr-config.*
+
 
 %changelog
+* Thu Dec 14 2023 David Abdurachmanov <davidlt@rivosinc.com> - 3.95.0-1.0.riscv64
+- Disable tests on riscv64 for now
+
+* Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1
+- Update NSS to 3.95.0
+
+* Wed Oct 25 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-2
+- revert HACL 256 code to fix binary compatibility issue.
+
+* Wed Oct 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-1
+- Update NSS to 3.94.0
+
+* Thu Sep 07 2023 Bob Relyea <rrelyea@redhat.com> - 3.93.0-2
+- Update License field to SPDX.
+
+* Thu Aug 31 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.93.0-1
+- Update NSS to 3.93.0
+
+* Tue Aug 1 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.92.0-1
+- Update NSS to 3.92.0
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.91.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.91.0-1
+- Update NSS to 3.91.0
+
+* Tue Jun 6 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+- Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 &
+                https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
+
+* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+- Update %patch syntax
+
+* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+- Update NSS to 3.90.0
+
+* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+- combine nss and nspr source togeather
+
+* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+- replace %{version} with %{nss_version} as it version can be overiden.
+
+* Fri Mar 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+- Update NSS to 3.89.0
+
+* Fri Feb 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.88.1-1
+- Update NSS to 3.88.1
+
+* Tue Jan 24 2023 Bob Relyea - 3.87.0-2
+- Fix rebuild errors
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.87.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Jan 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.87.0-1
+- Update NSS to 3.87 & remove unused patches
+
+* Thu Nov 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.85.0-1
+- update to NSS 3.83
+
+* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.83.0-1
+- update to NSS 3.83
+- update to NSPR 4.35
+
+* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-2
+- add dbtool
+
+* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1
+- udpate to NSS 3.81
+
+* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
+- Fix crash when getting client cert and there is none in the database.
+
+* Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
+- Update to NSS 3.79
+- Update to NSPR 4.34
+
+* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
+- Update to 3.77
+
+* Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
+- Update to 3.75
+- fix PayPal expiration issue
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.73.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1
+- Update to 3.73
+- includes CVE 2021-43527
+
+* Mon Oct 4 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
+- Update to 3.71
+
+* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-2
+- turn on lto
+
+* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-1
+- Update to 3.69
+- Update to NSPR 4.31
+
+* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
+- switch to baserelease so rpmdev-bumpspec will work next time
+
+* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
+- rpmdev-bumpspec doesn't work correctly with nss/nspr. Fixup version numbers
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.67.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
+- Update to 3.67
+- Update to NSPR 2.31
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.65.0-1
+- Update to 3.65
+- update nss-tools manages to remove references to dbm
+
+* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
+- Update to 3.63
+- Update to NSPR 2.30
+- Remove old dbm files and man pages
+
+* Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1
+- Update to 3.62
+
+* Mon Feb 01 2021 Kalev Lember <klember@redhat.com> - 3.60.1-5
+- Rebuild to fix broken nspr dependencies
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.60.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Fri Jan 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-2
+- Update nspr release number
+
+* Fri Jan 22 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-2
+- Update requires so that we get the correct crypto policies
+  (or all RSA and ECDSA signatures wil fail)
+
+* Thu Jan 21 2021 Bob Relyea <rrelyea@redhat.com> - 3.60.1-1
+- Update to NSS 3.60.1
+- Drop NODEPEND_FREEBL and LOWHASH
+
+* Fri Dec 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.59.0-2
+- Work around btrfs/sqlite bug
+- Disable new policy entries until crypto-polices has been updated
+
+* Thu Dec 10 2020 Daiki Ueno <dueno@redhat.com> - 3.59.0-1
+- Update to NSS 3.59
+- Remove unused quilt BR
+
+* Sat Nov  7 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-8
+- Replace %%{version} references in %%build with %%{nss_version}, suggested by Dmitry Butskoy in bz#1895447
+
+* Fri Oct 30 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-7
+- Use the lockstep release numbering for both nspr and nss
+
+* Thu Oct 29 2020 Jeff Law <law@redhat.com> - 3.58.0-6
+- Disable -Warray-parameter warning for gcc-11
+
+* Tue Oct 27 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-5
+- Consolidate NSPR package with this package
+
+* Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.58.0-4
+- fix pkix ocsp to tolerate OCSP checking on intermediates
+  when the root is signed by sha1 and sha1 is disabled by
+  policy
+
+* Mon Oct 26 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-3
+- Revert the last change, always tolerate the first CCS in TLS 1.3
+
+* Thu Oct 22 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-2
+- Enable TLS 1.3 middlebox compatibility mode by default
+
+* Tue Oct 20 2020 Daiki Ueno <dueno@redhat.com> - 3.58.0-1
+- Update to NSS 3.58
+
+* Sat Sep 19 2020 Daiki Ueno <dueno@redhat.com> - 3.57.0-1
+- Update to NSS 3.57
+
+* Mon Aug 24 2020 Daiki Ueno <dueno@redhat.com> - 3.56.0-1
+- Update to NSS 3.56
+
+* Thu Aug 13 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-3
+- Fix DBM backend disablement
+- Add scriptlet to auto-migrated known database locations
+
+* Sat Aug  8 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-2
+- Disable LTO
+
+* Sun Aug  2 2020 Daiki Ueno <dueno@redhat.com> - 3.55.0-1
+- Update to NSS 3.55
+- Disable building DBM backend
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.54.0-3
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.54.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 15 2020 Daiki Ueno <dueno@redhat.com> - 3.54.0-1
+- Update to NSS 3.54
+
+* Thu Jun  4 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.0-2
+- Fix non-strict prototype in pk11pub.h
+
+* Mon Jun  1 2020 Daiki Ueno <dueno@redhat.com> - 3.53.0-1
+- Update to NSS 3.53
+
 * Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
 - Delay CK_GCM_PARAMS semantics until fedora 34
 

plans/gnutls-2way.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-gnutls-2way
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-nss & tag: interop-gnutls & tag: interop-2way'
+execute:
+    how: tmt

plans/openssl-2way.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-openssl-2way
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-2way'
+execute:
+    how: tmt

plans/openssl-reneg.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop-nss-openssl renegotiation test
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-openssl-reneg
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-reneg'
+execute:
+    how: tmt

plans/short-interop-tests.fmf

@@ -0,0 +1,10 @@
+summary: Upstreamed interop tests - short tests which do not need to run in parallel
+contact: Stanislav Zidek <szidek@redhat.com>
+discover:
+  # upstreamed tests (public)
+  - name: interop-other+nss-fast
+    how: fmf
+    url: https://gitlab.com/redhat-crypto/tests/interop.git
+    filter: 'tag: interop-nss & tag: -interop-slow'
+execute:
+    how: tmt

sources

@@ -1,6 +1,3 @@
-SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
-SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd

tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Hubert Kario <hkario@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     NSS tools should not use SHA1 by default when" >> $(METADATA)
-	@echo "Type:            Regression" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          nss openssl" >> $(METADATA)
-	@echo "Requires:        nss nss-tools openssl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE

@@ -1,4 +0,0 @@
-PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
-Description: NSS tools should not use SHA1 by default when
-Author: Hubert Kario <hkario@redhat.com>
-Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh

@@ -1,125 +0,0 @@
-#!/bin/bash
-# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
-#   Description: NSS tools should not use SHA1 by default when
-#   Author: Hubert Kario <hkario@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2016 Red Hat, Inc.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-# Include Beaker environment
-. /usr/share/beakerlib/beakerlib.sh || exit 1
-
-PACKAGE="nss"
-PACKAGES="nss openssl"
-DBDIR="nssdb"
-
-rlJournalStart
-    rlPhaseStartSetup
-        rlAssertRpm --all
-        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
-        rlRun "pushd $TmpDir"
-        rlRun "mkdir nssdb"
-        rlRun "certutil -N -d $DBDIR --empty-password"
-        rlLogInfo "Create a JAR file"
-        rlRun "mkdir java-dir"
-        rlRun "pushd java-dir"
-        rlRun "mkdir META-INF mypackage"
-        rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
-        rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
-        #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
-        rlRun "popd"
-        #rlRun "mv java-dir/package.jar ."
-    rlPhaseEnd
-
-    rlPhaseStartTest "Self signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
-        rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing certificates"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
-        rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Certificate request with SHA1"
-        rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
-        rlRun "mkdir srv2db"
-        rlRun "certutil -d srv2db -N --empty-password"
-        rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
-        rlRun -s "openssl req -noout -text -in srv2.req"
-        rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
-        rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
-        rlRun -s "openssl x509 -in srv2.crt -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-        rlRun "rm -rf srv2db"
-    rlPhaseEnd
-
-    rlPhaseStartTest "Signing CMS messages"
-        rlRun "echo 'This is a document' > document.txt"
-        rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
-        rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
-        rlAssertGrep "algorithm: sha256" $rlRun_LOG
-        rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartTest "CRL signing"
-        rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
-        rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
-        rlRun "echo addext crlNumber 0 1245 >>script"
-        rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
-        rlRun "echo addext reasonCode 0 0 >>script"
-        rlRun "cat script"
-        rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
-        rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
-        rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
-        rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
-    rlPhaseEnd
-
-    rlPhaseStartCleanup
-        rlRun "popd"
-        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
-    rlPhaseEnd
-rlJournalPrintText
-rlJournalEnd

tests/tests.yml

@@ -1,12 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - NSS-tools-should-not-use-SHA1-by-default-when
-    required_packages:
-    - nss-tools
-    - nss