Consolidate nss-util, nss-softokn, and nss into a single package

.gitignore

@@ -30,22 +30,3 @@ TestUser51.cert
 /nss-3.37.3.tar.gz
 /nss-3.38.0.tar.gz
 /nss-3.39.tar.gz
-/nss-3.40.1.tar.gz
-/nss-3.41.tar.gz
-/nss-3.42.tar.gz
-/nss-3.42.1.tar.gz
-/nss-3.43.tar.gz
-/nss-3.44.tar.gz
-/nss-3.44.1.tar.gz
-/nss-3.45.tar.gz
-/nss-3.46.tar.gz
-/nss-3.46.1.tar.gz
-/nss-3.47.tar.gz
-/nss-3.47.1.tar.gz
-/nss-3.48.tar.gz
-/nss-3.49.tar.gz
-/nss-3.49.2.tar.gz
-/nss-3.50.tar.gz
-/nss-3.51.tar.gz
-/nss-3.51.1.tar.gz
-/nss-3.52.tar.gz

nss-539183.patch

@@ -1,5 +1,5 @@
---- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
++++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
 @@ -953,23 +953,23 @@
  getBoundListenSocket(unsigned short port)
  {
@@ -29,8 +29,8 @@
      if (prStatus < 0) {
          PR_Close(listen_sock);
          errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
++++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
 @@ -1711,23 +1711,23 @@
  getBoundListenSocket(unsigned short port)
  {

nss-gcm-param-default-pkcs11v2.patch

@@ -1,21 +0,0 @@
-diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
---- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
-+++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
-@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
- typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
- 
- /* deprecated #defines. Drop in future NSS releases */
--#ifdef NSS_PKCS11_2_0_COMPAT
-+#ifndef NSS_PKCS11_3_0_STRICT
- 
- /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
- #define CKF_EC_FP CKF_EC_F_P
-@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
- #define CKT_NETSCAPE_VALID CKT_NSS_VALID
- #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
- #else
--/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
-+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
- typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
- typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
- #endif

nss-kremlin-ppc64le.patch

@@ -1,31 +0,0 @@
-Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,9 +56,10 @@ typedef const char *Prims_string;
-     !defined(__clang__)
- #include <emmintrin.h>
- typedef __m128i FStar_UInt128_uint128;
--#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
-+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- typedef unsigned __int128 FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef __uint128_t FStar_UInt128_uint128;
-Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-===================================================================
---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -26,7 +26,8 @@
- 
- #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
-     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
--     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
-+    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
-+     defined(__s390x__))
- 
- /* GCC + using native unsigned __int128 support */
- 

nss-signtool-format.patch

@@ -1,94 +0,0 @@
-diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
---- a/cmd/modutil/install.c
-+++ b/cmd/modutil/install.c
-@@ -825,17 +825,20 @@ rm_dash_r(char *path)
- 
-         dir = PR_OpenDir(path);
-         if (!dir) {
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                PR_CloseDir(dir);
-+                return -1;
-+            }
-             if (rm_dash_r(filename)) {
-                 PR_CloseDir(dir);
-                 return -1;
-             }
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             return -1;
-diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
---- a/cmd/signtool/util.c
-+++ b/cmd/signtool/util.c
-@@ -132,17 +132,20 @@ rm_dash_r(char *path)
-         if (!dir) {
-             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
-             errorCount++;
-             return -1;
-         }
- 
-         /* Recursively delete all entries in the directory */
-         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
--            sprintf(filename, "%s/%s", path, entry->name);
-+            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
-+                errorCount++;
-+                return -1;
-+            }
-             if (rm_dash_r(filename))
-                 return -1;
-         }
- 
-         if (PR_CloseDir(dir) != PR_SUCCESS) {
-             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
-             errorCount++;
-             return -1;
-diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
---- a/lib/libpkix/pkix/util/pkix_list.c
-+++ b/lib/libpkix/pkix/util/pkix_list.c
-@@ -1530,17 +1530,17 @@ cleanup:
-  */
- PKIX_Error *
- PKIX_List_SetItem(
-         PKIX_List *list,
-         PKIX_UInt32 index,
-         PKIX_PL_Object *item,
-         void *plContext)
- {
--        PKIX_List *element;
-+        PKIX_List *element = NULL;
- 
-         PKIX_ENTER(LIST, "PKIX_List_SetItem");
-         PKIX_NULLCHECK_ONE(list);
- 
-         if (list->immutable){
-                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
-         }
- 
-diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
---- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
-@@ -102,17 +102,17 @@ cleanup:
-  */
- static PKIX_Error *
- pkix_pl_OID_Equals(
-         PKIX_PL_Object *first,
-         PKIX_PL_Object *second,
-         PKIX_Boolean *pResult,
-         void *plContext)
- {
--        PKIX_Int32 cmpResult;
-+        PKIX_Int32 cmpResult = 0;
- 
-         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
-         PKIX_NULLCHECK_THREE(first, second, pResult);
- 
-         PKIX_CHECK(pkix_pl_OID_Comparator
-                     (first, second, &cmpResult, plContext),
-                     PKIX_OIDCOMPARATORFAILED);
- 

nss-softokn-config.in

@@ -112,5 +112,5 @@ fi
 if test "$echo_libs" = "yes"; then
       libdirs="-Wl,-rpath-link,$libdir -L$libdir"
       echo $libdirs
-fi
+fi      
 

nss-softokn-dracut-module-setup.sh

@@ -14,5 +14,6 @@ install() {
     local _dir
 
     inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
+        libfreebl3.so 
 }
+

nss-softokn-prelink.conf

@@ -0,0 +1,6 @@
+-b /lib{,64}/libfreeblpriv3.so
+-b /lib{,64}/libsoftokn3.so
+-b /lib{,64}/libnssdbm3.so
+-b /usr/lib{,64}/libfreeblpriv3.so
+-b /usr/lib{,64}/libsoftokn3.so
+-b /usr/lib{,64}/libnssdbm3.so

nss-util-config.in

@@ -114,5 +114,5 @@ if test "$echo_libs" = "yes"; then
 	libdirs="$libdirs -lnssutil${major_version}"
       fi
       echo $libdirs
-fi
+fi      
 

nss.spec

@@ -1,33 +1,13 @@
-%global nspr_version 4.25.0
-%global nss_version 3.52.0
+%global nspr_version 4.20.0
+%global nss_version 3.39.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 %global saved_files_dir %{_libdir}/nss/saved
-%global dracutlibdir %{_prefix}/lib/dracut
+%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
+%define dracutlibdir %{_prefix}/lib/dracut
 %global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 
-%bcond_without tests
-%bcond_without dbm
-
-# Produce .chk files for the final stripped binaries
-#
-# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
-# against the freebl that we just built. This is necessary
-# because the signing algorithm changed on 3.14 to DSA2 with SHA256
-# whereas we previously signed with DSA and SHA1. We must Keep this line
-# until all mock platforms have been updated.
-# After %%{__os_install_post} we would add
-# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
-%define __spec_install_post \
-    %{?__debug_package:%{__debug_install_post}} \
-    %{__arch_install_post} \
-    %{__os_install_post} \
-    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
-    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
-    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
-    %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
-%{nil}
-
 # The upstream omits the trailing ".0", while we need it for
 # consistency with the pkg-config version:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1578106
@@ -36,17 +16,15 @@ rpm.define(string.format("nss_archive_version %s",
            string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
 }
 
-%{lua:
-rpm.define(string.format("nss_release_tag NSS_%s_RTM",
-           string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
-}
-
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+# for Rawhide, please always use release >= 2
+# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
+Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{nss_version}
 # TODO: revert to same version as nss once we are done with the merge
@@ -55,8 +33,6 @@ Requires:         nss-system-init
 Requires:         p11-kit-trust
 Requires:         crypto-policies
 BuildRequires:    nspr-devel >= %{nspr_version}
-# for shlibsign
-BuildRequires:    nss-softokn
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
 BuildRequires:    pkgconfig
@@ -64,13 +40,13 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
 BuildRequires:    gcc-c++
-BuildRequires:    quilt
 
-Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source0:          %{name}-%{nss_archive_version}.tar.gz
 Source1:          nss-util.pc.in
 Source2:          nss-util-config.in
 Source3:          nss-softokn.pc.in
 Source4:          nss-softokn-config.in
+Source5:          nss-softokn-prelink.conf
 Source6:          nss-softokn-dracut-module-setup.sh
 Source7:          nss-softokn-dracut.conf
 Source8:          nss.pc.in
@@ -92,8 +68,11 @@ Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
 
+Patch3:           renegotiate-transitional.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-539183.patch
+Patch16:          nss-539183.patch
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47:          utilwrap-include-templates.patch
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -105,15 +84,9 @@ Patch2:           nss-539183.patch
 #
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
-Patch4:           iquote.patch
-Patch12:          nss-signtool-format.patch
-# https://github.com/FStarLang/kremlin/issues/166
-Patch13:          nss-kremlin-ppc64le.patch
-%if 0%{?fedora} < 34
-%if 0%{?rhel} < 9
-Patch20:          nss-gcm-param-default-pkcs11v2.patch
-%endif
-%endif
+Patch50:          iquote.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -124,6 +97,7 @@ v3 certificates, and other security standards.
 
 %package tools
 Summary:          Tools for the Network Security Services
+Group:            System Environment/Base
 Requires:         %{name}%{?_isa} = %{version}-%{release}
 
 %description tools
@@ -138,10 +112,11 @@ manipulate the NSS certificate and key database.
 
 %package sysinit
 Summary:          System NSS Initialization
+Group:            System Environment/Base
 # providing nss-system-init without version so that it can
 # be replaced by a better one, e.g. supplied by the os vendor
 Provides:         nss-system-init
-Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss = %{version}-%{release}
 Requires(post):   coreutils, sed
 
 %description sysinit
@@ -152,8 +127,9 @@ any system or user configured modules.
 
 %package devel
 Summary:          Development libraries for Network Security Services
+Group:            Development/Libraries
 Provides:         nss-static = %{version}-%{release}
-Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss = %{version}-%{release}
 Requires:         nss-util-devel
 Requires:         nss-softokn-devel
 Requires:         nspr-devel >= %{nspr_version}
@@ -166,6 +142,7 @@ Header and Library files for doing development with Network Security Services.
 
 %package pkcs11-devel
 Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
+Group:            Development/Libraries
 Provides:         nss-pkcs11-devel-static = %{version}-%{release}
 Requires:         nss-devel = %{version}-%{release}
 Requires:         nss-softokn-freebl-devel = %{version}-%{release}
@@ -177,6 +154,7 @@ low level services.
 
 %package util
 Summary:          Network Security Services Utilities Library
+Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 
 %description util
@@ -184,7 +162,8 @@ Utilities for Network Security Services and the Softoken module
 
 %package util-devel
 Summary:          Development libraries for Network Security Services Utilities
-Requires:         nss-util%{?_isa} = %{version}-%{release}
+Group:            Development/Libraries
+Requires:         nss-util = %{version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
 Requires:         pkgconfig
 
@@ -194,6 +173,7 @@ Header and library files for doing development with Network Security Services.
 
 %package softokn
 Summary:          Network Security Services Softoken Module
+Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{version}-%{release}
 Requires:         nss-softokn-freebl%{_isa} >= %{version}-%{release}
@@ -203,11 +183,13 @@ Network Security Services Softoken Cryptographic Module
 
 %package softokn-freebl
 Summary:          Freebl library for the Network Security Services
+Group:            System Environment/Base
 # For PR_GetEnvSecure() from nspr >= 4.12
 Requires:         nspr >= 4.12
 # For NSS_SecureMemcmpZero() from nss-util >= 3.33
 Requires:         nss-util >= 3.33
 Conflicts:        nss < 3.12.2.99.3-5
+Conflicts:        prelink < 0.4.3
 Conflicts:        filesystem < 3
 
 %description softokn-freebl
@@ -217,6 +199,7 @@ Install the nss-softokn-freebl package if you need the freebl library.
 
 %package softokn-freebl-devel
 Summary:          Header and Library files for doing development with the Freebl library for NSS
+Group:            System Environment/Base
 Provides:         nss-softokn-freebl-static = %{version}-%{release}
 Requires:         nss-softokn-freebl%{?_isa} = %{version}-%{release}
 
@@ -229,6 +212,7 @@ Developers should rely only on the officially supported NSS public API.
 
 %package softokn-devel
 Summary:          Development libraries for Network Security Services
+Group:            Development/Libraries
 Requires:         nss-softokn%{?_isa} = %{version}-%{release}
 Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
@@ -241,29 +225,32 @@ Header and library files for doing development with Network Security Services.
 
 
 %prep
-%autosetup -N -S quilt -n %{name}-%{nss_archive_version}
-pushd nss
-%autopatch -p1
-popd
+%setup -q -n %{name}-%{nss_archive_version}
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
-find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+%patch3 -p0 -b .transitional
+%patch16 -p0 -b .539183
+%patch47 -p0 -b .templates
+%patch50 -p0 -b .iquote
+%patch58 -p0 -b .1185708_3des
 
 
 %build
 
-export FREEBL_NO_DEPEND=1
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+FREEBL_LOWHASH=1
+export FREEBL_LOWHASH
 
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 
-export NSS_FORCE_FIPS=1
+NSS_FORCE_FIPS=1
+export NSS_FORCE_FIPS
 
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@@ -273,39 +260,40 @@ export BUILD_OPT=1
 #export RPM_OPT_FLAGS
 
 # Generate symbolic info for debuggers
-export XCFLAGS=$RPM_OPT_FLAGS
+XCFLAGS=$RPM_OPT_FLAGS
+export XCFLAGS
 
-# Work around false-positive warnings with gcc 10:
-# https://bugzilla.redhat.com/show_bug.cgi?id=1803029
-%ifarch s390x
-export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
-%endif
+LDFLAGS=$RPM_LD_FLAGS
+export LDFLAGS
 
-export LDFLAGS=$RPM_LD_FLAGS
+DSO_LDOPTS=$RPM_LD_FLAGS
+export DSO_LDOPTS
 
-export DSO_LDOPTS=$RPM_LD_FLAGS
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
-export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
-export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
 
-export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-export NSPR_LIB_DIR=%{_libdir}
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_LIB_DIR=%{_libdir}
 
-export NSS_USE_SYSTEM_SQLITE=1
+export NSPR_INCLUDE_DIR
+export NSPR_LIB_DIR
+
+NSS_USE_SYSTEM_SQLITE=1
+export NSS_USE_SYSTEM_SQLITE
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
-%if %{with dbm}
-%else
-export NSS_DISABLE_DBM=1
-%endif
-
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
-export USE_64=1
+USE_64=1
+export USE_64
 %endif
 %endif
 
+##### phase 2: build the rest of nss
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
 
@@ -323,13 +311,13 @@ pushd ./nss
 popd
 
 # and copy them to the dist directory for %%install to find them
-mkdir -p ./dist/docs/nroff
-cp ./nss/doc/nroff/* ./dist/docs/nroff
+%{__mkdir_p} ./dist/docs/nroff
+%{__cp} ./nss/doc/nroff/* ./dist/docs/nroff
 
 # Set up our package files
-mkdir -p ./dist/pkgconfig
+%{__mkdir_p} ./dist/pkgconfig
 
-cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@@ -341,7 +329,11 @@ NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | aw
 NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
 NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
 
-cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+export NSSUTIL_VMAJOR
+export NSSUTIL_VMINOR
+export NSSUTIL_VPATCH
+
+%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
                           -e "s,@prefix@,%{_prefix},g" \
                           -e "s,@exec_prefix@,%{_prefix},g" \
                           -e "s,@includedir@,%{_includedir}/nss3,g" \
@@ -352,7 +344,7 @@ cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
 
 chmod 755 ./dist/pkgconfig/nss-util-config
 
-cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@@ -365,7 +357,11 @@ SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJO
 SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
 SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
 
-cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+export SOFTOKEN_VMAJOR
+export SOFTOKEN_VMINOR
+export SOFTOKEN_VPATCH
+
+%{__cat} %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
                           -e "s,@prefix@,%{_prefix},g" \
                           -e "s,@exec_prefix@,%{_prefix},g" \
                           -e "s,@includedir@,%{_includedir}/nss3,g" \
@@ -376,7 +372,7 @@ cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
 
 chmod 755 ./dist/pkgconfig/nss-softokn-config
 
-cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
                           -e "s,%%prefix%%,%{_prefix},g" \
                           -e "s,%%exec_prefix%%,%{_prefix},g" \
                           -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@@ -390,7 +386,11 @@ NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}
 NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
 NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
 
-cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+export NSS_VMAJOR
+export NSS_VMINOR
+export NSS_VPATCH
+
+%{__cat} %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
                           -e "s,@prefix@,%{_prefix},g" \
                           -e "s,@exec_prefix@,%{_prefix},g" \
                           -e "s,@includedir@,%{_includedir}/nss3,g" \
@@ -401,10 +401,10 @@ cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
 
 chmod 755 ./dist/pkgconfig/nss-config
 
-cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+%{__cat} %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
 chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
 
-cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/
 
 date +"%e %B %Y" | tr -d '\n' > date.xml
 echo -n %{version} > version.xml
@@ -427,16 +427,22 @@ done
 
 
 %check
-%if %{with tests}
+if [ ${DISABLETEST:-0} -eq 1 ]; then
+  echo "testing disabled"
+  exit 0
+fi
+
 # Begin -- copied from the build section
 
-export FREEBL_NO_DEPEND=1
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
 
 export BUILD_OPT=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
-export USE_64=1
+USE_64=1
+export USE_64
 %endif
 %endif
 
@@ -468,7 +474,8 @@ fi
 MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
 RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
 DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
-pushd "$DISTBINDIR"
+pushd `pwd`
+cd $DISTBINDIR
 ln -s selfserv $RANDSERV
 popd
 # man perlrun, man perlrequick
@@ -481,7 +488,7 @@ find ./nss/tests -type f |\
 killall $RANDSERV || :
 
 rm -rf ./tests_results
-pushd nss/tests
+pushd ./nss/tests/
 # all.sh is the test suite script
 
 #  don't need to run all the tests when testing packaging
@@ -497,107 +504,150 @@ pushd nss/tests
 # % define nss_ssl_tests "normal_fips"
 # % define nss_ssl_run "cov"
 
-HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
+
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+  HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+else
+  echo "skipped test suite"
+fi
+
 popd
 
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
 killall $RANDSERV || :
-%endif
+
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+  TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+else
+  TEST_FAILURES=0
+  GREP_EXIT_STATUS=1
+fi
+
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+  echo "okay: test suite detected no failures"
+else
+  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+    # while a situation in which grep return status is 0 and it doesn't output
+    # anything shouldn't happen, set the default to something that is
+    # obviously wrong (-1)
+    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+    exit 1
+  else
+    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+      echo "error: grep has not found log file"
+      exit 1
+    else
+      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+      exit 1
+    fi
+  fi
+fi
+echo "test suite completed"
 
 %install
 
+%{__rm} -rf $RPM_BUILD_ROOT
+
 # There is no make install target so we'll do it ourselves.
 
-mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
-mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
-mkdir -p $RPM_BUILD_ROOT/%{_bindir}
-mkdir -p $RPM_BUILD_ROOT/%{_libdir}
-mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
-mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
-mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
-mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
-mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{prelink_conf_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_modules_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_conf_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 %if %{defined rhel}
 # not needed for rhel and its derivatives only fedora
 %else
 # because of the pp.1 conflict with perl-PAR-Packer
-mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
 %endif
 
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir}
+%{__install} -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+%{__install} -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
 
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 
 # Copy the binary libraries we want
-for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Install the empty NSS db files
 # Legacy db
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
-install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
-install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
-install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__install} -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
 # Shared db
-install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
-install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+%{__install} -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
 
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 
 # Copy the binaries we ship as unsupported
 for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 
 # Copy the include files we want
 for file in dist/public/nss/*.h
 do
-  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
 
 # Copy some freebl include files we also want
-for file in blapi.h alghmac.h cmac.h
+for file in blapi.h alghmac.h
 do
-  install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+  %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
 
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the template files we want
 for file in dist/private/nss/templates.c dist/private/nss/nssck.api
 do
-  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
 done
 
 # Copy the package configuration files
-install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
-install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
-install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
-install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
-install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
-install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+%{__install} -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
 # Copy the pkcs #11 configuration script
-install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
 # install a symbolic link to it, without the ".sh" suffix,
 # that matches the man page documentation
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
@@ -607,7 +657,7 @@ for f in nss-config setup-nsssysinit; do
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the nss tools
-for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do
+for f in "%{allTools}"; do
   install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 %if %{defined rhel}
@@ -626,7 +676,7 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
 done
 
 # Copy the crypto-policies configuration file
-install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@@ -634,10 +684,12 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
 /usr/bin/setup-nsssysinit.sh on
 
 %post
-update-crypto-policies &> /dev/null || :
+update-crypto-policies
 
 %postun
-update-crypto-policies &> /dev/null || :
+update-crypto-policies
+
+%ldconfig_scriptlets
 
 
 %files
@@ -654,19 +706,19 @@ update-crypto-policies &> /dev/null || :
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
-%doc %{_mandir}/man5/cert8.db.5*
-%doc %{_mandir}/man5/key3.db.5*
-%doc %{_mandir}/man5/secmod.db.5*
-%doc %{_mandir}/man5/cert9.db.5*
-%doc %{_mandir}/man5/key4.db.5*
-%doc %{_mandir}/man5/pkcs11.txt.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz
 
 %files sysinit
 %{_libdir}/libnsssysinit.so
 %{_bindir}/setup-nsssysinit.sh
 # symbolic link to setup-nsssysinit.sh
 %{_bindir}/setup-nsssysinit
-%doc %{_mandir}/man1/setup-nsssysinit.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz
 
 %files tools
 %{_bindir}/certutil
@@ -690,32 +742,32 @@ update-crypto-policies &> /dev/null || :
 %{unsupported_tools_directory}/tstclnt
 %{unsupported_tools_directory}/vfyserv
 %{unsupported_tools_directory}/vfychain
-# instead of %%{_mandir}/man*/* let's list them explicitly
+# instead of %%{_mandir}/man*/* let's list them explicitely
 # supported tools
-%doc %{_mandir}/man1/certutil.1*
-%doc %{_mandir}/man1/cmsutil.1*
-%doc %{_mandir}/man1/crlutil.1*
-%doc %{_mandir}/man1/modutil.1*
-%doc %{_mandir}/man1/pk12util.1*
-%doc %{_mandir}/man1/signver.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz
 # unsupported tools
-%doc %{_mandir}/man1/derdump.1*
-%doc %{_mandir}/man1/signtool.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz
 %if %{defined rhel}
-%doc %{_mandir}/man1/pp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz
 %else
 %dir %{_datadir}/doc/nss-tools
-%doc %{_datadir}/doc/nss-tools/pp.1
+%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1
 %endif
-%doc %{_mandir}/man1/ssltap.1*
-%doc %{_mandir}/man1/vfychain.1*
-%doc %{_mandir}/man1/vfyserv.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz
 
 %files devel
 %{_libdir}/libcrmf.a
 %{_libdir}/pkgconfig/nss.pc
 %{_bindir}/nss-config
-%doc %{_mandir}/man1/nss-config.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz
 
 %dir %{_includedir}/nss3
 %{_includedir}/nss3/cert.h
@@ -834,10 +886,8 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/templates/templates.c
 
 %files softokn
-%if %{with dbm}
 %{_libdir}/libnssdbm3.so
 %{_libdir}/libnssdbm3.chk
-%endif
 %{_libdir}/libsoftokn3.so
 %{_libdir}/libsoftokn3.chk
 # shared with nss-tools
@@ -858,6 +908,8 @@ update-crypto-policies &> /dev/null || :
 %{_libdir}/libfreeblpriv3.so
 %{_libdir}/libfreeblpriv3.chk
 #shared
+%dir %{prelink_conf_dir}
+%{prelink_conf_dir}/nss-softokn-prelink.conf
 %dir %{dracut_modules_dir}
 %{dracut_modules_dir}/module-setup.sh
 %{dracut_conf_dir}/50-nss-softokn.conf
@@ -867,7 +919,6 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/blapi.h
 %{_includedir}/nss3/blapit.h
 %{_includedir}/nss3/alghmac.h
-%{_includedir}/nss3/cmac.h
 %{_includedir}/nss3/lowkeyi.h
 %{_includedir}/nss3/lowkeyti.h
 
@@ -892,133 +943,6 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
-* Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
-- Delay CK_GCM_PARAMS semantics until fedora 34
-
-* Mon May 11 2020 Daiki Ueno <dueno@redhat.com> - 3.52.0-1
-- Update to NSS 3.52
-
-* Sat Apr 25 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-2
-- Temporarily revert DBM disablement for kernel build failure (#1827902)
-
-* Mon Apr 20 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-1
-- Update to NSS 3.51.1
-- Disable building DBM backend
-
-* Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
-- Update to NSS 3.51
-
-* Thu Mar 26 2020 Tom Stellard <tstellar@redhat.com> - 3.50.0-3
-- Use __make macro to invoke make
-
-* Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
-- Apply CMAC fixes from upstream
-
-* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
-- Update to NSS 3.50
-
-* Fri Feb 14 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-3
-- Ignore false-positive compiler warnings with gcc 10
-- Fix build with gcc 10
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.49.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
-- Update to NSS 3.49.2
-- Don't enable TLS 1.3 by default (#1794814)
-
-* Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
-- Update to NSS 3.49
-- Fix build on armv7hl with the patch proposed in upstream
-
-* Fri Jan  3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
-- Update to NSS 3.48
-
-* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
-- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
-
-* Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
-- Update nss-3.47-certdb-temp-cert.patch to the final version
-
-* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
-- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
-
-* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
-- Update to NSS 3.47.1
-
-* Mon Nov 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
-- Include ike mechanism fix
-
-* Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
-- Install cmac.h required by blapi.h (#1764513)
-
-* Tue Oct 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-1
-- Update to NSS 3.47
-
-* Mon Oct 21 2019 Daiki Ueno <dueno@redhat.com> - 3.46.1-1
-- Update to NSS 3.46.1
-
-* Tue Sep  3 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-1
-- Update to NSS 3.46
-
-* Thu Aug 29 2019 Daiki Ueno <dueno@redhat.com> - 3.45.0-1
-- Update to NSS 3.45
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.44.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Tue Jul  2 2019 Daiki Ueno <dueno@redhat.com> - 3.44.1-1
-- Update to NSS 3.44.1
-
-* Mon May 20 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-2
-- Skip TLS 1.3 tests under FIPS mode
-
-* Fri May 17 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
-- Update to NSS 3.44
-
-* Mon May  6 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-3
-- Fix PKCS#11 module leak if C_GetSlotInfo() failed
-
-* Tue Mar 26 2019 Elio Maldonado <elio.maldonado.batiz@gmail.com> - 3.43.0-2
-- Update %%{nspr_version} to 4.21.0 and remove obsolete comment
-
-* Thu Mar 21 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-1
-- Update to NSS 3.43
-
-* Mon Feb 11 2019 Daiki Ueno <dueno@redhat.com> - 3.42.1-1
-- Update to NSS 3.42.1
-
-* Fri Feb  8 2019 Daiki Ueno <dueno@redhat.com> - 3.42.0-1
-- Update to NSS 3.42
-
-* Fri Feb  8 2019 Daiki Ueno <dueno@redhat.com> - 3.41.0-5
-- Simplify test failure detection in %%check
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.41.0-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jan 11 2019 Daiki Ueno <dueno@redhat.com> - 3.41.0-3
-- Remove prelink.conf as prelink was removed in F24, suggested by
-  Harald Reindl
-- Use quilt for %%autopatch
-- Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
-- Silence %%post/%%postun scriptlets, suggested by Ian Collier
-
-* Mon Dec 10 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-1
-- Update to NSS 3.41
-
-* Thu Dec  6 2018 Daiki Ueno <dueno@redhat.com> - 3.40.1-3
-- Remove unnecessary patches
-
-* Thu Dec  6 2018 Daiki Ueno <dueno@redhat.com> - 3.40.1-2
-- Update to NSS 3.40.1
-
-* Wed Nov 14 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-4
-- Consolidate nss-util, nss-softokn, and nss into a single package
-- Fix FTBFS with expired test certs
-- Modernize spec file based on the suggestion from Robert-André Mauchin
-
 * Thu Sep 13 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-3
 - Fix LDFLAGS injection
 

renegotiate-transitional.patch

@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
++++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+     .noLocks = PR_FALSE,
+     .enableSessionTickets = PR_FALSE,
+     .enableDeflate = PR_FALSE,
+-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+     .requireSafeNegotiation = PR_FALSE,
+     .enableFalseStart = PR_FALSE,
+     .cbcRandomIV = PR_TRUE,

rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

@@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
++++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f

utilwrap-include-templates.patch

@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+