Consolidate nss-util, nss-softokn, and nss into a single package

2018-11-02 17:56:27 +01:00
14 changed files with 275 additions and 460 deletions
--- a/.gitignore
+++ b/.gitignore
@ -30,22 +30,3 @@ TestUser51.cert
 /nss-3.37.3.tar.gz
 /nss-3.38.0.tar.gz
 /nss-3.39.tar.gz
 /nss-3.40.1.tar.gz
 /nss-3.41.tar.gz
 /nss-3.42.tar.gz
 /nss-3.42.1.tar.gz
 /nss-3.43.tar.gz
 /nss-3.44.tar.gz
 /nss-3.44.1.tar.gz
 /nss-3.45.tar.gz
 /nss-3.46.tar.gz
 /nss-3.46.1.tar.gz
 /nss-3.47.tar.gz
 /nss-3.47.1.tar.gz
 /nss-3.48.tar.gz
 /nss-3.49.tar.gz
 /nss-3.49.2.tar.gz
 /nss-3.50.tar.gz
 /nss-3.51.tar.gz
 /nss-3.51.1.tar.gz
 /nss-3.52.tar.gz
--- a/nss-539183.patch
+++ b/nss-539183.patch
@ -1,5 +1,5 @@
--- nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
+--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
 getBoundListenSocket(unsigned short port)
 {
@ -29,8 +29,8 @@
     if (prStatus < 0) {
         PR_Close(listen_sock);
         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
+--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
 getBoundListenSocket(unsigned short port)
 {
--- a/nss-gcm-param-default-pkcs11v2.patch
+++ b/nss-gcm-param-default-pkcs11v2.patch
@ -1,21 +0,0 @@
 diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
 --- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
 +++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
 typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
 /* deprecated #defines. Drop in future NSS releases */
 -#ifdef NSS_PKCS11_2_0_COMPAT
 +#ifndef NSS_PKCS11_3_0_STRICT
 /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
 #define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
 #define CKT_NETSCAPE_VALID CKT_NSS_VALID
 #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
 #else
 -/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
 +/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
 typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
 typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
 #endif
--- a/nss-kremlin-ppc64le.patch
+++ b/nss-kremlin-ppc64le.patch
@ -1,31 +0,0 @@
 Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
 ===================================================================
 --- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
 +++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
     !defined(__clang__)
 #include <emmintrin.h>
 typedef __m128i FStar_UInt128_uint128;
 -#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
 +#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
 -     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
 +    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
 +     defined(__s390x__))
 typedef unsigned __int128 FStar_UInt128_uint128;
 #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
 typedef __uint128_t FStar_UInt128_uint128;
 Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
 ===================================================================
 --- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
 +++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -26,7 +26,8 @@
 #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
 -     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
 +    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
 +     defined(__s390x__))
 /* GCC + using native unsigned __int128 support */
--- a/nss-signtool-format.patch
+++ b/nss-signtool-format.patch
@ -1,94 +0,0 @@
 diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
 --- a/cmd/modutil/install.c
 +++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
         dir = PR_OpenDir(path);
         if (!dir) {
             return -1;
         }
         /* Recursively delete all entries in the directory */
         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
 -            sprintf(filename, "%s/%s", path, entry->name);
 +            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
 +                PR_CloseDir(dir);
 +                return -1;
 +            }
             if (rm_dash_r(filename)) {
                 PR_CloseDir(dir);
                 return -1;
             }
         }
         if (PR_CloseDir(dir) != PR_SUCCESS) {
             return -1;
 diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
 --- a/cmd/signtool/util.c
 +++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
         if (!dir) {
             PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
             errorCount++;
             return -1;
         }
         /* Recursively delete all entries in the directory */
         while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
 -            sprintf(filename, "%s/%s", path, entry->name);
 +            if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
 +                errorCount++;
 +                return -1;
 +            }
             if (rm_dash_r(filename))
                 return -1;
         }
         if (PR_CloseDir(dir) != PR_SUCCESS) {
             PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
             errorCount++;
             return -1;
 diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
 --- a/lib/libpkix/pkix/util/pkix_list.c
 +++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
  */
 PKIX_Error *
 PKIX_List_SetItem(
         PKIX_List *list,
         PKIX_UInt32 index,
         PKIX_PL_Object *item,
         void *plContext)
 {
 -        PKIX_List *element;
 +        PKIX_List *element = NULL;
         PKIX_ENTER(LIST, "PKIX_List_SetItem");
         PKIX_NULLCHECK_ONE(list);
         if (list->immutable){
                 PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
         }
 diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
 --- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
 +++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
  */
 static PKIX_Error *
 pkix_pl_OID_Equals(
         PKIX_PL_Object *first,
         PKIX_PL_Object *second,
         PKIX_Boolean *pResult,
         void *plContext)
 {
 -        PKIX_Int32 cmpResult;
 +        PKIX_Int32 cmpResult = 0;
         PKIX_ENTER(OID, "pkix_pl_OID_Equals");
         PKIX_NULLCHECK_THREE(first, second, pResult);
         PKIX_CHECK(pkix_pl_OID_Comparator
                     (first, second, &cmpResult, plContext),
                     PKIX_OIDCOMPARATORFAILED);
--- a/nss-softokn-config.in
+++ b/nss-softokn-config.in
@ -112,5 +112,5 @@ fi
 if test "$echo_libs" = "yes"; then
      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
      echo $libdirs
-fi
+fi      
--- a/nss-softokn-dracut-module-setup.sh
+++ b/nss-softokn-dracut-module-setup.sh
@ -14,5 +14,6 @@ install() {
    local _dir
    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
+        libfreebl3.so 
 }
--- a/nss-softokn-prelink.conf
+++ b/nss-softokn-prelink.conf
@ -0,0 +1,6 @@
 -b /lib{,64}/libfreeblpriv3.so
 -b /lib{,64}/libsoftokn3.so
 -b /lib{,64}/libnssdbm3.so
 -b /usr/lib{,64}/libfreeblpriv3.so
 -b /usr/lib{,64}/libsoftokn3.so
 -b /usr/lib{,64}/libnssdbm3.so
--- a/nss-util-config.in
+++ b/nss-util-config.in
@ -114,5 +114,5 @@ if test "$echo_libs" = "yes"; then
 	libdirs="$libdirs -lnssutil${major_version}"
      fi
      echo $libdirs
-fi
+fi      
--- a/nss.spec
+++ b/nss.spec
@ -1,33 +1,13 @@
-%global nspr_version 4.25.0
+%global nspr_version 4.20.0
-%global nss_version 3.52.0
+%global nss_version 3.39.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 %global saved_files_dir %{_libdir}/nss/saved
-%global dracutlibdir %{_prefix}/lib/dracut
+%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
 %define dracutlibdir %{_prefix}/lib/dracut
 %global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 %bcond_without tests
 %bcond_without dbm
 # Produce .chk files for the final stripped binaries
 #
 # NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
 # against the freebl that we just built. This is necessary
 # because the signing algorithm changed on 3.14 to DSA2 with SHA256
 # whereas we previously signed with DSA and SHA1. We must Keep this line
 # until all mock platforms have been updated.
 # After %%{__os_install_post} we would add
 # export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
 %define __spec_install_post \
    %{?__debug_package:%{__debug_install_post}} \
    %{__arch_install_post} \
    %{__os_install_post} \
    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
    %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
 %{nil}
 # The upstream omits the trailing ".0", while we need it for
 # consistency with the pkg-config version:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1578106
@ -36,17 +16,15 @@ rpm.define(string.format("nss_archive_version %s",
           string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
 }
 %{lua:
 rpm.define(string.format("nss_release_tag NSS_%s_RTM",
           string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
 }
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+# for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{nss_version}
 # TODO: revert to same version as nss once we are done with the merge
@ -55,8 +33,6 @@ Requires:         nss-system-init
 Requires:         p11-kit-trust
 Requires:         crypto-policies
 BuildRequires:    nspr-devel >= %{nspr_version}
 # for shlibsign
 BuildRequires:    nss-softokn
 BuildRequires:    sqlite-devel
 BuildRequires:    zlib-devel
 BuildRequires:    pkgconfig
@ -64,13 +40,13 @@ BuildRequires:    gawk
 BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
 BuildRequires:    gcc-c++
 BuildRequires:    quilt
-Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source0:          %{name}-%{nss_archive_version}.tar.gz
 Source1:          nss-util.pc.in
 Source2:          nss-util-config.in
 Source3:          nss-softokn.pc.in
 Source4:          nss-softokn-config.in
 Source5:          nss-softokn-prelink.conf
 Source6:          nss-softokn-dracut-module-setup.sh
 Source7:          nss-softokn-dracut.conf
 Source8:          nss.pc.in
@ -92,8 +68,11 @@ Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
 Patch3:           renegotiate-transitional.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-539183.patch
+Patch16:          nss-539183.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
 Patch47:          utilwrap-include-templates.patch
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@ -105,15 +84,9 @@ Patch2:           nss-539183.patch
 #
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
-Patch4:           iquote.patch
+Patch50:          iquote.patch
-Patch12:          nss-signtool-format.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
-# https://github.com/FStarLang/kremlin/issues/166
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 Patch13:          nss-kremlin-ppc64le.patch
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
 Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 %endif
 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -124,6 +97,7 @@ v3 certificates, and other security standards.
 %package tools
 Summary:          Tools for the Network Security Services
 Group:            System Environment/Base
 Requires:         %{name}%{?_isa} = %{version}-%{release}
 %description tools
@ -138,10 +112,11 @@ manipulate the NSS certificate and key database.
 %package sysinit
 Summary:          System NSS Initialization
 Group:            System Environment/Base
 # providing nss-system-init without version so that it can
 # be replaced by a better one, e.g. supplied by the os vendor
 Provides:         nss-system-init
-Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss = %{version}-%{release}
 Requires(post):   coreutils, sed
 %description sysinit
@ -152,8 +127,9 @@ any system or user configured modules.
 %package devel
 Summary:          Development libraries for Network Security Services
 Group:            Development/Libraries
 Provides:         nss-static = %{version}-%{release}
-Requires:         nss%{?_isa} = %{version}-%{release}
+Requires:         nss = %{version}-%{release}
 Requires:         nss-util-devel
 Requires:         nss-softokn-devel
 Requires:         nspr-devel >= %{nspr_version}
@ -166,6 +142,7 @@ Header and Library files for doing development with Network Security Services.
 %package pkcs11-devel
 Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
 Group:            Development/Libraries
 Provides:         nss-pkcs11-devel-static = %{version}-%{release}
 Requires:         nss-devel = %{version}-%{release}
 Requires:         nss-softokn-freebl-devel = %{version}-%{release}
@ -177,6 +154,7 @@ low level services.
 %package util
 Summary:          Network Security Services Utilities Library
 Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 %description util
@ -184,7 +162,8 @@ Utilities for Network Security Services and the Softoken module
 %package util-devel
 Summary:          Development libraries for Network Security Services Utilities
-Requires:         nss-util%{?_isa} = %{version}-%{release}
+Group:            Development/Libraries
 Requires:         nss-util = %{version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
 Requires:         pkgconfig
@ -194,6 +173,7 @@ Header and library files for doing development with Network Security Services.
 %package softokn
 Summary:          Network Security Services Softoken Module
 Group:            System Environment/Libraries
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{version}-%{release}
 Requires:         nss-softokn-freebl%{_isa} >= %{version}-%{release}
@ -203,11 +183,13 @@ Network Security Services Softoken Cryptographic Module
 %package softokn-freebl
 Summary:          Freebl library for the Network Security Services
 Group:            System Environment/Base
 # For PR_GetEnvSecure() from nspr >= 4.12
 Requires:         nspr >= 4.12
 # For NSS_SecureMemcmpZero() from nss-util >= 3.33
 Requires:         nss-util >= 3.33
 Conflicts:        nss < 3.12.2.99.3-5
 Conflicts:        prelink < 0.4.3
 Conflicts:        filesystem < 3
 %description softokn-freebl
@ -217,6 +199,7 @@ Install the nss-softokn-freebl package if you need the freebl library.
 %package softokn-freebl-devel
 Summary:          Header and Library files for doing development with the Freebl library for NSS
 Group:            System Environment/Base
 Provides:         nss-softokn-freebl-static = %{version}-%{release}
 Requires:         nss-softokn-freebl%{?_isa} = %{version}-%{release}
@ -229,6 +212,7 @@ Developers should rely only on the officially supported NSS public API.
 %package softokn-devel
 Summary:          Development libraries for Network Security Services
 Group:            Development/Libraries
 Requires:         nss-softokn%{?_isa} = %{version}-%{release}
 Requires:         nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
 Requires:         nspr-devel >= %{nspr_version}
@ -241,29 +225,32 @@ Header and library files for doing development with Network Security Services.
 %prep
-%autosetup -N -S quilt -n %{name}-%{nss_archive_version}
+%setup -q -n %{name}-%{nss_archive_version}
 pushd nss
 %autopatch -p1
 popd
-# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
+%patch3 -p0 -b .transitional
-find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
+%patch16 -p0 -b .539183
 %patch47 -p0 -b .templates
 %patch50 -p0 -b .iquote
 %patch58 -p0 -b .1185708_3des
 %build
-export FREEBL_NO_DEPEND=1
+FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
 # copied to dist and the rpm install phase can find it
 # This due of the upstream changes to fix
 # https://bugzilla.mozilla.org/show_bug.cgi?id=717906
-export FREEBL_LOWHASH=1
+FREEBL_LOWHASH=1
 export FREEBL_LOWHASH
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
-export NSS_FORCE_FIPS=1
+NSS_FORCE_FIPS=1
 export NSS_FORCE_FIPS
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@ -273,39 +260,40 @@ export BUILD_OPT=1
 #export RPM_OPT_FLAGS
 # Generate symbolic info for debuggers
-export XCFLAGS=$RPM_OPT_FLAGS
+XCFLAGS=$RPM_OPT_FLAGS
 export XCFLAGS
-# Work around false-positive warnings with gcc 10:
+LDFLAGS=$RPM_LD_FLAGS
-# https://bugzilla.redhat.com/show_bug.cgi?id=1803029
+export LDFLAGS
 %ifarch s390x
 export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 %endif
-export LDFLAGS=$RPM_LD_FLAGS
+DSO_LDOPTS=$RPM_LD_FLAGS
 export DSO_LDOPTS
-export DSO_LDOPTS=$RPM_LD_FLAGS
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
-export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
-export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
-export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
-export NSPR_LIB_DIR=%{_libdir}
+NSPR_LIB_DIR=%{_libdir}
-export NSS_USE_SYSTEM_SQLITE=1
+export NSPR_INCLUDE_DIR
 export NSPR_LIB_DIR
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 export NSS_ALLOW_SSLKEYLOGFILE=1
 %if %{with dbm}
 %else
 export NSS_DISABLE_DBM=1
 %endif
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
-export USE_64=1
+USE_64=1
 export USE_64
 %endif
 %endif
 ##### phase 2: build the rest of nss
 %{__make} -C ./nss/coreconf
 %{__make} -C ./nss/lib/dbm
@ -323,13 +311,13 @@ pushd ./nss
 popd
 # and copy them to the dist directory for %%install to find them
-mkdir -p ./dist/docs/nroff
+%{__mkdir_p} ./dist/docs/nroff
-cp ./nss/doc/nroff/* ./dist/docs/nroff
+%{__cp} ./nss/doc/nroff/* ./dist/docs/nroff
 # Set up our package files
-mkdir -p ./dist/pkgconfig
+%{__mkdir_p} ./dist/pkgconfig
-cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@ -341,7 +329,11 @@ NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | aw
 NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
 NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
-cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+export NSSUTIL_VMAJOR
 export NSSUTIL_VMINOR
 export NSSUTIL_VPATCH
 %{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
                          -e "s,@prefix@,%{_prefix},g" \
                          -e "s,@exec_prefix@,%{_prefix},g" \
                          -e "s,@includedir@,%{_includedir}/nss3,g" \
@ -352,7 +344,7 @@ cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
 chmod 755 ./dist/pkgconfig/nss-util-config
-cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@ -365,7 +357,11 @@ SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJO
 SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
 SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
-cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+export SOFTOKEN_VMAJOR
 export SOFTOKEN_VMINOR
 export SOFTOKEN_VPATCH
 %{__cat} %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
                          -e "s,@prefix@,%{_prefix},g" \
                          -e "s,@exec_prefix@,%{_prefix},g" \
                          -e "s,@includedir@,%{_includedir}/nss3,g" \
@ -376,7 +372,7 @@ cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
 chmod 755 ./dist/pkgconfig/nss-softokn-config
-cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+%{__cat} %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
@ -390,7 +386,11 @@ NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}
 NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
 NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
-cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+export NSS_VMAJOR
 export NSS_VMINOR
 export NSS_VPATCH
 %{__cat} %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
                          -e "s,@prefix@,%{_prefix},g" \
                          -e "s,@exec_prefix@,%{_prefix},g" \
                          -e "s,@includedir@,%{_includedir}/nss3,g" \
@ -401,10 +401,10 @@ cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
 chmod 755 ./dist/pkgconfig/nss-config
-cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+%{__cat} %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
 chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
-cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/
 date +"%e %B %Y" | tr -d '\n' > date.xml
 echo -n %{version} > version.xml
@ -427,16 +427,22 @@ done
 %check
-%if %{with tests}
+if [ ${DISABLETEST:-0} -eq 1 ]; then
  echo "testing disabled"
  exit 0
 fi
 # Begin -- copied from the build section
-export FREEBL_NO_DEPEND=1
+FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 export BUILD_OPT=1
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
-export USE_64=1
+USE_64=1
 export USE_64
 %endif
 %endif
@ -468,7 +474,8 @@ fi
 MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
 RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
 DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
-pushd "$DISTBINDIR"
+pushd `pwd`
 cd $DISTBINDIR
 ln -s selfserv $RANDSERV
 popd
 # man perlrun, man perlrequick
@ -481,7 +488,7 @@ find ./nss/tests -type f |\
 killall $RANDSERV || :
 rm -rf ./tests_results
-pushd nss/tests
+pushd ./nss/tests/
 # all.sh is the test suite script
 #  don't need to run all the tests when testing packaging
@ -497,107 +504,150 @@ pushd nss/tests
 # % define nss_ssl_tests "normal_fips"
 # % define nss_ssl_run "cov"
-HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE`
 if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
  HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
 else
  echo "skipped test suite"
 fi
 popd
 # Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
 # Grep exits with status greater than 1 if an error ocurred.
 # If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
 # With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
 # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
 killall $RANDSERV || :
-%endif
+
 if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
  TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
 else
  TEST_FAILURES=0
  GREP_EXIT_STATUS=1
 fi
 if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
  echo "okay: test suite detected no failures"
 else
  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
  else
    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
      echo "error: grep has not found log file"
      exit 1
    else
      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
      exit 1
    fi
  fi
 fi
 echo "test suite completed"
 %install
 %{__rm} -rf $RPM_BUILD_ROOT
 # There is no make install target so we'll do it ourselves.
-mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
-mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
-mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
-mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
-mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
-mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
-mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir}
-mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{prelink_conf_dir}
-mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_modules_dir}
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_conf_dir}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 %if %{defined rhel}
 # not needed for rhel and its derivatives only fedora
 %else
 # because of the pp.1 conflict with perl-PAR-Packer
-mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
 %endif
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir}
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+%{__install} -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
 %{__install} -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 # Copy the binary libraries we want
-for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Install the empty NSS db files
 # Legacy db
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
-install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
-install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
-install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%{__install} -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
 # Shared db
-install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
-install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+%{__install} -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 # Copy the binaries we ship as unsupported
 for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 # Copy the include files we want
 for file in dist/public/nss/*.h
 do
-  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
 # Copy some freebl include files we also want
-for file in blapi.h alghmac.h cmac.h
+for file in blapi.h alghmac.h
 do
-  install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+  %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Copy the template files we want
 for file in dist/private/nss/templates.c dist/private/nss/nssck.api
 do
-  install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
 done
 # Copy the package configuration files
-install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+%{__install} -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
-install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+%{__install} -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
-install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
-install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+%{__install} -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
-install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
-install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
 # Copy the pkcs #11 configuration script
-install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
 # install a symbolic link to it, without the ".sh" suffix,
 # that matches the man page documentation
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
@ -607,7 +657,7 @@ for f in nss-config setup-nsssysinit; do
   install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the nss tools
-for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do
+for f in "%{allTools}"; do
  install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 %if %{defined rhel}
@ -626,7 +676,7 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
 done
 # Copy the crypto-policies configuration file
-install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%{__install} -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@ -634,10 +684,12 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
 /usr/bin/setup-nsssysinit.sh on
 %post
-update-crypto-policies &> /dev/null || :
+update-crypto-policies
 %postun
-update-crypto-policies &> /dev/null || :
+update-crypto-policies
 %ldconfig_scriptlets
 %files
@ -654,19 +706,19 @@ update-crypto-policies &> /dev/null || :
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
-%doc %{_mandir}/man5/cert8.db.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz
-%doc %{_mandir}/man5/key3.db.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz
-%doc %{_mandir}/man5/secmod.db.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz
-%doc %{_mandir}/man5/cert9.db.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz
-%doc %{_mandir}/man5/key4.db.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz
-%doc %{_mandir}/man5/pkcs11.txt.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz
 %files sysinit
 %{_libdir}/libnsssysinit.so
 %{_bindir}/setup-nsssysinit.sh
 # symbolic link to setup-nsssysinit.sh
 %{_bindir}/setup-nsssysinit
-%doc %{_mandir}/man1/setup-nsssysinit.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz
 %files tools
 %{_bindir}/certutil
@ -690,32 +742,32 @@ update-crypto-policies &> /dev/null || :
 %{unsupported_tools_directory}/tstclnt
 %{unsupported_tools_directory}/vfyserv
 %{unsupported_tools_directory}/vfychain
-# instead of %%{_mandir}/man*/* let's list them explicitly
+# instead of %%{_mandir}/man*/* let's list them explicitely
 # supported tools
-%doc %{_mandir}/man1/certutil.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz
-%doc %{_mandir}/man1/cmsutil.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz
-%doc %{_mandir}/man1/crlutil.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz
-%doc %{_mandir}/man1/modutil.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz
-%doc %{_mandir}/man1/pk12util.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz
-%doc %{_mandir}/man1/signver.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz
 # unsupported tools
-%doc %{_mandir}/man1/derdump.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz
-%doc %{_mandir}/man1/signtool.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz
 %if %{defined rhel}
-%doc %{_mandir}/man1/pp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz
 %else
 %dir %{_datadir}/doc/nss-tools
-%doc %{_datadir}/doc/nss-tools/pp.1
+%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1
 %endif
-%doc %{_mandir}/man1/ssltap.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz
-%doc %{_mandir}/man1/vfychain.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz
-%doc %{_mandir}/man1/vfyserv.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz
 %files devel
 %{_libdir}/libcrmf.a
 %{_libdir}/pkgconfig/nss.pc
 %{_bindir}/nss-config
-%doc %{_mandir}/man1/nss-config.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz
 %dir %{_includedir}/nss3
 %{_includedir}/nss3/cert.h
@ -834,10 +886,8 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/templates/templates.c
 %files softokn
 %if %{with dbm}
 %{_libdir}/libnssdbm3.so
 %{_libdir}/libnssdbm3.chk
 %endif
 %{_libdir}/libsoftokn3.so
 %{_libdir}/libsoftokn3.chk
 # shared with nss-tools
@ -858,6 +908,8 @@ update-crypto-policies &> /dev/null || :
 %{_libdir}/libfreeblpriv3.so
 %{_libdir}/libfreeblpriv3.chk
 #shared
 %dir %{prelink_conf_dir}
 %{prelink_conf_dir}/nss-softokn-prelink.conf
 %dir %{dracut_modules_dir}
 %{dracut_modules_dir}/module-setup.sh
 %{dracut_conf_dir}/50-nss-softokn.conf
@ -867,7 +919,6 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/blapi.h
 %{_includedir}/nss3/blapit.h
 %{_includedir}/nss3/alghmac.h
 %{_includedir}/nss3/cmac.h
 %{_includedir}/nss3/lowkeyi.h
 %{_includedir}/nss3/lowkeyti.h
@ -892,133 +943,6 @@ update-crypto-policies &> /dev/null || :
 %changelog
 * Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
 - Delay CK_GCM_PARAMS semantics until fedora 34
 * Mon May 11 2020 Daiki Ueno <dueno@redhat.com> - 3.52.0-1
 - Update to NSS 3.52
 * Sat Apr 25 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-2
 - Temporarily revert DBM disablement for kernel build failure (#1827902)
 * Mon Apr 20 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-1
 - Update to NSS 3.51.1
 - Disable building DBM backend
 * Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
 - Update to NSS 3.51
 * Thu Mar 26 2020 Tom Stellard <tstellar@redhat.com> - 3.50.0-3
 - Use __make macro to invoke make
 * Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
 - Apply CMAC fixes from upstream
 * Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
 - Update to NSS 3.50
 * Fri Feb 14 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-3
 - Ignore false-positive compiler warnings with gcc 10
 - Fix build with gcc 10
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.49.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
 - Update to NSS 3.49.2
 - Don't enable TLS 1.3 by default (#1794814)
 * Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
 - Update to NSS 3.49
 - Fix build on armv7hl with the patch proposed in upstream
 * Fri Jan  3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
 - Update to NSS 3.48
 * Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
 - Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
 * Tue Dec  3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
 - Update nss-3.47-certdb-temp-cert.patch to the final version
 * Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
 - Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
 * Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
 - Update to NSS 3.47.1
 * Mon Nov 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
 - Include ike mechanism fix
 * Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
 - Install cmac.h required by blapi.h (#1764513)
 * Tue Oct 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-1
 - Update to NSS 3.47
 * Mon Oct 21 2019 Daiki Ueno <dueno@redhat.com> - 3.46.1-1
 - Update to NSS 3.46.1
 * Tue Sep  3 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-1
 - Update to NSS 3.46
 * Thu Aug 29 2019 Daiki Ueno <dueno@redhat.com> - 3.45.0-1
 - Update to NSS 3.45
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.44.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Tue Jul  2 2019 Daiki Ueno <dueno@redhat.com> - 3.44.1-1
 - Update to NSS 3.44.1
 * Mon May 20 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-2
 - Skip TLS 1.3 tests under FIPS mode
 * Fri May 17 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
 - Update to NSS 3.44
 * Mon May  6 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-3
 - Fix PKCS#11 module leak if C_GetSlotInfo() failed
 * Tue Mar 26 2019 Elio Maldonado <elio.maldonado.batiz@gmail.com> - 3.43.0-2
 - Update %%{nspr_version} to 4.21.0 and remove obsolete comment
 * Thu Mar 21 2019 Daiki Ueno <dueno@redhat.com> - 3.43.0-1
 - Update to NSS 3.43
 * Mon Feb 11 2019 Daiki Ueno <dueno@redhat.com> - 3.42.1-1
 - Update to NSS 3.42.1
 * Fri Feb  8 2019 Daiki Ueno <dueno@redhat.com> - 3.42.0-1
 - Update to NSS 3.42
 * Fri Feb  8 2019 Daiki Ueno <dueno@redhat.com> - 3.41.0-5
 - Simplify test failure detection in %%check
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.41.0-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jan 11 2019 Daiki Ueno <dueno@redhat.com> - 3.41.0-3
 - Remove prelink.conf as prelink was removed in F24, suggested by
  Harald Reindl
 - Use quilt for %%autopatch
 - Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
 - Silence %%post/%%postun scriptlets, suggested by Ian Collier
 * Mon Dec 10 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-1
 - Update to NSS 3.41
 * Thu Dec  6 2018 Daiki Ueno <dueno@redhat.com> - 3.40.1-3
 - Remove unnecessary patches
 * Thu Dec  6 2018 Daiki Ueno <dueno@redhat.com> - 3.40.1-2
 - Update to NSS 3.40.1
 * Wed Nov 14 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-4
 - Consolidate nss-util, nss-softokn, and nss into a single package
 - Fix FTBFS with expired test certs
 - Modernize spec file based on the suggestion from Robert-André Mauchin
 * Thu Sep 13 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-3
 - Fix LDFLAGS injection
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -0,0 +1,12 @@
 diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
 --- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
 +++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
     .noLocks = PR_FALSE,
     .enableSessionTickets = PR_FALSE,
     .enableDeflate = PR_FALSE,
 -    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
 +    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
     .requireSafeNegotiation = PR_FALSE,
     .enableFalseStart = PR_FALSE,
     .cbcRandomIV = PR_TRUE,
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@ -0,0 +1,23 @@
 --- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
 +++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
@@ -118,18 +118,18 @@
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
--- a/2
+++ b/2
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f
--- a/utilwrap-include-templates.patch
+++ b/utilwrap-include-templates.patch
@ -0,0 +1,14 @@
 diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
 --- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
 +++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
@@ -3,6 +3,10 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 +#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
 +INCLUDES += -I/usr/include/nss3/templates
 +#endif
 +
 # can't do this in manifest.mn because OS_TARGET isn't defined there.
 ifeq (,$(filter-out WIN%,$(OS_TARGET)))