diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..42f8cb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,13 @@
+SOURCES/blank-cert8.db
+SOURCES/blank-cert9.db
+SOURCES/blank-key3.db
+SOURCES/blank-key4.db
+SOURCES/blank-secmod.db
+SOURCES/cert8.db.xml
+SOURCES/cert9.db.xml
+SOURCES/key3.db.xml
+SOURCES/key4.db.xml
+SOURCES/nss-3.41.tar.gz
+SOURCES/nss-config.xml
+SOURCES/secmod.db.xml
+SOURCES/setup-nsssysinit.xml
diff --git a/.nss.metadata b/.nss.metadata
new file mode 100644
index 0000000..359f253
--- /dev/null
+++ b/.nss.metadata
@@ -0,0 +1,13 @@
+d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
+b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
+7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
+f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
+bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
+6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml
+ea6705e15999bdc6365f05b3d66f9c1d49677f84 SOURCES/cert9.db.xml
+24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
+af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
+69c60e8d3190573dbcbc01f50e68e3ceb7d92522 SOURCES/nss-3.41.tar.gz
+2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
+ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
+bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
new file mode 100644
index 0000000..dde5dcb
--- /dev/null
+++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -0,0 +1,79 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100
+@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
+
+ mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
+ mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
++ /* if the system FIPS mode is enabled, force FIPS to be on */
++ if (SECMOD_GetSystemFIPSEnabled()) {
++ mod->isFIPS = PR_TRUE;
++ }
+ mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
+ slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
+ mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
+diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100
+@@ -95,6 +95,26 @@ SECMOD_Shutdown()
+ return SECSuccess;
+ }
+
++int SECMOD_GetSystemFIPSEnabled(void) {
++#ifdef LINUX
++ FILE *f;
++ char d;
++ size_t size;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (!f)
++ return 0;
++
++ size = fread(&d, 1, 1, f);
++ fclose(f);
++ if (size != 1)
++ return 0;
++ if (d == '1')
++ return 1;
++#endif
++ return 0;
++}
++
+ /*
+ * retrieve the internal module
+ */
+@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
+ SECMODModuleList **mlpp;
+ SECStatus rv = SECFailure;
+
+- if (pendingModule) {
++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
+ PORT_SetError(SEC_ERROR_MODULE_STUCK);
+ return rv;
+ }
+@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
+ #ifdef NSS_FIPS_DISABLED
+ return PR_FALSE;
+ #else
+- return (PRBool)(pendingModule == NULL);
++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
+ #endif
+ }
+
+diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
+--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
++++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100
+@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
+ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+ SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
++/* Get the state of the system FIPS mode */
++/* NSS uses this to force FIPS mode if the system bit is on. Applications which
++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
++ * from FIPS mode will automatically be told that they can't swith out of FIPS
++ * mode */
++int SECMOD_GetSystemFIPSEnabled();
++
+ extern void pk11sdr_Init(void);
+ extern void pk11sdr_Shutdown(void);
+
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
new file mode 100644
index 0000000..6e4adcd
--- /dev/null
+++ b/SOURCES/iquote.patch
@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+ SQLITE_LIB_NAME = sqlite3
+ endif
+
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included
diff --git a/SOURCES/nss-3.39-create-public-key-on-private-import.patch b/SOURCES/nss-3.39-create-public-key-on-private-import.patch
new file mode 100644
index 0000000..c17a38a
--- /dev/null
+++ b/SOURCES/nss-3.39-create-public-key-on-private-import.patch
@@ -0,0 +1,804 @@
+# HG changeset patch
+# User Robert Relyea <rrelyea@redhat.com>
+# Date 1544226862 28800
+# Fri Dec 07 15:54:22 2018 -0800
+# Node ID 521a5b2f10cc197b9349df033f9d3cca0b5226c5
+# Parent 5ac4d4904afae59149bb1fab49c3b21244a51a22
+try: -b do -u all - p all -t all
+
+diff --git a/cmd/manifest.mn b/cmd/manifest.mn
+--- a/cmd/manifest.mn
++++ b/cmd/manifest.mn
+@@ -51,16 +51,17 @@ NSS_SRCDIRS = \
+ ocspclnt \
+ ocspresp \
+ oidcalc \
+ p7content \
+ p7env \
+ p7sign \
+ p7verify \
+ pk12util \
++ pk11import \
+ pk11ectest \
+ pk11gcmtest \
+ pk11mode \
+ pk1sign \
+ pp \
+ pwdecrypt \
+ rsaperf \
+ rsapoptst \
+diff --git a/cmd/pk11import/Makefile b/cmd/pk11import/Makefile
+new file mode 100644
+--- /dev/null
++++ b/cmd/pk11import/Makefile
+@@ -0,0 +1,43 @@
++#! gmake
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++#######################################################################
++# (1) Include initial platform-independent assignments (MANDATORY). #
++#######################################################################
++
++include manifest.mn
++
++#######################################################################
++# (2) Include "global" configuration information. (OPTIONAL) #
++#######################################################################
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++#######################################################################
++# (3) Include "component" configuration information. (OPTIONAL) #
++#######################################################################
++
++#######################################################################
++# (4) Include "local" platform-dependent assignments (OPTIONAL). #
++#######################################################################
++
++include ../platlibs.mk
++
++#######################################################################
++# (5) Execute "global" rules. (OPTIONAL) #
++#######################################################################
++
++include $(CORE_DEPTH)/coreconf/rules.mk
++
++#######################################################################
++# (6) Execute "component" rules. (OPTIONAL) #
++#######################################################################
++
++#######################################################################
++# (7) Execute "local" rules. (OPTIONAL). #
++#######################################################################
++
++include ../platrules.mk
+diff --git a/cmd/pk11import/manifest.mn b/cmd/pk11import/manifest.mn
+new file mode 100644
+--- /dev/null
++++ b/cmd/pk11import/manifest.mn
+@@ -0,0 +1,15 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++CORE_DEPTH = ../..
++
++MODULE = nss
++
++CSRCS = pk11import.c \
++ $(NULL)
++
++REQUIRES = seccmd
++
++PROGRAM = pk11import
++
+diff --git a/cmd/pk11import/pk11import.c b/cmd/pk11import/pk11import.c
+new file mode 100644
+--- /dev/null
++++ b/cmd/pk11import/pk11import.c
+@@ -0,0 +1,410 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "secutil.h"
++#include "secmod.h"
++#include "cert.h"
++#include "secoid.h"
++#include "nss.h"
++#include "pk11pub.h"
++#include "pk11pqg.h"
++
++/* NSPR 2.0 header files */
++#include "prinit.h"
++#include "prprf.h"
++#include "prsystem.h"
++#include "prmem.h"
++/* Portable layer header files */
++#include "plstr.h"
++
++SECOidData *
++getCurveFromString(char *curve_name)
++{
++ SECOidTag tag = SEC_OID_SECG_EC_SECP256R1;
++
++ if (PORT_Strcasecmp(curve_name, "NISTP256") == 0) {
++ } else if (PORT_Strcasecmp(curve_name, "NISTP384") == 0) {
++ tag = SEC_OID_SECG_EC_SECP384R1;
++ } else if (PORT_Strcasecmp(curve_name, "NISTP521") == 0) {
++ tag = SEC_OID_SECG_EC_SECP521R1;
++ } else if (PORT_Strcasecmp(curve_name, "Curve25519") == 0) {
++ tag = SEC_OID_CURVE25519;
++ }
++ return SECOID_FindOIDByTag(tag);
++}
++
++void
++dumpItem(const char *label, const SECItem *item)
++{
++ int i;
++ printf("%s = [%d bytes] {", label, item->len);
++ for (i = 0; i < item->len; i++) {
++ if ((i & 0xf) == 0)
++ printf("\n ");
++ else
++ printf(", ");
++ printf("%02x", item->data[i]);
++ }
++ printf("};\n");
++}
++
++SECStatus
++handleEncryptedPrivateImportTest(char *progName, PK11SlotInfo *slot,
++ char *testname, CK_MECHANISM_TYPE genMech, void *params, void *pwArgs)
++{
++ SECStatus rv = SECSuccess;
++ SECItem privID = { 0 };
++ SECItem pubID = { 0 };
++ SECItem pubValue = { 0 };
++ SECItem pbePwItem = { 0 };
++ SECItem nickname = { 0 };
++ SECItem token = { 0 };
++ SECKEYPublicKey *pubKey = NULL;
++ SECKEYPrivateKey *privKey = NULL;
++ PK11GenericObject *objs = NULL;
++ PK11GenericObject *obj = NULL;
++ SECKEYEncryptedPrivateKeyInfo *epki = NULL;
++ PRBool keyFound = 0;
++ KeyType keyType;
++
++ fprintf(stderr, "Testing %s PrivateKeyImport ***********************\n",
++ testname);
++
++ /* generate a temp key */
++ privKey = PK11_GenerateKeyPair(slot, genMech, params, &pubKey,
++ PR_FALSE, PR_TRUE, pwArgs);
++ if (privKey == NULL) {
++ SECU_PrintError(progName, "PK11_GenerateKeyPair Failed");
++ goto cleanup;
++ }
++
++ /* wrap the temp key */
++ pbePwItem.data = (unsigned char *)"pw";
++ pbePwItem.len = 2;
++ epki = PK11_ExportEncryptedPrivKeyInfo(slot, SEC_OID_AES_256_CBC,
++ &pbePwItem, privKey, 1, NULL);
++ if (epki == NULL) {
++ SECU_PrintError(progName, "PK11_ExportEncryptedPrivKeyInfo Failed");
++ goto cleanup;
++ }
++
++ /* Save the public value, which we will need on import */
++ keyType = pubKey->keyType;
++ switch (keyType) {
++ case rsaKey:
++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.rsa.modulus);
++ break;
++ case dhKey:
++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dh.publicValue);
++ break;
++ case dsaKey:
++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dsa.publicValue);
++ break;
++ case ecKey:
++ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.ec.publicValue);
++ break;
++ default:
++ fprintf(stderr, "Unknown keytype = %d\n", keyType);
++ goto cleanup;
++ }
++ dumpItem("pubValue", &pubValue);
++
++ /* when Asymetric keys represent session keys, those session keys are
++ * destroyed when we destroy the Asymetric key representations */
++ SECKEY_DestroyPublicKey(pubKey);
++ pubKey = NULL;
++ SECKEY_DestroyPrivateKey(privKey);
++ privKey = NULL;
++
++ /* unwrap the temp key as a perm */
++ nickname.data = (unsigned char *)"testKey";
++ nickname.len = sizeof("testKey");
++ rv = PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki, &pbePwItem,
++ &nickname, &pubValue, PR_TRUE, PR_TRUE, keyType, 0, &privKey, NULL);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "PK11_ImportEncryptedPrivateKeyInfo Failed");
++ goto cleanup;
++ }
++
++ /* verify the public key exists */
++ rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_ID, &privID);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName,
++ "Couldn't read CKA_ID from pub key, checking next key");
++ goto cleanup;
++ }
++ dumpItem("privKey CKA_ID", &privID);
++ objs = PK11_FindGenericObjects(slot, CKO_PUBLIC_KEY);
++ for (obj = objs; obj; obj = PK11_GetNextGenericObject(obj)) {
++ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_ID, &pubID);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName,
++ "Couldn't read CKA_ID from pub key, checking next key");
++ continue;
++ }
++ dumpItem("pubKey CKA_ID", &pubID);
++ if (!SECITEM_ItemsAreEqual(&privID, &pubID)) {
++ fprintf(stderr,
++ "CKA_ID does not match priv key, checking next key\n");
++ SECITEM_FreeItem(&pubID, PR_FALSE);
++ continue;
++ }
++ SECITEM_FreeItem(&pubID, PR_FALSE);
++ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_TOKEN, &token);
++ if (rv == SECSuccess) {
++ if (token.len == 1) {
++ keyFound = token.data[0];
++ }
++ SECITEM_FreeItem(&token, PR_FALSE);
++ }
++ if (keyFound) {
++ printf("matching public key found\n");
++ break;
++ }
++ printf("Matching key was not a token key, checking next key\n");
++ }
++cleanup:
++ if (objs) {
++ PK11_DestroyGenericObjects(objs);
++ }
++ if (pubValue.data) {
++ SECITEM_FreeItem(&pubValue, PR_FALSE);
++ }
++ if (privID.data) {
++ SECITEM_FreeItem(&privID, PR_FALSE);
++ }
++ if (epki) {
++ PORT_FreeArena(epki->arena, PR_TRUE);
++ }
++ if (pubKey) {
++ SECKEY_DestroyPublicKey(pubKey);
++ }
++ if (privKey) {
++ SECKEY_DestroyPrivateKey(privKey);
++ }
++ fprintf(stderr, "%s PrivateKeyImport %s ***********************\n",
++ testname, keyFound ? "PASSED" : "FAILED");
++ return keyFound ? SECSuccess : SECFailure;
++}
++
++static const char *const usageInfo[] = {
++ "pk11import - test PK11_PrivateKeyImport()"
++ "Options:",
++ " -d certdir directory containing cert database",
++ " -k keysize size of the rsa, dh, and dsa key to test (default 1024)",
++ " -C ecc_curve ecc curve (default )",
++ " -f pwFile file to fetch the password from",
++ " -p pwString password",
++ " -r skip rsa test",
++ " -D skip dsa test",
++ " -h skip dh test",
++ " -e skip ec test",
++};
++static int nUsageInfo = sizeof(usageInfo) / sizeof(char *);
++
++static void
++Usage(char *progName, FILE *outFile)
++{
++ int i;
++ fprintf(outFile, "Usage: %s [ commands ] options\n", progName);
++ for (i = 0; i < nUsageInfo; i++)
++ fprintf(outFile, "%s\n", usageInfo[i]);
++ exit(-1);
++}
++
++enum {
++ opt_CertDir,
++ opt_KeySize,
++ opt_ECCurve,
++ opt_PWFile,
++ opt_PWString,
++ opt_NoRSA,
++ opt_NoDSA,
++ opt_NoDH,
++ opt_NoEC
++};
++
++static secuCommandFlag options[] =
++ {
++ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
++ { /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
++ { /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE },
++ { /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE },
++ { /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE },
++ { /* opt_NORSA */ 'r', PR_FALSE, 0, PR_FALSE },
++ { /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
++ { /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
++ { /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
++ };
++
++int
++main(int argc, char **argv)
++{
++ char *progName;
++ SECStatus rv;
++ secuCommand args;
++ PK11SlotInfo *slot = NULL;
++ PRBool failed = PR_FALSE;
++ secuPWData pwArgs = { PW_NONE, 0 };
++ PRBool doRSA = PR_TRUE;
++ PRBool doDSA = PR_TRUE;
++ PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
++ PRBool doEC = PR_TRUE;
++ PQGParams *pqgParams = NULL;
++ int keySize;
++
++ args.numCommands = 0;
++ args.numOptions = sizeof(options) / sizeof(secuCommandFlag);
++ args.commands = NULL;
++ args.options = options;
++
++#ifdef XP_PC
++ progName = strrchr(argv[0], '\\');
++#else
++ progName = strrchr(argv[0], '/');
++#endif
++ progName = progName ? progName + 1 : argv[0];
++
++ rv = SECU_ParseCommandLine(argc, argv, progName, &args);
++ if (SECSuccess != rv) {
++ Usage(progName, stderr);
++ }
++
++ /* Set the certdb directory (default is ~/.netscape) */
++ rv = NSS_InitReadWrite(SECU_ConfigDirectory(args.options[opt_CertDir].arg));
++ if (rv != SECSuccess) {
++ SECU_PrintPRandOSError(progName);
++ return 255;
++ }
++ PK11_SetPasswordFunc(SECU_GetModulePassword);
++
++ /* below here, goto cleanup */
++ SECU_RegisterDynamicOids();
++
++ /* handle the arguments */
++ if (args.options[opt_PWFile].arg) {
++ pwArgs.source = PW_FROMFILE;
++ pwArgs.data = args.options[opt_PWFile].arg;
++ }
++ if (args.options[opt_PWString].arg) {
++ pwArgs.source = PW_PLAINTEXT;
++ pwArgs.data = args.options[opt_PWString].arg;
++ }
++ if (args.options[opt_NoRSA].activated) {
++ doRSA = PR_FALSE;
++ }
++ if (args.options[opt_NoDSA].activated) {
++ doDSA = PR_FALSE;
++ }
++ if (args.options[opt_NoDH].activated) {
++ doDH = PR_FALSE;
++ }
++ if (args.options[opt_NoEC].activated) {
++ doEC = PR_FALSE;
++ }
++
++ slot = PK11_GetInternalKeySlot();
++ if (slot == NULL) {
++ SECU_PrintError(progName, "Couldn't find the internal key slot\n");
++ return 255;
++ }
++ rv = PK11_Authenticate(slot, PR_TRUE, &pwArgs);
++ if (rv != SECSuccess) {
++ SECU_PrintError(progName, "Failed to log into slot");
++ PK11_FreeSlot(slot);
++ return 255;
++ }
++
++ keySize = 1024;
++ if (args.options[opt_KeySize].activated &&
++ args.options[opt_KeySize].arg) {
++ keySize = atoi(args.options[opt_KeySize].arg);
++ }
++
++ if (doDSA || doDH) {
++ PQGVerify *pqgVfy;
++ rv = PK11_PQG_ParamGenV2(keySize, 0, keySize / 16, &pqgParams, &pqgVfy);
++ if (rv == SECSuccess) {
++ PK11_PQG_DestroyVerify(pqgVfy);
++ } else {
++ SECU_PrintError(progName,
++ "PK11_PQG_ParamGenV2 failed, can't test DH or DSA");
++ doDSA = doDH = PR_FALSE;
++ failed = PR_TRUE;
++ }
++ }
++
++ if (doRSA) {
++ PK11RSAGenParams rsaParams;
++ rsaParams.keySizeInBits = keySize;
++ rsaParams.pe = 0x010001;
++ rv = handleEncryptedPrivateImportTest(progName, slot, "RSA",
++ CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, &pwArgs);
++ if (rv != SECSuccess) {
++ fprintf(stderr, "RSA Import Failed!\n");
++ failed = PR_TRUE;
++ }
++ }
++ if (doDSA) {
++ rv = handleEncryptedPrivateImportTest(progName, slot, "DSA",
++ CKM_DSA_KEY_PAIR_GEN, pqgParams, &pwArgs);
++ if (rv != SECSuccess) {
++ fprintf(stderr, "DSA Import Failed!\n");
++ failed = PR_TRUE;
++ }
++ }
++ if (doDH) {
++ SECKEYDHParams dhParams;
++ dhParams.prime = pqgParams->prime;
++ dhParams.base = pqgParams->base;
++ rv = handleEncryptedPrivateImportTest(progName, slot, "DH",
++ CKM_DH_PKCS_KEY_PAIR_GEN, &dhParams, &pwArgs);
++ if (rv != SECSuccess) {
++ fprintf(stderr, "DH Import Failed!\n");
++ failed = PR_TRUE;
++ }
++ }
++ if (doEC) {
++ SECKEYECParams ecParams;
++ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
++ if (args.options[opt_ECCurve].activated &&
++ args.options[opt_ECCurve].arg) {
++ curve = getCurveFromString(args.options[opt_ECCurve].arg);
++ }
++ ecParams.data = PORT_Alloc(curve->oid.len + 2);
++ if (ecParams.data == NULL) {
++ rv = SECFailure;
++ goto ec_failed;
++ }
++ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
++ ecParams.data[1] = (unsigned char)curve->oid.len;
++ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
++ ecParams.len = curve->oid.len + 2;
++ rv = handleEncryptedPrivateImportTest(progName, slot, "ECC",
++ CKM_EC_KEY_PAIR_GEN, &ecParams, &pwArgs);
++ PORT_Free(ecParams.data);
++ ec_failed:
++ if (rv != SECSuccess) {
++ fprintf(stderr, "ECC Import Failed!\n");
++ failed = PR_TRUE;
++ }
++ }
++
++ if (pqgParams) {
++ PK11_PQG_DestroyParams(pqgParams);
++ }
++
++ if (slot) {
++ PK11_FreeSlot(slot);
++ }
++
++ rv = NSS_Shutdown();
++ if (rv != SECSuccess) {
++ fprintf(stderr, "Shutdown failed\n");
++ SECU_PrintPRandOSError(progName);
++ return 255;
++ }
++
++ return failed ? 1 : 0;
++}
+diff --git a/cmd/pk11import/pk11import.gyp b/cmd/pk11import/pk11import.gyp
+new file mode 100644
+--- /dev/null
++++ b/cmd/pk11import/pk11import.gyp
+@@ -0,0 +1,25 @@
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++{
++ 'includes': [
++ '../../coreconf/config.gypi',
++ '../../cmd/platlibs.gypi'
++ ],
++ 'targets': [
++ {
++ 'target_name': 'pk11import',
++ 'type': 'executable',
++ 'sources': [
++ 'pk11import.c'
++ ],
++ 'dependencies': [
++ '<(DEPTH)/exports.gyp:dbm_exports',
++ '<(DEPTH)/exports.gyp:nss_exports'
++ ]
++ }
++ ],
++ 'variables': {
++ 'module': 'nss'
++ }
++}
+diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
+--- a/lib/pk11wrap/pk11akey.c
++++ b/lib/pk11wrap/pk11akey.c
+@@ -1672,16 +1672,96 @@ PK11_MakeKEAPubKey(unsigned char *keyDat
+ rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
+ if (rv != SECSuccess) {
+ PORT_FreeArena(arena, PR_FALSE);
+ return NULL;
+ }
+ return pubk;
+ }
+
++SECStatus
++SECKEY_SetPublicValue(SECKEYPrivateKey *privKey, SECItem *publicValue)
++{
++ SECStatus rv;
++ SECKEYPublicKey pubKey;
++ PLArenaPool *arena;
++ PK11SlotInfo *slot = privKey->pkcs11Slot;
++ CK_OBJECT_HANDLE privKeyID = privKey->pkcs11ID;
++
++ pubKey.arena = NULL;
++ pubKey.keyType = privKey->keyType;
++ pubKey.pkcs11Slot = NULL;
++ pubKey.pkcs11ID = CK_INVALID_HANDLE;
++ /* can't use PORT_InitCheapArena here becase SECKEY_DestroyPublic is used
++ * to free it, and it uses PORT_FreeArena which not only frees the
++ * underlying arena, it also frees the allocated arena struct. */
++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
++ pubKey.arena = arena;
++ if (arena == NULL) {
++ return SECFailure;
++ }
++ rv = SECFailure;
++ switch (privKey->keyType) {
++ default:
++ /* error code already set to SECFailure */
++ break;
++ case rsaKey:
++ pubKey.u.rsa.modulus = *publicValue;
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PUBLIC_EXPONENT,
++ arena, &pubKey.u.rsa.publicExponent);
++ break;
++ case dsaKey:
++ pubKey.u.dsa.publicValue = *publicValue;
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME,
++ arena, &pubKey.u.dsa.params.prime);
++ if (rv != SECSuccess) {
++ break;
++ }
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_SUBPRIME,
++ arena, &pubKey.u.dsa.params.subPrime);
++ if (rv != SECSuccess) {
++ break;
++ }
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE,
++ arena, &pubKey.u.dsa.params.base);
++ break;
++ case dhKey:
++ pubKey.u.dh.publicValue = *publicValue;
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME,
++ arena, &pubKey.u.dh.prime);
++ if (rv != SECSuccess) {
++ break;
++ }
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE,
++ arena, &pubKey.u.dh.base);
++ break;
++ case ecKey:
++ pubKey.u.ec.publicValue = *publicValue;
++ pubKey.u.ec.encoding = ECPoint_Undefined;
++ pubKey.u.ec.size = 0;
++ rv = PK11_ReadAttribute(slot, privKeyID, CKA_EC_PARAMS,
++ arena, &pubKey.u.ec.DEREncodedParams);
++ break;
++ }
++ if (rv == SECSuccess) {
++ rv = PK11_ImportPublicKey(slot, &pubKey, PR_TRUE);
++ }
++ /* Even though pubKey is stored on the stack, we've allocated
++ * some of it's data from the arena. SECKEY_DestroyPublicKey
++ * destroys keys by freeing the arena, so this will clean up all
++ * the data we allocated specifically for the key above. It will
++ * also free any slot references which we may have picked up in
++ * PK11_ImportPublicKey. It won't delete the underlying key if
++ * its a Token/Permanent key (which it will be if
++ * PK11_ImportPublicKey succeeds). */
++ SECKEY_DestroyPublicKey(&pubKey);
++
++ return rv;
++}
++
+ /*
+ * NOTE: This function doesn't return a SECKEYPrivateKey struct to represent
+ * the new private key object. If it were to create a session object that
+ * could later be looked up by its nickname, it would leak a SECKEYPrivateKey.
+ * So isPerm must be true.
+ */
+ SECStatus
+ PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
+@@ -1797,22 +1877,16 @@ try_faulty_3des:
+
+ PORT_Assert(usage != NULL);
+ PORT_Assert(usageCount != 0);
+ privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType,
+ crypto_param, &epki->encryptedData,
+ nickname, publicValue, isPerm, isPrivate,
+ key_type, usage, usageCount, wincx);
+ if (privKey) {
+- if (privk) {
+- *privk = privKey;
+- } else {
+- SECKEY_DestroyPrivateKey(privKey);
+- }
+- privKey = NULL;
+ rv = SECSuccess;
+ goto done;
+ }
+
+ /* if we are unable to import the key and the pbeMechType is
+ * CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
+ * the encrypted blob was created with a buggy key generation method
+ * which is described in the PKCS 12 implementation notes. So we
+@@ -1832,16 +1906,35 @@ try_faulty_3des:
+ faulty3DES = PR_TRUE;
+ goto try_faulty_3des;
+ }
+
+ /* key import really did fail */
+ rv = SECFailure;
+
+ done:
++ if ((rv == SECSuccess) && isPerm) {
++ /* If we are importing a token object,
++ * create the corresponding public key.
++ * If this fails, just continue as the target
++ * token simply might not support persistant
++ * public keys. Such tokens are usable, but
++ * need to be authenticated before searching
++ * for user certs. */
++ (void)SECKEY_SetPublicValue(privKey, publicValue);
++ }
++
++ if (privKey) {
++ if (privk) {
++ *privk = privKey;
++ } else {
++ SECKEY_DestroyPrivateKey(privKey);
++ }
++ privKey = NULL;
++ }
+ if (crypto_param != NULL) {
+ SECITEM_ZfreeItem(crypto_param, PR_TRUE);
+ }
+
+ if (key != NULL) {
+ PK11_FreeSymKey(key);
+ }
+
+diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
+--- a/lib/softoken/pkcs11.c
++++ b/lib/softoken/pkcs11.c
+@@ -1810,29 +1810,36 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
+ * Some curves are always pressumed to be non-DER.
+ */
+ if (pubKey->u.ec.publicValue.len == keyLen &&
+ (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+ pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
+ break; /* key was not DER encoded, no need to unwrap */
+ }
+
+- PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519);
++ /* The PKCS #11 spec says that the Params should be DER encoded. Even though the params from the
++ * Certificate aren't according the the ECCurve 25519 spec. We should accept this encoding.
++ PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519); */
+
+ /* handle the encoded case */
+ if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&
+ pubKey->u.ec.publicValue.len > keyLen) {
+ SECItem publicValue;
+ SECStatus rv;
+
+ rv = SEC_QuickDERDecodeItem(arena, &publicValue,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &pubKey->u.ec.publicValue);
+ /* nope, didn't decode correctly */
+- if ((rv != SECSuccess) || (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) || (publicValue.len != keyLen)) {
++ if ((rv != SECSuccess) || (publicValue.len != keyLen)) {
++ crv = CKR_ATTRIBUTE_VALUE_INVALID;
++ break;
++ }
++ /* we don't handle compressed points except in the case of ECCurve25519 */
++ if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+ /* replace our previous with the decoded key */
+ pubKey->u.ec.publicValue = publicValue;
+ break;
+ }
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+diff --git a/nss.gyp b/nss.gyp
+--- a/nss.gyp
++++ b/nss.gyp
+@@ -159,16 +159,17 @@
+ 'cmd/oidcalc/oidcalc.gyp:oidcalc',
+ 'cmd/p7content/p7content.gyp:p7content',
+ 'cmd/p7env/p7env.gyp:p7env',
+ 'cmd/p7sign/p7sign.gyp:p7sign',
+ 'cmd/p7verify/p7verify.gyp:p7verify',
+ 'cmd/pk11ectest/pk11ectest.gyp:pk11ectest',
+ 'cmd/pk11gcmtest/pk11gcmtest.gyp:pk11gcmtest',
+ 'cmd/pk11mode/pk11mode.gyp:pk11mode',
++ 'cmd/pk11import/pk11import.gyp:pk11import',
+ 'cmd/pk1sign/pk1sign.gyp:pk1sign',
+ 'cmd/pp/pp.gyp:pp',
+ 'cmd/rsaperf/rsaperf.gyp:rsaperf',
+ 'cmd/rsapoptst/rsapoptst.gyp:rsapoptst',
+ 'cmd/sdrtest/sdrtest.gyp:sdrtest',
+ 'cmd/selfserv/selfserv.gyp:selfserv',
+ 'cmd/shlibsign/mangle/mangle.gyp:mangle',
+ 'cmd/strsclnt/strsclnt.gyp:strsclnt',
+diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
+--- a/tests/dbtests/dbtests.sh
++++ b/tests/dbtests/dbtests.sh
+@@ -247,16 +247,35 @@ dbtest_main()
+ # the old one should still be there...
+ ${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked"
+ else
+ html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected"
+ fi
+-
++ # import a token private key and make sure the corresponding public key is
++ # created
++ ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE}
++ echo ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE}
++ ret=$?
++ if [ $ret -ne 0 ]; then
++ html_failed "Importing Token Private Key does not create the corrresponding Public Key"
++ else
++ html_passed "Importing Token Private Key correctly creates the corrresponding Public Key"
++ fi
++ # import a token private key and make sure the corresponding public key is
++ # created
++ ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE}
++ echo ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE}
++ ret=$?
++ if [ $ret -ne 0 ]; then
++ html_failed "Importing ECC Curve 25519 Token Private Key does not create the corrresponding Public Key"
++ else
++ html_passed "Importing ECC Curve 25519 Token Private Key correctly creates the corrresponding Public Key"
++ fi
+ }
+
+ ################## main #################################################
+
+ dbtest_init
+ dbtest_main 2>&1
+ dbtest_cleanup
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
new file mode 100644
index 0000000..267e71e
--- /dev/null
+++ b/SOURCES/nss-539183.patch
@@ -0,0 +1,62 @@
+--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
++++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSockett");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
++++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <<EOF
+Usage: nss-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--includedir[=DIR]]
+ [--libdir[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Dynamic Libraries:
+ nss
+ nssutil
+ ssl
+ smime
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-dsa.patch b/SOURCES/nss-dsa.patch
new file mode 100644
index 0000000..6a068f7
--- /dev/null
+++ b/SOURCES/nss-dsa.patch
@@ -0,0 +1,170 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1542120846 -3600
+# Tue Nov 13 15:54:06 2018 +0100
+# Node ID 5046749fa8a56a99c251bc1cdd1b3302f43947d2
+# Parent 0d97145d524ab35b8bc2a4a8aea60a83bd244f14
+Bug 1493936, add a new "DSA" policy keyword
+
+Summary:
+This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
+
+We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
+
+Reviewers: kaie
+
+Reviewed By: kaie
+
+Bug #: 1493936
+
+Differential Revision: https://phabricator.services.mozilla.com/D6777
+
+diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c
+--- a/lib/certhigh/certvfy.c
++++ b/lib/certhigh/certvfy.c
+@@ -37,7 +37,7 @@ CERT_CertTimesValid(CERTCertificate *c)
+ return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
+ }
+
+-SECStatus
++static SECStatus
+ checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
+ {
+ SECStatus rv;
+@@ -47,6 +47,12 @@ checkKeyParams(const SECAlgorithmID *sig
+ PRInt32 minLen, len;
+
+ sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
++ rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);
++ if (rv == SECSuccess &&
++ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
++ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
++ return SECFailure;
++ }
+
+ switch (sigAlg) {
+ case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -384,18 +384,26 @@ static const oidValDef kxOptList[] = {
+ { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
+ };
+
++static const oidValDef signOptList[] = {
++ /* Signatures */
++ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++};
++
+ typedef struct {
+ const oidValDef *list;
+ PRUint32 entries;
+ const char *description;
++ PRBool allowEmpty;
+ } algListsDef;
+
+ static const algListsDef algOptLists[] = {
+- { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
+- { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
+- { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
+- { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
+- { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
++ { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC", PR_FALSE },
++ { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH", PR_FALSE },
++ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
++ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
++ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
++ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ };
+
+ static const optionFreeDef sslOptList[] = {
+@@ -718,7 +726,7 @@ secmod_sanityCheckCryptoPolicy(void)
+ for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
+ const algListsDef *algOptList = &algOptLists[i];
+ fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
+- if (!enabledCount[i]) {
++ if (!enabledCount[i] && !algOptList->allowEmpty) {
+ haveWarning = PR_TRUE;
+ }
+ }
+diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
+--- a/lib/ssl/ssl3con.c
++++ b/lib/ssl/ssl3con.c
+@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
+ static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
+ static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
+ PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
++PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
+
+ const PRUint8 ssl_hello_retry_random[] = {
+ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
+@@ -4309,6 +4310,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
+ return PR_FALSE;
+ }
+
++PRBool
++ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
++{
++ switch (scheme) {
++ case ssl_sig_dsa_sha256:
++ case ssl_sig_dsa_sha384:
++ case ssl_sig_dsa_sha512:
++ case ssl_sig_dsa_sha1:
++ return PR_TRUE;
++
++ default:
++ return PR_FALSE;
++ }
++ return PR_FALSE;
++}
++
+ SSLAuthType
+ ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
+ {
+@@ -6017,6 +6034,13 @@ ssl_CanUseSignatureScheme(SSLSignatureSc
+ return PR_FALSE;
+ }
+
++ if (ssl_IsDsaSignatureScheme(scheme) &&
++ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) ==
++ SECSuccess) &&
++ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
++ return PR_FALSE;
++ }
++
+ hashType = ssl_SignatureSchemeToHashType(scheme);
+ if (requireSha1 && (hashType != ssl_hash_sha1)) {
+ return PR_FALSE;
+@@ -9490,6 +9514,14 @@ ssl3_EncodeSigAlgs(const sslSocket *ss,
+ continue;
+ }
+
++ /* Skip DSA scheme if it is disabled by policy. */
++ if (ssl_IsDsaSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
++ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) ==
++ SECSuccess) &&
++ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
++ continue;
++ }
++
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
+ (policy & NSS_USE_ALG_IN_SSL_KX)) {
+ rv = sslBuffer_AppendNumber(buf, ss->ssl3.signatureSchemes[i], 2);
+diff --git a/tests/ssl/sslpolicy.txt b/tests/ssl/sslpolicy.txt
+--- a/tests/ssl/sslpolicy.txt
++++ b/tests/ssl/sslpolicy.txt
+@@ -74,6 +74,8 @@
+ # SECT409R1
+ # SECT571K1
+ # SECT571R1
++# Signatures:
++# DSA
+ # Hashes:
+ # MD2
+ # MD4
+@@ -172,3 +174,4 @@
+ 1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
++ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly.
diff --git a/SOURCES/nss-dso-ldflags.patch b/SOURCES/nss-dso-ldflags.patch
new file mode 100644
index 0000000..fe39ae3
--- /dev/null
+++ b/SOURCES/nss-dso-ldflags.patch
@@ -0,0 +1,22 @@
+diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
+--- a/coreconf/Linux.mk
++++ b/coreconf/Linux.mk
+@@ -135,17 +135,17 @@ ifeq ($(KERNEL),Linux)
+ endif
+ OS_LIBS = $(OS_PTHREAD) -ldl -lc
+
+ ifdef USE_PTHREADS
+ DEFINES += -D_REENTRANT
+ endif
+
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
+ # Also, -z defs conflicts with Address Sanitizer, which emits relocations
+ # against the libsanitizer runtime built into the main executable.
+ ZDEFS_FLAG = -Wl,-z,defs
+ DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
+ LDFLAGS += $(ARCHFLAG) -z noexecstack
diff --git a/SOURCES/nss-manpage-fixes.patch b/SOURCES/nss-manpage-fixes.patch
new file mode 100644
index 0000000..ae2b2fd
--- /dev/null
+++ b/SOURCES/nss-manpage-fixes.patch
@@ -0,0 +1,170 @@
+# HG changeset patch
+# User Daiki Ueno <dueno@redhat.com>
+# Date 1544699159 -3600
+# Thu Dec 13 12:05:59 2018 +0100
+# Node ID 0124a811bdf7abfe4bcf135ccc8c719b14db0580
+# Parent 5b2efc615899a283c1ab2e26ddb41684aeae60f0
+Add manual for nss-policy-check
+
+diff --git a/doc/Makefile b/doc/Makefile
+--- a/doc/Makefile
++++ b/doc/Makefile
+@@ -21,7 +21,7 @@ all: prepare all-man all-html
+ prepare: date-and-version
+ mkdir -p html
+ mkdir -p nroff
+-
++
+ clean:
+ rm -f date.xml version.xml *.tar.bz2
+ rm -f html/*.proc
+@@ -45,11 +45,11 @@ version.xml:
+
+ nroff/%.1 : %.xml
+ $(COMPILE.1) $<
+-
++
+ MANPAGES = \
+ nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
+ nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
+-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
++nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
+
+ all-man: prepare $(MANPAGES)
+
+@@ -64,6 +64,6 @@ html/%.html : %.xml
+ HTMLPAGES = \
+ html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
+ html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
+-html/vfychain.html html/vfyserv.html
++html/vfychain.html html/vfyserv.html html/nss-policy-check.html
+
+ all-html: prepare $(HTMLPAGES)
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -180,6 +180,10 @@ For certificate requests, ASCII output d
+ </varlistentry>
+
+ <varlistentry>
++ <term>--simple-self-signed</term>
++ <listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
++ </varlistentry>
++ <varlistentry>
+ <term>-b validity-time</term>
+ <listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
+ </para>
+diff --git a/doc/nss-policy-check.xml b/doc/nss-policy-check.xml
+new file mode 100644
+--- /dev/null
++++ b/doc/nss-policy-check.xml
+@@ -0,0 +1,97 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
++ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
++<!ENTITY date SYSTEM "date.xml">
++<!ENTITY version SYSTEM "version.xml">
++]>
++
++<refentry id="nss-policy-check">
++
++ <refentryinfo>
++ <date>&date;</date>
++ <title>NSS Security Tools</title>
++ <productname>nss-tools</productname>
++ <productnumber>&version;</productnumber>
++ </refentryinfo>
++
++ <refmeta>
++ <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
++ <manvolnum>1</manvolnum>
++ </refmeta>
++
++ <refnamediv>
++ <refname>nss-policy-check</refname>
++ <refpurpose>nss-policy-check policy-file</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv>
++ <cmdsynopsis>
++ <command>nss-policy-check</command>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsection id="description">
++ <title>Description</title>
++ <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
++
++ <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
++ </refsection>
++
++ <refsection id="basic-usage">
++ <title>Usage and Examples</title>
++ <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
++ </para>
++ <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
++NSS-POLICY-INFO: LOADED-SUCCESSFULLY
++NSS-POLICY-INFO: PRIME256V1 is enabled for KX
++NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
++NSS-POLICY-INFO: SECP256R1 is enabled for KX
++NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
++NSS-POLICY-INFO: SECP384R1 is enabled for KX
++NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
++...
++NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
++NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
++NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
++...
++NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
++NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
++NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
++...
++NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
++NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
++NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
++ </programlisting>
++ <para>If there is a failure or warning, it will be prefixed with
++ NSS-POLICY-FAIL or NSS-POLICY_WARN.
++ </para>
++ <para><command>nss-policy-check</command> exits with 2 if any
++ failure is found, 1 if any warning is found, or 0 if no errors are
++ found.</para>
++ </refsection>
++
++<!-- don't change -->
++ <refsection id="resources">
++ <title>Additional Resources</title>
++ <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
++ <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
++ <para>IRC: Freenode at #dogtag-pki</para>
++ </refsection>
++
++<!-- fill in your name first; keep the other names for reference -->
++ <refsection id="authors">
++ <title>Authors</title>
++ <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
++ <para>
++ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>.
++ </para>
++ </refsection>
++
++<!-- don't change -->
++ <refsection id="license">
++ <title>LICENSE</title>
++ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ </para>
++ </refsection>
++
++</refentry>
+diff --git a/doc/pk12util.xml b/doc/pk12util.xml
+--- a/doc/pk12util.xml
++++ b/doc/pk12util.xml
+@@ -108,7 +108,7 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term>-n | --cert-key-len certKeyLength</term>
++ <term>--cert-key-len certKeyLength</term>
+ <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
+ </varlistentry>
+
diff --git a/SOURCES/nss-p11-kit.config b/SOURCES/nss-p11-kit.config
new file mode 100644
index 0000000..0ebf073
--- /dev/null
+++ b/SOURCES/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+
diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in
new file mode 100644
index 0000000..c7abe29
--- /dev/null
+++ b/SOURCES/nss-softokn-config.in
@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--includedir[=DIR]]
+ [--libdir[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Dynamic Libraries:
+ softokn3 - Requires full dynamic linking
+ freebl3 - for internal use only (and glibc for self-integrity check)
+ nssdbm3 - for internal use only
+Dymamically linked
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-softokn-dracut-module-setup.sh b/SOURCES/nss-softokn-dracut-module-setup.sh
new file mode 100644
index 0000000..010ec18
--- /dev/null
+++ b/SOURCES/nss-softokn-dracut-module-setup.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ local _dir
+
+ inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+ libfreebl3.so
+}
diff --git a/SOURCES/nss-softokn-dracut.conf b/SOURCES/nss-softokn-dracut.conf
new file mode 100644
index 0000000..2d9232e
--- /dev/null
+++ b/SOURCES/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/SOURCES/nss-softokn-prelink.conf b/SOURCES/nss-softokn-prelink.conf
new file mode 100644
index 0000000..11d7fb0
--- /dev/null
+++ b/SOURCES/nss-softokn-prelink.conf
@@ -0,0 +1,6 @@
+-b /lib{,64}/libfreeblpriv3.so
+-b /lib{,64}/libsoftokn3.so
+-b /lib{,64}/libnssdbm3.so
+-b /usr/lib{,64}/libfreeblpriv3.so
+-b /usr/lib{,64}/libsoftokn3.so
+-b /usr/lib{,64}/libnssdbm3.so
diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in
new file mode 100644
index 0000000..022ebbf
--- /dev/null
+++ b/SOURCES/nss-softokn.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/SOURCES/nss-util-config.in b/SOURCES/nss-util-config.in
new file mode 100644
index 0000000..532abbe
--- /dev/null
+++ b/SOURCES/nss-util-config.in
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--includedir[=DIR]]
+ [--libdir[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Dynamic Libraries:
+ nssutil
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-util.pc.in b/SOURCES/nss-util.pc.in
new file mode 100644
index 0000000..1310248
--- /dev/null
+++ b/SOURCES/nss-util.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>pkcs11.txt</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pkcs11.txt</refname>
+ <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+ </refnamediv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+ </para>
+ <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
+
diff --git a/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
new file mode 100644
index 0000000..970c84e
--- /dev/null
+++ b/SOURCES/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/ssl/ssl3con.c.1185708_3des nss/lib/ssl/ssl3con.c
+--- nss/lib/ssl/ssl3con.c.1185708_3des 2018-12-11 18:28:06.736592552 +0100
++++ nss/lib/ssl/ssl3con.c 2018-12-11 18:29:06.273314692 +0100
+@@ -106,8 +106,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 0000000..8e1f5f7
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <<EOF
+Usage: setup-nsssysinit [on|off]
+ on - turns on nsssysinit
+ off - turns off nsssysinit
+ status - reports whether nsssysinit is turned on or off
+EOF
+ exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+ usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 0000000..c2f5704
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..ddbb575
--- /dev/null
+++ b/SPECS/nss.spec
@@ -0,0 +1,2287 @@
+%global nspr_version 4.20.0
+%global nss_version 3.41.0
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global saved_files_dir %{_libdir}/nss/saved
+%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
+%global dracutlibdir %{_prefix}/lib/dracut
+%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
+%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+
+%bcond_without tests
+
+# Produce .chk files for the final stripped binaries
+#
+# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links
+# against the freebl that we just built. This is necessary
+# because the signing algorithm changed on 3.14 to DSA2 with SHA256
+# whereas we previously signed with DSA and SHA1. We must Keep this line
+# until all mock platforms have been updated.
+# After %%{__os_install_post} we would add
+# export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir}
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
+%{nil}
+
+# The upstream omits the trailing ".0", while we need it for
+# consistency with the pkg-config version:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
+%{lua:
+rpm.define(string.format("nss_archive_version %s",
+ string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
+}
+
+%{lua:
+rpm.define(string.format("nss_release_tag NSS_%s_RTM",
+ string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
+}
+
+Summary: Network Security Services
+Name: nss
+Version: %{nss_version}
+Release: 5%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_version}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_version}
+Requires: nss-system-init
+Requires: p11-kit-trust
+Requires: crypto-policies
+BuildRequires: nspr-devel >= %{nspr_version}
+# for shlibsign
+BuildRequires: nss-softokn
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl-interpreter
+BuildRequires: gcc-c++
+
+Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
+Source1: nss-util.pc.in
+Source2: nss-util-config.in
+Source3: nss-softokn.pc.in
+Source4: nss-softokn-config.in
+Source5: nss-softokn-prelink.conf
+Source6: nss-softokn-dracut-module-setup.sh
+Source7: nss-softokn-dracut.conf
+Source8: nss.pc.in
+Source9: nss-config.in
+Source10: blank-cert8.db
+Source11: blank-key3.db
+Source12: blank-secmod.db
+Source13: blank-cert9.db
+Source14: blank-key4.db
+Source15: system-pkcs11.txt
+Source16: setup-nsssysinit.sh
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+Source28: nss-p11-kit.config
+
+# To inject hardening flags for DSO
+Patch1: nss-dso-ldflags.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
+Patch2: nss-539183.patch
+# This patch uses the GCC -iquote option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
+Patch4: iquote.patch
+# Local patch for enabling FIPS when the system is in FIPS mode:
+# https://bugzilla.redhat.com/show_bug.cgi?id=852023
+Patch55: enable-fips-when-system-is-in-fips-mode.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1493936
+Patch129: nss-dsa.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1496124
+Patch150: nss-3.39-create-public-key-on-private-import.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1513909
+Patch151: nss-manpage-fixes.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Provides: nss-static = %{version}-%{release}
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+Requires: nss-softokn-freebl-devel = %{version}-%{release}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%package util
+Summary: Network Security Services Utilities Library
+Requires: nspr >= %{nspr_version}
+
+%description util
+Utilities for Network Security Services and the Softoken module
+
+%package util-devel
+Summary: Development libraries for Network Security Services Utilities
+Requires: nss-util%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+
+%description util-devel
+Header and library files for doing development with Network Security Services.
+
+
+%package softokn
+Summary: Network Security Services Softoken Module
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{version}-%{release}
+Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
+
+%description softokn
+Network Security Services Softoken Cryptographic Module
+
+%package softokn-freebl
+Summary: Freebl library for the Network Security Services
+# For PR_GetEnvSecure() from nspr >= 4.12
+Requires: nspr >= 4.12
+# For NSS_SecureMemcmpZero() from nss-util >= 3.33
+Requires: nss-util >= 3.33
+Conflicts: nss < 3.12.2.99.3-5
+Conflicts: prelink < 0.4.3
+Conflicts: filesystem < 3
+
+%description softokn-freebl
+NSS Softoken Cryptographic Module Freebl Library
+
+Install the nss-softokn-freebl package if you need the freebl library.
+
+%package softokn-freebl-devel
+Summary: Header and Library files for doing development with the Freebl library for NSS
+Provides: nss-softokn-freebl-static = %{version}-%{release}
+Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release}
+
+%description softokn-freebl-devel
+NSS Softoken Cryptographic Module Freebl Library Development Tools
+This package supports special needs of some PKCS #11 module developers and
+is otherwise considered private to NSS. As such, the programming interfaces
+may change and the usual NSS binary compatibility commitments do not apply.
+Developers should rely only on the officially supported NSS public API.
+
+%package softokn-devel
+Summary: Development libraries for Network Security Services
+Requires: nss-softokn%{?_isa} = %{version}-%{release}
+Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-util-devel >= %{version}-%{release}
+Requires: pkgconfig
+BuildRequires: nspr-devel >= %{nspr_version}
+
+%description softokn-devel
+Header and library files for doing development with Network Security Services.
+
+
+%prep
+%setup -q -n %{name}-%{nss_archive_version}
+pushd nss
+%autopatch -p1
+popd
+
+
+%build
+
+export FREEBL_NO_DEPEND=1
+
+# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
+# copied to dist and the rpm install phase can find it
+# This due of the upstream changes to fix
+# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
+export FREEBL_LOWHASH=1
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+export NSS_FORCE_FIPS=1
+
+# Enable compiler optimizations and disable debugging code
+export BUILD_OPT=1
+
+# Uncomment to disable optimizations
+#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
+#export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+
+export LDFLAGS=$RPM_LD_FLAGS
+
+export DSO_LDFLAGS=$RPM_LD_FLAGS
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+export NSPR_LIB_DIR=%{_libdir}
+
+export NSS_USE_SYSTEM_SQLITE=1
+
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+##### phase 2: build the rest of nss
+make -C ./nss/coreconf
+make -C ./nss/lib/dbm
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
+make -C ./nss
+
+# build the man pages clean
+pushd ./nss
+make clean_docs build_docs
+popd
+
+# and copy them to the dist directory for %%install to find them
+mkdir -p ./dist/docs/nroff
+cp ./nss/doc/nroff/* ./dist/docs/nroff
+
+# Set up our package files
+mkdir -p ./dist/pkgconfig
+
+cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
+ ./dist/pkgconfig/nss-util.pc
+
+NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
+NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
+NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \
+ > ./dist/pkgconfig/nss-util-config
+
+chmod 755 ./dist/pkgconfig/nss-util-config
+
+cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+ ./dist/pkgconfig/nss-softokn.pc
+
+SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE4} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \
+ > ./dist/pkgconfig/nss-softokn-config
+
+chmod 755 ./dist/pkgconfig/nss-softokn-config
+
+cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+cat %{SOURCE16} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+%if %{with tests}
+# Begin -- copied from the build section
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# This is necessary because the test suite tests algorithms that are
+# disabled by the system policy.
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd "$DISTBINDIR"
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd nss/tests
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+# the full list from all.sh is:
+# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+# nss_ssl_run: cov auth stapling stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+popd
+
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
+killall $RANDSERV || :
+
+TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+fi
+echo "test suite completed"
+%endif
+
+%install
+
+# There is no make install target so we'll do it ourselves.
+
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
+mkdir -p $RPM_BUILD_ROOT/%{prelink_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+%if %{defined rhel}
+# not needed for rhel and its derivatives only fedora
+%else
+# because of the pp.1 conflict with perl-PAR-Packer
+mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%endif
+
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir}
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+# Copy the binary libraries we want
+for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h
+do
+ install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the static freebl library
+for file in libfreebl.a
+do
+install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the template files we want
+for file in dist/private/nss/templates.c dist/private/nss/nssck.api
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
+ install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+%if %{defined rhel}
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+%else
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+%endif
+
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+# Copy the crypto-policies configuration file
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+update-crypto-policies --no-reload
+
+%postun
+update-crypto-policies --no-reload
+
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%doc %{_mandir}/man5/cert8.db.5*
+%doc %{_mandir}/man5/key3.db.5*
+%doc %{_mandir}/man5/secmod.db.5*
+%doc %{_mandir}/man5/cert9.db.5*
+%doc %{_mandir}/man5/key4.db.5*
+%doc %{_mandir}/man5/pkcs11.txt.5*
+
+%files sysinit
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%doc %{_mandir}/man1/setup-nsssysinit.1*
+
+%files tools
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %%{_mandir}/man*/* let's list them explicitly
+# supported tools
+%doc %{_mandir}/man1/certutil.1*
+%doc %{_mandir}/man1/cmsutil.1*
+%doc %{_mandir}/man1/crlutil.1*
+%doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/nss-policy-check.1*
+%doc %{_mandir}/man1/pk12util.1*
+%doc %{_mandir}/man1/signver.1*
+# unsupported tools
+%doc %{_mandir}/man1/derdump.1*
+%doc %{_mandir}/man1/signtool.1*
+%if %{defined rhel}
+%doc %{_mandir}/man1/pp.1*
+%else
+%dir %{_datadir}/doc/nss-tools
+%doc %{_datadir}/doc/nss-tools/pp.1
+%endif
+%doc %{_mandir}/man1/ssltap.1*
+%doc %{_mandir}/man1/vfychain.1*
+%doc %{_mandir}/man1/vfyserv.1*
+
+%files devel
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%doc %{_mandir}/man1/nss-config.1*
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+%files pkcs11-devel
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+%files util
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnssutil3.so
+
+%files util-devel
+# package configuration files
+%{_libdir}/pkgconfig/nss-util.pc
+%{_bindir}/nss-util-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+# these are marked as public export in nss/lib/util/manifest.mk
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
+%{_includedir}/nss3/pkcs1sig.h
+%{_includedir}/nss3/pkcs11.h
+%{_includedir}/nss3/pkcs11f.h
+%{_includedir}/nss3/pkcs11n.h
+%{_includedir}/nss3/pkcs11p.h
+%{_includedir}/nss3/pkcs11t.h
+%{_includedir}/nss3/pkcs11u.h
+%{_includedir}/nss3/pkcs11uri.h
+%{_includedir}/nss3/portreg.h
+%{_includedir}/nss3/secasn1.h
+%{_includedir}/nss3/secasn1t.h
+%{_includedir}/nss3/seccomon.h
+%{_includedir}/nss3/secder.h
+%{_includedir}/nss3/secdert.h
+%{_includedir}/nss3/secdig.h
+%{_includedir}/nss3/secdigt.h
+%{_includedir}/nss3/secerr.h
+%{_includedir}/nss3/secitem.h
+%{_includedir}/nss3/secoid.h
+%{_includedir}/nss3/secoidt.h
+%{_includedir}/nss3/secport.h
+%{_includedir}/nss3/utilmodt.h
+%{_includedir}/nss3/utilpars.h
+%{_includedir}/nss3/utilparst.h
+%{_includedir}/nss3/utilrename.h
+%{_includedir}/nss3/templates/templates.c
+
+%files softokn
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+# shared with nss-tools
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-freebl
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
+#shared
+%dir %{prelink_conf_dir}
+%{prelink_conf_dir}/nss-softokn-prelink.conf
+%dir %{dracut_modules_dir}
+%{dracut_modules_dir}/module-setup.sh
+%{dracut_conf_dir}/50-nss-softokn.conf
+
+%files softokn-freebl-devel
+%{_libdir}/libfreebl.a
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+
+%files softokn-devel
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+#
+# The following headers are those exported public in
+# nss/lib/freebl/manifest.mn and
+# nss/lib/softoken/manifest.mn
+#
+# The following list is short because many headers, such as
+# the pkcs #11 ones, have been provided by nss-util-devel
+# which installed them before us.
+#
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
+
+
+%changelog
+* Mon Dec 17 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-5
+- Update manual pages to reflect recent changes in commands
+
+* Fri Dec 14 2018 Bob Relyea <rrelyea@redhat.com> - 3.41.0-4
+- Make sure corresponding public keys are created when importing private keys.
+
+* Thu Dec 13 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-3
+- Fix the last change
+- Add --no-reload option to update-crypto-policies to avoid
+ unnecessary restart of daemons
+
+* Thu Dec 13 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-2
+- Restore LDFLAGS injection when linking DSO
+
+* Mon Dec 10 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-1
+- Update to NSS 3.41
+- Consolidate nss-util, nss-softokn, and nss into a single source package
+
+* Fri Dec 7 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.5
+- Fix the last commit
+
+* Tue Dec 4 2018 Bob Relyea <rrelyea@redhat.com> - 3.39.0-1.4
+- Support for IKE/IPsec typical PKIX usage so libreswan can use nss
+ without rejecting certs based on EKU
+
+* Thu Nov 29 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.3
+- Backport upstream fixes for rhbz#1649026, rhbz#1608895, rhbz#1644854
+- Document PKCS #11 URI
+- Add warning when adding module with modutil while p11-kit is enabled
+
+* Tue Nov 13 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.2
+- Update nss-dsa.patch to not advertise DSA signature algorithm
+- Update PayPal test certs for testing
+
+* Thu Oct 18 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.1
+- Backport "DSA" keyword in crypto-policies
+
+* Tue Sep 25 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
+- Update to NSS 3.39
+
+* Fri Sep 14 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.2
+- Fix LDFLAGS injection when linking DSO
+
+* Tue Jul 24 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.1
+- Install crypto-policies configuration file for
+ https://fedoraproject.org/wiki/Changes/NSSLoadP11KitModules
+- Port enable-fips-when-system-is-in-fips-mode.patch from RHEL-7
+- Use %%ldconfig_scriptlets
+- Remove needless use of %defattr, by Jason Tibbitts
+
+* Wed Jul 18 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
+- Update to NSS 3.38
+
+* Tue Jul 17 2018 Kai Engert <kaie@redhat.com> - 3.36.1-1.2
+- Backport upstream addition of nss-policy-check utility, rhbz#1428746,
+ includes required fixes for mozbz#1296263 and mozbz#1474875
+
+* Fri May 25 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.1
+- Switch the default DB type to SQL
+- Enable SSLKEYLOGFILE
+
+* Wed Apr 11 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
+- Update to NSS 3.36.1
+- Remove nss-3.14.0.0-disble-ocsp-test.patch
+- Fix partial injection of LDFLAGS
+- Remove NSS_NO_PKCS11_BYPASS, which is no-op in upstream
+
+* Fri Mar 9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1.0
+- Update to NSS 3.36.0
+- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
+- Make test failure detection robuster
+
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.35.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 29 2018 Kai Engert <kaie@redhat.com> - 3.35.0-4
+- Fix a compiler error with gcc 8, mozbz#1434070
+- Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check.
+
+* Mon Jan 29 2018 Kai Engert <kaie@redhat.com> - 3.35.0-3
+- Stop pulling in nss-pem automatically, packages that need it should
+ depend on it, rhbz#1539401
+
+* Tue Jan 23 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-2
+- Update to NSS 3.35.0
+
+* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-2
+- Update to NSS 3.34.0
+
+* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-6
+- Make sure 32bit nss-pem always be installed with 32bit nss in
+ multlib environment, patch by Kamil Dudka
+
+* Wed Nov 8 2017 Kai Engert <kaie@redhat.com> - 3.33.0-5
+- Fix test script
+
+* Tue Nov 7 2017 Kai Engert <kaie@redhat.com> - 3.33.0-4
+- Update tests to be compatible with default NSS DB changed to sql
+ (the default was changed in the nss-util package).
+
+* Tue Oct 24 2017 Kai Engert <kaie@redhat.com> - 3.33.0-3
+- rhbz#1505487, backport upstream fixes required for rhbz#1496560
+
+* Tue Oct 3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-2
+- Update to NSS 3.33.0
+
+* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-2
+- Update to NSS 3.32.1
+
+* Wed Sep 6 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-4
+- Update iquote.patch to really prefer in-tree headers over system headers
+
+* Wed Aug 23 2017 Kai Engert <kaie@redhat.com> - 3.32.0-3
+- NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449
+
+* Mon Aug 7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-2
+- Update to NSS 3.32.0
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.31.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 3.31.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jul 18 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-4
+- Backport mozbz#1381784 to avoid deadlock in dnf
+
+* Thu Jul 13 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-3
+- Move signtool to %%_libdir/nss/unsupported-tools, for:
+ https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation
+
+* Wed Jun 21 2017 Daiki Ueno <dueno@redhat.com> - 3.31.0-2
+- Rebase to NSS 3.31.0
+
+* Fri Jun 2 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-3
+- Enable gtests
+
+* Mon Apr 24 2017 Daiki Ueno <dueno@redhat.com> - 3.30.2-2
+- Rebase to NSS 3.30.2
+- Enable TLS 1.3
+
+* Thu Mar 30 2017 Kai Engert <kaie@redhat.com> - 3.30.0-3
+- Backport upstream mozbz#1328318 to support crypto policy FUTURE.
+
+* Tue Mar 21 2017 Daiki Ueno <dueno@redhat.com> - 3.30.0-2
+- Rebase to NSS 3.30.0
+- Remove upstreamed patches
+
+* Thu Mar 02 2017 Kai Engert <kaie@redhat.com> - 3.29.1-3
+- Backport mozbz#1334976 and mozbz#1336487.
+
+* Fri Feb 17 2017 Daiki Ueno <dueno@redhat.com> - 3.29.1-2
+- Rebase to NSS 3.29.1
+
+* Thu Feb 9 2017 Daiki Ueno <dueno@redhat.com> - 3.29.0-3
+- Disable TLS 1.3, following the upstream change
+
+* Wed Feb 8 2017 Daiki Ueno <dueno@redhat.com> - 3.29.0-2
+- Rebase to NSS 3.29.0
+- Suppress -Werror=int-in-bool-context warnings with GCC7
+
+* Mon Jan 23 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-6
+- Work around pkgconfig -> pkgconf transition issue (releng#6597)
+
+* Fri Jan 20 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-5
+- Disable TLS 1.3
+- Add "Conflicts" with packages using older Mozilla codebase, which is
+ not compatible with NSS 3.28.1
+- Remove NSS_ECC_MORE_THAN_SUITE_B setting, as it was removed in upstream
+
+* Tue Jan 17 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-4
+- Add "Conflicts" with older firefox packages which don't have support
+ for smaller curves added in NSS 3.28.1
+
+* Fri Jan 13 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-3
+- Fix incorrect version specification in %%nss_{util,softokn}_version,
+ pointed by Elio Maldonado
+
+* Fri Jan 6 2017 Daiki Ueno <dueno@redhat.com> - 3.28.1-2
+- Rebase to NSS 3.28.1
+- Remove upstreamed patch for disabling RSA-PSS
+- Re-enable TLS 1.3
+
+* Wed Nov 30 2016 Daiki Ueno <dueno@redhat.com> - 3.27.2-2
+- Rebase to NSS 3.27.2
+
+* Tue Nov 15 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-5
+- Revert the previous fix for RSA-PSS and use the upstream fix instead
+
+* Wed Nov 02 2016 Kai Engert <kaie@redhat.com> - 3.27.0-4
+- Disable the use of RSA-PSS with SSL/TLS. #1383809
+
+* Sun Oct 2 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-3
+- Disable TLS 1.3 for now, to avoid reported regression with TLS to
+ version intolerant servers
+
+* Thu Sep 29 2016 Daiki Ueno <dueno@redhat.com> - 3.27.0-2
+- Rebase to NSS 3.27.0
+- Remove upstreamed ectest patch
+
+* Mon Aug 8 2016 Daiki Ueno <dueno@redhat.com> - 3.26.0-2
+- Rebase to NSS 3.26.0
+- Update check policy file patch to better match what was upstreamed
+- Remove conditionally ignore system policy patch as it has been upstreamed
+- Skip ectest as well as ecperf, which are built as part of nss-softokn
+- Fix rpmlint error regarding %%define usage
+
+* Thu Jul 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+- Incorporate some changes requested in upstream review and commited upstream (#1157720)
+
+* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
+- Add support for conditionally ignoring the system policy (#1157720)
+- Remove unneeded test scripts patches in order to run more tests
+- Remove unneeded test data modifications from the spec file
+
+* Tue Jun 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-4
+- Remove obsolete patch and spurious lines from the spec file (#1347336)
+
+* Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
+- Cleanup spec file and patches and add references to bugs filed upstream
+
+* Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
+- Rebase to nss 3.25
+
+* Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
+- decouple nss-pem from the nss package (#1347336)
+
+* Fri Jun 03 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.3
+- Apply the patch that was last introduced
+- Renumber and reorder some of the patches
+- Resolves: Bug 1342158
+
+* Thu Jun 02 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.2
+- Allow application requests to disable SSL v2 to succeed
+- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
+
+* Sun May 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.1
+- Rebase to NSS 3.24.0
+- Restore setting the policy file location
+- Make ssl tests scripts aware of policy
+- Ajust tests data expected result for policy
+
+* Tue May 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.0
+- Bootstrap build to rebase to NSS 3.24.0
+- Temporarily not setting the policy file location
+
+* Thu May 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-9
+- Change POLICY_FILE to "nss.config"
+
+* Fri Apr 22 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-8
+- Change POLICY_FILE to "nss.cfg"
+
+* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-7
+- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
+- Regenerate the check policy patch with hg to provide more context
+
+* Thu Apr 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-6
+- Fix typo in the last %%changelog entry
+
+* Thu Mar 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-5
+- Load policy file if /etc/pki/nssdb/policy.cfg exists
+- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy
+
+* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-4
+- Remove unused patch rendered obsolete by pem update
+
+* Tue Mar 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-3
+- Update pem sources to latest from nss-pem upstream
+- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
+
+* Sat Mar 05 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-2
+- Rebase to NSS 3.23
+
+* Sat Feb 27 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.2-2
+- Rebase to NSS 3.22.2
+
+* Tue Feb 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-3
+- Fix ssl2/exp test disabling to run all the required tests
+
+* Sun Feb 21 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.1-1
+- Rebase to NSS 3.22.1
+
+* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-3
+- Update .gitignore as part of updating to nss 3.22
+
+* Mon Feb 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.22.0-2
+- Update to NSS 3.22
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 3.21.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jan 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-6
+- Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
+- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
+- Use %%define when specifying the nss_tests to run
+
+* Wed Dec 30 2015 Michal Toman <mtoman@fedoraproject.org> - 3.21.0-5
+- Add 64-bit MIPS to multilib arches
+
+* Fri Nov 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-4
+- Update %%{nss_util_version} and %%{nss_softokn_version} to 3.21.0
+- Resolves: Bug 1284095 - all https fails with sec_error_no_token
+
+* Sun Nov 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
+- Add references to bugs filed upstream
+
+* Fri Nov 13 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
+- Update to NSS 3.21
+- Package listsuites as part of the unsupported tools set
+- Resolves: Bug 1279912 - nss-3.21 is available
+- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
+- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
+
+* Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
+- Update to NSS 3.20.1
+
+* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Split the enabling patch in two for easier maintenance
+- Remove unused patches rendered obsolete by prior rebase
+
+* Wed Sep 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-5
+- Enable ECC cipher-suites by default [hrbz#1185708]
+- Implement corrections requested in code review
+
+* Tue Sep 15 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-4
+- Enable ECC cipher-suites by default [hrbz#1185708]
+
+* Mon Sep 14 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-3
+- Fix patches that disable ssl2 and export cipher suites support
+- Fix libssl patch that disable ssl2 & export cipher suites to not disable RSA_WITH_NULL ciphers
+- Fix syntax errors in patch to skip ssl2 and export cipher suite tests
+- Turn ssl2 off by default in the tstclnt tool
+- Disable ssl stress tests containing TLS RC4 128 with MD5
+
+* Thu Aug 20 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-2
+- Update to NSS 3.20
+
+* Sat Aug 08 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.3-2
+- Update to NSS 3.19.3
+
+* Fri Jun 26 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.2-3
+- Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers
+
+* Wed Jun 17 2015 Kai Engert <kaie@redhat.com> - 3.19.2-2
+- Update to NSS 3.19.2
+
+* Thu May 28 2015 Kai Engert <kaie@redhat.com> - 3.19.1-2
+- Update to NSS 3.19.1
+
+* Tue May 19 2015 Kai Engert <kaie@redhat.com> - 3.19.0-2
+- Update to NSS 3.19
+
+* Fri May 15 2015 Kai Engert <kaie@redhat.com> - 3.18.0-2
+- Replace expired test certificates, upstream bug 1151037
+
+* Thu Mar 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
+- Update to nss-3.18.0
+- Resolves: Bug 1203689 - nss-3.18 is available
+
+* Tue Mar 03 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-5
+- Disable export suites and SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 3.17.4-4
+- Rebuilt for Fedora 23 Change
+ https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Tue Feb 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-3
+- Commented out the export NSS_NO_SSL2=1 line to not disable ssl2
+- Backing out from disabling ssl2 until the patches are fixed
+
+* Mon Feb 09 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
+- Disable SSL2 support at build time
+- Fix syntax errors in various shell scripts
+- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
+
+* Wed Jan 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-1
+- Update to nss-3.17.4
+
+* Sat Jan 24 2015 Ville Skyttä <ville.skytta@iki.fi> - 3.17.3-4
+- Own the %%{_datadir}/doc/nss-tools dir
+
+* Tue Dec 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-3
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
+- Use %%{_mandir} instead of /usr/share/man as more generic
+
+* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
+- Install pp man page in alternative location
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+
+* Fri Dec 05 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
+- Update to nss-3.17.3
+- Resolves: Bug 1171012 - nss-3.17.3 is available
+
+* Thu Oct 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-2
+- Resolves: Bug 994599 - Enable TLS 1.2 by default
+
+* Sun Oct 12 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-1
+- Update to nss-3.17.2
+
+* Wed Sep 24 2014 Kai Engert <kaie@redhat.com> - 3.17.1-1
+- Update to nss-3.17.1
+- Add a mechanism to skip test suite execution during development work
+
+* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.17.0-2
+- Rebuild for rpm bug 1131960
+
+* Tue Aug 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.0-1
+- Update to nss-3.17.0
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-3
+- Replace expired PayPal test cert with current one to prevent build failure
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 3.16.2-2
+- fix license handling
+
+* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
+- Update to nss-3.16.2
+
+* Sun Jun 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-4
+- Remove unwanted source directories at end of %%prep so it truly does it
+- Skip the cipher suite already run as part of the nss-softokn build
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Mon May 12 2014 Jaromir Capik <jcapik@redhat.com> - 3.16.1-2
+- Replacing ppc64 and ppc64le with the power64 macro
+- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
+
+* Tue May 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-1
+- Update to nss-3.16.1
+- Update the iquote patch on account of the rebase
+- Improve error detection in the %%section
+- Resolves: Bug 1094702 - nss-3.16.1 is available
+
+* Tue Mar 18 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.0-1
+- Update to nss-3.16.0
+- Cleanup the copying of the tools man pages
+- Update the iquote.patch on account of the rebase
+
+* Tue Mar 04 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.5-2
+- Restore requiring nss_softokn_version >= 3.15.5
+
+* Wed Feb 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.5-1
+- Update to nss-3.15.5
+- Temporarily requiring only nss_softokn_version >= 3.15.4
+- Fix location of sharedb files and their manpages
+- Move cert9.db, key4.db, and pkcs11.txt to the main package
+- Move nss-sysinit manpages tar archives to the main package
+- Resolves: Bug 1066877 - nss-3.15.5 is available
+- Resolves: Bug 1067091 - Move sharedb files to the %%files section
+
+* Thu Feb 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-5
+- Revert previous change that moved some sysinit manpages
+- Restore nss-sysinit manpages tar archives to %%files sysinit
+- Removing spurious wildcard entry was the only change needed
+
+* Mon Jan 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-4
+- Add explanatory comments for iquote.patch as was done on f20
+
+* Sat Jan 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
+- Update pem sources to latest from nss-pem upstream
+- Pick up pem fixes verified on RHEL and applied upstream
+- Fix a problem where same files in two rpms created rpm conflict
+- Move some nss-sysinit manpages tar archives to the %%files the
+- All man pages are listed by name so there shouldn't be wildcard inclusion
+- Add support for ppc64le, Resolves: Bug 1052545
+
+* Mon Jan 20 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.15.4-2
+- ARM tests pass so remove ARM conditional
+
+* Tue Jan 07 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-1
+- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
+- Resolves: Bug 1049229 - nss-3.15.4 is available
+- Update pem sources to latest from the interim upstream for pem
+- Remove no longer needed patches
+- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
+- Update iquote.patch on account of upstream changes
+
+* Wed Dec 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
+- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
+- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
+- Resolves: Bug 1040192 - nss-3.15.3.1 is available
+
+* Tue Dec 03 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
+- Bump the release tag
+
+* Sun Nov 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+- Update to NSS_3_15_3_RTM
+- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
+- Fix option descriptions for setup-nsssysinit manpage
+- Fix man page of nss-sysinit wrong path and other flaws
+- Document email option for certutil manpage
+- Remove unused patches
+
+* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
+- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
+
+* Wed Oct 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
+- Use the full sources from upstream
+- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
+
+* Thu Sep 26 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-1
+- Update to NSS_3_15_2_RTM
+- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+
+* Wed Aug 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-7
+- Update pem sources to pick up a patch applied upstream which a faulty merge had missed
+- The pem module should not require unique file basenames
+
+* Tue Aug 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-6
+- Update pem sources to the latest from interim upstream
+
+* Mon Aug 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-5
+- Resolves: rhbz#996639 - Minor bugs in nss man pages
+- Fix some typos and improve description and see also sections
+
+* Sun Aug 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-4
+- Cleanup spec file to address most rpmlint errors and warnings
+- Using double percent symbols to fix macro-in-comment warnings
+- Ignore unversioned-explicit-provides nss-system-init per spec comments
+- Ignore invalid-url Source0 as it comes from the git lookaside cache
+- Ignore invalid-url Source12 as it comes from the git lookaside cache
+
+* Thu Jul 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Resolves: rhbz#985114 - Provide man pages for the nss configuration files
+
+* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+- Fix errors in the man pages
+- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
+- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-1
+- Update to NSS_3_15_1_RTM
+- Enable the iquote.patch to access newly introduced types
+
+* Wed Jun 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona <emaldona@redhat.com> - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona <emaldona@redhat.com> - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Wed Apr 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.2
+- Fix incorrect path that hid failed test from view
+- Add ocsp to the test suites to run but ...
+- Temporarily disable the ocsp stapling tests
+- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
+
+* Thu Apr 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.1
+- Update to NSS_3_15_BETA1
+- Update spec file, patches, and helper scripts on account of a shallower source tree
+
+* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert <kaie@redhat.com> - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert <kaie@redhat.com> - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway <spot@fedoraproject.org> - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 05 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz <emaldona@redhat.com> - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert <kaie@redhat.com> - 3.12.11-2
+- Update builtins certs to those from NSSCKBI_1_87_RTM
+
+* Tue Aug 09 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-1
+- Update to NSS_3_12_11_RTM
+
+* Sat Jul 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-6
+- Indicate the provenance of stripped source tarball (#688015)
+
+* Mon Jun 27 2011 Michael Schwendt <mschwendt@fedoraproject.org> - 3.12.10-5
+- Provide virtual -static package to meet guidelines (#609612).
+
+* Fri Jun 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-4
+- Enable pluggable ecc support (#712556)
+- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045)
+
+* Fri May 20 2011 Dennis Gilmore <dennis@ausil.us> - 3.12.10-3
+- make the testsuite non fatal on arm arches
+
+* Tue May 17 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703656)
+
+* Fri May 06 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
+- Update to NSS_3_12_10_RTM
+
+* Wed Apr 27 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-0.1.beta1
+- Update to NSS_3_12_10_BETA1
+
+* Mon Apr 11 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-15
+- Implement PEM logging using NSPR's own (#695011)
+
+* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-14
+- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
+
+* Thu Feb 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-13
+- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
+
+* Fri Feb 18 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-12
+- Add a missing requires for pkcs11-devel (#675196)
+
+* Tue Feb 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-11
+- Run the test suites in the check section (#677809)
+
+* Thu Feb 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-10
+- Fix cms headers to not use c++ reserved words (#676036)
+- Reenabling Bug 499444 patches
+- Fix to swap internal key slot on fips mode switches
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-9
+- Revert patches for 499444 until all c++ reserved words are found and extirpated
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-7
+- Fix cms header to not use c++ reserved word (#676036)
+- Reenable patches for bug 499444
+
+* Tue Feb 08 2011 Christopher Aillon <caillon@redhat.com> - 3.12.9-6
+- Revert patches for 499444 as they use a C++ reserved word and
+ cause compilation of Firefox to fail
+
+* Fri Feb 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-5
+- Fix the earlier infinite recursion patch (#499444)
+- Remove a header that now nss-softokn-freebl-devel ships
+
+* Tue Feb 01 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-4
+- Fix infinite recursion when encoding NSS enveloped/digested data (#499444)
+
+* Mon Jan 31 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-3
+- Update the cacert trust patch per upstream review requests (#633043)
+
+* Wed Jan 19 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
+* Wed Jan 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-1
+- Update to 3.12.9
+
+* Mon Dec 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.9-0.1.beta2
+- Rebuilt according to fedora pre-release package naming guidelines
+
+* Fri Dec 10 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.2-1
+- Update to NSS_3_12_9_BETA2
+- Fix libpnsspem crash when cacert dir contains other directories (#642433)
+
+* Wed Dec 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.1-1
+- Update to NSS_3_12_9_BETA1
+
+* Thu Nov 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-9
+- Update pem source tar with fixes for 614532 and 596674
+- Remove no longer needed patches
+
+* Fri Nov 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-8
+- Update PayPalEE.cert test certificate which had expired
+
+* Sun Oct 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-7
+- Tell rpm not to verify md5, size, and modtime of configurations file
+
+* Mon Oct 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
+* Wed Oct 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-5
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-4
+- Fix invalid %%postun scriptlet (#639248)
+
+* Wed Sep 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Mon Sep 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
+- Add posttrans scriptlet (#636787)
+
+* Thu Sep 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
+- Update to 3.12.8
+- Prevent disabling of nss-sysinit on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
+- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sat Sep 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.4-1
+- NSS 3.12.8 RC0
+
+* Sun Sep 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-2
+- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3
+
+* Sat Sep 04 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-1
+- NSS 3.12.8 Beta3
+- Fix unclosed comment in renegotiate-transitional.patch
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-3
+- Change BuildRequries to available version of nss-util-devel
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-2
+- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
+- Add comments regarding an unversioned provides which triggers rpmlint warning
+- Build requires nss-softokn-devel >= 3.12.7
+
+* Mon Aug 16 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
+- Update to 3.12.7
+
+* Sat Aug 14 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-12
+- Apply the patches to fix rhbz#614532
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-11
+- Removed pem sourecs as they are in the cache
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-10
+- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
+
+* Sat Jul 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-9
+- Fix nsssysinit to return userdb ahead of systemdb (#603313)
+
+* Tue Jun 08 2010 Dennis Gilmore <dennis@ausil.us> - 3.12.6-8
+- Require and BuildRequire >= the listed version not =
+
+* Tue Jun 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-7
+- Require nss-softoken 3.12.6
+
+* Sun Jun 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-6
+- Fix SIGSEGV within CreateObject (#596674)
+
+* Mon Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
+- Update pem source tar to pick up the following bug fixes:
+- PEM - Allow collect objects to search through all objects
+- PEM - Make CopyObject return a new shallow copy
+- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-4
+- Update the test cert in the setup phase
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-3
+- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
+- Update PayPalEE test cert with unexpired one (#580207)
+
+* Thu Mar 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
+- Fix ns.spec to not require nss-softokn (#575001)
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.2
+- rebuilt with all tests enabled
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.1
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
+- Disabling ssl tests suites until bug 539183 is resolved
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
+- Update to 3.12.6
+- Reactivate all tests
+- Patch tools to validate command line options arguments
+
+* Mon Jan 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-8
+- Fix curl related regression and general patch code clean up
+
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-5
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-1.1
+- Fix SIGSEGV on call of NSS_Initialize (#553638)
+
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.2
+- New version of patch to allow root to modify ystem database (#547860)
+
+* Thu Dec 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.1
+- Temporarily disabling the ssl tests
+
+* Sat Dec 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
+* Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for rhbz #546211
+
+* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.9
+- Remove left over trace statements from nsssysinit patching
+
+* Fri Dec 18 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.7
+- Fix a misconstructed patch
+
+* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.6
+- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221)
+- Fix spec so sysinit requires coreutils for post install scriplet (#547067)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+
+* Thu Dec 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.5
+- Fix nsssysinit to set the default flags on the crypto module (#545779)
+- Remove redundant header from the pem module
+
+* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Remove unneeded patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Retagging to include missing patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1
+- Update to 3.12.5
+- Patch to allow ssl/tls clients to interoperate with servers that require renogiation
+
+* Fri Nov 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14.1
+- Retagging
+
+* Tue Oct 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13.1
+- Require nss-softoken of same architecture as nss (#527867)
+- Merge setup-nsssysinit.sh improvements from F-12 (#527051)
+
+* Sat Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
+- User no longer prompted for a password when listing keys an empty system db (#527048)
+- Fix setup-nsssysinit to handle more general formats (#527051)
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-12
+- Fix syntax error in setup-nsssysinit.sh
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-11
+- Fix sysinit to be under mozilla/security/nss/lib
+
+* Sat Sep 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-10
+- Add nss-sysinit activation/deactivation script
+
+* Fri Sep 18 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-9
+- Install blank databases and configuration file for system shared database
+- nsssysinit queries system for fips mode before relying on environment variable
+
+* Thu Sep 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-8
+- Restoring nssutil and -rpath-link to nss-config for now - 522477
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-7
+- Add the nss-sysinit subpackage
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-6
+- Installing shared libraries to %%{_libdir}
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-5
+- Retagging to pick up new sources
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-4
+- Update pem enabling source tar with latest fixes (509705, 51209)
+
+* Sun Sep 06 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-3
+- PEM module implements memory management for internal objects - 509705
+- PEM module doesn't crash when processing malformed key files - 512019
+
+* Sat Sep 05 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-2
+- Remove symbolic links to shared libraries from devel - 521155
+- No rpath-link in nss-softokn-config
+
+* Tue Sep 01 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-1
+- Update to 3.12.4
+
+* Mon Aug 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-30
+- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766
+- Fixed requires and buildrequires as per recommendations in spec file review
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-29
+- Restoring patches 2 and 7 as we still compile all sources
+- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-28
+- restore require sqlite
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-27
+- Don't require sqlite for nss
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-26
+- Ensure versions in the requires match those used when creating nss.pc
+
+* Fri Aug 28 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-25
+- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn
+- Add a temprary hack to nss.pc.in to unblock builds
+
+* Fri Aug 28 2009 Warren Togami <wtogami@redhat.com> - 3.12.3.99.3-24
+- caolan's nss.pc patch
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-23
+- Bump the release number for a chained build of nss-util, nss-softokn and nss
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-22
+- Fix nss-config not to include nssutil
+- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-21
+- disabling all tests while we investigate a buffer overflow bug
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-20
+- disabling some tests while we investigate a buffer overflow bug - 519766
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-19
+- remove patches that are now in nss-softokn and
+- remove spurious exec-permissions for nss.pc per rpmlint
+- single requires line in nss.pc.in
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-18
+- Fix BuildRequires: nss-softokn-devel release number
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com - 3.12.3.99.3-17
+- fix nss.pc.in to have one single requires line
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-16
+- cleanups for softokn
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-15
+- remove the softokn subpackages
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-14
+- don install the nss-util pkgconfig bits
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-13
+- remove from -devel the 3 headers that ship in nss-util-devel
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-12
+- kill off the nss-util nss-util-devel subpackages
+
+* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11
+- split off nss-softokn and nss-util as subpackages with their own rpms
+- first phase of splitting nss-softokn and nss-util as their own packages
+
+* Thu Aug 20 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-10
+- must install libnssutil3.since nss-util is untagged at the moment
+- preserve time stamps when installing various files
+
+* Thu Aug 20 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-9
+- dont install libnssutil3.so since its now in nss-util
+
+* Thu Aug 06 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-7.1
+- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.3.99.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-6
+- removed two patch files which are no longer needed and fixed previous change log number
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-5
+- updated pem module incorporates various patches
+- fix off-by-one error when computing size to reduce memory leak. (483855)
+- fix data type to work on x86_64 systems. (429175)
+- fix various memory leaks and free internal objects on module unload. (501080)
+- fix to not clone internal objects in collect_objects(). (501118)
+- fix to not bypass initialization if module arguments are omitted. (501058)
+- fix numerous gcc warnings. (500815)
+- fix to support arbitrarily long password while loading a private key. (500180)
+- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
+* Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
+- add patch for bug 502133 upstream bug 496997
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-3
+- rebuild with higher release number for upgrade sanity
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-2
+- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75
+* Thu May 07 2009 Kai Engert <kaie@redhat.com> - 3.12.3-7
+- re-enable test suite
+- add patch for upstream bug 488646 and add newer paypal
+ certs in order to make the test suite pass
+* Wed May 06 2009 Kai Engert <kaie@redhat.com> - 3.12.3-4
+- add conflicts info in order to fix bug 499436
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-3
+- ship .chk files instead of running shlibsign at install time
+- include .chk file in softokn-freebl subpackage
+- add patch for upstream nss bug 488350
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2
+- Update to NSS 3.12.3
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-7
+- temporarily disable the test suite because of bug 494266
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-6
+- fix softokn-freebl dependency for multilib (bug 494122)
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-5
+- introduce separate nss-softokn-freebl package
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-4
+- disable execstack when building freebl
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-3
+- add upstream patch to fix bug 483855
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-2
+- build nspr-less freebl library
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-1
+- Update to NSS_3_12_3_BETA4
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Oct 22 2008 Kai Engert <kaie@redhat.com> - 3.12.2.0-3
+- update to NSS_3_12_2_RC1
+- use system zlib
+* Tue Sep 30 2008 Dennis Gilmore <dennis@ausil.us> - 3.12.1.1-4
+- add sparc64 to the list of 64 bit arches
+
+* Wed Sep 24 2008 Kai Engert <kaie@redhat.com> - 3.12.1.1-3
+- bug 456847, move pkgconfig requirement to devel package
+* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-2
+- Update to NSS_3_12_1_RC2
+* Fri Aug 22 2008 Kai Engert <kaie@redhat.com> - 3.12.1.0-2
+- NSS 3.12.1 RC1
+* Fri Aug 15 2008 Kai Engert <kaie@redhat.com> - 3.12.0.3-7
+- fix bug bug 429175 in libpem module
+* Tue Aug 05 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-6
+- bug 456847, add Requires: pkgconfig
+* Tue Jun 24 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-3
+- nss package should own /etc/prelink.conf.d folder, rhbz#452062
+- use upstream patch to fix test suite abort
+* Mon Jun 02 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-2
+- Update to NSS_3_12_RC4
+* Mon Apr 14 2008 Kai Engert <kengert@redhat.com> - 3.12.0.1-1
+- Update to NSS_3_12_RC2
+* Thu Mar 20 2008 Jesse Keating <jkeating@redhat.com> - 3.11.99.5-2
+- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache.
+* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-1
+- Update to NSS_3_12_BETA3
+* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> - 3.11.99.4-1
+- NSS 3.12 Beta 2
+- Use /usr/lib{64} as devel libdir, create symbolic links.
+* Sat Feb 16 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-6
+- Apply upstream patch for bug 417664, enable test suite on pcc.
+* Fri Feb 15 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-5
+- Support concurrent runs of the test suite on a single build host.
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-4
+- disable test suite on ppc
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-3
+- disable test suite on ppc64
+
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-2
+- Build against gcc 4.3.0, use workaround for bug 432146
+- Run the test suite after the build and abort on failures.
+
+* Thu Jan 24 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-1
+* NSS 3.12 Beta 1
+
+* Mon Jan 07 2008 Kai Engert <kengert@redhat.com> - 3.11.99.2b-3
+- move .so files to /lib
+
+* Wed Dec 12 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2b-2
+- NSS 3.12 alpha 2b
+
+* Mon Dec 03 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-2
+- upstream patches to avoid calling netstat for random data
+
+* Wed Nov 07 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-1
+- NSS 3.12 alpha 2
+
+* Wed Oct 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-10
+- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist
+ our signed libraries and protect them from modification.
+
+* Thu Sep 06 2007 Rob Crittenden <rcritten@redhat.com> - 3.11.7-9
+- Fix off-by-one error in the PEM module
+
+* Thu Sep 06 2007 Kai Engert <kengert@redhat.com> - 3.11.7-8
+- fix a C++ mode compilation error
+
+* Wed Sep 05 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.7-7
+- Add 3.12 ckfw and libnsspem
+
+* Tue Aug 28 2007 Kai Engert <kengert@redhat.com> - 3.11.7-6
+- Updated license tag
+
+* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-5
+- Ensure the workaround for mozilla bug 51429 really get's built.
+
+* Mon Jun 18 2007 Kai Engert <kengert@redhat.com> - 3.11.7-4
+- Better approach to ship freebl/softokn based on 3.11.5
+- Remove link time dependency on softokn
+
+* Sun Jun 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-3
+- Fix unowned directories, rhbz#233890
+
+* Fri Jun 01 2007 Kai Engert <kengert@redhat.com> - 3.11.7-2
+- Update to 3.11.7, but freebl/softokn remain at 3.11.5.
+- Use a workaround to avoid mozilla bug 51429.
+
+* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
+- Fix rhbz#230545, failure to enable FIPS mode
+- Fix rhbz#220542, make NSS more tolerant of resets when in the
+ middle of prompting for a user password.
+
+* Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
+- Update to 3.11.5
+- This update fixes two security vulnerabilities with SSL 2
+- Do not use -rpath link option
+- Added several unsupported tools to tools package
+
+* Tue Jan 9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
+- disable ECC, cleanout dead code
+
+* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
+- Update to 3.11.4
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
+- Revert the attempt to require latest NSPR, as it is not yet available
+ in the build infrastructure.
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
+- Update to 3.11.3
+
+* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
+- Add /etc/pki/nssdb
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
+- rebuild
+
+* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
+- Update to 3.11.2
+- Enable executable bit on shared libs, also fixes debug info.
+
+* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
+- Enable Elliptic Curve Cryptography (ECC)
+
+* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
+- Update to 3.11.1
+- Include upstream patch to limit curves
+
+* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
+- add --noexecstack when compiling assembler on x86_64
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
+- rebuild
+
+* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
+- Update file list for the devel packages
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
+- Update to 3.11
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
+- Add patch to allow building on ppc*
+- Update the pkgconfig file to Require nspr
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
+- Initial import into Fedora Core, based on a CVS snapshot of
+ the NSS_3_11_RTM tag
+- Fix up the pkcs11-devel subpackage to contain the proper headers
+- Build with RPM_OPT_FLAGS
+- No need to have rpath of /usr/lib in the pc file
+
+* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
+- Adressed review comments by Wan-Teh Chang, Bob Relyea,
+ Christopher Aillon.
+
+* Sat Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
+- Initial build