diff --git a/.nss.metadata b/.nss.metadata
new file mode 100644
index 0000000..d4c0feb
--- /dev/null
+++ b/.nss.metadata
@@ -0,0 +1,11 @@
+7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
+1a4738a7fcc0bca303b47e9a24739637a9ab6640 SOURCES/TestCA.ca.cert
+d63e287dc5d012993221373fe14a8e1dac5eaff7 SOURCES/TestUser51.cert
+d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
+69c70f63ccf23ca0761e77085fd1970211cdab1e SOURCES/nss-3.15.2.tar.bz2
+f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
+59f95324bb4fad179498bf1ddce2ceb0ee245356 SOURCES/nss-pem-20130405.tar.bz2
+b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
+bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
+4019f0c1959c2b7102d470821e917e9c02551010 SOURCES/TestUser50.cert
+21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
new file mode 100644
index 0000000..36fbd9d
--- /dev/null
+++ b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch
@@ -0,0 +1,406 @@
+From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
+From: Elio Maldonado <emaldona@redhat.com>
+Date: Sat, 9 Feb 2013 17:11:00 -0500
+Subject: [PATCH] Sync up with upstream softokn changes
+
+- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
+- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
+- It now compiles with the NSS_3_14_3_BETA1 source
+---
+ mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
+ 1 files changed, 82 insertions(+), 256 deletions(-)
+
+diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
+index 5ac4f39..3780d30 100644
+--- a/nss/lib/ckfw/pem/rsawrapr.c
++++ b/nss/lib/ckfw/pem/rsawrapr.c
+@@ -46,6 +46,7 @@
+ #include "sechash.h"
+ #include "base.h"
+
++#include "lowkeyi.h"
+ #include "secerr.h"
+
+ #define RSA_BLOCK_MIN_PAD_LEN 8
+@@ -54,9 +55,8 @@
+ #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
+ #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
+
+-#define OAEP_SALT_LEN 8
+-#define OAEP_PAD_LEN 8
+-#define OAEP_PAD_OCTET 0x00
++/* Needed for RSA-PSS functions */
++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+ #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
+
+@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+ return 0;
+ }
+
+-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
+-{
+- SHA1Context *clone = NULL;
+- unsigned char *pBuf;
+- int sha1ContextSize = SHA1_FlattenSize(original);
+- SECStatus frv;
+- unsigned char buf[FLAT_BUFSIZE];
+-
+- PORT_Assert(sizeof buf >= sha1ContextSize);
+- if (sizeof buf >= sha1ContextSize) {
+- pBuf = buf;
+- } else {
+- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
+- if (!pBuf)
+- goto done;
+- }
+-
+- frv = SHA1_Flatten(original, pBuf);
+- if (frv == SECSuccess) {
+- clone = SHA1_Resurrect(pBuf, NULL);
+- memset(pBuf, 0, sha1ContextSize);
+- }
+- done:
+- if (pBuf != buf)
+- nss_ZFreeIf(pBuf);
+- return clone;
++/* Constant time comparison of a single byte.
++ * Returns 1 iff a == b, otherwise returns 0.
++ * Note: For ranges of bytes, use constantTimeCompare.
++ */
++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
++ unsigned char c = ~(a - b | b - a);
++ c >>= 7;
++ return c;
+ }
+
+-/*
+- * Modify data by XORing it with a special hash of salt.
++/* Constant time comparison of a range of bytes.
++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
++ * returns 0.
+ */
+-static SECStatus
+-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+- unsigned char *salt, unsigned int saltlen)
+-{
+- SHA1Context *sha1cx;
+- unsigned char *dp, *dataend;
+- unsigned char end_octet;
+-
+- sha1cx = SHA1_NewContext();
+- if (sha1cx == NULL) {
+- return SECFailure;
+- }
+-
+- /*
+- * Get a hash of salt started; we will use it several times,
+- * adding in a different end octet (x00, x01, x02, ...).
+- */
+- SHA1_Begin(sha1cx);
+- SHA1_Update(sha1cx, salt, saltlen);
+- end_octet = 0;
+-
+- dp = data;
+- dataend = data + datalen;
+-
+- while (dp < dataend) {
+- SHA1Context *sha1cx_h1;
+- unsigned int sha1len, sha1off;
+- unsigned char sha1[SHA1_LENGTH];
+-
+- /*
+- * Create hash of (salt || end_octet)
+- */
+- sha1cx_h1 = SHA1_CloneContext(sha1cx);
+- SHA1_Update(sha1cx_h1, &end_octet, 1);
+- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
+- PORT_Assert(sha1len == SHA1_LENGTH);
+-
+- /*
+- * XOR that hash with the data.
+- * When we have fewer than SHA1_LENGTH octets of data
+- * left to xor, use just the low-order ones of the hash.
+- */
+- sha1off = 0;
+- if ((dataend - dp) < SHA1_LENGTH)
+- sha1off = SHA1_LENGTH - (dataend - dp);
+- while (sha1off < SHA1_LENGTH)
+- *dp++ ^= sha1[sha1off++];
+-
+- /*
+- * Bump for next hash chunk.
+- */
+- end_octet++;
+- }
+-
+- SHA1_DestroyContext(sha1cx, PR_TRUE);
+- return SECSuccess;
++static unsigned char constantTimeCompare(const unsigned char *a,
++ const unsigned char *b,
++ unsigned int len) {
++ unsigned char tmp = 0;
++ unsigned int i;
++ for (i = 0; i < len; ++i, ++a, ++b)
++ tmp |= *a ^ *b;
++ return constantTimeEQ8(0x00, tmp);
+ }
+
+-/*
+- * Modify salt by XORing it with a special hash of data.
++/* Constant time conditional.
++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
++ * not 0 or 1.
+ */
+-static SECStatus
+-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+- unsigned char *data, unsigned int datalen)
++static unsigned int constantTimeCondition(unsigned int c,
++ unsigned int a,
++ unsigned int b)
+ {
+- unsigned char sha1[SHA1_LENGTH];
+- unsigned char *psalt, *psha1, *saltend;
+- SECStatus rv;
+-
+- /*
+- * Create a hash of data.
+- */
+- rv = SHA1_HashBuf(sha1, data, datalen);
+- if (rv != SECSuccess) {
+- return rv;
+- }
+-
+- /*
+- * XOR the low-order octets of that hash with salt.
+- */
+- PORT_Assert(saltlen <= SHA1_LENGTH);
+- saltend = salt + saltlen;
+- psalt = salt;
+- psha1 = sha1 + SHA1_LENGTH - saltlen;
+- while (psalt < saltend) {
+- *psalt++ ^= *psha1++;
+- }
+-
+- return SECSuccess;
++ return (~(c - 1) & a) | ((c - 1) & b);
+ }
+
+ /*
+@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+ unsigned char *block;
+ unsigned char *bp;
+ int padLen;
+- int i;
++ int i, j;
+ SECStatus rv;
+
+ block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
+@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+ */
+ case RSA_BlockPublic:
+
+- /*
+- * 0x00 || BT || Pad || 0x00 || ActualData
+- * 1 1 padLen 1 data->len
+- * Pad is all non-zero random bytes.
+- */
+- padLen = modulusLen - data->len - 3;
+- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- for (i = 0; i < padLen; i++) {
+- /* Pad with non-zero random data. */
+- do {
+- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+- } while (rv == SECSuccess
+- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- }
+- bp += padLen;
+- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+- nsslibc_memcpy(bp, data->data, data->len);
+-
+- break;
+-
+- /*
+- * Blocks intended for public-key operation, using
+- * Optimal Asymmetric Encryption Padding (OAEP).
+- */
+- case RSA_BlockOAEP:
+- /*
+- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
+- *
+- * where:
+- * PaddedData is "Pad1 || ActualData [|| Pad2]"
+- * Salt is random data.
+- * Pad1 is all zeros.
+- * Pad2, if present, is random data.
+- * (The "modified" fields are all the same length as the original
+- * unmodified values; they are just xor'd with other values.)
+- *
+- * Modified1 is an XOR of PaddedData with a special octet
+- * string constructed of iterated hashing of Salt (see below).
+- * Modified2 is an XOR of Salt with the low-order octets of
+- * the hash of Modified1 (see farther below ;-).
+- *
+- * Whew!
+- */
+-
+-
+- /*
+- * Salt
+- */
+- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- bp += OAEP_SALT_LEN;
+-
+- /*
+- * Pad1
+- */
+- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+- bp += OAEP_PAD_LEN;
+-
+- /*
+- * Data
+- */
+- nsslibc_memcpy(bp, data->data, data->len);
+- bp += data->len;
+-
+- /*
+- * Pad2
+- */
+- if (bp < (block + modulusLen)) {
+- rv = RNG_GenerateGlobalRandomBytes(bp,
+- block - bp + modulusLen);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- }
+-
+- /*
+- * Now we have the following:
+- * 0x00 || BT || Salt || PaddedData
+- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+- * as the one entity PaddedData.)
+- *
+- * We need to turn PaddedData into Modified1.
+- */
+- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+- modulusLen - 2 - OAEP_SALT_LEN,
+- block + 2, OAEP_SALT_LEN) != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+-
+- /*
+- * Now we have:
+- * 0x00 || BT || Salt || Modified1(PaddedData)
+- *
+- * The remaining task is to turn Salt into Modified2.
+- */
+- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+- block + 2 + OAEP_SALT_LEN,
+- modulusLen - 2 - OAEP_SALT_LEN) !=
+- SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+-
+- break;
++ /*
++ * 0x00 || BT || Pad || 0x00 || ActualData
++ * 1 1 padLen 1 data->len
++ * Pad is all non-zero random bytes.
++ *
++ * Build the block left to right.
++ * Fill the entire block from Pad to the end with random bytes.
++ * Use the bytes after Pad as a supply of extra random bytes from
++ * which to find replacements for the zero bytes in Pad.
++ * If we need more than that, refill the bytes after Pad with
++ * new random bytes as necessary.
++ */
++ padLen = modulusLen - (data->len + 3);
++ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
++ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
++ nss_ZFreeIf (block);
++ return NULL;
++ }
++ j = modulusLen - 2;
++ rv = RNG_GenerateGlobalRandomBytes(bp, j);
++ if (rv == SECSuccess) {
++ for (i = 0; i < padLen; ) {
++ unsigned char repl;
++ /* Pad with non-zero random data. */
++ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
++ ++i;
++ continue;
++ }
++ if (j <= padLen) {
++ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
++ modulusLen - (2 + padLen));
++ if (rv != SECSuccess)
++ break;
++ j = modulusLen - 2;
++ }
++ do {
++ repl = bp[--j];
++ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
++ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
++ bp[i++] = repl;
++ }
++ }
++ }
++ if (rv != SECSuccess) {
++ /*sftk_fatalError = PR_TRUE;*/
++ nss_ZFreeIf (block);
++ return NULL;
++ }
++ bp += padLen;
++ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
++ nsslibc_memcpy(bp, data->data, data->len);
++ break;
+
+ default:
+ PORT_Assert(0);
+@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
+
+ break;
+
+- case RSA_BlockOAEP:
+- /*
+- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+- *
+- * The "2" below is the first octet + the second octet.
+- * (The other fields do not contain the clear values, but are
+- * the same length as the clear values.)
+- */
+- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+- + OAEP_PAD_LEN)));
+-
+- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+- if (result->data == NULL) {
+- result->len = 0;
+- return SECFailure;
+- }
+- result->len = modulusLen;
+-
+- break;
+-
+ case RSA_BlockRaw:
+ /*
+ * Pad || ActualData
+--
+1.7.1
+
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
new file mode 100644
index 0000000..a9bc128
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -0,0 +1,75 @@
+diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
+--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
++++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
+@@ -7,6 +7,10 @@ ifdef NISCC_TEST
+ DEFINES += -DNISCC_TEST
+ endif
+
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+ ifdef NSS_NO_PKCS11_BYPASS
+ DEFINES += -DNO_PKCS11_BYPASS
+ else
+diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
++++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
+@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ break;
+
+ case SSL_ENABLE_SSL2:
++#ifdef NSS_NO_SSL2
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ }
++ break;
++ ss->opt.enableSSL2 = on;
++#else
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ if (on) {
+ ss->opt.v2CompatibleHello = on;
+ }
++#endif
+ ss->preferredCipher = NULL;
+ if (ss->cipherSpecs) {
+ PORT_Free(ss->cipherSpecs);
+@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ break;
+
+ case SSL_V2_COMPATIBLE_HELLO:
++#ifdef NSS_NO_SSL2
++ if (on) {
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++ break;
++ }
++#else
+ if (IS_DTLS(ss)) {
+ if (on) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ }
+ break;
+ }
++#endif
+ ss->opt.v2CompatibleHello = on;
+ if (!on) {
+ ss->opt.enableSSL2 = on;
+@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
+ if (ssl_IsRemovedCipherSuite(which)) {
+ rv = SECSuccess;
+ } else if (SSL_IS_SSL2_CIPHER(which)) {
++#ifdef NSS_NO_SSL2
++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++ rv = SECFailure; /* not allowed */
++#else
+ rv = ssl2_SetPolicy(which, policy);
++#endif
+ } else {
+ rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+ }
diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
new file mode 100644
index 0000000..bf0adcb
--- /dev/null
+++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch
@@ -0,0 +1,13 @@
+diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700
++++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800
+@@ -278,6 +278,9 @@ ssl_cov()
+ echo "${testname}" | grep "SSL2" > /dev/null
+ SSL2=$?
+
++ # skip export and ssl2 tests when build has disabled SSL2
++ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue
++
+ if [ "${SSL2}" -eq 0 ] ; then
+ # We cannot use asynchronous cert verification with SSL2
+ SSL2_FLAGS=-O
diff --git a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
new file mode 100644
index 0000000..6f0e88c
--- /dev/null
+++ b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
@@ -0,0 +1,44 @@
+--- nss/lib/ckfw/pem/psession.c
++++ nss/lib/ckfw/pem/psession.c
+@@ -230,6 +230,7 @@ pem_mdSession_Login
+ unsigned int len = 0;
+ NSSLOWKEYPrivateKey *lpk = NULL;
+ PLArenaPool *arena;
++ SECItem plain;
+ int i;
+
+ fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
+@@ -306,23 +321,27 @@ pem_mdSession_Login
+ lpk->keyType = NSSLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+
+- nss_ZFreeIf(io->u.key.key.privateKey->data);
+- io->u.key.key.privateKey->len = len - output[len - 1];
+- io->u.key.key.privateKey->data =
+- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+
+ /* Decode the resulting blob and see if it is a decodable DER that fits
+ * our private key template. If so we declare success and move on. If not
+ * then we return an error.
+ */
++ memset(&plain, 0, sizeof(plain));
++ plain.data = output;
++ plain.len = len - output[len - 1];
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+- io->u.key.key.privateKey);
++ &plain);
+ pem_DestroyPrivateKey(lpk);
+ arena = NULL;
+ if (rv != SECSuccess)
+ goto loser;
+
++ nss_ZFreeIf(io->u.key.key.privateKey->data);
++ io->u.key.key.privateKey->len = len - output[len - 1];
++ io->u.key.key.privateKey->data =
++ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
++ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
++
+ rv = CKR_OK;
+
+ loser:
diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch
new file mode 100644
index 0000000..7ab9db1
--- /dev/null
+++ b/SOURCES/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
diff --git a/SOURCES/cert8.db.xml b/SOURCES/cert8.db.xml
new file mode 100644
index 0000000..e82948d
--- /dev/null
+++ b/SOURCES/cert8.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert8.db">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>cert8.db</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>cert8.db</refname>
+ <refpurpose>Legacy NSS certificate database</refpurpose>
+ </refnamediv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
+ <para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/cert8.db</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+
+ </refsection>
+
+
+</refentry>
diff --git a/SOURCES/cert9.db.xml b/SOURCES/cert9.db.xml
new file mode 100644
index 0000000..6cff889
--- /dev/null
+++ b/SOURCES/cert9.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="cert9.db">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>cert9.db</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>cert9.db</refname>
+ <refpurpose>Legacy NSS certificate database</refpurpose>
+ </refnamediv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
+ <para>This certificate database is the sqlite-based shared databse with support for concurrent access.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/cert9.db</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>pkcs11.txt(5)</para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+
+ </refsection>
+
+
+</refentry>
diff --git a/SOURCES/disable-ocsp-stapling-tests.patch b/SOURCES/disable-ocsp-stapling-tests.patch
new file mode 100644
index 0000000..df27c0e
--- /dev/null
+++ b/SOURCES/disable-ocsp-stapling-tests.patch
@@ -0,0 +1,9 @@
+diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
+--- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700
++++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700
+@@ -115,4 +115,4 @@ ocsp_stapling()
+ ################## main #################################################
+ ocsp_init
+ ocsp_iopr_run
+-ocsp_stapling
++#ocsp_stapling
diff --git a/SOURCES/document-certutil-email-option.patch b/SOURCES/document-certutil-email-option.patch
new file mode 100644
index 0000000..b9ca7e1
--- /dev/null
+++ b/SOURCES/document-certutil-email-option.patch
@@ -0,0 +1,25 @@
+diff --git a/doc/certutil.xml b/doc/certutil.xml
+--- a/doc/certutil.xml
++++ b/doc/certutil.xml
+@@ -204,16 +204,21 @@ If this option is not used, the validity
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e </term>
+ <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
++ <term>--email email-address</term>
++ <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term>-f password-file</term>
+ <listitem><para>Specify a file that will automatically supply the password to include in a certificate
+ or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
+ unauthorized access to this file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g keysize</term>
diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
new file mode 100644
index 0000000..3870cfc
--- /dev/null
+++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch
@@ -0,0 +1,78 @@
+diff -up nss/lib/pk11wrap/pk11pars.c.fips nss/lib/pk11wrap/pk11pars.c
+--- nss/lib/pk11wrap/pk11pars.c.fips 2013-05-28 14:43:24.000000000 -0700
++++ nss/lib/pk11wrap/pk11pars.c 2013-07-10 18:54:16.733465910 -0700
+@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library,
+ }
+ mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
+ mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
++ /* if the system FIPS mode is enabled, force FIPS to be on */
++ if (SECMOD_GetSystemFIPSEnabled()) {
++ mod->isFIPS = PR_TRUE;
++ }
+ mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
+ slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc);
+ mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
+diff -up nss/lib/pk11wrap/pk11util.c.fips nss/lib/pk11wrap/pk11util.c
+--- nss/lib/pk11wrap/pk11util.c.fips 2013-05-28 14:43:24.000000000 -0700
++++ nss/lib/pk11wrap/pk11util.c 2013-07-10 18:54:16.734465927 -0700
+@@ -95,6 +95,25 @@ SECMOD_Shutdown()
+ return SECSuccess;
+ }
+
++int SECMOD_GetSystemFIPSEnabled(void) {
++#ifdef LINUX
++ FILE *f;
++ char d;
++ size_t size;
++
++ f = fopen("/proc/sys/crypto/fips_enabled", "r");
++ if (!f)
++ return 0;
++
++ size = fread(&d, 1, 1, f);
++ fclose(f);
++ if (size != 1)
++ return 0;
++ if (d == '1')
++ return 1;
++#endif
++ return 0;
++}
+
+ /*
+ * retrieve the internal module
+@@ -417,7 +436,7 @@ SECMOD_DeleteInternalModule(const char *
+ SECMODModuleList **mlpp;
+ SECStatus rv = SECFailure;
+
+- if (pendingModule) {
++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
+ PORT_SetError(SEC_ERROR_MODULE_STUCK);
+ return rv;
+ }
+@@ -888,7 +907,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis
+ PRBool
+ SECMOD_CanDeleteInternalModule(void)
+ {
+- return (PRBool) (pendingModule == NULL);
++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
+ }
+
+ /*
+diff -up nss/lib/pk11wrap/secmodi.h.fips nss/lib/pk11wrap/secmodi.h
+--- nss/lib/pk11wrap/secmodi.h.fips 2013-07-10 18:55:06.358298154 -0700
++++ nss/lib/pk11wrap/secmodi.h 2013-07-10 18:56:52.050069372 -0700
+@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
+ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+ SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
+-
++/* Get the state of the system FIPS mode */
++/* NSS uses this to force FIPS mode if the system bit is on. Applications which
++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
++ * from FIPS mode will automatically be told that they can't swith out of FIPS
++ * mode */
++int SECMOD_GetSystemFIPSEnabled();
+
+ extern void pk11sdr_Init(void);
+ extern void pk11sdr_Shutdown(void);
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
new file mode 100644
index 0000000..3df4927
--- /dev/null
+++ b/SOURCES/iquote.patch
@@ -0,0 +1,62 @@
+diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
+--- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700
++++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700
+@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
++INCLUDES += -iquote $(DIST)/../private/nss
+
+
+ #######################################################################
+diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
+--- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700
++++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700
+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../private/nss
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700
++++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700
+@@ -45,6 +45,10 @@ endif
+
+ ifdef NSS_INCLUDE_DIR
+ INCLUDES += -I$(NSS_INCLUDE_DIR)
++ ifdef IN_TREE_FREEBL_HEADERS_FIRST
++ INCLUDES += -iquote $(DIST)/../public/nss
++ INCLUDES += -iquote $(DIST)/../private/nss
++ endif
+ endif
+
+ ifndef NSS_LIB_DIR
+diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
+--- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700
++++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
+--- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700
++++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700
+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL) #
+ #######################################################################
+
+-
++INCLUDES += -iquote $(DIST)/../public/nss
+
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
diff --git a/SOURCES/key3.db.xml b/SOURCES/key3.db.xml
new file mode 100644
index 0000000..444d7aa
--- /dev/null
+++ b/SOURCES/key3.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key3.db">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>key3.db</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>key3.db</refname>
+ <refpurpose>Legacy NSS certificate database</refpurpose>
+ </refnamediv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
+ <para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/key3.db</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+
+ </refsection>
+
+
+</refentry>
diff --git a/SOURCES/key4.db.xml b/SOURCES/key4.db.xml
new file mode 100644
index 0000000..9b65f41
--- /dev/null
+++ b/SOURCES/key4.db.xml
@@ -0,0 +1,59 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="key4.db">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>key4.db</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>key4.db</refname>
+ <refpurpose>NSS certificate database</refpurpose>
+ </refnamediv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><emphasis>key4.db</emphasis> is an NSS key database.</para>
+ <para>This key database is the sqlite-based shared database format with support for concurrent access.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/key4.db</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>pkcs11.txt(5)</para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+
+ </refsection>
+
+
+</refentry>
diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
new file mode 100644
index 0000000..3347ee9
--- /dev/null
+++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch
@@ -0,0 +1,11 @@
+diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
+--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
+@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
+ realcerts.cfg
+ dsa.cfg
+ revoc.cfg
+-ocsp.cfg
+ crldp.cfg
+ trustanchors.cfg
+ nameconstraints.cfg
diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch
new file mode 100644
index 0000000..3798c35
--- /dev/null
+++ b/SOURCES/nss-539183.patch
@@ -0,0 +1,54 @@
+diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+--- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700
+@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
++ PRUint16 socketDomain = PR_AF_INET;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ if (PR_GetEnv("NSS_USE_SDP")) {
++ socketDomain = PR_AF_INET_SDP;
++ }
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
+diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+--- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700
+@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
++ PRUint16 socketDomain = PR_AF_INET;
+
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+
+- listen_sock = PR_NewTCPSocket();
++ if (PR_GetEnv("NSS_USE_SDP")) {
++ socketDomain = PR_AF_INET_SDP;
++ }
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+
+ opt.option = PR_SockOpt_Nonblocking;
diff --git a/SOURCES/nss-646045.patch b/SOURCES/nss-646045.patch
new file mode 100644
index 0000000..33b80fe
--- /dev/null
+++ b/SOURCES/nss-646045.patch
@@ -0,0 +1,34 @@
+diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh
+--- nss/tests/dbtests/dbtests.sh.646045 2013-04-04 13:31:55.000000000 -0700
++++ nss/tests/dbtests/dbtests.sh 2013-04-04 15:57:46.298127149 -0700
+@@ -168,6 +168,9 @@ dbtest_main()
+ cat $RONLY_DIR/* > /dev/null
+ fi
+
++ # skipping the next two tests when user is root,
++ # otherwise they would fail due to rooty powers
++ if [[ $EUID -ne 0 ]] then
+ ${BINDIR}/dbtest -d $RONLY_DIR
+ ret=$?
+ if [ $ret -ne 46 ]; then
+@@ -175,6 +178,10 @@ dbtest_main()
+ else
+ html_passed "Dbtest r/w didn't work in an readonly dir $ret"
+ fi
++ else
++ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
++ fi
++ if [[ $EUID -ne 0 ]] then
+ ${BINDIR}/certutil -D -n "TestUser" -d .
+ ret=$?
+ if [ $ret -ne 255 ]; then
+@@ -182,6 +189,9 @@ dbtest_main()
+ else
+ html_passed "Certutil didn't work in an readonly dir $ret"
+ fi
++ else
++ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root"
++ fi
+
+ Echo "test opening the database ronly in a readonly directory"
+
diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in
new file mode 100644
index 0000000..f8f893e
--- /dev/null
+++ b/SOURCES/nss-config.in
@@ -0,0 +1,145 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+ cat <<EOF
+Usage: nss-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--includedir[=DIR]]
+ [--libdir[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Dynamic Libraries:
+ nss
+ nssutil
+ ssl
+ smime
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+lib_ssl=yes
+lib_smime=yes
+lib_nss=yes
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ ssl)
+ lib_ssl=yes
+ ;;
+ smime)
+ lib_smime=yes
+ ;;
+ nss)
+ lib_nss=yes
+ ;;
+ nssutil)
+ lib_nssutil=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_ssl"; then
+ libdirs="$libdirs -lssl${major_version}"
+ fi
+ if test -n "$lib_smime"; then
+ libdirs="$libdirs -lsmime${major_version}"
+ fi
+ if test -n "$lib_nss"; then
+ libdirs="$libdirs -lnss${major_version}"
+ fi
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/SOURCES/nss-config.xml b/SOURCES/nss-config.xml
new file mode 100644
index 0000000..f9518c9
--- /dev/null
+++ b/SOURCES/nss-config.xml
@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-config">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>nss-config</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-config</refname>
+ <refpurpose>Return meta information about nss libraries</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nss-config</command>
+ <arg><option>--prefix</option></arg>
+ <arg><option>--exec-prefix</option></arg>
+ <arg><option>--includedir</option></arg>
+ <arg><option>--libs</option></arg>
+ <arg><option>--cflags</option></arg>
+ <arg><option>--libdir</option></arg>
+ <arg><option>--version</option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+<refsection id="description">
+ <title>Description</title>
+
+ <para><command>nss-config</command> is a shell scrip
+ tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
+
+ </refsection>
+
+ <refsection>
+ <title>Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--prefix</option></term>
+ <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--exec-prefix</option></term>
+ <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--includedir</option> <replaceable>count</replaceable></term>
+ <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--version</option></term>
+ <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--libs</option></term>
+ <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--cflags</option></term>
+ <listitem><simpara>returns the compiler include flags.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--libdir</option></term>
+ <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsection>
+
+ <refsection>
+ <title>Examples</title>
+
+ <para>The following example will query for both include path and linkage flags:
+
+ <programlisting>
+ /usr/bin/nss-config --cflags --libs
+ </programlisting>
+
+ </para>
+
+
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+
+ <para><filename>/usr/bin/nss-config</filename></para>
+
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>pkg-config(1)</para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>
+ Authors: Elio Maldonado <emaldona@redhat.com>.
+ </para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
+
diff --git a/SOURCES/nss-enable-pem.patch b/SOURCES/nss-enable-pem.patch
new file mode 100644
index 0000000..723039a
--- /dev/null
+++ b/SOURCES/nss-enable-pem.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
+--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
++++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
+@@ -5,7 +5,7 @@
+
+ CORE_DEPTH = ../..
+
+-DIRS = builtins
++DIRS = builtins pem
+
+ PRIVATE_EXPORTS = \
+ ck.h \
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 0000000..7d2427b
--- /dev/null
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,17 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
+@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
+ DIRS += libpkix
+ endif
+
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+ BLTEST_SRCDIR =
+-FIPSTEST_SRCDIR =
+-SHLIBSIGN_SRCDIR =
++FIPSTEST_SRCDIR =
++SHLIBSIGN_SRCDIR = shlibsign
+ else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest
diff --git a/SOURCES/nss-versus-softoken-tests.patch b/SOURCES/nss-versus-softoken-tests.patch
new file mode 100644
index 0000000..e77487d
--- /dev/null
+++ b/SOURCES/nss-versus-softoken-tests.patch
@@ -0,0 +1,38 @@
+diff -up nss/tests/all.sh.crypto nss/tests/all.sh
+--- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
+@@ -299,9 +299,10 @@ fi
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the
+ # following test for modutil should check for that instead.
++# Except when building softoken only where shlibsign is the last one built.
++export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
+
+-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
+- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
++if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
+ echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+ html_head "Testing Initialization"
+ Exit "Checking for build"
+diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
+--- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
+@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
+ return 0
+ fi
+ cipher_init
+-cipher_main
+-cipher_gcm
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
++ echo "Skipping cipher_gcm because this is a softoken only build"
++ cipher_main
++elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
++ echo "Skipping cipher_main because this an nss without softoken build"
++ cipher_gcm
++else
++ # default is to run both
++ cipher_init
++ cipher_main
++ cipher_gcm
++fi
+ cipher_cleanup
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/nsspem-use-system-freebl.patch b/SOURCES/nsspem-use-system-freebl.patch
new file mode 100644
index 0000000..115b49c
--- /dev/null
+++ b/SOURCES/nsspem-use-system-freebl.patch
@@ -0,0 +1,80 @@
+diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
+--- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700
+@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
+ # are specifed as dependencies within rules.mk.
+ #
+
++
++EXTRA_LIBS += \
++ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
++ $(NULL)
++
+ TARGETS = $(SHARED_LIBRARY)
+ LIBRARY =
+ IMPORT_LIBRARY =
+@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
+ MKSHLIB += -R '$$ORIGIN'
+ endif
+
++# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
++# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_NSSUTIL
++OS_LIBS += $(NSSUTIL_LIBS)
++else
++NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(NSSUTIL_LIBS)
++endif
++# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
++# FREEBL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_FREEBL
++OS_LIBS += $(FREEBL_LIBS)
++else
++FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(FREEBL_LIBS)
++endif
++
+diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
+--- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700
+@@ -43,8 +43,7 @@ include config.mk
+ EXTRA_LIBS = \
+ $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
++ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+@@ -56,6 +55,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3
+ $(NULL)
+ else
+ EXTRA_SHARED_LIBS += \
+@@ -74,6 +76,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3 \
+ $(NULL)
+ endif
+
+diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
+--- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700
+@@ -65,4 +65,4 @@ REQUIRES = nspr
+
+ LIBRARY_NAME = nsspem
+
+-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
++EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
new file mode 100644
index 0000000..c6632b3
--- /dev/null
+++ b/SOURCES/p-ignore-setpolicy.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
+ rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
+ }
+ return rv;
+ }
+
+ SECStatus
+ NSS_SetDomesticPolicy(void)
+ {
+- SECStatus status = SECSuccess;
+ const PRUint16 *cipher;
+
+ for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
+- if (status != SECSuccess)
+- break;
++ SSL_SetPolicy(*cipher, SSL_ALLOWED);
+ }
+- return status;
++ return SECSuccess;
+ }
+
+ SECStatus
+ NSS_SetExportPolicy(void)
+ {
+ return NSS_SetDomesticPolicy();
+ }
+
diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/SOURCES/pkcs11.txt.xml
@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>pkcs11.txt</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>pkcs11.txt</refname>
+ <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+ </refnamediv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+ </para>
+ <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
+
diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch
new file mode 100644
index 0000000..c55a1a2
--- /dev/null
+++ b/SOURCES/renegotiate-transitional.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700
++++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700
+@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+- 2, /* enableRenegotiation (default: requires extension) */
++ 3, /* enableRenegotiation (default: transitional) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
diff --git a/SOURCES/secmod.db.xml b/SOURCES/secmod.db.xml
new file mode 100644
index 0000000..afc9dce
--- /dev/null
+++ b/SOURCES/secmod.db.xml
@@ -0,0 +1,63 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="secmod.db">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>secmod.db</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>secmod.db</refname>
+ <refpurpose>Legacy NSS security modules database</refpurpose>
+ </refnamediv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
+ <para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
+ </para>
+ <para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
+ </para>
+ <para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/etc/pki/nssdb/secmod.db</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+
+ </refsection>
+
+
+</refentry>
diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh
new file mode 100755
index 0000000..8e1f5f7
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.sh
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <<EOF
+Usage: setup-nsssysinit [on|off]
+ on - turns on nsssysinit
+ off - turns off nsssysinit
+ status - reports whether nsssysinit is turned on or off
+EOF
+ exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+ usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml
new file mode 100644
index 0000000..bca4bfa
--- /dev/null
+++ b/SOURCES/setup-nsssysinit.xml
@@ -0,0 +1,106 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="setup-nsssysinit">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>Network Security Services</title>
+ <productname>nss</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>setup-nsssysinit</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>setup-nsssysinit</refname>
+ <refpurpose>Query or enable the nss-sysinit module</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>setup-nsssysinit</command>
+ <arg><option>on</option></arg>
+ <arg><option>off</option></arg>
+ <arg><option>status</option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+<refsection id="description">
+ <title>Description</title>
+ <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
+ <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+ </para>
+ </refsection>
+
+ <refsection>
+ <title>Options</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>on</option></term>
+ <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>off</option></term>
+ <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>status</option> <replaceable>count</replaceable></term>
+ <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsection>
+
+ <refsection>
+ <title>Examples</title>
+
+ <para>The following example will query for the status of nss-sysinit:
+ <programlisting>
+ /usr/bin/setup-nsssysinit --status
+ </programlisting>
+ </para>
+
+ <para>The following example, when run as superuser, will turn on nss-sysinit:
+ <programlisting>
+ /usr/bin/setup-nsssysinit --on
+ </programlisting>
+ </para>
+
+ </refsection>
+
+ <refsection>
+ <title>Files</title>
+ <para><filename>/usr/sbin/setup-nsssysinit</filename></para>
+ </refsection>
+
+ <refsection>
+ <title>See also</title>
+ <para>pkg-config(1)</para>
+ </refsection>
+
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
+
diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt
new file mode 100644
index 0000000..c2f5704
--- /dev/null
+++ b/SOURCES/system-pkcs11.txt
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch
new file mode 100644
index 0000000..649b548
--- /dev/null
+++ b/SOURCES/utilwrap-include-templates.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..fffec65
--- /dev/null
+++ b/SPECS/nss.spec
@@ -0,0 +1,1645 @@
+%global nspr_version 4.10
+%global nss_util_version 3.15.2
+%global nss_softokn_fips_version 3.12.9
+%global nss_softokn_version 3.15.2
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 s390x sparc64 x86_64
+%ifarch %{multilib_arches}
+%define alt_ckbi libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi libnssckbi.so
+%endif
+
+# Define if using a source archive like "nss-version.with.ckbi.version".
+# To "disable", add "#" to start of line, AND a space after "%".
+#% define nss_ckbi_suffix .with.ckbi.1.93
+
+Summary: Network Security Services
+Name: nss
+Version: 3.15.2
+Release: 8%{?dist}
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Group: System Environment/Libraries
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{nss_util_version}
+# TODO: revert to same version as nss once we are done with the merge
+Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
+Requires: nss-system-init
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: nspr-devel >= %{nspr_version}
+# TODO: revert to same version as nss once we are done with the merge
+# Using '>=' but on RHEL the requires should be '='
+BuildRequires: nss-softokn-devel >= %{nss_softokn_version}
+BuildRequires: nss-util-devel >= %{nss_util_version}
+BuildRequires: sqlite-devel
+BuildRequires: zlib-devel
+BuildRequires: pkgconfig
+BuildRequires: gawk
+BuildRequires: psmisc
+BuildRequires: perl
+
+%{!?nss_ckbi_suffix:%define full_nss_version %{version}}
+%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}}
+
+Source0: %{name}-%{full_nss_version}.tar.bz2
+Source1: nss.pc.in
+Source2: nss-config.in
+Source3: blank-cert8.db
+Source4: blank-key3.db
+Source5: blank-secmod.db
+Source6: blank-cert9.db
+Source7: blank-key4.db
+Source8: system-pkcs11.txt
+Source9: setup-nsssysinit.sh
+Source10: PayPalEE.cert
+Source12: %{name}-pem-20130405.tar.bz2
+Source17: TestCA.ca.cert
+Source18: TestUser50.cert
+Source19: TestUser51.cert
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+
+Patch2: add-relro-linker-option.patch
+Patch3: renegotiate-transitional.patch
+Patch6: nss-enable-pem.patch
+Patch16: nss-539183.patch
+Patch18: nss-646045.patch
+# must statically link pem against the freebl in the buildroot
+# Needed only when freebl on tree has new APIS
+Patch25: nsspem-use-system-freebl.patch
+# TODO: Remove this patch when the ocsp test are fixed
+Patch40: nss-3.14.0.0-disble-ocsp-test.patch
+Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
+Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
+# The ocsp stapling tests currently require access to the
+# kuix.de test server but koji forbids outbount connections
+Patch46: disable-ocsp-stapling-tests.patch
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47: utilwrap-include-templates.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
+Patch48: nss-versus-softoken-tests.patch
+# TODO remove when we switch to building nss without softoken
+Patch49: nss-skip-bltest-and-fipstest.patch
+Patch50: iquote.patch
+Patch52: Bug-1001841-disable-sslv2-libssl.patch
+Patch53: Bug-1001841-disable-sslv2-tests.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
+Patch54: document-certutil-email-option.patch
+Patch55: enable-fips-when-system-is-in-fips-mode.patch
+# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
+Patch56: p-ignore-setpolicy.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package tools
+Summary: Tools for the Network Security Services
+Group: System Environment/Base
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description tools
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+Install the nss-tools package if you need command-line tools to
+manipulate the NSS certificate and key database.
+
+%package sysinit
+Summary: System NSS Initialization
+Group: System Environment/Base
+# providing nss-system-init without version so that it can
+# be replaced by a better one, e.g. supplied by the os vendor
+Provides: nss-system-init
+Requires: nss = %{version}-%{release}
+Requires(post): coreutils, sed
+
+%description sysinit
+Default Operating System module that manages applications loading
+NSS globally on the system. This module loads the system defined
+PKCS #11 modules for NSS and chains with other NSS modules to load
+any system or user configured modules.
+
+%package devel
+Summary: Development libraries for Network Security Services
+Group: Development/Libraries
+Provides: nss-static = %{version}-%{release}
+Requires: nss = %{version}-%{release}
+Requires: nss-util-devel
+Requires: nss-softokn-devel
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconfig
+BuildRequires: xmlto
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+
+%package pkcs11-devel
+Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
+Group: Development/Libraries
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss-devel = %{version}-%{release}
+# TODO: revert to using nss_softokn_version once we are done with
+# the merge into to new rhel git repo
+# For RHEL we should have '=' instead of '>='
+Requires: nss-softokn-freebl-devel >= %{nss_softokn_version}
+
+%description pkcs11-devel
+Library files for developing PKCS #11 modules using basic NSS
+low level services.
+
+
+%prep
+%setup -q
+%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%setup -q -T -D -n %{name}-%{version} -a 12
+
+%patch2 -p0 -b .relro
+%patch3 -p0 -b .transitional
+%patch6 -p0 -b .libpem
+%patch16 -p0 -b .539183
+%patch18 -p0 -b .646045
+# link pem against buildroot's freebl, essential when mixing and matching
+%patch25 -p0 -b .systemfreebl
+%patch40 -p0 -b .noocsptest
+%patch44 -p1 -b .syncupwithupstream
+%patch45 -p0 -b .notrash
+%patch46 -p0 -b .skipoutbound
+%patch47 -p0 -b .templates
+%patch48 -p0 -b .crypto
+%patch49 -p0 -b .skipthem
+%patch50 -p0 -b .iquote
+%patch52 -p0 -b .disableSSL2
+%patch53 -p0 -b .disableSSL2
+pushd nss
+%patch54 -p1 -b .948495
+popd
+%patch55 -p0 -b .852023
+pushd nss
+%patch56 -p1 -b .1026677
+popd
+
+#########################################################
+# Higher-level libraries and test tools need access to
+# module-private headers from util, freebl, and softoken
+# until fixed upstream we must copy some headers locally
+#########################################################
+
+pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
+for file in ${pemNeedsFromSoftoken}; do
+ %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/
+done
+
+# Copying these header util the upstream bug is accepted
+# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
+%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
+%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
+
+
+%build
+
+export NSS_NO_SSL2=1
+
+NSS_NO_PKCS11_BYPASS=1
+export NSS_NO_PKCS11_BYPASS
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+# Enable compiler optimizations and disable debugging code
+BUILD_OPT=1
+export BUILD_OPT
+
+# Uncomment to disable optimizations
+#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
+#export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+XCFLAGS=$RPM_OPT_FLAGS
+export XCFLAGS
+
+PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS
+
+NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+NSPR_LIB_DIR=%{_libdir}
+
+export NSPR_INCLUDE_DIR
+export NSPR_LIB_DIR
+
+export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
+export NSSUTIL_LIB_DIR=%{_libdir}
+
+export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'`
+export FREEBL_LIB_DIR=%{_libdir}
+export USE_SYSTEM_FREEBL=1
+# FIXME choose one or the other style and submit a patch upstream
+# wtc has suggested using NSS_USE_SYSTEM_FREEBL
+export NSS_USE_SYSTEM_FREEBL=1
+
+export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn`
+
+export SOFTOKEN_LIB_DIR=%{_libdir}
+# use the system ones
+export USE_SYSTEM_NSSUTIL=1
+export USE_SYSTEM_SOFTOKEN=1
+
+# tell the upstream build system what we are doing
+export NSS_BUILD_WITHOUT_SOFTOKEN=1
+
+NSS_USE_SYSTEM_SQLITE=1
+export NSS_USE_SYSTEM_SQLITE
+
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
+USE_64=1
+export USE_64
+%endif
+
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+##### phase 1: remove util/freebl/softoken and low level tools
+#
+######## Remove freebl, softoken and util
+%{__rm} -rf ./mozilla/security/nss/lib/freebl
+%{__rm} -rf ./mozilla/security/nss/lib/softoken
+%{__rm} -rf ./mozilla/security/nss/lib/util
+######## Remove nss-softokn test tools
+%{__rm} -rf ./mozilla/security/nss/cmd/bltest
+%{__rm} -rf ./mozilla/security/nss/cmd/fipstest
+%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low
+
+##### phase 2: build the rest of nss
+# nss supports pluggable ecc
+NSS_ENABLE_ECC=1
+export NSS_ENABLE_ECC
+NSS_ECC_MORE_THAN_SUITE_B=1
+export NSS_ECC_MORE_THAN_SUITE_B
+
+export NSS_BLTEST_NOT_AVAILABLE=1
+%{__make} -C ./nss/coreconf
+%{__make} -C ./nss/lib/dbm
+%{__make} -C ./nss
+unset NSS_BLTEST_NOT_AVAILABLE
+
+# build the man pages clean
+pushd ./nss
+%{__make} clean_docs build_docs
+popd
+
+# and copy them here
+for m in "%{allTools}"; do
+ cp ./nss/doc/nroff/${m}.1 .
+done
+
+# Set up our package file
+# The nspr_version and nss_{util|softokn}_version globals used
+# here match the ones nss has for its Requires.
+# Using the current %%{nss_softokn_version} for fedora again
+%{__mkdir_p} ./dist/pkgconfig
+%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
+ -e "s,%%prefix%%,%{_prefix},g" \
+ -e "s,%%exec_prefix%%,%{_prefix},g" \
+ -e "s,%%includedir%%,%{_includedir}/nss3,g" \
+ -e "s,%%NSS_VERSION%%,%{version},g" \
+ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+ -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \
+ -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \
+ ./dist/pkgconfig/nss.pc
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+export NSS_VMAJOR
+export NSS_VMINOR
+export NSS_VPATCH
+
+%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
+ -e "s,@prefix@,%{_prefix},g" \
+ -e "s,@exec_prefix@,%{_prefix},g" \
+ -e "s,@includedir@,%{_includedir}/nss3,g" \
+ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+ > ./dist/pkgconfig/nss-config
+
+chmod 755 ./dist/pkgconfig/nss-config
+
+%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh
+chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh
+
+%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+if [ $DISABLETEST -eq 1 ]; then
+ echo "testing disabled"
+ exit 0
+fi
+
+# Begin -- copied from the build section
+
+# inform the ssl test scripts that SSL2 is disabled
+export NSS_NO_SSL2=1
+
+FREEBL_NO_DEPEND=1
+export FREEBL_NO_DEPEND
+
+BUILD_OPT=1
+export BUILD_OPT
+
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
+USE_64=1
+export USE_64
+%endif
+
+export NSS_BLTEST_NOT_AVAILABLE=1
+
+# needed for the fips manging test
+export SOFTOKEN_LIB_DIR=%{_libdir}
+
+# End -- copied from the build section
+
+# enable the following line to force a test failure
+# find ./nss -name \*.chk | xargs rm -f
+
+# Run test suite.
+# In order to support multiple concurrent executions of the test suite
+# (caused by concurrent RPM builds) on a single host,
+# we'll use a random port. Also, we want to clean up any stuck
+# selfserv processes. If process name "selfserv" is used everywhere,
+# we can't simply do a "killall selfserv", because it could disturb
+# concurrent builds. Therefore we'll do a search and replace and use
+# a different process name.
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+cd ./nss/tests/
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
+# nss_ssl_run: cov auth stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# global nss_ssl_tests "normal_fips"
+# global nss_ssl_run "cov auth"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+
+cd ../../
+
+killall $RANDSERV || :
+
+TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || :
+# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
+%ifnarch %{arm}
+if [ $TEST_FAILURES -ne 0 ]; then
+ echo "error: test suite returned failure(s)"
+ exit 1
+fi
+echo "test suite completed"
+%endif
+
+%install
+
+%{__rm} -rf $RPM_BUILD_ROOT
+
+# There is no make install target so we'll do it ourselves.
+
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
+%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
+
+# Copy the binary libraries we want
+for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the template files we want
+for file in dist/private/nss/nssck.api
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link top it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in "%{allTools}"; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+# If we upgrade, and the shared filename is a regular file, then we must
+# remove it, before we can install the alternatives symbolic link.
+if [ $1 -gt 1 ] ; then
+ # when upgrading or downgrading
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ rm -f %{_libdir}/libnssckbi.so
+ fi
+fi
+# Install the symbolic link
+# FYI: Certain other packages use alternatives --set to enforce that the first
+# installed package is preferred. We don't do that. Highest priority wins.
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+/sbin/ldconfig
+
+%postun
+if [ $1 -eq 0 ] ; then
+ # package removal
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+else
+ # upgrade or downgrade
+ # If the new installed package uses a regular file (not a symblic link),
+ # then cleanup the alternatives link.
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+ fi
+fi
+/sbin/ldconfig
+
+%posttrans
+# An earlier version of this package had an incorrect %postun script (3.14.3-9).
+# (The incorrect %postun always called "update-alternatives --remove",
+# because it incorrectly assumed that test -f returns false for symbolic links.)
+# The only possible remedy to fix the mistake that "always removes on upgrade"
+# made by the older %postun script, is to repair it in %posttrans of the new package.
+# Strategy:
+# %posttrans is never called when uninstalling.
+# %posttrans is only called when installing or upgrading a package.
+# Because %posttrans is the very last action of a package install,
+# %{_libdir}/libnssckbi.so must exist.
+# If it does not, it's the result of the incorrect removal from a broken %postun.
+# In this case, we repeat installation of the alternatives link.
+if ! test -e %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+fi
+
+
+%files
+%defattr(-,root,root)
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%ghost %{_libdir}/libnssckbi.so
+%{_libdir}/nss/libnssckbi.so
+%{_libdir}/libnsspem.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%attr(0644,root,root) %doc /usr/share/man/man5/*
+%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+
+%files sysinit
+%defattr(-,root,root)
+%{_libdir}/libnsssysinit.so
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+
+%files tools
+%defattr(-,root,root)
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/pk12util
+%{_bindir}/signtool
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %{_mandir}/man*/* let's list them explicitely
+# supported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+# unsupported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/nsspem.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+
+%files pkcs11-devel
+%defattr(-, root, root)
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+
+%changelog
+* Wed Nov 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-8
+- Fix patch for disabling ssl2 in ssl to correctly set error code
+- Fix syntax error reported in the build.log even tough it succeeds
+- Add patch top ignore setpolicy result
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails
+
+* Sun Nov 03 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-7
+- Fix bash syntax error in patch for disabling ssl2 tests
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Sat Nov 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-6
+- Fix errors in ssl disabling patches for both library and tests
+- Add s390x to the multilib_arches definition used for alt_ckbi
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Thu Oct 31 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-5
+- Fix errors in nss-sysinit manpage options descriptions
+- Resolves: rhbz#982723
+
+* Tue Oct 29 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-4
+- Enable fips when system is in fips mode
+- Resolves: rhbz#852023 - FIPS mode detection does not work
+
+* Tue Oct 29 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
+- Remove unused and obsoleted patches
+- Related: rhbz#1012656
+
+* Mon Oct 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
+- Add description of the certutil's --email option to it's manpage
+- Resolves: rhbz#Bug 948495 - Man page scan results for nss
+
+* Mon Oct 21 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-1
+- Rebase to nss-3.15.2
+- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL
+
+* Fri Oct 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-4
+- Install symlink to nss-sysinit.sh without the .sh suffix
+- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script
+
+* Tue Oct 08 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Tue Aug 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+- Add upstream bug URL for a patch subitted upstream and remove obsolete script
+
+* Wed Jul 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+- Update to NSS_3_15_1_RTM
+- Apply various fixes to the man pages and add new ones
+- Enable the iquote.patch to access newly introduced types
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Add missing option descriptions for {cert|cms|crl}util
+- Resolves: rhbz#948495 - Man page scan results for nss
+- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-6
+- Use the unstripped source tar ball
+
+* Wed Jun 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona <emaldona@redhat.com> - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona <emaldona@redhat.com> - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* Sun Jun 16 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13.0
+- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch
+
+* Fri Apr 19 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12.0
+- Add upstream patch to fix rhbz#872761
+
+* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-11
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert <kaie@redhat.com> - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert <kaie@redhat.com> - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway <spot@fedoraproject.org> - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado <emaldona@redhat.com> - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 05 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz <emaldona@redhat.com> - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado <emaldona@redhat.com> - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert <kaie@redhat.com> - 3.12.11-2
+- Update builtins certs to those from NSSCKBI_1_87_RTM
+
+* Tue Aug 09 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-1
+- Update to NSS_3_12_11_RTM
+
+* Sat Jul 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-6
+- Indicate the provenance of stripped source tarball (#688015)
+
+* Mon Jun 27 2011 Michael Schwendt <mschwendt@fedoraproject.org> - 3.12.10-5
+- Provide virtual -static package to meet guidelines (#609612).
+
+* Fri Jun 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-4
+- Enable pluggable ecc support (#712556)
+- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045)
+
+* Fri May 20 2011 Dennis Gilmore <dennis@ausil.us> - 3.12.10-3
+- make the testsuite non fatal on arm arches
+
+* Tue May 17 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703656)
+
+* Fri May 06 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
+- Update to NSS_3_12_10_RTM
+
+* Wed Apr 27 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-0.1.beta1
+- Update to NSS_3_12_10_BETA1
+
+* Mon Apr 11 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-15
+- Implement PEM logging using NSPR's own (#695011)
+
+* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-14
+- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
+
+* Thu Feb 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-13
+- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
+
+* Fri Feb 18 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-12
+- Add a missing requires for pkcs11-devel (#675196)
+
+* Tue Feb 15 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-11
+- Run the test suites in the check section (#677809)
+
+* Thu Feb 10 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-10
+- Fix cms headers to not use c++ reserved words (#676036)
+- Reenabling Bug 499444 patches
+- Fix to swap internal key slot on fips mode switches
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-9
+- Revert patches for 499444 until all c++ reserved words are found and extirpated
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-7
+- Fix cms header to not use c++ reserved word (#676036)
+- Reenable patches for bug 499444
+
+* Tue Feb 08 2011 Christopher Aillon <caillon@redhat.com> - 3.12.9-6
+- Revert patches for 499444 as they use a C++ reserved word and
+ cause compilation of Firefox to fail
+
+* Fri Feb 04 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-5
+- Fix the earlier infinite recursion patch (#499444)
+- Remove a header that now nss-softokn-freebl-devel ships
+
+* Tue Feb 01 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-4
+- Fix infinite recursion when encoding NSS enveloped/digested data (#499444)
+
+* Mon Jan 31 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-3
+- Update the cacert trust patch per upstream review requests (#633043)
+
+* Wed Jan 19 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
+* Wed Jan 12 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-1
+- Update to 3.12.9
+
+* Mon Dec 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.9-0.1.beta2
+- Rebuilt according to fedora pre-release package naming guidelines
+
+* Fri Dec 10 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.2-1
+- Update to NSS_3_12_9_BETA2
+- Fix libpnsspem crash when cacert dir contains other directories (#642433)
+
+* Wed Dec 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8.99.1-1
+- Update to NSS_3_12_9_BETA1
+
+* Thu Nov 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-9
+- Update pem source tar with fixes for 614532 and 596674
+- Remove no longer needed patches
+
+* Fri Nov 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-8
+- Update PayPalEE.cert test certificate which had expired
+
+* Sun Oct 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-7
+- Tell rpm not to verify md5, size, and modtime of configurations file
+
+* Mon Oct 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
+* Wed Oct 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-5
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-4
+- Fix invalid %postun scriptlet (#639248)
+
+* Wed Sep 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Mon Sep 27 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
+- Add posttrans scriptlet (#636787)
+
+* Thu Sep 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
+- Update to 3.12.8
+- Prevent disabling of nss-sysinit on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
+- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sat Sep 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.4-1
+- NSS 3.12.8 RC0
+
+* Sun Sep 05 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-2
+- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3
+
+* Sat Sep 04 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7.99.3-1
+- NSS 3.12.8 Beta3
+- Fix unclosed comment in renegotiate-transitional.patch
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-3
+- Change BuildRequries to available version of nss-util-devel
+
+* Sat Aug 28 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-2
+- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
+- Add comments regarding an unversioned provides which triggers rpmlint warning
+- Build requires nss-softokn-devel >= 3.12.7
+
+* Mon Aug 16 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
+- Update to 3.12.7
+
+* Sat Aug 14 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-12
+- Apply the patches to fix rhbz#614532
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-11
+- Removed pem sourecs as they are in the cache
+
+* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-10
+- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
+
+* Sat Jul 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-9
+- Fix nsssysinit to return userdb ahead of systemdb (#603313)
+
+* Tue Jun 08 2010 Dennis Gilmore <dennis@ausil.us> - 3.12.6-8
+- Require and BuildRequire >= the listed version not =
+
+* Tue Jun 08 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-7
+- Require nss-softoken 3.12.6
+
+* Sun Jun 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-6
+- Fix SIGSEGV within CreateObject (#596674)
+
+* Mon Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
+- Update pem source tar to pick up the following bug fixes:
+- PEM - Allow collect objects to search through all objects
+- PEM - Make CopyObject return a new shallow copy
+- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-4
+- Update the test cert in the setup phase
+
+* Wed Apr 07 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-3
+- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
+- Update PayPalEE test cert with unexpired one (#580207)
+
+* Thu Mar 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
+- Fix ns.spec to not require nss-softokn (#575001)
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.2
+- rebuilt with all tests enabled
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1.1
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
+- Disabling ssl tests suites until bug 539183 is resolved
+
+* Sat Mar 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
+- Update to 3.12.6
+- Reactivate all tests
+- Patch tools to validate command line options arguments
+
+* Mon Jan 25 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-8
+- Fix curl related regression and general patch code clean up
+
+* Wed Jan 13 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-5
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5-1.1
+- Fix SIGSEGV on call of NSS_Initialize (#553638)
+
+* Wed Jan 06 2010 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.2
+- New version of patch to allow root to modify ystem database (#547860)
+
+* Thu Dec 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13.1
+- Temporarily disabling the ssl tests
+
+* Sat Dec 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.13
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
+* Fri Dec 25 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for rhbz #546211
+
+* Sat Dec 19 2009 Elio maldonado<emaldona@redhat.com> - 3.12.5-1.9
+- Remove left over trace statements from nsssysinit patching
+
+* Fri Dec 18 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-2.7
+- Fix a misconstructed patch
+
+* Thu Dec 17 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.6
+- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221)
+- Fix spec so sysinit requires coreutils for post install scriplet (#547067)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+
+* Thu Dec 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.5
+- Fix nsssysinit to set the default flags on the crypto module (#545779)
+- Remove redundant header from the pem module
+
+* Wed Dec 09 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Remove unneeded patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.1
+- Retagging to include missing patch
+
+* Thu Dec 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1
+- Update to 3.12.5
+- Patch to allow ssl/tls clients to interoperate with servers that require renogiation
+
+* Fri Nov 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-14.1
+- Retagging
+
+* Tue Oct 20 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13.1
+- Require nss-softoken of same architecture as nss (#527867)
+- Merge setup-nsssysinit.sh improvements from F-12 (#527051)
+
+* Sat Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
+- User no longer prompted for a password when listing keys an empty system db (#527048)
+- Fix setup-nsssysinit to handle more general formats (#527051)
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-12
+- Fix syntax error in setup-nsssysinit.sh
+
+* Sun Sep 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-11
+- Fix sysinit to be under mozilla/security/nss/lib
+
+* Sat Sep 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-10
+- Add nss-sysinit activation/deactivation script
+
+* Fri Sep 18 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-9
+- Install blank databases and configuration file for system shared database
+- nsssysinit queries system for fips mode before relying on environment variable
+
+* Thu Sep 10 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-8
+- Restoring nssutil and -rpath-link to nss-config for now - 522477
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com - 3.12.4-7
+- Add the nss-sysinit subpackage
+
+* Tue Sep 08 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-6
+- Installing shared libraries to %%{_libdir}
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-5
+- Retagging to pick up new sources
+
+* Mon Sep 07 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-4
+- Update pem enabling source tar with latest fixes (509705, 51209)
+
+* Sun Sep 06 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-3
+- PEM module implements memory management for internal objects - 509705
+- PEM module doesn't crash when processing malformed key files - 512019
+
+* Sat Sep 05 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-2
+- Remove symbolic links to shared libraries from devel - 521155
+- No rpath-link in nss-softokn-config
+
+* Tue Sep 01 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-1
+- Update to 3.12.4
+
+* Mon Aug 31 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-30
+- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766
+- Fixed requires and buildrequires as per recommendations in spec file review
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-29
+- Restoring patches 2 and 7 as we still compile all sources
+- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems
+
+* Sun Aug 30 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-28
+- restore require sqlite
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-27
+- Don't require sqlite for nss
+
+* Sat Aug 29 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-26
+- Ensure versions in the requires match those used when creating nss.pc
+
+* Fri Aug 28 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-25
+- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn
+- Add a temprary hack to nss.pc.in to unblock builds
+
+* Fri Aug 28 2009 Warren Togami <wtogami@redhat.com> - 3.12.3.99.3-24
+- caolan's nss.pc patch
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-23
+- Bump the release number for a chained build of nss-util, nss-softokn and nss
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-22
+- Fix nss-config not to include nssutil
+- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-21
+- disabling all tests while we investigate a buffer overflow bug
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-20
+- disabling some tests while we investigate a buffer overflow bug - 519766
+
+* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-19
+- remove patches that are now in nss-softokn and
+- remove spurious exec-permissions for nss.pc per rpmlint
+- single requires line in nss.pc.in
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-18
+- Fix BuildRequires: nss-softokn-devel release number
+
+* Wed Aug 26 2009 Elio Maldonado<emaldona@redhat.com - 3.12.3.99.3-17
+- fix nss.pc.in to have one single requires line
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-16
+- cleanups for softokn
+
+* Tue Aug 25 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-15
+- remove the softokn subpackages
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-14
+- don install the nss-util pkgconfig bits
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-13
+- remove from -devel the 3 headers that ship in nss-util-devel
+
+* Mon Aug 24 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-12
+- kill off the nss-util nss-util-devel subpackages
+
+* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11
+- split off nss-softokn and nss-util as subpackages with their own rpms
+- first phase of splitting nss-softokn and nss-util as their own packages
+
+* Thu Aug 20 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-10
+- must install libnssutil3.since nss-util is untagged at the moment
+- preserve time stamps when installing various files
+
+* Thu Aug 20 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-9
+- dont install libnssutil3.so since its now in nss-util
+
+* Thu Aug 06 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-7.1
+- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.3.99.3-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-6
+- removed two patch files which are no longer needed and fixed previous change log number
+* Mon Jun 22 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-5
+- updated pem module incorporates various patches
+- fix off-by-one error when computing size to reduce memory leak. (483855)
+- fix data type to work on x86_64 systems. (429175)
+- fix various memory leaks and free internal objects on module unload. (501080)
+- fix to not clone internal objects in collect_objects(). (501118)
+- fix to not bypass initialization if module arguments are omitted. (501058)
+- fix numerous gcc warnings. (500815)
+- fix to support arbitrarily long password while loading a private key. (500180)
+- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
+* Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
+- add patch for bug 502133 upstream bug 496997
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-3
+- rebuild with higher release number for upgrade sanity
+* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-2
+- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75
+* Thu May 07 2009 Kai Engert <kaie@redhat.com> - 3.12.3-7
+- re-enable test suite
+- add patch for upstream bug 488646 and add newer paypal
+ certs in order to make the test suite pass
+* Wed May 06 2009 Kai Engert <kaie@redhat.com> - 3.12.3-4
+- add conflicts info in order to fix bug 499436
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-3
+- ship .chk files instead of running shlibsign at install time
+- include .chk file in softokn-freebl subpackage
+- add patch for upstream nss bug 488350
+* Tue Apr 14 2009 Kai Engert <kaie@redhat.com> - 3.12.3-2
+- Update to NSS 3.12.3
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-7
+- temporarily disable the test suite because of bug 494266
+* Mon Apr 06 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-6
+- fix softokn-freebl dependency for multilib (bug 494122)
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-5
+- introduce separate nss-softokn-freebl package
+* Thu Apr 02 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-4
+- disable execstack when building freebl
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-3
+- add upstream patch to fix bug 483855
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-2
+- build nspr-less freebl library
+* Tue Mar 31 2009 Kai Engert <kaie@redhat.com> - 3.12.2.99.3-1
+- Update to NSS_3_12_3_BETA4
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.2.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Oct 22 2008 Kai Engert <kaie@redhat.com> - 3.12.2.0-3
+- update to NSS_3_12_2_RC1
+- use system zlib
+* Tue Sep 30 2008 Dennis Gilmore <dennis@ausil.us> - 3.12.1.1-4
+- add sparc64 to the list of 64 bit arches
+
+* Wed Sep 24 2008 Kai Engert <kaie@redhat.com> - 3.12.1.1-3
+- bug 456847, move pkgconfig requirement to devel package
+* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-2
+- Update to NSS_3_12_1_RC2
+* Fri Aug 22 2008 Kai Engert <kaie@redhat.com> - 3.12.1.0-2
+- NSS 3.12.1 RC1
+* Fri Aug 15 2008 Kai Engert <kaie@redhat.com> - 3.12.0.3-7
+- fix bug bug 429175 in libpem module
+* Tue Aug 05 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-6
+- bug 456847, add Requires: pkgconfig
+* Tue Jun 24 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-3
+- nss package should own /etc/prelink.conf.d folder, rhbz#452062
+- use upstream patch to fix test suite abort
+* Mon Jun 02 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-2
+- Update to NSS_3_12_RC4
+* Mon Apr 14 2008 Kai Engert <kengert@redhat.com> - 3.12.0.1-1
+- Update to NSS_3_12_RC2
+* Thu Mar 20 2008 Jesse Keating <jkeating@redhat.com> - 3.11.99.5-2
+- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache.
+* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-1
+- Update to NSS_3_12_BETA3
+* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> - 3.11.99.4-1
+- NSS 3.12 Beta 2
+- Use /usr/lib{64} as devel libdir, create symbolic links.
+* Sat Feb 16 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-6
+- Apply upstream patch for bug 417664, enable test suite on pcc.
+* Fri Feb 15 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-5
+- Support concurrent runs of the test suite on a single build host.
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-4
+- disable test suite on ppc
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-3
+- disable test suite on ppc64
+
+* Thu Feb 14 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-2
+- Build against gcc 4.3.0, use workaround for bug 432146
+- Run the test suite after the build and abort on failures.
+
+* Thu Jan 24 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-1
+* NSS 3.12 Beta 1
+
+* Mon Jan 07 2008 Kai Engert <kengert@redhat.com> - 3.11.99.2b-3
+- move .so files to /lib
+
+* Wed Dec 12 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2b-2
+- NSS 3.12 alpha 2b
+
+* Mon Dec 03 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-2
+- upstream patches to avoid calling netstat for random data
+
+* Wed Nov 07 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-1
+- NSS 3.12 alpha 2
+
+* Wed Oct 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-10
+- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist
+ our signed libraries and protect them from modification.
+
+* Thu Sep 06 2007 Rob Crittenden <rcritten@redhat.com> - 3.11.7-9
+- Fix off-by-one error in the PEM module
+
+* Thu Sep 06 2007 Kai Engert <kengert@redhat.com> - 3.11.7-8
+- fix a C++ mode compilation error
+
+* Wed Sep 05 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.7-7
+- Add 3.12 ckfw and libnsspem
+
+* Tue Aug 28 2007 Kai Engert <kengert@redhat.com> - 3.11.7-6
+- Updated license tag
+
+* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-5
+- Ensure the workaround for mozilla bug 51429 really get's built.
+
+* Mon Jun 18 2007 Kai Engert <kengert@redhat.com> - 3.11.7-4
+- Better approach to ship freebl/softokn based on 3.11.5
+- Remove link time dependency on softokn
+
+* Sun Jun 10 2007 Kai Engert <kengert@redhat.com> - 3.11.7-3
+- Fix unowned directories, rhbz#233890
+
+* Fri Jun 01 2007 Kai Engert <kengert@redhat.com> - 3.11.7-2
+- Update to 3.11.7, but freebl/softokn remain at 3.11.5.
+- Use a workaround to avoid mozilla bug 51429.
+
+* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
+- Fix rhbz#230545, failure to enable FIPS mode
+- Fix rhbz#220542, make NSS more tolerant of resets when in the
+ middle of prompting for a user password.
+
+* Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
+- Update to 3.11.5
+- This update fixes two security vulnerabilities with SSL 2
+- Do not use -rpath link option
+- Added several unsupported tools to tools package
+
+* Tue Jan 9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
+- disable ECC, cleanout dead code
+
+* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
+- Update to 3.11.4
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
+- Revert the attempt to require latest NSPR, as it is not yet available
+ in the build infrastructure.
+
+* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
+- Update to 3.11.3
+
+* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
+- Add /etc/pki/nssdb
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
+- rebuild
+
+* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
+- Update to 3.11.2
+- Enable executable bit on shared libs, also fixes debug info.
+
+* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
+- Enable Elliptic Curve Cryptography (ECC)
+
+* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
+- Update to 3.11.1
+- Include upstream patch to limit curves
+
+* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
+- add --noexecstack when compiling assembler on x86_64
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
+- rebuild
+
+* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
+- Update file list for the devel packages
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
+- Update to 3.11
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
+- Add patch to allow building on ppc*
+- Update the pkgconfig file to Require nspr
+
+* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
+- Initial import into Fedora Core, based on a CVS snapshot of
+ the NSS_3_11_RTM tag
+- Fix up the pkcs11-devel subpackage to contain the proper headers
+- Build with RPM_OPT_FLAGS
+- No need to have rpath of /usr/lib in the pc file
+
+* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
+- Adressed review comments by Wan-Teh Chang, Bob Relyea,
+ Christopher Aillon.
+
+* Sat Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
+- Initial build