Merge pull request #1 from import/nss:rosa2023.1

Backports and update

.abf.yml

@@ -3,5 +3,5 @@ sources:
   blank-cert8.db: d272a7b58364862613d44261c5744f7a336bf177
   blank-key3.db: 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5
   blank-secmod.db: bd748cf6e1465a1bbe6e751b72ffc0076aff0b50
-  nss-3.52.1.tar.gz: 15c56e41102a788cebc1df3cf46ca08b71ac0942
+  nss-3.103.tar.gz: 45eda4a1dfe7b28d082865bdd028ef5d58bc8d7b
   verisign-class-3-secure-server-ca.der: 188590e94878478e33b6194e59fbbb28ff0888d5

add-relro-linker-option.patch

@@ -0,0 +1,16 @@
+diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
+--- nss/coreconf/Linux.mk.relro	2013-04-09 14:29:45.943228682 -0700
++++ nss/coreconf/Linux.mk	2013-04-09 14:31:26.194953927 -0700
+@@ -174,6 +174,12 @@ endif
+ endif
+ endif
+ 
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS	+= -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 

iquote.patch

@@ -0,0 +1,13 @@
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
+ endif
+ 
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included

nss-config.in

@@ -66,7 +66,11 @@ while test $# -gt 0; do
       echo_libdir=yes
       ;;
     --version)
-      echo ${major_version}.${minor_version}.${patch_version}
+      version=${major_version}.${minor_version}
+      if [ ! -z ${patch_version} ]; then
+	  version=${version}.${patch_version}
+      fi
+      echo ${version}
       ;;
     --cflags)
       echo_cflags=yes

nss-config.xml

@@ -0,0 +1,132 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-config">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>nss-config</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>nss-config</refname>
+    <refpurpose>Return meta information about nss libraries</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>nss-config</command>
+      <arg><option>--prefix</option></arg>
+      <arg><option>--exec-prefix</option></arg>
+      <arg><option>--includedir</option></arg>
+      <arg><option>--libs</option></arg>
+      <arg><option>--cflags</option></arg>
+      <arg><option>--libdir</option></arg>
+      <arg><option>--version</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+
+    <para><command>nss-config</command> is a shell scrip
+    tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
+
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>--prefix</option></term>
+        <listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--exec-prefix</option></term>
+        <listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--includedir</option> <replaceable>count</replaceable></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--version</option></term>
+        <listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libs</option></term>
+        <listitem><simpara>returns the compiler linking flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--cflags</option></term>
+        <listitem><simpara>returns the compiler include flags.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--libdir</option></term>
+        <listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for both include path and linkage flags:
+    
+      <programlisting>
+        /usr/bin/nss-config --cflags --libs
+      </programlisting>
+
+    </para>
+
+   
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+
+    <para><filename>/usr/bin/nss-config</filename></para>
+
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss liraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

nss-skip-util-gtest.patch

@@ -0,0 +1,10 @@
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest	2017-08-08 12:45:57.598801125 +0200
++++ nss/gtests/manifest.mn	2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ 	$(LIB_SRCDIRS) \
+-	$(UTIL_SRCDIRS) \
+ 	$(NSS_SRCDIRS) \
+ 	$(NULL)

nss-softokn-config.in

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi
+

nss-softokn-dracut-module-setup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so
+}

nss-softokn-dracut.conf

@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "

nss-softokn.pc.in

@@ -6,6 +6,6 @@ includedir=%includedir%
 Name: NSS-SOFTOKN
 Description: Network Security Services Softoken PKCS #11 Module
 Version: %SOFTOKEN_VERSION%
-Requires: nspr >= %NSPR_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 -lnssutil3
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
 Cflags: -I${includedir}

nss-util-config.in

@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-util-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	nssutil
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      if test -n "$lib_nssutil"; then
+	libdirs="$libdirs -lnssutil${major_version}"
+      fi
+      echo $libdirs
+fi
+

nss-util.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: %NSSUTIL_VERSION%
+Requires: nspr >= %NSPR_VERSION%
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}

nss.spec

@@ -1,6 +1,16 @@
 %bcond_without lib
+%bcond_with cross_compiling
 %define url_ver %(echo %{version}| sed -e "s|\\.|_|g")
 
+# Excluding devel packages from nss libs
+# libraries are named in a non standard way,
+# all really devel ones are *.chk
+# fix it
+#global __develgen_exclude_path ^/%{_libdir}/.*$
+%global __develgen_path %nil
+
+# (tpg) WARNING !!!
+# When you bump major, please make sure you bump "local major = 3" in %post section for lua script
 %define major 3
 %define libname %mklibname %{name} %{major}
 %define libfreebl %mklibname freebl %{major}
@@ -8,48 +18,70 @@
 %define sdevname %mklibname -d -s %{name}
 %define _disable_lto 1
 
+%global optflags %{optflags} -O3
+
 # this seems fragile, so require the exact version or later (#58754)
 %define sqlite3_version %(pkg-config --modversion sqlite3 &>/dev/null && pkg-config --modversion sqlite3 2>/dev/null || echo 0)
 %define nspr_version %(pkg-config --modversion nspr &>/dev/null && pkg-config --modversion nspr 2>/dev/null || echo 0)
 
 %define build_empty 0
-%{?_with_empty: %{expand: %%global build_empty 1}}
+%{?_with_empty:   %{expand: %%global build_empty 1}}
-%{?_without_empty: %{expand: %%global build_empty 0}}
+%{?_without_empty:   %{expand: %%global build_empty 0}}
 
 Summary:	Network Security Services
 Name:		nss
-Version:	3.52.1
-Release:	1
 Epoch:		2
+Version:	3.103
+Release:	1
 Group:		System/Libraries
 License:	MPL or GPLv2+ or LGPLv2+
 Url:		http://www.mozilla.org/projects/security/pki/nss/index.html
-Source0:	http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_%{url_ver}_RTM/src/nss-%{version}.tar.gz
+Source0:	https://ftp.mozilla.org/pub/security/nss/releases/NSS_%{url_ver}_RTM/src/nss-%{version}.tar.gz
-Source2:	nss.pc.in
+# pkgconfig file templates and other extras from Fedora
-Source3:	nss-config.in
+Source1:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-util.pc.in
-Source4:	blank-cert8.db
+Source2:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-util-config.in
-Source5:	blank-key3.db
+Source3:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-softokn.pc.in
-Source6:	blank-secmod.db
+Source4:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-softokn-config.in
-Source7:	certdata_empty.txt
+Source6:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-softokn-dracut-module-setup.sh
+Source7:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-softokn-dracut.conf
+Source8:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss.pc.in
+Source9:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-config.in
+Source10:	blank-cert8.db
+Source11:	blank-key3.db
+Source12:	blank-secmod.db
+Source15:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/system-pkcs11.txt
+Source16:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/setup-nsssysinit.sh
+Source20:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-config.xml
+Source21:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/setup-nsssysinit.xml
+Source22:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/pkcs11.txt.xml
+Source28:	https://src.fedoraproject.org/rpms/nss/raw/rawhide/f/nss-p11-kit.config
 # https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
 # converted from PEM to DER format with openssl command:
 # openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der
 # this way we can avoid a buildrequires for openssl
-Source8:	verisign-class-3-secure-server-ca.der
+Source100:	verisign-class-3-secure-server-ca.der
 # Brasilian government certificate
 # verified in person with a government official
-Source9:	https://github.com/demoiselle/certificate/raw/master/impl/ca-icp-brasil/src/main/resources/trustedca/CertificadoACRaiz.crt
+Source101:	https://github.com/demoiselle/certificate/raw/master/impl/ca-icp-brasil/src/main/resources/trustedca/CertificadoACRaiz.crt
-Source10:	nss-softokn.pc.in
+# From Fedora
-Patch0:		nss-no-rpath.patch
+Patch0:		add-relro-linker-option.patch
-Patch2:		renegotiate-transitional.patch
+Patch1:		renegotiate-transitional.patch
-# (tpg) be carefull with last nspr4-4.10 because prtypes.h was moved to include/nspr4/
+Patch3:		utilwrap-include-templates.patch
-Patch4:		nss-3.15.1-correct-path-to-prtypes.h.patch
+Patch5:		iquote.patch
+Patch8:		nss-skip-util-gtest.patch
+# Our own
 
 BuildRequires:	rootcerts >= 1:20120218.00
 BuildRequires:	zip
 BuildRequires:	pkgconfig(nspr)
 BuildRequires:	pkgconfig(sqlite3)
 BuildRequires:	pkgconfig(zlib)
+BuildRequires:	p11-kit
+
+# compat with RH/Fedora
+Provides:              nss-tools = %{EVRD}
+# compat with openSUSE
+Provides:              mozilla-nss = %{EVRD}
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -58,7 +90,7 @@ applications. Applications built with NSS can support SSL v2 and v3,
 TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and
 other security standards. For detailed information on standards supported, see
 http://www.mozilla.org/projects/security/pki/nss/overview.html.
-%if %without lib
+%if %{without lib}
 
 Note: This package currently contains the NSS binaries only. The
 libraries have been not been included due to conflicts with the Mozilla
@@ -66,78 +98,113 @@ libraries.
 %endif
 
 %files
-%doc docs/*
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %{_sysconfdir}/pki/nssdb/secmod.db
+#nss supported bins
+%attr(0755,root,root) %{_bindir}/certutil
+%attr(0755,root,root) %{_bindir}/dbtool
+%attr(0755,root,root) %{_bindir}/cmsutil
+%attr(0755,root,root) %{_bindir}/crlutil
+%attr(0755,root,root) %{_bindir}/modutil
+%attr(0755,root,root) %{_bindir}/nss-policy-check
+%attr(0755,root,root) %{_bindir}/pk12util
+%attr(0755,root,root) %{_bindir}/signver
+%attr(0755,root,root) %{_bindir}/ssltap
+%attr(0755,root,root) %{_bindir}/sdbthreadtst
+#debian-additional
 %attr(0755,root,root) %{_bindir}/addbuiltin
+%attr(0755,root,root) %{_bindir}/chktest
+%attr(0755,root,root) %{_bindir}/dbtest
+%attr(0755,root,root) %{_bindir}/derdump
+%attr(0755,root,root) %{_bindir}/httpserv
+%attr(0755,root,root) %{_bindir}/ocspclnt
+%attr(0755,root,root) %{_bindir}/p7content
+%attr(0755,root,root) %{_bindir}/p7env
+%attr(0755,root,root) %{_bindir}/p7sign
+%attr(0755,root,root) %{_bindir}/p7verify
+%attr(0755,root,root) %{_bindir}/pk1sign
+%attr(0755,root,root) %{_bindir}/pp
+%attr(0755,root,root) %{_bindir}/pwdecrypt
+%attr(0755,root,root) %{_bindir}/rsaperf
+%attr(0755,root,root) %{_bindir}/selfserv
+%attr(0755,root,root) %{_bindir}/signtool
+%attr(0755,root,root) %{_bindir}/strsclnt
+%attr(0755,root,root) %{_bindir}/symkeyutil
+%attr(0755,root,root) %{_bindir}/tstclnt
+%attr(0755,root,root) %{_bindir}/vfychain
+%attr(0755,root,root) %{_bindir}/vfyserv
+%attr(0755,root,root) %{_bindir}/validation
+
+#-------------------------------------------------------------------------
+
+%package unsupported-tools
+Summary:	Network Security Services - Examples
+Group:		System/Libraries
+Requires:	%{name} = %{EVRD}
+Conflicts:	%{name} < 1:3.44-2
+
+%description unsupported-tools
+This package contains additional unsupported tools
+for ${name}.
+
+%files unsupported-tools
+#unsupported
 %attr(0755,root,root) %{_bindir}/atob
 %attr(0755,root,root) %{_bindir}/baddbdir
 %attr(0755,root,root) %{_bindir}/bltest
 %attr(0755,root,root) %{_bindir}/btoa
-%attr(0755,root,root) %{_bindir}/certutil
-%attr(0755,root,root) %{_bindir}/chktest
-%attr(0755,root,root) %{_bindir}/cmsutil
 %attr(0755,root,root) %{_bindir}/conflict
-%attr(0755,root,root) %{_bindir}/crlutil
 %attr(0755,root,root) %{_bindir}/crmftest
-%attr(0755,root,root) %{_bindir}/dbtest
-%attr(0755,root,root) %{_bindir}/derdump
 %attr(0755,root,root) %{_bindir}/dertimetest
 %attr(0755,root,root) %{_bindir}/digest
 %attr(0755,root,root) %{_bindir}/ecperf
 %attr(0755,root,root) %{_bindir}/encodeinttest
 %attr(0755,root,root) %{_bindir}/fbectest
 %attr(0755,root,root) %{_bindir}/fipstest
-%attr(0755,root,root) %{_bindir}/httpserv
 %attr(0755,root,root) %{_bindir}/listsuites
 %attr(0755,root,root) %{_bindir}/lowhashtest
 %attr(0755,root,root) %{_bindir}/makepqg
 %attr(0755,root,root) %{_bindir}/mangle
-%attr(0755,root,root) %{_bindir}/modutil
 %attr(0755,root,root) %{_bindir}/multinit
 %attr(0755,root,root) %{_bindir}/nonspr10
-%attr(0755,root,root) %{_bindir}/nss-policy-check
-%attr(0755,root,root) %{_bindir}/ocspclnt
 %attr(0755,root,root) %{_bindir}/ocspresp
 %attr(0755,root,root) %{_bindir}/oidcalc
-%attr(0755,root,root) %{_bindir}/p7content
-%attr(0755,root,root) %{_bindir}/p7env
-%attr(0755,root,root) %{_bindir}/p7sign
-%attr(0755,root,root) %{_bindir}/p7verify
 %attr(0755,root,root) %{_bindir}/pk11ectest
 %attr(0755,root,root) %{_bindir}/pk11gcmtest
 %attr(0755,root,root) %{_bindir}/pk11importtest
 %attr(0755,root,root) %{_bindir}/pk11mode
-%attr(0755,root,root) %{_bindir}/pk12util
-%attr(0755,root,root) %{_bindir}/pk1sign
 %attr(0755,root,root) %{_bindir}/pkix-errcodes
-%attr(0755,root,root) %{_bindir}/pp
-%attr(0755,root,root) %{_bindir}/pwdecrypt
 %attr(0755,root,root) %{_bindir}/remtest
-%attr(0755,root,root) %{_bindir}/rsaperf
 %attr(0755,root,root) %{_bindir}/rsapoptst
 %attr(0755,root,root) %{_bindir}/sdrtest
 %attr(0755,root,root) %{_bindir}/secmodtest
-%attr(0755,root,root) %{_bindir}/selfserv
-%attr(0755,root,root) %{_bindir}/signtool
-%attr(0755,root,root) %{_bindir}/signver
 %attr(0755,root,root) %{_bindir}/smime
-%attr(0755,root,root) %{_bindir}/ssltap
-%attr(0755,root,root) %{_bindir}/strsclnt
-%attr(0755,root,root) %{_bindir}/symkeyutil
-%attr(0755,root,root) %{_bindir}/tstclnt
-%attr(0755,root,root) %{_bindir}/vfychain
-%attr(0755,root,root) %{_bindir}/vfyserv
 
-%dir %{_sysconfdir}/pki/nssdb
+#-------------------------------------------------------------------------
-%config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
+
-%config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
+%package examples
-%config(noreplace) %{_sysconfdir}/pki/nssdb/secmod.db
+Summary:	Network Security Services - Examples
+Group:		System/Libraries
+Requires:	%{name} = %{EVRD}
+Conflicts:	%{name} < 1:3.44-2
+
+%description examples
+This package contains the bltest, modutil, signtool, signver,
+and ssltap examples for ${name}.
+
+%files examples
+%{_datadir}/%{name}/*
 
 #-------------------------------------------------------------------------
 
 %package shlibsign
 Summary:	Network Security Services - shlibsign
 Group:		System/Libraries
-Conflicts:	%{name} < 2:3.13.1-2
+%if %{with lib}
+Requires:	%{libname}
+%endif
 
 %description shlibsign
 This package contains the binary shlibsign needed by libfreebl3
@@ -148,54 +215,79 @@ and libsoftokn3.
 
 #-------------------------------------------------------------------------
 
-%if %with lib
+%if %{with lib}
 %package -n %{libname}
 Summary:	Network Security Services (NSS)
 Group:		System/Libraries
+Requires:	p11-kit-trust
 
 %description -n %{libname}
-This package contains the shared libraries libnss3, libnssckbi, libnssdbm3,
+This package contains the shared libraries libnss3, libnssdbm3,
 libnssutil3, libsmime3, and libssl3.
 
 %files -n %{libname}
-/%{_lib}/libnss%{major}.so
+%{_libdir}/libnss%{major}.so
-/%{_lib}/libnssckbi.so
 %if %{build_empty}
-/%{_lib}/libnssckbi_empty.so
+%{_libdir}/libnssckbi_empty.so
 %endif
-/%{_lib}/libnssutil%{major}.so
+%{_libdir}/libnssutil%{major}.so
-/%{_lib}/libnssdbm%{major}.so
+%{_libdir}/libnssdbm%{major}.so
-/%{_lib}/libsmime%{major}.so
+%{_libdir}/libsmime%{major}.so
-/%{_lib}/libssl%{major}.so
+%{_libdir}/libssl%{major}.so
+%{_libdir}/p11-kit-trust.so
+%{_libdir}/libnssckbi.so
 
-#-------------------------------------------------------------------------
+%post -n %{libname} -p <lua>
+-- (tpg) execute only on install
+if arg[2] == "0" then
+-- variable definitions
+-- make sure it meets %{major} from spec file
+local major = 3
+local f1 = "libsoftokn" .. major .. ".chk"
+local f2 = "libfreebl" .. major .. ".chk"
+local f3 = "libfreeblpriv" .. major .. ".chk"
+
+-- check if we are 64bit
+	libcheck = posix.stat("/lib64")
+	if libcheck then
+		libpath = "/lib64"
+	else
+		libpath = "/lib"
+	end
+
+-- list of files to iterate
+	files = { f1, f2, f3 }
+
+-- iterate through all the files
+	for file in list_iter(files) do
+		local f = io.open(libpath .. "/" .. file, "w")
+		f:write("")
+		f:close()
+		posix.chown(libpath .. "/" .. file, "root", "root")
+		posix.chmod(libpath .. "/" .. file, "0644")
+		posix.exec(shlibsign, "-i", libpath .. "/" .. file)
+	end
+end
 
 %package -n %{libfreebl}
 Summary:	Network Security Services (NSS)
 Group:		System/Libraries
 Requires(post): nss-shlibsign
-Requires(post): rpm-helper
-Requires(post):	coreutils
-Requires(post):	/bin/sh
-Provides:		nss-softokn%{?_isa} = %{EVRD}
-Conflicts: %{_lib}nss3 < 2:3.13.1-5
 
 %description -n %{libfreebl}
 This package contains the shared libraries libfreebl3 and libsoftokn3.
 
 %files -n %{libfreebl}
-/%{_lib}/libfreebl%{major}.so
+%{_libdir}/libfreebl%{major}.so
-/%{_lib}/libfreeblpriv%{major}.so
+%{_libdir}/libfreeblpriv%{major}.so
-/%{_lib}/libsoftokn%{major}.so
+%{_libdir}/libsoftokn%{major}.so
-%defattr(0644,root,root,0755)
-%ghost /%{_lib}/libfreebl%{major}.chk
-%ghost /%{_lib}/libsoftokn%{major}.chk
 
-%posttrans -n %{libfreebl}
+%defattr(0644,root,root,0755)
-%create_ghostfile /%{_lib}/libsoftokn%{major}.chk root root 644
+%ghost %{_libdir}/libfreebl%{major}.chk
-%create_ghostfile /%{_lib}/libfreebl%{major}.chk root root 644
+%ghost %{_libdir}/libsoftokn%{major}.chk
-%{_bindir}/shlibsign -i /%{_lib}/libsoftokn%{major}.so >/dev/null 2>/dev/null
+%if %rpm4
-%{_bindir}/shlibsign -i /%{_lib}/libfreebl%{major}.so >/dev/null 2>/dev/null
+%ghost %{_libdir}/libfreeblpriv%{major}.chk
+%endif
 
 #-------------------------------------------------------------------------
 
@@ -205,8 +297,26 @@ Group:		Development/C++
 Requires:	%{libname} >= %{EVRD}
 Requires:	%{libfreebl} >= %{EVRD}
 Provides:	nss-devel = %{EVRD}
-# a BR of Java in RH/OEU
 Provides:	nss-softokn-freebl-devel = %{EVRD}
+
+%if %{__isa_bits} == 64
+Provides: devel(libfreebl3(64bit))
+Provides: devel(libnss3(64bit))
+Provides: devel(libnssdbm3(64bit))
+Provides: devel(libnssutil3(64bit))
+Provides: devel(libsmime3(64bit))
+Provides: devel(libsoftokn3(64bit))
+Provides: devel(libssl3(64bit))
+%else
+Provides: devel(libfreebl3)
+Provides: devel(libnss3)
+Provides: devel(libnssdbm3)
+Provides: devel(libnssutil3)
+Provides: devel(libsmime3)
+Provides: devel(libsoftokn3)
+Provides: devel(libssl3)
+%endif
+
 %rename %{libname}-devel
 
 %description -n %{devname}
@@ -214,12 +324,10 @@ Header files to doing development with Network Security Services.
 
 %files -n %{devname}
 %attr(0755,root,root) %{_bindir}/nss-config
-%_libdir/*.so
+%{_includedir}/nss
-%dir %{_includedir}/nss
-%{_includedir}/nss/*.h
-%{_includedir}/nss/nssck.api
 %{_libdir}/pkgconfig/nss.pc
 %{_libdir}/pkgconfig/nss-softokn.pc
+%{_libdir}/pkgconfig/nss-util.pc
 %{_libdir}/libsoftokn%{major}.chk
 %{_libdir}/libfreebl%{major}.chk
 
@@ -245,15 +353,13 @@ Static libraries for doing development with Network Security Services.
 %{_libdir}/libnssckfw.a
 %{_libdir}/libsmime.a
 %{_libdir}/libssl.a
+%{_libdir}/libfreebl.a
 %endif
+
 #-------------------------------------------------------------------------
 
 %prep
-%setup -q
+%autosetup -p0
-#%  apply_patches
-%patch0 -p0
-%patch2 -p0 -b .transitional
-%patch4 -p1
 
 find . -type d -perm 0700 -exec chmod 755 {} \;
 find . -type f -perm 0555 -exec chmod 755 {} \;
@@ -264,10 +370,13 @@ find . -name '*.c' -executable -exec chmod -x {} \;
 # remove hardcoded gcc
 sed -i 's!gcc!%{__cc}!g' nss/coreconf/Linux.mk
 
+# make 100% sure we don't pull in the internal copy of sqlite
+rm nss/lib/sqlite/*.{c,h}
+
 %build
 %serverbuild
 %setup_compile_flags
-export CC=gcc
+export CC=%{__cc}
 export BUILD_OPT=1
 export OPTIMIZER="%{optflags}"
 export XCFLAGS="%{optflags} -Wno-error"
@@ -280,9 +389,10 @@ export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 export NSPR_INCLUDE_DIR=`%{_bindir}/pkg-config --cflags-only-I nspr | sed 's/-I//'`
 export NSPR_LIB_DIR=`%{_bindir}/pkg-config --libs-only-L nspr | sed 's/-L//'`
 export MOZILLA_CLIENT=1
-export NS_USE_GCC=1
 export NSS_USE_SYSTEM_SQLITE=1
 export NSS_ENABLE_ECC=1
+export MAKE_FLAGS="BUILD_OPT=1 NSS_ENABLE_ECC=1"
+export NSS_ENABLE_TLS_1_3=1
 
 # external tests are causing build problems because they access ssl internal types
 # TODO: Investigate as there may be a better solution
@@ -290,30 +400,57 @@ export NSS_DISABLE_GTESTS=1
 
 %if %{build_empty}
 # (oe) the "trust no one" scenario, it goes like:
-# 1. mv /%%{_lib}/libnssckbi.so /%%{_lib}/libnssckbi.so.BAK
+# 1. mv /%{_lib}/libnssckbi.so /%{_lib}/libnssckbi.so.BAK
-# 2. mv /%%{_lib}/libnssckbi_empty.so /%%{_lib}/libnssckbi.so
+# 2. mv /%{_lib}/libnssckbi_empty.so /%{_lib}/libnssckbi.so
 # 3. restart ff/tb
-# it has to be done manually for now, but at least we have a way for 
+# it has to be done manually for now, but at least we have a way for
 # users to quickly mitigate future problems, or whatever :-)
 
 pushd nss/lib/ckfw/builtins
-perl ./certdata.perl < %{SOURCE7}
+perl ./certdata.perl /etc/pki/tls/mozilla/certdata.txt
 popd
 %endif
 
-export NATIVE_CC="/usr/bin/gcc"
+%if %{with cross_compiling}
+	# Compile tools used at build time (nsinstall) in native
+	# mode before setting up the environment for crosscompiling
+	export USE_64=1
+	make -j1 -C ./nss all
+        make -j1 -C ./nss latest
+
+	CPU_ARCH="%_target_cpu"
+	if echo $CPU_ARCH |grep -qE '(i.86|pentium.|athlon)'; then
+		CPU_ARCH=x86
+	fi
+	export CPU_ARCH
+%endif
+
+export NATIVE_CC=%{__cc}
 export TARGETCC="%{__cc}"
 export TARGETCCC="%{__cxx}"
 export TARGETRANLIB="%{__ranlib}"
-%ifarch x86_64 ppc64 ia64 s390x aarch64
+%ifarch %{x86_64} ppc64 ia64 s390x aarch64 riscv64 %{e2k}
 export USE_64=1
 %else
 unset USE_64 || :
 %endif
 
-%make -j1 -C ./nss/coreconf
+# Parallel is broken as of 3.11.4 :(
-%make -j1 -C ./nss/lib/dbm
+#make -j1 -C ./nss/coreconf ./nss/lib/dbm ./nss \
-%make -j1 -C ./nss
+#	TARGETCC="$TARGETCC" \
+#	TARGETCCC="$TARGETCCC" \
+#	TARGETRANLIB="$TARGETRANLIB" \
+#	AR="%__ar cr \"\$@\"" \
+#%if %cross_compiling
+#	CPU_ARCH="$CPU_ARCH" \
+#%endif
+#%if %with %{cross_compiling}
+#buildflags="TARGETCC='$TARGETCC' TARGETCCC='$TARGETCCC' TARGETRANLIB='$TARGETRANLIB' AR='%__ar" CPU_ARCH="$CPU_ARCH"
+#%else
+#buildflags="TARGETCC='$TARGETCC' TARGETCCC='$TARGETCCC' TARGETRANLIB='$TARGETRANLIB' AR='%__ar"
+#%endif
+%make_build -j1 -C ./nss all
+%make_build -j1 -C ./nss latest
 
 %if %{build_empty}
 # tuck away the empty libnssckbi.so library
@@ -324,9 +461,9 @@ cp -p nss/lib/ckfw/builtins/Linux*/libnssckbi.so libnssckbi_empty.so
 # http://qa.mandriva.com/show_bug.cgi?id=29612
 # use built addbuildin command to avoid having
 # a buildrequires for nss
-ADDBUILTIN=`%{_bindir}/find . -type f -name addbuiltin`
+ADDBUILTIN=$(%{_bindir}/find . -type f -name addbuiltin)
 if [ -z "$ADDBUILTIN" ]; then
-	exit 1
+    exit 1
 fi
 ADDBUILTIN="$PWD/$ADDBUILTIN"
 OLD="$LD_LIBRARY_PATH"
@@ -342,7 +479,7 @@ pushd nss/lib/ckfw/builtins
 # So, for Mandriva we can add/remove certs easily in the rootcerts package. Please
 # checkout and examine the rootcerts package.
 # Once this has been done and the new rootcerts package has been installed this
-# package (nss) has to be rebuilt to pickup the changes made. The "recreate 
+# package (nss) has to be rebuilt to pickup the changes made. The "recreate
 # certificates" lines below generates a new certdata.c source containing the root
 # CA certs for mozilla.
 # *ALL* of the mozilla based softwares that support SSL has to link against
@@ -351,7 +488,7 @@ pushd nss/lib/ckfw/builtins
 perl ./certdata.perl /etc/pki/tls/mozilla/certdata.txt
 
 %make clean
-%make -j1
+%make_build
 
 popd
 export LD_LIBRARY_PATH="$OLD"
@@ -362,71 +499,101 @@ pushd dist/$(uname -s)*
 mkdir -p %{buildroot}%{_bindir}
 cp -aL bin/* %{buildroot}%{_bindir}
 
-%if %with lib
+%if %{with lib}
 mkdir -p %{buildroot}%{_libdir}
-mkdir -p %{buildroot}/%{_lib}
 mkdir -p %{buildroot}%{_includedir}/nss
-cp -aL ../public/nss/* %{buildroot}%{_includedir}/nss
 
 cp -aL lib/libcrmf.a \
-	lib/libnss.a \
+       lib/libnss.a \
-	lib/libnssb.a \
+       lib/libnssb.a \
-	lib/libnssckbi.so \
+       lib/libnssckfw.a \
-	lib/libnssckfw.a \
+       lib/libnssutil.a \
-	lib/libnssutil.a \
+       lib/libsmime.a \
-	lib/libsmime.a \
+       lib/libssl.a \
-	lib/libssl.a \
+       %{buildroot}%{_libdir}
-	%{buildroot}%{_libdir}
 
 # Copy the binary libraries we want
 for file in libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnssutil3.so \
-	libssl3.so libsmime3.so libnssckbi.so libnssdbm3.so
+            libssl3.so libsmime3.so libnssdbm3.so
 do
-	install -m 755 lib/$file %{buildroot}/%{_lib}
+  install -m 755 lib/$file %{buildroot}/%{_libdir}
-	ln -sf ../../%{_lib}/$file %{buildroot}%{_libdir}/$file
 done
 
+# Copy the include files we want
+cp -aL ../public/nss/* %{buildroot}%{_includedir}/nss
+
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h cmac.h; do
+	install -p -m 644 ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss
+done
+
+# Copy the static freebl library
+for file in libfreebl.a; do
+	install -p -m 644 ../*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+
+ln -s %{_libdir}/pkcs11/p11-kit-trust.so %{buildroot}/%{_libdir}/libnssckbi.so
+# weird bug that exist only on new arches
+# /lib64/p11-kit-trust.so not exist
+if [ ! -L %{buildroot}/%{_libdir}/p11-kit-trust.so ]; then
+  echo "=> p11-kit symlink not exist"
+  pushd %{buildroot}/%{_libdir}
+  ln -s libnssckbi.so p11-kit-trust.so
+  popd
+fi
+
 # These ghost files will be generated in the post step
 # Make sure chk files can be found in both places
 for file in libsoftokn3.chk libfreebl3.chk
 do
-	touch %{buildroot}/%{_lib}/$file
+  touch %{buildroot}/%{_libdir}/$file
-	ln -s ../../%{_lib}/$file %{buildroot}%{_libdir}/$file
 done
 
 mkdir -p %{buildroot}%{_libdir}/pkgconfig
-cat %{SOURCE2} | sed -e "s,%%libdir%%,%{_libdir},g" \
+cat %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
-	-e "s,%%prefix%%,%{_prefix},g" \
+       -e "s,%%prefix%%,%{_prefix},g" \
-	-e "s,%%exec_prefix%%,%{_prefix},g" \
+       -e "s,%%exec_prefix%%,%{_prefix},g" \
-	-e "s,%%includedir%%,%{_includedir}/nss,g" \
+       -e "s,%%includedir%%,%{_includedir}/nss,g" \
-	-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+       -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-	-e "s,%%NSS_VERSION%%,%{version},g" > \
+       -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \
-	%{buildroot}%{_libdir}/pkgconfig/nss.pc
+       %{buildroot}%{_libdir}/pkgconfig/nss-util.pc
-cat %{SOURCE10} | sed -e "s,%%libdir%%,%{_libdir},g" \
+cat %{SOURCE3} | sed -e "s,%%libdir%%,%{_libdir},g" \
-	-e "s,%%prefix%%,%{_prefix},g" \
+       -e "s,%%prefix%%,%{_prefix},g" \
-	-e "s,%%exec_prefix%%,%{_prefix},g" \
+       -e "s,%%exec_prefix%%,%{_prefix},g" \
-	-e "s,%%includedir%%,%{_includedir}/nss3,g" \
+       -e "s,%%includedir%%,%{_includedir}/nss,g" \
-	-e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+       -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
-	-e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+       -e "s,%%NSSUTIL_VERSION%%,%{version},g" \
-	%{buildroot}%{_libdir}/pkgconfig/nss-softokn.pc
+       -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+       %{buildroot}%{_libdir}/pkgconfig/nss-softokn.pc
+cat %{SOURCE8} | sed -e "s,%%libdir%%,%{_libdir},g" \
+       -e "s,%%prefix%%,%{_prefix},g" \
+       -e "s,%%exec_prefix%%,%{_prefix},g" \
+       -e "s,%%includedir%%,%{_includedir}/nss,g" \
+       -e "s,%%NSS_VERSION%%,%{version},g" \
+       -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
+       -e "s,%%NSSUTIL_VERSION%%,%{version},g" \
+       -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \
+       %{buildroot}%{_libdir}/pkgconfig/nss.pc
+
 %endif
 
 popd
 
-%if %with lib
+%if %{with lib}
 export NSS_VMAJOR=`%{__cat} nss/lib/nss/nss.h | %{__grep} "#define.*NSS_VMAJOR" | %{__awk} '{print $3}'`
 export NSS_VMINOR=`%{__cat} nss/lib/nss/nss.h | %{__grep} "#define.*NSS_VMINOR" | %{__awk} '{print $3}'`
 export NSS_VPATCH=`echo %{version} | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`
 
 mkdir -p %{buildroot}%{_bindir}
-cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
+cat %{SOURCE9} | sed -e "s,@libdir@,%{_libdir},g" \
-	-e "s,@prefix@,%{_prefix},g" \
+        -e "s,@prefix@,%{_prefix},g" \
-	-e "s,@exec_prefix@,%{_prefix},g" \
+        -e "s,@exec_prefix@,%{_prefix},g" \
-	-e "s,@includedir@,%{_includedir}/nss%{major},g" \
+        -e "s,@includedir@,%{_includedir}/nss,g" \
-	-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
+        -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
-	-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
+        -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
-	-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
+        -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
-	> %{buildroot}/%{_bindir}/nss-config
+        > %{buildroot}/%{_bindir}/nss-config
 %endif
 
 pushd nss/cmd/smimetools
@@ -434,7 +601,7 @@ install -m 0755 smime %{buildroot}%{_bindir}
 perl -pi -e 's|/usr/local/bin|%{_bindir}|g' %{buildroot}%{_bindir}/smime
 popd
 
-# add docs
+# add docs/examples
 mkdir -p docs/SSLsample
 #cp -a mozilla/security/nss/cmd/SSLsample/README docs/SSLsample/
 
@@ -455,15 +622,18 @@ cp -a nss/cmd/signver/examples/1/*.html docs/signver/
 mkdir -p docs/ssltap
 cp -a nss/cmd/ssltap/*.html docs/ssltap/
 
+install -d %{buildroot}%{_datadir}/%{name}/
+cp -pr docs/* %{buildroot}%{_datadir}/%{name}/
+
 # Install the empty NSS db files
 mkdir -p %{buildroot}%{_sysconfdir}/pki/nssdb
-install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pki/nssdb/cert8.db
+install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pki/nssdb/cert8.db
-install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/pki/nssdb/key3.db
+install -m 644 %{SOURCE11} %{buildroot}%{_sysconfdir}/pki/nssdb/key3.db
-install -m 644 %{SOURCE6} %{buildroot}%{_sysconfdir}/pki/nssdb/secmod.db
+install -m 644 %{SOURCE12} %{buildroot}%{_sysconfdir}/pki/nssdb/secmod.db
 
 %{_bindir}/find docs -type f | %{_bindir}/xargs -t perl -pi -e 's/\r$//g'
 
 %if %{build_empty}
 # install the empty libnssckbi.so library (use alternatives?)
-install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
+install -m0755 libnssckbi_empty.so %{buildroot}/%{_libdir}/libnssckbi_empty.so
 %endif

pkcs11.txt.xml

@@ -0,0 +1,56 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="pkcs11.txt">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>pkcs11.txt</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>pkcs11.txt</refname>
+    <refpurpose>NSS PKCS #11 module configuration file</refpurpose>
+  </refnamediv>
+
+  <refsection id="description">
+    <title>Description</title>
+    <para>
+The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
+    </para>
+    <para>
+For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
+    </para>
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

setup-nsssysinit.sh

@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+  cat <<EOF
+Usage: setup-nsssysinit [on|off]
+  on     - turns on nsssysinit
+  off    - turns off nsssysinit
+  status - reports whether nsssysinit is turned on or off
+EOF
+  exit $1
+}
+
+# validate
+if [ $# -eq 0 ]; then
+  usage 1 1>&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+  echo "Could not find ${p11conf}"
+  exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+  grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+  on | ON )
+    if sysinit_enabled; then 
+      exit 0 
+    fi
+    cat ${p11conf} | \
+    sed -e 's/^library=$/library=libnsssysinit.so/' \
+        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+        ${p11conf}.on
+    mv ${p11conf}.on ${p11conf}
+    ;;
+  off | OFF )
+    if ! sysinit_enabled; then
+      exit 0
+    fi
+    cat ${p11conf} | \
+    sed -e 's/^library=libnsssysinit.so/library=/' \
+        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+        ${p11conf}.off
+    mv ${p11conf}.off ${p11conf}
+    ;;
+  status )
+    echo -n 'NSS sysinit is '
+    sysinit_enabled && echo 'enabled' || echo 'disabled'
+    ;;
+  * )
+    usage 1 1>&2
+    ;;
+esac

setup-nsssysinit.xml

@@ -0,0 +1,106 @@
+<?xml version='1.0' encoding='utf-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="setup-nsssysinit">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>Network Security Services</title>
+    <productname>nss</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>setup-nsssysinit</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>setup-nsssysinit</refname>
+    <refpurpose>Query or enable the nss-sysinit module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>setup-nsssysinit</command>
+      <arg><option>on</option></arg>
+      <arg><option>off</option></arg>
+      <arg><option>status</option></arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+<refsection id="description">
+    <title>Description</title>
+    <para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
+  <para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
+  </para>
+  </refsection>
+  
+  <refsection>
+    <title>Options</title>
+    
+    <variablelist>
+      <varlistentry>
+        <term><option>on</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>off</option></term>
+        <listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>status</option></term>
+        <listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsection>
+
+  <refsection>
+    <title>Examples</title>
+
+    <para>The following example will query for the status of nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit status
+      </programlisting>
+    </para>
+
+    <para>The following example, when run as superuser, will turn on nss-sysinit:
+      <programlisting>
+        /usr/bin/setup-nsssysinit on
+      </programlisting>
+    </para>
+
+  </refsection>
+
+  <refsection>
+    <title>Files</title>
+    <para><filename>/usr/bin/setup-nsssysinit</filename></para>
+  </refsection>
+
+  <refsection>
+    <title>See also</title>
+    <para>pkg-config(1)</para>
+  </refsection>
+
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The nss libraries were written and maintained by developers with Netscape, Red Hat,  Sun, Oracle, Mozilla, and Google.</para>
+    <para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, v. 2.0.  If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+    </para>
+  </refsection>
+
+</refentry>
+

system-pkcs11.txt

@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+

utilwrap-include-templates.patch

@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates	2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk	2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+