.gitignore

@@ -1,3 +1,4 @@
 SOURCES/blank-cert9.db
 SOURCES/blank-key4.db
-SOURCES/nss-3.101-with-nspr-4.35.tar.gz
+SOURCES/nspr-4.35.tar.gz
+SOURCES/nss-3.101.tar.gz

.nss.metadata

@@ -1,3 +1,4 @@
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
-592ea337ee2504efb09a21a4593cc1f19e4477c2 SOURCES/nss-3.101-with-nspr-4.35.tar.gz
+71267859a581d61fea8d7d36c25f716750271cac SOURCES/nspr-4.35.tar.gz
+90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz

SOURCES/fips_algorithms.h

@@ -20,6 +20,7 @@ typedef enum {
     SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
     SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
     SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
+    SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
 } SFTKFIPSSpecialClass;
 
 /* set according to your security policy */
@@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
 #define AES_FB_KEY 128, 256
 #define AES_FB_STEP 64
     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+    { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
 
     /* -------------- RSA Multipart Signing Operations -------------------- */
     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

SOURCES/nss-3.101-allow-fips-rsa-oaep.patch

@@ -0,0 +1,20 @@
+diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fipsrsaoaep	2024-10-24 09:27:17.971673855 +0200
++++ ./lib/softoken/pkcs11u.c	2024-10-24 09:23:35.006352872 +0200
+@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+                 }
+             }
+             return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
++        case SFTKFIPSRSAOAEP:;
++            CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
++                                                mech->pParameter;
++
++            HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
++            HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
++            /* message hash and mask generation function must be the same */
++            if (hash_pad != hash_msg) return PR_FALSE;
++
++            return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
+         default:
+             break;
+     }

SOURCES/nss-3.101-el9-restore-old-pkcs12-default.patch

@@ -0,0 +1,14 @@
+diff -up ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default	2024-07-18 08:26:35.773248450 -0700
++++ ./cmd/pk12util/pk12util.c	2024-07-18 08:27:05.796595554 -0700
+@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
+             }
+         }
+     }
+-    /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
+-    if (PK11_IsFIPS()) {
+-        hash = SEC_OID_HMAC_SHA256;
+-    }
+     if (pk12util.options[opt_Mac].activated) {
+         char *hashString = pk12util.options[opt_Mac].arg;
+ 

SOURCES/nss-3.101-fips-check-ec25519-size.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519	2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c	2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+          * key length is CKA_VALUE, which is the default */
+         keyType = CKK_INVALID_KEY_TYPE;
+     }
+-    if (keyType == CKK_EC) {
++    if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+         SECOidTag curve = sftk_quickGetECCCurveOid(source);
+         switch (curve) {
+             case SEC_OID_CURVE25519:

SOURCES/nss-3.101-fix-cavs-test.patch

@@ -1,12 +0,0 @@
-diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
---- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs	2024-09-12 14:39:41.421586862 -0700
-+++ ./tests/fips/cavs_scripts/validate1.sh	2024-09-12 14:39:55.036747283 -0700
-@@ -21,7 +21,7 @@ name=`basename $request .req`
- echo ">>>>>  $name"
- sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
- # if we didn't generate any output, flag that as an error
--size=`sum /tmp/y1 | awk '{ print $NF }'`
-+size=`sum /tmp/y1 | awk '{ print $1 }'`
- if [ $size -eq 0 ]; then
-    echo "${TESTDIR}/resp/${name}.rsp: empty"
-    exit 1;

SOURCES/nss-3.101-fix-shlibsign-fips.patch

@@ -0,0 +1,12 @@
+diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
+--- ./cmd/shlibsign/shlibsign.c.shlibsign	2024-06-07 09:26:03.000000000 -0700
++++ ./cmd/shlibsign/shlibsign.c	2024-10-31 10:49:28.637449054 -0700
+@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
+     } else {
+         /* NON FIPS mode  == C_GetFunctionList */
+         pC_GetFunctionList = (CK_C_GetFunctionList)
+-            PR_FindFunctionSymbol(lib, "C_GetFunctionList");
++            PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
+     }
+     assert(pC_GetFunctionList != NULL);
+     if (!pC_GetFunctionList) {

SOURCES/nss-3.101-no-p12-smime-policy.patch

@@ -0,0 +1,83 @@
+diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
+--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/pkcs12/p12plcy.c	2024-07-17 11:26:00.334836451 -0700
+@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
+ static PRBool
+ sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
+ {
++#ifdef notdef
+     PRUint32 policy;
+     SECStatus rv;
+ 
+@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
+         return PR_TRUE;
+     }
+     return PR_FALSE;
++#else
++    return PR_TRUE;
++#endif
+ }
+ 
+ PRBool
+diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
+--- ./lib/smime/smimeutil.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/smimeutil.c	2024-07-17 11:27:04.716617111 -0700
+@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
+ PRBool
+ smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
+ {
++#ifdef notdef
+     PRUint32 policyFlags;
+ 
+     /* some S/MIME algs map to the same underlying KEA mechanism,
+@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
+         PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
+         return PR_FALSE;
+     }
++#endif
+     return PR_TRUE;
+ }
+ 
+@@ -485,6 +487,7 @@ smime_init_once(void *arg)
+         return PR_FAILURE;
+     }
+ 
++#ifdef notdef
+     /* At initialization time, we need to set up the defaults. We first
+      * look to see if the system or application has set up certain algorithms
+      * by policy. If they have set up values by policy we'll only allow those
+@@ -497,6 +500,11 @@ smime_init_once(void *arg)
+         PORT_Free(tags);
+         tags = NULL;
+     }
++#else
++    /* just initialize the old maps */
++    rv = SECSuccess;
++    tagCount = 0;
++#endif
+     if ((rv != SECSuccess) || (tagCount == 0)) {
+         /* No algorithms have been enabled by policy (either by the system
+          * or by the application, we then will use the traditional default
+diff -up ./tests/smime/smime.sh.no_p12_smime_policy ./tests/smime/smime.sh
+--- ./tests/smime/smime.sh.no_p12_smime_policy	2024-07-17 11:26:00.303836075 -0700
++++ ./tests/smime/smime.sh	2024-07-17 11:26:00.334836451 -0700
+@@ -872,6 +872,6 @@ smime_init
+ smime_main
+ smime_data_tb
+ smime_p7
+-smime_policy
++#smime_policy
+ smime_cleanup
+ 
+diff -up ./tests/tools/tools.sh.no_p12_smime_policy ./tests/tools/tools.sh
+--- ./tests/tools/tools.sh.no_p12_smime_policy	2024-07-17 11:26:00.304836087 -0700
++++ ./tests/tools/tools.sh	2024-07-17 11:26:00.334836451 -0700
+@@ -585,7 +585,7 @@ tools_p12()
+   tools_p12_import_old_files
+   tools_p12_import_pbmac1_samples
+   tools_p12_import_rsa_pss_private_key
+-  tools_p12_policy
++  #tools_p12_policy
+ }
+ 
+ ############################## tools_sign ##############################

SOURCES/nss-3.101-revert-libpkix-default.patch

@@ -0,0 +1,104 @@
+diff -up ./lib/certhigh/certvfypkix.c.revert_libpkix ./lib/certhigh/certvfypkix.c
+--- ./lib/certhigh/certvfypkix.c.revert_libpkix	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/certhigh/certvfypkix.c	2024-07-05 13:18:34.285174699 -0700
+@@ -39,7 +39,7 @@ pkix_pl_lifecycle_ObjectTableUpdate(int
+ PRInt32 parallelFnInvocationCount;
+ #endif /* PKIX_OBJECT_LEAK_TEST */
+ 
+-static PRBool usePKIXValidationEngine = PR_TRUE;
++static PRBool usePKIXValidationEngine = PR_FALSE;
+ #endif /* NSS_DISABLE_LIBPKIX */
+ 
+ /*
+diff -up ./lib/nss/nssinit.c.revert_libpkix ./lib/nss/nssinit.c
+--- ./lib/nss/nssinit.c.revert_libpkix	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/nss/nssinit.c	2024-07-05 13:18:34.285174699 -0700
+@@ -764,9 +764,9 @@ nss_Init(const char *configdir, const ch
+         if (pkixError != NULL) {
+             goto loser;
+         } else {
+-            char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
++            char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
+             if (ev && ev[0]) {
+-                CERT_SetUsePKIXForValidation(PR_FALSE);
++                CERT_SetUsePKIXForValidation(PR_TRUE);
+             }
+         }
+ #endif /* NSS_DISABLE_LIBPKIX */
+diff -up ./tests/all.sh.revert_libpkix ./tests/all.sh
+--- ./tests/all.sh.revert_libpkix	2024-06-07 09:26:03.000000000 -0700
++++ ./tests/all.sh	2024-07-05 13:18:34.285174699 -0700
+@@ -143,9 +143,6 @@ run_cycle_standard()
+ {
+     TEST_MODE=STANDARD
+ 
+-    NSS_DISABLE_LIBPKIX_VERIFY="1"
+-    export NSS_DISABLE_LIBPKIX_VERIFY
+-
+     TESTS="${ALL_TESTS}"
+     TESTS_SKIP="libpkix pkits"
+ 
+@@ -153,8 +150,6 @@ run_cycle_standard()
+     export NSS_DEFAULT_DB_TYPE
+ 
+     run_tests
+-
+-    unset NSS_DISABLE_LIBPKIX_VERIFY
+ }
+ 
+ ############################ run_cycle_pkix ############################
+@@ -172,6 +167,9 @@ run_cycle_pkix()
+     mkdir -p "${HOSTDIR}"
+     init_directories
+ 
++    NSS_ENABLE_PKIX_VERIFY="1"
++    export NSS_ENABLE_PKIX_VERIFY
++
+     TESTS="${ALL_TESTS}"
+     TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
+ 
+diff -up ./tests/common/init.sh.revert_libpkix ./tests/common/init.sh
+--- ./tests/common/init.sh.revert_libpkix	2024-06-07 09:26:03.000000000 -0700
++++ ./tests/common/init.sh	2024-07-05 13:18:34.285174699 -0700
+@@ -140,8 +140,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
+         echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
+         echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
+         echo "export NSS_DEFAULT_DB_TYPE"
+-        echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
+-        echo "export NSS_DISABLE_PKIX_VERIFY"
++        echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
++        echo "export NSS_ENABLE_PKIX_VERIFY"
+         echo "init_directories"
+     }
+ 
+diff -up ./tests/ssl/ssl.sh.revert_libpkix ./tests/ssl/ssl.sh
+--- ./tests/ssl/ssl.sh.revert_libpkix	2024-07-05 13:18:34.267174492 -0700
++++ ./tests/ssl/ssl.sh	2024-07-05 13:23:15.295402481 -0700
+@@ -971,8 +971,9 @@ ssl_policy_pkix_ocsp()
+       return 0
+   fi
+ 
+-  PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
+-  unset NSS_DISABLE_LIBPKIX_VERIFY
++  PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
++  NSS_ENABLE_PKIX_VERIFY="1"
++  export NSS_ENABLE_PKIX_VERIFY
+ 
+   testname=""
+ 
+@@ -997,10 +998,12 @@ ssl_policy_pkix_ocsp()
+   html_msg $RET $RET_EXP "${testname}" \
+            "produced a returncode of $RET, expected is $RET_EXP"
+ 
+-  if [ "{PKIX_SAVE}" != "unset" ]; then
+-      export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
++  if [ "${PKIX_SAVE}" = "unset" ]; then
++      unset NSS_ENABLE_PKIX_VERIFY
++  else
++      NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
++      export NSS_ENABLE_PKIX_VERIFY
+   fi
+-
+   cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
+ 
+   html "</TABLE><BR>"

SOURCES/nss-p11-kit.config

@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+

SOURCES/nss-softokn-config.in

@@ -21,7 +21,6 @@ Options:
 Dynamic Libraries:
 	softokn3 - Requires full dynamic linking
 	freebl3  - for internal use only (and glibc for self-integrity check)
-	nssdbm3  - for internal use only
 Dymamically linked
 EOF
 	exit $1

SOURCES/nss-softokn.pc.in

@@ -7,5 +7,5 @@ Name: NSS-SOFTOKN
 Description: Network Security Services Softoken PKCS #11 Module
 Version: %SOFTOKEN_VERSION%
 Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
-Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Libs: -L${libdir} -lfreebl3 -lsoftokn3
 Cflags: -I${includedir}

SPECS/nss.spec

@@ -1,16 +1,16 @@
 %global nss_version 3.101.0
 %global nspr_version 4.35.0
-# NOTE: To avoid NVR clashes of nspr* packages:
+%global baserelease 10
-# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
-# - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 7
 %global nss_release %baserelease
+# NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+21]
+# when a new nspr is released with nss, reset nspr_release to baserelease.
+# for each new nss relase with the same nspr, change increment n by one.
+%global nspr_release %[%baserelease+7]
 # only need to update this as we added new
 # algorithms under nss policy control
-%global crypto_policies_version 20240522
+%global crypto_policies_version 20210118
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -57,8 +57,6 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
            string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
 }
 
-%global nss_nspr_archive nss-%{nss_archive_version}-with-nspr-%{nspr_archive_version}
-
 # This is taken from gnutls.spec
 %define srpmhash() %{lua:
 local files = rpm.expand("%_specdir/nss.spec")
@@ -78,7 +76,7 @@ Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
 Release:          %{nss_release}%{?dist}
-License:          MPL-2.0
+License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
 Requires:         nss-util >= %{nss_version}
@@ -86,6 +84,7 @@ Requires:         nss-util >= %{nss_version}
 Requires:         nss-softokn%{_isa} >= %{nss_version}
 Requires:         nss-system-init
 Requires:         p11-kit-trust
+Requires:         /usr/bin/update-crypto-policies
 Requires:         crypto-policies >= %{crypto_policies_version}
 # for shlibsign
 BuildRequires: make
@@ -98,7 +97,7 @@ BuildRequires:    psmisc
 BuildRequires:    perl-interpreter
 BuildRequires:    gcc-c++
 
-Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{nss_nspr_archive}.tar.gz
+Source0:          https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
 Source1:          nss-util.pc.in
 Source2:          nss-util-config.in
 Source3:          nss-softokn.pc.in
@@ -118,18 +117,22 @@ Source15:         system-pkcs11.txt
 Source16:         setup-nsssysinit.sh
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
-Source22:         pkcs11.txt.xml
-Source24:         cert9.db.xml
-Source26:         key4.db.xml
 %if %{with dbm}
 Source23:         cert8.db.xml
 Source25:         key3.db.xml
 Source27:         secmod.db.xml
 %endif
+Source22:         pkcs11.txt.xml
+Source24:         cert9.db.xml
+Source26:         key4.db.xml
+Source28:         nss-p11-kit.config
 # fips algorithms are tied to the red hat validation, others
 # will have their own validation
 Source30:         fips_algorithms.h
 
+#Source50:         NameConstraints_Certs.tar
+
+Source100:        nspr-%{nspr_archive_version}.tar.gz
 Source101:        nspr-config.xml
 
 # This patch uses the GCC -iquote option documented at
@@ -142,19 +145,22 @@ Source101:        nspr-config.xml
 # changes.
 #
 # Once the buildroot has been bootstrapped the patch may be removed
-# but it doesn't hurt to keep it.
+# but it doesn't hurt to keep it
 Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
 Patch20:          nss-3.101-extend-db-dump-time.patch
 Patch21:          nss-3.101-enable-sdb-tests.patch
-
 # connect our shared library to the build root loader flags (needed for -relro)
 Patch31:          nss-dso-ldflags.patch
+# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
 Patch32:          nss-3.101-disable-md5.patch
-# rhel10 disabled dbm by default
+# dbm is disabled on RHEL9, make the man pages reflect that
+%if %{with dbm}
+%else
 Patch33:          nss-no-dbm-man-page.patch
-
+%endif
 # not upstreamable patch...
+# WARNING: Need to make this patch work before checking!!! $$$$@@@
 Patch34:          nss-3.71-fix-lto-gtests.patch
 # camellia pkcs12 docs.
 Patch35:          nss-3.71-camellia-pkcs12-doc.patch
@@ -169,6 +175,8 @@ Patch50:          nss-3.79-fips.patch
 Patch51:          nss-3.101-fips-review.patches
 Patch52:          nss-3.90-pbkdf2-indicator.patch
 Patch53:          nss-3.101-skip-ocsp-if-not-connected.patch
+# dont upstream, must be after patch53 (sigh)
+Patch54:          nss-3.101-revert-libpkix-default.patch
 
 # ems policy. needs to upstream
 Patch60:          nss-3.101-add-ems-policy.patch
@@ -181,6 +189,8 @@ Patch75:          nss-3.90-ppc_no_init.patch
 Patch76:          nss-3.101-enable-kyber-policy.patch
 Patch77:          nss-3.101-fix-rsa-policy-test.patch
 Patch78:          nss-3.101-fix-pkcs12-md5-decode.patch
+Patch79:          nss-3.101-el9-restore-old-pkcs12-default.patch
+Patch80:          nss-3.101-no-p12-smime-policy.patch
 Patch81:          nss-3.101-fix-missing-size-checks.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
 Patch82:          nss-3.101-chacha-timing-fix.patch
@@ -189,13 +199,9 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=676100
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
-Patch87:          nss-3.101-fix-cavs-test.patch
+Patch87:          nss-3.101-fix-shlibsign-fips.patch
-
+Patch88:          nss-3.101-fips-check-ec25519-size.patch
-# RHEL-10 specific
+Patch89:          nss-3.101-allow-fips-rsa-oaep.patch
-Patch90:          nss-3.101-disable_dsa.patch
-
-# NSS reverse patches
-Patch300:         nss-3.79-distrusted-certs.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -203,6 +209,11 @@ Patch101:         nspr-gcc-atomics.patch
 Patch110:         nspr-4.34-fix-coverity-loop-issue.patch
 Patch120:         nspr-4.34-server-passive.patch
 
+
+# NSS reverse patches
+Patch300:         nss-3.79-distrusted-certs.patch
+
+
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
@@ -212,7 +223,7 @@ v3 certificates, and other security standards.
 
 %package tools
 Summary:          Tools for the Network Security Services
-Requires:         %{name}%{?_isa} = %{nss_version}-%{release}
+Requires:         %{name}%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 
 %description tools
 Network Security Services (NSS) is a set of libraries designed to
@@ -229,7 +240,7 @@ Summary:          System NSS Initialization
 # providing nss-system-init without version so that it can
 # be replaced by a better one, e.g. supplied by the os vendor
 Provides:         nss-system-init
-Requires:         nss%{?_isa} = %{nss_version}-%{release}
+Requires:         nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 Requires(post):   coreutils, sed
 
 %description sysinit
@@ -240,8 +251,8 @@ any system or user configured modules.
 
 %package devel
 Summary:          Development libraries for Network Security Services
-Provides:         nss-static = %{nss_version}-%{release}
+Provides:         nss-static = %{nss_version}-%{nss_release}%{dist}
-Requires:         nss%{?_isa} = %{nss_version}-%{release}
+Requires:         nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 Requires:         nss-util-devel
 Requires:         nss-softokn-devel
 Requires:         nspr-devel >= %{nspr_version}
@@ -254,9 +265,9 @@ Header and Library files for doing development with Network Security Services.
 
 %package pkcs11-devel
 Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
-Provides:         nss-pkcs11-devel-static = %{nss_version}-%{release}
+Provides:         nss-pkcs11-devel-static = %{nss_version}-%{nss_release}%{dist}
-Requires:         nss-devel = %{nss_version}-%{release}
+Requires:         nss-devel = %{nss_version}-%{nss_release}%{dist}
-Requires:         nss-softokn-freebl-devel = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl-devel = %{nss_version}-%{nss_release}%{dist}
 
 %description pkcs11-devel
 Library files for developing PKCS #11 modules using basic NSS
@@ -272,7 +283,7 @@ Utilities for Network Security Services and the Softoken module
 
 %package util-devel
 Summary:          Development libraries for Network Security Services Utilities
-Requires:         nss-util%{?_isa} = %{nss_version}-%{release}
+Requires:         nss-util%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 Requires:         nspr-devel >= %{nspr_version}
 Requires:         pkgconfig
 
@@ -283,8 +294,8 @@ Header and library files for doing development with Network Security Services.
 %package softokn
 Summary:          Network Security Services Softoken Module
 Requires:         nspr >= %{nspr_version}
-Requires:         nss-util >= %{nss_version}-%{release}
+Requires:         nss-util >= %{nss_version}-%{nss_release}%{dist}
-Requires:         nss-softokn-freebl%{_isa} >= %{nss_version}-%{release}
+Requires:         nss-softokn-freebl%{_isa} >= %{nss_version}-%{nss_release}%{dist}
 
 %description softokn
 Network Security Services Softoken Cryptographic Module
@@ -305,8 +316,8 @@ Install the nss-softokn-freebl package if you need the freebl library.
 
 %package softokn-freebl-devel
 Summary:          Header and Library files for doing development with the Freebl library for NSS
-Provides:         nss-softokn-freebl-static = %{nss_version}-%{release}
+Provides:         nss-softokn-freebl-static = %{nss_version}-%{nss_release}%{dist}
-Requires:         nss-softokn-freebl%{?_isa} = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 
 %description softokn-freebl-devel
 NSS Softoken Cryptographic Module Freebl Library Development Tools
@@ -317,10 +328,10 @@ Developers should rely only on the officially supported NSS public API.
 
 %package softokn-devel
 Summary:          Development libraries for Network Security Services
-Requires:         nss-softokn%{?_isa} = %{nss_version}-%{release}
+Requires:         nss-softokn%{?_isa} = %{nss_version}-%{nss_release}%{dist}
-Requires:         nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{release}
+Requires:         nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{nss_release}%{dist}
 Requires:         nspr-devel >= %{nspr_version}
-Requires:         nss-util-devel >= %{nss_version}-%{release}
+Requires:         nss-util-devel >= %{nss_version}-%{nss_release}%{dist}
 Requires:         pkgconfig
 
 %description softokn-devel
@@ -330,7 +341,7 @@ Header and library files for doing development with Network Security Services.
 Summary:        Netscape Portable Runtime
 Version:        %{nspr_version}
 Release:        %{nspr_release}%{?dist}
-License:        MPL-2.0
+License:        MPLv2.0
 URL:            http://www.mozilla.org/projects/nspr/
 Conflicts:      filesystem < 3
 BuildRequires:  gcc
@@ -353,8 +364,12 @@ Conflicts:      filesystem < 3
 %description -n nspr-devel
 Header files for doing development with the Netscape Portable Runtime.
 
+
 %prep
+%setup -q -T -b 100 -n nspr-%{nspr_archive_version}
+
 %setup -q -T -b 0 -n %{name}-%{nss_archive_version}
+mv ../nspr-%{nspr_archive_version}/nspr .
 cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
 
 %patch -P 100 -p0 -b .flags
@@ -362,10 +377,12 @@ pushd nspr
 %autopatch -p 1 -m 101 -M 299
 popd
 
+
 pushd nss
 %autopatch -p1 -M 99
+#%%patch -P 400 -p1 -b .backup
 # sigh it would be nice if autopatch supported -R
-%patch -P 300 -R -p 1
+%patch -P 300 -R -p1
 popd
 
 # copy the fips_algorithms.h for this release
@@ -373,6 +390,11 @@ popd
 # each vendors claim in their own FIPS certification
 cp %{SOURCE30} nss/lib/softoken/
 
+#update expired test certs
+#pushd nss
+#tar xvf %{SOURCE50}
+#popd
+
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
@@ -385,6 +407,8 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 # adjustment in the NSS build process.
 mkdir -p nspr_build
 pushd nspr_build
+export LDFLAGS="$RPM_LD_FLAGS"
+export CFLAGS="$RPM_OPT_FLAGS"
 ../nspr/configure \
                  --prefix=%{_prefix} \
                  --libdir=%{_libdir} \
@@ -434,10 +458,6 @@ popd
 # uncomment if the iquote patch is activated
 export IN_TREE_FREEBL_HEADERS_FIRST=1
 
-# deprication
-export NSS_DISABLE_DEPRECATED_SEED=1
-export NSS_DISABLE_DSA=1
-
 # FIPS related defines
 export NSS_FORCE_FIPS=1
 export NSS_FIPS_VERSION="%{name}\ %{nss_version}-%{srpmhash}"
@@ -467,8 +487,6 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
 # Similarly, but for gcc-11
 export XCFLAGS="$XCFLAGS -Wno-array-parameter"
 
-export LDFLAGS=$RPM_LD_FLAGS
-
 export DSO_LDFLAGS=$RPM_LD_FLAGS
 
 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
@@ -500,7 +518,6 @@ export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-
 %{__make} -C ./nss all
 %{__make} -C ./nss latest
 
@@ -597,20 +614,22 @@ date +"%e %B %Y" | tr -d '\n' > date.xml
 echo -n %{nss_version} > version.xml
 
 # configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do
+  cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do
+  xmlto man ${m}
+done
+
 %if %{with dbm}
-%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}
+# nss dbm databases 
-%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt
+for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do
-%else
-%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
-%global dbfiles cert9.db key4.db pkcs11.txt
-%endif
-for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
   cp ${m} .
 done
-%global configFiles nss-config setup-nsssysinit
+for m in cert8.db.xml key3.db.xml secmod.db.xml; do
-for m in %{configFiles}  %{dbfiles}; do
+  xmlto man ${m}
-  xmlto man ${m}.xml
 done
+%endif
 
 
 %check
@@ -634,9 +653,6 @@ popd
 export FREEBL_NO_DEPEND=1
 
 export BUILD_OPT=1
-export NSS_DISABLE_PPC_GHASH=1
-export NSS_DISABLE_DEPRECATED_SEED=1
-export NSS_DISABLE_DSA=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -659,6 +675,10 @@ done
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
+%ifarch i686 ppcle64
+export NSS_DB_DUMP_TIME=10
+%endif
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -769,6 +789,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
 mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
 mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 %if %{defined rhel}
 # not needed for rhel and its derivatives only fedora
 %else
@@ -857,11 +878,11 @@ install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir
 ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
 
 # Copy the man pages for scripts
-for f in %{configFiles}; do
+for f in nss-config setup-nsssysinit; do
    install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the nss tools
-for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do
+for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
   install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 %if %{defined rhel}
@@ -870,10 +891,19 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
 %endif
 
-# Copy the man pages for the nss databases
+# Copy the man pages for the configuration files
-for f in %{dbfiles}; do
+for f in pkcs11.txt cert9.db key4.db; do
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done
+# Copy the man pages for the nss dbm databases
+%if %{with dbm}
+for f in cert8.db key3.db secmod.db; do
+   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+%endif
+
+# Copy the crypto-policies configuration file
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@@ -894,6 +924,9 @@ if test $1 -eq 2; then
 fi
 %endif
 
+%posttrans
+update-crypto-policies &> /dev/null || :
+
 
 %files
 %{!?_licensedir:%global license %%doc}
@@ -910,6 +943,7 @@ fi
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
 %if %{with dbm}
 %doc %{_mandir}/man5/cert8.db.5*
 %doc %{_mandir}/man5/key3.db.5*
@@ -955,6 +989,7 @@ fi
 %doc %{_mandir}/man1/cmsutil.1*
 %doc %{_mandir}/man1/crlutil.1*
 %doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/nss-policy-check.1*
 %doc %{_mandir}/man1/pk12util.1*
 %doc %{_mandir}/man1/signver.1*
 # unsupported tools
@@ -1057,8 +1092,8 @@ fi
 %{_includedir}/nss3/base64.h
 %{_includedir}/nss3/ciferfam.h
 %{_includedir}/nss3/eccutil.h
-%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/nssb64.h
 %{_includedir}/nss3/nssb64t.h
 %{_includedir}/nss3/nsshash.h
@@ -1168,6 +1203,17 @@ fi
 
 
 %changelog
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-10
+- Allow RSA-OAEP in FIPS mode
+
+* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
+- Add SEC_OID_CURVE25519 to FIPS checks.
+- This will mark algorithms using it as FIPS unapproved.
+
+* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
+- fix shlibsign in FIPS mode
+- remove dbm from pkgconfig
+
 * Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
 - fix cms abi breakage
 - fix long password issue on pbmac encodings
@@ -1176,159 +1222,187 @@ fi
 - fix param encoding in pkcs12 pbamac encoding
 - add support for certificate compression in selfserv and tstclient
 
-* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5
+* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
 - Fix missing and inaccurate key length checks
 - Fix chacha timing issue
 
-* Thu Jul 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-4
+* Tue Jul 16 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
 - Fix MD-5 decode issue in pkcs #12
+- turn off policy processing for pkcs12 and smime
+- restore the rhel9 pkcs12 defaults for pk12util
 
-* Mon Jul 15 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
+* Tue Jun 11 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
-- Add FIPS 140-3 defines to sec file
+- Rebase to NSS 3.101
+- restore ppc init support
 
-* Fri Jul 12 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
+* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
-- Fix spec to deal with annocheck failures
+- Allow for shorter ecdsa signatures by padding them to full length
 
-* Tue Jun 25 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
+* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
-- Update NSS to 3.101.0
+- Fix ecc DER wrapping.
-- Pick up RHEL FIPS and other patches
-- Turn off SEED and DSA
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.97.0-2
+* Tue Jan 9 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
-- Bump release for June 2024 mass rebuild
+- Pick up validated constant time implementations of p256, p384, and p521
+  from upsream
+- More Fips indicator changes
 
-* Sun Jan 28 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1
+* Wed Nov 22 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
-- Update NSS to 3.97.0
+- FIPS review changes
+-   add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
+-   update the indicators for this release
+-   allow hashing of longer than int32 values in a single PKCS #11 call.
 
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-3
+* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- Fix expired certs in tests
+- Fix CVE-2023-5388
 
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-2
+* Fri Aug 4 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+- add indicator for pbkdf
+- fix ems policy bug
 
-* Thu Dec 21 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.96.1-1
+* Thu Jun 29 2023 frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-2
-- Update NSS to 3.96.1
+- fix release number
 
-* Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1
+* Wed Jun 28 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
-- Update NSS to 3.95.0
+- fix missing dist tag in packages version
+- move from deprecate %%patch format
 
-* Wed Oct 25 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-2
+* Mon Jun 12 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
-- revert HACL 256 code to fix binary compatibility issue.
+- Rebase to NSS-3.90
+- Rebase to NSPR-3.35
+- fix incorrect version values in the NSS spec file for FIPS
 
-* Wed Oct 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-1
+* Fri Mar 17 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-18
-- Update NSS to 3.94.0
+- fix memory leak, add generator test in FIPS mode.
 
-* Thu Sep 07 2023 Bob Relyea <rrelyea@redhat.com> - 3.93.0-2
+* Thu Mar 16 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-17
-- Update License field to SPDX.
+- fix consistency return errors. We shouldn't lock the FIPS
+  token if the application asked for invalid DH parameters on
+  on keygen.
 
-* Thu Aug 31 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.93.0-1
+* Mon Mar 13 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-16
-- Update NSS to 3.93.0
+- Add check for RSA PSS Salt required by FIPS
+- Update fips_algorithms.sh according to the review.
 
-* Tue Aug 1 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.92.0-1
+* Thu Mar 2 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-15
-- Update NSS to 3.92.0
+- Fix CVE-2023-0767
 
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.91.0-2
+* Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-14
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+- Update fips_algorithms.h to match the final FIPS requirements
+- Disable delegated credentials
 
-* Tue Jul 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.91.0-1
+* Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-13
-- Update NSS to 3.91.0
+- remove OAEP from the FIPS indicators
 
-* Tue Jun 6 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-12
-- Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 &
+- only turn off rand changes on all non-fips kernels
-                https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
 
-* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+* Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
-- Update %%patch syntax
+- only turn off rand changes on ppc64le at build-test time.
 
-* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
+* Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
-- Update NSS to 3.90.0
+- turn off rand changes on ppc64le
 
-* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+* Sun Aug 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
-- combine nss and nspr source togeather
+- FIPS 140-3 changes
 
-* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
-- replace %{version} with %{nss_version} as it version can be overiden.
+- fix encoding issue with NULL passwords
 
-* Fri Mar 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
+* Thu Jul 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
-- Update NSS to 3.89.0
+- more complete fix for cert auth regression crash
 
-* Fri Feb 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.88.1-1
+* Wed Jun 22 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
-- Update NSS to 3.88.1
+- Remove debugging printf from a patch
+- increase the pbe cache size to handle reusing the same token key.
 
-* Tue Jan 24 2023 Bob Relyea - 3.87.0-2
+* Mon Jun 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
-- Fix rebuild errors
+- FIPS 140-3 changes
+-  Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject
+   signature keys by policy
+-  Allow applications to retrigger selftests on demand.
 
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.87.0-2
+* Tue Jun 14 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+- server passive fix
 
-* Tue Jan 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.87.0-1
+* Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
-- Update NSS to 3.87 & remove unused patches
+- fix regressions in test suite
 
-* Thu Nov 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.85.0-1
+* Mon Jun 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
-- update to NSS 3.83
+- fix nspr coverify issues.
 
-* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.83.0-1
+* Wed Jun 1 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
-- update to NSS 3.83
+- update to NSS 3.79
-- update to NSPR 4.35
+- update to NSPR 4.34
+- change FIPS Modulename to conform with our final module standard
 
-* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-2
+* Wed Feb 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-7
-- add dbtool
+- Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
+  on long passwords.
 
-* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1
+* Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
-- udpate to NSS 3.81
+- update pkcs12 documentation to include camellia
+- turn on lto
 
-* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
+* Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
-- Fix crash when getting client cert and there is none in the database.
+- remove old dbm files from the build
 
-* Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
+* Wed Dec  1 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
-- Update to NSS 3.79
+- Fix CVE-2021-43527
-- Update to NSPR 4.34
 
-* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
+* Tue Oct 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
-- Update to 3.77
+- make sure validation is built
+- fix syntax on FIPS module name
 
-* Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
+* Tue Oct 5 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
-- Update to 3.75
+- rebase to NSS-3.71
-- fix PayPal expiration issue
 
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.73.0-2
+* Wed Aug 25 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+- rebuild to clear gating.yaml test
 
-* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1
+* Thu Aug 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-12
-- Update to 3.73
+- pick up nspr 3.2 for Firefox 92
-- includes CVE 2021-43527
 
-* Mon Oct 4 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
+* Thu Aug 12 2021 Florian Weimer <fweimer@redhat.com> - 3.67.0-11
-- Update to 3.71
+- Change release number to correct cross-package dependencies (#1991688)
 
-* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-2
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
-- turn on lto
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Thu Jul 8 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-8
+- fix relro support in nspr part of build
+
+* Tue Jul 6 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
+- fix ssl alert regressions
 
-* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-1
+* Fri Jul 2 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-6
-- Update to 3.69
+- bump the nspr release number
-- Update to NSPR 4.31
 
-* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
+* Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
-- switch to baserelease so rpmdev-bumpspec will work next time
+- fix error when trying to read keys from updated databases when updated
+  from unpatched versions of NSS (like on fedora or upstream).
+- fix spelling of LD_OPTFLAGS which prevents relro from working.
 
-* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
+* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
-- rpmdev-bumpspec doesn't work correctly with nss/nspr. Fixup version numbers
+- update nspr man page files to only pick up nspr man pages
 
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.67.0-2
+* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+- Update NSS to 3.67
+- Update NSPR to 2.31
+- pick up rhel coverity patches which have not yet been pushed upstream.
 
-* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
+* Fri Apr 16 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-3
-- Update to 3.67
+ - prevent MD5 from being enabled even with the environment variables
-- Update to NSPR 2.31
+   and policy. This mirrors the rhel8 semantics.
+ - add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
 
-* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.65.0-1
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.63.0-2
-- Update to 3.65
+ - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-- update nss-tools manages to remove references to dbm
 
-* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
+* Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
-- Update to 3.63
+- Update NSS to 3.62
-- Update to NSPR 2.30
+- Update NSPR to 2.30
-- Remove old dbm files and man pages
 
 * Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1
 - Update to 3.62