.gitignore

@@ -3,4 +3,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.101.tar.gz
+SOURCES/nss-3.79.tar.gz

.nss.metadata

@@ -3,4 +3,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
+3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz

SOURCES/fips_algorithms.h

@@ -1,188 +0,0 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * Vendors should replace this header file with the file containing those
- * algorithms which have NIST algorithm Certificates.
- */
-
-/* handle special cases. Classes require existing code to already be
- * in place for that class */
-typedef enum {
-    SFTKFIPSNone = 0,
-    SFTKFIPSDH,  /* allow only specific primes */
-    SFTKFIPSECC, /* not just keys but specific curves */
-    SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
-    SFTKFIPSRSAPSS, /* make sure salt isn't too big */
-    SFTKFIPSPBKDF2,  /* handle pbkdf2 FIPS restrictions */
-    SFTKFIPSTlsKeyCheck,  /* check the output of TLS prf functions */
-    SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
-    SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
-    SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
-} SFTKFIPSSpecialClass;
-
-/* set according to your security policy */
-#define SFTKFIPS_PBKDF2_MIN_PW_LEN  8
-
-typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
-struct SFTKFIPSAlgorithmListStr {
-    CK_MECHANISM_TYPE type;
-    CK_MECHANISM_INFO info;
-    CK_ULONG step;
-    SFTKFIPSSpecialClass special;
-    size_t offset;
-};
-
-SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
-/* A sample set of algorithms to allow basic testing in our continous
- * testing infrastructure. The vendor version should replace this with
- * a version that matches their algorithm testing and security policy */
-/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
- * differs in the following ways:
- *    1) the addition of step and class elements to help restrict
- *       the supported key sizes and types.
- *    2) The mechanism flags are restricted to only those that map to
- *       fips approved operations.
- *    3) All key sizes are in bits, independent of mechanism.
- *    4) You can add more then one entry for the same mechanism to handle
- *       multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
- *       or where different operations have different key requirements.
- * This table does not encode all the modules legal FIPS semantics, only
- * those semantics that might possibly change due to algorithms dropping
- * of the security policy late in the process. */
-/* handy common flag types */
-#define CKF_KPG CKF_GENERATE_KEY_PAIR
-#define CKF_GEN CKF_GENERATE
-#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
-#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT )
-#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
-#define CKF_WRP (CKF_WRAP | CKF_UNWRAP)
-#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
-#define CKF_KEA CKF_DERIVE
-#define CKF_KDF CKF_DERIVE
-#define CKF_HSH CKF_DIGEST
-#define CK_MAX 0xffffffffUL
-/* mechanisms using the same key types share the same key type
- * limits */
-#define RSA_FB_KEY 2048, 4096 /* min, max */
-#define RSA_FB_STEP 1
-#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
-#define RSA_LEGACY_FB_STEP 256
-
-#define DSA_FB_KEY 2048, 4096 /* min, max */
-#define DSA_FB_STEP 1024
-#define DH_FB_KEY 2048, 8192 /* min, max */
-#define DH_FB_STEP 1024
-#define EC_FB_KEY 256, 521 /* min, max */
-#define EC_FB_STEP 1       /* key limits handled by special operation */
-#define AES_FB_KEY 128, 256
-#define AES_FB_STEP 64
-    { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
-
-    /* -------------- RSA Multipart Signing Operations -------------------- */
-    { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
-    { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    /* -------------------- Diffie Hellman Operations --------------------- */
-    { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
-    { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
-    /* -------------------- Elliptic Curve Operations --------------------- */
-    { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
-    { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
-    /* ------------------------- RC2 Operations --------------------------- */
-    /* ------------------------- AES Operations --------------------------- */
-    { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD },
-    { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
-    /* ------------------------- Hashing Operations ----------------------- */
-    { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
-    { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    /* --------------------- Secret Key Operations ------------------------ */
-    { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
-    /* ---------------------- SSL/TLS operations ------------------------- */
-    { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
-    { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSTlsKeyCheck, offsetof(CK_TLS12_KEY_MAT_PARAMS, prfHashMechanism) },
-    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHashTls,
-        offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHashTls,
-        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHashTls,
-        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
-
-    /* ------------------------- HKDF Operations -------------------------- */
-    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
-    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
-    { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
-    { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
-    /* ------------------ NIST 800-108 Key Derivations  ------------------- */
-    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    /* --------------------IPSEC ----------------------- */
-    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) },
-    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) },
-    /* ------------------ PBE Key Derivations  ------------------- */
-    { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
-    /* the deprecated mechanisms, don't use for some reason we are supposed
-     * to set the FIPS indicators on these (sigh) */
-    { CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
-    { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
-    { CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
-    { CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
-    { CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHashSp800,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-};
-const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);

SOURCES/nss-3.101-add-ems-policy.patch

@@ -1,107 +0,0 @@
-diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
---- ./lib/pk11wrap/pk11pars.c.ems	2024-06-11 13:09:25.956760476 -0700
-+++ ./lib/pk11wrap/pk11pars.c	2024-06-11 13:09:52.837067481 -0700
-@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
-     { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
-     { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
-     { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
-+    { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
-+
- };
- 
- static const oidValDef smimeKxOptList[] = {
-diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
---- ./lib/pk11wrap/secmodti.h.add_ems_policy	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/pk11wrap/secmodti.h	2023-06-12 17:18:35.129938514 -0700
-@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
- /* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
- #define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
- 
-+/* this oid value could change values if it's added after other new
-+ * upstream oids. We protect applications by hiding the define in a private
-+ * header file that only NSS sees. Currently it's only available through
-+ * the policy code */
-+#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
-+
- #endif /* _SECMODTI_H_ */
-diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
---- ./lib/ssl/ssl3con.c.add_ems_policy	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/ssl/ssl3con.c	2023-06-12 17:18:35.130938525 -0700
-@@ -36,6 +36,7 @@
- #include "pk11func.h"
- #include "secmod.h"
- #include "blapi.h"
-+#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
- 
- #include <stdio.h>
- 
-@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
-     CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
-     unsigned int master_params_len;
- 
-+    /* if we are using TLS and we aren't using the extended master secret,
-+     * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
-+     * send and alert (eventually). In the RSA Server case, the alert
-+     * won't happen until Finish time because the upper level code
-+     * can't tell a difference between this failure and an RSA decrypt
-+     * failure, so it will proceed with a faux key */
-+    if (isTLS) {
-+        PRUint32 policy;
-+        SECStatus rv;
-+
-+        /* first fetch the policy for this algorithm */
-+        rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
-+        /* we only look at the policy if we can fetch it. */
-+        if (rv == SECSuccess) {
-+            if (policy & NSS_USE_ALG_IN_SSL_KX) {
-+                /* just set the error, we don't want to map any errors
-+                 * set by NSS_GetAlgorithmPolicy here */
-+                PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
-+                return SECFailure;
-+            }
-+        }
-+    }
-+
-     if (isTLS12) {
-         if (isDH)
-             master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
-diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
---- ./lib/util/secoid.c.ems	2024-06-11 13:11:28.078155282 -0700
-+++ ./lib/util/secoid.c	2024-06-11 13:12:58.511188172 -0700
-@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
-     ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
-     ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
-     ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
-+
-+    /* this will change upstream. for now apps shouldn't use it */
-+    /* we need it for the policy code.  */
-+    ODE(SEC_OID_PRIVATE_1,
-+        "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
-+
- };
-
- /* PRIVATE EXTENDED SECOID Table
-@@ -2198,6 +2204,10 @@ SECOID_Init(void)
-
-     /* turn off NSS_USE_POLICY_IN_SSL by default */
-     xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
-+    /* turn off TLS REQUIRE EMS by default */
-+    xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
-+
-+
-
-     envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
-     if (envVal)
-diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
---- ./lib/util/secoidt.h.ems	2024-06-11 13:16:13.212411967 -0700
-+++ ./lib/util/secoidt.h	2024-06-11 13:16:48.098810434 -0700
-@@ -530,6 +530,9 @@ typedef enum {
-     SEC_OID_RC2_64_CBC = 385,
-     SEC_OID_RC2_128_CBC = 386,
-     SEC_OID_ECDH_KEA = 387,
-+    /* this will change upstream. for now apps shouldn't use it */
-+    /* give it an obscure name here */
-+    SEC_OID_PRIVATE_1 = 388,
- 
-     SEC_OID_TOTAL
- } SECOidTag;

SOURCES/nss-3.101-chacha-timing-fix.patch

@@ -1,59 +0,0 @@
-diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
---- a/lib/freebl/chacha20poly1305.c
-+++ b/lib/freebl/chacha20poly1305.c
-@@ -213,27 +213,31 @@
- {
- #ifdef NSS_X64
- #ifndef NSS_DISABLE_AVX2
-     if (avx2_support()) {
-         Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
-+        return;
-     }
- #endif
- 
- #ifndef NSS_DISABLE_SSE3
-     if (ssse3_support() && sse4_1_support() && avx_support()) {
-         Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
-+        return;
-     }
- #endif
- 
- #elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
-     !defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
-     if (ppc_crypto_support()) {
-         chacha20vsx(len, output, block, k, nonce, ctr);
--    } else
-+        return;
-+    }
- #endif
-     {
-         Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
-+        return;
-     }
- }
- #endif /* NSS_DISABLE_CHACHAPOLY */
- 
- SECStatus
-@@ -449,20 +453,18 @@
-             (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
-             (uint8_t *)input, output, outTag);
-         goto finish;
-     }
- #endif
--
--    else
- #elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
-     !defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
-     if (ppc_crypto_support()) {
-         Chacha20Poly1305_vsx_aead_encrypt(
-             (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
-             (uint8_t *)input, output, outTag);
-         goto finish;
--    } else
-+    }
- #endif
-     {
-         Hacl_Chacha20Poly1305_32_aead_encrypt(
-             (uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
-             (uint8_t *)input, output, outTag);
-

SOURCES/nss-3.101-default-libpkix.patch

@@ -1,133 +0,0 @@
-diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
---- a/lib/certhigh/certvfypkix.c
-+++ b/lib/certhigh/certvfypkix.c
-@@ -37,11 +37,11 @@
- pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
- 
- PRInt32 parallelFnInvocationCount;
- #endif /* PKIX_OBJECT_LEAK_TEST */
- 
--static PRBool usePKIXValidationEngine = PR_FALSE;
-+static PRBool usePKIXValidationEngine = PR_TRUE;
- #endif /* NSS_DISABLE_LIBPKIX */
- 
- /*
-  * FUNCTION: CERT_SetUsePKIXForValidation
-  * DESCRIPTION:
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -762,13 +762,13 @@
-                                     PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
- 
-         if (pkixError != NULL) {
-             goto loser;
-         } else {
--            char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
-+            char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
-             if (ev && ev[0]) {
--                CERT_SetUsePKIXForValidation(PR_TRUE);
-+                CERT_SetUsePKIXForValidation(PR_FALSE);
-             }
-         }
- #endif /* NSS_DISABLE_LIBPKIX */
-     }
- 
-diff --git a/tests/all.sh b/tests/all.sh
---- a/tests/all.sh
-+++ b/tests/all.sh
-@@ -141,17 +141,22 @@
- ########################################################################
- run_cycle_standard()
- {
-     TEST_MODE=STANDARD
- 
-+    NSS_DISABLE_LIBPKIX_VERIFY="1"
-+    export NSS_DISABLE_LIBPKIX_VERIFY
-+
-     TESTS="${ALL_TESTS}"
-     TESTS_SKIP="libpkix pkits"
- 
-     NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
-     export NSS_DEFAULT_DB_TYPE
- 
-     run_tests
-+
-+    unset NSS_DISABLE_LIBPKIX_VERIFY
- }
- 
- ############################ run_cycle_pkix ############################
- # run test suites with PKIX enabled
- ########################################################################
-@@ -165,13 +170,10 @@
- 
-     HOSTDIR="${HOSTDIR}/pkix"
-     mkdir -p "${HOSTDIR}"
-     init_directories
- 
--    NSS_ENABLE_PKIX_VERIFY="1"
--    export NSS_ENABLE_PKIX_VERIFY
--
-     TESTS="${ALL_TESTS}"
-     TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
- 
-     export -n NSS_SSL_RUN
- 
-diff --git a/tests/common/init.sh b/tests/common/init.sh
---- a/tests/common/init.sh
-+++ b/tests/common/init.sh
-@@ -138,12 +138,12 @@
-         echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
-         echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
-         echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
-         echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
-         echo "export NSS_DEFAULT_DB_TYPE"
--        echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
--        echo "export NSS_ENABLE_PKIX_VERIFY"
-+        echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
-+        echo "export NSS_DISABLE_PKIX_VERIFY"
-         echo "init_directories"
-     }
- 
- # Exit shellfunction to clean up at exit (error, regular or signal)
-     Exit()
-diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
---- a/tests/ssl/ssl.sh
-+++ b/tests/ssl/ssl.sh
-@@ -960,13 +960,12 @@
- ssl_policy_pkix_ocsp()
- {
-   #verbose="-v"
-   html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
- 
--  PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
--  NSS_ENABLE_PKIX_VERIFY="1"
--  export NSS_ENABLE_PKIX_VERIFY
-+  PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
-+  unset NSS_DISABLE_LIBPKIX_VERIFY
- 
-   testname=""
- 
-   if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
-       html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
-@@ -987,16 +986,14 @@
-   grep 12276 ${P_R_SERVERDIR}/vfy.out
-   RET=$?
-   html_msg $RET $RET_EXP "${testname}" \
-            "produced a returncode of $RET, expected is $RET_EXP"
- 
--  if [ "${PKIX_SAVE}" = "unset" ]; then
--      unset NSS_ENABLE_PKIX_VERIFY
--  else
--      NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
--      export NSS_ENABLE_PKIX_VERIFY
-+  if [ "{PKIX_SAVE}" != "unset" ]; then
-+      export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
-   fi
-+
-   cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
- 
-   html "</TABLE><BR>"
- 
- }
-

SOURCES/nss-3.101-disable-ech.patch

@@ -1,81 +0,0 @@
-diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
---- ./gtests/ssl_gtest/manifest.mn.disable_ech	2024-06-12 13:29:17.162207862 -0700
-+++ ./gtests/ssl_gtest/manifest.mn	2024-06-12 13:30:25.699047788 -0700
-@@ -59,7 +59,6 @@ CPPSRCS = \
-       tls_protect.cc \
-       tls_psk_unittest.cc \
-       tls_subcerts_unittest.cc \
--      tls_ech_unittest.cc \
-       tls_xyber_unittest.cc \
-       $(SSLKEYLOGFILE_FILES) \
-       $(NULL)
-diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
---- ./lib/ssl/sslsock.c.disable_ech	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/ssl/sslsock.c	2024-06-12 13:29:17.162207862 -0700
-@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
- SECStatus
- SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
- {
-+#ifdef notdef
-     sslSocket *ss = ssl_FindSocket(fd);
-     if (!ss) {
-         return SECFailure;
-     }
-     ss->opt.enableTls13GreaseEch = enabled;
-     return SECSuccess;
-+#else
-+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
-+    return SECFailure;
-+#endif
- }
- 
- SECStatus
- SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
- {
-+#ifdef notdef
-     sslSocket *ss = ssl_FindSocket(fd);
-     if (!ss || size == 0) {
-         return SECFailure;
-@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
-     ssl_Release1stHandshakeLock(ss);
- 
-     return SECSuccess;
-+#else
-+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
-+    return SECFailure;
-+#endif
- }
- 
- SECStatus
- SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
- {
-+#ifdef notdef
-     sslSocket *ss = ssl_FindSocket(fd);
-     if (!ss) {
-         return SECFailure;
-     }
-     ss->opt.enableTls13BackendEch = enabled;
-     return SECSuccess;
-+#else
-+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
-+    return SECFailure;
-+#endif
- }
- 
- SECStatus
- SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
- {
-+#ifdef notdef
-     sslSocket *ss = ssl_FindSocket(fd);
-     if (!ss) {
-         return SECFailure;
-     }
-     ss->opt.callExtensionWriterOnEchInner = enabled;
-     return SECSuccess;
-+#else
-+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
-+    return SECFailure;
-+#endif
- }
- 
- SECStatus

SOURCES/nss-3.101-disable-md5.patch

@@ -1,81 +0,0 @@
-diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
---- ./lib/pk11wrap/pk11pars.c.no_md	2024-06-11 12:41:35.054654990 -0700
-+++ ./lib/pk11wrap/pk11pars.c	2024-06-11 12:46:25.347979894 -0700
-@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
- static const oidValDef hashOptList[] = {
-     /* Hashes */
-     { CIPHER_NAME("MD2"), SEC_OID_MD2,
--      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
--          NSS_USE_ALG_IN_PKCS12 },
-+      NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
-     { CIPHER_NAME("MD4"), SEC_OID_MD4,
--      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
--          NSS_USE_ALG_IN_PKCS12 },
-+      NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
-     { CIPHER_NAME("MD5"), SEC_OID_MD5,
--      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
--          NSS_USE_ALG_IN_PKCS12 },
-+      NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
-     { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
-       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
-           NSS_USE_ALG_IN_PKCS12 },
-diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
-diff -r 699541a7793b lib/util/secoid.c
---- a/lib/util/secoid.c	Tue Jun 16 23:03:22 2020 +0000
-+++ b/lib/util/secoid.c	Thu Jun 25 14:33:09 2020 +0200
-@@ -2042,6 +2042,19 @@
-             int i;
- 
-             for (i = 1; i < SEC_OID_TOTAL; i++) {
-+                switch (i) {
-+                case SEC_OID_MD2:
-+                case SEC_OID_MD4:
-+                case SEC_OID_MD5:
-+                case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
-+                case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
-+                case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
-+                case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
-+                case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
-+                    continue;
-+                default:
-+                    break;
-+                }
-                 if (oids[i].desc && strstr(arg, oids[i].desc)) {
-                     xOids[i].notPolicyFlags = notEnable |
-                                               (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
-diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
---- ./tests/tools/pkcs12policy.txt.disable_md5_test	2024-06-07 09:26:03.000000000 -0700
-+++ ./tests/tools/pkcs12policy.txt	2024-06-19 11:15:46.666728170 -0700
-@@ -91,21 +91,21 @@
-   0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1  disallow rc2 (read), RC4 and RC2
- # integrity policy check the various has based controls.
- #  NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
--# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
-+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
- # encryption side. These tests purposefully tests that the default fails to encrypt
- # but succeeds when decrypting.
-  27  x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
--  0  0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
--  0  0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
-- 28  x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
-+  0  0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
-+  0  0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
-+ 28  x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
-  27  x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
-- 29  x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
--  0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
--  0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
--  0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
--  0  0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
--  0  0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
--  0  0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
-+ 29  x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
-+  0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
-+  0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
-+  0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
-+  0  0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
-+  0  0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
-+  0  0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
-   0  0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
-  29  x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
-   0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256

SOURCES/nss-3.101-ec-dbm-test.patch

@@ -1,24 +0,0 @@
-diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
---- ./tests/ec/ectest.sh.dbm	2024-06-18 14:53:51.201438651 -0700
-+++ ./tests/ec/ectest.sh	2024-06-18 14:56:09.993993637 -0700
-@@ -45,12 +45,20 @@ ectest_genkeydb_test()
-   if [ $? -ne 0 ]; then
-     return $?
-   fi
-+  if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
-   curves=( \
-     "curve25519" \
-     "secp256r1" \
-     "secp384r1" \
-     "secp521r1" \
-   )
-+  else
-+  curves=( \
-+    "secp256r1" \
-+    "secp384r1" \
-+    "secp521r1" \
-+  )
-+  fi
-   for curve in "${curves[@]}"; do
-     echo "Test $curve key generation using certutil ..."
-     certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}

SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch

@@ -1,12 +0,0 @@
-diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
---- ./tests/ssl/sslpolicy.txt.rsa_disable_test	2024-06-19 11:17:10.261637015 -0700
-+++ ./tests/ssl/sslpolicy.txt	2024-06-19 11:18:22.797425628 -0700
-@@ -197,7 +197,7 @@
- # compatibility reasons
- #  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
-   1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
--  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
-+  0 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
-   1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
-   0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
- # test default settings

SOURCES/nss-3.101-el8-no-p12-smime-policy.patch

@@ -1,89 +0,0 @@
-diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
---- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/pkcs12/p12plcy.c	2024-07-17 11:26:00.334836451 -0700
-@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
- static PRBool
- sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
- {
-+#ifdef notdef
-     PRUint32 policy;
-     SECStatus rv;
- 
-@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
-         return PR_TRUE;
-     }
-     return PR_FALSE;
-+#else
-+    return PR_TRUE;
-+#endif
- }
- 
- PRBool
-diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
---- ./lib/smime/smimeutil.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/smimeutil.c	2024-07-17 11:27:04.716617111 -0700
-@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
- PRBool
- smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
- {
-+#ifdef notdef
-     PRUint32 policyFlags;
- 
-     /* some S/MIME algs map to the same underlying KEA mechanism,
-@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
-         PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
-         return PR_FALSE;
-     }
-+#endif
-     return PR_TRUE;
- }
- 
-@@ -485,6 +487,7 @@ smime_init_once(void *arg)
-         return PR_FAILURE;
-     }
- 
-+#ifdef notdef
-     /* At initialization time, we need to set up the defaults. We first
-      * look to see if the system or application has set up certain algorithms
-      * by policy. If they have set up values by policy we'll only allow those
-@@ -497,6 +500,11 @@ smime_init_once(void *arg)
-         PORT_Free(tags);
-         tags = NULL;
-     }
-+#else
-+    /* just initialize the old maps */
-+    rv = SECSuccess;
-+    tagCount = 0;
-+#endif
-     if ((rv != SECSuccess) || (tagCount == 0)) {
-         /* No algorithms have been enabled by policy (either by the system
-          * or by the application, we then will use the traditional default
-diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
---- ./tests/smime/smime.sh.no_p12_smime_policy	2024-07-17 12:27:36.262106070 -0
-700
-+++ ./tests/smime/smime.sh	2024-07-17 12:29:08.251207306 -0700
-@@ -872,8 +872,8 @@ smime_init
- smime_main
- smime_data_tb
- smime_p7
--if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
--  smime_policy
--fi
-+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
-+#  smime_policy
-+#fi
- smime_cleanup
-
-diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
---- ./tests/tools/tools.sh.no_p12_smime_policy	2024-07-17 12:27:36.262106070 -0
-700
-+++ ./tests/tools/tools.sh	2024-07-17 12:28:32.418778346 -0700
-@@ -586,7 +586,7 @@ tools_p12()
-   tools_p12_import_pbmac1_samples
-   if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
-     tools_p12_import_rsa_pss_private_key
--    tools_p12_policy
-+#tools_p12_policy
-   fi
- }
-

SOURCES/nss-3.101-enable-kyber-policy.patch

@@ -1,13 +0,0 @@
-diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
---- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy	2024-06-12 14:44:24.680338868 -0700
-+++ ./lib/pk11wrap/pk11pars.c	2024-06-12 14:44:48.368609356 -0700
-@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
-       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
-     { CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
-       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
--    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
-+    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 
-+      NSS_USE_ALG_IN_SSL_KX },
-     /* ANSI X9.62 named elliptic curves (characteristic two field) */
-     { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
-       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },

SOURCES/nss-3.101-extend-db-dump-time.patch

@@ -1,12 +0,0 @@
-diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
---- ./tests/dbtests/dbtests.sh.extend	2023-11-15 13:17:50.651020458 -0800
-+++ ./tests/dbtests/dbtests.sh	2023-11-15 13:18:57.091608850 -0800
-@@ -366,7 +366,7 @@ dbtest_main()
-       RARRAY=($dtime)
-       TIMEARRAY=(${RARRAY[1]//./ })
-       echo "${TIMEARRAY[0]} seconds"
--      test ${TIMEARRAY[0]} -lt 5
-+      test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
-       ret=$?
-       html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
-     fi

SOURCES/nss-3.101-fips-indicators.patch

@@ -1,190 +0,0 @@
-diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
---- ./lib/softoken/pkcs11c.c.fips_indicators	2024-06-12 13:38:15.995811284 -0700
-+++ ./lib/softoken/pkcs11c.c	2024-06-12 13:41:30.008188930 -0700
-@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
-     context->blockSize = 0;
-     context->maxLen = 0;
-     context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
--                                           operation, key);
-+                                           operation, key, 0);
-     *contextPtr = context;
-     return CKR_OK;
- }
-@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
-     crv = sftk_handleObject(key, session);
-     /* we need to do this check at the end, so we can check the generated
-      * key length against fips requirements */
--    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
-+    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
-     session->lastOpWasFIPS = key->isFIPS;
-     sftk_FreeSession(session);
-     if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
-@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
-         return crv;
-     }
-     /* we need to do this check at the end to make sure the generated key meets the key length requirements */
--    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
-+    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0);
-     publicKey->isFIPS = privateKey->isFIPS;
-     session->lastOpWasFIPS = privateKey->isFIPS;
-     sftk_FreeSession(session);
-@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
-         return CKR_TEMPLATE_INCONSISTENT;
-     }
- 
-+    if (!params->bExpand) {
-+        keySize = hashLen;
-+    }
-+
-     /* sourceKey is NULL if we are called from the POST, skip the
-      * sensitiveCheck */
-     if (sourceKey != NULL) {
-@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
-                     mech.pParameter = params;
-                     mech.ulParameterLen = sizeof(*params);
-                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
--                                                       CKA_DERIVE, saltKey);
-+                                                       CKA_DERIVE, saltKey,
-+                                                       keySize);
-                 }
-                 saltKeySource = saltKey->source;
-                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
-@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
-     /* HKDF-Expand */
-     if (!params->bExpand) {
-         okm = prk;
--        keySize = genLen = hashLen;
-+        genLen = hashLen;
-     } else {
-         /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
-          * T(n) = HMAC-Hash(prk, T(n-1) | info | n
-@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
-             return CKR_KEY_HANDLE_INVALID;
-         }
-     }
--    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
-+    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
-+                                       keySize);
- 
-     switch (mechanism) {
-         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
-diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
---- ./lib/softoken/pkcs11i.h.fips_indicators	2024-06-12 13:38:15.988811198 -0700
-+++ ./lib/softoken/pkcs11i.h	2024-06-12 13:38:15.996811296 -0700
-@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
- /* check the FIPS table to determine if this current operation is allowed by
-  * FIPS security policy */
- PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
--                            CK_ATTRIBUTE_TYPE op, SFTKObject *source);
-+                            CK_ATTRIBUTE_TYPE op, SFTKObject *source,
-+                            CK_ULONG targetKeySize);
- /* add validation objects to the slot */
- CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
- 
-diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
---- ./lib/softoken/pkcs11u.c.fips_indicators	2024-06-12 13:38:15.990811223 -0700
-+++ ./lib/softoken/pkcs11u.c	2024-06-12 13:38:15.996811296 -0700
-@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
- static CK_ULONG
- sftk_getKeyLength(SFTKObject *source)
- {
--    CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
-+    CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE;
-     CK_ATTRIBUTE_TYPE keyAttribute;
-     CK_ULONG keyLength = 0;
-     SFTKAttribute *attribute;
-@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
-     return keyLength;
- }
- 
-+PRBool
-+sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
-+{
-+    switch (hash) {
-+        case CKM_SHA256:
-+        case CKG_MGF1_SHA256:
-+        case CKM_SHA384:
-+        case CKG_MGF1_SHA384:
-+        case CKM_SHA512:
-+        case CKG_MGF1_SHA512:
-+            return PR_TRUE;
-+    }
-+    return PR_FALSE;
-+}
-+
- /*
-  * handle specialized FIPS semantics that are too complicated to
-  * handle with just a table. NOTE: this means any additional semantics
-  * would have to be coded here before they can be added to the table */
- static PRBool
- sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
--                   SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
-+                   SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
-+                   CK_ULONG keyLength, CK_ULONG targetKeyLength)
- {
-     switch (mechInfo->special) {
-         case SFTKFIPSDH: {
-@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-             if (hashObj == NULL) {
-                 return PR_FALSE;
-             }
-+            /* cap the salt for legacy keys */
-+            if ((keyLength <= 1024) && (pss->sLen > 63)) {
-+                return PR_FALSE;
-+            }
-+            /* cap the salt for based on the hash */
-             if (pss->sLen > hashObj->length) {
-                 return PR_FALSE;
-             }
--            return PR_TRUE;
-+            return sftk_CheckFIPSHash(pss->hashAlg);
-         }
-         case SFTKFIPSPBKDF2: {
-             /* PBKDF2 must have the following addition restrictions
-@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-              }
-              return PR_TRUE;
-         }
-+        /* check the hash mechanisms to make sure they themselves are FIPS */
-+        case SFTKFIPSChkHash:
-+            if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
-+                return PR_FALSE;
-+            }
-+            return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
-+                        + mechInfo->offset));
-         default:
-             break;
-     }
-@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
- 
- PRBool
- sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
--                     SFTKObject *source)
-+                     SFTKObject *source, CK_ULONG targetKeyLength)
- {
- #ifndef NSS_HAS_FIPS_INDICATORS
-     return PR_FALSE;
-@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
-         SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
-         /* if we match the number of records exactly, then we are an
-          * approved algorithm in the approved mode with an approved key */
--        if (((mech->mechanism == mechs->type) &&
--             (opFlags == (mechs->info.flags & opFlags)) &&
--             (keyLength <= mechs->info.ulMaxKeySize) &&
--             (keyLength >= mechs->info.ulMinKeySize) &&
--             ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
-+        if ((mech->mechanism == mechs->type) &&
-+            (opFlags == (mechs->info.flags & opFlags)) &&
-+            (keyLength <= mechs->info.ulMaxKeySize) &&
-+            (keyLength >= mechs->info.ulMinKeySize) &&
-+            (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
-+            ((targetKeyLength == 0) ||
-+             ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
-+             (targetKeyLength >= mechs->info.ulMinKeySize) &&
-+             ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
-             ((mechs->special == SFTKFIPSNone) ||
--             sftk_handleSpecial(slot, mech, mechs, source))) {
-+             sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
-             return PR_TRUE;
-         }
-     }

SOURCES/nss-3.101-fips-review.patches

@@ -1,490 +0,0 @@
-diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
---- ./lib/freebl/dh.c.fips-review	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/freebl/dh.c	2024-06-12 12:04:10.639360404 -0700
-@@ -445,7 +445,7 @@ cleanup:
- PRBool
- KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
- {
--    mp_int p, q, y, r;
-+    mp_int p, q, y, r, psub1;
-     mp_err err;
-     int cmp = 1; /* default is false */
-     if (!Y || !prime || !subPrime) {
-@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
-     MP_DIGITS(&q) = 0;
-     MP_DIGITS(&y) = 0;
-     MP_DIGITS(&r) = 0;
-+    MP_DIGITS(&psub1) = 0;
-     CHECK_MPI_OK(mp_init(&p));
-     CHECK_MPI_OK(mp_init(&q));
-     CHECK_MPI_OK(mp_init(&y));
-     CHECK_MPI_OK(mp_init(&r));
-+    CHECK_MPI_OK(mp_init(&psub1));
-     SECITEM_TO_MPINT(*prime, &p);
-     SECITEM_TO_MPINT(*subPrime, &q);
-     SECITEM_TO_MPINT(*Y, &y);
-+    CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
-+    /*
-+     * We check that the public value isn't zero (which isn't in the
-+     * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
-+     * also check that the public value is less than p, to avoid being fooled
-+     * by values like p+1 or 2*p-1.
-+     * This check is required by SP-800-56Ar3. It's also done in derive,
-+     * but this is only called in various FIPS cases, so put it here to help
-+     * reviewers find it.
-+     */
-+    if (mp_cmp_d(&y, 1) <= 0 ||
-+        mp_cmp(&y, &psub1) >= 0) {
-+        err = MP_BADARG;
-+        goto cleanup;
-+    }
-     /* compute r = y**q mod p */
-     CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
-     /* compare to 1 */
-@@ -472,6 +489,7 @@ cleanup:
-     mp_clear(&q);
-     mp_clear(&y);
-     mp_clear(&r);
-+    mp_clear(&psub1);
-     if (err) {
-         MP_TO_SEC_ERROR(err);
-         return PR_FALSE;
-diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
---- ./lib/softoken/pkcs11c.c.fips-review	2024-06-12 12:04:10.638360392 -0700
-+++ ./lib/softoken/pkcs11c.c	2024-06-12 13:06:35.410551333 -0700
-@@ -43,6 +43,7 @@
- 
- #include "prprf.h"
- #include "prenv.h"
-+#include "prerror.h"
- 
- #define __PASTE(x, y) x##y
- #define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
-@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
-      * handle the base object stuff
-      */
-     crv = sftk_handleObject(key, session);
-+    /* we need to do this check at the end, so we can check the generated
-+     * key length against fips requirements */
-+    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
-+    session->lastOpWasFIPS = key->isFIPS;
-     sftk_FreeSession(session);
-     if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
-         crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
-@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
-     if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
-         crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
-     }
--    /* we need to do this check at the end, so we can check the generated key length against
--     * fips requirements */
--    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
-     if (crv == CKR_OK) {
-         *phKey = key->handle;
-     }
-@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
- 
-     if (isDerivable) {
-         SFTKAttribute *pubAttribute = NULL;
--        CK_OBJECT_HANDLE newKey;
-         PRBool isFIPS = sftk_isFIPS(slot->slotID);
--        CK_RV crv2;
--        CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
--        CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
--        CK_ULONG keyLen = 128;
--        CK_BBOOL ckTrue = CK_TRUE;
--        CK_ATTRIBUTE template[] = {
--            { CKA_CLASS, &secret, sizeof(secret) },
--            { CKA_KEY_TYPE, &generic, sizeof(generic) },
--            { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
--            { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
--        };
--        CK_ULONG templateCount = PR_ARRAY_SIZE(template);
--        CK_ECDH1_DERIVE_PARAMS ecParams;
-+        NSSLOWKEYPrivateKey *lowPrivKey = NULL;
-+        ECPrivateKey *ecPriv;
-+        SECItem *lowPubValue = NULL;
-+        SECItem item;
-+        SECStatus rv;
- 
-         crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
--        /* FIPS 140-2 requires we verify that the resulting key is a valid key.
--         * The easiest way to do this is to do a derive operation, which checks
--         * the validity of the key */
--
-+        /* FIPS 140-3 requires we verify that the resulting key is a valid key
-+         * by recalculating the public can an compare it to our own public
-+         * key. */
-+        lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv);
-+        if (lowPrivKey == NULL) {
-+            return sftk_MapCryptError(PORT_GetError());
-+        }
-+        /* recalculate the public key from the private key */
-         switch (keyType) {
--            case CKK_DH:
--                mech.mechanism = CKM_DH_PKCS_DERIVE;
--                pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
--                if (pubAttribute == NULL) {
--                    return CKR_DEVICE_ERROR;
--                }
--                mech.pParameter = pubAttribute->attrib.pValue;
--                mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
--                break;
--            case CKK_EC:
--                mech.mechanism = CKM_ECDH1_DERIVE;
--                pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
--                if (pubAttribute == NULL) {
--                    return CKR_DEVICE_ERROR;
--                }
--                ecParams.kdf = CKD_NULL;
--                ecParams.ulSharedDataLen = 0;
--                ecParams.pSharedData = NULL;
--                ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
--                ecParams.pPublicData = pubAttribute->attrib.pValue;
--                mech.pParameter = &ecParams;
--                mech.ulParameterLen = sizeof(ecParams);
--                break;
--            default:
--                return CKR_DEVICE_ERROR;
-+        case CKK_DH:
-+            rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime,
-+                           &lowPrivKey->u.dh.privateValue, &item, 0);
-+            if (rv != SECSuccess) {
-+                return CKR_GENERAL_ERROR;
-+            }
-+            lowPubValue = SECITEM_DupItem(&item);
-+            SECITEM_ZfreeItem(&item, PR_FALSE);
-+            pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
-+            break;
-+        case CKK_EC:
-+            rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv,
-+                                   lowPrivKey->u.ec.privateValue.data,
-+                                   lowPrivKey->u.ec.privateValue.len);
-+            if (rv != SECSuccess) {
-+                return CKR_GENERAL_ERROR;
-+            }
-+            /* make sure it has the same encoding */
-+            if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
-+                lowPrivKey->u.ec.ecParams.type != ec_params_named) {
-+              lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
-+            } else {
-+              lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
-+                                               SEC_ASN1_GET(SEC_OctetStringTemplate));;
-+            }
-+            pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
-+            /* clear out our generated private key */
-+            PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
-+            break;
-+        default:
-+            return CKR_DEVICE_ERROR;
-         }
- 
--        crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
--        if (crv != CKR_OK) {
--            sftk_FreeAttribute(pubAttribute);
--            return crv;
-+        /* now compare new public key with our already generated key */
-+        if ((pubAttribute == NULL) || (lowPubValue == NULL) ||
-+            (pubAttribute->attrib.ulValueLen != lowPubValue->len) ||
-+            (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data,
-+                        lowPubValue->len) != 0)) {
-+            if (pubAttribute) sftk_FreeAttribute(pubAttribute);
-+            if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
-+            PORT_SetError(SEC_ERROR_BAD_KEY);
-+            return CKR_GENERAL_ERROR;
-         }
-+        SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
-+
-         /* FIPS requires full validation, but in fipx mode NSC_Derive
-          * only does partial validation with approved primes, now handle
-          * full validation */
-@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
-             SECItem pubKey;
-             SECItem prime;
-             SECItem subPrime;
-+            SECItem base;
-+            SECItem generator;
-             const SECItem *subPrimePtr = &subPrime;
- 
-             pubKey.data = pubAttribute->attrib.pValue;
-             pubKey.len = pubAttribute->attrib.ulValueLen;
--            prime.data = subPrime.data = NULL;
--            prime.len = subPrime.len = 0;
-+            base.data = prime.data = subPrime.data = NULL;
-+            base.len = prime.len = subPrime.len = 0;
-             crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
-             if (crv != CKR_OK) {
-                 goto done;
-             }
--            crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
-+            crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE);
-+            if (crv != CKR_OK) {
-+                goto done;
-+            }
-             /* we ignore the return code an only look at the length */
--            if (subPrime.len == 0) {
--                /* subprime not supplied, In this case look it up.
--                 * This only works with approved primes, but in FIPS mode
--                 * that's the only kine of prime that will get here */
--                subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
--                if (subPrimePtr == NULL) {
--                    crv = CKR_GENERAL_ERROR;
-+            /* do we have a known prime ? */
-+            subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS);
-+            if (subPrimePtr == NULL) {
-+                if (subPrime.len == 0) {
-+                    /* if not a known prime, subprime must be supplied */
-+                    crv = CKR_ATTRIBUTE_VALUE_INVALID;
-+                    goto done;
-+                } else {
-+                    /* not a known prime, check for primality of prime
-+                     * and subPrime */
-+                    if (!KEA_PrimeCheck(&prime)) {
-+                        crv = CKR_ATTRIBUTE_VALUE_INVALID;
-+                        goto done;
-+                    }
-+                    if (!KEA_PrimeCheck(&subPrime)) {
-+                        crv = CKR_ATTRIBUTE_VALUE_INVALID;
-+                        goto done;
-+                    }
-+                    /* if we aren't using a defined group, make sure base is in the
-+                     * subgroup. If it's not, then our key could fail or succeed sometimes.
-+                     * This makes the failure reliable */
-+                    if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) {
-+                        crv = CKR_ATTRIBUTE_VALUE_INVALID;
-+                    }
-+                }
-+                subPrimePtr = &subPrime;
-+            } else {
-+                /* we're using a known group, make sure we are using the known generator for that group */
-+                if (SECITEM_CompareItem(&generator, &base) != 0) {
-+                    crv = CKR_ATTRIBUTE_VALUE_INVALID;
-                     goto done;
-                 }
-+                if (subPrime.len != 0) {
-+                    /* we have a known prime and a supplied subPrime,
-+                     * make sure the subPrime matches the subPrime for
-+                     * the known Prime */
-+                     if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) {
-+                        crv = CKR_ATTRIBUTE_VALUE_INVALID;
-+                        goto done;
-+                     }
-+                 }
-             }
-             if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
--                crv = CKR_GENERAL_ERROR;
-+                crv = CKR_ATTRIBUTE_VALUE_INVALID;
-             }
-         done:
-+            SECITEM_ZfreeItem(&base, PR_FALSE);
-             SECITEM_ZfreeItem(&subPrime, PR_FALSE);
-             SECITEM_ZfreeItem(&prime, PR_FALSE);
-         }
-         /* clean up before we return */
-         sftk_FreeAttribute(pubAttribute);
--        crv2 = NSC_DestroyObject(hSession, newKey);
-         if (crv != CKR_OK) {
-             return crv;
-         }
--        if (crv2 != CKR_OK) {
--            return crv2;
--        }
-     }
- 
-     return CKR_OK;
-@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
-      * created and linked.
-      */
-     crv = sftk_handleObject(publicKey, session);
--    sftk_FreeSession(session);
-     if (crv != CKR_OK) {
-+        sftk_FreeSession(session);
-         sftk_FreeObject(publicKey);
-         NSC_DestroyObject(hSession, privateKey->handle);
-         sftk_FreeObject(privateKey);
-@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
-     }
- 
-     if (crv != CKR_OK) {
-+        sftk_FreeSession(session);
-         NSC_DestroyObject(hSession, publicKey->handle);
-         sftk_FreeObject(publicKey);
-         NSC_DestroyObject(hSession, privateKey->handle);
-@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
-     /* we need to do this check at the end to make sure the generated key meets the key length requirements */
-     privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
-     publicKey->isFIPS = privateKey->isFIPS;
-+    session->lastOpWasFIPS = privateKey->isFIPS;
-+    sftk_FreeSession(session);
- 
-     *phPrivateKey = privateKey->handle;
-     *phPublicKey = publicKey->handle;
-@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
- 
-             /* if the prime is an approved prime, we can skip all the other
-              * checks. */
--            subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
-+            subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS);
-             if (subPrime == NULL) {
-                 SECItem dhSubPrime;
-                 /* If the caller set the subprime value, it means that
-@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
-                 secretlen = tmp.len;
-             } else {
-                 secretlen = keySize;
-+                key->isFIPS = PR_FALSE;
-                 crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
-                                           &tmp, mechParams->pSharedData,
-                                           mechParams->ulSharedDataLen, mechParams->kdf);
-diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
---- ./lib/softoken/pkcs11i.h.fips-review	2024-06-12 12:04:10.638360392 -0700
-+++ ./lib/softoken/pkcs11i.h	2024-06-12 12:04:10.640360416 -0700
-@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
- /* dh verify functions */
- /* verify that dhPrime matches one of our known primes, and if so return
-  * it's subprime value */
--const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
-+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS);
- /* check if dhSubPrime claims dhPrime is a safe prime. */
- SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
- /* map an operation Attribute to a Mechanism flag */
-diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
---- ./lib/softoken/pkcs11u.c.fips-review	2024-06-12 12:04:10.638360392 -0700
-+++ ./lib/softoken/pkcs11u.c	2024-06-12 12:04:10.640360416 -0700
-@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-     switch (mechInfo->special) {
-         case SFTKFIPSDH: {
-             SECItem dhPrime;
-+            SECItem dhBase;
-+            SECItem dhGenerator;
-+            PRBool val = PR_FALSE;
-             const SECItem *dhSubPrime;
-             CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
-                                                source, CKA_PRIME);
-             if (crv != CKR_OK) {
-                 return PR_FALSE;
-             }
--            dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
-+            crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE);
-+            if (crv != CKR_OK) {
-+                return PR_FALSE;
-+            }
-+            dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE);
-+            val = (dhSubPrime) ? PR_TRUE : PR_FALSE;
-+            if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) {
-+                val = PR_FALSE;
-+            }
-             SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
--            return (dhSubPrime) ? PR_TRUE : PR_FALSE;
-+            SECITEM_ZfreeItem(&dhBase, PR_FALSE);
-+            return val;
-         }
-         case SFTKFIPSNone:
-             return PR_FALSE;
-diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
---- ./lib/softoken/sftkdhverify.c.fips-review	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/softoken/sftkdhverify.c	2024-06-12 12:04:10.641360427 -0700
-@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
-                                            (unsigned char *)subprime_tls_8192_data,
-                                            sizeof(subprime_tls_8192_data) };
- 
-+/* generator for all the groups is 2 */
-+static const unsigned char generator_2_data[] = { 2 };
-+
-+
-+static const SECItem generator_2 =
-+    { siBuffer,
-+      (unsigned char *)generator_2_data,
-+      sizeof(generator_2_data) };
-+
- /*
-  * verify that dhPrime matches one of our known primes
-  */
- const SECItem *
--sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
-+sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS)
- {
-     /* use the length to decide which primes to check */
-     switch (dhPrime->len) {
-@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
-                             sizeof(prime_ike_1536)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_1536;
-             }
-             break;
-         case 2048 / PR_BITS_PER_BYTE:
-             if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
-                             sizeof(prime_tls_2048)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_tls_2048;
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
-                             sizeof(prime_ike_2048)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_2048;
-             }
-             break;
-         case 3072 / PR_BITS_PER_BYTE:
-             if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
-                             sizeof(prime_tls_3072)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_tls_3072;
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
-                             sizeof(prime_ike_3072)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_3072;
-             }
-             break;
-         case 4096 / PR_BITS_PER_BYTE:
-             if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
-                             sizeof(prime_tls_4096)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_tls_4096;
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
-                             sizeof(prime_ike_4096)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_4096;
-             }
-             break;
-         case 6144 / PR_BITS_PER_BYTE:
-             if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
-                             sizeof(prime_tls_6144)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_tls_6144;
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
-                             sizeof(prime_ike_6144)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_6144;
-             }
-             break;
-         case 8192 / PR_BITS_PER_BYTE:
-             if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
-                             sizeof(prime_tls_8192)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_tls_8192;
-             }
-             if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
-                             sizeof(prime_ike_8192)) == 0) {
-+                if (g) *g = generator_2;
-                 return &subprime_ike_8192;
-             }
-             break;
-diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
---- ./lib/softoken/sftkike.c.fips-review	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/softoken/sftkike.c	2024-06-12 12:04:10.641360427 -0700
-@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
-             goto fail;
-         }
-     } else {
-+        /* ikev1 isn't validated, if we use this function in ikev1 mode,
-+         * mark the resulting key as not FIPS */
-+        if (!params->bRekey) {
-+            outKey->isFIPS = PR_FALSE;
-+        }
-         crv = prf_init(&context, inKey->attrib.pValue,
-                        inKey->attrib.ulValueLen);
-         if (crv != CKR_OK) {

SOURCES/nss-3.101-fix-cms-abi-break.patch

@@ -1,115 +0,0 @@
-diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
---- ./lib/smime/cmsasn1.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/cmsasn1.c	2024-09-06 18:05:27.808338289 -0700
-@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
-     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
-           SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
-       offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
--      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
-+      SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
-     { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
-       offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
-       SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
-diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
---- ./lib/smime/cmslocal.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/cmslocal.h	2024-09-06 18:04:47.647863624 -0700
-@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
- 
- extern SECStatus
- NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
--                                 SECItem *encKey, PRBool genUkm, SECItem *ukm,
-+                                 SECItem *encKey, PRBool genUkm, SECItem **ukm,
-                                  SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
- 
- PK11SymKey *
-diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
---- ./lib/smime/cmspubkey.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/cmspubkey.c	2024-09-06 18:04:47.647863624 -0700
-@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
-     unsigned char suppPubInfo[4] = { 0 };
- 
-     SI.keyInfo = keyInfo;
--    SI.entityUInfo.type = ukm->type;
--    SI.entityUInfo.data = ukm->data;
--    SI.entityUInfo.len = ukm->len;
-+    if (ukm) {
-+        SI.entityUInfo.type = ukm->type;
-+        SI.entityUInfo.data = ukm->data;
-+        SI.entityUInfo.len = ukm->len;
-+    } else {
-+        SI.entityUInfo.type = siBuffer;
-+        SI.entityUInfo.data = NULL;
-+        SI.entityUInfo.len = 0;
-+    }
- 
-     SI.suppPubInfo.type = siBuffer;
-     SI.suppPubInfo.data = suppPubInfo;
-@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
- SECStatus
- NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
-                                  PK11SymKey *bulkkey, SECItem *encKey,
--                                 PRBool genUkm, SECItem *ukm,
-+                                 PRBool genUkm, SECItem **ukmp,
-                                  SECAlgorithmID *keyEncAlg, SECItem *pubKey,
-                                  void *wincx)
- {
-@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
-     SECAlgorithmID keyWrapAlg;
-     SECOidTag keyEncAlgtag;
-     SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
-+    SECItem *ukm = *ukmp;
-     CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
-     CK_ULONG kdf;
- 
--    if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
-+    if (genUkm && (ukm != NULL)) {
-         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
-         return SECFailure;
-     }
-@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
-      * contain 512 bits for Diffie-Hellman key agreement. */
- 
-     if (genUkm) {
--        ukm->type = siBuffer;
--        ukm->len = 64;
--        ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
--
--        if (ukm->data == NULL) {
-+        ukm = SECITEM_AllocItem(poolp, NULL, 64);
-+        if (ukm == NULL) {
-             goto loser;
-         }
-+        ukm->type = siBuffer;
-+
-         rv = PK11_GenerateRandom(ukm->data, ukm->len);
-         if (rv != SECSuccess) {
-             goto loser;
-         }
-+        *ukmp = ukm; /* return it */
-     }
- 
-     SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
-diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
---- ./lib/smime/cmsrecinfo.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/cmsrecinfo.c	2024-09-06 18:04:47.647863624 -0700
-@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
-             parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
-             enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
-             oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
--            ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
-+            ukm = ri->ri.keyAgreeRecipientInfo.ukm;
-             break;
-         case NSSCMSRecipientInfoID_KEK:
-             algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
-diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
---- ./lib/smime/cmst.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
-+++ ./lib/smime/cmst.h	2024-09-06 18:04:47.647863624 -0700
-@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
- struct NSSCMSKeyAgreeRecipientInfoStr {
-     SECItem version;
-     NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
--    SECItem ukm; /* optional */
-+    SECItem *ukm; /* optional */
-     SECAlgorithmID keyEncAlg;
-     NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
- };

SOURCES/nss-3.101-fix-missing-size-checks.patch

@@ -1,126 +0,0 @@
-diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
---- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
-+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
-@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
- // Fail to connect with a weak RSA key.
- TEST_P(TlsConnectTls13, DCWeakKey) {
-   Reset(kPssDelegatorId);
-   EnsureTlsSetup();
-   static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
-                                                 ssl_sig_rsa_pss_pss_sha256};
-   client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
-   server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
-+  PRInt32 keySizeFlags;
-+  ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
-+  // turn off the signing key sizes so we actually test the ssl tests
-+  ASSERT_EQ(SECSuccess,
-+            NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
- #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
-   // save the MIN POLICY length.
-   PRInt32 minRsa;
- 
-   ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
- #if RSA_MIN_MODULUS_BITS >= 2048
-   ASSERT_EQ(SECSuccess,
-             NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
-@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
-   client_->EnableDelegatedCredentials();
- 
-   auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
-       client_, ssl_delegated_credentials_xtn);
-   ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
- #if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
-   ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
- #endif
-+  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
- }
- 
- class ReplaceDCSigScheme : public TlsHandshakeFilter {
-  public:
-   ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
-       : TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
- 
-  protected:
-diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
---- a/lib/cryptohi/seckey.c
-+++ b/lib/cryptohi/seckey.c
-@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
-         return 0;
-     }
- 
-     /* interpret modulus length as key strength */
-     switch (privk->keyType) {
-         case rsaKey:
-         case rsaPssKey:
-         case rsaOaepKey:
--            /* some tokens don't export CKA_MODULUS on the private key,
--             * PK11_SignatureLen works around this if necessary */
--            bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
--            if (bitSize == -1) {
--                bitSize = 0;
-+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
-+                                    CKA_MODULUS, NULL, &params);
-+            if ((rv != SECSuccess) || (params.data == NULL)) {
-+                /* some tokens don't export CKA_MODULUS on the private key,
-+                 * PK11_SignatureLen works around this if necessary. This
-+                 * method is less percise because it returns bytes instead
-+                 * bits, so we only do it if we can't get the modulus */
-+                bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
-+                if (bitSize == -1) {
-+                    return 0;
-+                }
-+                return bitSize;
-             }
-+            bitSize = SECKEY_BigIntegerBitLength(&params);
-+            PORT_Free(params.data);
-             return bitSize;
-         case dsaKey:
-         case fortezzaKey:
-         case dhKey:
-         case keaKey:
-             rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
-                                     CKA_PRIME, NULL, &params);
-             if ((rv != SECSuccess) || (params.data == NULL)) {
-diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
---- a/lib/ssl/ssl3con.c
-+++ b/lib/ssl/ssl3con.c
-@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
-             PORT_SetError(SEC_ERROR_INVALID_KEY);
-             goto done;
-     }
-     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
- 
-     if (useRsaPss || hash->hashAlg == ssl_hash_none) {
-         CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
-         int signatureLen = PK11_SignatureLen(key);
-+        PRInt32 optval;
- 
-         SECItem *params = NULL;
-         CK_RSA_PKCS_PSS_PARAMS pssParams;
-         SECItem pssParamsItem = { siBuffer,
-                                   (unsigned char *)&pssParams,
-                                   sizeof(pssParams) };
- 
-         if (signatureLen <= 0) {
-             PORT_SetError(SEC_ERROR_INVALID_KEY);
-             goto done;
-         }
-+        /* since we are calling PK11_SignWithMechanism directly, we need to check the
-+         * key policy ourselves (which is already checked in SGN_Digest */
-+        rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
-+        if ((rv == SECSuccess) &&
-+            ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
-+            rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
-+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
-+            if (rv != SECSuccess) {
-+                goto done; /* error code already set */
-+            }
-+        }
- 
-         buf->len = (unsigned)signatureLen;
-         buf->data = (unsigned char *)PORT_Alloc(signatureLen);
-         if (!buf->data)
-             goto done; /* error code was set. */
- 
-         if (useRsaPss) {
-             pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);

SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch

@@ -1,43 +0,0 @@
-diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
---- a/lib/util/nsshash.c
-+++ b/lib/util/nsshash.c
-@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
- SECOidTag
- HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
- {
-     SECOidTag hashOid = SEC_OID_UNKNOWN;
- 
-     switch (hmacOid) {
-         /* no oid exists for HMAC_MD2 */
-         /* NSS does not define a oid for HMAC_MD4 */
-+        case SEC_OID_HMAC_MD5:
-+            hashOid = SEC_OID_MD5;
-+            break;
-         case SEC_OID_HMAC_SHA1:
-             hashOid = SEC_OID_SHA1;
-             break;
-         case SEC_OID_HMAC_SHA224:
-             hashOid = SEC_OID_SHA224;
-             break;
-         case SEC_OID_HMAC_SHA256:
-             hashOid = SEC_OID_SHA256;
-@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
- SECOidTag
- HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
- {
-     SECOidTag hmacOid = SEC_OID_UNKNOWN;
- 
-     switch (hashOid) {
-         /* no oid exists for HMAC_MD2 */
-         /* NSS does not define a oid for HMAC_MD4 */
-+        case SEC_OID_MD5:
-+            hmacOid = SEC_OID_HMAC_MD5;
-+            break;
-         case SEC_OID_SHA1:
-             hmacOid = SEC_OID_HMAC_SHA1;
-             break;
-         case SEC_OID_SHA224:
-             hmacOid = SEC_OID_HMAC_SHA224;
-             break;
-         case SEC_OID_SHA256:
-             hmacOid = SEC_OID_HMAC_SHA256;

SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch

@@ -1,121 +0,0 @@
-diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
---- a/lib/pk11wrap/pk11mech.c
-+++ b/lib/pk11wrap/pk11mech.c
-@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
-         case CKM_BATON_ECB96:
-         case CKM_BATON_CBC128:
-         case CKM_BATON_COUNTER:
-         case CKM_BATON_SHUFFLE:
-         case CKM_JUNIPER_ECB128:
-         case CKM_JUNIPER_CBC128:
-         case CKM_JUNIPER_COUNTER:
-         case CKM_JUNIPER_SHUFFLE:
--            newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
--                                           SEC_ASN1_GET(SEC_OctetStringTemplate));
--            if (newParams == NULL)
--                break;
-+            /* if no parameters have been supplied, then encode a NULL params
-+             */
-+            if (param && param->len > 0) {
-+                newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
-+                                               SEC_ASN1_GET(SEC_OctetStringTemplate));
-+                if (newParams == NULL)
-+                    break;
-+            } else {
-+                newParams = NULL;
-+            }
-             rv = SECSuccess;
-             break;
-     }
- 
-     if (rv != SECSuccess) {
-         if (newParams)
-             SECITEM_FreeItem(newParams, PR_TRUE);
-         return rv;
-diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
---- a/lib/pk11wrap/pk11pbe.c
-+++ b/lib/pk11wrap/pk11pbe.c
-@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
-          * algorithm is). We use choose this algorithm oid based on the
-          * cipherAlgorithm to determine what this should be (MAC1 or PBES2).
-          */
-         if (algorithm == SEC_OID_PKCS5_PBKDF2) {
-             /* choose mac or pbes */
-             algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
-         }
- 
-+        SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
-+
-         /* set the PKCS5v2 specific parameters */
-         if (keyLength == 0) {
--            SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
-             if (hashAlg != SEC_OID_UNKNOWN) {
-                 keyLength = HASH_ResultLenByOidTag(hashAlg);
-             } else {
-                 keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
-             }
-             if (keyLength <= 0) {
-                 goto loser;
-             }
-         }
-         /* currently SEC_OID_HMAC_SHA1 is the default */
-         if (prfAlg == SEC_OID_UNKNOWN) {
-             prfAlg = SEC_OID_HMAC_SHA1;
-         }
- 
--        /* build the PKCS5v2 cipher algorithm id */
--        cipherParams = pk11_GenerateNewParamWithKeyLen(
--            PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
--        if (!cipherParams) {
--            goto loser;
-+        /* build the PKCS5v2 cipher algorithm id, if cipher
-+         * is an HMAC, the cipherParams should be NULL */
-+        if (hashAlg == SEC_OID_UNKNOWN) {
-+            cipherParams = pk11_GenerateNewParamWithKeyLen(
-+                PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
-+            if (!cipherParams) {
-+                goto loser;
-+            }
-+        } else {
-+            cipherParams = NULL;
-         }
- 
-         PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
- 
-         rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
-                                poolp, &pbeV2_param.cipherAlgId);
--        SECITEM_FreeItem(cipherParams, PR_TRUE);
-+        if (cipherParams) {
-+            SECITEM_FreeItem(cipherParams, PR_TRUE);
-+        }
-         if (rv != SECSuccess) {
-             goto loser;
-         }
-     }
- 
-     /* generate the parameter */
-     pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
-                                                keyLength, prfAlg);
-diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
---- a/lib/util/secalgid.c
-+++ b/lib/util/secalgid.c
-@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
-         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
-         return SECFailure;
-     }
- 
-     if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
-         return SECFailure;
- 
-     if ((secoid_IsRSAPKCS1(which)) ||
--        (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
-+        (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
-+        (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
-         add_null_param = PR_TRUE;
-     } else {
-         add_null_param = PR_FALSE;
-     }
- 
-     if (params) {
-         /*
-          * I am specifically *not* enforcing the following assertion

SOURCES/nss-3.101-long-pwd-fix.patch

@@ -1,12 +0,0 @@
-diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
---- ./lib/pkcs12/p12local.c.long_pw_fix	2024-09-06 17:58:39.905517185 -0700
-+++ ./lib/pkcs12/p12local.c	2024-09-06 17:59:19.568985976 -0700
-@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
-         *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
-         /* pkcs12v2 hmac uses UTF8 rather than unicode */
-         if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
--                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
-+                                                PR_FALSE, PR_FALSE, PR_FALSE)) {
-             return NULL;
-         }
-         symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);

SOURCES/nss-3.66-disable-signature-policies.patch

@@ -1,7 +1,7 @@
 diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
---- ./lib/pk11wrap/pk11pars.c.no_signature_policy	2023-06-21 08:54:54.802785229 +0200
-+++ ./lib/pk11wrap/pk11pars.c	2023-06-21 08:58:24.748282499 +0200
-@@ -395,12 +395,9 @@ static const oidValDef signOptList[] = {
+--- ./lib/pk11wrap/pk11pars.c.no_signature_policy	2021-06-03 10:08:49.988118880 -0700
++++ ./lib/pk11wrap/pk11pars.c	2021-06-03 10:16:26.059935708 -0700
+@@ -391,12 +391,9 @@ static const oidValDef signOptList[] = {
      /* Signatures */
      { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
        NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
@@ -14,24 +14,21 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
 +    { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
 +    { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
 +    { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
-     { CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
-       NSS_USE_ALG_IN_SIGNATURE },
  };
  
  typedef struct {
-@@ -416,7 +413,7 @@ static const algListsDef algOptLists[] =
+@@ -412,7 +409,7 @@ static const algListsDef algOptLists[] =
      { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
      { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
      { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
-     { smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
 -    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
 +    { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
  };
  
  static const optionFreeDef sslOptList[] = {
-diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt
---- ./tests/ssl/sslpolicy.txt.no_signature_policy	2023-06-21 09:00:17.720181306 +0200
-+++ ./tests/ssl/sslpolicy.txt	2023-06-21 09:00:55.637501208 +0200
+diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.policy_revert	2020-11-04 10:31:20.837715397 -0800
++++ ./tests/ssl/sslpolicy.txt	2020-11-04 10:33:19.598357223 -0800
 @@ -193,7 +193,9 @@
    1 noECC  SSL3   d    disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
    1 noECC  SSL3   d    disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
@@ -40,6 +37,6 @@ diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt
 +# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
 +# compatibility reasons
 +#  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
-   1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
-   1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
-   1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
+ # test default settings
+ # NOTE: tstclient will attempt to overide the defaults, so we detect we
+ # were successful by locking in our settings

SOURCES/nss-3.66-restore-old-pkcs12-default.patch

@@ -26,20 +26,6 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
      if (pk12util.options[opt_CertCipher].activated) {
          char *cipherString = pk12util.options[opt_CertCipher].arg;
  
---- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default	2024-07-18 08:26:35.7732
-48450 -0700
-+++ ./cmd/pk12util/pk12util.c	2024-07-18 08:27:05.796595554 -0700
-@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
-             }
-         }
-     }
--    /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
--    if (PK11_IsFIPS()) {
--        hash = SEC_OID_HMAC_SHA256;
--    }
-     if (pk12util.options[opt_Mac].activated) {
-         char *hashString = pk12util.options[opt_Mac].arg;
- 
 diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
 --- ./tests/tools/tools.sh.orig	2021-06-15 17:06:27.650564449 -0700
 +++ ./tests/tools/tools.sh	2021-06-15 17:07:59.934117192 -0700

SOURCES/nss-3.71-camellia-pkcs12-doc.patch

@@ -1,20 +0,0 @@
-diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
---- ./doc/pk12util.xml.camellia	2022-01-26 09:46:39.794919455 -0800
-+++ ./doc/pk12util.xml	2022-01-26 09:54:58.277019760 -0800
-@@ -317,7 +317,7 @@ Certificate    Friendly Name: Thawte Fre
- 
-   <refsection id="encryption">
-     <title>Password Encryption</title>
--    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
-+    <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
-     <para>The private key is always protected with strong encryption by default.</para>
-     <para>Several types of ciphers are supported.</para>
-     <variablelist>
-@@ -327,6 +327,7 @@ Certificate    Friendly Name: Thawte Fre
-         <listitem>
- 	  <itemizedlist>
- 	    <listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
-+	    <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
- 	  </itemizedlist>
-         </listitem>
-       </varlistentry>

SOURCES/nss-3.71-fix-lto-gtests.patch

@@ -1,26 +0,0 @@
-diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
---- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
-+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
-@@ -15,13 +15,22 @@
- #include "gtest_utils.h"
- #include "tls_agent.h"
- #include "tls_connect.h"
-+#define LTO
-
- namespace nss_test {
-
-+#ifndef LTO
-+// sigh this construction breaks LTO
- const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
- const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
- const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
- const std::string kDCId = TlsAgent::kServerEcdsa256;
-+#else
-+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
-+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
-+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
-+#define kDCId  TlsAgent::kServerEcdsa256
-+#endif
- const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
- const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
-

SOURCES/nss-3.79-dont-verify-default.patch

@@ -0,0 +1,170 @@
+diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c
+--- a/lib/softoken/legacydb/pcertdb.c
++++ b/lib/softoken/legacydb/pcertdb.c
+@@ -4272,16 +4272,17 @@ CreateTrust(void)
+ {
+     NSSLOWCERTTrust *trust = NULL;
+ 
+     nsslowcert_LockFreeList();
+     trust = trustListHead;
+     if (trust) {
+         trustListCount--;
+         trustListHead = trust->next;
++        trust->next = NULL;
+     }
+     PORT_Assert(trustListCount >= 0);
+     nsslowcert_UnlockFreeList();
+     if (trust) {
+         return trust;
+     }
+ 
+     return PORT_ZNew(NSSLOWCERTTrust);
+@@ -5155,19 +5156,21 @@ done:
+ }
+ 
+ PRBool
+ nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
+ {
+     if (trust == NULL) {
+         return PR_FALSE;
+     }
+-    return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
+-             (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
+-             (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
++    /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
++     * we don't have a trust record. */
++    return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
++        ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
++        ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0));
+ }
+ 
+ /*
+  * This function has the logic that decides if another person's cert and
+  * email profile from an S/MIME message should be saved.  It can deal with
+  * the case when there is no profile.
+  */
+ static SECStatus
+diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
+--- a/lib/softoken/sftkdb.c
++++ b/lib/softoken/sftkdb.c
+@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI
+         case CKA_TRUST_STEP_UP_APPROVED:
+         case CKA_NSS_OVERRIDE_EXTENSIONS:
+             return PR_TRUE;
+         default:
+             break;
+     }
+     return PR_FALSE;
+ }
+-
+ /*
+  * convert a native ULONG to a database ulong. Database ulong's
+  * are all 4 byte big endian values.
+  */
+ void
+ sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
+ {
+     int i;
+ 
+     for (i = 0; i < SDB_ULONG_SIZE; i++) {
+         data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;
+     }
+ }
+ 
+ /*
+  * convert a database ulong back to a native ULONG. (reverse of the above
+- * function.
++ * function).
+  */
+ static CK_ULONG
+ sftk_SDBULong2ULong(unsigned char *data)
+ {
+     int i;
+     CK_ULONG value = 0;
+ 
+     for (i = 0; i < SDB_ULONG_SIZE; i++) {
+         value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);
+     }
+     return value;
+ }
+ 
++/* certain trust records are default values, which are the values
++ * returned if the signature check fails anyway.
++ * In those cases, we can skip the signature check. */
++PRBool
++sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
++{
++    switch (template->type) {
++        case CKA_TRUST_SERVER_AUTH:
++        case CKA_TRUST_CLIENT_AUTH:
++        case CKA_TRUST_EMAIL_PROTECTION:
++        case CKA_TRUST_CODE_SIGNING:
++            if (template->ulValueLen != SDB_ULONG_SIZE) {
++                break;
++            }
++            if (sftk_SDBULong2ULong(template->pValue) == 
++                CKT_NSS_TRUST_UNKNOWN) {
++                return PR_TRUE;
++            }
++            break;
++        case CKA_TRUST_STEP_UP_APPROVED:
++            if (template->ulValueLen != 1) {
++                break;
++            }
++            if (*((unsigned char *)(template->pValue)) == 0) {
++                return PR_TRUE;
++            }
++            break;
++        default:
++            break;
++    }
++    return PR_FALSE;
++}
++
+ /*
+  * fix up the input templates. Our fixed up ints are stored in data and must
+  * be freed by the caller. The new template must also be freed. If there are no
+  * CK_ULONG attributes, the orignal template is passed in as is.
+  */
+ static CK_ATTRIBUTE *
+ sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,
+                        unsigned char **dataOut, int *dataOutSize)
+@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te
+             }
+ 
+             /* copy the plain text back into the template */
+             PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
+             template[i].ulValueLen = plainText->len;
+             SECITEM_ZfreeItem(plainText, PR_TRUE);
+         }
+         /* make sure signed attributes are valid */
+-        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
++        if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)
++            && !sftkdb_isNullTrust(&ntemplate[i])) {
+             SECStatus rv;
+             CK_RV local_crv;
+             SECItem signText;
+             SECItem plainText;
+             unsigned char signData[SDB_MAX_META_DATA_LEN];
+ 
+             signText.data = signData;
+             signText.len = sizeof(signData);
+@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle,
+     crv = (*source->sdb_GetAttributeValue)(source, id,
+                                            ptemplate, max_attributes);
+     if (crv != CKR_OK) {
+         goto loser;
+     }
+ 
+     objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
+                                              max_attributes);
++/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id,
++       handle->updateID?handle->updateID: "<NULL>");*/
+ 
+     /*
+      * Update Object updates the object template if necessary then returns
+      * whether or not we need to actually write the object out to our target
+      * database.
+      */
+     if (!handle->updateID) {
+         crv = sftkdb_CreateObject(arena, handle, target, &newID,

SOURCES/nss-3.79-enable-POST-rerun.patch

@@ -0,0 +1,522 @@
+diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c
+--- a/cmd/bltest/blapitest.c
++++ b/cmd/bltest/blapitest.c
+@@ -3870,17 +3870,17 @@ main(int argc, char **argv)
+         rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
+                             encrypt, decrypt);
+         PORT_Free(cipherInfo);
+         return rv == SECSuccess ? 0 : 1;
+     }
+ 
+     /* Do FIPS self-test */
+     if (bltest.commands[cmd_FIPS].activated) {
+-        CK_RV ckrv = sftk_FIPSEntryOK();
++        CK_RV ckrv = sftk_FIPSEntryOK(PR_FALSE);
+         fprintf(stdout, "CK_RV: %ld.\n", ckrv);
+         PORT_Free(cipherInfo);
+         if (ckrv == CKR_OK)
+             return SECSuccess;
+         return SECFailure;
+     }
+ 
+     /*
+diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c
+--- a/cmd/pk11mode/pk11mode.c
++++ b/cmd/pk11mode/pk11mode.c
+@@ -318,23 +318,25 @@ static PRBool verbose = PR_FALSE;
+ 
+ int
+ main(int argc, char **argv)
+ {
+     CK_C_GetFunctionList pC_GetFunctionList;
+     CK_FUNCTION_LIST_PTR pFunctionList;
+     CK_RV crv = CKR_OK;
+     CK_C_INITIALIZE_ARGS_NSS initArgs;
++    CK_C_INITIALIZE_ARGS_NSS initArgsRerun; /* rerun selftests */
+     CK_SLOT_ID *pSlotList = NULL;
+     CK_TOKEN_INFO tokenInfo;
+     CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
+ 
+     CK_UTF8CHAR *pwd = NULL;
+     CK_ULONG pwdLen = 0;
+     char *moduleSpec = NULL;
++    char *moduleSpecRerun = NULL;
+     char *configDir = NULL;
+     char *dbPrefix = NULL;
+     char *disableUnload = NULL;
+     PRBool doForkTests = PR_TRUE;
+ 
+     PLOptStatus os;
+     PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:");
+     while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) {
+@@ -458,18 +460,23 @@ main(int argc, char **argv)
+     initArgs.CreateMutex = NULL;
+     initArgs.DestroyMutex = NULL;
+     initArgs.LockMutex = NULL;
+     initArgs.UnlockMutex = NULL;
+     initArgs.flags = CKF_OS_LOCKING_OK;
+     moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
+                              "keyPrefix='%s' secmod='secmod.db' flags= ",
+                              configDir, dbPrefix, dbPrefix);
++    moduleSpecRerun = PR_smprintf("configdir='%s' certPrefix='%s' "
++                             "keyPrefix='%s' secmod='secmod.db' flags=forcePOST ",
++                             configDir, dbPrefix, dbPrefix);
+     initArgs.LibraryParameters = (CK_CHAR_PTR *)moduleSpec;
+     initArgs.pReserved = NULL;
++    initArgsRerun = initArgs;
++    initArgsRerun.LibraryParameters = (CK_CHAR_PTR *)moduleSpecRerun;
+ 
+     /*DebugBreak();*/
+     /* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
+     /* NSS cryptographic module library initialization for the FIPS  */
+     /* Approved mode when FC_Initialize is envoked will perfom       */
+     /* software integrity test, and power-up self-tests before       */
+     /* FC_Initialize returns                                         */
+     crv = pFunctionList->C_Initialize(&initArgs);
+@@ -705,17 +712,17 @@ main(int argc, char **argv)
+         PKM_Error("PKM_HybridMode failed with 0x%08X, %-26s\n", crv,
+                   PKM_CK_RVtoStr(crv));
+         goto cleanup;
+     }
+ 
+     if (doForkTests) {
+         /* testing one more C_Initialize / C_Finalize to exercise getpid()
+          * fork check code */
+-        crv = pFunctionList->C_Initialize(&initArgs);
++        crv = pFunctionList->C_Initialize(&initArgsRerun);
+         if (crv == CKR_OK) {
+             PKM_LogIt("C_Initialize succeeded\n");
+         } else {
+             PKM_Error("C_Initialize failed with 0x%08X, %-26s\n", crv,
+                       PKM_CK_RVtoStr(crv));
+             goto cleanup;
+         }
+         crv = pFunctionList->C_Finalize(NULL);
+@@ -741,16 +748,19 @@ cleanup:
+         free(configDir);
+     }
+     if (dbPrefix) {
+         free(dbPrefix);
+     }
+     if (moduleSpec) {
+         PR_smprintf_free(moduleSpec);
+     }
++    if (moduleSpecRerun) {
++        PR_smprintf_free(moduleSpecRerun);
++    }
+ 
+ #ifdef _WIN32
+     FreeLibrary(hModule);
+ #else
+     disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+     if (!disableUnload) {
+         PR_UnloadLibrary(lib);
+     }
+diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h
+--- a/lib/freebl/blapii.h
++++ b/lib/freebl/blapii.h
+@@ -24,17 +24,17 @@ typedef SECStatus (*freeblAeadFunc)(void
+                                     void *params, unsigned int paramsLen,
+                                     const unsigned char *aad, unsigned int aadLen,
+                                     unsigned int blocksize);
+ typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
+ 
+ SEC_BEGIN_PROTOS
+ 
+ #ifndef NSS_FIPS_DISABLED
+-SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
++SECStatus BL_FIPSEntryOK(PRBool freeblOnly, PRBool rerun);
+ PRBool BL_POSTRan(PRBool freeblOnly);
+ #endif
+ 
+ #if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
+ 
+ extern PRBool bl_parentForkedAfterC_Initialize;
+ 
+ #define SKIP_AFTER_FORK(x)                 \
+diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
+--- a/lib/freebl/blapit.h
++++ b/lib/freebl/blapit.h
+@@ -223,16 +223,21 @@ typedef int __BLAPI_DEPRECATED __attribu
+  *
+  * If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
+  * we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
+  * GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
+  * the variable IV size for TLS is 64 bits, which explains why it's not safe
+  * to use a random value for the nonce in TLS. */
+ #define GCMIV_RANDOM_BIRTHDAY_BITS 64
+ 
++/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
++#define BLAPI_FIPS_RERUN_FLAG '\377'  /* 0xff, 255 invalide code for UFT8/ASCII */
++#define BLAPI_FIPS_RERUN_FLAG_STRING "\377"  /* The above as a C string */
++
++
+ /***************************************************************************
+ ** Opaque objects
+ */
+ 
+ struct DESContextStr;
+ struct RC2ContextStr;
+ struct RC4ContextStr;
+ struct RC5ContextStr;
+diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
+--- a/lib/freebl/fipsfreebl.c
++++ b/lib/freebl/fipsfreebl.c
+@@ -2211,29 +2211,37 @@ bl_startup_tests(void)
+ }
+ 
+ /*
+  * this is called from the freebl init entry points that controll access to
+  * all other freebl functions. This prevents freebl from operating if our
+  * power on selftest failed.
+  */
+ SECStatus
+-BL_FIPSEntryOK(PRBool freebl_only)
++BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun)
+ {
+ #ifdef NSS_NO_INIT_SUPPORT
+     /* this should only be set on platforms that can't handle one of the INIT
+     * schemes.  This code allows those platforms to continue to function,
+     * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
+     * is not set, and init support has not been properly enabled, freebl
+     * will always fail because of the test below
+     */
+     if (!self_tests_freebl_ran) {
+         bl_startup_tests();
+     }
+ #endif
++    if (rerun) {
++        /* reset the flags */
++        self_tests_freebl_ran = PR_FALSE;
++        self_tests_success = PR_FALSE;
++        self_tests_success = PR_FALSE;
++        self_tests_freebl_success = PR_FALSE;
++        bl_startup_tests();
++    }
+     /* if the general self tests succeeded, we're done */
+     if (self_tests_success) {
+         return SECSuccess;
+     }
+     /* standalone freebl can initialize */
+     if (freebl_only && self_tests_freebl_success) {
+         return SECSuccess;
+     }
+diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
+--- a/lib/freebl/nsslowhash.c
++++ b/lib/freebl/nsslowhash.c
+@@ -55,17 +55,17 @@ NSSLOW_Init(void)
+ #ifdef FREEBL_NO_DEPEND
+     (void)FREEBL_InitStubs();
+ #endif
+ 
+ #ifndef NSS_FIPS_DISABLED
+     /* make sure the FIPS product is installed if we are trying to
+      * go into FIPS mode */
+     if (nsslow_GetFIPSEnabled()) {
+-        if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
++        if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
+             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+             post_failed = PR_TRUE;
+             return NULL;
+         }
+     }
+ #endif
+     post_failed = PR_FALSE;
+ 
+diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
+--- a/lib/freebl/shvfy.c
++++ b/lib/freebl/shvfy.c
+@@ -282,52 +282,62 @@ readItem(PRFileDesc *fd, SECItem *item)
+         PORT_Free(item->data);
+         item->data = NULL;
+         item->len = 0;
+         return SECFailure;
+     }
+     return SECSuccess;
+ }
+ 
+-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self);
++static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun);
+ 
+ static PRBool
+-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self)
++blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun)
+ {
+     PRBool result = PR_FALSE; /* if anything goes wrong,
+                    * the signature does not verify */
+     /* find our shared library name */
+     char *shName = PR_GetLibraryFilePathname(name, addr);
+     if (!shName) {
+         goto loser;
+     }
+-    result = blapi_SHVerifyFile(shName, self);
++    result = blapi_SHVerifyFile(shName, self, rerun);
+ 
+ loser:
+     if (shName != NULL) {
+         PR_Free(shName);
+     }
+ 
+     return result;
+ }
+ 
+ PRBool
+ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
+ {
+-    return blapi_SHVerify(name, addr, PR_FALSE);
++    PRBool rerun = PR_FALSE;
++    if (name && *name == BLAPI_FIPS_RERUN_FLAG) {
++        name++;
++        rerun = PR_TRUE;
++    }
++    return blapi_SHVerify(name, addr, PR_FALSE, rerun);
+ }
+ 
+ PRBool
+ BLAPI_SHVerifyFile(const char *shName)
+ {
+-    return blapi_SHVerifyFile(shName, PR_FALSE);
++    PRBool rerun = PR_FALSE;
++    if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) {
++        shName++;
++        rerun = PR_TRUE;
++    }
++    return blapi_SHVerifyFile(shName, PR_FALSE, rerun);
+ }
+ 
+ static PRBool
+-blapi_SHVerifyFile(const char *shName, PRBool self)
++blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun)
+ {
+     char *checkName = NULL;
+     PRFileDesc *checkFD = NULL;
+     PRFileDesc *shFD = NULL;
+     void *hashcx = NULL;
+     const SECHashObject *hashObj = NULL;
+     SECItem signature = { 0, NULL, 0 };
+     SECItem hash;
+@@ -346,17 +356,17 @@ blapi_SHVerifyFile(const char *shName, P
+     unsigned char hashBuf[HASH_LENGTH_MAX];
+ 
+     PORT_Memset(&key, 0, sizeof(key));
+     hash.data = hashBuf;
+     hash.len = sizeof(hashBuf);
+ 
+     /* If our integrity check was never ran or failed, fail any other
+      * integrity checks to prevent any token going into FIPS mode. */
+-    if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) {
++    if (!self && (BL_FIPSEntryOK(PR_FALSE, rerun) != SECSuccess)) {
+         return PR_FALSE;
+     }
+ 
+     if (!shName) {
+         goto loser;
+     }
+ 
+     /* figure out the name of our check file */
+@@ -536,17 +546,17 @@ BLAPI_VerifySelf(const char *name)
+ {
+     if (name == NULL) {
+         /*
+          * If name is NULL, freebl is statically linked into softoken.
+          * softoken will call BLAPI_SHVerify next to verify itself.
+          */
+         return PR_TRUE;
+     }
+-    return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
++    return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
+ }
+ 
+ #else /* NSS_FIPS_DISABLED */
+ 
+ PRBool
+ BLAPI_SHVerifyFile(const char *shName)
+ {
+     return PR_FALSE;
+diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
+--- a/lib/softoken/fipstest.c
++++ b/lib/softoken/fipstest.c
+@@ -684,22 +684,25 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
+ 
+ static PRBool sftk_self_tests_ran = PR_FALSE;
+ static PRBool sftk_self_tests_success = PR_FALSE;
+ 
+ /*
+  * This function is called at dll load time, the code tha makes this
+  * happen is platform specific on defined above.
+  */
+-static void
+-sftk_startup_tests(void)
++void sftk_startup_tests_with_rerun(PRBool rerun)
+ {
+     SECStatus rv;
+-    const char *libraryName = SOFTOKEN_LIB_NAME;
+-
++    /*const char *nlibraryName = SOFTOKEN_LIB_NAME;
++    const char *rlibraryName = BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME; */
++    const char *libraryName = rerun ?
++               BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME :
++               SOFTOKEN_LIB_NAME;
++    
+     PORT_Assert(!sftk_self_tests_ran);
+     PORT_Assert(!sftk_self_tests_success);
+     sftk_self_tests_ran = PR_TRUE;
+     sftk_self_tests_success = PR_FALSE; /* just in case */
+ 
+     /* need to initiallize the oid library before the RSA tests */
+     rv = SECOID_Init();
+     if (rv != SECSuccess) {
+@@ -746,35 +749,46 @@ sftk_startup_tests(void)
+     rv = sftk_fips_pbkdf_PowerUpSelfTests();
+     if (rv != SECSuccess) {
+         return;
+     }
+ 
+     sftk_self_tests_success = PR_TRUE;
+ }
+ 
++static void
++sftk_startup_tests(void)
++{
++    sftk_startup_tests_with_rerun(PR_FALSE);
++}
++
+ /*
+  * this is called from nsc_Common_Initizialize entry points that gates access
+  * to * all other pkcs11 functions. This prevents softoken operation if our
+  * power on selftest failed.
+  */
+ CK_RV
+-sftk_FIPSEntryOK()
++sftk_FIPSEntryOK(PRBool rerun)
+ {
+ #ifdef NSS_NO_INIT_SUPPORT
+     /* this should only be set on platforms that can't handle one of the INIT
+      * schemes.  This code allows those platforms to continue to function,
+      * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
+      * is not set, and init support has not been properly enabled, softken
+      * will always fail because of the test below
+      */
+     if (!sftk_self_tests_ran) {
+         sftk_startup_tests();
+     }
+ #endif
++    if (rerun) {
++        sftk_self_tests_ran = PR_FALSE;
++        sftk_self_tests_success = PR_FALSE;
++        sftk_startup_tests_with_rerun(PR_TRUE);
++    }
+     if (!sftk_self_tests_success) {
+         return CKR_DEVICE_ERROR;
+     }
+     return CKR_OK;
+ }
+ #else
+ #include "pkcs11t.h"
+ CK_RV
+diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
+--- a/lib/softoken/fipstokn.c
++++ b/lib/softoken/fipstokn.c
+@@ -524,25 +524,32 @@ fc_log_init_error(CK_RV crv)
+ }
+ 
+ /* FC_Initialize initializes the PKCS #11 library. */
+ CK_RV
+ FC_Initialize(CK_VOID_PTR pReserved)
+ {
+     const char *envp;
+     CK_RV crv;
++    PRBool rerun;
+ 
+     if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
+         sftk_audit_enabled = (atoi(envp) == 1);
+     }
+ 
++    /* if we have the forcePOST flag on, rerun the integrity checks */
++    /* we need to know this before we fully parse the arguments in
++     * nsc_CommonInitialize, so read it now */
++    rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
++
+     /* At this point we should have already done post and integrity checks.
+      * if we haven't, it probably means the FIPS product has not been installed
+-     * or the tests failed. Don't let an application try to enter FIPS mode */
+-    crv = sftk_FIPSEntryOK();
++     * or the tests failed. Don't let an application try to enter FIPS mode. This
++     * also forces the tests to be rerun if forcePOST is set. */
++    crv = sftk_FIPSEntryOK(rerun);
+     if (crv != CKR_OK) {
+         sftk_fatalError = PR_TRUE;
+         fc_log_init_error(crv);
+         return crv;
+     }
+ 
+     sftk_ForkReset(pReserved, &crv);
+ 
+diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
+--- a/lib/softoken/pkcs11i.h
++++ b/lib/softoken/pkcs11i.h
+@@ -869,16 +869,17 @@ extern CK_RV sftk_MechAllowsOperation(CK
+  * acquiring a reference to the keydb from the slot */
+ NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
+ 
+ /*
+  * parameter parsing functions
+  */
+ CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
+ void sftk_freeParams(sftk_parameters *params);
++PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
+ 
+ /*
+  * narrow objects
+  */
+ SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *);
+ SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *);
+ 
+ /*
+diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
+--- a/lib/softoken/sftkpars.c
++++ b/lib/softoken/sftkpars.c
+@@ -244,8 +244,21 @@ sftk_freeParams(sftk_parameters *params)
+     FREE_CLEAR(params->configdir);
+     FREE_CLEAR(params->secmodName);
+     FREE_CLEAR(params->man);
+     FREE_CLEAR(params->libdes);
+     FREE_CLEAR(params->tokens);
+     FREE_CLEAR(params->updatedir);
+     FREE_CLEAR(params->updateID);
+ }
++
++PRBool
++sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
++{
++    CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
++
++    /* if we don't have any params, the flag isn't set */
++    if ((!init_args || !init_args->LibraryParameters)) {
++        return PR_FALSE;
++    }
++
++    return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
++}
+diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
+--- a/lib/softoken/softoken.h
++++ b/lib/softoken/softoken.h
+@@ -52,17 +52,17 @@ extern unsigned char *CBC_PadBuffer(PLAr
+                                     unsigned int inlen, unsigned int *outlen,
+                                     int blockSize);
+ 
+ /****************************************/
+ /*
+ ** Power-Up selftests are required for FIPS.
+ */
+ /* make sure Power-up selftests have been run. */
+-extern CK_RV sftk_FIPSEntryOK(void);
++extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
+ 
+ /*
+ ** make known fixed PKCS #11 key types to their sizes in bytes
+ */
+ unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
+ 
+ /*
+ ** FIPS 140-2 auditing

SOURCES/nss-3.79-fips.patch

@@ -160,19 +160,178 @@ diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
 +DEFINES += -DNSS_FIPS_140_3
 +endif
 +
+diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h
+--- a/lib/softoken/fips_algorithms.h
++++ b/lib/softoken/fips_algorithms.h
+@@ -49,33 +49,46 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 
+ #define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
+ #define CKF_KEA CKF_DERIVE
+ #define CKF_KDF CKF_DERIVE
+ #define CKF_HSH CKF_DIGEST
+ #define CK_MAX 0xffffffffUL
+ /* mechanisms using the same key types share the same key type
+  * limits */
+ #define RSA_FB_KEY 2048, 4096 /* min, max */
+-#define RSA_FB_STEP 1024
++#define RSA_FB_STEP 1
++#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
++#define RSA_LEGACY_FB_STEP 256
++
+ #define DSA_FB_KEY 2048, 4096 /* min, max */
+ #define DSA_FB_STEP 1024
+ #define DH_FB_KEY 2048, 4096 /* min, max */
+ #define DH_FB_STEP 1024
+ #define EC_FB_KEY 256, 521 /* min, max */
+ #define EC_FB_STEP 1       /* key limits handled by special operation */
+ #define AES_FB_KEY 128, 256
+ #define AES_FB_STEP 64
+     { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
++    { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++
+     /* -------------- RSA Multipart Signing Operations -------------------- */
+     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
++    { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+     /* ------------------------- DSA Operations --------------------------- */
+     { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+     { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
+     { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
+@@ -95,76 +108,73 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] 
+     { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+     { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+     { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
+     /* ------------------------- RC2 Operations --------------------------- */
+     /* ------------------------- AES Operations --------------------------- */
+     { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+-    { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+-    { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
+     { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+     { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+-    { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
+-    { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
+     /* ------------------------- Hashing Operations ----------------------- */
+     { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+     { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+     { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
+     { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+-    { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+-    { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
+     { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+-    { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+-    { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
+     { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
+-    { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+-    { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+     /* --------------------- Secret Key Operations ------------------------ */
+-    { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },
++    { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
+     /* ---------------------- SSL/TLS operations ------------------------- */
+     { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+     { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
+     { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+-    { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
++    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+     /* sigh, is this algorithm really tested. ssl doesn't seem to have a
+      * way of turning the extension off */
+     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
+     { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
+ 
+     /* ------------------------- HKDF Operations -------------------------- */
+-    { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+     { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
+     /* ------------------ NIST 800-108 Key Derivations  ------------------- */
+-    { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+     /* --------------------IPSEC ----------------------- */
+-    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
+-    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
++    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+     /* ------------------ PBE Key Derivations  ------------------- */
+-    { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },
++    { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
+     { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }
+ };
+ const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
 diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
 --- a/lib/softoken/lowpbe.c
 +++ b/lib/softoken/lowpbe.c
-@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+@@ -1765,27 +1765,29 @@ SECStatus
+ sftk_fips_pbkdf_PowerUpSelfTests(void)
+ {
+     SECItem *result;
+     SECItem inKey;
+     NSSPKCS5PBEParameter pbe_params;
      unsigned char iteration_count = 5;
      unsigned char keyLen = 64;
      char *inKeyData = TEST_KEY;
--    static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+-    static const unsigned char saltData[] =
+-        { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
 +    static const unsigned char saltData[] = {
 +        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
 +        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
 +    };
-+
      static const unsigned char pbkdf_known_answer[] = {
 -        0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
 -        0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
@@ -193,6 +352,11 @@ diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
      };
  
      sftk_PBELockInit();
+ 
+     inKey.data = (unsigned char *)inKeyData;
+     inKey.len = sizeof(TEST_KEY) - 1;
+ 
+     pbe_params.salt.data = (unsigned char *)saltData;
 diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
 --- a/lib/softoken/pkcs11c.c
 +++ b/lib/softoken/pkcs11c.c

SOURCES/nss-3.79-fix-client-cert-crash.patch

@@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
+ 
+     /* otherwise look through the cache based on usage
+      * if chosenNickname is set, we ignore the expiration date */
+     if (certList == NULL) {
+         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
+                                              certUsageSSLClient,
+                                              PR_FALSE, chosenNickName == NULL,
+                                              pw_arg);
++        if (certList == NULL) {
++            return SECFailure;
++        }
+         /* filter only the certs that meet the nickname requirements */
+         if (chosenNickName) {
+             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
+                                                pw_arg);
+         } else {
+             int nnames = 0;
+             char **names = ssl_DistNamesToStrings(caNames, &nnames);
+             rv = CERT_FilterCertListByCANames(certList, nnames, names,

SOURCES/nss-3.79-increase-pbe-cache.patch

@@ -0,0 +1,22 @@
+diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
+--- a/lib/softoken/lowpbe.c
++++ b/lib/softoken/lowpbe.c
+@@ -565,17 +565,17 @@ struct KDFCacheItemStr {
+     int iterations;
+     int keyLen;
+ };
+ typedef struct KDFCacheItemStr KDFCacheItem;
+ 
+ /* Bug 1606992 - Cache the hash result for the common case that we're
+  * asked to repeatedly compute the key for the same password item,
+  * hash, iterations and salt. */
+-#define KDF2_CACHE_COUNT 3
++#define KDF2_CACHE_COUNT 150
+ static struct {
+     PZLock *lock;
+     struct {
+         KDFCacheItem common;
+         int ivLen;
+         PRBool faulty3DES;
+     } cacheKDF1;
+     struct {

SOURCES/nss-3.79-pkcs12-fix-null-password.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.fix_null_password	2022-07-20 14:15:45.081009438 -0700
++++ ./lib/pkcs12/p12local.c	2022-07-20 14:19:40.856546963 -0700
+@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+     if (zeroTerm) {
+         /* unicode adds two nulls at the end */
+         if (toUnicode) {
+-            if ((dest->len >= 2) &&
+-                (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
++            if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
+                 /* we've already allocated space for these new NULLs */
+                 PORT_Assert(dest->len + 2 <= bufferSize);
+                 dest->len += 2;
+                 dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+             }
+             /* ascii/utf-8 adds just 1 */
+-        } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
++        } else if (!dest->len || dest->data[dest->len - 1]) {
+             PORT_Assert(dest->len + 1 <= bufferSize);
+             dest->len++;
+             dest->data[dest->len - 1] = 0;

SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch

@@ -0,0 +1,685 @@
+diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c
+--- ./cmd/crmftest/testcrmf.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./cmd/crmftest/testcrmf.c	2022-06-20 16:47:35.023785628 -0700
+@@ -85,7 +85,7 @@
+ #include "sechash.h"
+ #endif
+ 
+-#define MAX_KEY_LEN 512
++#define MAX_KEY_LEN 1024
+ #define PATH_LEN 150
+ #define BUFF_SIZE 150
+ #define UID_BITS 800
+diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
+--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc	2022-06-20 16:47:35.024785635 -0700
+@@ -16,6 +16,7 @@
+ #include "secerr.h"
+ #include "sechash.h"
+ #include "pk11_signature_test.h"
++#include "blapit.h"
+ 
+ #include "testvectors/rsa_signature_2048_sha224-vectors.h"
+ #include "testvectors/rsa_signature_2048_sha256-vectors.h"
+@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
+  * Use 6 as the invalid value since modLen % 16 must be zero.
+  */
+ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
+-  const size_t kRsaShortKeyBits = 736;
++#define RSA_SHORT_KEY_LENGTH 736
++/* if our minimum supported key length is big enough to handle
++ * our largest Hash function, we can't test a short length */
++#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
++  const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
+   const size_t kRsaKeyBits = 752;
+   static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
+   static const std::vector<uint8_t> kSha512DigestInfo{
+@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
+                               SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
+                               nullptr);
+   EXPECT_EQ(SECSuccess, rv);
++#else
++  GTEST_SKIP();
++#endif
+ }
+ 
+ TEST(RsaPkcs1Test, RequireNullParameter) {
+diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
+--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc	2022-06-20 16:47:35.024785635 -0700
+@@ -9,6 +9,8 @@
+ #include "prtime.h"
+ #include "secerr.h"
+ #include "ssl.h"
++#include "nss.h"
++#include "blapit.h"
+ 
+ #include "gtest_utils.h"
+ #include "tls_agent.h"
+@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC
+   ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+   ASSERT_TRUE(slot);
+   PK11RSAGenParams rsaparams;
+-  // The absolute minimum size of RSA key that we can use with SHA-256 is
+-  // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
++// The absolute minimum size of RSA key that we can use with SHA-256 is
++// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
++#define RSA_WEAK_KEY 528
++#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
+   rsaparams.keySizeInBits = 528;
++#else
++  rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
++#endif
+   rsaparams.pe = 65537;
+ 
+   // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
+@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
+                                                 ssl_sig_rsa_pss_pss_sha256};
+   client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+   server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
++#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
++  // save the MIN POLICY length.
++  PRInt32 minRsa;
++
++  ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
++#if RSA_MIN_MODULUS_BITS >= 2048
++  ASSERT_EQ(SECSuccess,
++            NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
++#else
++  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
++#endif
++#endif
+ 
+   ScopedSECKEYPrivateKey dc_priv;
+   ScopedSECKEYPublicKey dc_pub;
+@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
+   auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
+       client_, ssl_delegated_credentials_xtn);
+   ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
++#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
++  ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
++#endif
+ }
+ 
+ class ReplaceDCSigScheme : public TlsHandshakeFilter {
+diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h
+--- ./lib/cryptohi/keyhi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/cryptohi/keyhi.h	2022-06-20 16:47:35.024785635 -0700
+@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
+ extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
+ 
+ /*
++** Return the strength of the private key in bits
++*/
++extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
++
++/*
+ ** Return the length of the signature in bytes
+ */
+ extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
+diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h
+--- ./lib/cryptohi/keyi.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/cryptohi/keyi.h	2022-06-20 16:47:35.024785635 -0700
+@@ -4,6 +4,7 @@
+ 
+ #ifndef _KEYI_H_
+ #define _KEYI_H_
++#include "secerr.h"
+ 
+ SEC_BEGIN_PROTOS
+ /* NSS private functions */
+@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
+                                             const SECItem *params,
+                                             CK_RSA_PKCS_PSS_PARAMS *mech);
+ 
++/* make sure the key length matches the policy for keyType */
++SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
++                                SECErrorCodes error);
+ SEC_END_PROTOS
+ 
+ #endif /* _KEYHI_H_ */
+diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c
+--- ./lib/cryptohi/seckey.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/cryptohi/seckey.c	2022-06-20 16:47:35.025785641 -0700
+@@ -14,6 +14,7 @@
+ #include "secdig.h"
+ #include "prtime.h"
+ #include "keyi.h"
++#include "nss.h"
+ 
+ SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
+ SEC_ASN1_MKSUB(SEC_IntegerTemplate)
+@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
+     return bitSize;
+ }
+ 
++unsigned
++SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
++{
++    unsigned bitSize = 0;
++    CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
++    SECItem params;
++    SECStatus rv;
++
++    if (!privk) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return 0;
++    }
++
++    /* interpret modulus length as key strength */
++    switch (privk->keyType) {
++        case rsaKey:
++        case rsaPssKey:
++        case rsaOaepKey:
++            /* some tokens don't export CKA_MODULUS on the private key,
++             * PK11_SignatureLen works around this if necessary */
++            bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
++            if (bitSize == -1) {
++                bitSize = 0;
++            }
++            return bitSize;
++        case dsaKey:
++        case fortezzaKey:
++        case dhKey:
++        case keaKey:
++            attribute = CKA_PRIME;
++            break;
++        case ecKey:
++            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
++                                    CKA_EC_PARAMS, NULL, &params);
++            if ((rv != SECSuccess) || (params.data == NULL)) {
++                return 0;
++            }
++            bitSize = SECKEY_ECParamsToKeySize(&params);
++            PORT_Free(params.data);
++            return bitSize;
++        default:
++            PORT_SetError(SEC_ERROR_INVALID_KEY);
++            return 0;
++    }
++    PORT_Assert(attribute != CKT_INVALID_TYPE);
++    rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
++                            attribute, NULL, &params);
++    if ((rv != SECSuccess) || (params.data == NULL)) {
++        PORT_SetError(SEC_ERROR_INVALID_KEY);
++        return 0;
++    }
++    bitSize = SECKEY_BigIntegerBitLength(&params);
++    PORT_Free(params.data);
++    return bitSize;
++}
++
+ /* returns signature length in bytes (not bits) */
+ unsigned
+ SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
+@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
+ }
+ 
+ /*
++ * Check that a given key meets the policy limits for the given key
++ * size.
++ */
++SECStatus
++seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
++{
++    PRInt32 opt = -1;
++    PRInt32 optVal;
++    SECStatus rv;
++
++    switch (keyType) {
++        case rsaKey:
++        case rsaPssKey:
++        case rsaOaepKey:
++            opt = NSS_RSA_MIN_KEY_SIZE;
++            break;
++        case dsaKey:
++        case fortezzaKey:
++            opt = NSS_DSA_MIN_KEY_SIZE;
++            break;
++        case dhKey:
++        case keaKey:
++            opt = NSS_DH_MIN_KEY_SIZE;
++            break;
++        case ecKey:
++            opt = NSS_ECC_MIN_KEY_SIZE;
++            break;
++        case nullKey:
++        default:
++            PORT_SetError(SEC_ERROR_INVALID_KEY);
++            return SECFailure;
++    }
++    PORT_Assert(opt != -1);
++    rv = NSS_OptionGet(opt, &optVal);
++    if (rv != SECSuccess) {
++        return rv;
++    }
++    if (optVal < keyLength) {
++        PORT_SetError(error);
++        return SECFailure;
++    }
++    return SECSuccess;
++}
++
++/*
+  * Use the private key to find a public key handle. The handle will be on
+  * the same slot as the private key.
+  */
+diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c
+--- ./lib/cryptohi/secsign.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/cryptohi/secsign.c	2022-06-20 16:47:35.025785641 -0700
+@@ -15,6 +15,7 @@
+ #include "pk11func.h"
+ #include "secerr.h"
+ #include "keyi.h"
++#include "nss.h"
+ 
+ struct SGNContextStr {
+     SECOidTag signalg;
+@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
+     SECOidTag hashalg, signalg;
+     KeyType keyType;
+     PRUint32 policyFlags;
++    PRInt32 optFlags;
+     SECStatus rv;
+ 
+     /* OK, map a PKCS #7 hash and encrypt algorithm into
+@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
+         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+         return NULL;
+     }
++    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
++        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
++            rv = seckey_EnforceKeySize(key->keyType,
++                                       SECKEY_PrivateKeyStrengthInBits(key),
++                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
++            if (rv != SECSuccess) {
++                return NULL;
++            }
++        }
++    }
+     /* check the policy on the hash algorithm */
+     if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
+         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
+     SGNDigestInfo *di = 0;
+     SECOidTag enctag;
+     PRUint32 policyFlags;
++    PRInt32 optFlags;
+ 
+     result->data = 0;
+ 
++    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
++        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
++            rv = seckey_EnforceKeySize(privKey->keyType,
++                                       SECKEY_PrivateKeyStrengthInBits(privKey),
++                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
++            if (rv != SECSuccess) {
++                return SECFailure;
++            }
++        }
++    }
+     /* check the policy on the hash algorithm */
+     if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
+         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c
+--- ./lib/cryptohi/secvfy.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/cryptohi/secvfy.c	2022-06-20 16:47:35.025785641 -0700
+@@ -16,6 +16,7 @@
+ #include "secdig.h"
+ #include "secerr.h"
+ #include "keyi.h"
++#include "nss.h"
+ 
+ /*
+ ** Recover the DigestInfo from an RSA PKCS#1 signature.
+@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
+     unsigned int sigLen;
+     KeyType type;
+     PRUint32 policyFlags;
++    PRInt32 optFlags;
+ 
+     /* make sure the encryption algorithm matches the key type */
+     /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
+@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
+         PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
+         return NULL;
+     }
+-
++    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
++        if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
++            rv = seckey_EnforceKeySize(key->keyType,
++                                       SECKEY_PublicKeyStrengthInBits(key),
++                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
++            if (rv != SECSuccess) {
++                return NULL;
++            }
++        }
++    }
+     /* check the policy on the encryption algorithm */
+     if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
+         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
+diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h
+--- ./lib/freebl/blapit.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/freebl/blapit.h	2022-06-20 16:47:35.025785641 -0700
+@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
+  * These values come from the initial key size limits from the PKCS #11
+  * module. They may be arbitrarily adjusted to any value freebl supports.
+  */
+-#define RSA_MIN_MODULUS_BITS 128
++#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
+ #define RSA_MAX_MODULUS_BITS 16384
+ #define RSA_MAX_EXPONENT_BITS 64
+ #define DH_MIN_P_BITS 128
+diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h
+--- ./lib/nss/nss.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/nss/nss.h	2022-06-20 16:47:35.026785647 -0700
+@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
+ #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
+ #define NSS_DEFAULT_SSL_LOCK 1  /* lock the ssl default values */
+ 
++/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
++ * the NSS_XXX_MIN_KEY_SIZE values.
++ *    NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
++ *                              value
++ *     On get it returns all the flags
++ *    NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
++ *                                  does not affect the other flags
++ *     On get it returns all the flags
++ *    NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
++ *                                    value and does not affect the other flags
++ *     On get it returns all the compliment of all the flags
++ *     (cleared flags == 1) */
++#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
++#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
++#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
++/* currently defined flags */
++#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
++#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
++#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
++
++#define NSS_ECC_MIN_KEY_SIZE 0x011
++
+ /*
+  * Set and get global options for the NSS library.
+  */
+diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c
+--- ./lib/nss/nssoptions.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/nss/nssoptions.c	2022-06-20 16:47:35.026785647 -0700
+@@ -26,6 +26,8 @@ struct nssOps {
+     PRInt32 dtlsVersionMaxPolicy;
+     PRInt32 pkcs12DecodeForceUnicode;
+     PRInt32 defaultLocks;
++    PRInt32 keySizePolicyFlags;
++    PRInt32 eccMinKeySize;
+ };
+ 
+ static struct nssOps nss_ops = {
+@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
+     1,
+     0xffff,
+     PR_FALSE,
+-    0
++    0,
++    NSS_KEY_SIZE_POLICY_SSL_FLAG,
++    SSL_ECC_MIN_CURVE_BITS
+ };
+ 
+ SECStatus
+@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
+         case NSS_DEFAULT_LOCKS:
+             nss_ops.defaultLocks = value;
+             break;
++        case NSS_KEY_SIZE_POLICY_FLAGS:
++            nss_ops.keySizePolicyFlags = value;
++            break;
++        case NSS_KEY_SIZE_POLICY_SET_FLAGS:
++            nss_ops.keySizePolicyFlags |= value;
++            break;
++        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
++            nss_ops.keySizePolicyFlags &= ~value;
++            break;
++        case NSS_ECC_MIN_KEY_SIZE:
++            nss_ops.eccMinKeySize = value;
++            break;
+         default:
+             PORT_SetError(SEC_ERROR_INVALID_ARGS);
+             rv = SECFailure;
+@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
+         case NSS_DEFAULT_LOCKS:
+             *value = nss_ops.defaultLocks;
+             break;
++        case NSS_KEY_SIZE_POLICY_FLAGS:
++        case NSS_KEY_SIZE_POLICY_SET_FLAGS:
++            *value = nss_ops.keySizePolicyFlags;
++            break;
++        case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
++            *value = ~nss_ops.keySizePolicyFlags;
++            break;
++        case NSS_ECC_MIN_KEY_SIZE:
++            *value = nss_ops.eccMinKeySize;
++            break;
+         default:
+             rv = SECFailure;
+     }
+diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h
+--- ./lib/nss/nssoptions.h.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/nss/nssoptions.h	2022-06-20 16:47:35.026785647 -0700
+@@ -18,3 +18,5 @@
+  * happens because NSS used to count bit lengths incorrectly. */
+ #define SSL_DH_MIN_P_BITS 1023
+ #define SSL_DSA_MIN_P_BITS 1023
++/* not really used by SSL, but define it here for consistency */
++#define SSL_ECC_MIN_CURVE_BITS 256
+diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c
+--- ./lib/pk11wrap/pk11kea.c.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./lib/pk11wrap/pk11kea.c	2022-06-20 16:47:35.026785647 -0700
+@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
+         if (privKeyHandle == CK_INVALID_HANDLE) {
+             PK11RSAGenParams rsaParams;
+ 
+-            if (symKeyLength > 53) /* bytes */ {
+-                /* we'd have to generate an RSA key pair > 512 bits long,
++            if (symKeyLength > 120) /* bytes */ {
++                /* we'd have to generate an RSA key pair > 1024 bits long,
+                 ** and that's too costly.  Don't even try.
+                 */
+                 PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
+                 goto rsa_failed;
+             }
+-            rsaParams.keySizeInBits =
+-                (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
++            rsaParams.keySizeInBits = 1024;
+             rsaParams.pe = 0x10001;
+             privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
+                                            &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
+diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.sign_policy	2022-06-20 16:47:35.004785510 -0700
++++ ./lib/pk11wrap/pk11pars.c	2022-06-20 16:47:35.026785647 -0700
+@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[]
+     { CIPHER_NAME("DTLS1.3"), 0x304 },
+ };
+ 
++static const optionFreeDef keySizeFlagsList[] = {
++    { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
++    { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
++    { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
++};
++
+ static const optionFreeDef freeOptList[] = {
+ 
+     /* Restrictions for asymetric keys */
+     { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
+     { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
+     { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
++    { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
++    /* what operations doe the key size apply to */
++    { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
+     /* constraints on SSL Protocols */
+     { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
+     { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
+@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol
+         *result = val;
+         return SECSuccess;
+     }
++    /* handle any ssl strings */
+     for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
+         if (policyValueLength == sslOptList[i].name_size &&
+             PORT_Strncasecmp(sslOptList[i].name, policyValue,
+@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol
+             return SECSuccess;
+         }
+     }
+-    return SECFailure;
++    /* handle key_size flags. Each flag represents a bit, which
++     * gets or'd together. They can be separated by , | or + */
++    val = 0;
++    while (*policyValue) {
++        PRBool found = PR_FALSE;
++        for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
++            if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
++                                 keySizeFlagsList[i].name_size) == 0) {
++                val |= keySizeFlagsList[i].option;
++                found = PR_TRUE;
++                policyValue += keySizeFlagsList[i].name_size;
++                break;
++            }
++        }
++        if (!found) {
++            return SECFailure;
++        }
++        if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
++            policyValue++;
++        }
++    }
++    *result = val;
++    return SECSuccess;
+ }
+ 
+ /* Policy operations:
+diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.sign_policy	2022-06-20 16:47:34.998785473 -0700
++++ ./lib/ssl/ssl3con.c	2022-06-20 16:47:35.028785660 -0700
+@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
+     unsigned dh_p_bits;
+     unsigned dh_g_bits;
+     PRInt32 minDH;
++    PRInt32 optval;
++    PRBool usePolicyLength = PR_FALSE;
+ 
+     SSL3Hashes hashes;
+     SECItem signature = { siBuffer, NULL, 0 };
+@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
+     if (rv != SECSuccess) {
+         goto loser; /* malformed. */
+     }
++    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
++    if (rv == SECSuccess) {
++        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
++    }
+ 
+-    rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
++    rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
++                         : SECFailure;
+     if (rv != SECSuccess || minDH <= 0) {
+         minDH = SSL_DH_MIN_P_BITS;
+     }
+@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
+     SECStatus rv;
+     PRUint32 minKey;
+     PRInt32 optval;
++    PRBool usePolicyLength = PR_TRUE;
++
++    rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
++    if (rv == SECSuccess) {
++        usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
++    }
+ 
+     ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
+     switch (SECKEY_GetPublicKeyType(pubKey)) {
+         case rsaKey:
+         case rsaPssKey:
+         case rsaOaepKey:
+-            rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
++            rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
++                                 : SECFailure;
+             if (rv == SECSuccess && optval > 0) {
+                 minKey = (PRUint32)optval;
+             } else {
+@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
+             break;
+ 
+         case dsaKey:
+-            rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
++            rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
++                                 : SECFailure;
+             if (rv == SECSuccess && optval > 0) {
+                 minKey = (PRUint32)optval;
+             } else {
+@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
+             break;
+ 
+         case dhKey:
+-            rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
++            rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
++                                 : SECFailure;
+             if (rv == SECSuccess && optval > 0) {
+                 minKey = (PRUint32)optval;
+             } else {
+@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
+             break;
+ 
+         case ecKey:
+-            /* Don't check EC strength here on the understanding that we only
+-             * support curves we like. */
+-            minKey = ss->sec.authKeyBits;
++            rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
++                                 : SECFailure;
++            if (rv == SECSuccess && optval > 0) {
++                minKey = (PRUint32)optval;
++            } else {
++                /* Don't check EC strength here on the understanding that we
++                 * only support curves we like. */
++                minKey = ss->sec.authKeyBits;
++            }
+             break;
+ 
+         default:
+diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt
+--- ./tests/policy/crypto-policy.txt.sign_policy	2022-05-26 02:54:33.000000000 -0700
++++ ./tests/policy/crypto-policy.txt	2022-06-20 16:47:35.028785660 -0700
+@@ -6,6 +6,8 @@
+ 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
+ 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
+ 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
++0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
++2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
+ 2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
+ 2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
+ 2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
+diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
+--- ./tests/ssl/sslpolicy.txt.sign_policy	2022-06-20 16:47:35.028785660 -0700
++++ ./tests/ssl/sslpolicy.txt	2022-06-20 16:50:08.958742135 -0700
+@@ -196,6 +196,11 @@
+ # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
+ # compatibility reasons
+ #  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
++  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
++
+ # test default settings
+ # NOTE: tstclient will attempt to overide the defaults, so we detect we
+ # were successful by locking in our settings
+diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh
+--- ./tests/dbupgrade/dbupgrade.sh.sign_policy	2022-06-22 08:43:55.905407738 -0700
++++ ./tests/dbupgrade/dbupgrade.sh	2022-06-22 08:43:58.837426779 -0700
+@@ -69,7 +69,7 @@ dbupgrade_main()
+ 		echo $i
+ 		if [ -d $i ]; then
+ 			echo "upgrading db $i"
+-			${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
++			${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
+ 			html_msg $? 0 "Upgrading $i"
+ 		else
+ 			echo "skipping db $i"

SOURCES/nss-3.90-aes-gmc-indicator.patch

@@ -1,42 +0,0 @@
-diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
---- a/lib/softoken/sftkmessage.c
-+++ b/lib/softoken/sftkmessage.c
-@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
- 
-     CHECK_FORK();
- 
-     /* make sure we're legal */
-     crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
-     if (crv != CKR_OK)
-         return crv;
- 
-+    if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
-+        if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
-+            context->isFIPS = PR_FALSE;
-+        } else {
-+            CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
-+            switch (p->ivGenerator) {
-+                case CKG_NO_GENERATE:
-+                    context->isFIPS = PR_FALSE;
-+                    break;
-+                case CKG_GENERATE_RANDOM:
-+                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
-+                        context->isFIPS = PR_FALSE;
-+                    }
-+                    break;
-+                default:
-+                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
-+                        context->isFIPS = PR_FALSE;
-+                    }
-+            }
-+        }
-+    }
-+
-     if (!pOuttext) {
-         *pulOuttextLen = ulIntextLen;
-         return CKR_OK;
-     }
-     rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
-                                 maxout, pIntext, ulIntextLen,
-                                 pParameter, ulParameterLen,
-                                 pAssociatedData, ulAssociatedDataLen);

SOURCES/nss-3.90-dh-test-update.patch

@@ -1,90 +0,0 @@
-diff -up ./lib/freebl/fipsfreebl.c.dh_test ./lib/freebl/fipsfreebl.c
---- ./lib/freebl/fipsfreebl.c.dh_test	2024-01-18 08:34:45.936944401 -0800
-+++ ./lib/freebl/fipsfreebl.c	2024-01-18 09:20:57.555980326 -0800
-@@ -1816,38 +1816,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
- {
-     /* DH Known P (2048-bits) */
-     static const PRUint8 dh_known_P[] = {
--        0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
--        0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
--        0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
--        0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
--        0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
--        0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
--        0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
--        0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
--        0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
--        0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
--        0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
--        0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
--        0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
--        0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
--        0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
--        0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
--        0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
--        0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
--        0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
--        0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
--        0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
--        0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
--        0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
--        0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
--        0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
--        0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
--        0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
--        0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
--        0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
--        0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
--        0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
--        0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
-+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
-+        0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
-+        0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
-+        0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
-+        0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
-+        0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
-+        0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
-+        0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
-+        0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
-+        0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
-+        0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
-+        0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
-+        0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
-+        0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
-+        0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
-+        0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
-+        0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
-+        0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
-+        0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
-+        0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
-+        0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
-+        0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
-+        0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
-+        0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
-+        0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
-+        0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
-+        0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
-+        0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
-+        0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
-+        0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
-+        0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
-+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-+
-     };
- 
-     static const PRUint8 dh_known_Y_1[] = {
-@@ -1893,10 +1894,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
-     };
- 
-     static const PRUint8 dh_known_hash_result[] = {
--        0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
--        0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
--        0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
--        0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
-+        0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
-+        0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
-+        0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
-+        0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
-     };
- 
-     /* DH variables. */

SOURCES/nss-3.90-fips-indicators2.patch

@@ -1,176 +0,0 @@
-diff -up ./lib/softoken/pkcs11c.c.fips_2 ./lib/softoken/pkcs11c.c
---- ./lib/softoken/pkcs11c.c.fips_2	2024-01-19 09:21:19.632889660 -0800
-+++ ./lib/softoken/pkcs11c.c	2024-01-19 09:22:18.541471306 -0800
-@@ -7090,7 +7090,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
-                     mech.ulParameterLen = sizeof(*params);
-                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
-                                                        CKA_DERIVE, saltKey,
--                                                       keySize);
-+                                                       keySize*PR_BITS_PER_BYTE);
-                 }
-                 saltKeySource = saltKey->source;
-                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
-@@ -7404,7 +7404,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
-         }
-     }
-     key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
--                                       keySize);
-+                                       keySize*PR_BITS_PER_BYTE);
- 
-     switch (mechanism) {
-         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
-diff -up ./lib/softoken/pkcs11u.c.fips_2 ./lib/softoken/pkcs11u.c
---- ./lib/softoken/pkcs11u.c.fips_2	2024-01-19 09:21:19.633889670 -0800
-+++ ./lib/softoken/pkcs11u.c	2024-01-19 09:28:00.082843565 -0800
-@@ -2393,20 +2393,43 @@ sftk_getKeyLength(SFTKObject *source)
- }
- 
- PRBool
--sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
-+sftk_checkFIPSHash(CK_MECHANISM_TYPE hash, PRBool allowSmall, PRBool allowCMAC)
- {
-     switch (hash) {
-+        case CKM_AES_CMAC:
-+            return allowCMAC;
-+        case CKM_SHA_1:
-+        case CKM_SHA_1_HMAC:
-+        case CKM_SHA224:
-+        case CKM_SHA224_HMAC:
-+            return allowSmall;
-         case CKM_SHA256:
--        case CKG_MGF1_SHA256:
-+        case CKM_SHA256_HMAC:
-         case CKM_SHA384:
--        case CKG_MGF1_SHA384:
-+        case CKM_SHA384_HMAC:
-         case CKM_SHA512:
--        case CKG_MGF1_SHA512:
-+        case CKM_SHA512_HMAC:
-             return PR_TRUE;
-     }
-     return PR_FALSE;
- }
- 
-+PRBool
-+sftk_checkKeyLength(CK_ULONG keyLength, CK_ULONG min,
-+                    CK_ULONG max, CK_ULONG step)
-+{
-+     if (keyLength > max) {
-+         return PR_FALSE;
-+     }
-+     if (keyLength < min ) {
-+         return PR_FALSE;
-+     }
-+     if (((keyLength - min) % step) != 0) {
-+         return PR_FALSE;
-+     }
-+     return PR_TRUE;
-+}
-+
- /*
-  * handle specialized FIPS semantics that are too complicated to
-  * handle with just a table. NOTE: this means any additional semantics
-@@ -2416,6 +2439,8 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-                    SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
-                    CK_ULONG keyLength, CK_ULONG targetKeyLength)
- {
-+    PRBool allowSmall = PR_FALSE;
-+    PRBool allowCMAC = PR_FALSE;
-     switch (mechInfo->special) {
-         case SFTKFIPSDH: {
-             SECItem dhPrime;
-@@ -2482,7 +2507,11 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-             if (pss->sLen > hashObj->length) {
-                 return PR_FALSE;
-             }
--            return sftk_CheckFIPSHash(pss->hashAlg);
-+            /* Our code makes sure pss->hashAlg matches the explicit
-+             * hash in the mechanism, and only mechanisms with approved
-+             * hashes are included, so no need to check pss->hashAlg
-+             * here */
-+            return PR_TRUE;
-         }
-         case SFTKFIPSPBKDF2: {
-             /* PBKDF2 must have the following addition restrictions
-@@ -2508,12 +2537,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-              return PR_TRUE;
-         }
-         /* check the hash mechanisms to make sure they themselves are FIPS */
-+        case SFTKFIPSChkHashSp800:
-+             allowCMAC = PR_TRUE;
-         case SFTKFIPSChkHash:
-+             allowSmall = PR_TRUE;
-+        case SFTKFIPSChkHashTls:
-             if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
-                 return PR_FALSE;
-             }
--            return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
--                        + mechInfo->offset));
-+            return sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
-+                        + mechInfo->offset), allowSmall, allowCMAC);
-+        case SFTKFIPSTlsKeyCheck:
-+            if (mech->mechanism != CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
-+                /* unless the mechnism has a built-in hash, check the hash */
-+                if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
-+                    return PR_FALSE;
-+                }
-+                if (!sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
-+                        + mechInfo->offset), PR_FALSE, PR_FALSE)) {
-+                    return PR_FALSE;
-+                }
-+            }
-+            return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
-         default:
-             break;
-     }
-@@ -2558,13 +2603,11 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
-          * approved algorithm in the approved mode with an approved key */
-         if ((mech->mechanism == mechs->type) &&
-             (opFlags == (mechs->info.flags & opFlags)) &&
--            (keyLength <= mechs->info.ulMaxKeySize) &&
--            (keyLength >= mechs->info.ulMinKeySize) &&
--            (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
--            ((targetKeyLength == 0) ||
--             ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
--             (targetKeyLength >= mechs->info.ulMinKeySize) &&
--             ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
-+            sftk_checkKeyLength(keyLength, mechs->info.ulMinKeySize,
-+                                mechs->info.ulMaxKeySize, mechs->step) &&
-+            ((targetKeyLength == 0) ||  (mechs->special == SFTKFIPSTlsKeyCheck)
-+             || sftk_checkKeyLength(targetKeyLength, mechs->info.ulMinKeySize,
-+                                mechs->info.ulMaxKeySize, mechs->step)) &&
-             ((mechs->special == SFTKFIPSNone) ||
-              sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
-             return PR_TRUE;
-diff -up ./lib/softoken/sftkmessage.c.fips_2 ./lib/softoken/sftkmessage.c
---- ./lib/softoken/sftkmessage.c.fips_2	2024-01-19 09:21:19.634889680 -0800
-+++ ./lib/softoken/sftkmessage.c	2024-01-19 09:22:18.541471306 -0800
-@@ -157,16 +157,25 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
-         } else {
-             CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
-             switch (p->ivGenerator) {
-+                default:
-                 case CKG_NO_GENERATE:
-                     context->isFIPS = PR_FALSE;
-                     break;
-                 case CKG_GENERATE_RANDOM:
--                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
-+                    if ((p->ulIvLen < 96/PR_BITS_PER_BYTE) ||
-+                        (p->ulIvFixedBits != 0)) {
-                         context->isFIPS = PR_FALSE;
-                     }
-                     break;
--                default:
--                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
-+                case CKG_GENERATE_COUNTER_XOR:
-+                    if ((p->ulIvLen != 96/PR_BITS_PER_BYTE) ||
-+                        (p->ulIvFixedBits != 32)) {
-+                        context->isFIPS = PR_FALSE;
-+                    }
-+                    break;
-+                case CKG_GENERATE_COUNTER:
-+                    if ((p->ulIvFixedBits < 32) ||
-+                       ((p->ulIvLen*PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
-                         context->isFIPS = PR_FALSE;
-                     }
-             }

SOURCES/nss-3.90-fips-safe-memset.patch

@@ -1,506 +0,0 @@
-diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c
---- ./lib/freebl/aeskeywrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/aeskeywrap.c	2023-11-22 14:42:24.246388369 -0800
-@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
-         PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
-         rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
-                          outLen);
--        PORT_Memset(iv, 0, sizeof(iv));
-+        PORT_SafeZero(iv, sizeof(iv));
-         return rv;
-     }
- 
-@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
-     PORT_ZFree(newBuf, paddedInputLen);
-     /* a little overkill, we only need to clear out the length, but this
-      * is easier to verify we got it all */
--    PORT_Memset(iv, 0, sizeof(iv));
-+    PORT_SafeZero(iv, sizeof(iv));
-     return rv;
- }
- 
-@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
- loser:
-     /* if we failed, make sure we don't return any data to the user */
-     if ((rv != SECSuccess) && (output == newBuf)) {
--        PORT_Memset(newBuf, 0, paddedLen);
-+        PORT_SafeZero(newBuf, paddedLen);
-     }
-     /* clear out CSP sensitive data from the heap and stack */
-     if (allocBuf) {
-         PORT_ZFree(allocBuf, paddedLen);
-     }
--    PORT_Memset(iv, 0, sizeof(iv));
-+    PORT_SafeZero(iv, sizeof(iv));
-     return rv;
- }
-diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h
---- ./lib/freebl/blapii.h.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/blapii.h	2023-11-22 14:42:24.246388369 -0800
-@@ -101,10 +101,10 @@ PRBool ppc_crypto_support();
- #ifdef NSS_FIPS_DISABLED
- #define BLAPI_CLEAR_STACK(stack_size)
- #else
--#define BLAPI_CLEAR_STACK(stack_size)                    \
--    {                                                    \
--        volatile char _stkclr[stack_size];               \
--        PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
-+#define BLAPI_CLEAR_STACK(stack_size)                   \
-+    {                                                   \
-+        volatile char _stkclr[stack_size];              \
-+        PORT_SafeZero((void *)&_stkclr[0], stack_size); \
-     }
- #endif
- 
-diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c
---- ./lib/freebl/drbg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/drbg.c	2023-11-22 14:42:24.246388369 -0800
-@@ -197,7 +197,7 @@ prng_initEntropy(void)
-     SHA256_Update(&ctx, block, sizeof(block));
-     SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
-                sizeof(globalrng->previousEntropyHash));
--    PORT_Memset(block, 0, sizeof(block));
-+    PORT_SafeZero(block, sizeof(block));
-     SHA256_DestroyContext(&ctx, PR_FALSE);
-     return PR_SUCCESS;
- }
-@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
-     }
- 
- out:
--    PORT_Memset(hash, 0, sizeof hash);
--    PORT_Memset(block, 0, sizeof block);
-+    PORT_SafeZero(hash, sizeof hash);
-+    PORT_SafeZero(block, sizeof block);
-     return rv;
- }
- 
-@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
-         PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
-         SHA256_DestroyContext(&ctx, PR_FALSE);
-     }
--    PORT_Memset(data, 0, sizeof data);
--    PORT_Memset(thisHash, 0, sizeof thisHash);
-+    PORT_SafeZero(data, sizeof data);
-+    PORT_SafeZero(thisHash, sizeof thisHash);
- }
- 
- /*
-@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng,
-     PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
- 
-     /* if the prng failed, don't return any output, signal softoken */
--    PORT_Memset(H, 0, sizeof H);
-+    PORT_SafeZero(H, sizeof H);
-     if (!rng->isValid) {
-         PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
-         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c
---- ./lib/freebl/dsa.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/dsa.c	2023-11-22 14:42:24.246388369 -0800
-@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
-     err = MP_OKAY;
-     signature->len = dsa_signature_len;
- cleanup:
--    PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
-+    PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
-     mp_clear(&p);
-     mp_clear(&q);
-     mp_clear(&g);
-@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
-         rv = dsa_SignDigest(key, signature, digest, kSeed);
-     } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
-              --retries > 0);
--    PORT_Memset(kSeed, 0, sizeof kSeed);
-+    PORT_SafeZero(kSeed, sizeof kSeed);
-     return rv;
- }
- 
-@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
-         verified = SECSuccess; /* Signature verified. */
-     }
- cleanup:
--    PORT_Memset(localDigestData, 0, sizeof localDigestData);
-+    PORT_SafeZero(localDigestData, sizeof localDigestData);
-     mp_clear(&p);
-     mp_clear(&q);
-     mp_clear(&g);
-diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c
---- ./lib/freebl/gcm.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/gcm.c	2023-11-22 14:42:24.246388369 -0800
-@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
-     rv = SECSuccess;
- 
- cleanup:
--    PORT_Memset(T, 0, sizeof(T));
-+    PORT_SafeZero(T, sizeof(T));
-     return rv;
- }
- 
-@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC
-     if (rv != SECSuccess) {
-         goto loser;
-     }
--    PORT_Memset(H, 0, AES_BLOCK_SIZE);
-+    PORT_SafeZero(H, AES_BLOCK_SIZE);
-     gcm->ctr_context_init = PR_TRUE;
-     return gcm;
- 
- loser:
--    PORT_Memset(H, 0, AES_BLOCK_SIZE);
-+    PORT_SafeZero(H, AES_BLOCK_SIZE);
-     if (ghash && ghash->mem) {
-         void *mem = ghash->mem;
--        PORT_Memset(ghash, 0, sizeof(gcmHashContext));
-+        PORT_SafeZero(ghash, sizeof(gcmHashContext));
-         PORT_Free(mem);
-     }
-     if (gcm) {
-@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u
-         goto loser;
-     }
- 
--    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
-+    PORT_SafeZero(&ctrParams, sizeof ctrParams);
-     return SECSuccess;
- 
- loser:
--    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
-+    PORT_SafeZero(&ctrParams, sizeof ctrParams);
-     if (freeCtr) {
-         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
-     }
-@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
-     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
-         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
-         PORT_SetError(SEC_ERROR_BAD_DATA);
--        PORT_Memset(tag, 0, sizeof(tag));
-+        PORT_SafeZero(tag, sizeof(tag));
-         return SECFailure;
-     }
--    PORT_Memset(tag, 0, sizeof(tag));
-+    PORT_SafeZero(tag, sizeof(tag));
-     /* finish the decryption */
-     return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
-                       inbuf, inlen, AES_BLOCK_SIZE);
-@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
-         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
-         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
-         PORT_SetError(SEC_ERROR_BAD_DATA);
--        PORT_Memset(tag, 0, sizeof(tag));
-+        PORT_SafeZero(tag, sizeof(tag));
-         return SECFailure;
-     }
--    PORT_Memset(tag, 0, sizeof(tag));
-+    PORT_SafeZero(tag, sizeof(tag));
-     /* finish the decryption */
-     rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
-                     inbuf, inlen, AES_BLOCK_SIZE);
-diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c
---- ./lib/freebl/hmacct.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/hmacct.c	2023-11-22 14:42:24.246388369 -0800
-@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
-     hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
-     hashObj->destroy(mdState, PR_TRUE);
- 
--    PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
--    PORT_Memset(hmacPad, 0, sizeof hmacPad);
--    PORT_Memset(firstBlock, 0, sizeof firstBlock);
--    PORT_Memset(macOut, 0, sizeof macOut);
-+    PORT_SafeZero(lengthBytes, sizeof lengthBytes);
-+    PORT_SafeZero(hmacPad, sizeof hmacPad);
-+    PORT_SafeZero(firstBlock, sizeof firstBlock);
-+    PORT_SafeZero(macOut, sizeof macOut);
- 
-     return SECSuccess;
- }
-diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c
---- ./lib/freebl/intel-gcm-wrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/intel-gcm-wrap.c	2023-11-22 14:42:24.246388369 -0800
-@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
- void
- intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
- {
--    PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
-+    PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
-     if (freeit) {
-         PORT_Free(gcm);
-     }
-diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c
---- ./lib/freebl/ppc-gcm-wrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/ppc-gcm-wrap.c	2023-11-22 14:42:24.246388369 -0800
-@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
- void
- ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
- {
--    PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
-+    PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
-     if (freeit) {
-         PORT_Free(gcm);
-     }
-diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c
---- ./lib/freebl/pqg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/pqg.c	2023-11-22 14:42:24.246388369 -0800
-@@ -703,7 +703,7 @@ cleanup:
-     mp_clear(&a);
-     mp_clear(&z);
-     mp_clear(&two_length_minus_1);
--    PORT_Memset(x, 0, sizeof(x));
-+    PORT_SafeZero(x, sizeof(x));
-     if (err) {
-         MP_TO_SEC_ERROR(err);
-         rv = SECFailure;
-@@ -859,7 +859,7 @@ cleanup:
-     mp_clear(&c);
-     mp_clear(&c0);
-     mp_clear(&one);
--    PORT_Memset(x, 0, sizeof(x));
-+    PORT_SafeZero(x, sizeof(x));
-     if (err) {
-         MP_TO_SEC_ERROR(err);
-         rv = SECFailure;
-@@ -1072,7 +1072,7 @@ makePfromQandSeed(
-     CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1       */
-     CHECK_MPI_OK(mp_sub(&X, &c, P));   /* P = X - c    */
- cleanup:
--    PORT_Memset(V_j, 0, sizeof V_j);
-+    PORT_SafeZero(V_j, sizeof V_j);
-     mp_clear(&W);
-     mp_clear(&X);
-     mp_clear(&c);
-@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
- /* step 11.
-      * return valid G */
- cleanup:
--    PORT_Memset(data, 0, sizeof(data));
-+    PORT_SafeZero(data, sizeof(data));
-     if (hashcx) {
-         hashobj->destroy(hashcx, PR_TRUE);
-     }
-diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c
---- ./lib/freebl/rijndael.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/rijndael.c	2023-11-22 14:42:24.247388378 -0800
-@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
-         cx->worker_cx = NULL;
-         cx->destroy = NULL;
-     }
--    PORT_Memset(cx, 0, sizeof(AESContext));
-+    PORT_SafeZero(cx, sizeof(AESContext));
-     if (freeit) {
-         PORT_Free(mem);
-     } else {
-diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c
---- ./lib/freebl/rsa.c.safe_zero	2023-11-22 14:41:24.066840894 -0800
-+++ ./lib/freebl/rsa.c	2023-11-22 14:42:24.247388378 -0800
-@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c
-     /* 2.  Compute phi = (p-1)*(q-1) */
-     CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
-     CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
-+    CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
-     if (needPublicExponent || needPrivateExponent) {
--        CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
-         /* 3.  Compute d = e**-1 mod(phi) */
-         /*     or      e = d**-1 mod(phi) as necessary */
-         if (needPublicExponent) {
-@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c
-         goto cleanup;
-     }
- 
-+    /* make sure we weren't passed in a d or e = 1 mod phi */
-+    /* just need to check d, because if one is = 1 mod phi, they both are */
-+    CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
-+    if (mp_cmp_d(&tmp, 2) <= 0) {
-+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+        rv = SECFailure;
-+        goto cleanup;
-+    }
-+
-     /* 4.  Compute exponent1 = d mod (p-1) */
-     CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
-     MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
-@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
-     /* Perform a public key operation v = m ** e mod n */
-     CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
-     if (mp_cmp(&v, c) != 0) {
-+        /* this error triggers a fips fatal error lock */
-+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-         rv = SECFailure;
-     }
- cleanup:
-diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c
---- ./lib/freebl/rsapkcs.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/rsapkcs.c	2023-11-22 14:42:24.247388378 -0800
-@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject *
-     /* now create the hmac key */
-     hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
-     if (hmac == NULL) {
--        PORT_Memset(keyHash, 0, sizeof(keyHash));
-+        PORT_SafeZero(keyHash, sizeof(keyHash));
-         return NULL;
-     }
-     HMAC_Begin(hmac);
-     HMAC_Update(hmac, input, inputLen);
-     rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
-     if (rv != SECSuccess) {
--        PORT_Memset(keyHash, 0, sizeof(keyHash));
-+        PORT_SafeZero(keyHash, sizeof(keyHash));
-         HMAC_Destroy(hmac, PR_TRUE);
-         return NULL;
-     }
-@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject *
-      * reuse the original context allocated above so we don't
-      * need to allocate and free another one */
-     rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
--    PORT_Memset(keyHash, 0, sizeof(keyHash));
-+    PORT_SafeZero(keyHash, sizeof(keyHash));
-     if (rv != SECSuccess) {
-         HMAC_Destroy(hmac, PR_TRUE);
-         return NULL;
-@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
-             return rv;
-         }
-         PORT_Memcpy(output, hmacLast, left);
--        PORT_Memset(hmacLast, 0, sizeof(hmacLast));
-+        PORT_SafeZero(hmacLast, sizeof(hmacLast));
-     }
-     return rv;
- }
-@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
-         outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
-                                 candidate, outLength);
-     }
--    PORT_Memset(out, 0, sizeof(out));
-+    PORT_SafeZero(out, sizeof(out));
-     return outLength;
- }
- 
-diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c
---- ./lib/freebl/shvfy.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/shvfy.c	2023-11-22 14:42:24.247388378 -0800
-@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
- 
-     /* verify the hash against the check file */
-     rv = DSA_VerifyDigest(key, signature, &hash);
--    PORT_Memset(hashBuf, 0, sizeof hashBuf);
-+    PORT_SafeZero(hashBuf, sizeof hashBuf);
-     return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
- }
- #endif
-@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
-     if (rv == SECSuccess) {
-         result = SECITEM_ItemsAreEqual(signature, &hash);
-     }
--    PORT_Memset(hashBuf, 0, sizeof hashBuf);
-+    PORT_SafeZero(hashBuf, sizeof hashBuf);
-     return result;
- }
- 
-@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
- #ifndef NSS_STRICT_INTEGRITY
-     DSAPublicKey key;
- 
--    PORT_Memset(&key, 0, sizeof(key));
-+    PORT_SafeZero(&key, sizeof(key));
- #endif
- 
-     /* If our integrity check was never ran or failed, fail any other
-@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P
-     shFD = NULL;
- 
- loser:
--    PORT_Memset(&header, 0, sizeof header);
-+    PORT_SafeZero(&header, sizeof header);
-     if (checkName != NULL) {
-         PORT_Free(checkName);
-     }
-diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c
---- ./lib/freebl/tlsprfalg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/freebl/tlsprfalg.c	2023-11-22 14:42:24.247388378 -0800
-@@ -82,8 +82,8 @@ loser:
-     /* clear out state so it's not left on the stack */
-     if (cx)
-         HMAC_Destroy(cx, PR_TRUE);
--    PORT_Memset(state, 0, sizeof(state));
--    PORT_Memset(outbuf, 0, sizeof(outbuf));
-+    PORT_SafeZero(state, sizeof(state));
-+    PORT_SafeZero(outbuf, sizeof(outbuf));
-     return rv;
- }
- 
-diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c
---- ./lib/freebl/unix_urandom.c.safe_zero	2023-11-22 14:42:24.247388378 -0800
-+++ ./lib/freebl/unix_urandom.c	2023-11-22 14:44:15.519400684 -0800
-@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
-         return;
-     }
-     RNG_RandomUpdate(bytes, numBytes);
--    PORT_Memset(bytes, 0, sizeof bytes);
-+    PORT_SafeZero(bytes, sizeof bytes);
- }
- 
- #ifdef NSS_FIPS_140_3
-diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c
---- ./lib/softoken/pkcs11c.c.safe_zero	2023-11-22 14:41:24.069840921 -0800
-+++ ./lib/softoken/pkcs11c.c	2023-11-22 14:42:24.248388387 -0800
-@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
-         if ((signature_length >= pairwise_digest_length) &&
-             (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
-             PORT_Free(signature);
--            return CKR_DEVICE_ERROR;
-+            return CKR_GENERAL_ERROR;
-         }
- 
-         /* Verify the known hash using the public key. */
-diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h
---- ./lib/util/secport.h.safe_zero	2023-06-04 01:42:53.000000000 -0700
-+++ ./lib/util/secport.h	2023-11-22 14:42:24.248388387 -0800
-@@ -36,6 +36,9 @@
- #include <sys/types.h>
- 
- #include <ctype.h>
-+/* ask for Annex K for memset_s. will set the appropriate #define
-+ * if Annex K is supported */
-+#define __STDC_WANT_LIB_EXT1__ 1
- #include <string.h>
- #include <stddef.h>
- #include <stdlib.h>
-@@ -182,6 +185,39 @@ SEC_END_PROTOS
- #endif /*SUNOS4*/
- #define PORT_Memset memset
- 
-+/* there are cases where the compiler optimizes away our attempt to clear
-+ * out our stack variables. There are multiple solutions for this problem,
-+ * but they aren't universally accepted on all platforms. This attempts
-+ * to select the best solution available given our os, compilier, and libc */
-+#ifdef __STDC_LIB_EXT1__
-+/* if the os implements C11 annex K, use memset_s */
-+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
-+#else
-+#ifdef XP_WIN
-+/* windows has a secure zero funtion */
-+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
-+#else
-+/* _DEFAULT_SORUCE  == BSD source in GCC based environments
-+ * if other environmens support explicit_bzero, their defines
-+ * should be added here */
-+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
-+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
-+#else
-+/* if the os doesn't support one of the above, but does support
-+ * memset_explicit, you can add the definition for memset with the
-+ * appropriate define check here */
-+/* define an explicitly implementated Safe zero if the OS
-+ * doesn't provide one */
-+#define PORT_SafeZero(p, n)                                \
-+    if (p != NULL) {                                       \
-+        volatile unsigned char *__vl = (unsigned char *)p; \
-+        size_t __nl = n;                                   \
-+        while (__nl--) *__vl++ = 0;                        \
-+    }
-+#endif /* no explicit_bzero */
-+#endif /* no windows SecureZeroMemory */
-+#endif /* no memset_s */
-+
- #define PORT_Strcasecmp PL_strcasecmp
- #define PORT_Strcat strcat
- #define PORT_Strchr strchr

SOURCES/nss-3.90-pbkdf2-indicator.patch

@@ -1,42 +0,0 @@
-diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
---- ./lib/softoken/pkcs11u.c.pkcs12_indicator	2023-08-03 10:50:37.067109367 -0700
-+++ ./lib/softoken/pkcs11u.c	2023-08-03 11:41:55.641541953 -0700
-@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-             return PR_FALSE;
-         case SFTKFIPSECC:
-             /* we've already handled the curve selection in the 'getlength'
--          * function */
-+             * function */
-             return PR_TRUE;
-         case SFTKFIPSAEAD: {
-             if (mech->ulParameterLen == 0) {
-@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
-             }
-             return PR_TRUE;
-         }
-+        case SFTKFIPSPBKDF2: {
-+            /* PBKDF2 must have the following addition restrictions
-+             * (independent of keysize).
-+             *    1. iteration count must be at least 1000.
-+             *    2. salt must be at least 128 bits (16 bytes).
-+             *    3. password must match the length specified in the SP
-+             */
-+             CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
-+                                                    mech->pParameter;
-+             if (mech->ulParameterLen != sizeof(*pbkdf2)) {
-+                 return PR_FALSE;
-+             }
-+             if (pbkdf2->iterations < 1000) {
-+                 return PR_FALSE;
-+             }
-+             if (pbkdf2->ulSaltSourceDataLen < 16) {
-+                 return PR_FALSE;
-+             }
-+             if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
-+                 return PR_FALSE;
-+             }
-+             return PR_TRUE;
-+        }
-         default:
-             break;
-     }

SOURCES/nss-3.90-ppc_no_init.patch

@@ -1,36 +0,0 @@
-diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
---- ./lib/freebl/Makefile.ppc_no_init	2024-06-03 14:12:24.216755903 -0700
-+++ ./lib/freebl/Makefile	2024-06-03 14:11:36.464234903 -0700
-@@ -303,7 +303,7 @@ endif
- ifeq ($(CPU_ARCH),ppc)
-     EXTRA_SRCS += gcm-ppc.c
- ifdef USE_64
--    DEFINES += -DNSS_NO_INIT_SUPPORT
-+#    DEFINES += -DNSS_NO_INIT_SUPPORT
-     PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
-     ifeq ($(PPC_ABI),2)
-         ASFILES += sha512-p8.s
-diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
---- ./lib/softoken/Makefile.ppc_no_init	2024-06-03 14:12:44.664979003 -0700
-+++ ./lib/softoken/Makefile	2024-06-03 14:10:26.703473806 -0700
-@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
- ifdef NSS_NO_INIT_SUPPORT
-     DEFINES += -DNSS_NO_INIT_SUPPORT
- endif
--ifeq ($(OS_TARGET),Linux)
--ifeq ($(CPU_ARCH),ppc)
--ifdef USE_64
--    DEFINES += -DNSS_NO_INIT_SUPPORT
--endif # USE_64
--endif # ppc
--endif # Linux
-+#ifeq ($(OS_TARGET),Linux)
-+#ifeq ($(CPU_ARCH),ppc)
-+#ifdef USE_64
-+#    DEFINES += -DNSS_NO_INIT_SUPPORT
-+#endif # USE_64
-+#endif # ppc
-+#endif # Linux
- 
- 
- #######################################################################

SOURCES/nss-disable-dc.patch

@@ -0,0 +1,32 @@
+diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
+--- ./gtests/ssl_gtest/manifest.mn.orig	2021-06-02 15:40:48.677355426 -0700
++++ ./gtests/ssl_gtest/manifest.mn	2021-06-02 15:42:31.248977261 -0700
+@@ -57,7 +57,6 @@ CPPSRCS = \
+       tls_filter.cc \
+       tls_protect.cc \
+       tls_psk_unittest.cc \
+-      tls_subcerts_unittest.cc \
+       tls_ech_unittest.cc \
+       $(SSLKEYLOGFILE_FILES) \
+       $(NULL)
+diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
+--- ./lib/ssl/sslsock.c.orig	2021-05-28 02:50:43.000000000 -0700
++++ ./lib/ssl/sslsock.c	2021-06-02 15:40:48.676355420 -0700
+@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+             break;
+ 
+         case SSL_ENABLE_DELEGATED_CREDENTIALS:
+-            ss->opt.enableDelegatedCredentials = val;
++            /* disable it for now */
+             break;
+ 
+         case SSL_ENABLE_NPN:
+@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
+             break;
+ 
+         case SSL_ENABLE_DELEGATED_CREDENTIALS:
+-            ssl_defaults.enableDelegatedCredentials = val;
++            /* disable it for now */
+             break;
+ 
+         case SSL_ENABLE_NPN:

SOURCES/nss-disable-md5.patch

@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c	2021-04-16 14:43:41.668835607 -0700
++++ b/lib/pk11wrap/pk11pars.c	2021-04-16 14:43:50.585888411 -0700
+@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
+ static const oidValDef hashOptList[] = {
+     /* Hashes */
+     { CIPHER_NAME("MD2"), SEC_OID_MD2,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++      0 },
+     { CIPHER_NAME("MD4"), SEC_OID_MD4,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++      0 },
+     { CIPHER_NAME("MD5"), SEC_OID_MD5,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
++      0 },
+     { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+     { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c	Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c	Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+             int i;
+ 
+             for (i = 1; i < SEC_OID_TOTAL; i++) {
++                switch (i) {
++                case SEC_OID_MD2:
++                case SEC_OID_MD4:
++                case SEC_OID_MD5:
++                case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++                case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++                    continue;
++                default:
++                    break;
++                }
+                 if (oids[i].desc && strstr(arg, oids[i].desc)) {
+                     xOids[i].notPolicyFlags = notEnable |
+                                               (xOids[i].notPolicyFlags & ~(DEF_FLAGS));

SPECS/nss.spec

@@ -1,7 +1,7 @@
-%global nspr_build_version 4.35.0-1
-%global nspr_release -1
-%global nspr_version 4.35.0
-%global nss_version 3.101.0
+%global nspr_build_version 4.34.0-3
+%global nspr_release -3
+%global nspr_version 4.34.0
+%global nss_version 3.79.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          10%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -109,11 +109,6 @@ Source25:         key3.db.xml
 Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
-# fips algorithms are tied to the red hat validation, others
-# will have their own validation
-Source30:         fips_algorithms.h
-
-#Source50:         NameConstraints_Certs.tar
 
 # To inject hardening flags for DSO
 Patch1:           nss-dso-ldflags.patch
@@ -129,82 +124,49 @@ Patch1:           nss-dso-ldflags.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
-
-#
-# RHEL-8 specific patches not in RHEL-9
-#
 # To revert the change in:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=818686
-Patch10:	  nss-sysinit-userdb.patch
+Patch9:		  nss-sysinit-userdb.patch
 # Disable nss-sysinit test which is solely to test the above change
-Patch11:          nss-skip-sysinit-gtests.patch
+Patch10:	  nss-skip-sysinit-gtests.patch
+
 # For compatibility reasons, we stick with the old PKCS #11 2.40
 # definition of CK_GCM_PARAMS:
 %if 0%{?fedora} < 34
 %if 0%{?rhel} < 9
-Patch12:          nss-gcm-param-default-pkcs11v2.patch
+Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 %endif
-# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
-Patch13:          rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
-# is updated.
-Patch14:          nss-3.101-disable-signature-policies.patch
-Patch15:          nss-3.101-el8-fix-rsa-policy-test.patch
-# Local patch: disable tests that require external reference so brew completes
-Patch16:          nss-3.66-disable-external-host-test.patch
-# Local patch: restore old pkcs 12 defaults on old version of rhel
-Patch17:          nss-3.101-el8-restore-old-pkcs12-default.patch
-# Local Patch: restore expired distrusted certs for now
-Patch18:          nss-3.79-revert-distrusted-certs.patch
-# Local Patch: update fipsdefaults to AES
-Patch19:          nss-3.79-pkcs12-fips-defaults.patch
-# Local Patch: curve25519 keys can't be stored in dbm databases,
-# only rhel-8 has dbm databases left, don't try to store
-# curve25519 keys in the dbm database.
-Patch20:          nss-3.101-ec-dbm-test.patch
-# end of RHEL-8 specific patches
-
-# RHEL-specific shared with RHEL-9
-Patch30:          nss-3.101-extend-db-dump-time.patch
 # Local patch: disable MD5 (also MD2 and MD4) completely
 # https://bugzilla.redhat.com/show_bug.cgi?id=1849938
-Patch32:          nss-3.101-disable-md5.patch
-Patch34:          nss-3.71-fix-lto-gtests.patch
-Patch35:          nss-3.71-camellia-pkcs12-doc.patch
-Patch36:          nss-3.101-disable-ech.patch
-
-# patches that expect to be upstreamed
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
-Patch50:          nss-3.79-fips.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
-Patch51:          nss-3.101-fips-review.patches
-Patch52:          nss-3.90-pbkdf2-indicator.patch
-
-# ems policy. needs to upstream
-Patch60:          nss-3.101-add-ems-policy.patch
-Patch70:          nss-3.90-fips-safe-memset.patch
-Patch71:          nss-3.101-fips-indicators.patch
-Patch72:          nss-3.90-aes-gmc-indicator.patch
-Patch73:          nss-3.90-fips-indicators2.patch
-Patch74:          nss-3.90-dh-test-update.patch
-Patch75:          nss-3.90-ppc_no_init.patch
-Patch76:          nss-3.101-enable-kyber-policy.patch
-Patch78:          nss-3.101-fix-pkcs12-md5-decode.patch
-Patch80:          nss-3.101-el8-no-p12-smime-policy.patch
-Patch81:          nss-3.101-fix-missing-size-checks.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
-Patch82:          nss-3.101-chacha-timing-fix.patch
-Patch83:          nss-3.101-add-certificate-compression-test.patch
-Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
-# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
-Patch85:          nss-3.101-fix-cms-abi-break.patch
-Patch86:          nss-3.101-long-pwd-fix.patch
-
-#revert patches
-Patch300:         nss-3.101-default-libpkix.patch
+Patch25:         nss-disable-md5.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch30:          rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Local patch: disable Delegated Credentials
+Patch35:	  nss-disable-dc.patch
+# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
+# is updated.
+Patch40:          nss-3.66-disable-signature-policies.patch
+# Local patch: disable tests that require external reference so brew completes
+Patch45:          nss-3.66-disable-external-host-test.patch
+# Local patch: restore old pkcs 12 defaults on old version of rhel
+Patch50:          nss-3.66-restore-old-pkcs12-default.patch
+# Local Patch: restore expired distrusted certs for now
+Patch51:          nss-3.79-revert-distrusted-certs.patch
+# Local Patch: update fipsdefaults to AES
+Patch52:          nss-3.79-pkcs12-fips-defaults.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
+Patch60:          nss-3.79-dbtool.patch
+Patch61:          nss-3.79-dont-verify-default.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1774654
+Patch63:          nss-3.79-fix-client-cert-crash.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1767883
+Patch64:          nss-3.79-rhel-8-fips-signature-policy.patch
+Patch65:          nss-3.79-enable-POST-rerun.patch
+Patch66:          nss-3.79-increase-pbe-cache.patch
+Patch67:          nss-3.79-pkcs12-fix-null-password.patch
+Patch68:          nss-3.79-fips.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -334,20 +296,9 @@ Header and library files for doing development with Network Security Services.
 %prep
 %autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
-%autopatch -M 299 -p1 
-%patch -P 300 -p1 -R
+%autopatch -p1 
 popd
 
-# copy the fips_algorithms.h for this release
-# this file is release specific and matches what
-# each vendors claim in their own FIPS certification
-cp %{SOURCE30} nss/lib/softoken/
-
-#update expired test certs
-#pushd nss
-#tar xvf %{SOURCE50}
-#popd
-
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
@@ -547,10 +498,6 @@ export USE_64=1
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
-%ifarch i686 ppcle64
-export NSS_DB_DUMP_TIME=10
-%endif
-
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -904,13 +851,11 @@ update-crypto-policies --no-reload &> /dev/null || :
 %{_includedir}/nss3/ciferfam.h
 %{_includedir}/nss3/eccutil.h
 %{_includedir}/nss3/hasht.h
-%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/nssb64.h
 %{_includedir}/nss3/nssb64t.h
-%{_includedir}/nss3/nsshash.h
+%{_includedir}/nss3/nsslocks.h
 %{_includedir}/nss3/nssilock.h
 %{_includedir}/nss3/nssilckt.h
-%{_includedir}/nss3/nsslocks.h
 %{_includedir}/nss3/nssrwlk.h
 %{_includedir}/nss3/nssrwlkt.h
 %{_includedir}/nss3/nssutil.h
@@ -999,63 +944,7 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
-* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
-- fix cms abi breakage
-- fix long password issue on pbmac encodings
-
-* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
-- fix param encoding in pkcs12 pbamac encoding
-- add support for certificate compression in selfserv and tstclient
-
-* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
-- Fix missing and inaccurate key length checks
-- Fix chacha timing issue
-
-* Wed Jul 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
-- Fix MD-5 decode issue in pkcs #12
-- turn off policy processing for pkcs12 and smime
-- update the restore defaults for pkcs12
-
-* Tue Jun 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
-- Rebase to NSS 3.101
-
-* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
-- Allow for shorter ecdsa signatures by padding them to full length
-
-* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
-- Fix ecc DER wrapping.
-
-* Wed Jan 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
-- Pick up validated constant time implementations of p256, p384, and p521
-  from upsream
-- More Fips indicator changes
-
-* Wed Dec 6 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
-- FIPS review changes
--   add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
--   update the indicators for this release
--   allow hashing of longer than int32 values in a single PKCS #11 call.
-
-* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.1
-- Fix expired certs in tests
-- Fix CVE-2023-5388
-
-* Thu Aug 3 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
-- add indicators for pbkdf2
-- add camellia to pkcs12 doc files
-- fix ems policy bug
-- disable ech
-
-* Thu Jul 27 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-2
-- fix the change log
-
-* Thu Jul 27 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
-- rebase to NSS 3.90
-
-* Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
-- Fix CVE-2023-0767
-
-* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
+* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
 - Fix QA found failures:
 -  remove extra '+' from sslpolicy.txt file causing test error values
 -  only use GRND_RANDOM if the kernel is in FIPS mode.