Sync from SUSE:SLFO:Main mozilla-nss revision c93ee6ade8e657336f888002b3b5ab70

2025-07-16 00:56:06 +02:00
26 changed files with 439 additions and 1366 deletions
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1,5 +1,5 @@
 mozilla-nss
-  requires "mozilla-nspr-<targettype> >= 4.35"
+  requires "mozilla-nspr-<targettype> >= 4.36"
  requires "libfreebl3-<targettype>"
  requires "libsoftokn3-<targettype>"
  requires "libnssckbi.so"
@@ -10,7 +10,7 @@ libsoftokn3
  +/usr/lib/libsoftokn3.chk
  +/usr/lib/libnssdbm3.chk
 libfreebl3
-  provides "libfreebl3-hmac-<targettype> = <version>-%release" 
+  provides "libfreebl3-hmac-<targettype> = <version>-%release"
  obsoletes "libfreebl3-hmac-<targettype> < <version>-%release"
  +/lib/libfreebl3.chk
  +/lib/libfreeblpriv3.chk
--- a/bmo-1400603.patch
+++ b/bmo-1400603.patch
@@ -1,337 +0,0 @@
 From b2f3a6407d2d6ec89522410d7ac4c56d310c92b1 Mon Sep 17 00:00:00 2001
 From: Daiki Ueno <dueno@redhat.com>
 Date: Mon, 18 Sep 2017 11:24:00 +0200
 Subject: [PATCH] freebl: Reorganize AES-GCM source code based on hw/sw
 implementation
 diff --git a/lib/freebl/gcm-hw.c b/lib/freebl/gcm-hw.c
 new file mode 100644
 --- /dev/null
 +++ b/lib/freebl/gcm-hw.c
@@ -0,0 +1,151 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifdef FREEBL_NO_DEPEND
 +#include "stubs.h"
 +#endif
 +#include "gcm.h"
 +#include "secerr.h"
 +
 +#ifdef NSS_X86_OR_X64
 +#include <wmmintrin.h> /* clmul */
 +#endif
 +
 +#define WRITE64(x, bytes)   \
 +    (bytes)[0] = (x) >> 56; \
 +    (bytes)[1] = (x) >> 48; \
 +    (bytes)[2] = (x) >> 40; \
 +    (bytes)[3] = (x) >> 32; \
 +    (bytes)[4] = (x) >> 24; \
 +    (bytes)[5] = (x) >> 16; \
 +    (bytes)[6] = (x) >> 8;  \
 +    (bytes)[7] = (x);
 +
 +SECStatus
 +gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf,
 +                 unsigned int maxout)
 +{
 +#ifdef NSS_X86_OR_X64
 +        uint64_t tmp_out[2];
 +        _mm_storeu_si128((__m128i *)tmp_out, ghash->x);
 +        PORT_Assert(maxout >= 16);
 +        WRITE64(tmp_out[0], outbuf + 8);
 +        WRITE64(tmp_out[1], outbuf);
 +        return SECSuccess;
 +#else
 +        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 +        return SECFailure;
 +#endif /* NSS_X86_OR_X64 */
 +}
 +
 +SECStatus
 +gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf,
 +                unsigned int count)
 +{
 +#ifdef NSS_X86_OR_X64
 +    size_t i;
 +    pre_align __m128i z_high post_align;
 +    pre_align __m128i z_low post_align;
 +    pre_align __m128i C post_align;
 +    pre_align __m128i D post_align;
 +    pre_align __m128i E post_align;
 +    pre_align __m128i F post_align;
 +    pre_align __m128i bin post_align;
 +    pre_align __m128i Ci post_align;
 +    pre_align __m128i tmp post_align;
 +
 +    for (i = 0; i < count; i++, buf += 16) {
 +        bin = _mm_set_epi16(((uint16_t)buf[0] << 8) | buf[1],
 +                            ((uint16_t)buf[2] << 8) | buf[3],
 +                            ((uint16_t)buf[4] << 8) | buf[5],
 +                            ((uint16_t)buf[6] << 8) | buf[7],
 +                            ((uint16_t)buf[8] << 8) | buf[9],
 +                            ((uint16_t)buf[10] << 8) | buf[11],
 +                            ((uint16_t)buf[12] << 8) | buf[13],
 +                            ((uint16_t)buf[14] << 8) | buf[15]);
 +        Ci = _mm_xor_si128(bin, ghash->x);
 +
 +        /* Do binary mult ghash->X = Ci * ghash->H. */
 +        C = _mm_clmulepi64_si128(Ci, ghash->h, 0x00);
 +        D = _mm_clmulepi64_si128(Ci, ghash->h, 0x11);
 +        E = _mm_clmulepi64_si128(Ci, ghash->h, 0x01);
 +        F = _mm_clmulepi64_si128(Ci, ghash->h, 0x10);
 +        tmp = _mm_xor_si128(E, F);
 +        z_high = _mm_xor_si128(tmp, _mm_slli_si128(D, 8));
 +        z_high = _mm_unpackhi_epi64(z_high, D);
 +        z_low = _mm_xor_si128(_mm_slli_si128(tmp, 8), C);
 +        z_low = _mm_unpackhi_epi64(_mm_slli_si128(C, 8), z_low);
 +
 +        /* Shift one to the left (multiply by x) as gcm spec is stupid. */
 +        C = _mm_slli_si128(z_low, 8);
 +        E = _mm_srli_epi64(C, 63);
 +        D = _mm_slli_si128(z_high, 8);
 +        F = _mm_srli_epi64(D, 63);
 +        /* Carry over */
 +        C = _mm_srli_si128(z_low, 8);
 +        D = _mm_srli_epi64(C, 63);
 +        z_low = _mm_or_si128(_mm_slli_epi64(z_low, 1), E);
 +        z_high = _mm_or_si128(_mm_or_si128(_mm_slli_epi64(z_high, 1), F), D);
 +
 +        /* Reduce */
 +        C = _mm_slli_si128(z_low, 8);
 +        /* D = z_low << 127 */
 +        D = _mm_slli_epi64(C, 63);
 +        /* E = z_low << 126 */
 +        E = _mm_slli_epi64(C, 62);
 +        /* F = z_low << 121 */
 +        F = _mm_slli_epi64(C, 57);
 +        /* z_low ^= (z_low << 127) ^ (z_low << 126) ^ (z_low << 121); */
 +        z_low = _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(z_low, D), E), F);
 +        C = _mm_srli_si128(z_low, 8);
 +        /* D = z_low >> 1 */
 +        D = _mm_slli_epi64(C, 63);
 +        D = _mm_or_si128(_mm_srli_epi64(z_low, 1), D);
 +        /* E = z_low >> 2 */
 +        E = _mm_slli_epi64(C, 62);
 +        E = _mm_or_si128(_mm_srli_epi64(z_low, 2), E);
 +        /* F = z_low >> 7 */
 +        F = _mm_slli_epi64(C, 57);
 +        F = _mm_or_si128(_mm_srli_epi64(z_low, 7), F);
 +        /* ghash->x ^= z_low ^ (z_low >> 1) ^ (z_low >> 2) ^ (z_low >> 7); */
 +        ghash->x = _mm_xor_si128(_mm_xor_si128(
 +                                     _mm_xor_si128(_mm_xor_si128(z_high, z_low), D), E),
 +                                 F);
 +    }
 +    return SECSuccess;
 +#else
 +    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 +    return SECFailure;
 +#endif /* NSS_X86_OR_X64 */
 +}
 +
 +SECStatus
 +gcm_HashInit_hw(gcmHashContext *ghash)
 +{
 +#ifdef NSS_X86_OR_X64
 +        ghash->ghash_mul = gcm_HashMult_hw;
 +        ghash->x = _mm_setzero_si128();
 +        /* MSVC requires __m64 to load epi64. */
 +        ghash->h = _mm_set_epi32(ghash->h_high >> 32, (uint32_t)ghash->h_high,
 +                                 ghash->h_low >> 32, (uint32_t)ghash->h_low);
 +        ghash->hw = PR_TRUE;
 +        return SECSuccess;
 +#else
 +        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 +        return SECFailure;
 +#endif /* NSS_X86_OR_X64 */
 +}
 +
 +SECStatus
 +gcm_HashZeroX_hw(gcmHashContext *ghash)
 +{
 +#ifdef NSS_X86_OR_X64
 +    ghash->x = _mm_setzero_si128();
 +    return SECSuccess;
 +#else
 +    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 +    return SECFailure;
 +#endif /* NSS_X86_OR_X64 */
 +}
 +
 diff --git a/lib/freebl/rijndael-hw.c b/lib/freebl/rijndael-hw.c
 new file mode 100644
 --- /dev/null
 +++ b/lib/freebl/rijndael-hw.c
@@ -0,0 +1,170 @@
 +/* This Source Code Form is subject to the terms of the Mozilla Public
 + * License, v. 2.0. If a copy of the MPL was not distributed with this
 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 +
 +#ifdef FREEBL_NO_DEPEND
 +#include "stubs.h"
 +#endif
 +#include "rijndael.h"
 +#include "secerr.h"
 +
 +#ifdef NSS_X86_OR_X64
 +#include <wmmintrin.h> /* aes-ni */
 +#endif
 +
 +#if defined(NSS_X86_OR_X64)
 +#define EXPAND_KEY128(k, rcon, res)                   \
 +    tmp_key = _mm_aeskeygenassist_si128(k, rcon);     \
 +    tmp_key = _mm_shuffle_epi32(tmp_key, 0xFF);       \
 +    tmp = _mm_xor_si128(k, _mm_slli_si128(k, 4));     \
 +    tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
 +    tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
 +    res = _mm_xor_si128(tmp, tmp_key)
 +
 +static void
 +native_key_expansion128(AESContext *cx, const unsigned char *key)
 +{
 +    __m128i *keySchedule = cx->keySchedule;
 +    pre_align __m128i tmp_key post_align;
 +    pre_align __m128i tmp post_align;
 +    keySchedule[0] = _mm_loadu_si128((__m128i *)key);
 +    EXPAND_KEY128(keySchedule[0], 0x01, keySchedule[1]);
 +    EXPAND_KEY128(keySchedule[1], 0x02, keySchedule[2]);
 +    EXPAND_KEY128(keySchedule[2], 0x04, keySchedule[3]);
 +    EXPAND_KEY128(keySchedule[3], 0x08, keySchedule[4]);
 +    EXPAND_KEY128(keySchedule[4], 0x10, keySchedule[5]);
 +    EXPAND_KEY128(keySchedule[5], 0x20, keySchedule[6]);
 +    EXPAND_KEY128(keySchedule[6], 0x40, keySchedule[7]);
 +    EXPAND_KEY128(keySchedule[7], 0x80, keySchedule[8]);
 +    EXPAND_KEY128(keySchedule[8], 0x1B, keySchedule[9]);
 +    EXPAND_KEY128(keySchedule[9], 0x36, keySchedule[10]);
 +}
 +
 +#define EXPAND_KEY192_PART1(res, k0, kt, rcon)                                \
 +    tmp2 = _mm_slli_si128(k0, 4);                                             \
 +    tmp1 = _mm_xor_si128(k0, tmp2);                                           \
 +    tmp2 = _mm_slli_si128(tmp2, 4);                                           \
 +    tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
 +    tmp2 = _mm_aeskeygenassist_si128(kt, rcon);                               \
 +    res = _mm_xor_si128(tmp1, _mm_shuffle_epi32(tmp2, 0x55))
 +
 +#define EXPAND_KEY192_PART2(res, k1, k2)             \
 +    tmp2 = _mm_xor_si128(k1, _mm_slli_si128(k1, 4)); \
 +    res = _mm_xor_si128(tmp2, _mm_shuffle_epi32(k2, 0xFF))
 +
 +#define EXPAND_KEY192(k0, res1, res2, res3, carry, rcon1, rcon2)         \
 +    EXPAND_KEY192_PART1(tmp3, k0, res1, rcon1);                          \
 +    EXPAND_KEY192_PART2(carry, res1, tmp3);                              \
 +    res1 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(res1),       \
 +                                           _mm_castsi128_pd(tmp3), 0));  \
 +    res2 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(tmp3),       \
 +                                           _mm_castsi128_pd(carry), 1)); \
 +    EXPAND_KEY192_PART1(res3, tmp3, carry, rcon2)
 +
 +static void
 +native_key_expansion192(AESContext *cx, const unsigned char *key)
 +{
 +    __m128i *keySchedule = cx->keySchedule;
 +    pre_align __m128i tmp1 post_align;
 +    pre_align __m128i tmp2 post_align;
 +    pre_align __m128i tmp3 post_align;
 +    pre_align __m128i carry post_align;
 +    keySchedule[0] = _mm_loadu_si128((__m128i *)key);
 +    keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
 +    EXPAND_KEY192(keySchedule[0], keySchedule[1], keySchedule[2],
 +                  keySchedule[3], carry, 0x1, 0x2);
 +    EXPAND_KEY192_PART2(keySchedule[4], carry, keySchedule[3]);
 +    EXPAND_KEY192(keySchedule[3], keySchedule[4], keySchedule[5],
 +                  keySchedule[6], carry, 0x4, 0x8);
 +    EXPAND_KEY192_PART2(keySchedule[7], carry, keySchedule[6]);
 +    EXPAND_KEY192(keySchedule[6], keySchedule[7], keySchedule[8],
 +                  keySchedule[9], carry, 0x10, 0x20);
 +    EXPAND_KEY192_PART2(keySchedule[10], carry, keySchedule[9]);
 +    EXPAND_KEY192(keySchedule[9], keySchedule[10], keySchedule[11],
 +                  keySchedule[12], carry, 0x40, 0x80);
 +}
 +
 +#define EXPAND_KEY256_PART(res, rconx, k1x, k2x, X)                           \
 +    tmp_key = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(k2x, rconx), X);    \
 +    tmp2 = _mm_slli_si128(k1x, 4);                                            \
 +    tmp1 = _mm_xor_si128(k1x, tmp2);                                          \
 +    tmp2 = _mm_slli_si128(tmp2, 4);                                           \
 +    tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
 +    res = _mm_xor_si128(tmp1, tmp_key);
 +
 +#define EXPAND_KEY256(res1, res2, k1, k2, rcon)   \
 +    EXPAND_KEY256_PART(res1, rcon, k1, k2, 0xFF); \
 +    EXPAND_KEY256_PART(res2, 0x00, k2, res1, 0xAA)
 +
 +static void
 +native_key_expansion256(AESContext *cx, const unsigned char *key)
 +{
 +    __m128i *keySchedule = cx->keySchedule;
 +    pre_align __m128i tmp_key post_align;
 +    pre_align __m128i tmp1 post_align;
 +    pre_align __m128i tmp2 post_align;
 +    keySchedule[0] = _mm_loadu_si128((__m128i *)key);
 +    keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
 +    EXPAND_KEY256(keySchedule[2], keySchedule[3], keySchedule[0],
 +                  keySchedule[1], 0x01);
 +    EXPAND_KEY256(keySchedule[4], keySchedule[5], keySchedule[2],
 +                  keySchedule[3], 0x02);
 +    EXPAND_KEY256(keySchedule[6], keySchedule[7], keySchedule[4],
 +                  keySchedule[5], 0x04);
 +    EXPAND_KEY256(keySchedule[8], keySchedule[9], keySchedule[6],
 +                  keySchedule[7], 0x08);
 +    EXPAND_KEY256(keySchedule[10], keySchedule[11], keySchedule[8],
 +                  keySchedule[9], 0x10);
 +    EXPAND_KEY256(keySchedule[12], keySchedule[13], keySchedule[10],
 +                  keySchedule[11], 0x20);
 +    EXPAND_KEY256_PART(keySchedule[14], 0x40, keySchedule[12],
 +                       keySchedule[13], 0xFF);
 +}
 +
 +#endif /* NSS_X86_OR_X64 */
 +
 +/*
 + * AES key expansion using aes-ni instructions.
 + */
 +void
 +rijndael_native_key_expansion(AESContext *cx, const unsigned char *key,
 +                              unsigned int Nk)
 +{
 +#ifdef NSS_X86_OR_X64
 +    switch (Nk) {
 +        case 4:
 +            native_key_expansion128(cx, key);
 +            return;
 +        case 6:
 +            native_key_expansion192(cx, key);
 +            return;
 +        case 8:
 +            native_key_expansion256(cx, key);
 +            return;
 +        default:
 +            /* This shouldn't happen. */
 +            PORT_Assert(0);
 +    }
 +#else
 +    PORT_Assert(0);
 +#endif /* NSS_X86_OR_X64 */
 +}
 +
 +void
 +rijndael_native_encryptBlock(AESContext *cx,
 +                             unsigned char *output,
 +                             const unsigned char *input)
 +{
 +#ifdef NSS_X86_OR_X64
 +    int i;
 +    pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input);
 +    m = _mm_xor_si128(m, cx->keySchedule[0]);
 +    for (i = 1; i < cx->Nr; ++i) {
 +        m = _mm_aesenc_si128(m, cx->keySchedule[i]);
 +    }
 +    m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]);
 +    _mm_storeu_si128((__m128i *)output, m);
 +#else
 +    PORT_Assert(0);
 +#endif /* NSS_X86_OR_X64 */
 +}
--- a/bmo1962556.patch
+++ b/bmo1962556.patch
@@ -0,0 +1,29 @@
 commit ae5fe2c5652185fe58f9a7bb97486388f84ad5f9
 Author: Dennis Jackson <djackson@mozilla.com>
 Date:   Tue Apr 29 08:07:21 2025 +0000
    Bug 1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp. r=nss-reviewers,jschanck
    Differential Revision: https://phabricator.services.mozilla.com/D246682
 NOTE(Martin Sirringhaus): We get a different error code in OBS:
 PR_DIRECTORY_LOOKUP_ERROR                (-5973L)
 instead of
 PR_CONNECT_RESET_ERROR                   (-5961L)
 so I modified the upstreamed patch to grep for both
 Index: nss/tests/ssl/ssl.sh
 ===================================================================
 --- nss.orig/tests/ssl/ssl.sh
 +++ nss/tests/ssl/ssl.sh
@@ -982,8 +982,8 @@ ssl_policy_pkix_ocsp()
   echo " vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out"
   vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} 2>&1 | tee ${P_R_SERVERDIR}/vfy.out
   # make sure we have the domain mismatch, not bad signature error
 -  echo "grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out"
 -  grep -E '12276|5961' ${P_R_SERVERDIR}/vfy.out
 +  echo "grep -E '12276|5961|5973' ${P_R_SERVERDIR}/vfy.out"
 +  grep -E '12276|5961|5973' ${P_R_SERVERDIR}/vfy.out
   RET=$?
   html_msg $RET $RET_EXP "${testname}" \
            "produced a returncode of $RET, expected is $RET_EXP"
--- a/malloc.patch
+++ b/malloc.patch
@@ -2,7 +2,7 @@ Index: nss/tests/ssl/ssl.sh
 ===================================================================
 --- nss.orig/tests/ssl/ssl.sh
 +++ nss/tests/ssl/ssl.sh
-@@ -1696,6 +1696,7 @@ ssl_run_tests()
+@@ -1661,6 +1661,7 @@ ssl_run_tests()
 ################################# main #################################
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,3 +1,273 @@
 -------------------------------------------------------------------
 Mon May 26 12:08:54 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
 - update to NSS 3.112
   * bmo#1963792 - Fix alias for mac workers on try
   * bmo#1966786 - ensure all options can be configured with SSL_OptionSet and SSL_OptionSetDefault
   * bmo#1931930 - ABI/API break in ssl certificate processing
   * bmo#1955971 - remove unnecessary assertion in sec_asn1d_init_state_based_on_template
   * bmo#1965754 - update taskgraph to v14.2.1
   * bmo#1964358 - Workflow for automation of the release on GitHub when pushing a tag
   * bmo#1952860 - fix faulty assertions in SEC_ASN1DecoderUpdate
   * bmo#1934877 - Renegotiations should use a fresh ECH GREASE buffer
   * bmo#1951396 - update taskgraph to v14.1.1
   * bmo#1962503 - Partial fix for ACVP build CI job
   * bmo#1961827 - Initialize find in sftk_searchDatabase
   * bmo#1963121 - Add clang-18 to extra builds
   * bmo#1963044 - Fault tolerant git fetch for fuzzing
   * bmo#1962556 - Tolerate intermittent failures in ssl_policy_pkix_ocsp
   * bmo#1962770 - fix compiler warnings when DEBUG_ASN1D_STATES or CMSDEBUG are set
   * bmo#1961835 - fix content type tag check in NSS_CMSMessage_ContainsCertsOrCrls
   * bmo#1963102 - Remove Cryptofuzz CI version check
 -------------------------------------------------------------------
 Wed May 21 13:59:29 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
 - update to NSS 3.111
  * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
  * bmo#1957685 - Turn off Websites Trust Bit from CAs
  * bmo#1937338 - Update nssckbi version following April 2025 Batch of Changes
  * bmo#1943135 - Disable SMIME ‘trust bit’ for GoDaddy CAs
  * bmo#1874383 - Replaced deprecated sprintf function with snprintf in dbtool.c
  * bmo#1954612 - Need up update NSS for PKCS 3.1
  * bmo#1773374 - avoid leaking localCert if it is already set in ssl3_FillInCachedSID
  * bmo#1953097 - Decrease ASAN quarantine size for Cryptofuzz in CI
  * bmo#1943962 - selfserv: Add support for zlib certificate compression
 -------------------------------------------------------------------
 Wed May 14 08:22:14 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
 - update to NSS 3.110
  * bmo#1930806 - FIPS changes need to be upstreamed: force ems policy
  * bmo#1954724 - Prevent excess allocations in sslBuffer_Grow
  * bmo#1953429 - Remove Crl templates from ASN1 fuzz target
  * bmo#1953429 - Remove CERT_CrlTemplate from ASN1 fuzz target
  * bmo#1952855 - Fix memory leak in NSS_CMSMessage_IsSigned
  * bmo#1930807 - NSS policy updates
  * bmo#1951161 - Improve locking in nssPKIObject_GetInstances
  * bmo#1951394 - Fix race in sdb_GetMetaData
  * bmo#1951800 - Fix member access within null pointer
  * bmo#1950077 - Increase smime fuzzer memory limit
  * bmo#1949677 - Enable resumption when using custom extensions
  * bmo#1952568 - change CN of server12 test certificate
  * bmo#1949118 - Part 2: Add missing check in
                  NSS_CMSDigestContext_FinishSingle
  * bmo#1949118 - Part 1: Fix smime UBSan errors
  * bmo#1930806 - FIPS changes need to be upstreamed: updated key checks
  * bmo#1951491 - Don't build libpkix in static builds
  * bmo#1951395 - handle `-p all` in try syntax
  * bmo#1951346 - fix opt-make builds to actually be opt
  * bmo#1951346 - fix opt-static builds to actually be opt
  * bmo#1916439 - Remove extraneous assert
 - Removed upstreamed nss-fips-stricter-dh.patch
 - Removed upstreamed nss-reproducible-chksums.patch
 - Added bmo1962556.patch to fix test failures
 - Rebased nss-fips-approved-crypto-non-ec.patch nss-fips-combined-hash-sign-dsa-ecdsa.patch
 - update to NSS 3.109
  * bmo#1939512 - Call BL_Init before RNG_RNGInit() so that special
                  SHA instructions can be used if available
  * bmo#1930807 - NSS policy updates - fix inaccurate key policy issues
  * bmo#1945883 - SMIME fuzz target
  * bmo#1914256 - ASN1 decoder fuzz target
  * bmo#1936001 - Part 2: Revert “Extract testcases from ssl gtests
                  for fuzzing”
  * bmo#1915155 - Add fuzz/README.md
  * bmo#1936001 - Part 4: Fix tstclnt arguments script
  * bmo#1944545 - Extend pkcs7 fuzz target
  * bmo#1912320 - Extend certDN fuzz target
  * bmo#1944300 - revert changes to HACL* files from bug 1866841
  * bmo#1936001 - Part 3: Package frida corpus script
 - update to NSS 3.108
  * bmo#1923285 - libclang-16 -> libclang-19
  * bmo#1939086 - Turn off Secure Email Trust Bit for Security
                  Communication ECC RootCA1
  * bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
                  CA1 and BJCA Global Root CA2
  * bmo#1915902 - Remove SwissSign Silver CA – G2
  * bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
  * bmo#1942301 - fix fips test failure on windows
  * bmo#1935925 - change default sensitivity of KEM keys
  * bmo#1936001 - Part 1: Introduce frida hooks and script
  * bmo#1942350 - add missing arm_neon.h include to gcm.c
  * bmo#1831552 - ci: update windows workers to win2022
  * bmo#1831552 - strip trailing carriage returns in tools tests
  * bmo#1880256 - work around unix/windows path translation issues
                  in cert test script
  * bmo#1831552 - ci: let the windows setup script work without $m
  * bmo#1880255 - detect msys
  * bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
  * bmo#1930807 - NSS policy updates
  * bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
  * bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
  * bmo#1930806 - FIPS changes need to be upstreamed - updated POST
  * bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
  * bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
  * bmo#1935984 - Ensure zero-initialization of collectArgs.cert
  * bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
  * bmo#1915898 - Fix actual underlying ODR violations issue
  * bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
                  and/or end with hyphens
  * bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
                  NSS_DISABLE_DBM is set
  * bmo#1934526 - Fix memory leak in pkcs7 fuzz target
  * bmo#1934529 - Set -O2 for ASan builds in CI
  * bmo#1934543 - Change branch of tlsfuzzer dependency
  * bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
  * bmo#1934241 - Fix coverage failure in CI
  * bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
                  header and Tls13BackendEch
  * bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
                  SSL_SetDtls13VersionWorkaround
  * bmo#1913677 - Part 3: Restructure fuzz/
  * bmo#1931925 - Extract testcases from ssl gtests for fuzzing
  * bmo#1923037 - Force Cryptofuzz to use NSS in CI
  * bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
  * bmo#1933154 - Update Cryptofuzz repository link
  * bmo#1926256 - fix build error from 9505f79d
  * bmo#1926256 - simplify error handling in get_token_objects_for_cache
  * bmo#1931973 - nss doc: fix a warning
  * bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
 - remove obsolete patches
  * nss-fips-safe-memset.patch
  * nss-bmo1930797.patch
 - update to NSS 3.107
  * bmo#1923038 - Remove MPI fuzz targets.
  * bmo#1925512 - Remove globals `lockStatus` and `locksEverDisabled`.
  * bmo#1919015 - Enable PKCS8 fuzz target.
  * bmo#1923037 - Integrate Cryptofuzz in CI.
  * bmo#1913677 - Part 2: Set tls server target socket options in config class
  * bmo#1913677 - Part 1: Set tls client target socket options in config class
  * bmo#1913680 - Support building with thread sanitizer.
  * bmo#1922392 - set nssckbi version number to 2.72.
  * bmo#1919913 - remove Websites Trust Bit from Entrust Root
                  Certification Authority - G4.
  * bmo#1920641 - remove Security Communication RootCA3 root cert.
  * bmo#1918559 - remove SecureSign RootCA11 root cert.
  * bmo#1922387 - Add distrust-after for TLS to Entrust Roots.
  * bmo#1927096 - update expected error code in pk12util pbmac1 tests.
  * bmo#1929041 - Use random tstclnt args with handshake collection script
  * bmo#1920466 - Remove extraneous assert in ssl3gthr.c.
  * bmo#1928402 - Adding missing release notes for NSS_3_105.
  * bmo#1874451 - Enable the disabled mlkem tests for dtls.
  * bmo#1874451 - NSS gtests filter cleans up the constucted buffer
                  before the use.
  * bmo#1925505 - Make ssl_SetDefaultsFromEnvironment thread-safe.
  * bmo#1925503 - Remove short circuit test from ssl_Init.
 - fix build on loongarch64 (setting it as 64bit arch)
 - Remove upstreamed bmo-1400603.patch
 - Added nss-bmo1930797.patch to fix failing tests in testsuite
 - update to NSS 3.106
  * bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
  * bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
  * bmo#1899402 - Correctly destroy bulkkey in error scenario.
  * bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
  * bmo#1923002 - Extract certificates with handshake collection script.
  * bmo#1923006 - Specify len_control for fuzz targets.
  * bmo#1923280 - Fix memory leak in dumpCertificatePEM.
  * bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
                  SECU_PrintCertificateBasicInfo.
  * bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
  * bmo#1921768 - allow null phKey in NSC_DeriveKey.
  * bmo#1921801 - Only create seed corpus zip from existing corpus.
  * bmo#1826035 - Use explicit allowlist for for KDF PRFS.
  * bmo#1920138 - Increase optimization level for fuzz builds.
  * bmo#1920470 - Remove incorrect assert.
  * bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
  * bmo#1920945 - Polish corpus collection for automation.
  * bmo#1917572 - Detect new and unfuzzed SSL options.
  * bmo#1804646 - PKCS12 fuzzing target.
 - requires NSPR 4.36
 - update to NSS 3.105
  * bmo#1915792 - Allow importing PKCS#8 private EC keys missing public key
  * bmo#1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c
  * bmo#1919577 - set KRML_MUSTINLINE=inline in makefile builds
  * bmo#1918965 - Don't set CKA_SIGN for CKK_EC_MONTGOMERY private keys
  * bmo#1918767 - override default definition of KRML_MUSTINLINE
  * bmo#1916525 - libssl support for mlkem768x25519
  * bmo#1916524 - support for ML-KEM-768 in softoken and pk11wrap
  * bmo#1866841 - Add Libcrux implementation of ML-KEM 768 to FreeBL
  * bmo#1911912 - Avoid misuse of ctype(3) functions
  * bmo#1917311 - part 2: run clang-format
  * bmo#1917311 - part 1: upgrade to clang-format 13
  * bmo#1916953 - clang-format fuzz
  * bmo#1910370 - DTLS client message buffer may not empty be on retransmit
  * bmo#1916413 - Optionally print config for TLS client and server
                  fuzz target
  * bmo#1916059 - Fix some simple documentation issues in NSS.
  * bmo#1915439 - improve performance of NSC_FindObjectsInit when
                  template has CKA_TOKEN attr
  * bmo#1912828 - define CKM_NSS_ECDHE_NO_PAIRWISE_CHECK_KEY_PAIR_GEN
 - Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
 - update to NSS 3.104
  * bmo#1910071 - Copy original corpus to heap-allocated buffer
  * bmo#1910079 - Fix min ssl version for DTLS client fuzzer
  * bmo#1908990 - Remove OS2 support just like we did on NSPR
  * bmo#1910605 - clang-format NSS improvements
  * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
  * bmo#1908990 - removing dirent.c from build
  * bmo#1902078 - Allow handing in keymaterial to shlibsign to make
                  the output reproducible
  * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
  * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
                  openunix, sco, unixware or reliantUnix
  * bmo#1908990 - remove mentions of WIN95
  * bmo#1908990 - remove mentions of WIN16
  * bmo#1913750 - More explicit directory naming
  * bmo#1913755 - Add more options to TLS server fuzz target
  * bmo#1913675 - Add more options to TLS client fuzz target
  * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
  * bmo#1908012 - set nssckbi version number to 2.70.
  * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
  * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
  * bmo#1908006 - Add Cybertrust Japan Roots to NSS.
  * bmo#1908004 - Add Taiwan CA Roots to NSS.
  * bmo#1911354 - remove search by decoded serial in
                  nssToken_FindCertificateByIssuerAndSerialNumber
  * bmo#1913132 - Fix tstclnt CI build failure
  * bmo#1913047 - vfyserv: ensure peer cert chain is in db for
                  CERT_VerifyCertificateNow
  * bmo#1912427 - Enable all supported protocol versions for UDP
  * bmo#1910361 - Actually use random PSK hash type
  * bmo#1911576 - Initialize NSS DB once
  * bmo#1910361 - Additional ECH cipher suites and PSK hash types
  * bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
  * bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
  * bmo#1910605 - clang-format shlibsign.c
 - remove obsolete nss-reproducible-builds.patch
 - update to NSS 3.103
  * bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
  * bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
  * bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
  * bmo#1903783 - Adjust libFuzzer size limits
  * bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
                  SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
  * bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
                  SSL_ENABLE_CH_EXTENSION_PERMUTATION
 - Add nss-reproducible-builds.patch to make the rpms reproducible,
  by using a hardcoded, static key to generate the checksums (*.chk-files)
 - Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
 - update to NSS 3.102.1
  * bmo#1905691 - ChaChaXor to return after the function
 - update to NSS 3.102
  * bmo#1880351 - Add Valgrind annotations to freebl Chacha20-Poly1305.
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling.
  * bmo#1660676 - correct length of raw SPKI data before printing in pp utility.
 -------------------------------------------------------------------
 Mon Mar 10 07:43:37 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@@ -1,8 +1,8 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
-# Copyright (c) 2006-2024 Wolfgang Rosenauer
+# Copyright (c) 2006-2025 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,14 +17,14 @@
 #
-%global nss_softokn_fips_version 3.101.2
+%global nss_softokn_fips_version 3.112
-%define NSPR_min_version 4.35
+%define NSPR_min_version 4.36
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.101.2
+Version:        3.112
 Release:        0
-%define underscore_version 3_101_2
+%define underscore_version 3_112
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -49,7 +49,7 @@ Patch2:         system-nspr.patch
 Patch3:         nss-no-rpath.patch
 Patch4:         add-relro-linker-option.patch
 Patch5:         malloc.patch
-Patch6:         bmo-1400603.patch
+Patch6:         bmo1962556.patch
 Patch7:         nss-sqlitename.patch
 Patch9:         nss-fips-use-getrandom.patch
 Patch10:        nss-fips-dsa-kat.patch
@@ -70,7 +70,6 @@ Patch25:        nss-fips-detect-fips-mode-fixes.patch
 Patch26:        nss-fips-combined-hash-sign-dsa-ecdsa.patch
 Patch27:        nss-fips-aes-keywrap-post.patch
 Patch37:        nss-fips-fix-missing-nspr.patch
 Patch38:        nss-fips-stricter-dh.patch
 Patch40:        nss-fips-180-3-csp-clearing.patch
 Patch41:        nss-fips-pbkdf-kat-compliance.patch
 Patch44:        nss-fips-tests-enable-fips.patch
@@ -81,8 +80,6 @@ Patch48:        nss-fips-test.patch
 Patch49:        nss-allow-slow-tests-s390x.patch
 Patch50:        nss-fips-bsc1223724.patch
 Patch51:        nss-fips-aes-gcm-restrict.patch
 Patch52:        nss-fips-safe-memset.patch
 Patch53:        nss-reproducible-chksums.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@@ -99,6 +96,9 @@ BuildRequires:  jitterentropy-devel
 Requires(pre):  libjitterentropy3
 Requires:       libjitterentropy3
 %endif
 %if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
 Requires:       crypto-policies >= %{crypto_policies_version}
 %endif
 Requires:       libfreebl3 >= %{nss_softokn_fips_version}
 Requires:       libsoftokn3 >= %{nss_softokn_fips_version}
 Requires:       mozilla-nspr >= %{NSPR_min_version}
@@ -229,7 +229,6 @@ cd nss
 %patch -P 26 -p1
 %patch -P 27 -p1
 %patch -P 37 -p1
 %patch -P 38 -p1
 %patch -P 40 -p1
 %patch -P 41 -p1
 %patch -P 44 -p1
@@ -246,11 +245,6 @@ cd nss
 %endif
 %patch -P 50 -p1
 %patch -P 51 -p1
 %if 0%{?sle_version} >= 150000
 # glibc on SLE-12 is too old and doesn't have explicit_bzero yet. 
 %patch -P 52 -p1
 %endif
 %patch -P 53 -p1
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
@@ -281,7 +275,7 @@ export NSPR_INCLUDE_DIR=`nspr-config --includedir`
 export NSPR_LIB_DIR=`nspr-config --libdir`
 export OPT_FLAGS="%{optflags} -fno-strict-aliasing -fPIE -pie"
 export LIBDIR=%{_libdir}
-%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 riscv64
+%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 riscv64 loongarch64
 export USE_64=1
 %endif
 export NSS_DISABLE_GTESTS=1
--- a/nss-3.101.2.tar.gz
+++ b/nss-3.101.2.tar.gz
--- a/nss-3.112.tar.gz
+++ b/nss-3.112.tar.gz
--- a/nss-fips-aes-gcm-restrict.patch
+++ b/nss-fips-aes-gcm-restrict.patch
@@ -2,7 +2,7 @@ Index: nss/lib/softoken/sftkmessage.c
 ===================================================================
 --- nss.orig/lib/softoken/sftkmessage.c
 +++ nss/lib/softoken/sftkmessage.c
-@@ -151,6 +151,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
+@@ -183,6 +183,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
     if (crv != CKR_OK)
         return crv;
--- a/nss-fips-aes-keywrap-post.patch
+++ b/nss-fips-aes-keywrap-post.patch
@@ -57,11 +57,11 @@ Index: nss/lib/freebl/fipsfreebl.c
 +    };
 +
     const PRUint8 *aes_ecb_known_ciphertext =
-         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext;
+         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext
- 
+                                                                                                                         : aes_ecb256_known_ciphertext;
-@@ -374,11 +399,15 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
+@@ -378,11 +403,15 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
-     const PRUint8 *aes_cmac_known_ciphertext =
+         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext
-         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext;
+                                                                                                                          : aes_cmac256_known_ciphertext;
 +    const PRUint8 *aes_keywrap_known_ciphertext =
 +        (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : aes_kw256_known_ciphertext;
@@ -75,7 +75,7 @@ Index: nss/lib/freebl/fipsfreebl.c
     unsigned int aes_bytes_encrypted;
     unsigned int aes_bytes_decrypted;
     CK_NSS_GCM_PARAMS gcmParams;
-@@ -604,6 +633,52 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
+@@ -608,6 +637,52 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return (SECFailure);
     }
--- a/nss-fips-approved-crypto-non-ec.patch
+++ b/nss-fips-approved-crypto-non-ec.patch
@@ -349,9 +349,9 @@ Index: nss/lib/freebl/rawhash.c
 #include "secerr.h"
 +#include "fips.h"
- static void *
+ #define RawHashBase(ctxtype, mmm)                                                        \
- null_hash_new_context(void)
+     static void *                                                                        \
-@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[]
+@@ -236,7 +237,11 @@ const SECHashObject SECRawHashObjects[]
 const SECHashObject *
 HASH_GetRawHashObject(HASH_HashType hashType)
 {
@@ -368,7 +368,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -452,7 +452,7 @@ sftk_InitGeneric(SFTKSession *session, C
+@@ -539,7 +539,7 @@ sftk_InitGeneric(SFTKSession *session, C
     context->blockSize = 0;
     context->maxLen = 0;
     context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
@@ -377,7 +377,7 @@ Index: nss/lib/softoken/pkcs11c.c
     *contextPtr = context;
     return CKR_OK;
 }
-@@ -4877,6 +4877,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+@@ -4990,6 +4990,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
         goto loser;
     }
@@ -388,7 +388,7 @@ Index: nss/lib/softoken/pkcs11c.c
     /*
      * handle the base object stuff
      */
-@@ -4891,6 +4895,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+@@ -5004,6 +5008,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
     if (crv == CKR_OK) {
         *phKey = key->handle;
     }
@@ -396,7 +396,7 @@ Index: nss/lib/softoken/pkcs11c.c
 loser:
     PORT_Memset(buf, 0, sizeof buf);
     sftk_FreeObject(key);
-@@ -5318,7 +5323,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5475,7 +5480,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
     CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
     int i;
     SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
@@ -405,7 +405,7 @@ Index: nss/lib/softoken/pkcs11c.c
     /* RSA */
     int public_modulus_bits = 0;
-@@ -5921,11 +5926,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -6081,11 +6086,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
      * created and linked.
      */
     crv = sftk_handleObject(publicKey, session);
@@ -418,27 +418,28 @@ Index: nss/lib/softoken/pkcs11c.c
         return crv;
     }
     if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
-@@ -5969,13 +5974,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -6129,12 +6134,20 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
         sftk_FreeObject(publicKey);
         NSC_DestroyObject(hSession, privateKey->handle);
         sftk_FreeObject(privateKey);
 +        sftk_FreeSession(session);
         return crv;
     }
- 
+
 +    publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, 0);
 +    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, 0);
 +    session->lastOpWasFIPS = privateKey->isFIPS;
-+
+    
     *phPrivateKey = privateKey->handle;
     *phPublicKey = publicKey->handle;
     sftk_FreeObject(publicKey);
     sftk_FreeObject(privateKey);
 +    sftk_FreeSession(session);
 +
     return CKR_OK;
 }
-@@ -7167,6 +7178,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+@@ -7326,6 +7339,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
         return CKR_TEMPLATE_INCONSISTENT;
     }
@@ -453,7 +454,7 @@ Index: nss/lib/softoken/pkcs11c.c
     /* sourceKey is NULL if we are called from the POST, skip the
      * sensitiveCheck */
     if (sourceKey != NULL) {
-@@ -7215,7 +7234,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+@@ -7374,7 +7395,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
                     mech.pParameter = params;
                     mech.ulParameterLen = sizeof(*params);
                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
@@ -463,7 +464,7 @@ Index: nss/lib/softoken/pkcs11c.c
                 }
                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
                 if (saltKey_att == NULL) {
-@@ -7257,7 +7277,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+@@ -7416,7 +7438,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
     /* HKDF-Expand */
     if (!params->bExpand) {
         okm = prk;
@@ -472,7 +473,7 @@ Index: nss/lib/softoken/pkcs11c.c
     } else {
         /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
          * T(n) = HMAC-Hash(prk, T(n-1) | info | n
-@@ -7480,7 +7500,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7640,7 +7662,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             return CKR_KEY_HANDLE_INVALID;
         }
     }
@@ -482,7 +483,7 @@ Index: nss/lib/softoken/pkcs11c.c
     switch (mechanism) {
         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
-@@ -7681,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7841,7 +7864,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             } else {
                 /* now allocate the hash contexts */
                 md5 = MD5_NewContext();
@@ -491,7 +492,7 @@ Index: nss/lib/softoken/pkcs11c.c
                     PORT_Memset(crsrdata, 0, sizeof crsrdata);
                     crv = CKR_HOST_MEMORY;
                     break;
-@@ -8070,6 +8091,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -8230,6 +8253,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                 PORT_Assert(i <= sizeof key_block);
             }
@@ -833,7 +834,7 @@ Index: nss/lib/softoken/pkcs11u.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11u.c
 +++ nss/lib/softoken/pkcs11u.c
-@@ -2248,6 +2248,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
+@@ -2251,6 +2251,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
         case CKA_NSS_MESSAGE | CKA_VERIFY:
             flags = CKF_MESSAGE_VERIFY;
             break;
@@ -846,7 +847,7 @@ Index: nss/lib/softoken/pkcs11u.c
         default:
             break;
     }
-@@ -2324,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
+@@ -2327,7 +2333,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
 static int
 sftk_getKeyLength(SFTKObject *source)
 {
@@ -855,7 +856,7 @@ Index: nss/lib/softoken/pkcs11u.c
     CK_ATTRIBUTE_TYPE keyAttribute;
     CK_ULONG keyLength = 0;
     SFTKAttribute *attribute;
-@@ -2344,7 +2350,7 @@ sftk_getKeyLength(SFTKObject *source)
+@@ -2347,7 +2353,7 @@ sftk_getKeyLength(SFTKObject *source)
          * key length is CKA_VALUE, which is the default */
         keyType = CKK_INVALID_KEY_TYPE;
     }
@@ -864,7 +865,7 @@ Index: nss/lib/softoken/pkcs11u.c
         SECOidTag curve = sftk_quickGetECCCurveOid(source);
         switch (curve) {
             case SEC_OID_CURVE25519:
-@@ -2386,14 +2392,53 @@ sftk_getKeyLength(SFTKObject *source)
+@@ -2389,14 +2395,55 @@ sftk_getKeyLength(SFTKObject *source)
     return keyLength;
 }
@@ -874,6 +875,8 @@ Index: nss/lib/softoken/pkcs11u.c
 +    switch (hash) {
 +        case CKM_AES_CMAC:
 +            return allowCMAC;
 +        case CKM_SHA_1:
 +        case CKM_SHA_1_HMAC:
 +        case CKM_SHA224:
 +        case CKM_SHA224_HMAC:
 +            return allowSmall;
@@ -919,7 +922,7 @@ Index: nss/lib/softoken/pkcs11u.c
     switch (mechInfo->special) {
         case SFTKFIPSDH: {
             SECItem dhPrime;
-@@ -2409,10 +2454,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+@@ -2425,10 +2472,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
         }
         case SFTKFIPSNone:
             return PR_FALSE;
@@ -942,14 +945,13 @@ Index: nss/lib/softoken/pkcs11u.c
 +            }
 +
             /* we've already handled the curve selection in the 'getlength'
-          * function */
+              * function */
 +             * function */
             return PR_TRUE;
 +        }
         case SFTKFIPSAEAD: {
             if (mech->ulParameterLen == 0) {
                 /* AEAD ciphers are only in FIPS mode if we are using the
-@@ -2440,11 +2502,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+@@ -2456,11 +2520,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
             if (hashObj == NULL) {
                 return PR_FALSE;
             }
@@ -994,7 +996,7 @@ Index: nss/lib/softoken/pkcs11u.c
         default:
             break;
     }
-@@ -2455,7 +2550,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+@@ -2471,7 +2568,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
 PRBool
 sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
@@ -1003,7 +1005,7 @@ Index: nss/lib/softoken/pkcs11u.c
 {
 #ifndef NSS_HAS_FIPS_INDICATORS
     return PR_FALSE;
-@@ -2468,18 +2563,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
+@@ -2484,18 +2581,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
     if (!sftk_isFIPS(slot->slotID)) {
         return PR_FALSE;
     }
@@ -1043,7 +1045,7 @@ Index: nss/lib/softoken/pkcs11u.c
     keyLength = sftk_getKeyLength(source);
     /* check against our algorithm array */
-@@ -2487,13 +2599,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
+@@ -2503,13 +2617,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
         SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
         /* if we match the number of records exactly, then we are an
          * approved algorithm in the approved mode with an approved key */
@@ -1081,7 +1083,7 @@ Index: nss/lib/softoken/pkcs11.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11.c
 +++ nss/lib/softoken/pkcs11.c
-@@ -573,17 +573,17 @@ static const struct mechanismList mechan
+@@ -575,17 +575,17 @@ static const struct mechanismList mechan
     { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
     { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
     { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,
--- a/nss-fips-bsc1223724.patch
+++ b/nss-fips-bsc1223724.patch
@@ -2,7 +2,7 @@ Index: nss/lib/pk11wrap/pk11skey.c
 ===================================================================
 --- nss.orig/lib/pk11wrap/pk11skey.c
 +++ nss/lib/pk11wrap/pk11skey.c
-@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
+@@ -521,6 +521,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
     CK_OBJECT_HANDLE handle;
     PK11GenericObject *genObject;
--- a/nss-fips-cavs-dsa-fixes.patch
+++ b/nss-fips-cavs-dsa-fixes.patch
@@ -20,9 +20,9 @@ Index: nss/cmd/fipstest/fipstest.c
 {
 -    char buf[800]; /* holds one line from the input REQUEST file
 +    char buf[2048]; /* holds one line from the input REQUEST file
-                          * or to the output RESPONSE file.
+                     * or to the output RESPONSE file.
-                          * 800 to hold seed = (384 public key (x2 for HEX)
+                     * 800 to hold seed = (384 public key (x2 for HEX)
-                          */
+                     */
@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
     PQGVerify *vfy = NULL;
     unsigned int keySizeIndex = 0;
--- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch
+++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch
@@ -68,16 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2849,6 +2849,38 @@ nsc_EDDSASignStub(void *ctx, unsigned ch
 static SECStatus
 nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
 {
     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     return rv;
 }
@@ -97,22 +88,6 @@ Index: nss/lib/softoken/pkcs11c.c
 +    return rv;
 +}
 +
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
 static SECStatus
 nsc_ECDSASignStub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
 {
     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
     return rv;
 }
 +SECStatus
 +ECDSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key,
 +               unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
@@ -132,8 +107,8 @@ Index: nss/lib/softoken/pkcs11c.c
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3756,6 +3788,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
-         info->hashOid = SEC_OID_##mmm;                    \
+         info->hashOid = SEC_OID_##mmm;        \
         goto finish_rsa;
 +#define INIT_DSA_VFY_MECH(mmm)                            \
@@ -155,7 +130,7 @@ Index: nss/lib/softoken/pkcs11c.c
     switch (pMechanism->mechanism) {
         INIT_RSA_VFY_MECH(MD5)
         INIT_RSA_VFY_MECH(MD2)
-@@ -4904,6 +4952,73 @@ loser:
+@@ -5018,6 +5066,73 @@ loser:
 #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
 #define PAIRWISE_MESSAGE_LENGTH 20           /* 160-bits */
@@ -229,7 +204,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5072,8 +5187,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
     /* Variables used for Signature/Verification functions. */
     /* Must be at least 256 bits for DSA2 digest */
@@ -238,7 +213,7 @@ Index: nss/lib/softoken/pkcs11c.c
     CK_ULONG signature_length;
     if (keyType == CKK_RSA) {
-@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5227,80 +5340,37 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
@@ -248,6 +223,7 @@ Index: nss/lib/softoken/pkcs11c.c
 +                                    mech, signature_length, pairwise_digest_length); \
 +    if (crv != CKR_OK)                                                               \
 +        return crv;
 +    
 +
     if (canSignVerify) {
 -        /* Determine length of signature. */
@@ -304,7 +280,7 @@ Index: nss/lib/softoken/pkcs11c.c
 -        if ((signature_length >= pairwise_digest_length) &&
 -            (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
 -            PORT_Free(signature);
-            return CKR_DEVICE_ERROR;
+-            return CKR_GENERAL_ERROR;
 -        }
 -
 -        /* Verify the known hash using the public key. */
--- a/nss-fips-constructor-self-tests.patch
+++ b/nss-fips-constructor-self-tests.patch
@@ -21,7 +21,7 @@ Index: nss/cmd/shlibsign/shlibsign.c
 ===================================================================
 --- nss.orig/cmd/shlibsign/shlibsign.c
 +++ nss/cmd/shlibsign/shlibsign.c
-@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
+@@ -818,10 +818,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
             return crv;
         }
@@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
 /*********************************************************************/
 extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
-@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl
+@@ -1947,6 +1947,9 @@ extern SECStatus X25519_DerivePublicKey(
-  */
+ /* Public key derivation is supported only for the curves supporting pt_mul method. */
- extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
+ extern SECStatus EC_DerivePublicKey(const SECItem *privateKey, const ECParams *ecParams, SECItem *publicKey);
 +/* Unconditionally run the integrity check. */
 +extern void BL_FIPSRepeatIntegrityCheck(void);
@@ -483,7 +483,7 @@ Index: nss/lib/freebl/fipsfreebl.c
 /*
  * different platforms have different ways of calling and initial entry point
  * when the dll/.so is loaded. Most platforms support either a posix pragma
-@@ -1663,38 +1670,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
+@@ -1667,38 +1674,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
 {
     /* DH Known P (2048-bits) */
     static const PRUint8 dh_known_P[] = {
@@ -555,7 +555,7 @@ Index: nss/lib/freebl/fipsfreebl.c
     };
     static const PRUint8 dh_known_Y_1[] = {
-@@ -1740,10 +1748,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
+@@ -1744,10 +1752,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
     };
     static const PRUint8 dh_known_hash_result[] = {
@@ -570,7 +570,7 @@ Index: nss/lib/freebl/fipsfreebl.c
     };
     /* DH variables. */
-@@ -1807,17 +1815,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
+@@ -1811,17 +1819,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
     return (SECSuccess);
 }
@@ -591,7 +591,7 @@ Index: nss/lib/freebl/fipsfreebl.c
 #define DO_FREEBL 1
 #define DO_REST 2
-@@ -1929,11 +1939,13 @@ static PRBool self_tests_ran = PR_FALSE;
+@@ -1933,11 +1943,13 @@ static PRBool self_tests_ran = PR_FALSE;
 static PRBool self_tests_freebl_success = PR_FALSE;
 static PRBool self_tests_success = PR_FALSE;
@@ -606,7 +606,7 @@ Index: nss/lib/freebl/fipsfreebl.c
 {
     SECStatus rv;
     /* if the freebl self tests didn't run, there is something wrong with
-@@ -1946,7 +1958,7 @@ BL_POSTRan(PRBool freebl_only)
+@@ -1950,7 +1962,7 @@ BL_POSTRan(PRBool freebl_only)
         return PR_TRUE;
     }
     /* if we only care about the freebl tests, we are good */
@@ -615,7 +615,7 @@ Index: nss/lib/freebl/fipsfreebl.c
         return PR_TRUE;
     }
     /* run the rest of the self tests */
-@@ -1965,32 +1977,16 @@ BL_POSTRan(PRBool freebl_only)
+@@ -1969,32 +1981,16 @@ BL_POSTRan(PRBool freebl_only)
     return PR_TRUE;
 }
@@ -653,7 +653,7 @@ Index: nss/lib/freebl/fipsfreebl.c
     self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
     if (!freebl_only) {
-@@ -2002,20 +1998,55 @@ bl_startup_tests(void)
+@@ -2006,20 +2002,55 @@ bl_startup_tests(void)
     /* always run the post tests */
     rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST);
     if (rv != SECSuccess) {
@@ -711,7 +711,7 @@ Index: nss/lib/freebl/fipsfreebl.c
 }
 /*
-@@ -2024,19 +2055,12 @@ bl_startup_tests(void)
+@@ -2028,19 +2059,12 @@ bl_startup_tests(void)
  * power on selftest failed.
  */
 SECStatus
@@ -720,11 +720,11 @@ Index: nss/lib/freebl/fipsfreebl.c
 {
 -#ifdef NSS_NO_INIT_SUPPORT
 -    /* this should only be set on platforms that can't handle one of the INIT
-    * schemes.  This code allows those platforms to continue to function,
+-     * schemes.  This code allows those platforms to continue to function,
-    * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
+-     * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
-    * is not set, and init support has not been properly enabled, freebl
+-     * is not set, and init support has not been properly enabled, freebl
-    * will always fail because of the test below
+-     * will always fail because of the test below
-    */
+-     */
 +    /* For platforms that don't support on-load constructors */
     if (!self_tests_freebl_ran) {
         bl_startup_tests();
@@ -733,7 +733,7 @@ Index: nss/lib/freebl/fipsfreebl.c
     if (rerun) {
         /* reset the flags */
         self_tests_freebl_ran = PR_FALSE;
-@@ -2050,10 +2074,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
+@@ -2054,10 +2078,89 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo
         return SECSuccess;
     }
     /* standalone freebl can initialize */
@@ -910,7 +910,7 @@ Index: nss/lib/freebl/loader.h
     /* Version 3.013 came to here */
-@@ -927,6 +927,9 @@ struct FREEBLVectorStr {
+@@ -933,6 +933,9 @@ struct FREEBLVectorStr {
     /* Add new function pointers at the end of this struct and bump
      * FREEBL_VERSION at the beginning of this file. */
@@ -962,7 +962,7 @@ Index: nss/lib/freebl/shvfy.c
 static char *
 mkCheckFileName(const char *libName)
 {
-@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
+@@ -288,10 +288,10 @@ readItem(PRFileDesc *fd, SECItem *item)
     return SECSuccess;
 }
@@ -974,10 +974,8 @@ Index: nss/lib/freebl/shvfy.c
 +blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun, int *err)
 {
     PRBool result = PR_FALSE; /* if anything goes wrong,
-                   * the signature does not verify */
+                                * the signature does not verify */
-+                               * the signature does not verify */
+@@ -300,7 +300,7 @@ blapi_SHVerify(const char *name, PRFuncP
     /* find our shared library name */
     char *shName = PR_GetLibraryFilePathname(name, addr);
     if (!shName) {
         goto loser;
     }
@@ -1025,15 +1023,6 @@ Index: nss/lib/freebl/shvfy.c
 {
     char *checkName = NULL;
     PRFileDesc *checkFD = NULL;
@@ -446,7 +446,7 @@ blapi_SHVerifyFile(const char *shName, P
     int pid = 0;
 #endif
     PRBool result = PR_FALSE; /* if anything goes wrong,
 -               * the signature does not verify */
 +                               * the signature does not verify */
     NSSSignChkHeader header;
 #ifndef NSS_STRICT_INTEGRITY
     DSAPublicKey key;
@@ -473,14 +473,17 @@ blapi_SHVerifyFile(const char *shName, P
     /* open the check File */
     checkFD = PR_Open(checkName, PR_RDONLY, 0);
@@ -1085,7 +1074,7 @@ Index: nss/lib/freebl/shvfy.c
     if (name == NULL) {
         /*
@@ -640,7 +643,7 @@ BLAPI_VerifySelf(const char *name)
-      */
+          */
         return PR_TRUE;
     }
 -    return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
@@ -1541,11 +1530,11 @@ Index: nss/lib/freebl/ldvector.c
 ===================================================================
 --- nss.orig/lib/freebl/ldvector.c
 +++ nss/lib/freebl/ldvector.c
-@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect
+@@ -449,6 +449,9 @@ static const struct FREEBLVectorStr vect
-     ED_VerifyMessage,
+ 
-     ED_DerivePublicKey,
+     EC_DerivePublicKey,
-     /* End of version 3.028 */
+     /* End of version 3.030 */
-+    
+
 +    /* SUSE patch: Goes last */
 +    BL_FIPSRepeatIntegrityCheck
 };
--- a/nss-fips-detect-fips-mode-fixes.patch
+++ b/nss-fips-detect-fips-mode-fixes.patch
@@ -62,15 +62,7 @@ Index: nss/lib/sysinit/nsssysinit.c
 ===================================================================
 --- nss.orig/lib/sysinit/nsssysinit.c
 +++ nss/lib/sysinit/nsssysinit.c
-@@ -178,16 +178,16 @@ getFIPSMode(void)
+@@ -185,9 +185,9 @@ getFIPSMode(void)
     f = fopen("/proc/sys/crypto/fips_enabled", "r");
     if (!f) {
         /* if we don't have a proc flag, fall back to the
 -     * environment variable */
 +         * environment variable */
         return getFIPSEnv();
     }
     size = fread(&d, 1, 1, f);
     fclose(f);
     if (size != 1)
--- a/nss-fips-fix-missing-nspr.patch
+++ b/nss-fips-fix-missing-nspr.patch
@@ -1,7 +1,7 @@
-diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
+Index: nss/lib/freebl/drbg.c
-index 3ed1751..56a1a58 100644
+===================================================================
--- a/lib/freebl/drbg.c
+--- nss.orig/lib/freebl/drbg.c
-+++ b/lib/freebl/drbg.c
+++ nss/lib/freebl/drbg.c
@@ -6,6 +6,8 @@
 #include "stubs.h"
 #endif
@@ -11,7 +11,7 @@ index 3ed1751..56a1a58 100644
 #include "prerror.h"
 #include "secerr.h"
-@@ -182,11 +184,30 @@ prng_initEntropy(void)
+@@ -183,11 +185,30 @@ prng_initEntropy(void)
     PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
     SHA256Context ctx;
@@ -42,9 +42,9 @@ index 3ed1751..56a1a58 100644
         return PR_FAILURE; /* error is already set */
     }
     PORT_Assert(length == sizeof(block));
-@@ -199,6 +220,9 @@ prng_initEntropy(void)
+@@ -200,6 +221,9 @@ prng_initEntropy(void)
                sizeof(globalrng->previousEntropyHash));
-     PORT_Memset(block, 0, sizeof(block));
+     PORT_SafeZero(block, sizeof(block));
     SHA256_DestroyContext(&ctx, PR_FALSE);
 +    coRNGInitEntropy.status = PR_SUCCESS;
 +    __sync_synchronize ();
@@ -52,7 +52,7 @@ index 3ed1751..56a1a58 100644
     return PR_SUCCESS;
 }
-@@ -211,7 +235,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+@@ -212,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t
     SHA256Context ctx;
     SECStatus rv = SECSuccess;
@@ -61,7 +61,7 @@ index 3ed1751..56a1a58 100644
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
-@@ -564,10 +588,34 @@ prng_freeRNGContext(RNGContext *rng)
+@@ -566,10 +590,34 @@ prng_freeRNGContext(RNGContext *rng)
 SECStatus
 RNG_RNGInit(void)
 {
@@ -98,7 +98,7 @@ index 3ed1751..56a1a58 100644
 }
 /*
-@@ -842,7 +890,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+@@ -844,7 +892,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsign
     }
     /* replicate reseed test from prng_GenerateGlobalRandomBytes */
     if (testContext.reseed_counter[0] >= RESEED_VALUE) {
--- a/nss-fips-gcm-ctr.patch
+++ b/nss-fips-gcm-ctr.patch
@@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c
 ===================================================================
 --- nss.orig/lib/freebl/gcm.c
 +++ nss/lib/freebl/gcm.c
-@@ -535,8 +535,14 @@ struct GCMContextStr {
+@@ -539,8 +539,14 @@ struct GCMContextStr {
     unsigned char tagKey[MAX_BLOCK_SIZE];
     PRBool ctr_context_init;
     gcmIVContext gcm_iv;
@@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c
 SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
                           unsigned int ivLen, unsigned int tagBits,
                           const unsigned char *aad, unsigned int aadLen);
-@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
+@@ -794,6 +800,8 @@ gcm_InitCounter(GCMContext *gcm, const u
         goto loser;
     }
@@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c
     /* finally mix in the AAD data */
     rv = gcmHash_Reset(ghash, aad, aadLen);
     if (rv != SECSuccess) {
-@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -895,6 +903,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
         return SECFailure;
     }
@@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c
     tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
     if (UINT_MAX - inlen < tagBytes) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
-@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -923,6 +938,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
         *outlen = 0;
         return SECFailure;
     };
--- a/nss-fips-pairwise-consistency-check.patch
+++ b/nss-fips-pairwise-consistency-check.patch
@@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -4843,8 +4843,8 @@ loser:
+@@ -5009,8 +5009,8 @@ loser:
     return crv;
 }
@@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
-@@ -5847,6 +5847,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -6077,6 +6077,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
                             (PRUint32)crv);
                 sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
             }
--- a/nss-fips-pbkdf-kat-compliance.patch
+++ b/nss-fips-pbkdf-kat-compliance.patch
@@ -2,7 +2,7 @@ Index: nss/lib/softoken/lowpbe.c
 ===================================================================
 --- nss.orig/lib/softoken/lowpbe.c
 +++ nss/lib/softoken/lowpbe.c
-@@ -1756,7 +1756,7 @@ loser:
+@@ -1755,7 +1755,7 @@ loser:
     return ret_algid;
 }
@@ -11,27 +11,27 @@ Index: nss/lib/softoken/lowpbe.c
 SECStatus
 sftk_fips_pbkdf_PowerUpSelfTests(void)
 {
-@@ -1766,16 +1766,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+@@ -1766,19 +1766,21 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
     unsigned char iteration_count = 5;
     unsigned char keyLen = 64;
     char *inKeyData = TEST_KEY;
-    static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+     static const unsigned char saltData[] = {
-+    static const unsigned char saltData[] = {
+-        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
 -        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
 +        0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18,
 +        0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64,
 +        0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B,
 +        0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22
-+    };
+     };
-+
+ 
     static const unsigned char pbkdf_known_answer[] = {
-        0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
+-        0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,
-        0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
+-        0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,
-        0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
+-        0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,
-        0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
+-        0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,
-        0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
+-        0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,
-        0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
+-        0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,
-        0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
+-        0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
-        0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
+-        0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
 +        0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70,
 +        0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f,
 +        0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6,
@@ -43,7 +43,7 @@ Index: nss/lib/softoken/lowpbe.c
     };
     sftk_PBELockInit();
-@@ -1804,11 +1810,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+@@ -1807,11 +1809,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
      * for NSSPKCS5_PBKDF2 */
     pbe_params.iter = iteration_count;
     pbe_params.keyLen = keyLen;
--- a/nss-fips-pct-pubkeys.patch
+++ b/nss-fips-pct-pubkeys.patch
@@ -5,15 +5,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -20,6 +20,7 @@
+@@ -5132,6 +5132,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
 #include <limits.h> /* for UINT_MAX and ULONG_MAX */
 +#include "lowkeyti.h"
 #include "seccomon.h"
 #include "secitem.h"
 #include "secport.h"
@@ -4965,6 +4966,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
     return crv;
 }
@@ -102,7 +94,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -5311,6 +5394,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5484,6 +5566,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
--- a/nss-fips-rsa-keygen-strictness.patch
+++ b/nss-fips-rsa-keygen-strictness.patch
@@ -65,7 +65,7 @@ Index: nss/lib/freebl/rsa.c
 /* The minimal required randomness is 64 bits */
 /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */
-@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, c
+@@ -151,11 +153,24 @@ rsa_build_from_primes(const mp_int *p, c
             err = mp_invmod(d, &phi, e);
         } else {
             err = mp_invmod(e, &phi, d);
@@ -92,7 +92,7 @@ Index: nss/lib/freebl/rsa.c
     if (err != MP_OKAY) {
         if (err == MP_UNDEF) {
             PORT_SetError(SEC_ERROR_NEED_RANDOM);
-@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -288,10 +303,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p
     mp_int q = { 0, 0, 0, NULL };
     mp_int e = { 0, 0, 0, NULL };
     mp_int d = { 0, 0, 0, NULL };
@@ -106,7 +106,7 @@ Index: nss/lib/freebl/rsa.c
     int prerr = 0;
     RSAPrivateKey *key = NULL;
     PLArenaPool *arena = NULL;
-@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -309,11 +326,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         goto cleanup;
     }
@@ -151,7 +151,7 @@ Index: nss/lib/freebl/rsa.c
     }
 #endif
-@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -331,12 +377,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p
     key->arena = arena;
     /* length of primes p and q (in bytes) */
     primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE);
@@ -165,7 +165,7 @@ Index: nss/lib/freebl/rsa.c
     /* 3.  Set the version number (PKCS1 v1.5 says it should be zero) */
     SECITEM_AllocItem(arena, &key->version, 1);
     key->version.data[0] = 0;
-@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p
+@@ -347,13 +388,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p
         PORT_SetError(0);
         CHECK_SEC_OK(generate_prime(&p, primeLen));
         CHECK_SEC_OK(generate_prime(&q, primeLen));
@@ -231,7 +231,7 @@ Index: nss/lib/freebl/rsa.c
         /* Attempt to use these primes to generate a key */
         rv = rsa_build_from_primes(&p, &q,
                                    &e, PR_FALSE, /* needPublicExponent=false */
-@@ -374,7 +466,9 @@ cleanup:
+@@ -376,7 +468,9 @@ cleanup:
     mp_clear(&q);
     mp_clear(&e);
     mp_clear(&d);
--- a/nss-fips-safe-memset.patch
+++ b/nss-fips-safe-memset.patch
@@ -1,510 +0,0 @@
 Index: nss/lib/freebl/aeskeywrap.c
 ===================================================================
 --- nss.orig/lib/freebl/aeskeywrap.c
 +++ nss/lib/freebl/aeskeywrap.c
@@ -513,7 +513,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
         PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
         rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
                          outLen);
 -        PORT_Memset(iv, 0, sizeof(iv));
 +        PORT_SafeZero(iv, sizeof(iv));
         return rv;
     }
@@ -529,7 +529,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
     PORT_ZFree(newBuf, paddedInputLen);
     /* a little overkill, we only need to clear out the length, but this
      * is easier to verify we got it all */
 -    PORT_Memset(iv, 0, sizeof(iv));
 +    PORT_SafeZero(iv, sizeof(iv));
     return rv;
 }
@@ -632,12 +632,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
 loser:
     /* if we failed, make sure we don't return any data to the user */
     if ((rv != SECSuccess) && (output == newBuf)) {
 -        PORT_Memset(newBuf, 0, paddedLen);
 +        PORT_SafeZero(newBuf, paddedLen);
     }
     /* clear out CSP sensitive data from the heap and stack */
     if (allocBuf) {
         PORT_ZFree(allocBuf, paddedLen);
     }
 -    PORT_Memset(iv, 0, sizeof(iv));
 +    PORT_SafeZero(iv, sizeof(iv));
     return rv;
 }
 Index: nss/lib/freebl/blapii.h
 ===================================================================
 --- nss.orig/lib/freebl/blapii.h
 +++ nss/lib/freebl/blapii.h
@@ -113,10 +113,10 @@ PRBool ppc_crypto_support();
 #ifdef NSS_FIPS_DISABLED
 #define BLAPI_CLEAR_STACK(stack_size)
 #else
 -#define BLAPI_CLEAR_STACK(stack_size)                    \
 -    {                                                    \
 -        volatile char _stkclr[stack_size];               \
 -        PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
 +#define BLAPI_CLEAR_STACK(stack_size)                   \
 +    {                                                   \
 +        volatile char _stkclr[stack_size];              \
 +        PORT_SafeZero((void *)&_stkclr[0], stack_size); \
     }
 #endif
 Index: nss/lib/freebl/drbg.c
 ===================================================================
 --- nss.orig/lib/freebl/drbg.c
 +++ nss/lib/freebl/drbg.c
@@ -259,7 +259,7 @@ prng_initEntropy(void)
     SHA256_Update(&ctx, block, sizeof(block));
     SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
                sizeof(globalrng->previousEntropyHash));
 -    PORT_Memset(block, 0, sizeof(block));
 +    PORT_SafeZero(block, sizeof(block));
     SHA256_DestroyContext(&ctx, PR_FALSE);
     coRNGInitEntropy.status = PR_SUCCESS;
     __sync_synchronize ();
@@ -311,8 +311,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
     }
 out:
 -    PORT_Memset(hash, 0, sizeof hash);
 -    PORT_Memset(block, 0, sizeof block);
 +    PORT_SafeZero(hash, sizeof hash);
 +    PORT_SafeZero(block, sizeof block);
     return rv;
 }
@@ -458,8 +458,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
         PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
         SHA256_DestroyContext(&ctx, PR_FALSE);
     }
 -    PORT_Memset(data, 0, sizeof data);
 -    PORT_Memset(thisHash, 0, sizeof thisHash);
 +    PORT_SafeZero(data, sizeof data);
 +    PORT_SafeZero(thisHash, sizeof thisHash);
 }
 /*
@@ -520,7 +520,7 @@ prng_generateNewBytes(RNGContext *rng,
     PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
     /* if the prng failed, don't return any output, signal softoken */
 -    PORT_Memset(H, 0, sizeof H);
 +    PORT_SafeZero(H, sizeof H);
     if (!rng->isValid) {
         PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 Index: nss/lib/freebl/dsa.c
 ===================================================================
 --- nss.orig/lib/freebl/dsa.c
 +++ nss/lib/freebl/dsa.c
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
     err = MP_OKAY;
     signature->len = dsa_signature_len;
 cleanup:
 -    PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
 +    PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&g);
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
         rv = dsa_SignDigest(key, signature, digest, kSeed);
     } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
              --retries > 0);
 -    PORT_Memset(kSeed, 0, sizeof kSeed);
 +    PORT_SafeZero(kSeed, sizeof kSeed);
     return rv;
 }
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
         verified = SECSuccess; /* Signature verified. */
     }
 cleanup:
 -    PORT_Memset(localDigestData, 0, sizeof localDigestData);
 +    PORT_SafeZero(localDigestData, sizeof localDigestData);
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&g);
 Index: nss/lib/freebl/gcm.c
 ===================================================================
 --- nss.orig/lib/freebl/gcm.c
 +++ nss/lib/freebl/gcm.c
@@ -507,7 +507,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
     rv = SECSuccess;
 cleanup:
 -    PORT_Memset(T, 0, sizeof(T));
 +    PORT_SafeZero(T, sizeof(T));
     return rv;
 }
@@ -629,15 +629,15 @@ GCM_CreateContext(void *context, freeblC
     if (rv != SECSuccess) {
         goto loser;
     }
 -    PORT_Memset(H, 0, AES_BLOCK_SIZE);
 +    PORT_SafeZero(H, AES_BLOCK_SIZE);
     gcm->ctr_context_init = PR_TRUE;
     return gcm;
 loser:
 -    PORT_Memset(H, 0, AES_BLOCK_SIZE);
 +    PORT_SafeZero(H, AES_BLOCK_SIZE);
     if (ghash && ghash->mem) {
         void *mem = ghash->mem;
 -        PORT_Memset(ghash, 0, sizeof(gcmHashContext));
 +        PORT_SafeZero(ghash, sizeof(gcmHashContext));
         PORT_Free(mem);
     }
     if (gcm) {
@@ -717,11 +717,11 @@ gcm_InitCounter(GCMContext *gcm, const u
         goto loser;
     }
 -    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
 +    PORT_SafeZero(&ctrParams, sizeof ctrParams);
     return SECSuccess;
 loser:
 -    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
 +    PORT_SafeZero(&ctrParams, sizeof ctrParams);
     if (freeCtr) {
         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
     }
@@ -1212,10 +1212,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
         PORT_SetError(SEC_ERROR_BAD_DATA);
 -        PORT_Memset(tag, 0, sizeof(tag));
 +        PORT_SafeZero(tag, sizeof(tag));
         return SECFailure;
     }
 -    PORT_Memset(tag, 0, sizeof(tag));
 +    PORT_SafeZero(tag, sizeof(tag));
     /* finish the decryption */
     rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
                     inbuf, inlen, AES_BLOCK_SIZE);
 Index: nss/lib/freebl/hmacct.c
 ===================================================================
 --- nss.orig/lib/freebl/hmacct.c
 +++ nss/lib/freebl/hmacct.c
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
     hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
     hashObj->destroy(mdState, PR_TRUE);
 -    PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
 -    PORT_Memset(hmacPad, 0, sizeof hmacPad);
 -    PORT_Memset(firstBlock, 0, sizeof firstBlock);
 -    PORT_Memset(macOut, 0, sizeof macOut);
 +    PORT_SafeZero(lengthBytes, sizeof lengthBytes);
 +    PORT_SafeZero(hmacPad, sizeof hmacPad);
 +    PORT_SafeZero(firstBlock, sizeof firstBlock);
 +    PORT_SafeZero(macOut, sizeof macOut);
     return SECSuccess;
 }
 Index: nss/lib/freebl/intel-gcm-wrap.c
 ===================================================================
 --- nss.orig/lib/freebl/intel-gcm-wrap.c
 +++ nss/lib/freebl/intel-gcm-wrap.c
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
 void
 intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
 {
 -    PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
 +    PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
     if (freeit) {
         PORT_Free(gcm);
     }
 Index: nss/lib/freebl/ppc-gcm-wrap.c
 ===================================================================
 --- nss.orig/lib/freebl/ppc-gcm-wrap.c
 +++ nss/lib/freebl/ppc-gcm-wrap.c
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
 void
 ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
 {
 -    PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
 +    PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
     if (freeit) {
         PORT_Free(gcm);
     }
 Index: nss/lib/freebl/pqg.c
 ===================================================================
 --- nss.orig/lib/freebl/pqg.c
 +++ nss/lib/freebl/pqg.c
@@ -703,7 +703,7 @@ cleanup:
     mp_clear(&a);
     mp_clear(&z);
     mp_clear(&two_length_minus_1);
 -    PORT_Memset(x, 0, sizeof(x));
 +    PORT_SafeZero(x, sizeof(x));
     if (err) {
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
@@ -859,7 +859,7 @@ cleanup:
     mp_clear(&c);
     mp_clear(&c0);
     mp_clear(&one);
 -    PORT_Memset(x, 0, sizeof(x));
 +    PORT_SafeZero(x, sizeof(x));
     if (err) {
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
     CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1       */
     CHECK_MPI_OK(mp_sub(&X, &c, P));   /* P = X - c    */
 cleanup:
 -    PORT_Memset(V_j, 0, sizeof V_j);
 +    PORT_SafeZero(V_j, sizeof V_j);
     mp_clear(&W);
     mp_clear(&X);
     mp_clear(&c);
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
 /* step 11.
      * return valid G */
 cleanup:
 -    PORT_Memset(data, 0, sizeof(data));
 +    PORT_SafeZero(data, sizeof(data));
     if (hashcx) {
         hashobj->destroy(hashcx, PR_TRUE);
     }
 Index: nss/lib/freebl/rijndael.c
 ===================================================================
 --- nss.orig/lib/freebl/rijndael.c
 +++ nss/lib/freebl/rijndael.c
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
         cx->worker_cx = NULL;
         cx->destroy = NULL;
     }
 -    PORT_Memset(cx, 0, sizeof(AESContext));
 +    PORT_SafeZero(cx, sizeof(AESContext));
     if (freeit) {
         PORT_Free(mem);
     } else {
 Index: nss/lib/freebl/rsa.c
 ===================================================================
 --- nss.orig/lib/freebl/rsa.c
 +++ nss/lib/freebl/rsa.c
@@ -145,8 +145,8 @@ rsa_build_from_primes(const mp_int *p, c
     /* 2.  Compute phi = (p-1)*(q-1) */
     CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
     CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
 +    CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
     if (needPublicExponent || needPrivateExponent) {
 -        CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
         /* 3.  Compute d = e**-1 mod(phi) */
         /*     or      e = d**-1 mod(phi) as necessary */
         if (needPublicExponent) {
@@ -180,6 +180,15 @@ rsa_build_from_primes(const mp_int *p, c
         goto cleanup;
     }
 +    /* make sure we weren't passed in a d or e = 1 mod phi */
 +    /* just need to check d, because if one is = 1 mod phi, they both are */
 +    CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
 +    if (mp_cmp_d(&tmp, 2) <= 0) {
 +        PORT_SetError(SEC_ERROR_INVALID_ARGS);
 +        rv = SECFailure;
 +        goto cleanup;
 +    }
 +
     /* 4.  Compute exponent1 = d mod (p-1) */
     CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
     MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
@@ -1251,6 +1260,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
     /* Perform a public key operation v = m ** e mod n */
     CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
     if (mp_cmp(&v, c) != 0) {
 +        /* this error triggers a fips fatal error lock */
 +        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
 cleanup:
 Index: nss/lib/freebl/rsapkcs.c
 ===================================================================
 --- nss.orig/lib/freebl/rsapkcs.c
 +++ nss/lib/freebl/rsapkcs.c
@@ -978,14 +978,14 @@ rsa_GetHMACContext(const SECHashObject *
     /* now create the hmac key */
     hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
     if (hmac == NULL) {
 -        PORT_Memset(keyHash, 0, sizeof(keyHash));
 +        PORT_SafeZero(keyHash, sizeof(keyHash));
         return NULL;
     }
     HMAC_Begin(hmac);
     HMAC_Update(hmac, input, inputLen);
     rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
     if (rv != SECSuccess) {
 -        PORT_Memset(keyHash, 0, sizeof(keyHash));
 +        PORT_SafeZero(keyHash, sizeof(keyHash));
         HMAC_Destroy(hmac, PR_TRUE);
         return NULL;
     }
@@ -993,7 +993,7 @@ rsa_GetHMACContext(const SECHashObject *
      * reuse the original context allocated above so we don't
      * need to allocate and free another one */
     rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
 -    PORT_Memset(keyHash, 0, sizeof(keyHash));
 +    PORT_SafeZero(keyHash, sizeof(keyHash));
     if (rv != SECSuccess) {
         HMAC_Destroy(hmac, PR_TRUE);
         return NULL;
@@ -1043,7 +1043,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
             return rv;
         }
         PORT_Memcpy(output, hmacLast, left);
 -        PORT_Memset(hmacLast, 0, sizeof(hmacLast));
 +        PORT_SafeZero(hmacLast, sizeof(hmacLast));
     }
     return rv;
 }
@@ -1088,7 +1088,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
         outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
                                 candidate, outLength);
     }
 -    PORT_Memset(out, 0, sizeof(out));
 +    PORT_SafeZero(out, sizeof(out));
     return outLength;
 }
 Index: nss/lib/freebl/shvfy.c
 ===================================================================
 --- nss.orig/lib/freebl/shvfy.c
 +++ nss/lib/freebl/shvfy.c
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
     /* verify the hash against the check file */
     rv = DSA_VerifyDigest(key, signature, &hash);
 -    PORT_Memset(hashBuf, 0, sizeof hashBuf);
 +    PORT_SafeZero(hashBuf, sizeof hashBuf);
     return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
 }
 #endif
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
     if (rv == SECSuccess) {
         result = SECITEM_ItemsAreEqual(signature, &hash);
     }
 -    PORT_Memset(hashBuf, 0, sizeof hashBuf);
 +    PORT_SafeZero(hashBuf, sizeof hashBuf);
     return result;
 }
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
 #ifndef NSS_STRICT_INTEGRITY
     DSAPublicKey key;
 -    PORT_Memset(&key, 0, sizeof(key));
 +    PORT_SafeZero(&key, sizeof(key));
 #endif
     /* If our integrity check was never ran or failed, fail any other
@@ -600,7 +600,7 @@ blapi_SHVerifyFile(const char *shName, P
     shFD = NULL;
 loser:
 -    PORT_Memset(&header, 0, sizeof header);
 +    PORT_SafeZero(&header, sizeof header);
     if (checkName != NULL) {
         PORT_Free(checkName);
     }
 Index: nss/lib/freebl/tlsprfalg.c
 ===================================================================
 --- nss.orig/lib/freebl/tlsprfalg.c
 +++ nss/lib/freebl/tlsprfalg.c
@@ -82,8 +82,8 @@ loser:
     /* clear out state so it's not left on the stack */
     if (cx)
         HMAC_Destroy(cx, PR_TRUE);
 -    PORT_Memset(state, 0, sizeof(state));
 -    PORT_Memset(outbuf, 0, sizeof(outbuf));
 +    PORT_SafeZero(state, sizeof(state));
 +    PORT_SafeZero(outbuf, sizeof(outbuf));
     return rv;
 }
 Index: nss/lib/freebl/unix_urandom.c
 ===================================================================
 --- nss.orig/lib/freebl/unix_urandom.c
 +++ nss/lib/freebl/unix_urandom.c
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
         return;
     }
     RNG_RandomUpdate(bytes, numBytes);
 -    PORT_Memset(bytes, 0, sizeof bytes);
 +    PORT_SafeZero(bytes, sizeof bytes);
 }
 size_t
 Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
@@ -4994,7 +4994,7 @@ pairwise_signverify_mech (CK_SESSION_HAN
     if ((signature_length >= pairwise_digest_length) &&
         (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
         PORT_Free(signature);
 -        return CKR_DEVICE_ERROR;
 +        return CKR_GENERAL_ERROR;
     }
     /* Verify the known hash using the public key. */
 Index: nss/lib/util/secport.h
 ===================================================================
 --- nss.orig/lib/util/secport.h
 +++ nss/lib/util/secport.h
@@ -36,6 +36,9 @@
 #include <sys/types.h>
 #include <ctype.h>
 +/* ask for Annex K for memset_s. will set the appropriate #define
 + * if Annex K is supported */
 +#define __STDC_WANT_LIB_EXT1__ 1
 #include <string.h>
 #include <stddef.h>
 #include <stdlib.h>
@@ -182,6 +185,39 @@ SEC_END_PROTOS
 #endif /*SUNOS4*/
 #define PORT_Memset memset
 +/* there are cases where the compiler optimizes away our attempt to clear
 + * out our stack variables. There are multiple solutions for this problem,
 + * but they aren't universally accepted on all platforms. This attempts
 + * to select the best solution available given our os, compilier, and libc */
 +#ifdef __STDC_LIB_EXT1__
 +/* if the os implements C11 annex K, use memset_s */
 +#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
 +#else
 +#ifdef XP_WIN
 +/* windows has a secure zero funtion */
 +#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
 +#else
 +/* _DEFAULT_SORUCE  == BSD source in GCC based environments
 + * if other environmens support explicit_bzero, their defines
 + * should be added here */
 +#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
 +#define PORT_SafeZero(p, n) explicit_bzero(p, n)
 +#else
 +/* if the os doesn't support one of the above, but does support
 + * memset_explicit, you can add the definition for memset with the
 + * appropriate define check here */
 +/* define an explicitly implementated Safe zero if the OS
 + * doesn't provide one */
 +#define PORT_SafeZero(p, n)                                \
 +    if (p != NULL) {                                       \
 +        volatile unsigned char *__vl = (unsigned char *)p; \
 +        size_t __nl = n;                                   \
 +        while (__nl--) *__vl++ = 0;                        \
 +    }
 +#endif /* no explicit_bzero */
 +#endif /* no windows SecureZeroMemory */
 +#endif /* no memset_s */
 +
 #define PORT_Strcasecmp PL_strcasecmp
 #define PORT_Strcat strcat
 #define PORT_Strchr strchr
--- a/nss-fips-stricter-dh.patch
+++ b/nss-fips-stricter-dh.patch
@@ -1,52 +0,0 @@
 commit 3ab80b72e85583bd727730bc5b57f91e07b89710
 Author: Hans Petter Jansson <hpj@cl.no>
 Date:   Fri Sep 4 13:41:34 2020 +0200
    Patch 38: nss-fips-stricter-dh.patch
 Index: nss/lib/freebl/dh.c
 ===================================================================
 --- nss.orig/lib/freebl/dh.c
 +++ nss/lib/freebl/dh.c
@@ -449,7 +449,7 @@ cleanup:
 PRBool
 KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
 {
 -    mp_int p, q, y, r;
 +    mp_int p, q, y, r, psub1;
     mp_err err;
     int cmp = 1; /* default is false */
     if (!Y || !prime || !subPrime) {
@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
     MP_DIGITS(&q) = 0;
     MP_DIGITS(&y) = 0;
     MP_DIGITS(&r) = 0;
 +    MP_DIGITS(&psub1) = 0;
     CHECK_MPI_OK(mp_init(&p));
     CHECK_MPI_OK(mp_init(&q));
     CHECK_MPI_OK(mp_init(&y));
     CHECK_MPI_OK(mp_init(&r));
 +    CHECK_MPI_OK(mp_init(&psub1));
     SECITEM_TO_MPINT(*prime, &p);
     SECITEM_TO_MPINT(*subPrime, &q);
     SECITEM_TO_MPINT(*Y, &y);
 +
 +    CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
 +
 +    if (mp_cmp_d(&y, 1) <= 0 ||
 +        mp_cmp(&y, &psub1) >= 0) {
 +        err = MP_BADARG;
 +        goto cleanup;
 +    }
 +
     /* compute r = y**q mod p */
     CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
     /* compare to 1 */
@@ -476,6 +487,7 @@ cleanup:
     mp_clear(&q);
     mp_clear(&y);
     mp_clear(&r);
 +    mp_clear(&psub1);
     if (err) {
         MP_TO_SEC_ERROR(err);
         return PR_FALSE;
--- a/nss-fips-zeroization.patch
+++ b/nss-fips-zeroization.patch
@@ -107,7 +107,7 @@ Index: nss/lib/freebl/gcm.c
 ===================================================================
 --- nss.orig/lib/freebl/gcm.c
 +++ nss/lib/freebl/gcm.c
-@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
+@@ -166,6 +166,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
     *r_high = (uint64_t)(r >> 64);
     *r_low = (uint64_t)r;
@@ -117,7 +117,7 @@ Index: nss/lib/freebl/gcm.c
 }
 SECStatus
-@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
+@@ -204,6 +207,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
     }
     ghash->x_low = ci_low;
     ghash->x_high = ci_high;
@@ -130,7 +130,7 @@ Index: nss/lib/freebl/gcm.c
     return SECSuccess;
 }
 #else
-@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
+@@ -243,6 +252,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
     z = z0 | z1 | z2 | z3;
     *r_high = (uint32_t)(z >> 32);
     *r_low = (uint32_t)z;
@@ -141,7 +141,7 @@ Index: nss/lib/freebl/gcm.c
 }
 SECStatus
-@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
+@@ -328,6 +341,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
         ghash->x_high = z_high_h;
         ghash->x_low = z_high_l;
     }
@@ -162,40 +162,3 @@ Index: nss/lib/freebl/gcm.c
     return SECSuccess;
 }
 #endif /* HAVE_INT128_SUPPORT */
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
     /* verify the block */
     rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
     if (rv != SECSuccess) {
 -        return SECFailure;
 +        rv = SECFailure;
 +        goto cleanup;
     }
     rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE);
     if (rv != SECSuccess) {
 -        return SECFailure;
 +        rv = SECFailure;
 +        goto cleanup;
     }
     /* Don't decrypt if we can't authenticate the encrypted data!
      * This assumes that if tagBits is not a multiple of 8, intag will
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
         PORT_SetError(SEC_ERROR_BAD_DATA);
 -        PORT_Memset(tag, 0, sizeof(tag));
 -        return SECFailure;
 +        rv = SECFailure;
 +        goto cleanup;
     }
 +cleanup:
 +    tagBytes = 0;
     PORT_Memset(tag, 0, sizeof(tag));
 +    intag = NULL;
 +    len = 0;
 +    if (rv != SECSuccess) {
 +        return rv;
 +    }
 +
     /* finish the decryption */
     return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
                       inbuf, inlen, AES_BLOCK_SIZE);
--- a/nss-reproducible-chksums.patch
+++ b/nss-reproducible-chksums.patch
@@ -1,235 +0,0 @@
 commit 759ac09c2697b77c27b92aba69b267d4b11126d9
 Author: Martin Sirringhaus <martin.sirringhaus@suse.com>
 Date:   Mon Jul 22 16:03:58 2024 +0200
    Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=#nss-reviewers)
    Differential Revision: https://phabricator.services.mozilla.com/D217282
 diff --git a/cmd/shlibsign/Makefile b/cmd/shlibsign/Makefile
 index a1192055c1..eb68618157 100644
 --- a/cmd/shlibsign/Makefile
 +++ b/cmd/shlibsign/Makefile
@@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
 # (4) Include "local" platform-dependent assignments (OPTIONAL).      #
 #######################################################################
 -ifeq ($(OS_ARCH), WINNT)
 -
 -EXTRA_LIBS += \
 -	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
 -	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
 -	$(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
 -	$(NULL)
 -
 -else
 -
 -EXTRA_SHARED_LIBS += \
 -	-L$(NSPR_LIB_DIR) \
 -	-lplc4 \
 -	-lplds4 \
 -	-lnspr4 \
 -	$(NULL)
 -
 -endif
 -
 +include ../platlibs.mk
 # sign any and all shared libraries that contain the word freebl
 ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
 diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
 index 5745426ba4..55c6c9ac09 100644
 --- a/cmd/shlibsign/shlibsign.c
 +++ b/cmd/shlibsign/shlibsign.c
@@ -54,6 +54,7 @@
 /* nss headers for definition of HASH_HashType */
 #include "hasht.h"
 +#include "secitem.h"
 CK_BBOOL cktrue = CK_TRUE;
 CK_BBOOL ckfalse = CK_FALSE;
@@ -86,6 +87,8 @@ static HashTable hashTable[] = {
     MKHASH("sha512", SHA512)
 };
 static size_t hashTableSize = PR_ARRAY_SIZE(hashTable);
 +// Arbitrary value for now, to avoid memory allocations
 +#define MAX_CLI_KEYLENGTH 64
 const HashTable *
 findHash(const char *hashName)
@@ -111,7 +114,7 @@ usage(const char *program_name)
     PR_fprintf(debug_out,
                "Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
                "          [-F] [-p pwd] -[P dbprefix ] [-t hash]"
 -               "          [-D] [-k keysize] [-c]"
 +               "          [-D] [-k keysize] [-c] [-K key]"
                "-i shared_library_name\n",
                program_name);
     PR_fprintf(debug_out, "Valid Hashes: ");
@@ -136,6 +139,7 @@ long_usage(const char *program_name)
     PR_fprintf(debug_out, "\t-t <hash>    Hash for HMAC/or DSA\n");
     PR_fprintf(debug_out, "\t-D           Sign with DSA rather than HMAC\n");
     PR_fprintf(debug_out, "\t-k <keysize> size of the DSA key\n");
 +    PR_fprintf(debug_out, "\t-K <key>     key-material to use for hmac (hex-string, without leading 0x)\n");
     PR_fprintf(debug_out, "\t-c           Use compatible versions for old NSS\n");
     PR_fprintf(debug_out, "\t-P <prefix>  database prefix\n");
     PR_fprintf(debug_out, "\t-f <file>    password File : echo pw > file \n");
@@ -1067,7 +1071,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
 CK_RV
 shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
 -              CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd,
 +              CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd,
               PRFileDesc *ofd, const HashTable *hash)
 {
     CK_MECHANISM hmacMech = { 0, NULL, 0 };
@@ -1098,40 +1102,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
                    "Internal error:Could find sha256 entry in table.\n");
     }
 -    hmacKeyTemplate[0].type = CKA_TOKEN;
 -    hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
 -    hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
 -    hmacKeyTemplate[1].type = CKA_PRIVATE;
 -    hmacKeyTemplate[1].pValue = &cktrue;
 -    hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
 -    hmacKeyTemplate[2].type = CKA_SENSITIVE;
 -    hmacKeyTemplate[2].pValue = &ckfalse;
 -    hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
 -    hmacKeyTemplate[3].type = CKA_SIGN;
 -    hmacKeyTemplate[3].pValue = &cktrue;
 -    hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
 -    hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
 -    hmacKeyTemplate[4].pValue = &ckfalse;
 -    hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
 -    hmacKeyTemplate[5].type = CKA_VALUE_LEN;
 -    hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
 -    hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
 -    hmacKeyTemplate[6].type = CKA_KEY_TYPE;
 -    hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
 -    hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
 -    hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
 -    hmacMech.mechanism = hash->hmac;
 +    if (key == NULL) {
 +        hmacKeyTemplate[0].type = CKA_TOKEN;
 +        hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
 +        hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
 +        hmacKeyTemplate[1].type = CKA_PRIVATE;
 +        hmacKeyTemplate[1].pValue = &cktrue;
 +        hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
 +        hmacKeyTemplate[2].type = CKA_SENSITIVE;
 +        hmacKeyTemplate[2].pValue = &ckfalse;
 +        hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
 +        hmacKeyTemplate[3].type = CKA_SIGN;
 +        hmacKeyTemplate[3].pValue = &cktrue;
 +        hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
 +        hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
 +        hmacKeyTemplate[4].pValue = &ckfalse;
 +        hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
 +        hmacKeyTemplate[5].type = CKA_VALUE_LEN;
 +        hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
 +        hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
 +        hmacKeyTemplate[6].type = CKA_KEY_TYPE;
 +        hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
 +        hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
 +        hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
 +
 +        /* Generate a DSA key pair */
 +        logIt("Generate an HMAC key ... \n");
 +        crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
 +                                           hmacKeyTemplate,
 +                                           PR_ARRAY_SIZE(hmacKeyTemplate),
 +                                           &hHMACKey);
 +    } else {
 +        SECItem keyitem = { 0 };
 +        if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) {
 +            pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv);
 +            return crv;
 +        }
 +
 +        CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY;
 +        CK_ATTRIBUTE hmacKeyObject[] = {
 +            {
 +                .type = CKA_CLASS,
 +                .pValue = &secret_key_obj_class,
 +                .ulValueLen = sizeof(CK_OBJECT_CLASS),
 +            },
 +            {
 +                .type = CKA_KEY_TYPE,
 +                .pValue = (void *)&hash->keyType,
 +                .ulValueLen = sizeof(hash->keyType),
 +            },
 +            {
 +                .type = CKA_VALUE,
 +                .pValue = keyitem.data,
 +                .ulValueLen = keyitem.len,
 +            },
 +            {
 +                .type = CKA_SIGN,
 +                .pValue = &cktrue,
 +                .ulValueLen = sizeof(cktrue),
 +            },
 +        };
 +        logIt("Using static HMAC key ... \n");
 +        crv = pFunctionList->C_CreateObject(hRwSession,
 +                                           hmacKeyObject,
 +                                           PR_ARRAY_SIZE(hmacKeyObject),
 +                                           &hHMACKey);
 +    }
 -    /* Generate a DSA key pair */
 -    logIt("Generate an HMAC key ... \n");
 -    crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
 -                                       hmacKeyTemplate,
 -                                       PR_ARRAY_SIZE(hmacKeyTemplate),
 -                                       &hHMACKey);
     if (crv != CKR_OK) {
         pk11error("HMAC key generation failed", crv);
         return crv;
     }
 +    hmacMech.mechanism = hash->hmac;
     /* compute the digest */
     memset(sign, 0, sizeof(sign));
@@ -1256,6 +1298,7 @@ main(int argc, char **argv)
     static PRBool useDSA = PR_FALSE;
     PRBool successful = PR_FALSE;
     const HashTable *hash = NULL;
 +    char *key = NULL;
 #ifdef USES_LINKS
     int ret;
@@ -1279,7 +1322,7 @@ main(int argc, char **argv)
     program_name = strrchr(argv[0], '/');
     program_name = program_name ? (program_name + 1) : argv[0];
 -    optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc");
 +    optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc");
     if (optstate == NULL) {
         lperror("PL_CreateOptState failed");
         return 1;
@@ -1329,6 +1372,14 @@ main(int argc, char **argv)
                 keySize = atoi(optstate->value);
                 break;
 +            case 'K':
 +                if (!optstate->value) {
 +                    PL_DestroyOptState(optstate);
 +                    usage(program_name);
 +                }
 +                key = PL_strdup(optstate->value);
 +                break;
 +
             case 'f':
                 if (!optstate->value) {
                     PL_DestroyOptState(optstate);
@@ -1567,7 +1618,7 @@ main(int argc, char **argv)
                            keySize, ifd, ofd, hash);
     } else {
         crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession,
 -                            keySize, ifd, ofd, hash);
 +                            keySize, key, ifd, ofd, hash);
     }
     if (crv == CKR_INTERNAL_OUT_FAILURE) {
         lperror(output_file);