OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=408

2023-03-13 08:10:43 +00:00 · 2023-03-13 08:10:43 +00:00 · 9ad7a5b5cd
commit 9ad7a5b5cd
parent 0524eebc24
23 changed files with 188 additions and 210 deletions
--- a/add-relro-linker-option.patch
+++ b/add-relro-linker-option.patch
@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
 ===================================================================
 --- nss.orig/coreconf/Linux.mk
 +++ nss/coreconf/Linux.mk
-@@ -183,6 +183,12 @@ endif
+@@ -184,6 +184,12 @@ endif
 endif
 endif
--- a/malloc.patch
+++ b/malloc.patch
@ -2,7 +2,7 @@ Index: nss/tests/ssl/ssl.sh
 ===================================================================
 --- nss.orig/tests/ssl/ssl.sh
 +++ nss/tests/ssl/ssl.sh
-@@ -1683,6 +1683,7 @@ ssl_run_tests()
+@@ -1696,6 +1696,7 @@ ssl_run_tests()
 ################################# main #################################
--- a/nss-fips-180-3-csp-clearing.patch
+++ b/nss-fips-180-3-csp-clearing.patch
@ -29,7 +29,7 @@ Index: nss/lib/softoken/sftkpwd.c
 ===================================================================
 --- nss.orig/lib/softoken/sftkpwd.c
 +++ nss/lib/softoken/sftkpwd.c
-@@ -1439,7 +1439,7 @@ loser:
+@@ -1459,7 +1459,7 @@ loser:
         PORT_ZFree(newKey.data, newKey.len);
     }
     if (result) {
--- a/nss-fips-approved-crypto-non-ec.patch
+++ b/nss-fips-approved-crypto-non-ec.patch
@ -440,7 +440,7 @@ Index: nss/lib/freebl/nsslowhash.c
 ===================================================================
 --- nss.orig/lib/freebl/nsslowhash.c
 +++ nss/lib/freebl/nsslowhash.c
-@@ -12,6 +12,7 @@
+@@ -13,6 +13,7 @@
 #include "plhash.h"
 #include "nsslowhash.h"
 #include "blapii.h"
@ -448,7 +448,7 @@ Index: nss/lib/freebl/nsslowhash.c
 struct NSSLOWInitContextStr {
     int count;
-@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
+@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
 {
     NSSLOWHASHContext *context;
@ -487,7 +487,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             } else {
                 /* now allocate the hash contexts */
                 md5 = MD5_NewContext();
--- a/nss-fips-cavs-dsa-fixes.patch
+++ b/nss-fips-cavs-dsa-fixes.patch
@ -10,10 +10,11 @@ From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001
 nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
 1 file changed, 101 insertions(+), 11 deletions(-)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
+Index: nss/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+===================================================================
-+++ b/cmd/fipstest/fipstest.c
+--- nss.orig/cmd/fipstest/fipstest.c
-@@ -5576,7 +5576,7 @@
+++ nss/cmd/fipstest/fipstest.c
@@ -5575,7 +5575,7 @@ loser:
 void
 dsa_pqggen_test(char *reqfn)
 {
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
                          * or to the output RESPONSE file.
                          * 800 to hold seed = (384 public key (x2 for HEX)
                          */
-@@ -5592,6 +5592,13 @@
+@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
     PQGVerify *vfy = NULL;
     unsigned int keySizeIndex = 0;
     dsa_pqg_type type = FIPS186_1;
@ -36,7 +37,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
     dsareq = fopen(reqfn, "r");
     dsaresp = stdout;
-@@ -5612,8 +5619,8 @@
+@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn)
                 output_g = 1;
                 exit(1);
             } else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
@ -47,7 +48,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
             } else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
                 type = A_1_2_1;
                 output_g = 0;
-@@ -5627,14 +5634,17 @@
+@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn)
         /* [Mod = ... ] */
         if (buf[0] == '[') {
@ -59,15 +60,14 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
                     goto loser;
                 }
 -            } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
 -                goto loser;
 +            } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) {
-+                goto loser;
+                 goto loser;
 +            } else {
 +                hashtype = sha_get_hashType (hashbits);
             }
             fputs(buf, dsaresp);
-@@ -5656,7 +5666,7 @@
+@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn)
             continue;
         }
         /* N = ... */
@ -76,7 +76,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
             if (strncmp(buf, "Num", 3) == 0) {
                 if (sscanf(buf, "Num = %d", &count) != 1) {
                     goto loser;
-@@ -5671,7 +5681,10 @@
+@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn)
                     rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
                                              &pqg, &vfy);
                 } else {
@ -88,7 +88,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
                 }
                 if (rv != SECSuccess) {
                     fprintf(dsaresp,
-@@ -5682,6 +5695,10 @@
+@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn)
                 fprintf(dsaresp, "P = %s\n", buf);
                 to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
                 fprintf(dsaresp, "Q = %s\n", buf);
@ -99,7 +99,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
                 if (output_g) {
                     to_hex_str(buf, pqg->base.data, pqg->base.len);
                     fprintf(dsaresp, "G = %s\n", buf);
-@@ -5697,13 +5714,13 @@
+@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn)
                     }
                     fprintf(dsaresp, "%s\n", buf);
                 } else {
@ -118,11 +118,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
                     fprintf(dsaresp, "qseed = %s\n", buf);
                     fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
                     fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
-@@ -5723,12 +5740,85 @@
+@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn)
                     vfy = NULL;
                 }
             }
 -
 +            continue;
 +        }
 +
@ -180,7 +179,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
 +
 +            to_hex_str(buf, pqg->base.data, pqg->base.len);
 +            fprintf(dsaresp, "G = %s\n\n", buf);
-+
+ 
 +            PQG_DestroyParams(pqg);
 +            pqg = NULL;
 +            PQG_DestroyVerify(vfy);
--- a/nss-fips-cavs-general.patch
+++ b/nss-fips-cavs-general.patch
@ -102,7 +102,7 @@ Index: nss/cmd/fipstest/fipstest.c
 SECStatus
 tdea_encrypt_buf(
     int mode,
-@@ -8930,41 +8994,6 @@ out:
+@@ -8915,41 +8979,6 @@ out:
     }
 }
@ -144,7 +144,7 @@ Index: nss/cmd/fipstest/fipstest.c
 void
 kas_ffc_test(char *reqfn, int do_validity)
 {
-@@ -9387,12 +9416,34 @@ out:
+@@ -9372,12 +9401,34 @@ out:
     free_param_specs (pspecs);
 }
--- a/nss-fips-cavs-kas-ecc.patch
+++ b/nss-fips-cavs-kas-ecc.patch
@ -11,10 +11,11 @@ From 4c27df62aa425745620f45710465b0264acacbb0 Mon Sep 17 00:00:00 2001
 nss/cmd/fipstest/kas.sh     |  22 +++
 2 files changed, 326 insertions(+)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
+Index: nss/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+===================================================================
-+++ b/cmd/fipstest/fipstest.c
+--- nss.orig/cmd/fipstest/fipstest.c
-@@ -9092,6 +9092,301 @@
+++ nss/cmd/fipstest/fipstest.c
@@ -9077,6 +9077,301 @@ out:
     }
 }
@ -316,7 +317,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
 int
 main(int argc, char **argv)
 {
-@@ -9287,6 +9582,15 @@
+@@ -9272,6 +9567,15 @@ main(int argc, char **argv)
         } else {
             kas_ffc_test(argv[3], PR_FALSE);
         }
@ -332,10 +333,11 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
     }
     return 0;
 }
-diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
+Index: nss/cmd/fipstest/kas.sh
--- a/cmd/fipstest/kas.sh
+===================================================================
-+++ b/cmd/fipstest/kas.sh
+--- nss.orig/cmd/fipstest/kas.sh
-@@ -27,6 +27,16 @@
+++ nss/cmd/fipstest/kas.sh
@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini
 KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
 "
@ -352,7 +354,7 @@ diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
 if [ ${COMMAND} = "verify" ]; then
     for request in $kas_requests; do
 	sh ./validate1.sh ${TESTDIR} $request
-@@ -45,3 +55,15 @@
+@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit
     echo $request $response
     fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response
 done
--- a/nss-fips-cavs-kas-ffc.patch
+++ b/nss-fips-cavs-kas-ffc.patch
@ -12,10 +12,11 @@ From ac98082c3bc0c9f85213078b730980483062f25c Mon Sep 17 00:00:00 2001
 2 files changed, 241 insertions(+)
 create mode 100644 nss/cmd/fipstest/kas.sh
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
+Index: nss/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+===================================================================
-+++ b/cmd/fipstest/fipstest.c
+--- nss.orig/cmd/fipstest/fipstest.c
-@@ -2258,6 +2258,29 @@
+++ nss/cmd/fipstest/fipstest.c
@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne
     return rv;
 }
@ -45,7 +46,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
 int
 fips_hashLen(HASH_HashType type)
 {
-@@ -8907,6 +8930,168 @@
+@@ -8892,6 +8915,168 @@ out:
     }
 }
@ -214,7 +215,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
 int
 main(int argc, char **argv)
 {
-@@ -9093,6 +9278,15 @@
+@@ -9078,6 +9263,15 @@ main(int argc, char **argv)
         /* AES Keywrap */
         /***************/
         keywrap(argv[2]);
@ -230,10 +231,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
     }
     return 0;
 }
-diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
+Index: nss/cmd/fipstest/kas.sh
-new file mode 100644
+===================================================================
 --- /dev/null
-+++ b/cmd/fipstest/kas.sh
+++ nss/cmd/fipstest/kas.sh
@@ -0,0 +1,47 @@
 +#!/bin/sh
 +# 
--- a/nss-fips-cavs-keywrap.patch
+++ b/nss-fips-cavs-keywrap.patch
@ -12,10 +12,11 @@ From f4cbaf95fcf2519029bb3c4407b2f15aa27c94c1 Mon Sep 17 00:00:00 2001
 2 files changed, 200 insertions(+)
 create mode 100644 nss/cmd/fipstest/keywrap.sh
-diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
+Index: nss/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c	Sun Mar 15 21:54:30 2020 +0100
+===================================================================
-+++ b/cmd/fipstest/fipstest.c	Wed Nov 20 08:13:43 2019 +0100
+--- nss.orig/cmd/fipstest/fipstest.c
-@@ -8752,6 +8752,161 @@
+++ nss/cmd/fipstest/fipstest.c
@@ -8737,6 +8737,161 @@ done:
     return;
 }
@ -177,7 +178,7 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
 int
 main(int argc, char **argv)
 {
-@@ -8933,6 +9088,11 @@
+@@ -8918,6 +9073,11 @@ main(int argc, char **argv)
         ikev2(argv[2]);
     } else if (strcmp(argv[1], "kbkdf") == 0) {
         kbkdf(argv[2]);
@ -189,9 +190,10 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
     }
     return 0;
 }
-diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/keywrap.sh
+Index: nss/cmd/fipstest/keywrap.sh
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+===================================================================
-+++ b/cmd/fipstest/keywrap.sh	Wed Nov 20 08:13:43 2019 +0100
+--- /dev/null
 +++ nss/cmd/fipstest/keywrap.sh
@@ -0,0 +1,40 @@
 +#!/bin/sh
 +# 
--- a/nss-fips-cavs-rsa-fixes.patch
+++ b/nss-fips-cavs-rsa-fixes.patch
@ -10,10 +10,11 @@ From 9b4636ad75add2ac09ce1844b3071785d563c275 Mon Sep 17 00:00:00 2001
 nss/cmd/fipstest/fipstest.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
+Index: nss/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+===================================================================
-+++ b/cmd/fipstest/fipstest.c
+--- nss.orig/cmd/fipstest/fipstest.c
-@@ -6536,7 +6536,7 @@
+++ nss/cmd/fipstest/fipstest.c
@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn)
             /* Output the signature */
             fputs(buf, rsaresp);
             to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
             /* Perform RSA verification with the RSA public key. */
             rv = RSA_HashCheckSign(shaOid,
-@@ -9536,6 +9536,7 @@
+@@ -9521,6 +9521,7 @@ main(int argc, char **argv)
     init_functions();
     RNG_RNGInit();
     SECOID_Init();
--- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch
+++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch
@ -42,7 +42,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
 ===================================================================
 --- nss.orig/lib/pk11wrap/pk11mech.c
 +++ nss/lib/pk11wrap/pk11mech.c
-@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
             return CKK_RSA;
         case CKM_DSA:
         case CKM_DSA_SHA1:
@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
         case CKM_DSA_KEY_PAIR_GEN:
             return CKK_DSA;
         case CKM_DH_PKCS_DERIVE:
-@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
             return CKK_KEA;
         case CKM_ECDSA:
         case CKM_ECDSA_SHA1:
@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
 static SECStatus
 nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c
 {
     SECItem signature, digest;
     SECStatus rv;
-@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     return rv;
 }
@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
-@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
+@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
 static SECStatus
 nsc_ECDSASignStub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c
 {
     SECItem signature, digest;
     SECStatus rv;
-@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
+@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
     return rv;
 }
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
         info->hashOid = SEC_OID_##mmm;                    \
         goto finish_rsa;
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
     switch (pMechanism->mechanism) {
         INIT_RSA_VFY_MECH(MD5)
         INIT_RSA_VFY_MECH(MD2)
-@@ -4825,6 +4873,73 @@ loser:
+@@ -4829,6 +4877,73 @@ loser:
 #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
 #define PAIRWISE_MESSAGE_LENGTH 20           /* 160-bits */
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
     /* Variables used for Signature/Verification functions. */
     /* Must be at least 256 bits for DSA2 digest */
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
     CK_ULONG signature_length;
     if (keyType == CKK_RSA) {
-@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
--- a/nss-fips-constructor-self-tests.patch
+++ b/nss-fips-constructor-self-tests.patch
@ -21,8 +21,8 @@ Index: nss/cmd/shlibsign/shlibsign.c
 ===================================================================
 --- nss.orig/cmd/shlibsign/shlibsign.c
 +++ nss/cmd/shlibsign/shlibsign.c
-@@ -946,10 +946,12 @@ main(int argc, char **argv)
+@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
-             goto cleanup;
+             return crv;
         }
 -        if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) {
@ -839,7 +839,7 @@ Index: nss/lib/freebl/manifest.mn
 	$(NULL)
 MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-@@ -186,6 +187,7 @@ ALL_HDRS =  \
+@@ -187,6 +188,7 @@ ALL_HDRS =  \
 	shsign.h \
 	vis_proto.h \
 	seed.h \
@ -851,7 +851,7 @@ Index: nss/lib/freebl/shvfy.c
 ===================================================================
 --- nss.orig/lib/freebl/shvfy.c
 +++ nss/lib/freebl/shvfy.c
-@@ -22,6 +22,8 @@
+@@ -23,6 +23,8 @@
 #ifndef NSS_FIPS_DISABLED
@ -860,7 +860,7 @@ Index: nss/lib/freebl/shvfy.c
 /*
  * Most modern version of Linux support a speed optimization scheme where an
  * application called prelink modifies programs and shared libraries to quickly
-@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
+@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
 }
 #endif
@ -869,7 +869,7 @@ Index: nss/lib/freebl/shvfy.c
 static char *
 mkCheckFileName(const char *libName)
 {
-@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item)
+@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
     return SECSuccess;
 }
@ -893,7 +893,7 @@ Index: nss/lib/freebl/shvfy.c
 loser:
     if (shName != NULL) {
-@@ -310,19 +310,19 @@ loser:
+@@ -311,15 +311,15 @@ loser:
 }
 PRBool
@ -912,96 +912,84 @@ Index: nss/lib/freebl/shvfy.c
 +    return blapi_SHVerifyFile(shName, PR_FALSE, err);
 }
- static PRBool
+ #ifndef NSS_STRICT_INTEGRITY
-blapi_SHVerifyFile(const char *shName, PRBool self)
+@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
-+blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
+     }
 {
     char *checkName = NULL;
     PRFileDesc *checkFD = NULL;
@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P
 #endif
-     PRBool result = PR_FALSE; /* if anything goes wrong,
+     static PRBool
-                   * the signature does not verify */
+-    blapi_SHVerifyFile(const char *shName, PRBool self)
-+                               * the signature does not verify */
+    blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
-     unsigned char buf[4096];
+     {
-     unsigned char hashBuf[HASH_LENGTH_MAX];
+         char *checkName = NULL;
- 
+         PRFileDesc *checkFD = NULL;
-@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P
+@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
-     /* open the check File */
+         /* open the check File */
-     checkFD = PR_Open(checkName, PR_RDONLY, 0);
+         checkFD = PR_Open(checkName, PR_RDONLY, 0);
-     if (checkFD == NULL) {
+         if (checkFD == NULL) {
-+        if (err) {
+            if (err) {
-+            *err = PORT_GetError();
+                *err = PORT_GetError();
-+        }
+            }
 #ifdef DEBUG_SHVERIFY
-        fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
+-            fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
-                checkName, (int)PR_GetError(), (int)PR_GetOSError());
+-                    checkName, (int)PR_GetError(), (int)PR_GetOSError());
-+        fprintf(stderr, "Failed to open the check file %s: (%d)\n",
+            fprintf(stderr, "Failed to open the check file %s: (%d)\n",
-+                checkName, (int)PORT_GetError());
+                    checkName, (int)PR_GetError());
 #endif /* DEBUG_SHVERIFY */
-         goto loser;
+             goto loser;
-     }
+         }
-    /* read and Verify the headerthe header */
+-        /* read and Verify the headerthe header */
-+    /* read and Verify the header */
+        /* read and Verify the header */
-     bytesRead = PR_Read(checkFD, buf, 12);
+         bytesRead = PR_Read(checkFD, &header, sizeof(header));
-     if (bytesRead != 12) {
+         if (bytesRead != sizeof(header)) {
-         goto loser;
+             goto loser;
-@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P
+@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
-     if (rv != SECSuccess) {
+             goto loser;
-         goto loser;
+         }
     }
 -    /* read the siganture */
 +
 +    /* read the signature */
     rv = readItem(checkFD, &signature);
     if (rv != SECSuccess) {
         goto loser;
@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P
         goto loser;
     }
 -/* open our library file */
 +    /* open our library file */
 #ifdef FREEBL_USE_PRELINK
-     shFD = bl_OpenUnPrelink(shName, &pid);
+         shFD = bl_OpenUnPrelink(shName, &pid);
 #else
-@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P
+@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
 #endif
-     if (shFD == NULL) {
+         if (shFD == NULL) {
 #ifdef DEBUG_SHVERIFY
-        fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
+-            fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
-                shName, (int)PR_GetError(), (int)PR_GetOSError());
+-                    shName, (int)PR_GetError(), (int)PR_GetOSError());
-+        fprintf(stderr, "Failed to open the library file %s: (%d)\n",
+            fprintf(stderr, "Failed to open the library file %s: (%d)\n",
-+                shName, (int)PORT_GetError());
+                    shName, (int)PR_GetError());
 #endif /* DEBUG_SHVERIFY */
-         goto loser;
+             goto loser;
         }
@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
     }
-    /* hash our library file with SHA1 */
+     PRBool
-+    /* hash our library file */
+-    BLAPI_VerifySelf(const char *name)
-     hashcx = hashObj->create();
+    BLAPI_VerifySelf(const char *name, int *err)
-     if (hashcx == NULL) {
+     {
-         goto loser;
+         if (name == NULL) {
-@@ -531,7 +535,7 @@ loser:
+             /*
- }
+@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
          */
             return PR_TRUE;
         }
 -        return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
 +        return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
     }
 #else /* NSS_FIPS_DISABLED */
@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP
     return PR_FALSE;
 }
 PRBool
 -BLAPI_VerifySelf(const char *name)
 +BLAPI_VerifySelf(const char *name, int *err)
 {
-     if (name == NULL) {
+     return PR_FALSE;
         /*
@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name)
          */
         return PR_TRUE;
     }
 -    return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
 +    return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
 }
 #else /* NSS_FIPS_DISABLED */
 Index: nss/lib/softoken/fips.c
 ===================================================================
 --- /dev/null
@ -1066,7 +1054,7 @@ Index: nss/lib/softoken/fipstest.c
 ===================================================================
 --- nss.orig/lib/softoken/fipstest.c
 +++ nss/lib/softoken/fipstest.c
-@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
+@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
     return (SECSuccess);
 }
@ -1394,7 +1382,7 @@ Index: nss/lib/softoken/fipstest.c
 static PRBool sftk_self_tests_ran = PR_FALSE;
 static PRBool sftk_self_tests_success = PR_FALSE;
-@@ -693,7 +1014,6 @@ static void
+@@ -694,7 +1015,6 @@ static void
 sftk_startup_tests(void)
 {
     SECStatus rv;
@ -1402,7 +1390,7 @@ Index: nss/lib/softoken/fipstest.c
     PORT_Assert(!sftk_self_tests_ran);
     PORT_Assert(!sftk_self_tests_success);
-@@ -705,6 +1025,7 @@ sftk_startup_tests(void)
+@@ -706,6 +1026,7 @@ sftk_startup_tests(void)
     if (rv != SECSuccess) {
         return;
     }
@ -1410,7 +1398,7 @@ Index: nss/lib/softoken/fipstest.c
     /* make sure freebl is initialized, or our RSA check
      * may fail. This is normally done at freebl load time, but it's
      * possible we may have shut freebl down without unloading it. */
-@@ -722,12 +1043,21 @@ sftk_startup_tests(void)
+@@ -723,12 +1044,21 @@ sftk_startup_tests(void)
     if (rv != SECSuccess) {
         return;
     }
@ -1436,7 +1424,7 @@ Index: nss/lib/softoken/fipstest.c
     rv = sftk_fips_IKE_PowerUpSelfTests();
     if (rv != SECSuccess) {
         return;
-@@ -759,17 +1089,11 @@ sftk_startup_tests(void)
+@@ -760,17 +1090,11 @@ sftk_startup_tests(void)
 CK_RV
 sftk_FIPSEntryOK()
 {
@ -1500,7 +1488,7 @@ Index: nss/lib/softoken/legacydb/lgfips.c
 ===================================================================
 --- nss.orig/lib/softoken/legacydb/lgfips.c
 +++ nss/lib/softoken/legacydb/lgfips.c
-@@ -90,7 +90,7 @@ lg_startup_tests(void)
+@@ -91,7 +91,7 @@ lg_startup_tests(void)
     /* no self tests required for the legacy db, only the integrity check */
     /* check the integrity of our shared library */
--- a/nss-fips-detect-fips-mode-fixes.patch
+++ b/nss-fips-detect-fips-mode-fixes.patch
@ -8,10 +8,11 @@ commit facacdb9078693d7a4219e84f73ea7b8f977ddc2
 Author: Hans Petter Jansson <hpj@cl.no>
    Patch 32: nss-fips-detect-fips-mode-fixes.patch
-diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
+Index: nss/lib/freebl/nsslowhash.c
--- a/lib/freebl/nsslowhash.c
+===================================================================
-+++ b/lib/freebl/nsslowhash.c
+--- nss.orig/lib/freebl/nsslowhash.c
-@@ -2,10 +2,15 @@
+++ nss/lib/freebl/nsslowhash.c
@@ -2,6 +2,9 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@ -21,13 +22,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
-+
+@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr {
 #include "prtypes.h"
 +#include "prenv.h"
 #include "secerr.h"
 #include "blapi.h"
 #include "hasht.h"
@@ -24,6 +29,23 @@
 };
 #ifndef NSS_FIPS_DISABLED
@ -51,7 +46,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
 static int
 nsslow_GetFIPSEnabled(void)
 {
-@@ -45,6 +67,7 @@
+@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void)
 #endif /* LINUX */
     return 1;
 }
@ -59,7 +54,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
 #endif /* NSS_FIPS_DISABLED */
 static NSSLOWInitContext dummyContext = { 0 };
-@@ -60,7 +83,7 @@
+@@ -67,7 +88,7 @@ NSSLOW_Init(void)
 #ifndef NSS_FIPS_DISABLED
     /* make sure the FIPS product is installed if we are trying to
      * go into FIPS mode */
@ -68,10 +63,11 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
         if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             post_failed = PR_TRUE;
-diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
+Index: nss/lib/sysinit/nsssysinit.c
--- a/lib/sysinit/nsssysinit.c
+===================================================================
-+++ b/lib/sysinit/nsssysinit.c
+--- nss.orig/lib/sysinit/nsssysinit.c
-@@ -178,16 +178,16 @@
+++ nss/lib/sysinit/nsssysinit.c
@@ -178,16 +178,16 @@ getFIPSMode(void)
     f = fopen("/proc/sys/crypto/fips_enabled", "r");
     if (!f) {
         /* if we don't have a proc flag, fall back to the
--- a/nss-fips-dsa-kat.patch
+++ b/nss-fips-dsa-kat.patch
@ -28,7 +28,7 @@ Index: nss/lib/freebl/fipsfreebl.c
 ===================================================================
 --- nss.orig/lib/freebl/fipsfreebl.c
 +++ nss/lib/freebl/fipsfreebl.c
-@@ -126,11 +126,11 @@ BOOL WINAPI DllMain(
+@@ -127,11 +127,11 @@ DllMain(
 /* FIPS preprocessor directives for DSA.                        */
 #define FIPS_DSA_TYPE siBuffer
--- a/nss-fips-gcm-ctr.patch
+++ b/nss-fips-gcm-ctr.patch
@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c
 ===================================================================
 --- nss.orig/lib/freebl/gcm.c
 +++ nss/lib/freebl/gcm.c
-@@ -532,8 +532,14 @@ struct GCMContextStr {
+@@ -535,8 +535,14 @@ struct GCMContextStr {
     unsigned char tagKey[MAX_BLOCK_SIZE];
     PRBool ctr_context_init;
     gcmIVContext gcm_iv;
@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c
 SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
                           unsigned int ivLen, unsigned int tagBits,
                           const unsigned char *aad, unsigned int aadLen);
-@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u
+@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
         goto loser;
     }
@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c
     /* finally mix in the AAD data */
     rv = gcmHash_Reset(ghash, aad, aadLen);
     if (rv != SECSuccess) {
-@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
         return SECFailure;
     }
@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c
     tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
     if (UINT_MAX - inlen < tagBytes) {
         PORT_SetError(SEC_ERROR_INPUT_LEN);
-@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
         *outlen = 0;
         return SECFailure;
     };
--- a/nss-fips-pairwise-consistency-check.patch
+++ b/nss-fips-pairwise-consistency-check.patch
@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -4822,8 +4822,8 @@ loser:
+@@ -4826,8 +4826,8 @@ loser:
     return crv;
 }
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
-@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
                             (PRUint32)crv);
                 sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
             }
--- a/nss-fips-stricter-dh.patch
+++ b/nss-fips-stricter-dh.patch
@ -4,15 +4,11 @@ Date:   Fri Sep 4 13:41:34 2020 +0200
    Patch 38: nss-fips-stricter-dh.patch
-diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
+Index: nss/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+===================================================================
-+++ b/lib/freebl/dh.c
+--- nss.orig/lib/freebl/dh.c
-@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
+++ nss/lib/freebl/dh.c
- cleanup:
+@@ -449,7 +449,7 @@ cleanup:
     mp_clear(&p);
     return err ? PR_FALSE : PR_TRUE;
 }
 PRBool
 KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
 {
@ -21,10 +17,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
     mp_err err;
     int cmp = 1; /* default is false */
     if (!Y || !prime || !subPrime) {
-         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
         return SECFailure;
     }
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&q) = 0;
     MP_DIGITS(&y) = 0;
     MP_DIGITS(&r) = 0;
@ -49,9 +42,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
     /* compute r = y**q mod p */
     CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
     /* compare to 1 */
-     cmp = mp_cmp_d(&r, 1);
+@@ -476,6 +487,7 @@ cleanup:
 cleanup:
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&y);
     mp_clear(&r);
@ -59,6 +50,3 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
     if (err) {
         MP_TO_SEC_ERROR(err);
         return PR_FALSE;
     }
     return (cmp == 0) ? PR_TRUE : PR_FALSE;
 }
--- a/nss-fips-tests-enable-fips.patch
+++ b/nss-fips-tests-enable-fips.patch
@ -2,7 +2,7 @@ Index: nss/tests/cert/cert.sh
 ===================================================================
 --- nss.orig/tests/cert/cert.sh
 +++ nss/tests/cert/cert.sh
-@@ -1353,6 +1353,11 @@ cert_stresscerts()
+@@ -1350,6 +1350,11 @@ cert_stresscerts()
 ##############################################################################
 cert_fips()
 {
@ -14,7 +14,7 @@ Index: nss/tests/cert/cert.sh
   CERTFAILED=0
   echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
   cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
-@@ -1393,6 +1398,8 @@ MODSCRIPT
+@@ -1390,6 +1395,8 @@ MODSCRIPT
     cert_log "SUCCESS: FIPS passed"
   fi
--- a/nss-fips-tls-allow-md5-prf.patch
+++ b/nss-fips-tls-allow-md5-prf.patch
@ -250,7 +250,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
     SFTKAttribute *att2 = NULL;
     unsigned char *buf;
     SHA1Context *sha;
@ -259,7 +259,7 @@ Index: nss/lib/softoken/pkcs11c.c
     MD2Context *md2;
     CK_ULONG macSize;
     CK_ULONG tmpKeySize;
-@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             }
             sftk_FreeAttribute(att2);
             md5 = MD5_NewContext();
--- a/nss-fips-use-getrandom.patch
+++ b/nss-fips-use-getrandom.patch
@ -12,7 +12,7 @@ Index: nss/coreconf/Linux.mk
 ===================================================================
 --- nss.orig/coreconf/Linux.mk
 +++ nss/coreconf/Linux.mk
-@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro
+@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro
 LDFLAGS	+= -Wl,-z,relro
 endif
@ -90,7 +90,7 @@ Index: nss/lib/freebl/unix_rand.c
 size_t RNG_FileUpdate(const char *fileName, size_t limit);
 /*
-@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file)
+@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file)
 size_t
 RNG_SystemRNG(void *dest, size_t maxLen)
 {
@ -117,7 +117,7 @@ Index: nss/lib/freebl/unix_rand.c
     FILE *file;
     int fd;
     int bytes;
-@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
+@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
         fileBytes = 0;
     }
     return fileBytes;
--- a/nss-fips-use-strong-random-pool.patch
+++ b/nss-fips-use-strong-random-pool.patch
@ -10,9 +10,10 @@ From a7cbf64ba8ac07a4a1fdea91f39da56d86af03bf Mon Sep 17 00:00:00 2001
 nss/lib/freebl/unix_rand.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
-diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
+Index: nss/lib/freebl/unix_rand.c
--- a/lib/freebl/unix_rand.c
+===================================================================
-+++ b/lib/freebl/unix_rand.c
+--- nss.orig/lib/freebl/unix_rand.c
 +++ nss/lib/freebl/unix_rand.c
@@ -24,6 +24,7 @@
 #include "prthread.h"
 #include "prprf.h"
@ -21,7 +22,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
 #ifdef NSS_USE_GETRANDOM
 #  ifndef __NR_getrandom
-@@ -779,7 +780,7 @@
+@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void)
     }
     /* grab some data from system's PRNG before any other files. */
@ -30,7 +31,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
     if (!bytes) {
         PORT_SetError(SEC_ERROR_NEED_RANDOM);
     }
-@@ -909,7 +910,8 @@
+@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen)
     int ret;
     do {
@ -40,7 +41,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
         if (0 < ret)
             inBytes += ret;
-@@ -929,7 +931,7 @@
+@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
     size_t fileBytes = 0;
     unsigned char *buffer = dest;
--- a/nss-fips-zeroization.patch
+++ b/nss-fips-zeroization.patch
@ -92,7 +92,7 @@ Index: nss/lib/freebl/dh.c
 ===================================================================
 --- nss.orig/lib/freebl/dh.c
 +++ nss/lib/freebl/dh.c
-@@ -193,6 +193,10 @@ cleanup:
+@@ -192,6 +192,10 @@ cleanup:
         rv = SECFailure;
     }
     if (rv) {
@ -107,7 +107,7 @@ Index: nss/lib/freebl/ec.c
 ===================================================================
 --- nss.orig/lib/freebl/ec.c
 +++ nss/lib/freebl/ec.c
-@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
+@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
     ECParams *ecParams = NULL;
     SECItem pointC = { siBuffer, NULL, 0 };
     int slen;       /* length in bytes of a half signature (r or s) */
@ -175,7 +175,7 @@ Index: nss/lib/freebl/gcm.c
     return SECSuccess;
 }
 #endif /* HAVE_INT128_SUPPORT */
-@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
+@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
     /* verify the block */
     rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
     if (rv != SECSuccess) {
@ -191,7 +191,7 @@ Index: nss/lib/freebl/gcm.c
     }
     /* Don't decrypt if we can't authenticate the encrypted data!
      * This assumes that if tagBits is not a multiple of 8, intag will
-@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
+@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
         PORT_SetError(SEC_ERROR_BAD_DATA);
--- a/nss-opt.patch
+++ b/nss-opt.patch
@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
 ===================================================================
 --- nss.orig/coreconf/Linux.mk
 +++ nss/coreconf/Linux.mk
-@@ -113,11 +113,7 @@ LIBC_TAG		= _glibc
+@@ -114,11 +114,7 @@ LIBC_TAG		= _glibc
 endif
 ifdef BUILD_OPT