From 333228d97234b4b9d6bd361a6ab846ce5ceeb8c8 Mon Sep 17 00:00:00 2001
From: Renbo <rb01097748@alibaba-inc.com>
Date: Fri, 28 Jun 2024 10:56:28 +0800
Subject: [PATCH 1/3] update to nss-3.90.0-7.src.rpm

Signed-off-by: Renbo <rb01097748@alibaba-inc.com>
---
 NameConstraints_Certs.tar             | Bin 0 -> 51200 bytes
 blinding_ct.patch                     | 949 ++++++++++++++++++++++++++
 dist                                  |   2 +-
 fips_algorithms.h                     |  88 ++-
 nss-3.71-fix-lto-gtests.patch         |  26 +
 nss-3.90-aes-gmc-indicator.patch      |  42 ++
 nss-3.90-dh-test-update.patch         |  90 +++
 nss-3.90-ecdsa-sign-padding-fix.patch | 335 +++++++++
 nss-3.90-extend-db-dump-time.patch    |  12 +
 nss-3.90-fips-indicators.patch        | 190 ++++++
 nss-3.90-fips-indicators2.patch       | 176 +++++
 nss-3.90-fips-pkcs11-long-hash.patch  |  83 +++
 nss-3.90-fips-safe-memset.patch       | 506 ++++++++++++++
 nss-add-sw.patch                      |  50 --
 nss.spec                              |  71 +-
 15 files changed, 2508 insertions(+), 112 deletions(-)
 create mode 100644 NameConstraints_Certs.tar
 create mode 100644 blinding_ct.patch
 create mode 100644 nss-3.71-fix-lto-gtests.patch
 create mode 100644 nss-3.90-aes-gmc-indicator.patch
 create mode 100644 nss-3.90-dh-test-update.patch
 create mode 100644 nss-3.90-ecdsa-sign-padding-fix.patch
 create mode 100644 nss-3.90-extend-db-dump-time.patch
 create mode 100644 nss-3.90-fips-indicators.patch
 create mode 100644 nss-3.90-fips-indicators2.patch
 create mode 100644 nss-3.90-fips-pkcs11-long-hash.patch
 create mode 100644 nss-3.90-fips-safe-memset.patch
 delete mode 100644 nss-add-sw.patch

diff --git a/NameConstraints_Certs.tar b/NameConstraints_Certs.tar
new file mode 100644
index 0000000000000000000000000000000000000000..377a746411fe7dcca94b78dab46ba78d6e9ca48d
GIT binary patch
literal 51200
zcmeI51yohp_xS1VE+wVo(cRrC-S7ydq(teE4hca(LXhr|5S8w*2@wPY0ZA1JCH{{A
zzoX0y0-`g&^?$6zg7a>jx6i(xz3<-poa+p9a&}^|u{L$MXzj*g26P0qluT@a;`Vk<
z&W<M5cFs=BW+u$L8z4^l0|5PSad1F@{;+a$0>1sbyNQ*Riw%O6gOimNz{bYT2HMWX
z%ErzLK?XSK1&?!_i<7g7BN-Wlqa)Df3ee;q5B<^he?0KNy#e3{We4zs97u<Tf`o#C
zgan|%A<_rR1g@b%LL$RL0L)pD0f=zW=V9Qmq0XzbVgoRD8wl7);wCoM7WR&I)+VfY
z0G!<q;jvK_?Op7gK}tiWX$`#0iUq*f{TvA!QA}C-ygHeZx;iTk0BiR%Xl!Iqi%bKg
zePrUIfV23hZ0rCo04p1SgO#0A7ax`5+vacTg>Txo-yRYc0@^nM0^l10<?9Pk^N9B;
zlW2K18HK!BaAm;77q+;ISNh{=H{f(_+WJ15T}fz4r<Gc~zF-bNZ9IBg^q%jQ^NLJ_
z#WkZZumyt#%I#W<YMM0;jUAOeSDZPApnYEF0d1XEpR=6VX(Bh|wN}Z;C6rn2$mp~S
zV)j>6FD7HB#}1=10WzsvR3qwkG=qYMgn-Nh0GL4ofM^^j0~xq31_=oR0}TZM4?qEl
z^b9r(EC3o3atDCC+d|*n1PS-;7Xl3@H0YZ|Q1z$Q`oa}pX(q(sKM+@Qn~)THIrtF&
zJ_nO=L%UVI#d=74rb?!u``U(6`knT1#VC?@F0$}1F52p7YrhP88o|YO??Qe#`=ye0
zTQ1^ii9nIJ7O)=1GG?zQVCjpRUcq$YaXT+Hb=^!@vg9o53dSsM8sQL+$Me0{%!P?6
zhw|UPAO3&qo%0d+Z*FGo<YZ!FV}BWFeiBQt3;DzN&&drqz<+jjHZCy#e}^st{Ggpd
zHb8%m|Ip}ypAH}c;Ct;G6CkC=iVoW04-)_<<!EAO24qG1gFhhr!>X7#T05~~0MK@K
zK*EMsQDjk<mQeb-2QoISgt)r8?AJClHmt0)IEyGNC4l^YRtFIh569Zl%tXY=(%g>O
z!Is(5-o=&K!g1e5@a)?No;@4!XA>a$O*cW7YTs-jU_*(EvZ4Tx_PPWuWpB@l55V1R
zL1Uv?*xNG$-Ars9Y=FC$@PnlI_S^4T06$1{2+-$9P=1h*5Dj8!S1u^1U<5J0(Q8W(
zmL^CDpkD7uOXpu`snyK4>%7o8nVEM%wk(5rhl+;&Cd<P>6?ogCn5sa9i*godezf&b
z@v>4Rg7Q9OqTRvxTL`fZNHVe^qGL{%BGP7cvw{Q&r$#+i!lm30FL&%f$dhdK$6(Y2
zC?GOyv?5Kl$>(*}S+7RN7Te(%FOz1z>FyO~LQB={O)&~@AR5$uQ+zYA>|D9?<DpE2
zfHMe&O2d^TpP=t`^V9FdEt5Rf=De2r6qZoA!m-Qq1{z%x4?n6hCY07<{<ApY+!y{)
zW#NgVv!nqukc6?2dDn8ktOZ24JTZ;JN2<;7Nd>$ab}-ld^v^~Ju3_H@fea7~6v&19
z(+EM=d@IvkBeW|@hi9(M#VfuWcV58QeTkM@_OS2Kt>%Q$WBg*?@z4S_bK;}_YD>Cw
z&n;8wJC9}gFJkeyM97*GnG1}q@p38XFsZfQoTMtOdca?BCp-ELUd_7vD)jJdO`>Sc
zQWjgg9MkAa<S>UVjxEW)p36jK>!tc7(eJYi*XbE<L^lm(!f<mSLg!x@GpQQT9C~aC
zsmqdKNP=#5*?gj}FyXaj@3fWp^jT#cryQ-qXVvWq=V9n;)A5{$(%*1Xzy4U1DbugP
zcG(d9`syHFnpof~+W-w6(FP*7*H;ba!_-)!HX1Q5R(iRR@W%>Oj9RE{0pLYQeXz>S
z0wOk;xZoC{Ff-tie#gCilxrNB|E4zfW*2`I|5^XSe*im}|3?|WpWO$<e-{w{4gSaf
zl>>L{{~7*^eMSD>lgc6dCjj8>@gMzL{+rp`{?GvA3)ZXJ3Gpju;;iw6vTv(Q4zO!F
zOg1iTQKI3KRVYwZZr5284-#BA#~cdm9=WBirPBXFv7wueXQl$a3#aDuSnIlLKleiX
z1w=icJYij=ZQ(6r1s%l=(svKz%4y-w_;EhUqN|y|g6<(uz1jp!MzAAobB$sxykg+f
zuZhlH$w!?7Dc8`~)mX2Csz$+|qDZlERo<&o9bur3c}@a=<Tc&)34*D)mw53}U^dqo
zVg>otg$gU*Gf{<!XZ6_4m`Ij{m)l)dlo<^Ml8_#hE)ceazvZ@-m9=14mQl|^*$%6L
z-N?H)_QbQ^V@X}j_k9xvoe#9&Z9rG=+914n>7`RN0Q9MHL;3Yof_1N`0Nz15Ho5+f
z7|%hA%JM15&+JGs*`!x>T~%gm(;q2zuXH!|M5E;V7_Mv0))E%;p6SA+Spz~{=0|kX
zeToE}Voy8jJ|hL(g?JN6rDoMcd!F4o;XY+yn7u3oN}fLa*l?~PUzR|a5nASTuW5CB
zAshQ#JHbVVX52zXgv?3gdTZn@i%cuil4gI6{vQACS_2pYSzSQgn}zP`fTd-ug%>VQ
zRMMG<%?Nb@c@vj9)Q#1LgFQ!Z@8OpUQI<BiT9s`+OrBhJ@=1IZIOLXbp+$e-<&9{p
zYu87K{b-eQXtmI%+WFohn=nJ`WhB2%$a}~4%HQtX*3aI!r*!<0`EO?LaOEV<Kd7HS
z^8dNGIS=rkjf;~T%>Ppw;zLgZ;(slO|F{3g|BwG|{(p@T?fd_KHvcnr>PHU|W%1`z
z2De|E8ecY-s1N0?82+4>;!$4GSd_Qo0_>y{DiPy<j@+pP|M<RCyQH~j#g?{LmGKSr
zg|L-1N-tmRna10sUTXc_EQyc!wgsiq8PO?T*!QwikY4b};An~uL%gZ7=^o?k=50?7
z8M$?-#b`-5(OahOwydF5GTjrx&h<k08~0bsyLHKLM^e|%iGAs2p<7Fy?Nx*nZPvIz
zK81j)IHC}~J&E1Oe#WE>CfK!yV$<K2v#nbGd@xG_hRR#4v0(Y~nrOWz89uD|65&sH
z#3floZ!>lq<kX=@#M(c40O5V<4YG|mPX&sYX>y*H<hlS>F8zRY+u2vB*c??U|7=5!
z70KFti140dLO@OmCoaNZ2xL?xjMkA4Uzu3TkZ5DkA%D<rZu-oOhyga0(ag`~_R5@r
zo0V<2W~2Lc6jDzd2zsbR{1<6B>Clmo*ug|1M1)+1B~Def@5q`aDXZ|dcf`oX=!Nvo
zjZdu_Jmd9_qAk(LsBto-Mu+oCP!<dp*Ip0|R)>%s)1MfTLwpYRx-a9x@^Y3Qg92pt
z;^j<z^1)T(jm@Uf=dCRR&qw3s&*HIhA;u0WAzLZq&CqSoz7K3%Ng8l<Pt@vmpbCtr
zLM2WchI<f$P6e&snph+mBM!|`yyRJw<oZAy?U~Lri{FSlzu(elhbV1d2Nf0AYpIq=
zMfwDphu+yo+jtcI+nN1b2H;2hXJbFee^yRTu>XIw0sP6mK<rNh{X*@>|Dg`j-}Vr%
z`Z#g_a{$UcpPOVi?!TL1BKu#83208HW^eyZB7l28$iuxC<l+2Z6Y!h6b67?okF4Gz
zR0(g5dLw7pSj6n9?}f)G`nR@S<Zm@gPE}?(_sMe;SgOQT)92gEDx_p7vE3Q8Ttt+3
z*cS*R8qoRjP6BqnPE^Tf?(?!1)j8=5v)N@-3jIl?9_deg3My6xtQom@V3?adpVr50
zBM(o}6-_A%#mNI(x~j56nY=vuME5u<3y}W1i~v4J*k{hdfI@NUpxBom!q+I*@lpju
zH@44irLu+RQYJu#6^PjjpyMJjq`;zjeiANIa?FLzZc2`u1Fj|meJw9MaM@u}ij5o8
zPTj%3!_1niN>J?-xdhiZESYd_Q7f{D|D(3aAa$iY+QW9&H=ngKs0z~%v0NL8Yii}u
zQzeBqGxA}dz7X~0G12PtQP(l7<@I>x^OL#_KK#cL*yH~X62PD=FwoH!Xl`xd3}ie0
zL%<LD58yc9|Fd&&g5&=`9=uc71H^tGP}pO3pZ~ZA`ET<*|9?9FO9CL;vjf<>c0l$U
z#UeXG9@y@bdvg{*vez5jzv&Gb8{jbh56c$fYIA4>6JjL1<^s?U7$rOiRxJ(@m3zS)
zdx?33dL5tc0c0M!%7#Tn)XE|%saox*D&419xRLr!;dgD@UGdi8F<a;?MUXWT#w;an
z_3_o8reAHhP>f-~+@p=BUcQ%aqF5rqi`vwlhz^zA=C2V1@bNH*n4q~iNE+hz8TFL>
zXi!F&`Kqh*)7K&>wIY1^*O9I9F7N>X0K}vYhevM<A_?O}U=y@p-V9X+ClD9BykL!V
zMVyT3TKroi_GaY1u*hc&om=!Aaa)EP!^%V|F}nINMqv{JDxse{=4D+&QLv&zS%)t-
z(4Si{rGprtgI-U5q$tVX(tlfO6-Tedpr-64!h=&#WAG_XD1l@1pZ)at&ki`~|Fd&&
zf$M)xIHJcp48;FN&@cTz@&9+$|9o}(xxRP%xpWV@{XcDm&H#w_xR3KU+-E-&`*Y51
zXc~A}-1=Sv?P&SJUT(!Z{CN?QInX@p-kKrAJ3Xs>SR^gwXB6A9BtF=03F-@Q3{01I
z1vVC{vph;Uo9Fj@eZia4>iHaun%Fs@q;x~d2%ZVYfY0OEi?wH%Ovd9)r}gXe`tE(!
zchy6Ol?`%4iyJn3BB#gyadVtyQY>T-`&R*Of9Lkg?797-0O52&0IDDIH~9?!;~jbc
z?Kk$*#p!DUlp{AY`94Q}yypZO+64>cfDrRaFBngt{tLMD0-S-_adA3Se1ta9S2iKh
z$wFM@r5|E2nRsZ)N}l`88@epUs>eNY)T*|gsT3&+RaMy3Y~exGSL;@Tx7Vr~=Po6R
z4i%S6yzJ=AZ4JLD476-Tm5U~hSo~5{Ji_o;gY)u>^%Vs-jX_U*>Y!r#<EcD&?{6e<
zZ2ohcKL1(Sx&Pw-b8&*>|KAMLFZ&n7em#)?-?Gnt5H<c+iStMO=YfFBuO{#Jg`oR}
z;A@Z{WC&!wGV6y)-k)*p^AjYn_$;S+qw`@fY_=B}8eXvGHbYL}+<-BxPM#f7-Zph6
zf{bNi#JZX~GjsM;X!RA>+&n4^351MQCu3bc2}i1YqKX$h6=?4GX9YPtc|8+L(L2#C
zgX_<{p&XvFuDX2B*4?^lSRg(xT#<AZ=EEukpR44SC(J_x!_tNuqU5LN+LNHQ+a!>;
z(PloXofQX?!;-;g8ljyLj_HA5z8}#~r&!ss;}po&tOsRLLCrrpY(Nw-QdMPzbTi(_
z(-abxH^QLSHan9tCP`0S6({1Io6Y5f&LnJ&1wJvE^UL_#=cZ>`M9VUa2b4T7#|A>t
zN|q_yewxW3Q}NE`MpGmbU18KO(_8R~Pe%gB=0E2z;6G??!1wk4Apf5O%>UCF;ls}Y
z;=eJ7|DF5%7y6I$U-1zBV*=23oq8l}1Z8I{prf**CF{=^f$A#a_i3Eds5{s7#YPBu
zc6Nwo-rLwze!z8@A5kqola*2)Kq9Ydz-=6iggiLx;53BWtgJG;u!X=S{^lcux<V<R
zbArzO3IvtU&#rpD?{+EYvbhksGo#^DhB`%^-Fly}$#)isPTybXN-$Jv1arKQQCkTT
z2?~41T_qo>Y!T(tGXj!wWuFQAwjuMslnB@glZX$@LqfF@`R4XbA$Hl{RB2-h8sA|L
zy_2NZUrdZ<8Cu(h8${NDgR<bl^XVo@d09vZH5u_U>clqmckWm4fZjp*AErJwONvol
z)EK={)UDjisNc3a2I(8C*JGjBn9LVRPhUXO>XT`NK}|_CdD+13a18`+{Wm3WZ2oio
z3jVW$`Ts8|0f_%bApUpk^I!M}{Qs`1@|Wd*zdHQ;`QJaA0EOf6|Ij!O*P(HqcZNe;
z`116h=he>&NYkJM-;jO&4k}2&#s}SbIe@c}gdnMPd0cvy*k<8QD!aZ_ombAQv`a3J
zcsG}Q3%B6ph8=fAOTSp*WL-1qQ!gdkR6&k5#SYQW!5d~!LDPT7^Qd2#{+?!gl2I0l
zj{ZZxh)0^KGOUr94bN6rIqoxYx4k|+{2M-jemw_$Q=2-~Gdg@27GH|XQ#x8?Wo5F&
z0ROEEM~6ym2crGB1(OS5L(_oE`GCiCC7%?AnIYCm@R6sY<UHF&O+4X!RMFeBD_Crv
zwV(TF$fH<CYGP%jA3qvXUd8q@ki0hEO0(T&w3>`;w#qhac(Jp1#GlCT$%X2OI)3wi
zNwdM1J&FX5&Hv-$|A+OTpjp2M`Ogk22?fvpJ<0(7<USz&M}hdizR!Q0gZ%$D;{W^e
zf4`RfaOwhnZx;HntZzC0RS(75YwnYa-8M8kTDUY`ToGc9fk0oE56Q@oC~nImgYyy4
zxRp59p}TNqg2cx>-f?Su(t<Gb#Cue>G#-qu#h}gQ#u2?Viz+q2?LaO(;D@iT&o(#|
z)x5NNtDRAxb6vXT`j})@FRb~7?LGDxfHiK8-dzelWNI0jp?LN^v+zr+eqfrf3aCY#
ze~&Qh-eF(b<<K?!_zpEv-)fVrJM_~a$bhBk^*E){Vg%rbc-vhjZ$)=K{kZ3HtY)%o
zU%0fXs@#L8ylY%nMFq{==rc3uE_(~Q%urr^%v+R;RM(N@EL<(YkyKx*So7pHoIbRn
zAX8Q86%LXx?&Q15LPJSR4FxVgsnOuWk0XIS{vW>ngA>rv73jzcI05?q=*o}ke?Sxe
z5AYwf`~w@9|Hm1}lkN-RKO>0$H}?6@c#!|67jWMT?SGxHyC2$T-!JV1h4zIGaqYjK
zzx(GJ5~e1O|Ep{~jM`-qp^vdJ8Rr1fQ1!7B4W=^>X(;D!srLka>TCI;-lnfg>$2ir
z{2q4)`{AV^Sl_Z*{5;#2J|3z!haR69SG*D-92s##@ROKV=Vgy!)zwIkRB<ujT?zF>
zzM)`k*tWg_6!J4Et|&>~9engNFGjy0jy4hLp%<vMrnzfRY7&-K|FbiHtckOrS{->x
zmMM!@E=C{erV^iLjh)j?o8j-!!J_iB%I`0eT8;4TLkTFwsg@&GU3h7{mMjF5kGkN$
zZL6(op*)*1MC1~~>UY+W)b8yXL5HYTL1IJ;Cz@o*j?s-OgZ4@;)-;P(&|M0ZiF)M5
zL{)7iUX00u_5n&53jUlm9+_x39+wACs%PNi{+kjw2LD-q75`aT56=Gu@gD%@|L@Qk
z5dS4X{4d_;KhwX*f8itZ9~XeVSG|McWbF(*k^vZLopQh$cFFqUQeEy%>oa=R_v2O6
zYUxs&dk)!5WjKp4Nn=&q`si3YZuZ=m0#~WlEv@G+3pbKce2fkpFL#oy-O<`?eeCaW
z*6UfGBp}HjQZRB!vo=;z!$vR4Y`8g0b}HsNWs~9RleUi!`p$|jBtxLNH5J1Ygb8vG
zulXqH?HK?WfYcvTkI!JjfL77?zC7pPvOdQ(4EkemCJecrKv%3-kN$R?$Wfe-cN_E0
z2vxoa&vNQ-`>S>}MEl+H)-s72$|Sf>!;hAX7og%K9MVk48Alf?k~q+$S80a#WynD3
zuC!5fx0=!>YTr9cRtajlSAE19P(r0Ep9rAL?bBK}LzRos5)wGlNyh~G2$YLnILX2V
zNbvj)Wd&d3)Fp5X{-2=of3Leg_WuvA{|4eexc>jt$NKM12;x68i2n)u{Ad36_%Cu~
z{_p1<ps`V9?Co|}kP|ht0?kf2G@M^&&feGnwNaWx%w{3{K*=zaPUrmEru#bx@**j}
zs1grET1hqknf$dGdKavDKS{l1i^r|5DDDYQFfB<bTFO=Jq*fPGb+y>)*yq!Y&SH0z
ziZw&Gq1miqLt77So2?+;-MmxraS<B#kzRyK_Y_`cAjSuMzU{(ZD!Aab{FuVo(|ZEQ
zjwdH0#%mm?Z3=VKqfIQXB||}7v&PIJz4erTwTL5~s~(%PC+s8Q$HWgY@>&D^1DmT;
zqWU`-h5Y!RtuBQZW7v=1?JOG+#9u14w5t&?)W?$4=s>+I^r^ypr7t$TH3ZUKVB=ao
zl)D06hjyX6#HUCO>=2<$!I?}sivlw9+P~8x@Mr&5C2$P>pP=%8Pbxp;KR4H3;y-NQ
z`k&vTQXu~Gf%u=f&wsju{6FP_o9}}_`}y6kK_G5jfb=0o;BV@C{#?n&)Wn(j+iLg2
zqCvIFR<f%4d`Tp7x#nkIxwde>H!GUKxI^>wMlGtddu%e_@;g|}?u7NLkg!|AH`Dut
z1h7}d?uZLYCKX8KZzI%EJF}G;T!5qlAmWJbATy8BWL$uC4tN!&lCml`amM}gAU>ny
zxqF|m$CEqoMD+|EUFU?=iZ;iG+;re#dO3oaPR|z5Q@PD;=X|*NsS!7S_+j`O+cR~R
z=jnCNMS9{?KnpgMBTd4|Oj9O@lFsugXcR!PL}3jY3}O?!3$iW}Lo62!x>O`)E6P7n
z7HhXnJ9sNkg3J0XZrkwlD>!dB%@*B^-SMuYNYQ9SF0JdjzMnDj^Oq*N8a*L>^Xw9d
zVNl+OY^C3#qTq}CLJ1s$|0k&Y-|P5^_z%wi{=!lJ^VHw-9}4o_zia@c4lw}VX9514
zNo-<gzgzHmbpF3J8Q^AoRA_mP(={{VZn>R$DxrMOhWr!MHJa6eC88FyO79rK(YqA_
zZ&ucymZ@jW+#$2x<d!dbRoPpw&k5C4o9AJIIYP;@#isg1nu!7qr^XM{P}eSk(GSNk
z&SEejbpk`&HU{yWUomnVWbP{2X6m3<(ZxK251$8scy|R)kN<9q^j@>?4c-MzlU^Kp
z<E4NiI_XwBGKDQG-QoDaSx##5)Ak*LQV#js<VHH^ScXRCNbf70pPviwf)S5Lh#Beb
zmgmz(5TffL;xg^J{vcRK!G2`OjkX36$v!P*Cz+7rmE=eR+=uX0xjN~dv<AnpNLs*n
zBX>kPTN-WcRft5fKlKRw-~UYs9E1NSsQllP$&dKY%Kg{)52z#vT>tYMR0_m@SCIez
zdf)#SIf(z$Ex7!V`)~C<{eOD4*`Ln`yL!I+d|++o3VLzD;jyA@FJ0+(cxg{y#qyw1
z$dm7)zd=O2qGBMeNe>j!#8x&-#FjGE9<6_4HM#QEXf4D<pyJ`k%RqvnQU)(cLP}Fb
zIp2BcKxSs0(oXvc`utTo*J#s_s9ubM9B2z%rxy~<Yg;<bz-Y0#6)}c^V#Srl$c`+c
zFWVO=vU{y&`qf9J_w0iLK<<yVGC;`!kR1Hb4}OE6O&BynrCq}yZC`q3X`NY{J8j6`
zAYvWj)ysy1>A*`rW$&e3^G0h^g86O6X9s^gJDwJ-<!ho!I2h^pywnV$op*cDlSjoq
zriVUx?e@4bmqqPnT!Zb^ge}31(j37Kjtim@!^4zQEJ3b#o{<?WIk836g!KZM0yZ|q
z?CmH9mof(<e}i&^FY!YO9E1NSsQll%{15s6m-%0y*T8`J|HH96jU7Pz|91YD=)cSV
zU$wpu3hw?hg3+$NvmeO{%<JjVOZNGl(;(`MX+VhM0@A;@)D*73dA?X$^$f(6tynw{
z46)StFM?L4_in^{Tl;Sihk5n@JXw{BJ8f;9pD&!R&$6LZ$G0}uqlt{W<I8`R)|#y8
zMYH@$)n*x$r*Ql^0V8!@4y60Rq=eY<2I{`@eS&lP64JGUsp1B<BJQX6l%R5Thoi5x
zaKJh}m_@=?TsxY`)gi>p!XP^CEWxWUy#>WClV$4~YA)BH#=UOanXz&g7>ICeYWU1O
zkm>cCmQ6krQ)rmGK`{DaA&?7y+<?x*ZIsWJD<9o#h-|QomTxI2>J_dIeL@Oag;9z^
zK*2P$e@HF^&?Ir*OJ1vbz!&_Ka2hx2FFMCD_|N^z>VLTY8vkbp*Z=&Y5&!<QApY;Z
z_hfkA{}=mr`EPN`{{Nqu;$1!GI8v$5%L>an$jVjdAzQ*Bn9oKgL8*cYn`lF~-e)sC
z&W<Y<pt}`(orvA5j*duu^`>?4bR?3XsShz8P{IW5!9`-2)X(}|f<Cs^DjX|M8|nEk
z%&C$+Qr0Wr8uFkHMoa5^-+aE#m9L!W^SFY8SHv?)&QA@~9$~}D*f-3oCTcIr56bUx
zUk)GxAlO~a2NMRA_wYmgzW+b#`wv2FK-*45+&mAzs3SCG!b}$3afk1^<<KI@m=jdv
zQq2}3qe~4Aoh3sLX(A@Xbp3SfYy;ZIk4Vge1T~|m(qnO*3B@Y8N@cRWGb9K)vYL?R
zh?wOjJ3etkyP~^mL#IDnNXw0)lAzPV7*%8p<S1I8DagJM%!#45v=%ayb}#yS9R#=j
zJqa9x|0l)&5$1m#T>k+yBMhAX{VhrX;{SCJ|2OvePkWI6zjx-<_wk|qd0=1D!=QO!
zz*Dvle^!$2-Uml|ENHLFf0J4JZn+eZ&eT8)b{Q~)lz|7#A)b6u6H5Fs&0R!cBum6*
zGXJJ#M|U(}sH$J#J#F9hi6`f?B6VXK&k!)Qay!?cXAxe_WhOB;lo%1u;4-;dCcWwP
zfSD9dx1`2639lX=^5tu)I~S}?7O)#rzr2JUf0US0x6L$A^6)+Ko_W}v0QSck&zQSw
zJo}-1*ZrTh4&)SV!izKh{QVzeblQj?uhOVkwY->KUASRluySJ+I;tBhbAd+u+(gzH
z7h}yXl9gAb`f8oaQEl=@XW7OcG;L`5XRY^GNUvn#n9dDrmJ)YcM*B2~G2e#dMQ3}%
z=vs|#ZUjrAP{{&&{fSA)yNS!Zw@Rhzq7|IpT_aR{XqZ3$TNEFBkv}AGbpD^X{PV~B
z2fgg;`}Kcz-vbPe|NjmZ1@Ye-#Q&Lps{i?K@&8w?Mu&p)ZG7lRcHrUNj5LOd+NuB`
z>5NF9+4VwkS|cyQXOw&;cJ~y{-)ijZO;Fv5A5YhPkHSP&Kj54e$DTbOb91HpT>tYA
zTTO81)-M@Y&<CDrFQP^WZO&^#-+JzvAEPjcIjITrR*$U8#PSPu=Z1;7X86b3sxF$*
zOlY2{komD1&hyeExS_5FrxzaLn0Dm31RbNzn8_sGimSfbw=x+t9@Ap2sCEW_Qh3OK
z-HQ8@a29<!7KQY9sjG!Wynr0DwYO(HQ4b8+HSPGe^lhhC{s?L~N(8qVcFLU_^JQex
zv-D6XJ7KP^rC8L&xWJb-``za^#pa|4`tY*6%Kp}>z12-fjI1a49$$zmwSR}2gRk)q
z5;!{lPh9@_WB!ARJ^#XgaQ**3jM(XZe8B&w|Nq+m-+vYGp%V$xHcBbfH3{pe+YKKY
z(Jf)C49>#>*zI-SF(iAm#e`94=T7Ofjn8GuncKP<H#*QMhfeg+_+uutEODZ}s0;7K
zJ)hvJL5)oi74tw>8joVcDpbO_>{S#7=oKpLCa>FbeXdh=J&_X8MR$oBGZQ9T?|TdE
z->k}LSBq0+iqI>*c!>Z1wfjHo|K9*4M_=n(%o7mu$q|0it`^ZGFy{IMZnoI;xqRow
z<aW!`>2}HYkJd3E?$@{Bib={?Rmc%!eKrhG>nOPIpXOqfJB(1Ul9Fwulfb(p5Q7ri
zh%vTWAMJku-lGJFrU3P!A&kD>^@Bv`xk(l>#cNiqDiBDW*z{|ia|v`(++O^rtKs0Y
z9VUUJ^Z&%<pGV;T!S$cn*f_xc|6#*+YTH2kj|KVvoBRGh+d=;Ss*Ei5KfH0}M-iZ3
zn;~F3lIuTMA|u$Zc6E_u-5INJ+;mVZh`Sfghiam4AXI@gq(1YZ=u|Lgv)Bz=E+V$a
z?el1t(nc%nA>y)GugsA?gZEM;))0cYN5hyPgl$QvjKVXTo#?>X>^N4GK$=e8lj(-f
zQImRSrghjesks*@bQ_^ONIu_zP`(_7K1P1~#cjvKOu*Ojrk^zd*RX=DFVZx6TJky0
zcv%nj=3Yux&<~n)za$yiQga<1#ZP6a|6@Qopfck=pqR2{?t&v+(SxX%kLQ+A3P!J9
zY@tR=YQj@C$hTqRB{!hyiiKywB=)>f+`DY|m}z<H3jm&!gFai~uC&SkTjv@(53<c&
zZ-pMFamt~k0MWMID=ep`-{2D+E`g)-|HS2=KjuH+FZo|K4sibW@PRv}tswsUf%reS
z&wuv+I{$x_J^H>v=xBDJ%BzIeWmzMRf5+CRFs%RzVU&dqHgkw(l=;?uyB^)QZ!x{P
zU%l}A0vsvKt|J^8!e&T_;&xaQDiidkEsapPx)_8-%$M}}K}fGwGnY$>t8(=Ut1*%y
z7ArSoPi8!RWbNn-?86ZTgRUTQb9bYmj#>1ShM+MFe$uilyp+rGw@)twBr2YS_b}rF
z-p*z}*<{<9=}V(VY74X}??|pL>jo=AUDr(>&bdx~-=*KM%BQK-eI_>}*1`*^2bd(L
z#Csm&azEySRyTt=)4psSO)?tk?rUL=#IBihv08JprX5>PXu@VLKg=~{)=Z^lOmyfn
z56ITIOIf@vfh*MbFg1)Fb6n??lo@=QV@u%Z{6BH|=a2c%_BZ}NIRAU>u{_BE2mF7I
z|2qGFwg3M$hH}{a;nF}ypUYBdO@2Jni^Mk*xNFu?*Cr=1jP4te&BKV9Rf}STKYOF8
z|8h8$pI5{$u$P(wH;^Etb=yNS&!NTit+Tq=?d{N=8Dq<vS@XEmbU>@~m8{g>KpAer
zQi#Xus5^@zB#9GOlo)TlZ{%uWF&|cHA`oG&y=AwPst(6Hp*ZpzLO>}+S$A_rY{RJ9
z=A|=}Qkq~UXl`Xnd3?mTC)SI~d}XI5l0NUNw@nv4sEHQat01sO2>qC1>k=#Ab2M*$
zE4-!tz1n9=FfI=?QN^@x_**+)y){c}K&&4u;q+;WNL)#_JRR$Chm)i>g-Zr8j-aA&
zNkHuj_$mIpsI`YfULyp!CsAeaF(;6~(fNPk^3NagpB3<z`Cq%Qga^<6I>C4z_Ye^O
zg+Ts)&OhaUf8Y9_D&N=keD|h-?`Qt*w~(=+LF<3A{yE3%IBP)U&l0$FlW?w(L#GM0
zW<9nQOUlQxdy(-<yq()1K)uCj83qkS9M8Ku@0Quc8y~1{%%v|4sq6%LrD`x+lH(2o
z3vb10B&FEEbG9lw@osULp~EH@`OH7nj#uiycXbs!(|z;K^|78uv4+eHi|J(Uwr`d#
zczEBsCZlXTMiNxMgL!(syLDIc2l8-4oll|ng>#>_wr|ij6MI8f)f9^?NPc`}U~XU5
z;<bK$20(E?+#&~}8{-bLZ`q5ve5&P^vw_}GnEaE@qt~UgCbjGz-&rX{dnr3NTaY{_
zm=o$9qU+Pl2}?4c9<_?BG~;<*byf1^5Ic%cg%uLELmK)8T0i|*Nh+G-Y8-g~|B?ib
z&VQa?R{seAz3l5?{+9#H|KFk}ApQeD{7>BH|6lUIzmNZ7N9O;@h~HCN7b}5oO663O
za&DMw?E@O^{hcQhkFKVhexT@T!EUaA3(cc`-H_ji@MSyV%M9btoWIJQY>4?NS>+B+
zI7;-pbyd*R_kwA@T)UW2JmTcB5$Lg_PC;nz<3kgKohPG@cv08irqbITfTzaVNdd1=
z=;xNv*aF0{Q;X`vQdAx|J>tj4i;)fxPMjMk6^|0Rf^{Er`|R_Q7RLS}z5C8>5OQZB
zVpDFzdYqdEzU5OKye(x?8w%9*b7LE?l@P;JcIY32q3JEZy>)I72TRTEq2}~3ozktD
z5WVmm4xgvo<~=zz&#Ju$qMx=9aKwF1;@KX%yBw11N*($rG_b(5GOMR!;I}9y_#(eW
z0!QaR@2}%O$KS+%xWWGa?@#~`|0zNI58vlM!@>B^@8dt`_x%6f<v$tnO9XQSOBWud
zgtM@lM=uV?ITy@G2w0guyzSd5s%F;}RrkrNOGazFj4o>{)V_~@TVd`3v&Hx(MXi+A
zy+?V*D%;C|M0i=|vrJ#Q92_>e-4pt96g2sQZ%YVfQ(u{))4L|r@Zs|64o<n=GSk2m
zTu<2@#R=#}MSKY3g)Iwl_BW@8e6pU%YJ23^*GaObd2!sW=0rsETkyy%lNUptbZQE;
z0`G^jir#y}I?#r#{XvHVMn+d#QG)nELFe2`yd2S0LxTBA)oUsS>!SV=JZ(8Hwn((l
zY~fxag!*anmh7mPI5j6c>PbIR%gOLpg(#dAxlfKvA1+s1OCIoYWSTVTNqocaP(|=H
zz!CsU04xEp1i%siO8_hZumr#o080QY0k8zX5&%m8ECH|tz!CsU04xEp1i%siO8_hZ
cumr#o080QY0k8zX5&%m8ECH|tP9TB*2MuDE?EnA(

literal 0
HcmV?d00001

diff --git a/blinding_ct.patch b/blinding_ct.patch
new file mode 100644
index 0000000..8d338a1
--- /dev/null
+++ b/blinding_ct.patch
@@ -0,0 +1,949 @@
+diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
+--- a/lib/freebl/mpi/mpi-priv.h
++++ b/lib/freebl/mpi/mpi-priv.h
+@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
+ void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
+                                   mp_digit b, mp_digit *c);
+ 
+ #endif
+ 
+ void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
+                                        mp_size a_len, mp_digit b,
+                                        mp_digit *c);
++void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
++                                       mp_size a_len, mp_digit b,
++                                       mp_digit *c, mp_size c_len);
+ void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
+                                      mp_size a_len,
+                                      mp_digit *sqrs);
+ 
+ mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
+                                     mp_digit divisor, mp_digit *quot, mp_digit *rem);
+ 
+ /* c += a * b * (MP_RADIX ** offset);  */
+diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
+--- a/lib/freebl/mpi/mpi.c
++++ b/lib/freebl/mpi/mpi.c
+@@ -5,16 +5,18 @@
+  *
+  * This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #include "mpi-priv.h"
+ #include "mplogic.h"
+ 
++#include <assert.h>
++
+ #if defined(__arm__) && \
+     ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
+ /* 16-bit thumb or ARM v3 doesn't work inlined assember version */
+ #undef MP_ASSEMBLY_MULTIPLY
+ #undef MP_ASSEMBLY_SQUARE
+ #endif
+ 
+ #if MP_LOGTAB
+@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
+ 
+ CLEANUP:
+     return res;
+ 
+ } /* end mp_sub() */
+ 
+ /* }}} */
+ 
+-/* {{{ mp_mul(a, b, c) */
++/* {{{ s_mp_mulg(a, b, c) */
+ 
+ /*
+-  mp_mul(a, b, c)
+-
+-  Compute c = a * b.  All parameters may be identical.
++  s_mp_mulg(a, b, c)
++
++  Compute c = a * b.  All parameters may be identical. if constantTime is set,
++  then the operations are done in constant time. The original is mostly
++  constant time as long as s_mpv_mul_d_add() is constant time. This is true
++  of the x86 assembler, as well as the current c code.
+  */
+ mp_err
+-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
++s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
+ {
+     mp_digit *pb;
+     mp_int tmp;
+     mp_err res;
+     mp_size ib;
+     mp_size useda, usedb;
+ 
+     ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
+@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
+     }
+ 
+     MP_USED(c) = 1;
+     MP_DIGIT(c, 0) = 0;
+     if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
+         goto CLEANUP;
+ 
+ #ifdef NSS_USE_COMBA
+-    if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
++    /* comba isn't constant time because it clamps! If we cared
++     * (we needed a constant time version of multiply that was 'faster'
++     * we could easily pass constantTime down to the comba code and
++     * get it to skip the clamp... but here are assembler versions
++     * which add comba to platforms that can't compile the normal
++     * comba's imbedded assembler which would also need to change, so
++     * for now we just skip comba when we are running constant time. */
++    if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
+         if (MP_USED(a) == 4) {
+             s_mp_mul_comba_4(a, b, c);
+             goto CLEANUP;
+         }
+         if (MP_USED(a) == 8) {
+             s_mp_mul_comba_8(a, b, c);
+             goto CLEANUP;
+         }
+@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
+ 
+     /* Outer loop:  Digits of b */
+     useda = MP_USED(a);
+     usedb = MP_USED(b);
+     for (ib = 1; ib < usedb; ib++) {
+         mp_digit b_i = *pb++;
+ 
+         /* Inner product:  Digits of a */
+-        if (b_i)
++        if (constantTime || b_i)
+             s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
+         else
+             MP_DIGIT(c, ib + useda) = b_i;
+     }
+ 
+-    s_mp_clamp(c);
++    if (!constantTime) {
++        s_mp_clamp(c);
++    }
+ 
+     if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
+         SIGN(c) = ZPOS;
+     else
+         SIGN(c) = NEG;
+ 
+ CLEANUP:
+     mp_clear(&tmp);
+     return res;
++} /* end smp_mulg() */
++
++/* }}} */
++
++/* {{{ mp_mul(a, b, c) */
++
++/*
++  mp_mul(a, b, c)
++
++  Compute c = a * b.  All parameters may be identical.
++ */
++
++mp_err
++mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
++{
++    return s_mp_mulg(a, b, c, 0);
+ } /* end mp_mul() */
+ 
+ /* }}} */
+ 
++/* {{{ mp_mulCT(a, b, c) */
++
++/*
++  mp_mulCT(a, b, c)
++
++  Compute c = a * b. In constant time. Parameters may not be identical.
++  NOTE: a and b may be modified.
++ */
++
++mp_err
++mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
++{
++    mp_err res;
++
++    /* make the multiply values fixed length so multiply
++     * doesn't leak the length. at this point all the
++     * values are blinded, but once we finish we want the
++     * output size to be hidden (so no clamping the out put) */
++    MP_CHECKOK(s_mp_pad(a, setSize));
++    MP_CHECKOK(s_mp_pad(b, setSize));
++    MP_CHECKOK(s_mp_pad(c, 2*setSize));
++    MP_CHECKOK(s_mp_mulg(a, b, c, 1));
++CLEANUP:
++    return res;
++} /* end mp_mulCT() */
++
++/* }}} */
++
+ /* {{{ mp_sqr(a, sqr) */
+ 
+ #if MP_SQUARE
+ /*
+   Computes the square of a.  This can be done more
+   efficiently than a general multiplication, because many of the
+   computation steps are redundant when squaring.  The inner product
+   step is a bit more complicated, but we save a fair number of
+@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
+     }
+ 
+     return MP_OKAY;
+ 
+ } /* end mp_mod() */
+ 
+ /* }}} */
+ 
++/* {{{ s_mp_subCT_d(a, b, borrow, c) */
++
++/*
++  s_mp_subCT_d(a, b, borrow, c)
++
++  Compute c = (a -b) - subtract in constant time. returns borrow
++ */
++mp_digit
++s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
++    mp_digit borrow1, borrow2, t;
++#ifdef MP_COMPILER_USES_CARRY
++    /* while it doesn't look constant-time, this is idiomatic code
++     * to tell compilers to use the carry bit from subtraction */
++    t = a - borrow;
++    if (t > a) {
++        borrow1 = 1;
++    } else {
++        borrow1 = 0;
++    }
++    *ret = t - b;
++    if (*ret > t) {
++        borrow2 = 1;
++    } else {
++        borrow2 = 0;
++    }
++#else
++    mp_digit bitr, bitb, nbitt;
++    /* this is constant time independent of compilier */
++    t = a - borrow;
++    borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
++    *ret = t - b;
++    bitb = b >> (MP_DIGIT_BIT-1);
++    bitr = *ret >> (MP_DIGIT_BIT-1);
++    nbitt = (~t) >> (MP_DIGIT_BIT-1);
++    borrow2  = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
++#endif
++    /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
++     * the overall borrow is 1, so use | here */
++    return borrow1 | borrow2;
++} /*  s_mp_subCT_d() */
++
++/* }}} */
++
++/* {{{ mp_subCT(a, b, ret, borrow) */
++
++/* return ret= a - b and borrow in borrow. done in constant time.
++ * b could be modified.
++ */
++mp_err
++mp_subCT(const mp_int *a,  mp_int *b, mp_int *ret, mp_digit *borrow)
++{
++    mp_size used_a = MP_USED(a);
++    mp_size i;
++    mp_err res;
++
++    MP_CHECKOK(s_mp_pad(b, used_a));
++    MP_CHECKOK(s_mp_pad(ret, used_a));
++    *borrow = 0;
++    for (i=0; i < used_a; i++) {
++        *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
++                               &MP_DIGIT(ret,i));
++    }
++
++    res = MP_OKAY;
++CLEANUP:
++    return res;
++} /*  end mp_subCT() */
++
++/* }}} */
++
++/* {{{ mp_selectCT(cond, a, b, ret) */
++
++/*
++ * return ret= cond ? a : b; cond should be either 0 or 1
++ */
++mp_err
++mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
++{
++    mp_size used_a = MP_USED(a);
++    mp_err res;
++    mp_size i;
++
++    cond *= MP_DIGIT_MAX;
++
++    /* we currently require these to be equal on input,
++     * we could use pad to extend one of them, but that might
++     * leak data as it wouldn't be constant time */
++    assert(used_a == MP_USED(b));
++
++    MP_CHECKOK(s_mp_pad(ret, used_a));
++    for (i=0; i < used_a; i++) {
++        MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
++    }
++    res = MP_OKAY;
++CLEANUP:
++    return res;
++} /* end mp_selectCT() */
++
++
++/* {{{ mp_reduceCT(a, m, c) */
++
++/*
++  mp_reduceCT(a, m, c)
++
++  Compute c = aR^-1 (mod m) in constant time.
++   input should be in montgomery form. If input is the
++   result of a montgomery multiply then out put will be
++   in mongomery form.
++   Result will be reduced to MP_USED(m), but not be
++   clamped.
++ */
++
++mp_err
++mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
++{
++    mp_size used_m = MP_USED(m);
++    mp_size used_c = used_m*2+1;
++    mp_digit *m_digits, *c_digits;
++    mp_size i;
++    mp_digit borrow, carry;
++    mp_err res;
++    mp_int sub;
++
++    MP_DIGITS(&sub) = 0;
++    MP_CHECKOK(mp_init_size(&sub,used_m));
++
++    if (a != c) {
++        MP_CHECKOK(mp_copy(a, c));
++    }
++    MP_CHECKOK(s_mp_pad(c, used_c));
++    m_digits = MP_DIGITS(m);
++    c_digits = MP_DIGITS(c);
++    for (i=0; i < used_m; i++) {
++        mp_digit m_i = MP_DIGIT(c,i)*n0i;
++        s_mpv_mul_d_add_propCT(m_digits, used_m,  m_i, c_digits++, used_c--);
++    }
++    s_mp_rshd(c, used_m);
++    /* MP_USED(c) should be used_m+1 with the high word being any carry
++     * from the previous multiply, save that carry and drop the high
++     * word for the substraction below */
++    carry = MP_DIGIT(c,used_m);
++    MP_DIGIT(c,used_m) = 0;
++    MP_USED(c) = used_m;
++    /* mp_subCT wants c and m to be the same size, we've already
++     * guarrenteed that in the previous statement, so mp_subCT won't actually
++     * modify m, so it's safe to recast */
++    MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
++
++    /* we return c-m if c >= m no borrow or there was a borrow and a carry */
++    MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
++    res = MP_OKAY;
++CLEANUP:
++    mp_clear(&sub);
++    return res;
++}  /* end mp_reduceCT() */
++
++/* }}} */
++
+ /* {{{ mp_mod_d(a, d, c) */
+ 
+ /*
+   mp_mod_d(a, d, c)
+ 
+   Compute c = a (mod d).  Result will always be 0 <= c < d
+  */
+ mp_err
+@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int 
+     if ((res = mp_mod(c, m, c)) != MP_OKAY)
+         return res;
+ 
+     return MP_OKAY;
+ }
+ 
+ /* }}} */
+ 
++/* {{{ mp_mulmontmodCT(a, b, m, c) */
++
++/*
++  mp_mulmontmodCT(a, b, m, c)
++
++  Compute c = (a * b) mod m in constant time wrt a and b. either a or b
++  should be in montgomery form and the output is native. If both a and b
++  are in montgomery form, then the output will also be in montgomery form
++  and can be recovered with an mp_reduceCT call.
++  NOTE: a and b may be modified.
++ */
++
++mp_err
++mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
++                mp_int *c)
++{
++    mp_err res;
++
++    ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
++
++    if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
++        return res;
++
++    if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
++        return res;
++
++    return MP_OKAY;
++}
++
++/* }}} */
++
+ /* {{{ mp_sqrmod(a, m, c) */
+ 
+ #if MP_SQUARE
+ mp_err
+ mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
+ {
+     mp_err res;
+ 
+@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
+     {                                                              \
+         mp_digit a0b1, a1b0;                                       \
+         Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX);   \
+         Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
+         a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
+         a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
+         a1b0 += a0b1;                                              \
+         Phi += a1b0 >> MP_HALF_DIGIT_BIT;                          \
+-        if (a1b0 < a0b1)                                           \
+-            Phi += MP_HALF_RADIX;                                  \
++        Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT;     \
+         a1b0 <<= MP_HALF_DIGIT_BIT;                                \
+         Plo += a1b0;                                               \
+-        if (Plo < a1b0)                                            \
+-            ++Phi;                                                 \
++        Phi += MP_CT_LTU(Plo, a1b0);                                          \
+     }
+ #endif
+ 
++/* Constant time version of s_mpv_mul_d_add_prop.
++ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
++/* c += a * b */
++void
++s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
++                       mp_digit *c, mp_size c_len)
++{
++#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
++    mp_digit d = 0;
++
++    c_len -= a_len;
++    /* Inner product:  Digits of a */
++    while (a_len--) {
++        mp_word w = ((mp_word)b * *a++) + *c + d;
++        *c++ = ACCUM(w);
++        d = CARRYOUT(w);
++    }
++
++    /* propagate the carry to the end, even if carry is zero */
++    while (c_len--) {
++        mp_word w = (mp_word)*c + d;
++        *c++ = ACCUM(w);
++        d = CARRYOUT(w);
++    }
++#else
++    mp_digit carry = 0;
++    c_len -= a_len;
++    while (a_len--) {
++        mp_digit a_i = *a++;
++        mp_digit a0b0, a1b1;
++        MP_MUL_DxD(a_i, b, a1b1, a0b0);
++
++        a0b0 += carry;
++        a1b1 += MP_CT_LTU(a0b0, carry);
++        a0b0 += a_i = *c;
++        a1b1 += MP_CT_LTU(a0b0, a_i);
++
++        *c++ = a0b0;
++        carry = a1b1;
++    }
++    /* propagate the carry to the end, even if carry is zero */
++    while (c_len--) {
++        mp_digit c_i = *c;
++        carry += c_i;
++        *c++ = carry;
++        carry = MP_CT_LTU(carry, c_i);
++    }
++#endif
++}
++
+ #if !defined(MP_ASSEMBLY_MULTIPLY)
+ /* c = a * b */
+ void
+ s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
+ {
+ #if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+     mp_digit d = 0;
+ 
+@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
+     mp_digit carry = 0;
+     while (a_len--) {
+         mp_digit a_i = *a++;
+         mp_digit a0b0, a1b1;
+ 
+         MP_MUL_DxD(a_i, b, a1b1, a0b0);
+ 
+         a0b0 += carry;
+-        if (a0b0 < carry)
+-            ++a1b1;
++        a1b1 += a0b0 < carry;
+         *c++ = a0b0;
+         carry = a1b1;
+     }
+     *c = carry;
+ #endif
+ }
+ 
+ /* c += a * b */
+@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
+     mp_digit carry = 0;
+     while (a_len--) {
+         mp_digit a_i = *a++;
+         mp_digit a0b0, a1b1;
+ 
+         MP_MUL_DxD(a_i, b, a1b1, a0b0);
+ 
+         a0b0 += carry;
+-        if (a0b0 < carry)
+-            ++a1b1;
++        a1b1 += (a0b0 < carry);
+         a0b0 += a_i = *c;
+-        if (a0b0 < a_i)
+-            ++a1b1;
++        a1b1 += (a0b0 < a_i);
+         *c++ = a0b0;
+         carry = a1b1;
+     }
+     *c = carry;
+ #endif
+ }
+ 
+ /* Presently, this is only used by the Montgomery arithmetic code. */
+diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
+--- a/lib/freebl/mpi/mpi.h
++++ b/lib/freebl/mpi/mpi.h
+@@ -145,16 +145,54 @@ typedef int mp_sword;
+ #define MP_USED(MP) ((MP)->used)
+ #define MP_ALLOC(MP) ((MP)->alloc)
+ #define MP_DIGITS(MP) ((MP)->dp)
+ #define MP_DIGIT(MP, N) (MP)->dp[(N)]
+ 
+ /* This defines the maximum I/O base (minimum is 2)   */
+ #define MP_MAX_RADIX 64
+ 
++/* Constant Time Macros on mp_digits */
++#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
++
++/* basic zero and non zero tests */
++#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
++#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
++
++
++/* basic constant-time helper macro for equalities and inequalities.
++ * The inequalities will produce incorrect results if
++ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
++ * within the range 0-MP_DIGIT_MAX/2. */
++#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
++#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
++#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
++#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
++#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
++#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
++#define MP_CT_TRUE ((mp_digit)1)
++#define MP_CT_FALSE ((mp_digit)0)
++
++/* use constant time result to select a boolean value */
++#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
++
++/* full inequalities that work with full mp_digit values */
++#define MP_CT_OVERFLOW(a,b,c,d) \
++        MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
++                  (MP_CT_HIGH_TO_LOW(d)),c)
++#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
++#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
++#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
++#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
++#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
++#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
++#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
++#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
++
++
+ typedef struct {
+     mp_sign sign;  /* sign of this quantity      */
+     mp_size alloc; /* how many digits allocated  */
+     mp_size used;  /* how many digits used       */
+     mp_digit *dp;  /* the digits themselves      */
+ } mp_int;
+ 
+ /* Default precision       */
+@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
+ 
+ /* Sign manipulations      */
+ mp_err mp_abs(const mp_int *a, mp_int *b);
+ mp_err mp_neg(const mp_int *a, mp_int *b);
+ 
+ /* Full arithmetic         */
+ mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
+ mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
++mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
+ mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
++mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
+ #if MP_SQUARE
+ mp_err mp_sqr(const mp_int *a, mp_int *b);
+ #else
+ #define mp_sqr(a, b) mp_mul(a, a, b)
+ #endif
+ mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
+ mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
+ mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
+@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const 
+ mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
+ #else
+ #define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
+ #endif
+ mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
+ mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
+ #endif /* MP_MODARITH */
+ 
++/* montgomery math */
++mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
++mp_digit mp_calculate_mont_n0i(const mp_int *N);
++mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
++mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
++
+ /* Comparisons             */
+ int mp_cmp_z(const mp_int *a);
+ int mp_cmp_d(const mp_int *a, mp_digit d);
+ int mp_cmp(const mp_int *a, const mp_int *b);
+ int mp_cmp_mag(const mp_int *a, const mp_int *b);
+ int mp_isodd(const mp_int *a);
+ int mp_iseven(const mp_int *a);
++mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
+ 
+ /* Number theoretic        */
+ mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
+ mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
+ mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
+ mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
+ mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
+ 
+diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
+--- a/lib/freebl/mpi/mpmontg.c
++++ b/lib/freebl/mpi/mpmontg.c
+@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
+     }
+     res = MP_OKAY;
+ 
+ CLEANUP:
+     return res;
+ }
+ #endif
+ 
+-STATIC
+ mp_err
+-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
++mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
+ {
+     mp_err res;
+ 
+     /* xMont = x * R mod N   where  N is modulus */
+-    MP_CHECKOK(mp_copy(x, xMont));
+-    MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
+-    MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont));   /*         mod N */
++    if (x != xMont) {
++        MP_CHECKOK(mp_copy(x, xMont));
++    }
++    MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
++    MP_CHECKOK(mp_div(xMont, N, 0, xMont));   /*         mod N */
+ CLEANUP:
+     return res;
+ }
+ 
++mp_digit
++mp_calculate_mont_n0i(const mp_int *N)
++{
++    return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
++}
++
+ #ifdef MP_USING_MONT_MULF
+ 
+ /* the floating point multiply is already cache safe,
+  * don't turn on cache safe unless we specifically
+  * force it */
+ #ifndef MP_FORCE_CACHE_SAFE
+ #undef MP_USING_CACHE_SAFE_MOD_EXP
+ #endif
+@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
+     MP_DIGITS(&accum1) = 0;
+ 
+     for (i = 0; i < MAX_ODD_INTS; ++i)
+         oddPowers[i] = 0;
+ 
+     MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
+ 
+     mp_set(&accum1, 1);
+-    MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
++    MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
+     MP_CHECKOK(s_mp_pad(&accum1, nLen));
+ 
+     oddPowSize = 2 * nLen + 1;
+     dTmpSize = 2 * oddPowSize;
+     dSize = sizeof(double) * (nLen * 4 + 1 +
+                               ((odd_ints + 1) * oddPowSize) + dTmpSize);
+     dBuf = malloc(dSize);
+     if (!dBuf) {
+@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
+     for (i = 1; i < odd_ints; ++i) {
+         MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
+         MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
+         MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
+     }
+ 
+     /* set accumulator to montgomery residue of 1 */
+     mp_set(&accum1, 1);
+-    MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
++    MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
+     pa1 = &accum1;
+     pa2 = &accum2;
+ 
+     for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
+         mp_size smallExp;
+         MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
+         smallExp = (mp_size)res;
+ 
+@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
+     /* build the first WEAVE_WORD powers inline */
+     /* if WEAVE_WORD_SIZE is not 4, this code will have to change */
+     if (num_powers > 2) {
+         MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
+         MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
+         MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
+         MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
+         mp_set(&accum[0], 1);
+-        MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
++        MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
+         MP_CHECKOK(mp_copy(montBase, &accum[1]));
+         SQR(montBase, &accum[2]);
+         MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
+         powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
+         if (!powersArray) {
+             res = MP_MEM;
+             goto CLEANUP;
+         }
+@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
+         MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
+         if (first_window < 4) {
+             MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
+             first_window = num_powers;
+         }
+     } else {
+         if (first_window == 0) {
+             mp_set(&accum1, 1);
+-            MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
++            MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
+         } else {
+             /* assert first_window == 1? */
+             MP_CHECKOK(mp_copy(montBase, &accum1));
+         }
+     }
+ 
+     /*
+      * calculate all the powers in the powers array.
+@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
+     nLen = MP_USED(modulus);
+     MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
+ 
+     mmm.N = *modulus; /* a copy of the mp_int struct */
+ 
+     /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
+     **        where n0 = least significant mp_digit of N, the modulus.
+     */
+-    mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
++    mmm.n0prime = mp_calculate_mont_n0i(modulus);
+ 
+-    MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
++    MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
+ 
+     bits_in_exponent = mpl_significant_bits(exponent);
+ #ifdef MP_USING_CACHE_SAFE_MOD_EXP
+     if (mp_using_cache_safe_exp) {
+         if (bits_in_exponent > 780)
+             window_bits = 6;
+         else if (bits_in_exponent > 256)
+             window_bits = 5;
+diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
+--- a/lib/freebl/rsa.c
++++ b/lib/freebl/rsa.c
+@@ -65,16 +65,18 @@ struct blindingParamsStr {
+ ** the Handbook of Applied Cryptography, 11.118-11.119.
+ */
+ struct RSABlindingParamsStr {
+     /* Blinding-specific parameters */
+     PRCList link;              /* link to list of structs            */
+     SECItem modulus;           /* list element "key"                 */
+     blindingParams *free, *bp; /* Blinding parameters queue          */
+     blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
++    /* precalculate montegomery reduction value */
++    mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
+ };
+ typedef struct RSABlindingParamsStr RSABlindingParams;
+ 
+ /*
+ ** RSABlindingParamsListStr
+ **
+ ** List of key-specific blinding params.  The arena holds the volatile pool
+ ** of memory for each entry and the list itself.  The lock is for list
+@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
+     CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
+     CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
+     /* k < n */
+     CHECK_MPI_OK(mp_mod(&k, n, &k));
+     /* f = k**e mod n */
+     CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
+     /* g = k**-1 mod n */
+     CHECK_MPI_OK(mp_invmod(&k, n, g));
++    /* g in montgomery form.. */
++    CHECK_MPI_OK(mp_to_mont(g, n, g));
+ cleanup:
+     if (kb)
+         PORT_ZFree(kb, modLen);
+     mp_clear(&k);
+     mp_clear(&e);
+     if (err) {
+         MP_TO_SEC_ERROR(err);
+         rv = SECFailure;
+@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
+      * of rsabp->array pointer and must be set to NULL
+      */
+     rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
+ 
+     bp = rsabp->array;
+     rsabp->bp = NULL;
+     rsabp->free = bp;
+ 
++    /* precalculate montgomery reduction parameter */
++    rsabp->n0i = mp_calculate_mont_n0i(n);
++
+     /* List elements are keyed using the modulus */
+     return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
+ }
+ 
+ static SECStatus
+ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
+-                    mp_int *f, mp_int *g)
++                    mp_int *f, mp_int *g, mp_digit *n0i)
+ {
+     RSABlindingParams *rsabp = NULL;
+     blindingParams *bpUnlinked = NULL;
+     blindingParams *bp;
+     PRCList *el;
+     SECStatus rv = SECSuccess;
+     mp_err err = MP_OKAY;
+     int cmp = -1;
+@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key, 
+             ** head (since el would have looped back to the head).
+             */
+             PR_INSERT_BEFORE(&rsabp->link, el);
+         }
+ 
+         /* We've found (or created) the RSAblindingParams struct for this key.
+          * Now, search its list of ready blinding params for a usable one.
+          */
++        *n0i = rsabp->n0i;
+         while (0 != (bp = rsabp->bp)) {
+ #ifdef UNSAFE_FUZZER_MODE
+             /* Found a match and there are still remaining uses left */
+             /* Return the parameters */
+             CHECK_MPI_OK(mp_copy(&bp->f, f));
+             CHECK_MPI_OK(mp_copy(&bp->g, g));
+ 
+             PZ_Unlock(blindingParamsList.lock);
+@@ -1426,16 +1434,17 @@ cleanup:
+         rsabp->free = bp;
+     }
+     if (holdingLock) {
+         PZ_Unlock(blindingParamsList.lock);
+     }
+     if (err) {
+         MP_TO_SEC_ERROR(err);
+     }
++    *n0i = 0;
+     return SECFailure;
+ }
+ 
+ /*
+ ** Perform a raw private-key operation
+ **  Length of input and output buffers are equal to key's modulus len.
+ */
+ static SECStatus
+@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
+                  PRBool check)
+ {
+     unsigned int modLen;
+     unsigned int offset;
+     SECStatus rv = SECSuccess;
+     mp_err err;
+     mp_int n, c, m;
+     mp_int f, g;
++    mp_digit n0i;
+     if (!key || !output || !input) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+         return SECFailure;
+     }
+     /* check input out of range (needs to be in range [0..n-1]) */
+     modLen = rsa_modulusLen(&key->modulus);
+     if (modLen == 0) {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
+     CHECK_MPI_OK(mp_init(&f));
+     CHECK_MPI_OK(mp_init(&g));
+     SECITEM_TO_MPINT(key->modulus, &n);
+     OCTETS_TO_MPINT(input, &c, modLen);
+     /* If blinding, compute pre-image of ciphertext by multiplying by
+     ** blinding factor
+     */
+     if (nssRSAUseBlinding) {
+-        CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
++        CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
+         /* c' = c*f mod n */
+         CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
+     }
+     /* Do the private key operation m = c**d mod n */
+     if (key->prime1.len == 0 ||
+         key->prime2.len == 0 ||
+         key->exponent1.len == 0 ||
+         key->exponent2.len == 0 ||
+@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
+     } else {
+         CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
+     }
+     /* If blinding, compute post-image of plaintext by multiplying by
+     ** blinding factor
+     */
+     if (nssRSAUseBlinding) {
+         /* m = m'*g mod n */
+-        CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
++        CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
+     }
+     err = mp_to_fixlen_octets(&m, output, modLen);
+     if (err >= 0)
+         err = MP_OKAY;
+ cleanup:
+     mp_clear(&n);
+     mp_clear(&c);
+     mp_clear(&m);
diff --git a/dist b/dist
index 5aa45c5..1fe92cf 100644
--- a/dist
+++ b/dist
@@ -1 +1 @@
-an8_8
+an8_10
diff --git a/fips_algorithms.h b/fips_algorithms.h
index 80d7dcd..30f8688 100644
--- a/fips_algorithms.h
+++ b/fips_algorithms.h
@@ -15,11 +15,15 @@ typedef enum {
     SFTKFIPSECC, /* not just keys but specific curves */
     SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
     SFTKFIPSRSAPSS, /* make sure salt isn't too big */
-    SFTKFIPSPBKDF2  /* handle pbkdf2 FIPS restrictions */
+    SFTKFIPSPBKDF2,  /* handle pbkdf2 FIPS restrictions */
+    SFTKFIPSTlsKeyCheck,  /* check the output of TLS prf functions */
+    SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
+    SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
+    SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
 } SFTKFIPSSpecialClass;
 
 /* set according to your security policy */
-#define SFTKFIPS_PBKDF2_MIN_PW_LEN  7
+#define SFTKFIPS_PBKDF2_MIN_PW_LEN  8
 
 typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
 struct SFTKFIPSAlgorithmListStr {
@@ -27,6 +31,7 @@ struct SFTKFIPSAlgorithmListStr {
     CK_MECHANISM_INFO info;
     CK_ULONG step;
     SFTKFIPSSpecialClass special;
+    size_t offset;
 };
 
 SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
@@ -50,7 +55,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
 #define CKF_KPG CKF_GENERATE_KEY_PAIR
 #define CKF_GEN CKF_GENERATE
 #define CKF_SGN (CKF_SIGN | CKF_VERIFY)
-#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
+#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT )
+#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
+#define CKF_WRP (CKF_WRAP | CKF_UNWRAP)
 #define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
 #define CKF_KEA CKF_DERIVE
 #define CKF_KDF CKF_DERIVE
@@ -90,17 +97,13 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    /* ------------------------- DSA Operations --------------------------- */
-    { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
     /* -------------------- Diffie Hellman Operations --------------------- */
     { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
     { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
     /* -------------------- Elliptic Curve Operations --------------------- */
     { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
+    { CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
     { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
@@ -115,10 +118,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
     { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
     { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
-    { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
-    { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD },
+    { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
     /* ------------------------- Hashing Operations ----------------------- */
     { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
     { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
@@ -136,37 +139,50 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
     { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
     /* ---------------------- SSL/TLS operations ------------------------- */
     { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
-    { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSTlsKeyCheck, offsetof(CK_TLS12_KEY_MAT_PARAMS, prfHashMechanism) },
+    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHashTls,
+        offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) },
+    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHashTls,
+        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
+    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHashTls,
+        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
 
     /* ------------------------- HKDF Operations -------------------------- */
-    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
+        offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
+    { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
+        offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
     { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
     { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
     /* ------------------ NIST 800-108 Key Derivations  ------------------- */
-    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
     /* --------------------IPSEC ----------------------- */
-    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
+        offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) },
+    { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
+        offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) },
     /* ------------------ PBE Key Derivations  ------------------- */
     { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
+    /* the deprecated mechanisms, don't use for some reason we are supposed
+     * to set the FIPS indicators on these (sigh) */
+    { CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
+    { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/nss-3.71-fix-lto-gtests.patch b/nss-3.71-fix-lto-gtests.patch
new file mode 100644
index 0000000..2699ca3
--- /dev/null
+++ b/nss-3.71-fix-lto-gtests.patch
@@ -0,0 +1,26 @@
+diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+@@ -15,13 +15,22 @@
+ #include "gtest_utils.h"
+ #include "tls_agent.h"
+ #include "tls_connect.h"
++#define LTO
+
+ namespace nss_test {
+
++#ifndef LTO
++// sigh this construction breaks LTO
+ const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
+ const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
+ const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
+ const std::string kDCId = TlsAgent::kServerEcdsa256;
++#else
++#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
++#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
++#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
++#define kDCId  TlsAgent::kServerEcdsa256
++#endif
+ const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
+ const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
diff --git a/nss-3.90-aes-gmc-indicator.patch b/nss-3.90-aes-gmc-indicator.patch
new file mode 100644
index 0000000..8a91208
--- /dev/null
+++ b/nss-3.90-aes-gmc-indicator.patch
@@ -0,0 +1,42 @@
+diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
+--- a/lib/softoken/sftkmessage.c
++++ b/lib/softoken/sftkmessage.c
+@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
+ 
+     CHECK_FORK();
+ 
+     /* make sure we're legal */
+     crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
+     if (crv != CKR_OK)
+         return crv;
+ 
++    if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
++        if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
++            context->isFIPS = PR_FALSE;
++        } else {
++            CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
++            switch (p->ivGenerator) {
++                case CKG_NO_GENERATE:
++                    context->isFIPS = PR_FALSE;
++                    break;
++                case CKG_GENERATE_RANDOM:
++                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
++                        context->isFIPS = PR_FALSE;
++                    }
++                    break;
++                default:
++                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
++                        context->isFIPS = PR_FALSE;
++                    }
++            }
++        }
++    }
++
+     if (!pOuttext) {
+         *pulOuttextLen = ulIntextLen;
+         return CKR_OK;
+     }
+     rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
+                                 maxout, pIntext, ulIntextLen,
+                                 pParameter, ulParameterLen,
+                                 pAssociatedData, ulAssociatedDataLen);
diff --git a/nss-3.90-dh-test-update.patch b/nss-3.90-dh-test-update.patch
new file mode 100644
index 0000000..fcbeae5
--- /dev/null
+++ b/nss-3.90-dh-test-update.patch
@@ -0,0 +1,90 @@
+diff -up ./lib/freebl/fipsfreebl.c.dh_test ./lib/freebl/fipsfreebl.c
+--- ./lib/freebl/fipsfreebl.c.dh_test	2024-01-18 08:34:45.936944401 -0800
++++ ./lib/freebl/fipsfreebl.c	2024-01-18 09:20:57.555980326 -0800
+@@ -1816,38 +1816,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
+ {
+     /* DH Known P (2048-bits) */
+     static const PRUint8 dh_known_P[] = {
+-        0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
+-        0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
+-        0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
+-        0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
+-        0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
+-        0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
+-        0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
+-        0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
+-        0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
+-        0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
+-        0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
+-        0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
+-        0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
+-        0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
+-        0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
+-        0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
+-        0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
+-        0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
+-        0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
+-        0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
+-        0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
+-        0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
+-        0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
+-        0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
+-        0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
+-        0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
+-        0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
+-        0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
+-        0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
+-        0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
+-        0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
+-        0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
++        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
++        0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
++        0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
++        0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
++        0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
++        0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
++        0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
++        0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
++        0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
++        0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
++        0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
++        0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
++        0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
++        0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
++        0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
++        0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
++        0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
++        0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
++        0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
++        0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
++        0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
++        0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
++        0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
++        0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
++        0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
++        0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
++        0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
++        0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
++        0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
++        0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
++        0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
++        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
++
+     };
+ 
+     static const PRUint8 dh_known_Y_1[] = {
+@@ -1893,10 +1894,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
+     };
+ 
+     static const PRUint8 dh_known_hash_result[] = {
+-        0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
+-        0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
+-        0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
+-        0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
++        0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
++        0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
++        0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
++        0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
+     };
+ 
+     /* DH variables. */
diff --git a/nss-3.90-ecdsa-sign-padding-fix.patch b/nss-3.90-ecdsa-sign-padding-fix.patch
new file mode 100644
index 0000000..6c9c744
--- /dev/null
+++ b/nss-3.90-ecdsa-sign-padding-fix.patch
@@ -0,0 +1,335 @@
+--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix	2024-04-04 21:20:23.166838534 +0200
++++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h	2024-04-10 09:05:12.664050773 +0200
+@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
+     0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
+     0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
+ 
++const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
++const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
++const uint8_t kP521SpkiUnpaddedSig[] = {
++    0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
++    0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
++    0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
++    0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
++    0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
++    0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
++    0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
++    0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
++    0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
++    0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
++    0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
++    0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
++    0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
++    0xe2, 0x9f};
++const uint8_t kP521SignatureUnpaddedSigLong[] = {
++    0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
++    0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
++    0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
++    0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
++    0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
++    0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
++    0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
++    0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
++    0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
++    0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
++    0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
++const uint8_t kP521SignatureUnpaddedSigShort[] = {
++    0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
++    0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
++    0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
++    0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
++    0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
++    0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
++    0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
++    0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
++    0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
++    0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
++    0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
++const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
++const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
++const uint8_t kP384SpkiUnpaddedSig[] = {
++    0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
++    0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
++    0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
++    0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
++    0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
++    0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
++    0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
++    0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
++    0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
++    0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
++const uint8_t kP384SignatureUnpaddedSigLong[] = {
++    0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
++    0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
++    0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
++    0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
++    0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
++    0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
++    0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
++    0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
++const uint8_t kP384SignatureUnpaddedSigShort[] = {
++    0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
++    0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
++    0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
++    0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
++    0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
++    0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
++    0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
++    0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
++const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
++const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
++const uint8_t kP256SpkiUnpaddedSig[] = {
++    0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
++    0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
++    0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
++    0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
++    0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
++    0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
++    0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
++    0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
++const uint8_t kP256SignatureUnpaddedSigLong[] = {
++    0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
++    0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
++    0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
++    0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
++    0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
++    0xcf, 0x61, 0x91, 0x5f};
++const uint8_t kP256SignatureUnpaddedSigShort[] = {
++    0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
++    0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
++    0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
++    0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
++    0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
++    0x78, 0xc4};
+ }  // namespace nss_test
+--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix	2024-04-04 21:19:59.583677319 +0200
++++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc	2024-04-10 17:03:24.202133898 +0200
+@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
+                                            SEC_OID_SECG_EC_SECP521R1,
+                                            SEC_OID_CURVE25519));
+ 
++class Pkcs11EcdsaUnpaddedSignatureTest
++    : public Pkcs11EcdsaTestBase,
++      public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
++ public:
++  Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
++};
++
++static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
++      DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
++      DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
++      DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
++      DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
++      DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
++      DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
++      DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
++      DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
++      DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
++      DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
++    {SEC_OID_SHA512,
++     {DataBuffer(NULL, 0),
++      DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
++      DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
++      DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
++};
++
++TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
++INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
++                         ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
+ }  // namespace nss_test
+--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix	2024-04-09 14:58:28.413482715 +0200
++++ ./lib/freebl/ecl/ecp_secp256r1.c	2024-04-09 21:15:23.717222679 +0200
+@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
+ {
+     SECStatus res = SECSuccess;
+ 
++    unsigned char _padded_sig_data[64] = { 0 };
++    unsigned char *sig_r, *sig_s;
++
+     if (!key || !signature || !digest ||
+         !key->publicValue.data ||
+         !signature->data || !digest->data ||
+@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
+-    if (key->publicValue.len != 65 ||
+-        digest->len == 0 ||
+-        signature->len != 64) {
++    unsigned int olen = key->ecParams.order.len;
++    if (signature->len == 0 || signature->len % 2 != 0 ||
++        signature->len > 2 * olen ||
++        digest->len == 0 || key->publicValue.len != 65) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         res = SECFailure;
+         return res;
+@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
++    /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
++    if (signature->len != 64) {
++        unsigned split = signature->len / 2;
++        unsigned pad = 32 - split;
++
++        unsigned char *o_sig = signature->data;
++        unsigned char *p_sig = _padded_sig_data;
++
++        memcpy(p_sig + pad, o_sig, split);
++        memcpy(p_sig + 32 + pad, o_sig + split, split);
++
++        sig_r = p_sig;
++        sig_s = p_sig + 32;
++    } else {
++        sig_r = signature->data;
++        sig_s = signature->data + 32;
++    }
++
++
+     uint8_t hash[32] = { 0 };
+     if (digest->len < 32) {
+         memcpy(hash + 32 - digest->len, digest->data, digest->len);
+@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
+     bool b = Hacl_P256_ecdsa_verif_without_hash(
+         32, hash,
+         key->publicValue.data + 1,
+-        signature->data, signature->data + 32);
++        sig_r, sig_s);
+     if (!b) {
+         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+         res = SECFailure;
+--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix	2024-04-09 14:58:12.726377972 +0200
++++ ./lib/freebl/ecl/ecp_secp384r1.c	2024-04-09 14:50:47.932425779 +0200
+@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
+ {
+     SECStatus res = SECSuccess;
+ 
++    unsigned char _padded_sig_data[96] = { 0 };
++    unsigned char *sig_r, *sig_s;
++
+     if (!key || !signature || !digest ||
+         !key->publicValue.data ||
+         !signature->data || !digest->data ||
+@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
+-    if (key->publicValue.len != 97 ||
+-        digest->len == 0 ||
+-        signature->len != 96) {
++    unsigned int olen = key->ecParams.order.len;
++    if (signature->len == 0 || signature->len % 2 != 0 ||
++        signature->len > 2 * olen ||
++        digest->len == 0 || key->publicValue.len != 97) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         res = SECFailure;
+         return res;
+@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
++    /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
++    if (signature->len != 96) {
++        unsigned split = signature->len / 2;
++        unsigned pad = 48 - split;
++
++        unsigned char *o_sig = signature->data;
++        unsigned char *p_sig = _padded_sig_data;
++
++        memcpy(p_sig + pad, o_sig, split);
++        memcpy(p_sig + 48 + pad, o_sig + split, split);
++
++        sig_r = p_sig;
++        sig_s = p_sig + 48;
++    } else {
++        sig_r = signature->data;
++        sig_s = signature->data + 48;
++    }
++
+     uint8_t hash[48] = { 0 };
+     if (digest->len < 48) {
+         memcpy(hash + 48 - digest->len, digest->data, digest->len);
+@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
+     bool b = Hacl_P384_ecdsa_verif_without_hash(
+         48, hash,
+         key->publicValue.data + 1,
+-        signature->data, signature->data + 48);
++        sig_r, sig_s);
+     if (!b) {
+         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+         res = SECFailure;
+--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix	2024-04-05 22:42:26.553728340 +0200
++++ ./lib/freebl/ecl/ecp_secp521r1.c	2024-04-09 13:02:14.821865860 +0200
+@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
+ {
+     SECStatus res = SECSuccess;
+ 
++    unsigned char _padded_sig_data[132] = { 0 };
++    unsigned char *sig_r, *sig_s;
++
+     if (!key || !signature || !digest ||
+         !key->publicValue.data ||
+         !signature->data || !digest->data ||
+@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
+-    if (key->publicValue.len != 133 ||
+-        digest->len == 0 ||
+-        signature->len != 132) {
++    unsigned int olen = key->ecParams.order.len;
++    if (signature->len == 0 || signature->len % 2 != 0 ||
++        signature->len > 2 * olen ||
++        digest->len == 0 || key->publicValue.len != 133) {
+         PORT_SetError(SEC_ERROR_INPUT_LEN);
+         res = SECFailure;
+         return res;
+@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
+         return res;
+     }
+ 
++    /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
++    if (signature->len != 132) {
++        unsigned split = signature->len / 2;
++        unsigned pad = 66 - split;
++
++        unsigned char *o_sig = signature->data;
++        unsigned char *p_sig = _padded_sig_data;
++
++        memcpy(p_sig + pad, o_sig, split);
++        memcpy(p_sig + 66 + pad, o_sig + split, split);
++
++        sig_r = p_sig;
++        sig_s = p_sig + 66;
++    } else {
++        sig_r = signature->data;
++        sig_s = signature->data + 66;
++    }
++
+     uint8_t hash[66] = { 0 };
+     if (digest->len < 66) {
+         memcpy(hash + 66 - digest->len, digest->data, digest->len);
+@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
+     bool b = Hacl_P521_ecdsa_verif_without_hash(
+         66, hash,
+         key->publicValue.data + 1,
+-        signature->data, signature->data + 66);
++        sig_r, sig_s);
+     if (!b) {
+         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+         res = SECFailure;
diff --git a/nss-3.90-extend-db-dump-time.patch b/nss-3.90-extend-db-dump-time.patch
new file mode 100644
index 0000000..9d26770
--- /dev/null
+++ b/nss-3.90-extend-db-dump-time.patch
@@ -0,0 +1,12 @@
+diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
+--- ./tests/dbtests/dbtests.sh.extend	2023-11-15 13:17:50.651020458 -0800
++++ ./tests/dbtests/dbtests.sh	2023-11-15 13:18:57.091608850 -0800
+@@ -366,7 +366,7 @@ dbtest_main()
+       RARRAY=($dtime)
+       TIMEARRAY=(${RARRAY[1]//./ })
+       echo "${TIMEARRAY[0]} seconds"
+-      test ${TIMEARRAY[0]} -lt 2
++      test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
+       ret=$?
+       html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
+     fi
diff --git a/nss-3.90-fips-indicators.patch b/nss-3.90-fips-indicators.patch
new file mode 100644
index 0000000..961d64b
--- /dev/null
+++ b/nss-3.90-fips-indicators.patch
@@ -0,0 +1,190 @@
+diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.fips_indicators	2023-11-27 11:21:42.459523398 -0800
++++ ./lib/softoken/pkcs11c.c	2023-11-27 11:22:56.821120920 -0800
+@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
+     context->blockSize = 0;
+     context->maxLen = 0;
+     context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
+-                                           operation, key);
++                                           operation, key, 0);
+     *contextPtr = context;
+     return CKR_OK;
+ }
+@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+     crv = sftk_handleObject(key, session);
+     /* we need to do this check at the end, so we can check the generated 
+      * key length against fips requirements */
+-    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
++    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
+     session->lastOpWasFIPS = key->isFIPS;
+     sftk_FreeSession(session);
+     if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
+@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+         return crv;
+     }
+     /* we need to do this check at the end to make sure the generated key meets the key length requirements */
+-    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
++    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0);
+     publicKey->isFIPS = privateKey->isFIPS;
+     session->lastOpWasFIPS = privateKey->isFIPS;
+     sftk_FreeSession(session);
+@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+         return CKR_TEMPLATE_INCONSISTENT;
+     }
+ 
++    if (!params->bExpand) {
++        keySize = hashLen;
++    }
++
+     /* sourceKey is NULL if we are called from the POST, skip the
+      * sensitiveCheck */
+     if (sourceKey != NULL) {
+@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+                     mech.pParameter = params;
+                     mech.ulParameterLen = sizeof(*params);
+                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
+-                                                       CKA_DERIVE, saltKey);
++                                                       CKA_DERIVE, saltKey,
++                                                       keySize);
+                 }
+                 saltKeySource = saltKey->source;
+                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
+@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+     /* HKDF-Expand */
+     if (!params->bExpand) {
+         okm = prk;
+-        keySize = genLen = hashLen;
++        genLen = hashLen;
+     } else {
+         /* T(1) = HMAC-Hash(prk, "" | info | 0x01)
+          * T(n) = HMAC-Hash(prk, T(n-1) | info | n
+@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+             return CKR_KEY_HANDLE_INVALID;
+         }
+     }
+-    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
++    key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
++                                       keySize);
+ 
+     switch (mechanism) {
+         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
+--- ./lib/softoken/pkcs11i.h.fips_indicators	2023-11-27 11:21:42.450523326 -0800
++++ ./lib/softoken/pkcs11i.h	2023-11-27 11:22:56.821120920 -0800
+@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
+ /* check the FIPS table to determine if this current operation is allowed by
+  * FIPS security policy */
+ PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
+-                            CK_ATTRIBUTE_TYPE op, SFTKObject *source);
++                            CK_ATTRIBUTE_TYPE op, SFTKObject *source,
++                            CK_ULONG targetKeySize);
+ /* add validation objects to the slot */
+ CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
+ 
+diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_indicators	2023-11-27 11:21:42.451523334 -0800
++++ ./lib/softoken/pkcs11u.c	2023-11-27 11:31:51.812419789 -0800
+@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
+ static CK_ULONG
+ sftk_getKeyLength(SFTKObject *source)
+ {
+-    CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
++    CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE;
+     CK_ATTRIBUTE_TYPE keyAttribute;
+     CK_ULONG keyLength = 0;
+     SFTKAttribute *attribute;
+@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
+     return keyLength;
+ }
+ 
++PRBool
++sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
++{
++    switch (hash) {
++        case CKM_SHA256:
++        case CKG_MGF1_SHA256:
++        case CKM_SHA384:
++        case CKG_MGF1_SHA384:
++        case CKM_SHA512:
++        case CKG_MGF1_SHA512:
++            return PR_TRUE;
++    }
++    return PR_FALSE;
++}
++
+ /*
+  * handle specialized FIPS semantics that are too complicated to
+  * handle with just a table. NOTE: this means any additional semantics
+  * would have to be coded here before they can be added to the table */
+ static PRBool
+ sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
+-                   SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
++                   SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
++                   CK_ULONG keyLength, CK_ULONG targetKeyLength)
+ {
+     switch (mechInfo->special) {
+         case SFTKFIPSDH: {
+@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+             if (hashObj == NULL) {
+                 return PR_FALSE;
+             }
++            /* cap the salt for legacy keys */
++            if ((keyLength <= 1024) && (pss->sLen > 63)) {
++                return PR_FALSE;
++            }
++            /* cap the salt for based on the hash */
+             if (pss->sLen > hashObj->length) {
+                 return PR_FALSE;
+             }
+-            return PR_TRUE;
++            return sftk_CheckFIPSHash(pss->hashAlg);
+         }
+         case SFTKFIPSPBKDF2: {
+             /* PBKDF2 must have the following addition restrictions
+@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+              }
+              return PR_TRUE;
+         }
++        /* check the hash mechanisms to make sure they themselves are FIPS */
++        case SFTKFIPSChkHash:
++            if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
++                return PR_FALSE;
++            }
++            return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
++                        + mechInfo->offset));
+         default:
+             break;
+     }
+@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ 
+ PRBool
+ sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
+-                     SFTKObject *source)
++                     SFTKObject *source, CK_ULONG targetKeyLength)
+ {
+ #ifndef NSS_HAS_FIPS_INDICATORS
+     return PR_FALSE;
+@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
+         SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
+         /* if we match the number of records exactly, then we are an
+          * approved algorithm in the approved mode with an approved key */
+-        if (((mech->mechanism == mechs->type) &&
+-             (opFlags == (mechs->info.flags & opFlags)) &&
+-             (keyLength <= mechs->info.ulMaxKeySize) &&
+-             (keyLength >= mechs->info.ulMinKeySize) &&
+-             ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
++        if ((mech->mechanism == mechs->type) &&
++            (opFlags == (mechs->info.flags & opFlags)) &&
++            (keyLength <= mechs->info.ulMaxKeySize) &&
++            (keyLength >= mechs->info.ulMinKeySize) &&
++            (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
++            ((targetKeyLength == 0) ||
++             ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
++             (targetKeyLength >= mechs->info.ulMinKeySize) &&
++             ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
+             ((mechs->special == SFTKFIPSNone) ||
+-             sftk_handleSpecial(slot, mech, mechs, source))) {
++             sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
+             return PR_TRUE;
+         }
+     }
diff --git a/nss-3.90-fips-indicators2.patch b/nss-3.90-fips-indicators2.patch
new file mode 100644
index 0000000..e02d8bf
--- /dev/null
+++ b/nss-3.90-fips-indicators2.patch
@@ -0,0 +1,176 @@
+diff -up ./lib/softoken/pkcs11c.c.fips_2 ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.fips_2	2024-01-19 09:21:19.632889660 -0800
++++ ./lib/softoken/pkcs11c.c	2024-01-19 09:22:18.541471306 -0800
+@@ -7090,7 +7090,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+                     mech.ulParameterLen = sizeof(*params);
+                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
+                                                        CKA_DERIVE, saltKey,
+-                                                       keySize);
++                                                       keySize*PR_BITS_PER_BYTE);
+                 }
+                 saltKeySource = saltKey->source;
+                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
+@@ -7404,7 +7404,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+         }
+     }
+     key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
+-                                       keySize);
++                                       keySize*PR_BITS_PER_BYTE);
+ 
+     switch (mechanism) {
+         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+diff -up ./lib/softoken/pkcs11u.c.fips_2 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_2	2024-01-19 09:21:19.633889670 -0800
++++ ./lib/softoken/pkcs11u.c	2024-01-19 09:28:00.082843565 -0800
+@@ -2393,20 +2393,43 @@ sftk_getKeyLength(SFTKObject *source)
+ }
+ 
+ PRBool
+-sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
++sftk_checkFIPSHash(CK_MECHANISM_TYPE hash, PRBool allowSmall, PRBool allowCMAC)
+ {
+     switch (hash) {
++        case CKM_AES_CMAC:
++            return allowCMAC;
++        case CKM_SHA_1:
++        case CKM_SHA_1_HMAC:
++        case CKM_SHA224:
++        case CKM_SHA224_HMAC:
++            return allowSmall;
+         case CKM_SHA256:
+-        case CKG_MGF1_SHA256:
++        case CKM_SHA256_HMAC:
+         case CKM_SHA384:
+-        case CKG_MGF1_SHA384:
++        case CKM_SHA384_HMAC:
+         case CKM_SHA512:
+-        case CKG_MGF1_SHA512:
++        case CKM_SHA512_HMAC:
+             return PR_TRUE;
+     }
+     return PR_FALSE;
+ }
+ 
++PRBool
++sftk_checkKeyLength(CK_ULONG keyLength, CK_ULONG min,
++                    CK_ULONG max, CK_ULONG step)
++{
++     if (keyLength > max) {
++         return PR_FALSE;
++     }
++     if (keyLength < min ) {
++         return PR_FALSE;
++     }
++     if (((keyLength - min) % step) != 0) {
++         return PR_FALSE;
++     }
++     return PR_TRUE;
++}
++
+ /*
+  * handle specialized FIPS semantics that are too complicated to
+  * handle with just a table. NOTE: this means any additional semantics
+@@ -2416,6 +2439,8 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+                    SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
+                    CK_ULONG keyLength, CK_ULONG targetKeyLength)
+ {
++    PRBool allowSmall = PR_FALSE;
++    PRBool allowCMAC = PR_FALSE;
+     switch (mechInfo->special) {
+         case SFTKFIPSDH: {
+             SECItem dhPrime;
+@@ -2482,7 +2507,11 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+             if (pss->sLen > hashObj->length) {
+                 return PR_FALSE;
+             }
+-            return sftk_CheckFIPSHash(pss->hashAlg);
++            /* Our code makes sure pss->hashAlg matches the explicit
++             * hash in the mechanism, and only mechanisms with approved
++             * hashes are included, so no need to check pss->hashAlg
++             * here */
++            return PR_TRUE;
+         }
+         case SFTKFIPSPBKDF2: {
+             /* PBKDF2 must have the following addition restrictions
+@@ -2508,12 +2537,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+              return PR_TRUE;
+         }
+         /* check the hash mechanisms to make sure they themselves are FIPS */
++        case SFTKFIPSChkHashSp800:
++             allowCMAC = PR_TRUE;
+         case SFTKFIPSChkHash:
++             allowSmall = PR_TRUE;
++        case SFTKFIPSChkHashTls:
+             if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
+                 return PR_FALSE;
+             }
+-            return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+-                        + mechInfo->offset));
++            return sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
++                        + mechInfo->offset), allowSmall, allowCMAC);
++        case SFTKFIPSTlsKeyCheck:
++            if (mech->mechanism != CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
++                /* unless the mechnism has a built-in hash, check the hash */
++                if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
++                    return PR_FALSE;
++                }
++                if (!sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
++                        + mechInfo->offset), PR_FALSE, PR_FALSE)) {
++                    return PR_FALSE;
++                }
++            }
++            return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
+         default:
+             break;
+     }
+@@ -2558,13 +2603,11 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
+          * approved algorithm in the approved mode with an approved key */
+         if ((mech->mechanism == mechs->type) &&
+             (opFlags == (mechs->info.flags & opFlags)) &&
+-            (keyLength <= mechs->info.ulMaxKeySize) &&
+-            (keyLength >= mechs->info.ulMinKeySize) &&
+-            (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+-            ((targetKeyLength == 0) ||
+-             ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
+-             (targetKeyLength >= mechs->info.ulMinKeySize) &&
+-             ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
++            sftk_checkKeyLength(keyLength, mechs->info.ulMinKeySize,
++                                mechs->info.ulMaxKeySize, mechs->step) &&
++            ((targetKeyLength == 0) ||  (mechs->special == SFTKFIPSTlsKeyCheck)
++             || sftk_checkKeyLength(targetKeyLength, mechs->info.ulMinKeySize,
++                                mechs->info.ulMaxKeySize, mechs->step)) &&
+             ((mechs->special == SFTKFIPSNone) ||
+              sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
+             return PR_TRUE;
+diff -up ./lib/softoken/sftkmessage.c.fips_2 ./lib/softoken/sftkmessage.c
+--- ./lib/softoken/sftkmessage.c.fips_2	2024-01-19 09:21:19.634889680 -0800
++++ ./lib/softoken/sftkmessage.c	2024-01-19 09:22:18.541471306 -0800
+@@ -157,16 +157,25 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
+         } else {
+             CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
+             switch (p->ivGenerator) {
++                default:
+                 case CKG_NO_GENERATE:
+                     context->isFIPS = PR_FALSE;
+                     break;
+                 case CKG_GENERATE_RANDOM:
+-                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
++                    if ((p->ulIvLen < 96/PR_BITS_PER_BYTE) ||
++                        (p->ulIvFixedBits != 0)) {
+                         context->isFIPS = PR_FALSE;
+                     }
+                     break;
+-                default:
+-                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
++                case CKG_GENERATE_COUNTER_XOR:
++                    if ((p->ulIvLen != 96/PR_BITS_PER_BYTE) ||
++                        (p->ulIvFixedBits != 32)) {
++                        context->isFIPS = PR_FALSE;
++                    }
++                    break;
++                case CKG_GENERATE_COUNTER:
++                    if ((p->ulIvFixedBits < 32) ||
++                       ((p->ulIvLen*PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
+                         context->isFIPS = PR_FALSE;
+                     }
+             }
diff --git a/nss-3.90-fips-pkcs11-long-hash.patch b/nss-3.90-fips-pkcs11-long-hash.patch
new file mode 100644
index 0000000..7728732
--- /dev/null
+++ b/nss-3.90-fips-pkcs11-long-hash.patch
@@ -0,0 +1,83 @@
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -15,10 +15,13 @@
+  *   keys and their associated Certificates are saved on the token.
+  *
+  *   In this implementation, session objects are only visible to the session
+  *   that created or generated them.
+  */
++
++#include <limits.h> /* for UINT_MAX and ULONG_MAX */
++
+ #include "seccomon.h"
+ #include "secitem.h"
+ #include "secport.h"
+ #include "blapi.h"
+ #include "pkcs11.h"
+@@ -1954,12 +1957,21 @@
+     if (pDigest == NULL) {
+         *pulDigestLen = context->maxLen;
+         goto finish;
+     }
+ 
+-    /* do it: */
++#if (ULONG_MAX > UINT_MAX)
++    /* The context->hashUpdate function takes an unsigned int for its data
++     * length argument, but NSC_Digest takes an unsigned long. */
++    while (ulDataLen > UINT_MAX) {
++        (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
++        pData += UINT_MAX;
++        ulDataLen -= UINT_MAX;
++    }
++#endif
+     (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
++
+     /*  NOTE: this assumes buf size is bigenough for the algorithm */
+     (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
+     *pulDigestLen = digestLen;
+ 
+     sftk_TerminateOp(session, SFTK_HASH, context);
+@@ -1980,12 +1992,22 @@
+ 
+     /* make sure we're legal */
+     crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
+     if (crv != CKR_OK)
+         return crv;
+-    /* do it: */
++
++#if (ULONG_MAX > UINT_MAX)
++    /* The context->hashUpdate function takes an unsigned int for its data
++     * length argument, but NSC_DigestUpdate takes an unsigned long. */
++    while (ulPartLen > UINT_MAX) {
++        (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
++        pPart += UINT_MAX;
++        ulPartLen -= UINT_MAX;
++    }
++#endif
+     (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
++
+     return CKR_OK;
+ }
+ 
+ /* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
+ CK_RV
+@@ -3166,10 +3188,17 @@
+     crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
+     if (crv != CKR_OK)
+         return crv;
+ 
+     if (context->hashInfo) {
++#if (ULONG_MAX > UINT_MAX)
++        while (ulPartLen > UINT_MAX) {
++            (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
++            pPart += UINT_MAX;
++            ulPartLen -= UINT_MAX;
++        }
++#endif
+         (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
+     } else {
+         /* must be block cipher MACing */
+ 
+         unsigned int blkSize = context->blockSize;
+
diff --git a/nss-3.90-fips-safe-memset.patch b/nss-3.90-fips-safe-memset.patch
new file mode 100644
index 0000000..1503bd9
--- /dev/null
+++ b/nss-3.90-fips-safe-memset.patch
@@ -0,0 +1,506 @@
+diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c
+--- ./lib/freebl/aeskeywrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/aeskeywrap.c	2023-11-22 14:42:24.246388369 -0800
+@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
+         PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
+         rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
+                          outLen);
+-        PORT_Memset(iv, 0, sizeof(iv));
++        PORT_SafeZero(iv, sizeof(iv));
+         return rv;
+     }
+ 
+@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
+     PORT_ZFree(newBuf, paddedInputLen);
+     /* a little overkill, we only need to clear out the length, but this
+      * is easier to verify we got it all */
+-    PORT_Memset(iv, 0, sizeof(iv));
++    PORT_SafeZero(iv, sizeof(iv));
+     return rv;
+ }
+ 
+@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
+ loser:
+     /* if we failed, make sure we don't return any data to the user */
+     if ((rv != SECSuccess) && (output == newBuf)) {
+-        PORT_Memset(newBuf, 0, paddedLen);
++        PORT_SafeZero(newBuf, paddedLen);
+     }
+     /* clear out CSP sensitive data from the heap and stack */
+     if (allocBuf) {
+         PORT_ZFree(allocBuf, paddedLen);
+     }
+-    PORT_Memset(iv, 0, sizeof(iv));
++    PORT_SafeZero(iv, sizeof(iv));
+     return rv;
+ }
+diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h
+--- ./lib/freebl/blapii.h.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/blapii.h	2023-11-22 14:42:24.246388369 -0800
+@@ -101,10 +101,10 @@ PRBool ppc_crypto_support();
+ #ifdef NSS_FIPS_DISABLED
+ #define BLAPI_CLEAR_STACK(stack_size)
+ #else
+-#define BLAPI_CLEAR_STACK(stack_size)                    \
+-    {                                                    \
+-        volatile char _stkclr[stack_size];               \
+-        PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
++#define BLAPI_CLEAR_STACK(stack_size)                   \
++    {                                                   \
++        volatile char _stkclr[stack_size];              \
++        PORT_SafeZero((void *)&_stkclr[0], stack_size); \
+     }
+ #endif
+ 
+diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c
+--- ./lib/freebl/drbg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/drbg.c	2023-11-22 14:42:24.246388369 -0800
+@@ -197,7 +197,7 @@ prng_initEntropy(void)
+     SHA256_Update(&ctx, block, sizeof(block));
+     SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
+                sizeof(globalrng->previousEntropyHash));
+-    PORT_Memset(block, 0, sizeof(block));
++    PORT_SafeZero(block, sizeof(block));
+     SHA256_DestroyContext(&ctx, PR_FALSE);
+     return PR_SUCCESS;
+ }
+@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
+     }
+ 
+ out:
+-    PORT_Memset(hash, 0, sizeof hash);
+-    PORT_Memset(block, 0, sizeof block);
++    PORT_SafeZero(hash, sizeof hash);
++    PORT_SafeZero(block, sizeof block);
+     return rv;
+ }
+ 
+@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
+         PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
+         SHA256_DestroyContext(&ctx, PR_FALSE);
+     }
+-    PORT_Memset(data, 0, sizeof data);
+-    PORT_Memset(thisHash, 0, sizeof thisHash);
++    PORT_SafeZero(data, sizeof data);
++    PORT_SafeZero(thisHash, sizeof thisHash);
+ }
+ 
+ /*
+@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng,
+     PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
+ 
+     /* if the prng failed, don't return any output, signal softoken */
+-    PORT_Memset(H, 0, sizeof H);
++    PORT_SafeZero(H, sizeof H);
+     if (!rng->isValid) {
+         PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c
+--- ./lib/freebl/dsa.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/dsa.c	2023-11-22 14:42:24.246388369 -0800
+@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
+     err = MP_OKAY;
+     signature->len = dsa_signature_len;
+ cleanup:
+-    PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
++    PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
+     mp_clear(&p);
+     mp_clear(&q);
+     mp_clear(&g);
+@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
+         rv = dsa_SignDigest(key, signature, digest, kSeed);
+     } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
+              --retries > 0);
+-    PORT_Memset(kSeed, 0, sizeof kSeed);
++    PORT_SafeZero(kSeed, sizeof kSeed);
+     return rv;
+ }
+ 
+@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
+         verified = SECSuccess; /* Signature verified. */
+     }
+ cleanup:
+-    PORT_Memset(localDigestData, 0, sizeof localDigestData);
++    PORT_SafeZero(localDigestData, sizeof localDigestData);
+     mp_clear(&p);
+     mp_clear(&q);
+     mp_clear(&g);
+diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c
+--- ./lib/freebl/gcm.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/gcm.c	2023-11-22 14:42:24.246388369 -0800
+@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
+     rv = SECSuccess;
+ 
+ cleanup:
+-    PORT_Memset(T, 0, sizeof(T));
++    PORT_SafeZero(T, sizeof(T));
+     return rv;
+ }
+ 
+@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC
+     if (rv != SECSuccess) {
+         goto loser;
+     }
+-    PORT_Memset(H, 0, AES_BLOCK_SIZE);
++    PORT_SafeZero(H, AES_BLOCK_SIZE);
+     gcm->ctr_context_init = PR_TRUE;
+     return gcm;
+ 
+ loser:
+-    PORT_Memset(H, 0, AES_BLOCK_SIZE);
++    PORT_SafeZero(H, AES_BLOCK_SIZE);
+     if (ghash && ghash->mem) {
+         void *mem = ghash->mem;
+-        PORT_Memset(ghash, 0, sizeof(gcmHashContext));
++        PORT_SafeZero(ghash, sizeof(gcmHashContext));
+         PORT_Free(mem);
+     }
+     if (gcm) {
+@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u
+         goto loser;
+     }
+ 
+-    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
++    PORT_SafeZero(&ctrParams, sizeof ctrParams);
+     return SECSuccess;
+ 
+ loser:
+-    PORT_Memset(&ctrParams, 0, sizeof ctrParams);
++    PORT_SafeZero(&ctrParams, sizeof ctrParams);
+     if (freeCtr) {
+         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+     }
+@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
+     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
+         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+         PORT_SetError(SEC_ERROR_BAD_DATA);
+-        PORT_Memset(tag, 0, sizeof(tag));
++        PORT_SafeZero(tag, sizeof(tag));
+         return SECFailure;
+     }
+-    PORT_Memset(tag, 0, sizeof(tag));
++    PORT_SafeZero(tag, sizeof(tag));
+     /* finish the decryption */
+     return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+                       inbuf, inlen, AES_BLOCK_SIZE);
+@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
+         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
+         CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
+         PORT_SetError(SEC_ERROR_BAD_DATA);
+-        PORT_Memset(tag, 0, sizeof(tag));
++        PORT_SafeZero(tag, sizeof(tag));
+         return SECFailure;
+     }
+-    PORT_Memset(tag, 0, sizeof(tag));
++    PORT_SafeZero(tag, sizeof(tag));
+     /* finish the decryption */
+     rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
+                     inbuf, inlen, AES_BLOCK_SIZE);
+diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c
+--- ./lib/freebl/hmacct.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/hmacct.c	2023-11-22 14:42:24.246388369 -0800
+@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
+     hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
+     hashObj->destroy(mdState, PR_TRUE);
+ 
+-    PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
+-    PORT_Memset(hmacPad, 0, sizeof hmacPad);
+-    PORT_Memset(firstBlock, 0, sizeof firstBlock);
+-    PORT_Memset(macOut, 0, sizeof macOut);
++    PORT_SafeZero(lengthBytes, sizeof lengthBytes);
++    PORT_SafeZero(hmacPad, sizeof hmacPad);
++    PORT_SafeZero(firstBlock, sizeof firstBlock);
++    PORT_SafeZero(macOut, sizeof macOut);
+ 
+     return SECSuccess;
+ }
+diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c
+--- ./lib/freebl/intel-gcm-wrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/intel-gcm-wrap.c	2023-11-22 14:42:24.246388369 -0800
+@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
+ void
+ intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
+ {
+-    PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
++    PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
+     if (freeit) {
+         PORT_Free(gcm);
+     }
+diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c
+--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/ppc-gcm-wrap.c	2023-11-22 14:42:24.246388369 -0800
+@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
+ void
+ ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
+ {
+-    PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
++    PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
+     if (freeit) {
+         PORT_Free(gcm);
+     }
+diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c
+--- ./lib/freebl/pqg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/pqg.c	2023-11-22 14:42:24.246388369 -0800
+@@ -703,7 +703,7 @@ cleanup:
+     mp_clear(&a);
+     mp_clear(&z);
+     mp_clear(&two_length_minus_1);
+-    PORT_Memset(x, 0, sizeof(x));
++    PORT_SafeZero(x, sizeof(x));
+     if (err) {
+         MP_TO_SEC_ERROR(err);
+         rv = SECFailure;
+@@ -859,7 +859,7 @@ cleanup:
+     mp_clear(&c);
+     mp_clear(&c0);
+     mp_clear(&one);
+-    PORT_Memset(x, 0, sizeof(x));
++    PORT_SafeZero(x, sizeof(x));
+     if (err) {
+         MP_TO_SEC_ERROR(err);
+         rv = SECFailure;
+@@ -1072,7 +1072,7 @@ makePfromQandSeed(
+     CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1       */
+     CHECK_MPI_OK(mp_sub(&X, &c, P));   /* P = X - c    */
+ cleanup:
+-    PORT_Memset(V_j, 0, sizeof V_j);
++    PORT_SafeZero(V_j, sizeof V_j);
+     mp_clear(&W);
+     mp_clear(&X);
+     mp_clear(&c);
+@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
+ /* step 11.
+      * return valid G */
+ cleanup:
+-    PORT_Memset(data, 0, sizeof(data));
++    PORT_SafeZero(data, sizeof(data));
+     if (hashcx) {
+         hashobj->destroy(hashcx, PR_TRUE);
+     }
+diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c
+--- ./lib/freebl/rijndael.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/rijndael.c	2023-11-22 14:42:24.247388378 -0800
+@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
+         cx->worker_cx = NULL;
+         cx->destroy = NULL;
+     }
+-    PORT_Memset(cx, 0, sizeof(AESContext));
++    PORT_SafeZero(cx, sizeof(AESContext));
+     if (freeit) {
+         PORT_Free(mem);
+     } else {
+diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c
+--- ./lib/freebl/rsa.c.safe_zero	2023-11-22 14:41:24.066840894 -0800
++++ ./lib/freebl/rsa.c	2023-11-22 14:42:24.247388378 -0800
+@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c
+     /* 2.  Compute phi = (p-1)*(q-1) */
+     CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
+     CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
++    CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
+     if (needPublicExponent || needPrivateExponent) {
+-        CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
+         /* 3.  Compute d = e**-1 mod(phi) */
+         /*     or      e = d**-1 mod(phi) as necessary */
+         if (needPublicExponent) {
+@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c
+         goto cleanup;
+     }
+ 
++    /* make sure we weren't passed in a d or e = 1 mod phi */
++    /* just need to check d, because if one is = 1 mod phi, they both are */
++    CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
++    if (mp_cmp_d(&tmp, 2) <= 0) {
++        PORT_SetError(SEC_ERROR_INVALID_ARGS);
++        rv = SECFailure;
++        goto cleanup;
++    }
++
+     /* 4.  Compute exponent1 = d mod (p-1) */
+     CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
+     MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
+@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
+     /* Perform a public key operation v = m ** e mod n */
+     CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
+     if (mp_cmp(&v, c) != 0) {
++        /* this error triggers a fips fatal error lock */
++        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+         rv = SECFailure;
+     }
+ cleanup:
+diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c
+--- ./lib/freebl/rsapkcs.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/rsapkcs.c	2023-11-22 14:42:24.247388378 -0800
+@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject *
+     /* now create the hmac key */
+     hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
+     if (hmac == NULL) {
+-        PORT_Memset(keyHash, 0, sizeof(keyHash));
++        PORT_SafeZero(keyHash, sizeof(keyHash));
+         return NULL;
+     }
+     HMAC_Begin(hmac);
+     HMAC_Update(hmac, input, inputLen);
+     rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
+     if (rv != SECSuccess) {
+-        PORT_Memset(keyHash, 0, sizeof(keyHash));
++        PORT_SafeZero(keyHash, sizeof(keyHash));
+         HMAC_Destroy(hmac, PR_TRUE);
+         return NULL;
+     }
+@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject *
+      * reuse the original context allocated above so we don't
+      * need to allocate and free another one */
+     rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
+-    PORT_Memset(keyHash, 0, sizeof(keyHash));
++    PORT_SafeZero(keyHash, sizeof(keyHash));
+     if (rv != SECSuccess) {
+         HMAC_Destroy(hmac, PR_TRUE);
+         return NULL;
+@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
+             return rv;
+         }
+         PORT_Memcpy(output, hmacLast, left);
+-        PORT_Memset(hmacLast, 0, sizeof(hmacLast));
++        PORT_SafeZero(hmacLast, sizeof(hmacLast));
+     }
+     return rv;
+ }
+@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
+         outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
+                                 candidate, outLength);
+     }
+-    PORT_Memset(out, 0, sizeof(out));
++    PORT_SafeZero(out, sizeof(out));
+     return outLength;
+ }
+ 
+diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c
+--- ./lib/freebl/shvfy.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/shvfy.c	2023-11-22 14:42:24.247388378 -0800
+@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
+ 
+     /* verify the hash against the check file */
+     rv = DSA_VerifyDigest(key, signature, &hash);
+-    PORT_Memset(hashBuf, 0, sizeof hashBuf);
++    PORT_SafeZero(hashBuf, sizeof hashBuf);
+     return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
+ }
+ #endif
+@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
+     if (rv == SECSuccess) {
+         result = SECITEM_ItemsAreEqual(signature, &hash);
+     }
+-    PORT_Memset(hashBuf, 0, sizeof hashBuf);
++    PORT_SafeZero(hashBuf, sizeof hashBuf);
+     return result;
+ }
+ 
+@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
+ #ifndef NSS_STRICT_INTEGRITY
+     DSAPublicKey key;
+ 
+-    PORT_Memset(&key, 0, sizeof(key));
++    PORT_SafeZero(&key, sizeof(key));
+ #endif
+ 
+     /* If our integrity check was never ran or failed, fail any other
+@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P
+     shFD = NULL;
+ 
+ loser:
+-    PORT_Memset(&header, 0, sizeof header);
++    PORT_SafeZero(&header, sizeof header);
+     if (checkName != NULL) {
+         PORT_Free(checkName);
+     }
+diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c
+--- ./lib/freebl/tlsprfalg.c.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/freebl/tlsprfalg.c	2023-11-22 14:42:24.247388378 -0800
+@@ -82,8 +82,8 @@ loser:
+     /* clear out state so it's not left on the stack */
+     if (cx)
+         HMAC_Destroy(cx, PR_TRUE);
+-    PORT_Memset(state, 0, sizeof(state));
+-    PORT_Memset(outbuf, 0, sizeof(outbuf));
++    PORT_SafeZero(state, sizeof(state));
++    PORT_SafeZero(outbuf, sizeof(outbuf));
+     return rv;
+ }
+ 
+diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c
+--- ./lib/freebl/unix_urandom.c.safe_zero	2023-11-22 14:42:24.247388378 -0800
++++ ./lib/freebl/unix_urandom.c	2023-11-22 14:44:15.519400684 -0800
+@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
+         return;
+     }
+     RNG_RandomUpdate(bytes, numBytes);
+-    PORT_Memset(bytes, 0, sizeof bytes);
++    PORT_SafeZero(bytes, sizeof bytes);
+ }
+ 
+ #ifdef NSS_FIPS_140_3
+diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.safe_zero	2023-11-22 14:41:24.069840921 -0800
++++ ./lib/softoken/pkcs11c.c	2023-11-22 14:42:24.248388387 -0800
+@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+         if ((signature_length >= pairwise_digest_length) &&
+             (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
+             PORT_Free(signature);
+-            return CKR_DEVICE_ERROR;
++            return CKR_GENERAL_ERROR;
+         }
+ 
+         /* Verify the known hash using the public key. */
+diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h
+--- ./lib/util/secport.h.safe_zero	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/util/secport.h	2023-11-22 14:42:24.248388387 -0800
+@@ -36,6 +36,9 @@
+ #include <sys/types.h>
+ 
+ #include <ctype.h>
++/* ask for Annex K for memset_s. will set the appropriate #define
++ * if Annex K is supported */
++#define __STDC_WANT_LIB_EXT1__ 1
+ #include <string.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+@@ -182,6 +185,39 @@ SEC_END_PROTOS
+ #endif /*SUNOS4*/
+ #define PORT_Memset memset
+ 
++/* there are cases where the compiler optimizes away our attempt to clear
++ * out our stack variables. There are multiple solutions for this problem,
++ * but they aren't universally accepted on all platforms. This attempts
++ * to select the best solution available given our os, compilier, and libc */
++#ifdef __STDC_LIB_EXT1__
++/* if the os implements C11 annex K, use memset_s */
++#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
++#else
++#ifdef XP_WIN
++/* windows has a secure zero funtion */
++#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
++#else
++/* _DEFAULT_SORUCE  == BSD source in GCC based environments
++ * if other environmens support explicit_bzero, their defines
++ * should be added here */
++#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
++#define PORT_SafeZero(p, n) explicit_bzero(p, n)
++#else
++/* if the os doesn't support one of the above, but does support
++ * memset_explicit, you can add the definition for memset with the
++ * appropriate define check here */
++/* define an explicitly implementated Safe zero if the OS
++ * doesn't provide one */
++#define PORT_SafeZero(p, n)                                \
++    if (p != NULL) {                                       \
++        volatile unsigned char *__vl = (unsigned char *)p; \
++        size_t __nl = n;                                   \
++        while (__nl--) *__vl++ = 0;                        \
++    }
++#endif /* no explicit_bzero */
++#endif /* no windows SecureZeroMemory */
++#endif /* no memset_s */
++
+ #define PORT_Strcasecmp PL_strcasecmp
+ #define PORT_Strcat strcat
+ #define PORT_Strchr strchr
diff --git a/nss-add-sw.patch b/nss-add-sw.patch
deleted file mode 100644
index 45dda38..0000000
--- a/nss-add-sw.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 43f5d373ecd297761a6c4b94ec0495266830f465 Mon Sep 17 00:00:00 2001
-From: wxiat <nijie@wxiat.com>
-Date: Tue, 27 Jun 2023 16:43:45 +0800
-Subject: [PATCH] add sw
-
-Signed-off-by: wxiat <nijie@wxiat.com>
----
- coreconf/Linux.mk         | 5 +++++
- lib/dbm/include/mcom_db.h | 2 +-
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
-index 891086d..ee34ae3 100644
---- a/coreconf/Linux.mk
-+++ b/coreconf/Linux.mk
-@@ -65,6 +65,10 @@ ifeq ($(OS_TEST),alpha)
-         OS_REL_CFLAGS   = -D_ALPHA_
- 	CPU_ARCH	= alpha
- else
-+ifeq ($(OS_TEST),sw_64)
-+        OS_REL_CFLAGS   = -D_SW_64_
-+	CPU_ARCH	= sw_64
-+else
- ifeq ($(OS_TEST),x86_64)
- ifeq ($(USE_64),1)
- 	CPU_ARCH	= x86_64
-@@ -107,6 +111,7 @@ endif
- endif
- endif
- endif
-+endif
- 
- 
- ifneq ($(OS_TARGET),Android)
-diff --git a/lib/dbm/include/mcom_db.h b/lib/dbm/include/mcom_db.h
-index e961dd1..e8cea2d 100644
---- a/lib/dbm/include/mcom_db.h
-+++ b/lib/dbm/include/mcom_db.h
-@@ -126,7 +126,7 @@ typedef PRUint32 uint32;
- #include <machine/endian.h>
- #endif
- 
--#ifdef __alpha
-+#if defined __alpha || defined __sw_64
- #ifndef WIN32
- #else
- /* Alpha NT */
--- 
-2.31.1
-
diff --git a/nss.spec b/nss.spec
index 31594ef..379b2a6 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,9 +1,7 @@
-%define anolis_release .0.3
 %global nspr_build_version 4.35.0-1
 %global nspr_release -1
 %global nspr_version 4.35.0
 %global nss_version 3.90.0
-
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -13,7 +11,7 @@
 # The timestamp of our downstream manual pages, e.g., nss-config.1
 %global manual_date "Nov 13 2013"
 
-%bcond_with tests
+%bcond_without tests
 
 # Produce .chk files for the final stripped binaries
 #
@@ -65,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          3%{anolis_release}%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -115,6 +113,8 @@ Source28:         nss-p11-kit.config
 # will have their own validation
 Source30:         fips_algorithms.h
 
+Source50:         NameConstraints_Certs.tar
+
 # To inject hardening flags for DSO
 Patch1:           nss-dso-ldflags.patch
 # This patch uses the GCC -iquote option documented at
@@ -133,8 +133,8 @@ Patch4:           iquote.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=818686
 Patch9:		  nss-sysinit-userdb.patch
 # Disable nss-sysinit test which is solely to test the above change
-Patch10:	  nss-skip-sysinit-gtests.patch
-
+Patch10:          nss-skip-sysinit-gtests.patch
+Patch15:          nss-3.90-extend-db-dump-time.patch
 # For compatibility reasons, we stick with the old PKCS #11 2.40
 # definition of CK_GCM_PARAMS:
 %if 0%{?fedora} < 34
@@ -144,9 +144,10 @@ Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 # Local patch: disable MD5 (also MD2 and MD4) completely
 # https://bugzilla.redhat.com/show_bug.cgi?id=1849938
-Patch25:         nss-disable-md5.patch
+Patch25:          nss-disable-md5.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch30:          rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+Patch34:          nss-3.71-fix-lto-gtests.patch
 # Local patch: disable Delegated Credentials
 Patch35:	  nss-disable-dc.patch
 # Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
@@ -166,23 +167,29 @@ Patch54:          nss-3.90-disable-ech.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1774659
 Patch57:          nss-3.79-dbtool.patch
 Patch58:          nss-3.79-fips.patch
-Patch61:          nss-3.79-fips-review.patches
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
-Patch62:          nss-3.90-DisablingASM.patch
-Patch63:          nss-3.90-no-dbm-25519.patch
-Patch64:          nss-3.90-pbkdf2-indicator.patch
+Patch60:          nss-3.90-DisablingASM.patch
+Patch61:          nss-3.79-fips-review.patches
+Patch62:          nss-3.90-no-dbm-25519.patch
+Patch63:          nss-3.90-pbkdf2-indicator.patch
 
 #ems policy. needs to upstream
 Patch70:          nss-3.90-add-ems-policy.patch
 
-Patch71:          nss-add-sw.patch
-
+Patch80:         blinding_ct.patch
+Patch81:         nss-3.90-fips-pkcs11-long-hash.patch
+Patch82:         nss-3.90-fips-safe-memset.patch
+Patch83:         nss-3.90-fips-indicators.patch
+Patch84:         nss-3.90-aes-gmc-indicator.patch
+Patch85:         nss-3.90-fips-indicators2.patch
+Patch86:         nss-3.90-dh-test-update.patch
 Patch90:         nss_p256_scalar_validated.patch
 Patch91:         nss_p384_scalar_validated.patch
 Patch92:         nss_p384_hacl.patch
 Patch93:         nss_p521_hacl.patch
 Patch94:         nss-3.90-ecc-wrap-fix.patch
+Patch95:         nss-3.90-ecdsa-sign-padding-fix.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -320,10 +327,16 @@ popd
 # each vendors claim in their own FIPS certification
 cp %{SOURCE30} nss/lib/softoken/
 
+#update expired test certs
+pushd nss
+tar xvf %{SOURCE50}
+popd
+
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
 %build
+
 export FREEBL_NO_DEPEND=1
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
@@ -518,6 +531,10 @@ export USE_64=1
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
 
+%ifarch i686 ppcle64
+export NSS_DB_DUMP_TIME=10
+%endif
+
 # enable the following line to force a test failure
 # find ./nss -name \*.chk | xargs rm -f
 
@@ -964,22 +981,26 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
-* Tue Apr 9 2024 Kai Song <songkai@inspur.com> -3.90.0-3.0.3
-- Backport upstream patches
--   FIPS review changes
+* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
+- Allow for shorter ecdsa signatures by padding them to full length
+
+* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
+- Fix ecc DER wrapping.
+
+* Wed Jan 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
+- Pick up validated constant time implementations of p256, p384, and p521
+  from upsream
+- More Fips indicator changes
+
+* Wed Dec 6 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
+- FIPS review changes
 -   add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
 -   update the indicators for this release
 -   allow hashing of longer than int32 values in a single PKCS #11 call.
--   Pick up validated constant time implementations of p256, p384, and p521
-    from upsream
--   More Fips indicator changes
-- Fix ecc DER wrapping(CVE-2023-6135)
-
-* Wed Mar 20 2024 wxiat <nijie@wxiat.com> - 3.90.0-3.0.2
-- cherry-pick `add sw patch #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`.
 
-* Mon Oct 10 2023 Zhao Hang <wb-zh951434@alibaba-inc.com> - 3.90.0-3.0.1
-- disable unit test
+* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.1
+- Fix expired certs in tests
+- Fix CVE-2023-5388
 
 * Thu Aug 3 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
 - add indicators for pbkdf2
-- 
Gitee


From b3920e66c7b5d9f7528eb3e529a28aea2a87c931 Mon Sep 17 00:00:00 2001
From: Zhao Hang <wb-zh951434@alibaba-inc.com>
Date: Tue, 10 Oct 2023 10:54:50 +0800
Subject: [PATCH 2/3] disable unit test

Signed-off-by: Zhao Hang <wb-zh951434@alibaba-inc.com>
---
 nss.spec | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/nss.spec b/nss.spec
index 379b2a6..2d944aa 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 %global nspr_build_version 4.35.0-1
 %global nspr_release -1
 %global nspr_version 4.35.0
@@ -11,7 +12,7 @@
 # The timestamp of our downstream manual pages, e.g., nss-config.1
 %global manual_date "Nov 13 2013"
 
-%bcond_without tests
+%bcond_with tests
 
 # Produce .chk files for the final stripped binaries
 #
@@ -63,7 +64,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          7%{anolis_release}%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -981,6 +982,9 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Fri Jun 28 2024 Zhao Hang <wb-zh951434@alibaba-inc.com> - 3.90.0-7.0.1
+- disable unit test
+
 * Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
 - Allow for shorter ecdsa signatures by padding them to full length
 
-- 
Gitee


From 3fb6f434d0da64c2956a712cbddf0f4832606576 Mon Sep 17 00:00:00 2001
From: wxiat <nijie@wxiat.com>
Date: Tue, 27 Jun 2023 16:47:34 +0800
Subject: [PATCH 3/3] cherry-pick `add sw patch
 #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`.

Signed-off-by: wxiat <nijie@wxiat.com>
Signed-off-by: Weisson <Weisson@linux.alibaba.com>
---
 nss-add-sw.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++++++
 nss.spec         |  4 +++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 nss-add-sw.patch

diff --git a/nss-add-sw.patch b/nss-add-sw.patch
new file mode 100644
index 0000000..45dda38
--- /dev/null
+++ b/nss-add-sw.patch
@@ -0,0 +1,50 @@
+From 43f5d373ecd297761a6c4b94ec0495266830f465 Mon Sep 17 00:00:00 2001
+From: wxiat <nijie@wxiat.com>
+Date: Tue, 27 Jun 2023 16:43:45 +0800
+Subject: [PATCH] add sw
+
+Signed-off-by: wxiat <nijie@wxiat.com>
+---
+ coreconf/Linux.mk         | 5 +++++
+ lib/dbm/include/mcom_db.h | 2 +-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
+index 891086d..ee34ae3 100644
+--- a/coreconf/Linux.mk
++++ b/coreconf/Linux.mk
+@@ -65,6 +65,10 @@ ifeq ($(OS_TEST),alpha)
+         OS_REL_CFLAGS   = -D_ALPHA_
+ 	CPU_ARCH	= alpha
+ else
++ifeq ($(OS_TEST),sw_64)
++        OS_REL_CFLAGS   = -D_SW_64_
++	CPU_ARCH	= sw_64
++else
+ ifeq ($(OS_TEST),x86_64)
+ ifeq ($(USE_64),1)
+ 	CPU_ARCH	= x86_64
+@@ -107,6 +111,7 @@ endif
+ endif
+ endif
+ endif
++endif
+ 
+ 
+ ifneq ($(OS_TARGET),Android)
+diff --git a/lib/dbm/include/mcom_db.h b/lib/dbm/include/mcom_db.h
+index e961dd1..e8cea2d 100644
+--- a/lib/dbm/include/mcom_db.h
++++ b/lib/dbm/include/mcom_db.h
+@@ -126,7 +126,7 @@ typedef PRUint32 uint32;
+ #include <machine/endian.h>
+ #endif
+ 
+-#ifdef __alpha
++#if defined __alpha || defined __sw_64
+ #ifndef WIN32
+ #else
+ /* Alpha NT */
+-- 
+2.31.1
+
diff --git a/nss.spec b/nss.spec
index 2d944aa..647e179 100644
--- a/nss.spec
+++ b/nss.spec
@@ -3,6 +3,7 @@
 %global nspr_release -1
 %global nspr_version 4.35.0
 %global nss_version 3.90.0
+
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -191,6 +192,7 @@ Patch92:         nss_p384_hacl.patch
 Patch93:         nss_p521_hacl.patch
 Patch94:         nss-3.90-ecc-wrap-fix.patch
 Patch95:         nss-3.90-ecdsa-sign-padding-fix.patch
+Patch1000:          nss-add-sw.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -337,7 +339,6 @@ popd
 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
 
 %build
-
 export FREEBL_NO_DEPEND=1
 
 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
@@ -984,6 +985,7 @@ update-crypto-policies --no-reload &> /dev/null || :
 %changelog
 * Fri Jun 28 2024 Zhao Hang <wb-zh951434@alibaba-inc.com> - 3.90.0-7.0.1
 - disable unit test
+- cherry-pick `add sw patch #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`. (nijie@wxiat.com)
 
 * Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
 - Allow for shorter ecdsa signatures by padding them to full length
-- 
Gitee