diff --git a/Feature-fix-sm2-sm3-code-error.patch b/Feature-fix-sm2-sm3-code-error.patch index a553f1286db6be54bd8f16a5c9eb47e789fa64ac..4187885a89905b00f9ad3f4034fdda981d5dd84a 100644 --- a/Feature-fix-sm2-sm3-code-error.patch +++ b/Feature-fix-sm2-sm3-code-error.patch @@ -8,10 +8,10 @@ Subject: [PATCH] fix sm2 sm3 code error 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/lib/util/secoid.c b/lib/util/secoid.c -index e97eead..cc776c1 100644 +index 5119ac6..deb66ab 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c -@@ -1813,10 +1813,6 @@ const static SECOidData oids[SEC_OID_TOTAL] = { +@@ -1845,10 +1845,6 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "IPsec User", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), @@ -22,10 +22,10 @@ index e97eead..cc776c1 100644 OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION), OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), OD(sha3_384, SEC_OID_SHA3_384, "SHA3-384", CKM_SHA3_384, INVALID_CERT_EXTENSION), -@@ -1826,6 +1822,11 @@ const static SECOidData oids[SEC_OID_TOTAL] = { - OD(hmac_sha3_256, SEC_OID_HMAC_SHA3_256, "HMAC SHA3-256", CKM_SHA3_256_HMAC, INVALID_CERT_EXTENSION), - OD(hmac_sha3_384, SEC_OID_HMAC_SHA3_384, "HMAC SHA3-384", CKM_SHA3_384_HMAC, INVALID_CERT_EXTENSION), - OD(hmac_sha3_512, SEC_OID_HMAC_SHA3_512, "HMAC SHA3-512", CKM_SHA3_512_HMAC, INVALID_CERT_EXTENSION), +@@ -1901,6 +1897,11 @@ const static SECOidData oids[SEC_OID_TOTAL] = { + ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION), + ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION), + + OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION), + OD(sm2, SEC_OID_SM2, "SM2", CKM_NSS_SM2, INVALID_CERT_EXTENSION), 
diff --git a/Feature-fix-sm3-code-error.patch b/Feature-fix-sm3-code-error.patch index 7f64bb4741929671ecfdec1aa18eead8597e9987..c764282150d34726cf4b6027c5b48cd54f54e7bd 100644 --- a/Feature-fix-sm3-code-error.patch +++ b/Feature-fix-sm3-code-error.patch @@ -7,11 +7,11 @@ Subject: [PATCH] fix sm3 code error nss/lib/cryptohi/sechash.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) -diff --git a/nss/lib/cryptohi/sechash.c b/nss/lib/cryptohi/sechash.c -index b288145..8d60fbc 100644 +diff --git a/lib/cryptohi/sechash.c b/lib/cryptohi/sechash.c +index 32b50ff..701d2e1 100644 --- a/lib/cryptohi/sechash.c +++ b/lib/cryptohi/sechash.c -@@ -196,16 +196,6 @@ const SECHashObject SECHashObjects[] = { +@@ -197,16 +197,6 @@ const SECHashObject SECHashObjects[] = { PK11_DigestFinal, SHA224_BLOCK_LENGTH, HASH_AlgSHA224 }, @@ -28,7 +28,7 @@ index b288145..8d60fbc 100644 { SHA3_224_LENGTH, (void *(*)(void))sha3_224_NewContext, (void *(*)(void *))PK11_CloneContext, -@@ -246,6 +236,16 @@ const SECHashObject SECHashObjects[] = { +@@ -247,6 +237,16 @@ const SECHashObject SECHashObjects[] = { PK11_DigestFinal, SHA3_512_BLOCK_LENGTH, HASH_AlgSHA3_512 }, diff --git a/Feature-nss-fix-the-certificate-resolution-in-sm2.patch b/Feature-nss-fix-the-certificate-resolution-in-sm2.patch index c1a133090140b147bf279d65983fe18e2d574e4b..3c6cfa198ac388c213f8883b0b3c741150f7bc78 100644 --- a/Feature-nss-fix-the-certificate-resolution-in-sm2.patch +++ b/Feature-nss-fix-the-certificate-resolution-in-sm2.patch @@ -9,22 +9,22 @@ Subject: [PATCH] fix the certificate resolution in sm2 2 files changed, 2 insertions(+) diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c -index 6a230e1..11a936e 100644 +index ab7bdd2..fb373f6 100644 --- a/lib/cryptohi/seckey.c 
+++ b/lib/cryptohi/seckey.c -@@ -639,6 +639,7 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) - return pubk; - break; +@@ -702,6 +702,7 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) + } + return pubk; case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + case SEC_OID_SM2: /* A basic sanity check on inputs. */ if (spki->algorithm.parameters.len == 0 || newOs.len == 0) { PORT_SetError(SEC_ERROR_INPUT_LEN); diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c -index 2105cb5..5261a92 100644 +index 81f9bc6..4aed912 100644 --- a/lib/softoken/pkcs11c.c +++ b/lib/softoken/pkcs11c.c -@@ -6199,6 +6199,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki) +@@ -6379,6 +6379,7 @@ sftk_unwrapPrivateKey(SFTKObject *key, SECItem *bpki) prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params); break; /* case NSSLOWKEYDHKey: */ diff --git a/Feature-nss-support-SM2-signature-algorithm.patch b/Feature-nss-support-SM2-signature-algorithm.patch index 89bc63b8aa6c81466bf2853766be76aa0220bef0..b97561ce4ccc8933ac01b8fb1cb349faa66a5a05 100644 --- a/Feature-nss-support-SM2-signature-algorithm.patch +++ b/Feature-nss-support-SM2-signature-algorithm.patch @@ -20,18 +20,18 @@ index 7b66f0b..4f99ef9 100644 #endif /* _CRYPTOHI_H_ */ diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c -index 656609e..6a230e1 100644 +index 03a60c3..ab7bdd2 100644 --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c -@@ -519,6 +519,7 @@ seckey_GetKeyType(SECOidTag tag) +@@ -548,6 +548,7 @@ seckey_GetKeyType(SECOidTag tag) keyType = dhKey; break; case SEC_OID_ANSIX962_EC_PUBLIC_KEY: + case SEC_OID_SM2: keyType = ecKey; break; - /* accommodate applications that hand us a signature type when they -@@ -775,6 +776,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams) + case SEC_OID_ED25519_PUBLIC_KEY: +@@ -838,6 +839,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams) case SEC_OID_SECG_EC_SECP256K1: case SEC_OID_ANSIX962_EC_PRIME256V1: 
@@ -39,7 +39,7 @@ index 656609e..6a230e1 100644 return 256; case SEC_OID_ANSIX962_EC_C2PNB272W1: -@@ -923,6 +925,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) +@@ -987,6 +989,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) case SEC_OID_SECG_EC_SECP256K1: case SEC_OID_ANSIX962_EC_PRIME256V1: @@ -48,10 +48,10 @@ index 656609e..6a230e1 100644 case SEC_OID_ANSIX962_EC_C2PNB272W1: diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c -index 8779904..8a12b25 100644 +index 9bcdee1..269cb47 100644 --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c -@@ -882,3 +882,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena, +@@ -985,3 +985,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena, return result; } } @@ -99,10 +99,10 @@ index 8779904..8a12b25 100644 + return SECSuccess; +} diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c -index 8c9dc2d..981cb0d 100644 +index 34b6ab5..8d0a1f1 100644 --- a/lib/cryptohi/secvfy.c +++ b/lib/cryptohi/secvfy.c -@@ -288,6 +288,8 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg) +@@ -294,6 +294,8 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg) case SEC_OID_ANSIX962_ECDSA_SIGNATURE_RECOMMENDED_DIGEST: case SEC_OID_ANSIX962_ECDSA_SIGNATURE_SPECIFIED_DIGEST: return SEC_OID_ANSIX962_EC_PUBLIC_KEY; @@ -111,9 +111,9 @@ index 8c9dc2d..981cb0d 100644 /* we don't implement MD4 hashes */ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: -@@ -430,6 +432,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - return SECFailure; +@@ -588,6 +590,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, } + *mechp = sec_ECDSAGetCombinedMech(*hashalg); break; + case SEC_OID_SM2_WITH_SM3: + *hashalg = SEC_OID_SM3; @@ -122,33 +122,33 @@ index 8c9dc2d..981cb0d 100644 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c -index 5bf7d81..2b8e321 100644 +index ed390e7..97affef 100644 --- a/lib/freebl/ec.c 
+++ b/lib/freebl/ec.c -@@ -15,6 +15,7 @@ - #include "mplogic.h" - #include "ec.h" - #include "ecl.h" +@@ -19,6 +19,7 @@ + #include "verified/Hacl_P521.h" + #include "secport.h" + #include "verified/Hacl_Ed25519.h" +#include "sm2.h" #define EC_DOUBLECHECK PR_FALSE -@@ -988,7 +989,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) - goto cleanup; +@@ -512,7 +513,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) + } /* Generate ECDSA signature with the specified k value */ -- rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len); +- rv = ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len); + rv = key->ecParams.name == ECCurve_sm2p256v1 ? + SM2_SignDigestWithSeed(key, signature, digest, kBytes, len) : + ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len); + NSS_DECLASSIFY(signature->data, signature->len); cleanup: - if (kBytes) { diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c -index bd31eb0..29f41c9 100644 +index 8ba5a85..9c836c3 100644 --- a/lib/freebl/ecdecode.c +++ b/lib/freebl/ecdecode.c -@@ -181,6 +181,10 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, +@@ -184,6 +184,11 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, params)); break; @@ -156,15 +156,16 @@ index bd31eb0..29f41c9 100644 + /* Populate params for Curve SM2 */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_sm2p256v1, ec_field_plain, + params)); ++ default: break; }; diff --git a/lib/freebl/ecl/ecl-curve.h b/lib/freebl/ecl/ecl-curve.h -index dec3ce3..b525ba5 100644 +index 1c9cb5d..8a14ac4 100644 --- a/lib/freebl/ecl/ecl-curve.h +++ b/lib/freebl/ecl/ecl-curve.h -@@ -178,6 +178,38 @@ static const ECCurveBytes ecCurve_25519 = { - KU_KEY_AGREEMENT +@@ -185,6 +185,38 @@ static const ECCurveBytes ecCurve_Ed25519 = { + KU_DIGITAL_SIGNATURE }; +static const PRUint8 sm2_irr[32] = 
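Review bot: The rebased ec.c hunk of Feature-nss-support-SM2-signature-algorithm.patch still adds calls that pass `kBytes, len`, while the line it removes shows that ECDSA_SignDigest now passes `nonceRand.data, nonceRand.len`. This patch therefore does not build on its own and relies on Temp-fix-nss-3-101-build-error.patch to rewrite the same two lines. Fold the fix in here so the added lines read `SM2_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len) :` and `ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len);`. The comment above the ternary still says "Generate ECDSA signature"; it should state that SM2 keys are dispatched to the SM2 signer here. The body of ECDSA_SignDigest starts and ends outside the hunk.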
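Review bot: The SM2 case added to EC_FillParams ends at the `CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_sm2p256v1, ec_field_plain, params));` call and, as far as the visible lines show, reaches `break` only by falling into the `default:` label that follows it. That works today, but a case inserted between the two on a later rebase would also run for SM2 keys. Add an explicit `break;` after `params));`. The start of the case and the rest of the switch lie outside this hunk, so confirm that no `break` is already present there.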
@@ -202,31 +203,31 @@ index dec3ce3..b525ba5 100644 /* mapping between ECCurveName enum and pointers to ECCurveParams */ static const ECCurveBytes *ecCurve_map[] = { NULL, /* ECCurve_noName */ -@@ -239,6 +271,7 @@ static const ECCurveBytes *ecCurve_map[] = { +@@ -246,6 +278,7 @@ static const ECCurveBytes *ecCurve_map[] = { NULL, /* ECCurve_WTLS_8 */ NULL, /* ECCurve_WTLS_9 */ &ecCurve_25519, /* ECCurve25519 */ + &ecCurve_sm2p256v1, /* ECCurve_sm2p256v1 */ - NULL /* ECCurve_pastLastCurve */ + &ecCurve_Ed25519, + NULL /* ECCurve_pastLastCurve */ }; - diff --git a/lib/freebl/ecl/ecl-exp.h b/lib/freebl/ecl/ecl-exp.h -index 44adb8a..d071fc9 100644 +index 14263c7..196b7ff 100644 --- a/lib/freebl/ecl/ecl-exp.h +++ b/lib/freebl/ecl/ecl-exp.h -@@ -132,6 +132,7 @@ typedef enum { - /* ECCurve_WTLS_12 == ECCurve_NIST_P224 */ +@@ -133,6 +133,7 @@ typedef enum { ECCurve25519, + ECCurve_Ed25519, + ECCurve_sm2p256v1, ECCurve_pastLastCurve } ECCurveName; diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi -index 920d613..e6094a9 100644 +index 6e17854..91dc80e 100644 --- a/lib/freebl/freebl_base.gypi +++ b/lib/freebl/freebl_base.gypi -@@ -61,6 +61,7 @@ +@@ -51,6 +51,7 @@ 'sha_fast.c', 'shvfy.c', 'sm3.c', @@ -235,10 +236,10 @@ index 920d613..e6094a9 100644 'tlsprfalg.c', 'secmpi.c', diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn -index 3214369..f321f67 100644 +index 0be9761..3ae830f 100644 --- a/lib/freebl/manifest.mn +++ b/lib/freebl/manifest.mn -@@ -161,6 +161,7 @@ CSRCS = \ +@@ -166,6 +166,7 @@ CSRCS = \ $(LOWHASH_SRCS) \ $(EXTRA_SRCS) \ sm3.c \ @@ -246,7 +247,7 @@ index 3214369..f321f67 100644 $(NULL) ifndef NSS_DISABLE_DEPRECATED_SEED -@@ -191,6 +192,7 @@ ALL_HDRS = \ +@@ -196,6 +197,7 @@ ALL_HDRS = \ vis_proto.h \ seed.h \ sm3.h \ @@ -255,10 +256,10 @@ index 3214369..f321f67 100644 diff --git a/lib/nss/nss.def b/lib/nss/nss.def -index 35850ca..4d778e5 100644 +index 7c9bdda..800b3f0 100644 --- a/lib/nss/nss.def 
+++ b/lib/nss/nss.def -@@ -1253,3 +1253,9 @@ SECMOD_LockedModuleHasRemovableSlots; +@@ -1270,3 +1270,9 @@ SECKEY_PrivateKeyStrengthInBits; ;+ local: ;+ *; ;+}; @@ -269,32 +270,32 @@ index 35850ca..4d778e5 100644 +;+ *; +;+}; diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h -index 5027847..31a0807 100644 +index a7ddd46..69a3426 100644 --- a/lib/util/pkcs11n.h +++ b/lib/util/pkcs11n.h -@@ -260,6 +260,8 @@ +@@ -264,6 +264,8 @@ /* SM algorithm (to be proposed to PKCS #11) */ #define CKM_NSS_SM3 (CKM_NSS + 45) +#define CKM_NSS_SM2 (CKM_NSS + 46) +#define CKM_NSS_SM2_WITH_SM3 (CKM_NSS + 47) - - /* + /* Kyber */ + #define CKM_NSS_KYBER_KEY_PAIR_GEN (CKM_NSS + 45) diff --git a/lib/util/secoid.c b/lib/util/secoid.c -index 2060429..e97eead 100644 +index df9b1aa..5119ac6 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c -@@ -616,6 +616,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 +@@ -632,6 +632,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 * 1.2.156.197.1.401 */ CONST_OID sm3[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x83, 0x11 }; +CONST_OID sm2[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x82, 0x2D }; +CONST_OID sm2_with_sm3[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x83, 0x75 }; - #define OI(x) \ - { \ -@@ -1812,6 +1814,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { + /* + https://oid-rep.orange-labs.fr/get/1.3.101.112 +@@ -1844,6 +1846,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION), @@ -304,15 +305,15 @@ index 2060429..e97eead 100644 OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION), OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h -index b6a98a2..b60f74e 100644 +index 433510b..12892cb 100644 --- a/lib/util/secoidt.h 
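Review bot: In the pkcs11n.h hunk the unchanged `#define CKM_NSS_SM3 (CKM_NSS + 45)` now sits directly above the upstream context line `#define CKM_NSS_KYBER_KEY_PAIR_GEN (CKM_NSS + 45)`, and the added `CKM_NSS_SM2 (CKM_NSS + 46)` matches the `CKM_NSS_KYBER (CKM_NSS + 46)` shown in the pkcs11n.h hunk of Feature-nss-support-SM3-digest-algorithm.patch, which has the same problem. Two mechanisms with the same CK_MECHANISM_TYPE value cannot be told apart by the token, and the series only becomes correct once Temp-fix-nss-3-101-build-error.patch renumbers the SM entries to 47–49. Assign the final values in the feature patches themselves, for example `#define CKM_NSS_SM3 (CKM_NSS + 47)`. Also add a comment such as `/* downstream allocation: recheck against upstream CKM_NSS values on every rebase */`.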
+++ b/lib/util/secoidt.h -@@ -513,6 +513,8 @@ typedef enum { - SEC_OID_HMAC_SHA3_512 = 371, +@@ -532,6 +532,8 @@ typedef enum { + SEC_OID_ECDH_KEA = 387, - SEC_OID_SM3 = 372, -+ SEC_OID_SM2 = 373, -+ SEC_OID_SM2_WITH_SM3 = 374, + SEC_OID_SM3 = 388, ++ SEC_OID_SM2 = 389, ++ SEC_OID_SM2_WITH_SM3 = 390, SEC_OID_TOTAL } SECOidTag; diff --git a/Feature-nss-support-SM3-digest-algorithm.patch b/Feature-nss-support-SM3-digest-algorithm.patch index 658b82393115e8713be91ef143e19ea6346f3957..2ee7abda0c6e51f50b3ea03639122453718cb5b3 100644 --- a/Feature-nss-support-SM3-digest-algorithm.patch +++ b/Feature-nss-support-SM3-digest-algorithm.patch @@ -7,10 +7,10 @@ Co-authored-by: godcansee Signed-off-by: Huaxin Lu diff --git a/lib/cryptohi/sechash.c b/lib/cryptohi/sechash.c -index 5c592df..b288145 100644 +index 11eb837..32b50ff 100644 --- a/lib/cryptohi/sechash.c +++ b/lib/cryptohi/sechash.c -@@ -85,6 +85,12 @@ sha512_NewContext(void) +@@ -85,6 +85,13 @@ sha512_NewContext(void) return (void *)PK11_CreateDigestContext(SEC_OID_SHA512); } @@ -19,11 +19,12 @@ index 5c592df..b288145 100644 +{ + return (void *)PK11_CreateDigestContext(SEC_OID_SM3); +} ++ + static void * sha3_224_NewContext(void) { -@@ -190,6 +196,16 @@ const SECHashObject SECHashObjects[] = { +@@ -190,6 +197,16 @@ const SECHashObject SECHashObjects[] = { PK11_DigestFinal, SHA224_BLOCK_LENGTH, HASH_AlgSHA224 }, @@ -40,16 +41,6 @@ index 5c592df..b288145 100644 { SHA3_224_LENGTH, (void *(*)(void))sha3_224_NewContext, (void *(*)(void *))PK11_CloneContext, -@@ -265,6 +281,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid) - case SEC_OID_SHA512: - ht = HASH_AlgSHA512; - break; -+ case SEC_OID_SM3: -+ ht = HASH_AlgSM3; -+ break; - case SEC_OID_SHA3_224: - ht = HASH_AlgSHA3_224; - break; diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h index b8bc4d3..a06544e 100644 --- a/lib/freebl/blapi.h @@ -319,18 +310,19 @@ index 07a34cf..0e4e2e3 100644 (void *(*)(void))SHA3_224_NewContext, (void *(*)(void *))null_hash_clone_context, 
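Review bot: The secoidt.h hunk renumbers `SEC_OID_SM2` and `SEC_OID_SM2_WITH_SM3` from 373/374 to 389/390, and the matching hunk in Feature-nss-support-SM3-digest-algorithm.patch moves `SEC_OID_SM3` from 372 to 388. SECOidTag values are compiled into callers, so a program built against the previous package's header keeps passing 372–374, which this version's table presumably resolves to upstream OIDs instead of the SM algorithms. Because the table is indexed by tag, the values cannot be pinned. The spec should instead state that every user of `SEC_OID_SM*` must be rebuilt with this update. The enum should carry a comment such as `/* downstream-only tags: values shift on each upstream rebase, never persist or hard-code them */`.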
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c -index 0243a93..5c4408e 100644 +index 4fc1601..c2b00c4 100644 --- a/lib/pk11wrap/pk11pars.c +++ b/lib/pk11wrap/pk11pars.c -@@ -342,6 +342,8 @@ static const oidValDef hashOptList[] = { - { CIPHER_NAME("SHA384"), SEC_OID_SHA384, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, +@@ -352,6 +352,9 @@ static const oidValDef hashOptList[] = { { CIPHER_NAME("SHA512"), SEC_OID_SHA512, -+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SM3"), SEC_OID_SM3, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE } - }; - ++ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | ++ NSS_USE_ALG_IN_PKCS12 }, + { CIPHER_NAME("SHA3-224"), SEC_OID_SHA3_224, + NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME | + NSS_USE_ALG_IN_PKCS12 }, diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c index fb05ba6..e29cb26 100644 --- a/lib/pk11wrap/pk11slot.c @@ -445,26 +437,39 @@ index b70b94f..26506c3 100644 #define HASH_LENGTH_MAX SHA512_LENGTH /* +diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c +index 0feb207..efa4a05 100644 +--- a/lib/util/nsshash.c ++++ b/lib/util/nsshash.c +@@ -34,6 +34,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid) + case SEC_OID_SHA512: + ht = HASH_AlgSHA512; + break; ++ case SEC_OID_SM3: ++ ht = HASH_AlgSM3; ++ break; + case SEC_OID_SHA3_224: + ht = HASH_AlgSHA3_224; + break; diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h -index cb76720..5027847 100644 +index 8c33b87..a7ddd46 100644 --- a/lib/util/pkcs11n.h 
+++ b/lib/util/pkcs11n.h -@@ -258,6 +258,10 @@ +@@ -262,6 +262,9 @@ #define CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA (CKM_NSS + 43) #define CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA (CKM_NSS + 44) +/* SM algorithm (to be proposed to PKCS #11) */ +#define CKM_NSS_SM3 (CKM_NSS + 45) + -+ - /* - * HISTORICAL: - * Do not attempt to use these. They are only used by NSS's internal + /* Kyber */ + #define CKM_NSS_KYBER_KEY_PAIR_GEN (CKM_NSS + 45) + #define CKM_NSS_KYBER (CKM_NSS + 46) diff --git a/lib/util/secoid.c b/lib/util/secoid.c -index 5026d4b..2060429 100644 +index 641c5b0..df9b1aa 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c -@@ -612,6 +612,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; +@@ -628,6 +628,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; */ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 }; @@ -473,10 +478,10 @@ index 5026d4b..2060429 100644 + */ +CONST_OID sm3[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x83, 0x11 }; + - #define OI(x) \ - { \ - siDEROID, (unsigned char *)x, sizeof x \ -@@ -1806,6 +1811,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { + /* + https://oid-rep.orange-labs.fr/get/1.3.101.112 + A.1. ASN.1 Object for Ed25519 +@@ -1838,6 +1843,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "IPsec User", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), @@ -486,14 +491,14 @@ index 5026d4b..2060429 100644 OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), OD(sha3_384, SEC_OID_SHA3_384, "SHA3-384", CKM_SHA3_384, INVALID_CERT_EXTENSION), diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h -index 788bed0..b6a98a2 100644 +index f76462e..433510b 100644 --- a/lib/util/secoidt.h 
+++ b/lib/util/secoidt.h -@@ -512,6 +512,8 @@ typedef enum { - SEC_OID_HMAC_SHA3_384 = 370, - SEC_OID_HMAC_SHA3_512 = 371, +@@ -531,6 +531,8 @@ typedef enum { + SEC_OID_RC2_128_CBC = 386, + SEC_OID_ECDH_KEA = 387, -+ SEC_OID_SM3 = 372, ++ SEC_OID_SM3 = 388, + SEC_OID_TOTAL } SECOidTag; diff --git a/Temp-fix-nss-3-101-build-error.patch b/Temp-fix-nss-3-101-build-error.patch new file mode 100644 index 0000000000000000000000000000000000000000..911055ae8a7a28a2f9a017598b78edd6d16053c7 --- /dev/null +++ b/Temp-fix-nss-3-101-build-error.patch 
@@ -0,0 +1,80 @@ +From f777c2a254f564f75197a8a9985ed1904a20ed0c Mon Sep 17 00:00:00 2001 +From: misaka00251 +Date: Thu, 11 Jul 2024 17:54:57 +0800 +Subject: [PATCH] Temp fix nss 3.101 build error + + +diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c +index 97affef..4eaa1ff 100644 +--- a/lib/freebl/ec.c ++++ b/lib/freebl/ec.c +@@ -514,8 +514,8 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) + + /* Generate ECDSA signature with the specified k value */ + rv = key->ecParams.name == ECCurve_sm2p256v1 ? +- SM2_SignDigestWithSeed(key, signature, digest, kBytes, len) : +- ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len); ++ SM2_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len) : ++ ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len); + NSS_DECLASSIFY(signature->data, signature->len); + + cleanup: +diff --git a/lib/freebl/sm2.c b/lib/freebl/sm2.c +index f80b8ca..7739137 100644 +--- a/lib/freebl/sm2.c ++++ b/lib/freebl/sm2.c +@@ -22,7 +22,6 @@ SM2_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, + mp_int e, k, x1, y1, r, n, dA, tmp, s; + mp_err err = MP_OKAY; + ECParams *ecParams; +- ECGroup *group; + SECItem kGpoint = { siBuffer, NULL, 0 }; + mp_size olen; + +@@ -62,18 +61,11 @@ SM2_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, + goto cleanup; + } + +- /* (x1, y1) = [k]G */ +- group = ECGroup_fromName(ecParams->name); +- if (!group) +- goto cleanup; +- + kGpoint.len = EC_GetPointSize(ecParams); + kGpoint.data = PORT_Alloc(kGpoint.len); + if (kGpoint.data == NULL) + goto cleanup; + +- CHECK_MPI_OK(ECPoints_mul(group, &k, NULL, NULL, NULL, &x1, &y1)); +- + /* r = (e + x1) mod n */ + CHECK_MPI_OK(mp_addmod(&e, &x1, &n, &r)); + +diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h +index 69a3426..f7201cd 100644 +--- a/lib/util/pkcs11n.h ++++ b/lib/util/pkcs11n.h +@@ -262,15 +262,15 @@ + #define CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA (CKM_NSS + 43) + #define 
CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA (CKM_NSS + 44) + +-/* SM algorithm (to be proposed to PKCS #11) */ +-#define CKM_NSS_SM3 (CKM_NSS + 45) +-#define CKM_NSS_SM2 (CKM_NSS + 46) +-#define CKM_NSS_SM2_WITH_SM3 (CKM_NSS + 47) +- + /* Kyber */ + #define CKM_NSS_KYBER_KEY_PAIR_GEN (CKM_NSS + 45) + #define CKM_NSS_KYBER (CKM_NSS + 46) + ++/* SM algorithm (to be proposed to PKCS #11) */ ++#define CKM_NSS_SM3 (CKM_NSS + 47) ++#define CKM_NSS_SM2 (CKM_NSS + 48) ++#define CKM_NSS_SM2_WITH_SM3 (CKM_NSS + 49) ++ + /* + * HISTORICAL: + * Do not attempt to use these. They are only used by NSS's internal +-- +2.45.2 + diff --git a/nss-3.101.tar.gz b/nss-3.101.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..9ed04bd6af126a0d82518c0f466d85a176f6143a Binary files /dev/null and b/nss-3.101.tar.gz differ diff --git a/nss-config b/nss-config index 5c5cd7e0ae4153e01ae183d5458c8ff989c82348..9822491d31d6b9f0a7af5b203865ffc70173cb3a 100644 --- a/nss-config +++ b/nss-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=94 +minor_version=101 patch_version=0 usage() diff --git a/nss-softokn-config b/nss-softokn-config index 8422c7985f71ee72b2e53b5e7b80df054c2166c8..9611915e7407b96d9597a16e31f06e0dd7447d35 100644 --- a/nss-softokn-config +++ b/nss-softokn-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=94 +minor_version=101 patch_version=0 usage() diff --git a/nss-softokn.pc b/nss-softokn.pc index f831298f21002dc3a4c113bc251b81cfe41b4247..4e2ded4ec5d986a83a88cbb2e5ed3365218a7ad4 100644 --- a/nss-softokn.pc +++ b/nss-softokn.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-SOFTOKN Description: Network Security Services Softoken PKCS #11 Module -Version: 3.94 -Requires: nspr >= 4.35.0, nss-util >= 3.94 +Version: 3.101 +Requires: nspr >= 4.35.0, nss-util >= 3.101 Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 Cflags: -I${includedir} 
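Review bot: The sm2.c hunk of Temp-fix-nss-3-101-build-error.patch deletes the `ECPoints_mul(group, &k, NULL, NULL, NULL, &x1, &y1)` call that computed (x1, y1) = [k]G but keeps `CHECK_MPI_OK(mp_addmod(&e, &x1, &n, &r));`. Nothing in the visible lines assigns `x1` afterwards, so `r` no longer depends on the nonce point, and `kGpoint` is allocated without being filled. The body of SM2_SignDigestWithSeed continues outside the hunk, so this needs checking against the full function, but as shown the build fix appears to leave SM2 signing returning values that are not valid SM2 signatures. Until the multiplication is restored with whatever point-multiplication routine this NSS version provides, the function should fail closed in place of the removed block, for example `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); goto cleanup;` (provided `rv` is still a failure value at that point). A comment there should say that signing is disabled, and an SM2 sign-then-verify check in the package's test step would catch a regression like this.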
diff --git a/nss-util-config b/nss-util-config index 4726a838282ffc1b5a455d85be39518ff0d0794b..6f30486e6980048cd05720be68acfc19868209b1 100644 --- a/nss-util-config +++ b/nss-util-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=94 +minor_version=101 patch_version=0 usage() diff --git a/nss-util.pc b/nss-util.pc index 86515d236577eb832b5d67ff984528576f48784d..055658b577b1197fef0b6eb541e8be05ddf9ecf2 100644 --- a/nss-util.pc +++ b/nss-util.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-UTIL Description: Network Security Services Utility Library -Version: 3.94 +Version: 3.101 Requires: nspr >= 4.35.0 Libs: -L${libdir} -lnssutil3 Cflags: -I${includedir} diff --git a/nss.pc b/nss.pc index ff03a70c82e37e0a20a8dc464bfdf52379b337f1..64fa784bd233dba850853d5f9d31014493ff667c 100644 --- a/nss.pc +++ b/nss.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS Description: Network Security Services -Version: 3.94 +Version: 3.101 Requires: nspr >= 4.35.0, nss-util >= 3.94 Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 Cflags: -I${includedir} diff --git a/nss.spec b/nss.spec index c1a85c918cb49c50e41793f6dc4de18a59bce828..a9a5020e0c0b1bac4c7b9393bb41fd21942211a4 100644 --- a/nss.spec +++ b/nss.spec @@ -1,7 +1,7 @@ %global nspr_version 4.35.0 -%global nss_version 3.94.0 -%global nss_ver 3_94 -%global nss_archive_version 3.94 +%global nss_version 3.101.0 +%global nss_ver 3_101 +%global nss_archive_version 3.101 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" @@ -26,7 +26,7 @@ Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 6 +Release: 1 License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Provides: nss-system-init 
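Review bot: nss.pc now reports `Version: 3.101`, but its `Requires:` line is left unchanged at `nss-util >= 3.94`, whereas nss-softokn.pc in this same change is raised to `nss-util >= 3.101`. The SM3 patch in this change shows HASH_GetHashTypeByOidTag living in lib/util/nsshash.c, and the spec now ships nsshash.h, so libnss at this version presumably needs the matching nss-util. Change the line to `Requires: nspr >= 4.35.0, nss-util >= 3.101`.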
@@ -60,6 +60,7 @@ Patch9003: Feature-nss-support-SM2-signature-algorithm.patch Patch9004: Feature-nss-fix-the-certificate-resolution-in-sm2.patch Patch9005: Feature-fix-sm2-sm3-code-error.patch Patch9006: Feature-fix-sm3-code-error.patch +Patch10000: Temp-fix-nss-3-101-build-error.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -150,11 +151,13 @@ pushd nss %patch9004 -p1 %patch9005 -p1 %patch9006 -p1 +%patch10000 -p1 popd %build export NSS_FORCE_FIPS=1 +export NSS_DISABLE_DEPRECATED_SEED=1 # Enable compiler optimizations and disable debugging code export BUILD_OPT=1 @@ -245,6 +248,7 @@ echo -n %{version} > version.xml export FREEBL_NO_DEPEND=1 export BUILD_OPT=1 +export NSS_DISABLE_DEPRECATED_SEED=1 %ifnarch noarch %if 0%{__isa_bits} == 64 @@ -466,6 +470,8 @@ update-crypto-policies &>/dev/null||: %{_includedir}/nss3/nssbaset.h %{_includedir}/nss3/nssck*.h %{_includedir}/nss3/templates/nssck.api +%{_includedir}/nss3/kyber.h +%{_includedir}/nss3/nsshash.h %files util %{!?_licensedir:%global license %%doc} @@ -572,6 +578,9 @@ update-crypto-policies &>/dev/null||: %doc %{_mandir}/man* %changelog +* Mon Jul 15 2024 misaka00251 - 3.101.0-1 +- Upgrade to 3.101.0 + * Thu Apr 18 2024 jinlun - 3.94.0-6 - Add Integrity Verification File in nss-softokn