import nss-3.90.0-6.el9_3

79fad0fd · Rocky Automation · d715112c · 79fad0fd · 79fad0fd · 79fad0fd
Commit 79fad0fd authored 1 year ago by Rocky Automation
--- a/.nss.checksum
+++ b/.nss.checksum
-70914ace811c40f497d00e377c0fb2788385e0e30228a1369a3ea7e05efece06
+be54fdbb3acb2de3d452ae3a71f1d14ed1cab5225c1e477c27e40f46d4419cba
--- a/.nss.metadata
+++ b/.nss.metadata
+9acd6534c41d8ead19fca6fcb3fffed2f9f09c437c3d79fee6a4ee668aaa93b6 SOURCES/nss-3.90.tar.gz
 a96b7b66493ec6161f3dbdc673562d5b3d78efe92ac2506ef6c65719b789111b SOURCES/NameConstraints_Certs.tar
 6bda6ce59a46dea427681cc8a76295e34c7c2f17f4a2f265b39cfe258ab65ded SOURCES/blank-cert9.db
 a2fa0ba8e20d1aee355a0f45266eb3e53fb5720ace9fe4c9bcc964f6d4fdf87d SOURCES/blank-key4.db
 7ea3297ea5969b5d25a5dd8d47f2443cda88e9ee746301f6e1e1426f8a6abc8f SOURCES/nspr-4.35.tar.gz
-9acd6534c41d8ead19fca6fcb3fffed2f9f09c437c3d79fee6a4ee668aaa93b6 SOURCES/nss-3.90.tar.gz
--- a/SOURCES/fips_algorithms.h
+++ b/SOURCES/fips_algorithms.h
@@ -16,7 +16,10 @@ typedef enum {
    SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
    SFTKFIPSRSAPSS, /* make sure salt isn't too big */
    SFTKFIPSPBKDF2,  /* handle pbkdf2 FIPS restrictions */
+    SFTKFIPSTlsKeyCheck,  /* check the output of TLS prf functions */
    SFTKFIPSChkHash,  /* make sure the base hash of KDF functions is FIPS */
+    SFTKFIPSChkHashTls,  /* make sure the base hash of TLS KDF functions is FIPS */
+    SFTKFIPSChkHashSp800,  /* make sure the base hash of SP-800-108 KDF functions is FIPS */
 } SFTKFIPSSpecialClass;

 /* set according to your security policy */
@@ -94,11 +97,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
    { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
    { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
    { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
-    /* ------------------------- DSA Operations --------------------------- */
-    { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
-    { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
    /* -------------------- Diffie Hellman Operations --------------------- */
    { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
    { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
@@ -141,14 +139,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
    { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
    /* ---------------------- SSL/TLS operations ------------------------- */
    { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
-    { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
-    { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
-    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHash,
+    { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSTlsKeyCheck, offsetof(CK_TLS12_KEY_MAT_PARAMS, prfHashMechanism) },
+    { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHashTls,
        offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHash,
+    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHashTls,
        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
-    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHash,
+    { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHashTls,
        offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },

    /* ------------------------- HKDF Operations -------------------------- */
@@ -159,17 +155,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
    { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
    { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
    /* ------------------ NIST 800-108 Key Derivations  ------------------- */
-    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
+    { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
+    { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
-        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
-    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHash,
+    { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
    /* --------------------IPSEC ----------------------- */
    { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
@@ -178,5 +168,21 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
        offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) },
    /* ------------------ PBE Key Derivations  ------------------- */
    { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
+    /* the deprecated mechanisms, don't use for some reason we are supposed
+     * to set the FIPS indicators on these (sigh) */
+    { CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
+    { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
+    { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHashSp800,
+        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
--- a/SOURCES/nss-3.90-aes-gmc-indicator.patch
+++ b/SOURCES/nss-3.90-aes-gmc-indicator.patch
@@ -10,7 +10,7 @@ diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
     if (crv != CKR_OK)
         return crv;
 
-+    if (context->isFIPS && (contextType == CKA_ENCRYPT)) {
+    if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
 +        if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
 +            context->isFIPS = PR_FALSE;
 +        } else {

--- a/SOURCES/nss-3.90-dh-test-update.patch
+++ b/SOURCES/nss-3.90-dh-test-update.patch
+diff -up ./lib/freebl/fipsfreebl.c.dh_test ./lib/freebl/fipsfreebl.c
+--- ./lib/freebl/fipsfreebl.c.dh_test	2024-01-18 08:34:45.936944401 -0800
+++ ./lib/freebl/fipsfreebl.c	2024-01-18 09:20:57.555980326 -0800
+@@ -1816,38 +1816,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
+ {
+     /* DH Known P (2048-bits) */
+     static const PRUint8 dh_known_P[] = {
+-        0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
+-        0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
+-        0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
+-        0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
+-        0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
+-        0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
+-        0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
+-        0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
+-        0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
+-        0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
+-        0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
+-        0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
+-        0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
+-        0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
+-        0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
+-        0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
+-        0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
+-        0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
+-        0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
+-        0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
+-        0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
+-        0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
+-        0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
+-        0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
+-        0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
+-        0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
+-        0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
+-        0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
+-        0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
+-        0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
+-        0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
+-        0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+        0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+        0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+        0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+        0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+        0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+        0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+        0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+        0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+        0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+        0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+        0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+        0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+        0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+        0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+        0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+        0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+        0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+        0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+        0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+        0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+        0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+        0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+        0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+        0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+        0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+        0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+        0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+        0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+        0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+        0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
+        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+
+     };
+ 
+     static const PRUint8 dh_known_Y_1[] = {
+@@ -1893,10 +1894,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
+     };
+ 
+     static const PRUint8 dh_known_hash_result[] = {
+-        0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
+-        0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
+-        0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
+-        0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
+        0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
+        0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
+        0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
+        0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
+     };
+ 
+     /* DH variables. */
--- a/SOURCES/nss-3.90-ecc-wrap-fix.patch
+++ b/SOURCES/nss-3.90-ecc-wrap-fix.patch
+diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
+--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap	2023-06-04 01:42:53.000000000 -0700
+++ ./cmd/pk11ectest/pk11ectest.c	2024-01-23 14:07:29.421036328 -0800
+@@ -10,6 +10,32 @@
+ #include "pk11pub.h"
+ #include <stdio.h>
+ 
+typedef struct KeyLengthEntryStr {
+    SECOidTag tag;
+    unsigned int len;
+    PRBool encoded;
+} KeyLengthEntry;
+
+const KeyLengthEntry keyLengthTable[] = {
+    { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
+    { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
+    { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
+    { SEC_OID_CURVE25519, 32, PR_FALSE }
+};
+
+const KeyLengthEntry *
+getKeyLengthEntry(SECOidTag tag)
+{
+    int i;
+
+    for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
+        if (keyLengthTable[i].tag == tag) {
+            return &keyLengthTable[i];
+        }
+    }
+    return NULL;
+}
+
+ void
+ printBuf(const SECItem *item)
+ {
+@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
+     CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+     PK11SymKey *symKey = NULL;
+     SECStatus rv = SECFailure;
+    const KeyLengthEntry *keyLengthEntry;
+    SECItem point = { siBuffer, NULL, 0 };
+    SECItem value = { siBuffer, NULL, 0 };
+    PLArenaPool *arena = NULL;
+ 
+     oidData = SECOID_FindOIDByTag(oid);
+     if (oidData == NULL) {
+@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
+         goto cleanup;
+     }
+     PrintKey(symKey);
+-    rv = SECSuccess;
+ 
+    keyLengthEntry = getKeyLengthEntry(oid);
+    /* this shouldn't happen unless new curves are added without adding them
+     * to the keyLengthTable */
+    PR_ASSERT(keyLengthEntry);
+
+    /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
+     * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
+     * our test will detect incorrect behavior */
+    rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
+    if (rv == SECFailure) {
+        printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
+        goto cleanup;
+    }
+    rv = SECFailure;
+    if (keyLengthEntry->encoded) {
+        if (point.len == keyLengthEntry->len) {
+            printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
+            printBuf(&point);
+            goto cleanup;
+        }
+        arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+        if (arena == NULL) {
+            printf(" >>> arena alloc failed.\n");
+            goto cleanup;
+        }
+
+        rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                    &point);
+        if (rv != SECSuccess) {
+            printf(" >>> invalid endoded CKA_EC_POINT.\n");
+            printBuf(&point);
+            goto cleanup;
+        }
+        rv = SECFailure;
+        if (value.len != keyLengthEntry->len) {
+            printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
+                   value.len, keyLengthEntry->len);
+            printBuf(&value);
+            goto cleanup;
+        }
+        if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+            printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
+                   value.data[0], EC_POINT_FORM_UNCOMPRESSED);
+            printBuf(&value);
+            goto cleanup;
+        }
+    } else {
+        if (point.len != keyLengthEntry->len) {
+            printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
+                   point.len, keyLengthEntry->len);
+            printBuf(&point);
+            goto cleanup;
+        }
+    }
+
+    rv = SECSuccess;
+ cleanup:
+     if (privKey) {
+         SECKEY_DestroyPrivateKey(privKey);
+@@ -91,7 +176,11 @@ cleanup:
+     if (symKey) {
+         PK11_FreeSymKey(symKey);
+     }
+    if (arena) {
+        PORT_FreeArena(arena, PR_TRUE);
+    }
+     SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
+    SECITEM_FreeItem(&point, PR_FALSE);
+ 
+     return rv;
+ }
+diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
+--- ./lib/freebl/blapit.h.ecc_wrap	2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/blapit.h	2024-01-23 14:07:29.421036328 -0800
+@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
+ */
+ 
+ typedef enum { ec_params_explicit,
+-               ec_params_named
+               ec_params_named,
+               ec_params_edwards_named,
+               ec_params_montgomery_named,
+ } ECParamsType;
+ 
+ typedef enum { ec_field_GFp = 1,
+diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
+--- ./lib/freebl/ecdecode.c.ecc_wrap	2024-01-23 14:07:14.533870602 -0800
+++ ./lib/freebl/ecdecode.c	2024-01-23 14:07:29.422036340 -0800
+@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
+ 
+         case SEC_OID_CURVE25519:
+             /* Populate params for Curve25519 */
+            params->type = ec_params_montgomery_named;
+             CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
+                                                   ec_field_plain,
+                                                   params));
+diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.ecc_wrap	2024-01-23 14:07:14.520870457 -0800
+++ ./lib/softoken/pkcs11c.c	2024-01-23 14:08:38.198801966 -0800
+@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+             }
+             /* make sure it has the same encoding */
+             if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+-                lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
+                lowPrivKey->u.ec.ecParams.type != ec_params_named) {
+               lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
+             } else {
+               lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
+@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+             }
+ 
+             if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+-                ecParams->fieldID.type == ec_field_plain) {
+                ecParams->type != ec_params_named) {
+                 PORT_FreeArena(ecParams->arena, PR_TRUE);
+                 crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+                                             sftk_item_expand(&ecPriv->publicValue));
+diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.ecc_wrap	2024-01-23 14:07:14.505870290 -0800
+++ ./lib/softoken/pkcs11.c	2024-01-23 14:07:29.423036351 -0800
+@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
+                 /* Handle the non-DER encoded case.
+                  * Some curves are always pressumed to be non-DER.
+                  */
+-                if (pubKey->u.ec.publicValue.len == keyLen &&
+-                    (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+                if (pubKey->u.ec.ecParams.type != ec_params_named ||
+                    (pubKey->u.ec.publicValue.len == keyLen &&
+                      pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
+                     break; /* key was not DER encoded, no need to unwrap */
+                 }
+@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
+                         break;
+                     }
+                     /* we don't handle compressed points except in the case of ECCurve25519 */
+-                    if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
+-                        (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+                    if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+                         crv = CKR_ATTRIBUTE_VALUE_INVALID;
+                         break;
+                     }
--- a/SOURCES/nss-3.90-fips-indicators2.patch
+++ b/SOURCES/nss-3.90-fips-indicators2.patch
+diff -up ./lib/softoken/pkcs11c.c.fips_2 ./lib/softoken/pkcs11c.c
+--- ./lib/softoken/pkcs11c.c.fips_2	2024-01-19 09:21:19.632889660 -0800
+++ ./lib/softoken/pkcs11c.c	2024-01-19 09:22:18.541471306 -0800
+@@ -7090,7 +7090,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
+                     mech.ulParameterLen = sizeof(*params);
+                     key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
+                                                        CKA_DERIVE, saltKey,
+-                                                       keySize);
+                                                       keySize*PR_BITS_PER_BYTE);
+                 }
+                 saltKeySource = saltKey->source;
+                 saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
+@@ -7404,7 +7404,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+         }
+     }
+     key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
+-                                       keySize);
+                                       keySize*PR_BITS_PER_BYTE);
+ 
+     switch (mechanism) {
+         /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+diff -up ./lib/softoken/pkcs11u.c.fips_2 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_2	2024-01-19 09:21:19.633889670 -0800
+++ ./lib/softoken/pkcs11u.c	2024-01-19 09:28:00.082843565 -0800
+@@ -2393,20 +2393,43 @@ sftk_getKeyLength(SFTKObject *source)
+ }
+ 
+ PRBool
+-sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
+sftk_checkFIPSHash(CK_MECHANISM_TYPE hash, PRBool allowSmall, PRBool allowCMAC)
+ {
+     switch (hash) {
+        case CKM_AES_CMAC:
+            return allowCMAC;
+        case CKM_SHA_1:
+        case CKM_SHA_1_HMAC:
+        case CKM_SHA224:
+        case CKM_SHA224_HMAC:
+            return allowSmall;
+         case CKM_SHA256:
+-        case CKG_MGF1_SHA256:
+        case CKM_SHA256_HMAC:
+         case CKM_SHA384:
+-        case CKG_MGF1_SHA384:
+        case CKM_SHA384_HMAC:
+         case CKM_SHA512:
+-        case CKG_MGF1_SHA512:
+        case CKM_SHA512_HMAC:
+             return PR_TRUE;
+     }
+     return PR_FALSE;
+ }
+ 
+PRBool
+sftk_checkKeyLength(CK_ULONG keyLength, CK_ULONG min,
+                    CK_ULONG max, CK_ULONG step)
+{
+     if (keyLength > max) {
+         return PR_FALSE;
+     }
+     if (keyLength < min ) {
+         return PR_FALSE;
+     }
+     if (((keyLength - min) % step) != 0) {
+         return PR_FALSE;
+     }
+     return PR_TRUE;
+}
+
+ /*
+  * handle specialized FIPS semantics that are too complicated to
+  * handle with just a table. NOTE: this means any additional semantics
+@@ -2416,6 +2439,8 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+                    SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
+                    CK_ULONG keyLength, CK_ULONG targetKeyLength)
+ {
+    PRBool allowSmall = PR_FALSE;
+    PRBool allowCMAC = PR_FALSE;
+     switch (mechInfo->special) {
+         case SFTKFIPSDH: {
+             SECItem dhPrime;
+@@ -2482,7 +2507,11 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+             if (pss->sLen > hashObj->length) {
+                 return PR_FALSE;
+             }
+-            return sftk_CheckFIPSHash(pss->hashAlg);
+            /* Our code makes sure pss->hashAlg matches the explicit
+             * hash in the mechanism, and only mechanisms with approved
+             * hashes are included, so no need to check pss->hashAlg
+             * here */
+            return PR_TRUE;
+         }
+         case SFTKFIPSPBKDF2: {
+             /* PBKDF2 must have the following addition restrictions
+@@ -2508,12 +2537,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+              return PR_TRUE;
+         }
+         /* check the hash mechanisms to make sure they themselves are FIPS */
+        case SFTKFIPSChkHashSp800:
+             allowCMAC = PR_TRUE;
+         case SFTKFIPSChkHash:
+             allowSmall = PR_TRUE;
+        case SFTKFIPSChkHashTls:
+             if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
+                 return PR_FALSE;
+             }
+-            return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+-                        + mechInfo->offset));
+            return sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+                        + mechInfo->offset), allowSmall, allowCMAC);
+        case SFTKFIPSTlsKeyCheck:
+            if (mech->mechanism != CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
+                /* unless the mechnism has a built-in hash, check the hash */
+                if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
+                    return PR_FALSE;
+                }
+                if (!sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+                        + mechInfo->offset), PR_FALSE, PR_FALSE)) {
+                    return PR_FALSE;
+                }
+            }
+            return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
+         default:
+             break;
+     }
+@@ -2558,13 +2603,11 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
+          * approved algorithm in the approved mode with an approved key */
+         if ((mech->mechanism == mechs->type) &&
+             (opFlags == (mechs->info.flags & opFlags)) &&
+-            (keyLength <= mechs->info.ulMaxKeySize) &&
+-            (keyLength >= mechs->info.ulMinKeySize) &&
+-            (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+-            ((targetKeyLength == 0) ||
+-             ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
+-             (targetKeyLength >= mechs->info.ulMinKeySize) &&
+-             ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
+            sftk_checkKeyLength(keyLength, mechs->info.ulMinKeySize,
+                                mechs->info.ulMaxKeySize, mechs->step) &&
+            ((targetKeyLength == 0) ||  (mechs->special == SFTKFIPSTlsKeyCheck)
+             || sftk_checkKeyLength(targetKeyLength, mechs->info.ulMinKeySize,
+                                mechs->info.ulMaxKeySize, mechs->step)) &&
+             ((mechs->special == SFTKFIPSNone) ||
+              sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
+             return PR_TRUE;
+diff -up ./lib/softoken/sftkmessage.c.fips_2 ./lib/softoken/sftkmessage.c
+--- ./lib/softoken/sftkmessage.c.fips_2	2024-01-19 09:21:19.634889680 -0800
+++ ./lib/softoken/sftkmessage.c	2024-01-19 09:22:18.541471306 -0800
+@@ -157,16 +157,25 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
+         } else {
+             CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
+             switch (p->ivGenerator) {
+                default:
+                 case CKG_NO_GENERATE:
+                     context->isFIPS = PR_FALSE;
+                     break;
+                 case CKG_GENERATE_RANDOM:
+-                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
+                    if ((p->ulIvLen < 96/PR_BITS_PER_BYTE) ||
+                        (p->ulIvFixedBits != 0)) {
+                         context->isFIPS = PR_FALSE;
+                     }
+                     break;
+-                default:
+-                    if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
+                case CKG_GENERATE_COUNTER_XOR:
+                    if ((p->ulIvLen != 96/PR_BITS_PER_BYTE) ||
+                        (p->ulIvFixedBits != 32)) {
+                        context->isFIPS = PR_FALSE;
+                    }
+                    break;
+                case CKG_GENERATE_COUNTER:
+                    if ((p->ulIvFixedBits < 32) ||
+                       ((p->ulIvLen*PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
+                         context->isFIPS = PR_FALSE;
+                     }
+             }
--- a/SOURCES/nss_p256_scalar_validated.patch
+++ b/SOURCES/nss_p256_scalar_validated.patch
--- a/SOURCES/nss_p384_hacl.patch
+++ b/SOURCES/nss_p384_hacl.patch
--- a/SOURCES/nss_p384_scalar_validated.patch
+++ b/SOURCES/nss_p384_scalar_validated.patch
--- a/SOURCES/nss_p521_hacl.patch
+++ b/SOURCES/nss_p521_hacl.patch
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
 %global nss_version 3.90.0
 %global nspr_version 4.35.0
-%global baserelease 4
+%global baserelease 6
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@@ -187,6 +187,13 @@ Patch81:         nss-3.90-fips-pkcs11-long-hash.patch
 Patch82:         nss-3.90-fips-safe-memset.patch
 Patch83:         nss-3.90-fips-indicators.patch
 Patch84:         nss-3.90-aes-gmc-indicator.patch
+Patch85:         nss-3.90-fips-indicators2.patch
+Patch86:         nss-3.90-dh-test-update.patch
+Patch90:         nss_p256_scalar_validated.patch
+Patch91:         nss_p384_scalar_validated.patch
+Patch92:         nss_p384_hacl.patch
+Patch93:         nss_p521_hacl.patch
+Patch94:         nss-3.90-ecc-wrap-fix.patch

 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -1186,7 +1193,15 @@ update-crypto-policies &> /dev/null || :


 %changelog
-* Wed Nov 22 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.3
+* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
+- Fix ecc DER wrapping.
+
+* Tue Jan 9 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
+- Pick up validated constant time implementations of p256, p384, and p521
+  from upsream
+- More Fips indicator changes
+
+* Wed Nov 22 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
 - FIPS review changes
 -   add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
 -   update the indicators for this release
@@ -1205,7 +1220,7 @@ update-crypto-policies &> /dev/null || :

 * Wed Jun 28 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
 - fix missing dist tag in packages version
- move from deprecate %patch format
+- move from deprecate %%patch format

 * Mon Jun 12 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
 - Rebase to NSS-3.90