From 57c5949090693f7c9523cc0556d2c53af5187ea0 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Dec 10 2019 15:06:25 +0000
Subject: import nss-3.44.0-7.el7_7


---

diff --git a/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch b/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch
new file mode 100644
index 0000000..225f023
--- /dev/null
+++ b/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch
@@ -0,0 +1,580 @@
+diff -up ./gtests/pk11_gtest/manifest.mn.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/manifest.mn
+--- ./gtests/pk11_gtest/manifest.mn.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.827832606 -0800
++++ ./gtests/pk11_gtest/manifest.mn	2019-12-05 10:59:53.802966671 -0800
+@@ -10,16 +10,18 @@ CPPSRCS = \
+       pk11_aeskeywrap_unittest.cc \
+       pk11_chacha20poly1305_unittest.cc \
+       pk11_curve25519_unittest.cc \
++      pk11_der_private_key_import_unittest.cc \
+       pk11_ecdsa_unittest.cc \
+       pk11_encrypt_derive_unittest.cc \
+       pk11_export_unittest.cc \
+       pk11_import_unittest.cc \
++      pk11_keygen.cc \
++      pk11_key_unittest.cc \
+       pk11_pbkdf2_unittest.cc \
+       pk11_prf_unittest.cc \
+       pk11_prng_unittest.cc \
+       pk11_rsapkcs1_unittest.cc \
+       pk11_rsapss_unittest.cc \
+-      pk11_der_private_key_import_unittest.cc \
+       $(NULL)
+ 
+ INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_gtest.gyp
+--- ./gtests/pk11_gtest/pk11_gtest.gyp.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_gtest.gyp	2019-12-05 11:01:38.874134681 -0800
+@@ -11,20 +11,22 @@
+       'target_name': 'pk11_gtest',
+       'type': 'executable',
+       'sources': [
+-        'pk11_aeskeywrap_unittest.cc',
+         'pk11_aes_gcm_unittest.cc',
++        'pk11_aeskeywrap_unittest.cc',
+         'pk11_chacha20poly1305_unittest.cc',
+         'pk11_cipherop_unittest.cc',
+         'pk11_curve25519_unittest.cc',
++        'pk11_der_private_key_import_unittest.cc',
+         'pk11_ecdsa_unittest.cc',
+         'pk11_encrypt_derive_unittest.cc',
+         'pk11_import_unittest.cc',
++        'pk11_keygen.cc',
++        'pk11_key_unittest.cc',
+         'pk11_pbkdf2_unittest.cc',
+         'pk11_prf_unittest.cc',
+         'pk11_prng_unittest.cc',
+         'pk11_rsapkcs1_unittest.cc',
+         'pk11_rsapss_unittest.cc',
+-        'pk11_der_private_key_import_unittest.cc',
+         '<(DEPTH)/gtests/common/gtests.cc'
+       ],
+       'dependencies': [
+diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_import_unittest.cc
+--- ./gtests/pk11_gtest/pk11_import_unittest.cc.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.821832539 -0800
++++ ./gtests/pk11_gtest/pk11_import_unittest.cc	2019-12-05 11:08:42.394842692 -0800
+@@ -15,6 +15,7 @@
+ #include "nss_scoped_ptrs.h"
+ #include "gtest/gtest.h"
+ #include "databuffer.h"
++#include "pk11_keygen.h"
+ 
+ namespace nss_test {
+ 
+@@ -30,7 +31,7 @@ struct PK11GenericObjectsDeleter {
+ 
+ class Pk11KeyImportTestBase : public ::testing::Test {
+  public:
+-  Pk11KeyImportTestBase(CK_MECHANISM_TYPE mech) : mech_(mech) {}
++  Pk11KeyImportTestBase() = default;
+   virtual ~Pk11KeyImportTestBase() = default;
+ 
+   void SetUp() override {
+@@ -42,12 +43,18 @@ class Pk11KeyImportTestBase : public ::t
+     password_.reset(SECITEM_DupItem(&pwItem));
+   }
+ 
+-  void Test() {
++  void Test(const Pkcs11KeyPairGenerator& generator) {
+     // Generate a key and export it.
+-    KeyType key_type;
++    KeyType key_type = nullKey;
+     ScopedSECKEYEncryptedPrivateKeyInfo key_info;
+     ScopedSECItem public_value;
+-    GenerateAndExport(&key_type, &key_info, &public_value);
++    GenerateAndExport(generator, &key_type, &key_info, &public_value);
++
++    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
++    // test those beyond generate and verify.
++    if (key_type == dhKey) {
++      return;
++    }
+     ASSERT_NE(nullptr, key_info);
+     ASSERT_NE(nullptr, public_value);
+ 
+@@ -66,17 +73,6 @@ class Pk11KeyImportTestBase : public ::t
+     CheckForPublicKey(priv_key, public_value.get());
+   }
+ 
+- protected:
+-  class ParamHolder {
+-   public:
+-    virtual ~ParamHolder() = default;
+-    virtual void* get() = 0;
+-  };
+-
+-  virtual std::unique_ptr<ParamHolder> MakeParams() = 0;
+-
+-  CK_MECHANISM_TYPE mech_;
+-
+  private:
+   SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+     SECItem null = { siBuffer, NULL, 0};
+@@ -196,20 +192,14 @@ class Pk11KeyImportTestBase : public ::t
+     }
+   }
+ 
+-  void GenerateAndExport(KeyType* key_type,
++  void GenerateAndExport(const Pkcs11KeyPairGenerator& generator,
++                         KeyType* key_type,
+                          ScopedSECKEYEncryptedPrivateKeyInfo* key_info,
+                          ScopedSECItem* public_value) {
+-    auto params = MakeParams();
+-    ASSERT_NE(nullptr, params);
+-
+-    SECKEYPublicKey* pub_tmp;
+-    ScopedSECKEYPrivateKey priv_key(
+-        PK11_GenerateKeyPair(slot_.get(), mech_, params->get(), &pub_tmp,
+-                             PR_FALSE, PR_TRUE, nullptr));
+-    ASSERT_NE(nullptr, priv_key) << "PK11_GenerateKeyPair failed: "
+-                                 << PORT_ErrorToName(PORT_GetError());
+-    ScopedSECKEYPublicKey pub_key(pub_tmp);
+-    ASSERT_NE(nullptr, pub_key);
++    ScopedSECKEYPrivateKey priv_key;
++    ScopedSECKEYPublicKey pub_key;
++    generator.GenerateKey(&priv_key, &pub_key);
++    ASSERT_TRUE(priv_key);
+ 
+     // Wrap and export the key.
+     ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
+@@ -239,6 +229,11 @@ class Pk11KeyImportTestBase : public ::t
+     }
+ 
+     CheckForPublicKey(priv_key, pub_val);
++    // Note: NSS is currently unable export wrapped DH keys, so this doesn't
++    // test those beyond generate and verify.
++    if (t == dhKey) {
++      return;
++    }
+ 
+     *key_type = t;
+     key_info->swap(epki);
+@@ -253,82 +248,13 @@ class Pk11KeyImportTest
+     : public Pk11KeyImportTestBase,
+       public ::testing::WithParamInterface<CK_MECHANISM_TYPE> {
+  public:
+-  Pk11KeyImportTest() : Pk11KeyImportTestBase(GetParam()) {}
++  Pk11KeyImportTest() = default;
+   virtual ~Pk11KeyImportTest() = default;
+-
+- protected:
+-  std::unique_ptr<ParamHolder> MakeParams() override {
+-    switch (mech_) {
+-      case CKM_RSA_PKCS_KEY_PAIR_GEN:
+-        return std::unique_ptr<ParamHolder>(new RsaParamHolder());
+-
+-      case CKM_DSA_KEY_PAIR_GEN:
+-      case CKM_DH_PKCS_KEY_PAIR_GEN: {
+-        PQGParams* pqg_params = nullptr;
+-        PQGVerify* pqg_verify = nullptr;
+-        const unsigned int key_size = 1024;
+-        SECStatus rv = PK11_PQG_ParamGenV2(key_size, 0, key_size / 16,
+-                                           &pqg_params, &pqg_verify);
+-        if (rv != SECSuccess) {
+-          ADD_FAILURE() << "PK11_PQG_ParamGenV2 failed";
+-          return nullptr;
+-        }
+-        EXPECT_NE(nullptr, pqg_verify);
+-        EXPECT_NE(nullptr, pqg_params);
+-        PK11_PQG_DestroyVerify(pqg_verify);
+-        if (mech_ == CKM_DSA_KEY_PAIR_GEN) {
+-          return std::unique_ptr<ParamHolder>(new PqgParamHolder(pqg_params));
+-        }
+-        return std::unique_ptr<ParamHolder>(new DhParamHolder(pqg_params));
+-      }
+-
+-      default:
+-        ADD_FAILURE() << "unknown OID " << mech_;
+-    }
+-    return nullptr;
+-  }
+-
+- private:
+-  class RsaParamHolder : public ParamHolder {
+-   public:
+-    RsaParamHolder()
+-        : params_({/*.keySizeInBits = */ 1024, /*.pe = */ 0x010001}) {}
+-    ~RsaParamHolder() = default;
+-
+-    void* get() override { return &params_; }
+-
+-   private:
+-    PK11RSAGenParams params_;
+-  };
+-
+-  class PqgParamHolder : public ParamHolder {
+-   public:
+-    PqgParamHolder(PQGParams* params) : params_(params) {}
+-    ~PqgParamHolder() = default;
+-
+-    void* get() override { return params_.get(); }
+-
+-   private:
+-    ScopedPQGParams params_;
+-  };
+-
+-  class DhParamHolder : public PqgParamHolder {
+-   public:
+-    DhParamHolder(PQGParams* params)
+-        : PqgParamHolder(params),
+-          params_({/*.arena = */ nullptr,
+-                   /*.prime = */ params->prime,
+-                   /*.base = */ params->base}) {}
+-    ~DhParamHolder() = default;
+-
+-    void* get() override { return &params_; }
+-
+-   private:
+-    SECKEYDHParams params_;
+-  };
+ };
+ 
+-TEST_P(Pk11KeyImportTest, GenerateExportImport) { Test(); }
++TEST_P(Pk11KeyImportTest, GenerateExportImport) {
++  Test(Pkcs11KeyPairGenerator(GetParam()));
++}
+ 
+ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTest, Pk11KeyImportTest,
+                         ::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
+@@ -339,42 +265,13 @@ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTes
+ class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
+                             public ::testing::WithParamInterface<SECOidTag> {
+  public:
+-  Pk11KeyImportTestEC() : Pk11KeyImportTestBase(CKM_EC_KEY_PAIR_GEN) {}
++  Pk11KeyImportTestEC() = default;
+   virtual ~Pk11KeyImportTestEC() = default;
+-
+- protected:
+-  std::unique_ptr<ParamHolder> MakeParams() override {
+-    return std::unique_ptr<ParamHolder>(new EcParamHolder(GetParam()));
+-  }
+-
+- private:
+-  class EcParamHolder : public ParamHolder {
+-   public:
+-    EcParamHolder(SECOidTag curve_oid) {
+-      SECOidData* curve = SECOID_FindOIDByTag(curve_oid);
+-      EXPECT_NE(nullptr, curve);
+-
+-      size_t plen = curve->oid.len + 2;
+-      extra_.reset(new uint8_t[plen]);
+-      extra_[0] = SEC_ASN1_OBJECT_ID;
+-      extra_[1] = static_cast<uint8_t>(curve->oid.len);
+-      memcpy(&extra_[2], curve->oid.data, curve->oid.len);
+-
+-      ec_params_ = {/*.type = */ siBuffer,
+-                    /*.data = */ extra_.get(),
+-                    /*.len = */ static_cast<unsigned int>(plen)};
+-    }
+-    ~EcParamHolder() = default;
+-
+-    void* get() override { return &ec_params_; }
+-
+-   private:
+-    SECKEYECParams ec_params_;
+-    std::unique_ptr<uint8_t[]> extra_;
+-  };
+ };
+ 
+-TEST_P(Pk11KeyImportTestEC, GenerateExportImport) { Test(); }
++TEST_P(Pk11KeyImportTestEC, GenerateExportImport) {
++  Test(Pkcs11KeyPairGenerator(CKM_EC_KEY_PAIR_GEN, GetParam()));
++}
+ 
+ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTestEC, Pk11KeyImportTestEC,
+                         ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
+diff -up ./gtests/pk11_gtest/pk11_keygen.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_keygen.cc
+--- ./gtests/pk11_gtest/pk11_keygen.cc.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.829832628 -0800
++++ ./gtests/pk11_gtest/pk11_keygen.cc	2019-12-05 10:56:41.829832628 -0800
+@@ -0,0 +1,143 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "pk11_keygen.h"
++
++#include "pk11pub.h"
++#include "pk11pqg.h"
++#include "prerror.h"
++
++#include "gtest/gtest.h"
++
++namespace nss_test {
++
++class ParamHolder {
++ public:
++  virtual void* get() = 0;
++  virtual ~ParamHolder() = default;
++
++ protected:
++  ParamHolder() = default;
++};
++
++void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key,
++                                         ScopedSECKEYPublicKey* pub_key) const {
++  // This function returns if an assertion fails, so don't leak anything.
++  priv_key->reset(nullptr);
++  pub_key->reset(nullptr);
++
++  auto params = MakeParams();
++  ASSERT_NE(nullptr, params);
++
++  ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
++  ASSERT_TRUE(slot);
++
++  SECKEYPublicKey* pub_tmp;
++  ScopedSECKEYPrivateKey priv_tmp(PK11_GenerateKeyPair(
++      slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE, PR_TRUE, nullptr));
++  ASSERT_NE(nullptr, priv_tmp) << "PK11_GenerateKeyPair failed: "
++                               << PORT_ErrorToName(PORT_GetError());
++  ASSERT_NE(nullptr, pub_tmp);
++
++  priv_key->swap(priv_tmp);
++  pub_key->reset(pub_tmp);
++}
++
++class RsaParamHolder : public ParamHolder {
++ public:
++  RsaParamHolder() : params_({1024, 0x010001}) {}
++  ~RsaParamHolder() = default;
++
++  void* get() override { return &params_; }
++
++ private:
++  PK11RSAGenParams params_;
++};
++
++class PqgParamHolder : public ParamHolder {
++ public:
++  PqgParamHolder(PQGParams* params) : params_(params) {}
++  ~PqgParamHolder() = default;
++
++  void* get() override { return params_.get(); }
++
++ private:
++  ScopedPQGParams params_;
++};
++
++class DhParamHolder : public PqgParamHolder {
++ public:
++  DhParamHolder(PQGParams* params)
++      : PqgParamHolder(params),
++        params_({nullptr, params->prime, params->base}) {}
++  ~DhParamHolder() = default;
++
++  void* get() override { return &params_; }
++
++ private:
++  SECKEYDHParams params_;
++};
++
++class EcParamHolder : public ParamHolder {
++ public:
++  EcParamHolder(SECOidTag curve_oid) {
++    SECOidData* curve = SECOID_FindOIDByTag(curve_oid);
++    EXPECT_NE(nullptr, curve);
++
++    size_t plen = curve->oid.len + 2;
++    extra_.reset(new uint8_t[plen]);
++    extra_[0] = SEC_ASN1_OBJECT_ID;
++    extra_[1] = static_cast<uint8_t>(curve->oid.len);
++    memcpy(&extra_[2], curve->oid.data, curve->oid.len);
++
++    ec_params_ = {siBuffer, extra_.get(), static_cast<unsigned int>(plen)};
++  }
++  ~EcParamHolder() = default;
++
++  void* get() override { return &ec_params_; }
++
++ private:
++  SECKEYECParams ec_params_;
++  std::unique_ptr<uint8_t[]> extra_;
++};
++
++std::unique_ptr<ParamHolder> Pkcs11KeyPairGenerator::MakeParams() const {
++  switch (mech_) {
++    case CKM_RSA_PKCS_KEY_PAIR_GEN:
++      std::cerr << "Generate RSA pair" << std::endl;
++      return std::unique_ptr<ParamHolder>(new RsaParamHolder());
++
++    case CKM_DSA_KEY_PAIR_GEN:
++    case CKM_DH_PKCS_KEY_PAIR_GEN: {
++      PQGParams* pqg_params = nullptr;
++      PQGVerify* pqg_verify = nullptr;
++      const unsigned int key_size = 1024;
++      SECStatus rv = PK11_PQG_ParamGenV2(key_size, 0, key_size / 16,
++                                         &pqg_params, &pqg_verify);
++      if (rv != SECSuccess) {
++        ADD_FAILURE() << "PK11_PQG_ParamGenV2 failed";
++        return nullptr;
++      }
++      EXPECT_NE(nullptr, pqg_verify);
++      EXPECT_NE(nullptr, pqg_params);
++      PK11_PQG_DestroyVerify(pqg_verify);
++      if (mech_ == CKM_DSA_KEY_PAIR_GEN) {
++        std::cerr << "Generate DSA pair" << std::endl;
++        return std::unique_ptr<ParamHolder>(new PqgParamHolder(pqg_params));
++      }
++      std::cerr << "Generate DH pair" << std::endl;
++      return std::unique_ptr<ParamHolder>(new DhParamHolder(pqg_params));
++    }
++
++    case CKM_EC_KEY_PAIR_GEN:
++      std::cerr << "Generate EC pair on " << curve_ << std::endl;
++      return std::unique_ptr<ParamHolder>(new EcParamHolder(curve_));
++
++    default:
++      ADD_FAILURE() << "unknown OID " << mech_;
++  }
++  return nullptr;
++}
++
++}  // namespace nss_test
+diff -up ./gtests/pk11_gtest/pk11_keygen.h.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_keygen.h
+--- ./gtests/pk11_gtest/pk11_keygen.h.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_keygen.h	2019-12-05 10:56:41.828832617 -0800
+@@ -0,0 +1,34 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "nss.h"
++#include "secoid.h"
++
++#include "nss_scoped_ptrs.h"
++
++namespace nss_test {
++
++class ParamHolder;
++
++class Pkcs11KeyPairGenerator {
++ public:
++  Pkcs11KeyPairGenerator(CK_MECHANISM_TYPE mech, SECOidTag curve_oid)
++      : mech_(mech), curve_(curve_oid) {}
++  Pkcs11KeyPairGenerator(CK_MECHANISM_TYPE mech)
++      : Pkcs11KeyPairGenerator(mech, SEC_OID_UNKNOWN) {}
++
++  CK_MECHANISM_TYPE mechanism() const { return mech_; }
++  SECOidTag curve() const { return curve_; }
++
++  void GenerateKey(ScopedSECKEYPrivateKey* priv_key,
++                   ScopedSECKEYPublicKey* pub_key) const;
++
++ private:
++  std::unique_ptr<ParamHolder> MakeParams() const;
++
++  CK_MECHANISM_TYPE mech_;
++  SECOidTag curve_;
++};
++
++}  // namespace nss_test
+diff -up ./gtests/pk11_gtest/pk11_key_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_key_unittest.cc
+--- ./gtests/pk11_gtest/pk11_key_unittest.cc.handle-malformed-ecdh-gtests	2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_key_unittest.cc	2019-12-05 10:56:41.828832617 -0800
+@@ -0,0 +1,80 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include <memory>
++#include "nss.h"
++#include "pk11pub.h"
++#include "pk11pqg.h"
++#include "prerror.h"
++#include "secoid.h"
++
++#include "gtest/gtest.h"
++#include "nss_scoped_ptrs.h"
++#include "pk11_keygen.h"
++
++namespace nss_test {
++
++class Pkcs11NullKeyTestBase : public ::testing::Test {
++ protected:
++  // This constructs a key pair, then erases the public value from the public
++  // key.  NSS should reject this.
++  void Test(const Pkcs11KeyPairGenerator& generator,
++            CK_MECHANISM_TYPE dh_mech) {
++    ScopedSECKEYPrivateKey priv;
++    ScopedSECKEYPublicKey pub;
++    generator.GenerateKey(&priv, &pub);
++    ASSERT_TRUE(priv);
++
++    // These don't leak because they are allocated to the arena associated with
++    // the public key.
++    SECItem* pub_val = nullptr;
++    switch (SECKEY_GetPublicKeyType(pub.get())) {
++      case rsaKey:
++        pub_val = &pub->u.rsa.modulus;
++        break;
++
++      case dsaKey:
++        pub_val = &pub->u.dsa.publicValue;
++        break;
++
++      case dhKey:
++        pub_val = &pub->u.dh.publicValue;
++        break;
++
++      case ecKey:
++        pub_val = &pub->u.ec.publicValue;
++        break;
++
++      default:
++        FAIL() << "Unknown key type " << SECKEY_GetPublicKeyType(pub.get());
++    }
++    pub_val->data = nullptr;
++    pub_val->len = 0;
++
++    ScopedPK11SymKey symKey(PK11_PubDeriveWithKDF(
++        priv.get(), pub.get(), false, nullptr, nullptr, dh_mech,
++        CKM_SHA512_HMAC, CKA_DERIVE, 0, CKD_NULL, nullptr, nullptr));
++    ASSERT_FALSE(symKey);
++  }
++};
++
++class Pkcs11DhNullKeyTest : public Pkcs11NullKeyTestBase {};
++TEST_F(Pkcs11DhNullKeyTest, UseNullPublicValue) {
++  Test(Pkcs11KeyPairGenerator(CKM_DH_PKCS_KEY_PAIR_GEN), CKM_DH_PKCS_DERIVE);
++}
++
++class Pkcs11EcdhNullKeyTest : public Pkcs11NullKeyTestBase,
++                              public ::testing::WithParamInterface<SECOidTag> {
++};
++TEST_P(Pkcs11EcdhNullKeyTest, UseNullPublicValue) {
++  Test(Pkcs11KeyPairGenerator(CKM_EC_KEY_PAIR_GEN, GetParam()),
++       CKM_ECDH1_DERIVE);
++}
++INSTANTIATE_TEST_CASE_P(Pkcs11EcdhNullKeyTest, Pkcs11EcdhNullKeyTest,
++                        ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
++                                          SEC_OID_SECG_EC_SECP384R1,
++                                          SEC_OID_SECG_EC_SECP521R1,
++                                          SEC_OID_CURVE25519));
++
++}  // namespace nss_test
+diff --git ./gtests/pk11_gtest/pk11_curve25519_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_curve25519_unittest.cc
+--- ./gtests/pk11_gtest/pk11_curve25519_unittest.cc.handle-malformed-ecdh-gtests
++++ ./gtests/pk11_gtest/pk11_curve25519_unittest.cc
+@@ -40,6 +40,9 @@
+ 
+     ScopedCERTSubjectPublicKeyInfo certSpki(
+         SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
++    if (!expect_success && !certSpki) {
++      return;
++    }
+     ASSERT_TRUE(certSpki);
+ 
+     ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+
+diff -up ./gtests/ssl_gtest/tls_connect.cc.addtime ./gtests/ssl_gtest/tls_connect.cc
+--- ./gtests/ssl_gtest/tls_connect.cc.addtime	2019-12-06 09:02:39.006583359 -0800
++++ ./gtests/ssl_gtest/tls_connect.cc	2019-12-06 09:02:54.120745545 -0800
+@@ -292,7 +292,7 @@ void TlsConnectTestBase::Handshake() {
+ 
+   ASSERT_TRUE_WAIT((client_->state() != TlsAgent::STATE_CONNECTING) &&
+                        (server_->state() != TlsAgent::STATE_CONNECTING),
+-                   5000);
++                   10000);
+ }
+ 
+ void TlsConnectTestBase::EnableExtendedMasterSecret() {
+
diff --git a/SOURCES/nss-3.44-handle-malformed-ecdh.patch b/SOURCES/nss-3.44-handle-malformed-ecdh.patch
new file mode 100644
index 0000000..a0a6305
--- /dev/null
+++ b/SOURCES/nss-3.44-handle-malformed-ecdh.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -639,6 +639,11 @@
+                     return pubk;
+                 break;
+             case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
++                /* A basic sanity check on inputs. */
++                if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
++                    PORT_SetError(SEC_ERROR_INPUT_LEN);
++                    break;
++                }
+                 pubk->keyType = ecKey;
+                 pubk->u.ec.size = 0;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 8b7324e..5292a7d 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -41,7 +41,7 @@ rpm.define(string.format("nss_archive_version %s",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          4%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -166,7 +166,9 @@ Patch155: nss-post-handshake-auth-with-tickets.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
 Patch156: nss-fix-public-key-from-priv.patch
 Patch157: nss-add-ipsec-usage-to-manpage.patch
-
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1515342
+Patch159: nss-3.44-handle-malformed-ecdh.patch
+Patch160: nss-3.44-handle-malformed-ecdh-gtests.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -280,6 +282,10 @@ pushd nss
 popd
 %patch156 -p1 -b .pub-priv-mechs
 %patch157 -p1 -b .ipsec-usage
+pushd nss
+%patch159 -p1 -b .handle-malformed-ecdh
+%patch160 -p1 -b .handle-malformed-ecdh-gtests
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -890,6 +896,17 @@ fi
 
 
 %changelog
+* Fri Dec 6 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-7
+- Increase timeout on ssl_gtest so that slow platforms can complete when
+   running on a busy system.
+
+* Thu Dec 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-6
+- back out out-of-bounds patch (patch for nss-softokn).
+- Fix segfault on empty or malformed ecdh keys (#1777712)
+
+* Wed Dec 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-5
+- Fix out-of-bounds write in NSC_EncryptUpdate (#1775910)
+
 * Wed Jun 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4
 - Fix certutil man page
 - Fix extracting a public key from a private key for dh, ec, and dsa