diff --git a/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch b/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch
new file mode 100644
index 0000000..225f023
--- /dev/null
+++ b/SOURCES/nss-3.44-handle-malformed-ecdh-gtests.patch
@@ -0,0 +1,580 @@
+diff -up ./gtests/pk11_gtest/manifest.mn.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/manifest.mn
+--- ./gtests/pk11_gtest/manifest.mn.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.827832606 -0800
++++ ./gtests/pk11_gtest/manifest.mn 2019-12-05 10:59:53.802966671 -0800
+@@ -10,16 +10,18 @@ CPPSRCS = \
+ pk11_aeskeywrap_unittest.cc \
+ pk11_chacha20poly1305_unittest.cc \
+ pk11_curve25519_unittest.cc \
++ pk11_der_private_key_import_unittest.cc \
+ pk11_ecdsa_unittest.cc \
+ pk11_encrypt_derive_unittest.cc \
+ pk11_export_unittest.cc \
+ pk11_import_unittest.cc \
++ pk11_keygen.cc \
++ pk11_key_unittest.cc \
+ pk11_pbkdf2_unittest.cc \
+ pk11_prf_unittest.cc \
+ pk11_prng_unittest.cc \
+ pk11_rsapkcs1_unittest.cc \
+ pk11_rsapss_unittest.cc \
+- pk11_der_private_key_import_unittest.cc \
+ $(NULL)
+
+ INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_gtest.gyp
+--- ./gtests/pk11_gtest/pk11_gtest.gyp.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_gtest.gyp 2019-12-05 11:01:38.874134681 -0800
+@@ -11,20 +11,22 @@
+ 'target_name': 'pk11_gtest',
+ 'type': 'executable',
+ 'sources': [
+- 'pk11_aeskeywrap_unittest.cc',
+ 'pk11_aes_gcm_unittest.cc',
++ 'pk11_aeskeywrap_unittest.cc',
+ 'pk11_chacha20poly1305_unittest.cc',
+ 'pk11_cipherop_unittest.cc',
+ 'pk11_curve25519_unittest.cc',
++ 'pk11_der_private_key_import_unittest.cc',
+ 'pk11_ecdsa_unittest.cc',
+ 'pk11_encrypt_derive_unittest.cc',
+ 'pk11_import_unittest.cc',
++ 'pk11_keygen.cc',
++ 'pk11_key_unittest.cc',
+ 'pk11_pbkdf2_unittest.cc',
+ 'pk11_prf_unittest.cc',
+ 'pk11_prng_unittest.cc',
+ 'pk11_rsapkcs1_unittest.cc',
+ 'pk11_rsapss_unittest.cc',
+- 'pk11_der_private_key_import_unittest.cc',
+ '<(DEPTH)/gtests/common/gtests.cc'
+ ],
+ 'dependencies': [
+diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_import_unittest.cc
+--- ./gtests/pk11_gtest/pk11_import_unittest.cc.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.821832539 -0800
++++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2019-12-05 11:08:42.394842692 -0800
+@@ -15,6 +15,7 @@
+ #include "nss_scoped_ptrs.h"
+ #include "gtest/gtest.h"
+ #include "databuffer.h"
++#include "pk11_keygen.h"
+
+ namespace nss_test {
+
+@@ -30,7 +31,7 @@ struct PK11GenericObjectsDeleter {
+
+ class Pk11KeyImportTestBase : public ::testing::Test {
+ public:
+- Pk11KeyImportTestBase(CK_MECHANISM_TYPE mech) : mech_(mech) {}
++ Pk11KeyImportTestBase() = default;
+ virtual ~Pk11KeyImportTestBase() = default;
+
+ void SetUp() override {
+@@ -42,12 +43,18 @@ class Pk11KeyImportTestBase : public ::t
+ password_.reset(SECITEM_DupItem(&pwItem));
+ }
+
+- void Test() {
++ void Test(const Pkcs11KeyPairGenerator& generator) {
+ // Generate a key and export it.
+- KeyType key_type;
++ KeyType key_type = nullKey;
+ ScopedSECKEYEncryptedPrivateKeyInfo key_info;
+ ScopedSECItem public_value;
+- GenerateAndExport(&key_type, &key_info, &public_value);
++ GenerateAndExport(generator, &key_type, &key_info, &public_value);
++
++ // Note: NSS is currently unable export wrapped DH keys, so this doesn't
++ // test those beyond generate and verify.
++ if (key_type == dhKey) {
++ return;
++ }
+ ASSERT_NE(nullptr, key_info);
+ ASSERT_NE(nullptr, public_value);
+
+@@ -66,17 +73,6 @@ class Pk11KeyImportTestBase : public ::t
+ CheckForPublicKey(priv_key, public_value.get());
+ }
+
+- protected:
+- class ParamHolder {
+- public:
+- virtual ~ParamHolder() = default;
+- virtual void* get() = 0;
+- };
+-
+- virtual std::unique_ptr<ParamHolder> MakeParams() = 0;
+-
+- CK_MECHANISM_TYPE mech_;
+-
+ private:
+ SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+ SECItem null = { siBuffer, NULL, 0};
+@@ -196,20 +192,14 @@ class Pk11KeyImportTestBase : public ::t
+ }
+ }
+
+- void GenerateAndExport(KeyType* key_type,
++ void GenerateAndExport(const Pkcs11KeyPairGenerator& generator,
++ KeyType* key_type,
+ ScopedSECKEYEncryptedPrivateKeyInfo* key_info,
+ ScopedSECItem* public_value) {
+- auto params = MakeParams();
+- ASSERT_NE(nullptr, params);
+-
+- SECKEYPublicKey* pub_tmp;
+- ScopedSECKEYPrivateKey priv_key(
+- PK11_GenerateKeyPair(slot_.get(), mech_, params->get(), &pub_tmp,
+- PR_FALSE, PR_TRUE, nullptr));
+- ASSERT_NE(nullptr, priv_key) << "PK11_GenerateKeyPair failed: "
+- << PORT_ErrorToName(PORT_GetError());
+- ScopedSECKEYPublicKey pub_key(pub_tmp);
+- ASSERT_NE(nullptr, pub_key);
++ ScopedSECKEYPrivateKey priv_key;
++ ScopedSECKEYPublicKey pub_key;
++ generator.GenerateKey(&priv_key, &pub_key);
++ ASSERT_TRUE(priv_key);
+
+ // Wrap and export the key.
+ ScopedSECKEYEncryptedPrivateKeyInfo epki(PK11_ExportEncryptedPrivKeyInfo(
+@@ -239,6 +229,11 @@ class Pk11KeyImportTestBase : public ::t
+ }
+
+ CheckForPublicKey(priv_key, pub_val);
++ // Note: NSS is currently unable export wrapped DH keys, so this doesn't
++ // test those beyond generate and verify.
++ if (t == dhKey) {
++ return;
++ }
+
+ *key_type = t;
+ key_info->swap(epki);
+@@ -253,82 +248,13 @@ class Pk11KeyImportTest
+ : public Pk11KeyImportTestBase,
+ public ::testing::WithParamInterface<CK_MECHANISM_TYPE> {
+ public:
+- Pk11KeyImportTest() : Pk11KeyImportTestBase(GetParam()) {}
++ Pk11KeyImportTest() = default;
+ virtual ~Pk11KeyImportTest() = default;
+-
+- protected:
+- std::unique_ptr<ParamHolder> MakeParams() override {
+- switch (mech_) {
+- case CKM_RSA_PKCS_KEY_PAIR_GEN:
+- return std::unique_ptr<ParamHolder>(new RsaParamHolder());
+-
+- case CKM_DSA_KEY_PAIR_GEN:
+- case CKM_DH_PKCS_KEY_PAIR_GEN: {
+- PQGParams* pqg_params = nullptr;
+- PQGVerify* pqg_verify = nullptr;
+- const unsigned int key_size = 1024;
+- SECStatus rv = PK11_PQG_ParamGenV2(key_size, 0, key_size / 16,
+- &pqg_params, &pqg_verify);
+- if (rv != SECSuccess) {
+- ADD_FAILURE() << "PK11_PQG_ParamGenV2 failed";
+- return nullptr;
+- }
+- EXPECT_NE(nullptr, pqg_verify);
+- EXPECT_NE(nullptr, pqg_params);
+- PK11_PQG_DestroyVerify(pqg_verify);
+- if (mech_ == CKM_DSA_KEY_PAIR_GEN) {
+- return std::unique_ptr<ParamHolder>(new PqgParamHolder(pqg_params));
+- }
+- return std::unique_ptr<ParamHolder>(new DhParamHolder(pqg_params));
+- }
+-
+- default:
+- ADD_FAILURE() << "unknown OID " << mech_;
+- }
+- return nullptr;
+- }
+-
+- private:
+- class RsaParamHolder : public ParamHolder {
+- public:
+- RsaParamHolder()
+- : params_({/*.keySizeInBits = */ 1024, /*.pe = */ 0x010001}) {}
+- ~RsaParamHolder() = default;
+-
+- void* get() override { return ¶ms_; }
+-
+- private:
+- PK11RSAGenParams params_;
+- };
+-
+- class PqgParamHolder : public ParamHolder {
+- public:
+- PqgParamHolder(PQGParams* params) : params_(params) {}
+- ~PqgParamHolder() = default;
+-
+- void* get() override { return params_.get(); }
+-
+- private:
+- ScopedPQGParams params_;
+- };
+-
+- class DhParamHolder : public PqgParamHolder {
+- public:
+- DhParamHolder(PQGParams* params)
+- : PqgParamHolder(params),
+- params_({/*.arena = */ nullptr,
+- /*.prime = */ params->prime,
+- /*.base = */ params->base}) {}
+- ~DhParamHolder() = default;
+-
+- void* get() override { return ¶ms_; }
+-
+- private:
+- SECKEYDHParams params_;
+- };
+ };
+
+-TEST_P(Pk11KeyImportTest, GenerateExportImport) { Test(); }
++TEST_P(Pk11KeyImportTest, GenerateExportImport) {
++ Test(Pkcs11KeyPairGenerator(GetParam()));
++}
+
+ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTest, Pk11KeyImportTest,
+ ::testing::Values(CKM_RSA_PKCS_KEY_PAIR_GEN,
+@@ -339,42 +265,13 @@ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTes
+ class Pk11KeyImportTestEC : public Pk11KeyImportTestBase,
+ public ::testing::WithParamInterface<SECOidTag> {
+ public:
+- Pk11KeyImportTestEC() : Pk11KeyImportTestBase(CKM_EC_KEY_PAIR_GEN) {}
++ Pk11KeyImportTestEC() = default;
+ virtual ~Pk11KeyImportTestEC() = default;
+-
+- protected:
+- std::unique_ptr<ParamHolder> MakeParams() override {
+- return std::unique_ptr<ParamHolder>(new EcParamHolder(GetParam()));
+- }
+-
+- private:
+- class EcParamHolder : public ParamHolder {
+- public:
+- EcParamHolder(SECOidTag curve_oid) {
+- SECOidData* curve = SECOID_FindOIDByTag(curve_oid);
+- EXPECT_NE(nullptr, curve);
+-
+- size_t plen = curve->oid.len + 2;
+- extra_.reset(new uint8_t[plen]);
+- extra_[0] = SEC_ASN1_OBJECT_ID;
+- extra_[1] = static_cast<uint8_t>(curve->oid.len);
+- memcpy(&extra_[2], curve->oid.data, curve->oid.len);
+-
+- ec_params_ = {/*.type = */ siBuffer,
+- /*.data = */ extra_.get(),
+- /*.len = */ static_cast<unsigned int>(plen)};
+- }
+- ~EcParamHolder() = default;
+-
+- void* get() override { return &ec_params_; }
+-
+- private:
+- SECKEYECParams ec_params_;
+- std::unique_ptr<uint8_t[]> extra_;
+- };
+ };
+
+-TEST_P(Pk11KeyImportTestEC, GenerateExportImport) { Test(); }
++TEST_P(Pk11KeyImportTestEC, GenerateExportImport) {
++ Test(Pkcs11KeyPairGenerator(CKM_EC_KEY_PAIR_GEN, GetParam()));
++}
+
+ INSTANTIATE_TEST_CASE_P(Pk11KeyImportTestEC, Pk11KeyImportTestEC,
+ ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
+diff -up ./gtests/pk11_gtest/pk11_keygen.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_keygen.cc
+--- ./gtests/pk11_gtest/pk11_keygen.cc.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.829832628 -0800
++++ ./gtests/pk11_gtest/pk11_keygen.cc 2019-12-05 10:56:41.829832628 -0800
+@@ -0,0 +1,143 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "pk11_keygen.h"
++
++#include "pk11pub.h"
++#include "pk11pqg.h"
++#include "prerror.h"
++
++#include "gtest/gtest.h"
++
++namespace nss_test {
++
++class ParamHolder {
++ public:
++ virtual void* get() = 0;
++ virtual ~ParamHolder() = default;
++
++ protected:
++ ParamHolder() = default;
++};
++
++void Pkcs11KeyPairGenerator::GenerateKey(ScopedSECKEYPrivateKey* priv_key,
++ ScopedSECKEYPublicKey* pub_key) const {
++ // This function returns if an assertion fails, so don't leak anything.
++ priv_key->reset(nullptr);
++ pub_key->reset(nullptr);
++
++ auto params = MakeParams();
++ ASSERT_NE(nullptr, params);
++
++ ScopedPK11SlotInfo slot(PK11_GetInternalKeySlot());
++ ASSERT_TRUE(slot);
++
++ SECKEYPublicKey* pub_tmp;
++ ScopedSECKEYPrivateKey priv_tmp(PK11_GenerateKeyPair(
++ slot.get(), mech_, params->get(), &pub_tmp, PR_FALSE, PR_TRUE, nullptr));
++ ASSERT_NE(nullptr, priv_tmp) << "PK11_GenerateKeyPair failed: "
++ << PORT_ErrorToName(PORT_GetError());
++ ASSERT_NE(nullptr, pub_tmp);
++
++ priv_key->swap(priv_tmp);
++ pub_key->reset(pub_tmp);
++}
++
++class RsaParamHolder : public ParamHolder {
++ public:
++ RsaParamHolder() : params_({1024, 0x010001}) {}
++ ~RsaParamHolder() = default;
++
++ void* get() override { return ¶ms_; }
++
++ private:
++ PK11RSAGenParams params_;
++};
++
++class PqgParamHolder : public ParamHolder {
++ public:
++ PqgParamHolder(PQGParams* params) : params_(params) {}
++ ~PqgParamHolder() = default;
++
++ void* get() override { return params_.get(); }
++
++ private:
++ ScopedPQGParams params_;
++};
++
++class DhParamHolder : public PqgParamHolder {
++ public:
++ DhParamHolder(PQGParams* params)
++ : PqgParamHolder(params),
++ params_({nullptr, params->prime, params->base}) {}
++ ~DhParamHolder() = default;
++
++ void* get() override { return ¶ms_; }
++
++ private:
++ SECKEYDHParams params_;
++};
++
++class EcParamHolder : public ParamHolder {
++ public:
++ EcParamHolder(SECOidTag curve_oid) {
++ SECOidData* curve = SECOID_FindOIDByTag(curve_oid);
++ EXPECT_NE(nullptr, curve);
++
++ size_t plen = curve->oid.len + 2;
++ extra_.reset(new uint8_t[plen]);
++ extra_[0] = SEC_ASN1_OBJECT_ID;
++ extra_[1] = static_cast<uint8_t>(curve->oid.len);
++ memcpy(&extra_[2], curve->oid.data, curve->oid.len);
++
++ ec_params_ = {siBuffer, extra_.get(), static_cast<unsigned int>(plen)};
++ }
++ ~EcParamHolder() = default;
++
++ void* get() override { return &ec_params_; }
++
++ private:
++ SECKEYECParams ec_params_;
++ std::unique_ptr<uint8_t[]> extra_;
++};
++
++std::unique_ptr<ParamHolder> Pkcs11KeyPairGenerator::MakeParams() const {
++ switch (mech_) {
++ case CKM_RSA_PKCS_KEY_PAIR_GEN:
++ std::cerr << "Generate RSA pair" << std::endl;
++ return std::unique_ptr<ParamHolder>(new RsaParamHolder());
++
++ case CKM_DSA_KEY_PAIR_GEN:
++ case CKM_DH_PKCS_KEY_PAIR_GEN: {
++ PQGParams* pqg_params = nullptr;
++ PQGVerify* pqg_verify = nullptr;
++ const unsigned int key_size = 1024;
++ SECStatus rv = PK11_PQG_ParamGenV2(key_size, 0, key_size / 16,
++ &pqg_params, &pqg_verify);
++ if (rv != SECSuccess) {
++ ADD_FAILURE() << "PK11_PQG_ParamGenV2 failed";
++ return nullptr;
++ }
++ EXPECT_NE(nullptr, pqg_verify);
++ EXPECT_NE(nullptr, pqg_params);
++ PK11_PQG_DestroyVerify(pqg_verify);
++ if (mech_ == CKM_DSA_KEY_PAIR_GEN) {
++ std::cerr << "Generate DSA pair" << std::endl;
++ return std::unique_ptr<ParamHolder>(new PqgParamHolder(pqg_params));
++ }
++ std::cerr << "Generate DH pair" << std::endl;
++ return std::unique_ptr<ParamHolder>(new DhParamHolder(pqg_params));
++ }
++
++ case CKM_EC_KEY_PAIR_GEN:
++ std::cerr << "Generate EC pair on " << curve_ << std::endl;
++ return std::unique_ptr<ParamHolder>(new EcParamHolder(curve_));
++
++ default:
++ ADD_FAILURE() << "unknown OID " << mech_;
++ }
++ return nullptr;
++}
++
++} // namespace nss_test
+diff -up ./gtests/pk11_gtest/pk11_keygen.h.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_keygen.h
+--- ./gtests/pk11_gtest/pk11_keygen.h.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_keygen.h 2019-12-05 10:56:41.828832617 -0800
+@@ -0,0 +1,34 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "nss.h"
++#include "secoid.h"
++
++#include "nss_scoped_ptrs.h"
++
++namespace nss_test {
++
++class ParamHolder;
++
++class Pkcs11KeyPairGenerator {
++ public:
++ Pkcs11KeyPairGenerator(CK_MECHANISM_TYPE mech, SECOidTag curve_oid)
++ : mech_(mech), curve_(curve_oid) {}
++ Pkcs11KeyPairGenerator(CK_MECHANISM_TYPE mech)
++ : Pkcs11KeyPairGenerator(mech, SEC_OID_UNKNOWN) {}
++
++ CK_MECHANISM_TYPE mechanism() const { return mech_; }
++ SECOidTag curve() const { return curve_; }
++
++ void GenerateKey(ScopedSECKEYPrivateKey* priv_key,
++ ScopedSECKEYPublicKey* pub_key) const;
++
++ private:
++ std::unique_ptr<ParamHolder> MakeParams() const;
++
++ CK_MECHANISM_TYPE mech_;
++ SECOidTag curve_;
++};
++
++} // namespace nss_test
+diff -up ./gtests/pk11_gtest/pk11_key_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_key_unittest.cc
+--- ./gtests/pk11_gtest/pk11_key_unittest.cc.handle-malformed-ecdh-gtests 2019-12-05 10:56:41.828832617 -0800
++++ ./gtests/pk11_gtest/pk11_key_unittest.cc 2019-12-05 10:56:41.828832617 -0800
+@@ -0,0 +1,80 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include <memory>
++#include "nss.h"
++#include "pk11pub.h"
++#include "pk11pqg.h"
++#include "prerror.h"
++#include "secoid.h"
++
++#include "gtest/gtest.h"
++#include "nss_scoped_ptrs.h"
++#include "pk11_keygen.h"
++
++namespace nss_test {
++
++class Pkcs11NullKeyTestBase : public ::testing::Test {
++ protected:
++ // This constructs a key pair, then erases the public value from the public
++ // key. NSS should reject this.
++ void Test(const Pkcs11KeyPairGenerator& generator,
++ CK_MECHANISM_TYPE dh_mech) {
++ ScopedSECKEYPrivateKey priv;
++ ScopedSECKEYPublicKey pub;
++ generator.GenerateKey(&priv, &pub);
++ ASSERT_TRUE(priv);
++
++ // These don't leak because they are allocated to the arena associated with
++ // the public key.
++ SECItem* pub_val = nullptr;
++ switch (SECKEY_GetPublicKeyType(pub.get())) {
++ case rsaKey:
++ pub_val = &pub->u.rsa.modulus;
++ break;
++
++ case dsaKey:
++ pub_val = &pub->u.dsa.publicValue;
++ break;
++
++ case dhKey:
++ pub_val = &pub->u.dh.publicValue;
++ break;
++
++ case ecKey:
++ pub_val = &pub->u.ec.publicValue;
++ break;
++
++ default:
++ FAIL() << "Unknown key type " << SECKEY_GetPublicKeyType(pub.get());
++ }
++ pub_val->data = nullptr;
++ pub_val->len = 0;
++
++ ScopedPK11SymKey symKey(PK11_PubDeriveWithKDF(
++ priv.get(), pub.get(), false, nullptr, nullptr, dh_mech,
++ CKM_SHA512_HMAC, CKA_DERIVE, 0, CKD_NULL, nullptr, nullptr));
++ ASSERT_FALSE(symKey);
++ }
++};
++
++class Pkcs11DhNullKeyTest : public Pkcs11NullKeyTestBase {};
++TEST_F(Pkcs11DhNullKeyTest, UseNullPublicValue) {
++ Test(Pkcs11KeyPairGenerator(CKM_DH_PKCS_KEY_PAIR_GEN), CKM_DH_PKCS_DERIVE);
++}
++
++class Pkcs11EcdhNullKeyTest : public Pkcs11NullKeyTestBase,
++ public ::testing::WithParamInterface<SECOidTag> {
++};
++TEST_P(Pkcs11EcdhNullKeyTest, UseNullPublicValue) {
++ Test(Pkcs11KeyPairGenerator(CKM_EC_KEY_PAIR_GEN, GetParam()),
++ CKM_ECDH1_DERIVE);
++}
++INSTANTIATE_TEST_CASE_P(Pkcs11EcdhNullKeyTest, Pkcs11EcdhNullKeyTest,
++ ::testing::Values(SEC_OID_SECG_EC_SECP256R1,
++ SEC_OID_SECG_EC_SECP384R1,
++ SEC_OID_SECG_EC_SECP521R1,
++ SEC_OID_CURVE25519));
++
++} // namespace nss_test
+diff --git ./gtests/pk11_gtest/pk11_curve25519_unittest.cc.handle-malformed-ecdh-gtests ./gtests/pk11_gtest/pk11_curve25519_unittest.cc
+--- ./gtests/pk11_gtest/pk11_curve25519_unittest.cc.handle-malformed-ecdh-gtests
++++ ./gtests/pk11_gtest/pk11_curve25519_unittest.cc
+@@ -40,6 +40,9 @@
+
+ ScopedCERTSubjectPublicKeyInfo certSpki(
+ SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
++ if (!expect_success && !certSpki) {
++ return;
++ }
+ ASSERT_TRUE(certSpki);
+
+ ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
+
+diff -up ./gtests/ssl_gtest/tls_connect.cc.addtime ./gtests/ssl_gtest/tls_connect.cc
+--- ./gtests/ssl_gtest/tls_connect.cc.addtime 2019-12-06 09:02:39.006583359 -0800
++++ ./gtests/ssl_gtest/tls_connect.cc 2019-12-06 09:02:54.120745545 -0800
+@@ -292,7 +292,7 @@ void TlsConnectTestBase::Handshake() {
+
+ ASSERT_TRUE_WAIT((client_->state() != TlsAgent::STATE_CONNECTING) &&
+ (server_->state() != TlsAgent::STATE_CONNECTING),
+- 5000);
++ 10000);
+ }
+
+ void TlsConnectTestBase::EnableExtendedMasterSecret() {
+
diff --git a/SOURCES/nss-3.44-handle-malformed-ecdh.patch b/SOURCES/nss-3.44-handle-malformed-ecdh.patch
new file mode 100644
index 0000000..a0a6305
--- /dev/null
+++ b/SOURCES/nss-3.44-handle-malformed-ecdh.patch
@@ -0,0 +1,14 @@
+diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
+--- a/lib/cryptohi/seckey.c
++++ b/lib/cryptohi/seckey.c
+@@ -639,6 +639,11 @@
+ return pubk;
+ break;
+ case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
++ /* A basic sanity check on inputs. */
++ if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
++ PORT_SetError(SEC_ERROR_INPUT_LEN);
++ break;
++ }
+ pubk->keyType = ecKey;
+ pubk->u.ec.size = 0;
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 8b7324e..5292a7d 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -41,7 +41,7 @@ rpm.define(string.format("nss_archive_version %s",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
-Release: 4%{?dist}
+Release: 7%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@@ -166,7 +166,9 @@ Patch155: nss-post-handshake-auth-with-tickets.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
Patch156: nss-fix-public-key-from-priv.patch
Patch157: nss-add-ipsec-usage-to-manpage.patch
-
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1515342
+Patch159: nss-3.44-handle-malformed-ecdh.patch
+Patch160: nss-3.44-handle-malformed-ecdh-gtests.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -280,6 +282,10 @@ pushd nss
popd
%patch156 -p1 -b .pub-priv-mechs
%patch157 -p1 -b .ipsec-usage
+pushd nss
+%patch159 -p1 -b .handle-malformed-ecdh
+%patch160 -p1 -b .handle-malformed-ecdh-gtests
+popd
#########################################################
# Higher-level libraries and test tools need access to
@@ -890,6 +896,17 @@ fi
%changelog
+* Fri Dec 6 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-7
+- Increase timeout on ssl_gtest so that slow platforms can complete when
+ running on a busy system.
+
+* Thu Dec 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-6
+- back out out-of-bounds patch (patch for nss-softokn).
+- Fix segfault on empty or malformed ecdh keys (#1777712)
+
+* Wed Dec 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-5
+- Fix out-of-bounds write in NSC_EncryptUpdate (#1775910)
+
* Wed Jun 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4
- Fix certutil man page
- Fix extracting a public key from a private key for dh, ec, and dsa