diff --git a/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch
new file mode 100644
index 0000000..3b68ef9
--- /dev/null
+++ b/SOURCES/nss-3.44-fix-cmac-alignment-crash.patch
@@ -0,0 +1,45 @@
+diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c
+--- a/lib/freebl/cmac.c
++++ b/lib/freebl/cmac.c
+@@ -22,7 +22,7 @@
+ * add a new Context pointer to the cipher union with the correct type. */
+ CMACCipher cipherType;
+ union {
+- AESContext aes;
++ AESContext *aes;
+ } cipher;
+ int blockSize;
+
+@@ -62,7 +62,7 @@
+ {
+ if (ctx->cipherType == CMAC_AES) {
+ unsigned int tmpOutputLen;
+- SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
++ SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
+ ctx->blockSize, input, inputLen);
+
+ /* Assumption: AES_Encrypt (when in ECB mode) always returns an
+@@ -156,8 +156,9 @@
+
+ ctx->blockSize = AES_BLOCK_SIZE;
+ ctx->cipherType = CMAC_AES;
+- if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
+- ctx->blockSize) != SECSuccess) {
++ ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
++ ctx->blockSize);
++ if (ctx->cipher.aes == NULL) {
+ return SECFailure;
+ }
+
+@@ -308,8 +309,8 @@
+ return;
+ }
+
+- if (ctx->cipherType == CMAC_AES) {
+- AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
++ if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
++ AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
+ }
+
+ /* Destroy everything in the context. This includes sensitive data in
+
diff --git a/SOURCES/nss-3.44-fix-swapped-cmac.patch b/SOURCES/nss-3.44-fix-swapped-cmac.patch
new file mode 100644
index 0000000..54684ca
--- /dev/null
+++ b/SOURCES/nss-3.44-fix-swapped-cmac.patch
@@ -0,0 +1,15 @@
+diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
+--- a/lib/util/pkcs11t.h
++++ b/lib/util/pkcs11t.h
+@@ -898,8 +898,8 @@
+ #define CKM_AES_CCM 0x00001088
+ #define CKM_AES_CTS 0x00001089
+ /* AES-CMAC values copied from v2.40 errata 1 header file */
+-#define CKM_AES_CMAC_GENERAL 0x0000108A
+-#define CKM_AES_CMAC 0x0000108B
++#define CKM_AES_CMAC 0x0000108A
++#define CKM_AES_CMAC_GENERAL 0x0000108B
+ #define CKM_AES_XCBC_MAC 0x0000108C
+ #define CKM_AES_XCBC_MAC_96 0x0000108D
+
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 013b644..10e08e2 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -46,7 +46,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
-Release: 14%{?dist}
+Release: 15%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
@@ -154,6 +154,10 @@ Patch216: nss-3.44-kbkdf.patch
Patch217: nss-3.44-kbkdf-update.patch
Patch218: nss-3.44-encrypt-update.patch
Patch219: nss-3.44-kbkdf-coverity.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1611209
+Patch220: nss-3.44-fix-swapped-cmac.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1610687
+Patch221: nss-3.44-fix-cmac-alignment-crash.patch
%description
@@ -928,6 +932,10 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog
+* Fri Jan 31 2020 Bob Relyea <rrelyea@redhat.com> - 3.44.0-15
+- Fix swapped CMAC PKCS #11 values.
+- Fix data alignment crash in CMAC.
+
* Tue Dec 3 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-14
- Fix coverify scan issue