diff --git a/.gitignore b/.gitignore
index 4befa78..eda990c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.79.tar.gz
+SOURCES/nss-3.90.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index b374a5a..f78c944 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -3,4 +3,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz
+1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch
deleted file mode 100644
index fc5d4fa..0000000
--- a/SOURCES/cve-2023-0767.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
---- a/lib/pkcs12/p12d.c
-+++ b/lib/pkcs12/p12d.c
-@@ -335,35 +335,42 @@
-     sec_PKCS12SafeContentsContext *safeContentsCtx =
-         (sec_PKCS12SafeContentsContext *)arg;
-     SEC_PKCS12DecoderContext *p12dcx;
-     SECStatus rv;
- 
--    /* make sure that we are not skipping the current safeBag,
--     * and that there are no errors.  If so, just return rather
--     * than continuing to process.
--     */
--    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
--        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
-+    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
-         return;
-     }
-     p12dcx = safeContentsCtx->p12dcx;
- 
-+    /* make sure that there are no errors and we are not skipping the current safeBag */
-+    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
-+        goto loser;
-+    }
-+
-     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
-     if (rv != SECSuccess) {
-         p12dcx->errorValue = PORT_GetError();
-+        p12dcx->error = PR_TRUE;
-+        goto loser;
-+    }
-+
-+    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
-+     * may not get another opportunity to clean up the decoder context.
-+     */
-+    if (safeContentsCtx->skipCurrentSafeBag) {
-         goto loser;
-     }
- 
-     return;
- 
- loser:
--    /* set the error, and finish the decoder context.  because there
-+    /* Finish the decoder context. Because there
-      * is not a way of returning an error message, it may be worth
-      * while to do a check higher up and finish any decoding contexts
-      * that are still open.
-      */
--    p12dcx->error = PR_TRUE;
-     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
-     safeContentsCtx->currentSafeBagA1Dcx = NULL;
-     return;
- }
- 
-diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
---- a/lib/pkcs12/p12t.h
-+++ b/lib/pkcs12/p12t.h
-@@ -71,10 +71,11 @@
-         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
-         sec_PKCS12CertBag *certBag;
-         sec_PKCS12CRLBag *crlBag;
-         sec_PKCS12SecretBag *secretBag;
-         sec_PKCS12SafeContents *safeContents;
-+        SECItem *unknownBag;
-     } safeBagContent;
- 
-     sec_PKCS12Attribute **attribs;
- 
-     /* used locally */
-diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
---- a/lib/pkcs12/p12tmpl.c
-+++ b/lib/pkcs12/p12tmpl.c
-@@ -28,16 +28,16 @@
- 
-     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
- 
-     oiddata = SECOID_FindOID(&safeBag->safeBagType);
-     if (oiddata == NULL) {
--        return SEC_ASN1_GET(SEC_AnyTemplate);
-+        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-     }
- 
-     switch (oiddata->offset) {
-         default:
--            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
-+            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
-             break;
-         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
-             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
-             break;
-         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
-
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index 4908c00..6e4adcd 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -1,228 +1,13 @@
-diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
---- ./nss/cmd/certutil/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/certutil/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile
---- ./nss/cmd/httpserv/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/httpserv/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
---- ./nss/cmd/lib/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/lib/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
---- ./nss/cmd/modutil/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/modutil/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile
---- ./nss/cmd/pk12util/Makefile.iquote	2017-09-21 16:41:23.158209761 +0200
-+++ ./nss/cmd/pk12util/Makefile	2017-09-21 16:41:44.298730232 +0200
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
---- ./nss/cmd/selfserv/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/selfserv/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
---- ./nss/cmd/ssltap/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/ssltap/Makefile	2017-09-21 16:39:08.680260103 +0200
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
---- ./nss/cmd/strsclnt/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/strsclnt/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
---- ./nss/cmd/tstclnt/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/tstclnt/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
---- ./nss/cmd/vfyserv/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/cmd/vfyserv/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- #######################################################################
- 
- #include ../platlibs.mk
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
---- ./nss/coreconf/location.mk.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/coreconf/location.mk	2017-09-21 16:39:08.681260081 +0200
-@@ -45,6 +45,10 @@ endif
- 
- ifdef NSS_INCLUDE_DIR
-     INCLUDES += -I$(NSS_INCLUDE_DIR)
-+    ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+        INCLUDES += -iquote $(DIST)/../public/nss
-+        INCLUDES += -iquote $(DIST)/../private/nss
-+    endif
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
++++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
+@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
+     SQLITE_LIB_NAME = sqlite3
  endif
  
- ifndef NSS_LIB_DIR
-diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
---- ./nss/gtests/ssl_gtest/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/gtests/ssl_gtest/Makefile	2017-09-21 16:39:08.682260058 +0200
-@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
---- ./nss/lib/certhigh/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/lib/certhigh/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
---- ./nss/lib/cryptohi/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/lib/cryptohi/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile
---- ./nss/lib/libpkix/pkix/checker/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/lib/libpkix/pkix/checker/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../private/nss
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
---- ./nss/lib/nss/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/lib/nss/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile
---- ./nss/lib/pkcs12/Makefile.iquote	2017-09-21 16:39:49.616331555 +0200
-+++ ./nss/lib/pkcs12/Makefile	2017-09-21 16:40:16.286726596 +0200
-@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
--
-+INCLUDES += -iquote $(DIST)/../public/nss
-+INCLUDES += -iquote $(DIST)/../private/nss
- 
- #######################################################################
- # (7) Execute "local" rules. (OPTIONAL).                              #
-diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
---- ./nss/lib/ssl/Makefile.iquote	2017-04-05 14:23:56.000000000 +0200
-+++ ./nss/lib/ssl/Makefile	2017-09-21 16:39:08.681260081 +0200
-@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
- # (6) Execute "component" rules. (OPTIONAL)                           #
- #######################################################################
- 
-+INCLUDES += -iquote $(DIST)/../public/nss
- 
- 
- #######################################################################
++# Prefer in-tree headers over system headers
++ifdef IN_TREE_FREEBL_HEADERS_FIRST
++    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
++endif
++
+ MK_LOCATION = included
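Review bot: The in-tree header preference in the new coreconf/location.mk block is now entirely conditional on `IN_TREE_FREEBL_HEADERS_FIRST`, whereas the removed version of this patch also added the `-iquote` paths unconditionally in the per-directory Makefiles (cmd/certutil, lib/ssl, lib/pkcs12 and others). If the spec file does not set that variable for every build pass, those directories may silently compile against installed system NSS headers instead of the 3.90 tree. The spec is not part of this hunk, so please confirm the variable is exported there. The added comment is also broader than the flag, since `-iquote` only affects `#include "..."` lookups; I would word it `# Search in-tree headers first for quoted includes (-iquote does not affect <...>)`.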
diff --git a/SOURCES/nss-3.67-cve-2021-43527-test.patch b/SOURCES/nss-3.67-cve-2021-43527-test.patch
new file mode 100644
index 0000000..51cb8e0
--- /dev/null
+++ b/SOURCES/nss-3.67-cve-2021-43527-test.patch
@@ -0,0 +1,325 @@
+diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-dsa.crt
+@@ -0,0 +1,143 @@
++-----BEGIN CERTIFICATE-----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==
++-----END CERTIFICATE-----
+diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
+new file mode 100644
+--- /dev/null
++++ b/tests/cert/Leaf-bogus-rsa-pss.crt
+@@ -0,0 +1,126 @@
++-----BEGIN CERTIFICATE-----
++MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
++AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
++EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
++MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
++AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
++RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
++CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
++CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
++-----END CERTIFICATE-----
+diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
+--- a/tests/cert/cert.sh
++++ b/tests/cert/cert.sh
+@@ -114,16 +114,28 @@ certu()
+         cert_log "ERROR: ${CU_ACTION} failed $RET"
+     else
+         html_passed "${CU_ACTION}"
+     fi
+ 
+     return $RET
+ }
+ 
++cert_test_vfy()
++{
++  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++  echo " vfychain -a  Leaf-bogus-dsa.crt"
++  vfychain -a  ${QADIR}/cert/Leaf-bogus-dsa.crt
++  html_msg $? 1 "Verify large dsa signature"
++  echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
++  echo " vfychain -a  Leaf-bogus-rsa-pss.crt"
++  vfychain -a  ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
++  html_msg $? 1 "Verify large rsa pss signature"
++}
++
+ ################################ crlu #################################
+ # local shell function to call crlutil, also: writes action and options to
+ # stdout, sets variable RET and writes results to the html file results
+ ########################################################################
+ crlu()
+ {
+     echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
+     
+@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
+ else
+     echo "$SCRIPTNAME: Skipping CRL Tests"
+ fi
+ 
+ if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
+     cert_stresscerts
+ fi
+ 
++cert_test_vfy
++
+ cert_iopr_setup
+ 
+ cert_cleanup
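Review bot: The first banner in `cert_test_vfy` is a copy-paste of the second: it prints "Verify large rsa pss signature" before running `vfychain` on Leaf-bogus-dsa.crt, so the log of this CVE-2021-43527 regression test labels the DSA case wrongly. It should read `echo "$SCRIPTNAME: Verify large dsa signature --------------"`. The certificate paths are also passed unquoted; `vfychain -a "${QADIR}/cert/Leaf-bogus-dsa.crt"` (and the same for the rsa-pss file) would survive a QADIR containing spaces. A one-line comment above the function would help too, stating that both certificates carry oversized signatures and that `html_msg $? 1` appears to expect `vfychain` to reject them with status 1 rather than crash.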
diff --git a/SOURCES/nss-3.79-fix-client-cert-crash.patch b/SOURCES/nss-3.79-fix-client-cert-crash.patch
deleted file mode 100644
index 2d752e4..0000000
--- a/SOURCES/nss-3.79-fix-client-cert-crash.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
---- a/lib/ssl/authcert.c
-+++ b/lib/ssl/authcert.c
-@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
- 
-     /* otherwise look through the cache based on usage
-      * if chosenNickname is set, we ignore the expiration date */
-     if (certList == NULL) {
-         certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
-                                              certUsageSSLClient,
-                                              PR_FALSE, chosenNickName == NULL,
-                                              pw_arg);
-+        if (certList == NULL) {
-+            return SECFailure;
-+        }
-         /* filter only the certs that meet the nickname requirements */
-         if (chosenNickName) {
-             rv = CERT_FilterCertListByNickname(certList, chosenNickName,
-                                                pw_arg);
-         } else {
-             int nnames = 0;
-             char **names = ssl_DistNamesToStrings(caNames, &nnames);
-             rv = CERT_FilterCertListByCANames(certList, nnames, names,
diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
deleted file mode 100644
index 1195e5c..0000000
--- a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
---- ./lib/pkcs12/p12local.c.fix_null_password	2022-07-20 14:15:45.081009438 -0700
-+++ ./lib/pkcs12/p12local.c	2022-07-20 14:19:40.856546963 -0700
-@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
-     if (zeroTerm) {
-         /* unicode adds two nulls at the end */
-         if (toUnicode) {
--            if ((dest->len >= 2) &&
--                (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
-+            if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
-                 /* we've already allocated space for these new NULLs */
-                 PORT_Assert(dest->len + 2 <= bufferSize);
-                 dest->len += 2;
-                 dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
-             }
-             /* ascii/utf-8 adds just 1 */
--        } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
-+        } else if (!dest->len || dest->data[dest->len - 1]) {
-             PORT_Assert(dest->len + 1 <= bufferSize);
-             dest->len++;
-             dest->data[dest->len - 1] = 0;
diff --git a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch
deleted file mode 100644
index 004ea51..0000000
--- a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ./tests/sdr/sdr.sh.skip ./tests/sdr/sdr.sh
---- ./tests/sdr/sdr.sh.skip	2022-06-11 09:52:05.037086587 -0700
-+++ ./tests/sdr/sdr.sh	2022-06-11 09:52:16.825162027 -0700
-@@ -146,7 +146,10 @@ sdr_main()
-   RARRAY=($dtime)
-   TIMEARRAY=(${RARRAY[1]//./ })
-   echo "${TIMEARRAY[0]} seconds"
-+  # allow an environment variable to skip the test 
-+  if [ "${NSS_SKIP_PWDECRYPT_TIME}" != "true" ]; then
-   html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression"
-+  fi
-   export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
- }
- 
diff --git a/SOURCES/nss-3.90-add-ems-policy.patch b/SOURCES/nss-3.90-add-ems-policy.patch
new file mode 100644
index 0000000..18739d9
--- /dev/null
+++ b/SOURCES/nss-3.90-add-ems-policy.patch
@@ -0,0 +1,104 @@
+diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.add_ems_policy	2023-06-12 15:37:49.292905411 -0700
++++ ./lib/pk11wrap/pk11pars.c	2023-06-12 17:18:35.129938514 -0700
+@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
+     { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
+     { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
+     { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
++    /* not really a key exchange, but it's the closest fit */
++    { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
+ };
+ 
+ static const oidValDef signOptList[] = {
+diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
+--- ./lib/pk11wrap/secmodti.h.add_ems_policy	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/pk11wrap/secmodti.h	2023-06-12 17:18:35.129938514 -0700
+@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
+ /* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
+ #define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+ 
++/* this oid value could change values if it's added after other new
++ * upstream oids. We protect applications by hiding the define in a private
++ * header file that only NSS sees. Currently it's only available through
++ * the policy code */
++#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
++
+ #endif /* _SECMODTI_H_ */
+diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.add_ems_policy	2023-06-04 01:42:53.000000000 -0700
++++ ./lib/ssl/ssl3con.c	2023-06-12 17:18:35.130938525 -0700
+@@ -36,6 +36,7 @@
+ #include "pk11func.h"
+ #include "secmod.h"
+ #include "blapi.h"
++#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
+ 
+ #include <stdio.h>
+ 
+@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
+     CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+     unsigned int master_params_len;
+ 
++    /* if we are using TLS and we aren't using the extended master secret,
++     * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
++     * send and alert (eventually). In the RSA Server case, the alert
++     * won't happen until Finish time because the upper level code
++     * can't tell a difference between this failure and an RSA decrypt
++     * failure, so it will proceed with a faux key */
++    if (isTLS) {
++        PRUint32 policy;
++        SECStatus rv;
++
++        /* first fetch the policy for this algorithm */
++        rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
++        /* we only look at the policy if we can fetch it. */
++        if (rv == SECSuccess) {
++            if (policy & NSS_USE_ALG_IN_SSL_KX) {
++                /* just set the error, we don't want to map any errors
++                 * set by NSS_GetAlgorithmPolicy here */
++                PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
++                return SECFailure;
++            }
++        }
++    }
++
+     if (isTLS12) {
+         if (isDH)
+             master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
+--- ./lib/util/secoid.c.add_ems_policy	2023-06-12 15:37:49.293905422 -0700
++++ ./lib/util/secoid.c	2023-06-12 17:20:29.498142775 -0700
+@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
+        SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
+        "IPsec User",
+        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++
++    /* this will change upstream. for now apps shouldn't use it */
++    /* we need it for the policy code.  */
++    ODE(SEC_OID_PRIVATE_1,
++        "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ };
+ 
+ /* PRIVATE EXTENDED SECOID Table
+@@ -2095,6 +2100,8 @@ SECOID_Init(void)
+ 
+     /* turn off NSS_USE_POLICY_IN_SSL by default */
+     xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
++    /* turn off TLS REQUIRE EMS by default */
++    xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+ 
+     envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
+     if (envVal)
+diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
+--- ./lib/util/secoidt.h.add_ems_policy	2023-06-12 17:18:35.131938535 -0700
++++ ./lib/util/secoidt.h	2023-06-12 17:21:49.675987022 -0700
+@@ -501,6 +501,9 @@ typedef enum {
+     SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
+     SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+     SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
++    /* this will change upstream. for now apps shouldn't use it */
++    /* give it an obscure name here */
++    SEC_OID_PRIVATE_1 = 372,
+ 
+     SEC_OID_TOTAL
+ } SECOidTag;
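Review bot: The new check in `ssl3_ComputeMasterSecretInt` skips the policy whenever `NSS_GetAlgorithmPolicy` fails, so a lookup error lets a handshake without extended master secret proceed even where EMS is meant to be mandatory. If failing open is intended the comment should say so; otherwise the test could be `if (rv != SECSuccess || (policy & NSS_USE_ALG_IN_SSL_KX))`. The block comment says "we aren't using the extended master secret", but the code tests only `isTLS`, so it presumably relies on the caller routing EMS handshakes elsewhere. That assumption belongs in the comment, since the function body continues outside the hunk. Separately, `SEC_OID_PRIVATE_1 = 372` follows `SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363`, while the `oids[]` entry is appended directly after the IPsec User entry; if that table is positional, as it appears to be, the entry lands at index 364 rather than 372, which should be confirmed against the table's offset checks.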
diff --git a/SOURCES/nss-3.90-certutil-dump-speed.patch b/SOURCES/nss-3.90-certutil-dump-speed.patch
new file mode 100644
index 0000000..81566c3
--- /dev/null
+++ b/SOURCES/nss-3.90-certutil-dump-speed.patch
@@ -0,0 +1,17 @@
+diff -up ./tests/dbtests/dbtests.sh.handle_time ./tests/dbtests/dbtests.sh
+--- ./tests/dbtests/dbtests.sh.handle_time	2023-07-29 14:39:51.907864604 -0700
++++ ./tests/dbtests/dbtests.sh	2023-07-29 14:40:58.268377159 -0700
+@@ -362,11 +362,12 @@ dbtest_main()
+       dtime=$(time -p (certutil -K -d ${BIG_DIR} -f ${R_PWFILE}) 2>&1 1>/dev/null)
+       echo "------------- time ----------------------"
+       echo $dtime
++      expected_time=${NSS_EXPECTED_TIME-2}
+       # now parse the real time to make sure it's subsecond
+       RARRAY=($dtime)
+       TIMEARRAY=(${RARRAY[1]//./ })
+       echo "${TIMEARRAY[0]} seconds"
+-      test ${TIMEARRAY[0]} -lt 2
++      test ${TIMEARRAY[0]} -lt ${expected_time}
+       ret=$?
+       html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
+     fi
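Review bot: `expected_time=${NSS_EXPECTED_TIME-2}` falls back to 2 only when the variable is unset, so an exported but empty `NSS_EXPECTED_TIME` leaves `test ${TIMEARRAY[0]} -lt ${expected_time}` with a missing operand, and the check fails for a reason unrelated to timing. `${NSS_EXPECTED_TIME:-2}` covers both cases, and quoting the operands (`test "${TIMEARRAY[0]}" -lt "${expected_time}"`) keeps the failure readable. The comment `make sure it's subsecond` no longer matches a configurable threshold and could read `# now parse the real time to make sure it's below expected_time`. dbtest_main continues outside the hunk.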
diff --git a/SOURCES/nss-3.90-disable-ech.patch b/SOURCES/nss-3.90-disable-ech.patch
new file mode 100644
index 0000000..eee8c39
--- /dev/null
+++ b/SOURCES/nss-3.90-disable-ech.patch
@@ -0,0 +1,96 @@
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
+         }
+         PORT_Free(cursor);
+     }
+ }
+ 
+ SECStatus
+ SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+     sslSocket *ss = ssl_FindSocket(fd);
+     if (!ss) {
+         return SECFailure;
+     }
+     ss->opt.enableTls13GreaseEch = enabled;
+     return SECSuccess;
++#else
++    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++    return SECFailure;
++#endif
+ }
+ 
+ SECStatus
+ SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
+ {
++#ifdef notdef
+     sslSocket *ss = ssl_FindSocket(fd);
+     if (!ss || size == 0) {
+         return SECFailure;
+     }
+     ssl_Get1stHandshakeLock(ss);
+     ssl_GetSSL3HandshakeLock(ss);
+ 
+     ss->ssl3.hs.greaseEchSize = size;
+ 
+     ssl_ReleaseSSL3HandshakeLock(ss);
+     ssl_Release1stHandshakeLock(ss);
+ 
+     return SECSuccess;
++#else
++    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++    return SECFailure;
++#endif
+ }
+ 
+ SECStatus
+ SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+     sslSocket *ss = ssl_FindSocket(fd);
+     if (!ss) {
+         return SECFailure;
+     }
+     ss->opt.enableTls13BackendEch = enabled;
+     return SECSuccess;
++#else
++    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++    return SECFailure;
++#endif
+ }
+ 
+ SECStatus
+ SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+     sslSocket *ss = ssl_FindSocket(fd);
+     if (!ss) {
+         return SECFailure;
+     }
+     ss->opt.callExtensionWriterOnEchInner = enabled;
+     return SECSuccess;
++#else
++    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++    return SECFailure;
++#endif
+ }
+ 
+ SECStatus
+ SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
+ {
+     sslSocket *ss = ssl_FindSocket(fd);
+     if (!ss) {
+         return SECFailure;
+diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
+--- ./gtests/ssl_gtest/manifest.mn.disable_ech	2023-06-21 19:02:02.160400997 +0200
++++ ./gtests/ssl_gtest/manifest.mn	2023-06-21 19:02:18.226618324 +0200
+@@ -57,7 +57,6 @@ CPPSRCS = \
+       tls_filter.cc \
+       tls_protect.cc \
+       tls_psk_unittest.cc \
+-      tls_ech_unittest.cc \
+       $(SSLKEYLOGFILE_FILES) \
+       $(NULL)
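Review bot: The four ECH setters in `lib/ssl/sslsock.c` are disabled with `#ifdef notdef` and no comment, so neither the reason nor the scope of the disablement is recorded, and the old bodies come back if anything ever defines `notdef`. A comment above the first stub such as `/* ECH is disabled in this build: the experimental setters fail with SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API */` would help, and deleting the dead branch (or using `#if 0`) removes the accidental re-enable path. Only these four entry points are visible here; whether any other ECH entry points are also stubbed cannot be told from this hunk and is worth confirming. With `tls_ech_unittest.cc` dropped from `manifest.mn`, nothing in the visible tests asserts that these calls now return `SECFailure`.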
diff --git a/SOURCES/nss-3.90-no-dbm-25519.patch b/SOURCES/nss-3.90-no-dbm-25519.patch
new file mode 100644
index 0000000..3c7c614
--- /dev/null
+++ b/SOURCES/nss-3.90-no-dbm-25519.patch
@@ -0,0 +1,18 @@
+diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
+--- ./tests/ec/ectest.sh.no_dbm_25519	2023-07-26 10:12:29.531147406 -0700
++++ ./tests/ec/ectest.sh	2023-07-26 10:12:39.547245445 -0700
+@@ -46,11 +46,13 @@ ectest_genkeydb_test()
+     return $?
+   fi
+   curves=( \
+-    "curve25519" \
+     "secp256r1" \
+     "secp384r1" \
+     "secp521r1" \
+   )
++  if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
++      curves=( "curve25519"  "${curves[@]}" )
++  fi
+   for curve in "${curves[@]}"; do
+     echo "Test $curve key generation using certutil ..."
+     certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 2ed4f53..cc28bbe 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,14 +1,14 @@
-%global nspr_version 4.34.0
-%global nss_util_version 3.79.0
+%global nspr_version 4.35.0
+%global nss_util_version 3.90.0
 %global nss_util_build -1
 # adjust to the version that gets submitted for FIPS validation
 # Attention: Separate softokn versions for build and runtime.
-%global nss_softokn_version 3.79.0
+%global nss_softokn_version 3.90.0
 %global runtime_required_softokn_build_version -1
 # Building NSS doesn't require the same version of softokn built for runtime.
-%global nss_softokn_build_version 3.67.0
+%global nss_softokn_build_version 3.90.0
 %global build_required_softokn_build_version -1
-%global nss_version 3.79.0
+%global nss_version 3.90.0
 
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv"
@@ -42,7 +42,7 @@ rpm.define(string.format("nss_archive_version %s",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          5%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -163,20 +163,22 @@ Patch160:nss-3.66-restore-old-pkcs12-default.patch
 Patch161: nss-3.66-disable-external-host-test.patch
 # keep expired distrusted certs
 Patch162: nss-3.79-distrusted-certs.patch
-#-----------------------------------
-# cve 2023-0767, remove on rebase to nss 3.88.1 or later
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640
-Patch170: cve-2023-0767.patch
+# already upstream patches to deal with curve 25519
+Patch163: nss-3.90-no-dbm-25519.patch
+# already upstream - increases certutil timeout for slower machines
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1835357
+Patch164: nss-3.90-certutil-dump-speed.patch
+# restore test patch that has not been upstreamed
+Patch165: nss-3.67-cve-2021-43527-test.patch
+# disable ech
+Patch166: nss-3.90-disable-ech.patch
 
-# remove when nss-softokn is 3.79 during builds
-Patch200: nss-3.79-skip-pwdecrypt-time.patch
 
 # patches that just need to be upstreamed
 Patch300: nss-3.79-r7-remove-explicit-ipv4.patch
-Patch301: nss-3.79-fix-client-cert-crash.patch
-Patch302: nss-3.79-pkcs12-fix-null-password.patch
-
 
+#ems policy. needs to upstream
+Patch301:          nss-3.90-add-ems-policy.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
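Review bot: `Patch301: nss-3.79-fix-client-cert-crash.patch` and `Patch302: nss-3.79-pkcs12-fix-null-password.patch` are dropped from under `# patches that just need to be upstreamed` with nothing recording that NSS 3.90 already contains them. The removed `cve-2023-0767.patch` entry, by contrast, carried a comment naming the release that makes it obsolete. A line such as `# nss-3.79-fix-client-cert-crash and nss-3.79-pkcs12-fix-null-password are included in 3.90`, once confirmed against the 3.90 sources, would keep that audit trail. `Patch165: nss-3.67-cve-2021-43527-test.patch` is referenced here but not added in the visible part of this commit, so it presumably already exists in SOURCES.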
@@ -282,12 +284,13 @@ pushd nss
 %patch160 -p1 -b .restore-pkcs12-defaults
 %patch161 -p1 -b .brew
 %patch162 -R -p1 -b .distrusted-certs
-%patch170 -p1 -b .cve-2023-0767
+%patch163 -p1 -b .no-dbm-25519
+%patch164 -p1 -b .certutil-dump-speed
+%patch165 -p1 -b .cve-2021-43527-test
+%patch166 -p1 -b .disable-ech
 
-%patch200 -p1 -b .skip-pwdecrypt-time
 %patch300 -p1 -b .remove-explicit-ipv4
-%patch301 -p1 -b .client-cert-crash
-%patch302 -p1 -b .fix-pkcs12-null
+%patch301 -p1 -b .ems
 popd
 
 #########################################################
@@ -392,6 +395,9 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 ##### phase 2: build the rest of nss
 export NSS_BLTEST_NOT_AVAILABLE=1
 
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
 export NSS_FORCE_FIPS=1
 
 # Set the policy file location
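Review bot: The added comment `# uncomment if the iquote patch is activated` sits above an `export IN_TREE_FREEBL_HEADERS_FIRST=1` that is already active, so the comment contradicts the line. The hunk header shows the same export earlier in the build section, which makes this one look redundant. Either comment the line out as the text implies (`#export IN_TREE_FREEBL_HEADERS_FIRST=1`) or reword the comment to `# needed while the iquote patch is applied`.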
@@ -575,17 +581,20 @@ pushd ./nss/tests/
 #  don't need to run all the tests when testing packaging
 export NSS_DEFAULT_DB_TYPE=dbm  #in RHEL 7, the default db is sql, but we want
                                 # standard to test dbm, or upgradedb will fail
+%ifnarch x86_64
+export NSS_EXPECTED_TIME=8
+%endif
+%if %{with gtests}
+%define do_gtests gtests
+%define do_ssl_gtests ssl_gtests
+%endif
 %global nss_full_cycles "standard pkix upgradedb sharedb threadunsafe"
 %global nss_cycles "standard pkix upgradedb sharedb"
-%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec"
-%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec"
+%define nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec %{do_gtests} %{do_ssl_gtests}"
+%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec %{do_gtests} %{do_ssl_gtests}"
 %ifarch x86_64
 %global nss_cycles "standard pkix upgradedb sharedb threadunsafe"
 %endif
-%if %{with gtests}
-%global nss_full_tests "%{nss_full_tests} gtests ssl_gtests"
-%global nss_tests "%{nss_tests} ssl_gtests"
-%endif
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 #  nss_ssl_run: cov auth stress
 #
@@ -597,15 +606,13 @@ export NSS_DEFAULT_DB_TYPE=dbm  #in RHEL 7, the default db is sql, but we want
 # Temporarily disabling tests for s390
 %ifarch s390
 %global nss_ssl_run "cov auth"
-%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec"
+%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec%{do_gtests}"
 %endif
 %ifarch s390x
 %global nss_ssl_run "cov auth"
-%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec"
-%endif
-%if %{with gtests}
-%global nss_tests "%{nss_tests} gtests"
+%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec%{do_gtests}"
 %endif
+
 #  nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
 soft=$(rpm -q nss-softokn)
 soft_minor=${soft:14:2}
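Review bot: In both the s390 and s390x overrides, `ec%{do_gtests}` has no space before the macro, so with gtests enabled the list ends in `ecgtests` and neither the `ec` nor the `gtests` suite is named correctly. The line should read `%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec %{?do_gtests}"` in both places.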
@@ -946,6 +953,15 @@ fi
 
 
 %changelog
+* Mon Aug 7 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-2
+- fix EMS bug
+- disbale ECH
+- fix gtests in spec file
+- restore missing test case
+
+* Wed Jun 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
+- Rebase to NSS 3.90
+
 * Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
 - fix CVE-2023-0767