update version to 3.94

2023-11-20 17:00:34 +08:00 · 2023-11-20 17:00:34 +08:00 · 8b3ce1faf7
commit 8b3ce1faf7
parent 328d72d6e6
10 changed files with 157 additions and 200 deletions
--- a/Feature-nss-support-SM2-signature-algorithm.patch
+++ b/Feature-nss-support-SM2-signature-algorithm.patch
@ -5,22 +5,6 @@ Subject: [PATCH 4/4] nss support SM2 signature algorithm
 Co-authored-by: godcansee <liu332084460@foxmail.com>
 Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 ---
 lib/cryptohi/cryptohi.h     |  2 ++
 lib/cryptohi/seckey.c       |  3 +++
 lib/cryptohi/secsign.c      | 43 +++++++++++++++++++++++++++++++++++++
 lib/cryptohi/secvfy.c       |  5 +++++
 lib/freebl/ec.c             |  5 ++++-
 lib/freebl/ecdecode.c       |  5 ++++-
 lib/freebl/ecl/ecl-curve.h  | 33 ++++++++++++++++++++++++++++
 lib/freebl/ecl/ecl-exp.h    |  1 +
 lib/freebl/freebl_base.gypi |  1 +
 lib/freebl/manifest.mn      |  2 ++
 lib/nss/nss.def             |  6 ++++++
 lib/util/pkcs11n.h          |  2 ++
 lib/util/secoid.c           |  4 ++++
 lib/util/secoidt.h          |  2 ++
 14 files changed, 112 insertions(+), 2 deletions(-)
 diff --git a/lib/cryptohi/cryptohi.h b/lib/cryptohi/cryptohi.h
 index 7b66f0b..4f99ef9 100644
@ -36,10 +20,10 @@ index 7b66f0b..4f99ef9 100644
 #endif /* _CRYPTOHI_H_ */
 diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
-index fa13bc3..4bcd43e 100644
+index 656609e..6a230e1 100644
 --- a/lib/cryptohi/seckey.c
 +++ b/lib/cryptohi/seckey.c
-@@ -520,6 +520,7 @@ seckey_GetKeyType(SECOidTag tag)
+@@ -519,6 +519,7 @@ seckey_GetKeyType(SECOidTag tag)
             keyType = dhKey;
             break;
         case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
@ -47,7 +31,7 @@ index fa13bc3..4bcd43e 100644
             keyType = ecKey;
             break;
         /* accommodate applications that hand us a signature type when they
-@@ -776,6 +777,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
+@@ -775,6 +776,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams)
         case SEC_OID_SECG_EC_SECP256K1:
         case SEC_OID_ANSIX962_EC_PRIME256V1:
@ -55,7 +39,7 @@ index fa13bc3..4bcd43e 100644
             return 256;
         case SEC_OID_ANSIX962_EC_C2PNB272W1:
-@@ -924,6 +926,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams)
+@@ -923,6 +925,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams)
         case SEC_OID_SECG_EC_SECP256K1:
         case SEC_OID_ANSIX962_EC_PRIME256V1:
@ -64,10 +48,10 @@ index fa13bc3..4bcd43e 100644
         case SEC_OID_ANSIX962_EC_C2PNB272W1:
 diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
-index c46b2b1..90be1d1 100644
+index 8779904..8a12b25 100644
 --- a/lib/cryptohi/secsign.c
 +++ b/lib/cryptohi/secsign.c
-@@ -861,3 +861,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena,
+@@ -882,3 +882,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena,
             return result;
     }
 }
@ -115,7 +99,7 @@ index c46b2b1..90be1d1 100644
 +    return SECSuccess;
 +}
 diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
-index 1754584..1d75bdf 100644
+index 8c9dc2d..981cb0d 100644
 --- a/lib/cryptohi/secvfy.c
 +++ b/lib/cryptohi/secvfy.c
@@ -288,6 +288,8 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg)
@ -138,7 +122,7 @@ index 1754584..1d75bdf 100644
         case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
         default:
 diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
-index 73a625a..bf2aea7 100644
+index 5bf7d81..2b8e321 100644
 --- a/lib/freebl/ec.c
 +++ b/lib/freebl/ec.c
@@ -15,6 +15,7 @@
@ -148,8 +132,8 @@ index 73a625a..bf2aea7 100644
 +#include "sm2.h"
 #define EC_DOUBLECHECK PR_FALSE
-
+ 
-@@ -907,7 +908,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
+@@ -988,7 +989,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
         goto cleanup;
     /* Generate ECDSA signature with the specified k value */
@ -161,14 +145,13 @@ index 73a625a..bf2aea7 100644
 cleanup:
     if (kBytes) {
 diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c
-index 652ad42..4c090d2 100644
+index bd31eb0..29f41c9 100644
 --- a/lib/freebl/ecdecode.c
 +++ b/lib/freebl/ecdecode.c
-@@ -179,7 +179,10 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
+@@ -181,6 +181,10 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
             CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain,
                                                   params));
             break;
-
+ 
 +        case SEC_OID_SM2:
 +            /* Populate params for Curve SM2 */
 +           CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_sm2p256v1, ec_field_plain,
@ -177,10 +160,10 @@ index 652ad42..4c090d2 100644
             break;
     };
 diff --git a/lib/freebl/ecl/ecl-curve.h b/lib/freebl/ecl/ecl-curve.h
-index fc8003f..e64fe4d 100644
+index dec3ce3..b525ba5 100644
 --- a/lib/freebl/ecl/ecl-curve.h
 +++ b/lib/freebl/ecl/ecl-curve.h
-@@ -206,6 +206,38 @@ static const ECCurveBytes ecCurve_25519 = {
+@@ -178,6 +178,38 @@ static const ECCurveBytes ecCurve_25519 = {
     KU_KEY_AGREEMENT
 };
@ -219,7 +202,7 @@ index fc8003f..e64fe4d 100644
 /* mapping between ECCurveName enum and pointers to ECCurveParams */
 static const ECCurveBytes *ecCurve_map[] = {
     NULL,               /* ECCurve_noName */
-@@ -267,6 +299,7 @@ static const ECCurveBytes *ecCurve_map[] = {
+@@ -239,6 +271,7 @@ static const ECCurveBytes *ecCurve_map[] = {
     NULL,               /* ECCurve_WTLS_8 */
     NULL,               /* ECCurve_WTLS_9 */
     &ecCurve_25519,     /* ECCurve25519 */
@ -240,10 +223,10 @@ index 44adb8a..d071fc9 100644
     ECCurve_pastLastCurve
 } ECCurveName;
 diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
-index 85a569f..253ce8d 100644
+index 920d613..e6094a9 100644
 --- a/lib/freebl/freebl_base.gypi
 +++ b/lib/freebl/freebl_base.gypi
-@@ -59,6 +59,7 @@
+@@ -61,6 +61,7 @@
     'sha_fast.c',
     'shvfy.c',
     'sm3.c',
@ -252,10 +235,10 @@ index 85a569f..253ce8d 100644
     'tlsprfalg.c',
     'secmpi.c',
 diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
-index fd3218d..2dbf7c9 100644
+index 3214369..f321f67 100644
 --- a/lib/freebl/manifest.mn
 +++ b/lib/freebl/manifest.mn
-@@ -158,6 +158,7 @@ CSRCS = \
+@@ -161,6 +161,7 @@ CSRCS = \
 	$(LOWHASH_SRCS) \
 	$(EXTRA_SRCS) \
 	sm3.c \
@ -263,7 +246,7 @@ index fd3218d..2dbf7c9 100644
 	$(NULL)
 ifndef NSS_DISABLE_DEPRECATED_SEED
-@@ -188,6 +189,7 @@ ALL_HDRS =  \
+@@ -191,6 +192,7 @@ ALL_HDRS =  \
 	vis_proto.h \
 	seed.h \
 	sm3.h \
@ -272,10 +255,10 @@ index fd3218d..2dbf7c9 100644
 diff --git a/lib/nss/nss.def b/lib/nss/nss.def
-index e87395b..2bc4965 100644
+index 35850ca..4d778e5 100644
 --- a/lib/nss/nss.def
 +++ b/lib/nss/nss.def
-@@ -1238,3 +1238,9 @@ PK11_SlotGetLastFIPSStatus;
+@@ -1253,3 +1253,9 @@ SECMOD_LockedModuleHasRemovableSlots;
 ;+    local:
 ;+       *;
 ;+};
@ -286,10 +269,10 @@ index e87395b..2bc4965 100644
 +;+       *;
 +;+};
 diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
-index 9bb704c..f195077 100644
+index 5027847..31a0807 100644
 --- a/lib/util/pkcs11n.h
 +++ b/lib/util/pkcs11n.h
-@@ -252,6 +252,8 @@
+@@ -260,6 +260,8 @@
 /* SM algorithm (to be proposed to PKCS #11) */
 #define CKM_NSS_SM3 (CKM_NSS + 45)
@ -299,10 +282,10 @@ index 9bb704c..f195077 100644
 /*
 diff --git a/lib/util/secoid.c b/lib/util/secoid.c
-index 3091d99..f5f2b12 100644
+index 2060429..e97eead 100644
 --- a/lib/util/secoid.c
 +++ b/lib/util/secoid.c
-@@ -606,6 +606,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01
+@@ -616,6 +616,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01
  * 1.2.156.197.1.401
  */
 CONST_OID sm3[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x83, 0x11 };
@ -311,28 +294,25 @@ index 3091d99..f5f2b12 100644
 #define OI(x)                                  \
     {                                          \
-@@ -1801,6 +1803,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
+@@ -1812,6 +1814,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
        "IPsec User",
        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
     OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION),
 +    OD(sm2, SEC_OID_SM2, "SM2", CKM_NSS_SM2, INVALID_CERT_EXTENSION),
 +    OD(sm2_with_sm3, SEC_OID_SM2_WITH_SM3, "SM2_WITH_SM3", CKM_NSS_SM2_WITH_SM3, INVALID_CERT_EXTENSION),
 };
- /* PRIVATE EXTENDED SECOID Table
+     OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION),
     OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION),
 diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
-index 984b7fb..fe49661 100644
+index b6a98a2..b60f74e 100644
 --- a/lib/util/secoidt.h
 +++ b/lib/util/secoidt.h
-@@ -503,6 +503,8 @@ typedef enum {
+@@ -513,6 +513,8 @@ typedef enum {
-     SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
+     SEC_OID_HMAC_SHA3_512 = 371,
-     SEC_OID_SM3 = 364,
+     SEC_OID_SM3 = 372,
-+    SEC_OID_SM2 = 365,
+    SEC_OID_SM2 = 373,
-+    SEC_OID_SM2_WITH_SM3 = 366,
+    SEC_OID_SM2_WITH_SM3 = 374,
     SEC_OID_TOTAL
 } SECOidTag;
 -- 
 2.33.0
--- a/Feature-nss-support-SM3-digest-algorithm.patch
+++ b/Feature-nss-support-SM3-digest-algorithm.patch
@ -5,32 +5,9 @@ Subject: [PATCH 2/4] nss support SM3 digest algorithm
 Co-authored-by: godcansee <liu332084460@foxmail.com>
 Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 ---
 lib/cryptohi/sechash.c      | 19 ++++++++
 lib/freebl/blapi.h          | 18 ++++++++
 lib/freebl/blapit.h         |  4 ++
 lib/freebl/freebl_base.gypi |  1 +
 lib/freebl/ldvector.c       | 13 +++++-
 lib/freebl/loader.c         | 91 +++++++++++++++++++++++++++++++++++++
 lib/freebl/loader.h         | 14 ++++++
 lib/freebl/manifest.mn      |  2 +
 lib/freebl/rawhash.c        | 12 +++++
 lib/pk11wrap/pk11pars.c     |  2 +
 lib/pk11wrap/pk11slot.c     | 11 ++++-
 lib/pk11wrap/secmod.h       |  1 +
 lib/softoken/pkcs11.c       |  1 +
 lib/softoken/pkcs11c.c      |  2 +
 lib/util/hasht.h            |  2 +
 lib/util/pkcs11n.h          |  4 ++
 lib/util/secoid.c           |  6 +++
 lib/util/secoidt.h          |  2 +
 lib/util/utilmodt.h         |  1 +
 lib/util/utilpars.c         |  1 +
 lib/util/utilparst.h        |  2 +-
 21 files changed, 205 insertions(+), 4 deletions(-)
 diff --git a/lib/cryptohi/sechash.c b/lib/cryptohi/sechash.c
-index 474fdff..7c4cdbf 100644
+index 5c592df..b288145 100644
 --- a/lib/cryptohi/sechash.c
 +++ b/lib/cryptohi/sechash.c
@@ -85,6 +85,12 @@ sha512_NewContext(void)
@ -43,10 +20,10 @@ index 474fdff..7c4cdbf 100644
 +    return (void *)PK11_CreateDigestContext(SEC_OID_SM3);
 +}
 +
- const SECHashObject SECHashObjects[] = {
+ static void *
-     { 0,
+ sha3_224_NewContext(void)
-       (void *(*)(void))null_hash_new_context,
+ {
-@@ -166,6 +172,16 @@ const SECHashObject SECHashObjects[] = {
+@@ -190,6 +196,16 @@ const SECHashObject SECHashObjects[] = {
           PK11_DigestFinal,
       SHA224_BLOCK_LENGTH,
       HASH_AlgSHA224 },
@ -60,26 +37,26 @@ index 474fdff..7c4cdbf 100644
 +          PK11_DigestFinal,
 +      SM3_BLOCK_LENGTH,
 +      HASH_AlgSM3 },
- };
+     { SHA3_224_LENGTH,
- 
+       (void *(*)(void))sha3_224_NewContext,
- const SECHashObject *
+       (void *(*)(void *))PK11_CloneContext,
-@@ -201,6 +217,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid)
+@@ -265,6 +281,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid)
         case SEC_OID_SHA512:
             ht = HASH_AlgSHA512;
             break;
 +        case SEC_OID_SM3:
 +            ht = HASH_AlgSM3;
 +            break;
-         default:
+         case SEC_OID_SHA3_224:
-             PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+             ht = HASH_AlgSHA3_224;
             break;
 diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
-index 94fd802..d53c196 100644
+index b8bc4d3..a06544e 100644
 --- a/lib/freebl/blapi.h
 +++ b/lib/freebl/blapi.h
-@@ -1484,6 +1484,24 @@ extern SECStatus SHA384_Flatten(SHA384Context *cx, unsigned char *space);
+@@ -1584,6 +1584,24 @@ extern SECStatus SHAKE_256_HashBuf(unsigned char *dest, unsigned int dest_len,
- extern SHA384Context *SHA384_Resurrect(unsigned char *space, void *arg);
+                                    const unsigned char *src, PRUint32 src_length);
- extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src);
+ extern SECStatus SHAKE_256_Hash(unsigned char *dest, unsigned int dest_len, const char *src);
 +/******************************************/
 +
@ -103,46 +80,46 @@ index 94fd802..d53c196 100644
  * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function
  */
 diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
-index 0054e17..2d400ec 100644
+index 8cba3ec..cbd6b79 100644
 --- a/lib/freebl/blapit.h
 +++ b/lib/freebl/blapit.h
-@@ -98,6 +98,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
+@@ -102,6 +102,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
- #define SHA384_LENGTH 48     /* bytes */
+ #define SHA3_384_LENGTH 48   /* bytes */
- #define SHA512_LENGTH 64     /* bytes */
+ #define SHA3_512_LENGTH 64   /* bytes */
 #define BLAKE2B512_LENGTH 64 /* Bytes */
 +#define SM3_LENGTH 32        /* bytes */
 #define HASH_LENGTH_MAX SHA512_LENGTH
 /*
-@@ -112,6 +113,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
+@@ -120,6 +121,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
- #define SHA384_BLOCK_LENGTH 128  /* bytes */
+ #define SHA3_384_BLOCK_LENGTH 104 /* bytes */
- #define SHA512_BLOCK_LENGTH 128  /* bytes */
+ #define SHA3_512_BLOCK_LENGTH 72  /* bytes */
- #define BLAKE2B_BLOCK_LENGTH 128 /* Bytes */
+ #define BLAKE2B_BLOCK_LENGTH 128  /* Bytes */
 +#define SM3_BLOCK_LENGTH 64      /* bytes */
- #define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH
+ #define HASH_BLOCK_LENGTH_MAX SHA3_224_BLOCK_LENGTH
 #define AES_BLOCK_SIZE 16 /* bytes */
-@@ -243,6 +245,7 @@ struct MD5ContextStr;
+@@ -255,6 +257,7 @@ struct MD5ContextStr;
 struct SHA1ContextStr;
 struct SHA256ContextStr;
 struct SHA512ContextStr;
 +struct SM3ContextStr;
 struct SHA3ContextStr;
 struct SHAKEContextStr;
 struct AESKeyWrapContextStr;
- struct SEEDContextStr;
+@@ -278,6 +281,7 @@ typedef struct SHA256ContextStr SHA224Context;
 struct ChaCha20ContextStr;
@@ -264,6 +267,7 @@ typedef struct SHA256ContextStr SHA224Context;
 typedef struct SHA512ContextStr SHA512Context;
 /* SHA384Context is really a SHA512ContextStr.  This is not a mistake. */
 typedef struct SHA512ContextStr SHA384Context;
 +typedef struct SM3ContextStr SM3Context;
- typedef struct AESKeyWrapContextStr AESKeyWrapContext;
+ /* All SHA3_*Contexts are the same.  This is not a mistake. */
- typedef struct SEEDContextStr SEEDContext;
+ typedef struct SHA3ContextStr SHA3_224Context;
- typedef struct ChaCha20ContextStr ChaCha20Context;
+ typedef struct SHA3ContextStr SHA3_256Context;
 diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
-index 34b6b3c..8f64046 100644
+index d2e16f2..920d613 100644
 --- a/lib/freebl/freebl_base.gypi
 +++ b/lib/freebl/freebl_base.gypi
-@@ -58,6 +58,7 @@
+@@ -60,6 +60,7 @@
     'rsapkcs.c',
     'sha_fast.c',
     'shvfy.c',
@ -151,17 +128,13 @@ index 34b6b3c..8f64046 100644
     'tlsprfalg.c',
     'secmpi.c',
 diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c
-index 6f4bd6a..143584b 100644
+index ff0a5f8..bf41759 100644
 --- a/lib/freebl/ldvector.c
 +++ b/lib/freebl/ldvector.c
-@@ -375,9 +375,20 @@ static const struct FREEBLVectorStr vector = {
+@@ -379,6 +379,18 @@ static const struct FREEBLVectorStr vector = {
     /* End of version 3.024 */
     ChaCha20_InitContext,
     ChaCha20_CreateContext,
 -    ChaCha20_DestroyContext
 +    ChaCha20_DestroyContext,
     /* End of version 3.025 */
 +    SM3_NewContext,
 +    SM3_DestroyContext,
 +    SM3_Begin,
@ -172,19 +145,19 @@ index 6f4bd6a..143584b 100644
 +    SM3_TraceState,
 +    SM3_FlattenSize,
 +    SM3_Flatten,
-+    SM3_Resurrect
+    SM3_Resurrect,
- };
+
- 
+     SHA3_224_NewContext,
- const FREEBLVector*
+     SHA3_224_DestroyContext,
     SHA3_224_FlattenSize,
 diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
-index 692a883..dc3a37e 100644
+index c44343f..8e4b542 100644
 --- a/lib/freebl/loader.c
 +++ b/lib/freebl/loader.c
-@@ -2446,3 +2446,94 @@ CMAC_Destroy(CMACContext *ctx, PRBool free_it)
+@@ -2447,6 +2447,96 @@ CMAC_Destroy(CMACContext *ctx, PRBool free_it)
         return;
     (vector->p_CMAC_Destroy)(ctx, free_it);
 }
-+
+ 
 +SECStatus
 +SM3_Hash(unsigned char *dest, const char *src)
 +{
@ -275,8 +248,11 @@ index 692a883..dc3a37e 100644
 +    return (vector->p_SM3_Resurrect)(space, arg);
 +}
 +
 /* ============== New for 3.0026 =============================== */
 SHA3_224Context *
 diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h
-index eb3046d..f67595e 100644
+index cab96ba..b949e9f 100644
 --- a/lib/freebl/loader.h
 +++ b/lib/freebl/loader.h
@@ -831,6 +831,20 @@ struct FREEBLVectorStr {
@ -298,13 +274,13 @@ index eb3046d..f67595e 100644
 +    SECStatus (*p_SM3_Flatten)(SM3Context *cx, unsigned char *space);
 +    SM3Context *(*p_SM3_Resurrect)(unsigned char *space, void *arg);
-     /* Add new function pointers at the end of this struct and bump
+     SHA3_224Context *(*p_SHA3_224_NewContext)(void);
-      * FREEBL_VERSION at the beginning of this file. */
+     void (*p_SHA3_224_DestroyContext)(SHA3_224Context *cx, PRBool freeit);
 diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
-index 9dac210..fd3218d 100644
+index 6ac8fcd..3214369 100644
 --- a/lib/freebl/manifest.mn
 +++ b/lib/freebl/manifest.mn
-@@ -157,6 +157,7 @@ CSRCS = \
+@@ -160,6 +160,7 @@ CSRCS = \
 	$(STUBS_SRCS) \
 	$(LOWHASH_SRCS) \
 	$(EXTRA_SRCS) \
@ -312,7 +288,7 @@ index 9dac210..fd3218d 100644
 	$(NULL)
 ifndef NSS_DISABLE_DEPRECATED_SEED
-@@ -186,6 +187,7 @@ ALL_HDRS =  \
+@@ -189,6 +190,7 @@ ALL_HDRS =  \
 	shsign.h \
 	vis_proto.h \
 	seed.h \
@ -321,14 +297,14 @@ index 9dac210..fd3218d 100644
 diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
-index 551727b..c74cbbc 100644
+index 07a34cf..0e4e2e3 100644
 --- a/lib/freebl/rawhash.c
 +++ b/lib/freebl/rawhash.c
-@@ -141,6 +141,18 @@ const SECHashObject SECRawHashObjects[] = {
+@@ -141,6 +141,17 @@ const SECHashObject SECRawHashObjects[] = {
       HASH_AlgSHA224,
       (void (*)(void *, unsigned char *, unsigned int *,
                 unsigned int))SHA224_EndRaw },
-+      { SM3_LENGTH,
+    { SM3_LENGTH,
 +      (void *(*)(void))SM3_NewContext,
 +      (void *(*)(void *))null_hash_clone_context,
 +      (void (*)(void *, PRBool))SM3_DestroyContext,
@ -338,16 +314,15 @@ index 551727b..c74cbbc 100644
 +                unsigned int))SM3_End,
 +      SM3_BLOCK_LENGTH,
 +      HASH_AlgSM3,
-+      NULL /* end_raw */
+      NULL },
-+    },
+     { SHA3_224_LENGTH,
- };
+       (void *(*)(void))SHA3_224_NewContext,
- 
+       (void *(*)(void *))null_hash_clone_context,
 const SECHashObject *
 diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
-index 23e5af3..c127309 100644
+index 0243a93..5c4408e 100644
 --- a/lib/pk11wrap/pk11pars.c
 +++ b/lib/pk11wrap/pk11pars.c
-@@ -338,6 +338,8 @@ static const oidValDef hashOptList[] = {
+@@ -342,6 +342,8 @@ static const oidValDef hashOptList[] = {
     { CIPHER_NAME("SHA384"), SEC_OID_SHA384,
       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
     { CIPHER_NAME("SHA512"), SEC_OID_SHA512,
@ -357,7 +332,7 @@ index 23e5af3..c127309 100644
 };
 diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
-index c320019..41a326b 100644
+index fb05ba6..e29cb26 100644
 --- a/lib/pk11wrap/pk11slot.c
 +++ b/lib/pk11wrap/pk11slot.c
@@ -51,6 +51,7 @@ const PK11DefaultArrayEntry PK11_DefaultArray[] = {
@ -378,7 +353,7 @@ index c320019..41a326b 100644
 /************************************************************
  * Generic Slot List and Slot List element manipulations
-@@ -838,6 +840,7 @@ PK11_InitSlotLists(void)
+@@ -848,6 +850,7 @@ PK11_InitSlotLists(void)
     pk11_InitSlotListStatic(&pk11_randomSlotList);
     pk11_InitSlotListStatic(&pk11_sha256SlotList);
     pk11_InitSlotListStatic(&pk11_sha512SlotList);
@ -386,7 +361,7 @@ index c320019..41a326b 100644
     return SECSuccess;
 }
-@@ -864,6 +867,7 @@ PK11_DestroySlotLists(void)
+@@ -874,6 +877,7 @@ PK11_DestroySlotLists(void)
     pk11_FreeSlotListStatic(&pk11_randomSlotList);
     pk11_FreeSlotListStatic(&pk11_sha256SlotList);
     pk11_FreeSlotListStatic(&pk11_sha512SlotList);
@ -394,7 +369,7 @@ index c320019..41a326b 100644
     return;
 }
-@@ -911,6 +915,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
+@@ -925,6 +929,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type)
             return &pk11_md5SlotList;
         case CKM_MD2:
             return &pk11_md2SlotList;
@ -403,7 +378,7 @@ index c320019..41a326b 100644
         case CKM_RC2_ECB:
         case CKM_RC2_CBC:
             return &pk11_rc2SlotList;
-@@ -2362,7 +2368,8 @@ PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
+@@ -2385,7 +2391,8 @@ PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type,
             (type[i] != CKM_SHA384) &&
             (type[i] != CKM_SHA512) &&
             (type[i] != CKM_MD5) &&
@ -414,7 +389,7 @@ index c320019..41a326b 100644
             break;
         }
 diff --git a/lib/pk11wrap/secmod.h b/lib/pk11wrap/secmod.h
-index fcc7707..dbc58e8 100644
+index 53181f0..5ebc86f 100644
 --- a/lib/pk11wrap/secmod.h
 +++ b/lib/pk11wrap/secmod.h
@@ -29,6 +29,7 @@
@ -426,10 +401,10 @@ index fcc7707..dbc58e8 100644
 #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
 #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
 diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
-index 3f49333..323b2e2 100644
+index 8e7872f..75985ab 100644
 --- a/lib/softoken/pkcs11.c
 +++ b/lib/softoken/pkcs11.c
-@@ -452,6 +452,7 @@ static const struct mechanismList mechanisms[] = {
+@@ -475,6 +475,7 @@ static const struct mechanismList mechanisms[] = {
     { CKM_NSS_TLS_PRF_GENERAL_SHA256,
       { 0, 512, CKF_SN_VR },
       PR_FALSE },
@ -438,43 +413,43 @@ index 3f49333..323b2e2 100644
     { CKM_HKDF_DERIVE, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
     { CKM_HKDF_DATA, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE },
 diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
-index 201a0c7..813f4d7 100644
+index f99f114..4a1e44b 100644
 --- a/lib/softoken/pkcs11c.c
 +++ b/lib/softoken/pkcs11c.c
-@@ -1939,6 +1939,8 @@ NSC_DigestInit(CK_SESSION_HANDLE hSession,
+@@ -1919,6 +1919,8 @@ NSC_DigestInit(CK_SESSION_HANDLE hSession,
-         INIT_MECH(SHA256)
+         INIT_MECH(SHA3_256)
-         INIT_MECH(SHA384)
+         INIT_MECH(SHA3_384)
-         INIT_MECH(SHA512)
+         INIT_MECH(SHA3_512)
 +#define CKM_SM3 CKM_NSS_SM3
 +        INIT_MECH(SM3)
         default:
             crv = CKR_MECHANISM_INVALID;
 diff --git a/lib/util/hasht.h b/lib/util/hasht.h
-index 536d34c..556c6ba 100644
+index b70b94f..26506c3 100644
 --- a/lib/util/hasht.h
 +++ b/lib/util/hasht.h
-@@ -24,6 +24,7 @@ typedef enum {
+@@ -28,6 +28,7 @@ typedef enum {
-     HASH_AlgSHA384 = 5,
+     HASH_AlgSHA3_256 = 9,
-     HASH_AlgSHA512 = 6,
+     HASH_AlgSHA3_384 = 10,
-     HASH_AlgSHA224 = 7,
+     HASH_AlgSHA3_512 = 11,
-+    HASH_AlgSM3 = 8,
+    HASH_AlgSM3 = 12,
     HASH_AlgTOTAL
 } HASH_HashType;
-@@ -37,6 +38,7 @@ typedef enum {
+@@ -45,6 +46,7 @@ typedef enum {
- #define SHA256_LENGTH 32
+ #define SHA3_256_LENGTH 32
- #define SHA384_LENGTH 48
+ #define SHA3_384_LENGTH 48
- #define SHA512_LENGTH 64
+ #define SHA3_512_LENGTH 64
 +#define SM3_LENGTH 32
 #define HASH_LENGTH_MAX SHA512_LENGTH
 /*
 diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
-index 9a8126a..9bb704c 100644
+index cb76720..5027847 100644
 --- a/lib/util/pkcs11n.h
 +++ b/lib/util/pkcs11n.h
-@@ -250,6 +250,10 @@
+@@ -258,6 +258,10 @@
 #define CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA (CKM_NSS + 43)
 #define CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA (CKM_NSS + 44)
@ -486,10 +461,10 @@ index 9a8126a..9bb704c 100644
  * HISTORICAL:
  * Do not attempt to use these. They are only used by NSS's internal
 diff --git a/lib/util/secoid.c b/lib/util/secoid.c
-index b10f859..3091d99 100644
+index 5026d4b..2060429 100644
 --- a/lib/util/secoid.c
 +++ b/lib/util/secoid.c
-@@ -602,6 +602,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 };
+@@ -612,6 +612,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 };
  */
 CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 };
@ -501,23 +476,24 @@ index b10f859..3091d99 100644
 #define OI(x)                                  \
     {                                          \
         siDEROID, (unsigned char *)x, sizeof x \
-@@ -1795,6 +1800,7 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
+@@ -1806,6 +1811,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
        SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
        "IPsec User",
        CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
 +    OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION),
 };
- /* PRIVATE EXTENDED SECOID Table
+    OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION),
 +
     OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION),
     OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION),
     OD(sha3_384, SEC_OID_SHA3_384, "SHA3-384", CKM_SHA3_384, INVALID_CERT_EXTENSION),
 diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
-index 2b7eb21..984b7fb 100644
+index 788bed0..b6a98a2 100644
 --- a/lib/util/secoidt.h
 +++ b/lib/util/secoidt.h
-@@ -502,6 +502,8 @@ typedef enum {
+@@ -512,6 +512,8 @@ typedef enum {
-     SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+     SEC_OID_HMAC_SHA3_384 = 370,
-     SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
+     SEC_OID_HMAC_SHA3_512 = 371,
-+    SEC_OID_SM3 = 364,
+    SEC_OID_SM3 = 372,
 +
     SEC_OID_TOTAL
 } SECOidTag;
@ -535,7 +511,7 @@ index e1555f3..cc927dd 100644
 #define SECMOD_RESERVED_FLAG 0X08000000L
 #define SECMOD_FRIENDLY_FLAG 0x10000000L
 diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
-index c248aa6..56ede24 100644
+index dd3d232..97c6fe2 100644
 --- a/lib/util/utilpars.c
 +++ b/lib/util/utilpars.c
@@ -607,6 +607,7 @@ static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
@ -559,6 +535,3 @@ index 5dda090..7a4c9f7 100644
 #define NSSUTIL_DEFAULT_CIPHER_ORDER 0
 #define NSSUTIL_DEFAULT_TRUST_ORDER 50
 -- 
 2.33.0
--- a/nss-3.94.tar.gz
+++ b/nss-3.94.tar.gz
--- a/2
+++ b/2
@ -3,7 +3,7 @@
 prefix=/usr
 major_version=3
-minor_version=89
+minor_version=94
 patch_version=0
 usage()
--- a/2
+++ b/2
@ -3,7 +3,7 @@
 prefix=/usr
 major_version=3
-minor_version=89
+minor_version=94
 patch_version=0
 usage()
--- a/nss-softokn.pc
+++ b/nss-softokn.pc
@ -5,7 +5,7 @@ includedir=/usr/include/nss3
 Name: NSS-SOFTOKN
 Description: Network Security Services Softoken PKCS #11 Module
-Version: 3.89
+Version: 394
-Requires: nspr >= 4.35.0, nss-util >= 3.89
+Requires: nspr >= 4.35.0, nss-util >= 3.94
 Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
 Cflags: -I${includedir}
--- a/2
+++ b/2
@ -3,7 +3,7 @@
 prefix=/usr
 major_version=3
-minor_version=89
+minor_version=94
 patch_version=0
 usage()
--- a/nss-util.pc
+++ b/nss-util.pc
@ -5,7 +5,7 @@ includedir=/usr/include/nss3
 Name: NSS-UTIL
 Description: Network Security Services Utility Library
-Version: 3.89
+Version: 3.94
 Requires: nspr >= 4.35.0
 Libs: -L${libdir} -lnssutil3
 Cflags: -I${includedir}
--- a/nss.pc
+++ b/nss.pc
@ -5,7 +5,7 @@ includedir=/usr/include/nss3
 Name: NSS
 Description: Network Security Services
-Version: 3.89
+Version: 3.94
-Requires: nspr >= 4.35.0, nss-util >= 3.89
+Requires: nspr >= 4.35.0, nss-util >= 3.94
 Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
 Cflags: -I${includedir}
--- a/nss.spec
+++ b/nss.spec
@ -1,6 +1,7 @@
 %global nspr_version 4.35.0
-%global nss_version 3.89.0
+%global nss_version 3.94
-%global nss_archive_version 3.89
+%global nss_ver 3_94
 %global nss_archive_version 3.94
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@ -14,18 +15,18 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2
+Release:          1
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Provides:         nss-system-init
 Requires:         nspr >= %{nspr_version} nss-util >= %{nss_version} nss-softokn%{_isa} >= %{nss_version}
-Requires:         p11-kit-trust crypto-policies 
+Requires:         p11-kit-trust crypto-policies
 Requires(post):   coreutils, sed
 BuildRequires:    nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-devel
-BuildRequires:    pkgconf gawk psmisc perl-interpreter gcc-c++ 
+BuildRequires:    pkgconf gawk psmisc perl-interpreter gcc-c++
 obsoletes:	  nss-sysinit < %{version}-%{release}
-Source0:          https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_89_RTM/src/%{name}-%{nss_archive_version}.tar.gz
+Source0:          https://ftp.mozilla.org/pub/security/nss/releases/NSS_%{nss_ver}_RTM/src/%{name}-%{nss_archive_version}.tar.gz
 Source1:          nss-util.pc
 Source2:          nss-util-config
 Source3:          nss-softokn.pc
@ -42,7 +43,7 @@ Source16:         setup-nsssysinit.sh
 # Feature: support sm2 and sm3
 Patch9000:        Feature-nss-add-implement-of-SM3-digest-algorithm.patch
-Patch9001:        Feature-nss-add-implement-of-SM2-signature-algorithm.patch  
+Patch9001:        Feature-nss-add-implement-of-SM2-signature-algorithm.patch
 Patch9002:        Feature-nss-support-SM3-digest-algorithm.patch
 Patch9003:        Feature-nss-support-SM2-signature-algorithm.patch
 Patch9004:        Feature-nss-fix-the-certificate-resolution-in-sm2.patch
@ -556,6 +557,9 @@ update-crypto-policies &>/dev/null||:
 %doc %{_mandir}/man*
 %changelog
 * Mon Nov 20 2023 Jingwiw  <wangjingwei@iscas.ac.cn> - 3.94-1
 - update version to 3.94
 * Tue Sep 12 2023 jinlun <jinlun@huawei.com> - 3.89.0-2
 - fix the certificate resolution in sm2