Resolves: RHEL-58245

- Add ml-kem support and remove xyber support - Fix shlibsign when the system is in FIPS mode
2024-11-02 13:20:24 -07:00 · 2024-11-02 13:20:24 -07:00 · 059ca7646f
commit 059ca7646f
parent 9ae1c12152
4 changed files with 21503 additions and 1 deletions
--- a/fips_algorithms.h
+++ b/fips_algorithms.h
@ -184,5 +184,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
    { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHashSp800,
        offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    /* concatentate fuctions used in hybrid operations */
+    /* The following functions add data at the end of a base key. If the base
+     * key is FIPS, and the resulting keys are strong enough, then the
+     * resulting key will also be FIPS and the resulting operations will be
+     * FIPS approved. */
+    { CKM_CONCATENATE_BASE_AND_KEY, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_CONCATENATE_BASE_AND_DATA, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
--- a/nss-3.101-fix-shlibsign-fips.patch
+++ b/nss-3.101-fix-shlibsign-fips.patch
@ -0,0 +1,12 @@
+diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
+--- ./cmd/shlibsign/shlibsign.c.shlibsign	2024-06-07 09:26:03.000000000 -0700
+++ ./cmd/shlibsign/shlibsign.c	2024-10-31 10:49:28.637449054 -0700
+@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
+     } else {
+         /* NON FIPS mode  == C_GetFunctionList */
+         pC_GetFunctionList = (CK_C_GetFunctionList)
+-            PR_FindFunctionSymbol(lib, "C_GetFunctionList");
+            PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
+     }
+     assert(pC_GetFunctionList != NULL);
+     if (!pC_GetFunctionList) {
--- a/nss-3.101-replace-xyber_with-mlkem.patch
+++ b/nss-3.101-replace-xyber_with-mlkem.patch
--- a/nss.spec
+++ b/nss.spec
@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 8
+%global baserelease 9
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@ -190,9 +190,11 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-cavs-test.patch
+Patch88:          nss-3.101-fix-shlibsign-fips.patch

 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
+Patch91:          nss-3.101-replace-xyber_with-mlkem.patch

 # NSS reverse patches
 Patch300:         nss-3.79-distrusted-certs.patch
@ -1168,6 +1170,10 @@ fi


 %changelog
+* Fri Nov 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-9
+- Add ml-kem support and remove xyber support
+- Fix shlibsign when the system is in FIPS mode
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.101.0-8
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018