Resolves: RHEL-58245

- Add ml-kem support and remove xyber support
- Fix shlibsign when the system is in FIPS mode

fips_algorithms.h

@@ -184,5 +184,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
         offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
     { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1,  SFTKFIPSChkHashSp800,
         offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
+    /* concatentate fuctions used in hybrid operations */
+    /* The following functions add data at the end of a base key. If the base
+     * key is FIPS, and the resulting keys are strong enough, then the
+     * resulting key will also be FIPS and the resulting operations will be
+     * FIPS approved. */
+    { CKM_CONCATENATE_BASE_AND_KEY, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
+    { CKM_CONCATENATE_BASE_AND_DATA, { 112, CK_MAX, CKF_DERIVE }, 1, SFTKFIPSNone },
 };
 const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);

nss-3.101-fix-shlibsign-fips.patch

@@ -0,0 +1,12 @@
+diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
+--- ./cmd/shlibsign/shlibsign.c.shlibsign	2024-06-07 09:26:03.000000000 -0700
++++ ./cmd/shlibsign/shlibsign.c	2024-10-31 10:49:28.637449054 -0700
+@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
+     } else {
+         /* NON FIPS mode  == C_GetFunctionList */
+         pC_GetFunctionList = (CK_C_GetFunctionList)
+-            PR_FindFunctionSymbol(lib, "C_GetFunctionList");
++            PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
+     }
+     assert(pC_GetFunctionList != NULL);
+     if (!pC_GetFunctionList) {

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 8
+%global baserelease 9
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -190,9 +190,11 @@ Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 Patch85:          nss-3.101-fix-cms-abi-break.patch
 Patch86:          nss-3.101-long-pwd-fix.patch
 Patch87:          nss-3.101-fix-cavs-test.patch
+Patch88:          nss-3.101-fix-shlibsign-fips.patch
 
 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
+Patch91:          nss-3.101-replace-xyber_with-mlkem.patch
 
 # NSS reverse patches
 Patch300:         nss-3.79-distrusted-certs.patch
@@ -1168,6 +1170,10 @@ fi
 
 
 %changelog
+* Fri Nov 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-9
+- Add ml-kem support and remove xyber support
+- Fix shlibsign when the system is in FIPS mode
+
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.101.0-8
 - Bump release for October 2024 mass rebuild:
   Resolves: RHEL-64018