Merge remote-tracking branch 'up/main' into main-riscv64

dbtests.sh Test #27 cannot be executed within 5 seconds: https://github.com/nss-dev/nss/blob/master/tests/dbtests/dbtests.sh#L369C13-L369C33 Signed-off-by: David Abdurachmanov <davidlt@rivosinc.com>
2024-08-07 21:48:17 +03:00 · 2024-08-07 21:48:17 +03:00 · 97df199bb1
commit 97df199bb1
parent 722d69a69e 2e3eef8d0b
6 changed files with 83 additions and 23 deletions
--- a/.gitignore
+++ b/.gitignore
@ -86,3 +86,10 @@ TestUser51.cert
 /nss-3.93-with-nspr-4.35.tar.gz
 /nss-3.94-with-nspr-4.35.tar.gz
 /nss-3.95-with-nspr-4.35.tar.gz
+/nss-3.96-with-nspr-4.35.tar.gz
+/nss-3.96.1-with-nspr-4.35.tar.gz
+/nss-3.97-with-nspr-4.35.tar.gz
+/nss-3.98-with-nspr-4.35.tar.gz
+/nss-3.99-with-nspr-4.35.tar.gz
+/nss-3.100-with-nspr-4.35.tar.gz
+/nss-3.101-with-nspr-4.35.tar.gz
--- a/nss-3.101-enable-kyber-policy.patch
+++ b/nss-3.101-enable-kyber-policy.patch
@ -0,0 +1,13 @@
+diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy	2024-06-12 14:44:24.680338868 -0700
+++ ./lib/pk11wrap/pk11pars.c	2024-06-12 14:44:48.368609356 -0700
+@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+     { CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+-    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
+    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 
+      NSS_USE_ALG_IN_SSL_KX },
+     /* ANSI X9.62 named elliptic curves (characteristic two field) */
+     { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
--- a/nss-dso-ldflags.patch
+++ b/nss-dso-ldflags.patch
@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+ 
+ DSO_CFLAGS		= -fPIC
+-DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
+DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
--- a/nss-p11-kit.config
+++ b/nss-p11-kit.config
@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-
--- a/nss.spec
+++ b/nss.spec
@ -1,16 +1,16 @@
 %global nspr_version 4.35.0
-%global nss_version 3.95.0
+%global nss_version 3.101.0
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 1
+%global baserelease 4
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %[%baserelease+15]
+%global nspr_release %[%baserelease+23]
 # only need to update this as we added new
 # algorithms under nss policy control
-%global crypto_policies_version 20210118
+%global crypto_policies_version 20240521
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@ -75,7 +75,6 @@ Requires:         nss-util >= %{nss_version}
 Requires:         nss-softokn%{_isa} >= %{nss_version}
 Requires:         nss-system-init
 Requires:         p11-kit-trust
-Requires:         /usr/bin/update-crypto-policies
 Requires:         crypto-policies >= %{crypto_policies_version}
 # for shlibsign
 BuildRequires: make
@ -116,7 +115,6 @@ Source23:         cert8.db.xml
 Source25:         key3.db.xml
 Source27:         secmod.db.xml
 %endif
-Source28:         nss-p11-kit.config

 Source101:        nspr-config.xml

@ -133,8 +131,11 @@ Source101:        nspr-config.xml
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
+Patch13:          nss-dso-ldflags.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
+# allow crypto policies to enable kyber
+Patch41:          nss-3.101-enable-kyber-policy.patch

 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@ -293,9 +294,9 @@ Header files for doing development with the Netscape Portable Runtime.
 %setup -q -T -b 0 -n %{name}-%{nss_archive_version}
 cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in

-%patch 100 -p0 -b .flags
+%patch -P 100 -p0 -b .flags
 pushd nspr
-%patch 101 -p1 -b .gcc-atomics
+%patch -P 101 -p1 -b .gcc-atomics
 popd

 pushd nss
@ -364,6 +365,7 @@ popd
 export IN_TREE_FREEBL_HEADERS_FIRST=1

 export NSS_FORCE_FIPS=1
+export NSS_DISABLE_DEPRECATED_SEED=1

 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@ -386,7 +388,7 @@ export XCFLAGS="$XCFLAGS -Wno-array-parameter"

 export LDFLAGS=$RPM_LD_FLAGS

-export DSO_LDOPTS=$RPM_LD_FLAGS
+export DSO_LDFLAGS=$RPM_LD_FLAGS

 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
@ -552,6 +554,7 @@ export FREEBL_NO_DEPEND=1

 export BUILD_OPT=1
 export NSS_DISABLE_PPC_GHASH=1
+export NSS_DISABLE_DEPRECATED_SEED=1

 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@ -684,7 +687,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
 mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
 mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
-mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
 %if %{defined rhel}
 # not needed for rhel and its derivatives only fedora
 %else
@ -791,9 +793,6 @@ for f in %{dbfiles}; do
   install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
 done

-# Copy the crypto-policies configuration file
-install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
-
 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
 # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
 # from previous versions of nss.spec
@ -813,9 +812,6 @@ if test $1 -eq 2; then
 fi
 %endif

-%posttrans
-update-crypto-policies &> /dev/null || :
-

 %files
 %{!?_licensedir:%global license %%doc}
@ -832,7 +828,6 @@ update-crypto-policies &> /dev/null || :
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
 %if %{with dbm}
 %doc %{_mandir}/man5/cert8.db.5*
 %doc %{_mandir}/man5/key3.db.5*
@ -980,9 +975,11 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/ciferfam.h
 %{_includedir}/nss3/eccutil.h
 %{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/nssb64.h
 %{_includedir}/nss3/nssb64t.h
 %{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nsshash.h
 %{_includedir}/nss3/nssilock.h
 %{_includedir}/nss3/nssilckt.h
 %{_includedir}/nss3/nssrwlk.h
@ -1088,9 +1085,43 @@ update-crypto-policies &> /dev/null || :


 %changelog
-* Thu Dec 14 2023 David Abdurachmanov <davidlt@rivosinc.com> - 3.95.0-1.0.riscv64
+* Wed Aug 07 2024 David Abdurachmanov <davidlt@rivosinc.com> - 3.101.0-4.0.riscv64
 - Disable tests on riscv64 for now

+* Thu Jul 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.101.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Wed Jun 20 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
+- Make sure the rpm LD flags are passed to the NSS build system.
+
+* Wed Jun 12 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
+- Enable the Kyber record so we can control it with policies.
+
+* Mon Jun 10 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
+- Update NSS to 3.101.0
+- Turn off deprecated SEED algorithm
+
+* Tue May 28 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.100.0-1
+- Update NSS to 3.100.0
+
+* Mon Mar 18 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.99.0-1
+- Update NSS to 3.99.0
+
+* Sat Feb 17 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.98.0-1
+- Update NSS to 3.98.0
+
+* Sat Jan 27 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1
+- Update NSS to 3.97.0
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Dec 21 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.96.1-1
+- Update NSS to 3.96.1
+
 * Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1
 - Update NSS to 3.95.0

--- a/2
+++ b/2
@ -1,3 +1,3 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd
+SHA512 (nss-3.101-with-nspr-4.35.tar.gz) = 95c8ef1c12e1de7da4d918cebd1d5464b0ff4932083f6d395733345bd9f8598069028793fd1c08f974efcb31129cd84718487fd5326e45a878fba0d8c309bd39