Allow crypto policies to tweak with the kyber policy entry

nss-3.101-enable-kyber-policy.patch

@@ -0,0 +1,13 @@
+diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy	2024-06-12 14:44:24.680338868 -0700
++++ ./lib/pk11wrap/pk11pars.c	2024-06-12 14:44:48.368609356 -0700
+@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+     { CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+-    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
++    { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 
++      NSS_USE_ALG_IN_SSL_KX },
+     /* ANSI X9.62 named elliptic curves (characteristic two field) */
+     { CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 1
+%global baserelease 2
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -131,6 +131,8 @@ Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
+# allow crypto policies to enable kyber
+Patch41:          nss-3.101-enable-kyber-policy.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -978,14 +980,15 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/ciferfam.h
 %{_includedir}/nss3/eccutil.h
 %{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/nssb64.h
 %{_includedir}/nss3/nssb64t.h
 %{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nsshash.h
 %{_includedir}/nss3/nssilock.h
 %{_includedir}/nss3/nssilckt.h
 %{_includedir}/nss3/nssrwlk.h
 %{_includedir}/nss3/nssrwlkt.h
-%{_includedir}/nss3/nsshash.h
 %{_includedir}/nss3/nssutil.h
 %{_includedir}/nss3/pkcs1sig.h
 %{_includedir}/nss3/pkcs11.h
@@ -1012,7 +1015,6 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/utilpars.h
 %{_includedir}/nss3/utilparst.h
 %{_includedir}/nss3/utilrename.h
-%{_includedir}/nss3/kyber.h
 %{_includedir}/nss3/templates/templates.c
 
 %files softokn
@@ -1088,6 +1090,9 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed Jun 12 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
+- Enable the Kyber record so we can control it with policies.
+
 * Mon Jun 10 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
 - Update NSS to 3.101.0
 - Turn off deprecated SEED algorithm