Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled.

Also disable building DBM backend

.gitignore

@@ -47,3 +47,5 @@ TestUser51.cert
 /nss-3.49.2.tar.gz
 /nss-3.50.tar.gz
 /nss-3.51.tar.gz
+/nss-3.51.1.tar.gz
+/nss-3.52.tar.gz

nss-3.47-ike-fix.patch

@@ -1,22 +0,0 @@
-diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
---- ./lib/softoken/pkcs11.c.ike_fix	2019-11-04 10:15:08.022176945 -0800
-+++ ./lib/softoken/pkcs11.c	2019-11-04 10:17:35.396733750 -0800
-@@ -330,7 +330,7 @@ static const struct mechanismList mechan
-     { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
-     { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
-     { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
--    { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
-+    { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
-     { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
-     /* ------------------------- Camellia Operations --------------------- */
-     { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
-@@ -518,7 +518,8 @@ static const struct mechanismList mechan
-     /* --------------------IPSEC ----------------------- */
-     { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
-     { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
--    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
-+    { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
-+    { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
- };
- static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
- 

nss-gcm-param-default-pkcs11v2.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
+--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2	2020-05-13 13:44:11.312405744 -0700
++++ ./lib/util/pkcs11n.h	2020-05-13 13:45:23.951723660 -0700
+@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
+ typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
+ 
+ /* deprecated #defines. Drop in future NSS releases */
+-#ifdef NSS_PKCS11_2_0_COMPAT
++#ifndef NSS_PKCS11_3_0_STRICT
+ 
+ /* defines that were changed between NSS's PKCS #11 and the Oasis headers */
+ #define CKF_EC_FP CKF_EC_F_P
+@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
+ #define CKT_NETSCAPE_VALID CKT_NSS_VALID
+ #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
+ #else
+-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
+ typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
+ typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
+ #endif

nss-kremlin-ppc64le.patch

@@ -2,27 +2,28 @@ Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
 ===================================================================
 --- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
 +++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
-@@ -56,7 +56,9 @@ typedef const char *Prims_string;
+@@ -56,9 +56,10 @@ typedef const char *Prims_string;
+     !defined(__clang__)
  #include <emmintrin.h>
  typedef __m128i FStar_UInt128_uint128;
- #elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) &&           \
--    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
-+    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
 +    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
 +     defined(__s390x__))
  typedef unsigned __int128 FStar_UInt128_uint128;
- #else
+ #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
- typedef struct FStar_UInt128_uint128_s {
+ typedef __uint128_t FStar_UInt128_uint128;
 Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
 ===================================================================
 --- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
 +++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
-@@ -25,7 +25,9 @@
+@@ -26,7 +26,8 @@
- #include "LowStar_Endianness.h"
  
- #if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+ #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
--    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
+     (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) ||             \
-+    (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
+-     (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
 +    (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
 +     defined(__s390x__))
  

nss-tls13-default.patch

@@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.tls13-default	2020-01-27 10:21:44.930830558 +0100
-+++ nss/lib/ssl/sslsock.c	2020-01-27 10:21:47.419852229 +0100
-@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
-  */
- static SSLVersionRange versions_defaults_stream = {
-     SSL_LIBRARY_VERSION_TLS_1_0,
--    SSL_LIBRARY_VERSION_TLS_1_3
-+    SSL_LIBRARY_VERSION_TLS_1_2
- };
- 
- static SSLVersionRange versions_defaults_datagram = {

nss.spec

@@ -1,5 +1,5 @@
 %global nspr_version 4.25.0
-%global nss_version 3.51.0
+%global nss_version 3.52.0
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global dracutlibdir %{_prefix}/lib/dracut
@@ -7,6 +7,7 @@
 %global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
 
 %bcond_without tests
+%bcond_without dbm
 
 # Produce .chk files for the final stripped binaries
 #
@@ -24,7 +25,7 @@
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
-    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
+    %{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
 %{nil}
 
 # The upstream omits the trailing ".0", while we need it for
@@ -43,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -105,16 +106,14 @@ Patch2:           nss-539183.patch
 # Once the buildroot aha been bootstrapped the patch may be removed
 # but it doesn't hurt to keep it.
 Patch4:           iquote.patch
-# add missing ike mechanism to softoken
-Patch10:          nss-3.47-ike-fix.patch
-# To revert the upstream change:
-# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
-# as it still doesn't work under FIPS mode because of missing HKDF
-# support in PKCS #11.
-Patch11:	  nss-tls13-default.patch
 Patch12:          nss-signtool-format.patch
 # https://github.com/FStarLang/kremlin/issues/166
 Patch13:          nss-kremlin-ppc64le.patch
+%if 0%{?fedora} < 34
+%if 0%{?rhel} < 9
+Patch20:          nss-gcm-param-default-pkcs11v2.patch
+%endif
+%endif
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -296,14 +295,19 @@ export NSS_USE_SYSTEM_SQLITE=1
 
 export NSS_ALLOW_SSLKEYLOGFILE=1
 
+%if %{with dbm}
+%else
+export NSS_DISABLE_DBM=1
+%endif
+
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
 export USE_64=1
 %endif
 %endif
 
-make -C ./nss/coreconf
+%{__make} -C ./nss/coreconf
-make -C ./nss/lib/dbm
+%{__make} -C ./nss/lib/dbm
 
 # Set the policy file location
 # if set NSS will always check for the policy file and load if it exists
@@ -311,11 +315,11 @@ export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-make -C ./nss
+%{__make} -C ./nss
 
 # build the man pages clean
 pushd ./nss
-make clean_docs build_docs
+%{__make} clean_docs build_docs
 popd
 
 # and copy them to the dist directory for %%install to find them
@@ -527,7 +531,7 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 
 # Copy the binary libraries we want
-for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
   install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -830,8 +834,10 @@ update-crypto-policies &> /dev/null || :
 %{_includedir}/nss3/templates/templates.c
 
 %files softokn
+%if %{with dbm}
 %{_libdir}/libnssdbm3.so
 %{_libdir}/libnssdbm3.chk
+%endif
 %{_libdir}/libsoftokn3.so
 %{_libdir}/libsoftokn3.chk
 # shared with nss-tools
@@ -886,9 +892,25 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
+- Delay CK_GCM_PARAMS semantics until fedora 34
+
+* Mon May 11 2020 Daiki Ueno <dueno@redhat.com> - 3.52.0-1
+- Update to NSS 3.52
+
+* Sat Apr 25 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-2
+- Temporarily revert DBM disablement for kernel build failure (#1827902)
+
+* Mon Apr 20 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-1
+- Update to NSS 3.51.1
+- Disable building DBM backend
+
 * Tue Apr  7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
 - Update to NSS 3.51
 
+* Thu Mar 26 2020 Tom Stellard <tstellar@redhat.com> - 3.50.0-3
+- Use __make macro to invoke make
+
 * Thu Mar  5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
 - Apply CMAC fixes from upstream
 

sources

@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd
+SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6