From 88a947fc0b44ef8b91de7e8e404a468dfb6c4569 Mon Sep 17 00:00:00 2001
From: Bob Relyea <rrelyea@redhat.com>
Date: Fri, 16 Apr 2021 14:12:00 -0700
Subject: [PATCH] Resolves: rhbz#1926367 Restore RHEL-8 patch to prevent MD5
 and MD4 hash operations

---
 nss-disable-md5.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 nss-dso-ldflags.patch | 13 +++++++++++++
 nss.spec              | 21 +++++++++++++++------
 3 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 nss-disable-md5.patch
 create mode 100644 nss-dso-ldflags.patch

diff --git a/nss-disable-md5.patch b/nss-disable-md5.patch
new file mode 100644
index 0000000..3e05210
--- /dev/null
+++ b/nss-disable-md5.patch
@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c	Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/pk11wrap/pk11pars.c	Thu Jun 25 14:33:09 2020 +0200
+@@ -323,11 +323,11 @@
+ static const oidValDef hashOptList[] = {
+     /* Hashes */
+     { CIPHER_NAME("MD2"), SEC_OID_MD2,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++      0 },
+     { CIPHER_NAME("MD4"), SEC_OID_MD4,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++      0 },
+     { CIPHER_NAME("MD5"), SEC_OID_MD5,
+-      NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++      0 },
+     { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+       NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+     { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c	Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c	Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+             int i;
+ 
+             for (i = 1; i < SEC_OID_TOTAL; i++) {
++                switch (i) {
++                case SEC_OID_MD2:
++                case SEC_OID_MD4:
++                case SEC_OID_MD5:
++                case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++                case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++                case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++                    continue;
++                default:
++                    break;
++                }
+                 if (oids[i].desc && strstr(arg, oids[i].desc)) {
+                     xOids[i].notPolicyFlags = notEnable |
+                                               (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/nss-dso-ldflags.patch b/nss-dso-ldflags.patch
new file mode 100644
index 0000000..d5485ae
--- /dev/null
+++ b/nss-dso-ldflags.patch
@@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+ 
+ DSO_CFLAGS		= -fPIC
+-DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
diff --git a/nss.spec b/nss.spec
index f44ba1d..1180604 100644
--- a/nss.spec
+++ b/nss.spec
@@ -2,7 +2,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 1
+%global nspr_release 2
 %global nss_version 3.63.0
 # only need to update this as we added new
 # algorithms under nss policy control
@@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          2%{?dist}
+Release:          3%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -129,6 +129,10 @@ Patch20:          nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30:          nss-fedora-btrf-sql-hack.patch
+# connect our shared library to the build root loader flags (needed for -relro)
+Patch31:          nss-dso-ldflags.patch
+# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
+Patch32:          nss-disable-md5.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -259,7 +263,7 @@ Header and library files for doing development with Network Security Services.
 %package -n nspr
 Summary:        Netscape Portable Runtime
 Version:        %{nspr_version}
-Release:        %{nspr_release}%{?dist}.1
+Release:        %{nspr_release}%{?dist}
 License:        MPLv2.0
 URL:            http://www.mozilla.org/projects/nspr/
 Conflicts:      filesystem < 3
@@ -274,7 +278,7 @@ memory management (malloc and free) and shared library linking.
 %package -n nspr-devel
 Summary:        Development libraries for the Netscape Portable Runtime
 Version:        %{nspr_version}
-Release:        %{nspr_release}%{?dist}.1
+Release:        %{nspr_release}%{?dist}
 Requires:       nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
 Requires:       pkgconfig
 BuildRequires:  xmlto
@@ -1052,8 +1056,13 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com>
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Fri Apr 16 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-3
+ - prevent MD5 from being enabled even with the environment variables
+   and policy. This mirrors the rhel8 semantics.
+ - add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.63.0-2
+ - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
 * Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
 - Update NSS to 3.62