import nss-3.79.0-8.el8_6

SOURCES/nss-3.79-pkcs12-fips-defaults.patch

@@ -0,0 +1,25 @@
+diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults	2022-07-20 13:40:24.152212683 -0700
++++ ./cmd/pk12util/pk12util.c	2022-07-20 13:42:40.031094190 -0700
+@@ -1146,6 +1146,11 @@ main(int argc, char **argv)
+         goto done;
+     }
+ 
++    if (PK11_IsFIPS()) {
++        cipher =  SEC_OID_AES_256_CBC;
++        certCipher =  SEC_OID_AES_128_CBC;
++    }
++
+     if (pk12util.options[opt_Cipher].activated) {
+         char *cipherString = pk12util.options[opt_Cipher].arg;
+ 
+@@ -1160,9 +1165,6 @@ main(int argc, char **argv)
+         }
+     }
+ 
+-    if (PK11_IsFIPS()) {
+-        certCipher =  SEC_OID_UNKNOWN;
+-    }
+     if (pk12util.options[opt_CertCipher].activated) {
+         char *cipherString = pk12util.options[opt_CertCipher].arg;
+ 

SOURCES/nss-3.79-pkcs12-fix-null-password.patch

@@ -0,0 +1,21 @@
+diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.fix_null_password	2022-07-20 14:15:45.081009438 -0700
++++ ./lib/pkcs12/p12local.c	2022-07-20 14:19:40.856546963 -0700
+@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
+     if (zeroTerm) {
+         /* unicode adds two nulls at the end */
+         if (toUnicode) {
+-            if ((dest->len >= 2) &&
+-                (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
++            if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
+                 /* we've already allocated space for these new NULLs */
+                 PORT_Assert(dest->len + 2 <= bufferSize);
+                 dest->len += 2;
+                 dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
+             }
+             /* ascii/utf-8 adds just 1 */
+-        } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
++        } else if (!dest->len || dest->data[dest->len - 1]) {
+             PORT_Assert(dest->len + 1 <= bufferSize);
+             dest->len++;
+             dest->data[dest->len - 1] = 0;

SPECS/nss.spec

@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          8%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -153,6 +153,8 @@ Patch45:          nss-3.66-disable-external-host-test.patch
 Patch50:          nss-3.66-restore-old-pkcs12-default.patch
 # Local Patch: restore expired distrusted certs for now
 Patch51:          nss-3.79-revert-distrusted-certs.patch
+# Local Patch: update fipsdefaults to AES
+Patch52:          nss-3.79-pkcs12-fips-defaults.patch
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1774659
 Patch60:          nss-3.79-dbtool.patch
@@ -163,8 +165,7 @@ Patch63:          nss-3.79-fix-client-cert-crash.patch
 Patch64:          nss-3.79-rhel-8-fips-signature-policy.patch
 Patch65:          nss-3.79-enable-POST-rerun.patch
 Patch66:          nss-3.79-increase-pbe-cache.patch
-
-
+Patch67:          /nss-3.79-pkcs12-fix-null-password.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -941,6 +942,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Wed Jul 13 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
+- Update fips default for pk12util to AES rather than TDES
+- Fix bug in pkcs12 files with null passwords
+
 * Wed Jul 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
 - Better fix for test regressions