Related: RHEL-46852

Fix the following problems with the rebase:
- Fix MD-5 decode issue in pkcs #12
- turn off policy processing for pkcs12 and smime
- restore the rhel9 pkcs12 defaults for pk12util

nss-3.101-el9-restore-old-pkcs12-default.patch

@@ -0,0 +1,14 @@
+diff -up ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default ./cmd/pk12util/pk12util.c
+--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default	2024-07-18 08:26:35.773248450 -0700
++++ ./cmd/pk12util/pk12util.c	2024-07-18 08:27:05.796595554 -0700
+@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
+             }
+         }
+     }
+-    /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
+-    if (PK11_IsFIPS()) {
+-        hash = SEC_OID_HMAC_SHA256;
+-    }
+     if (pk12util.options[opt_Mac].activated) {
+         char *hashString = pk12util.options[opt_Mac].arg;
+ 

nss-3.101-fix-pkcs12-md5-decode.patch

@@ -0,0 +1,43 @@
+diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
+--- a/lib/util/nsshash.c
++++ b/lib/util/nsshash.c
+@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
+ SECOidTag
+ HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
+ {
+     SECOidTag hashOid = SEC_OID_UNKNOWN;
+ 
+     switch (hmacOid) {
+         /* no oid exists for HMAC_MD2 */
+         /* NSS does not define a oid for HMAC_MD4 */
++        case SEC_OID_HMAC_MD5:
++            hashOid = SEC_OID_MD5;
++            break;
+         case SEC_OID_HMAC_SHA1:
+             hashOid = SEC_OID_SHA1;
+             break;
+         case SEC_OID_HMAC_SHA224:
+             hashOid = SEC_OID_SHA224;
+             break;
+         case SEC_OID_HMAC_SHA256:
+             hashOid = SEC_OID_SHA256;
+@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
+ SECOidTag
+ HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
+ {
+     SECOidTag hmacOid = SEC_OID_UNKNOWN;
+ 
+     switch (hashOid) {
+         /* no oid exists for HMAC_MD2 */
+         /* NSS does not define a oid for HMAC_MD4 */
++        case SEC_OID_MD5:
++            hmacOid = SEC_OID_HMAC_MD5;
++            break;
+         case SEC_OID_SHA1:
+             hmacOid = SEC_OID_HMAC_SHA1;
+             break;
+         case SEC_OID_SHA224:
+             hmacOid = SEC_OID_HMAC_SHA224;
+             break;
+         case SEC_OID_SHA256:
+             hmacOid = SEC_OID_HMAC_SHA256;

nss-3.101-no-p12-smime-policy.patch

@@ -0,0 +1,83 @@
+diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
+--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/pkcs12/p12plcy.c	2024-07-17 11:26:00.334836451 -0700
+@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
+ static PRBool
+ sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
+ {
++#ifdef notdef
+     PRUint32 policy;
+     SECStatus rv;
+ 
+@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
+         return PR_TRUE;
+     }
+     return PR_FALSE;
++#else
++    return PR_TRUE;
++#endif
+ }
+ 
+ PRBool
+diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
+--- ./lib/smime/smimeutil.c.no_p12_smime_policy	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/smimeutil.c	2024-07-17 11:27:04.716617111 -0700
+@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
+ PRBool
+ smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
+ {
++#ifdef notdef
+     PRUint32 policyFlags;
+ 
+     /* some S/MIME algs map to the same underlying KEA mechanism,
+@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
+         PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
+         return PR_FALSE;
+     }
++#endif
+     return PR_TRUE;
+ }
+ 
+@@ -485,6 +487,7 @@ smime_init_once(void *arg)
+         return PR_FAILURE;
+     }
+ 
++#ifdef notdef
+     /* At initialization time, we need to set up the defaults. We first
+      * look to see if the system or application has set up certain algorithms
+      * by policy. If they have set up values by policy we'll only allow those
+@@ -497,6 +500,11 @@ smime_init_once(void *arg)
+         PORT_Free(tags);
+         tags = NULL;
+     }
++#else
++    /* just initialize the old maps */
++    rv = SECSuccess;
++    tagCount = 0;
++#endif
+     if ((rv != SECSuccess) || (tagCount == 0)) {
+         /* No algorithms have been enabled by policy (either by the system
+          * or by the application, we then will use the traditional default
+diff -up ./tests/smime/smime.sh.no_p12_smime_policy ./tests/smime/smime.sh
+--- ./tests/smime/smime.sh.no_p12_smime_policy	2024-07-17 11:26:00.303836075 -0700
++++ ./tests/smime/smime.sh	2024-07-17 11:26:00.334836451 -0700
+@@ -872,6 +872,6 @@ smime_init
+ smime_main
+ smime_data_tb
+ smime_p7
+-smime_policy
++#smime_policy
+ smime_cleanup
+ 
+diff -up ./tests/tools/tools.sh.no_p12_smime_policy ./tests/tools/tools.sh
+--- ./tests/tools/tools.sh.no_p12_smime_policy	2024-07-17 11:26:00.304836087 -0700
++++ ./tests/tools/tools.sh	2024-07-17 11:26:00.334836451 -0700
+@@ -585,7 +585,7 @@ tools_p12()
+   tools_p12_import_old_files
+   tools_p12_import_pbmac1_samples
+   tools_p12_import_rsa_pss_private_key
+-  tools_p12_policy
++  #tools_p12_policy
+ }
+ 
+ ############################## tools_sign ##############################

nss-3.101-skip-ocsp-if-not-connected.patch

@@ -8,7 +8,7 @@ diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
 +  # if we are running on a build machine that can't tolerate external
 +  # references don't run.
 +  vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
-+  RET=$? ; cat ${P_R_SERVERDIR}/vfy2.out" 
++  RET=$? ; cat "${P_R_SERVERDIR}/vfy2.out" 
 +  # 5961 reset by peer
 +  grep 5961 ${P_R_SERVERDIR}/vfy2.out
 +  GRET=$?  ; echo "OCSP: RET=$RET GRET=$GRET"

nss.spec

@@ -1,6 +1,6 @@
 %global nss_version 3.101.0
 %global nspr_version 4.35.0
-%global baserelease 1
+%global baserelease 2
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@@ -188,6 +188,9 @@ Patch74:          nss-3.90-dh-test-update.patch
 Patch75:          nss-3.90-ppc_no_init.patch
 Patch76:          nss-3.101-enable-kyber-policy.patch
 Patch77:          nss-3.101-fix-rsa-policy-test.patch
+Patch78:          nss-3.101-fix-pkcs12-md5-decode.patch
+Patch79:          nss-3.101-el9-restore-old-pkcs12-default.patch
+Patch80:          nss-3.101-no-p12-smime-policy.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -366,7 +369,7 @@ popd
 
 pushd nss
 %autopatch -p1 -M 99
-#%%patch -P 400 -p1 -b .fips_indicators
+#%%patch -P 400 -p1 -b .backup
 # sigh it would be nice if autopatch supported -R
 %patch -P 300 -R -p1
 popd
@@ -1189,6 +1192,11 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Tue Jul 16 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
+- Fix MD-5 decode issue in pkcs #12
+- turn off policy processing for pkcs12 and smime
+- restore the rhel9 pkcs12 defaults for pk12util
+
 * Tue Jun 11 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
 - Rebase to NSS 3.101
 - restore ppc init support