Resolves: RHEL-33511

Fix QE discovered issues:
    1) need parameter to test certificate compression in selfserv and
       tstclient.
    2) pkcs12 encoding for pbamac adding a spurious IV as a parameter
       instead of an NULL.

nss-3.101-fix-pkcs12-pbkdf1-encoding.patch

@@ -0,0 +1,121 @@
+diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
+--- a/lib/pk11wrap/pk11mech.c
++++ b/lib/pk11wrap/pk11mech.c
+@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
+         case CKM_BATON_ECB96:
+         case CKM_BATON_CBC128:
+         case CKM_BATON_COUNTER:
+         case CKM_BATON_SHUFFLE:
+         case CKM_JUNIPER_ECB128:
+         case CKM_JUNIPER_CBC128:
+         case CKM_JUNIPER_COUNTER:
+         case CKM_JUNIPER_SHUFFLE:
+-            newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
+-                                           SEC_ASN1_GET(SEC_OctetStringTemplate));
+-            if (newParams == NULL)
+-                break;
++            /* if no parameters have been supplied, then encode a NULL params
++             */
++            if (param && param->len > 0) {
++                newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
++                                               SEC_ASN1_GET(SEC_OctetStringTemplate));
++                if (newParams == NULL)
++                    break;
++            } else {
++                newParams = NULL;
++            }
+             rv = SECSuccess;
+             break;
+     }
+ 
+     if (rv != SECSuccess) {
+         if (newParams)
+             SECITEM_FreeItem(newParams, PR_TRUE);
+         return rv;
+diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
+--- a/lib/pk11wrap/pk11pbe.c
++++ b/lib/pk11wrap/pk11pbe.c
+@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
+          * algorithm is). We use choose this algorithm oid based on the
+          * cipherAlgorithm to determine what this should be (MAC1 or PBES2).
+          */
+         if (algorithm == SEC_OID_PKCS5_PBKDF2) {
+             /* choose mac or pbes */
+             algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
+         }
+ 
++        SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
++
+         /* set the PKCS5v2 specific parameters */
+         if (keyLength == 0) {
+-            SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+             if (hashAlg != SEC_OID_UNKNOWN) {
+                 keyLength = HASH_ResultLenByOidTag(hashAlg);
+             } else {
+                 keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
+             }
+             if (keyLength <= 0) {
+                 goto loser;
+             }
+         }
+         /* currently SEC_OID_HMAC_SHA1 is the default */
+         if (prfAlg == SEC_OID_UNKNOWN) {
+             prfAlg = SEC_OID_HMAC_SHA1;
+         }
+ 
+-        /* build the PKCS5v2 cipher algorithm id */
+-        cipherParams = pk11_GenerateNewParamWithKeyLen(
+-            PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+-        if (!cipherParams) {
+-            goto loser;
++        /* build the PKCS5v2 cipher algorithm id, if cipher
++         * is an HMAC, the cipherParams should be NULL */
++        if (hashAlg == SEC_OID_UNKNOWN) {
++            cipherParams = pk11_GenerateNewParamWithKeyLen(
++                PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
++            if (!cipherParams) {
++                goto loser;
++            }
++        } else {
++            cipherParams = NULL;
+         }
+ 
+         PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
+ 
+         rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
+                                poolp, &pbeV2_param.cipherAlgId);
+-        SECITEM_FreeItem(cipherParams, PR_TRUE);
++        if (cipherParams) {
++            SECITEM_FreeItem(cipherParams, PR_TRUE);
++        }
+         if (rv != SECSuccess) {
+             goto loser;
+         }
+     }
+ 
+     /* generate the parameter */
+     pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
+                                                keyLength, prfAlg);
+diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
+--- a/lib/util/secalgid.c
++++ b/lib/util/secalgid.c
+@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
+         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+         return SECFailure;
+     }
+ 
+     if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
+         return SECFailure;
+ 
+     if ((secoid_IsRSAPKCS1(which)) ||
+-        (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
++        (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
++        (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
+         add_null_param = PR_TRUE;
+     } else {
+         add_null_param = PR_FALSE;
+     }
+ 
+     if (params) {
+         /*
+          * I am specifically *not* enforcing the following assertion

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 5
+%global baserelease 6
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -184,6 +184,8 @@ Patch78:          nss-3.101-fix-pkcs12-md5-decode.patch
 Patch81:          nss-3.101-fix-missing-size-checks.patch
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
 Patch82:          nss-3.101-chacha-timing-fix.patch
+Patch83:          nss-3.101-add-certificate-compression-test.patch
+Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
 
 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
@@ -1162,6 +1164,10 @@ fi
 
 
 %changelog
+* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
+- fix param encoding in pkcs12 pbamac encoding
+- add support for certificate compression in selfserv and tstclient
+
 * Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5
 - Fix missing and inaccurate key length checks
 - Fix chacha timing issue