Resolves: RHEL-57292

- Fix abi issue in S/MIME code.
- Fix long password issue in pkcs12 when using pbmac

nss-3.101-fix-cms-abi-break.patch

@@ -0,0 +1,115 @@
+diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
+--- ./lib/smime/cmsasn1.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsasn1.c	2024-09-06 11:17:01.609516368 -0700
+@@ -347,7 +347,7 @@ static const SEC_ASN1Template NSSCMSKeyA
+     { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, originatorIdentifierOrKey),
+       NSSCMSOriginatorIdentifierOrKeyTemplate },
+-    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
++    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_POINTER |
+           SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
+       SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
+--- ./lib/smime/cmslocal.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmslocal.h	2024-09-06 11:16:00.674783508 -0700
+@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
+ 
+ extern SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+-                                 SECItem *encKey, PRBool genUkm, SECItem *ukm,
++                                 SECItem *encKey, PRBool genUkm, SECItem **ukm,
+                                  SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
+ 
+ PK11SymKey *
+diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
+--- ./lib/smime/cmspubkey.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmspubkey.c	2024-09-06 11:16:00.674783508 -0700
+@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+     unsigned char suppPubInfo[4] = { 0 };
+ 
+     SI.keyInfo = keyInfo;
+-    SI.entityUInfo.type = ukm->type;
+-    SI.entityUInfo.data = ukm->data;
+-    SI.entityUInfo.len = ukm->len;
++    if (ukm) {
++        SI.entityUInfo.type = ukm->type;
++        SI.entityUInfo.data = ukm->data;
++        SI.entityUInfo.len = ukm->len;
++    } else {
++        SI.entityUInfo.type = siBuffer;
++        SI.entityUInfo.data = NULL;
++        SI.entityUInfo.len = 0;
++    }
+ 
+     SI.suppPubInfo.type = siBuffer;
+     SI.suppPubInfo.data = suppPubInfo;
+@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
+                                  PK11SymKey *bulkkey, SECItem *encKey,
+-                                 PRBool genUkm, SECItem *ukm,
++                                 PRBool genUkm, SECItem **ukmp,
+                                  SECAlgorithmID *keyEncAlg, SECItem *pubKey,
+                                  void *wincx)
+ {
+@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+     SECAlgorithmID keyWrapAlg;
+     SECOidTag keyEncAlgtag;
+     SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
++    SECItem *ukm = *ukmp;
+     CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
+     CK_ULONG kdf;
+ 
+-    if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
++    if (genUkm && (ukm != NULL)) {
+         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+         return SECFailure;
+     }
+@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+      * contain 512 bits for Diffie-Hellman key agreement. */
+ 
+     if (genUkm) {
+-        ukm->type = siBuffer;
+-        ukm->len = 64;
+-        ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
+-
+-        if (ukm->data == NULL) {
++        ukm = SECITEM_AllocItem(poolp, NULL, 64);
++        if (ukm == NULL) {
+             goto loser;
+         }
++        ukm->type = siBuffer;
++
+         rv = PK11_GenerateRandom(ukm->data, ukm->len);
+         if (rv != SECSuccess) {
+             goto loser;
+         }
++        *ukmp = ukm; /* return it */
+     }
+ 
+     SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
+diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
+--- ./lib/smime/cmsrecinfo.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsrecinfo.c	2024-09-06 11:16:00.674783508 -0700
+@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
+             parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
+             enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+             oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+-            ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
++            ukm = ri->ri.keyAgreeRecipientInfo.ukm;
+             break;
+         case NSSCMSRecipientInfoID_KEK:
+             algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
+diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
+--- ./lib/smime/cmst.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmst.h	2024-09-06 11:16:00.674783508 -0700
+@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
+ struct NSSCMSKeyAgreeRecipientInfoStr {
+     SECItem version;
+     NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+-    SECItem ukm; /* optional */
++    SECItem *ukm; /* optional */
+     SECAlgorithmID keyEncAlg;
+     NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+ };

nss-3.101-long-pwd-fix.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.long_pw_fix	2024-09-06 17:58:39.905517185 -0700
++++ ./lib/pkcs12/p12local.c	2024-09-06 17:59:19.568985976 -0700
+@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
+         *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
+         /* pkcs12v2 hmac uses UTF8 rather than unicode */
+         if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
+-                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
++                                                PR_FALSE, PR_FALSE, PR_FALSE)) {
+             return NULL;
+         }
+         symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);

nss.spec

@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          6%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -198,6 +198,9 @@ Patch81:          nss-3.101-fix-missing-size-checks.patch
 Patch82:          nss-3.101-chacha-timing-fix.patch
 Patch83:          nss-3.101-add-certificate-compression-test.patch
 Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
+Patch85:          nss-3.101-fix-cms-abi-break.patch
+Patch86:          nss-3.101-long-pwd-fix.patch
 
 #revert patches
 Patch300:         nss-3.101-default-libpkix.patch
@@ -996,6 +999,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
+- fix cms abi breakage
+- fix long password issue on pbmac encodings
+
 * Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
 - fix param encoding in pkcs12 pbamac encoding
 - add support for certificate compression in selfserv and tstclient