From ae9a202e77c40bc57c2b63092e87cfe54447b84d Mon Sep 17 00:00:00 2001
From: Robert Relyea <rrelyea@redhat.com>
Date: Thu, 12 Sep 2024 08:23:06 -0700
Subject: [PATCH] Resolves: RHEL-57300

Fix ABI breakage in cms.
---
 nss-3.101-fix-cms-abi-break.patch | 115 ++++++++++++++++++++++++++++++
 nss-3.101-long-pwd-fix.patch      |  12 ++++
 nss.spec                          |   9 ++-
 3 files changed, 135 insertions(+), 1 deletion(-)
 create mode 100644 nss-3.101-fix-cms-abi-break.patch
 create mode 100644 nss-3.101-long-pwd-fix.patch

diff --git a/nss-3.101-fix-cms-abi-break.patch b/nss-3.101-fix-cms-abi-break.patch
new file mode 100644
index 0000000..c60fab6
--- /dev/null
+++ b/nss-3.101-fix-cms-abi-break.patch
@@ -0,0 +1,115 @@
+diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
+--- ./lib/smime/cmsasn1.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsasn1.c	2024-09-06 18:05:27.808338289 -0700
+@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
+     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+           SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
+-      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
++      SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+     { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
+       SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
+--- ./lib/smime/cmslocal.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmslocal.h	2024-09-06 18:04:47.647863624 -0700
+@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
+ 
+ extern SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+-                                 SECItem *encKey, PRBool genUkm, SECItem *ukm,
++                                 SECItem *encKey, PRBool genUkm, SECItem **ukm,
+                                  SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
+ 
+ PK11SymKey *
+diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
+--- ./lib/smime/cmspubkey.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmspubkey.c	2024-09-06 18:04:47.647863624 -0700
+@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+     unsigned char suppPubInfo[4] = { 0 };
+ 
+     SI.keyInfo = keyInfo;
+-    SI.entityUInfo.type = ukm->type;
+-    SI.entityUInfo.data = ukm->data;
+-    SI.entityUInfo.len = ukm->len;
++    if (ukm) {
++        SI.entityUInfo.type = ukm->type;
++        SI.entityUInfo.data = ukm->data;
++        SI.entityUInfo.len = ukm->len;
++    } else {
++        SI.entityUInfo.type = siBuffer;
++        SI.entityUInfo.data = NULL;
++        SI.entityUInfo.len = 0;
++    }
+ 
+     SI.suppPubInfo.type = siBuffer;
+     SI.suppPubInfo.data = suppPubInfo;
+@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
+                                  PK11SymKey *bulkkey, SECItem *encKey,
+-                                 PRBool genUkm, SECItem *ukm,
++                                 PRBool genUkm, SECItem **ukmp,
+                                  SECAlgorithmID *keyEncAlg, SECItem *pubKey,
+                                  void *wincx)
+ {
+@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+     SECAlgorithmID keyWrapAlg;
+     SECOidTag keyEncAlgtag;
+     SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
++    SECItem *ukm = *ukmp;
+     CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
+     CK_ULONG kdf;
+ 
+-    if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
++    if (genUkm && (ukm != NULL)) {
+         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+         return SECFailure;
+     }
+@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+      * contain 512 bits for Diffie-Hellman key agreement. */
+ 
+     if (genUkm) {
+-        ukm->type = siBuffer;
+-        ukm->len = 64;
+-        ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
+-
+-        if (ukm->data == NULL) {
++        ukm = SECITEM_AllocItem(poolp, NULL, 64);
++        if (ukm == NULL) {
+             goto loser;
+         }
++        ukm->type = siBuffer;
++
+         rv = PK11_GenerateRandom(ukm->data, ukm->len);
+         if (rv != SECSuccess) {
+             goto loser;
+         }
++        *ukmp = ukm; /* return it */
+     }
+ 
+     SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
+diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
+--- ./lib/smime/cmsrecinfo.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsrecinfo.c	2024-09-06 18:04:47.647863624 -0700
+@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
+             parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
+             enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+             oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+-            ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
++            ukm = ri->ri.keyAgreeRecipientInfo.ukm;
+             break;
+         case NSSCMSRecipientInfoID_KEK:
+             algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
+diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
+--- ./lib/smime/cmst.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmst.h	2024-09-06 18:04:47.647863624 -0700
+@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
+ struct NSSCMSKeyAgreeRecipientInfoStr {
+     SECItem version;
+     NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+-    SECItem ukm; /* optional */
++    SECItem *ukm; /* optional */
+     SECAlgorithmID keyEncAlg;
+     NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+ };
diff --git a/nss-3.101-long-pwd-fix.patch b/nss-3.101-long-pwd-fix.patch
new file mode 100644
index 0000000..f5efcff
--- /dev/null
+++ b/nss-3.101-long-pwd-fix.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.long_pw_fix	2024-09-06 17:58:39.905517185 -0700
++++ ./lib/pkcs12/p12local.c	2024-09-06 17:59:19.568985976 -0700
+@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
+         *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
+         /* pkcs12v2 hmac uses UTF8 rather than unicode */
+         if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
+-                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
++                                                PR_FALSE, PR_FALSE, PR_FALSE)) {
+             return NULL;
+         }
+         symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
diff --git a/nss.spec b/nss.spec
index de00508..3eabf5b 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
 %global nss_version 3.101.0
 %global nspr_version 4.35.0
-%global baserelease 6
+%global baserelease 7
 %global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@@ -196,6 +196,9 @@ Patch81:          nss-3.101-fix-missing-size-checks.patch
 Patch82:          nss-3.101-chacha-timing-fix.patch
 Patch83:          nss-3.101-add-certificate-compression-test.patch
 Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
+Patch85:          nss-3.101-fix-cms-abi-break.patch
+Patch86:          nss-3.101-long-pwd-fix.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -1197,6 +1200,10 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
+- fix cms abi breakage
+- fix long password issue on pbmac encodings
+
 * Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
 - fix param encoding in pkcs12 pbamac encoding
 - add support for certificate compression in selfserv and tstclient