diff --git a/nss-3.101-fix-cavs-test.patch b/nss-3.101-fix-cavs-test.patch
new file mode 100644
index 0000000..66eb81e
--- /dev/null
+++ b/nss-3.101-fix-cavs-test.patch
@@ -0,0 +1,12 @@
+diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
+--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs 2024-09-12 14:39:41.421586862 -0700
++++ ./tests/fips/cavs_scripts/validate1.sh 2024-09-12 14:39:55.036747283 -0700
+@@ -21,7 +21,7 @@ name=`basename $request .req`
+ echo ">>>>> $name"
+ sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
+ # if we didn't generate any output, flag that as an error
+-size=`sum /tmp/y1 | awk '{ print $NF }'`
++size=`sum /tmp/y1 | awk '{ print $1 }'`
+ if [ $size -eq 0 ]; then
+ echo "${TESTDIR}/resp/${name}.rsp: empty"
+ exit 1;
diff --git a/nss-3.101-fix-cms-abi-break.patch b/nss-3.101-fix-cms-abi-break.patch
new file mode 100644
index 0000000..c60fab6
--- /dev/null
+++ b/nss-3.101-fix-cms-abi-break.patch
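Review bot: The new `awk '{ print $1 }'` selects `sum`'s checksum column, so the `[ $size -eq 0 ]` test two lines below now flags a non-empty response whose 16-bit BSD checksum happens to be 0 as "empty", and it still depends on `sum`'s column layout, which is presumably what the old `$NF` tripped over on the target platform. The comment states the intent as "we didn't generate any output", and the shell can test that directly without `sum`: `if [ ! -s /tmp/y1 ]; then`, dropping the `size=` line entirely. The response is also written to the fixed path `/tmp/y1` in the context line above; a per-run `mktemp` file would avoid collisions between concurrent test runs. The enclosing loop body of validate1.sh continues outside the hunk.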
@@ -0,0 +1,115 @@
+diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
+--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
+@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+ offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
+- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
++ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+ { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+ offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
+ SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
+--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
+@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
+ 
+ extern SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+- SECItem *encKey, PRBool genUkm, SECItem *ukm,
++ SECItem *encKey, PRBool genUkm, SECItem **ukm,
+ SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
+ 
+ PK11SymKey *
+diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
+--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
+@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ unsigned char suppPubInfo[4] = { 0 };
+ 
+ SI.keyInfo = keyInfo;
+- SI.entityUInfo.type = ukm->type;
+- SI.entityUInfo.data = ukm->data;
+- SI.entityUInfo.len = ukm->len;
++ if (ukm) {
++ SI.entityUInfo.type = ukm->type;
++ SI.entityUInfo.data = ukm->data;
++ SI.entityUInfo.len = ukm->len;
++ } else {
++ SI.entityUInfo.type = siBuffer;
++ SI.entityUInfo.data = NULL;
++ SI.entityUInfo.len = 0;
++ }
+ 
+ SI.suppPubInfo.type = siBuffer;
+ SI.suppPubInfo.data = suppPubInfo;
+@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
+ PK11SymKey *bulkkey, SECItem *encKey,
+- PRBool genUkm, SECItem *ukm,
++ PRBool genUkm, SECItem **ukmp,
+ SECAlgorithmID *keyEncAlg, SECItem *pubKey,
+ void *wincx)
+ {
+@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+ SECAlgorithmID keyWrapAlg;
+ SECOidTag keyEncAlgtag;
+ SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
++ SECItem *ukm = *ukmp;
+ CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
+ CK_ULONG kdf;
+ 
+- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
++ if (genUkm && (ukm != NULL)) {
+ PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+ return SECFailure;
+ }
+@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+ * contain 512 bits for Diffie-Hellman key agreement. */
+ 
+ if (genUkm) {
+- ukm->type = siBuffer;
+- ukm->len = 64;
+- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
+-
+- if (ukm->data == NULL) {
++ ukm = SECITEM_AllocItem(poolp, NULL, 64);
++ if (ukm == NULL) {
+ goto loser;
+ }
++ ukm->type = siBuffer;
++
+ rv = PK11_GenerateRandom(ukm->data, ukm->len);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
++ *ukmp = ukm; /* return it */
+ }
+ 
+ SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
+diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
+--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700
+@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
+ parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
+ enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+ oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
++ ukm = ri->ri.keyAgreeRecipientInfo.ukm;
+ break;
+ case NSSCMSRecipientInfoID_KEK:
+ algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
+diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
+--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700
+@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
+ struct NSSCMSKeyAgreeRecipientInfoStr {
+ SECItem version;
+ NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+- SECItem ukm; /* optional */
++ SECItem *ukm; /* optional */
+ SECAlgorithmID keyEncAlg;
+ NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+ };
diff --git a/nss-3.101-long-pwd-fix.patch b/nss-3.101-long-pwd-fix.patch
new file mode 100644
index 0000000..f5efcff
--- /dev/null
+++ b/nss-3.101-long-pwd-fix.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
++++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
+@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
+ *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
+ /* pkcs12v2 hmac uses UTF8 rather than unicode */
+ if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
+- PR_TRUE, PR_FALSE, PR_FALSE)) {
++ PR_FALSE, PR_FALSE, PR_FALSE)) {
+ return NULL;
+ }
+ symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
diff --git a/nss.spec b/nss.spec
index 6f5c739..233909b 100644
--- a/nss.spec
+++ b/nss.spec
@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 6
+%global baserelease 7
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
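Review bot: In the `NSS_CMSUtil_EncryptSymKey_ESECDH` hunk of cmspubkey.c, the added `SECItem *ukm = *ukmp;` dereferences the new double pointer before any argument validation, so a caller passing `NULL` for `ukmp` (now a natural way to say "no UKM", since the struct field is itself a pointer) crashes instead of reaching the `PR_INVALID_ARGUMENT_ERROR` path; `SECItem *ukm = ukmp ? *ukmp : NULL;` followed by `if (genUkm && (ukmp == NULL || ukm != NULL)) { PORT_SetError(PR_INVALID_ARGUMENT_ERROR); return SECFailure; }` keeps the documented failure mode. The cmslocal.h prototype still names that parameter `ukm` while the definition calls it `ukmp`; aligning the names would make the out-parameter semantics visible in the header. Publishing the item through `*ukmp` only after `PK11_GenerateRandom` succeeds is correct, but if `poolp` can be NULL here (the function's body and its callers are outside the hunk) `SECITEM_AllocItem` returns a heap item that the `goto loser` path leaks. Since an absent optional `ukm` evidently now decodes to a NULL pointer rather than a zeroed `SECItem`, the cmsrecinfo.c hunk hands that NULL into the decrypt path; `Create_ECC_CMS_SharedInfo` is guarded for it, but any other reader of `ukm->len` / `ukm->data` in `NSS_CMSUtil_DecryptSymKey_ESECDH` (not in the diff) needs the same guard.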
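Review bot: The flipped fourth argument to `sec_pkcs12_convert_item_to_unicode` is a bare `PR_FALSE` among three identical booleans, and the existing comment ("pkcs12v2 hmac uses UTF8 rather than unicode") says neither what that flag controls nor why the previous `PR_TRUE` broke long passwords, which the changelog presents as the reason for the change; a one-line comment of the form `/* <flag name>: PR_FALSE — <what it selects>; PR_TRUE <why it failed for long passwords> */` with the real names filled in would spare the next reader a trip into `sec_pkcs12_convert_item_to_unicode`. `utf8Pw` holds the password in converted form; if the lines after the hunk (outside the diff) do not already zeroize and free it once `PK11_PBEKeyGen` returns, that belongs in the same function. The rest of `sec_pkcs12_integrity_key` is outside the hunk.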
@@ -186,6 +186,10 @@ Patch81: nss-3.101-fix-missing-size-checks.patch Patch82: nss-3.101-chacha-timing-fix.patch Patch83: nss-3.101-add-certificate-compression-test.patch Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=676100 +Patch85: nss-3.101-fix-cms-abi-break.patch +Patch86: nss-3.101-long-pwd-fix.patch +Patch87: nss-3.101-fix-cavs-test.patch # RHEL-10 specific Patch90: nss-3.101-disable_dsa.patch @@ -1164,6 +1168,10 @@ fi %changelog +* Wed Sep 4 2024 Bob Relyea - 3.101.0-7 +- fix cms abi breakage +- fix long password issue on pbmac encodings + * Thu Aug 1 2024 Bob Relyea - 3.101.0-6 - fix param encoding in pkcs12 pbamac encoding - add support for certificate compression in selfserv and tstclient @@ -1230,7 +1238,7 @@ fi https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 * Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 -- Update %patch syntax +- Update %%patch syntax * Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 - Update NSS to 3.90.0
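Review bot: The `# https://bugzilla.mozilla.org/show_bug.cgi?id=676100` comment sits directly above `Patch85` only, yet `Patch86` and `Patch87` follow it with no reference of their own, so a reader cannot tell whether the link covers one patch or all three; a reference line per patch, or a blank line after `Patch85`, would make the scope explicit. The changelog entry in the next hunk names the cms and long-password fixes but not `Patch87` (nss-3.101-fix-cavs-test.patch), so a line such as `- fix cavs validate script` is missing there. If `%prep` applies patches individually with `%patch` rather than `%autopatch`, the three new `PatchNN:` lines also need matching apply lines; that section of the spec is outside the diff.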