Resolves: RHEL-57111

- Fix abi issue in S/MIME code.
 - Fix long password issue in pkcs12 when using pbmac

nss-3.101-fix-cavs-test.patch

@@ -0,0 +1,12 @@
+diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
+--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs	2024-09-12 14:39:41.421586862 -0700
++++ ./tests/fips/cavs_scripts/validate1.sh	2024-09-12 14:39:55.036747283 -0700
+@@ -21,7 +21,7 @@ name=`basename $request .req`
+ echo ">>>>>  $name"
+ sed -e 's;
;;g' -e 's;	; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
+ # if we didn't generate any output, flag that as an error
+-size=`sum /tmp/y1 | awk '{ print $NF }'`
++size=`sum /tmp/y1 | awk '{ print $1 }'`
+ if [ $size -eq 0 ]; then
+    echo "${TESTDIR}/resp/${name}.rsp: empty"
+    exit 1;

nss-3.101-fix-cms-abi-break.patch

@@ -0,0 +1,115 @@
+diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
+--- ./lib/smime/cmsasn1.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsasn1.c	2024-09-06 18:05:27.808338289 -0700
+@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
+     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+           SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
+-      SEC_ASN1_SUB(SEC_OctetStringTemplate) },
++      SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
+     { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
+       offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
+       SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
+diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
+--- ./lib/smime/cmslocal.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmslocal.h	2024-09-06 18:04:47.647863624 -0700
+@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
+ 
+ extern SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
+-                                 SECItem *encKey, PRBool genUkm, SECItem *ukm,
++                                 SECItem *encKey, PRBool genUkm, SECItem **ukm,
+                                  SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
+ 
+ PK11SymKey *
+diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
+--- ./lib/smime/cmspubkey.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmspubkey.c	2024-09-06 18:04:47.647863624 -0700
+@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+     unsigned char suppPubInfo[4] = { 0 };
+ 
+     SI.keyInfo = keyInfo;
+-    SI.entityUInfo.type = ukm->type;
+-    SI.entityUInfo.data = ukm->data;
+-    SI.entityUInfo.len = ukm->len;
++    if (ukm) {
++        SI.entityUInfo.type = ukm->type;
++        SI.entityUInfo.data = ukm->data;
++        SI.entityUInfo.len = ukm->len;
++    } else {
++        SI.entityUInfo.type = siBuffer;
++        SI.entityUInfo.data = NULL;
++        SI.entityUInfo.len = 0;
++    }
+ 
+     SI.suppPubInfo.type = siBuffer;
+     SI.suppPubInfo.data = suppPubInfo;
+@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
+ SECStatus
+ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
+                                  PK11SymKey *bulkkey, SECItem *encKey,
+-                                 PRBool genUkm, SECItem *ukm,
++                                 PRBool genUkm, SECItem **ukmp,
+                                  SECAlgorithmID *keyEncAlg, SECItem *pubKey,
+                                  void *wincx)
+ {
+@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+     SECAlgorithmID keyWrapAlg;
+     SECOidTag keyEncAlgtag;
+     SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
++    SECItem *ukm = *ukmp;
+     CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
+     CK_ULONG kdf;
+ 
+-    if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
++    if (genUkm && (ukm != NULL)) {
+         PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
+         return SECFailure;
+     }
+@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
+      * contain 512 bits for Diffie-Hellman key agreement. */
+ 
+     if (genUkm) {
+-        ukm->type = siBuffer;
+-        ukm->len = 64;
+-        ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
+-
+-        if (ukm->data == NULL) {
++        ukm = SECITEM_AllocItem(poolp, NULL, 64);
++        if (ukm == NULL) {
+             goto loser;
+         }
++        ukm->type = siBuffer;
++
+         rv = PK11_GenerateRandom(ukm->data, ukm->len);
+         if (rv != SECSuccess) {
+             goto loser;
+         }
++        *ukmp = ukm; /* return it */
+     }
+ 
+     SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
+diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
+--- ./lib/smime/cmsrecinfo.c.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmsrecinfo.c	2024-09-06 18:04:47.647863624 -0700
+@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
+             parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
+             enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
+             oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
+-            ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
++            ukm = ri->ri.keyAgreeRecipientInfo.ukm;
+             break;
+         case NSSCMSRecipientInfoID_KEK:
+             algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
+diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
+--- ./lib/smime/cmst.h.restore_abi	2024-06-07 09:26:03.000000000 -0700
++++ ./lib/smime/cmst.h	2024-09-06 18:04:47.647863624 -0700
+@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
+ struct NSSCMSKeyAgreeRecipientInfoStr {
+     SECItem version;
+     NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+-    SECItem ukm; /* optional */
++    SECItem *ukm; /* optional */
+     SECAlgorithmID keyEncAlg;
+     NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+ };

nss-3.101-long-pwd-fix.patch

@@ -0,0 +1,12 @@
+diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
+--- ./lib/pkcs12/p12local.c.long_pw_fix	2024-09-06 17:58:39.905517185 -0700
++++ ./lib/pkcs12/p12local.c	2024-09-06 17:59:19.568985976 -0700
+@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
+         *hmacMech = PK11_AlgtagToMechanism(hmacAlg);
+         /* pkcs12v2 hmac uses UTF8 rather than unicode */
+         if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
+-                                                PR_TRUE, PR_FALSE, PR_FALSE)) {
++                                                PR_FALSE, PR_FALSE, PR_FALSE)) {
+             return NULL;
+         }
+         symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);

nss.spec

@@ -3,7 +3,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global baserelease 6
+%global baserelease 7
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
@@ -186,6 +186,10 @@ Patch81:          nss-3.101-fix-missing-size-checks.patch
 Patch82:          nss-3.101-chacha-timing-fix.patch
 Patch83:          nss-3.101-add-certificate-compression-test.patch
 Patch84:          nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
+Patch85:          nss-3.101-fix-cms-abi-break.patch
+Patch86:          nss-3.101-long-pwd-fix.patch
+Patch87:          nss-3.101-fix-cavs-test.patch
 
 # RHEL-10 specific
 Patch90:          nss-3.101-disable_dsa.patch
@@ -1164,6 +1168,10 @@ fi
 
 
 %changelog
+* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
+- fix cms abi breakage
+- fix long password issue on pbmac encodings
+
 * Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
 - fix param encoding in pkcs12 pbamac encoding
 - add support for certificate compression in selfserv and tstclient
@@ -1230,7 +1238,7 @@ fi
                 https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
 
 * Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
-- Update %patch syntax
+- Update %%patch syntax
 
 * Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
 - Update NSS to 3.90.0