From 97cfe9ad72013ff0038c4cfad97a348ce3e624fb Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mon, 25 Oct 2021 12:25:51 -0400
Subject: [PATCH 1/2] import firefox-91.2.0-5.el8_4
---
 SOURCES/fips-quic.patch | 211 ++++++++++++++++++++++++++++++++++++++++
 SPECS/firefox.spec | 10 +-
 2 files changed, 219 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/fips-quic.patch
diff --git a/SOURCES/fips-quic.patch b/SOURCES/fips-quic.patch
new file mode 100644
index 0000000..777684b
--- /dev/null
+++ b/SOURCES/fips-quic.patch
@@ -0,0 +1,211 @@ +diff -up firefox-91.2.0/Cargo.toml.fips-quic firefox-91.2.0/Cargo.toml +--- firefox-91.2.0/Cargo.toml.fips-quic 2021-10-21 09:40:17.235999423 +0200 ++++ firefox-91.2.0/Cargo.toml 2021-10-21 11:21:06.746558028 +0200 +@@ -109,3 +109,12 @@ path = "third_party/rust/failure" + + [patch.crates-io.prost-derive] + path = "third_party/rust/prost-derive" ++ ++[patch."https://github.com/mozilla/neqo"] ++neqo-crypto = { path = "third_party/rust/neqo-crypto" } ++neqo-transport = { path = "third_party/rust/neqo-transport" } ++neqo-qpack = { path = "third_party/rust/neqo-qpack" } ++neqo-common = { path = "third_party/rust/neqo-common" } ++ ++ ++ +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml +--- firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml 2021-10-21 08:49:01.762221759 +0200 +@@ -163,7 +163,7 @@ functions = [ + "PK11_GetKeyData", + "PK11_GetMechanism", + "PK11_HPKE_Serialize", +- "PK11_ImportSymKey", ++ "PK11_ImportDataKey", + "PK11_ReadRawAttribute", + "PK11_ReferenceSymKey", + "SECITEM_FreeItem", +@@ -196,11 +196,10 @@ variables = [ + "CKM_AES_ECB", + "CKM_AES_GCM", + "CKM_EC_KEY_PAIR_GEN", ++ "CKM_HKDF_DERIVE", + "CKM_INVALID_MECHANISM", + "CKM_NSS_CHACHA20_CTR", + "CKM_NSS_CHACHA20_POLY1305", +- "CKM_NSS_HKDF_SHA256", +- "CKM_NSS_HKDF_SHA384", + "PK11_ATTR_INSENSITIVE", + "PK11_ATTR_PRIVATE", + "PK11_ATTR_PUBLIC", +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ 
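Review bot: The new `[patch."https://github.com/mozilla/neqo"]` table in the top-level `Cargo.toml` hunk redirects `neqo-crypto`, `neqo-transport`, `neqo-qpack` and `neqo-common` to the in-tree copies with no comment saying why. The override presumably exists so the locally edited vendored sources are the ones that get built, which means the QUIC crypto code in this package is no longer the upstream-pinned revision. A comment above the table such as `# Build the locally patched neqo crates (fips-quic.patch); remove once the vendored neqo already uses PK11_ImportDataKey` would keep that visible at the next rebase. `neqo-http3` is listed in the patch's file headers with an empty diff but gets no override entry, so it is worth confirming it resolves to the same patched `neqo-crypto`. The three blank `+` lines that end the hunk can be dropped.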
firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs 2021-10-21 08:49:01.763221763 +0200 +@@ -10,8 +10,8 @@ use crate::constants::{ + }; + use crate::err::{Error, Res}; + use crate::p11::{ +- random, Item, PK11Origin, PK11SymKey, PK11_ImportSymKey, Slot, SymKey, CKA_DERIVE, +- CKM_NSS_HKDF_SHA256, CKM_NSS_HKDF_SHA384, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, ++ random, Item, PK11Origin, PK11SymKey, PK11_ImportDataKey, Slot, SymKey, CKA_DERIVE, ++ CKM_HKDF_DERIVE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, + }; + + use std::convert::TryFrom; +@@ -52,27 +52,22 @@ fn key_size(version: Version, cipher: Ci + /// # Errors + /// Only if NSS fails. + pub fn generate_key(version: Version, cipher: Cipher) -> Res { +- import_key(version, cipher, &random(key_size(version, cipher)?)) ++ import_key(version, &random(key_size(version, cipher)?)) + } + + /// Import a symmetric key for use with HKDF. + /// + /// # Errors + /// Errors returned if the key buffer is an incompatible size or the NSS functions fail. 
+-pub fn import_key(version: Version, cipher: Cipher, buf: &[u8]) -> Res { ++pub fn import_key(version: Version, buf: &[u8]) -> Res { + if version != TLS_VERSION_1_3 { + return Err(Error::UnsupportedVersion); + } +- let mech = match cipher { +- TLS_AES_128_GCM_SHA256 | TLS_CHACHA20_POLY1305_SHA256 => CKM_NSS_HKDF_SHA256, +- TLS_AES_256_GCM_SHA384 => CKM_NSS_HKDF_SHA384, +- _ => return Err(Error::UnsupportedCipher), +- }; + let slot = Slot::internal()?; + let key_ptr = unsafe { +- PK11_ImportSymKey( ++ PK11_ImportDataKey( + *slot, +- CK_MECHANISM_TYPE::from(mech), ++ CK_MECHANISM_TYPE::from(CKM_HKDF_DERIVE), + PK11Origin::PK11_OriginUnwrap, + CK_ATTRIBUTE_TYPE::from(CKA_DERIVE), + &mut Item::wrap(buf), +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic 2021-09-28 18:41:41.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs 2021-10-21 08:49:01.763221763 +0200 +@@ -41,7 +41,7 @@ impl SelfEncrypt { + + fn make_aead(&self, k: &SymKey, salt: &[u8]) -> Res { + debug_assert_eq!(salt.len(), Self::SALT_LENGTH); +- let salt = hkdf::import_key(self.version, self.cipher, salt)?; ++ let salt = hkdf::import_key(self.version, salt)?; + let secret = hkdf::extract(self.version, self.cipher, Some(&salt), k)?; + Aead::new(self.version, self.cipher, &secret, "neqo self") + } +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic 2021-09-28 18:41:35.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -26,7 +26,6 @@ fn make_aead(cipher: Cipher) -> Aead { + + let secret = hkdf::import_key( + TLS_VERSION_1_3, +- cipher, + &[ + 0x47, 0xb2, 0xea, 0xea, 0x6c, 0x26, 0x6e, 
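Review bot: `import_key` in `hkdf.rs` loses its `cipher` parameter, and with it the `match` that returned `Error::UnsupportedCipher`, so every buffer is now imported under the single `CKM_HKDF_DERIVE` mechanism and no cipher is rejected at import time. Whether an unsupported cipher is still refused has to be checked in `extract`/`expand`, which are outside this hunk. The doc comment still says "Import a symmetric key for use with HKDF" although the call is now `PK11_ImportDataKey`; I would change it to `/// Import raw bytes as an NSS data key under CKM_HKDF_DERIVE, for use as HKDF input.` and add a line noting that the cipher is no longer validated here. The `use crate::constants::{…}` list is only partly visible, so also confirm the cipher constants used by the removed `match` are not left as unused imports. The function body continues past the end of the hunk.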
0x32, 0xc0, 0x69, 0x7a, 0x9e, 0x2a, 0x89, + 0x8b, 0xdf, 0x5c, 0x4f, 0xb3, 0xe5, 0xac, 0x34, 0xf0, 0xe5, 0x49, 0xbf, 0x2c, 0x58, +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -38,8 +38,8 @@ fn cipher_hash_len(cipher: Cipher) -> us + fn import_keys(cipher: Cipher) -> (SymKey, SymKey) { + let l = cipher_hash_len(cipher); + ( +- hkdf::import_key(TLS_VERSION_1_3, cipher, &SALT[0..l]).expect("import salt"), +- hkdf::import_key(TLS_VERSION_1_3, cipher, &IKM[0..l]).expect("import IKM"), ++ hkdf::import_key(TLS_VERSION_1_3, &SALT[0..l]).expect("import salt"), ++ hkdf::import_key(TLS_VERSION_1_3, &IKM[0..l]).expect("import IKM"), + ) + } + +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -9,7 +9,7 @@ use neqo_crypto::hp::HpKey; + use test_fixture::fixture_init; + + fn make_hp(cipher: Cipher) -> HpKey { +- let ikm = hkdf::import_key(TLS_VERSION_1_3, cipher, &[0; 16]).expect("import IKM"); ++ let ikm = hkdf::import_key(TLS_VERSION_1_3, &[0; 16]).expect("import IKM"); + let prk = hkdf::extract(TLS_VERSION_1_3, cipher, None, &ikm).expect("extract works"); + HpKey::extract(TLS_VERSION_1_3, cipher, &prk, "hp").expect("extract label works") + } +diff -up firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml 
+diff -up firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs 2021-10-21 08:49:01.765221771 +0200 +@@ -432,14 +432,8 @@ impl CryptoDxState { + let initial_secret = hkdf::extract( + TLS_VERSION_1_3, + cipher, +- Some( +- hkdf::import_key(TLS_VERSION_1_3, cipher, salt) +- .as_ref() +- .unwrap(), +- ), +- hkdf::import_key(TLS_VERSION_1_3, cipher, dcid) +- .as_ref() +- .unwrap(), ++ Some(hkdf::import_key(TLS_VERSION_1_3, salt).as_ref().unwrap()), ++ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), + ) + .unwrap(); + +@@ -1094,8 +1088,7 @@ impl CryptoStates { + let app_read = |epoch| CryptoDxAppData { + dx: read(epoch), + cipher: TLS_AES_128_GCM_SHA256, +- next_secret: hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &[0xaa; 32]) +- .unwrap(), ++ next_secret: hkdf::import_key(TLS_VERSION_1_3, &[0xaa; 32]).unwrap(), + }; + Self { + initial: Some(CryptoState { +@@ -1120,8 +1113,7 @@ impl CryptoStates { + 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3, + 0x0f, 0x21, 0x63, 0x2b, + ]; +- let secret = +- hkdf::import_key(TLS_VERSION_1_3, TLS_CHACHA20_POLY1305_SHA256, SECRET).unwrap(); ++ let secret = hkdf::import_key(TLS_VERSION_1_3, SECRET).unwrap(); + let app_read = |epoch| CryptoDxAppData { + dx: CryptoDxState { + direction: CryptoDxDirection::Read, +diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ 
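Review bot: The rewritten initial-secret derivation in the `impl CryptoDxState` hunk still ends each `hkdf::import_key(...)` call and the surrounding `hkdf::extract(...)` in `.unwrap()`, and `make_aead` in `packet/retry.rs` keeps the same pattern, so any NSS failure on these paths remains a process panic. The spec changelog describes this patch as a fix for crashes with FIPS enabled, which suggests key import can fail at runtime on a policy-restricted token. If the enclosing function can return `Res`, propagating instead (`let salt = hkdf::import_key(TLS_VERSION_1_3, salt)?;`) would turn a remaining failure into a connection error rather than an abort. The enclosing functions begin and end outside the hunks, so their return types are not visible here. The two `impl CryptoStates` hunks import fixed byte patterns (`&[0xaa; 32]`, `SECRET`) and look like test fixtures, where `unwrap()` is fine.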
firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs 2021-10-21 08:49:01.766221775 +0200 +@@ -28,7 +28,7 @@ fn make_aead(secret: &[u8]) -> Aead { + #[cfg(debug_assertions)] + ::neqo_crypto::assert_initialized(); + +- let secret = hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, secret).unwrap(); ++ let secret = hkdf::import_key(TLS_VERSION_1_3, secret).unwrap(); + Aead::new(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic ").unwrap() + } + thread_local!(static RETRY_AEAD_29: RefCell = RefCell::new(make_aead(RETRY_SECRET_29))); +diff -up firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs 2021-10-21 08:49:01.766221775 +0200 +@@ -121,13 +121,11 @@ pub fn client_initial_aead_and_hp(dcid: + TLS_VERSION_1_3, + TLS_AES_128_GCM_SHA256, + Some( +- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, INITIAL_SALT) ++ hkdf::import_key(TLS_VERSION_1_3, INITIAL_SALT) + .as_ref() + .unwrap(), + ), +- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, dcid) +- .as_ref() +- .unwrap(), ++ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), + ) + .unwrap(); + diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index ca75363..22f228e 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec @@ -18,7 +18,7 @@ function dist_to_rhel_minor(str, start) end match = string.match(str, ".el8") if match then - return 5 + return 6 end return -1 end} @@ -129,7 +129,7 @@ end} Summary: Mozilla Firefox Web browser Name: firefox Version: 91.2.0 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ %if 0%{?rhel} == 9 
@@ -200,6 +200,8 @@ Patch513: mozilla-bmo998749.patch Patch514: mozilla-s390x-skia-gradient.patch Patch515: mozilla-bmo1626236.patch Patch518: D110204-fscreen.diff +# https://github.com/mozilla/neqo/commit/2e1785a6b3b85316a2451cdb2dc3027c192a7533 +Patch519: fips-quic.patch # Flatpak patches @@ -442,6 +444,7 @@ echo "use_rustts %{?use_rustts}" #%patch514 -p1 -b .mozilla-s390x-skia-gradient %patch515 -p1 -b .mozilla-bmo1626236 %patch518 -p1 -b .D110204-fscreen.diff +%patch519 -p1 -b .fips-quic %patch1001 -p1 -b .ppc64le-inline @@ -1247,6 +1250,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Thu Oct 21 2021 Jan Horak - 91.2.0-5 +- Fixed crashes when FIPS is enabled. + * Mon Oct 04 2021 Jan Horak - 91.2.0-4 - Disable webrender on the s390x due to wrong colors: rhbz#2009503 From 216782976f767697298a9c1dd4f7b66c169f44f3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 3 Nov 2021 15:24:38 -0400 Subject: [PATCH 2/2] import firefox-91.3.0-1.el8_4 --- .firefox.metadata | 4 +- .gitignore | 4 +- SOURCES/fips-quic.patch | 211 ---------------------------------------- SPECS/firefox.spec | 12 +-- 4 files changed, 10 insertions(+), 221 deletions(-) delete mode 100644 SOURCES/fips-quic.patch diff --git a/.firefox.metadata b/.firefox.metadata index 5773e30..96b97d2 100644 --- a/.firefox.metadata +++ b/.firefox.metadata 
@@ -1,5 +1,5 @@ c822547dbc12e2baebdfdfb38b665e23f0c2513a SOURCES/cbindgen-vendor.tar.xz -484a837aad8d9041e8d536422cf5a0eb114f3c4e SOURCES/firefox-91.2.0esr.processed-source.tar.xz -28ebce533aeffef68e80a389b2d7dfff43980e78 SOURCES/firefox-langpacks-91.2.0esr-20210929.tar.xz +736b0b4313f678de624c0124f61a86893385d110 SOURCES/firefox-91.3.0esr.processed-source.tar.xz +7b821f5b94cba12efc8a2b86dbd8c7321b453568 SOURCES/firefox-langpacks-91.3.0esr-20211101.tar.xz b5fd1332d8e0d37339ae170c7bebcb63a40b22e0 SOURCES/nspr-4.32.0-1.el8_1.src.rpm 29da2158892dc108a7a21fd8411fccf0061481b3 SOURCES/nss-3.67.0-6.el8_1.src.rpm diff --git a/.gitignore b/.gitignore index f88f3f9..1a94cd1 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cbindgen-vendor.tar.xz -SOURCES/firefox-91.2.0esr.processed-source.tar.xz -SOURCES/firefox-langpacks-91.2.0esr-20210929.tar.xz +SOURCES/firefox-91.3.0esr.processed-source.tar.xz +SOURCES/firefox-langpacks-91.3.0esr-20211101.tar.xz SOURCES/nspr-4.32.0-1.el8_1.src.rpm SOURCES/nss-3.67.0-6.el8_1.src.rpm diff --git a/SOURCES/fips-quic.patch b/SOURCES/fips-quic.patch deleted file mode 100644 index 777684b..0000000 --- a/SOURCES/fips-quic.patch +++ /dev/null 
@@ -1,211 +0,0 @@ -diff -up firefox-91.2.0/Cargo.toml.fips-quic firefox-91.2.0/Cargo.toml ---- firefox-91.2.0/Cargo.toml.fips-quic 2021-10-21 09:40:17.235999423 +0200 -+++ firefox-91.2.0/Cargo.toml 2021-10-21 11:21:06.746558028 +0200 -@@ -109,3 +109,12 @@ path = "third_party/rust/failure" - - [patch.crates-io.prost-derive] - path = "third_party/rust/prost-derive" -+ -+[patch."https://github.com/mozilla/neqo"] -+neqo-crypto = { path = "third_party/rust/neqo-crypto" } -+neqo-transport = { path = "third_party/rust/neqo-transport" } -+neqo-qpack = { path = "third_party/rust/neqo-qpack" } -+neqo-common = { path = "third_party/rust/neqo-common" } -+ -+ -+ -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml ---- firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic 2021-09-28 18:41:34.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml 2021-10-21 08:49:01.762221759 +0200 -@@ -163,7 +163,7 @@ functions = [ - "PK11_GetKeyData", - "PK11_GetMechanism", - "PK11_HPKE_Serialize", -- "PK11_ImportSymKey", -+ "PK11_ImportDataKey", - "PK11_ReadRawAttribute", - "PK11_ReferenceSymKey", - "SECITEM_FreeItem", -@@ -196,11 +196,10 @@ variables = [ - "CKM_AES_ECB", - "CKM_AES_GCM", - "CKM_EC_KEY_PAIR_GEN", -+ "CKM_HKDF_DERIVE", - "CKM_INVALID_MECHANISM", - "CKM_NSS_CHACHA20_CTR", - "CKM_NSS_CHACHA20_POLY1305", -- "CKM_NSS_HKDF_SHA256", -- "CKM_NSS_HKDF_SHA384", - "PK11_ATTR_INSENSITIVE", - "PK11_ATTR_PRIVATE", - "PK11_ATTR_PUBLIC", -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs ---- firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 -+++ 
firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs 2021-10-21 08:49:01.763221763 +0200 -@@ -10,8 +10,8 @@ use crate::constants::{ - }; - use crate::err::{Error, Res}; - use crate::p11::{ -- random, Item, PK11Origin, PK11SymKey, PK11_ImportSymKey, Slot, SymKey, CKA_DERIVE, -- CKM_NSS_HKDF_SHA256, CKM_NSS_HKDF_SHA384, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, -+ random, Item, PK11Origin, PK11SymKey, PK11_ImportDataKey, Slot, SymKey, CKA_DERIVE, -+ CKM_HKDF_DERIVE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, - }; - - use std::convert::TryFrom; -@@ -52,27 +52,22 @@ fn key_size(version: Version, cipher: Ci - /// # Errors - /// Only if NSS fails. - pub fn generate_key(version: Version, cipher: Cipher) -> Res { -- import_key(version, cipher, &random(key_size(version, cipher)?)) -+ import_key(version, &random(key_size(version, cipher)?)) - } - - /// Import a symmetric key for use with HKDF. - /// - /// # Errors - /// Errors returned if the key buffer is an incompatible size or the NSS functions fail. 
--pub fn import_key(version: Version, cipher: Cipher, buf: &[u8]) -> Res { -+pub fn import_key(version: Version, buf: &[u8]) -> Res { - if version != TLS_VERSION_1_3 { - return Err(Error::UnsupportedVersion); - } -- let mech = match cipher { -- TLS_AES_128_GCM_SHA256 | TLS_CHACHA20_POLY1305_SHA256 => CKM_NSS_HKDF_SHA256, -- TLS_AES_256_GCM_SHA384 => CKM_NSS_HKDF_SHA384, -- _ => return Err(Error::UnsupportedCipher), -- }; - let slot = Slot::internal()?; - let key_ptr = unsafe { -- PK11_ImportSymKey( -+ PK11_ImportDataKey( - *slot, -- CK_MECHANISM_TYPE::from(mech), -+ CK_MECHANISM_TYPE::from(CKM_HKDF_DERIVE), - PK11Origin::PK11_OriginUnwrap, - CK_ATTRIBUTE_TYPE::from(CKA_DERIVE), - &mut Item::wrap(buf), -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs ---- firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic 2021-09-28 18:41:41.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs 2021-10-21 08:49:01.763221763 +0200 -@@ -41,7 +41,7 @@ impl SelfEncrypt { - - fn make_aead(&self, k: &SymKey, salt: &[u8]) -> Res { - debug_assert_eq!(salt.len(), Self::SALT_LENGTH); -- let salt = hkdf::import_key(self.version, self.cipher, salt)?; -+ let salt = hkdf::import_key(self.version, salt)?; - let secret = hkdf::extract(self.version, self.cipher, Some(&salt), k)?; - Aead::new(self.version, self.cipher, &secret, "neqo self") - } -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs ---- firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic 2021-09-28 18:41:35.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs 2021-10-21 08:49:01.764221767 +0200 -@@ -26,7 +26,6 @@ fn make_aead(cipher: Cipher) -> Aead { - - let secret = hkdf::import_key( - TLS_VERSION_1_3, -- cipher, - &[ - 0x47, 0xb2, 0xea, 0xea, 0x6c, 0x26, 0x6e, 
0x32, 0xc0, 0x69, 0x7a, 0x9e, 0x2a, 0x89, - 0x8b, 0xdf, 0x5c, 0x4f, 0xb3, 0xe5, 0xac, 0x34, 0xf0, 0xe5, 0x49, 0xbf, 0x2c, 0x58, -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs ---- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs 2021-10-21 08:49:01.764221767 +0200 -@@ -38,8 +38,8 @@ fn cipher_hash_len(cipher: Cipher) -> us - fn import_keys(cipher: Cipher) -> (SymKey, SymKey) { - let l = cipher_hash_len(cipher); - ( -- hkdf::import_key(TLS_VERSION_1_3, cipher, &SALT[0..l]).expect("import salt"), -- hkdf::import_key(TLS_VERSION_1_3, cipher, &IKM[0..l]).expect("import IKM"), -+ hkdf::import_key(TLS_VERSION_1_3, &SALT[0..l]).expect("import salt"), -+ hkdf::import_key(TLS_VERSION_1_3, &IKM[0..l]).expect("import IKM"), - ) - } - -diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs ---- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs 2021-10-21 08:49:01.764221767 +0200 -@@ -9,7 +9,7 @@ use neqo_crypto::hp::HpKey; - use test_fixture::fixture_init; - - fn make_hp(cipher: Cipher) -> HpKey { -- let ikm = hkdf::import_key(TLS_VERSION_1_3, cipher, &[0; 16]).expect("import IKM"); -+ let ikm = hkdf::import_key(TLS_VERSION_1_3, &[0; 16]).expect("import IKM"); - let prk = hkdf::extract(TLS_VERSION_1_3, cipher, None, &ikm).expect("extract works"); - HpKey::extract(TLS_VERSION_1_3, cipher, &prk, "hp").expect("extract label works") - } -diff -up firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml -diff -up firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml 
-diff -up firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml -diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs ---- firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs 2021-10-21 08:49:01.765221771 +0200 -@@ -432,14 +432,8 @@ impl CryptoDxState { - let initial_secret = hkdf::extract( - TLS_VERSION_1_3, - cipher, -- Some( -- hkdf::import_key(TLS_VERSION_1_3, cipher, salt) -- .as_ref() -- .unwrap(), -- ), -- hkdf::import_key(TLS_VERSION_1_3, cipher, dcid) -- .as_ref() -- .unwrap(), -+ Some(hkdf::import_key(TLS_VERSION_1_3, salt).as_ref().unwrap()), -+ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), - ) - .unwrap(); - -@@ -1094,8 +1088,7 @@ impl CryptoStates { - let app_read = |epoch| CryptoDxAppData { - dx: read(epoch), - cipher: TLS_AES_128_GCM_SHA256, -- next_secret: hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &[0xaa; 32]) -- .unwrap(), -+ next_secret: hkdf::import_key(TLS_VERSION_1_3, &[0xaa; 32]).unwrap(), - }; - Self { - initial: Some(CryptoState { -@@ -1120,8 +1113,7 @@ impl CryptoStates { - 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3, - 0x0f, 0x21, 0x63, 0x2b, - ]; -- let secret = -- hkdf::import_key(TLS_VERSION_1_3, TLS_CHACHA20_POLY1305_SHA256, SECRET).unwrap(); -+ let secret = hkdf::import_key(TLS_VERSION_1_3, SECRET).unwrap(); - let app_read = |epoch| CryptoDxAppData { - dx: CryptoDxState { - direction: CryptoDxDirection::Read, -diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs ---- firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 -+++ 
firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs 2021-10-21 08:49:01.766221775 +0200 -@@ -28,7 +28,7 @@ fn make_aead(secret: &[u8]) -> Aead { - #[cfg(debug_assertions)] - ::neqo_crypto::assert_initialized(); - -- let secret = hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, secret).unwrap(); -+ let secret = hkdf::import_key(TLS_VERSION_1_3, secret).unwrap(); - Aead::new(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic ").unwrap() - } - thread_local!(static RETRY_AEAD_29: RefCell = RefCell::new(make_aead(RETRY_SECRET_29))); -diff -up firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs ---- firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 -+++ firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs 2021-10-21 08:49:01.766221775 +0200 -@@ -121,13 +121,11 @@ pub fn client_initial_aead_and_hp(dcid: - TLS_VERSION_1_3, - TLS_AES_128_GCM_SHA256, - Some( -- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, INITIAL_SALT) -+ hkdf::import_key(TLS_VERSION_1_3, INITIAL_SALT) - .as_ref() - .unwrap(), - ), -- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, dcid) -- .as_ref() -- .unwrap(), -+ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), - ) - .unwrap(); - diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index 22f228e..d7cb60e 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec @@ -128,8 +128,8 @@ end} Summary: Mozilla Firefox Web browser Name: firefox -Version: 91.2.0 -Release: 5%{?dist} +Version: 91.3.0 +Release: 1%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ %if 0%{?rhel} == 9 
@@ -149,7 +149,7 @@ ExcludeArch: s390 ppc # Link to official tarball: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%%{version}%%{?pre_version}.source.tar.xz Source0: firefox-%{version}%{?pre_version}.processed-source.tar.xz %if %{build_langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20210929.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20211101.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball @@ -200,8 +200,6 @@ Patch513: mozilla-bmo998749.patch Patch514: mozilla-s390x-skia-gradient.patch Patch515: mozilla-bmo1626236.patch Patch518: D110204-fscreen.diff -# https://github.com/mozilla/neqo/commit/2e1785a6b3b85316a2451cdb2dc3027c192a7533 -Patch519: fips-quic.patch # Flatpak patches @@ -444,7 +442,6 @@ echo "use_rustts %{?use_rustts}" #%patch514 -p1 -b .mozilla-s390x-skia-gradient %patch515 -p1 -b .mozilla-bmo1626236 %patch518 -p1 -b .D110204-fscreen.diff -%patch519 -p1 -b .fips-quic %patch1001 -p1 -b .ppc64le-inline @@ -1250,6 +1247,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Mon Nov 01 2021 Eike Rathke - 91.3.0-1 +- Update to 91.3.0 build1 + * Thu Oct 21 2021 Jan Horak - 91.2.0-5 - Fixed crashes when FIPS is enabled.