import CS firefox-128.4.0-1.el8

This commit is contained in:
Andrew Lukoshko 2024-10-31 23:12:45 +00:00
parent 2861f51e1f
commit 81091f5b96
8 changed files with 2682 additions and 25 deletions

View File

@ -1,6 +1,6 @@
5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz 5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
6816817f0b3b42a13dfdc38af8c61dca46b54c13 SOURCES/firefox-128.3.1esr.processed-source.tar.xz 459de5a85a512c7dcc356937af6ab02ab916cfd2 SOURCES/firefox-128.4.0esr.processed-source.tar.xz
4641ad07664f375780e20200322bd5b45cd60ee8 SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz 48712bb66e1ad7d2d969a230bbe5b6476a3e6fea SOURCES/firefox-langpacks-128.4.0esr-20241022.tar.xz
2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz 2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm

4
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/cbindgen-vendor.tar.xz SOURCES/cbindgen-vendor.tar.xz
SOURCES/firefox-128.3.1esr.processed-source.tar.xz SOURCES/firefox-128.4.0esr.processed-source.tar.xz
SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz SOURCES/firefox-langpacks-128.4.0esr-20241022.tar.xz
SOURCES/mochitest-python.tar.gz SOURCES/mochitest-python.tar.gz
SOURCES/nspr-4.35.0-1.el8_1.src.rpm SOURCES/nspr-4.35.0-1.el8_1.src.rpm
SOURCES/nss-3.101.0-7.el8_2.src.rpm SOURCES/nss-3.101.0-7.el8_2.src.rpm

View File

@ -0,0 +1,50 @@
diff --git a/dom/media/webrtc/transport/nricectx.cpp b/dom/media/webrtc/transport/nricectx.cpp
--- a/dom/media/webrtc/transport/nricectx.cpp
+++ b/dom/media/webrtc/transport/nricectx.cpp
@@ -124,23 +124,30 @@
static int nr_crypto_nss_hmac(UCHAR* key, size_t keyl, UCHAR* buf, size_t bufl,
UCHAR* result) {
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
PK11SlotInfo* slot = nullptr;
MOZ_ASSERT(keyl > 0);
- SECItem keyi = {siBuffer, key, static_cast<unsigned int>(keyl)};
+ CK_KEY_DERIVATION_STRING_DATA idkey = {key, keyl};
+ SECItem keyi = {siBuffer, (unsigned char*)&idkey, sizeof(idkey)};
+ PK11SymKey* tmpKey = nullptr;
PK11SymKey* skey = nullptr;
PK11Context* hmac_ctx = nullptr;
SECStatus status;
unsigned int hmac_len;
SECItem param = {siBuffer, nullptr, 0};
int err = R_INTERNAL;
slot = PK11_GetInternalKeySlot();
if (!slot) goto abort;
- skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi,
- nullptr);
+ // HMAC is used for hash calculation only so use derive instead of import
+ // to be FIPS compliant.
+ tmpKey = PK11_KeyGen(slot, mech, NULL, keyl, nullptr);
+ if (!tmpKey) goto abort;
+
+ skey = PK11_Derive(tmpKey, CKM_CONCATENATE_DATA_AND_BASE, &keyi, mech,
+ CKA_SIGN, keyl);
if (!skey) goto abort;
hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, &param);
if (!hmac_ctx) goto abort;
@@ -157,10 +164,11 @@
err = 0;
abort:
if (hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE);
+ if (tmpKey) PK11_FreeSymKey(tmpKey);
if (skey) PK11_FreeSymKey(skey);
if (slot) PK11_FreeSlot(slot);
return err;
}

View File

@ -0,0 +1,224 @@
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
--- a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
+++ b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
@@ -54,10 +54,11 @@
#include "crypto_types.h"
#include "cipher_types.h"
#include "cipher_test_cases.h"
#include <secerr.h>
#include <nspr.h>
+#include "nss_fips.h"
srtp_debug_module_t srtp_mod_aes_gcm = {
0, /* debugging is off by default */
"aes gcm nss" /* printable module name */
};
@@ -211,12 +212,17 @@
if (!slot) {
return (srtp_err_status_cipher_fail);
}
SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
- c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
- CKA_ENCRYPT, &key_item, NULL);
+ if (PK11_IsFIPS()) {
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_GCM, PK11_OriginUnwrap,
+ CKA_ENCRYPT, &key_item, NULL);
+ } else {
+ c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
+ CKA_ENCRYPT, &key_item, NULL);
+ }
PK11_FreeSlot(slot);
if (!c->key) {
return (srtp_err_status_cipher_fail);
}
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
--- a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
+++ b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
@@ -51,10 +51,11 @@
#include "crypto_types.h"
#include "err.h" /* for srtp_debug */
#include "alloc.h"
#include "cipher_types.h"
#include "cipher_test_cases.h"
+#include "nss_fips.h"
srtp_debug_module_t srtp_mod_aes_icm = {
0, /* debugging is off by default */
"aes icm nss" /* printable module name */
};
@@ -252,12 +253,17 @@
if (!slot) {
return srtp_err_status_bad_param;
}
SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size };
- c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
- CKA_ENCRYPT, &keyItem, NULL);
+ if (PK11_IsFIPS()) {
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_CTR, PK11_OriginUnwrap,
+ CKA_ENCRYPT, &keyItem, NULL);
+ } else {
+ c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
+ CKA_ENCRYPT, &keyItem, NULL);
+ }
PK11_FreeSlot(slot);
if (!c->key) {
return srtp_err_status_cipher_fail;
}
diff --git a/third_party/libsrtp/src/crypto/include/nss_fips.h b/third_party/libsrtp/src/crypto/include/nss_fips.h
new file mode 100644
--- /dev/null
+++ b/third_party/libsrtp/src/crypto/include/nss_fips.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (c) 2024, Red Hat, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * Neither the name of the Red Hat, Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+ Adapted from Red Hat Ceph patch by
+ Radoslaw Zarzynski <rzarzyns@redhat.com>
+
+ PK11_ImportSymKey() is a part of NSS API that becomes unavailable
+ in the FIPS mode. Apparently NSS targets stricter restrictions
+ than those coming from Level 1 of FIPS 140-2. In the consequence,
+ loading a symmetric key from plain keyring or key db fails.
+
+ A raw crypto key is in-memory wrapped with fresh, random wrapping
+ key just before being imported via PK11_UnwrapSymKey(). Of course,
+ this effectively lowers to FIPS level 1. Still, this would be no
+ different from what OpenSSL gives in the matter.
+*/
+
+#ifndef NSS_FIPS_H
+#define NSS_FIPS_H
+
+static PK11SymKey *PK11_ImportSymKey_FIPS(
+ PK11SlotInfo * const slot,
+ const CK_MECHANISM_TYPE type,
+ const PK11Origin origin,
+ const CK_ATTRIBUTE_TYPE operation,
+ SECItem * const raw_key,
+ void * const wincx)
+{
+ PK11SymKey* wrapping_key = NULL;
+ PK11Context *wrap_key_crypt_context = NULL;
+ SECItem *raw_key_aligned = NULL;
+ CK_MECHANISM_TYPE wrap_mechanism = 0;
+
+ struct {
+ unsigned char data[256];
+ int len;
+ } wrapped_key;
+
+ #define SCOPE_DATA_FREE() \
+ { \
+ PK11_FreeSymKey(wrapping_key); \
+ PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE); \
+ SECITEM_FreeItem(raw_key_aligned, PR_TRUE); \
+ }
+
+ if(raw_key->len > sizeof(wrapped_key.data)) {
+ return NULL;
+ }
+
+ // getting 306 on my system which is CKM_DES3_ECB.
+ wrap_mechanism = PK11_GetBestWrapMechanism(slot);
+
+ // Generate a wrapping key. It will be used exactly twice over the scope:
+ // * to encrypt raw_key giving wrapped_key,
+ // * to decrypt wrapped_key in the internals of PK11_UnwrapSymKey().
+ wrapping_key = PK11_KeyGen(slot, wrap_mechanism, NULL,
+ PK11_GetBestKeyLength(slot, wrap_mechanism), NULL);
+ if (wrapping_key == NULL) {
+ return NULL;
+ }
+
+ // Prepare a PK11 context for the raw_key -> wrapped_key encryption.
+ SECItem tmp_sec_item;
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
+ wrap_key_crypt_context = PK11_CreateContextBySymKey(
+ wrap_mechanism,
+ CKA_ENCRYPT,
+ wrapping_key,
+ &tmp_sec_item);
+ if (wrap_key_crypt_context == NULL) {
+ SCOPE_DATA_FREE();
+ return NULL;
+ }
+
+ // Finally wrap the key. Important note is that the wrapping mechanism
+ // selection (read: just grabbing a cipher) offers, at least in my NSS
+ // copy, mostly CKM_*_ECB ciphers (with 3DES as the leading one, see
+ // wrapMechanismList[] in pk11mech.c). There is no CKM_*_*_PAD variant
+ // which means that plaintext we are providing to PK11_CipherOp() must
+ // be aligned to cipher's block size. For 3DES it's 64 bits.
+ raw_key_aligned = PK11_BlockData(raw_key, PK11_GetBlockSize(wrap_mechanism, NULL));
+ if (raw_key_aligned == NULL) {
+ SCOPE_DATA_FREE();
+ return NULL;
+ }
+
+ if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key.data, &wrapped_key.len,
+ sizeof(wrapped_key.data), raw_key_aligned->data,
+ raw_key_aligned->len) != SECSuccess) {
+ SCOPE_DATA_FREE();
+ return NULL;
+ }
+
+ if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) {
+ SCOPE_DATA_FREE();
+ return NULL;
+ }
+
+ // Key is wrapped now so we can acquire the ultimate PK11SymKey through
+ // unwrapping it. Of course these two opposite operations form NOP with
+ // a side effect: FIPS level 1 compatibility.
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
+
+ SECItem wrapped_key_item;
+ memset(&wrapped_key_item, 0, sizeof(wrapped_key_item));
+ wrapped_key_item.data = wrapped_key.data;
+ wrapped_key_item.len = wrapped_key.len;
+
+ PK11SymKey *ret = PK11_UnwrapSymKey(wrapping_key, wrap_mechanism,
+ &tmp_sec_item, &wrapped_key_item, type,
+ operation, raw_key->len);
+ SCOPE_DATA_FREE();
+ return ret;
+ }
+
+#endif // NSS_FIPS_H

View File

@ -1,9 +0,0 @@
[Global]
id=redhat
version=1.0
about=Mozilla Firefox for Red Hat Enterprise Linux
[Preferences]
app.distributor=redhat
app.distributor.channel=redhat
app.partner.redhat=redhat

View File

@ -0,0 +1,9 @@
[Global]
id=__ID__
version=1.0
about=Mozilla Firefox for __NAME__
[Preferences]
app.distributor=__ID__
app.distributor.channel=__ID__
app.partner.__ID__=__ID__

File diff suppressed because it is too large Load Diff

View File

@ -137,8 +137,8 @@ end}
Summary: Mozilla Firefox Web browser Summary: Mozilla Firefox Web browser
Name: firefox Name: firefox
Version: 128.3.1 Version: 128.4.0
Release: 2%{?dist} Release: 1%{?dist}
URL: https://www.mozilla.org/firefox/ URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
@ -168,7 +168,7 @@ ExcludeArch: aarch64 s390 ppc
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
%if %{with langpacks} %if %{with langpacks}
Source1: firefox-langpacks-%{version}%{?pre_version}-20241009.tar.xz Source1: firefox-langpacks-%{version}%{?pre_version}-20241022.tar.xz
%endif %endif
Source2: cbindgen-vendor.tar.xz Source2: cbindgen-vendor.tar.xz
Source3: process-official-tarball Source3: process-official-tarball
@ -179,7 +179,7 @@ Source21: firefox.sh.in
Source23: firefox.1 Source23: firefox.1
Source24: mozilla-api-key Source24: mozilla-api-key
Source25: firefox-symbolic.svg Source25: firefox-symbolic.svg
Source26: distribution.ini Source26: distribution.ini.in
Source27: google-api-key Source27: google-api-key
Source30: firefox-x11.sh.in Source30: firefox-x11.sh.in
Source31: firefox-x11.desktop Source31: firefox-x11.desktop
@ -236,6 +236,12 @@ Patch154: firefox-nss-addon-hack.patch
# ARM run-time patch # ARM run-time patch
Patch155: rhbz-1354671.patch Patch155: rhbz-1354671.patch
# --- fips webrtc fix
Patch200: webrtc-128.0.patch.patch
Patch201: D224587.1728128070.diff
Patch202: D224588.1728128098.diff
# ---- Test patches ---- # ---- Test patches ----
# Generate without context by # Generate without context by
# GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell # GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell
@ -1170,6 +1176,14 @@ echo "--------------------------------------------"
%patch -P155 -p1 -b .rhbz-1354671 %patch -P155 -p1 -b .rhbz-1354671
%endif %endif
# Fips webrtc patch
%ifnarch ppc64 ppc64le s390x
%patch -P200 -p1 -b .webrtc-128.0
%patch -P201 -p1 -b .D224587
%patch -P202 -p1 -b .D224588
%endif
# ---- Security patches ---- # ---- Security patches ----
%{__rm} -f .mozconfig %{__rm} -f .mozconfig
@ -1718,14 +1732,11 @@ ln -s %{_datadir}/myspell %{buildroot}%{mozappdir}/dictionaries
# Add distribution.ini # Add distribution.ini
%{__mkdir_p} %{buildroot}%{mozappdir}/distribution %{__mkdir_p} %{buildroot}%{mozappdir}/distribution
%{__cp} %{SOURCE26} %{buildroot}%{mozappdir}/distribution %{__sed} -e "s/__NAME__/%(source /etc/os-release; echo ${NAME})/g" \
-e "s/__ID__/%(source /etc/os-release; echo ${ID})/g" \
# CentOS -e "s/rhel/redhat/g" \
%if 0%{?centos} -e "s/Fedora.*/Fedora/g" \
%{__sed} -ie 's/redhat/centos/g' %{buildroot}%{mozappdir}/distribution %{SOURCE26} > %{buildroot}%{mozappdir}/distribution/distribution.ini
(source /etc/os-release; %{__sed} -ie 's/Red Hat Enterprise Linux/$NAME/' %{buildroot}%{mozappdir}/distribution)
cat %{buildroot}%{mozappdir}/distribution
%endif
# Install appdata file # Install appdata file
mkdir -p %{buildroot}%{_datadir}/metainfo mkdir -p %{buildroot}%{_datadir}/metainfo
@ -1860,6 +1871,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#--------------------------------------------------------------------- #---------------------------------------------------------------------
%changelog %changelog
* Tue Oct 22 2024 Eike Rathke <erack@redhat.com> - 128.4.0-1
- Update to 128.4.0 build1
* Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1 * Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1
- Update to 128.3.1 - Update to 128.3.1