rpms/firefox
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import firefox-91.2.0-5.el8_4

Browse Source
This commit is contained in:
CentOS Sources 2021-10-25 12:25:51 -04:00 committed by Stepan Oksanichenko
parent 8baeebdcc2
commit 97cfe9ad72
2 changed files with 219 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

211
SOURCES/fips-quic.patch Normal file
View File

@ -0,0 +1,211 @@
diff -up firefox-91.2.0/Cargo.toml.fips-quic firefox-91.2.0/Cargo.toml
--- firefox-91.2.0/Cargo.toml.fips-quic 2021-10-21 09:40:17.235999423 +0200
+++ firefox-91.2.0/Cargo.toml 2021-10-21 11:21:06.746558028 +0200
@@ -109,3 +109,12 @@ path = "third_party/rust/failure"
[patch.crates-io.prost-derive]
path = "third_party/rust/prost-derive"
+
+[patch."https://github.com/mozilla/neqo"]
+neqo-crypto = { path = "third_party/rust/neqo-crypto" }
+neqo-transport = { path = "third_party/rust/neqo-transport" }
+neqo-qpack = { path = "third_party/rust/neqo-qpack" }
+neqo-common = { path = "third_party/rust/neqo-common" }
+
+
+
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml
--- firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic 2021-09-28 18:41:34.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml 2021-10-21 08:49:01.762221759 +0200
@@ -163,7 +163,7 @@ functions = [
"PK11_GetKeyData",
"PK11_GetMechanism",
"PK11_HPKE_Serialize",
- "PK11_ImportSymKey",
+ "PK11_ImportDataKey",
"PK11_ReadRawAttribute",
"PK11_ReferenceSymKey",
"SECITEM_FreeItem",
@@ -196,11 +196,10 @@ variables = [
"CKM_AES_ECB",
"CKM_AES_GCM",
"CKM_EC_KEY_PAIR_GEN",
+ "CKM_HKDF_DERIVE",
"CKM_INVALID_MECHANISM",
"CKM_NSS_CHACHA20_CTR",
"CKM_NSS_CHACHA20_POLY1305",
- "CKM_NSS_HKDF_SHA256",
- "CKM_NSS_HKDF_SHA384",
"PK11_ATTR_INSENSITIVE",
"PK11_ATTR_PRIVATE",
"PK11_ATTR_PUBLIC",
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs
--- firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs 2021-10-21 08:49:01.763221763 +0200
@@ -10,8 +10,8 @@ use crate::constants::{
};
use crate::err::{Error, Res};
use crate::p11::{
- random, Item, PK11Origin, PK11SymKey, PK11_ImportSymKey, Slot, SymKey, CKA_DERIVE,
- CKM_NSS_HKDF_SHA256, CKM_NSS_HKDF_SHA384, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE,
+ random, Item, PK11Origin, PK11SymKey, PK11_ImportDataKey, Slot, SymKey, CKA_DERIVE,
+ CKM_HKDF_DERIVE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE,
};
use std::convert::TryFrom;
@@ -52,27 +52,22 @@ fn key_size(version: Version, cipher: Ci
/// # Errors
/// Only if NSS fails.
pub fn generate_key(version: Version, cipher: Cipher) -> Res<SymKey> {
- import_key(version, cipher, &random(key_size(version, cipher)?))
+ import_key(version, &random(key_size(version, cipher)?))
}
/// Import a symmetric key for use with HKDF.
///
/// # Errors
/// Errors returned if the key buffer is an incompatible size or the NSS functions fail.
-pub fn import_key(version: Version, cipher: Cipher, buf: &[u8]) -> Res<SymKey> {
+pub fn import_key(version: Version, buf: &[u8]) -> Res<SymKey> {
if version != TLS_VERSION_1_3 {
return Err(Error::UnsupportedVersion);
}
- let mech = match cipher {
- TLS_AES_128_GCM_SHA256 | TLS_CHACHA20_POLY1305_SHA256 => CKM_NSS_HKDF_SHA256,
- TLS_AES_256_GCM_SHA384 => CKM_NSS_HKDF_SHA384,
- _ => return Err(Error::UnsupportedCipher),
- };
let slot = Slot::internal()?;
let key_ptr = unsafe {
- PK11_ImportSymKey(
+ PK11_ImportDataKey(
*slot,
- CK_MECHANISM_TYPE::from(mech),
+ CK_MECHANISM_TYPE::from(CKM_HKDF_DERIVE),
PK11Origin::PK11_OriginUnwrap,
CK_ATTRIBUTE_TYPE::from(CKA_DERIVE),
&mut Item::wrap(buf),
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs
--- firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic 2021-09-28 18:41:41.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs 2021-10-21 08:49:01.763221763 +0200
@@ -41,7 +41,7 @@ impl SelfEncrypt {
fn make_aead(&self, k: &SymKey, salt: &[u8]) -> Res<Aead> {
debug_assert_eq!(salt.len(), Self::SALT_LENGTH);
- let salt = hkdf::import_key(self.version, self.cipher, salt)?;
+ let salt = hkdf::import_key(self.version, salt)?;
let secret = hkdf::extract(self.version, self.cipher, Some(&salt), k)?;
Aead::new(self.version, self.cipher, &secret, "neqo self")
}
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs
--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic 2021-09-28 18:41:35.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs 2021-10-21 08:49:01.764221767 +0200
@@ -26,7 +26,6 @@ fn make_aead(cipher: Cipher) -> Aead {
let secret = hkdf::import_key(
TLS_VERSION_1_3,
- cipher,
&[
0x47, 0xb2, 0xea, 0xea, 0x6c, 0x26, 0x6e, 0x32, 0xc0, 0x69, 0x7a, 0x9e, 0x2a, 0x89,
0x8b, 0xdf, 0x5c, 0x4f, 0xb3, 0xe5, 0xac, 0x34, 0xf0, 0xe5, 0x49, 0xbf, 0x2c, 0x58,
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs
--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs 2021-10-21 08:49:01.764221767 +0200
@@ -38,8 +38,8 @@ fn cipher_hash_len(cipher: Cipher) -> us
fn import_keys(cipher: Cipher) -> (SymKey, SymKey) {
let l = cipher_hash_len(cipher);
(
- hkdf::import_key(TLS_VERSION_1_3, cipher, &SALT[0..l]).expect("import salt"),
- hkdf::import_key(TLS_VERSION_1_3, cipher, &IKM[0..l]).expect("import IKM"),
+ hkdf::import_key(TLS_VERSION_1_3, &SALT[0..l]).expect("import salt"),
+ hkdf::import_key(TLS_VERSION_1_3, &IKM[0..l]).expect("import IKM"),
)
}
diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs
--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs 2021-10-21 08:49:01.764221767 +0200
@@ -9,7 +9,7 @@ use neqo_crypto::hp::HpKey;
use test_fixture::fixture_init;
fn make_hp(cipher: Cipher) -> HpKey {
- let ikm = hkdf::import_key(TLS_VERSION_1_3, cipher, &[0; 16]).expect("import IKM");
+ let ikm = hkdf::import_key(TLS_VERSION_1_3, &[0; 16]).expect("import IKM");
let prk = hkdf::extract(TLS_VERSION_1_3, cipher, None, &ikm).expect("extract works");
HpKey::extract(TLS_VERSION_1_3, cipher, &prk, "hp").expect("extract label works")
}
diff -up firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml
diff -up firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml
diff -up firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml
diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs
--- firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs 2021-10-21 08:49:01.765221771 +0200
@@ -432,14 +432,8 @@ impl CryptoDxState {
let initial_secret = hkdf::extract(
TLS_VERSION_1_3,
cipher,
- Some(
- hkdf::import_key(TLS_VERSION_1_3, cipher, salt)
- .as_ref()
- .unwrap(),
- ),
- hkdf::import_key(TLS_VERSION_1_3, cipher, dcid)
- .as_ref()
- .unwrap(),
+ Some(hkdf::import_key(TLS_VERSION_1_3, salt).as_ref().unwrap()),
+ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(),
)
.unwrap();
@@ -1094,8 +1088,7 @@ impl CryptoStates {
let app_read = |epoch| CryptoDxAppData {
dx: read(epoch),
cipher: TLS_AES_128_GCM_SHA256,
- next_secret: hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &[0xaa; 32])
- .unwrap(),
+ next_secret: hkdf::import_key(TLS_VERSION_1_3, &[0xaa; 32]).unwrap(),
};
Self {
initial: Some(CryptoState {
@@ -1120,8 +1113,7 @@ impl CryptoStates {
0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3,
0x0f, 0x21, 0x63, 0x2b,
];
- let secret =
- hkdf::import_key(TLS_VERSION_1_3, TLS_CHACHA20_POLY1305_SHA256, SECRET).unwrap();
+ let secret = hkdf::import_key(TLS_VERSION_1_3, SECRET).unwrap();
let app_read = |epoch| CryptoDxAppData {
dx: CryptoDxState {
direction: CryptoDxDirection::Read,
diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs
--- firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs 2021-10-21 08:49:01.766221775 +0200
@@ -28,7 +28,7 @@ fn make_aead(secret: &[u8]) -> Aead {
#[cfg(debug_assertions)]
::neqo_crypto::assert_initialized();
- let secret = hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, secret).unwrap();
+ let secret = hkdf::import_key(TLS_VERSION_1_3, secret).unwrap();
Aead::new(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic ").unwrap()
}
thread_local!(static RETRY_AEAD_29: RefCell<Aead> = RefCell::new(make_aead(RETRY_SECRET_29)));
diff -up firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs
--- firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200
+++ firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs 2021-10-21 08:49:01.766221775 +0200
@@ -121,13 +121,11 @@ pub fn client_initial_aead_and_hp(dcid:
TLS_VERSION_1_3,
TLS_AES_128_GCM_SHA256,
Some(
- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, INITIAL_SALT)
+ hkdf::import_key(TLS_VERSION_1_3, INITIAL_SALT)
.as_ref()
.unwrap(),
),
- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, dcid)
- .as_ref()
- .unwrap(),
+ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(),
)
.unwrap();

10
SPECS/firefox.spec
View File

@ -18,7 +18,7 @@ function dist_to_rhel_minor(str, start)
end end
match = string.match(str, ".el8") match = string.match(str, ".el8")
if match then if match then
return 5 return 6
end end
return -1 return -1
end} end}
@ -129,7 +129,7 @@ end}
Summary: Mozilla Firefox Web browser Summary: Mozilla Firefox Web browser
Name: firefox Name: firefox
Version: 91.2.0 Version: 91.2.0
Release: 4%{?dist} Release: 5%{?dist}
URL: https://www.mozilla.org/firefox/ URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
%if 0%{?rhel} == 9 %if 0%{?rhel} == 9
@ -200,6 +200,8 @@ Patch513: mozilla-bmo998749.patch
Patch514: mozilla-s390x-skia-gradient.patch Patch514: mozilla-s390x-skia-gradient.patch
Patch515: mozilla-bmo1626236.patch Patch515: mozilla-bmo1626236.patch
Patch518: D110204-fscreen.diff Patch518: D110204-fscreen.diff
# https://github.com/mozilla/neqo/commit/2e1785a6b3b85316a2451cdb2dc3027c192a7533
Patch519: fips-quic.patch
# Flatpak patches # Flatpak patches
@ -442,6 +444,7 @@ echo "use_rustts %{?use_rustts}"
#%patch514 -p1 -b .mozilla-s390x-skia-gradient #%patch514 -p1 -b .mozilla-s390x-skia-gradient
%patch515 -p1 -b .mozilla-bmo1626236 %patch515 -p1 -b .mozilla-bmo1626236
%patch518 -p1 -b .D110204-fscreen.diff %patch518 -p1 -b .D110204-fscreen.diff
%patch519 -p1 -b .fips-quic
%patch1001 -p1 -b .ppc64le-inline %patch1001 -p1 -b .ppc64le-inline
@ -1247,6 +1250,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#--------------------------------------------------------------------- #---------------------------------------------------------------------
%changelog %changelog
* Thu Oct 21 2021 Jan Horak <jhorak@redhat.com> - 91.2.0-5
- Fixed crashes when FIPS is enabled.
* Mon Oct 04 2021 Jan Horak <jhorak@redhat.com> - 91.2.0-4 * Mon Oct 04 2021 Jan Horak <jhorak@redhat.com> - 91.2.0-4
- Disable webrender on the s390x due to wrong colors: rhbz#2009503 - Disable webrender on the s390x due to wrong colors: rhbz#2009503