Compare commits
2 Commits
a8-depreca
...
c8
Author | SHA1 | Date | |
---|---|---|---|
a93844e05b | |||
81091f5b96 |
@ -1,7 +1,8 @@
|
|||||||
5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
|
5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
|
||||||
6816817f0b3b42a13dfdc38af8c61dca46b54c13 SOURCES/firefox-128.3.1esr.processed-source.tar.xz
|
2549991b68b27b820e92151e48f9f08da0cd55fb SOURCES/firefox-128.5.1esr.processed-source.tar.xz
|
||||||
4641ad07664f375780e20200322bd5b45cd60ee8 SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz
|
76f0794bac607a730ea03dff8f804e09c9e0c962 SOURCES/firefox-langpacks-128.5.1esr-20241202.tar.xz
|
||||||
2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
|
2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
|
||||||
d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
||||||
f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
||||||
0413d22a58ba1bba99acec9c3c2a4db56a4100c7 SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
0413d22a58ba1bba99acec9c3c2a4db56a4100c7 SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
||||||
|
0332862626d2148648ff749078c223dbd859d901 SOURCES/wasi-sdk-20.tar.gz
|
||||||
|
5
.gitignore
vendored
5
.gitignore
vendored
@ -1,7 +1,8 @@
|
|||||||
SOURCES/cbindgen-vendor.tar.xz
|
SOURCES/cbindgen-vendor.tar.xz
|
||||||
SOURCES/firefox-128.3.1esr.processed-source.tar.xz
|
SOURCES/firefox-128.5.1esr.processed-source.tar.xz
|
||||||
SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz
|
SOURCES/firefox-langpacks-128.5.1esr-20241202.tar.xz
|
||||||
SOURCES/mochitest-python.tar.gz
|
SOURCES/mochitest-python.tar.gz
|
||||||
SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
||||||
SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
||||||
SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
||||||
|
SOURCES/wasi-sdk-20.tar.gz
|
||||||
|
50
SOURCES/D224587.1728128070.diff
Normal file
50
SOURCES/D224587.1728128070.diff
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
diff --git a/dom/media/webrtc/transport/nricectx.cpp b/dom/media/webrtc/transport/nricectx.cpp
|
||||||
|
--- a/dom/media/webrtc/transport/nricectx.cpp
|
||||||
|
+++ b/dom/media/webrtc/transport/nricectx.cpp
|
||||||
|
@@ -124,23 +124,30 @@
|
||||||
|
static int nr_crypto_nss_hmac(UCHAR* key, size_t keyl, UCHAR* buf, size_t bufl,
|
||||||
|
UCHAR* result) {
|
||||||
|
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
|
||||||
|
PK11SlotInfo* slot = nullptr;
|
||||||
|
MOZ_ASSERT(keyl > 0);
|
||||||
|
- SECItem keyi = {siBuffer, key, static_cast<unsigned int>(keyl)};
|
||||||
|
+ CK_KEY_DERIVATION_STRING_DATA idkey = {key, keyl};
|
||||||
|
+ SECItem keyi = {siBuffer, (unsigned char*)&idkey, sizeof(idkey)};
|
||||||
|
+ PK11SymKey* tmpKey = nullptr;
|
||||||
|
PK11SymKey* skey = nullptr;
|
||||||
|
PK11Context* hmac_ctx = nullptr;
|
||||||
|
SECStatus status;
|
||||||
|
unsigned int hmac_len;
|
||||||
|
SECItem param = {siBuffer, nullptr, 0};
|
||||||
|
int err = R_INTERNAL;
|
||||||
|
|
||||||
|
slot = PK11_GetInternalKeySlot();
|
||||||
|
if (!slot) goto abort;
|
||||||
|
|
||||||
|
- skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi,
|
||||||
|
- nullptr);
|
||||||
|
+ // HMAC is used for hash calculation only so use derive instead of import
|
||||||
|
+ // to be FIPS compliant.
|
||||||
|
+ tmpKey = PK11_KeyGen(slot, mech, NULL, keyl, nullptr);
|
||||||
|
+ if (!tmpKey) goto abort;
|
||||||
|
+
|
||||||
|
+ skey = PK11_Derive(tmpKey, CKM_CONCATENATE_DATA_AND_BASE, &keyi, mech,
|
||||||
|
+ CKA_SIGN, keyl);
|
||||||
|
if (!skey) goto abort;
|
||||||
|
|
||||||
|
hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, ¶m);
|
||||||
|
if (!hmac_ctx) goto abort;
|
||||||
|
|
||||||
|
@@ -157,10 +164,11 @@
|
||||||
|
|
||||||
|
err = 0;
|
||||||
|
|
||||||
|
abort:
|
||||||
|
if (hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE);
|
||||||
|
+ if (tmpKey) PK11_FreeSymKey(tmpKey);
|
||||||
|
if (skey) PK11_FreeSymKey(skey);
|
||||||
|
if (slot) PK11_FreeSlot(slot);
|
||||||
|
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
|
224
SOURCES/D224588.1728128098.diff
Normal file
224
SOURCES/D224588.1728128098.diff
Normal file
@ -0,0 +1,224 @@
|
|||||||
|
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
||||||
|
--- a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
||||||
|
+++ b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
||||||
|
@@ -54,10 +54,11 @@
|
||||||
|
#include "crypto_types.h"
|
||||||
|
#include "cipher_types.h"
|
||||||
|
#include "cipher_test_cases.h"
|
||||||
|
#include <secerr.h>
|
||||||
|
#include <nspr.h>
|
||||||
|
+#include "nss_fips.h"
|
||||||
|
|
||||||
|
srtp_debug_module_t srtp_mod_aes_gcm = {
|
||||||
|
0, /* debugging is off by default */
|
||||||
|
"aes gcm nss" /* printable module name */
|
||||||
|
};
|
||||||
|
@@ -211,12 +212,17 @@
|
||||||
|
if (!slot) {
|
||||||
|
return (srtp_err_status_cipher_fail);
|
||||||
|
}
|
||||||
|
|
||||||
|
SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
|
||||||
|
- c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
||||||
|
- CKA_ENCRYPT, &key_item, NULL);
|
||||||
|
+ if (PK11_IsFIPS()) {
|
||||||
|
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
||||||
|
+ CKA_ENCRYPT, &key_item, NULL);
|
||||||
|
+ } else {
|
||||||
|
+ c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
||||||
|
+ CKA_ENCRYPT, &key_item, NULL);
|
||||||
|
+ }
|
||||||
|
PK11_FreeSlot(slot);
|
||||||
|
|
||||||
|
if (!c->key) {
|
||||||
|
return (srtp_err_status_cipher_fail);
|
||||||
|
}
|
||||||
|
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
||||||
|
--- a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
||||||
|
+++ b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
||||||
|
@@ -51,10 +51,11 @@
|
||||||
|
#include "crypto_types.h"
|
||||||
|
#include "err.h" /* for srtp_debug */
|
||||||
|
#include "alloc.h"
|
||||||
|
#include "cipher_types.h"
|
||||||
|
#include "cipher_test_cases.h"
|
||||||
|
+#include "nss_fips.h"
|
||||||
|
|
||||||
|
srtp_debug_module_t srtp_mod_aes_icm = {
|
||||||
|
0, /* debugging is off by default */
|
||||||
|
"aes icm nss" /* printable module name */
|
||||||
|
};
|
||||||
|
@@ -252,12 +253,17 @@
|
||||||
|
if (!slot) {
|
||||||
|
return srtp_err_status_bad_param;
|
||||||
|
}
|
||||||
|
|
||||||
|
SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size };
|
||||||
|
- c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
||||||
|
- CKA_ENCRYPT, &keyItem, NULL);
|
||||||
|
+ if (PK11_IsFIPS()) {
|
||||||
|
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
||||||
|
+ CKA_ENCRYPT, &keyItem, NULL);
|
||||||
|
+ } else {
|
||||||
|
+ c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
||||||
|
+ CKA_ENCRYPT, &keyItem, NULL);
|
||||||
|
+ }
|
||||||
|
PK11_FreeSlot(slot);
|
||||||
|
|
||||||
|
if (!c->key) {
|
||||||
|
return srtp_err_status_cipher_fail;
|
||||||
|
}
|
||||||
|
diff --git a/third_party/libsrtp/src/crypto/include/nss_fips.h b/third_party/libsrtp/src/crypto/include/nss_fips.h
|
||||||
|
new file mode 100644
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/third_party/libsrtp/src/crypto/include/nss_fips.h
|
||||||
|
@@ -0,0 +1,148 @@
|
||||||
|
+/*
|
||||||
|
+ * Copyright (c) 2024, Red Hat, Inc.
|
||||||
|
+ * All rights reserved.
|
||||||
|
+ *
|
||||||
|
+ * Redistribution and use in source and binary forms, with or without
|
||||||
|
+ * modification, are permitted provided that the following conditions
|
||||||
|
+ * are met:
|
||||||
|
+ *
|
||||||
|
+ * Redistributions of source code must retain the above copyright
|
||||||
|
+ * notice, this list of conditions and the following disclaimer.
|
||||||
|
+ *
|
||||||
|
+ * Redistributions in binary form must reproduce the above
|
||||||
|
+ * copyright notice, this list of conditions and the following
|
||||||
|
+ * disclaimer in the documentation and/or other materials provided
|
||||||
|
+ * with the distribution.
|
||||||
|
+ *
|
||||||
|
+ * Neither the name of the Red Hat, Inc. nor the names of its
|
||||||
|
+ * contributors may be used to endorse or promote products derived
|
||||||
|
+ * from this software without specific prior written permission.
|
||||||
|
+ *
|
||||||
|
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||||
|
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||||
|
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||||
|
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||||
|
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||||
|
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||||
|
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||||
|
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||||
|
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||||
|
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||||
|
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
+*/
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ Adapted from Red Hat Ceph patch by
|
||||||
|
+ Radoslaw Zarzynski <rzarzyns@redhat.com>
|
||||||
|
+
|
||||||
|
+ PK11_ImportSymKey() is a part of NSS API that becomes unavailable
|
||||||
|
+ in the FIPS mode. Apparently NSS targets stricter restrictions
|
||||||
|
+ than those coming from Level 1 of FIPS 140-2. In the consequence,
|
||||||
|
+ loading a symmetric key from plain keyring or key db fails.
|
||||||
|
+
|
||||||
|
+ A raw crypto key is in-memory wrapped with fresh, random wrapping
|
||||||
|
+ key just before being imported via PK11_UnwrapSymKey(). Of course,
|
||||||
|
+ this effectively lowers to FIPS level 1. Still, this would be no
|
||||||
|
+ different from what OpenSSL gives in the matter.
|
||||||
|
+*/
|
||||||
|
+
|
||||||
|
+#ifndef NSS_FIPS_H
|
||||||
|
+#define NSS_FIPS_H
|
||||||
|
+
|
||||||
|
+static PK11SymKey *PK11_ImportSymKey_FIPS(
|
||||||
|
+ PK11SlotInfo * const slot,
|
||||||
|
+ const CK_MECHANISM_TYPE type,
|
||||||
|
+ const PK11Origin origin,
|
||||||
|
+ const CK_ATTRIBUTE_TYPE operation,
|
||||||
|
+ SECItem * const raw_key,
|
||||||
|
+ void * const wincx)
|
||||||
|
+{
|
||||||
|
+ PK11SymKey* wrapping_key = NULL;
|
||||||
|
+ PK11Context *wrap_key_crypt_context = NULL;
|
||||||
|
+ SECItem *raw_key_aligned = NULL;
|
||||||
|
+ CK_MECHANISM_TYPE wrap_mechanism = 0;
|
||||||
|
+
|
||||||
|
+ struct {
|
||||||
|
+ unsigned char data[256];
|
||||||
|
+ int len;
|
||||||
|
+ } wrapped_key;
|
||||||
|
+
|
||||||
|
+ #define SCOPE_DATA_FREE() \
|
||||||
|
+ { \
|
||||||
|
+ PK11_FreeSymKey(wrapping_key); \
|
||||||
|
+ PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE); \
|
||||||
|
+ SECITEM_FreeItem(raw_key_aligned, PR_TRUE); \
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(raw_key->len > sizeof(wrapped_key.data)) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // getting 306 on my system which is CKM_DES3_ECB.
|
||||||
|
+ wrap_mechanism = PK11_GetBestWrapMechanism(slot);
|
||||||
|
+
|
||||||
|
+ // Generate a wrapping key. It will be used exactly twice over the scope:
|
||||||
|
+ // * to encrypt raw_key giving wrapped_key,
|
||||||
|
+ // * to decrypt wrapped_key in the internals of PK11_UnwrapSymKey().
|
||||||
|
+ wrapping_key = PK11_KeyGen(slot, wrap_mechanism, NULL,
|
||||||
|
+ PK11_GetBestKeyLength(slot, wrap_mechanism), NULL);
|
||||||
|
+ if (wrapping_key == NULL) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Prepare a PK11 context for the raw_key -> wrapped_key encryption.
|
||||||
|
+ SECItem tmp_sec_item;
|
||||||
|
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
|
||||||
|
+ wrap_key_crypt_context = PK11_CreateContextBySymKey(
|
||||||
|
+ wrap_mechanism,
|
||||||
|
+ CKA_ENCRYPT,
|
||||||
|
+ wrapping_key,
|
||||||
|
+ &tmp_sec_item);
|
||||||
|
+ if (wrap_key_crypt_context == NULL) {
|
||||||
|
+ SCOPE_DATA_FREE();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Finally wrap the key. Important note is that the wrapping mechanism
|
||||||
|
+ // selection (read: just grabbing a cipher) offers, at least in my NSS
|
||||||
|
+ // copy, mostly CKM_*_ECB ciphers (with 3DES as the leading one, see
|
||||||
|
+ // wrapMechanismList[] in pk11mech.c). There is no CKM_*_*_PAD variant
|
||||||
|
+ // which means that plaintext we are providing to PK11_CipherOp() must
|
||||||
|
+ // be aligned to cipher's block size. For 3DES it's 64 bits.
|
||||||
|
+ raw_key_aligned = PK11_BlockData(raw_key, PK11_GetBlockSize(wrap_mechanism, NULL));
|
||||||
|
+ if (raw_key_aligned == NULL) {
|
||||||
|
+ SCOPE_DATA_FREE();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key.data, &wrapped_key.len,
|
||||||
|
+ sizeof(wrapped_key.data), raw_key_aligned->data,
|
||||||
|
+ raw_key_aligned->len) != SECSuccess) {
|
||||||
|
+ SCOPE_DATA_FREE();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) {
|
||||||
|
+ SCOPE_DATA_FREE();
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Key is wrapped now so we can acquire the ultimate PK11SymKey through
|
||||||
|
+ // unwrapping it. Of course these two opposite operations form NOP with
|
||||||
|
+ // a side effect: FIPS level 1 compatibility.
|
||||||
|
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
|
||||||
|
+
|
||||||
|
+ SECItem wrapped_key_item;
|
||||||
|
+ memset(&wrapped_key_item, 0, sizeof(wrapped_key_item));
|
||||||
|
+ wrapped_key_item.data = wrapped_key.data;
|
||||||
|
+ wrapped_key_item.len = wrapped_key.len;
|
||||||
|
+
|
||||||
|
+ PK11SymKey *ret = PK11_UnwrapSymKey(wrapping_key, wrap_mechanism,
|
||||||
|
+ &tmp_sec_item, &wrapped_key_item, type,
|
||||||
|
+ operation, raw_key->len);
|
||||||
|
+ SCOPE_DATA_FREE();
|
||||||
|
+ return ret;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#endif // NSS_FIPS_H
|
||||||
|
|
@ -1,9 +0,0 @@
|
|||||||
[Global]
|
|
||||||
id=almalinux
|
|
||||||
version=1.0
|
|
||||||
about=Mozilla Firefox for AlmaLinux
|
|
||||||
|
|
||||||
[Preferences]
|
|
||||||
app.distributor=almalinux
|
|
||||||
app.distributor.channel=almalinux
|
|
||||||
app.partner.fedora=almalinux
|
|
9
SOURCES/distribution.ini.in
Normal file
9
SOURCES/distribution.ini.in
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
[Global]
|
||||||
|
id=__ID__
|
||||||
|
version=1.0
|
||||||
|
about=Mozilla Firefox for __NAME__
|
||||||
|
|
||||||
|
[Preferences]
|
||||||
|
app.distributor=__ID__
|
||||||
|
app.distributor.channel=__ID__
|
||||||
|
app.partner.__ID__=__ID__
|
@ -12,9 +12,7 @@ ac_add_options --enable-official-branding
|
|||||||
ac_add_options --enable-pulseaudio
|
ac_add_options --enable-pulseaudio
|
||||||
ac_add_options --enable-release
|
ac_add_options --enable-release
|
||||||
ac_add_options --enable-system-ffi
|
ac_add_options --enable-system-ffi
|
||||||
ac_add_options --without-sysroot
|
|
||||||
ac_add_options --without-system-icu
|
ac_add_options --without-system-icu
|
||||||
ac_add_options --without-wasm-sandboxed-libraries
|
|
||||||
ac_add_options --with-system-jpeg
|
ac_add_options --with-system-jpeg
|
||||||
ac_add_options --with-system-zlib
|
ac_add_options --with-system-zlib
|
||||||
ac_add_options --with-unsigned-addon-scopes=app,system
|
ac_add_options --with-unsigned-addon-scopes=app,system
|
||||||
|
12
SOURCES/wasi.patch
Normal file
12
SOURCES/wasi.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz.configure
|
||||||
|
--- firefox-121.0.1/toolkit/moz.configure.wasi 2024-02-01 09:14:33.816548952 +0100
|
||||||
|
+++ firefox-121.0.1/toolkit/moz.configure 2024-02-01 09:15:53.264684309 +0100
|
||||||
|
@@ -2663,7 +2663,7 @@ with only_when(requires_wasm_sandboxing
|
||||||
|
def wasi_sysroot_flags(wasi_sysroot):
|
||||||
|
if wasi_sysroot:
|
||||||
|
log.info("Using wasi sysroot in %s", wasi_sysroot)
|
||||||
|
- return ["--sysroot=%s" % wasi_sysroot]
|
||||||
|
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/rpmbuild/BUILDROOT/usr/share/wasi-sysroot/lib/libclang_rt.builtins-wasm32.a"]
|
||||||
|
return []
|
||||||
|
|
||||||
|
set_config("WASI_SYSROOT", wasi_sysroot)
|
12
SOURCES/wasi.patch.template
Normal file
12
SOURCES/wasi.patch.template
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz.configure
|
||||||
|
--- firefox-121.0.1/toolkit/moz.configure.wasi 2024-02-01 09:14:33.816548952 +0100
|
||||||
|
+++ firefox-121.0.1/toolkit/moz.configure 2024-02-01 09:15:53.264684309 +0100
|
||||||
|
@@ -2663,7 +2663,7 @@ with only_when(requires_wasm_sandboxing
|
||||||
|
def wasi_sysroot_flags(wasi_sysroot):
|
||||||
|
if wasi_sysroot:
|
||||||
|
log.info("Using wasi sysroot in %s", wasi_sysroot)
|
||||||
|
- return ["--sysroot=%s" % wasi_sysroot]
|
||||||
|
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "$LIBCLANG_RT"]
|
||||||
|
return []
|
||||||
|
|
||||||
|
set_config("WASI_SYSROOT", wasi_sysroot)
|
2369
SOURCES/webrtc-128.0.patch.patch
Normal file
2369
SOURCES/webrtc-128.0.patch.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -12,41 +12,44 @@
|
|||||||
%global run_firefox_tests 0
|
%global run_firefox_tests 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# wasi_sdk is for sandboxing third party c/c++ libs by using rlbox, exclude s390x on the f39.
|
||||||
|
%bcond_with wasi_sdk
|
||||||
|
|
||||||
%{lua:
|
%{lua:
|
||||||
function dist_to_rhel_minor(str, start)
|
function dist_to_rhel_minor(str, start)
|
||||||
match = string.match(str, ".module%+el8.%d+")
|
match = string.match(str, ".module%+el8.%d+")
|
||||||
if match then
|
if match then
|
||||||
return string.sub(match, 13)
|
return string.sub(match, 13)
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el8_%d+")
|
match = string.match(str, ".el8_%d+")
|
||||||
if match then
|
if match then
|
||||||
return string.sub(match, 6)
|
return string.sub(match, 6)
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el8")
|
match = string.match(str, ".el8")
|
||||||
if match then
|
if match then
|
||||||
return 10
|
return 10
|
||||||
end
|
end
|
||||||
match = string.match(str, ".module%+el9.%d+")
|
match = string.match(str, ".module%+el9.%d+")
|
||||||
if match then
|
if match then
|
||||||
return string.sub(match, 13)
|
return string.sub(match, 13)
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el9_%d+")
|
match = string.match(str, ".el9_%d+")
|
||||||
if match then
|
if match then
|
||||||
return string.sub(match, 6)
|
return string.sub(match, 6)
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el9")
|
match = string.match(str, ".el9")
|
||||||
if match then
|
if match then
|
||||||
return 5
|
return 6
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el10_%d+")
|
match = string.match(str, ".el10_%d+")
|
||||||
if match then
|
if match then
|
||||||
return string.sub(match, 7)
|
return string.sub(match, 7)
|
||||||
end
|
end
|
||||||
match = string.match(str, ".el10")
|
match = string.match(str, ".el10")
|
||||||
if match then
|
if match then
|
||||||
return 0
|
return 0
|
||||||
end
|
end
|
||||||
return -1
|
return -1
|
||||||
end}
|
end}
|
||||||
|
|
||||||
%global rhel_minor_version %{lua:print(dist_to_rhel_minor(rpm.expand("%dist")))}
|
%global rhel_minor_version %{lua:print(dist_to_rhel_minor(rpm.expand("%dist")))}
|
||||||
@ -56,22 +59,31 @@ end}
|
|||||||
%global bundle_nss 0
|
%global bundle_nss 0
|
||||||
|
|
||||||
%if 0%{?rhel} == 7
|
%if 0%{?rhel} == 7
|
||||||
%global bundle_nss 0
|
%global bundle_nss 0
|
||||||
%global system_nss 0
|
%global system_nss 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?rhel} == 8
|
%if 0%{?rhel} == 8
|
||||||
%if %{rhel_minor_version} < 8
|
%if %{rhel_minor_version} < 8
|
||||||
%global bundle_nss 1
|
%global bundle_nss 1
|
||||||
%global system_nss 1
|
%global system_nss 1
|
||||||
%endif
|
%endif
|
||||||
|
%if %{rhel_minor_version} >= 10
|
||||||
|
%global with_wasi_sdk 1
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?rhel} == 9
|
%if 0%{?rhel} == 9
|
||||||
%if %{rhel_minor_version} < 2
|
%if %{rhel_minor_version} < 2
|
||||||
%global bundle_nss 1
|
%global bundle_nss 1
|
||||||
%global system_nss 1
|
%global system_nss 1
|
||||||
%endif
|
%endif
|
||||||
|
%if %{rhel_minor_version} > 5
|
||||||
|
%global with_wasi_sdk 1
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%global dts_version 11
|
%global dts_version 11
|
||||||
%global llvm_version 7.0
|
%global llvm_version 7.0
|
||||||
%global nspr_version 4.35
|
%global nspr_version 4.35
|
||||||
@ -94,15 +106,21 @@ end}
|
|||||||
%global nodejs_build_req nodejs
|
%global nodejs_build_req nodejs
|
||||||
|
|
||||||
%if 0%{?rhel} > 7 && 0%{?rhel} < 10
|
%if 0%{?rhel} > 7 && 0%{?rhel} < 10
|
||||||
%global use_gcc_ts 1
|
%global use_gcc_ts 1
|
||||||
|
%if 0%{?rhel} == 9 && %{rhel_minor_version} >= 6
|
||||||
|
# clang depends on gcc-toolset-14-gcc-c++
|
||||||
|
%global gts_version 14
|
||||||
|
%else
|
||||||
|
%global gts_version 13
|
||||||
|
%endif
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?rhel} == 7
|
%if 0%{?rhel} == 7
|
||||||
%global use_dts 1
|
%global use_dts 1
|
||||||
%global use_nodejs_scl 1
|
%global use_nodejs_scl 1
|
||||||
%global nodejs_build_req rh-nodejs10-nodejs
|
%global nodejs_build_req rh-nodejs10-nodejs
|
||||||
%global llvm_version 11.0
|
%global llvm_version 11.0
|
||||||
%global use_python3_scl 1
|
%global use_python3_scl 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?disable_toolsets}
|
%if 0%{?disable_toolsets}
|
||||||
@ -113,9 +131,9 @@ end}
|
|||||||
|
|
||||||
%global launch_wayland_compositor 0
|
%global launch_wayland_compositor 0
|
||||||
%if 0%{?run_firefox_tests}
|
%if 0%{?run_firefox_tests}
|
||||||
%global test_on_wayland 1
|
%global test_on_wayland 1
|
||||||
%global launch_wayland_compositor 1
|
%global launch_wayland_compositor 1
|
||||||
%global build_tests 1
|
%global build_tests 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
|
||||||
@ -137,8 +155,8 @@ end}
|
|||||||
|
|
||||||
Summary: Mozilla Firefox Web browser
|
Summary: Mozilla Firefox Web browser
|
||||||
Name: firefox
|
Name: firefox
|
||||||
Version: 128.3.1
|
Version: 128.5.1
|
||||||
Release: 2%{?dist}.alma.1
|
Release: 1%{?dist}
|
||||||
URL: https://www.mozilla.org/firefox/
|
URL: https://www.mozilla.org/firefox/
|
||||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||||
|
|
||||||
@ -168,7 +186,7 @@ ExcludeArch: aarch64 s390 ppc
|
|||||||
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
|
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
|
||||||
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
|
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
|
||||||
%if %{with langpacks}
|
%if %{with langpacks}
|
||||||
Source1: firefox-langpacks-%{version}%{?pre_version}-20241009.tar.xz
|
Source1: firefox-langpacks-%{version}%{?pre_version}-20241202.tar.xz
|
||||||
%endif
|
%endif
|
||||||
Source2: cbindgen-vendor.tar.xz
|
Source2: cbindgen-vendor.tar.xz
|
||||||
Source3: process-official-tarball
|
Source3: process-official-tarball
|
||||||
@ -179,7 +197,7 @@ Source21: firefox.sh.in
|
|||||||
Source23: firefox.1
|
Source23: firefox.1
|
||||||
Source24: mozilla-api-key
|
Source24: mozilla-api-key
|
||||||
Source25: firefox-symbolic.svg
|
Source25: firefox-symbolic.svg
|
||||||
Source26: distribution.ini
|
Source26: distribution.ini.in
|
||||||
Source27: google-api-key
|
Source27: google-api-key
|
||||||
Source30: firefox-x11.sh.in
|
Source30: firefox-x11.sh.in
|
||||||
Source31: firefox-x11.desktop
|
Source31: firefox-x11.desktop
|
||||||
@ -189,6 +207,11 @@ Source34: firefox-search-provider.ini
|
|||||||
Source35: google-loc-api-key
|
Source35: google-loc-api-key
|
||||||
Source36: testing.sh
|
Source36: testing.sh
|
||||||
Source37: mochitest-python.tar.gz
|
Source37: mochitest-python.tar.gz
|
||||||
|
Source38: wasi.patch.template
|
||||||
|
# Created by:
|
||||||
|
# git clone --recursive https://github.com/WebAssembly/wasi-sdk.git
|
||||||
|
# cd wasi-sdk && git-archive-all --force-submodules wasi-sdk-20.tar.gz
|
||||||
|
Source50: wasi-sdk-20.tar.gz
|
||||||
|
|
||||||
# Bundled libraries
|
# Bundled libraries
|
||||||
Source401: nss-setup-flags-env.inc
|
Source401: nss-setup-flags-env.inc
|
||||||
@ -236,6 +259,12 @@ Patch154: firefox-nss-addon-hack.patch
|
|||||||
# ARM run-time patch
|
# ARM run-time patch
|
||||||
Patch155: rhbz-1354671.patch
|
Patch155: rhbz-1354671.patch
|
||||||
|
|
||||||
|
# --- fips webrtc fix
|
||||||
|
Patch200: webrtc-128.0.patch.patch
|
||||||
|
Patch201: D224587.1728128070.diff
|
||||||
|
Patch202: D224588.1728128098.diff
|
||||||
|
Patch203: wasi.patch
|
||||||
|
|
||||||
# ---- Test patches ----
|
# ---- Test patches ----
|
||||||
# Generate without context by
|
# Generate without context by
|
||||||
# GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell
|
# GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell
|
||||||
@ -353,6 +382,11 @@ BuildRequires: xmlto
|
|||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if %{with wasi_sdk}
|
||||||
|
BuildRequires: lld
|
||||||
|
BuildRequires: clang cmake ninja-build
|
||||||
|
%endif
|
||||||
|
|
||||||
%if !0%{?flatpak}
|
%if !0%{?flatpak}
|
||||||
#TODO
|
#TODO
|
||||||
BuildRequires: system-bookmarks
|
BuildRequires: system-bookmarks
|
||||||
@ -407,10 +441,12 @@ BuildRequires: xorg-x11-server-Xvfb
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?use_gcc_ts}
|
%if 0%{?use_gcc_ts}
|
||||||
BuildRequires: gcc-toolset-13-runtime
|
BuildRequires: gcc-toolset-%{gts_version}-runtime
|
||||||
BuildRequires: gcc-toolset-13-binutils
|
BuildRequires: gcc-toolset-%{gts_version}-binutils
|
||||||
BuildRequires: gcc-toolset-13-gcc
|
BuildRequires: gcc-toolset-%{gts_version}-gcc
|
||||||
BuildRequires: gcc-toolset-13-gcc-plugin-annobin
|
BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin
|
||||||
|
# Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail
|
||||||
|
# when clang is upgraded to depend on a later toolset and adjust version.
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Requires: mozilla-filesystem
|
Requires: mozilla-filesystem
|
||||||
@ -1117,10 +1153,15 @@ echo "system_nss %{?system_nss}"
|
|||||||
echo "use_dts %{?use_dts}"
|
echo "use_dts %{?use_dts}"
|
||||||
echo "use_nodejs_scl %{?use_nodejs_scl}"
|
echo "use_nodejs_scl %{?use_nodejs_scl}"
|
||||||
echo "use_python3_scl %{?use_python3_scl}"
|
echo "use_python3_scl %{?use_python3_scl}"
|
||||||
|
echo "with_wasi_sdk %{?with_wasi_sdk}"
|
||||||
echo "--------------------------------------------"
|
echo "--------------------------------------------"
|
||||||
#clang -print-search-dirs
|
#clang -print-search-dirs
|
||||||
%setup -q -n %{name}-%{version}
|
%setup -q -n %{name}-%{version}
|
||||||
|
|
||||||
|
%if %{with wasi_sdk}
|
||||||
|
%setup -q -T -D -a 50
|
||||||
|
%endif
|
||||||
|
|
||||||
# ---- RHEL specific patches ---
|
# ---- RHEL specific patches ---
|
||||||
# -- Downstream only --
|
# -- Downstream only --
|
||||||
%patch -P1 -p1 -b .disable-elfhack
|
%patch -P1 -p1 -b .disable-elfhack
|
||||||
@ -1146,6 +1187,12 @@ echo "--------------------------------------------"
|
|||||||
%patch -P9 -p1 -b .rhbz-2131158-webrtc-nss-fix
|
%patch -P9 -p1 -b .rhbz-2131158-webrtc-nss-fix
|
||||||
%patch -P10 -p1 -b .build-ffvpx
|
%patch -P10 -p1 -b .build-ffvpx
|
||||||
|
|
||||||
|
# We need to create the wasi.patch with the correct path to the wasm libclang_rt.
|
||||||
|
%if %{with wasi_sdk}
|
||||||
|
export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a; cat %{SOURCE38} | envsubst > %{_sourcedir}/wasi.patch
|
||||||
|
%patch -P203 -p1 -b .wasi
|
||||||
|
%endif
|
||||||
|
|
||||||
# -- Upstreamed patches --
|
# -- Upstreamed patches --
|
||||||
%patch -P51 -p1 -b .mozilla-bmo1170092
|
%patch -P51 -p1 -b .mozilla-bmo1170092
|
||||||
|
|
||||||
@ -1170,6 +1217,13 @@ echo "--------------------------------------------"
|
|||||||
%patch -P155 -p1 -b .rhbz-1354671
|
%patch -P155 -p1 -b .rhbz-1354671
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# Fips webrtc patch
|
||||||
|
%ifnarch ppc64 ppc64le s390x
|
||||||
|
%patch -P200 -p1 -b .webrtc-128.0
|
||||||
|
%patch -P201 -p1 -b .D224587
|
||||||
|
%patch -P202 -p1 -b .D224588
|
||||||
|
%endif
|
||||||
|
|
||||||
# ---- Security patches ----
|
# ---- Security patches ----
|
||||||
|
|
||||||
%{__rm} -f .mozconfig
|
%{__rm} -f .mozconfig
|
||||||
@ -1250,6 +1304,13 @@ echo "ac_add_options --with-google-safebrowsing-api-keyfile=`pwd`/google-api-key
|
|||||||
# Clang 17 upstream's detection fails, tell it where to look.
|
# Clang 17 upstream's detection fails, tell it where to look.
|
||||||
echo "ac_add_options --with-libclang-path=`llvm-config --libdir`" >> .mozconfig
|
echo "ac_add_options --with-libclang-path=`llvm-config --libdir`" >> .mozconfig
|
||||||
|
|
||||||
|
%if %{with wasi_sdk}
|
||||||
|
echo "ac_add_options --with-wasi-sysroot=`pwd`/wasi-sdk-20/build/install/opt/wasi-sdk/share/wasi-sysroot" >> .mozconfig
|
||||||
|
%else
|
||||||
|
echo "ac_add_options --without-sysroot" >> .mozconfig
|
||||||
|
echo "ac_add_options --without-wasm-sandboxed-libraries" >> .mozconfig
|
||||||
|
%endif
|
||||||
|
|
||||||
echo 'export NODEJS="%{_buildrootdir}/bin/node-stdout-nonblocking-wrapper"' >> .mozconfig
|
echo 'export NODEJS="%{_buildrootdir}/bin/node-stdout-nonblocking-wrapper"' >> .mozconfig
|
||||||
|
|
||||||
# Remove executable bit to make brp-mangle-shebangs happy.
|
# Remove executable bit to make brp-mangle-shebangs happy.
|
||||||
@ -1265,6 +1326,15 @@ chmod a-x third_party/rust/ash/src/extensions/nv/*.rs
|
|||||||
# Disable LTO to work around rhbz#1883904
|
# Disable LTO to work around rhbz#1883904
|
||||||
%define _lto_cflags %{nil}
|
%define _lto_cflags %{nil}
|
||||||
|
|
||||||
|
#WASI SDK
|
||||||
|
%if %{with wasi_sdk}
|
||||||
|
pushd wasi-sdk-20
|
||||||
|
sed -i -e "s|VERSION=.*|VERSION=20|g" tar_from_installation.sh
|
||||||
|
cat tar_from_installation.sh
|
||||||
|
NINJA_FLAGS=-v CC=clang CXX=clang++ env -u CFLAGS -u CXXFLAGS -u FFLAGS -u VALFLAGS -u RUSTFLAGS -u LDFLAGS -u LT_SYS_LIBRARY_PATH make package
|
||||||
|
popd
|
||||||
|
%endif
|
||||||
|
|
||||||
export PATH="%{_buildrootdir}/bin:$PATH"
|
export PATH="%{_buildrootdir}/bin:$PATH"
|
||||||
# Cleanup buildroot for existing rpms from bundled nss/nspr and other packages
|
# Cleanup buildroot for existing rpms from bundled nss/nspr and other packages
|
||||||
rm -rf %{_buildrootdir}/*
|
rm -rf %{_buildrootdir}/*
|
||||||
@ -1352,7 +1422,7 @@ function install_rpms_to_current_dir() {
|
|||||||
# Enable toolsets
|
# Enable toolsets
|
||||||
set +e
|
set +e
|
||||||
%if 0%{?use_gcc_ts}
|
%if 0%{?use_gcc_ts}
|
||||||
source scl_source enable gcc-toolset-13
|
source scl_source enable gcc-toolset-%{gts_version}
|
||||||
%endif
|
%endif
|
||||||
%if 0%{?use_dts}
|
%if 0%{?use_dts}
|
||||||
source scl_source enable devtoolset-%{dts_version}
|
source scl_source enable devtoolset-%{dts_version}
|
||||||
@ -1718,7 +1788,11 @@ ln -s %{_datadir}/myspell %{buildroot}%{mozappdir}/dictionaries
|
|||||||
|
|
||||||
# Add distribution.ini
|
# Add distribution.ini
|
||||||
%{__mkdir_p} %{buildroot}%{mozappdir}/distribution
|
%{__mkdir_p} %{buildroot}%{mozappdir}/distribution
|
||||||
%{__cp} %{SOURCE26} %{buildroot}%{mozappdir}/distribution
|
%{__sed} -e "s/__NAME__/%(source /etc/os-release; echo ${NAME})/g" \
|
||||||
|
-e "s/__ID__/%(source /etc/os-release; echo ${ID})/g" \
|
||||||
|
-e "s/rhel/redhat/g" \
|
||||||
|
-e "s/Fedora.*/Fedora/g" \
|
||||||
|
%{SOURCE26} > %{buildroot}%{mozappdir}/distribution/distribution.ini
|
||||||
|
|
||||||
# Install appdata file
|
# Install appdata file
|
||||||
mkdir -p %{buildroot}%{_datadir}/metainfo
|
mkdir -p %{buildroot}%{_datadir}/metainfo
|
||||||
@ -1853,8 +1927,14 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
|||||||
#---------------------------------------------------------------------
|
#---------------------------------------------------------------------
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Oct 11 2024 Eduard Abdullin <eabdullin@almalinux.org> - 128.3.1-1.alma.1
|
* Mon Dec 02 2024 Eike Rathke <erack@redhat.com> - 128.5.1-1
|
||||||
- Debrand for AlmaLinux
|
- Update to 128.5.1
|
||||||
|
|
||||||
|
* Tue Nov 19 2024 Eike Rathke <erack@redhat.com> - 128.5.0-1
|
||||||
|
- Update to 128.5.0 build1
|
||||||
|
|
||||||
|
* Tue Oct 22 2024 Eike Rathke <erack@redhat.com> - 128.4.0-1
|
||||||
|
- Update to 128.4.0 build1
|
||||||
|
|
||||||
* Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1
|
* Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1
|
||||||
- Update to 128.3.1
|
- Update to 128.3.1
|
||||||
@ -2364,3 +2444,4 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
|||||||
|
|
||||||
* Thu Dec 8 2016 Jan Horak <jhorak@redhat.com> - 52.0-0.5
|
* Thu Dec 8 2016 Jan Horak <jhorak@redhat.com> - 52.0-0.5
|
||||||
- Firefox Aurora 52 testing build
|
- Firefox Aurora 52 testing build
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user