Compare commits
No commits in common. "c8s" and "c8" have entirely different histories.
7
.firefox.metadata
Normal file
7
.firefox.metadata
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
5012b69e54cbebe3b5e74011dacf3a2097f49921 SOURCES/cbindgen-vendor.tar.xz
|
||||||
|
6816817f0b3b42a13dfdc38af8c61dca46b54c13 SOURCES/firefox-128.3.1esr.processed-source.tar.xz
|
||||||
|
4641ad07664f375780e20200322bd5b45cd60ee8 SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz
|
||||||
|
2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
|
||||||
|
d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
||||||
|
f466d7213e85773e002c48897524eaf909480046 SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
||||||
|
0413d22a58ba1bba99acec9c3c2a4db56a4100c7 SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
92
.gitignore
vendored
92
.gitignore
vendored
@ -1,87 +1,7 @@
|
|||||||
SOURCES/cbindgen-vendor.tar.xz
|
SOURCES/cbindgen-vendor.tar.xz
|
||||||
SOURCES/firefox-102.8.0esr.b2.processed-source.tar.xz
|
SOURCES/firefox-128.3.1esr.processed-source.tar.xz
|
||||||
SOURCES/firefox-langpacks-102.8.0esr-20230214.tar.xz
|
SOURCES/firefox-langpacks-128.3.1esr-20241009.tar.xz
|
||||||
SOURCES/nspr-4.34.0-3.el8_1.src.rpm
|
SOURCES/mochitest-python.tar.gz
|
||||||
SOURCES/nss-3.79.0-6.el8_1.src.rpm
|
SOURCES/nspr-4.35.0-1.el8_1.src.rpm
|
||||||
/cbindgen-vendor.tar.xz
|
SOURCES/nss-3.101.0-7.el8_2.src.rpm
|
||||||
/nspr-4.34.0-3.el8_1.src.rpm
|
SOURCES/nss-3.101.0-7.el9_2.src.rpm
|
||||||
/nss-3.79.0-6.el8_1.src.rpm
|
|
||||||
/firefox-102.9.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-102.9.0esr-20230307.tar.xz
|
|
||||||
/firefox-102.9.0esr.b2.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-102.9.0esr-20230310.tar.xz
|
|
||||||
/nss-3.79.0-11.el8_1.src.rpm
|
|
||||||
/firefox-114.0b5.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-114.0b5-20230504.tar.xz
|
|
||||||
/firefox-115.0b2.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.0b2-20230504.tar.xz
|
|
||||||
/firefox-115.0b5.processed-source.tar.xz
|
|
||||||
/firefox-115.0b8.source.tar.xz
|
|
||||||
/firefox-langpacks-115.0b8-20230621.tar.xz
|
|
||||||
/firefox-115.0b8.processed-source.tar.xz
|
|
||||||
/firefox-115.0.2esr.source.tar.xz
|
|
||||||
/firefox-langpacks-115.0.2esr-20230717.tar.xz
|
|
||||||
/firefox-115.0.2esr.processed-source.tar.xz
|
|
||||||
/firefox-115.1.0esr.source.tar.xz
|
|
||||||
/firefox-langpacks-115.1.0esr-20230802.tar.xz
|
|
||||||
/nspr-4.35.0-1.el8_1.src.rpm
|
|
||||||
/nss-3.90.0-2.el8_1.src.rpm
|
|
||||||
/firefox-115.1.0esr.processed-source.tar.xz
|
|
||||||
/nss-3.90.0-2.fc38.src.rpm
|
|
||||||
/nss-3.90.0-3.el8_1.src.rpm
|
|
||||||
/firefox-115.2.0esr.source.tar.xz
|
|
||||||
/firefox-langpacks-115.2.0esr-20230904.tar.xz
|
|
||||||
/firefox-115.2.0esr.processed-source.tar.xz
|
|
||||||
/mochitest-python.tar.gz
|
|
||||||
/nss-3.90.0-3.el9_0.src.rpm
|
|
||||||
/firefox-115.3.0esr.source.tar.xz
|
|
||||||
/firefox-langpacks-115.3.0esr-20230921.tar.xz
|
|
||||||
/firefox-115.3.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.3.1esr-20230929.tar.xz
|
|
||||||
/firefox-115.3.1esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.4.0esr-20231017.tar.xz
|
|
||||||
/firefox-115.4.0esr.processed-source.tar.xz
|
|
||||||
/firefox-115.5.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.5.0esr-20231114.tar.xz
|
|
||||||
/firefox-115.6.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.6.0esr-20231212.tar.xz
|
|
||||||
/firefox-115.7.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.7.0esr-20240116.tar.xz
|
|
||||||
/firefox-115.8.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.8.0esr-20240213.tar.xz
|
|
||||||
/firefox-115.9.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.9.0esr-20240312.tar.xz
|
|
||||||
/firefox-115.9.0esr.b2.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.9.0esr-20240315.tar.xz
|
|
||||||
/firefox-115.9.1esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.9.1esr-20240322.tar.xz
|
|
||||||
/firefox-115.10.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-115.10.0esr-20240409.tar.xz
|
|
||||||
/firefox-128.0b2.source.tar.xz
|
|
||||||
/firefox-langpacks-128.0b2-20240613.tar.xz
|
|
||||||
/firefox-128.0b2.processed-source.tar.xz
|
|
||||||
/firefox-128.0b5.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.0b5-20240620.tar.xz
|
|
||||||
/firefox-128.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.0esr-20240709.tar.xz
|
|
||||||
/nss-3.101.0-6.el8_8.src.rpm
|
|
||||||
/nss-3.101.0-6.el9_2.src.rpm
|
|
||||||
/nss-3.101.0-6.fc40.src.rpm
|
|
||||||
/firefox-128.1.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.1.0esr-20240820.tar.xz
|
|
||||||
/nss-3.101.0-6.el9_0.src.rpm
|
|
||||||
/firefox-128.1esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.1esr-20240820.tar.xz
|
|
||||||
/firefox-128.1.0esr.source.tar.xz
|
|
||||||
/firefox-128.2.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.2.0esr-20240827.tar.xz
|
|
||||||
/nss-3.101.0-6.el8_0.src.rpm
|
|
||||||
/nss-3.101.0-6.el8_2.src.rpm
|
|
||||||
/firefox-128.3.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.3.0esr-20240924.tar.xz
|
|
||||||
/nss-3.101.0-7.el9_2.src.rpm
|
|
||||||
/nss-3.101.0-7.el8_2.src.rpm
|
|
||||||
/firefox-128.3.1esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.3.1esr-20241009.tar.xz
|
|
||||||
/firefox-128.4.0esr.processed-source.tar.xz
|
|
||||||
/firefox-langpacks-128.4.0esr-20241022.tar.xz
|
|
||||||
|
@ -1,50 +0,0 @@
|
|||||||
diff --git a/dom/media/webrtc/transport/nricectx.cpp b/dom/media/webrtc/transport/nricectx.cpp
|
|
||||||
--- a/dom/media/webrtc/transport/nricectx.cpp
|
|
||||||
+++ b/dom/media/webrtc/transport/nricectx.cpp
|
|
||||||
@@ -124,23 +124,30 @@
|
|
||||||
static int nr_crypto_nss_hmac(UCHAR* key, size_t keyl, UCHAR* buf, size_t bufl,
|
|
||||||
UCHAR* result) {
|
|
||||||
CK_MECHANISM_TYPE mech = CKM_SHA_1_HMAC;
|
|
||||||
PK11SlotInfo* slot = nullptr;
|
|
||||||
MOZ_ASSERT(keyl > 0);
|
|
||||||
- SECItem keyi = {siBuffer, key, static_cast<unsigned int>(keyl)};
|
|
||||||
+ CK_KEY_DERIVATION_STRING_DATA idkey = {key, keyl};
|
|
||||||
+ SECItem keyi = {siBuffer, (unsigned char*)&idkey, sizeof(idkey)};
|
|
||||||
+ PK11SymKey* tmpKey = nullptr;
|
|
||||||
PK11SymKey* skey = nullptr;
|
|
||||||
PK11Context* hmac_ctx = nullptr;
|
|
||||||
SECStatus status;
|
|
||||||
unsigned int hmac_len;
|
|
||||||
SECItem param = {siBuffer, nullptr, 0};
|
|
||||||
int err = R_INTERNAL;
|
|
||||||
|
|
||||||
slot = PK11_GetInternalKeySlot();
|
|
||||||
if (!slot) goto abort;
|
|
||||||
|
|
||||||
- skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap, CKA_SIGN, &keyi,
|
|
||||||
- nullptr);
|
|
||||||
+ // HMAC is used for hash calculation only so use derive instead of import
|
|
||||||
+ // to be FIPS compliant.
|
|
||||||
+ tmpKey = PK11_KeyGen(slot, mech, NULL, keyl, nullptr);
|
|
||||||
+ if (!tmpKey) goto abort;
|
|
||||||
+
|
|
||||||
+ skey = PK11_Derive(tmpKey, CKM_CONCATENATE_DATA_AND_BASE, &keyi, mech,
|
|
||||||
+ CKA_SIGN, keyl);
|
|
||||||
if (!skey) goto abort;
|
|
||||||
|
|
||||||
hmac_ctx = PK11_CreateContextBySymKey(mech, CKA_SIGN, skey, ¶m);
|
|
||||||
if (!hmac_ctx) goto abort;
|
|
||||||
|
|
||||||
@@ -157,10 +164,11 @@
|
|
||||||
|
|
||||||
err = 0;
|
|
||||||
|
|
||||||
abort:
|
|
||||||
if (hmac_ctx) PK11_DestroyContext(hmac_ctx, PR_TRUE);
|
|
||||||
+ if (tmpKey) PK11_FreeSymKey(tmpKey);
|
|
||||||
if (skey) PK11_FreeSymKey(skey);
|
|
||||||
if (slot) PK11_FreeSlot(slot);
|
|
||||||
|
|
||||||
return err;
|
|
||||||
}
|
|
||||||
|
|
@ -1,224 +0,0 @@
|
|||||||
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
|
||||||
--- a/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
|
||||||
+++ b/third_party/libsrtp/src/crypto/cipher/aes_gcm_nss.c
|
|
||||||
@@ -54,10 +54,11 @@
|
|
||||||
#include "crypto_types.h"
|
|
||||||
#include "cipher_types.h"
|
|
||||||
#include "cipher_test_cases.h"
|
|
||||||
#include <secerr.h>
|
|
||||||
#include <nspr.h>
|
|
||||||
+#include "nss_fips.h"
|
|
||||||
|
|
||||||
srtp_debug_module_t srtp_mod_aes_gcm = {
|
|
||||||
0, /* debugging is off by default */
|
|
||||||
"aes gcm nss" /* printable module name */
|
|
||||||
};
|
|
||||||
@@ -211,12 +212,17 @@
|
|
||||||
if (!slot) {
|
|
||||||
return (srtp_err_status_cipher_fail);
|
|
||||||
}
|
|
||||||
|
|
||||||
SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
|
|
||||||
- c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
|
||||||
- CKA_ENCRYPT, &key_item, NULL);
|
|
||||||
+ if (PK11_IsFIPS()) {
|
|
||||||
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
|
||||||
+ CKA_ENCRYPT, &key_item, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
|
|
||||||
+ CKA_ENCRYPT, &key_item, NULL);
|
|
||||||
+ }
|
|
||||||
PK11_FreeSlot(slot);
|
|
||||||
|
|
||||||
if (!c->key) {
|
|
||||||
return (srtp_err_status_cipher_fail);
|
|
||||||
}
|
|
||||||
diff --git a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
|
||||||
--- a/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
|
||||||
+++ b/third_party/libsrtp/src/crypto/cipher/aes_icm_nss.c
|
|
||||||
@@ -51,10 +51,11 @@
|
|
||||||
#include "crypto_types.h"
|
|
||||||
#include "err.h" /* for srtp_debug */
|
|
||||||
#include "alloc.h"
|
|
||||||
#include "cipher_types.h"
|
|
||||||
#include "cipher_test_cases.h"
|
|
||||||
+#include "nss_fips.h"
|
|
||||||
|
|
||||||
srtp_debug_module_t srtp_mod_aes_icm = {
|
|
||||||
0, /* debugging is off by default */
|
|
||||||
"aes icm nss" /* printable module name */
|
|
||||||
};
|
|
||||||
@@ -252,12 +253,17 @@
|
|
||||||
if (!slot) {
|
|
||||||
return srtp_err_status_bad_param;
|
|
||||||
}
|
|
||||||
|
|
||||||
SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size };
|
|
||||||
- c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
|
||||||
- CKA_ENCRYPT, &keyItem, NULL);
|
|
||||||
+ if (PK11_IsFIPS()) {
|
|
||||||
+ c->key = PK11_ImportSymKey_FIPS(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
|
||||||
+ CKA_ENCRYPT, &keyItem, NULL);
|
|
||||||
+ } else {
|
|
||||||
+ c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
|
|
||||||
+ CKA_ENCRYPT, &keyItem, NULL);
|
|
||||||
+ }
|
|
||||||
PK11_FreeSlot(slot);
|
|
||||||
|
|
||||||
if (!c->key) {
|
|
||||||
return srtp_err_status_cipher_fail;
|
|
||||||
}
|
|
||||||
diff --git a/third_party/libsrtp/src/crypto/include/nss_fips.h b/third_party/libsrtp/src/crypto/include/nss_fips.h
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/third_party/libsrtp/src/crypto/include/nss_fips.h
|
|
||||||
@@ -0,0 +1,148 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2024, Red Hat, Inc.
|
|
||||||
+ * All rights reserved.
|
|
||||||
+ *
|
|
||||||
+ * Redistribution and use in source and binary forms, with or without
|
|
||||||
+ * modification, are permitted provided that the following conditions
|
|
||||||
+ * are met:
|
|
||||||
+ *
|
|
||||||
+ * Redistributions of source code must retain the above copyright
|
|
||||||
+ * notice, this list of conditions and the following disclaimer.
|
|
||||||
+ *
|
|
||||||
+ * Redistributions in binary form must reproduce the above
|
|
||||||
+ * copyright notice, this list of conditions and the following
|
|
||||||
+ * disclaimer in the documentation and/or other materials provided
|
|
||||||
+ * with the distribution.
|
|
||||||
+ *
|
|
||||||
+ * Neither the name of the Red Hat, Inc. nor the names of its
|
|
||||||
+ * contributors may be used to endorse or promote products derived
|
|
||||||
+ * from this software without specific prior written permission.
|
|
||||||
+ *
|
|
||||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
||||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
||||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
||||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
||||||
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
|
||||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
||||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
||||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
||||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
||||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
||||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
||||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ Adapted from Red Hat Ceph patch by
|
|
||||||
+ Radoslaw Zarzynski <rzarzyns@redhat.com>
|
|
||||||
+
|
|
||||||
+ PK11_ImportSymKey() is a part of NSS API that becomes unavailable
|
|
||||||
+ in the FIPS mode. Apparently NSS targets stricter restrictions
|
|
||||||
+ than those coming from Level 1 of FIPS 140-2. In the consequence,
|
|
||||||
+ loading a symmetric key from plain keyring or key db fails.
|
|
||||||
+
|
|
||||||
+ A raw crypto key is in-memory wrapped with fresh, random wrapping
|
|
||||||
+ key just before being imported via PK11_UnwrapSymKey(). Of course,
|
|
||||||
+ this effectively lowers to FIPS level 1. Still, this would be no
|
|
||||||
+ different from what OpenSSL gives in the matter.
|
|
||||||
+*/
|
|
||||||
+
|
|
||||||
+#ifndef NSS_FIPS_H
|
|
||||||
+#define NSS_FIPS_H
|
|
||||||
+
|
|
||||||
+static PK11SymKey *PK11_ImportSymKey_FIPS(
|
|
||||||
+ PK11SlotInfo * const slot,
|
|
||||||
+ const CK_MECHANISM_TYPE type,
|
|
||||||
+ const PK11Origin origin,
|
|
||||||
+ const CK_ATTRIBUTE_TYPE operation,
|
|
||||||
+ SECItem * const raw_key,
|
|
||||||
+ void * const wincx)
|
|
||||||
+{
|
|
||||||
+ PK11SymKey* wrapping_key = NULL;
|
|
||||||
+ PK11Context *wrap_key_crypt_context = NULL;
|
|
||||||
+ SECItem *raw_key_aligned = NULL;
|
|
||||||
+ CK_MECHANISM_TYPE wrap_mechanism = 0;
|
|
||||||
+
|
|
||||||
+ struct {
|
|
||||||
+ unsigned char data[256];
|
|
||||||
+ int len;
|
|
||||||
+ } wrapped_key;
|
|
||||||
+
|
|
||||||
+ #define SCOPE_DATA_FREE() \
|
|
||||||
+ { \
|
|
||||||
+ PK11_FreeSymKey(wrapping_key); \
|
|
||||||
+ PK11_DestroyContext(wrap_key_crypt_context, PR_TRUE); \
|
|
||||||
+ SECITEM_FreeItem(raw_key_aligned, PR_TRUE); \
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if(raw_key->len > sizeof(wrapped_key.data)) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // getting 306 on my system which is CKM_DES3_ECB.
|
|
||||||
+ wrap_mechanism = PK11_GetBestWrapMechanism(slot);
|
|
||||||
+
|
|
||||||
+ // Generate a wrapping key. It will be used exactly twice over the scope:
|
|
||||||
+ // * to encrypt raw_key giving wrapped_key,
|
|
||||||
+ // * to decrypt wrapped_key in the internals of PK11_UnwrapSymKey().
|
|
||||||
+ wrapping_key = PK11_KeyGen(slot, wrap_mechanism, NULL,
|
|
||||||
+ PK11_GetBestKeyLength(slot, wrap_mechanism), NULL);
|
|
||||||
+ if (wrapping_key == NULL) {
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Prepare a PK11 context for the raw_key -> wrapped_key encryption.
|
|
||||||
+ SECItem tmp_sec_item;
|
|
||||||
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
|
|
||||||
+ wrap_key_crypt_context = PK11_CreateContextBySymKey(
|
|
||||||
+ wrap_mechanism,
|
|
||||||
+ CKA_ENCRYPT,
|
|
||||||
+ wrapping_key,
|
|
||||||
+ &tmp_sec_item);
|
|
||||||
+ if (wrap_key_crypt_context == NULL) {
|
|
||||||
+ SCOPE_DATA_FREE();
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Finally wrap the key. Important note is that the wrapping mechanism
|
|
||||||
+ // selection (read: just grabbing a cipher) offers, at least in my NSS
|
|
||||||
+ // copy, mostly CKM_*_ECB ciphers (with 3DES as the leading one, see
|
|
||||||
+ // wrapMechanismList[] in pk11mech.c). There is no CKM_*_*_PAD variant
|
|
||||||
+ // which means that plaintext we are providing to PK11_CipherOp() must
|
|
||||||
+ // be aligned to cipher's block size. For 3DES it's 64 bits.
|
|
||||||
+ raw_key_aligned = PK11_BlockData(raw_key, PK11_GetBlockSize(wrap_mechanism, NULL));
|
|
||||||
+ if (raw_key_aligned == NULL) {
|
|
||||||
+ SCOPE_DATA_FREE();
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (PK11_CipherOp(wrap_key_crypt_context, wrapped_key.data, &wrapped_key.len,
|
|
||||||
+ sizeof(wrapped_key.data), raw_key_aligned->data,
|
|
||||||
+ raw_key_aligned->len) != SECSuccess) {
|
|
||||||
+ SCOPE_DATA_FREE();
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (PK11_Finalize(wrap_key_crypt_context) != SECSuccess) {
|
|
||||||
+ SCOPE_DATA_FREE();
|
|
||||||
+ return NULL;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ // Key is wrapped now so we can acquire the ultimate PK11SymKey through
|
|
||||||
+ // unwrapping it. Of course these two opposite operations form NOP with
|
|
||||||
+ // a side effect: FIPS level 1 compatibility.
|
|
||||||
+ memset(&tmp_sec_item, 0, sizeof(tmp_sec_item));
|
|
||||||
+
|
|
||||||
+ SECItem wrapped_key_item;
|
|
||||||
+ memset(&wrapped_key_item, 0, sizeof(wrapped_key_item));
|
|
||||||
+ wrapped_key_item.data = wrapped_key.data;
|
|
||||||
+ wrapped_key_item.len = wrapped_key.len;
|
|
||||||
+
|
|
||||||
+ PK11SymKey *ret = PK11_UnwrapSymKey(wrapping_key, wrap_mechanism,
|
|
||||||
+ &tmp_sec_item, &wrapped_key_item, type,
|
|
||||||
+ operation, raw_key->len);
|
|
||||||
+ SCOPE_DATA_FREE();
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+#endif // NSS_FIPS_H
|
|
||||||
|
|
9
SOURCES/distribution.ini
Normal file
9
SOURCES/distribution.ini
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
[Global]
|
||||||
|
id=redhat
|
||||||
|
version=1.0
|
||||||
|
about=Mozilla Firefox for Red Hat Enterprise Linux
|
||||||
|
|
||||||
|
[Preferences]
|
||||||
|
app.distributor=redhat
|
||||||
|
app.distributor.channel=redhat
|
||||||
|
app.partner.redhat=redhat
|
Before Width: | Height: | Size: 2.2 KiB After Width: | Height: | Size: 2.2 KiB |
@ -137,8 +137,8 @@ end}
|
|||||||
|
|
||||||
Summary: Mozilla Firefox Web browser
|
Summary: Mozilla Firefox Web browser
|
||||||
Name: firefox
|
Name: firefox
|
||||||
Version: 128.4.0
|
Version: 128.3.1
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
URL: https://www.mozilla.org/firefox/
|
URL: https://www.mozilla.org/firefox/
|
||||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||||
|
|
||||||
@ -168,7 +168,7 @@ ExcludeArch: aarch64 s390 ppc
|
|||||||
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
|
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
|
||||||
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
|
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
|
||||||
%if %{with langpacks}
|
%if %{with langpacks}
|
||||||
Source1: firefox-langpacks-%{version}%{?pre_version}-20241022.tar.xz
|
Source1: firefox-langpacks-%{version}%{?pre_version}-20241009.tar.xz
|
||||||
%endif
|
%endif
|
||||||
Source2: cbindgen-vendor.tar.xz
|
Source2: cbindgen-vendor.tar.xz
|
||||||
Source3: process-official-tarball
|
Source3: process-official-tarball
|
||||||
@ -179,7 +179,7 @@ Source21: firefox.sh.in
|
|||||||
Source23: firefox.1
|
Source23: firefox.1
|
||||||
Source24: mozilla-api-key
|
Source24: mozilla-api-key
|
||||||
Source25: firefox-symbolic.svg
|
Source25: firefox-symbolic.svg
|
||||||
Source26: distribution.ini.in
|
Source26: distribution.ini
|
||||||
Source27: google-api-key
|
Source27: google-api-key
|
||||||
Source30: firefox-x11.sh.in
|
Source30: firefox-x11.sh.in
|
||||||
Source31: firefox-x11.desktop
|
Source31: firefox-x11.desktop
|
||||||
@ -236,12 +236,6 @@ Patch154: firefox-nss-addon-hack.patch
|
|||||||
# ARM run-time patch
|
# ARM run-time patch
|
||||||
Patch155: rhbz-1354671.patch
|
Patch155: rhbz-1354671.patch
|
||||||
|
|
||||||
# --- fips webrtc fix
|
|
||||||
Patch200: webrtc-128.0.patch.patch
|
|
||||||
Patch201: D224587.1728128070.diff
|
|
||||||
Patch202: D224588.1728128098.diff
|
|
||||||
|
|
||||||
|
|
||||||
# ---- Test patches ----
|
# ---- Test patches ----
|
||||||
# Generate without context by
|
# Generate without context by
|
||||||
# GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell
|
# GENDIFF_DIFF_ARGS=-U0 gendiff firefox-xxxx .firefox-tests-xpcshell
|
||||||
@ -1176,14 +1170,6 @@ echo "--------------------------------------------"
|
|||||||
%patch -P155 -p1 -b .rhbz-1354671
|
%patch -P155 -p1 -b .rhbz-1354671
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Fips webrtc patch
|
|
||||||
%ifnarch ppc64 ppc64le s390x
|
|
||||||
%patch -P200 -p1 -b .webrtc-128.0
|
|
||||||
%patch -P201 -p1 -b .D224587
|
|
||||||
%patch -P202 -p1 -b .D224588
|
|
||||||
%endif
|
|
||||||
|
|
||||||
|
|
||||||
# ---- Security patches ----
|
# ---- Security patches ----
|
||||||
|
|
||||||
%{__rm} -f .mozconfig
|
%{__rm} -f .mozconfig
|
||||||
@ -1732,11 +1718,14 @@ ln -s %{_datadir}/myspell %{buildroot}%{mozappdir}/dictionaries
|
|||||||
|
|
||||||
# Add distribution.ini
|
# Add distribution.ini
|
||||||
%{__mkdir_p} %{buildroot}%{mozappdir}/distribution
|
%{__mkdir_p} %{buildroot}%{mozappdir}/distribution
|
||||||
%{__sed} -e "s/__NAME__/%(source /etc/os-release; echo ${NAME})/g" \
|
%{__cp} %{SOURCE26} %{buildroot}%{mozappdir}/distribution
|
||||||
-e "s/__ID__/%(source /etc/os-release; echo ${ID})/g" \
|
|
||||||
-e "s/rhel/redhat/g" \
|
# CentOS
|
||||||
-e "s/Fedora.*/Fedora/g" \
|
%if 0%{?centos}
|
||||||
%{SOURCE26} > %{buildroot}%{mozappdir}/distribution/distribution.ini
|
%{__sed} -ie 's/redhat/centos/g' %{buildroot}%{mozappdir}/distribution
|
||||||
|
(source /etc/os-release; %{__sed} -ie 's/Red Hat Enterprise Linux/$NAME/' %{buildroot}%{mozappdir}/distribution)
|
||||||
|
cat %{buildroot}%{mozappdir}/distribution
|
||||||
|
%endif
|
||||||
|
|
||||||
# Install appdata file
|
# Install appdata file
|
||||||
mkdir -p %{buildroot}%{_datadir}/metainfo
|
mkdir -p %{buildroot}%{_datadir}/metainfo
|
||||||
@ -1871,9 +1860,6 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
|||||||
#---------------------------------------------------------------------
|
#---------------------------------------------------------------------
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Oct 22 2024 Eike Rathke <erack@redhat.com> - 128.4.0-1
|
|
||||||
- Update to 128.4.0 build1
|
|
||||||
|
|
||||||
* Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1
|
* Wed Oct 09 2024 Jan Horak <jhorak@redhat.com> - 128.3.1-1
|
||||||
- Update to 128.3.1
|
- Update to 128.3.1
|
||||||
|
|
@ -1,9 +0,0 @@
|
|||||||
[Global]
|
|
||||||
id=__ID__
|
|
||||||
version=1.0
|
|
||||||
about=Mozilla Firefox for __NAME__
|
|
||||||
|
|
||||||
[Preferences]
|
|
||||||
app.distributor=__ID__
|
|
||||||
app.distributor.channel=__ID__
|
|
||||||
app.partner.__ID__=__ID__
|
|
@ -1,6 +0,0 @@
|
|||||||
--- !Policy
|
|
||||||
product_versions:
|
|
||||||
- rhel-8
|
|
||||||
decision_context: osci_compose_gate
|
|
||||||
rules:
|
|
||||||
- !PassingTestCaseRule {test_case_name: desktop-qe.desktop-ci.tier1-gating.functional}
|
|
@ -1,32 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
set -x
|
|
||||||
|
|
||||||
# Dummy Cargo.toml file with cbindgen dependency
|
|
||||||
cat > Cargo.toml <<EOL
|
|
||||||
[package]
|
|
||||||
name = "dummy"
|
|
||||||
version = "0.0.1"
|
|
||||||
description = """
|
|
||||||
This is a dummy package which contains dependency on cbindgen
|
|
||||||
to be used with 'cargo vendor' commmand.
|
|
||||||
"""
|
|
||||||
|
|
||||||
[dependencies]
|
|
||||||
cbindgen = "0.26.0"
|
|
||||||
|
|
||||||
[[bin]]
|
|
||||||
name = "dummy"
|
|
||||||
path = "dummy.rs"
|
|
||||||
doc = false
|
|
||||||
EOL
|
|
||||||
|
|
||||||
cargo install cargo-vendor
|
|
||||||
cargo vendor
|
|
||||||
|
|
||||||
cd vendor
|
|
||||||
tar -cJf ../cbindgen-vendor.tar.xz *
|
|
||||||
cd ..
|
|
||||||
|
|
||||||
rm -f Cargo.toml
|
|
||||||
rm -rf vendor
|
|
||||||
|
|
@ -1,14 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
# Get the list of the compiled bundled rust crates.
|
|
||||||
# Usage: $0 build.log
|
|
||||||
|
|
||||||
if [ -z $1 ]; then
|
|
||||||
echo Get the list of the compiled bundled rust crates.
|
|
||||||
echo Usage: $0 build.log
|
|
||||||
exit
|
|
||||||
fi
|
|
||||||
while read LINE; do
|
|
||||||
name=`echo $LINE | cut -d\ -f1`
|
|
||||||
version=`echo $LINE | cut -d\ -f2|sed -e 's/^v//g'`
|
|
||||||
echo "Provides: bundled(crate($name)) = $version"
|
|
||||||
done < <(cat $1 |grep "[0-9]*[ ]*Compiling [a-z]"|sed -e 's/.*Compiling //'g| sort|uniq)
|
|
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
inspections:
|
|
||||||
# this inspection is taking way too long and causing timeouts
|
|
||||||
abidiff: off
|
|
||||||
# the badfunc is triggered by inet_addr and inet_ntoa which is in the third party
|
|
||||||
# libraries bundled to firefox sources.
|
|
||||||
badfuncs:
|
|
||||||
allowed:
|
|
||||||
/usr/lib64/firefox/libxul.so:
|
|
||||||
- inet_addr
|
|
||||||
- inet_ntoa
|
|
||||||
# We don't plan to build Firefox with the LTO because it brings more problems
|
|
||||||
# than benefits to the package.
|
|
||||||
annocheck:
|
|
||||||
- hardened: --ignore-unknown --verbose --skip-lto --skip-cf-protection --skip-property-note
|
|
||||||
runpath:
|
|
||||||
# rpath to bundled content
|
|
||||||
allowed_paths:
|
|
||||||
- /usr/lib64/firefox/bundled/lib64
|
|
7
sources
7
sources
@ -1,7 +0,0 @@
|
|||||||
SHA512 (mochitest-python.tar.gz) = 089b1593068b76f4572af0086eaccf52a6a1299bfffb58593206d19bf021ae381f2380bbfeb4371586cd53706ff6dde3d240238b2caf19b96c57dfc2f4524e36
|
|
||||||
SHA512 (cbindgen-vendor.tar.xz) = 0c7a40033ccd38dadd30ad064feef390444af4562be07d3dfd0c4cccc55821b01b5228ddee367d0af3bd1b4ef9b1552cdd104506579b020ac1940a7c536b8b68
|
|
||||||
SHA512 (nspr-4.35.0-1.el8_1.src.rpm) = 5123a443fcc42602e31104999be339ae899eb7b1f1e2f1ea87ba4f283eb894d08ab568e421dba1df4770f23be91ff88aa6a0748bce7feef31ed88bee5bdecb2c
|
|
||||||
SHA512 (nss-3.101.0-7.el9_2.src.rpm) = 7c325e0e437c1266031af02b3a026d20b789548ae435be6c39d710aa9d19c967ac0a79097fd50dd8ab878bf0d72c19e937d54863aa8cd0654ef2ef288e3102ec
|
|
||||||
SHA512 (nss-3.101.0-7.el8_2.src.rpm) = c25551b06cf9239bb54aaf3edaea2c60804b449de4e06af4f5192bc181b5c6468ea8a69ddeff9de1b11bfc123e894b1ce8fc5d6deddfd5062f8736b75db56f8d
|
|
||||||
SHA512 (firefox-128.4.0esr.processed-source.tar.xz) = b1bb73f1ba8a05a72717b0ebb3de5a7da5c55552e62c1a735e862e9dbfe77c7fc6aa201a722bdddd74b8f90e28d3b26b98417cf163c3b1398992fea45762ceaa
|
|
||||||
SHA512 (firefox-langpacks-128.4.0esr-20241022.tar.xz) = 6b2637b0b6785a5520af01e5ccd3f7fea1c50c33f88dcc5a915ec169f0c0a85d16eb92e732d2be97b0524f92cfacf136fde1dcd6679e84d75ebaba09bda2484c
|
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user