Resolves: #2141558 Use openssl for the librnp crypto backend to enable the openpgp encryption

Jan Horak 2022-11-29 13:29:57 +01:00 committed by Eike Rathke
parent 0c4499a3d5
commit 8eeb287107
17 changed files with 39853 additions and 4 deletions

322
D161379.diff Normal file

@ -0,0 +1,322 @@
diff -up comm/third_party/moz.build.D161379.diff comm/third_party/moz.build
--- comm/third_party/moz.build.D161379.diff 2022-10-14 21:45:15.000000000 +0200
+++ comm/third_party/moz.build 2022-11-10 11:49:44.194016978 +0100
@@ -11,9 +11,11 @@ if CONFIG["TB_LIBOTR_PREBUILT"]:
if CONFIG["MZLA_LIBRNP"]:
DIRS += [
- "botan",
"bzip2",
"json-c",
"rnp",
"zlib",
]
+ if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ DIRS += [ "botan" ]
+
diff -up comm/third_party/openpgp.configure.D161379.diff comm/third_party/openpgp.configure
--- comm/third_party/openpgp.configure.D161379.diff 2022-11-10 11:49:37.605024129 +0100
+++ comm/third_party/openpgp.configure 2022-11-10 11:49:44.194016978 +0100
@@ -199,16 +199,136 @@ with only_when(in_tree_librnp):
set_config("MZLA_BZIP2_CFLAGS", bzip2_flags.cflags)
set_config("MZLA_BZIP2_LIBS", bzip2_flags.ldflags)
- # BOTAN --with-system-botan
- system_lib_option(
- "--with-system-botan",
- help="Use system Botan for librnp (located with pkgconfig)",
- )
-
- botan_pkg = pkg_check_modules(
- "MZLA_BOTAN", "botan-2 >= 2.8.0", when="--with-system-botan"
- )
- set_config("MZLA_SYSTEM_BOTAN", depends_if(botan_pkg)(lambda _: True))
+ # librnp crypto backend selection
+ option("--with-librnp-backend",
+ help="Build librnp with the selected backend: {botan, openssl}",
+ default="botan")
+
+ @depends("--with-librnp-backend")
+ def librnp_backend(backend):
+ allowed = ("botan", "openssl")
+ if backend[0] in allowed:
+ return backend[0]
+ else:
+ die(f"Unsupported librnp backend {backend[0]}.")
+
+ set_config("MZLA_LIBRNP_BACKEND", librnp_backend)
+
+ @depends(librnp_backend)
+ def rnp_botan(backend):
+ return backend == "botan"
+
+ @depends(librnp_backend)
+ def rnp_openssl(backend):
+ return backend == "openssl"
+
+ # Botan backend (--with-system-botan)
+ with only_when(rnp_botan):
+ system_lib_option(
+ "--with-system-botan",
+ help="Use system Botan for librnp (located with pkgconfig)",
+ )
+
+ botan_pkg = pkg_check_modules(
+ "MZLA_BOTAN", "botan-2 >= 2.8.0", when="--with-system-botan"
+ )
+ set_config("MZLA_SYSTEM_BOTAN", depends_if(botan_pkg)(lambda _: True))
+
+
+ # OpenSSL backend
+ with only_when(rnp_openssl):
+ option(
+ "--with-openssl",
+ nargs=1,
+ help="OpenSSL library prefix (when not found by pkgconfig)"
+ )
+ openssl_pkg = pkg_check_modules(
+ "MZLA_LIBRNP_OPENSSL",
+ "openssl > 1.1.1",
+ allow_missing=True,
+ config=False
+ )
+ @depends_if("--with-openssl", openssl_pkg)
+ @imports(_from="os.path", _import="isdir")
+ @imports(_from="os.path", _import="join")
+ def openssl_flags(openssl_prefix, openssl_pkg):
+ if openssl_prefix:
+ openssl_prefix = openssl_prefix[0]
+ include = join(openssl_prefix, "include")
+ lib = join(openssl_prefix, "lib")
+ if not isdir(lib):
+ lib = join(openssl_prefix, "lib64")
+ if isdir(include) and isdir(lib):
+ log.info(f"Using OpenSSL at {openssl_prefix}.")
+ return namespace(
+ cflags=(f"-I{include}",),
+ ldflags=(f"-L{lib}", "-lssl", "-lcrypto"),
+ )
+ if openssl_pkg:
+ return namespace(
+ cflags=openssl_pkg.cflags,
+ ldflags=openssl_pkg.libs,
+ )
+ set_config("MZLA_LIBRNP_OPENSSL_CFLAGS", openssl_flags.cflags)
+ set_config("MZLA_LIBRNP_OPENSSL_LIBS", openssl_flags.ldflags)
+
+
+ @depends(c_compiler, openssl_flags)
+ @imports(_from="textwrap", _import="dedent")
+ def openssl_version(compiler, openssl_flags):
+ log.info("Checking for OpenSSL >= 1.1.1")
+ if openssl_flags is None:
+ die("OpenSSL not found. Must be locatable with pkg-config or use --with-openssl.")
+
+ def ossl_hexver(hex_str):
+ # See opensshlv.h for description of OPENSSL_VERSION_NUMBER
+ MIN_OSSL_VER = 0x1010100f # Version 1.1.1
+ ver_as_int = int(hex_str[:-1], 16)
+ ossl_major = (ver_as_int & 0xf0000000) >> 28
+ ossl_minor = (ver_as_int & 0x0ff00000) >> 20
+ ossl_fix = (ver_as_int & 0x000ff000) >> 12
+ ossl_patch = chr(96 + (ver_as_int & 0x00000ff0) >> 4) # as a letter a-z
+ ver_as_str = f"{ossl_major}.{ossl_minor}.{ossl_fix}{ossl_patch}"
+ if ver_as_int < MIN_OSSL_VER:
+ die(f"OpenSSL version {ver_as_str} is too old.")
+ return ver_as_str
+
+ check = dedent(
+ """\
+ #include <openssl/opensslv.h>
+ #ifdef OPENSSL_VERSION_STR
+ OPENSSL_VERSION_STR
+ #elif defined(OPENSSL_VERSION_NUMBER)
+ OPENSSL_VERSION_NUMBER
+ #else
+ #error Unable to determine OpenSSL version.
+ #endif
+ """
+ )
+ result = try_preprocess(
+ compiler.wrapper
+ + [compiler.compiler]
+ + compiler.flags
+ + list(openssl_flags.cflags),
+ "C",
+ check
+ )
+ if result:
+ openssl_ver = result.splitlines()[-1]
+ if openssl_ver.startswith("0x"):
+ # OpenSSL 1.x.x - like 0x1010107fL
+ openssl_ver = ossl_hexver(openssl_ver)
+ else:
+ # OpenSSL 3.x.x - quoted version like "3.0.7"
+ openssl_ver = openssl_ver.replace('"', "")
+ major_version = openssl_ver.split(".")[0]
+ if major_version != "3":
+ die("Unrecognized OpenSSL version {openssl_version} found. Require >= 1.1.1 or 3.x.x")
+
+ log.info(f"Found OpenSSL {openssl_ver}.")
+ return openssl_ver
+
+ set_config("MZLA_LIBRNP_OPENSSL_VERSION", openssl_version)
# Checks for building librnp itself
# =================================
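Review bot: In `ossl_hexver`, `chr(96 + (ver_as_int & 0x00000ff0) >> 4)` applies the shift after the addition because `+` binds tighter than `>>`, so the patch letter is wrong (for 0x1010107f it yields chr(13), a carriage return, which then ends up in MZLA_LIBRNP_OPENSSL_VERSION); it should read `ossl_patch = chr(96 + ((ver_as_int & 0x00000ff0) >> 4))`, with a zero patch level handled separately. The `die("Unrecognized OpenSSL version {openssl_version} found. ...")` call has no `f` prefix and names the function rather than the local, so it should be `die(f"Unrecognized OpenSSL version {openssl_ver} found. Require >= 1.1.1 or 3.x.x")`. The pkg-config requirement `"openssl > 1.1.1"` also disagrees with the `>= 1.1.1` stated in the log message and implied by MIN_OSSL_VER. In `openssl_flags`, a `--with-openssl` prefix whose include or lib directory is missing falls through silently to the pkg-config result, so the build can link a different OpenSSL than the one the packager named; a `die` in that case would make the mismatch visible.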
diff -up comm/third_party/rnp/moz.build.D161379.diff comm/third_party/rnp/moz.build
--- comm/third_party/rnp/moz.build.D161379.diff 2022-11-10 11:49:43.682017534 +0100
+++ comm/third_party/rnp/moz.build 2022-11-10 11:51:22.878909880 +0100
@@ -36,17 +36,53 @@ if CONFIG["CC_TYPE"] == "clang-cl":
"/EHs",
]
+LOCAL_INCLUDES = [
+ "include",
+ "src",
+ "src/common",
+ "src/lib",
+]
+
+IQuote(
+ "{}/src/lib".format(OBJDIR),
+ "{}/src/lib".format(SRCDIR),
+)
+
+# Set up defines for src/lib/config.h
rnp_defines = {
"HAVE_BZLIB_H": True,
"HAVE_ZLIB_H": True,
- "CRYPTO_BACKEND_OPENSSL": True,
- "ENABLE_AEAD": True,
- "ENABLE_TWOFISH": True,
- "ENABLE_BRAINPOOL": True,
"ENABLE_IDEA": True,
"PACKAGE_BUGREPORT": '"https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird"',
"PACKAGE_STRING": '"rnp {}"'.format(CONFIG["MZLA_LIBRNP_FULL_VERSION"])
}
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ LOCAL_INCLUDES += ["!../botan/build/include"]
+ if CONFIG["MZLA_SYSTEM_BOTAN"]:
+ CXXFLAGS += CONFIG["MZLA_BOTAN_CFLAGS"]
+
+ rnp_defines.update({
+ "CRYPTO_BACKEND_BOTAN": True,
+ "ENABLE_AEAD": True,
+ "ENABLE_TWOFISH": True,
+ "ENABLE_BRAINPOOL": True,
+ })
+elif CONFIG["MZLA_LIBRNP_BACKEND"] == "openssl":
+ CXXFLAGS += CONFIG["MZLA_LIBRNP_OPENSSL_CFLAGS"]
+ OS_LIBS += CONFIG["MZLA_LIBRNP_OPENSSL_LIBS"]
+
+ rnp_defines.update({
+ "CRYPTO_BACKEND_OPENSSL": True,
+ # Not supported with RNP+OpenSSL https://github.com/rnpgp/rnp/issues/1642
+ "ENABLE_AEAD": False,
+ # Not supported by OpenSSL https://github.com/openssl/openssl/issues/2046
+ "ENABLE_TWOFISH": False,
+ # Supported, but not with RHEL's OpenSSL, disabled for now;
+ "ENABLE_BRAINPOOL": False,
+ })
+ if CONFIG["MZLA_LIBRNP_OPENSSL_VERSION"][0] == "3":
+ rnp_defines["CRYPTO_BACKEND_OPENSSL3"] = True
+
GeneratedFile(
"src/lib/config.h",
script="/comm/python/rocbuild/process_cmake_define_files.py",
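Review bot: The `False` values in the OpenSSL branch (`"ENABLE_AEAD": False`, `"ENABLE_TWOFISH": False`, `"ENABLE_BRAINPOOL": False`) may not disable anything. With the flags expression shown in the D157152 patch on this page (`"1" if v is True else v`, no filter) they are passed as `-DENABLE_AEAD=False`, and process_cmake_define_file rewrites a matching `#cmakedefine` into `#define ENABLE_AEAD False`, which `#ifdef`/`defined()` still treats as set. The GeneratedFile flags are outside this hunk, so confirm they skip false values, for example by adding `if v is not False` to that comprehension, or leave the three keys out of `rnp_defines` for OpenSSL. Separately, the botan branch now adds `!../botan/build/include` unconditionally, whereas the removed code added it only when `MZLA_SYSTEM_BOTAN` was unset; with a system Botan this puts in-tree headers on the include path alongside the system library, so the `LOCAL_INCLUDES` line probably belongs in an `else:`.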
@@ -57,23 +93,6 @@ GeneratedFile(
],
)
-LOCAL_INCLUDES = [
- "include",
- "src",
- "src/common",
- "src/lib",
-]
-
-IQuote(
- "{}/src/lib".format(OBJDIR),
- "{}/src/lib".format(SRCDIR),
-)
-
-if CONFIG["MZLA_SYSTEM_BOTAN"]:
- CXXFLAGS += CONFIG["MZLA_BOTAN_CFLAGS"]
-else:
- LOCAL_INCLUDES += ["!../botan/build/include"]
-
if CONFIG["MOZ_SYSTEM_ZLIB"]:
CXXFLAGS += CONFIG["MOZ_ZLIB_CFLAGS"]
else:
@@ -109,29 +128,16 @@ SOURCES += [
"src/common/time-utils.cpp",
"src/lib/crypto.cpp",
"src/lib/crypto/backend_version.cpp",
- "src/lib/crypto/bn.cpp",
"src/lib/crypto/cipher.cpp",
- "src/lib/crypto/cipher_botan.cpp",
- "src/lib/crypto/dsa.cpp",
- "src/lib/crypto/ec.cpp",
"src/lib/crypto/ec_curves.cpp",
- "src/lib/crypto/ecdh.cpp",
"src/lib/crypto/ecdh_utils.cpp",
- "src/lib/crypto/ecdsa.cpp",
- "src/lib/crypto/eddsa.cpp",
- "src/lib/crypto/elgamal.cpp",
- "src/lib/crypto/hash.cpp",
"src/lib/crypto/hash_common.cpp",
"src/lib/crypto/hash_sha1cd.cpp",
- "src/lib/crypto/mem.cpp",
"src/lib/crypto/mpi.cpp",
- "src/lib/crypto/rng.cpp",
- "src/lib/crypto/rsa.cpp",
"src/lib/crypto/s2k.cpp",
"src/lib/crypto/sha1cd/sha1.c",
"src/lib/crypto/sha1cd/ubc_check.c",
"src/lib/crypto/signatures.cpp",
- "src/lib/crypto/symmetric.cpp",
"src/lib/fingerprint.cpp",
"src/lib/generate-key.cpp",
"src/lib/json-utils.cpp",
@@ -159,4 +165,40 @@ SOURCES += [
"src/librepgp/stream-write.cpp",
]
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "botan":
+ SOURCES += [
+ "src/lib/crypto/bn.cpp",
+ "src/lib/crypto/cipher_botan.cpp",
+ "src/lib/crypto/dsa.cpp",
+ "src/lib/crypto/ec.cpp",
+ "src/lib/crypto/ecdh.cpp",
+ "src/lib/crypto/ecdsa.cpp",
+ "src/lib/crypto/eddsa.cpp",
+ "src/lib/crypto/elgamal.cpp",
+ "src/lib/crypto/hash.cpp",
+ "src/lib/crypto/mem.cpp",
+ "src/lib/crypto/rng.cpp",
+ "src/lib/crypto/rsa.cpp",
+ "src/lib/crypto/symmetric.cpp",
+ ]
+if CONFIG["MZLA_LIBRNP_BACKEND"] == "openssl":
+ SOURCES += [
+ "src/lib/crypto/bn_ossl.cpp",
+ "src/lib/crypto/cipher_ossl.cpp",
+ "src/lib/crypto/dl_ossl.cpp",
+ "src/lib/crypto/dsa_ossl.cpp",
+ "src/lib/crypto/ec_ossl.cpp",
+ "src/lib/crypto/ecdh_ossl.cpp",
+ "src/lib/crypto/ecdsa_ossl.cpp",
+ "src/lib/crypto/eddsa_ossl.cpp",
+ "src/lib/crypto/elgamal_ossl.cpp",
+ "src/lib/crypto/hash_crc24.cpp",
+ "src/lib/crypto/hash_ossl.cpp",
+ "src/lib/crypto/mem_ossl.cpp",
+ "src/lib/crypto/rng_ossl.cpp",
+ "src/lib/crypto/rsa_ossl.cpp",
+ "src/lib/crypto/s2k_ossl.cpp",
+ "src/lib/crypto/symmetric_ossl.cpp",
+ ]
+
DIRS += ["src/rnp", "src/rnpkeys"]

49
D161895.diff Normal file

@ -0,0 +1,49 @@
diff --git a/third_party/openpgp.configure b/third_party/openpgp.configure
--- a/third_party/openpgp.configure
+++ b/third_party/openpgp.configure
@@ -198,21 +198,27 @@
)
set_config("MZLA_BZIP2_CFLAGS", bzip2_flags.cflags)
set_config("MZLA_BZIP2_LIBS", bzip2_flags.ldflags)
# librnp crypto backend selection
+ @depends(target_is_linux)
+ def librnp_backend_choices(is_linux):
+ if is_linux:
+ return ("botan", "openssl")
+ else:
+ return ("botan",)
+
option("--with-librnp-backend",
- help="Build librnp with the selected backend: {botan, openssl}",
+ help="Build librnp with the selected backend",
+ choices=librnp_backend_choices,
+ nargs=1,
default="botan")
@depends("--with-librnp-backend")
def librnp_backend(backend):
- allowed = ("botan", "openssl")
- if backend[0] in allowed:
+ if backend:
return backend[0]
- else:
- die(f"Unsupported librnp backend {backend[0]}.")
set_config("MZLA_LIBRNP_BACKEND", librnp_backend)
@depends(librnp_backend)
def rnp_botan(backend):
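Review bot: `librnp_backend` now returns None when the option value is empty (`if backend:` has no `else`), so a negated option such as `--without-librnp-backend` would presumably leave MZLA_LIBRNP_BACKEND unset and both `rnp_botan` and `rnp_openssl` false instead of stopping at configure time. Since `choices=` now rejects invalid names, an explicit `else: die("A librnp backend must be selected.")` would keep the no-backend case from surfacing later as a librnp build with no crypto sources. `rnp_botan` and the functions after it continue outside the hunk.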
@@ -273,10 +279,11 @@
set_config("MZLA_LIBRNP_OPENSSL_LIBS", openssl_flags.ldflags)
@depends(c_compiler, openssl_flags)
@imports(_from="textwrap", _import="dedent")
+ @imports(_from="__builtin__", _import="chr")
def openssl_version(compiler, openssl_flags):
log.info("Checking for OpenSSL >= 1.1.1")
if openssl_flags is None:
die("OpenSSL not found. Must be locatable with pkg-config or use --with-openssl.")


@ -0,0 +1,81 @@
# HG changeset patch
# User Daniel <daniel@thunderbird.net>
# Date 1658184582 0
# Mon Jul 18 22:49:42 2022 +0000
# Node ID 9998ed5c2bcee289b03828eba670053614fa26da
# Parent e572bc3cfa07492189aec439e98378b0811ae3bb
Bug 1753683 - Replace distutils (deprecated) with packaging. r=rjl
Differential Revision: https://phabricator.services.mozilla.com/D152123
diff --git a/comm/python/thirdroc/thirdroc/__init__.py b/comm/python/thirdroc/thirdroc/__init__.py
--- a/comm/python/thirdroc/thirdroc/__init__.py
+++ b/comm/python/thirdroc/thirdroc/__init__.py
@@ -3,11 +3,11 @@
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
from __future__ import print_function, absolute_import
import re
-from distutils.version import StrictVersion
+from packaging.version import parse
VTAG_RE = re.compile(r"^v\d+\.\d+\.\d+$")
def tag2version(tag):
@@ -22,16 +22,16 @@ def tag2version(tag):
raise Exception("Invalid tag {}".format(tag))
def get_latest_version(*versions):
"""
- Given a list of versions (that must parse with distutils.version.StrictVersion,
+ Given a list of versions (that must parse with packaging.version.parse),
return the latest/newest version.
:param list versions:
- :return StrictVersion:
+ :return Version:
"""
- version_list = [StrictVersion(tag2version(v)) for v in versions]
+ version_list = [parse(tag2version(v)) for v in versions]
version_list.sort()
return version_list[-1]
def latest_version(*versions):
diff --git a/comm/python/thirdroc/thirdroc/rnp.py b/comm/python/thirdroc/thirdroc/rnp.py
--- a/comm/python/thirdroc/thirdroc/rnp.py
+++ b/comm/python/thirdroc/thirdroc/rnp.py
@@ -6,11 +6,11 @@ from __future__ import absolute_import
import os
from io import StringIO
from datetime import date
import re
-from distutils.version import StrictVersion
+from packaging.version import parse
from mozbuild.preprocessor import Preprocessor
def rnp_source_update(rnp_root, version_str, revision, timestamp, bug_report):
@@ -21,14 +21,14 @@ def rnp_source_update(rnp_root, version_
:param string version_str: latest version
:param string revision: revision hash (short form)
:param float timestamp: UNIX timestamp from revision
:param string bug_report: where to report bugs for this RNP build
"""
- version = StrictVersion(version_str)
- version_major = version.version[0]
- version_minor = version.version[1]
- version_patch = version.version[2]
+ version = parse(version_str)
+ version_major = version.major
+ version_minor = version.minor
+ version_patch = version.micro
date_str = date.fromtimestamp(float(timestamp)).strftime("%Y%m%d")
revision_short = revision[:8]
version_full = "{}+git{}.{}.MZLA".format(version_str, date_str, revision_short)
defines = dict(
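Review bot: `parse(version_str)` in `rnp_source_update` is looser than the `StrictVersion` it replaces: depending on the installed packaging release, a malformed string either raises InvalidVersion or (in releases before packaging 22) comes back as a LegacyVersion, on which the `.major`/`.minor`/`.micro` reads below may not be available. Constructing `packaging.version.Version(version_str)` directly fails loudly on anything that is not a well-formed release version, which is what a script stamping vendored source should do. The same applies to `get_latest_version` in `__init__.py`, although `tag2version` appears to validate tags first. The function body continues outside the hunk.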


@ -0,0 +1,118 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1662996130 0
# Mon Sep 12 15:22:10 2022 +0000
# Node ID 5dfb405f325609c62215f9d74e01dba029b84611
# Parent 9998ed5c2bcee289b03828eba670053614fa26da
Bug 1790446 - Stop rewriting RNP config.h.in when updating the source from upstream. r=dandarnell
Differential Revision: https://phabricator.services.mozilla.com/D157151
diff --git a/comm/python/thirdroc/thirdroc/rnp.py b/comm/python/thirdroc/thirdroc/rnp.py
--- a/comm/python/thirdroc/thirdroc/rnp.py
+++ b/comm/python/thirdroc/thirdroc/rnp.py
@@ -11,19 +11,18 @@ import re
from packaging.version import parse
from mozbuild.preprocessor import Preprocessor
-def rnp_source_update(rnp_root, version_str, revision, timestamp, bug_report):
+def rnp_source_update(rnp_root, version_str, revision, timestamp):
"""
Update RNP source files: generate version.h and mangle config.h.in
:param rnp_root:
:type rnp_root:
:param string version_str: latest version
:param string revision: revision hash (short form)
:param float timestamp: UNIX timestamp from revision
- :param string bug_report: where to report bugs for this RNP build
"""
version = parse(version_str)
version_major = version.major
version_minor = version.minor
version_patch = version.micro
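Review bot: The docstring kept as context in this hunk still says "generate version.h and mangle config.h.in", but the later hunks remove both the `mangle_config_h_in` call and the function itself, so the summary should become `Update RNP source files: generate version.h and update README.rnp`. If `StringIO` was imported only for `mangle_config_h_in`, the `from io import StringIO` line at the top of rnp.py is now unused as well; the import block is outside this patch, so that needs checking.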
@@ -36,20 +35,17 @@ def rnp_source_update(rnp_root, version_
RNP_VERSION_MINOR=version_minor,
RNP_VERSION_PATCH=version_patch,
RNP_VERSION=version_str,
RNP_VERSION_FULL=version_full,
RNP_VERSION_COMMIT_TIMESTAMP=str(timestamp),
- BUGREPORT_EMAIL=bug_report,
)
src_lib = os.path.join(rnp_root, "src", "lib")
version_h_in = os.path.join(src_lib, "version.h.in")
version_h = os.path.join(src_lib, "version.h")
- config_h_in = os.path.join(src_lib, "config.h.in")
readme_rnp = os.path.join(rnp_root, "..", "README.rnp")
generate_version_h(version_h_in, version_h, defines)
- mangle_config_h_in(config_h_in, defines)
update_readme(readme_rnp, revision)
def rnp_preprocess(tmpl, dest, defines):
"""
@@ -79,30 +75,10 @@ def generate_version_h(template, destina
with open(template) as tmpl:
with open(destination, "w") as dest:
rnp_preprocess(tmpl, dest, defines)
-def mangle_config_h_in(template, defines):
- """
- Mangle RNP's config.h.in so that it will work with CONFIGURE_DEFINE_FILES
- :param string template: path to config.h.in
- :param dict defines: result of get_defines()
- """
- with open(template) as tmpl:
- tmp_string = StringIO()
- rnp_preprocess(tmpl, tmp_string, defines)
-
- tmp_string.seek(0)
-
- with open(template, "w") as dest:
- for line in tmp_string:
- if line.startswith("#cmakedefine"):
- line = line.replace("#cmakedefine", "#undef")
- dest.write(line)
- dest.write("\n")
-
-
def update_readme(path, revision):
"""
Updates the commit hash in README.rnp
:param string path: Path to README.rnp
:param string revision: revision to insert
diff --git a/comm/third_party/update_rnp.sh b/comm/third_party/update_rnp.sh
--- a/comm/third_party/update_rnp.sh
+++ b/comm/third_party/update_rnp.sh
@@ -42,26 +42,23 @@ TAGLIST=$(git -C "${RNPgit}" tag --list
LATEST_VERSION=$($THIRDROC latest_version $TAGLIST)
REVISION=$(git -C "${RNPgit}" rev-parse --verify HEAD)
TIMESTAMP=$(git -C "${RNPgit}" show -s --format=%ct)
-BUGREPORT="https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird"
-
# Cleanup rnp checkout
rm -rf ${RNPgit}/{.git,.github,.cirrus.yml,.clang-format,.gitignore}
rm -rf ${RNPgit}/{_config.yml,docker.sh,ci,cmake,git-hooks,travis.sh,vcpkg.txt}
rm -rf ${RNPgit}/{Brewfile,CMakeLists.txt,CMakeSettings.json}
# Do the switch
rm -rf rnp
mv "${RNPgit}" rnp
-# Build version.h/config.h.in
+# Build version.h
$THIRDROC rnp_source_update rnp/ \
"${LATEST_VERSION}" \
"${REVISION}" \
- "${TIMESTAMP}" \
- "${BUGREPORT}"
+ "${TIMESTAMP}"
# Restore moz.build
hg revert rnp/moz.build rnp/module.ver rnp/rnp.symbols rnp/src/lib/rnp/rnp_export.h \
rnp/src/rnp/moz.build rnp/src/rnpkeys/moz.build


@ -0,0 +1,185 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1662996529 0
# Mon Sep 12 15:28:49 2022 +0000
# Node ID c9e44c0a569253884961ad2e18fae23f5ed0f6dc
# Parent 5dfb405f325609c62215f9d74e01dba029b84611
Bug 1790446 - Add build script to preprocess CMake config.h templates. r=dandarnell
Right now config.h.in is rewritten when the RNP source is updated.
This has caused problems when new lines are added to it.
Depends on D157151
Differential Revision: https://phabricator.services.mozilla.com/D157152
diff --git a/comm/python/rocbuild/process_cmake_define_files.py b/python/rocb/commuild/process_cmake_define_files.py
new file mode 100644
--- /dev/null
+++ b/comm/python/rocbuild/process_cmake_define_files.py
@@ -0,0 +1,103 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+from __future__ import absolute_import, print_function, unicode_literals
+
+import argparse
+import os
+import re
+import sys
+from buildconfig import topsrcdir, topobjdir
+from mozbuild.backend.configenvironment import PartialConfigEnvironment
+
+
+def define_type(string):
+ vals = string.split("=", 1)
+ if len(vals) == 1:
+ vals.append(1)
+ elif vals[1].isdecimal():
+ vals[1] = int(vals[1])
+ return tuple(vals)
+
+
+def process_cmake_define_file(output, input_file, extra_defines):
+ """Creates the given config header. A config header is generated by
+ taking the corresponding source file and replacing some #define/#undef
+ occurences:
+ "#undef NAME" is turned into "#define NAME VALUE"
+ "#cmakedefine NAME" is turned into "#define NAME VALUE"
+ "#define NAME" is unchanged
+ "#define NAME ORIGINAL_VALUE" is turned into "#define NAME VALUE"
+ "#undef UNKNOWN_NAME" is turned into "/* #undef UNKNOWN_NAME */"
+ "#cmakedefine UNKNOWN_NAME" is turned into "/* #undef UNKNOWN_NAME */"
+ Whitespaces are preserved.
+ """
+
+ path = os.path.abspath(input_file)
+
+ config = PartialConfigEnvironment(topobjdir)
+
+ defines = dict(config.defines.iteritems())
+ defines.update(extra_defines)
+
+ with open(path, "r") as input_file:
+ r = re.compile(
+ r'^\s*#\s*(?P<cmd>[a-z]+)(?:\s+(?P<name>\S+)(?:\s+(?P<value>("[^"]+"|\S+)))?)?',
+ re.U,
+ )
+ for line in input_file:
+ m = r.match(line)
+ if m:
+ cmd = m.group("cmd")
+ name = m.group("name")
+ value = m.group("value")
+ if name:
+ if cmd == "define":
+ if value and name in defines:
+ line = (
+ line[: m.start("value")]
+ + str(defines[name])
+ + line[m.end("value") :]
+ )
+ elif cmd in ("undef", "cmakedefine"):
+ if name in defines:
+ line = (
+ line[: m.start("cmd")]
+ + "define"
+ + line[m.end("cmd") : m.end("name")]
+ + " "
+ + str(defines[name])
+ + line[m.end("name") :]
+ )
+ else:
+ line = (
+ "/* #undef "
+ + line[m.start("name") : m.end("name")]
+ + " */"
+ + line[m.end("name") :]
+ )
+
+ output.write(line)
+
+
+def main(output, *argv):
+ parser = argparse.ArgumentParser(description="Process define files.")
+
+ parser.add_argument("input", help="Input define file.")
+ parser.add_argument(
+ "-D",
+ type=define_type,
+ action="append",
+ dest="extra_defines",
+ default=[],
+ help="Additional defines not set at configure time.",
+ )
+
+ args = parser.parse_args(argv)
+
+ return process_cmake_define_file(output, args.input, args.extra_defines)
+
+
+if __name__ == "__main__":
+ sys.exit(main(*sys.argv))
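Review bot: The `__main__` guard calls `main(*sys.argv)`, which binds the script path to `output`, so running the file directly fails at `output.write(line)`; if direct invocation is meant to work it should be `sys.exit(main(sys.stdout, *sys.argv[1:]))`, otherwise the guard can be dropped. The docstring of `process_cmake_define_file` should also state that a value is written verbatim via `str(defines[name])`, so a name has to be omitted, not passed as `NAME=False` or `NAME=0`, to end up as `/* #undef NAME */`. As a style point, the `with open(path, "r") as input_file` line rebinds the `input_file` parameter, and `main` and `define_type` have no docstrings.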
diff --git a/comm/third_party/rnp/moz.build b/third_party/rnp/moz.b/commuild
--- a/comm/third_party/rnp/moz.build
+++ b/comm/third_party/rnp/moz.build
@@ -34,19 +34,27 @@ COMPILE_FLAGS["WARNINGS_CFLAGS"] += [
if CONFIG["CC_TYPE"] == "clang-cl":
CXXFLAGS += [
"/EHs",
]
-DEFINES["_GNU_SOURCE"] = True
-
-DEFINES["HAVE_BZLIB_H"] = True
-DEFINES["HAVE_ZLIB_H"] = True
-DEFINES["MOZ_RNP_DIST_INFO"] = rnp_dist_info
-
-CONFIGURE_DEFINE_FILES += [
+rnp_defines = {
+ "HAVE_BZLIB_H": True,
+ "HAVE_ZLIB_H": True,
+ "CRYPTO_BACKEND_BOTAN": True,
+ "ENABLE_AEAD": True,
+ "ENABLE_TWOFISH": True,
+ "ENABLE_BRAINPOOL": True,
+}
+GeneratedFile(
"src/lib/config.h",
-]
+ script="/comm/python/rocbuild/process_cmake_define_files.py",
+ inputs=["src/lib/config.h.in"],
+ flags=[
+ "-D%s=%s" % (k, "1" if v is True else v)
+ for k, v in rnp_defines.items()
+ ],
+)
LOCAL_INCLUDES = [
"include",
"src",
"src/common",
diff --git a/comm/third_party/rnpdefs.mozbuild b/third_party/rnpdefs.mozb/commuild
--- a/comm/third_party/rnpdefs.mozbuild
+++ b/comm/third_party/rnpdefs.mozbuild
@@ -16,17 +16,10 @@ rnp_dist_info = "{} {} rnp".format(
COMPILE_FLAGS["OS_CFLAGS"] = []
COMPILE_FLAGS["OS_CXXFLAGS"] = []
COMPILE_FLAGS["OS_INCLUDES"] = []
COMPILE_FLAGS["CLANG_PLUGIN"] = []
-DEFINES["RNP_NO_DEPRECATED"] = True
-DEFINES["CRYPTO_BACKEND_BOTAN"] = True
-DEFINES["ENABLE_AEAD"] = True
-DEFINES["ENABLE_TWOFISH"] = True
-DEFINES["ENABLE_BRAINPOOL"] = True
-
-
if CONFIG["COMPILE_ENVIRONMENT"]:
COMPILE_FLAGS["MOZ_HARDENING_CFLAGS"] = []
if CONFIG["CC_TYPE"] == "clang-cl":
CFLAGS += [


@ -0,0 +1,77 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1662997034 0
# Mon Sep 12 15:37:14 2022 +0000
# Node ID 17dc6bb322b5d40299bba0a90d59c0593137d4f6
# Parent c9e44c0a569253884961ad2e18fae23f5ed0f6dc
Bug 1790446 - Get RNP version during configure and set in config.h. r=dandarnell
Depends on D157152
Differential Revision: https://phabricator.services.mozilla.com/D157153
diff --git a/comm/third_party/openpgp.configure b/comm/third_party/openpgp.configure
--- a/comm/third_party/openpgp.configure
+++ b/comm/third_party/openpgp.configure
@@ -86,10 +86,42 @@ with only_when("--enable-compile-environ
set_config("MZLA_LIBRNP", depends_if(in_tree_librnp)(lambda _: True))
set_define("MZLA_LIBRNP", depends_if(in_tree_librnp)(lambda _: True))
with only_when(in_tree_librnp):
+
+ @depends(build_environment, c_compiler)
+ @imports(_from="textwrap", _import="dedent")
+ @imports(_from="os.path", _import="join")
+ def rnp_version_string(build_env, compiler):
+ log.info("Determining librnp version from version.h.")
+ include_path = join(
+ build_env.topsrcdir, "comm", "third_party", "rnp", "src", "lib"
+ )
+ check = dedent(
+ """\
+ #include "version.h"
+ RNP_VERSION_STRING_FULL
+ """
+ )
+ result = try_preprocess(
+ compiler.wrapper
+ + [compiler.compiler]
+ + compiler.flags
+ + ["-I", include_path],
+ "C",
+ check,
+ )
+ if result:
+ rnp_version = result.splitlines()[-1]
+ rnp_version = rnp_version.replace('"', "")
+ else:
+ raise FatalCheckError("Unable to determine RNP version string.")
+ return rnp_version
+
+ set_config("MZLA_LIBRNP_FULL_VERSION", rnp_version_string)
+
# JSON-C --with-system-json
system_lib_option(
"--with-system-jsonc",
help="Use system JSON-C for librnp (located with pkgconfig)",
)
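Review bot: `rnp_version_string` accepts whatever the last preprocessed line is, so if version.h does not define RNP_VERSION_STRING_FULL the preprocessor leaves the bare identifier in place and the literal text `RNP_VERSION_STRING_FULL` becomes MZLA_LIBRNP_FULL_VERSION (and, via the moz.build hunk below, PACKAGE_STRING). A guard after the `replace`, such as `if rnp_version == "RNP_VERSION_STRING_FULL": raise FatalCheckError("Unable to determine RNP version string.")`, would reject that case instead of building with a wrong version banner.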
diff --git a/comm/third_party/rnp/moz.build b/third_party/rnp/moz.b/commuild
--- a/comm/third_party/rnp/moz.build
+++ b/comm/third_party/rnp/moz.build
@@ -41,10 +41,12 @@ rnp_defines = {
"HAVE_ZLIB_H": True,
"CRYPTO_BACKEND_BOTAN": True,
"ENABLE_AEAD": True,
"ENABLE_TWOFISH": True,
"ENABLE_BRAINPOOL": True,
+ "PACKAGE_BUGREPORT": '"https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird"',
+ "PACKAGE_STRING": '"rnp {}"'.format(CONFIG["MZLA_LIBRNP_FULL_VERSION"])
}
GeneratedFile(
"src/lib/config.h",
script="/comm/python/rocbuild/process_cmake_define_files.py",
inputs=["src/lib/config.h.in"],


@ -0,0 +1,58 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1663866047 14400
# Thu Sep 22 13:00:47 2022 -0400
# Node ID 8c718243f4e83fc18dfc88bf5d817c5c18f13937
# Parent 17dc6bb322b5d40299bba0a90d59c0593137d4f6
Bug 1790116 - update_rnp.sh changes for RNP v0.16.2. r=kaie
The changes in bug_1768424.patch are now included upstream in
https://github.com/rnpgp/rnp/commit/ac6f58ef7ccea270b735b53f87da2c3ca5b34290.
bug_1763641.patch removed per bug 1790116 comment 26.
disable_obsolete_ciphers.patch no longer needed, use security rules instead.
Differential Revision: https://phabricator.services.mozilla.com/D157010
diff --git a/comm/third_party/update_rnp.sh b/comm/third_party/update_rnp.sh
--- a/comm/third_party/update_rnp.sh
+++ b/comm/third_party/update_rnp.sh
@@ -43,11 +43,11 @@ TAGLIST=$(git -C "${RNPgit}" tag --list
LATEST_VERSION=$($THIRDROC latest_version $TAGLIST)
REVISION=$(git -C "${RNPgit}" rev-parse --verify HEAD)
TIMESTAMP=$(git -C "${RNPgit}" show -s --format=%ct)
# Cleanup rnp checkout
-rm -rf ${RNPgit}/{.git,.github,.cirrus.yml,.clang-format,.gitignore}
+rm -rf ${RNPgit}/{.git,.github,.cirrus.yml,.clang-format,.gitignore,.codespellrc}
rm -rf ${RNPgit}/{_config.yml,docker.sh,ci,cmake,git-hooks,travis.sh,vcpkg.txt}
rm -rf ${RNPgit}/{Brewfile,CMakeLists.txt,CMakeSettings.json}
# Do the switch
rm -rf rnp
@@ -60,17 +60,17 @@ mv "${RNPgit}" rnp
# Restore moz.build
hg revert rnp/moz.build rnp/module.ver rnp/rnp.symbols rnp/src/lib/rnp/rnp_export.h \
rnp/src/rnp/moz.build rnp/src/rnpkeys/moz.build
-# Reapply Thunderbird patch to disable obsolete ciphers
-PATCH_FILES=("patches/rnp/disable_obsolete_ciphers.patch" \
- "patches/rnp/bug_1763641.patch" \
- "patches/rnp/bug_1768424.patch")
-for PATCH_FILE in "${PATCH_FILES[@]}"; do
- patch -p2 -i "${PATCH_FILE}" -N -r "${MY_TEMP_DIR}/${PATCH_FILE}.rej"
-done
+# Patch librnp - currently not needed
+#PATCH_FILES=("patches/rnp/disable_obsolete_ciphers.patch")
+#for PATCH_FILE in "${PATCH_FILES[@]}"; do
+# # shellcheck disable=SC2086
+# echo "Applying patch $(basename ${PATCH_FILE})"
+# patch -p2 -i "${PATCH_FILE}" -N -r "${MY_TEMP_DIR}/${PATCH_FILE}.rej"
+#done
# Patch sometimes creates backup files that are not wanted.
find rnp -name '*.orig' -exec rm -f '{}' \;
rm -rf "${MY_TEMP_DIR}"
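Review bot: With the patch loop commented out, nothing in update_rnp.sh re-applies `disable_obsolete_ciphers.patch` after a vendor update, and the "security rules" that the description says replace it are not part of this change. A comment naming the file or bug where those rules are configured would let a later update be checked against them, so the obsolete ciphers cannot return unnoticed. The seven commented-out lines are dead code; a single line such as `# No local patches are currently applied to librnp.` conveys the same state.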

File diff suppressed because one or more lines are too long


@ -0,0 +1,77 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1663866531 14400
# Thu Sep 22 13:08:51 2022 -0400
# Node ID a863c22903a3fa4c71360920ed77ac31f1fa5d01
# Parent 3625a887f020a9a3cb3ad96e5107bfeacd54386e
Bug 1790116 - Update rnp_export.h. r=kaie
The CMake code that generates this file changed with RNP 0.16. The local copy
needs to be regenerated.
File generated with CMake using clang.
Differential Revision: https://phabricator.services.mozilla.com/D157053
diff --git a/comm/third_party/rnp/src/lib/rnp/rnp_export.h b/third_party/rnp/src/lib/comm/rnp/rnp_export.h
--- a/comm/third_party/rnp/src/lib/rnp/rnp_export.h
+++ b/comm/third_party/rnp/src/lib/rnp/rnp_export.h
@@ -1,42 +1,42 @@
-#ifndef RNP_API_H
-#define RNP_API_H
+#ifndef RNP_EXPORT
+#define RNP_EXPORT
#ifdef RNP_STATIC
# define RNP_API
-# define RNP_RNP_NO_EXPORT
+# define RNP_NO_EXPORT
#else
# ifndef RNP_API
# ifdef librnp_EXPORTS
/* We are building this library */
-# define RNP_API __attribute__((visibility("default")))
+# define RNP_API
# else
/* We are using this library */
-# define RNP_API __attribute__((visibility("default")))
+# define RNP_API
# endif
# endif
-# ifndef RNP_RNP_NO_EXPORT
-# define RNP_RNP_NO_EXPORT __attribute__((visibility("hidden")))
+# ifndef RNP_NO_EXPORT
+# define RNP_NO_EXPORT
# endif
#endif
-#ifndef RNP_RNP_DEPRECATED
-# define RNP_RNP_DEPRECATED __attribute__ ((__deprecated__))
+#ifndef RNP_DEPRECATED
+# define RNP_DEPRECATED __attribute__ ((__deprecated__))
#endif
-#ifndef RNP_RNP_DEPRECATED_EXPORT
-# define RNP_RNP_DEPRECATED_EXPORT RNP_API RNP_RNP_DEPRECATED
+#ifndef RNP_DEPRECATED_EXPORT
+# define RNP_DEPRECATED_EXPORT RNP_API RNP_DEPRECATED
#endif
-#ifndef RNP_RNP_DEPRECATED_NO_EXPORT
-# define RNP_RNP_DEPRECATED_NO_EXPORT RNP_RNP_NO_EXPORT RNP_RNP_DEPRECATED
+#ifndef RNP_DEPRECATED_NO_EXPORT
+# define RNP_DEPRECATED_NO_EXPORT RNP_NO_EXPORT RNP_DEPRECATED
#endif
#if 0 /* DEFINE_NO_DEPRECATED */
-# ifndef RNP_RNP_NO_DEPRECATED
-# define RNP_RNP_NO_DEPRECATED
+# ifndef RNP_NO_DEPRECATED
+# define RNP_NO_DEPRECATED
# endif
#endif
-#endif /* RNP_API_H */
+#endif /* RNP_EXPORT */


@ -0,0 +1,34 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1663866531 14400
# Thu Sep 22 13:08:51 2022 -0400
# Node ID 0798506e89ab0ad98d5826effe2087c2e2560d0b
# Parent a863c22903a3fa4c71360920ed77ac31f1fa5d01
Bug 1790116 - Do not compile SM2 crypto with librnp. r=kaie
The CMake configuration in rnp/src/lib/CMakeLists.txt does not include
src/lib/crypto/sm2.cpp unless ENABLE_SM2 is defined.
Thunderbird builds do not set ENABLE_SM2, so there's no need to build this
file.
Depends on D157053
Differential Revision: https://phabricator.services.mozilla.com/D157154
diff --git a/comm/third_party/rnp/moz.build b/third_party/rnp/moz.b/commuild
--- a/comm/third_party/rnp/moz.build
+++ b/comm/third_party/rnp/moz.build
@@ -128,11 +128,10 @@ SOURCES += [
"src/lib/crypto/s2k.cpp",
"src/lib/crypto/sha1cd/hash_sha1cd.cpp",
"src/lib/crypto/sha1cd/sha1.c",
"src/lib/crypto/sha1cd/ubc_check.c",
"src/lib/crypto/signatures.cpp",
- "src/lib/crypto/sm2.cpp",
"src/lib/crypto/symmetric.cpp",
"src/lib/fingerprint.cpp",
"src/lib/generate-key.cpp",
"src/lib/json-utils.cpp",
"src/lib/key-provider.cpp",


@ -0,0 +1,262 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1663866557 14400
# Thu Sep 22 13:09:17 2022 -0400
# Node ID 121afb4ed9b0e282cf6690736ffadf1498578434
# Parent 0798506e89ab0ad98d5826effe2087c2e2560d0b
Bug 1790116 - mozbuild changes for RNP v0.16.2. r=kaie
hash_sha1cd.cpp moved up to its parent directory.
ENABLE_IDEA needs to be set to keep support enabled.
https://github.com/rnpgp/rnp/commit/17972d0238919d4abf88b04debce95844be4716d
Update rnp_symbols.py to not include deprecated functions.
Added new symbols to rnp.symbols for export.
Differential Revision: https://phabricator.services.mozilla.com/D157012
diff --git a/comm/python/thirdroc/thirdroc/rnp_symbols.py b/python/thirdroc/thirdroc/rnp_symb/commols.py
--- a/comm/python/thirdroc/thirdroc/rnp_symbols.py
+++ b/comm/python/thirdroc/thirdroc/rnp_symbols.py
@@ -14,30 +14,75 @@ the third_party/rnp/include/rnp/rnp.h fo
Also note that APIs that are marked deprecated are not checked for.
Dependencies: Only Python 3
Running:
- python3 rnp_symbols.py
+ python3 rnp_symbols.py [-h] [rnp.h path] [rnp.symbols path]
-Output will be on stdout, this is to give the developer the opportunity to compare the old and
-new versions and check for accuracy.
+Both file path arguments are optional. By default, the header file will be
+read from "comm/third_party/rnp/include/rnp/rnp.h" and the symbols file will
+be written to "comm/third_party/rnp/rnp.symbols".
+
+Path arguments are relative to the current working directory, the defaults
+will be determined based on the location of this script.
+
+Either path argument can be '-' to use stdin or stdout respectively.
"""
-from __future__ import absolute_import, print_function
-
+import argparse
import sys
import os
import re
HERE = os.path.dirname(__file__)
TOPSRCDIR = os.path.abspath(os.path.join(HERE, "../../../../"))
-RNPSRCDIR = os.path.join(TOPSRCDIR, "comm/third_party/rnp")
+THIRD_SRCDIR = os.path.join(TOPSRCDIR, "comm/third_party")
+HEADER_FILE_REL = "rnp/include/rnp/rnp.h"
+HEADER_FILE = os.path.join(THIRD_SRCDIR, HEADER_FILE_REL)
+SYMBOLS_FILE_REL = "rnp/rnp.symbols"
+SYMBOLS_FILE = os.path.join(THIRD_SRCDIR, SYMBOLS_FILE_REL)
FUNC_DECL_RE = re.compile(r"^RNP_API\s+.*?([a-zA-Z0-9_]+)\(.*$")
+class FileArg:
+ """Based on argparse.FileType from the Python standard library.
+ Modified to not open the filehandles until the open() method is
+ called.
+ """
+
+ def __init__(self, mode="r"):
+ self._mode = mode
+ self._fp = None
+ self._file = None
+
+ def __call__(self, string):
+ # the special argument "-" means sys.std{in,out}
+ if string == "-":
+ if "r" in self._mode:
+ self._fp = sys.stdin.buffer if "b" in self._mode else sys.stdin
+ elif "w" in self._mode:
+ self._fp = sys.stdout.buffer if "b" in self._mode else sys.stdout
+ else:
+ raise ValueError(f"Invalid mode {self._mode} for stdin/stdout")
+ else:
+ if "r" in self._mode:
+ if not os.path.isfile(string):
+ raise ValueError(f"Cannot read file {string}, does not exist.")
+ elif "w" in self._mode:
+ if not os.access(string, os.W_OK):
+ raise ValueError(f"Cannot write file {string}, permission denied.")
+ self._file = string
+ return self
+
+ def open(self):
+ if self._fp:
+ return self._fp
+ return open(self._file, self._mode)
+
+
def get_func_name(line):
"""
Extract the function name from a RNP_API function declaration.
Examples:
RNP_API rnp_result_t rnp_enable_debug(const char *file);
@@ -46,24 +91,41 @@ def get_func_name(line):
"""
m = FUNC_DECL_RE.match(line)
return m.group(1)
-def extract_func_defs(filename):
+def extract_func_defs(filearg):
"""
Look for RNP_API in the header file to find the names of the symbols that should be exported
"""
- with open(filename) as fp:
+ with filearg.open() as fp:
for line in fp:
- if line.startswith("RNP_API"):
+ if line.startswith("RNP_API") and "RNP_DEPRECATED" not in line:
func_name = get_func_name(line)
yield func_name
if __name__ == "__main__":
- if len(sys.argv) > 1:
- FILENAME = sys.argv[1]
- else:
- FILENAME = os.path.join(RNPSRCDIR, "include/rnp/rnp.h")
+ parser = argparse.ArgumentParser(
+ description="Update rnp.symbols file from rnp.h",
+ epilog="To use stdin or stdout pass '-' for the argument.",
+ )
+ parser.add_argument(
+ "header_file",
+ default=HEADER_FILE,
+ type=FileArg("r"),
+ nargs="?",
+ help=f"input path to rnp.h header file (default: {HEADER_FILE_REL})",
+ )
+ parser.add_argument(
+ "symbols_file",
+ default=SYMBOLS_FILE,
+ type=FileArg("w"),
+ nargs="?",
+ help=f"output path to symbols file (default: {SYMBOLS_FILE_REL})",
+ )
- for f in sorted(list(extract_func_defs(FILENAME))):
- print(f)
+ args = parser.parse_args()
+
+ with args.symbols_file.open() as out_fp:
+ for symbol in sorted(list(extract_func_defs(args.header_file))):
+ out_fp.write(f"{symbol}\n")
diff --git a/comm/third_party/rnp/moz.build b/third_party/rnp/moz.b/commuild
--- a/comm/third_party/rnp/moz.build
+++ b/comm/third_party/rnp/moz.build
@@ -41,10 +41,11 @@ rnp_defines = {
"HAVE_ZLIB_H": True,
"CRYPTO_BACKEND_BOTAN": True,
"ENABLE_AEAD": True,
"ENABLE_TWOFISH": True,
"ENABLE_BRAINPOOL": True,
+ "ENABLE_IDEA": True,
"PACKAGE_BUGREPORT": '"https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird"',
"PACKAGE_STRING": '"rnp {}"'.format(CONFIG["MZLA_LIBRNP_FULL_VERSION"])
}
GeneratedFile(
"src/lib/config.h",
@@ -119,16 +120,16 @@ SOURCES += [
"src/lib/crypto/ecdsa.cpp",
"src/lib/crypto/eddsa.cpp",
"src/lib/crypto/elgamal.cpp",
"src/lib/crypto/hash.cpp",
"src/lib/crypto/hash_common.cpp",
+ "src/lib/crypto/hash_sha1cd.cpp",
"src/lib/crypto/mem.cpp",
"src/lib/crypto/mpi.cpp",
"src/lib/crypto/rng.cpp",
"src/lib/crypto/rsa.cpp",
"src/lib/crypto/s2k.cpp",
- "src/lib/crypto/sha1cd/hash_sha1cd.cpp",
"src/lib/crypto/sha1cd/sha1.c",
"src/lib/crypto/sha1cd/ubc_check.c",
"src/lib/crypto/signatures.cpp",
"src/lib/crypto/symmetric.cpp",
"src/lib/fingerprint.cpp",
diff --git a/comm/third_party/rnp/rnp.symbols b/third_party/rnp/rnp.symb/commols
--- a/comm/third_party/rnp/rnp.symbols
+++ b/comm/third_party/rnp/rnp.symbols
@@ -37,10 +37,11 @@ rnp_import_keys
rnp_import_signatures
rnp_input_destroy
rnp_input_from_callback
rnp_input_from_memory
rnp_input_from_path
+rnp_input_from_stdin
rnp_key_25519_bits_tweak
rnp_key_25519_bits_tweaked
rnp_key_add_uid
rnp_key_allows_usage
rnp_key_export
@@ -75,10 +76,11 @@ rnp_key_get_uid_count
rnp_key_get_uid_handle_at
rnp_key_handle_destroy
rnp_key_have_public
rnp_key_have_secret
rnp_key_is_compromised
+rnp_key_is_expired
rnp_key_is_locked
rnp_key_is_primary
rnp_key_is_protected
rnp_key_is_retired
rnp_key_is_revoked
@@ -112,10 +114,11 @@ rnp_op_encrypt_set_cipher
rnp_op_encrypt_set_compression
rnp_op_encrypt_set_creation_time
rnp_op_encrypt_set_expiration_time
rnp_op_encrypt_set_file_mtime
rnp_op_encrypt_set_file_name
+rnp_op_encrypt_set_flags
rnp_op_encrypt_set_hash
rnp_op_generate_add_pref_cipher
rnp_op_generate_add_pref_compression
rnp_op_generate_add_pref_hash
rnp_op_generate_add_usage
@@ -169,10 +172,11 @@ rnp_op_verify_get_signature_at
rnp_op_verify_get_signature_count
rnp_op_verify_get_symenc_at
rnp_op_verify_get_symenc_count
rnp_op_verify_get_used_recipient
rnp_op_verify_get_used_symenc
+rnp_op_verify_set_flags
rnp_op_verify_signature_get_handle
rnp_op_verify_signature_get_hash
rnp_op_verify_signature_get_key
rnp_op_verify_signature_get_status
rnp_op_verify_signature_get_times
@@ -185,21 +189,24 @@ rnp_output_to_armor
rnp_output_to_callback
rnp_output_to_file
rnp_output_to_memory
rnp_output_to_null
rnp_output_to_path
+rnp_output_to_stdout
rnp_output_write
rnp_recipient_get_alg
rnp_recipient_get_keyid
rnp_remove_security_rule
rnp_request_password
rnp_result_to_string
rnp_save_keys
+rnp_set_timestamp
rnp_signature_get_alg
rnp_signature_get_creation
rnp_signature_get_expiration
rnp_signature_get_hash_alg
+rnp_signature_get_key_fprint
rnp_signature_get_keyid
rnp_signature_get_signer
rnp_signature_get_type
rnp_signature_handle_destroy
rnp_signature_is_valid
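Review bot: In the `rnp_symbols.py` hunk of this patch, `FileArg.__call__` rejects a write target with `os.access(string, os.W_OK)`, which is also false when the file does not exist yet, so a fresh output path is reported as "permission denied". Checking the parent directory when the file is absent, `os.access(os.path.dirname(os.path.abspath(string)), os.W_OK)`, would avoid that. The check and the later `open()` are separate steps, so `open()` can still fail and callers should not treat the pre-check as a guarantee. The `ValueError` texts are not shown to the user either, because argparse prints only a generic "invalid … value" message for `ValueError`; raising `argparse.ArgumentTypeError` instead keeps them. `get_func_name`, shown as context, still calls `m.group(1)` without checking that the regex matched.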


@ -0,0 +1,32 @@
# HG changeset patch
# User Rob Lemley <rob@thunderbird.net>
# Date 1663091141 0
# Tue Sep 13 17:45:41 2022 +0000
# Node ID fbc2cf15893e40959b04d22c9efa4d424aeb5c4f
# Parent 121afb4ed9b0e282cf6690736ffadf1498578434
Bug 1790662 - Update librnp compiler include path for new location of json-c's json.h r=dandarnell
json.h from json-c is now a preprocessed file and is found in the object directory
rather than the source directory.
Depends on D157961
Differential Revision: https://phabricator.services.mozilla.com/D157962
diff --git a/comm/third_party/rnp/moz.build b/third_party/rnp/moz.b/commuild
--- a/comm/third_party/rnp/moz.build
+++ b/comm/third_party/rnp/moz.build
@@ -81,11 +81,11 @@ else:
if CONFIG["MZLA_SYSTEM_JSONC"]:
CXXFLAGS += CONFIG["MZLA_JSONC_CFLAGS"]
else:
IQuote("{}/../json-c".format(OBJDIR))
- LOCAL_INCLUDES += ["../json-c"]
+ LOCAL_INCLUDES += ["!../json-c", "../json-c"]
if CONFIG["MZLA_SYSTEM_BZIP2"]:
CXXFLAGS += CONFIG["MZLA_BZIP2_CFLAGS"]
else:
LOCAL_INCLUDES += ["../bzip2"]

File diff suppressed because it is too large Load Diff


@ -0,0 +1,450 @@
# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1666897160 -7200
# Thu Oct 27 20:59:20 2022 +0200
# Node ID af0b1f5e4c7710f824c6141103e516ca60bc78aa
# Parent adfbf6378df82c8b2e087427a48ddc5cbe13aadd
Bug 1791195 - Add RNP security rules to obsolete our patches to RNP. r=mkmelin,o.nickolay
diff --git a/comm/mail/extensions/openpgp/content/modules/RNP.jsm b/comm/mail/extensions/openpgp/content/modules/RNP.jsm
--- a/comm/mail/extensions/openpgp/content/modules/RNP.jsm
+++ b/comm/mail/extensions/openpgp/content/modules/RNP.jsm
@@ -1863,12 +1863,12 @@ var RNP = {
if (keyBlockStr.length > RNP.maxImportKeyBlockSize) {
throw new Error("rejecting big keyblock");
}
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
let pubKey;
if (!this.importToFFI(tempFFI, keyBlockStr, true, false, permissive)) {
@@ -1892,12 +1892,12 @@ var RNP = {
if (keyBlockStr.length > RNP.maxImportKeyBlockSize) {
throw new Error("rejecting big keyblock");
}
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
let keyList = null;
if (!this.importToFFI(tempFFI, keyBlockStr, pubkey, seckey, permissive)) {
@@ -1929,12 +1929,12 @@ var RNP = {
async mergePublicKeyBlocks(fingerprint, ...keyBlocks) {
if (keyBlocks.some(b => b.length > RNP.maxImportKeyBlockSize)) {
throw new Error("keyBlock too big");
}
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
const pubkey = true;
const seckey = false;
@@ -2067,12 +2067,12 @@ var RNP = {
let result = {};
result.exitCode = -1;
result.importedKeys = [];
result.errorMsg = "";
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
// TODO: check result
if (this.importToFFI(tempFFI, keyBlockStr, pubkey, seckey, permissive)) {
@@ -3115,12 +3115,12 @@ var RNP = {
*
*/
export_pubkey_strip_sigs_uids(expKey, keepUserIDs, out_binary) {
let expKeyId = this.getKeyIDFromHandle(expKey);
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
let exportFlags =
RNPLib.RNP_KEY_EXPORT_SUBKEYS | RNPLib.RNP_KEY_EXPORT_PUBLIC;
@@ -3399,12 +3399,12 @@ var RNP = {
))
) {
throw new Error("rnp_output_to_armor failed:" + rv);
}
- let tempFFI = new RNPLib.rnp_ffi_t();
- if (RNPLib.rnp_ffi_create(tempFFI.address(), "GPG", "GPG")) {
+ let tempFFI = RNPLib.prepare_ffi();
+ if (!tempFFI) {
throw new Error("Couldn't initialize librnp.");
}
let internalPassword = await OpenPGPMasterpass.retrieveOpenPGPPassword();
diff --git a/comm/mail/extensions/openpgp/content/modules/RNPLib.jsm b/mail/extensions/openpgp/content/modules/RNPLib/comm.jsm
--- a/comm/mail/extensions/openpgp/content/modules/RNPLib.jsm
+++ b/comm/mail/extensions/openpgp/content/modules/RNPLib.jsm
@@ -13,11 +13,11 @@ XPCOMUtils.defineLazyModuleGetters(this,
OpenPGPMasterpass: "chrome://openpgp/content/modules/masterpass.jsm",
Services: "resource://gre/modules/Services.jsm",
setTimeout: "resource://gre/modules/Timer.jsm",
});
-const MIN_RNP_VERSION = [0, 16, 0];
+const MIN_RNP_VERSION = [0, 16, 2];
var systemOS = Services.appinfo.OS.toLowerCase();
var abi = ctypes.default_abi;
// Open librnp. Determine the path to the chrome directory and look for it
@@ -149,10 +149,12 @@ function enableRNPLibJS() {
// this must be delayed until after "librnp" is initialized
RNPLib = {
path: librnpPath,
+ // Handle to the RNP library and primary key data store.
+ // Kept at null if init fails.
ffi: null,
// returns rnp_input_t, destroy using rnp_input_destroy
async createInputFromPath(path) {
// IOUtils.read always returns an array.
@@ -265,13 +267,204 @@ function enableRNPLibJS() {
const min_version = this.rnp_version_for(...MIN_RNP_VERSION);
const this_version = this.rnp_version();
return Boolean(this_version >= min_version);
},
+ /**
+ * Prepare an RNP library handle, and in addition set all the
+ * application's preferences for library behavior.
+ *
+ * Other application code should NOT call rnp_ffi_create directly,
+ * but obtain an RNP library handle from this function.
+ */
+ prepare_ffi() {
+ let ffi = new rnp_ffi_t();
+ if (this._rnp_ffi_create(ffi.address(), "GPG", "GPG")) {
+ return null;
+ }
+
+ // Treat MD5 as insecure.
+ if (
+ this.rnp_add_security_rule(
+ ffi,
+ this.RNP_FEATURE_HASH_ALG,
+ this.RNP_ALGNAME_MD5,
+ this.RNP_SECURITY_OVERRIDE,
+ 0,
+ this.RNP_SECURITY_INSECURE
+ )
+ ) {
+ return null;
+ }
+
+ // Use RNP's default rule for SHA1 used with data signatures,
+ // and use our override to allow it for key signatures.
+ if (
+ this.rnp_add_security_rule(
+ ffi,
+ this.RNP_FEATURE_HASH_ALG,
+ this.RNP_ALGNAME_SHA1,
+ this.RNP_SECURITY_VERIFY_KEY | this.RNP_SECURITY_OVERRIDE,
+ 0,
+ this.RNP_SECURITY_DEFAULT
+ )
+ ) {
+ return null;
+ }
+
+ /*
+ // Security rules API does not yet support PK and SYMM algs.
+ //
+ // If a hash algorithm is already disabled at build time,
+ // and an attempt is made to set a security rule for that
+ // algorithm, then RNP returns a failure.
+ //
+ // Ideally, RNP should allow these calls (regardless of build time
+ // settings) to define an application security rule, that is
+ // independent of the configuration used for building the
+ // RNP library.
+
+ if (
+ this.rnp_add_security_rule(
+ ffi,
+ this.RNP_FEATURE_HASH_ALG,
+ this.RNP_ALGNAME_SM3,
+ this.RNP_SECURITY_OVERRIDE,
+ 0,
+ this.RNP_SECURITY_PROHIBITED
+ )
+ ) {
+ return null;
+ }
+
+ if (
+ this.rnp_add_security_rule(
+ ffi,
+ this.RNP_FEATURE_PK_ALG,
+ this.RNP_ALGNAME_SM2,
+ this.RNP_SECURITY_OVERRIDE,
+ 0,
+ this.RNP_SECURITY_PROHIBITED
+ )
+ ) {
+ return null;
+ }
+
+ if (
+ this.rnp_add_security_rule(
+ ffi,
+ this.RNP_FEATURE_SYMM_ALG,
+ this.RNP_ALGNAME_SM4,
+ this.RNP_SECURITY_OVERRIDE,
+ 0,
+ this.RNP_SECURITY_PROHIBITED
+ )
+ ) {
+ return null;
+ }
+ */
+
+ return ffi;
+ },
+
+ /**
+ * Test the correctness of security rules, in particular, test
+ * if the given hash algorithm is allowed at the given time.
+ *
+ * This is an application consistency test. If the behavior isn't
+ * according to the expectation, the function throws an error.
+ *
+ * @param {string} hashAlg - Test this hash algorithm
+ * @param {time_t} time - Test status at this timestamp
+ * @param {boolean} keySigAllowed - Test if using the hash algorithm
+ * is allowed for signatures found inside OpenPGP keys.
+ * @param {boolean} dataSigAllowed - Test if using the hash algorithm
+ * is allowed for signatures on data.
+ */
+ _confirmSecurityRule(hashAlg, time, keySigAllowed, dataSigAllowed) {
+ let level = new ctypes.uint32_t();
+ let flag = new ctypes.uint32_t();
+
+ flag.value = this.RNP_SECURITY_VERIFY_DATA;
+ let testDataSuccess = false;
+ if (
+ !RNPLib.rnp_get_security_rule(
+ this.ffi,
+ this.RNP_FEATURE_HASH_ALG,
+ hashAlg,
+ time,
+ flag.address(),
+ null,
+ level.address()
+ )
+ ) {
+ if (dataSigAllowed) {
+ testDataSuccess = level.value == RNPLib.RNP_SECURITY_DEFAULT;
+ } else {
+ testDataSuccess = level.value < RNPLib.RNP_SECURITY_DEFAULT;
+ }
+ }
+
+ if (!testDataSuccess) {
+ throw new Error("security configuration for data signatures failed");
+ }
+
+ flag.value = this.RNP_SECURITY_VERIFY_KEY;
+ let testKeySuccess = false;
+ if (
+ !RNPLib.rnp_get_security_rule(
+ this.ffi,
+ this.RNP_FEATURE_HASH_ALG,
+ hashAlg,
+ time,
+ flag.address(),
+ null,
+ level.address()
+ )
+ ) {
+ if (keySigAllowed) {
+ testKeySuccess = level.value == RNPLib.RNP_SECURITY_DEFAULT;
+ } else {
+ testKeySuccess = level.value < RNPLib.RNP_SECURITY_DEFAULT;
+ }
+ }
+
+ if (!testKeySuccess) {
+ throw new Error("security configuration for key signatures failed");
+ }
+ },
+
+ /**
+ * Perform tests that the RNP library behaves according to the
+ * defined security rules.
+ * If a problem is found, the function throws an error.
+ */
+ _sanityCheckSecurityRules() {
+ let time_t_now = Math.round(Date.now() / 1000);
+ let ten_years_in_seconds = 10 * 365 * 24 * 60 * 60;
+ let ten_years_future = time_t_now + ten_years_in_seconds;
+
+ this._confirmSecurityRule(this.RNP_ALGNAME_MD5, time_t_now, false, false);
+ this._confirmSecurityRule(
+ this.RNP_ALGNAME_MD5,
+ ten_years_future,
+ false,
+ false
+ );
+
+ this._confirmSecurityRule(this.RNP_ALGNAME_SHA1, time_t_now, true, false);
+ this._confirmSecurityRule(
+ this.RNP_ALGNAME_SHA1,
+ ten_years_future,
+ true,
+ false
+ );
+ },
+
async init() {
- this.ffi = new rnp_ffi_t();
- if (this.rnp_ffi_create(this.ffi.address(), "GPG", "GPG")) {
+ this.ffi = this.prepare_ffi();
+ if (!this.ffi) {
throw new Error("Couldn't initialize librnp.");
}
this.rnp_ffi_set_log_fd(this.ffi, 2); // stderr
@@ -286,10 +479,18 @@ function enableRNPLibJS() {
null
);
let { pubRingPath, secRingPath } = this.getFilenames();
+ try {
+ this._sanityCheckSecurityRules();
+ } catch (e) {
+ // Disable all RNP operation
+ this.ffi = null;
+ throw e;
+ }
+
await this.loadWithFallback(pubRingPath, this.RNP_LOAD_SAVE_PUBLIC_KEYS);
await this.loadWithFallback(secRingPath, this.RNP_LOAD_SAVE_SECRET_KEYS);
let pubnum = new ctypes.size_t();
this.rnp_get_public_key_count(this.ffi, pubnum.address());
@@ -481,10 +682,14 @@ function enableRNPLibJS() {
* @param {string} path - The file path to save to.
* @param {number} keyRingFlag - RNP_LOAD_SAVE_PUBLIC_KEYS or
* RNP_LOAD_SAVE_SECRET_KEYS.
*/
async saveKeyRing(path, keyRingFlag) {
+ if (!this.ffi) {
+ return;
+ }
+
let oldPath = path + ".old";
// Ignore failure, oldPath might not exist yet.
await IOUtils.copy(path, oldPath).catch(() => {});
@@ -540,10 +745,13 @@ function enableRNPLibJS() {
tmpPath: path + ".tmp-new",
});
},
async saveKeys() {
+ if (!this.ffi) {
+ return;
+ }
let { pubRingPath, secRingPath } = this.getFilenames();
let saveThem = async () => {
await this.saveKeyRing(pubRingPath, this.RNP_LOAD_SAVE_PUBLIC_KEYS);
await this.saveKeyRing(secRingPath, this.RNP_LOAD_SAVE_SECRET_KEYS);
@@ -600,11 +808,13 @@ function enableRNPLibJS() {
abi,
ctypes.char.ptr
),
// Get a RNP library handle.
- rnp_ffi_create: librnp.declare(
+ // Mark with leading underscore, to clarify that this function
+ // shouldn't be called directly - you should call prepare_ffi().
+ _rnp_ffi_create: librnp.declare(
"rnp_ffi_create",
abi,
rnp_result_t,
rnp_ffi_t.ptr,
ctypes.char.ptr,
@@ -1713,10 +1923,22 @@ function enableRNPLibJS() {
ctypes.uint32_t.ptr,
ctypes.uint64_t.ptr,
ctypes.uint32_t.ptr
),
+ rnp_add_security_rule: librnp.declare(
+ "rnp_add_security_rule",
+ abi,
+ rnp_result_t,
+ rnp_ffi_t,
+ ctypes.char.ptr,
+ ctypes.char.ptr,
+ ctypes.uint32_t,
+ ctypes.uint64_t,
+ ctypes.uint32_t
+ ),
+
rnp_result_t,
rnp_ffi_t,
rnp_password_cb_t,
rnp_input_t,
rnp_output_t,
@@ -1748,11 +1970,26 @@ function enableRNPLibJS() {
RNP_KEY_SIGNATURE_NON_SELF_SIG: 4,
RNP_SUCCESS: 0x00000000,
+ RNP_FEATURE_SYMM_ALG: "symmetric algorithm",
RNP_FEATURE_HASH_ALG: "hash algorithm",
+ RNP_FEATURE_PK_ALG: "public key algorithm",
+ RNP_ALGNAME_MD5: "MD5",
+ RNP_ALGNAME_SHA1: "SHA1",
+ RNP_ALGNAME_SM2: "SM2",
+ RNP_ALGNAME_SM3: "SM3",
+ RNP_ALGNAME_SM4: "SM4",
+
+ RNP_SECURITY_OVERRIDE: 1,
+ RNP_SECURITY_VERIFY_KEY: 2,
+ RNP_SECURITY_VERIFY_DATA: 4,
+ RNP_SECURITY_REMOVE_ALL: 65536,
+
+ RNP_SECURITY_PROHIBITED: 0,
+ RNP_SECURITY_INSECURE: 1,
RNP_SECURITY_DEFAULT: 2,
/* Common error codes */
RNP_ERROR_GENERIC: 0x10000000, // 268435456
RNP_ERROR_BAD_FORMAT: 0x10000001, // 268435457
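Review bot: `prepare_ffi()` in RNPLib.jsm returns `null` when either `rnp_add_security_rule` call fails, but the handle that `_rnp_ffi_create` just produced is not released on those paths, and `init()` likewise sets `this.ffi = null` after a failed `_sanityCheckSecurityRules()` without destroying it. Assuming RNPLib declares `rnp_ffi_destroy` elsewhere in the file (not visible in these hunks), calling `this.rnp_ffi_destroy(ffi);` before each `return null;` would avoid leaking the handle. Only `saveKeyRing` and `saveKeys` gain a `!this.ffi` guard here; other code that passes `RNPLib.ffi` to librnp after a failed init would hand it a null handle, so it is worth confirming that those callers fail closed. The large commented-out SM2/SM3/SM4 block would be easier to maintain as a short comment that names the API limitation.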


@ -0,0 +1,85 @@
# HG changeset patch
# User Kai Engert <kaie@kuix.de>
# Date 1664378971 0
# Wed Sep 28 15:29:31 2022 +0000
# Node ID 98bde42cf14e966da1cdf098e2d0917032c0f327
# Parent af0b1f5e4c7710f824c6141103e516ca60bc78aa
Bug 1791195 - Adjust OpenPGP signature handling for RNP >= 0.16.2. r=mkmelin
Differential Revision: https://phabricator.services.mozilla.com/D158270
diff --git a/comm/mail/extensions/openpgp/content/modules/RNP.jsm b/comm/mail/extensions/openpgp/content/modules/RNP.jsm
--- a/comm/mail/extensions/openpgp/content/modules/RNP.jsm
+++ b/comm/mail/extensions/openpgp/content/modules/RNP.jsm
@@ -1150,22 +1150,25 @@ var RNP = {
result.exitCode = RNPLib.rnp_op_verify_execute(verify_op);
let rnpCannotDecrypt = false;
let queryAllEncryptionRecipients = false;
+ let stillUndecidedIfSignatureIsBad = false;
let useDecodedData;
let processSignature;
switch (result.exitCode) {
case RNPLib.RNP_SUCCESS:
useDecodedData = true;
processSignature = true;
break;
case RNPLib.RNP_ERROR_SIGNATURE_INVALID:
- result.statusFlags |= EnigmailConstants.BAD_SIGNATURE;
+ // Either the signing key is unavailable, or the signature is
+ // indeed bad. Must check signature status below.
+ stillUndecidedIfSignatureIsBad = true;
useDecodedData = true;
- processSignature = false;
+ processSignature = true;
break;
case RNPLib.RNP_ERROR_SIGNATURE_EXPIRED:
useDecodedData = true;
processSignature = false;
result.statusFlags |= EnigmailConstants.EXPIRED_SIGNATURE;
@@ -1320,13 +1323,30 @@ var RNP = {
options.fromAddr,
options.msgDate,
verify_op,
result
);
+
+ if (
+ (result.statusFlags &
+ (EnigmailConstants.GOOD_SIGNATURE |
+ EnigmailConstants.UNCERTAIN_SIGNATURE |
+ EnigmailConstants.EXPIRED_SIGNATURE |
+ EnigmailConstants.BAD_SIGNATURE)) !=
+ 0
+ ) {
+ // A decision was already made.
+ stillUndecidedIfSignatureIsBad = false;
+ }
}
}
+ if (stillUndecidedIfSignatureIsBad) {
+ // We didn't find more details above, so conclude it's bad.
+ result.statusFlags |= EnigmailConstants.BAD_SIGNATURE;
+ }
+
RNPLib.rnp_input_destroy(input_from_memory);
RNPLib.rnp_output_destroy(output_to_memory);
RNPLib.rnp_op_verify_destroy(verify_op);
if (
@@ -1458,10 +1478,12 @@ var RNP = {
let have_signer_key = false;
let use_signer_key = false;
if (query_signer) {
if (RNPLib.rnp_op_verify_signature_get_key(sig, signer_key.address())) {
+ // If sig_status isn't RNP_ERROR_KEY_NOT_FOUND then we must
+ // be able to obtain the signer key.
throw new Error("rnp_op_verify_signature_get_key");
}
have_signer_key = true;
use_signer_key = !this.isBadKey(signer_key);
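Review bot: The `RNP_ERROR_SIGNATURE_INVALID` case in RNP.jsm now defers the verdict to `stillUndecidedIfSignatureIsBad`, but the rule that this flag must end in `BAD_SIGNATURE` unless a status flag was set is spread over three hunks and stated nowhere. A comment at the declaration such as `// Fail closed: stays true until a signature status flag is set, otherwise BAD_SIGNATURE is reported.` would document it. The four-flag mask is written inline, so a status constant added later to the signature helper would have to be added there as well, otherwise that outcome is additionally marked bad; a named constant for the mask would make this dependency visible. The enclosing function starts and ends outside the hunks.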


@ -0,0 +1,12 @@
diff -up thunderbird-102.4.0/comm/third_party/rnp/moz.build.rnp-openssl thunderbird-102.4.0/comm/third_party/rnp/moz.build
--- thunderbird-102.4.0/comm/third_party/rnp/moz.build.rnp-openssl 2022-11-01 14:36:02.940726858 +0100
+++ thunderbird-102.4.0/comm/third_party/rnp/moz.build 2022-11-01 14:36:23.091726917 +0100
@@ -39,7 +39,7 @@ if CONFIG["CC_TYPE"] == "clang-cl":
rnp_defines = {
"HAVE_BZLIB_H": True,
"HAVE_ZLIB_H": True,
- "CRYPTO_BACKEND_BOTAN": True,
+ "CRYPTO_BACKEND_OPENSSL": True,
"ENABLE_AEAD": True,
"ENABLE_TWOFISH": True,
"ENABLE_BRAINPOOL": True,


@ -33,6 +33,10 @@ end}
%global system_nss 1 %global system_nss 1
%global bundle_nss 0 %global bundle_nss 0
%global build_langpacks 1 %global build_langpacks 1
%global use_openssl_for_librnp 1
%if 0%{?rhel} == 7
%global use_openssl_for_librnp 0
%endif
%if 0%{?rhel} == 8 %if 0%{?rhel} == 8
%if %{rhel_minor_version} <= 4 %if %{rhel_minor_version} <= 4
@ -159,7 +163,7 @@ end}
Summary: Mozilla Thunderbird mail/newsgroup client Summary: Mozilla Thunderbird mail/newsgroup client
Name: thunderbird Name: thunderbird
Version: 102.5.0 Version: 102.5.0
Release: 2%{?dist} Release: 3%{?dist}
URL: http://www.mozilla.org/projects/thunderbird/ URL: http://www.mozilla.org/projects/thunderbird/
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
@ -239,6 +243,22 @@ Patch422: mozilla-s390x-skia-gradient.patch
Patch423: one_swizzle_to_rule_them_all.patch Patch423: one_swizzle_to_rule_them_all.patch
Patch424: svg-rendering.patch Patch424: svg-rendering.patch
Patch425: D158770.diff Patch425: D158770.diff
Patch5426: backport-rnp-0.16.2-to-esr102-a-bug-1753683.patch
Patch5427: backport-rnp-0.16.2-to-esr102-b-bug-1790446.patch
Patch5428: backport-rnp-0.16.2-to-esr102-c-bug-1790446.patch
Patch5429: backport-rnp-0.16.2-to-esr102-d-bug-1790446.patch
Patch5430: backport-rnp-0.16.2-to-esr102-e-bug-1790116.patch
Patch5431: backport-rnp-0.16.2-to-esr102-f-bug-1790116.patch
Patch5432: backport-rnp-0.16.2-to-esr102-g-bug-1790116.patch
Patch5433: backport-rnp-0.16.2-to-esr102-h-bug-1790116.patch
Patch5434: backport-rnp-0.16.2-to-esr102-i-bug-1790116.patch
Patch5435: backport-rnp-0.16.2-to-esr102-j-bug-1790662.patch
Patch5436: backport-rnp-0.16.2-to-esr102-k-bug-1790662.patch
Patch5437: backport-rnp-0.16.2-to-esr102-l-bug-1791195.patch
Patch5438: backport-rnp-0.16.2-to-esr102-m-bug-1791195.patch
Patch5439: backport-rnp-use-openssl.patch
Patch5479: D161379.diff
Patch5480: D161895.diff
# PGO/LTO patches # PGO/LTO patches
Patch600: pgo.patch Patch600: pgo.patch
@ -274,6 +294,9 @@ BuildRequires: pkgconfig(libnotify) >= %{libnotify_version}
BuildRequires: pkgconfig(dri) BuildRequires: pkgconfig(dri)
BuildRequires: pkgconfig(libcurl) BuildRequires: pkgconfig(libcurl)
BuildRequires: pkgconfig(alsa) BuildRequires: pkgconfig(alsa)
%if %{?use_openssl_for_librnp}
BuildRequires: pkgconfig(openssl)
%endif
BuildRequires: libstdc++-devel BuildRequires: libstdc++-devel
BuildRequires: libstdc++-static BuildRequires: libstdc++-static
BuildRequires: dbus-glib-devel BuildRequires: dbus-glib-devel
@ -554,7 +577,6 @@ echo "use_rustts %{?use_rustts}"
%setup -q %setup -q
# Build patches # Build patches
#MISSING% patch9 -p2 -b .arm
%ifarch s390 %ifarch s390
%patch25 -p1 -b .rhbz-1219542-s390 %patch25 -p1 -b .rhbz-1219542-s390
%endif %endif
@ -593,7 +615,6 @@ echo "use_rustts %{?use_rustts}"
%endif %endif
%patch228 -p1 -b .disable-openh264-download %patch228 -p1 -b .disable-openh264-download
%patch229 -p1 -b .firefox-nss-addon-hack %patch229 -p1 -b .firefox-nss-addon-hack
%patch230 -p1 -b .disable-openpgp-in-thunderbird
%patch231 -p1 -b .cbindgen-already-covers %patch231 -p1 -b .cbindgen-already-covers
%patch415 -p1 -b .1670333 %patch415 -p1 -b .1670333
@ -608,6 +629,30 @@ echo "use_rustts %{?use_rustts}"
%patch424 -p1 -b .svg-rendering %patch424 -p1 -b .svg-rendering
%patch425 -p1 -b .D158770.diff %patch425 -p1 -b .D158770.diff
# librnp with openssl support, not available in RHEL7 because it requires openssl >= 1.1.1:
%if %{?use_openssl_for_librnp}
%patch5426 -p1 -b .backport-rnp-0.16.2-to-esr102-a-bug-1753683
%patch5427 -p1 -b .backport-rnp-0.16.2-to-esr102-b-bug-1790446
%patch5428 -p1 -b .backport-rnp-0.16.2-to-esr102-c-bug-1790446
%patch5429 -p1 -b .backport-rnp-0.16.2-to-esr102-d-bug-1790446
%patch5430 -p1 -b .backport-rnp-0.16.2-to-esr102-e-bug-1790116
%patch5431 -p1 -b .backport-rnp-0.16.2-to-esr102-f-bug-1790116
%patch5432 -p1 -b .backport-rnp-0.16.2-to-esr102-g-bug-1790116
%patch5433 -p1 -b .backport-rnp-0.16.2-to-esr102-h-bug-1790116
%patch5434 -p1 -b .backport-rnp-0.16.2-to-esr102-i-bug-1790116
%patch5435 -p1 -b .backport-rnp-0.16.2-to-esr102-j-bug-1790662
%patch5436 -p1 -b .backport-rnp-0.16.2-to-esr102-k-bug-1790662
%patch5437 -p1 -b .backport-rnp-0.16.2-to-esr102-l-bug-1791195
%patch5438 -p1 -b .backport-rnp-0.16.2-to-esr102-m-bug-1791195
%patch5439 -p1 -b .backport-rnp-use-openssl
pushd comm
%patch5479 -p1 -b .D161379.diff
%patch5480 -p1 -b .D161895.diff
popd
%else
%patch230 -p1 -b .disable-openpgp-in-thunderbird
%endif
# PGO patches # PGO patches
%if %{build_with_pgo} %if %{build_with_pgo}
%if !%{build_with_clang} %if !%{build_with_clang}
@ -708,6 +753,9 @@ echo "ac_add_options --disable-jemalloc" >> .mozconfig
%if !%{enable_mozilla_crashreporter} %if !%{enable_mozilla_crashreporter}
echo "ac_add_options --disable-crashreporter" >> .mozconfig echo "ac_add_options --disable-crashreporter" >> .mozconfig
%endif %endif
%if %{?use_openssl_for_librnp}
echo "ac_add_options --with-librnp-backend=openssl" >> .mozconfig
%endif
# AV1 requires newer nasm that was rebased in 8.4 # AV1 requires newer nasm that was rebased in 8.4
%if 0%{?rhel} == 7 || (0%{?rhel} == 8 && %{rhel_minor_version} < 4) %if 0%{?rhel} == 7 || (0%{?rhel} == 8 && %{rhel_minor_version} < 4)
@ -1127,8 +1175,11 @@ touch $RPM_BUILD_ROOT%{mozappdir}/components/xpti.dat
%{__cp} %{objdir}/dist/%{symbols_file_name} $RPM_BUILD_ROOT/%{moz_debug_dir} %{__cp} %{objdir}/dist/%{symbols_file_name} $RPM_BUILD_ROOT/%{moz_debug_dir}
%endif %endif
# Removing librnp.so - we cannot deliver that in RHELs # Removing librnp.so - we cannot deliver librnp with botan crypto backend RHELs
%if !%{?use_openssl_for_librnp}
%{__rm} -rf %{buildroot}%{mozappdir}/librnp.so %{buildroot}%{mozappdir}/rnp-cli %{buildroot}%{mozappdir}/rnpkeys %{__rm} -rf %{buildroot}%{mozappdir}/librnp.so %{buildroot}%{mozappdir}/rnp-cli %{buildroot}%{mozappdir}/rnpkeys
%endif
# Register as an application to be visible in the software center # Register as an application to be visible in the software center
mkdir -p $RPM_BUILD_ROOT%{_datadir}/metainfo mkdir -p $RPM_BUILD_ROOT%{_datadir}/metainfo
%{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml %{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml
@ -1211,6 +1262,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{mozappdir}/dependentlibs.list %{mozappdir}/dependentlibs.list
%{mozappdir}/fonts %{mozappdir}/fonts
%{mozappdir}/pingsender %{mozappdir}/pingsender
%if %{?use_openssl_for_librnp}
%{mozappdir}/librnp.so
%{mozappdir}/rnp-cli
%{mozappdir}/rnpkeys
%endif
%if 0%{?bundle_nss} %if 0%{?bundle_nss}
%{mozappdir}/bundled/%{_lib}/libfreebl* %{mozappdir}/bundled/%{_lib}/libfreebl*
@ -1228,6 +1284,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#=============================================================================== #===============================================================================
%changelog %changelog
* Tue Nov 29 2022 Jan Horak <jhorak@redhat.com> - 102.5.0-3
- Use openssl for the librnp crypto backend to enable the openpgp encryption
* Tue Nov 15 2022 Eike Rathke <erack@redhat.com> - 102.5.0-2 * Tue Nov 15 2022 Eike Rathke <erack@redhat.com> - 102.5.0-2
- Update to 102.5.0 build2 - Update to 102.5.0 build2
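Review bot: The added `BuildRequires: pkgconfig(openssl)` carries no version although the comment in `%prep` says librnp needs openssl >= 1.1.1; `BuildRequires: pkgconfig(openssl) >= 1.1.1` would make the build fail early on an older library instead of relying on the RHEL 7 switch alone. The new conditionals are written `%if %{?use_openssl_for_librnp}`, which expands to a bare `%if` if the macro is ever undefined; the form the spec already uses for `bundle_nss`, `%if 0%{?use_openssl_for_librnp}`, is safer. With this change `rnp-cli` and `rnpkeys` are listed in `%files` next to `librnp.so`; if Thunderbird needs only the library, leaving the two command-line tools out would reduce what is shipped.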