From 04327a77004aa78f5944950e911ae16b0d8c649d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 25 2021 16:18:59 +0000 Subject: import firefox-91.2.0-5.el7_9 --- diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch b/SOURCES/Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch deleted file mode 100644 index 6dfe2ad..0000000 --- a/SOURCES/Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up firefox-60.0/mfbt/LinuxSignal.h.mozilla-1238661 firefox-60.0/mfbt/LinuxSignal.h ---- firefox-60.0/mfbt/LinuxSignal.h.mozilla-1238661 2018-04-27 08:55:38.848241768 +0200 -+++ firefox-60.0/mfbt/LinuxSignal.h 2018-04-27 09:06:47.946769859 +0200 -@@ -22,7 +22,7 @@ __attribute__((naked)) void SignalTrampo - void* aContext) { - asm volatile("nop; nop; nop; nop" : : : "memory"); - -- asm volatile("b %0" : : "X"(H) : "memory"); -+ asm volatile("bx %0" : : "r"(H), "l"(aSignal), "l"(aInfo), "l"(aContext) : "memory"); - } - - # define MOZ_SIGNAL_TRAMPOLINE(h) (mozilla::SignalTrampoline) diff --git a/SOURCES/Bug-1526653---fix_user_vfp_armv7.patch b/SOURCES/Bug-1526653---fix_user_vfp_armv7.patch deleted file mode 100644 index 3f84f95..0000000 --- a/SOURCES/Bug-1526653---fix_user_vfp_armv7.patch +++ /dev/null @@ -1,35 +0,0 @@ -From fd6847c9416f9eebde636e21d794d25d1be8791d Mon Sep 17 00:00:00 2001 -From: Mike Hommey -Date: Sat, 1 Jun 2019 09:06:01 +0900 -Subject: [PATCH] Bug 1526653 - Include struct definitions for user_vfp and - user_vfp_exc. - ---- - js/src/wasm/WasmSignalHandlers.cpp | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/js/src/wasm/WasmSignalHandlers.cpp b/js/src/wasm/WasmSignalHandlers.cpp -index 636537f8478..383c380f04c 100644 ---- a/js/src/wasm/WasmSignalHandlers.cpp -+++ b/js/src/wasm/WasmSignalHandlers.cpp -@@ -248,7 +248,16 @@ using mozilla::DebugOnly; - #endif - - #ifdef WASM_EMULATE_ARM_UNALIGNED_FP_ACCESS --# include -+struct user_vfp { -+ unsigned long long fpregs[32]; -+ unsigned long fpscr; -+}; -+ -+struct user_vfp_exc { -+ unsigned long fpexc; -+ unsigned long fpinst; -+ unsigned long fpinst2; -+}; - #endif - - #if defined(ANDROID) --- -2.20.1 - diff --git a/SOURCES/distribution.ini b/SOURCES/distribution.ini index 0a0429e..8bf461e 100644 --- a/SOURCES/distribution.ini +++ b/SOURCES/distribution.ini @@ -1,7 +1,7 @@ [Global] id=redhat version=1.0 -about=Mozilla Firefox for CentOS Linux +about=Mozilla Firefox for Red Hat Enterprise Linux [Preferences] app.distributor=redhat diff --git a/SOURCES/fips-quic.patch b/SOURCES/fips-quic.patch new file mode 100644 index 0000000..777684b --- /dev/null +++ b/SOURCES/fips-quic.patch @@ -0,0 +1,211 @@ +diff -up firefox-91.2.0/Cargo.toml.fips-quic firefox-91.2.0/Cargo.toml +--- firefox-91.2.0/Cargo.toml.fips-quic 2021-10-21 09:40:17.235999423 +0200 ++++ firefox-91.2.0/Cargo.toml 2021-10-21 11:21:06.746558028 +0200 +@@ -109,3 +109,12 @@ path = "third_party/rust/failure" + + [patch.crates-io.prost-derive] + path = "third_party/rust/prost-derive" ++ ++[patch."https://github.com/mozilla/neqo"] ++neqo-crypto = { path = "third_party/rust/neqo-crypto" } ++neqo-transport = { path = "third_party/rust/neqo-transport" } ++neqo-qpack = { path = "third_party/rust/neqo-qpack" } ++neqo-common = { path = "third_party/rust/neqo-common" } ++ ++ ++ +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml +--- firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/bindings/bindings.toml 2021-10-21 08:49:01.762221759 +0200 +@@ -163,7 +163,7 @@ functions = [ + "PK11_GetKeyData", + "PK11_GetMechanism", + "PK11_HPKE_Serialize", +- "PK11_ImportSymKey", ++ "PK11_ImportDataKey", + "PK11_ReadRawAttribute", + "PK11_ReferenceSymKey", + "SECITEM_FreeItem", +@@ -196,11 +196,10 @@ variables = [ + "CKM_AES_ECB", + "CKM_AES_GCM", + "CKM_EC_KEY_PAIR_GEN", ++ "CKM_HKDF_DERIVE", + "CKM_INVALID_MECHANISM", + "CKM_NSS_CHACHA20_CTR", + "CKM_NSS_CHACHA20_POLY1305", +- "CKM_NSS_HKDF_SHA256", +- "CKM_NSS_HKDF_SHA384", + "PK11_ATTR_INSENSITIVE", + "PK11_ATTR_PRIVATE", + "PK11_ATTR_PUBLIC", +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/src/hkdf.rs 2021-10-21 08:49:01.763221763 +0200 +@@ -10,8 +10,8 @@ use crate::constants::{ + }; + use crate::err::{Error, Res}; + use crate::p11::{ +- random, Item, PK11Origin, PK11SymKey, PK11_ImportSymKey, Slot, SymKey, CKA_DERIVE, +- CKM_NSS_HKDF_SHA256, CKM_NSS_HKDF_SHA384, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, ++ random, Item, PK11Origin, PK11SymKey, PK11_ImportDataKey, Slot, SymKey, CKA_DERIVE, ++ CKM_HKDF_DERIVE, CK_ATTRIBUTE_TYPE, CK_MECHANISM_TYPE, + }; + + use std::convert::TryFrom; +@@ -52,27 +52,22 @@ fn key_size(version: Version, cipher: Ci + /// # Errors + /// Only if NSS fails. + pub fn generate_key(version: Version, cipher: Cipher) -> Res { +- import_key(version, cipher, &random(key_size(version, cipher)?)) ++ import_key(version, &random(key_size(version, cipher)?)) + } + + /// Import a symmetric key for use with HKDF. + /// + /// # Errors + /// Errors returned if the key buffer is an incompatible size or the NSS functions fail. +-pub fn import_key(version: Version, cipher: Cipher, buf: &[u8]) -> Res { ++pub fn import_key(version: Version, buf: &[u8]) -> Res { + if version != TLS_VERSION_1_3 { + return Err(Error::UnsupportedVersion); + } +- let mech = match cipher { +- TLS_AES_128_GCM_SHA256 | TLS_CHACHA20_POLY1305_SHA256 => CKM_NSS_HKDF_SHA256, +- TLS_AES_256_GCM_SHA384 => CKM_NSS_HKDF_SHA384, +- _ => return Err(Error::UnsupportedCipher), +- }; + let slot = Slot::internal()?; + let key_ptr = unsafe { +- PK11_ImportSymKey( ++ PK11_ImportDataKey( + *slot, +- CK_MECHANISM_TYPE::from(mech), ++ CK_MECHANISM_TYPE::from(CKM_HKDF_DERIVE), + PK11Origin::PK11_OriginUnwrap, + CK_ATTRIBUTE_TYPE::from(CKA_DERIVE), + &mut Item::wrap(buf), +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs.fips-quic 2021-09-28 18:41:41.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/src/selfencrypt.rs 2021-10-21 08:49:01.763221763 +0200 +@@ -41,7 +41,7 @@ impl SelfEncrypt { + + fn make_aead(&self, k: &SymKey, salt: &[u8]) -> Res { + debug_assert_eq!(salt.len(), Self::SALT_LENGTH); +- let salt = hkdf::import_key(self.version, self.cipher, salt)?; ++ let salt = hkdf::import_key(self.version, salt)?; + let secret = hkdf::extract(self.version, self.cipher, Some(&salt), k)?; + Aead::new(self.version, self.cipher, &secret, "neqo self") + } +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs.fips-quic 2021-09-28 18:41:35.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/aead.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -26,7 +26,6 @@ fn make_aead(cipher: Cipher) -> Aead { + + let secret = hkdf::import_key( + TLS_VERSION_1_3, +- cipher, + &[ + 0x47, 0xb2, 0xea, 0xea, 0x6c, 0x26, 0x6e, 0x32, 0xc0, 0x69, 0x7a, 0x9e, 0x2a, 0x89, + 0x8b, 0xdf, 0x5c, 0x4f, 0xb3, 0xe5, 0xac, 0x34, 0xf0, 0xe5, 0x49, 0xbf, 0x2c, 0x58, +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hkdf.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -38,8 +38,8 @@ fn cipher_hash_len(cipher: Cipher) -> us + fn import_keys(cipher: Cipher) -> (SymKey, SymKey) { + let l = cipher_hash_len(cipher); + ( +- hkdf::import_key(TLS_VERSION_1_3, cipher, &SALT[0..l]).expect("import salt"), +- hkdf::import_key(TLS_VERSION_1_3, cipher, &IKM[0..l]).expect("import IKM"), ++ hkdf::import_key(TLS_VERSION_1_3, &SALT[0..l]).expect("import salt"), ++ hkdf::import_key(TLS_VERSION_1_3, &IKM[0..l]).expect("import IKM"), + ) + } + +diff -up firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs +--- firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-crypto/tests/hp.rs 2021-10-21 08:49:01.764221767 +0200 +@@ -9,7 +9,7 @@ use neqo_crypto::hp::HpKey; + use test_fixture::fixture_init; + + fn make_hp(cipher: Cipher) -> HpKey { +- let ikm = hkdf::import_key(TLS_VERSION_1_3, cipher, &[0; 16]).expect("import IKM"); ++ let ikm = hkdf::import_key(TLS_VERSION_1_3, &[0; 16]).expect("import IKM"); + let prk = hkdf::extract(TLS_VERSION_1_3, cipher, None, &ikm).expect("extract works"); + HpKey::extract(TLS_VERSION_1_3, cipher, &prk, "hp").expect("extract label works") + } +diff -up firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-http3/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-qpack/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/Cargo.toml +diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs.fips-quic 2021-09-28 18:41:44.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-transport/src/crypto.rs 2021-10-21 08:49:01.765221771 +0200 +@@ -432,14 +432,8 @@ impl CryptoDxState { + let initial_secret = hkdf::extract( + TLS_VERSION_1_3, + cipher, +- Some( +- hkdf::import_key(TLS_VERSION_1_3, cipher, salt) +- .as_ref() +- .unwrap(), +- ), +- hkdf::import_key(TLS_VERSION_1_3, cipher, dcid) +- .as_ref() +- .unwrap(), ++ Some(hkdf::import_key(TLS_VERSION_1_3, salt).as_ref().unwrap()), ++ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), + ) + .unwrap(); + +@@ -1094,8 +1088,7 @@ impl CryptoStates { + let app_read = |epoch| CryptoDxAppData { + dx: read(epoch), + cipher: TLS_AES_128_GCM_SHA256, +- next_secret: hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &[0xaa; 32]) +- .unwrap(), ++ next_secret: hkdf::import_key(TLS_VERSION_1_3, &[0xaa; 32]).unwrap(), + }; + Self { + initial: Some(CryptoState { +@@ -1120,8 +1113,7 @@ impl CryptoStates { + 0x00, 0xa1, 0x54, 0x43, 0xf1, 0x82, 0x03, 0xa0, 0x7d, 0x60, 0x60, 0xf6, 0x88, 0xf3, + 0x0f, 0x21, 0x63, 0x2b, + ]; +- let secret = +- hkdf::import_key(TLS_VERSION_1_3, TLS_CHACHA20_POLY1305_SHA256, SECRET).unwrap(); ++ let secret = hkdf::import_key(TLS_VERSION_1_3, SECRET).unwrap(); + let app_read = |epoch| CryptoDxAppData { + dx: CryptoDxState { + direction: CryptoDxDirection::Read, +diff -up firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-transport/src/packet/retry.rs 2021-10-21 08:49:01.766221775 +0200 +@@ -28,7 +28,7 @@ fn make_aead(secret: &[u8]) -> Aead { + #[cfg(debug_assertions)] + ::neqo_crypto::assert_initialized(); + +- let secret = hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, secret).unwrap(); ++ let secret = hkdf::import_key(TLS_VERSION_1_3, secret).unwrap(); + Aead::new(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, &secret, "quic ").unwrap() + } + thread_local!(static RETRY_AEAD_29: RefCell = RefCell::new(make_aead(RETRY_SECRET_29))); +diff -up firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs +--- firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs.fips-quic 2021-09-28 18:41:34.000000000 +0200 ++++ firefox-91.2.0/third_party/rust/neqo-transport/tests/common/mod.rs 2021-10-21 08:49:01.766221775 +0200 +@@ -121,13 +121,11 @@ pub fn client_initial_aead_and_hp(dcid: + TLS_VERSION_1_3, + TLS_AES_128_GCM_SHA256, + Some( +- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, INITIAL_SALT) ++ hkdf::import_key(TLS_VERSION_1_3, INITIAL_SALT) + .as_ref() + .unwrap(), + ), +- hkdf::import_key(TLS_VERSION_1_3, TLS_AES_128_GCM_SHA256, dcid) +- .as_ref() +- .unwrap(), ++ hkdf::import_key(TLS_VERSION_1_3, dcid).as_ref().unwrap(), + ) + .unwrap(); + diff --git a/SOURCES/firefox-centos-default-prefs.js b/SOURCES/firefox-centos-default-prefs.js deleted file mode 100644 index 039e27f..0000000 --- a/SOURCES/firefox-centos-default-prefs.js +++ /dev/null @@ -1,35 +0,0 @@ -pref("app.update.auto", false); -pref("app.update.enabled", false); -pref("app.update.autoInstallEnabled", false); -pref("general.smoothScroll", true); -pref("intl.locale.matchOS", true); -pref("toolkit.storage.synchronous", 0); -pref("toolkit.networkmanager.disable", false); -pref("offline.autoDetect", true); -pref("browser.backspace_action", 2); -pref("browser.display.use_system_colors", true); -pref("browser.download.folderList", 1); -pref("browser.link.open_external", 3); -pref("browser.shell.checkDefaultBrowser", false); -pref("network.manage-offline-status", true); -pref("extensions.shownSelectionUI", true); -pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "http://www.centos.org"); -pref("startup.homepage_welcome_url", "http://www.centos.org"); -pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); -pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -pref("media.gmp-gmpopenh264.provider.enabled",false); -pref("media.gmp-gmpopenh264.autoupdate",false); -pref("media.gmp-gmpopenh264.enabled",false); -pref("media.gmp-gmpopenh264.enabled",false); -pref("plugins.notifyMissingFlash", false); -/* See https://bugzilla.redhat.com/show_bug.cgi?id=1226489 */ -pref("browser.display.use_system_colors", false); -pref("layers.use-image-offscreen-surfaces", false); -/* Allow sending credetials to all https:// sites */ -pref("network.negotiate-auth.trusted-uris", "https://"); -pref("security.use_sqldb", false); -/* Use OS settings for UI language */ -pref("intl.locale.requested", ""); -/* See https://bugzilla.redhat.com/show_bug.cgi?id=1672424 */ -pref("storage.nfs_filesystem", true); diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index ca75363..1496b23 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec @@ -18,7 +18,7 @@ function dist_to_rhel_minor(str, start) end match = string.match(str, ".el8") if match then - return 5 + return 6 end return -1 end} @@ -129,7 +129,7 @@ end} Summary: Mozilla Firefox Web browser Name: firefox Version: 91.2.0 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ %if 0%{?rhel} == 9 @@ -200,6 +200,8 @@ Patch513: mozilla-bmo998749.patch Patch514: mozilla-s390x-skia-gradient.patch Patch515: mozilla-bmo1626236.patch Patch518: D110204-fscreen.diff +# https://github.com/mozilla/neqo/commit/2e1785a6b3b85316a2451cdb2dc3027c192a7533 +Patch519: fips-quic.patch # Flatpak patches @@ -442,6 +444,7 @@ echo "use_rustts %{?use_rustts}" #%patch514 -p1 -b .mozilla-s390x-skia-gradient %patch515 -p1 -b .mozilla-bmo1626236 %patch518 -p1 -b .D110204-fscreen.diff +%patch519 -p1 -b .fips-quic %patch1001 -p1 -b .ppc64le-inline @@ -1105,7 +1108,7 @@ sed -i -e 's|%PREFIX%|%{_prefix}|' %{buildroot}%{mozappdir}/defaults/preferences echo 'pref("security.pki.use_modern_crypto_with_pkcs12", true);' >> %{buildroot}%{mozappdir}/defaults/preferences/all-redhat.js %endif -%ifarch s390x +%ifarch s390x ppc64 echo 'pref("gfx.webrender.force-disabled", true);' >> %{buildroot}%{mozappdir}/defaults/preferences/all-redhat.js %endif @@ -1247,6 +1250,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Thu Oct 21 2021 Jan Horak - 91.2.0-5 +- Fixed crashes when FIPS is enabled. + * Mon Oct 04 2021 Jan Horak - 91.2.0-4 - Disable webrender on the s390x due to wrong colors: rhbz#2009503