-rw-r--r-- | firefox-build-prbool.patch | 11 | ||||
-rw-r--r-- | firefox.spec | 4 | ||||
-rw-r--r-- | mozilla-1042889.patch | 81 |
3 files changed, 96 insertions, 0 deletions
diff --git a/firefox-build-prbool.patch b/firefox-build-prbool.patch new file mode 100644 index 0000000..c7424ea --- /dev/null +++ b/firefox-build-prbool.patch @@ -0,0 +1,11 @@ +diff -up mozilla-release/security/certverifier/OCSPCache.h.old mozilla-release/security/certverifier/OCSPCache.h +--- mozilla-release/security/certverifier/OCSPCache.h.old 2014-10-14 12:33:46.519970732 +0200 ++++ mozilla-release/security/certverifier/OCSPCache.h 2014-10-14 12:34:44.418000625 +0200 +@@ -25,6 +25,7 @@ + #ifndef mozilla_psm_OCSPCache_h + #define mozilla_psm_OCSPCache_h + ++#include "prtypes.h" + #include "hasht.h" + #include "mozilla/Mutex.h" + #include "mozilla/Vector.h" diff --git a/firefox.spec b/firefox.spec index ca4c800..98c9654 100644 --- a/firefox.spec +++ b/firefox.spec @@ -117,6 +117,7 @@ Patch3: mozilla-build-arm.patch Patch18: xulrunner-24.0-jemalloc-ppc.patch # workaround linking issue on s390 (JSContext::updateMallocCounter(size_t) not found) Patch19: xulrunner-24.0-s390-inlines.patch +Patch20: firefox-build-prbool.patch # Fedora specific patches # Unable to install addons from https pages @@ -127,6 +128,7 @@ Patch217: firefox-baseline-disable.patch # Upstream patches Patch300: mozilla-858919.patch +Patch301: mozilla-1042889.patch %if %{official_branding} # Required by Mozilla Corporation @@ -249,6 +251,7 @@ cd %{tarballdir} %endif %patch18 -p2 -b .jemalloc-ppc %patch19 -p2 -b .s390-inlines +%patch20 -p1 -b .prbool # For branding specific patches. @@ -263,6 +266,7 @@ cd %{tarballdir} # Upstream patches %patch300 -p1 -b .858919 +%patch301 -p1 -b .1042889 %if %{official_branding} # Required by Mozilla Corporation diff --git a/mozilla-1042889.patch b/mozilla-1042889.patch new file mode 100644 index 0000000..6061b9b --- /dev/null +++ b/mozilla-1042889.patch 
@@ -0,0 +1,81 @@
+diff --git a/dom/browser-element/BrowserElementChildPreload.js b/dom/browser-element/BrowserElementChildPreload.js
+--- a/dom/browser-element/BrowserElementChildPreload.js
++++ b/dom/browser-element/BrowserElementChildPreload.js
+@@ -90,16 +90,17 @@ function getErrorClass(errorCode) {
+ switch (NSPRCode) {
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_UNTRUSTED_CERT:
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
++ case SEC_ERROR_CA_CERT_INVALID:
+ case MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ return Ci.nsINSSErrorsService.ERROR_CLASS_BAD_CERT;
+ default:
+ return Ci.nsINSSErrorsService.ERROR_CLASS_SSL_PROTOCOL;
+ }
+
+ return null;
+ }
+diff --git a/security/manager/ssl/src/NSSErrorsService.cpp b/security/manager/ssl/src/NSSErrorsService.cpp
+--- a/security/manager/ssl/src/NSSErrorsService.cpp
++++ b/security/manager/ssl/src/NSSErrorsService.cpp
+@@ -136,16 +136,17 @@ NSSErrorsService::GetErrorClass(nsresult
+ // Overridable errors.
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case SEC_ERROR_UNTRUSTED_ISSUER:
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ case SEC_ERROR_UNTRUSTED_CERT:
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
++ case SEC_ERROR_CA_CERT_INVALID:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ *aErrorClass = ERROR_CLASS_BAD_CERT;
+ break;
+ // Non-overridable errors.
+ default:
+ *aErrorClass = ERROR_CLASS_SSL_PROTOCOL;
+ break;
+ }
+diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
+--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
++++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
+@@ -287,16 +287,17 @@ private:
+
+ // A probe value of 1 means "no error".
+ uint32_t
+ MapCertErrorToProbeValue(PRErrorCode errorCode)
+ {
+ switch (errorCode)
+ {
+ case SEC_ERROR_UNKNOWN_ISSUER: return 2;
++ case SEC_ERROR_CA_CERT_INVALID: return 3;
+ case SEC_ERROR_UNTRUSTED_ISSUER: return 4;
+ case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE: return 5;
+ case SEC_ERROR_UNTRUSTED_CERT: return 6;
+ case SEC_ERROR_INADEQUATE_KEY_USAGE: return 7;
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: return 8;
+ case SSL_ERROR_BAD_CERT_DOMAIN: return 9;
+ case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
+@@ -321,16 +322,17 @@ DetermineCertOverrideErrors(CERTCertific
+ MOZ_ASSERT(errorCodeMismatch == 0);
+ MOZ_ASSERT(errorCodeExpired == 0);
+
+ // Assumes the error prioritization described in mozilla::pkix's
+ // BuildForward function. Also assumes that CERT_VerifyCertName was only
+ // called if CertVerifier::VerifyCert succeeded.
+ switch (defaultErrorCodeToReport) {
+ case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
++ case SEC_ERROR_CA_CERT_INVALID:
+ case SEC_ERROR_UNKNOWN_ISSUER:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ {
+ collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
+ errorCodeTrust = defaultErrorCodeToReport;
+
+ SECCertTimeValidity validity = CERT_CheckCertValidTimes(cert, now, false);
+ if (validity == secCertTimeUndetermined) { |
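Review bot: The added `case SEC_ERROR_CA_CERT_INVALID:` in DetermineCertOverrideErrors falls into the branch that sets `collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED`, and both GetErrorClass changes classify it as ERROR_CLASS_BAD_CERT under the "Overridable errors" comment, so this error becomes one the user can add an override for, yet nothing in the patch or the spec entry records why that is acceptable. Because this is carried as a downstream patch, I would give the patch file a short header (or put a comment above `Patch301:` in firefox.spec) along the lines of `# upstream bug 1042889 (number taken from the file name): treat SEC_ERROR_CA_CERT_INVALID as an overridable bad-cert error`, and add a one-line comment at the new case in DetermineCertOverrideErrors saying the same. The list of overridable codes is maintained by hand in three files (BrowserElementChildPreload.js, NSSErrorsService.cpp, SSLServerCertVerification.cpp); the visible lines agree, but every enclosing function starts or ends outside its hunk, so agreement is confirmed only for what is shown. It is also worth confirming that probe value 3 in MapCertErrorToProbeValue was not used for a different error earlier, since a reused value would mix old and new telemetry counts.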