From 23da23838e07a20d8b95a4979ff97674a1281e2d Mon Sep 17 00:00:00 2001
From: Kai Engert <kaie@redhat.com>
Date: Thu, 2 Mar 2017 17:56:48 +0100
Subject: Enable upstream fix for rhbz#1400293 mozbz#1324096 on F26 and
 Rawhide. Keep the old workaround on F24/F25, required base packages aren't
 available yet.

---
 firefox.spec                           | 25 ++++++++++--
 rhbz-1400293-fix-mozilla-1324096.patch | 72 ++++++++++++++++++++++++++++++++++
 rhbz-1400293-workaround.patch          | 37 +++++++++++++++++
 rhbz-1414535.patch                     | 37 -----------------
 4 files changed, 131 insertions(+), 40 deletions(-)
 create mode 100644 rhbz-1400293-fix-mozilla-1324096.patch
 create mode 100644 rhbz-1400293-workaround.patch
 delete mode 100644 rhbz-1414535.patch

diff --git a/firefox.spec b/firefox.spec
index 9bd8f35..e503593 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -97,7 +97,7 @@
 Summary:        Mozilla Firefox Web browser
 Name:           firefox
 Version:        51.0.1
-Release:        10%{?pre_tag}%{?dist}
+Release:        11%{?pre_tag}%{?dist}
 URL:            https://www.mozilla.org/firefox/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 Group:          Applications/Internet
@@ -135,7 +135,13 @@ Patch224:        mozilla-1170092.patch
 Patch225:        mozilla-1005640-accept-lang.patch
 #ARM run-time patch
 Patch226:        rhbz-1354671.patch
-Patch227:        rhbz-1414535.patch
+
+%if 0%{?fedora} > 25
+# Fix depends on p11-kit-trust 0.23.4 and enhanced ca-certificates.rpm
+Patch227:        rhbz-1400293-fix-mozilla-1324096.patch
+%else
+Patch227:        rhbz-1400293-workaround.patch
+%endif
 
 # Upstream patches
 Patch304:        mozilla-1253216.patch
@@ -195,6 +201,14 @@ Requires:       nspr >= %{nspr_build_version}
 Requires:       nss >= %{nss_build_version}
 %endif
 
+%if 0%{?fedora} > 25
+# For early testing of rhbz#1400293 mozbz#1324096 on F26 and Rawhide,
+# temporarily require the specific NSS build with the backports.
+# Can be removed after firefox is changed to require NSS 3.30.
+BuildRequires:  nss-devel >= 3.29.1-2.1
+Requires:       nss >= 3.29.1-2.1
+%endif
+
 BuildRequires:  desktop-file-utils
 BuildRequires:  system-bookmarks
 %if %{?system_sqlite}
@@ -287,7 +301,7 @@ cd %{tarballdir}
 %ifarch aarch64
 %patch226 -p1 -b .1354671
 %endif
-%patch227 -p1 -b .rh1414535
+%patch227 -p1 -b .rh1400293
 
 %patch304 -p1 -b .1253216
 %patch402 -p1 -b .1196777
@@ -801,6 +815,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #---------------------------------------------------------------------
 
 %changelog
+* Thu Mar 02 2017 Kai Engert <kaie@redhat.com> - 51.0.1-11
+- Enable upstream fix for rhbz#1400293 mozbz#1324096 on F26 and Rawhide.
+  Keep the old workaround on F24/F25, required base packages aren't
+  available yet.
+
 * Thu Mar 2 2017 Martin Stransky <stransky@redhat.com> - 51.0.1-10
 - Test another ARMv7 build setup (rhbz#1426850)
 
diff --git a/rhbz-1400293-fix-mozilla-1324096.patch b/rhbz-1400293-fix-mozilla-1324096.patch
new file mode 100644
index 0000000..4a2691e
--- /dev/null
+++ b/rhbz-1400293-fix-mozilla-1324096.patch
@@ -0,0 +1,72 @@
+diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
+--- a/security/certverifier/CertVerifier.cpp
++++ b/security/certverifier/CertVerifier.cpp
+@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC
+   }
+   CERTCertificate* root = rootNode->cert;
+   if (!root) {
+     return Result::FATAL_ERROR_LIBRARY_FAILURE;
+   }
+   return IsCertBuiltInRoot(root, result);
+ }
+ 
++// The term "builtin root" traditionally refers to a root CA certificate that
++// has been added to the NSS trust store, because it has been approved
++// for inclusion according to the Mozilla CA policy, and might be accepted
++// by Mozilla applications as an issuer for certificates seen on the public web.
+ Result
+ IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
+ {
+   result = false;
+ #ifdef DEBUG
+   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+   if (!component) {
+     return Result::FATAL_ERROR_LIBRARY_FAILURE;
+@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert,
+     return Success;
+   }
+ #endif // DEBUG
+   AutoSECMODListReadLock lock;
+   for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
+        list = list->next) {
+     for (int i = 0; i < list->module->slotCount; i++) {
+       PK11SlotInfo* slot = list->module->slots[i];
+-      // PK11_HasRootCerts should return true if and only if the given slot has
+-      // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which
+-      // should be true only of the builtin root list.
+-      // If we can find a copy of the given certificate on the slot with the
+-      // builtin root list, that certificate must be a builtin.
+-      if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) &&
+-          PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) {
+-        result = true;
+-        return Success;
++      // We're searching for the "builtin root module", which is a module that
++      // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST.
++      // We use PK11_HasRootCerts() to identify a module with that property.
++      // In the past, we exclusively used the PKCS#11 module named nssckbi,
++      // which is provided by the NSS library.
++      // Nowadays, some distributions use a replacement module, which contains
++      // the builtin roots, but which also contains additional CA certificates,
++      // such as CAs trusted in a local deployment.
++      // We want to be able to distinguish between these two categories,
++      // because a CA, which may issue certificates for the public web,
++      // is expected to comply with additional requirements.
++      // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true,
++      // then we treat it as a "builtin root".
++      if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
++        CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr);
++        if (handle != CK_INVALID_HANDLE &&
++            PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
++                                 false)) {
++          // Attribute was found, and is set to true
++          result = true;
++          break;
++        }
+       }
+     }
+   }
+   return Success;
+ }
+ 
+ static Result
+ BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,
diff --git a/rhbz-1400293-workaround.patch b/rhbz-1400293-workaround.patch
new file mode 100644
index 0000000..f9cc7c2
--- /dev/null
+++ b/rhbz-1400293-workaround.patch
@@ -0,0 +1,37 @@
+diff -up ./CertVerifier.cpp.ignoreBuiltinStatus ./CertVerifier.cpp
+--- ./security/certverifier/CertVerifier.cpp.ignoreBuiltinStatus	2016-10-31 21:15:28.000000000 +0100
++++ ./security/certverifier/CertVerifier.cpp	2016-12-16 21:35:32.155105623 +0100
+@@ -65,6 +65,9 @@ InitCertVerifierLog()
+ Result
+ IsCertChainRootBuiltInRoot(const UniqueCERTCertList& chain, bool& result)
+ {
++  result = false;
++  return Success;
++#if 0
+   if (!chain || CERT_LIST_EMPTY(chain)) {
+     return Result::FATAL_ERROR_LIBRARY_FAILURE;
+   }
+@@ -77,12 +80,15 @@ IsCertChainRootBuiltInRoot(const UniqueC
+     return Result::FATAL_ERROR_LIBRARY_FAILURE;
+   }
+   return IsCertBuiltInRoot(root, result);
++#endif
+ }
+ 
+ Result
+ IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
+ {
+   result = false;
++  return Success;
++#if 0
+ #ifdef DEBUG
+   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+   if (!component) {
+@@ -114,6 +120,7 @@ IsCertBuiltInRoot(CERTCertificate* cert,
+     }
+   }
+   return Success;
++#endif
+ }
+ 
+ static Result
diff --git a/rhbz-1414535.patch b/rhbz-1414535.patch
deleted file mode 100644
index f9cc7c2..0000000
--- a/rhbz-1414535.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-diff -up ./CertVerifier.cpp.ignoreBuiltinStatus ./CertVerifier.cpp
---- ./security/certverifier/CertVerifier.cpp.ignoreBuiltinStatus	2016-10-31 21:15:28.000000000 +0100
-+++ ./security/certverifier/CertVerifier.cpp	2016-12-16 21:35:32.155105623 +0100
-@@ -65,6 +65,9 @@ InitCertVerifierLog()
- Result
- IsCertChainRootBuiltInRoot(const UniqueCERTCertList& chain, bool& result)
- {
-+  result = false;
-+  return Success;
-+#if 0
-   if (!chain || CERT_LIST_EMPTY(chain)) {
-     return Result::FATAL_ERROR_LIBRARY_FAILURE;
-   }
-@@ -77,12 +80,15 @@ IsCertChainRootBuiltInRoot(const UniqueC
-     return Result::FATAL_ERROR_LIBRARY_FAILURE;
-   }
-   return IsCertBuiltInRoot(root, result);
-+#endif
- }
- 
- Result
- IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
- {
-   result = false;
-+  return Success;
-+#if 0
- #ifdef DEBUG
-   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
-   if (!component) {
-@@ -114,6 +120,7 @@ IsCertBuiltInRoot(CERTCertificate* cert,
-     }
-   }
-   return Success;
-+#endif
- }
- 
- static Result
-- 
cgit