3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/pkgs/applications/networking/browsers
aszlig 8fb49973ce
firefox: Add patch to fix AES GCM IV bit size
Regression introduced by bce5268a21.

The bit size of the initialisation vector for AES GCM has been
introduced in NSS version 3.52 in the CK_GCM_PARMS struct via the
ulIvBits field.

Unfortunately, Firefox 68.8.0 and 76.0 do not set this field and thus it
gets initialised to zero, which in turn causes IV generation to fail.

I found out about this because WebRTC stopped working after updating to
NSS 3.52 and so I started bisecting.

Since there wasn't an obvious error in Firefox hinting towards NSS but
instead just the video stream ended up as a "null" stream, I didn't
suspect the NSS update to be the culprit at first. So I verified a few
times and then also started bisecting the actual commit in NSS that
caused the issue.

This turned out to be the problematic change:

https://phabricator.services.mozilla.com/D63241

> One notable change was caused by an inconsistancy between the spec and
> the released headers in PKCS#11 v2.40. CK_GCM_PARAMS had an extra
> field in the header that was not in the spec. OASIS considers the
> header file to be normative, so PKCS#11 v3.0 resolved the issue in
> favor of the header file definition.

Since the test I've used[1] was a bit flaky, I still didn't believe the
result of the bisect to be accurate, but after running the test several
times leading same results I dug through the above change line by line
to get more clues.

It fortunately didn't take that long to stumble upon the ulIvBits change
(which is actually documented in the NSS 3.52 release notes[4], but I
managed to blatantly ignore it for some reason) and started checking the
Firefox source tree for changes regarding that field.

Initialisation of that new field has been introduced[2] in preparation
for the 76 release, but subsequently got reverted[3] prior to the
release, because Firefox 76 is expected to be shipped with NSS 3.51,
which didn't have the ulIvBits field.

The patch I'm adding here is just a reintroduction of that change,
because we're using NSS 3.52. Not initialising that field will break
WebRTC and WebCrypto, which I think the former seems to gain in
popularity these days ;-)

Tested the change against the mentioned VM test[1] and also by testing
manually using Jitsi Meet and Nextcloud Talk.

[1]: https://github.com/aszlig/avonc/tree/884315838b6f0ebb32b/tests/talk
[2]: https://hg.mozilla.org/mozilla-central/rev/3ed30e6b6de1
[3]: https://hg.mozilla.org/mozilla-central/rev/665137da70ee
[4]: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.52_release_notes

Signed-off-by: aszlig <aszlig@nix.build>
2020-05-13 02:23:12 +02:00
..
arora treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
brave brave: 1.5.123 -> 1.7.92 2020-04-17 19:50:17 -04:00
browsh treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
captive-browser treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
chromium chromium: 81.0.4044.129 -> 81.0.4044.138 2020-05-06 01:11:53 +02:00
dillo treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
elinks treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
eolie treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
ephemeral github username: kjuvi -> xiorcale 2020-05-09 09:08:18 +02:00
falkon treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
firefox firefox: Add patch to fix AES GCM IV bit size 2020-05-13 02:23:12 +02:00
firefox-bin firefox-bin: 75.0 -> 76.0 2020-05-06 11:41:38 +02:00
google-chrome google-chrome-{beta,dev}: Fix one substituteInPlace pattern 2020-04-16 13:39:07 +02:00
links2 treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
luakit treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
lynx treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
midori treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
mozilla-plugins/flashplayer flashplayer: 32.0.0.344 -> 32.0.0.363 2020-04-18 23:08:58 +02:00
next treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
opera
palemoon palemoon: 28.8.4 -> 28.9.1, add GTK3 option 2020-04-27 21:02:09 -07:00
qtchan
qutebrowser qutebrowser: 1.11.0 -> 1.11.1 2020-05-12 18:46:09 +02:00
surf treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
tor-browser-bundle
tor-browser-bundle-bin tor-browser-bundle-bin: 9.0.7 -> 9.0.9 2020-04-09 18:51:59 +01:00
ungoogled-chromium treewide: per RFC45, remove more unquoted URLs 2020-05-08 15:20:47 +02:00
vimb treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
vivaldi Merge pull request #81997 from eadwu/vivaldi-snapshot/fix-rpath-libdrm_gbm 2020-05-07 08:17:27 -04:00
w3m treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00
webmacs treewide: Per RFC45, remove all unquoted URLs 2020-04-10 17:54:53 +01:00