Drop nss321 backport, do an NSS/BoringSSL "chimera build" instead

* Thu Jan 14 2016 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.0-0.13.beta - Drop nss321 backport (and the related nss-headers patch), it did not help - Do an NSS/BoringSSL "chimera build" as will be the default in Chromium 47 - Update License accordingly (add "OpenSSL") - Fix the "chimera build" to call EnsureNSSHttpIOInit (backport from Chromium)
2016-01-14 17:37:36 +01:00 · 2016-01-14 17:37:36 +01:00 · 9a15e3c582
commit 9a15e3c582
parent 12c45adaf5
5 changed files with 69 additions and 8466 deletions
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@ -24,12 +24,12 @@
 Summary: Qt5 - QtWebEngine components
 Name:    qt5-qtwebengine
 Version: 5.6.0
-Release: 0.12.beta%{?dist}
+Release: 0.13.beta%{?dist}

 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details
 # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html
 # The other licenses are from Chromium and the code it bundles
-License: (LGPLv2 with exceptions or GPLv3 with exceptions) and BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and (MPLv1.1 or GPLv2 or LGPLv2)
+License: (LGPLv2 with exceptions or GPLv3 with exceptions) and BSD and LGPLv2+ and ASL 2.0 and IJG and MIT and GPLv2+ and ISC and OpenSSL and (MPLv1.1 or GPLv2 or LGPLv2)
 URL:     http://www.qt.io
 # cleaned tarball with patent-encumbered codecs removed from the bundled FFmpeg
 # wget http://download.qt.io/development_releases/qt/5.6/5.6.0-beta/submodules/qtwebengine-opensource-src-5.6.0-beta.7z
@ -41,7 +41,8 @@ Source2: clean_ffmpeg.sh
 Source3: process_ffmpeg_gyp.py
 # do not compile with -Wno-format, which also bypasses -Werror-format-security
 Patch0:  qtwebengine-opensource-src-5.6.0-beta-no-format.patch
-# some tweaks to linux.pri (system libs, link libpci, run unbundling script)
+# some tweaks to linux.pri (system libs, link libpci, run unbundling script,
+# do an NSS/BoringSSL "chimera build", see Provides: bundled(boringssl) comment)
 Patch1:  qtwebengine-opensource-src-5.6.0-beta-linux-pri.patch
 # don't require the time zone detection API backported from ICU 55 (thanks spot)
 Patch2:  qtwebengine-opensource-src-5.6.0-beta-system-icu54.patch
@ -60,11 +61,9 @@ Patch5:  qtwebengine-opensource-src-5.6.0-beta-system-nspr-prtime.patch
 # I checked the history of that directory, and other than the renames I am
 # undoing, there were no modifications at all. Must be applied after Patch5.
 Patch6:  qtwebengine-opensource-src-5.6.0-beta-system-icu-utf.patch
-# update the bundled patched NSS SSL implementation to NSS 3.21, matching the
-# system NSS (backport of https://codereview.chromium.org/1511123006)
-Patch7:  qtwebengine-opensource-src-5.6.0-beta-nss321.patch
-# add missing nssoptions.h and verref.h headers needed by the above, from NSS
-Patch8:  qtwebengine-opensource-src-5.6.0-beta-nss-headers.patch
+# fix the NSS/BoringSSL "chimera build" to call EnsureNSSHttpIOInit
+# backport of https://codereview.chromium.org/1385473003
+Patch7:  qtwebengine-opensource-src-5.6.0-beta-chimera-nss-init.patch

 # the architectures theoretically supported by the version of V8 used (#1298011)
 # You may need some minor patching to build on one of the secondary
@ -164,6 +163,15 @@ Provides: bundled(chromium) = 45
 # Check src/3rdparty/chromium/third_party/*/README.chromium for version numbers,
 # except where specified otherwise.
 Provides: bundled(angle) = 2422
+# Google's fork of OpenSSL
+# We cannot build against NSS instead because it no longer works with NSS 3.21:
+# HTTPS on, ironically, Google's sites (Google, YouTube, etc.) stops working
+# completely and produces only ERR_SSL_PROTOCOL_ERROR errors:
+# http://kaosx.us/phpBB3/viewtopic.php?t=1235
+# https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+bug/1520568
+# So we have to do what Chromium 47 now defaults to: a "chimera build", i.e.,
+# use the BoringSSL code and the system NSS certificates.
+Provides: bundled(boringssl)
 Provides: bundled(brotli)
 # Don't get too excited. MPEG and other legally problematic stuff is stripped
 # out. See clean_qtwebengine.sh, clean_ffmpeg.sh, and process_ffmpeg_gyp.py.
@ -220,12 +228,6 @@ Provides: bundled(xdg-user-dirs) = 0.10
 # Check src/3rdparty/chromium/third_party/net/*/README.chromium for version
 # numbers, except where specified otherwise.
 Provides: bundled(mozilla_security_manager) = 1.9.2
-# Ewww... Chromium uses the system NSS, but bundles a heavily patched version of
-# its SSL implementation. This might crash and burn sooner or later!
-# See also Patch7, which updates it from 3.19 to 3.21, because the mix of
-# versions was indeed causing issues. (Ironically, HTTPS not working on Google's
-# own sites!)
-Provides: bundled(nss) = 3.21

 # Bundled in src/3rdparty/chromium/url/third_party:
 # Check src/3rdparty/chromium/third_party/url/*/README.chromium for version
@ -281,8 +283,7 @@ BuildArch: noarch
 %patch4 -p1 -b .no-neon
 %patch5 -p1 -b .system-nspr-prtime
 %patch6 -p1 -b .system-icu-utf
-%patch7 -p1 -b .nss321
-%patch8 -p1 -b .nss-headers
+%patch7 -p1 -b .chimera-nss-init

 %build
 export STRIP=strip
@ -352,6 +353,12 @@ popd


 %changelog
+* Thu Jan 14 2016 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.0-0.13.beta
+- Drop nss321 backport (and the related nss-headers patch), it did not help
+- Do an NSS/BoringSSL "chimera build" as will be the default in Chromium 47
+- Update License accordingly (add "OpenSSL")
+- Fix the "chimera build" to call EnsureNSSHttpIOInit (backport from Chromium)
+
 * Wed Jan 13 2016 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.0-0.12.beta
 - Update forked NSS SSL code to 3.21, match system NSS (backport from Chromium)

--- a/qtwebengine-opensource-src-5.6.0-beta-chimera-nss-init.patch
+++ b/qtwebengine-opensource-src-5.6.0-beta-chimera-nss-init.patch
@ -0,0 +1,29 @@
+diff -ur qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/socket/ssl_client_socket_openssl.cc qtwebengine-opensource-src-5.6.0-beta-chimera-nss-init/src/3rdparty/chromium/net/socket/ssl_client_socket_openssl.cc
+--- qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/socket/ssl_client_socket_openssl.cc	2015-12-10 18:17:21.000000000 +0100
+++ qtwebengine-opensource-src-5.6.0-beta-chimera-nss-init/src/3rdparty/chromium/net/socket/ssl_client_socket_openssl.cc	2016-01-14 17:11:38.432633534 +0100
+@@ -57,6 +57,10 @@
+ #include "net/ssl/ssl_platform_key.h"
+ #endif
+ 
+#if defined(USE_NSS_CERTS) || defined(OS_IOS)
+#include "net/cert_net/nss_ocsp.h"
+#endif
+
+ namespace net {
+ 
+ namespace {
+@@ -795,6 +799,14 @@
+   DCHECK(!ssl_);
+   DCHECK(!transport_bio_);
+ 
+#if defined(USE_NSS_CERTS) || defined(OS_IOS)
+  if (ssl_config_.cert_io_enabled) {
+    // TODO(davidben): Move this out of SSLClientSocket. See
+    // https://crbug.com/539520.
+    EnsureNSSHttpIOInit();
+  }
+#endif
+
+   SSLContext* context = SSLContext::GetInstance();
+   crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+ 
--- a/qtwebengine-opensource-src-5.6.0-beta-linux-pri.patch
+++ b/qtwebengine-opensource-src-5.6.0-beta-linux-pri.patch
@ -1,7 +1,22 @@
 diff -ur qtwebengine-opensource-src-5.6.0-beta/src/core/config/linux.pri qtwebengine-opensource-src-5.6.0-beta-linux-pri/src/core/config/linux.pri
 --- qtwebengine-opensource-src-5.6.0-beta/src/core/config/linux.pri	2015-12-14 16:27:24.000000000 +0100
-+++ qtwebengine-opensource-src-5.6.0-beta-linux-pri/src/core/config/linux.pri	2016-01-06 04:43:23.115923478 +0100
-@@ -40,6 +40,28 @@
+++ qtwebengine-opensource-src-5.6.0-beta-linux-pri/src/core/config/linux.pri	2016-01-14 17:31:05.765975551 +0100
+@@ -18,7 +18,13 @@
+     use_kerberos=0 \
+     use_pango=0
+ 
+-!use?(nss) {
+use?(nss) {
+# do a "chimera build" (BoringSSL code, NSS certs): This is the default in
+# Chromium 47+, and it is the only variant that works with NSS 3.21.
+    GYP_CONFIG += use_nss_certs=1 \
+        use_openssl=1 \
+        use_openssl_certs=0
+} else {
+     GYP_CONFIG += use_nss_certs=0 \
+         use_openssl=1 \
+         use_openssl_certs=1
+@@ -40,6 +46,28 @@
 use?(system_snappy):   GYP_CONFIG += use_system_snappy=1
 use?(system_speex):    GYP_CONFIG += use_system_speex=1
 use?(system_vpx):      GYP_CONFIG += use_system_libvpx=1
--- a/qtwebengine-opensource-src-5.6.0-beta-nss-headers.patch
+++ b/qtwebengine-opensource-src-5.6.0-beta-nss-headers.patch
@ -1,69 +0,0 @@
-diff -Nur qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/nssoptions.h qtwebengine-opensource-src-5.6.0-beta-nss-headers/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/nssoptions.h
--- qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/nssoptions.h	1970-01-01 01:00:00.000000000 +0100
-+++ qtwebengine-opensource-src-5.6.0-beta-nss-headers/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/nssoptions.h	2016-01-13 23:34:30.880040223 +0100
-@@ -0,0 +1,21 @@
-+/*
-+ * NSS utility functions
-+ *
-+ * This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-+/*
-+ *  Include the default limits here
-+ */
-+/* SSL default limits are here so we don't have to import a private SSL header 
-+ * file into NSS proper */
-+
-+/* The minimum server key sizes accepted by the clients.
-+ * Not 1024 to be conservative. */
-+#define SSL_RSA_MIN_MODULUS_BITS 1023
-+/* 1023 to avoid cases where p = 2q+1 for a 512-bit q turns out to be
-+ * only 1023 bits and similar.  We don't have good data on whether this
-+ * happens because NSS used to count bit lengths incorrectly. */
-+#define SSL_DH_MIN_P_BITS 1023
-+#define SSL_DSA_MIN_P_BITS 1023
-+
-diff -Nur qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/verref.h qtwebengine-opensource-src-5.6.0-beta-nss-headers/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/verref.h
--- qtwebengine-opensource-src-5.6.0-beta/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/verref.h	1970-01-01 01:00:00.000000000 +0100
-+++ qtwebengine-opensource-src-5.6.0-beta-nss-headers/src/3rdparty/chromium/net/third_party/nss/ssl/bodge/verref.h	2016-01-13 23:59:22.996128771 +0100
-@@ -0,0 +1,40 @@
-+/* This Source Code Form is subject to the terms of the Mozilla Public
-+ * License, v. 2.0. If a copy of the MPL was not distributed with this
-+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-+
-+/* This header is used inline in a function to ensure that a version string
-+ * symbol is linked in and not optimized out. A volatile reference is added to
-+ * the variable identified by NSS_VERSION_VARIABLE.
-+ *
-+ * Use this as follows:
-+ *
-+ * #define NSS_VERSION_VARIABLE __nss_ssl_version
-+ * #include "verref.h"
-+ */
-+
-+/* Suppress unused variable warnings. */
-+#ifdef _MSC_VER
-+#pragma warning(push)
-+#pragma warning(disable: 4101)
-+#endif
-+/* This works for both gcc and clang */
-+#if defined(__GNUC__) && !defined(NSS_NO_GCC48)
-+#pragma GCC diagnostic push
-+#pragma GCC diagnostic ignored "-Wunused-variable"
-+#endif
-+
-+#ifndef NSS_VERSION_VARIABLE
-+#error NSS_VERSION_VARIABLE must be set before including "verref.h"
-+#endif
-+{
-+    extern const char NSS_VERSION_VARIABLE[];
-+    volatile const char _nss_version_c = NSS_VERSION_VARIABLE[0];
-+}
-+#undef NSS_VERSION_VARIABLE
-+
-+#ifdef _MSC_VER
-+#pragma warning(pop)
-+#endif
-+#if defined(__GNUC__) && !defined(NSS_NO_GCC48)
-+#pragma GCC diagnostic pop
-+#endif
--- a/qtwebengine-opensource-src-5.6.0-beta-nss321.patch
+++ b/qtwebengine-opensource-src-5.6.0-beta-nss321.patch