Hello community, here is the log from the commit of package chromium for openSUSE:Factory checked in at 2019-09-17 13:37:52 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/chromium (Old) and /work/SRC/openSUSE:Factory/.chromium.new.7948 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "chromium" Tue Sep 17 13:37:52 2019 rev:230 rq:731231 version:77.0.3865.75 Changes: -------- --- /work/SRC/openSUSE:Factory/chromium/chromium.changes 2019-09-13 15:02:51.569288099 +0200 +++ /work/SRC/openSUSE:Factory/.chromium.new.7948/chromium.changes 2019-09-17 13:38:06.021836246 +0200 @@ -1,0 +2,20 @@ +Mon Sep 16 09:11:11 UTC 2019 - Tomáš Chvátal <[email protected]> + +- Add patch from Fedora for cert transparency: + * chromium-77.0.3865.75-certificate-transparency.patch + +------------------------------------------------------------------- +Mon Sep 16 08:06:10 UTC 2019 - Tomáš Chvátal <[email protected]> + +- Add patches from gentoo: + * chromium-77-clang.patch + * chromium-77-gcc-no-opt-safe-math.patch + * chromium-77-no-cups.patch + * chromium-77-std-string.patch + +------------------------------------------------------------------- +Thu Sep 12 10:29:13 UTC 2019 - Tomáš Chvátal <[email protected]> + +- Update patch old-libva.patch to build on openSUSE Leap 15.0 + +------------------------------------------------------------------- New: ---- chromium-77-clang.patch chromium-77-gcc-no-opt-safe-math.patch chromium-77-no-cups.patch chromium-77-std-string.patch chromium-77.0.3865.75-certificate-transparency.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ chromium.spec ++++++ --- /var/tmp/diff_new_pack.ZzSaCs/_old 2019-09-17 13:38:21.581833765 +0200 +++ /var/tmp/diff_new_pack.ZzSaCs/_new 2019-09-17 13:38:21.581833765 +0200 @@ -92,6 +92,11 @@ Patch17: chromium-77-gcc-abstract.patch Patch18: chromium-77-system-hb.patch Patch19: chromium-77-blink-include.patch +Patch20: chromium-77-clang.patch +Patch21: chromium-77-gcc-no-opt-safe-math.patch +Patch22: chromium-77-no-cups.patch +Patch23: chromium-77-std-string.patch +Patch24: chromium-77.0.3865.75-certificate-transparency.patch # Google seem not too keen on merging this but GPU accel is quite important # https://chromium-review.googlesource.com/c/chromium/src/+/532294 # https://github.com/saiarcot895/chromium-ubuntu-build/tree/master/debian/patches @@ -233,7 +238,7 @@ BuildRequires: pkgconfig(libtcmalloc) %endif %if %{with system_harfbuzz} -BuildRequires: pkgconfig(harfbuzz) > 2.3.0 +BuildRequires: pkgconfig(harfbuzz) > 2.4.0 %endif %if %{with system_libxml} BuildRequires: pkgconfig(libxml-2.0) >= 2.9.5 ++++++ chromium-77-clang.patch ++++++ diff --git a/base/location.h b/base/location.h index c07e747..924db1c 100644 --- a/base/location.h +++ b/base/location.h @@ -18,7 +18,7 @@ namespace base { -#if defined(__has_builtin) +#if defined(__clang__) // Clang allows detection of these builtins. #define SUPPORTS_LOCATION_BUILTINS \ (__has_builtin(__builtin_FUNCTION) && __has_builtin(__builtin_FILE) && \ ++++++ chromium-77-gcc-no-opt-safe-math.patch ++++++ diff -up chromium-77.0.3865.75/base/numerics/safe_math_shared_impl.h.nogccoptmath chromium-77.0.3865.75/base/numerics/safe_math_shared_impl.h --- chromium-77.0.3865.75/base/numerics/safe_math_shared_impl.h.nogccoptmath 2019-09-13 14:17:22.726738088 +0200 +++ chromium-77.0.3865.75/base/numerics/safe_math_shared_impl.h 2019-09-13 14:31:37.686898493 +0200 @@ -23,9 +23,8 @@ // Where available use builtin math overflow support on Clang and GCC. #elif !defined(__native_client__) && \ ((defined(__clang__) && \ - ((__clang_major__ > 3) || \ - (__clang_major__ == 3 && __clang_minor__ >= 4))) || \ - (defined(__GNUC__) && __GNUC__ >= 5)) + (__clang_major__ > 3) || \ + (__clang_major__ == 3 && __clang_minor__ >= 4))) #include "base/numerics/safe_math_clang_gcc_impl.h" #define BASE_HAS_OPTIMIZED_SAFE_MATH (1) #else ++++++ chromium-77-no-cups.patch ++++++ >From f768afdd3104e7da663aa82e1e8f969aea3f85c3 Mon Sep 17 00:00:00 2001 From: Lei Zhang <[email protected]> Date: Thu, 22 Aug 2019 11:44:27 -0700 Subject: [PATCH] Handle unsupported configs in CreatePrinterHandlerTaskRunner(). CreatePrinterHandlerTaskRunner(), which was added in https://crrev.com/658397, used ifdefs to only handle the supported build configs. Add a #else case as a catch-all to conservatively handle the unsupported configs. Since it is only a couple lines of trivial code, doing this does not create much of a maintenance burden. (backported to chromium-77) Bug: 990727 Change-Id: I07bd21abaeffc8223e88b519c3891185d5d2be12 --- diff --git a/chrome/browser/ui/webui/print_preview/local_printer_handler_default.cc b/chrome/browser/ui/webui/print_preview/local_printer_handler_default.cc index a1f3fd3..6e81f5e 100644 --- a/chrome/browser/ui/webui/print_preview/local_printer_handler_default.cc +++ b/chrome/browser/ui/webui/print_preview/local_printer_handler_default.cc @@ -33,12 +33,15 @@ scoped_refptr<base::TaskRunner> CreatePrinterHandlerTaskRunner() { static constexpr base::TaskTraits kTraits = { base::MayBlock(), base::TaskPriority::USER_VISIBLE}; -#if defined(OS_WIN) - // Windows drivers are likely not thread-safe. - return base::CreateSingleThreadTaskRunnerWithTraits(kTraits); -#elif defined(USE_CUPS) +#if defined(USE_CUPS) // CUPS is thread safe. - return base::CreateTaskRunnerWithTraits(kTraits); + return base::CreateTaskRunner(kTraits); +#elif defined(OS_WIN) + // Windows drivers are likely not thread-safe. + return base::CreateSingleThreadTaskRunner(kTraits); +#else + // Be conservative on unsupported platforms. + return base::CreateSingleThreadTaskRunner(kTraits); #endif } ++++++ chromium-77-std-string.patch ++++++ >From 74138b9febd37eac0fc26b8efb110014a83a52c6 Mon Sep 17 00:00:00 2001 From: Jeremy Roman <[email protected]> Date: Wed, 07 Aug 2019 13:26:48 +0000 Subject: [PATCH] WTF: Make LinkedHashSet understand values for which memset initialization would be bad. Includes a unit test which fails before, and uses this to fix FontCacheKeyTraits. Bug: 980025 Change-Id: If41f97444c7fd37b9b95d6dadaf3da5689079e9e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1739948 Reviewed-by: Kentaro Hara <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Commit-Queue: Jeremy Roman <[email protected]> Cr-Commit-Position: refs/heads/master@{#684731} --- diff --git a/third_party/blink/renderer/platform/fonts/font_cache_key.h b/third_party/blink/renderer/platform/fonts/font_cache_key.h index 0efc8fb..90063cb 100644 --- a/third_party/blink/renderer/platform/fonts/font_cache_key.h +++ b/third_party/blink/renderer/platform/fonts/font_cache_key.h @@ -133,6 +133,10 @@ struct FontCacheKeyTraits : WTF::SimpleClassHashTraits<FontCacheKey> { STATIC_ONLY(FontCacheKeyTraits); + + // std::string's empty state need not be zero in all implementations, + // and it is held within FontFaceCreationParams. + static const bool kEmptyValueIsZero = false; }; } // namespace blink diff --git a/third_party/blink/renderer/platform/wtf/linked_hash_set.h b/third_party/blink/renderer/platform/wtf/linked_hash_set.h index b35b6e9..77e524c 100644 --- a/third_party/blink/renderer/platform/wtf/linked_hash_set.h +++ b/third_party/blink/renderer/platform/wtf/linked_hash_set.h @@ -146,6 +146,11 @@ LinkedHashSetNodeBase* next) : LinkedHashSetNodeBase(prev, next), value_(value) {} + LinkedHashSetNode(ValueArg&& value, + LinkedHashSetNodeBase* prev, + LinkedHashSetNodeBase* next) + : LinkedHashSetNodeBase(prev, next), value_(std::move(value)) {} + LinkedHashSetNode(LinkedHashSetNode&& other) : LinkedHashSetNodeBase(std::move(other)), value_(std::move(other.value_)) {} @@ -445,10 +450,13 @@ // The slot is empty when the next_ field is zero so it's safe to zero // the backing. - static const bool kEmptyValueIsZero = true; + static const bool kEmptyValueIsZero = ValueTraits::kEmptyValueIsZero; static const bool kHasIsEmptyValueFunction = true; static bool IsEmptyValue(const Node& node) { return !node.next_; } + static Node EmptyValue() { + return Node(ValueTraits::EmptyValue(), nullptr, nullptr); + } static const int kDeletedValue = -1; diff --git a/third_party/blink/renderer/platform/wtf/list_hash_set_test.cc b/third_party/blink/renderer/platform/wtf/list_hash_set_test.cc index 4c3f899..cd1be00 100644 --- a/third_party/blink/renderer/platform/wtf/list_hash_set_test.cc +++ b/third_party/blink/renderer/platform/wtf/list_hash_set_test.cc @@ -487,6 +487,7 @@ }; struct Complicated { + Complicated() : Complicated(0) {} Complicated(int value) : simple_(value) { objects_constructed_++; } Complicated(const Complicated& other) : simple_(other.simple_) { @@ -495,9 +496,6 @@ Simple simple_; static int objects_constructed_; - - private: - Complicated() = delete; }; int Complicated::objects_constructed_ = 0; @@ -731,4 +729,45 @@ } // anonymous namespace +// A unit type which objects to its state being initialized wrong. +struct InvalidZeroValue { + InvalidZeroValue() = default; + InvalidZeroValue(WTF::HashTableDeletedValueType) : deleted_(true) {} + ~InvalidZeroValue() { CHECK(ok_); } + bool IsHashTableDeletedValue() const { return deleted_; } + + bool ok_ = true; + bool deleted_ = false; +}; + +template <> +struct HashTraits<InvalidZeroValue> : SimpleClassHashTraits<InvalidZeroValue> { + static const bool kEmptyValueIsZero = false; +}; + +template <> +struct DefaultHash<InvalidZeroValue> { + struct Hash { + static unsigned GetHash(const InvalidZeroValue&) { return 0; } + static bool Equal(const InvalidZeroValue&, const InvalidZeroValue&) { + return true; + } + }; +}; + +template <typename Set> +class ListOrLinkedHashSetInvalidZeroTest : public testing::Test {}; + +using InvalidZeroValueSetTypes = + testing::Types<ListHashSet<InvalidZeroValue>, + ListHashSet<InvalidZeroValue, 1>, + LinkedHashSet<InvalidZeroValue>>; +TYPED_TEST_SUITE(ListOrLinkedHashSetInvalidZeroTest, InvalidZeroValueSetTypes); + +TYPED_TEST(ListOrLinkedHashSetInvalidZeroTest, InvalidZeroValue) { + using Set = TypeParam; + Set set; + set.insert(InvalidZeroValue()); +} + } // namespace WTF ++++++ chromium-77.0.3865.75-certificate-transparency.patch ++++++ diff -up chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager_browsertest.cc --- chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager_browsertest.cc.certificate-transparency 2019-09-12 16:09:52.818635106 +0200 +++ chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager_browsertest.cc 2019-09-12 16:11:07.662562005 +0200 @@ -21,6 +21,7 @@ #include "components/version_info/version_info.h" #include "content/public/common/content_switches.h" #include "content/public/common/user_agent.h" +#include "services/network/public/cpp/network_service_buildflags.h" #include "services/network/public/mojom/network_context.mojom.h" #include "services/network/public/mojom/network_service.mojom.h" #include "testing/gmock/include/gmock/gmock.h" @@ -356,3 +357,55 @@ IN_PROC_BROWSER_TEST_P(SystemNetworkCont INSTANTIATE_TEST_SUITE_P(, SystemNetworkContextManagerFreezeQUICUaBrowsertest, ::testing::Values(true, false)); + +class SystemNetworkContextManagerCertificateTransparencyBrowsertest + : public SystemNetworkContextManagerBrowsertest, + public testing::WithParamInterface<base::Optional<bool>> { + public: + SystemNetworkContextManagerCertificateTransparencyBrowsertest() { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + GetParam()); + } + ~SystemNetworkContextManagerCertificateTransparencyBrowsertest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } +}; + +#if BUILDFLAG(IS_CT_SUPPORTED) +IN_PROC_BROWSER_TEST_P( + SystemNetworkContextManagerCertificateTransparencyBrowsertest, + CertificateTransparencyConfig) { + network::mojom::NetworkContextParamsPtr context_params = + g_browser_process->system_network_context_manager() + ->CreateDefaultNetworkContextParams(); + + const bool kDefault = +#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \ + !defined(OS_ANDROID) + true; +#else + false; +#endif + + EXPECT_EQ(GetParam().value_or(kDefault), + context_params->enforce_chrome_ct_policy); + EXPECT_NE(GetParam().value_or(kDefault), context_params->ct_logs.empty()); + + if (GetParam().value_or(kDefault)) { + bool has_google_log = false; + bool has_disqualified_log = false; + for (const auto& ct_log : context_params->ct_logs) { + has_google_log |= ct_log->operated_by_google; + has_disqualified_log |= ct_log->disqualified_at.has_value(); + } + EXPECT_TRUE(has_google_log); + EXPECT_TRUE(has_disqualified_log); + } +} +#endif + +INSTANTIATE_TEST_SUITE_P( + , + SystemNetworkContextManagerCertificateTransparencyBrowsertest, + ::testing::Values(base::nullopt, true, false)); diff -up chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.cc --- chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.cc.certificate-transparency 2019-09-09 23:55:09.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.cc 2019-09-12 16:09:52.819635118 +0200 @@ -4,11 +4,13 @@ #include "chrome/browser/net/system_network_context_manager.h" +#include <algorithm> #include <set> #include <unordered_map> #include <utility> #include "base/bind.h" +#include "base/build_time.h" #include "base/command_line.h" #include "base/feature_list.h" #include "base/logging.h" @@ -50,6 +52,7 @@ #include "content/public/common/mime_handler_view_mode.h" #include "content/public/common/service_names.mojom.h" #include "content/public/common/user_agent.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/associated_interface_ptr.h" #include "net/dns/public/util.h" #include "net/net_buildflags.h" @@ -79,6 +82,20 @@ namespace { +constexpr bool kCertificateTransparencyEnabled = +#if defined(GOOGLE_CHROME_BUILD) && defined(OFFICIAL_BUILD) && \ + !defined(OS_ANDROID) + // Certificate Transparency is only enabled if: + // - Desktop (!OS_ANDROID); OS_IOS does not use this file + // - base::GetBuildTime() is deterministic to the source (OFFICIAL_BUILD) + // - The build in reliably updatable (GOOGLE_CHROME_BUILD) + true; +#else + false; +#endif + +bool g_enable_certificate_transparency = kCertificateTransparencyEnabled; + // The global instance of the SystemNetworkContextmanager. SystemNetworkContextManager* g_system_network_context_manager = nullptr; @@ -658,14 +675,35 @@ SystemNetworkContextManager::CreateDefau bool http_09_on_non_default_ports_enabled = false; #if !defined(OS_ANDROID) - // CT is only enabled on Desktop platforms for now. - network_context_params->enforce_chrome_ct_policy = true; - for (const auto& ct_log : certificate_transparency::GetKnownLogs()) { - // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication. - network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); - log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length); - log_info->name = ct_log.log_name; - network_context_params->ct_logs.push_back(std::move(log_info)); + + if (g_enable_certificate_transparency) { + network_context_params->enforce_chrome_ct_policy = true; + network_context_params->ct_log_update_time = base::GetBuildTime(); + + std::vector<std::string> operated_by_google_logs = + certificate_transparency::GetLogsOperatedByGoogle(); + std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs = + certificate_transparency::GetDisqualifiedLogs(); + for (const auto& ct_log : certificate_transparency::GetKnownLogs()) { + // TODO(rsleevi): https://crbug.com/702062 - Remove this duplication. + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + log_info->public_key = std::string(ct_log.log_key, ct_log.log_key_length); + log_info->name = ct_log.log_name; + + std::string log_id = crypto::SHA256HashString(log_info->public_key); + log_info->operated_by_google = + std::binary_search(std::begin(operated_by_google_logs), + std::end(operated_by_google_logs), log_id); + auto it = std::lower_bound( + std::begin(disqualified_logs), std::end(disqualified_logs), log_id, + [](const auto& disqualified_log, const std::string& log_id) { + return disqualified_log.first < log_id; + }); + if (it != std::end(disqualified_logs) && it->first == log_id) { + log_info->disqualified_at = it->second; + } + network_context_params->ct_logs.push_back(std::move(log_info)); + } } const base::Value* value = @@ -723,6 +761,12 @@ SystemNetworkContextManager::GetHttpAuth return CreateHttpAuthDynamicParams(g_browser_process->local_state()); } +void SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::Optional<bool> enabled) { + g_enable_certificate_transparency = + enabled.value_or(kCertificateTransparencyEnabled); +} + network::mojom::NetworkContextParamsPtr SystemNetworkContextManager::CreateNetworkContextParams() { // TODO(mmenke): Set up parameters here (in memory cookie store, etc). diff -up chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.h.certificate-transparency chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.h --- chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.h.certificate-transparency 2019-09-09 23:55:09.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/net/system_network_context_manager.h 2019-09-12 16:09:52.819635118 +0200 @@ -139,6 +139,12 @@ class SystemNetworkContextManager { static network::mojom::HttpAuthDynamicParamsPtr GetHttpAuthDynamicParamsForTesting(); + // Enables Certificate Transparency and enforcing the Chrome Certificate + // Transparency Policy. For test use only. Use base::nullopt_t to reset to + // the default state. + static void SetEnableCertificateTransparencyForTesting( + base::Optional<bool> enabled); + private: class URLLoaderFactoryForSystem; diff -up chromium-77.0.3865.75/chrome/browser/policy/policy_browsertest.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/policy/policy_browsertest.cc --- chromium-77.0.3865.75/chrome/browser/policy/policy_browsertest.cc.certificate-transparency 2019-09-09 23:55:10.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/policy/policy_browsertest.cc 2019-09-12 16:09:52.820635131 +0200 @@ -4836,7 +4836,7 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, browser()->tab_strip_model()->GetActiveWebContents()->GetTitle()); } -IN_PROC_BROWSER_TEST_F(PolicyTest, +IN_PROC_BROWSER_TEST_F(CertificateTransparencyPolicyTest, CertificateTransparencyEnforcementDisabledForCas) { net::EmbeddedTestServer https_server_ok(net::EmbeddedTestServer::TYPE_HTTPS); https_server_ok.SetSSLConfig(net::EmbeddedTestServer::CERT_OK); diff -up chromium-77.0.3865.75/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc --- chromium-77.0.3865.75/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc.certificate-transparency 2019-09-09 23:55:10.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/ssl/chrome_expect_ct_reporter_browsertest.cc 2019-09-12 16:09:52.821635143 +0200 @@ -8,6 +8,7 @@ #include "base/callback.h" #include "base/run_loop.h" #include "base/test/scoped_feature_list.h" +#include "chrome/browser/net/system_network_context_manager.h" #include "chrome/browser/profiles/profile.h" #include "chrome/browser/ssl/cert_verifier_browser_test.h" #include "chrome/browser/ui/browser.h" @@ -27,7 +28,17 @@ namespace { // received by a server. class ExpectCTBrowserTest : public CertVerifierBrowserTest { public: - ExpectCTBrowserTest() : CertVerifierBrowserTest() {} + ExpectCTBrowserTest() : CertVerifierBrowserTest() { + // Expect-CT reporting depends on actually enforcing Certificate + // Transparency. + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + + ~ExpectCTBrowserTest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } void SetUpOnMainThread() override { run_loop_ = std::make_unique<base::RunLoop>(); diff -up chromium-77.0.3865.75/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/ssl/security_state_tab_helper_browsertest.cc --- chromium-77.0.3865.75/chrome/browser/ssl/security_state_tab_helper_browsertest.cc.certificate-transparency 2019-09-09 23:55:10.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/ssl/security_state_tab_helper_browsertest.cc 2019-09-12 16:09:52.821635143 +0200 @@ -433,6 +433,13 @@ class SecurityStateTabHelperTest : publi SecurityStateTabHelperTest() : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) { https_server_.ServeFilesFromSourceDirectory(GetChromeTestDataDir()); + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + + ~SecurityStateTabHelperTest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); } void SetUpOnMainThread() override { diff -up chromium-77.0.3865.75/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency chromium-77.0.3865.75/chrome/browser/ssl/ssl_browsertest.cc --- chromium-77.0.3865.75/chrome/browser/ssl/ssl_browsertest.cc.certificate-transparency 2019-09-09 23:55:10.000000000 +0200 +++ chromium-77.0.3865.75/chrome/browser/ssl/ssl_browsertest.cc 2019-09-12 16:09:52.822635155 +0200 @@ -1853,8 +1853,14 @@ class CertificateTransparencySSLUITest : public: CertificateTransparencySSLUITest() : CertVerifierBrowserTest(), - https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {} - ~CertificateTransparencySSLUITest() override {} + https_server_(net::EmbeddedTestServer::TYPE_HTTPS) { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + true); + } + ~CertificateTransparencySSLUITest() override { + SystemNetworkContextManager::SetEnableCertificateTransparencyForTesting( + base::nullopt); + } void SetUpOnMainThread() override { CertVerifierBrowserTest::SetUpOnMainThread(); diff -up chromium-77.0.3865.75/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency chromium-77.0.3865.75/components/certificate_transparency/chrome_ct_policy_enforcer.h --- chromium-77.0.3865.75/components/certificate_transparency/chrome_ct_policy_enforcer.h.certificate-transparency 2019-09-09 23:55:14.000000000 +0200 +++ chromium-77.0.3865.75/components/certificate_transparency/chrome_ct_policy_enforcer.h 2019-09-12 16:09:52.823635168 +0200 @@ -45,6 +45,19 @@ class ChromeCTPolicyEnforcer : public ne void SetClockForTesting(const base::Clock* clock) { clock_ = clock; } + // TODO(https://crbug.com/999240): These are exposed to allow end-to-end + // testing by higher layers (i.e. that the ChromeCTPolicyEnforcer is + // correctly constructed). When either this issue or https://crbug.com/848277 + // are fixed, the configuration can be tested independently, and these can + // be removed. + const std::vector<std::string>& operated_by_google_logs_for_testing() { + return operated_by_google_logs_; + } + const std::vector<std::pair<std::string, base::TimeDelta>>& + disqualified_logs_for_testing() { + return disqualified_logs_; + } + private: // Returns true if the log identified by |log_id| (the SHA-256 hash of the // log's DER-encoded SPKI) has been disqualified, and sets diff -up chromium-77.0.3865.75/services/network/network_context.cc.certificate-transparency chromium-77.0.3865.75/services/network/network_context.cc --- chromium-77.0.3865.75/services/network/network_context.cc.certificate-transparency 2019-09-09 23:55:22.000000000 +0200 +++ chromium-77.0.3865.75/services/network/network_context.cc 2019-09-12 16:09:52.823635168 +0200 @@ -36,6 +36,7 @@ #include "components/prefs/pref_registry_simple.h" #include "components/prefs/pref_service.h" #include "components/prefs/pref_service_factory.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/strong_binding.h" #include "net/base/layered_network_delegate.h" #include "net/base/load_flags.h" @@ -1877,16 +1878,6 @@ URLRequestContextOwner NetworkContext::A base::FeatureList::IsEnabled(features::kNetworkErrorLogging)); #endif // BUILDFLAG(ENABLE_REPORTING) -#if BUILDFLAG(IS_CT_SUPPORTED) - if (params_->enforce_chrome_ct_policy) { - builder->set_ct_policy_enforcer( - std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>( - base::GetBuildTime(), - certificate_transparency::GetDisqualifiedLogs(), - certificate_transparency::GetLogsOperatedByGoogle())); - } -#endif // BUILDFLAG(IS_CT_SUPPORTED) - net::HttpNetworkSession::Params session_params; bool is_quic_force_disabled = false; if (network_service_ && network_service_->quic_disabled()) @@ -1936,8 +1927,20 @@ URLRequestContextOwner NetworkContext::A #if BUILDFLAG(IS_CT_SUPPORTED) std::vector<scoped_refptr<const net::CTLogVerifier>> ct_logs; + std::vector<std::pair<std::string, base::TimeDelta>> disqualified_logs; + std::vector<std::string> operated_by_google_logs; + if (!params_->ct_logs.empty()) { for (const auto& log : params_->ct_logs) { + if (log->operated_by_google || log->disqualified_at) { + std::string log_id = crypto::SHA256HashString(log->public_key); + if (log->operated_by_google) + operated_by_google_logs.push_back(log_id); + if (log->disqualified_at) { + disqualified_logs.push_back( + std::make_pair(log_id, log->disqualified_at.value())); + } + } scoped_refptr<const net::CTLogVerifier> log_verifier = net::CTLogVerifier::Create(log->public_key, log->name); if (!log_verifier) { @@ -1950,6 +1953,17 @@ URLRequestContextOwner NetworkContext::A ct_verifier->AddLogs(ct_logs); builder->set_ct_verifier(std::move(ct_verifier)); } + + if (params_->enforce_chrome_ct_policy) { + std::sort(std::begin(operated_by_google_logs), + std::end(operated_by_google_logs)); + std::sort(std::begin(disqualified_logs), std::end(disqualified_logs)); + + builder->set_ct_policy_enforcer( + std::make_unique<certificate_transparency::ChromeCTPolicyEnforcer>( + params_->ct_log_update_time, disqualified_logs, + operated_by_google_logs)); + } #endif // BUILDFLAG(IS_CT_SUPPORTED) const base::CommandLine* command_line = diff -up chromium-77.0.3865.75/services/network/network_context_unittest.cc.certificate-transparency chromium-77.0.3865.75/services/network/network_context_unittest.cc --- chromium-77.0.3865.75/services/network/network_context_unittest.cc.certificate-transparency 2019-09-09 23:55:22.000000000 +0200 +++ chromium-77.0.3865.75/services/network/network_context_unittest.cc 2019-09-12 16:13:10.479056669 +0200 @@ -2,6 +2,7 @@ // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. +#include <algorithm> #include <map> #include <memory> #include <string> @@ -38,10 +39,12 @@ #include "base/threading/thread_task_runner_handle.h" #include "base/time/default_clock.h" #include "base/time/default_tick_clock.h" +#include "base/time/time.h" #include "build/build_config.h" #include "components/network_session_configurator/browser/network_session_configurator.h" #include "components/network_session_configurator/common/network_switches.h" #include "components/prefs/testing_pref_service.h" +#include "crypto/sha2.h" #include "mojo/public/cpp/bindings/remote.h" #include "mojo/public/cpp/bindings/self_owned_receiver.h" #include "mojo/public/cpp/system/data_pipe_utils.h" @@ -115,6 +118,11 @@ #include "url/scheme_host_port.h" #include "url/url_constants.h" +#if BUILDFLAG(IS_CT_SUPPORTED) +#include "components/certificate_transparency/chrome_ct_policy_enforcer.h" +#include "services/network/public/mojom/ct_log_info.mojom.h" +#endif + #if !BUILDFLAG(DISABLE_FTP_SUPPORT) #include "net/ftp/ftp_auth_cache.h" #endif // !BUILDFLAG(DISABLE_FTP_SUPPORT) @@ -5958,6 +5966,72 @@ TEST_F(NetworkContextSplitCacheTest, true /* was_cached */, true /* is_navigation */); } +#if BUILDFLAG(IS_CT_SUPPORTED) +TEST_F(NetworkContextTest, CertificateTransparencyConfig) { + mojom::NetworkContextParamsPtr params = CreateContextParams(); + params->enforce_chrome_ct_policy = true; + params->ct_log_update_time = base::Time::Now(); + + // The log public keys do not matter for the test, so invalid keys are used. + // However, because the log IDs are derived from the SHA-256 hash of the log + // key, the log keys are generated such that qualified logs are in the form + // of four digits (e.g. "0000", "1111"), while disqualified logs are in the + // form of four letters (e.g. "AAAA", "BBBB"). + + for (int i = 0; i < 6; ++i) { + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + // Shift to ASCII '0' (0x30) + log_info->public_key = std::string(4, 0x30 + static_cast<char>(i)); + log_info->name = std::string(4, 0x30 + static_cast<char>(i)); + log_info->operated_by_google = i % 2; + + params->ct_logs.push_back(std::move(log_info)); + } + for (int i = 0; i < 3; ++i) { + network::mojom::CTLogInfoPtr log_info = network::mojom::CTLogInfo::New(); + // Shift to ASCII 'A' (0x41) + log_info->public_key = std::string(4, 0x41 + static_cast<char>(i)); + log_info->name = std::string(4, 0x41 + static_cast<char>(i)); + log_info->operated_by_google = false; + log_info->disqualified_at = base::TimeDelta::FromSeconds(i); + + params->ct_logs.push_back(std::move(log_info)); + } + std::unique_ptr<NetworkContext> network_context = + CreateContextWithParams(std::move(params)); + + net::CTPolicyEnforcer* request_enforcer = + network_context->url_request_context()->ct_policy_enforcer(); + ASSERT_TRUE(request_enforcer); + + // Completely unsafe if |enforce_chrome_ct_policy| is false. + certificate_transparency::ChromeCTPolicyEnforcer* policy_enforcer = + reinterpret_cast<certificate_transparency::ChromeCTPolicyEnforcer*>( + request_enforcer); + + EXPECT_TRUE(std::is_sorted( + policy_enforcer->operated_by_google_logs_for_testing().begin(), + policy_enforcer->operated_by_google_logs_for_testing().end())); + EXPECT_TRUE( + std::is_sorted(policy_enforcer->disqualified_logs_for_testing().begin(), + policy_enforcer->disqualified_logs_for_testing().end())); + + EXPECT_THAT( + policy_enforcer->operated_by_google_logs_for_testing(), + ::testing::UnorderedElementsAreArray({crypto::SHA256HashString("1111"), + crypto::SHA256HashString("3333"), + crypto::SHA256HashString("5555")})); + EXPECT_THAT(policy_enforcer->disqualified_logs_for_testing(), + ::testing::UnorderedElementsAre( + ::testing::Pair(crypto::SHA256HashString("AAAA"), + base::TimeDelta::FromSeconds(0)), + ::testing::Pair(crypto::SHA256HashString("BBBB"), + base::TimeDelta::FromSeconds(1)), + ::testing::Pair(crypto::SHA256HashString("CCCC"), + base::TimeDelta::FromSeconds(2)))); +} +#endif + } // namespace } // namespace network diff -up chromium-77.0.3865.75/services/network/public/mojom/ct_log_info.mojom.certificate-transparency chromium-77.0.3865.75/services/network/public/mojom/ct_log_info.mojom --- chromium-77.0.3865.75/services/network/public/mojom/ct_log_info.mojom.certificate-transparency 2019-09-09 23:55:22.000000000 +0200 +++ chromium-77.0.3865.75/services/network/public/mojom/ct_log_info.mojom 2019-09-12 16:09:52.824635180 +0200 @@ -4,6 +4,8 @@ module network.mojom; +import "mojo/public/mojom/base/time.mojom"; + // A single Certificate Transparency Log configuration. struct CTLogInfo { // The DER-encoded SubjectPublicKeyInfo of the log. @@ -14,4 +16,13 @@ struct CTLogInfo { // The human-readable, log-supplied log name. Note that this will not be // translated. string name; + + // Whether or not the log should should be considered a Google Log for the + // purposes of enforcing the "Certificate Transparency in Chrome" policy. + bool operated_by_google = false; + + // If set, the time since the Unix Epoch when the log was disqualified. This + // is used to determine the "once or currently qualified" status of the log. + // If the log is currently qualified, this will not be set. + mojo_base.mojom.TimeDelta? disqualified_at; }; diff -up chromium-77.0.3865.75/services/network/public/mojom/network_context.mojom.certificate-transparency chromium-77.0.3865.75/services/network/public/mojom/network_context.mojom --- chromium-77.0.3865.75/services/network/public/mojom/network_context.mojom.certificate-transparency 2019-09-09 23:55:22.000000000 +0200 +++ chromium-77.0.3865.75/services/network/public/mojom/network_context.mojom 2019-09-12 16:09:52.825635192 +0200 @@ -239,15 +239,6 @@ struct NetworkContextParams { [EnableIf=is_android] bool check_clear_text_permitted = false; - // True if the "Certificate Transparency in Chrome" policy (see - // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should - // be enforced for certificates and connections. - // - // See //net/docs/certificate-transparency.md before setting this flag to - // true. - [EnableIf=is_ct_supported] - bool enforce_chrome_ct_policy = false; - // Enables HTTP/0.9 on ports other than 80 for HTTP and 443 for HTTPS. bool http_09_on_non_default_ports_enabled = false; @@ -300,6 +291,15 @@ struct NetworkContextParams { // servers, so they can discover misconfigurations. bool enable_certificate_reporting = false; + // True if the "Certificate Transparency in Chrome" policy (see + // https://github.com/chromium/ct-policy/blob/master/ct_policy.md) should + // be enforced for certificates and connections. + // + // See //net/docs/certificate-transparency.md before setting this flag to + // true. + [EnableIf=is_ct_supported] + bool enforce_chrome_ct_policy = false; + // Enables Expect CT reporting, which sends reports for opted-in sites that // don't serve sufficient Certificate Transparency information. [EnableIf=is_ct_supported] @@ -311,6 +311,13 @@ struct NetworkContextParams { [EnableIf=is_ct_supported] array<CTLogInfo> ct_logs; + // When the Certificate Transparency logs in |ct_logs| were last updated. If + // |enforce_chrome_ct_policy| is set, and |ct_log_update_time| is not + // sufficiently recent, enforcement of the "Certificate Transparency in + // Chrome" policy will be disabled. + [EnableIf=is_ct_supported] + mojo_base.mojom.Time ct_log_update_time; + // Specifies the path to the directory where NSS will store its database. [EnableIf=is_chromeos] mojo_base.mojom.FilePath? nss_path; ++++++ old-libva.patch ++++++ --- /var/tmp/diff_new_pack.ZzSaCs/_old 2019-09-17 13:38:21.721833743 +0200 +++ /var/tmp/diff_new_pack.ZzSaCs/_new 2019-09-17 13:38:21.725833742 +0200 @@ -1,8 +1,8 @@ -Index: chromium-76.0.3809.12/media/gpu/vaapi/vaapi_wrapper.cc +Index: chromium-77.0.3865.75/media/gpu/vaapi/vaapi_wrapper.cc =================================================================== ---- chromium-76.0.3809.12.orig/media/gpu/vaapi/vaapi_wrapper.cc -+++ chromium-76.0.3809.12/media/gpu/vaapi/vaapi_wrapper.cc -@@ -63,6 +63,10 @@ +--- chromium-77.0.3865.75.orig/media/gpu/vaapi/vaapi_wrapper.cc ++++ chromium-77.0.3865.75/media/gpu/vaapi/vaapi_wrapper.cc +@@ -62,6 +62,10 @@ #include "ui/ozone/public/surface_factory_ozone.h" #endif @@ -13,7 +13,7 @@ using media_gpu_vaapi::kModuleVa; using media_gpu_vaapi::kModuleVa_drm; #if defined(USE_X11) -@@ -351,10 +355,6 @@ bool VADisplayState::Initialize() { +@@ -350,10 +354,6 @@ bool VADisplayState::Initialize() { } bool VADisplayState::InitializeOnce() { @@ -24,10 +24,29 @@ switch (gl::GetGLImplementation()) { case gl::kGLImplementationEGLGLES2: va_display_ = vaGetDisplayDRM(drm_fd_.get()); -Index: chromium-76.0.3809.12/media/gpu/vaapi/vaapi_jpeg_decoder.cc +@@ -1407,6 +1407,7 @@ scoped_refptr<VASurface> VaapiWrapper::C + + scoped_refptr<gfx::NativePixmapDmaBuf> + VaapiWrapper::ExportVASurfaceAsNativePixmapDmaBuf(VASurfaceID va_surface_id) { ++#if VA_MAJOR_VERSION >= 2 || (VA_MAJOR_VERSION == 1 && VA_MINOR_VERSION >= 2) + VADRMPRIMESurfaceDescriptor descriptor; + { + base::AutoLock auto_lock(*va_lock_); +@@ -1484,6 +1485,10 @@ VaapiWrapper::ExportVASurfaceAsNativePix + gfx::Size(base::checked_cast<int>(descriptor.width), + base::checked_cast<int>(descriptor.height)), + buffer_format, std::move(handle)); ++#else ++ LOG(ERROR) << "Exporting a surface with FOURCC has been disabled on old libva"; ++ return nullptr; ++#endif + } + + bool VaapiWrapper::SubmitBuffer(VABufferType va_buffer_type, +Index: chromium-77.0.3865.75/media/gpu/vaapi/vaapi_jpeg_decoder.cc =================================================================== ---- chromium-76.0.3809.12.orig/media/gpu/vaapi/vaapi_jpeg_decoder.cc -+++ chromium-76.0.3809.12/media/gpu/vaapi/vaapi_jpeg_decoder.cc +--- chromium-77.0.3865.75.orig/media/gpu/vaapi/vaapi_jpeg_decoder.cc ++++ chromium-77.0.3865.75/media/gpu/vaapi/vaapi_jpeg_decoder.cc @@ -20,6 +20,10 @@ #include "media/parsers/jpeg_parser.h" #include "ui/gfx/geometry/size.h" @@ -39,10 +58,10 @@ namespace media { namespace { -Index: chromium-76.0.3809.12/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc +Index: chromium-77.0.3865.75/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc =================================================================== ---- chromium-76.0.3809.12.orig/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc -+++ chromium-76.0.3809.12/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc +--- chromium-77.0.3865.75.orig/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc ++++ chromium-77.0.3865.75/media/gpu/vaapi/vaapi_mjpeg_decode_accelerator.cc @@ -30,6 +30,10 @@ #include "third_party/libyuv/include/libyuv.h" #include "ui/gfx/geometry/size.h"
