Fix for bug 1290037 - Update keybits in H2. r=mt, a=ritu

.SRCINFO

@@ -48,6 +48,7 @@ pkgbase = icecat
 	source = gcc6-fix-compilation-for-IceCat.patch
 	source = firefox-gcc-6.0.patch
 	source = icu_configure.patch
+	source = update_keybits_in_H2.patch
 	validpgpkeys = A57369A8BABC2542B5A0368C3C76EED7D7E04784
 	sha256sums = 8163e5bc53f69d9f9b0fc5e9f95fae33da8139ae0f902756751cadbaa27e6ee9
 	sha256sums = SKIP
@@ -58,6 +59,7 @@ pkgbase = icecat
 	sha256sums = 329cf6753d29ae64a4336a8a76ee71f0d331a39132159401e4d11de65b708a07
 	sha256sums = 4d1e1ddabc9e975ed39f49e134559a29e01cd49439e358233f1ede43bf5a52bf
 	sha256sums = ef2a7c41685f8e371d47909bf4cc071a349ef09b1421ab523c94057d85ca8f07
+	sha256sums = f99424950ae7493b5814d36279f4af49e89127731fde2b7938b2c10e403796e1
 
 pkgname = icecat
 

PKGBUILD

@@ -9,7 +9,7 @@ pkgname=icecat
 pkgver=45.5.1
 _pkgver=${pkgver}-gnu1
 _pkgverbase=${pkgver%%.*}
-pkgrel=5
+pkgrel=6
 pkgdesc="GNU version of the Firefox browser."
 arch=(i686 x86_64)
 url="http://www.gnu.org/software/gnuzilla/"
@@ -32,7 +32,8 @@ source=(http://ftpmirror.gnu.org/gnuzilla/${pkgver}/${pkgname}-${_pkgver}.tar.bz
         vendor.js
         gcc6-fix-compilation-for-IceCat.patch
         firefox-gcc-6.0.patch
-		icu_configure.patch)
+        icu_configure.patch
+        update_keybits_in_H2.patch)
 
 sha256sums=('8163e5bc53f69d9f9b0fc5e9f95fae33da8139ae0f902756751cadbaa27e6ee9'
             'SKIP'
@@ -42,7 +43,8 @@ sha256sums=('8163e5bc53f69d9f9b0fc5e9f95fae33da8139ae0f902756751cadbaa27e6ee9'
             '4b50e9aec03432e21b44d18c4c97b2630bace606b033f7d556c9d3e3eb0f4fa4'
             '329cf6753d29ae64a4336a8a76ee71f0d331a39132159401e4d11de65b708a07'
             '4d1e1ddabc9e975ed39f49e134559a29e01cd49439e358233f1ede43bf5a52bf'
-            'ef2a7c41685f8e371d47909bf4cc071a349ef09b1421ab523c94057d85ca8f07')
+            'ef2a7c41685f8e371d47909bf4cc071a349ef09b1421ab523c94057d85ca8f07'
+            'f99424950ae7493b5814d36279f4af49e89127731fde2b7938b2c10e403796e1')
 
 validpgpkeys=(A57369A8BABC2542B5A0368C3C76EED7D7E04784) # Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org>
 
@@ -61,6 +63,10 @@ prepare() {
   # without fixing this, the build throws errors that it's unable to extract the icu version number from uvernum.h and aborts (Thanks jghodd)
   patch -Np0 -i ${srcdir}/icu_configure.patch
 
+  # Bug 1290037 - Update keybits in H2. r=mt, a=ritu
+  # https://hg.mozilla.org/releases/mozilla-esr45/rev/bf0dd9ae6807 - https://bbs.archlinux.org/viewtopic.php?id=222513
+  patch -Np1 -i ${srcdir}/update_keybits_in_H2.patch
+
   msg2 "Starting build..."
 
   cp -v ${srcdir}/mozconfig .mozconfig

update_keybits_in_H2.patch

@@ -0,0 +1,29 @@
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3516,18 +3516,18 @@ Http2Session::ConfirmTLSProfile()
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   uint32_t keybits = ssl->GetKEAKeyBits();
+   if (kea == ssl_kea_dh && keybits < 2048) {
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+         this, macAlgorithm));
+   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
+
+
+
+