[tbb-commits] [tor-browser-bundle/master] add hardening for Windows bundles
mikeperry at torproject.org
mikeperry at torproject.org
Fri Aug 29 22:21:32 UTC 2014
commit 9b138783e0f6e2423caba58bad777fc5622169db
Author: Erinn Clark <erinn at torproject.org>
Date: Thu Aug 21 19:21:43 2014 -0400
add hardening for Windows bundles
---
gitian/build-helpers/i686-w64-mingw32-g++ | 2 +-
gitian/build-helpers/i686-w64-mingw32-gcc | 2 +-
gitian/build-helpers/i686-w64-mingw32-ld | 7 +-----
gitian/descriptors/windows/gitian-firefox.yml | 24 ++++++++------------
.../windows/gitian-pluggable-transports.yml | 12 ++++++++--
gitian/descriptors/windows/gitian-tor.yml | 16 +++++++------
gitian/descriptors/windows/gitian-utils.yml | 24 +++++++++++---------
gitian/mkbundle-windows.sh | 6 ++---
8 files changed, 48 insertions(+), 45 deletions(-)
diff --git a/gitian/build-helpers/i686-w64-mingw32-g++ b/gitian/build-helpers/i686-w64-mingw32-g++
index e3c13fd..b73f107 100755
--- a/gitian/build-helpers/i686-w64-mingw32-g++
+++ b/gitian/build-helpers/i686-w64-mingw32-g++
@@ -1,4 +1,4 @@
#!/bin/sh
# Hardened mingw gcc wrapper
-/usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
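Review bot: This wrapper now passes `-fstack-protector` while every CFLAGS line added elsewhere in this commit (tor, pluggable transports, zlib, OpenSSL) uses `-fstack-protector-all`, so code built through the wrapper (Firefox) only gets canaries in functions with buffers of ssp-buffer-size or larger, unlike the rest of the bundle. If that is deliberate — e.g. Firefox did not tolerate `-all` — it deserves a comment such as `# -fstack-protector rather than -all: Firefox build breaks with -all -- TODO confirm`; otherwise align it with the descriptors. The wrapper also omits `-Wformat -Wformat-security` that the descriptors' CFLAGS carry, which is another silent divergence. Dropping `-pie -fPIE` looks right for a PE target, where `--dynamicbase` plus a kept .reloc section is what provides ASLR.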
diff --git a/gitian/build-helpers/i686-w64-mingw32-gcc b/gitian/build-helpers/i686-w64-mingw32-gcc
index 830e11b..d4fd642 100755
--- a/gitian/build-helpers/i686-w64-mingw32-gcc
+++ b/gitian/build-helpers/i686-w64-mingw32-gcc
@@ -1,4 +1,4 @@
#!/bin/sh
# Hardened mingw gcc wrapper
-/usr/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
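Review bot: The toolchain location `/home/ubuntu/install/mingw-w64/bin` is hard-coded here, whereas the ld wrapper in the same commit derives its library directory from `$INSTDIR`; the two will drift the moment the gitian user or install prefix changes. Keeping the same default while tracking the descriptor is a one-token change: `${INSTDIR:-/home/ubuntu/install}/mingw-w64/bin/i686-w64-mingw32-gcc`. As with the g++ wrapper, `-fstack-protector` here disagrees with the `-fstack-protector-all` used in the descriptor CFLAGS, so whichever is intended should be stated in the comment line.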
diff --git a/gitian/build-helpers/i686-w64-mingw32-ld b/gitian/build-helpers/i686-w64-mingw32-ld
index e085bdd..f8c61fd 100755
--- a/gitian/build-helpers/i686-w64-mingw32-ld
+++ b/gitian/build-helpers/i686-w64-mingw32-ld
@@ -1,9 +1,4 @@
#!/bin/sh
# Hardened mingw gcc wrapper
-if [ -x /usr/bin/i686-w64-mingw32-ld.orig ];
-then
- /usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-else
- /usr/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-fi
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat --enable-reloc-section -lssp -L$INSTDIR/gcclibs/ "$@"
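Review bot: `-L$INSTDIR/gcclibs/` depends on INSTDIR being in the wrapper's environment, but the descriptors assign it as a plain shell variable (`INSTDIR="$HOME/install"` in gitian-tor.yml, no `export`), so unless it is exported somewhere not shown, this child process sees an empty value and passes `-L/gcclibs/`; `-lssp` is then satisfied from whatever else is on the search path, possibly the Ubuntu 4.6 libssp the commit is trying to stop shipping. Either `export INSTDIR` in the descriptors or make the wrapper self-sufficient: `-L${INSTDIR:-/home/ubuntu/install}/gcclibs/`. Note also that `-lssp` is placed before `"$@"`; ld resolves archive and import-library members only for symbols already undefined when it reaches them, so putting `-lssp` after `"$@"` is the safer order.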
diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml
index 94b5eef..0968911 100644
--- a/gitian/descriptors/windows/gitian-firefox.yml
+++ b/gitian/descriptors/windows/gitian-firefox.yml
@@ -20,10 +20,10 @@ files:
- "mingw-w64-win32-utils.zip"
- "re-dzip.sh"
- "dzip.sh"
-# TODO: Hardening.
-#- "i686-w64-mingw32-gcc"
-#- "i686-w64-mingw32-g++"
-#- "i686-w64-mingw32-ld"
+- "gcclibs-win32-utils.zip"
+- "i686-w64-mingw32-gcc"
+- "i686-w64-mingw32-g++"
+- "i686-w64-mingw32-ld"
- "msvcr100.dll"
- "versions"
script: |
@@ -38,8 +38,10 @@ script: |
mkdir -p $INSTDIR/Browser/
mkdir -p $OUTDIR/
unzip -d $INSTDIR mingw-w64-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
# Make sure our custom mingw gets used.
export PATH=$INSTDIR/mingw-w64/bin:$PATH
+
# We don't want to link against msvcrt.dll due to bug 9084.
i686-w64-mingw32-g++ -dumpspecs > msvcr100.spec
sed 's/msvcrt/msvcr100/' -i msvcr100.spec
@@ -73,22 +75,16 @@ script: |
make -f client.mk configure
find -type f | xargs touch --date="$REFERENCE_DATETIME"
#
- # FIXME: MinGW doens't like being built with hardening, and Firefox doesn't
- # like being configured with it
- # XXX: These changes cause the exes to crash on launch.
- #mkdir -p ~/build/bin/
- #cp ~/build/i686* ~/build/bin/
- #export PATH=~/build/bin:$PATH
- # XXX: the path to ld is hardcoded in mingw.. This forces gcc's linking to
- # use our flags:
- #sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
- #sudo cp ~/build/bin/i686-w64-mingw32-ld /usr/bin/
+ mkdir -p ~/build/bin/
+ cp ~/build/i686* ~/build/bin/
+ export PATH=~/build/bin:$PATH
#
make $MAKEOPTS -f client.mk build
#
make -C obj-* package INNER_MAKE_PACKAGE=true
cp -a obj-*/dist/firefox/* $INSTDIR/Browser/
cp -a ~/build/msvcr100.dll $INSTDIR/Browser/
+ cp -a $INSTDIR/gcclibs/libssp-0.dll $INSTDIR/Browser/
#
# What the hell are these three bytes anyways?
# FIXME: This was probably fixed by patching binutils. If we get matching
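Review bot: Only libssp-0.dll is copied into Browser/ here, while gitian-tor.yml in the same commit ships every DLL from gcclibs, libgcc_s_sjlj-1.dll included; if the binaries produced through the new g++ wrapper link libgcc or libstdc++ dynamically — I cannot confirm that from here since the mozconfig is not shown — the bundle will fail to load on a clean machine. For parity use `cp -a $INSTDIR/gcclibs/*.dll $INSTDIR/Browser/` and confirm the dependency list with `objdump -p` on firefox.exe and xul.dll after the build. The removed XXX comment about the exes crashing on launch would be worth replacing with one line saying why the wrappers work now (custom gcc instead of Ubuntu's 4.6), so the next reader does not rediscover the history.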
diff --git a/gitian/descriptors/windows/gitian-pluggable-transports.yml b/gitian/descriptors/windows/gitian-pluggable-transports.yml
index 1580152..bac9bf0 100644
--- a/gitian/descriptors/windows/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/windows/gitian-pluggable-transports.yml
@@ -50,8 +50,10 @@ files:
- "go.tar.gz"
- "dzip.sh"
- "pyc-timestamp.sh"
+- "binutils-win32-utils.zip"
- "openssl-win32-utils.zip"
- "gmp-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
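Review bot: `binutils-win32-utils.zip` is added as an input to this descriptor, but the same commit stops producing it in gitian-utils.yml (the `dzip.sh binutils-$BINUTILS_VER-win32-utils.zip` step is removed) and drops the `binutils-win32-utils.zip` symlink from mkbundle-windows.sh, so a fresh checkout fails on a missing input and an existing one silently picks up a stale zip from an older binutils. The script below unzips it and then prepends `$INSTDIR/mingw-w64/bin` to PATH, which suggests the intended input is the new `mingw-w64-win32-utils.zip` as used by gitian-firefox.yml; switch both this entry and the unzip line to that name.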
script: |
# Set the timestamp on every .pyc file in a zip file, and re-dzip the zip file.
function py2exe_zip_timestomp {
@@ -75,14 +77,20 @@ script: |
export FAKETIME=$REFERENCE_DATETIME
export TZ=UTC
export LC_ALL=C
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
umask 0022
+ unzip -d $INSTDIR binutils-win32-utils.zip
unzip -d $INSTDIR gmp-win32-utils.zip
unzip -d $INSTDIR openssl-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
cp $INSTDIR/gmp/bin/*dll* $INSTDIR/Tor
+ export PATH=$INSTDIR/mingw-w64/bin:$PATH
+ sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+ sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
# We need at least Wine 1.5.29 which is not in Ubuntu's main repository (see
# below). Thus, we resort to a PPA and need therefore to determine the correct
# network interface depending on the virtualization we use.
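Review bot: `-lssp` is placed in LDFLAGS, which most autotools and libtool link lines emit before the object files, so ld may have no undefined `__stack_chk_fail` yet when it reaches the import library and drops it; the conventional placement is `LIBS="-lssp"` with only `-L$INSTDIR/gcclibs` left in LDFLAGS, and the same applies to the LDFLAGS lines in gitian-tor.yml. Whether the pluggable transports built here (Go and py2exe components) go through a gcc link at all is not visible in this hunk, so the flags may be partly inert. Separately, `sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig` is not idempotent: a second run overwrites the backup with the replacement; guard it with `[ -e /usr/bin/i686-w64-mingw32-ld.orig ] || sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig`.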
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index bc70839..65df589 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -35,6 +35,7 @@ files:
- "openssl-win32-utils.zip"
- "libevent-win32-utils.zip"
- "zlib-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
script: |
INSTDIR="$HOME/install"
source versions
@@ -51,14 +52,17 @@ script: |
unzip -d $INSTDIR zlib-win32-utils.zip
unzip -d $INSTDIR libevent-win32-utils.zip
unzip -d $INSTDIR openssl-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
cp $INSTDIR/zlib/lib/*.dll $INSTDIR/Tor/
cp $INSTDIR/libevent/bin/*.dll $INSTDIR/Tor/
cp $INSTDIR/openssl/bin/*.dll $INSTDIR/Tor/
- # Make sure our custom ld gets used.
- # See the we-need-only-the-binutils-comment in gitian-utils.yml for the
- # reasoning behind the "mingw-w64" dir instead of an expected "binutils" one.
+ cp $INSTDIR/gcclibs/*.dll $INSTDIR/Tor/
+
export PATH=$INSTDIR/mingw-w64/bin:$PATH
+ sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+ sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
# Building tor
cd tor
git update-index --refresh -q
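Review bot: The comment explaining why the system linker is replaced under /usr/bin was deleted, leaving two `sudo` lines that modify the build VM with no rationale; the reason survives only in a comment this same commit removes from gitian-firefox.yml ("the path to ld is hardcoded in mingw"), and the removed gitian-utils.yml comment confirms tor is built with Ubuntu's gcc plus our binutils. Suggest restoring it above the mv: `# Ubuntu's mingw gcc hardcodes its ld path, so PATH alone is not enough: swap in our patched binutils ld (it understands --enable-reloc-section).` Also guard the mv so a re-run cannot clobber the backup: `[ -e /usr/bin/i686-w64-mingw32-ld.orig ] || sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig`.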
@@ -89,8 +93,8 @@ script: |
mkdir -p $OUTDIR/src
#git archive HEAD | tar -x -C $OUTDIR/src
# Let's avoid the console window popping up.
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
./autogen.sh
find -type f | xargs touch --date="$REFERENCE_DATETIME"
./configure --disable-asciidoc --host=i686-w64-mingw32 --with-libevent-dir=$INSTDIR/libevent --with-openssl-dir=$INSTDIR/openssl --prefix=$INSTDIR --with-zlib-dir=$INSTDIR/zlib/
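Review bot: `-Wl,--enable-reloc-section` is only understood by the ld patched in gitian-utils.yml, so this link now hard-depends on the `sudo mv` above having installed that ld; if it did not, the failure surfaces as an opaque unrecognized-option error deep in the tor build. A fail-fast check before configure makes the dependency explicit: `i686-w64-mingw32-ld --help | grep -q enable-reloc-section || { echo 'patched ld not in use' >&2; exit 1; }`. It is also worth verifying the result rather than trusting the flags, e.g. `objdump -p $INSTDIR/Tor/tor.exe | grep -E 'DllCharacteristics|Base Relocation'`, and checking the installed binary rather than the linked one since `install -s` strips it below — I am not certain the strip of that binutils era preserves the .reloc section.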
@@ -100,8 +104,6 @@ script: |
install -s $INSTDIR/bin/tor.exe $INSTDIR/Tor/
cp $INSTDIR/share/tor/geoip $INSTDIR/Data/Tor/
cp $INSTDIR/share/tor/geoip6 $INSTDIR/Data/Tor/
- cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libgcc_s_sjlj-1.dll $INSTDIR/Tor/
- cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libssp*.dll $INSTDIR/Tor/
# Grabbing the result
cd $INSTDIR
diff --git a/gitian/descriptors/windows/gitian-utils.yml b/gitian/descriptors/windows/gitian-utils.yml
index 87dbe16..2d0b3db 100644
--- a/gitian/descriptors/windows/gitian-utils.yml
+++ b/gitian/descriptors/windows/gitian-utils.yml
@@ -31,6 +31,7 @@ files:
- "gcc.tar.bz2"
- "openssl.tar.gz"
- "gmp.tar.bz2"
+- "enable-reloc-section-ld.patch"
- "peXXigen.patch"
- "versions"
- "dzip.sh"
@@ -47,15 +48,11 @@ script: |
# XXX: This is needed due to bug 10102.
sed 's/= extern_rt_rel_d;/= extern_rt_rel_d;\n memset (extern_rt_rel_d, 0, PE_IDATA5_SIZE);/' -i ld/pe-dll.c
# Zeroing timestamps in PE headers reliably, see bug 12753.
+ patch -p1 < ../enable-reloc-section-ld.patch
patch -p1 < ../peXXigen.patch
./configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib
make $MAKEOPTS
make install
- # XXX: We currently do this as we are not using our own compiler but only our
- # own binutils for compiling tor. See bug 10077. Nevertheless, we need both
- # for cross-compiling Tor Browser.
- cd $INSTDIR
- ~/build/dzip.sh binutils-$BINUTILS_VER-win32-utils.zip mingw-w64
# Make sure our ld etc. is found and used.
export PATH=$INSTDIR/mingw-w64/bin:$PATH
cd ~/build
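Review bot: The new `patch -p1 < ../enable-reloc-section-ld.patch` line was inserted between the comment `# Zeroing timestamps in PE headers reliably, see bug 12753.` and the peXXigen.patch that comment describes, so the comment now reads as if it explains the reloc patch. Move the new line above that comment and give it its own, e.g. `# Add --enable-reloc-section to ld so executables keep their .reloc section and --dynamicbase can actually relocate them.` — I am inferring the patch's purpose from its name and the flag the wrappers pass, so adjust if it does more.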
@@ -78,7 +75,7 @@ script: |
sed 's/msvcrt/msvcr100/' -i gcc-*/gcc/config/i386/t-mingw-w32
# LDFLAGS_FOR_TARGET does not work for some reason. Thus, we take
# CFLAGS_FOR_TARGET.
- export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec"
+ export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec -Wl,--nxcompat -Wl,--dynamicbase"
gcc-*/configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib --enable-languages=c,c++
make $MAKEOPTS all-gcc
make install-gcc
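Review bot: CFLAGS_FOR_TARGET gains `--nxcompat`/`--dynamicbase` but none of the compile-time hardening used everywhere else in this commit (`-fstack-protector-all --param ssp-buffer-size=4 -fno-strict-overflow`) and not `--enable-reloc-section`, so the runtime DLLs shipped in the bundle (libgcc_s_sjlj-1.dll, libssp-0.dll, and libstdc++ if it is linked dynamically) are presumably built without stack protection. If that is intentional, a comment saying so would save the next reviewer the question; otherwise append `-fstack-protector-all --param ssp-buffer-size=4 -Wl,--enable-reloc-section` here. Whether CFLAGS_FOR_TARGET reaches every target library I cannot confirm from this hunk — the comment above says it is a stand-in for a non-working LDFLAGS_FOR_TARGET.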
@@ -99,8 +96,12 @@ script: |
cd ..
# Second stage of gcc compilation
cd gcc
+ find -type f | xargs touch --date="$REFERENCE_DATETIME"
make $MAKEOPTS
make install
+ mkdir -p $INSTDIR/gcclibs
+ cp i686-w64-mingw32/libssp/.libs/libssp-0.dll $INSTDIR/gcclibs
+ cp i686-w64-mingw32/libgcc/shlib/libgcc_s_sjlj-1.dll $INSTDIR/gcclibs
cd ..
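Review bot: Only libssp-0.dll and libgcc_s_sjlj-1.dll are captured into gcclibs, although gcc is configured with `--enable-languages=c,c++` and the g++ wrapper is what builds Firefox; if anything links libstdc++ dynamically, libstdc++-6.dll is missing from the zip and therefore from the bundle. I cannot see the mozconfig to know whether it uses `-static-libstdc++`, so please confirm with `objdump -p` on the shipped binaries before relying on this list. The two `cp` lines will also silently produce an empty gcclibs/ on a layout change unless the gitian script runs under `set -e`, which is not visible here; `cp` of an explicit list is fine, but a trailing `ls $INSTDIR/gcclibs` in the log would make a miss obvious.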
# XXX: Build the libraries we include into the bundles deterministically. As
@@ -111,12 +112,12 @@ script: |
export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
export FAKETIME=$REFERENCE_DATETIME
# Building zlib
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
cd zlib
find -type f | xargs touch --date="$REFERENCE_DATETIME"
- make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1
- make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 install
+ make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
+ make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" install
cd ..
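Review bot: The hardening flag string is now spelled out verbatim four times in this descriptor (the CFLAGS/LDFLAGS exports, both zlib make lines, the OpenSSL Configure line) and again in gitian-tor.yml and gitian-pluggable-transports.yml, so a future change to, say, ssp-buffer-size is certain to drift. Define it once near the top of the script, `HARDENING_CFLAGS="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"` and `HARDENING_LDFLAGS="-Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"`, then pass `LOC="$HARDENING_CFLAGS $HARDENING_LDFLAGS"`. The reason the exported CFLAGS/LDFLAGS are repeated in LOC is presumably that zlib's win32/Makefile.gcc sets CFLAGS/LDFLAGS itself from LOC, which is worth a one-line comment so nobody "cleans up" the duplication by deleting LOC.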
# Building Libevent
@@ -133,7 +134,7 @@ script: |
cd openssl-*
find -type f | xargs touch --date="$REFERENCE_DATETIME"
# TODO: Add enable-ec_nistp_64_gcc_128 for 64bit Windows.
- ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw --prefix=$INSTDIR/openssl
+ ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw "-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" --prefix=$INSTDIR/openssl
# Using $MAKEOPTS breaks the build. Might be the issue mentioned on
# http://cblfs.cross-lfs.org/index.php/OpenSSL.
make
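Review bot: The entire flag string is handed to Configure as one quoted argument, so it lands in OpenSSL's CFLAGS including the `-Wl,`/`-l`/`-L` parts; whether Makefile.shared applies CFLAGS when linking the mingw DLLs (rather than only SHARED_LDFLAGS) I cannot confirm from here, and if it does not, the DLLs get the compile-time protection but none of `--dynamicbase`/`--nxcompat`/`--enable-reloc-section`. Rather than trusting the flags, add a check after the install, e.g. `objdump -p $INSTDIR/openssl/bin/*.dll | grep DllCharacteristics`, and confirm the DYNAMIC_BASE (0x40) and NX_COMPAT (0x100) bits are set. The same verification applies to the zlib and libevent DLLs built above.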
@@ -156,4 +157,5 @@ script: |
~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-win32-utils.zip libevent
~/build/dzip.sh openssl-$OPENSSL_VER-win32-utils.zip openssl
~/build/dzip.sh gmp-$GMP_VER-win32-utils.zip gmp
+ ~/build/dzip.sh gcclibs-$GCC_VER-win32-utils.zip gcclibs
cp *-utils.zip $OUTDIR/
diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh
index 0af015d..9ef5c41 100755
--- a/gitian/mkbundle-windows.sh
+++ b/gitian/mkbundle-windows.sh
@@ -97,7 +97,7 @@ fi
cd $GITIAN_DIR
-if [ ! -f inputs/binutils-$BINUTILS_VER-win32-utils.zip -o \
+if [ ! -f inputs/gcclibs-$GCC_VER-win32-utils.zip -o \
! -f inputs/mingw-w64-$GCC_VER-win32-utils.zip -o \
! -f inputs/zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip -o \
! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip -o \
@@ -117,12 +117,12 @@ then
cd inputs
cp -a ../build/out/*-utils.zip .
- ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+ ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
cd ..
#cp -a result/utils-win-res.yml inputs/
else
@@ -132,12 +132,12 @@ else
# We might have built the utilities in the past but maybe the links are
# pointing to the wrong version. Refresh them.
cd inputs
- ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+ ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
cd ..
fi