[tbb-commits] [tor-browser-bundle/master] add hardening for Windows bundles

mikeperry at torproject.org mikeperry at torproject.org
Fri Aug 29 22:21:32 UTC 2014


commit 9b138783e0f6e2423caba58bad777fc5622169db
Author: Erinn Clark <erinn at torproject.org>
Date:   Thu Aug 21 19:21:43 2014 -0400

    add hardening for Windows bundles
---
 gitian/build-helpers/i686-w64-mingw32-g++          |    2 +-
 gitian/build-helpers/i686-w64-mingw32-gcc          |    2 +-
 gitian/build-helpers/i686-w64-mingw32-ld           |    7 +-----
 gitian/descriptors/windows/gitian-firefox.yml      |   24 ++++++++------------
 .../windows/gitian-pluggable-transports.yml        |   12 ++++++++--
 gitian/descriptors/windows/gitian-tor.yml          |   16 +++++++------
 gitian/descriptors/windows/gitian-utils.yml        |   24 +++++++++++---------
 gitian/mkbundle-windows.sh                         |    6 ++---
 8 files changed, 48 insertions(+), 45 deletions(-)

diff --git a/gitian/build-helpers/i686-w64-mingw32-g++ b/gitian/build-helpers/i686-w64-mingw32-g++
index e3c13fd..b73f107 100755
--- a/gitian/build-helpers/i686-w64-mingw32-g++
+++ b/gitian/build-helpers/i686-w64-mingw32-g++
@@ -1,4 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
 
-/usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
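Review bot: The compiler is now reached through the fixed prefix `/home/ubuntu/install`, while the ld wrapper in the same commit takes its library search path from `$INSTDIR`, so a build under any other home or install prefix gets no compiler at all and the two helpers disagree about where the toolchain lives; `"${INSTDIR:-/home/ubuntu/install}/mingw-w64/bin/i686-w64-mingw32-g++"` keeps the current default and follows the variable when it is exported. The flag set also steps back from `-fstack-protector-all` to `-fstack-protector`, whereas the CFLAGS this commit adds in gitian-tor.yml, gitian-pluggable-transports.yml and gitian-utils.yml use `-fstack-protector-all`; if the weaker setting is what lets Firefox build and run, record that on the line above, e.g. `# -fstack-protector rather than -fstack-protector-all on purpose: <reason or ticket>`, so nobody "fixes" it back. Both points apply equally to the i686-w64-mingw32-gcc wrapper hunk that follows.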
diff --git a/gitian/build-helpers/i686-w64-mingw32-gcc b/gitian/build-helpers/i686-w64-mingw32-gcc
index 830e11b..d4fd642 100755
--- a/gitian/build-helpers/i686-w64-mingw32-gcc
+++ b/gitian/build-helpers/i686-w64-mingw32-gcc
@@ -1,4 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
 
-/usr/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-ld b/gitian/build-helpers/i686-w64-mingw32-ld
index e085bdd..f8c61fd 100755
--- a/gitian/build-helpers/i686-w64-mingw32-ld
+++ b/gitian/build-helpers/i686-w64-mingw32-ld
@@ -1,9 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
 
-if [ -x /usr/bin/i686-w64-mingw32-ld.orig ];
-then
-  /usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-else
-  /usr/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-fi
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat --enable-reloc-section -lssp -L$INSTDIR/gcclibs/ "$@"
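Review bot: `-L$INSTDIR/gcclibs/` relies on INSTDIR being present in the environment of whatever invokes this wrapper; under `#!/bin/sh` an unset variable expands to nothing, so the link would quietly proceed with `-L/gcclibs/` and resolve `-lssp` from wherever else the search path points, with no error from the wrapper itself. A guard on the line before the linker call, `: "${INSTDIR:?INSTDIR must be exported before the ld wrapper is used}"`, turns that into an explicit failure. The linker path itself is hardcoded to `/home/ubuntu/install` on the same line that depends on `$INSTDIR`; `"${INSTDIR:-/home/ubuntu/install}/mingw-w64/bin/i686-w64-mingw32-ld"` would make the two agree.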
diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml
index 94b5eef..0968911 100644
--- a/gitian/descriptors/windows/gitian-firefox.yml
+++ b/gitian/descriptors/windows/gitian-firefox.yml
@@ -20,10 +20,10 @@ files:
 - "mingw-w64-win32-utils.zip"
 - "re-dzip.sh"
 - "dzip.sh"
-# TODO: Hardening.
-#- "i686-w64-mingw32-gcc"
-#- "i686-w64-mingw32-g++"
-#- "i686-w64-mingw32-ld"
+- "gcclibs-win32-utils.zip"
+- "i686-w64-mingw32-gcc"
+- "i686-w64-mingw32-g++"
+- "i686-w64-mingw32-ld"
 - "msvcr100.dll"
 - "versions"
 script: |
@@ -38,8 +38,10 @@ script: |
   mkdir -p $INSTDIR/Browser/
   mkdir -p $OUTDIR/
   unzip -d $INSTDIR mingw-w64-win32-utils.zip
+  unzip -d $INSTDIR gcclibs-win32-utils.zip
   # Make sure our custom mingw gets used.
   export PATH=$INSTDIR/mingw-w64/bin:$PATH
+
   # We don't want to link against msvcrt.dll due to bug 9084.
   i686-w64-mingw32-g++ -dumpspecs > msvcr100.spec
   sed 's/msvcrt/msvcr100/' -i msvcr100.spec
@@ -73,22 +75,16 @@ script: |
   make -f client.mk configure
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   #
-  # FIXME: MinGW doens't like being built with hardening, and Firefox doesn't
-  # like being configured with it
-  # XXX: These changes cause the exes to crash on launch.
-  #mkdir -p ~/build/bin/
-  #cp ~/build/i686* ~/build/bin/
-  #export PATH=~/build/bin:$PATH
-  # XXX: the path to ld is hardcoded in mingw.. This forces gcc's linking to
-  # use our flags:
-  #sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
-  #sudo cp ~/build/bin/i686-w64-mingw32-ld /usr/bin/
+  mkdir -p ~/build/bin/
+  cp ~/build/i686* ~/build/bin/
+  export PATH=~/build/bin:$PATH
   #
   make $MAKEOPTS -f client.mk build
   #
   make -C obj-* package INNER_MAKE_PACKAGE=true
   cp -a obj-*/dist/firefox/* $INSTDIR/Browser/
   cp -a ~/build/msvcr100.dll $INSTDIR/Browser/
+  cp -a $INSTDIR/gcclibs/libssp-0.dll $INSTDIR/Browser/
   #
   # What the hell are these three bytes anyways?
   # FIXME: This was probably fixed by patching binutils. If we get matching
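Review bot: The FIXME/XXX block this hunk removes was the only record of why the hardened wrappers had been kept disabled ("exes crash on launch"), and the three lines that replace it carry no comment on what changed to make them usable; a line such as `# Hardened gcc/g++/ld wrappers from gitian/build-helpers (crash-on-launch resolved by <change>)` above `mkdir -p ~/build/bin/` would carry that history forward. Further down, `cp -a $INSTDIR/gcclibs/libssp-0.dll $INSTDIR/Browser/` ships only libssp, while gitian-tor.yml in this commit copies `$INSTDIR/gcclibs/*.dll` (libssp and libgcc_s_sjlj); if anything under Browser/ links the shared libgcc, that DLL is missing here, and if nothing does, a short comment saying only libssp is needed would settle the question. The script block continues outside this hunk.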
diff --git a/gitian/descriptors/windows/gitian-pluggable-transports.yml b/gitian/descriptors/windows/gitian-pluggable-transports.yml
index 1580152..bac9bf0 100644
--- a/gitian/descriptors/windows/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/windows/gitian-pluggable-transports.yml
@@ -50,8 +50,10 @@ files:
 - "go.tar.gz"
 - "dzip.sh"
 - "pyc-timestamp.sh"
+- "binutils-win32-utils.zip"
 - "openssl-win32-utils.zip"
 - "gmp-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
 script: |
   # Set the timestamp on every .pyc file in a zip file, and re-dzip the zip file.
   function py2exe_zip_timestomp {
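Review bot: `binutils-win32-utils.zip` is added as an input here and unpacked in the next hunk, but the same commit stops producing it: gitian-utils.yml drops the `~/build/dzip.sh binutils-$BINUTILS_VER-win32-utils.zip mingw-w64` step and mkbundle-windows.sh removes both `ln -sf binutils-...` symlinks and the existence check, so unless the archive is created somewhere outside this diff the pluggable-transports build will stop on a missing input. The next hunk's `export PATH=$INSTDIR/mingw-w64/bin:$PATH` and `sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld` both use the `mingw-w64` tree, which the other descriptors get from `mingw-w64-win32-utils.zip`; if that archive is already in this files list above the hunk, the binutils entry and its `unzip` line are leftovers to drop, and if it is not, it is the entry that should be listed instead.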
@@ -75,14 +77,20 @@ script: |
   export FAKETIME=$REFERENCE_DATETIME
   export TZ=UTC
   export LC_ALL=C
-  export CFLAGS="-mwindows"
-  export LDFLAGS="-mwindows"
+  export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+  export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
   umask 0022
 
+  unzip -d $INSTDIR binutils-win32-utils.zip
   unzip -d $INSTDIR gmp-win32-utils.zip
   unzip -d $INSTDIR openssl-win32-utils.zip
+  unzip -d $INSTDIR gcclibs-win32-utils.zip
   cp $INSTDIR/gmp/bin/*dll* $INSTDIR/Tor
 
+  export PATH=$INSTDIR/mingw-w64/bin:$PATH
+  sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+  sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
   # We need at least Wine 1.5.29 which is not in Ubuntu's main repository (see
   # below). Thus, we resort to a PPA and need therefore to determine the correct
   # network interface depending on the virtualization we use.
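Review bot: `sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig` followed by `sudo cp` replaces the distribution linker system-wide with the one built in gitian-utils.yml, and nothing on the new side says why PATH alone is not enough (the comment this commit deletes from gitian-firefox.yml explained that the gcc driver reaches ld by a hardcoded path). A comment above the `mv`, e.g. `# mingw's gcc driver calls /usr/bin/i686-w64-mingw32-ld by absolute path, so PATH is not enough; swap in the patched ld from gitian-utils`, keeps that reasoning with the code. The identical two lines appear in gitian-tor.yml and deserve the same comment; note also that if the script were ever re-run in the same VM the second `mv` would overwrite `.orig` with the patched linker.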
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index bc70839..65df589 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -35,6 +35,7 @@ files:
 - "openssl-win32-utils.zip"
 - "libevent-win32-utils.zip"
 - "zlib-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
 script: |
   INSTDIR="$HOME/install"
   source versions
@@ -51,14 +52,17 @@ script: |
   unzip -d $INSTDIR zlib-win32-utils.zip
   unzip -d $INSTDIR libevent-win32-utils.zip
   unzip -d $INSTDIR openssl-win32-utils.zip
+  unzip -d $INSTDIR gcclibs-win32-utils.zip
   cp $INSTDIR/zlib/lib/*.dll $INSTDIR/Tor/
   cp $INSTDIR/libevent/bin/*.dll $INSTDIR/Tor/
   cp $INSTDIR/openssl/bin/*.dll $INSTDIR/Tor/
-  # Make sure our custom ld gets used.
-  # See the we-need-only-the-binutils-comment in gitian-utils.yml for the
-  # reasoning behind the "mingw-w64" dir instead of an expected "binutils" one.
+  cp $INSTDIR/gcclibs/*.dll $INSTDIR/Tor/
+
   export PATH=$INSTDIR/mingw-w64/bin:$PATH
 
+  sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+  sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
   # Building tor
   cd tor
   git update-index --refresh -q
@@ -89,8 +93,8 @@ script: |
   mkdir -p $OUTDIR/src
   #git archive HEAD | tar -x -C $OUTDIR/src
   # Let's avoid the console window popping up.
-  export CFLAGS="-mwindows"
-  export LDFLAGS="-mwindows"
+  export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+  export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
   ./autogen.sh
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   ./configure --disable-asciidoc --host=i686-w64-mingw32 --with-libevent-dir=$INSTDIR/libevent --with-openssl-dir=$INSTDIR/openssl --prefix=$INSTDIR --with-zlib-dir=$INSTDIR/zlib/
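Review bot: The comment `# Let's avoid the console window popping up.` now sits above a CFLAGS line whose bulk is stack-protector and format hardening, so it no longer describes what the line does; `# -mwindows avoids the console window popping up; the remaining flags are the hardening set shared with gitian-utils.yml` would cover both halves. In gitian-pluggable-transports.yml the same two export lines are added with no comment at all, and the same wording would fit there.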
@@ -100,8 +104,6 @@ script: |
   install -s $INSTDIR/bin/tor.exe $INSTDIR/Tor/
   cp $INSTDIR/share/tor/geoip $INSTDIR/Data/Tor/
   cp $INSTDIR/share/tor/geoip6 $INSTDIR/Data/Tor/
-  cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libgcc_s_sjlj-1.dll $INSTDIR/Tor/
-  cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libssp*.dll $INSTDIR/Tor/
 
   # Grabbing the result
   cd $INSTDIR
diff --git a/gitian/descriptors/windows/gitian-utils.yml b/gitian/descriptors/windows/gitian-utils.yml
index 87dbe16..2d0b3db 100644
--- a/gitian/descriptors/windows/gitian-utils.yml
+++ b/gitian/descriptors/windows/gitian-utils.yml
@@ -31,6 +31,7 @@ files:
 - "gcc.tar.bz2"
 - "openssl.tar.gz"
 - "gmp.tar.bz2"
+- "enable-reloc-section-ld.patch"
 - "peXXigen.patch"
 - "versions"
 - "dzip.sh"
@@ -47,15 +48,11 @@ script: |
   # XXX: This is needed due to bug 10102.
   sed 's/= extern_rt_rel_d;/= extern_rt_rel_d;\n  memset (extern_rt_rel_d, 0, PE_IDATA5_SIZE);/' -i ld/pe-dll.c
   # Zeroing timestamps in PE headers reliably, see bug 12753.
+  patch -p1 < ../enable-reloc-section-ld.patch
   patch -p1 < ../peXXigen.patch
   ./configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib
   make $MAKEOPTS
   make install
-  # XXX: We currently do this as we are not using our own compiler but only our
-  # own binutils for compiling tor. See bug 10077. Nevertheless, we need both
-  # for cross-compiling Tor Browser.
-  cd $INSTDIR
-  ~/build/dzip.sh binutils-$BINUTILS_VER-win32-utils.zip mingw-w64
   # Make sure our ld etc. is found and used.
   export PATH=$INSTDIR/mingw-w64/bin:$PATH
   cd ~/build
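Review bot: The comment `# Zeroing timestamps in PE headers reliably, see bug 12753.` now describes the wrong line: the new `patch -p1 < ../enable-reloc-section-ld.patch` was inserted between it and `patch -p1 < ../peXXigen.patch`, which is the patch that comment is about. Either place the new line above that comment or give it its own, e.g. `# Adds the --enable-reloc-section ld option used by the build-helpers wrappers and the LDFLAGS below.`.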
@@ -78,7 +75,7 @@ script: |
   sed 's/msvcrt/msvcr100/' -i gcc-*/gcc/config/i386/t-mingw-w32
   # LDFLAGS_FOR_TARGET does not work for some reason. Thus, we take
   # CFLAGS_FOR_TARGET.
-  export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec"
+  export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec -Wl,--nxcompat -Wl,--dynamicbase"
   gcc-*/configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib --enable-languages=c,c++
   make $MAKEOPTS all-gcc
   make install-gcc
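Review bot: `CFLAGS_FOR_TARGET` gains `-Wl,--nxcompat -Wl,--dynamicbase` but not `-Wl,--enable-reloc-section`, even though the ld built just above was patched for exactly that option and every other LDFLAGS line in this commit passes all three together. If the omission is deliberate (these flags reach the libssp-0.dll and libgcc_s_sjlj-1.dll that a later hunk copies into gcclibs, and DLLs may not need the option), a short comment on this line saying so would stop the next reader from "completing" the set; if not, the option should be added here as well.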
@@ -99,8 +96,12 @@ script: |
   cd ..
   # Second stage of gcc compilation
   cd gcc
+  find -type f | xargs touch --date="$REFERENCE_DATETIME"
   make $MAKEOPTS
   make install
+  mkdir -p $INSTDIR/gcclibs
+  cp i686-w64-mingw32/libssp/.libs/libssp-0.dll $INSTDIR/gcclibs
+  cp i686-w64-mingw32/libgcc/shlib/libgcc_s_sjlj-1.dll $INSTDIR/gcclibs
   cd ..
 
   # XXX: Build the libraries we include into the bundles deterministically. As
@@ -111,12 +112,12 @@ script: |
   export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
   export FAKETIME=$REFERENCE_DATETIME
   # Building zlib
-  export CFLAGS="-mwindows"
-  export LDFLAGS="-mwindows"
+  export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+  export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
   cd zlib
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
-  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1
-  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 install
+  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
+  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" install
   cd ..
 
   # Building Libevent
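Review bot: The same ~230-character hardening string is now written out four times in this file (the CFLAGS/LDFLAGS exports here, both zlib `make` invocations via `LOC=`, and the openssl `./Configure` argument in the next hunk) and again in gitian-tor.yml and gitian-pluggable-transports.yml, with `-L$INSTDIR/gcclibs/` and `-L$INSTDIR/gcclibs` differing only by a trailing slash between files. Defining the two halves once near the top of the deterministic-build section, `HARDENING_CFLAGS="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"` and `HARDENING_LDFLAGS="-Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"`, and using `$HARDENING_CFLAGS $HARDENING_LDFLAGS` in the `LOC=` and Configure arguments means a flag that later has to change is changed in one place. The `LOC=` and Configure strings mix compile and link flags, so both variables are needed at those two call sites.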
@@ -133,7 +134,7 @@ script: |
   cd openssl-*
   find -type f | xargs touch --date="$REFERENCE_DATETIME"
   # TODO: Add enable-ec_nistp_64_gcc_128 for 64bit Windows.
-  ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw --prefix=$INSTDIR/openssl
+  ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw "-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" --prefix=$INSTDIR/openssl
   # Using $MAKEOPTS breaks the build. Might be the issue mentioned on
   # http://cblfs.cross-lfs.org/index.php/OpenSSL.
   make
@@ -156,4 +157,5 @@ script: |
   ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-win32-utils.zip libevent
   ~/build/dzip.sh openssl-$OPENSSL_VER-win32-utils.zip openssl
   ~/build/dzip.sh gmp-$GMP_VER-win32-utils.zip gmp
+  ~/build/dzip.sh gcclibs-$GCC_VER-win32-utils.zip gcclibs
   cp *-utils.zip $OUTDIR/
diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh
index 0af015d..9ef5c41 100755
--- a/gitian/mkbundle-windows.sh
+++ b/gitian/mkbundle-windows.sh
@@ -97,7 +97,7 @@ fi
 
 cd $GITIAN_DIR
 
-if [ ! -f inputs/binutils-$BINUTILS_VER-win32-utils.zip -o \
+if [ ! -f inputs/gcclibs-$GCC_VER-win32-utils.zip -o \
      ! -f inputs/mingw-w64-$GCC_VER-win32-utils.zip -o \
      ! -f inputs/zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip -o \
      ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip -o \
@@ -117,12 +117,12 @@ then
 
   cd inputs
   cp -a ../build/out/*-utils.zip .
-  ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
   ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
   ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
   ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
   ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
   ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+  ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
   cd ..
   #cp -a result/utils-win-res.yml inputs/
 else
@@ -132,12 +132,12 @@ else
   # We might have built the utilities in the past but maybe the links are
   # pointing to the wrong version. Refresh them.
   cd inputs
-  ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
   ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
   ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
   ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
   ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
   ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+  ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
   cd ..
 fi
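Review bot: The six `ln -sf ... win32-utils.zip` lines are now repeated verbatim in the `then` and `else` branches, and this commit had to add the `gcclibs` link and remove the `binutils` link in both places; a small `refresh_utils_links()` function defined above the `if`, holding the `cd inputs`, the `ln -sf` lines and the `cd ..`, called once from each branch, would keep the two lists from drifting. The same applies to the previous hunk in this file, which holds the `then` branch. The `if`/`else` that encloses this hunk begins outside it.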
 




