[tbb-commits] [tor-browser-build/master] Bug 40010: Add NSS for application-services
Mon Aug 10 16:06:24 UTC 2020
commit 53131fdc6d54bdd3bda261c64aa81fc3e8fbe228
Author: Georg Koppen <gk at torproject.org>
Date: Tue Jun 30 10:12:32 2020 +0000
Bug 40010: Add NSS for application-services
---
projects/nss/bug_13028.patch | 79 ++++++++++++++++++++++++
projects/nss/build | 139 +++++++++++++++++++++++++++++++++++++++++++
projects/nss/config | 27 +++++++++
projects/nss/config.patch | 37 ++++++++++++
projects/nss/configure.patch | 11 ++++
5 files changed, 293 insertions(+)
diff --git a/projects/nss/bug_13028.patch b/projects/nss/bug_13028.patch
new file mode 100644
index 0000000..60bbd35
--- /dev/null
+++ b/projects/nss/bug_13028.patch
@@ -0,0 +1,79 @@
+From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001
+From: Mike Perry <mikeperry-git at torproject.org>
+Date: Mon, 29 Sep 2014 14:30:19 -0700
+Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.
+
+It looks like these cases should only be invoked in the NSS command line
+tools, and not the browser, but I decided to patch them anyway because there
+literally is a maze of network function pointers being passed around, and it's
+very hard to tell if some random code might not pass in the proper proxied
+versions of the networking code here by accident.
+
+diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
+index cea8456606bf..86fa971cfbef 100644
+--- a/security/nss/lib/certhigh/ocsp.c
++++ b/security/nss/lib/certhigh/ocsp.c
+@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
+ PRNetAddr addr;
+ char *netdbbuf = NULL;
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,
++ port);
++ goto loser;
++#endif
++
+ sock = PR_NewTCPSocket();
+ if (sock == NULL)
+ goto loser;
+diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+index e8698376b5be..85791d84a932 100644
+--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
++++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(
+ plContext),
+ PKIX_COULDNOTCREATESOCKETOBJECT);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct socket connect\n");
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ socket->isServer = isServer;
+ socket->timeout = timeout;
+ socket->clientSock = NULL;
+@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(
+
+ localCopyName = PL_strdup(serverName);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ sepPtr = strchr(localCopyName, ':');
+ /* First strip off the portnum, if present, from the end of the name */
+ if (sepPtr) {
+@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(
+ PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
+ PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,
++ portnum);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
+
+ prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+
+--
+2.27.0
+
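Review bot: The three pkix_pl_socket.c hunks patch code this project never compiles, because `projects/nss/build` in the same commit passes `-Ddisable_libpkix=1` to gyp, so only the ocsp.c hunk is effective defense-in-depth for the libraries that are actually shipped; a remark in the patch description such as `Note: the pkix_pl_socket.c hunks are inert in this build (disable_libpkix=1) and are kept so the patch matches the browser's copy.` would spare the next reader that check. In ocsp_ConnectToHost the added `goto loser;` runs before `sock` is assigned, so it relies on `sock` being initialised to NULL above the hunk and on the `loser:` path tolerating that, both outside this view — worth confirming against the NSS 3.54 source, since the hunk's line numbers date from 2014 and the function body continues past the hunk. The diagnostics are written to stdout with `printf` rather than stderr or NSS's own logging; inside a library linked into an Android process that output is likely to be lost, so if the message is meant to be seen, `fprintf(stderr, ...)` is the more reliable choice.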
diff --git a/projects/nss/build b/projects/nss/build
new file mode 100644
index 0000000..791a680
--- /dev/null
+++ b/projects/nss/build
@@ -0,0 +1,139 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+distdir=/var/tmp/dist/nss
+builddir=/var/tmp/build/[% project %]
+mkdir /var/tmp/build
+tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %]
+export PATH=/var/tmp/dist/ninja:$PATH
+
+# application-services uses a newer NDK, 21d, than all the other projects...
+export ANDROID_NDK_API_VERSION=[% pc("fenix-android-toolchain", "var/android_ndk_version") %][% pc('fenix-android-toolchain', 'var/android_ndk_revision') %]
+export ANDROID_NDK_HOME=/var/tmp/dist/[% c('var/compiler') %]/android-ndk/android-ndk-r$ANDROID_NDK_API_VERSION
+# We need to add the new path to our build tools to PATH
+export PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
+export ANDROID_NDK_ROOT=$ANDROID_NDK_HOME
+export NDK_HOST_TAG=linux-x86_64
+
+nspr_64=""
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+ gyp_arch="arm"
+[% ELSIF c("var/configure_host") == "i686-linux-android" -%]
+ gyp_arch="ia32"
+[% ELSIF c("var/configure_host") == "x86_64-linux-android" -%]
+ gyp_arch="x64"
+ nspr_64="--enable-64bit"
+[% ELSIF c("var/configure_host") == "aarch64-linux-android" -%]
+ gyp_arch="arm64"
+ nspr_64="--enable-64bit"
+[% END -%]
+
+export AR="[% c('var/cross_prefix') %]-ar"
+# XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
+export CC="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang"
+export CXX="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang++"
+export LD="[% c('var/cross_prefix') %]-ld"
+export NM="[% c('var/cross_prefix') %]-nm"
+export RANLIB="[% c('var/cross_prefix') %]-ranlib"
+export READELF="[% c('var/cross_prefix') %]-readelf"
+
+tar -C /var/tmp/build -xf [% c('input_files_by_name/nss') %]
+mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
+cd $builddir
+# Early return hack to prevent NSPR Android setup
+# which does not work with ndk unified headers and clang. See:
+# application-services/libs/build-all.sh
+cat $rootdir/configure.patch | patch nspr/configure
+# Some NSS symbols clash with OpenSSL symbols, rename them using
+# C preprocessor define macros. See:
+# application-services/libs/build-all.sh
+patch -p2 < $rootdir/config.patch
+# Let's apply our proxy bypass defense-in-depth here as well to be on the safe
+# side.
+patch -p2 < $rootdir/bug_13028.patch
+
+# Building NSPR
+mkdir $builddir/nspr_build
+cd $builddir/nspr_build
+../nspr/configure \
+ $nspr_64 \
+ --target=[% c("var/configure_host") %] \
+ --disable-debug \
+ --enable-optimize
+make
+cd ..
+
+# Building NSS
+mkdir $builddir/nss_build
+gyp -f ninja-android "$builddir/nss/nss.gyp" \
+ --depth "$builddir/nss/" \
+ --generator-output=. \
+ -DOS=android \
+ -Dnspr_lib_dir="$builddir/nspr_build/dist/lib" \
+ -Dnspr_include_dir="$builddir/nspr_build/dist/include/nspr" \
+ -Dnss_dist_dir="$builddir/nss_build" \
+ -Dnss_dist_obj_dir="$builddir/nss_build" \
+ -Dhost_arch="$gyp_arch" \
+ -Dtarget_arch="$gyp_arch" \
+ -Dstatic_libs=1 \
+ -Ddisable_dbm=1 \
+ -Dsign_libs=0 \
+ -Denable_sslkeylogfile=0 \
+ -Ddisable_tests=1 \
+ -Ddisable_libpkix=1
+
+gendir="$builddir/nss/out/Release"
+ninja -C "$gendir"
+
+mkdir -p $distdir/include/nss
+mkdir -p $distdir/lib
+cp -p -L "$builddir/nss_build/lib/libcertdb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcerthi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcryptohi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libfreebl_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnss_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssdev.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnsspki.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssutil.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpk11wrap_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs12.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs7.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsmime.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsoftokn_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libssl.a" "$distdir/lib"
+
+# HW specific.
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#278-296
+[% IF c("var/configure_host") == "i686-linux-android" || c("var/configure_host") == "x86_64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" || c("var/configure_host") == "aarch64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libarmv8_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "aarch64-linux-android" -%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-aarch64_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-arm32-neon_c_lib.a" "$distdir/lib"
+[% END %]
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
+[% IF c("var/configure_host") == "x86_64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
+[% END %]
+cp -p -L "$builddir/nspr_build/dist/lib/libplc4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libplds4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libnspr4.a" "$distdir/lib"
+
+cp -p -L -R "$builddir/nss_build/public/nss/"* "$distdir/include/nss"
+cp -p -L -R "$builddir/nspr_build/dist/include/nspr/"* "$distdir/include/nss"
+
+cd /var/tmp/dist
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
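Review bot: `ANDROID_NDK_API_VERSION`, on the `export ANDROID_NDK_API_VERSION=` line, holds the NDK release string (ndk_version followed by ndk_revision, used to form `android-ndk-r$ANDROID_NDK_API_VERSION`), not an Android API level, while the `CC`/`CXX` lines embed the bare ndk_version as the API level in the clang wrapper name, as the XXX comment above them notes; renaming it to something like `ANDROID_NDK_RELEASE`, or adding `# NDK release (e.g. 21d), not an API level` next to it, keeps the two from being confused. The script applies three patches but never checks the outcome itself; unless `var/set_default_env` already sets `-e`, a hunk that fails to apply (bug_13028.patch carries 2014-era line numbers) would be skipped silently and the build would continue without the proxy-bypass guard, so `set -e` at the top or `|| exit 1` on each `patch` call would make that failure loud. The `cat $rootdir/configure.patch | patch nspr/configure` line can be written `patch nspr/configure < "$rootdir/configure.patch"` to match the other two invocations.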
diff --git a/projects/nss/config b/projects/nss/config
new file mode 100644
index 0000000..e2b875e
--- /dev/null
+++ b/projects/nss/config
@@ -0,0 +1,27 @@
+# vim: filetype=yaml sw=2
+filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
+# The required versions for application-services can be found at the respective
+# commit in libs/build-all.sh
+version: 3.54
+# XXX: maybe that's extractable automatically from `version` somehow?
+version_path: 3_54
+nspr_version: 4.26
+var:
+ container:
+ use_container: 1
+ deps:
+ - build-essential
+ - gyp
+
+input_files:
+ - project: container-image
+ - name: '[% c("var/compiler") %]'
+ project: '[% c("var/compiler") %]'
+ - name: ninja
+ project: ninja
+ - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("version_path") %]_RTM/src/nss-[% c("version") %]-with-nspr-[% c("nspr_version") %].tar.gz'
+ name: nss
+ sha256sum: e0e81f0ff264d810f130d3cd9334722f7f883c752430483131d1ca5ac62d3f70
+ - filename: configure.patch
+ - filename: config.patch
+ - filename: bug_13028.patch
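Review bot: `version_path: 3_54` repeats `version: 3.54` by hand, and the XXX comment above it already asks whether it can be derived; if rbm evaluates templates in this key, Template Toolkit's scalar `replace` vmethod should allow `version_path: '[% c("version").replace("\\.", "_") %]'` so the two cannot drift apart on the next bump — confirm that before relying on it. Pinning the tarball by `sha256sum` behind an https URL is the right shape; within this commit `nspr_version` is used only to build that URL, so a stale value fails the download rather than quietly fetching a different NSPR.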
diff --git a/projects/nss/config.patch b/projects/nss/config.patch
new file mode 100644
index 0000000..e7f5012
--- /dev/null
+++ b/projects/nss/config.patch
@@ -0,0 +1,37 @@
+From c11dc3a73349fc7d8fa451f9e3a4e3952aa54fd2 Mon Sep 17 00:00:00 2001
+From: Georg Koppen <gk at torproject.org>
+Date: Wed, 1 Jul 2020 09:57:01 +0000
+Subject: [PATCH] Patch for building NSS for application-services
+
+See: application-services/libs/build-all.sh
+
+diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
+index 62d3cc71ecaf..dd30de079081 100644
+--- a/security/nss/coreconf/config.gypi
++++ b/security/nss/coreconf/config.gypi
+@@ -144,6 +144,23 @@
+ '<(nspr_include_dir)',
+ '<(nss_dist_dir)/private/<(module)',
+ ],
++ 'defines': [
++ 'HMAC_Update=NSS_HMAC_Update',
++ 'HMAC_Init=NSS_HMAC_Init',
++ 'CMAC_Update=NSS_CMAC_Update',
++ 'CMAC_Init=NSS_CMAC_Init',
++ 'MD5_Update=NSS_MD5_Update',
++ 'SHA1_Update=NSS_SHA1_Update',
++ 'SHA256_Update=NSS_SHA256_Update',
++ 'SHA224_Update=NSS_SHA224_Update',
++ 'SHA512_Update=NSS_SHA512_Update',
++ 'SHA384_Update=NSS_SHA384_Update',
++ 'SEED_set_key=NSS_SEED_set_key',
++ 'SEED_encrypt=NSS_SEED_encrypt',
++ 'SEED_decrypt=NSS_SEED_decrypt',
++ 'SEED_ecb_encrypt=NSS_SEED_ecb_encrypt',
++ 'SEED_cbc_encrypt=NSS_SEED_cbc_encrypt',
++ ],
+ 'conditions': [
+ [ 'mozpkix_only==1 and OS=="linux"', {
+ 'include_dirs': [
+--
+2.27.0
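Review bot: The renames are preprocessor `defines`, so they only take effect in translation units compiled under this config.gypi; any header copied into `$distdir/include/nss` that still declares, for example, `HMAC_Update` would then not match the `NSS_HMAC_Update` symbol present in the static libraries. If, as the names suggest, these are all freebl-internal entry points that consumers reach only through the PK11 API, that is harmless, but the patch description should say so, e.g. `These symbols are freebl-internal; consumers linking the static libs next to OpenSSL reach them only via PK11_* and need no matching defines.` — confirm against the exported headers before adding that sentence.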
diff --git a/projects/nss/configure.patch b/projects/nss/configure.patch
new file mode 100644
index 0000000..4ce8465
--- /dev/null
+++ b/projects/nss/configure.patch
@@ -0,0 +1,11 @@
+@@ -2662,6 +2662,9 @@
+
+ case "$target" in
+ *-android*|*-linuxandroid*)
++ $as_echo "#define ANDROID 1" >>confdefs.h
++ ;;
++ unreachable)
+ if test -z "$android_ndk" ; then
+ as_fn_error $? "You must specify --with-android-ndk=/path/to/ndk when targeting Android." "$LINENO" 5
+ fi
+
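Review bot: The patch carries no `---`/`+++` headers, so it applies only when the target is named on the command line, as `build` does with `patch nspr/configure`; a leading `--- a/nspr/configure` / `+++ b/nspr/configure` pair would let it apply like the other two patches and document what it targets. The added `unreachable)` case label is a literal pattern no real `$target` matches, kept only so the original NDK-probing block stays syntactically attached; a comment on that line, `# Tor Browser: the NDK toolchain is supplied via PATH/CC by the build script, so NSPR's probing is skipped`, would make that intent explicit to whoever next rebases the hunk.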