commit 9b138783e0f6e2423caba58bad777fc5622169db Author: Erinn Clark erinn@torproject.org Date: Thu Aug 21 19:21:43 2014 -0400
add hardening for Windows bundles --- gitian/build-helpers/i686-w64-mingw32-g++ | 2 +- gitian/build-helpers/i686-w64-mingw32-gcc | 2 +- gitian/build-helpers/i686-w64-mingw32-ld | 7 +----- gitian/descriptors/windows/gitian-firefox.yml | 24 ++++++++------------ .../windows/gitian-pluggable-transports.yml | 12 ++++++++-- gitian/descriptors/windows/gitian-tor.yml | 16 +++++++------ gitian/descriptors/windows/gitian-utils.yml | 24 +++++++++++--------- gitian/mkbundle-windows.sh | 6 ++--- 8 files changed, 48 insertions(+), 45 deletions(-)
diff --git a/gitian/build-helpers/i686-w64-mingw32-g++ b/gitian/build-helpers/i686-w64-mingw32-g++
index e3c13fd..b73f107 100755
--- a/gitian/build-helpers/i686-w64-mingw32-g++
+++ b/gitian/build-helpers/i686-w64-mingw32-g++
@@ -1,4 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
-/usr/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-gcc b/gitian/build-helpers/i686-w64-mingw32-gcc
index 830e11b..d4fd642 100755
--- a/gitian/build-helpers/i686-w64-mingw32-gcc
+++ b/gitian/build-helpers/i686-w64-mingw32-gcc
@@ -1,4 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
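Review bot: The new command line drops `-pie -fPIE` and replaces `-fstack-protector-all` with `-fstack-protector`, while every CFLAGS export this commit adds in the descriptors uses `-fstack-protector-all`; code built through this wrapper (gitian-firefox.yml copies the wrappers to ~/build/bin and puts that first in PATH) therefore gets weaker stack protection than tor and the utility libraries, and nothing records whether that is deliberate. If it is, a comment above the command should say so, e.g. `# NOTE: -fstack-protector (not -all) and no PIE here -- keep in step with the descriptors' CFLAGS or record why they differ`; otherwise align it on `-fstack-protector-all`. The same applies to the i686-w64-mingw32-gcc wrapper in the next hunk. Since the script runs a single command, `exec /home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ ... "$@"` would let the compiler replace the sh process instead of running under it.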
-/usr/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -fstack-protector-all -pie -fPIE --param ssp-buffer-size=4 -fno-strict-overflow "$@"
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-gcc -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
diff --git a/gitian/build-helpers/i686-w64-mingw32-ld b/gitian/build-helpers/i686-w64-mingw32-ld
index e085bdd..f8c61fd 100755
--- a/gitian/build-helpers/i686-w64-mingw32-ld
+++ b/gitian/build-helpers/i686-w64-mingw32-ld
@@ -1,9 +1,4 @@
 #!/bin/sh
 # Hardened mingw gcc wrapper
-if [ -x /usr/bin/i686-w64-mingw32-ld.orig ];
-then
- /usr/bin/i686-w64-mingw32-ld.orig --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-else
- /usr/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat -lssp -L/usr/lib/gcc/i686-w64-mingw32/4.6/ "$@"
-fi
+/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-ld --dynamicbase --nxcompat --enable-reloc-section -lssp -L$INSTDIR/gcclibs/ "$@"
diff --git a/gitian/descriptors/windows/gitian-firefox.yml b/gitian/descriptors/windows/gitian-firefox.yml
index 94b5eef..0968911 100644
--- a/gitian/descriptors/windows/gitian-firefox.yml
+++ b/gitian/descriptors/windows/gitian-firefox.yml
@@ -20,10 +20,10 @@ files:
 - "mingw-w64-win32-utils.zip"
 - "re-dzip.sh"
 - "dzip.sh"
-# TODO: Hardening.
-#- "i686-w64-mingw32-gcc"
-#- "i686-w64-mingw32-g++"
-#- "i686-w64-mingw32-ld"
+- "gcclibs-win32-utils.zip"
+- "i686-w64-mingw32-gcc"
+- "i686-w64-mingw32-g++"
+- "i686-w64-mingw32-ld"
 - "msvcr100.dll"
 - "versions"
 script: |
@@ -38,8 +38,10 @@ script: |
 mkdir -p $INSTDIR/Browser/
 mkdir -p $OUTDIR/
 unzip -d $INSTDIR mingw-w64-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
 # Make sure our custom mingw gets used.
 export PATH=$INSTDIR/mingw-w64/bin:$PATH
+ # We don't want to link against msvcrt.dll due to bug 9084.
 i686-w64-mingw32-g++ -dumpspecs > msvcr100.spec
 sed 's/msvcrt/msvcr100/' -i msvcr100.spec 
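Review bot: The rewritten ld line reads `$INSTDIR` from the environment for `-L$INSTDIR/gcclibs/` but never checks it, so when the calling descriptor holds INSTDIR only as a shell variable (gitian-tor.yml sets `INSTDIR="$HOME/install"` without `export`; gitian-firefox.yml's assignment is outside the hunks) the option silently degrades to `-L/gcclibs/` and `-lssp` is resolved from wherever else the linker looks, or not at all. A guard before the command, `: "${INSTDIR:?INSTDIR must be exported for the ld wrapper}"`, makes that failure loud instead of silent. For consistency with that flag the linker itself could be addressed as `$INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld` rather than the hard-coded `/home/ubuntu/install/...` prefix. The retained header comment still reads `# Hardened mingw gcc wrapper` although this file wraps ld.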
@@ -73,22 +75,16 @@ script: |
 make -f client.mk configure
 find -type f | xargs touch --date="$REFERENCE_DATETIME"
 #
- # FIXME: MinGW doens't like being built with hardening, and Firefox doesn't
- # like being configured with it
- # XXX: These changes cause the exes to crash on launch.
- #mkdir -p ~/build/bin/
- #cp ~/build/i686* ~/build/bin/
- #export PATH=~/build/bin:$PATH
- # XXX: the path to ld is hardcoded in mingw.. This forces gcc's linking to
- # use our flags:
- #sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
- #sudo cp ~/build/bin/i686-w64-mingw32-ld /usr/bin/
+ mkdir -p ~/build/bin/
+ cp ~/build/i686* ~/build/bin/
+ export PATH=~/build/bin:$PATH
 #
 make $MAKEOPTS -f client.mk build
 #
 make -C obj-* package INNER_MAKE_PACKAGE=true
 cp -a obj-*/dist/firefox/* $INSTDIR/Browser/
 cp -a ~/build/msvcr100.dll $INSTDIR/Browser/
+ cp -a $INSTDIR/gcclibs/libssp-0.dll $INSTDIR/Browser/
 #
 # What the hell are these three bytes anyways?
 # FIXME: This was probably fixed by patching binutils. If we get matching
diff --git a/gitian/descriptors/windows/gitian-pluggable-transports.yml b/gitian/descriptors/windows/gitian-pluggable-transports.yml
index 1580152..bac9bf0 100644
--- a/gitian/descriptors/windows/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/windows/gitian-pluggable-transports.yml
@@ -50,8 +50,10 @@ files:
 - "go.tar.gz"
 - "dzip.sh"
 - "pyc-timestamp.sh"
+- "binutils-win32-utils.zip"
 - "openssl-win32-utils.zip"
 - "gmp-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
 script: |
 # Set the timestamp on every .pyc file in a zip file, and re-dzip the zip file.
 function py2exe_zip_timestomp { 
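Review bot: The XXX/FIXME block that explained why the wrappers were disabled (`These changes cause the exes to crash on launch`) is deleted and the three lines are enabled with no replacement comment, so the next reader cannot tell what changed to make them usable; a line above `mkdir -p ~/build/bin/` such as `# Use the hardened gcc/g++/ld wrappers; presumably safe now that ld is patched for --enable-reloc-section (gitian-utils.yml) -- confirm` would record it. Only `libssp-0.dll` is copied into Browser/, whereas gitian-tor.yml copies every DLL from `$INSTDIR/gcclibs/`, which gitian-utils.yml populates with `libgcc_s_sjlj-1.dll` as well; if the Firefox binaries link libgcc dynamically they will not start, so either copy both or note why libgcc is not needed. The `sudo mv`/`sudo cp` of ld that the removed comment described as necessary is not reinstated here, unlike in gitian-tor.yml and gitian-pluggable-transports.yml; if the wrappers on PATH are meant to cover that, the same comment should say so. The script block continues outside the hunk.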
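Review bot: `binutils-win32-utils.zip` is added as an input here (and unzipped in the next hunk), but this same commit stops producing it: gitian-utils.yml no longer runs `~/build/dzip.sh binutils-$BINUTILS_VER-win32-utils.zip mingw-w64`, and mkbundle-windows.sh drops both `ln -sf binutils-...` links and the `-f inputs/binutils-...` check. Unless a stale zip is left behind in inputs/, the pluggable-transports build will fail at input resolution, and the `$INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld` the script copies later will not exist. gitian-firefox.yml obtains that directory from `mingw-w64-win32-utils.zip`, so listing `- "mingw-w64-win32-utils.zip"` here and unzipping it in place of the binutils archive looks like the intended change; confirm that this zip carries the patched ld.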
@@ -75,14 +77,20 @@ script: |
 export FAKETIME=$REFERENCE_DATETIME
 export TZ=UTC
 export LC_ALL=C
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
 umask 0022
+ unzip -d $INSTDIR binutils-win32-utils.zip
 unzip -d $INSTDIR gmp-win32-utils.zip
 unzip -d $INSTDIR openssl-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
 cp $INSTDIR/gmp/bin/*dll* $INSTDIR/Tor
+ export PATH=$INSTDIR/mingw-w64/bin:$PATH
+ sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+ sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
 # We need at least Wine 1.5.29 which is not in Ubuntu's main repository (see
 # below). Thus, we resort to a PPA and need therefore to determine the correct
 # network interface depending on the virtualization we use.
diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml
index bc70839..65df589 100644
--- a/gitian/descriptors/windows/gitian-tor.yml
+++ b/gitian/descriptors/windows/gitian-tor.yml
@@ -35,6 +35,7 @@ files:
 - "openssl-win32-utils.zip"
 - "libevent-win32-utils.zip"
 - "zlib-win32-utils.zip"
+- "gcclibs-win32-utils.zip"
 script: |
 INSTDIR="$HOME/install"
 source versions
@@ -51,14 +52,17 @@ script: |
 unzip -d $INSTDIR zlib-win32-utils.zip
 unzip -d $INSTDIR libevent-win32-utils.zip
 unzip -d $INSTDIR openssl-win32-utils.zip
+ unzip -d $INSTDIR gcclibs-win32-utils.zip
 cp $INSTDIR/zlib/lib/*.dll $INSTDIR/Tor/
 cp $INSTDIR/libevent/bin/*.dll $INSTDIR/Tor/
 cp $INSTDIR/openssl/bin/*.dll $INSTDIR/Tor/
- # Make sure our custom ld gets used.
- # See the we-need-only-the-binutils-comment in gitian-utils.yml for the
- # reasoning behind the "mingw-w64" dir instead of an expected "binutils" one.
+ cp $INSTDIR/gcclibs/*.dll $INSTDIR/Tor/
+ export PATH=$INSTDIR/mingw-w64/bin:$PATH
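Review bot: `sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig` is not re-runnable: a second run in the same VM overwrites `.orig` with the already-replaced linker, and the two `sudo` lines carry no comment explaining why the system ld must be swapped when `$INSTDIR/mingw-w64/bin` has just been put first in PATH (the comment deleted from gitian-firefox.yml said gcc reaches ld through a hard-coded path). Guard it with `[ -e /usr/bin/i686-w64-mingw32-ld.orig ] || sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig` and add `# gcc finds ld by its built-in path rather than via PATH, so the system ld itself has to be our patched one -- confirm` above it. gitian-tor.yml repeats both lines in the next file and needs the same treatment. The script block continues outside the hunk.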
+ sudo mv /usr/bin/i686-w64-mingw32-ld /usr/bin/i686-w64-mingw32-ld.orig
+ sudo cp $INSTDIR/mingw-w64/bin/i686-w64-mingw32-ld /usr/bin/
+
 # Building tor
 cd tor
 git update-index --refresh -q
@@ -89,8 +93,8 @@ script: |
 mkdir -p $OUTDIR/src
 #git archive HEAD | tar -x -C $OUTDIR/src
 # Let's avoid the console window popping up.
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs"
 ./autogen.sh
 find -type f | xargs touch --date="$REFERENCE_DATETIME"
 ./configure --disable-asciidoc --host=i686-w64-mingw32 --with-libevent-dir=$INSTDIR/libevent --with-openssl-dir=$INSTDIR/openssl --prefix=$INSTDIR --with-zlib-dir=$INSTDIR/zlib/
@@ -100,8 +104,6 @@ script: |
 install -s $INSTDIR/bin/tor.exe $INSTDIR/Tor/
 cp $INSTDIR/share/tor/geoip $INSTDIR/Data/Tor/
 cp $INSTDIR/share/tor/geoip6 $INSTDIR/Data/Tor/
- cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libgcc_s_sjlj-1.dll $INSTDIR/Tor/
- cp -a /usr/lib/gcc/i686-w64-mingw32/4.6/libssp*.dll $INSTDIR/Tor/
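Review bot: The comment `# Let's avoid the console window popping up.` now sits above CFLAGS/LDFLAGS that mostly carry hardening flags, so it describes only `-mwindows`; extend it, e.g. `# -mwindows avoids the console window; the remaining flags are the hardening set (stack protector, --dynamicbase/--nxcompat/--enable-reloc-section, format warnings).` The same two flag strings are pasted verbatim into gitian-pluggable-transports.yml and, three more times, into gitian-utils.yml (zlib and openssl); since this descriptor already does `source versions`, defining them once there as e.g. `HARDENING_CFLAGS=...` / `HARDENING_LDFLAGS=...` would keep the builds from drifting apart. The script block continues outside the hunk.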
# Grabbing the result
 cd $INSTDIR
diff --git a/gitian/descriptors/windows/gitian-utils.yml b/gitian/descriptors/windows/gitian-utils.yml
index 87dbe16..2d0b3db 100644
--- a/gitian/descriptors/windows/gitian-utils.yml
+++ b/gitian/descriptors/windows/gitian-utils.yml
@@ -31,6 +31,7 @@ files:
 - "gcc.tar.bz2"
 - "openssl.tar.gz"
 - "gmp.tar.bz2"
+- "enable-reloc-section-ld.patch"
 - "peXXigen.patch"
 - "versions"
 - "dzip.sh"
@@ -47,15 +48,11 @@ script: |
 # XXX: This is needed due to bug 10102.
 sed 's/= extern_rt_rel_d;/= extern_rt_rel_d;\n memset (extern_rt_rel_d, 0, PE_IDATA5_SIZE);/' -i ld/pe-dll.c
 # Zeroing timestamps in PE headers reliably, see bug 12753.
+ patch -p1 < ../enable-reloc-section-ld.patch
 patch -p1 < ../peXXigen.patch
 ./configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib
 make $MAKEOPTS
 make install
- # XXX: We currently do this as we are not using our own compiler but only our
- # own binutils for compiling tor. See bug 10077. Nevertheless, we need both
- # for cross-compiling Tor Browser.
- cd $INSTDIR
- ~/build/dzip.sh binutils-$BINUTILS_VER-win32-utils.zip mingw-w64
 # Make sure our ld etc. is found and used.
 export PATH=$INSTDIR/mingw-w64/bin:$PATH
 cd ~/build
@@ -78,7 +75,7 @@ script: |
 sed 's/msvcrt/msvcr100/' -i gcc-*/gcc/config/i386/t-mingw-w32
 # LDFLAGS_FOR_TARGET does not work for some reason. Thus, we take
 # CFLAGS_FOR_TARGET.
- export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec"
+ export CFLAGS_FOR_TARGET="-specs=/home/ubuntu/build/msvcr100.spec -Wl,--nxcompat -Wl,--dynamicbase"
 gcc-*/configure --prefix=$INSTDIR/mingw-w64 --target=i686-w64-mingw32 --disable-multilib --enable-languages=c,c++
 make $MAKEOPTS all-gcc
 make install-gcc 
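Review bot: The new `patch -p1 < ../enable-reloc-section-ld.patch` is inserted between the comment `# Zeroing timestamps in PE headers reliably, see bug 12753.` and the `patch -p1 < ../peXXigen.patch` that comment belongs to, so the comment now reads as if it described the reloc-section patch. Move the new line above that comment and give it its own, e.g. `# Teach ld --enable-reloc-section, which the wrappers and the LDFLAGS below rely on.` The script block continues outside the hunk.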
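Review bot: `CFLAGS_FOR_TARGET` gains `-Wl,--nxcompat -Wl,--dynamicbase` but not `-Wl,--enable-reloc-section`, unlike every other linker flag set in this commit; these flags govern the target libraries built in the second stage, and the `libssp-0.dll` / `libgcc_s_sjlj-1.dll` copied into `$INSTDIR/gcclibs` two hunks later are shipped into the bundles, so those two DLLs would carry `--dynamicbase` without the reloc section the patched ld is being taught to emit. The PATH export just above says the patched ld is the one found, so the option should be accepted here; append `-Wl,--enable-reloc-section`, or if the omission is intentional extend the `# LDFLAGS_FOR_TARGET does not work...` comment to say why. The script block continues outside the hunk.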
@@ -99,8 +96,12 @@ script: |
 cd ..
 # Second stage of gcc compilation
 cd gcc
+ find -type f | xargs touch --date="$REFERENCE_DATETIME"
 make $MAKEOPTS
 make install
+ mkdir -p $INSTDIR/gcclibs
+ cp i686-w64-mingw32/libssp/.libs/libssp-0.dll $INSTDIR/gcclibs
+ cp i686-w64-mingw32/libgcc/shlib/libgcc_s_sjlj-1.dll $INSTDIR/gcclibs
 cd ..
# XXX: Build the libraries we include into the bundles deterministically. As
@@ -111,12 +112,12 @@ script: |
 export LD_PRELOAD=/usr/lib/faketime/libfaketime.so.1
 export FAKETIME=$REFERENCE_DATETIME
 # Building zlib
- export CFLAGS="-mwindows"
- export LDFLAGS="-mwindows"
+ export CFLAGS="-mwindows -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
+ export LDFLAGS="-mwindows -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
 cd zlib
 find -type f | xargs touch --date="$REFERENCE_DATETIME"
- make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1
- make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 install
+ make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
+ make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" install
 cd ..
# Building Libevent
@@ -133,7 +134,7 @@ script: |
 cd openssl-*
 find -type f | xargs touch --date="$REFERENCE_DATETIME"
 # TODO: Add enable-ec_nistp_64_gcc_128 for 64bit Windows.
- ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw --prefix=$INSTDIR/openssl
+ ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw "-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/" --prefix=$INSTDIR/openssl
 # Using $MAKEOPTS breaks the build. Might be the issue mentioned on
 # http://cblfs.cross-lfs.org/index.php/OpenSSL.
 make
@@ -156,4 +157,5 @@ script: |
 ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-win32-utils.zip libevent
 ~/build/dzip.sh openssl-$OPENSSL_VER-win32-utils.zip openssl
 ~/build/dzip.sh gmp-$GMP_VER-win32-utils.zip gmp
+ ~/build/dzip.sh gcclibs-$GCC_VER-win32-utils.zip gcclibs
 cp *-utils.zip $OUTDIR/
diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh
index 0af015d..9ef5c41 100755
--- a/gitian/mkbundle-windows.sh
+++ b/gitian/mkbundle-windows.sh
@@ -97,7 +97,7 @@ fi
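Review bot: The zlib hunk spells out the same hardening flag string three times within five lines, in the `CFLAGS`/`LDFLAGS` exports and again in the `LOC=` argument of both `make` invocations, so a later change to one copy will silently miss the others. Assign the compiler and linker sets to two shell variables once and reference them from the exports and both `LOC=` arguments; behaviour is unchanged because the variables expand inside double quotes to exactly the same text. The same strings recur in the openssl `./Configure` call two hunks further on and could use the same variables. The script block continues outside the hunk.
```shell
  # Hardening flags for every library built below; keep them in one place.
  HARDENING_CFLAGS="-fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security"
  HARDENING_LDFLAGS="-Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -lssp -L$INSTDIR/gcclibs/"
  export CFLAGS="-mwindows $HARDENING_CFLAGS"
  export LDFLAGS="-mwindows $HARDENING_LDFLAGS"
  cd zlib
  # … unchanged: find | xargs touch …
  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="$HARDENING_CFLAGS $HARDENING_LDFLAGS"
  make BINARY_PATH=$INSTDIR/zlib/lib INCLUDE_PATH=$INSTDIR/zlib/include LIBRARY_PATH=$INSTDIR/zlib/lib -f win32/Makefile.gcc PREFIX=i686-w64-mingw32- $MAKEOPTS SHARED_MODE=1 LOC="$HARDENING_CFLAGS $HARDENING_LDFLAGS" install
```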
cd $GITIAN_DIR
-if [ ! -f inputs/binutils-$BINUTILS_VER-win32-utils.zip -o \
+if [ ! -f inputs/gcclibs-$GCC_VER-win32-utils.zip -o \
 ! -f inputs/mingw-w64-$GCC_VER-win32-utils.zip -o \
 ! -f inputs/zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip -o \
 ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip -o \
@@ -117,12 +117,12 @@ then
cd inputs
 cp -a ../build/out/*-utils.zip .
- ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
 ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
 ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
 ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
 ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
 ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+ ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
 cd ..
 #cp -a result/utils-win-res.yml inputs/
 else
@@ -132,12 +132,12 @@ else
 # We might have built the utilities in the past but maybe the links are
 # pointing to the wrong version. Refresh them.
 cd inputs
- ln -sf binutils-$BINUTILS_VER-win32-utils.zip binutils-win32-utils.zip
 ln -sf mingw-w64-$GCC_VER-win32-utils.zip mingw-w64-win32-utils.zip
 ln -sf zlib-${ZLIB_TAG_ORIG#v}-win32-utils.zip zlib-win32-utils.zip
 ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-win32-utils.zip libevent-win32-utils.zip
 ln -sf openssl-$OPENSSL_VER-win32-utils.zip openssl-win32-utils.zip
 ln -sf gmp-$GMP_VER-win32-utils.zip gmp-win32-utils.zip
+ ln -sf gcclibs-$GCC_VER-win32-utils.zip gcclibs-win32-utils.zip
 cd ..
 fi