Pier Angelo Vendrame pushed to branch tor-browser-102.8.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits: bd011d63 by Pier Angelo Vendrame at 2023-03-10T10:39:17+01:00 Revert "Bug 13379: Sign our MAR files."
This reverts commit 778aa6cfc77d6b747bc7be1cd2d421861265d68d.
- - - - - 1a81a5cc by Pier Angelo Vendrame at 2023-03-10T10:39:17+01:00 fixup! Bug 4234: Use the Firefox Update Process for Tor Browser.
Bug 41668: Port some updater patches to Base Browser
Move the check on the update package version to this other commit.
- - - - - fcf0e668 by Kathy Brade at 2023-03-10T10:39:17+01:00 Bug 13379: Allow using NSS to sign and verify MAR signatures
Allow using NSS on all platforms for checking MAR signatures (instead of using OS-native APIs, the default on Mac OS and Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on macOS. On Linux, rpath is used to solve that problem, but that approach won't work on macOS because the updater executable is copied during the update process to a location that can vary.
- - - - - 6209ee94 by Kathy Brade at 2023-03-10T10:39:18+01:00 Bug 19121: reinstate the update.xml hash check
This is a partial revert of commit f1241db6986e4b54473a1ed870f7584c75d51122.
Revert most changes from Mozilla Bug 862173 "don't verify mar file hash when using mar signing to verify the mar file (lessens main thread I/O)."
We kept the addition to the AppConstants API in case other JS code references it in the future.
- - - - - 7e05454e by Pier Angelo Vendrame at 2023-03-10T10:39:18+01:00 fixup! Bug 19121: reinstate the update.xml hash check
Bug 41668: Port some updater patches to Base Browser
Modernize the way to compute the hash digest.
- - - - - 5f27ed12 by Pier Angelo Vendrame at 2023-03-10T10:39:19+01:00 fixup! Bug 13379: Allow using NSS to sign and verify MAR signatures
Bug 41668: Port some updater patches to Base Browser
Use a configure-time flag to force using NSS for MARs signatures.
- - - - - 7caf293f by Pier Angelo Vendrame at 2023-03-10T10:39:19+01:00 fixup! Base Browser's .mozconfigs.
Bug 41668: Port some updater patches to Base Browser
- - - - -
10 changed files:
- browser/config/mozconfigs/base-browser - browser/config/mozconfigs/tor-browser - build/moz.configure/update-programs.configure - modules/libmar/tool/moz.build - modules/libmar/verify/moz.build - toolkit/mozapps/update/UpdateService.jsm - toolkit/mozapps/update/updater/updater-common.build - toolkit/mozapps/update/updater/updater.cpp - toolkit/xre/moz.build - toolkit/xre/nsUpdateDriver.cpp
Changes:
===================================== browser/config/mozconfigs/base-browser ===================================== @@ -14,6 +14,10 @@ export MOZILLA_OFFICIAL=1 ac_add_options --enable-optimize ac_add_options --enable-rust-simd
+# Bug 13379: Sign our MAR files. +ac_add_options --enable-verify-mar +ac_add_options --enable-nss-mar + ac_add_options --enable-bundled-fonts
ac_add_options --disable-tests
===================================== browser/config/mozconfigs/tor-browser ===================================== @@ -11,6 +11,5 @@ ac_add_options --with-relative-data-dir=TorBrowser/Data/Browser # ac_add_options --with-user-appdir=.torproject
ac_add_options --enable-tor-browser-update -ac_add_options --enable-verify-mar
ac_add_options --with-distribution-id=org.torproject
===================================== build/moz.configure/update-programs.configure ===================================== @@ -32,6 +32,14 @@ set_config( "MOZ_VERIFY_MAR_SIGNATURE", depends_if("--enable-verify-mar")(lambda _: True) )
+# Use NSS for MAR signatures even on platforms where system libraries are +# supported (currently Windows and macOS). +# ============================================================== + +option("--enable-nss-mar", help="Always use NSS for MAR signatures") + +set_config("MOZ_USE_NSS_FOR_MAR", True, when="--enable-nss-mar") + # Maintenance service (Windows only) # ==============================================================
===================================== modules/libmar/tool/moz.build ===================================== @@ -43,7 +43,7 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging": "verifymar", ]
- if CONFIG["TOR_BROWSER_UPDATE"]: + if CONFIG["MOZ_USE_NSS_FOR_MAR"]: DEFINES["MAR_NSS"] = True
if CONFIG["OS_ARCH"] == "WINNT": @@ -52,12 +52,12 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging": OS_LIBS += [ "ws2_32", ] - if not CONFIG["TOR_BROWSER_UPDATE"]: + if not CONFIG["MOZ_USE_NSS_FOR_MAR"]: OS_LIBS += [ "crypt32", "advapi32", ] - elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["TOR_BROWSER_UPDATE"]: + elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]: OS_LIBS += [ "-framework CoreFoundation", "-framework Security",
===================================== modules/libmar/verify/moz.build ===================================== @@ -15,12 +15,15 @@ FORCE_STATIC_LIB = True
if CONFIG["OS_ARCH"] == "WINNT": USE_STATIC_LIBS = True -elif CONFIG["OS_ARCH"] == "Darwin": - USE_LIBS += [ - "nspr", - "nss", - "signmar", + use_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"] +elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]: + UNIFIED_SOURCES += [ + "MacVerifyCrypto.cpp", ] + OS_LIBS += [ + "-framework Security", + ] + use_nss = False else: USE_LIBS += [ "nspr", @@ -34,14 +37,16 @@ else: OS_LIBS += [ "-Wl,-rpath=\$$ORIGIN", ] - -DEFINES["MAR_NSS"] = True -LOCAL_INCLUDES += ["../sign"] + use_nss = True
LOCAL_INCLUDES += [ "../src", ]
+if use_nss: + LOCAL_INCLUDES += ["../sign"] + DEFINES["MAR_NSS"] = True + # C11 for static_assert c11_flags = ["-std=gnu11"] if CONFIG["CC_TYPE"] == "clang-cl":
===================================== toolkit/mozapps/update/UpdateService.jsm ===================================== @@ -996,21 +996,6 @@ function LOG(string) { } }
-/** - * Convert a string containing binary values to hex. - */ -function binaryToHex(input) { - var result = ""; - for (var i = 0; i < input.length; ++i) { - var hex = input.charCodeAt(i).toString(16); - if (hex.length == 1) { - hex = "0" + hex; - } - result += hex; - } - return result; -} - /** * Gets the specified directory at the specified hierarchy under the * update root directory and creates it if it doesn't exist. @@ -5204,7 +5189,13 @@ Downloader.prototype = { // encoded binary (such as what is typically output by programs like // sha1sum). In the future, this may change to base64 depending on how // we choose to compute these hashes. - digest = binaryToHex(hash.finish(false)); + hash = hash.finish(false); + digest = Array.from(hash, (c, i) => + hash + .charCodeAt(i) + .toString(16) + .padStart(2, "0") + ).join(""); } catch (e) { LOG( "Downloader:_verifyDownload - failed to compute hash of the downloaded update archive"
===================================== toolkit/mozapps/update/updater/updater-common.build ===================================== @@ -4,9 +4,11 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-DEFINES["MAR_NSS"] = True - -link_with_nss = DEFINES["MAR_NSS"] or (CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"]) +link_with_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"] or ( + CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"] +) +if link_with_nss: + DEFINES["MAR_NSS"] = True
srcs = [ "archivereader.cpp",
===================================== toolkit/mozapps/update/updater/updater.cpp ===================================== @@ -2809,7 +2809,8 @@ static void UpdateThreadFunc(void* param) { if (ReadMARChannelIDs(updateSettingsPath, &MARStrings) != OK) { rv = UPDATE_SETTINGS_FILE_CHANNEL; } else { -# ifdef TOR_BROWSER_UPDATE +# ifdef BASE_BROWSER_VERSION_QUOTED + // Use the base browser version to prevent downgrade attacks. const char* appVersion = BASE_BROWSER_VERSION_QUOTED; # else const char* appVersion = MOZ_APP_VERSION;
===================================== toolkit/xre/moz.build ===================================== @@ -232,8 +232,8 @@ for var in ("APP_VERSION", "APP_ID"): if CONFIG["MOZ_BUILD_APP"] == "browser": DEFINES["MOZ_BUILD_APP_IS_BROWSER"] = True
-if CONFIG['TOR_BROWSER_UPDATE']: - DEFINES['MAR_NSS'] = True +if CONFIG["MOZ_USE_NSS_FOR_MAR"]: + DEFINES["MAR_NSS"] = True
LOCAL_INCLUDES += [ "../../other-licenses/nsis/Contrib/CityHash/cityhash",
===================================== toolkit/xre/nsUpdateDriver.cpp ===================================== @@ -342,8 +342,7 @@ static bool IsOlderVersion(nsIFile* versionFile, const char* appVersion) { return mozilla::Version(appVersion) > buf; }
-#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \ - defined(MAR_NSS) && defined(XP_MACOSX) +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && defined(MAR_NSS) && defined(XP_MACOSX) /** * Ideally we would save and restore the original library path value after * the updater finishes its work (and before firefox is re-launched). @@ -656,8 +655,7 @@ static void ApplyUpdate(nsIFile* greDir, nsIFile* updateDir, nsIFile* appDir, PR_SetEnv("MOZ_SAFE_MODE_RESTART=1"); }
-#if defined(TOR_BROWSER_UPDATE) && defined(MOZ_VERIFY_MAR_SIGNATURE) && \ - defined(MAR_NSS) && defined(XP_MACOSX) +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && defined(MAR_NSS) && defined(XP_MACOSX) // On macOS, append the app directory to the shared library search path // so the system can locate the shared libraries that are needed by the // updater, e.g., libnss3.dylib).
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/6b8aa1a...