commit 53131fdc6d54bdd3bda261c64aa81fc3e8fbe228 Author: Georg Koppen gk@torproject.org Date: Tue Jun 30 10:12:32 2020 +0000
Bug 40010: Add NSS for application-services --- projects/nss/bug_13028.patch | 79 ++++++++++++++++++++++++ projects/nss/build | 139 +++++++++++++++++++++++++++++++++++++++++++ projects/nss/config | 27 +++++++++ projects/nss/config.patch | 37 ++++++++++++ projects/nss/configure.patch | 11 ++++ 5 files changed, 293 insertions(+)
diff --git a/projects/nss/bug_13028.patch b/projects/nss/bug_13028.patch
new file mode 100644
index 0000000..60bbd35
--- /dev/null
+++ b/projects/nss/bug_13028.patch
@@ -0,0 +1,79 @@
+From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001
+From: Mike Perry mikeperry-git@torproject.org
+Date: Mon, 29 Sep 2014 14:30:19 -0700
+Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.
+
+It looks like these cases should only be invoked in the NSS command line
+tools, and not the browser, but I decided to patch them anyway because there
+literally is a maze of network function pointers being passed around, and it's
+very hard to tell if some random code might not pass in the proper proxied
+versions of the networking code here by accident.
+
+diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
+index cea8456606bf..86fa971cfbef 100644
+--- a/security/nss/lib/certhigh/ocsp.c
++++ b/security/nss/lib/certhigh/ocsp.c
+@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
+ PRNetAddr addr;
+ char *netdbbuf = NULL;
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,
++ port);
++ goto loser;
++#endif
++
+ sock = PR_NewTCPSocket();
+ if (sock == NULL)
+ goto loser;
+diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+index e8698376b5be..85791d84a932 100644
+--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
++++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(
+ plContext),
+ PKIX_COULDNOTCREATESOCKETOBJECT);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct socket connect\n");
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ socket->isServer = isServer;
+ socket->timeout = timeout;
+ socket->clientSock = NULL;
+@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(
+
+ localCopyName = PL_strdup(serverName);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ sepPtr = strchr(localCopyName, ':');
+ /* First strip off the portnum, if present, from the end of the name */
+ if (sepPtr) {
+@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(
+ PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
+ PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,
++ portnum);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
+
+ prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+
+-- 
+2.27.0
+
diff --git a/projects/nss/build b/projects/nss/build
new file mode 100644
index 0000000..791a680
--- /dev/null
+++ b/projects/nss/build
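Review bot: The guards in all four hunks are gated on a literal `#if 1`, which the adjacent XXX comment already questions: the original path can never be compiled back in for NSS's own test suite, and the unconditional `goto loser` / `PKIX_ERROR(...)` leaves the following `PR_NewTCPSocket()` and `PR_GetHostByName()` calls unreachable, which some compilers warn about. A named, default-off macro keeps the fail-closed behaviour while making the intent greppable, e.g. `#ifndef NSS_ALLOW_DIRECT_NET /* placeholder name */` in place of `#if 1` at each site. The ocsp.c message also misspells the protocol and should read `"Tor Browser BUG: Attempted OCSP direct connect to %s, port %u\n"`. Separately, the `build` script in this same commit passes `-Ddisable_libpkix=1` to gyp, so if that switch excludes lib/libpkix as its name suggests, only the ocsp.c guard ends up in this artifact and the "defense-in-depth" comment in `build` should say so. All four patched functions start and end outside the quoted hunks.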
@@ -0,0 +1,139 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+distdir=/var/tmp/dist/nss
+builddir=/var/tmp/build/[% project %]
+mkdir /var/tmp/build
+tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %]
+export PATH=/var/tmp/dist/ninja:$PATH
+
+# application-services uses a newer NDK, 21d, than all the other projects...
+export ANDROID_NDK_API_VERSION=[% pc("fenix-android-toolchain", "var/android_ndk_version") %][% pc('fenix-android-toolchain', 'var/android_ndk_revision') %]
+export ANDROID_NDK_HOME=/var/tmp/dist/[% c('var/compiler') %]/android-ndk/android-ndk-r$ANDROID_NDK_API_VERSION
+# We need to add the new path to our build tools to PATH
+export PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
+export ANDROID_NDK_ROOT=$ANDROID_NDK_HOME
+export NDK_HOST_TAG=linux-x86_64
+
+nspr_64=""
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+ gyp_arch="arm"
+[% ELSIF c("var/configure_host") == "i686-linux-android" -%]
+ gyp_arch="ia32"
+[% ELSIF c("var/configure_host") == "x86_64-linux-android" -%]
+ gyp_arch="x64"
+ nspr_64="--enable-64bit"
+[% ELSIF c("var/configure_host") == "aarch64-linux-android" -%]
+ gyp_arch="arm64"
+ nspr_64="--enable-64bit"
+[% END -%]
+
+export AR="[% c('var/cross_prefix') %]-ar"
+# XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
+export CC="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang"
+export CXX="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang++"
+export LD="[% c('var/cross_prefix') %]-ld"
+export NM="[% c('var/cross_prefix') %]-nm"
+export RANLIB="[% c('var/cross_prefix') %]-ranlib"
+export READELF="[% c('var/cross_prefix') %]-readelf"
+
+tar -C /var/tmp/build -xf [% c('input_files_by_name/nss') %]
+mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
+cd $builddir
+# Early return hack to prevent NSPR Android setup
+# which does not work with ndk unified headers and clang. See:
+# application-services/libs/build-all.sh
+cat $rootdir/configure.patch | patch nspr/configure
+# Some NSS symbols clash with OpenSSL symbols, rename them using
+# C preprocessor define macros. See:
+# application-services/libs/build-all.sh
+patch -p2 < $rootdir/config.patch
+# Let's apply our proxy bypass defense-in-depth here as well to be on the safe
+# side.
+patch -p2 < $rootdir/bug_13028.patch
+
+# Building NSPR
+mkdir $builddir/nspr_build
+cd $builddir/nspr_build
+../nspr/configure \
+ $nspr_64 \
+ --target=[% c("var/configure_host") %] \
+ --disable-debug \
+ --enable-optimize
+make
+cd ..
+
+# Building NSS
+mkdir $builddir/nss_build
+gyp -f ninja-android "$builddir/nss/nss.gyp" \
+ --depth "$builddir/nss/" \
+ --generator-output=. \
+ -DOS=android \
+ -Dnspr_lib_dir="$builddir/nspr_build/dist/lib" \
+ -Dnspr_include_dir="$builddir/nspr_build/dist/include/nspr" \
+ -Dnss_dist_dir="$builddir/nss_build" \
+ -Dnss_dist_obj_dir="$builddir/nss_build" \
+ -Dhost_arch="$gyp_arch" \
+ -Dtarget_arch="$gyp_arch" \
+ -Dstatic_libs=1 \
+ -Ddisable_dbm=1 \
+ -Dsign_libs=0 \
+ -Denable_sslkeylogfile=0 \
+ -Ddisable_tests=1 \
+ -Ddisable_libpkix=1
+
+gendir="$builddir/nss/out/Release"
+ninja -C "$gendir"
+
+mkdir -p $distdir/include/nss
+mkdir -p $distdir/lib
+cp -p -L "$builddir/nss_build/lib/libcertdb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcerthi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcryptohi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libfreebl_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnss_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssdev.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnsspki.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssutil.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpk11wrap_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs12.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs7.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsmime.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsoftokn_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libssl.a" "$distdir/lib"
+
+# HW specific.
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/f...
+[% IF c("var/configure_host") == "i686-linux-android" || c("var/configure_host") == "x86_64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" || c("var/configure_host") == "aarch64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libarmv8_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "aarch64-linux-android" -%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-aarch64_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+ cp -p -L "$builddir/nss_build/lib/libgcm-aes-arm32-neon_c_lib.a" "$distdir/lib"
+[% END %]
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/f...
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/f...
+[% IF c("var/configure_host") == "x86_64-linux-android"-%]
+ cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
+ cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
+[% END %]
+cp -p -L "$builddir/nspr_build/dist/lib/libplc4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libplds4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libnspr4.a" "$distdir/lib"
+
+cp -p -L -R "$builddir/nss_build/public/nss/"* "$distdir/include/nss"
+cp -p -L -R "$builddir/nspr_build/dist/include/nspr/"* "$distdir/include/nss"
+
+cd /var/tmp/dist
+[% c('tar', {
+ tar_src => [ project ],
+ tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+ }) %]
diff --git a/projects/nss/config b/projects/nss/config
new file mode 100644
index 0000000..e2b875e
--- /dev/null
+++ b/projects/nss/config
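Review bot: Quoting of the path variables is inconsistent: `$builddir`, `$distdir` and `$rootdir` are unquoted in the `mv`, `cd`, `mkdir` and `patch` lines but quoted in every `cp` and in the gyp arguments; the values are fixed `/var/tmp` paths here, so this is style rather than a live bug, but `cd "$builddir"`, `mkdir -p "$distdir/lib"` and `patch -p2 < "$rootdir/config.patch"` would make the script uniform. The `cat $rootdir/configure.patch | patch nspr/configure` line is the odd one out as well; `patch nspr/configure < "$rootdir/configure.patch"` matches the two redirections below it and makes a missing patch file fail the command itself rather than only through `patch`'s handling of empty input (whether `var/set_default_env` enables `set -e` is not visible here). The fifteen identical `cp -p -L "$builddir/nss_build/lib/lib*.a"` lines could be one loop over the library names, `for lib in certdb certhi cryptohi freebl_static nss_static nssb nssdev nsspki nssutil pk11wrap_static pkcs12 pkcs7 smime softokn_static ssl; do cp -p -L "$builddir/nss_build/lib/lib$lib.a" "$distdir/lib"; done`, so that adding a library is a one-word change.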
@@ -0,0 +1,27 @@
+# vim: filetype=yaml sw=2
+filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
+# The required versions for application-services can be found at the respective
+# commit in libs/build-all.sh
+version: 3.54
+# XXX: maybe that's extractable automatically from `version` somehow?
+version_path: 3_54
+nspr_version: 4.26
+var:
+ container:
+ use_container: 1
+ deps:
+ - build-essential
+ - gyp
+
+input_files:
+ - project: container-image
+ - name: '[% c("var/compiler") %]'
+ project: '[% c("var/compiler") %]'
+ - name: ninja
+ project: ninja
+ - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_%5B% c("version_path") %]_RTM/src/nss-[% c("version") %]-with-nspr-[% c("nspr_version") %].tar.gz'
+ name: nss
+ sha256sum: e0e81f0ff264d810f130d3cd9334722f7f883c752430483131d1ca5ac62d3f70
+ - filename: configure.patch
+ - filename: config.patch
+ - filename: bug_13028.patch
diff --git a/projects/nss/config.patch b/projects/nss/config.patch
new file mode 100644
index 0000000..e7f5012
--- /dev/null
+++ b/projects/nss/config.patch
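Review bot: `version_path: 3_54` restates `version: 3.54` by hand, and the XXX comment above it asks whether it can be derived; if `c("version")` is a plain string here, Template Toolkit's `replace` vmethod should do it, `version_path: "[% c('version').replace('\\.', '_') %]"`, so that a version bump cannot leave the download URL pointing at the previous release directory. The URL line as rendered on this page reads `NSS_%5B% c("version_path") %]_RTM`, where `NSS_[% c("version_path") %]_RTM` is presumably what was committed; worth confirming against the repository, since a literal `%5B%` would break the template. Pinning the tarball with `sha256sum` is right and the pin must be updated together with `version` on every bump.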
@@ -0,0 +1,37 @@
+From c11dc3a73349fc7d8fa451f9e3a4e3952aa54fd2 Mon Sep 17 00:00:00 2001
+From: Georg Koppen gk@torproject.org
+Date: Wed, 1 Jul 2020 09:57:01 +0000
+Subject: [PATCH] Patch for building NSS for application-services
+
+See: application-services/libs/build-all.sh
+
+diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
+index 62d3cc71ecaf..dd30de079081 100644
+--- a/security/nss/coreconf/config.gypi
++++ b/security/nss/coreconf/config.gypi
+@@ -144,6 +144,23 @@
+ '<(nspr_include_dir)',
+ '<(nss_dist_dir)/private/<(module)',
+ ],
++ 'defines': [
++ 'HMAC_Update=NSS_HMAC_Update',
++ 'HMAC_Init=NSS_HMAC_Init',
++ 'CMAC_Update=NSS_CMAC_Update',
++ 'CMAC_Init=NSS_CMAC_Init',
++ 'MD5_Update=NSS_MD5_Update',
++ 'SHA1_Update=NSS_SHA1_Update',
++ 'SHA256_Update=NSS_SHA256_Update',
++ 'SHA224_Update=NSS_SHA224_Update',
++ 'SHA512_Update=NSS_SHA512_Update',
++ 'SHA384_Update=NSS_SHA384_Update',
++ 'SEED_set_key=NSS_SEED_set_key',
++ 'SEED_encrypt=NSS_SEED_encrypt',
++ 'SEED_decrypt=NSS_SEED_decrypt',
++ 'SEED_ecb_encrypt=NSS_SEED_ecb_encrypt',
++ 'SEED_cbc_encrypt=NSS_SEED_cbc_encrypt',
++ ],
+ 'conditions': [
+ [ 'mozpkix_only==1 and OS=="linux"', {
+ 'include_dirs': [
+-- 
+2.27.0
diff --git a/projects/nss/configure.patch b/projects/nss/configure.patch
new file mode 100644
index 0000000..4ce8465
--- /dev/null
+++ b/projects/nss/configure.patch
@@ -0,0 +1,11 @@
+@@ -2662,6 +2662,9 @@
+
+ case "$target" in
+ *-android*|*-linuxandroid*)
++ $as_echo "#define ANDROID 1" >>confdefs.h
++ ;;
++ unreachable)
+ if test -z "$android_ndk" ; then
+ as_fn_error $? "You must specify --with-android-ndk=/path/to/ndk when targeting Android." "$LINENO" 5
+ fi
+