brizental pushed to branch main at The Tor Project / Applications / tor-browser-build
Commits: f455533a by Beatriz Rizental at 2025-04-03T09:20:42+02:00 Bug 41423: Partially revert 9345a6ea
We revert the removal of NSS and of the other pieces that allowed building the Rust libraries in the application-services project.
- - - - - db912ff7 by Beatriz Rizental at 2025-04-03T09:20:52+02:00 Bug 41423: Update a-s noop patch to build places component
The places component is responsible for the backend of Bookmarks. We cannot make it a no-op like the other components because we actually want the bookmarks feature in our browsers.
- - - - -
8 changed files:
- projects/application-services/README.md - projects/application-services/a-s-noop.diff - + projects/application-services/apply-bug-13028.diff - + projects/application-services/bug_13028.patch - projects/application-services/build - projects/application-services/config - projects/application-services/list_toolchain_updates_checks - + projects/application-services/no-ndk-lookup.diff
Changes:
===================================== projects/application-services/README.md ===================================== @@ -46,6 +46,15 @@ We keep the list of files to download in `gradle-dependencies-list.txt`. A procedure to create this file is documented in [tor-browser-build#40855](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40...).
+## Other dependencies
+
+Finally, Application Services depends on
+[NSS](https://firefox-source-docs.mozilla.org/security/nss/index.html).
+We used to have a separate tor-browser-build project for it, but it was
+almost an exact copy of the script included in this repository.
+Keeping it updated wasn't trivial, so we decided to run Mozilla's scripts
+instead.
+
 # Caveats
## Git repository information
===================================== projects/application-services/a-s-noop.diff ===================================== @@ -1,5 +1,5 @@ diff --git a/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt b/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt -index 78c16dd0..d2615fa7 100644 +index 78c16dd0a..d2615fa74 100644 --- a/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt +++ b/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt @@ -13,4 +13,5 @@ fun FxaServer.contentUrl() = when (this) { @@ -9,7 +9,7 @@ index 78c16dd0..d2615fa7 100644 + is FxaServer.__NOOP -> "" } diff --git a/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt b/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt -index 8c05be9c..6bf2ec15 100644 +index 8c05be9cf..6bf2ec15d 100644 --- a/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt +++ b/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt @@ -532,6 +532,8 @@ open class Nimbus( 
@@ -21,41 +21,97 @@ index 8c05be9c..6bf2ec15 100644 } } } -diff --git a/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt b/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt -index 282f4e90..db8b00a3 100644 ---- a/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt -+++ b/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt -@@ -289,6 +289,7 @@ internal fun VisitType.toInt(): Int { - VisitType.FRAMED_LINK -> 8 - VisitType.RELOAD -> 9 - VisitType.UPDATE_PLACE -> 10 -+ VisitType.__NOOP -> -1 - } - } +diff --git a/megazords/full/Cargo.toml b/megazords/full/Cargo.toml +index 75f44a812..a51c0643b 100644 +--- a/megazords/full/Cargo.toml ++++ b/megazords/full/Cargo.toml +@@ -9,21 +9,21 @@ license = "MPL-2.0"9345a6ea + crate-type = ["cdylib"]
-diff --git a/megazords/full/android/build.gradle b/megazords/full/android/build.gradle -index 822ce180..ccdc6c8a 100644 ---- a/megazords/full/android/build.gradle -+++ b/megazords/full/android/build.gradle -@@ -54,6 +54,8 @@ configurations { - } + [dependencies] +-fxa-client = { path = "../../components/fxa-client" } +-logins = { path = "../../components/logins" } +-tabs = { path = "../../components/tabs/" } +-sync_manager = { path = "../../components/sync_manager/" } ++# fxa-client = { path = "../../components/fxa-client" } ++# logins = { path = "../../components/logins" } ++# tabs = { path = "../../components/tabs/" } ++# sync_manager = { path = "../../components/sync_manager/" } + # TODO: Uncomment this code when webext-storage component is integrated in android + # webext-storage = { path = "../../components/webext-storage/" } + places = { path = "../../components/places" } +-push = { path = "../../components/push" } +-remote_settings = { path = "../../components/remote_settings" } +-rust-log-forwarder = { path = "../../components/support/rust-log-forwarder" } +-viaduct = { path = "../../components/viaduct" } +-nimbus-sdk = { path = "../../components/nimbus" } +-autofill = { path = "../../components/autofill" } +-crashtest = { path = "../../components/crashtest" } +-error-support = { path = "../../components/support/error" } +-suggest = { path = "../../components/suggest" } ++# push = { path = "../../components/push" } ++# remote_settings = { path = "../../components/remote_settings" } ++# rust-log-forwarder = { path = "../../components/support/rust-log-forwarder" } ++# viaduct = { path = "../../components/viaduct" } ++# nimbus-sdk = { path = "../../components/nimbus" } ++# autofill = { path = "../../components/autofill" } ++# crashtest = { path = "../../components/crashtest" } ++# error-support = { path = "../../components/support/error" } ++# suggest = { path = "../../components/suggest" }
- cargo { -+ cargoCommand = "${rootDir}/megazords/full/android/cargo-no-build.sh" -+ - // The directory of the Cargo.toml to build. - module = '..' + lazy_static = "1.4" +diff --git a/megazords/full/src/lib.rs b/megazords/full/src/lib.rs +index 01d1be98b..a68eb647f 100644 +--- a/megazords/full/src/lib.rs ++++ b/megazords/full/src/lib.rs +@@ -8,20 +8,20 @@ + use std::ffi::CString; + use std::os::raw::c_char; + +-pub use autofill; +-pub use crashtest; +-pub use error_support; +-pub use fxa_client; +-pub use logins; +-pub use nimbus; ++// pub use autofill; ++// pub use crashtest; ++// pub use error_support; ++// pub use fxa_client; ++// pub use logins; ++// pub use nimbus; + pub use places; +-pub use push; +-pub use remote_settings; +-pub use rust_log_forwarder; +-pub use suggest; +-pub use sync_manager; +-pub use tabs; +-pub use viaduct; ++// pub use push; ++// pub use remote_settings; ++// pub use rust_log_forwarder; ++// pub use suggest; ++// pub use sync_manager; ++// pub use tabs; ++// pub use viaduct; + // TODO: Uncomment this code when webext-storage component is integrated in android + // pub use webext_storage;
diff --git a/publish.gradle b/publish.gradle -index 71f5d55b..027665ff 100644 +index 71f5d55b9..659e26489 100644 --- a/publish.gradle +++ b/publish.gradle -@@ -194,7 +194,7 @@ ext.configureUniFFIBindgen = { udlFilePath -> +@@ -194,7 +194,11 @@ ext.configureUniFFIBindgen = { udlFilePath -> def uniffiGeneratedPath = "generated/source/uniffi/${variant.name}/java" def t = tasks.register("generate${variant.name.capitalize()}UniFFIBindings", Exec) { workingDir project.rootDir - commandLine '/usr/bin/env', 'cargo', 'uniffi-bindgen', 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}" -+ commandLine '/usr/bin/env', "${rootProject.projectDir}/uniffi-rs/uniffi-bindgen", 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}" ++ if (udlFilePath.contains("places")) { ++ commandLine '/usr/bin/env', 'cargo', 'uniffi-bindgen', 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}" ++ } else { ++ commandLine '/usr/bin/env', "${rootProject.projectDir}/uniffi-rs/uniffi-bindgen", 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}" ++ } outputs.dir "${buildDir}/${uniffiGeneratedPath}" // Re-generate if the interface definition changes. inputs.file "${project.projectDir}/${udlFilePath}"
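Review bot: The new `if (udlFilePath.contains("places"))` branch picks the real `cargo uniffi-bindgen` by a substring match on the UDL path, which silently extends to any future component whose path happens to contain that word and gives no hint why places is special; an explicit comparison plus a comment would make the intent reviewable, e.g. `// places is the only component whose Rust crate we actually build, so its bindings must come from the uniffi-bindgen that matches that crate` above the condition. Using two different uniffi-bindgen binaries (the pre-built `uniffi-rs/uniffi-bindgen` for the no-op components, cargo's for places) also means the generated Kotlin for places and its Rust scaffolding are presumably only compatible while the two versions agree, and nothing in the hunk checks or documents where that version is pinned. The enclosing `configureUniFFIBindgen` closure starts and ends outside the hunk.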
===================================== projects/application-services/apply-bug-13028.diff =====================================
@@ -0,0 +1,20 @@
+diff --git a/libs/build-all.sh b/libs/build-all.sh
+index 650c1299..6c4e5404 100755
+--- a/libs/build-all.sh
++++ b/libs/build-all.sh
+@@ -128,6 +128,15 @@ echo $'\
+ fi
+ ' | patch "${NSS_SRC_PATH}/nspr/configure"
+ 
++rm -f python
++ln -s /usr/bin/python3 python
++export PATH=$(pwd):$PATH
++patch_13028=$(realpath bug_13028.patch)
++pushd $NSS_SRC_PATH
++# Apply our proxy bypass defense-in-depth here as well to be on the safe side.
++patch -p2 < $patch_13028
++popd
++
+ if [[ "${PLATFORM}" == "ios" ]]
+ then
+ ./build-all-ios.sh "${SQLCIPHER_SRC_PATH}" "${NSS_SRC_PATH}"
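Review bot: `patch -p2 < $patch_13028` is the step that puts the proxy-bypass guard into the NSS shipped with places, yet its exit status is not checked in the added lines; unless build-all.sh already runs under `set -e` (not visible in the hunk), a patch that stops applying after an NSS bump would leave NSS unguarded while the build stays green. Suggest `patch -p2 < "$patch_13028" || exit 1` and quoting `pushd "$NSS_SRC_PATH"`. `export PATH=$(pwd):$PATH` additionally prepends the whole `libs/` checkout to PATH for everything build-all.sh runs afterwards, so any file there named like a tool would shadow the system one; a dedicated directory holding only the `python` symlink (`mkdir -p .pybin && ln -sf /usr/bin/python3 .pybin/python && export PATH="$(pwd)/.pybin:$PATH"`) limits that exposure to the one interpreter the NSS build needs.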
===================================== projects/application-services/bug_13028.patch ===================================== 
@@ -0,0 +1,79 @@
+From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001
+From: Mike Perry mikeperry-git@torproject.org
+Date: Mon, 29 Sep 2014 14:30:19 -0700
+Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.
+
+It looks like these cases should only be invoked in the NSS command line
+tools, and not the browser, but I decided to patch them anyway because there
+literally is a maze of network function pointers being passed around, and it's
+very hard to tell if some random code might not pass in the proper proxied
+versions of the networking code here by accident.
+
+diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
+index cea8456606bf..86fa971cfbef 100644
+--- a/security/nss/lib/certhigh/ocsp.c
++++ b/security/nss/lib/certhigh/ocsp.c
+@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
+ PRNetAddr addr;
+ char *netdbbuf = NULL;
+ 
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,
++ port);
++ goto loser;
++#endif
++
+ sock = PR_NewTCPSocket();
+ if (sock == NULL)
+ goto loser;
+diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+index e8698376b5be..85791d84a932 100644
+--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
++++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(
+ plContext),
+ PKIX_COULDNOTCREATESOCKETOBJECT);
+ 
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct socket connect\n");
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ socket->isServer = isServer;
+ socket->timeout = timeout;
+ socket->clientSock = NULL;
+@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(
+ 
+ localCopyName = PL_strdup(serverName);
+ 
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+ sepPtr = strchr(localCopyName, ':');
+ /* First strip off the portnum, if present, from the end of the name */
+ if (sepPtr) {
+@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(
+ PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
+ PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+ 
++ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++ // we want to ensure nothing can ever hit this code in production.
++#if 1
++ printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,
++ portnum);
++ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
+ 
+ prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+ 
+-- 
+2.27.0
+
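Review bot: All four guards are wrapped in `#if 1`, so the patch's own `XXX` question about a unittest ifdef is carried over unanswered from 2014 and the guard cannot be switched off for NSS's own test programs without editing the source; a named macro that defaults to on would keep the production behaviour and answer the comment. The file paths are `security/nss/lib/...`, the in-tree layout of the browser, and only line up with the standalone `nss/lib/...` tree because apply-bug-13028.diff strips two components with `-p2`; a line in the patch description such as `Applied with -p2 to the standalone NSS tree in application-services.` would stop a future refresh of this file from the tor-browser tree from silently breaking the apply step. In `ocsp_ConnectToHost` the early `goto loser` runs before `sock` is assigned, so it relies on `sock` being NULL-initialised at its declaration outside the hunk — worth confirming against the NSS version being built.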
===================================== projects/application-services/build =====================================
@@ -83,6 +83,15 @@ cp $builddir/uniffi-rs/uniffi-bindgen glean-core/android-native/
 patch -p1 < $rootdir/glean-noop.diff
 popd
+pushd libs
+ln -s $rootdir/[% c("input_files_by_name/nss") %] ./
+ln -s $rootdir/bug_13028.patch
+patch -p2 < $rootdir/apply-bug-13028.diff
+patch -p2 < $rootdir/no-ndk-lookup.diff
+./build-all.sh desktop
+./build-all.sh android
+popd
+
 [% IF c('var/fetch_gradle_dependencies') %]
 # XXX: `assemble` is still not enough to see all fetched dependencies via
 # Gradle's --debug. See: tor-browser-build#40056.
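Review bot: `ln -s $rootdir/[% c("input_files_by_name/nss") %] ./` only does its job if the link name is exactly the `NSS_ARCHIVE` filename that a-s's libs/build-all.sh looks for; presumably build-all.sh otherwise tries to download the archive, which cannot succeed in the offline container, so a version drift would surface as an obscure network error rather than a clear message. A comment on that line, `# must match NSS_ARCHIVE in libs/build-all.sh; list_toolchain_updates_checks flags drift`, records the coupling. The two `patch -p2` lines put the proxy-bypass guard and the offline NDK fix in place, so unless this script already runs under `set -e` (not visible here) they should fail loudly, e.g. `patch -p2 < $rootdir/apply-bug-13028.diff || exit 1`.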
===================================== projects/application-services/config ===================================== @@ -11,8 +11,8 @@ var: gradle_dependencies_version: 11 gradle_version: 8.8 glean_parser: 14.0.1 - # This is the only project for which the rust lib will actually be built - cargo_vendor_subdir: components/support/nimbus-fml + nss_version: '3.101' + nspr_version: '4.35'
steps: build: @@ -22,6 +22,9 @@ steps: # builds when build time differ a lot, we need to do periodic rebuilds: # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_req... rebuild_date: '2024-09-12' + arch_deps: + # Needed to build NSS + - gyp input_files: - project: container-image pkg_type: build @@ -46,6 +49,10 @@ steps: - URL: 'https://dl.google.com/android/repository/build-tools_r30.0.3-linux.zip' name: build_tools_30 sha256sum: 24593500aa95d2f99fb4f10658aae7e65cb519be6cd33fa164f15f27f3c4a2d6 + # NSS version ans sha256 are in libs/build-all.sh. + - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_%5B% c("var/nss_version") | replace("\.", "_") %]_RTM/src/nss-[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %].tar.gz' + name: nss + sha256sum: 566faa9283ff3d9a7d6c44272df6e4330e3e06ca4e841a68840d31b27c9161c4 - filename: 'gradle-dependencies-[% c("var/gradle_dependencies_version") %]' name: gradle-dependencies exec: '[% INCLUDE "fetch-gradle-dependencies" %]' @@ -63,10 +70,11 @@ steps: enable: '[% !c("var/fetch_gradle_dependencies") %]' - filename: gen_gradle_deps_file.sh enable: '[% c("var/fetch_gradle_dependencies") %]' - # tor-browser-build#40485: Make sure the Kotlin output of nimbus-fml - # has deterministic order for reproducibility. - # Delete when this patch is included upstream. + - filename: bug_13028.patch + - filename: apply-bug-13028.diff + # Delete when this patch is included upstream - filename: bug40485-nimbus-fml-reproducibility.diff + - filename: no-ndk-lookup.diff # as-ohttp-client lists both the version for ohttp and a git repo + rev, # but this breaks the vendoring for offline builds. - filename: ohttp-no-git.diff
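Review bot: The comment `# NSS version ans sha256 are in libs/build-all.sh.` has a typo and does not say what the reader is meant to do with that fact: the `sha256sum` pinned here is checked by tor-browser-build before the archive is linked into `libs/`, and a-s's script presumably checks its own copy, so the two must agree or one side rejects the tarball. Suggest `# NSS version and sha256 must match NSS_ARCHIVE and its hash in a-s's libs/build-all.sh; list_toolchain_updates_checks compares the version only, not the hash.` Keeping the independent pin in config is the right call — do not drop it in favour of trusting the hash inside the a-s tree alone.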
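Review bot: The rewrite of the comment above `bug40485-nimbus-fml-reproducibility.diff` drops the two lines that said what the patch is for (`# tor-browser-build#40485: Make sure the Kotlin output of nimbus-fml` / `# has deterministic order for reproducibility.`) and keeps only `# Delete when this patch is included upstream`, which now also reads as if it applied to the newly listed `bug_13028.patch` and `apply-bug-13028.diff` above it. Restore the issue reference next to the patch it describes, and give the two new entries their own one-liner, e.g. `# bug 13028: proxy-bypass defense-in-depth, applied to the NSS built by a-s`, since that patch is the one Tor-specific security change in this build.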
===================================== projects/application-services/list_toolchain_updates_checks ===================================== @@ -36,6 +36,17 @@ current='[% c("var/gradle_version") %]' check_update_needed gradle "$needed" "$current"
+# nss-nspr
+read -d '' p << 'EOF' || true
+if (m/NSS_ARCHIVE="nss-(.*-with-nspr-.*)\.tar\.gz"/) {
+ print $1;
+ exit;
+}
+EOF
+needed=$(cat libs/build-all.sh | perl -ne "$p")
+current='[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %]'
+check_update_needed nss-nspr "$needed" "$current"
+
 # uniffi
 read -d '' p << 'EOF' || true
 if (m/^\s*uniffi\s*=\s*"([^"]*)"/) {
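Review bot: `needed=$(cat libs/build-all.sh | perl -ne "$p")` pipes through an unnecessary `cat`; `needed=$(perl -ne "$p" libs/build-all.sh)` reads the file directly and is one process fewer. The check compares only the `nss-X-with-nspr-Y` version string, so a change of the archive hash in a-s's build-all.sh under the same version would not be reported here and would only surface when the sha256sum in config fails at build time; a sentence in the comment, `# compares the version only; the sha256sum in config must be refreshed by hand`, makes that limit visible to whoever runs the check. The gradle check's extraction that this block mirrors is outside the hunk.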
===================================== projects/application-services/no-ndk-lookup.diff =====================================
@@ -0,0 +1,18 @@
+diff --git a/libs/android_defaults.sh b/libs/android_defaults.sh
+index 2cfcc4206..9e3d3de97 100755
+--- a/libs/android_defaults.sh
++++ b/libs/android_defaults.sh
+@@ -1,11 +1,7 @@
+ #!/usr/bin/env bash
+ 
+-# Find the NDK.
+-pushd ..
+-NDK_VERSION=$(./gradlew -q printNdkVersion | tail -1)
+-export ANDROID_NDK_HOME="$ANDROID_HOME/ndk/$NDK_VERSION"
+-export ANDROID_NDK_ROOT="$ANDROID_NDK_HOME"
+-popd || exit
++# Do not try to find the NDK, as it does not work offline.
++# We already define the needed variables in our environment.
+ 
+ if [[ -z "${ANDROID_NDK_API_VERSION:-}" ]]; then
+ export ANDROID_NDK_API_VERSION=21
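Review bot: The removed block was the place in this script that exported `ANDROID_NDK_HOME` and `ANDROID_NDK_ROOT`, and the replacement comment asserts they come from the environment without checking it, so an unset or wrong NDK path is only discovered later by whichever toolchain step reads it. Fail early instead: `: "${ANDROID_NDK_HOME:?ANDROID_NDK_HOME must be set by the caller}"` and `: "${ANDROID_NDK_ROOT:?ANDROID_NDK_ROOT must be set by the caller}"` in place of the removed lookup. The script continues past the hunk; the `ANDROID_NDK_API_VERSION` default is the last visible line.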