GitLab

at 2025-04-03T09:20:42+02:00

Bug 41423: Partially revert 9345a6ea

We revert the removal of NSS and other things that allowed
building the rust libraries in the application-services project.

Bug 41423: Update a-s noop patch to build places component

The places component is responsible for the backend of Bookmarks.
We cannot make it a no-op like the other components because we
actually want the bookmarks feature in our browsers.

 A procedure to create this file is documented in

 [tor-browser-build#40855](https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40855#note_2906041).

+## Other dependencies

+

+Finally, Application Services depends on

+[NSS](https://firefox-source-docs.mozilla.org/security/nss/index.html).

+We used to have a separate tor-browser-build project for it, but it was

+almost an exact copy of the script included in this repository.

+Keeping it updated wasn't trivial, so we decided to run Mozilla's scripts

+instead.

+

 # Caveats

 ## Git repository information

 diff --git a/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt b/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt

-index 78c16dd0..d2615fa7 100644

+index 78c16dd0a..d2615fa74 100644

 --- a/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt

 +++ b/components/fxa-client/android/src/main/java/mozilla/appservices/fxaclient/Config.kt

 @@ -13,4 +13,5 @@ fun FxaServer.contentUrl() = when (this) {

 +    is FxaServer.__NOOP -> ""

  }

 diff --git a/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt b/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt

-index 8c05be9c..6bf2ec15 100644

+index 8c05be9cf..6bf2ec15d 100644

 --- a/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt

 +++ b/components/nimbus/android/src/main/java/org/mozilla/experiments/nimbus/Nimbus.kt

 @@ -532,6 +532,8 @@ open class Nimbus(

              }

          }

      }

-diff --git a/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt b/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt

-index 282f4e90..db8b00a3 100644

---- a/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt

-+++ b/components/places/android/src/main/java/mozilla/appservices/places/PlacesConnection.kt

-@@ -289,6 +289,7 @@ internal fun VisitType.toInt(): Int {

-         VisitType.FRAMED_LINK -> 8

-         VisitType.RELOAD -> 9

-         VisitType.UPDATE_PLACE -> 10

-+        VisitType.__NOOP -> -1

-     }

- }

+diff --git a/megazords/full/Cargo.toml b/megazords/full/Cargo.toml

+index 75f44a812..a51c0643b 100644

+--- a/megazords/full/Cargo.toml

++++ b/megazords/full/Cargo.toml

+@@ -9,21 +9,21 @@ license = "MPL-2.0"9345a6ea

+ crate-type = ["cdylib"]

-diff --git a/megazords/full/android/build.gradle b/megazords/full/android/build.gradle

-index 822ce180..ccdc6c8a 100644

---- a/megazords/full/android/build.gradle

-+++ b/megazords/full/android/build.gradle

-@@ -54,6 +54,8 @@ configurations {

- }

+ [dependencies]

+-fxa-client = { path = "../../components/fxa-client" }

+-logins = { path = "../../components/logins" }

+-tabs = { path = "../../components/tabs/" }

+-sync_manager = { path = "../../components/sync_manager/" }

++# fxa-client = { path = "../../components/fxa-client" }

++# logins = { path = "../../components/logins" }

++# tabs = { path = "../../components/tabs/" }

++# sync_manager = { path = "../../components/sync_manager/" }

+ # TODO: Uncomment this code when webext-storage component is integrated in android

+ # webext-storage = { path = "../../components/webext-storage/" }

+ places = { path = "../../components/places" }

+-push = { path = "../../components/push" }

+-remote_settings = { path = "../../components/remote_settings" }

+-rust-log-forwarder = { path = "../../components/support/rust-log-forwarder" }

+-viaduct = { path = "../../components/viaduct" }

+-nimbus-sdk = { path = "../../components/nimbus" }

+-autofill = { path = "../../components/autofill" }

+-crashtest = { path = "../../components/crashtest" }

+-error-support = { path = "../../components/support/error" }

+-suggest = { path = "../../components/suggest" }

++# push = { path = "../../components/push" }

++# remote_settings = { path = "../../components/remote_settings" }

++# rust-log-forwarder = { path = "../../components/support/rust-log-forwarder" }

++# viaduct = { path = "../../components/viaduct" }

++# nimbus-sdk = { path = "../../components/nimbus" }

++# autofill = { path = "../../components/autofill" }

++# crashtest = { path = "../../components/crashtest" }

++# error-support = { path = "../../components/support/error" }

++# suggest = { path = "../../components/suggest" }

- cargo {

-+    cargoCommand = "${rootDir}/megazords/full/android/cargo-no-build.sh"

-+

-     // The directory of the Cargo.toml to build.

-     module = '..'

+ lazy_static = "1.4"

+diff --git a/megazords/full/src/lib.rs b/megazords/full/src/lib.rs

+index 01d1be98b..a68eb647f 100644

+--- a/megazords/full/src/lib.rs

++++ b/megazords/full/src/lib.rs

+@@ -8,20 +8,20 @@

+ use std::ffi::CString;

+ use std::os::raw::c_char;

+

+-pub use autofill;

+-pub use crashtest;

+-pub use error_support;

+-pub use fxa_client;

+-pub use logins;

+-pub use nimbus;

++// pub use autofill;

++// pub use crashtest;

++// pub use error_support;

++// pub use fxa_client;

++// pub use logins;

++// pub use nimbus;

+ pub use places;

+-pub use push;

+-pub use remote_settings;

+-pub use rust_log_forwarder;

+-pub use suggest;

+-pub use sync_manager;

+-pub use tabs;

+-pub use viaduct;

++// pub use push;

++// pub use remote_settings;

++// pub use rust_log_forwarder;

++// pub use suggest;

++// pub use sync_manager;

++// pub use tabs;

++// pub use viaduct;

+ // TODO: Uncomment this code when webext-storage component is integrated in android

+ // pub use webext_storage;

 diff --git a/publish.gradle b/publish.gradle

-index 71f5d55b..027665ff 100644

+index 71f5d55b9..659e26489 100644

 --- a/publish.gradle

 +++ b/publish.gradle

-@@ -194,7 +194,7 @@ ext.configureUniFFIBindgen = { udlFilePath ->

+@@ -194,7 +194,11 @@ ext.configureUniFFIBindgen = { udlFilePath ->

          def uniffiGeneratedPath = "generated/source/uniffi/${variant.name}/java"

          def t = tasks.register("generate${variant.name.capitalize()}UniFFIBindings", Exec) {

              workingDir project.rootDir

 -            commandLine '/usr/bin/env', 'cargo', 'uniffi-bindgen', 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}"

-+            commandLine '/usr/bin/env', "${rootProject.projectDir}/uniffi-rs/uniffi-bindgen", 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}"

++            if (udlFilePath.contains("places")) {

++                commandLine '/usr/bin/env', 'cargo', 'uniffi-bindgen', 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}"

++            } else {

++                commandLine '/usr/bin/env', "${rootProject.projectDir}/uniffi-rs/uniffi-bindgen", 'generate', "${project.projectDir}/${udlFilePath}", '--language', 'kotlin', '--out-dir', "${buildDir}/${uniffiGeneratedPath}"

++            }

              outputs.dir "${buildDir}/${uniffiGeneratedPath}"

              // Re-generate if the interface definition changes.

              inputs.file "${project.projectDir}/${udlFilePath}"
+diff --git a/libs/build-all.sh b/libs/build-all.sh

+index 650c1299..6c4e5404 100755

+--- a/libs/build-all.sh

++++ b/libs/build-all.sh

+@@ -128,6 +128,15 @@ echo $'\

+      fi

+ ' | patch "${NSS_SRC_PATH}/nspr/configure"

+ 

++rm -f python

++ln -s /usr/bin/python3 python

++export PATH=$(pwd):$PATH

++patch_13028=$(realpath bug_13028.patch)

++pushd $NSS_SRC_PATH

++# Apply our proxy bypass defense-in-depth here as well to be on the safe side.

++patch -p2 < $patch_13028

++popd

++

+ if [[ "${PLATFORM}" == "ios" ]]

+ then

+   ./build-all-ios.sh "${SQLCIPHER_SRC_PATH}" "${NSS_SRC_PATH}"
+From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001

+From: Mike Perry <mikeperry-git@torproject.org>

+Date: Mon, 29 Sep 2014 14:30:19 -0700

+Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.

+

+It looks like these cases should only be invoked in the NSS command line

+tools, and not the browser, but I decided to patch them anyway because there

+literally is a maze of network function pointers being passed around, and it's

+very hard to tell if some random code might not pass in the proper proxied

+versions of the networking code here by accident.

+

+diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c

+index cea8456606bf..86fa971cfbef 100644

+--- a/security/nss/lib/certhigh/ocsp.c

++++ b/security/nss/lib/certhigh/ocsp.c

+@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)

+     PRNetAddr addr;

+     char *netdbbuf = NULL;

+ 

++    // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but

++    // we want to ensure nothing can ever hit this code in production.

++#if 1

++    printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,

++            port);

++    goto loser;

++#endif

++

+     sock = PR_NewTCPSocket();

+     if (sock == NULL)

+         goto loser;

+diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c

+index e8698376b5be..85791d84a932 100644

+--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c

++++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c

+@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(

+                     plContext),

+                     PKIX_COULDNOTCREATESOCKETOBJECT);

+ 

++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but

++        // we want to ensure nothing can ever hit this code in production.

++#if 1

++        printf("Tor Browser BUG: Attempted pkix direct socket connect\n");

++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);

++#endif

++

+         socket->isServer = isServer;

+         socket->timeout = timeout;

+         socket->clientSock = NULL;

+@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(

+ 

+         localCopyName = PL_strdup(serverName);

+ 

++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but

++        // we want to ensure nothing can ever hit this code in production.

++#if 1

++        printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);

++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);

++#endif

++

+         sepPtr = strchr(localCopyName, ':');

+         /* First strip off the portnum, if present, from the end of the name */

+         if (sepPtr) {

+@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(

+         PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");

+         PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);

+ 

++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but

++        // we want to ensure nothing can ever hit this code in production.

++#if 1

++        printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,

++                portnum);

++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);

++#endif

+ 

+         prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);

+ 

+-- 

+2.27.0

+
 patch -p1 < $rootdir/glean-noop.diff

 popd

+pushd libs

+ln -s $rootdir/[% c("input_files_by_name/nss") %] ./

+ln -s $rootdir/bug_13028.patch

+patch -p2 < $rootdir/apply-bug-13028.diff

+patch -p2 < $rootdir/no-ndk-lookup.diff

+./build-all.sh desktop

+./build-all.sh android

+popd

+

 [% IF c('var/fetch_gradle_dependencies') %]

   # XXX: `assemble` is still not enough to see all fetched dependencies via

   # Gradle's --debug. See: tor-browser-build#40056.

   gradle_dependencies_version: 11

   gradle_version: 8.8

   glean_parser: 14.0.1

-  # This is the only project for which the rust lib will actually be built

-  cargo_vendor_subdir: components/support/nimbus-fml

+  nss_version: '3.101'

+  nspr_version: '4.35'

 steps:

   build:

       # builds when build time differ a lot, we need to do periodic rebuilds:

       # https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/937#note_3009480

       rebuild_date: '2024-09-12'

+      arch_deps:

+        # Needed to build NSS

+        - gyp

     input_files:

       - project: container-image

         pkg_type: build

       - URL: 'https://dl.google.com/android/repository/build-tools_r30.0.3-linux.zip'

         name: build_tools_30

         sha256sum: 24593500aa95d2f99fb4f10658aae7e65cb519be6cd33fa164f15f27f3c4a2d6

+      # NSS version ans sha256 are in libs/build-all.sh.

+      - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("var/nss_version") | replace("\\.", "_") %]_RTM/src/nss-[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %].tar.gz'

+        name: nss

+        sha256sum: 566faa9283ff3d9a7d6c44272df6e4330e3e06ca4e841a68840d31b27c9161c4

       - filename: 'gradle-dependencies-[% c("var/gradle_dependencies_version") %]'

         name: gradle-dependencies

         exec: '[% INCLUDE "fetch-gradle-dependencies" %]'

         enable: '[% !c("var/fetch_gradle_dependencies") %]'

       - filename: gen_gradle_deps_file.sh

         enable: '[% c("var/fetch_gradle_dependencies") %]'

-      # tor-browser-build#40485: Make sure the Kotlin output of nimbus-fml

-      # has deterministic order for reproducibility.

-      # Delete when this patch is included upstream.

+      - filename: bug_13028.patch

+      - filename: apply-bug-13028.diff

+      # Delete when this patch is included upstream

       - filename: bug40485-nimbus-fml-reproducibility.diff

+      - filename: no-ndk-lookup.diff

       # as-ohttp-client lists both the version for ohttp and a git repo + rev,

       # but this breaks the vendoring for offline builds.

       - filename: ohttp-no-git.diff

 check_update_needed gradle "$needed" "$current"

+# nss-nspr

+read -d '' p << 'EOF' || true

+if (m/NSS_ARCHIVE="nss-(.*-with-nspr-.*)\\.tar\\.gz"/) {

+  print $1;

+  exit;

+}

+EOF

+needed=$(cat libs/build-all.sh | perl -ne "$p")

+current='[% c("var/nss_version") %]-with-nspr-[% c("var/nspr_version") %]'

+check_update_needed nss-nspr "$needed" "$current"

+

 # uniffi

 read -d '' p << 'EOF' || true

 if (m/^\\s*uniffi\\s*=\\s*"([^"]*)"/) {

+diff --git a/libs/android_defaults.sh b/libs/android_defaults.sh

+index 2cfcc4206..9e3d3de97 100755

+--- a/libs/android_defaults.sh

++++ b/libs/android_defaults.sh

+@@ -1,11 +1,7 @@

+ #!/usr/bin/env bash

+ 

+-# Find the NDK.

+-pushd ..

+-NDK_VERSION=$(./gradlew -q printNdkVersion | tail -1)

+-export ANDROID_NDK_HOME="$ANDROID_HOME/ndk/$NDK_VERSION"

+-export ANDROID_NDK_ROOT="$ANDROID_NDK_HOME"

+-popd || exit

++# Do not try to find the NDK, as it does not work offline.

++# We already define the needed variables in our environment.

+ 

+ if [[ -z "${ANDROID_NDK_API_VERSION:-}" ]]; then

+     export ANDROID_NDK_API_VERSION=21

brizental pushed to branch main at The Tor Project / Applications / tor-browser-build

Commits:

8 changed files:

Changes: