 
            commit 7f083aadfe1fd9264c5a5022a3c47f06849eb1e6 Author: Nicolas Vigier <boklm@torproject.org> Date: Wed Feb 15 17:34:11 2017 +0100 Use binutils 2.24, and Ubuntu-12.04 for Windows builds To be closer to what we currently have in gitian, use binutils 2.24. We also change tho OS to Ubuntu 12.04 for Windows builds, except for the tor-browser bundle step, where we are staying with 14.10. We are using 14.10 in the tor-browser step because the version of python-pefile we use fails on Ubuntu 12.04. The reason for using a recent version of python-pefile is that the older versions don't work on x86_64. And we are using an x86_64 container because docker does not support i386 containers. The problem is not present in gitian where we are using an i386 VM. An other possible solution could be to build a recent version of python. --- projects/binutils/build | 4 +- projects/binutils/config | 7 +- projects/binutils/enable-reloc-section-ld.patch | 48 ++++----- projects/binutils/peXXigen.patch | 14 +++ projects/binutils/specify-timestamp.patch | 123 ------------------------ projects/firefox/build | 12 +++ projects/firefox/config | 3 + projects/gcc/config | 3 + projects/tor-browser/config | 1 + rbm.conf | 2 +- 10 files changed, 63 insertions(+), 154 deletions(-) diff --git a/projects/binutils/build b/projects/binutils/build index 3ff4bdb..b7a6e72 100644 --- a/projects/binutils/build +++ b/projects/binutils/build @@ -23,9 +23,7 @@ cd [% project %]-[% c("version") %] sed 's/= extern_rt_rel_d;/= extern_rt_rel_d;\n memset (extern_rt_rel_d, 0, PE_IDATA5_SIZE);/' -i ld/pe-dll.c # Needed for the hardening... patch -p1 < ../enable-reloc-section-ld.patch -# specify-timestamp patch from Stephen Kitt <steve@sk2.org> -# https://anonscm.debian.org/cgit/collab-maint/binutils-mingw-w64.git/ -patch -p2 < ../specify-timestamp.patch +patch -p1 < ../peXXigen.patch [% END -%] ./configure --prefix=$distdir [% c('var/configure_opt') %] make -j4 
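Review bot: The new `patch -p1 < ../peXXigen.patch` line in projects/binutils/build has no comment, although the lines it replaces recorded the old patch's author and source, and the neighbouring patch has `# Needed for the hardening...`. This patch decides what is written to the PE header timestamp of binaries linked with this binutils, so I would add a line above it such as `# Write a zero PE header timestamp unless --insert-timestamp is given (reproducible builds)`, together with a note on where the patch came from. The enclosing `[% IF %]` block opens above the hunk, so it is not visible here whether the script runs under `set -e` and would stop on a failed patch.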
diff --git a/projects/binutils/config b/projects/binutils/config index dfb1483..c1e67df 100644 --- a/projects/binutils/config +++ b/projects/binutils/config @@ -1,5 +1,5 @@ # vim: filetype=yaml sw=2 -version: 2.25 +version: 2.24 filename: '[% project %]-[% c("version") %]-[% c("var/build_id") %].tar.gz' remote_docker: 1 var: @@ -18,8 +18,5 @@ input_files: - project: docker-image - filename: enable-reloc-section-ld.patch enable: '[% c("var/windows") %]' - - # specify-timestamp patch from Stephen Kitt <steve@sk2.org> - # https://anonscm.debian.org/cgit/collab-maint/binutils-mingw-w64.git/ - - filename: specify-timestamp.patch + - filename: peXXigen.patch enable: '[% c("var/windows") %]' diff --git a/projects/binutils/enable-reloc-section-ld.patch b/projects/binutils/enable-reloc-section-ld.patch index 15ab4d8..f393f51 100644 --- a/projects/binutils/enable-reloc-section-ld.patch +++ b/projects/binutils/enable-reloc-section-ld.patch @@ -1,9 +1,10 @@ -From 6ef8bae3d2a4f4704c4a32f786c9574db3e70f25 Mon Sep 17 00:00:00 2001 +From 093b08a9e7af23a258306b710ebc4556d12f94f7 Mon Sep 17 00:00:00 2001 From: Erinn Clark <erinn@torproject.org> Date: Fri, 8 Aug 2014 14:23:44 -0400 Subject: [PATCH] add relocation section so Windows bundles can have ASLR Patch by skruffy. + --- ld/emultempl/pe.em | 6 +++++ ld/emultempl/pep.em | 8 ++++++- @@ -12,18 +13,18 @@ Patch by skruffy. 4 files changed, 50 insertions(+), 28 deletions(-) diff --git a/ld/emultempl/pe.em b/ld/emultempl/pe.em -index 979cc8b8e960..4a63863289c8 100644 +index 5d6da9e..14c07f7 100644 --- a/ld/emultempl/pe.em 
+++ b/ld/emultempl/pe.em -@@ -274,6 +274,7 @@ fragment <<EOF +@@ -268,6 +268,7 @@ fragment <<EOF + #define OPTION_TERMINAL_SERVER_AWARE (OPTION_WDM_DRIVER + 1) + /* Determinism. */ #define OPTION_INSERT_TIMESTAMP (OPTION_TERMINAL_SERVER_AWARE + 1) - #define OPTION_NO_INSERT_TIMESTAMP (OPTION_INSERT_TIMESTAMP + 1) - #define OPTION_BUILD_ID (OPTION_NO_INSERT_TIMESTAMP + 1) -+#define OPTION_ENABLE_RELOC_SECTION (OPTION_BUILD_ID + 1) ++#define OPTION_ENABLE_RELOC_SECTION (OPTION_INSERT_TIMESTAMP + 1) static void gld${EMULATION_NAME}_add_options -@@ -317,6 +318,7 @@ gld${EMULATION_NAME}_add_options +@@ -310,6 +311,7 @@ gld${EMULATION_NAME}_add_options {"export-all-symbols", no_argument, NULL, OPTION_EXPORT_ALL}, {"exclude-symbols", required_argument, NULL, OPTION_EXCLUDE_SYMBOLS}, {"exclude-all-symbols", no_argument, NULL, OPTION_EXCLUDE_ALL_SYMBOLS}, @@ -31,7 +32,7 @@ index 979cc8b8e960..4a63863289c8 100644 {"exclude-libs", required_argument, NULL, OPTION_EXCLUDE_LIBS}, {"exclude-modules-for-implib", required_argument, NULL, OPTION_EXCLUDE_MODULES_FOR_IMPLIB}, {"kill-at", no_argument, NULL, OPTION_KILL_ATS}, -@@ -787,6 +789,9 @@ gld${EMULATION_NAME}_handle_option (int optc) +@@ -773,6 +775,9 @@ gld${EMULATION_NAME}_handle_option (int optc) case OPTION_EXCLUDE_ALL_SYMBOLS: pe_dll_exclude_all_symbols = 1; break; @@ -41,7 +42,7 @@ index 979cc8b8e960..4a63863289c8 100644 case OPTION_EXCLUDE_LIBS: pe_dll_add_excludes (optarg, EXCLUDELIBS); break; -@@ -2059,6 +2064,7 @@ gld_${EMULATION_NAME}_finish (void) +@@ -1839,6 +1844,7 @@ gld_${EMULATION_NAME}_finish (void) if (link_info.shared #if !defined(TARGET_IS_shpe) || (!link_info.relocatable && pe_def_file->num_exports != 0) @@ -50,20 +51,20 @@ index 979cc8b8e960..4a63863289c8 100644 ) { diff --git a/ld/emultempl/pep.em b/ld/emultempl/pep.em -index b24a60820237..caf294663a80 100644 +index b738800..b566903 100644 --- a/ld/emultempl/pep.em 
+++ b/ld/emultempl/pep.em -@@ -248,7 +248,8 @@ enum options +@@ -242,7 +242,8 @@ enum options + OPTION_NO_BIND, + OPTION_WDM_DRIVER, OPTION_INSERT_TIMESTAMP, - OPTION_NO_INSERT_TIMESTAMP, - OPTION_TERMINAL_SERVER_AWARE, -- OPTION_BUILD_ID -+ OPTION_BUILD_ID, +- OPTION_TERMINAL_SERVER_AWARE ++ OPTION_TERMINAL_SERVER_AWARE, + OPTION_ENABLE_RELOC_SECTION }; static void -@@ -290,6 +291,7 @@ gld${EMULATION_NAME}_add_options +@@ -284,6 +285,7 @@ gld${EMULATION_NAME}_add_options {"export-all-symbols", no_argument, NULL, OPTION_EXPORT_ALL}, {"exclude-symbols", required_argument, NULL, OPTION_EXCLUDE_SYMBOLS}, {"exclude-all-symbols", no_argument, NULL, OPTION_EXCLUDE_ALL_SYMBOLS}, @@ -71,7 +72,7 @@ index b24a60820237..caf294663a80 100644 {"exclude-libs", required_argument, NULL, OPTION_EXCLUDE_LIBS}, {"exclude-modules-for-implib", required_argument, NULL, OPTION_EXCLUDE_MODULES_FOR_IMPLIB}, {"kill-at", no_argument, NULL, OPTION_KILL_ATS}, -@@ -743,6 +745,9 @@ gld${EMULATION_NAME}_handle_option (int optc) +@@ -727,6 +729,9 @@ gld${EMULATION_NAME}_handle_option (int optc) case OPTION_EXCLUDE_ALL_SYMBOLS: pep_dll_exclude_all_symbols = 1; break; @@ -81,7 +82,7 @@ index b24a60820237..caf294663a80 100644 case OPTION_EXCLUDE_LIBS: pep_dll_add_excludes (optarg, EXCLUDELIBS); break; -@@ -1838,6 +1843,7 @@ gld_${EMULATION_NAME}_finish (void) +@@ -1618,6 +1623,7 @@ gld_${EMULATION_NAME}_finish (void) #ifdef DLL_SUPPORT if (link_info.shared @@ -90,10 +91,10 @@ index b24a60820237..caf294663a80 100644 { pep_dll_fill_sections (link_info.output_bfd, &link_info); diff --git a/ld/pe-dll.c b/ld/pe-dll.c -index 61d8fa5c7eea..24c0c72a6685 100644 +index e9e133b..4230dc3 100644 --- a/ld/pe-dll.c +++ b/ld/pe-dll.c -@@ -151,6 +151,7 @@ def_file * pe_def_file = 0; +@@ -152,6 +152,7 @@ def_file * pe_def_file = 0; int pe_dll_export_everything = 0; int pe_dll_exclude_all_symbols = 0; int pe_dll_do_default_excludes = 1; @@ -199,10 +200,10 @@ index 61d8fa5c7eea..24c0c72a6685 100644 bfd_boolean 
diff --git a/ld/pe-dll.h b/ld/pe-dll.h -index 24ea30237aeb..6a0d6338646b 100644 +index 4697390..2bf71d9 100644 --- a/ld/pe-dll.h +++ b/ld/pe-dll.h -@@ -30,6 +30,7 @@ extern def_file *pe_def_file; +@@ -31,6 +31,7 @@ extern def_file *pe_def_file; extern int pe_dll_export_everything; extern int pe_dll_exclude_all_symbols; extern int pe_dll_do_default_excludes; @@ -210,3 +211,6 @@ index 24ea30237aeb..6a0d6338646b 100644 extern int pe_dll_kill_ats; extern int pe_dll_stdcall_aliases; extern int pe_dll_warn_dup_exports; +-- +2.0.1 + diff --git a/projects/binutils/peXXigen.patch b/projects/binutils/peXXigen.patch new file mode 100644 index 0000000..785aa02 --- /dev/null +++ b/projects/binutils/peXXigen.patch @@ -0,0 +1,14 @@ +diff -crB binutils-2.24/bfd/peXXigen.c binutils-2.24/bfd/peXXigen.c +*** binutils-2.24/bfd/peXXigen.c Tue Nov 26 11:37:33 2013 +--- binutils-2.24/bfd/peXXigen.c Mon Aug 4 07:10:15 2014 +*************** +*** 795,800 **** +--- 795,802 ---- + /* Only use a real timestamp if the option was chosen. */ + if ((pe_data (abfd)->insert_timestamp)) + H_PUT_32 (abfd, time(0), filehdr_out->f_timdat); ++ else ++ H_PUT_32 (abfd, 0, filehdr_out->f_timdat); + + PUT_FILEHDR_SYMPTR (abfd, filehdr_in->f_symptr, + filehdr_out->f_symptr); diff --git a/projects/binutils/specify-timestamp.patch b/projects/binutils/specify-timestamp.patch deleted file mode 100644 index 37f4347..0000000 --- a/projects/binutils/specify-timestamp.patch +++ /dev/null 
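Review bot: projects/binutils/peXXigen.patch zeroes only the COFF file header field (`filehdr_out->f_timdat` in bfd/peXXigen.c), whereas the removed specify-timestamp.patch also touched the export directory timestamp written in ld/pe-dll.c. In the removed hunk that write sits behind the same `insert_timestamp` test, after a `memset`, so the field is probably already zero. That context comes from the newer binutils, though, and the 2.24 source is not shown on this page. I would record the outcome in a short description at the top of the patch file, e.g. `Zero f_timdat when --insert-timestamp is not given. ld/pe-dll.c: <result of check>`, and confirm it by linking the same DLL twice and comparing the outputs.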
@@ -1,123 +0,0 @@ ---- a/upstream/bfd/peXXigen.c -+++ b/upstream/bfd/peXXigen.c -@@ -66,6 +66,9 @@ - #include <wchar.h> - #endif - -+#include <errno.h> -+#include <limits.h> -+ - /* NOTE: it's strange to be including an architecture specific header - in what's supposed to be general (to PE/PEI) code. However, that's - where the definitions are, and they don't vary per architecture -@@ -873,8 +876,36 @@ - H_PUT_16 (abfd, filehdr_in->f_nscns, filehdr_out->f_nscns); - - /* Only use a real timestamp if the option was chosen. */ -- if ((pe_data (abfd)->insert_timestamp)) -- H_PUT_32 (abfd, time (0), filehdr_out->f_timdat); -+ if (pe_data (abfd)->insert_timestamp) { -+ time_t now; -+ char *source_date_epoch; -+ unsigned long long epoch; -+ char *endptr; -+ -+ now = time(NULL); -+ source_date_epoch = getenv("SOURCE_DATE_EPOCH"); -+ if (source_date_epoch) { -+ errno = 0; -+ epoch = strtoull(source_date_epoch, &endptr, 10); -+ if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0)) -+ || (errno != 0 && epoch == 0)) { -+ _bfd_error_handler("Environment variable $SOURCE_DATE_EPOCH: strtoull: %s\n", -+ strerror(errno)); -+ } else if (endptr == source_date_epoch) { -+ _bfd_error_handler("Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n", -+ endptr); -+ } else if (*endptr != '\0') { -+ _bfd_error_handler("Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n", -+ endptr); -+ } else if (epoch > ULONG_MAX) { -+ _bfd_error_handler("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to: %lu but was found to be: %llu\n", -+ ULONG_MAX, epoch); -+ } else { -+ now = epoch; -+ } -+ } -+ H_PUT_32 (abfd, now, filehdr_out->f_timdat); -+ } - - PUT_FILEHDR_SYMPTR (abfd, filehdr_in->f_symptr, - filehdr_out->f_symptr); ---- a/upstream/ld/pe-dll.c -+++ b/upstream/ld/pe-dll.c -@@ -26,6 +26,8 @@ - #include "filenames.h" - #include "safe-ctype.h" - -+#include <errno.h> -+#include <limits.h> - #include <time.h> - - #include "ld.h" -@@ 
-1185,8 +1187,36 @@ - - memset (edata_d, 0, edata_sz); - -- if (pe_data (abfd)->insert_timestamp) -- H_PUT_32 (abfd, time (0), edata_d + 4); -+ if (pe_data (abfd)->insert_timestamp) { -+ time_t now; -+ char *source_date_epoch; -+ unsigned long long epoch; -+ char *endptr; -+ -+ now = time(NULL); -+ source_date_epoch = getenv("SOURCE_DATE_EPOCH"); -+ if (source_date_epoch) { -+ errno = 0; -+ epoch = strtoull(source_date_epoch, &endptr, 10); -+ if ((errno == ERANGE && (epoch == ULLONG_MAX || epoch == 0)) -+ || (errno != 0 && epoch == 0)) { -+ einfo("Environment variable $SOURCE_DATE_EPOCH: strtoull: %s\n", -+ strerror(errno)); -+ } else if (endptr == source_date_epoch) { -+ einfo("Environment variable $SOURCE_DATE_EPOCH: No digits were found: %s\n", -+ endptr); -+ } else if (*endptr != '\0') { -+ einfo("Environment variable $SOURCE_DATE_EPOCH: Trailing garbage: %s\n", -+ endptr); -+ } else if (epoch > ULONG_MAX) { -+ einfo("Environment variable $SOURCE_DATE_EPOCH: value must be smaller than or equal to: %lu but was found to be: %llu\n", -+ ULONG_MAX, epoch); -+ } else { -+ now = epoch; -+ } -+ } -+ H_PUT_32 (abfd, now, edata_d + 4); -+ } - - if (pe_def_file->version_major != -1) - { ---- a/upstream/ld/emultempl/pe.em -+++ b/upstream/ld/emultempl/pe.em -@@ -307,7 +307,7 @@ - OPTION_USE_NUL_PREFIXED_IMPORT_TABLES}, - {"no-leading-underscore", no_argument, NULL, OPTION_NO_LEADING_UNDERSCORE}, - {"leading-underscore", no_argument, NULL, OPTION_LEADING_UNDERSCORE}, -- {"insert-timestamp", no_argument, NULL, OPTION_INSERT_TIMESTAMP}, -+ {"insert-timestamp", optional_argument, NULL, OPTION_INSERT_TIMESTAMP}, - {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP}, - #ifdef DLL_SUPPORT - /* getopt allows abbreviations, so we do this to stop it ---- a/upstream/ld/emultempl/pep.em -+++ b/upstream/ld/emultempl/pep.em -@@ -324,7 +324,7 @@ - {"no-bind", no_argument, NULL, OPTION_NO_BIND}, - {"wdmdriver", no_argument, NULL, OPTION_WDM_DRIVER}, - {"tsaware", 
no_argument, NULL, OPTION_TERMINAL_SERVER_AWARE}, -- {"insert-timestamp", no_argument, NULL, OPTION_INSERT_TIMESTAMP}, -+ {"insert-timestamp", optional_argument, NULL, OPTION_INSERT_TIMESTAMP}, - {"no-insert-timestamp", no_argument, NULL, OPTION_NO_INSERT_TIMESTAMP}, - {"build-id", optional_argument, NULL, OPTION_BUILD_ID}, - {NULL, no_argument, NULL, 0} diff --git a/projects/firefox/build b/projects/firefox/build index 67547f7..a8ef12f 100644 --- a/projects/firefox/build +++ b/projects/firefox/build @@ -1,6 +1,18 @@ #!/bin/bash set -e rootdir=$(pwd) +[% IF c("var/windows") -%] + mkdir -p /var/tmp/dist + tar -C /var/tmp/dist -xf $rootdir/[% c('input_files_by_name/gcc') %] + hgccdir=/var/tmp/dist/gcc + # We need a link to our GCC, otherwise the system cc gets used which points to + # /usr/bin/gcc. + ln -s gcc $hgccdir/bin/cc + # Make sure our GCC (as host compiler) get used. We do that before + # compiler setup so that mingw is first in the PATH. + export LD_LIBRARY_PATH=$hgccdir/lib64 + export PATH=$hgccdir/bin:$PATH +[% END -%] [% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %] distdir=/var/tmp/dist/[% project %] mkdir -p /var/tmp/build diff --git a/projects/firefox/config b/projects/firefox/config index 578d353..96be619 100644 --- a/projects/firefox/config +++ b/projects/firefox/config @@ -89,3 +89,6 @@ input_files: - URL: https://people.torproject.org/~mikeperry/mirrors/sources/msvcr100.dll sha256sum: 1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067 enable: '[% c("var/windows") %]' + - project: gcc + name: gcc + enable: '[% c("var/windows") %]' diff --git a/projects/gcc/config b/projects/gcc/config index 7a89e44..bf73b7d 100644 --- a/projects/gcc/config +++ b/projects/gcc/config 
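Review bot: In the new Windows block of projects/firefox/build, `ln -s gcc $hgccdir/bin/cc` fails when the link already exists, and under the script's `set -e` that aborts any build that reuses /var/tmp/dist; `ln -sf gcc "$hgccdir/bin/cc"` avoids this. The `tar` line also expands `$rootdir` unquoted, so `tar -C /var/tmp/dist -xf "$rootdir/[% c('input_files_by_name/gcc') %]"` would be safer. `export LD_LIBRARY_PATH=$hgccdir/lib64` replaces any existing value and stays in effect for every later command, so host tools run afterwards also load libraries from the unpacked gcc; the comment suggests this is intended, but it is worth stating there explicitly. The script continues below the hunk.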
@@ -38,6 +38,9 @@ targets: osx-x86_64: var: configure_opt: --enable-multilib --enable-languages=c,c++ + windows-i686: + var: + configure_opt: --disable-multilib --enable-languages=c,c++ input_files: - URL: 'https://ftp.gnu.org/gnu/gcc/gcc-[% c("version") %]/gcc-[% c("version") %].tar.bz2' sha256sum: b7dafdf89cbb0e20333dbf5b5349319ae06e3d1a30bf3515b5488f7e89dca5ad diff --git a/projects/tor-browser/config b/projects/tor-browser/config index 5ee8be7..95f444d 100644 --- a/projects/tor-browser/config +++ b/projects/tor-browser/config @@ -24,6 +24,7 @@ targets: - bzip2 - faketime windows-i686: + distribution: Ubuntu-14.10 var: mar_osname: win32 diff --git a/rbm.conf b/rbm.conf index 802bb48..5faf4cb 100644 --- a/rbm.conf +++ b/rbm.conf @@ -107,7 +107,7 @@ targets: torbrowser-windows-i686: - windows-i686 windows-i686: - distribution: Ubuntu-14.10 + distribution: Ubuntu-12.04 arch: i686 var: windows: 1
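Review bot: The added `distribution: Ubuntu-14.10` under `windows-i686` in projects/tor-browser/config has no comment, so the reason this step differs from the `Ubuntu-12.04` default set in the rbm.conf hunk is recorded only in the commit message. I would add above it `# python-pefile as used here fails on Ubuntu 12.04; revisit when that is fixed`. 14.10 is a non-LTS release and, as far as I know, was already out of support at the commit date, so the container for the bundling step is built from packages that no longer receive security fixes. That is a further reason to mark the pin as temporary. Both `targets:` maps continue outside their hunks.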