commit c9ad5b5d63738d9bfe601ed2c8c91501aa59fb99 Author: Mike Perry mikeperry-git@torproject.org Date: Wed Nov 6 21:22:12 2013 -0800

Bug #7277: Switch to using Nick's OpenSSL branch w/ timestamp fix.

TBB's Tor client will now omit its timestamp in the TLS handshake. --- gitian/descriptors/linux/gitian-tor.yml | 6 ++--- gitian/descriptors/mac/gitian-tor.yml | 6 ++--- gitian/descriptors/windows/gitian-tor.yml | 6 ++--- gitian/fetch-inputs.sh | 34 ++++++++++++++--------------- gitian/mkbundle-linux.sh | 3 ++- gitian/mkbundle-mac.sh | 3 ++- gitian/mkbundle-windows.sh | 3 ++- gitian/verify-tags.sh | 1 + gitian/versions | 9 ++++---- gitian/versions.alpha | 9 ++++---- 10 files changed, 43 insertions(+), 37 deletions(-)

diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml index dd17184..15437e2 100644 --- a/gitian/descriptors/linux/gitian-tor.yml +++ b/gitian/descriptors/linux/gitian-tor.yml @@ -23,8 +23,9 @@ remotes: "dir": "libevent" - "url": "https://github.com/madler/zlib.git" "dir": "zlib" +- "url": "https://github.com/nmathewson/openssl.git" + "dir": "openssl" files: -- "openssl.tar.gz" - "dzip.sh" script: | INSTDIR="$HOME/install" @@ -63,8 +64,7 @@ script: | cp $INSTDIR/libevent/lib/libevent-2.0.so.5 $INSTDIR/Tor/ cd .. # - tar xzf openssl.tar.gz - cd openssl-* + cd openssl find -type f | xargs touch --date="$REFERENCE_DATETIME" #./Configure -shared --prefix=$INSTDIR/openssl linux-elf ./config -shared --prefix=$INSTDIR/openssl diff --git a/gitian/descriptors/mac/gitian-tor.yml b/gitian/descriptors/mac/gitian-tor.yml index 7707555..c0b483b 100644 --- a/gitian/descriptors/mac/gitian-tor.yml +++ b/gitian/descriptors/mac/gitian-tor.yml @@ -22,8 +22,9 @@ remotes: "dir": "libevent" - "url": "https://github.com/madler/zlib.git" "dir": "zlib" +- "url": "https://github.com/nmathewson/openssl.git" + "dir": "openssl" files: -- "openssl.tar.gz" - "apple-uni-sdk-10.6_20110407-0.flosoft1_i386.deb" - "multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz" - "dzip.sh" @@ -64,8 +65,7 @@ script: | #cp $INSTDIR/zlib/lib/*.dylib $INSTDIR/Tor/ #cd .. # - tar xzf openssl.tar.gz - cd openssl-* + cd openssl find -type f | xargs touch --date="$REFERENCE_DATETIME" ./Configure --cross-compile-prefix=i686-apple-darwin11- $CFLAGS darwin-i386-cc --prefix=$INSTDIR/openssl make # SHARED_LDFLAGS="-shared -dynamiclib -L/usr/lib/apple/SDKs/MacOSX10.6.sdk/usr/lib/" diff --git a/gitian/descriptors/windows/gitian-tor.yml b/gitian/descriptors/windows/gitian-tor.yml index ff32c2e..c1af6a8 100644 --- a/gitian/descriptors/windows/gitian-tor.yml +++ b/gitian/descriptors/windows/gitian-tor.yml @@ -22,8 +22,9 @@ remotes: "dir": "libevent" - "url": "https://github.com/madler/zlib.git" "dir": "zlib" +- "url": "https://github.com/nmathewson/openssl.git" + "dir": "openssl" files: -- "openssl.tar.gz" - "dzip.sh" script: | INSTDIR="$HOME/install" @@ -60,8 +61,7 @@ script: | cp $INSTDIR/libevent/bin/*.dll $INSTDIR/Tor/ cd .. # - tar xzf openssl.tar.gz - cd openssl-* + cd openssl find -type f | xargs touch --date="$REFERENCE_DATETIME" ./Configure -shared --cross-compile-prefix=i686-w64-mingw32- mingw --prefix=$INSTDIR/openssl make diff --git a/gitian/fetch-inputs.sh b/gitian/fetch-inputs.sh index 7c71772..9295a1f 100755 --- a/gitian/fetch-inputs.sh +++ b/gitian/fetch-inputs.sh @@ -103,20 +103,20 @@ update_git() { # Get package files from mirror

# Get+verify sigs that exist -for i in OPENSSL # OBFSPROXY -do - PACKAGE="${i}_PACKAGE" - URL="${MIRROR_URL}${!PACKAGE}" - SUFFIX="asc" - get "${!PACKAGE}" "$URL" - get "${!PACKAGE}.$SUFFIX" "$URL.$SUFFIX" - - if ! verify "${!PACKAGE}" "$WRAPPER_DIR/gpg/$i.gpg" $SUFFIX; then - echo "$i: GPG signature is broken for ${URL}" - mv "${!PACKAGE}" "${!PACKAGE}.badgpg" - exit 1 - fi -done +#for i in OPENSSL # OBFSPROXY +#do +# PACKAGE="${i}_PACKAGE" +# URL="${MIRROR_URL}${!PACKAGE}" +# SUFFIX="asc" +# get "${!PACKAGE}" "$URL" +# get "${!PACKAGE}.$SUFFIX" "$URL.$SUFFIX" +# +# if ! verify "${!PACKAGE}" "$WRAPPER_DIR/gpg/$i.gpg" $SUFFIX; then +# echo "$i: GPG signature is broken for ${URL}" +# mv "${!PACKAGE}" "${!PACKAGE}.badgpg" +# exit 1 +# fi +#done

for i in BINUTILS GCC do @@ -147,7 +147,7 @@ done # TOOLCHAIN4 each time. Rely only on SHA256 for now.. mkdir -p verify cd verify -for i in OPENSSL OSXSDK +for i in OSXSDK #OPENSSL do URL="${i}_URL" PACKAGE="${i}_PACKAGE" @@ -177,7 +177,7 @@ fi

# Verify packages with weak or no signatures via direct sha256 check # (OpenSSL is signed with MD5, and OSXSDK is not signed at all) -for i in OPENSSL OSXSDK TOOLCHAIN4 NOSCRIPT PDFJS MINGW MSVCR100 +for i in OSXSDK TOOLCHAIN4 NOSCRIPT PDFJS MINGW MSVCR100 # OPENSSL do PACKAGE="${i}_PACKAGE" HASH="${i}_HASH" @@ -214,7 +214,6 @@ cd ..

ln -sf "$NOSCRIPT_PACKAGE" noscript@noscript.net.xpi ln -sf "$PDFJS_PACKAGE" uriloader@pdf.js.xpi -ln -sf "$OPENSSL_PACKAGE" openssl.tar.gz ln -sf "$BINUTILS_PACKAGE" binutils.tar.bz2 ln -sf "$GCC_PACKAGE" gcc.tar.bz2

@@ -233,6 +232,7 @@ while read dir url tag; do update_git "$dir" "$url" "$tag" done << EOF tbb-windows-installer https://github.com/moba/tbb-windows-installer.git +openssl https://github.com/nmathewson/openssl.git zlib https://github.com/madler/zlib.git libevent https://github.com/libevent/libevent.git tor-launcher https://git.torproject.org/tor-launcher.git diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh index dc73f96..7db7316 100755 --- a/gitian/mkbundle-linux.sh +++ b/gitian/mkbundle-linux.sh @@ -65,6 +65,7 @@ then GITIAN_TAG=refs/tags/$GITIAN_TAG TORLAUNCHER_TAG=refs/tags/$TORLAUNCHER_TAG TORBROWSER_TAG=refs/tags/$TORBROWSER_TAG + OPENSSL_TAG=refs/tags/$OPENSSL_TAG TORBUTTON_TAG=refs/tags/$TORBUTTON_TAG TOR_TAG=refs/tags/$TOR_TAG HTTPSE_TAG=refs/tags/$HTTPSE_TAG @@ -80,7 +81,7 @@ then echo "****** Starting Tor Component of Linux Bundle (1/3 for Linux) ******" echo

- ./bin/gbuild -j $NUM_PROCS --commit zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/linux/gitian-tor.yml + ./bin/gbuild -j $NUM_PROCS --commit openssl=$OPENSSL_TAG,zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/linux/gitian-tor.yml if [ $? -ne 0 ]; then #mv var/build.log ./tor-fail-linux.log.`date +%Y%m%d%H%M%S` diff --git a/gitian/mkbundle-mac.sh b/gitian/mkbundle-mac.sh index 42eb9ef..6ddcf24 100755 --- a/gitian/mkbundle-mac.sh +++ b/gitian/mkbundle-mac.sh @@ -65,6 +65,7 @@ then GITIAN_TAG=refs/tags/$GITIAN_TAG TORLAUNCHER_TAG=refs/tags/$TORLAUNCHER_TAG TORBROWSER_TAG=refs/tags/$TORBROWSER_TAG + OPENSSL_TAG=refs/tags/$OPENSSL_TAG TORBUTTON_TAG=refs/tags/$TORBUTTON_TAG TOR_TAG=refs/tags/$TOR_TAG HTTPSE_TAG=refs/tags/$HTTPSE_TAG @@ -80,7 +81,7 @@ then echo "****** Starting Tor Component of Mac Bundle (1/3 for Mac) ******" echo

- ./bin/gbuild -j $NUM_PROCS --commit zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/mac/gitian-tor.yml + ./bin/gbuild -j $NUM_PROCS --commit openssl=$OPENSSL_TAG,zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/mac/gitian-tor.yml if [ $? -ne 0 ]; then #mv var/build.log ./tor-fail-mac.log.`date +%Y%m%d%H%M%S` diff --git a/gitian/mkbundle-windows.sh b/gitian/mkbundle-windows.sh index 16a1454..5241722 100755 --- a/gitian/mkbundle-windows.sh +++ b/gitian/mkbundle-windows.sh @@ -66,6 +66,7 @@ then GITIAN_TAG=refs/tags/$GITIAN_TAG TORLAUNCHER_TAG=refs/tags/$TORLAUNCHER_TAG TORBROWSER_TAG=refs/tags/$TORBROWSER_TAG + OPENSSL_TAG=refs/tags/$OPENSSL_TAG TORBUTTON_TAG=refs/tags/$TORBUTTON_TAG TOR_TAG=refs/tags/$TOR_TAG HTTPSE_TAG=refs/tags/$HTTPSE_TAG @@ -81,7 +82,7 @@ then echo "****** Starting Tor Component of Windows Bundle (1/3 for Windows) ******" echo

- ./bin/gbuild -j $NUM_PROCS --commit zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/windows/gitian-tor.yml + ./bin/gbuild -j $NUM_PROCS --commit openssl=$OPENSSL_TAG,zlib=$ZLIB_TAG,libevent=$LIBEVENT_TAG,tor=$TOR_TAG $DESCRIPTOR_DIR/windows/gitian-tor.yml if [ $? -ne 0 ]; then #mv var/build.log ./tor-fail-win32.log.`date +%Y%m%d%H%M%S` diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh index 055cac5..73016a8 100755 --- a/gitian/verify-tags.sh +++ b/gitian/verify-tags.sh @@ -60,6 +60,7 @@ zlib zlib.gpg $ZLIB_TAG libevent libevent.gpg $LIBEVENT_TAG tor tor.gpg $TOR_TAG https-everywhere https-everywhere.gpg $HTTPSE_TAG +openssl tor.gpg $OPENSSL_TAG EOF

cd "$INPUTS_DIR" diff --git a/gitian/versions b/gitian/versions index 02afa2b..f2b712a 100755 --- a/gitian/versions +++ b/gitian/versions @@ -5,6 +5,7 @@ VERIFY_TAGS=1

TORBROWSER_TAG=tor-browser-17.0.10esr-3.0beta1-build2 TOR_TAG=tor-0.2.4.17-rc +OPENSSL_TAG=openssl-101e-no-gmt-time-v1 TORLAUNCHER_TAG=0.2.3.1-beta TORBUTTON_TAG=1.6.4 HTTPSE_TAG=3.4.2 @@ -15,13 +16,13 @@ MINGW_REV=5830

GITIAN_TAG=tor-browser-builder-3.0-4

-OPENSSL_VER=1.0.1e +# OPENSSL_VER=1.0.1e FIREFOX_LANG_VER=17.0.10esr BINUTILS_VER=2.22 GCC_VER=4.6.3

## File names for the source packages -OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz +# OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz NOSCRIPT_PACKAGE=noscript_security_suite-2.6.8.2-fx+fn+sm.xpi PDFJS_PACKAGE=pdf_viewer-0.8.1-sm+fx+an.xpi TOOLCHAIN4_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz @@ -32,7 +33,7 @@ BINUTILS_PACKAGE=binutils-${BINUTILS_VER}.tar.bz2 GCC_PACKAGE=gcc-${GCC_VER}.tar.bz2

# Hashes for packages with weak sigs or no sigs -OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 +# OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 OSXSDK_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc TOOLCHAIN4_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9 NOSCRIPT_HASH=52b309f2e5ca1bee4d0f97cbb342fdac3be6a447c35f744a90348df55eea635f @@ -41,7 +42,7 @@ MINGW_HASH=457f11d29f6e95425d190711a73955fa54a98a2113ce2c2bfd76291be71e3e2b MSVCR100_HASH=1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

## Non-git package URLs -OPENSSL_URL=https://www.openssl.org/source/$%7BOPENSSL_PACKAGE%7D +# OPENSSL_URL=https://www.openssl.org/source/$%7BOPENSSL_PACKAGE%7D TOOLCHAIN4_URL=https://mingw-and-ndk.googlecode.com/files/$%7BTOOLCHAIN4_PACKAGE%7D OSXSDK_URL=https://launchpad.net/~flosoft/+archive/cross-apple/+files/$%7BOSXSDK_PACKAG... BINUTILS_URL=https://ftp.gnu.org/gnu/binutils/$%7BBINUTILS_PACKAGE%7D diff --git a/gitian/versions.alpha b/gitian/versions.alpha index 83d6b5d..07c1d8e 100755 --- a/gitian/versions.alpha +++ b/gitian/versions.alpha @@ -5,6 +5,7 @@ VERIFY_TAGS=0

TORBROWSER_TAG=tor-browser-24.1.0esr-1 TOR_TAG=tor-0.2.4.17-rc +OPENSSL_TAG=openssl-101e-no-gmt-time-v1 TORLAUNCHER_TAG=0.2.3.1-beta TORBUTTON_TAG=1.6.4 HTTPSE_TAG=3.4.2 @@ -15,13 +16,13 @@ MINGW_REV=5830

GITIAN_TAG=tor-browser-builder-3.0-4

-OPENSSL_VER=1.0.1e +# OPENSSL_VER=1.0.1e FIREFOX_LANG_VER=24.1.0esr BINUTILS_VER=2.22 GCC_VER=4.6.3

## File names for the source packages -OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz +# OPENSSL_PACKAGE=openssl-${OPENSSL_VER}.tar.gz NOSCRIPT_PACKAGE=noscript_security_suite-2.6.8.2-fx+fn+sm.xpi PDFJS_PACKAGE=pdf_viewer-0.8.1-sm+fx+an.xpi TOOLCHAIN4_PACKAGE=multiarch-darwin11-cctools127.2-gcc42-5666.3-llvmgcc42-2336.1-Linux-120724.tar.xz @@ -32,7 +33,7 @@ BINUTILS_PACKAGE=binutils-${BINUTILS_VER}.tar.bz2 GCC_PACKAGE=gcc-${GCC_VER}.tar.bz2

# Hashes for packages with weak sigs or no sigs -OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 +# OPENSSL_HASH=f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3 OSXSDK_HASH=6602d8d5ddb371fbc02e2a5967d9bd0cd7358d46f9417753c8234b923f2ea6fc TOOLCHAIN4_HASH=65c1b2d302358a6b95a26c6828a66908a199276193bb0b268f2dcc1a997731e9 NOSCRIPT_HASH=52b309f2e5ca1bee4d0f97cbb342fdac3be6a447c35f744a90348df55eea635f @@ -41,7 +42,7 @@ MINGW_HASH=457f11d29f6e95425d190711a73955fa54a98a2113ce2c2bfd76291be71e3e2b MSVCR100_HASH=1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

## Non-git package URLs -OPENSSL_URL=https://www.openssl.org/source/$%7BOPENSSL_PACKAGE%7D +# OPENSSL_URL=https://www.openssl.org/source/$%7BOPENSSL_PACKAGE%7D TOOLCHAIN4_URL=https://mingw-and-ndk.googlecode.com/files/$%7BTOOLCHAIN4_PACKAGE%7D OSXSDK_URL=https://launchpad.net/~flosoft/+archive/cross-apple/+files/$%7BOSXSDK_PACKAG... BINUTILS_URL=https://ftp.gnu.org/gnu/binutils/$%7BBINUTILS_PACKAGE%7D