[tor-commits] [tor-browser-build/master] Bug 40010: Add NSS for application-services

sysrqb at torproject.org sysrqb at torproject.org
Mon Aug 10 16:06:24 UTC 2020


commit 53131fdc6d54bdd3bda261c64aa81fc3e8fbe228
Author: Georg Koppen <gk at torproject.org>
Date:   Tue Jun 30 10:12:32 2020 +0000

    Bug 40010: Add NSS for application-services
---
 projects/nss/bug_13028.patch |  79 ++++++++++++++++++++++++
 projects/nss/build           | 139 +++++++++++++++++++++++++++++++++++++++++++
 projects/nss/config          |  27 +++++++++
 projects/nss/config.patch    |  37 ++++++++++++
 projects/nss/configure.patch |  11 ++++
 5 files changed, 293 insertions(+)

diff --git a/projects/nss/bug_13028.patch b/projects/nss/bug_13028.patch
new file mode 100644
index 0000000..60bbd35
--- /dev/null
+++ b/projects/nss/bug_13028.patch
@@ -0,0 +1,79 @@
+From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001
+From: Mike Perry <mikeperry-git at torproject.org>
+Date: Mon, 29 Sep 2014 14:30:19 -0700
+Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.
+
+It looks like these cases should only be invoked in the NSS command line
+tools, and not the browser, but I decided to patch them anyway because there
+literally is a maze of network function pointers being passed around, and it's
+very hard to tell if some random code might not pass in the proper proxied
+versions of the networking code here by accident.
+
+diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
+index cea8456606bf..86fa971cfbef 100644
+--- a/security/nss/lib/certhigh/ocsp.c
++++ b/security/nss/lib/certhigh/ocsp.c
+@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
+     PRNetAddr addr;
+     char *netdbbuf = NULL;
+ 
++    // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++    // we want to ensure nothing can ever hit this code in production.
++#if 1
++    printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,
++            port);
++    goto loser;
++#endif
++
+     sock = PR_NewTCPSocket();
+     if (sock == NULL)
+         goto loser;
+diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+index e8698376b5be..85791d84a932 100644
+--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
++++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(
+                     plContext),
+                     PKIX_COULDNOTCREATESOCKETOBJECT);
+ 
++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++        // we want to ensure nothing can ever hit this code in production.
++#if 1
++        printf("Tor Browser BUG: Attempted pkix direct socket connect\n");
++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+         socket->isServer = isServer;
+         socket->timeout = timeout;
+         socket->clientSock = NULL;
+@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(
+ 
+         localCopyName = PL_strdup(serverName);
+ 
++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++        // we want to ensure nothing can ever hit this code in production.
++#if 1
++        printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);
++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
++
+         sepPtr = strchr(localCopyName, ':');
+         /* First strip off the portnum, if present, from the end of the name */
+         if (sepPtr) {
+@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(
+         PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
+         PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+ 
++        // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
++        // we want to ensure nothing can ever hit this code in production.
++#if 1
++        printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,
++                portnum);
++        PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
++#endif
+ 
+         prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
+ 
+-- 
+2.27.0
+
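Review bot: The diagnostics in the four added `#if 1` blocks are written with `printf` to stdout, which for a library-internal error path mixes a debug message into whatever output the host program produces; `fprintf(stderr, ...)` would be the conventional channel and keeps the message visible in logs that only capture stderr. The `#if 1` guard plus the XXX comment leaves no documented way to build with the check off for NSS's own test tools; a named build-time macro (e.g. `#ifndef PLACEHOLDER_ALLOW_DIRECT_CONNECT`, name to be chosen) would record that intent instead of a bare constant. In the ocsp.c hunk the `goto loser` runs before `sock` is assigned, which looks consistent with the existing `if (sock == NULL) goto loser;` right after it, but the `loser:` label is outside the hunk, so that should be confirmed against the 3.54 source this patch is applied to. All four enclosing functions start and end outside the hunk.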
diff --git a/projects/nss/build b/projects/nss/build
new file mode 100644
index 0000000..791a680
--- /dev/null
+++ b/projects/nss/build
@@ -0,0 +1,139 @@
+#!/bin/bash
+[% c("var/set_default_env") -%]
+[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
+distdir=/var/tmp/dist/nss
+builddir=/var/tmp/build/[% project %]
+mkdir /var/tmp/build
+tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %]
+export PATH=/var/tmp/dist/ninja:$PATH
+
+# application-services uses a newer NDK, 21d, than all the other projects...
+export ANDROID_NDK_API_VERSION=[% pc("fenix-android-toolchain", "var/android_ndk_version") %][% pc('fenix-android-toolchain', 'var/android_ndk_revision') %]
+export ANDROID_NDK_HOME=/var/tmp/dist/[% c('var/compiler') %]/android-ndk/android-ndk-r$ANDROID_NDK_API_VERSION
+# We need to add the new path to our build tools to PATH
+export PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
+export ANDROID_NDK_ROOT=$ANDROID_NDK_HOME
+export NDK_HOST_TAG=linux-x86_64
+
+nspr_64=""
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+  gyp_arch="arm"
+[% ELSIF c("var/configure_host") == "i686-linux-android" -%]
+  gyp_arch="ia32"
+[% ELSIF c("var/configure_host") == "x86_64-linux-android" -%]
+  gyp_arch="x64"
+  nspr_64="--enable-64bit"
+[% ELSIF c("var/configure_host") == "aarch64-linux-android" -%]
+  gyp_arch="arm64"
+  nspr_64="--enable-64bit"
+[% END -%]
+
+export AR="[% c('var/cross_prefix') %]-ar"
+# XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
+export CC="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang"
+export CXX="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang++"
+export LD="[% c('var/cross_prefix') %]-ld"
+export NM="[% c('var/cross_prefix') %]-nm"
+export RANLIB="[% c('var/cross_prefix') %]-ranlib"
+export READELF="[% c('var/cross_prefix') %]-readelf"
+
+tar -C /var/tmp/build -xf [% c('input_files_by_name/nss') %]
+mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
+cd $builddir
+# Early return hack to prevent NSPR Android setup
+# which does not work with ndk unified headers and clang. See:
+# application-services/libs/build-all.sh
+cat $rootdir/configure.patch | patch nspr/configure
+# Some NSS symbols clash with OpenSSL symbols, rename them using
+# C preprocessor define macros. See:
+# application-services/libs/build-all.sh
+patch -p2 < $rootdir/config.patch
+# Let's apply our proxy bypass defense-in-depth here as well to be on the safe
+# side.
+patch -p2 < $rootdir/bug_13028.patch
+
+# Building NSPR
+mkdir $builddir/nspr_build
+cd $builddir/nspr_build
+../nspr/configure \
+  $nspr_64 \
+  --target=[% c("var/configure_host") %] \
+  --disable-debug \
+  --enable-optimize
+make
+cd ..
+
+# Building NSS
+mkdir $builddir/nss_build
+gyp -f ninja-android "$builddir/nss/nss.gyp" \
+  --depth "$builddir/nss/" \
+  --generator-output=. \
+  -DOS=android \
+  -Dnspr_lib_dir="$builddir/nspr_build/dist/lib" \
+  -Dnspr_include_dir="$builddir/nspr_build/dist/include/nspr" \
+  -Dnss_dist_dir="$builddir/nss_build" \
+  -Dnss_dist_obj_dir="$builddir/nss_build" \
+  -Dhost_arch="$gyp_arch" \
+  -Dtarget_arch="$gyp_arch" \
+  -Dstatic_libs=1 \
+  -Ddisable_dbm=1 \
+  -Dsign_libs=0 \
+  -Denable_sslkeylogfile=0 \
+  -Ddisable_tests=1 \
+  -Ddisable_libpkix=1
+
+gendir="$builddir/nss/out/Release"
+ninja -C "$gendir"
+
+mkdir -p $distdir/include/nss
+mkdir -p $distdir/lib
+cp -p -L "$builddir/nss_build/lib/libcertdb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcerthi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libcryptohi.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libfreebl_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnss_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssb.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssdev.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnsspki.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libnssutil.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpk11wrap_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs12.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libpkcs7.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsmime.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libsoftokn_static.a" "$distdir/lib"
+cp -p -L "$builddir/nss_build/lib/libssl.a" "$distdir/lib"
+
+# HW specific.
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#278-296
+[% IF c("var/configure_host") == "i686-linux-android" || c("var/configure_host") == "x86_64-linux-android"-%]
+  cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" || c("var/configure_host") == "aarch64-linux-android"-%]
+  cp -p -L "$builddir/nss_build/lib/libarmv8_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "aarch64-linux-android" -%]
+  cp -p -L "$builddir/nss_build/lib/libgcm-aes-aarch64_c_lib.a" "$distdir/lib"
+[% END %]
+[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
+  cp -p -L "$builddir/nss_build/lib/libgcm-aes-arm32-neon_c_lib.a" "$distdir/lib"
+[% END %]
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
+# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
+[% IF c("var/configure_host") == "x86_64-linux-android"-%]
+  cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
+  cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
+  cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
+  cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
+[% END %]
+cp -p -L "$builddir/nspr_build/dist/lib/libplc4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libplds4.a" "$distdir/lib"
+cp -p -L "$builddir/nspr_build/dist/lib/libnspr4.a" "$distdir/lib"
+
+cp -p -L -R "$builddir/nss_build/public/nss/"* "$distdir/include/nss"
+cp -p -L -R "$builddir/nspr_build/dist/include/nspr/"* "$distdir/include/nss"
+
+cd /var/tmp/dist
+[% c('tar', {
+        tar_src => [ project ],
+        tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
+    }) %]
diff --git a/projects/nss/config b/projects/nss/config
new file mode 100644
index 0000000..e2b875e
--- /dev/null
+++ b/projects/nss/config
@@ -0,0 +1,27 @@
+# vim: filetype=yaml sw=2
+filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
+# The required versions for application-services can be found at the respective
+# commit in libs/build-all.sh
+version: 3.54
+# XXX: maybe that's extractable automatically from `version` somehow?
+version_path: 3_54
+nspr_version: 4.26
+var:
+  container:
+    use_container: 1
+  deps:
+    - build-essential
+    - gyp
+
+input_files:
+  - project: container-image
+  - name: '[% c("var/compiler") %]'
+    project: '[% c("var/compiler") %]'
+  - name: ninja
+    project: ninja
+  - URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("version_path") %]_RTM/src/nss-[% c("version") %]-with-nspr-[% c("nspr_version") %].tar.gz'
+    name: nss
+    sha256sum: e0e81f0ff264d810f130d3cd9334722f7f883c752430483131d1ca5ac62d3f70
+  - filename: configure.patch
+  - filename: config.patch
+  - filename: bug_13028.patch
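Review bot: `version_path: 3_54` duplicates `version: 3.54` and the two must be bumped in lockstep, which the XXX comment above it already flags; it could instead be derived at template time with Template Toolkit's `replace` scalar method on `c("version")` (substituting `.` with `_`) in the download URL, removing the second value entirely. If that is left as is, a short comment stating that `version_path` must match `version` with dots replaced by underscores would help the next bump.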
diff --git a/projects/nss/config.patch b/projects/nss/config.patch
new file mode 100644
index 0000000..e7f5012
--- /dev/null
+++ b/projects/nss/config.patch
@@ -0,0 +1,37 @@
+From c11dc3a73349fc7d8fa451f9e3a4e3952aa54fd2 Mon Sep 17 00:00:00 2001
+From: Georg Koppen <gk at torproject.org>
+Date: Wed, 1 Jul 2020 09:57:01 +0000
+Subject: [PATCH] Patch for building NSS for application-services
+
+See: application-services/libs/build-all.sh
+
+diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
+index 62d3cc71ecaf..dd30de079081 100644
+--- a/security/nss/coreconf/config.gypi
++++ b/security/nss/coreconf/config.gypi
+@@ -144,6 +144,23 @@
+       '<(nspr_include_dir)',
+       '<(nss_dist_dir)/private/<(module)',
+     ],
++    'defines': [
++      'HMAC_Update=NSS_HMAC_Update',
++      'HMAC_Init=NSS_HMAC_Init',
++      'CMAC_Update=NSS_CMAC_Update',
++      'CMAC_Init=NSS_CMAC_Init',
++      'MD5_Update=NSS_MD5_Update',
++      'SHA1_Update=NSS_SHA1_Update',
++      'SHA256_Update=NSS_SHA256_Update',
++      'SHA224_Update=NSS_SHA224_Update',
++      'SHA512_Update=NSS_SHA512_Update',
++      'SHA384_Update=NSS_SHA384_Update',
++      'SEED_set_key=NSS_SEED_set_key',
++      'SEED_encrypt=NSS_SEED_encrypt',
++      'SEED_decrypt=NSS_SEED_decrypt',
++      'SEED_ecb_encrypt=NSS_SEED_ecb_encrypt',
++      'SEED_cbc_encrypt=NSS_SEED_cbc_encrypt',
++    ],
+     'conditions': [
+       [ 'mozpkix_only==1 and OS=="linux"', {
+         'include_dirs': [
+--
+2.27.0
diff --git a/projects/nss/configure.patch b/projects/nss/configure.patch
new file mode 100644
index 0000000..4ce8465
--- /dev/null
+++ b/projects/nss/configure.patch
@@ -0,0 +1,11 @@
+@@ -2662,6 +2662,9 @@
+
+ case "$target" in
+ *-android*|*-linuxandroid*)
++    $as_echo "#define ANDROID 1" >>confdefs.h
++    ;;
++    unreachable)
+     if test -z "$android_ndk" ; then
+        as_fn_error $? "You must specify --with-android-ndk=/path/to/ndk when targeting Android." "$LINENO" 5
+     fi
+




