
Unverified Commit 53131fdc authored by Georg Koppen's avatar Georg Koppen

Bug 40010: Add NSS for application-services

parent de185dd7
From 2f0888c348561249d3083555db33c5619840dbfa Mon Sep 17 00:00:00 2001
From: Mike Perry <mikeperry-git@torproject.org>
Date: Mon, 29 Sep 2014 14:30:19 -0700
Subject: [PATCH] Bug 13028: Prevent potential proxy bypass cases.
It looks like these cases should only be invoked in the NSS command line
tools, and not the browser, but I decided to patch them anyway because there
literally is a maze of network function pointers being passed around, and it's
very hard to tell if some random code might not pass in the proper proxied
versions of the networking code here by accident.
diff --git a/security/nss/lib/certhigh/ocsp.c b/security/nss/lib/certhigh/ocsp.c
index cea8456606bf..86fa971cfbef 100644
--- a/security/nss/lib/certhigh/ocsp.c
+++ b/security/nss/lib/certhigh/ocsp.c
@@ -2932,6 +2932,14 @@ ocsp_ConnectToHost(const char *host, PRUint16 port)
PRNetAddr addr;
char *netdbbuf = NULL;
+ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
+ // we want to ensure nothing can ever hit this code in production.
+#if 1
+ printf("Tor Browser BUG: Attempted OSCP direct connect to %s, port %u\n", host,
+ port);
+ goto loser;
+#endif
+
sock = PR_NewTCPSocket();
if (sock == NULL)
goto loser;
diff --git a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
index e8698376b5be..85791d84a932 100644
--- a/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
+++ b/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c
@@ -1334,6 +1334,13 @@ pkix_pl_Socket_Create(
plContext),
PKIX_COULDNOTCREATESOCKETOBJECT);
+ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
+ // we want to ensure nothing can ever hit this code in production.
+#if 1
+ printf("Tor Browser BUG: Attempted pkix direct socket connect\n");
+ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#endif
+
socket->isServer = isServer;
socket->timeout = timeout;
socket->clientSock = NULL;
@@ -1433,6 +1440,13 @@ pkix_pl_Socket_CreateByName(
localCopyName = PL_strdup(serverName);
+ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
+ // we want to ensure nothing can ever hit this code in production.
+#if 1
+ printf("Tor Browser BUG: Attempted pkix direct connect to %s\n", serverName);
+ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#endif
+
sepPtr = strchr(localCopyName, ':');
/* First strip off the portnum, if present, from the end of the name */
if (sepPtr) {
@@ -1582,6 +1596,13 @@ pkix_pl_Socket_CreateByHostAndPort(
PKIX_ENTER(SOCKET, "pkix_pl_Socket_CreateByHostAndPort");
PKIX_NULLCHECK_THREE(hostname, pStatus, pSocket);
+ // XXX: Do we need a unittest ifdef here? We don't want to break the tests, but
+ // we want to ensure nothing can ever hit this code in production.
+#if 1
+ printf("Tor Browser BUG: Attempted pkix direct connect to %s, port %u\n", hostname,
+ portnum);
+ PKIX_ERROR(PKIX_PRNEWTCPSOCKETFAILED);
+#endif
prstatus = PR_GetHostByName(hostname, buf, sizeof(buf), &hostent);
--
2.27.0
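Review bot: The `printf` calls added in all four hunks write the target host (the OCSP responder or pkix peer name, should this path ever be reached) to stdout, which is the wrong stream for a library and is discarded on Android; `fprintf(stderr, ...)` or NSPR's `PR_fprintf(PR_STDERR, ...)` would at least make a hit visible in test runs. The unconditional `#if 1` blocks also make the rest of each function unreachable, which newer compilers warn about, and the XXX comments' own question is answered by keying the guard on a define, e.g. `#ifndef TOR_ALLOW_DIRECT_CONNECT`, so the NSS test suite can be run with the guard off while production builds keep it on. Note that the build step in this same commit passes `-Ddisable_libpkix=1`, so only the `ocsp_ConnectToHost` hunk is compiled into the shipped archives; the three `pkix_pl_Socket_*` hunks apply cleanly but are dead code. Each patched function continues outside its hunk, so the `loser` cleanup and the `PKIX_ERROR` exit paths are not visible here; the early `goto loser` presumably relies on `sock` being initialized to NULL at declaration, which is worth confirming.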
#!/bin/bash
[% c("var/set_default_env") -%]
[% pc(c('var/compiler'), 'var/setup', { compiler_tarfile => c('input_files_by_name/' _ c('var/compiler')) }) %]
distdir=/var/tmp/dist/nss
builddir=/var/tmp/build/[% project %]
mkdir /var/tmp/build
tar -C /var/tmp/dist -xf [% c('input_files_by_name/ninja') %]
export PATH=/var/tmp/dist/ninja:$PATH
# application-services uses a newer NDK, 21d, than all the other projects...
export ANDROID_NDK_API_VERSION=[% pc("fenix-android-toolchain", "var/android_ndk_version") %][% pc('fenix-android-toolchain', 'var/android_ndk_revision') %]
export ANDROID_NDK_HOME=/var/tmp/dist/[% c('var/compiler') %]/android-ndk/android-ndk-r$ANDROID_NDK_API_VERSION
# We need to add the new path to our build tools to PATH
export PATH=$ANDROID_NDK_HOME/toolchains/llvm/prebuilt/linux-x86_64/bin:$PATH
export ANDROID_NDK_ROOT=$ANDROID_NDK_HOME
export NDK_HOST_TAG=linux-x86_64
nspr_64=""
[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
gyp_arch="arm"
[% ELSIF c("var/configure_host") == "i686-linux-android" -%]
gyp_arch="ia32"
[% ELSIF c("var/configure_host") == "x86_64-linux-android" -%]
gyp_arch="x64"
nspr_64="--enable-64bit"
[% ELSIF c("var/configure_host") == "aarch64-linux-android" -%]
gyp_arch="arm64"
nspr_64="--enable-64bit"
[% END -%]
export AR="[% c('var/cross_prefix') %]-ar"
# XXX: Mozilla really uses the NDK_API_VERSION here, which is weird.
export CC="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang"
export CXX="[% c('var/cross_prefix') %][% pc('fenix-android-toolchain', 'var/android_ndk_version') %]-clang++"
export LD="[% c('var/cross_prefix') %]-ld"
export NM="[% c('var/cross_prefix') %]-nm"
export RANLIB="[% c('var/cross_prefix') %]-ranlib"
export READELF="[% c('var/cross_prefix') %]-readelf"
tar -C /var/tmp/build -xf [% c('input_files_by_name/nss') %]
mv /var/tmp/build/[% project %]-[% c('version') %] $builddir
cd $builddir
# Early return hack to prevent NSPR Android setup
# which does not work with ndk unified headers and clang. See:
# application-services/libs/build-all.sh
cat $rootdir/configure.patch | patch nspr/configure
# Some NSS symbols clash with OpenSSL symbols, rename them using
# C preprocessor define macros. See:
# application-services/libs/build-all.sh
patch -p2 < $rootdir/config.patch
# Let's apply our proxy bypass defense-in-depth here as well to be on the safe
# side.
patch -p2 < $rootdir/bug_13028.patch
# Building NSPR
mkdir $builddir/nspr_build
cd $builddir/nspr_build
../nspr/configure \
$nspr_64 \
--target=[% c("var/configure_host") %] \
--disable-debug \
--enable-optimize
make
cd ..
# Building NSS
mkdir $builddir/nss_build
gyp -f ninja-android "$builddir/nss/nss.gyp" \
--depth "$builddir/nss/" \
--generator-output=. \
-DOS=android \
-Dnspr_lib_dir="$builddir/nspr_build/dist/lib" \
-Dnspr_include_dir="$builddir/nspr_build/dist/include/nspr" \
-Dnss_dist_dir="$builddir/nss_build" \
-Dnss_dist_obj_dir="$builddir/nss_build" \
-Dhost_arch="$gyp_arch" \
-Dtarget_arch="$gyp_arch" \
-Dstatic_libs=1 \
-Ddisable_dbm=1 \
-Dsign_libs=0 \
-Denable_sslkeylogfile=0 \
-Ddisable_tests=1 \
-Ddisable_libpkix=1
gendir="$builddir/nss/out/Release"
ninja -C "$gendir"
mkdir -p $distdir/include/nss
mkdir -p $distdir/lib
cp -p -L "$builddir/nss_build/lib/libcertdb.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libcerthi.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libcryptohi.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libfreebl_static.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libnss_static.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libnssb.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libnssdev.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libnsspki.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libnssutil.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libpk11wrap_static.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libpkcs12.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libpkcs7.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libsmime.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libsoftokn_static.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libssl.a" "$distdir/lib"
# HW specific.
# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#278-296
[% IF c("var/configure_host") == "i686-linux-android" || c("var/configure_host") == "x86_64-linux-android"-%]
cp -p -L "$builddir/nss_build/lib/libgcm-aes-x86_c_lib.a" "$distdir/lib"
[% END %]
[% IF c("var/configure_host") == "arm-linux-androideabi" || c("var/configure_host") == "aarch64-linux-android"-%]
cp -p -L "$builddir/nss_build/lib/libarmv8_c_lib.a" "$distdir/lib"
[% END %]
[% IF c("var/configure_host") == "aarch64-linux-android" -%]
cp -p -L "$builddir/nss_build/lib/libgcm-aes-aarch64_c_lib.a" "$distdir/lib"
[% END %]
[% IF c("var/configure_host") == "arm-linux-androideabi" -%]
cp -p -L "$builddir/nss_build/lib/libgcm-aes-arm32-neon_c_lib.a" "$distdir/lib"
[% END %]
# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
# https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
[% IF c("var/configure_host") == "x86_64-linux-android"-%]
cp -p -L "$builddir/nss_build/lib/libintel-gcm-wrap_c_lib.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libintel-gcm-s_lib.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx.a" "$distdir/lib"
cp -p -L "$builddir/nss_build/lib/libhw-acc-crypto-avx2.a" "$distdir/lib"
[% END %]
cp -p -L "$builddir/nspr_build/dist/lib/libplc4.a" "$distdir/lib"
cp -p -L "$builddir/nspr_build/dist/lib/libplds4.a" "$distdir/lib"
cp -p -L "$builddir/nspr_build/dist/lib/libnspr4.a" "$distdir/lib"
cp -p -L -R "$builddir/nss_build/public/nss/"* "$distdir/include/nss"
cp -p -L -R "$builddir/nspr_build/dist/include/nspr/"* "$distdir/include/nss"
cd /var/tmp/dist
[% c('tar', {
tar_src => [ project ],
tar_args => '-czf ' _ dest_dir _ '/' _ c('filename'),
}) %]
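Review bot: The three `patch` invocations (`cat $rootdir/configure.patch | patch nspr/configure`, `patch -p2 < $rootdir/config.patch`, `patch -p2 < $rootdir/bug_13028.patch`) carry no failure handling of their own; unless `var/set_default_env` already enables `set -e`, a rejected hunk after a future `version` or `nspr_version` bump lets the build continue with the proxy-bypass guard or the OpenSSL symbol renames silently missing. An explicit `set -e` at the top of the script, or `|| exit 1` on each call, removes the dependence on the template's defaults, and the first call could use the same `patch nspr/configure < $rootdir/configure.patch` redirect form as the other two. Also, because `-Ddisable_libpkix=1` is passed to gyp, only the `ocsp.c` hunk of `bug_13028.patch` is compiled, which the comment above that call should say: `# With disable_libpkix=1 only the ocsp.c hunk is compiled; the libpkix hunks apply but are unused.`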
# vim: filetype=yaml sw=2
filename: '[% project %]-[% c("version") %]-[% c("var/osname") %]-[% c("var/build_id") %].tar.gz'
# The required versions for application-services can be found at the respective
# commit in libs/build-all.sh
version: 3.54
# XXX: maybe that's extractable automatically from `version` somehow?
version_path: 3_54
nspr_version: 4.26
var:
container:
use_container: 1
deps:
- build-essential
- gyp
input_files:
- project: container-image
- name: '[% c("var/compiler") %]'
project: '[% c("var/compiler") %]'
- name: ninja
project: ninja
- URL: 'https://ftp.mozilla.org/pub/security/nss/releases/NSS_[% c("version_path") %]_RTM/src/nss-[% c("version") %]-with-nspr-[% c("nspr_version") %].tar.gz'
name: nss
sha256sum: e0e81f0ff264d810f130d3cd9334722f7f883c752430483131d1ca5ac62d3f70
- filename: configure.patch
- filename: config.patch
- filename: bug_13028.patch
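Review bot: `version_path` duplicates `version` by hand, and the XXX on that line asks whether it can be derived; Template Toolkit's scalar `replace` vmethod should do it, `version_path: '[% c("version").replace("\\.", "_") %]'`, so the download URL cannot drift from the version being built. The pinned `sha256sum` on the combined NSS-with-NSPR tarball is what actually ties this build to reviewed sources, so any bump must change that line in the same commit. `nspr_version` only feeds the URL and has no hash of its own, which is fine because the single archive is covered, but a comment next to it would avoid a false sense of a missing check: `# NSPR is bundled in the NSS tarball above and covered by its sha256sum.`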
From c11dc3a73349fc7d8fa451f9e3a4e3952aa54fd2 Mon Sep 17 00:00:00 2001
From: Georg Koppen <gk@torproject.org>
Date: Wed, 1 Jul 2020 09:57:01 +0000
Subject: [PATCH] Patch for building NSS for application-services
See: application-services/libs/build-all.sh
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index 62d3cc71ecaf..dd30de079081 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -144,6 +144,23 @@
'<(nspr_include_dir)',
'<(nss_dist_dir)/private/<(module)',
],
+ 'defines': [
+ 'HMAC_Update=NSS_HMAC_Update',
+ 'HMAC_Init=NSS_HMAC_Init',
+ 'CMAC_Update=NSS_CMAC_Update',
+ 'CMAC_Init=NSS_CMAC_Init',
+ 'MD5_Update=NSS_MD5_Update',
+ 'SHA1_Update=NSS_SHA1_Update',
+ 'SHA256_Update=NSS_SHA256_Update',
+ 'SHA224_Update=NSS_SHA224_Update',
+ 'SHA512_Update=NSS_SHA512_Update',
+ 'SHA384_Update=NSS_SHA384_Update',
+ 'SEED_set_key=NSS_SEED_set_key',
+ 'SEED_encrypt=NSS_SEED_encrypt',
+ 'SEED_decrypt=NSS_SEED_decrypt',
+ 'SEED_ecb_encrypt=NSS_SEED_ecb_encrypt',
+ 'SEED_cbc_encrypt=NSS_SEED_cbc_encrypt',
+ ],
'conditions': [
[ 'mozpkix_only==1 and OS=="linux"', {
'include_dirs': [
--
2.27.0
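Review bot: The renamed symbol list in the added `defines` block is load-bearing for memory safety, not just link hygiene: with `static_libs=1` NSS and OpenSSL presumably end up in the same application-services library, and a clashing function left off this list can resolve to the other library's implementation with a different context-struct layout rather than failing at link time. The hunk should say so and name its source of truth, e.g. `# Rename symbols that clash with OpenSSL when both are linked statically; must match application-services/libs/build-all.sh for the pinned commit.` The commit message cites build-all.sh, but the gypi itself carries no explanation, and whether the list is complete for NSS 3.54 cannot be checked from this page.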
@@ -2662,6 +2662,9 @@
case "$target" in
*-android*|*-linuxandroid*)
+ $as_echo "#define ANDROID 1" >>confdefs.h
+ ;;
+ unreachable)
if test -z "$android_ndk" ; then
as_fn_error $? "You must specify --with-android-ndk=/path/to/ndk when targeting Android." "$LINENO" 5
fi
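Review bot: The `unreachable)` arm is an intentional dead branch that switches off NSPR's NDK probing, but nothing in the patch says so; a comment line inside the new arm, `# Tor Browser: skip NSPR's NDK setup; the toolchain comes from CC/CXX set in projects/nss/build`, would stop a future maintainer from "fixing" it. Because the hunk has no `---`/`+++` header and is anchored only by context and the fixed `2662` offset, `patch`'s default fuzz could place it elsewhere after an NSPR bump; `patch -F0` in the build script, or a proper header so the usual `patch -p1` form applies, makes a mismatch fail loudly. The skipped arm presumably also set Android-specific flags beyond the NDK path check, which is outside this hunk and worth confirming against NSPR 4.26's configure.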