Bug 1832523 - Allow using NSS to sign and verify MAR signatures.... (9f5d76b6) · Commits · The Tor Project / Applications / Mullvad Browser

build/moz.configure/update-programs.configure

+23 −0

Original line number	Diff line number	Diff line
		@@ -54,6 +54,29 @@ set_config(
		depends_if("--enable-unverified-updates")(lambda _: True),
		)

		# Use NSS for MAR signatures even on platforms where system libraries are
		# supported (currently Windows and macOS).
		# ==============================================================

		can_toggle_nss_mar = target_is_windows \| target_is_osx

		option(
		"--enable-nss-mar",
		when=can_toggle_nss_mar,
		help="Enable using NSS to check MAR signatures instead of system crypto.",
		)


		@depends(
		depends("--enable-nss-mar", when=can_toggle_nss_mar)(lambda x: x),
		can_toggle_nss_mar,
		)
		def enable_nss_mar(enabled, can_toggle_nss_mar):
		return enabled or not can_toggle_nss_mar


		set_config("MOZ_USE_NSS_FOR_MAR", True, when=enable_nss_mar)

		# Maintenance service (Windows only)
		# ==============================================================

modules/libmar/tool/mar.c

+15 −16

Original line number	Diff line number	Diff line
		@@ -18,7 +18,7 @@
		# include <unistd.h>
		#endif

		#if !defined(NO_SIGN_VERIFY) && (!defined(XP_WIN) \|\| defined(MAR_NSS))
		#if !defined(NO_SIGN_VERIFY) && defined(MAR_NSS)
		# include "cert.h"
		# include "nss.h"
		# include "pk11pub.h"
		@@ -65,7 +65,7 @@ static void print_usage() {
		"signed_input_archive.mar base_64_encoded_signature_file "
		"changed_signed_output.mar\n");
		printf("(i) is the index of the certificate to extract\n");
		# if defined(XP_MACOSX) \|\| (defined(XP_WIN) && !defined(MAR_NSS))
		# if !defined(MAR_NSS)
		printf("Verify a MAR file:\n");
		printf(" mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n");
		printf(
		@@ -135,23 +135,22 @@ int main(int argc, char** argv) {
		int32_t sigIndex = -1;
		uint32_t fileSizes[MAX_SIGNATURES];
		const uint8_t* certBuffers[MAX_SIGNATURES];
		# if ((!defined(MAR_NSS) && defined(XP_WIN)) \|\| defined(XP_MACOSX)) \|\| \
		((defined(XP_WIN) \|\| defined(XP_MACOSX)) && !defined(MAR_NSS))
		# if !defined(MAR_NSS)
		char* DERFilePaths[MAX_SIGNATURES];
		# endif
		# if (!defined(XP_WIN) && !defined(XP_MACOSX)) \|\| defined(MAR_NSS)
		# else
		CERTCertificate* certs[MAX_SIGNATURES];
		# endif
		#endif

		memset((void*)certNames, 0, sizeof(certNames));
		#if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY)
		#if !defined(NO_SIGN_VERIFY)
		memset(fileSizes, 0, sizeof(fileSizes));
		memset((void*)certBuffers, 0, sizeof(certBuffers));
		#endif
		#if !defined(NO_SIGN_VERIFY) && \
		((!defined(MAR_NSS) && defined(XP_WIN)) \|\| defined(XP_MACOSX))
		# if !defined(MAR_NSS)
		memset(DERFilePaths, 0, sizeof(DERFilePaths));
		memset(fileSizes, 0, sizeof(fileSizes));
		# else
		memset(certs, 0, sizeof(certs));
		# endif
		#endif

		if (argc > 1 && 0 == strcmp(argv[1], "--version")) {
		@@ -181,7 +180,7 @@ int main(int argc, char** argv) {
		argc -= 2;
		}
		#if !defined(NO_SIGN_VERIFY)
		# if (!defined(MAR_NSS) && defined(XP_WIN)) \|\| defined(XP_MACOSX)
		# if !defined(MAR_NSS)
		/* -D DERFilePath, also matches -D[index] DERFilePath
		We allow an index for verifying to be symmetric
		with the import and export command line arguments. */
		@@ -348,7 +347,7 @@ int main(int argc, char** argv) {
		return -1;
		}

		# if (!defined(XP_WIN) && !defined(XP_MACOSX)) \|\| defined(MAR_NSS)
		# if defined(MAR_NSS)
		if (!NSSConfigDir \|\| certCount == 0) {
		print_usage();
		return -1;
		@@ -362,7 +361,7 @@ int main(int argc, char** argv) {

		rv = 0;
		for (k = 0; k < certCount; ++k) {
		# if (defined(XP_WIN) \|\| defined(XP_MACOSX)) && !defined(MAR_NSS)
		# if !defined(MAR_NSS)
		rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE,
		&certBuffers[k], &fileSizes[k]);

		@@ -404,7 +403,7 @@ int main(int argc, char** argv) {
		}
		}
		for (k = 0; k < certCount; ++k) {
		# if (defined(XP_WIN) \|\| defined(XP_MACOSX)) && !defined(MAR_NSS)
		# if !defined(MAR_NSS)
		free((void*)certBuffers[k]);
		# else
		/* certBuffers[k] is owned by certs[k] so don't free it */
		@@ -423,7 +422,7 @@ int main(int argc, char** argv) {
		" no signature to verify.\n");
		}
		}
		# if (!defined(XP_WIN) && !defined(XP_MACOSX)) \|\| defined(MAR_NSS)
		# if defined(MAR_NSS)
		(void)NSS_Shutdown();
		# endif
		return rv ? -1 : 0;

modules/libmar/tool/moz.build

+9 −3

Original line number	Diff line number	Diff line
		@@ -43,15 +43,21 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging":
		"verifymar",
		]

		if CONFIG["MOZ_USE_NSS_FOR_MAR"]:
		DEFINES["MAR_NSS"] = True

		if CONFIG["OS_ARCH"] == "WINNT":
		USE_STATIC_LIBS = True

		OS_LIBS += [
		"ws2_32",
		]
		if not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
		OS_LIBS += [
		"crypt32",
		"advapi32",
		]
		elif CONFIG["OS_ARCH"] == "Darwin":
		elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
		OS_LIBS += [
		"-framework CoreFoundation",
		"-framework Security",

modules/libmar/verify/moz.build

+13 −10

Original line number	Diff line number	Diff line
		@@ -15,7 +15,7 @@ FORCE_STATIC_LIB = True

		if CONFIG["OS_ARCH"] == "WINNT":
		USE_STATIC_LIBS = True
		elif CONFIG["OS_ARCH"] == "Darwin":
		elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["MOZ_USE_NSS_FOR_MAR"]:
		UNIFIED_SOURCES += [
		"MacVerifyCrypto.cpp",
		]
		@@ -23,17 +23,16 @@ elif CONFIG["OS_ARCH"] == "Darwin":
		"-framework Security",
		]
		else:
		DEFINES["MAR_NSS"] = True
		LOCAL_INCLUDES += ["../sign"]
		USE_LIBS += [
		"nspr",
		"nss",
		"signmar",
		]
		if CONFIG["OS_ARCH"] != "Darwin":
		# Ideally, this would be '-Wl,-rpath=$ORIGIN', but the build system
		# doesn't do the right escaping yet. Even more ideally, this would
		# be LDFLAGS, but the build system doesn't propagate those like USE_LIBS
		# and OS_LIBS. Bug #1041943.
		# be LDFLAGS, but the build system doesn't propagate those like
		# USE_LIBS and OS_LIBS. Bug #1041943.
		OS_LIBS += [
		"-Wl,-rpath=\\$$ORIGIN",
		]
		@@ -42,6 +41,10 @@ LOCAL_INCLUDES += [
		"../src",
		]

		if CONFIG["MOZ_USE_NSS_FOR_MAR"]:
		LOCAL_INCLUDES += ["../sign"]
		DEFINES["MAR_NSS"] = True

		# C11 for static_assert
		c11_flags = ["-std=gnu11"]
		if CONFIG["CC_TYPE"] == "clang-cl":

toolkit/mozapps/update/updater/updater-common.build

+25 −3

Original line number	Diff line number	Diff line
		@@ -4,6 +4,12 @@
		# License, v. 2.0. If a copy of the MPL was not distributed with this
		# file, You can obtain one at http://mozilla.org/MPL/2.0/.

		link_with_nss = CONFIG["MOZ_USE_NSS_FOR_MAR"] or (
		CONFIG["OS_ARCH"] == "Linux" and CONFIG["MOZ_VERIFY_MAR_SIGNATURE"]
		)
		if link_with_nss:
		DEFINES["MAR_NSS"] = True

		srcs = [
		"archivereader.cpp",
		"updater.cpp",
		@@ -36,14 +42,18 @@ if CONFIG["OS_ARCH"] == "WINNT":
		"ws2_32",
		"shell32",
		"shlwapi",
		"crypt32",
		"advapi32",
		"gdi32",
		"user32",
		"userenv",
		"uuid",
		]

		if not link_with_nss:
		OS_LIBS += [
		"crypt32",
		"advapi32",
		]

		USE_LIBS += [
		"bspatch",
		"mar",
		@@ -51,6 +61,13 @@ USE_LIBS += [
		"xz-embedded",
		]

		if link_with_nss:
		USE_LIBS += [
		"nspr",
		"nss",
		"signmar",
		]

		if CONFIG["MOZ_WIDGET_TOOLKIT"] == "gtk":
		have_progressui = 1
		srcs += [
		@@ -65,9 +82,14 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "cocoa":
		]
		OS_LIBS += [
		"-framework Cocoa",
		"-framework Security",
		"-framework SystemConfiguration",
		]
		if link_with_nss:
		LDFLAGS += ["-Wl,-rpath,@executable_path/../../../"]
		else:
		OS_LIBS += [
		"-framework Security",
		]
		UNIFIED_SOURCES += [
		"/toolkit/xre/updaterfileutils_osx.mm",
		]