Verified commit 425758ac, authored by Kathleen Brade, committed by ma1

Bug 13379: Sign our MAR files.

Configure with --enable-verify-mar (when updating, require a valid
  signature on the MAR file before it is applied).
Use the Tor Browser version instead of the Firefox version inside the
  MAR file info block (necessary to prevent downgrade attacks).
Use NSS on all platforms for checking MAR signatures (instead of using
  OS-native APIs, which Mozilla does on Mac OS and Windows). So that the
  NSS and NSPR libraries the updater depends on can be found at runtime,
  we add the firefox directory to the shared library search path on macOS.
  On Linux, rpath is used by Mozilla to solve that problem, but that
  approach won't work on macOS because the updater executable is copied
  during the update process to a location that is under TorBrowser-Data,
  and the location of TorBrowser-Data varies.

Also includes the fix for bug 18900.

Bug 19121: reinstate the update.xml hash check

Revert most changes from Mozilla Bug 1373267 "Remove hashFunction and
hashValue attributes from nsIUpdatePatch and code related to these
attributes." Changes to the tests were not reverted; the tests have
been changed significantly and we do not run automated updater tests
for Tor Browser at this time.

Also partial revert of commit f1241db6.

Revert the nsUpdateService.js changes from Mozilla Bug 862173 "don't
verify mar file hash when using mar signing to verify the mar file
(lessens main thread I/O)."

Changes to the tests were not reverted; the tests have been changed
significantly and we do not run automated updater tests for
Tor Browser at this time.

We kept the addition to the AppConstants API in case other JS code
references it in the future.
parent 6ebd3c35
+1 −0
@@ -5,5 +5,6 @@ mk_add_options MOZ_APP_DISPLAYNAME="Tor Browser"
ac_add_options --with-relative-profile=TorBrowser/Data/Browser

ac_add_options --enable-tor-browser-update
ac_add_options --enable-verify-mar

ac_add_options --with-distribution-id=org.torproject
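Review bot: nothing visible here ties `--enable-verify-mar` to `--enable-tor-browser-update` on the line above it, so a mozconfig that keeps the updater but loses this line would still look valid. The commit message says this option is what makes the updater require a valid MAR signature before applying an update, so consider having configure fail when the updater is enabled without it, or at minimum add a comment here saying the two options must stay together.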
+3 −3
@@ -65,7 +65,7 @@ static void print_usage() {
      "signed_input_archive.mar base_64_encoded_signature_file "
      "changed_signed_output.mar\n");
  printf("(i) is the index of the certificate to extract\n");
#  if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS))
#  if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS)
  printf("Verify a MAR file:\n");
  printf("  mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n");
  printf(
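Review bot: the platform test in print_usage(), `(defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS)`, is written differently from the same test in the two main() hunks below, which use `!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX))`. The forms are logically equivalent, but three hand-written copies can drift apart, and then the usage text would no longer match the options that are actually parsed. Define the condition once near the top of the file as a single macro and test that macro at all three sites.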
@@ -149,7 +149,7 @@ int main(int argc, char** argv) {
  memset((void*)certBuffers, 0, sizeof(certBuffers));
#endif
#if !defined(NO_SIGN_VERIFY) && \
    ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX))
    (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))
  memset(DERFilePaths, 0, sizeof(DERFilePaths));
  memset(fileSizes, 0, sizeof(fileSizes));
#endif
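Review bot: the `memset` calls on `DERFilePaths` and `fileSizes` are now compiled out on macOS whenever `MAR_NSS` is defined, but the declarations of those arrays are not in this hunk. Please confirm they sit under the same `!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX))` guard, so a macOS NSS build is not left with unused arrays. The outer parentheses around the second operand of the `&&` are redundant and can go.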
@@ -181,7 +181,7 @@ int main(int argc, char** argv) {
      argc -= 2;
    }
#if !defined(NO_SIGN_VERIFY)
#  if (!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX)
#  if (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))
    /* -D DERFilePath, also matches -D[index] DERFilePath
       We allow an index for verifying to be symmetric
       with the import and export command line arguments. */
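Review bot: with the new guard, the `-D DERFilePath` parsing is no longer built on macOS when `MAR_NSS` is defined, and this hunk does not show what happens to a caller that still passes `-D` there. A short comment above the `#  if` saying that NSS builds do not accept `-D` on any platform would help, and any build or release scripts that invoke `mar -D ... -v` on macOS should be checked as part of this change.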
+9 −3
@@ -43,15 +43,21 @@ if CONFIG["MOZ_BUILD_APP"] != "tools/update-packaging":
        "verifymar",
    ]

    if CONFIG["TOR_BROWSER_UPDATE"]:
        DEFINES["MAR_NSS"] = True

    if CONFIG["OS_ARCH"] == "WINNT":
        USE_STATIC_LIBS = True

        OS_LIBS += [
            "ws2_32",
        ]
        if not CONFIG["TOR_BROWSER_UPDATE"]:
            OS_LIBS += [
                "crypt32",
                "advapi32",
            ]
    elif CONFIG["OS_ARCH"] == "Darwin":
    elif CONFIG["OS_ARCH"] == "Darwin" and not CONFIG["TOR_BROWSER_UPDATE"]:
        OS_LIBS += [
            "-framework CoreFoundation",
            "-framework Security",
+7 −7
@@ -16,15 +16,12 @@ FORCE_STATIC_LIB = True
if CONFIG["OS_ARCH"] == "WINNT":
    USE_STATIC_LIBS = True
elif CONFIG["OS_ARCH"] == "Darwin":
    UNIFIED_SOURCES += [
        "MacVerifyCrypto.cpp",
    ]
    OS_LIBS += [
        "-framework Security",
    USE_LIBS += [
        "nspr",
        "nss",
        "signmar",
    ]
else:
    DEFINES["MAR_NSS"] = True
    LOCAL_INCLUDES += ["../sign"]
    USE_LIBS += [
        "nspr",
        "nss",
@@ -38,6 +35,9 @@ else:
        "-Wl,-rpath=\\$$ORIGIN",
    ]

DEFINES["MAR_NSS"] = True
LOCAL_INCLUDES += ["../sign"]

LOCAL_INCLUDES += [
    "../src",
]
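Review bot: `DEFINES["MAR_NSS"] = True` is now unconditional in this file, whereas the signing tool's build file earlier in this commit sets it only under `if CONFIG["TOR_BROWSER_UPDATE"]:`. A build without TOR_BROWSER_UPDATE would then compile this library for NSS on macOS and Windows while the signing tool still expects the native APIs. Gate these two lines on the same CONFIG flag, or add a comment explaining why the two files differ.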
+7 −0
@@ -212,6 +212,13 @@ this.AppConstants = Object.freeze({
  false,
#endif

  MOZ_VERIFY_MAR_SIGNATURE:
#ifdef MOZ_VERIFY_MAR_SIGNATURE
  true,
#else
  false,
#endif

  MOZ_MAINTENANCE_SERVICE:
#ifdef MOZ_MAINTENANCE_SERVICE
  true,
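Review bot: the new `MOZ_VERIFY_MAR_SIGNATURE` entry has no comment, and the commit message says it is kept only in case other JS code references it later. Add a one-line comment stating that it mirrors the `MOZ_VERIFY_MAR_SIGNATURE` build define and has no current consumers. It reports how the build was configured, not whether a given update was actually verified, so a future caller should not treat `true` as proof that a MAR was checked.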