Commit b9e5504b authored by Kathleen Brade's avatar Kathleen Brade Committed by Matthew Finkel

Bug 13379: Sign our MAR files.

Configure with --enable-signmar (build the signmar tool).
Configure with --enable-verify-mar (when updating, require a valid
  signature on the MAR file before it is applied).
Use the Tor Browser version instead of the Firefox version inside the
  MAR file info block (necessary to prevent downgrade attacks).
Use NSS on all platforms for checking MAR signatures (instead of using
  OS-native APIs, which Mozilla does on Mac OS and Windows). So that the
  NSS and NSPR libraries the updater depends on can be found at runtime,
  we add the firefox directory to the shared library search path on macOS.
  On Linux, rpath is used by Mozilla to solve that problem, but that
  approach won't work on macOS because the updater executable is copied
  during the update process to a location that is under TorBrowser-Data,
  and the location of TorBrowser-Data varies.

Also includes the fix for bug 18900.
parent 4fe87b9a
+2 −0
@@ -28,6 +28,8 @@ ac_add_options --enable-official-branding
ac_add_options --enable-default-toolkit=cairo-gtk3

ac_add_options --enable-tor-browser-update
ac_add_options --enable-signmar
ac_add_options --enable-verify-mar

ac_add_options --disable-strip
ac_add_options --disable-install-strip
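Review bot: `--enable-verify-mar` is the option that, per the commit message, makes the updater require a valid signature before a MAR file is applied, yet it is added here without a comment among ordinary build options. A line above it such as `# Updater must reject MAR files without a valid signature (bug 13379); keep together with --enable-tor-browser-update.` would make an accidental removal stand out in a later mozconfig cleanup. The same applies to the other two mozconfig sections in this commit. Any platform mozconfig not shown on this page that sets `--enable-tor-browser-update` should presumably carry the same pair.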
+2 −0
@@ -42,6 +42,8 @@ ac_add_options --disable-debug

ac_add_options --enable-tor-browser-data-outside-app-dir
ac_add_options --enable-tor-browser-update
ac_add_options --enable-signmar
ac_add_options --enable-verify-mar

ac_add_options --disable-crashreporter
ac_add_options --disable-webrtc
+2 −0
@@ -14,6 +14,8 @@ ac_add_options --enable-strip
ac_add_options --enable-official-branding

ac_add_options --enable-tor-browser-update
ac_add_options --enable-signmar
ac_add_options --enable-verify-mar
ac_add_options --disable-bits-download

# Let's make sure no preference is enabling either Adobe's or Google's CDM.
+11 −3
@@ -30,7 +30,11 @@ int mar_repackage_and_sign(const char *NSSConfigDir,
                           const char *src, const char *dest);

static void print_version() {
#ifdef TOR_BROWSER_UPDATE
  printf("Version: %s\n", TOR_BROWSER_VERSION_QUOTED);
#else
  printf("Version: %s\n", MOZ_APP_VERSION);
#endif
  printf("Default Channel ID: %s\n", MAR_CHANNEL_ID);
}

@@ -65,7 +69,7 @@ static void print_usage() {
      "signed_input_archive.mar base_64_encoded_signature_file "
      "changed_signed_output.mar\n");
  printf("(i) is the index of the certificate to extract\n");
#if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS))
#if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS)
  printf("Verify a MAR file:\n");
  printf("  mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n");
  printf(
@@ -127,7 +131,11 @@ int main(int argc, char **argv) {
  char *NSSConfigDir = NULL;
  const char *certNames[MAX_SIGNATURES];
  char *MARChannelID = MAR_CHANNEL_ID;
#ifdef TOR_BROWSER_UPDATE
  char *productVersion = TOR_BROWSER_VERSION_QUOTED;
#else
  char *productVersion = MOZ_APP_VERSION;
#endif
  uint32_t k;
  int rv = -1;
  uint32_t certCount = 0;
@@ -150,7 +158,7 @@ int main(int argc, char **argv) {
  memset((void *)certBuffers, 0, sizeof(certBuffers));
#endif
#if !defined(NO_SIGN_VERIFY) && \
    ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX))
    (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))
  memset(DERFilePaths, 0, sizeof(DERFilePaths));
  memset(fileSizes, 0, sizeof(fileSizes));
#endif
@@ -182,7 +190,7 @@ int main(int argc, char **argv) {
      argc -= 2;
    }
#if !defined(NO_SIGN_VERIFY) && \
    ((!defined(MAR_NSS) && defined(XP_WIN)) || defined(XP_MACOSX))
    (!defined(MAR_NSS) && (defined(XP_WIN) || defined(XP_MACOSX)))
    /* -D DERFilePath, also matches -D[index] DERFilePath
       We allow an index for verifying to be symmetric
       with the import and export command line arguments. */
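Review bot: The `#ifdef TOR_BROWSER_UPDATE` / `#else` version choice is written out twice, once in `print_version()` and again for `productVersion` in `main()`, so the version the tool reports and the value `main()` starts from can drift apart if only one copy is edited later. Because the commit message ties this value to downgrade protection, it would be safer to select it once in a single macro near the top of the file and use that macro in both places (the macro name below is only a suggestion). The `#else` arm also falls back to `MOZ_APP_VERSION` silently, so a short comment there stating that it is meant only for builds without the Tor Browser updater would help. `main()` starts and ends outside the hunks shown.

```c
#ifdef TOR_BROWSER_UPDATE
#  define MAR_TOOL_PRODUCT_VERSION TOR_BROWSER_VERSION_QUOTED
#else
/* Builds without the Tor Browser updater keep the Firefox version. */
#  define MAR_TOOL_PRODUCT_VERSION MOZ_APP_VERSION
#endif

static void print_version() {
  printf("Version: %s\n", MAR_TOOL_PRODUCT_VERSION);
  /* … unchanged: Default Channel ID line … */
}

/* … unchanged: print_usage() and the start of main() … */
  char *productVersion = MAR_TOOL_PRODUCT_VERSION;
```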
+8 −2
@@ -34,7 +34,13 @@ for var in ('MAR_CHANNEL_ID', 'MOZ_APP_VERSION'):
    DEFINES[var] = '"%s"' % CONFIG[var]
    HOST_DEFINES[var] = DEFINES[var]

if CONFIG['TOR_BROWSER_UPDATE']:
    DEFINES['TOR_BROWSER_UPDATE'] = '%s' % CONFIG['TOR_BROWSER_UPDATE']
if CONFIG['TOR_BROWSER_VERSION_QUOTED']:
    DEFINES['TOR_BROWSER_VERSION_QUOTED'] = '%s' % CONFIG['TOR_BROWSER_VERSION_QUOTED']

if CONFIG['MOZ_ENABLE_SIGNMAR']:
    DEFINES['MAR_NSS'] = True
    USE_LIBS += [
        'nspr',
        'nss',
@@ -48,12 +54,12 @@ if CONFIG['OS_ARCH'] == 'WINNT':
    OS_LIBS += [
        'ws2_32',
    ]
    if CONFIG['MOZ_ENABLE_SIGNMAR']:
    if CONFIG['MOZ_ENABLE_SIGNMAR'] and not DEFINES['MAR_NSS']:
        OS_LIBS += [
            'crypt32',
            'advapi32',
        ]
elif CONFIG['OS_ARCH'] == 'Darwin':
elif CONFIG['OS_ARCH'] == 'Darwin' and not DEFINES['MAR_NSS']:
    OS_LIBS += [
      '-framework Security',
    ]
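Review bot: The new `TOR_BROWSER_UPDATE` and `TOR_BROWSER_VERSION_QUOTED` entries are written to `DEFINES` only, while the loop just above them mirrors `MAR_CHANNEL_ID` and `MOZ_APP_VERSION` into `HOST_DEFINES` as well. If any copy of the tool is compiled with the host defines (not visible on this page), it would take the `#else` branch in the C source and use the Firefox version, which is the value the commit message relies on to prevent downgrades. Adding `HOST_DEFINES['TOR_BROWSER_UPDATE'] = DEFINES['TOR_BROWSER_UPDATE']` and the matching line for `TOR_BROWSER_VERSION_QUOTED` would keep both builds in agreement. Separately, `not DEFINES['MAR_NSS']` in the Darwin branch is evaluated even when `MOZ_ENABLE_SIGNMAR` is unset and the key was never assigned, so the lookup may raise rather than evaluate to false. Testing `not CONFIG['MOZ_ENABLE_SIGNMAR']` there expresses the same condition without the lookup.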