tbb-commits December 2014

tbb-commits@lists.torproject.org

2 participants
28 discussions

[tor-browser-bundle/master] Updating the README.build.
by gk＠torproject.org 19 Dec '14

19 Dec '14

commit fa3ac404e97e5dcb25e31e9ec7dfddf229714d22 Author: Georg Koppen <gk(a)torproject.org> Date: Fri Dec 19 10:38:33 2014 +0000 Updating the README.build. This update takes account of the changes landed in #13379 and earlier updater related bugs. It removes the section with spurious hangs during builds as the underlying libfaketime problems should be fixed with the switch to a newer libfaketime providing a more fine-grained control via FAKETIME_SKIP_CMDS and friends. --- gitian/README.build | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/gitian/README.build b/gitian/README.build index 24a67a8..670e84c 100644 --- a/gitian/README.build +++ b/gitian/README.build @@ -46,15 +46,19 @@ Detailed Explanation of Scripts: several helper scripts to make things easier. 0. Makefile: The main Makefile. It has the following commands: + - all: The default. It calls the 'clean', 'prep' and 'build' rules - prep: Check OS prerequisites and download source dependency inputs - build: Build localized bundles for Linux, Windows, and Mac - clean: Remove prior partial build stages (see 'Partial Rebuilds' below for the usage of clean-* commands) - vmclean: Remove VM base images - - distclean: Remove source dependency inputs, and run clean and vmclean - - all: The default. It calls clean, prep, and then build. - - sign: Signs your build output and uploads it to people.torproject.org - - match: Checks your build output against public signed hashes + - distclean: Remove source dependency inputs, and run 'clean' and 'vmclean' + - sign: Sign your build output and uploads it to people.torproject.org + - match: Check your build output against public signed hashes + - hash: Create the SHA256 sums + - incrementals: Create the incremental update (.mar) files + - update_responses: Create .xml and .htaccess files for the updater + - signmars: Create the signatures for the update (.mar) files To build beta/alpha/nightly bundles, alternate targets are provided: - nightly: The equivalent to the 'all' rule for nightly packages - alpha: The equivalent to the 'all' rule for alpha packages @@ -71,6 +75,12 @@ Detailed Explanation of Scripts: - match-nightly: The equivalent to the 'match' rule for nightly packages - match-alpha: The equivalent to the 'match' rule for alpha packages - match-beta: The equivalent to the 'match' rule for beta packages + - hash-nightly: The equivalent to the 'hash' rule for nightly packages + - hash-alpha: The equivalent to the 'hash' rule for alpha packages + - hash-beta: The equivalent to the 'hash' rule for beta packages + - signmars-nightly: The equivalent to the 'signmars' rule for nightly packages + - signmars-alpha: The equivalent to the 'signmars' rule for alpha packages + - signmars-beta: The equivalent to the 'signmars' rule for beta packages 1. check-prerequisites.sh: This script checks if your system is capable of running Gitian, and if it is not, it tells you what you need to do. @@ -119,7 +129,13 @@ Detailed Explanation of Scripts: 12. upload-signature.sh: This script signs and uploads your 'sha256sums.txt' file (for use if you are an official builder). - + 13. signmars.sh: This script generates the signatures on the update (.mar) + files. It expects an nssdb directory, containing the key, in the same + directory (i.e. tor-browser-bundle/gitian where it is located, too) and + a certificate with "marsigner" as nickname. Both the default nssdb + directory and the default certificate nickname can get overwritten by + exporting 'NSS_DB_DIR' and 'NSS_CERTNAME' pointing to the directory and + the nickname to be used instead. Partial Rebuilds: @@ -174,22 +190,14 @@ Known Issues and Quirks: creation hangs in the future (or help us write a wrapper script that tests VMs and re-runs the VM creation step if they don't boot). - 2. One out of every 50 builds or so, 'make' locks up at some point during a - build, probably due to timestamp issues inside the Gitian VM. The - symptoms of this are a hung build where the VM or LXC container processes - are consuming no CPU. - - Simply re-running 'make build' will resume the appropriate bundle - component for you. - - 3. If you use git branches for any repos instead of tags (for example, for + 2. If you use git branches for any repos instead of tags (for example, for a development or nightly build), fresh commits will need to be merged manually (or better git-fu is needed in ./fetch-inputs.sh, as it is currently meant to deal with tags only). - 4. Running more than one instance of Gitian at a time is not supported. + 3. Running more than one instance of Gitian at a time is not supported. - 5. Related: If you perform a fresh Gitian checkout for purposes of + 4. Related: If you perform a fresh Gitian checkout for purposes of verification, be sure to kill any stray qemu VM processes before starting the new build (because the new Gitian checkout will not have the PID or SSH keys of the previous instances' VM, and VM startup will either hang

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13379: Adding our MAR signing keys.
by gk＠torproject.org 18 Dec '14

18 Dec '14

commit e1fdf99b8cf2d98e13ef5fa112935f96614d6af5 Author: Georg Koppen <gk(a)torproject.org> Date: Thu Dec 18 13:25:44 2014 +0000 Bug 13379: Adding our MAR signing keys. --- toolkit/mozapps/update/updater/release_primary.der | Bin 709 -> 1229 bytes toolkit/mozapps/update/updater/release_secondary.der | Bin 713 -> 1233 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/toolkit/mozapps/update/updater/release_primary.der b/toolkit/mozapps/update/updater/release_primary.der index 11417c3..542fb24 100644 Binary files a/toolkit/mozapps/update/updater/release_primary.der and b/toolkit/mozapps/update/updater/release_primary.der differ diff --git a/toolkit/mozapps/update/updater/release_secondary.der b/toolkit/mozapps/update/updater/release_secondary.der index 16a7ef6..334fad8 100644 Binary files a/toolkit/mozapps/update/updater/release_secondary.der and b/toolkit/mozapps/update/updater/release_secondary.der differ

1 0

[tor-browser-bundle/master] Bug 13379: Sign our MAR files.
by brade＠torproject.org 17 Dec '14

17 Dec '14

commit d852329ac0979d8005e9e8bdd9b3f8a049fc2db4 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Wed Dec 17 16:57:28 2014 -0500 Bug 13379: Sign our MAR files. In the Linux mar-tools package, include certutil, signmar, and the required NSS and NSPR libraries. Change update_responses to select the action to be done based on the program name, thereby separating the incremental MAR file generation (done via a new 'gen_incrementals' symlink) from the htdocs generation. Also added an 'update_responses' make target. Thanks to boklm for help with this. Add a series of 'signmar' make targets which run a new signmars.sh script, which does the following: 1. Prompts for an NSS password (the script assumes that an nssdb directory exists that contains the signing key/cert). 2. Moves original (unsigned) MAR files to a TORBROWSER_VERSION-unsigned/ directory. 3. Signs each of the MAR files, placing the signed files in the TORBROWSER_VERSION/ directory. You may set NSS_DB_DIR and/or NSS_CERTNAME before running signmars.sh; the defaults are ./nssdb and marsigner --- gitian/Makefile | 15 +++ gitian/descriptors/linux/gitian-firefox.yml | 11 +++ gitian/signmars.sh | 135 +++++++++++++++++++++++++++ tools/update-responses/gen_incrementals | 1 + tools/update-responses/update_responses | 34 +++++-- 5 files changed, 189 insertions(+), 7 deletions(-) diff --git a/gitian/Makefile b/gitian/Makefile index 2c17656..9613db6 100644 --- a/gitian/Makefile +++ b/gitian/Makefile @@ -33,6 +33,21 @@ build-beta: ./hash-bundles.sh versions.beta incrementals: + ../tools/update-responses/gen_incrementals + +signmars: + ./signmars.sh versions + +signmars-alpha: + ./signmars.sh versions.alpha + +signmars-beta: + ./signmars.sh versions.beta + +signmars-nightly: + ./signmars.sh versions.nightly + +update_responses: ../tools/update-responses/update_responses hash: diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml index 5f96b6e..a1abf2e 100644 --- a/gitian/descriptors/linux/gitian-firefox.yml +++ b/gitian/descriptors/linux/gitian-firefox.yml @@ -136,12 +136,23 @@ script: | rm -f $INSTDIR/Browser/*.chk # # Make MAR-based update tools available for use during the bundle phase. + # Note that mar and mbsdiff are standalone tools, compiled for the build + # host's architecture. We also include signmar, certutil, and the libraries + # they require; these utilities and libraries are built for the target + # architecture. MARTOOLS=~/build/mar-tools mkdir -p $MARTOOLS cp -p config/createprecomplete.py $MARTOOLS/ cp -p tools/update-packaging/*.sh $MARTOOLS/ cp -p obj-*/dist/host/bin/mar $MARTOOLS/ cp -p obj-*/dist/host/bin/mbsdiff $MARTOOLS/ + cp -p obj-*/modules/libmar/tool/signmar $MARTOOLS/ + cp -p obj-*/security/nss/cmd/certutil/certutil $MARTOOLS/ + NSS_LIBS="libfreebl3.so libmozsqlite3.so libnss3.so libnssdbm3.so libnssutil3.so libsmime3.so libsoftokn3.so libssl3.so" + NSPR_LIBS="libnspr4.so libplc4.so libplds4.so" + for LIB in $NSS_LIBS $NSPR_LIBS; do + cp -p obj-*/dist/bin/$LIB $MARTOOLS/ + done cd ~/build zip -r mar-tools-linux${GBUILD_BITS}.zip mar-tools cp -p mar-tools-linux${GBUILD_BITS}.zip $OUTDIR/ diff --git a/gitian/signmars.sh b/gitian/signmars.sh new file mode 100755 index 0000000..fdb531e --- /dev/null +++ b/gitian/signmars.sh @@ -0,0 +1,135 @@ +#!/bin/bash +# +# +# You may set NSS_DB_DIR and/or NSS_CERTNAME before invoking this script. + +set -e +set -u + +WRAPPER_DIR=$(dirname "$0") +WRAPPER_DIR=$(readlink -e "$WRAPPER_DIR") + +if [ -z "${NSS_DB_DIR+x}" ]; then + NSS_DB_DIR=$WRAPPER_DIR/nssdb +fi + +if [ -z "${NSS_CERTNAME+x}" ]; then + NSS_CERTNAME=marsigner +fi + +# Incorporate definitions from the versions file. +if [ -z "$1" ]; then + VERSIONS_FILE=$WRAPPER_DIR/versions +else + VERSIONS_FILE=$1 +fi + +if ! [ -e $VERSIONS_FILE ]; then + echo >&2 "Error: $VERSIONS_FILE file does not exist" + exit 1 +fi + +. $VERSIONS_FILE + +export LC_ALL=C + +# Check some prerequisites. +if [ ! -r "$NSS_DB_DIR/cert8.db" ]; then + >&2 echo "Please create and populate the $NSS_DB_DIR directory" + exit 2 +fi + +OSNAME="" +ARCH="$(uname -s)-$(uname -m)" +case $ARCH in + Linux-x86_64) + OSNAME="linux64" + ;; + Linux-i*86) + OSNAME="linux32" + ;; + *) + >&2 echo "Unsupported architecture $ARCH" + exit 2 +esac + +# Extract the MAR tools so we can use the signmar program. +MARTOOLS_TMP_DIR=$(mktemp -d) +trap "rm -rf $MARTOOLS_TMP_DIR" EXIT +MARTOOLS_ZIP="$WRAPPER_DIR/../../gitian-builder/inputs/mar-tools-${OSNAME}.zip" +cd $MARTOOLS_TMP_DIR +unzip -q "$MARTOOLS_ZIP" +cd $WRAPPER_DIR +export PATH="$MARTOOLS_TMP_DIR/mar-tools:$PATH" +if [ -z "${LD_LIBRARY_PATH+x}" ]; then + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools" +else + export LD_LIBRARY_PATH="$MARTOOLS_TMP_DIR/mar-tools:$LD_LIBRARY_PATH" +fi + +# Prompt for the NSS password. +# TODO: Test that the entered NSS password is correct. But how? Unfortunately, +# both certutil and signmar keep trying to read a new password when they are +# given an incorrect one. +read -s -p "NSS password:" NSSPASS +echo "" + +# Sign each MAR file. +# +# Our strategy is to first move all .mar files out of the TORBROWSER_VERSION +# directory into a TORBROWSER_VERSION-unsigned/ directory. Details: +# If a file has not been signed, we move it to the -unsigned/ directory. +# If a file has already been signed and a file with the same name exists in +# the -unsigned/ directory, we just delete the signed file. +# If a file has already been signed but no corresponding file exists in +# the -unsigned/ directory, we report an error and exit. +# +# Once the above is done, the -unsigned/ directory contains a set of .mar +# files that need to be signed, so we go ahead and sign them one-by-one. +SIGNED_DIR="$WRAPPER_DIR/$TORBROWSER_VERSION" +UNSIGNED_DIR="$WRAPPER_DIR/${TORBROWSER_VERSION}-unsigned" +mkdir -p "$UNSIGNED_DIR" +cd "$SIGNED_DIR" +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + + # First, we check for an existing signature. The signmar -T output will + # include a line like "Signature block found with N signatures". + SIGINFO_PREFIX="Signature block found with " + SIGINFO=$(signmar -T "$marfile" | grep "^${SIGINFO_PREFIX}") + SIGCOUNT=0 + if [ ! -z "$SIGINFO" ]; then + SIGCOUNT=$(echo $SIGINFO | sed -e "s/${SIGINFO_PREFIX}//" -e 's/$[0-9]*$.*$/\1/') + fi + if [ $SIGCOUNT -eq 0 ]; then + # No signature; move this .mar file to the -unsigned/ directory. + mv "$marfile" "$UNSIGNED_DIR/" + elif [ -e "$UNSIGNED_DIR/$marfile" ]; then + # We have an -unsigned/ copy; discard this file. + rm "$marfile" + else + >&2 echo "Error: $SIGNED_DIR/$marfile is already signed but $UNSIGNED_DIR/$marfile is missing" + # TODO: Try to remove the existing signature(s) from marfile? + exit 1 + fi +done + +# Use signmar to sign each .mar file that is now in the -unsigned directory. +TMPMAR="$SIGNED_DIR/tmp.mar" +trap "rm -f $TMPMAR" EXIT +cd "$UNSIGNED_DIR" +COUNT=0 +for marfile in *.mar; do + if [ ! -f "$marfile" ]; then + continue; + fi + echo "$NSSPASS" | signmar -d "$NSS_DB_DIR" -n "$NSS_CERTNAME" -s \ + "$marfile" "$TMPMAR" + mv "$TMPMAR" "$SIGNED_DIR/$marfile" + COUNT=$((COUNT + 1)) +done + +echo "The $COUNT MAR files located in $SIGNED_DIR/ have been signed." +echo "The unsigned (original) MAR files are in $UNSIGNED_DIR/" diff --git a/tools/update-responses/gen_incrementals b/tools/update-responses/gen_incrementals new file mode 120000 index 0000000..3766925 --- /dev/null +++ b/tools/update-responses/gen_incrementals @@ -0,0 +1 @@ +update_responses \ No newline at end of file diff --git a/tools/update-responses/update_responses b/tools/update-responses/update_responses index b28b575..5b85037 100755 --- a/tools/update-responses/update_responses +++ b/tools/update-responses/update_responses @@ -1,6 +1,7 @@ #!/usr/bin/perl -w use strict; +use English; use FindBin; use YAML qw(LoadFile); use File::Slurp; @@ -13,6 +14,7 @@ use File::Which; use POSIX qw(setlocale LC_ALL); use IO::CaptureOutput qw(capture_exec); use Parallel::ForkManager; +use File::Basename; # Set umask and locale to provide a consistent environment for MAR file # generation, etc. @@ -158,7 +160,7 @@ sub create_incremental_mar { $pm->finish; } -sub create_missing_incremental_mars { +sub create_missing_incremental_mars_for_version { my ($config, $version) = @_; my $pm = Parallel::ForkManager->new(get_nbprocs); $pm->run_on_finish(sub { $_[2]->(@_) }); @@ -178,6 +180,14 @@ sub create_missing_incremental_mars { $pm->wait_all_children; } +sub create_all_missing_incremental_mars { + my ($config) = @_; + foreach my $version (values %{$config->{channels}}) { + get_version_files($config, $version); + create_missing_incremental_mars_for_version($config, $version); + } +} + sub get_config { my ($config, $version, $os, $name) = @_; return $config->{versions}{$version}{$os}{$name} @@ -224,7 +234,6 @@ sub write_responses { my ($config) = @_; foreach my $version (values %{$config->{channels}}) { get_version_files($config, $version); - create_missing_incremental_mars($config, $version); my $files = $config->{versions}{$version}{files}; my $migrate_archs = $config->{versions}{$version}{migrate_archs} // {}; foreach my $old_os (keys %$migrate_archs) { @@ -309,8 +318,19 @@ sub extract_martools { $ENV{PATH} .= ":$martools_tmpdir/mar-tools"; } -extract_martools; -check_deps; -write_responses($config); -write_htaccess($config); -clean_htdocs; +my %actions = ( + update_responses => sub { + write_responses(@_); + write_htaccess(@_); + clean_htdocs; + }, + gen_incrementals => sub { + extract_martools; + check_deps; + create_all_missing_incremental_mars(@_); + }, +); + +my $action = fileparse($PROGRAM_NAME); +exit_error "Unknown action $action" unless $actions{$action}; +$actions{$action}->($config);

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 902761 - Build configuration for turning .der files into .h files. r=rstrong
by brade＠torproject.org 17 Dec '14

17 Dec '14

commit 7d87311b58709d8ab2a8ec052e0613b574b19a7b Author: Brian R. Bondy <netzen(a)gmail.com> Date: Wed Oct 15 23:00:23 2014 -0400 Bug 902761 - Build configuration for turning .der files into .h files. r=rstrong --- toolkit/mozapps/update/updater/Makefile.in | 16 +++++++++++++ toolkit/mozapps/update/updater/gen_cert_header.py | 25 +++++++++++++++++++++ toolkit/mozapps/update/updater/moz.build | 4 ---- 3 files changed, 41 insertions(+), 4 deletions(-) diff --git a/toolkit/mozapps/update/updater/Makefile.in b/toolkit/mozapps/update/updater/Makefile.in index d4c06b9..bd6716b 100644 --- a/toolkit/mozapps/update/updater/Makefile.in +++ b/toolkit/mozapps/update/updater/Makefile.in @@ -44,6 +44,22 @@ endif include $(topsrcdir)/config/rules.mk +ifneq (,$(filter beta release esr,$(MOZ_UPDATE_CHANNEL))) + PRIMARY_CERT = release_primary.der + SECONDARY_CERT = release_secondary.der +else ifneq (,$(filter nightly aurora nightly-elm nightly-profiling nightly-oak nightly-ux,$(MOZ_UPDATE_CHANNEL))) + PRIMARY_CERT = nightly_aurora_level3_primary.der + SECONDARY_CERT = nightly_aurora_level3_secondary.der +else + PRIMARY_CERT = dep1.der + SECONDARY_CERT = dep2.der +endif + +export:: + $(PYTHON) $(srcdir)/gen_cert_header.py primaryCertData $(srcdir)/$(PRIMARY_CERT) > primaryCert.h + $(PYTHON) $(srcdir)/gen_cert_header.py secondaryCertData $(srcdir)/$(SECONDARY_CERT) > secondaryCert.h + $(PYTHON) $(srcdir)/gen_cert_header.py xpcshellCertData $(srcdir)/xpcshellCertificate.der > xpcshellCert.h + ifdef MOZ_WIDGET_GTK libs:: updater.png $(NSINSTALL) -D $(DIST)/bin/icons diff --git a/toolkit/mozapps/update/updater/gen_cert_header.py b/toolkit/mozapps/update/updater/gen_cert_header.py new file mode 100644 index 0000000..182e98b --- /dev/null +++ b/toolkit/mozapps/update/updater/gen_cert_header.py @@ -0,0 +1,25 @@ +import sys +import binascii + +def file_byte_generator(filename, block_size = 512): + with open(filename, "rb") as f: + while True: + block = f.read(block_size) + if block: + for byte in block: + yield byte + else: + break + +def create_header(array_name, in_filename): + hexified = ["0x" + binascii.hexlify(byte) for byte in file_byte_generator(in_filename)] + print "const uint8_t " + array_name + "[] = {" + print ", ".join(hexified) + print "};" + return 0 + +if __name__ == '__main__': + if len(sys.argv) < 3: + print 'ERROR: usage: gen_cert_header.py array_name in_filename' + sys.exit(1); + sys.exit(create_header(sys.argv[1], sys.argv[2])) diff --git a/toolkit/mozapps/update/updater/moz.build b/toolkit/mozapps/update/updater/moz.build index ba1c088..833164a 100644 --- a/toolkit/mozapps/update/updater/moz.build +++ b/toolkit/mozapps/update/updater/moz.build @@ -78,7 +78,3 @@ if CONFIG['_MSC_VER']: elif CONFIG['OS_ARCH'] == 'WINNT': WIN32_EXE_LDFLAGS += ['-municode'] -if CONFIG['MOZ_UPDATE_CHANNEL'] in ('beta', 'release', 'esr'): - DEFINES['MAR_SIGNING_RELEASE_BETA'] = '1' -elif CONFIG['MOZ_UPDATE_CHANNEL'] in ('nightly', 'aurora', 'nightly-elm', 'nightly-profiling', 'nightly-oak', 'nightly-ux'): - DEFINES['MAR_SIGNING_AURORA_NIGHTLY'] = '1'

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 902761 - Stop storing certs used for MAR verification in EXE resource files. r=rstrong
by brade＠torproject.org 17 Dec '14

17 Dec '14

commit 9c7ea1fb1df0545990a85aabcef8180ea287305f Author: Brian R. Bondy <netzen(a)gmail.com> Date: Wed Oct 15 23:01:11 2014 -0400 Bug 902761 - Stop storing certs used for MAR verification in EXE resource files. r=rstrong --- toolkit/mozapps/update/updater/archivereader.cpp | 70 ++++++---------------- toolkit/mozapps/update/updater/updater.rc | 19 ------ 2 files changed, 18 insertions(+), 71 deletions(-) diff --git a/toolkit/mozapps/update/updater/archivereader.cpp b/toolkit/mozapps/update/updater/archivereader.cpp index 271905d..f0e6ea3 100644 --- a/toolkit/mozapps/update/updater/archivereader.cpp +++ b/toolkit/mozapps/update/updater/archivereader.cpp @@ -15,6 +15,14 @@ #include "updatehelper.h" #endif +#ifdef XP_WIN +// These are generated at compile time based on the DER file for the channel +// being used +#include "primaryCert.h" +#include "secondaryCert.h" +#include "xpcshellCert.h" +#endif + #define UPDATER_NO_STRING_GLUE_STL #include "nsVersionComparator.cpp" #undef UPDATER_NO_STRING_GLUE_STL @@ -34,61 +42,19 @@ static char *outbuf = nullptr; #include "resource.h" /** - * Obtains the data of the specified resource name and type. - * - * @param name The name ID of the resource - * @param type The type ID of the resource - * @param data Out parameter which sets the pointer to a buffer containing - * the needed data. - * @param size Out parameter which sets the size of the returned data buffer - * @return TRUE on success -*/ -BOOL -LoadFileInResource(int name, int type, const uint8_t *&data, uint32_t& size) -{ - HMODULE handle = GetModuleHandle(nullptr); - if (!handle) { - return FALSE; - } - - HRSRC resourceInfoBlockHandle = FindResource(handle, - MAKEINTRESOURCE(name), - MAKEINTRESOURCE(type)); - if (!resourceInfoBlockHandle) { - FreeLibrary(handle); - return FALSE; - } - - HGLOBAL resourceHandle = LoadResource(handle, resourceInfoBlockHandle); - if (!resourceHandle) { - FreeLibrary(handle); - return FALSE; - } - - size = SizeofResource(handle, resourceInfoBlockHandle); - data = static_cast<const uint8_t*>(::LockResource(resourceHandle)); - FreeLibrary(handle); - return TRUE; -} - -/** * Performs a verification on the opened MAR file with the passed in * certificate name ID and type ID. * - * @param archive The MAR file to verify the signature on - * @param name The name ID of the resource - * @param type THe type ID of the resource - * @return OK on success, CERT_LOAD_ERROR or CERT_VERIFY_ERROR on failure. + * @param archive The MAR file to verify the signature on. + * @param certData The certificate data. + * @return OK on success, CERT_VERIFY_ERROR on failure. */ +template<uint32_t SIZE> int -VerifyLoadedCert(MarFile *archive, int name, int type) +VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE]) { - uint32_t size = 0; - const uint8_t *data = nullptr; - if (!LoadFileInResource(name, type, data, size) || !data || !size) { - return CERT_LOAD_ERROR; - } - + const uint32_t size = SIZE; + const uint8_t * const data = &certData[0]; if (mar_verify_signaturesW(archive, &data, &size, 1)) { return CERT_VERIFY_ERROR; } @@ -118,11 +84,11 @@ ArchiveReader::VerifySignature() // use the XPCShell specific cert for the signed MAR. int rv; if (DoesFallbackKeyExist()) { - rv = VerifyLoadedCert(mArchive, IDR_XPCSHELL_CERT, TYPE_CERT); + rv = VerifyLoadedCert(mArchive, xpcshellCertData); } else { - rv = VerifyLoadedCert(mArchive, IDR_PRIMARY_CERT, TYPE_CERT); + rv = VerifyLoadedCert(mArchive, primaryCertData); if (rv != OK) { - rv = VerifyLoadedCert(mArchive, IDR_BACKUP_CERT, TYPE_CERT); + rv = VerifyLoadedCert(mArchive, secondaryCertData); } } return rv; diff --git a/toolkit/mozapps/update/updater/updater.rc b/toolkit/mozapps/update/updater/updater.rc index acea427..5dc4c85 100644 --- a/toolkit/mozapps/update/updater/updater.rc +++ b/toolkit/mozapps/update/updater/updater.rc @@ -42,25 +42,6 @@ IDI_DIALOG ICON "updater.ico" ///////////////////////////////////////////////////////////////////////////// // -// Embedded certificates for allowed MARs -// - -#if defined(MAR_SIGNING_RELEASE_BETA) -IDR_PRIMARY_CERT TYPE_CERT "release_primary.der" -IDR_BACKUP_CERT TYPE_CERT "release_secondary.der" -#elif defined(MAR_SIGNING_AURORA_NIGHTLY) -IDR_PRIMARY_CERT TYPE_CERT "nightly_aurora_level3_primary.der" -IDR_BACKUP_CERT TYPE_CERT "nightly_aurora_level3_secondary.der" -#else -IDR_PRIMARY_CERT TYPE_CERT "dep1.der" -IDR_BACKUP_CERT TYPE_CERT "dep2.der" -#endif - -IDR_XPCSHELL_CERT TYPE_CERT "xpcshellCertificate.der" - - -///////////////////////////////////////////////////////////////////////////// -// // Embedded an identifier to uniquely identiy this as a Mozilla updater. //

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13379: Sign our MAR files.
by brade＠torproject.org 17 Dec '14

17 Dec '14

commit 7612aeba131f3eca1c80a369aab97da6fc249565 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Wed Dec 17 16:37:11 2014 -0500 Bug 13379: Sign our MAR files. Configure with --enable-signmar (build the signmar tool). Configure with --enable-verify-mar (when updating, require a valid signature on the MAR file before it is applied). Use the Tor Browser version instead of the Firefox version inside the MAR file info block (necessary to prevent downgrade attacks). Use NSS on all platforms for checking MAR signatures (Mozilla plans to use OS-native APIs on Mac OS and they already do so on Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on all platforms. Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with a signature algorithm ID of 512 to help avoid collisions with future work Mozilla might do in this area. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 --- .mozconfig | 4 +-- .mozconfig-mac | 4 +-- .mozconfig-mingw | 4 +-- modules/libmar/sign/mar_sign.c | 15 ++++++++-- modules/libmar/sign/moz.build | 1 + modules/libmar/src/mar_private.h | 8 +++++ modules/libmar/tool/Makefile.in | 1 - modules/libmar/tool/mar.c | 26 +++++++++++----- modules/libmar/tool/moz.build | 7 +++++ modules/libmar/verify/cryptox.c | 8 +++-- modules/libmar/verify/cryptox.h | 9 ++++++ modules/libmar/verify/mar_verify.c | 21 +++++++++++-- modules/libmar/verify/moz.build | 14 +++------ security/build/Makefile.in | 2 +- toolkit/mozapps/update/updater/Makefile.in | 14 ++++++++- toolkit/mozapps/update/updater/moz.build | 1 + toolkit/mozapps/update/updater/updater.cpp | 21 ++++++++----- toolkit/xre/nsUpdateDriver.cpp | 44 +++++++++++++++++----------- 18 files changed, 147 insertions(+), 57 deletions(-) diff --git a/.mozconfig b/.mozconfig index f0c5510..f2874e8 100755 --- a/.mozconfig +++ b/.mozconfig @@ -11,8 +11,8 @@ ac_add_options --enable-optimize ac_add_options --enable-official-branding ac_add_options --enable-tor-browser-update ac_add_options --enable-update-packaging -# We do not use signed MAR files yet (Mozilla uses them on Windows only). -ac_add_options --disable-verify-mar +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar ac_add_options --disable-strip ac_add_options --disable-install-strip ac_add_options --disable-tests diff --git a/.mozconfig-mac b/.mozconfig-mac index 2c06c34..06dc226 100644 --- a/.mozconfig-mac +++ b/.mozconfig-mac @@ -38,8 +38,8 @@ ac_add_options --disable-debug ac_add_options --enable-tor-browser-update ac_add_options --enable-update-packaging -# We do not use signed MAR files yet (Mozilla uses them on Windows only). -ac_add_options --disable-verify-mar +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar # ICU seems still to have cross-compiling issues: ac_add_options --without-intl-api diff --git a/.mozconfig-mingw b/.mozconfig-mingw index 691178b..15954d7 100644 --- a/.mozconfig-mingw +++ b/.mozconfig-mingw @@ -16,8 +16,8 @@ ac_add_options --enable-strip ac_add_options --enable-official-branding ac_add_options --enable-tor-browser-update ac_add_options --enable-update-packaging -# We do not use signed MAR files yet (Mozilla uses them on Windows only). -ac_add_options --disable-verify-mar +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar # ICU seems still to have cross-compiling issues: # https://bugzilla.mozilla.org/show_bug.cgi?id=1019744#c19 diff --git a/modules/libmar/sign/mar_sign.c b/modules/libmar/sign/mar_sign.c index 6f21a31..e867d28 100644 --- a/modules/libmar/sign/mar_sign.c +++ b/modules/libmar/sign/mar_sign.c @@ -95,7 +95,12 @@ NSSSignBegin(const char *certName, return -1; } - *ctx = SGN_NewContext (SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, *privKey); +#ifdef MAR_USE_SHA512_RSA_SIG + SECOidTag sigAlg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; +#else + SECOidTag sigAlg = SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE; +#endif + *ctx = SGN_NewContext (sigAlg, *privKey); if (!*ctx) { fprintf(stderr, "ERROR: Could not create signature context\n"); return -1; @@ -991,8 +996,12 @@ mar_repackage_and_sign(const char *NSSConfigDir, signaturePlaceholderOffset = ftello(fpDest); for (k = 0; k < certCount; k++) { - /* Write out the signature algorithm ID, Only an ID of 1 is supported */ - signatureAlgorithmID = htonl(1); + /* Write out the signature algorithm ID. */ +#ifdef MAR_USE_SHA512_RSA_SIG + signatureAlgorithmID = htonl(SIGNATURE_ALGORITHM_ID_SHA512_RSA); +#else + signatureAlgorithmID = htonl(SIGNATURE_ALGORITHM_ID_SHA1_RSA); +#endif if (WriteAndUpdateSignatures(fpDest, &signatureAlgorithmID, sizeof(signatureAlgorithmID), ctxs, certCount, "num signatures")) { diff --git a/modules/libmar/sign/moz.build b/modules/libmar/sign/moz.build index a6d0308..2be6da2 100644 --- a/modules/libmar/sign/moz.build +++ b/modules/libmar/sign/moz.build @@ -19,6 +19,7 @@ LOCAL_INCLUDES += [ ] DEFINES['MAR_NSS'] = True +DEFINES['MAR_USE_SHA512_RSA_SIG'] = True if CONFIG['OS_ARCH'] == 'WINNT': USE_STATIC_LIBS = True diff --git a/modules/libmar/src/mar_private.h b/modules/libmar/src/mar_private.h index e0c2632..add03f5 100644 --- a/modules/libmar/src/mar_private.h +++ b/modules/libmar/src/mar_private.h @@ -21,6 +21,14 @@ which is 16 bytes */ #define SIGNATURE_BLOCK_OFFSET 16 +/* Signature algorithm IDs. */ +#define SIGNATURE_ALGORITHM_ID_SHA1_RSA 1 +#ifdef MAR_USE_SHA512_RSA_SIG +/* Use 512 as the algorithm ID so it is less likely that we will conflict with + whatever Mozilla chooses when they add support for a stronger signature. */ +#define SIGNATURE_ALGORITHM_ID_SHA512_RSA 512 +#endif + /* Make sure the file is less than 500MB. We do this to protect against invalid MAR files. */ #define MAX_SIZE_OF_MAR_FILE ((int64_t)524288000) diff --git a/modules/libmar/tool/Makefile.in b/modules/libmar/tool/Makefile.in index fb456726..06ec0ea 100644 --- a/modules/libmar/tool/Makefile.in +++ b/modules/libmar/tool/Makefile.in @@ -44,6 +44,5 @@ include $(topsrcdir)/config/rules.mk ifdef CROSS_COMPILE ifdef HOST_NSPR_MDCPUCFG HOST_CFLAGS += -DMDCPUCFG=$(HOST_NSPR_MDCPUCFG) -CFLAGS += -DMDCPUCFG=$(HOST_NSPR_MDCPUCFG) endif endif diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c index 821813c..82701a9 100644 --- a/modules/libmar/tool/mar.c +++ b/modules/libmar/tool/mar.c @@ -31,7 +31,11 @@ int mar_repackage_and_sign(const char *NSSConfigDir, const char * dest); static void print_version() { +#ifdef TOR_BROWSER_UPDATE + printf("Version: %s\n", TOR_BROWSER_VERSION); +#else printf("Version: %s\n", MOZ_APP_VERSION); +#endif printf("Default Channel ID: %s\n", MAR_CHANNEL_ID); } @@ -61,7 +65,7 @@ static void print_usage() { "signed_input_archive.mar base_64_encoded_signature_file " "changed_signed_output.mar\n"); printf("(i) is the index of the certificate to extract\n"); -#if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS)) +#if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS) printf("Verify a MAR file:\n"); printf(" mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n"); printf("At most %d signature certificate DER files are specified by " @@ -116,7 +120,11 @@ int main(int argc, char **argv) { char *NSSConfigDir = NULL; const char *certNames[MAX_SIGNATURES]; char *MARChannelID = MAR_CHANNEL_ID; +#ifdef TOR_BROWSER_UPDATE + char *productVersion = TOR_BROWSER_VERSION; +#else char *productVersion = MOZ_APP_VERSION; +#endif uint32_t i, k; int rv = -1; uint32_t certCount = 0; @@ -135,8 +143,8 @@ int main(int argc, char **argv) { #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) memset(certBuffers, 0, sizeof(certBuffers)); #endif -#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ - defined(XP_MACOSX)) +#if !defined(NO_SIGN_VERIFY) && (!defined(MAR_NSS) && (defined(XP_WIN) || \ + defined(XP_MACOSX))) memset(DERFilePaths, 0, sizeof(DERFilePaths)); memset(fileSizes, 0, sizeof(fileSizes)); #endif @@ -165,8 +173,8 @@ int main(int argc, char **argv) { argv += 2; argc -= 2; } -#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ - defined(XP_MACOSX)) +#if !defined(NO_SIGN_VERIFY) && (!defined(MAR_NSS) && (defined(XP_WIN) || \ + defined(XP_MACOSX))) /* -D DERFilePath, also matches -D[index] DERFilePath We allow an index for verifying to be symmetric with the import and export command line arguments. */ @@ -341,6 +349,10 @@ int main(int argc, char **argv) { #if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS) rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE, &certBuffers[k], &fileSizes[k]); + if (rv) { + fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]); + break; + } #else /* It is somewhat circuitous to look up a CERTCertificate and then pass * in its DER encoding just so we can later re-create that @@ -357,11 +369,11 @@ int main(int argc, char **argv) { } else { rv = -1; } -#endif if (rv) { - fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]); + fprintf(stderr, "ERROR: no certificate named %s", certNames[k]); break; } +#endif } if (!rv) { diff --git a/modules/libmar/tool/moz.build b/modules/libmar/tool/moz.build index 9e739e0..6b14e00 100644 --- a/modules/libmar/tool/moz.build +++ b/modules/libmar/tool/moz.build @@ -17,8 +17,15 @@ HOST_PROGRAM = 'mar' for var in ('MAR_CHANNEL_ID', 'MOZ_APP_VERSION'): DEFINES[var] = '"%s"' % CONFIG[var] +if CONFIG['TOR_BROWSER_UPDATE']: + DEFINES['TOR_BROWSER_UPDATE'] = '%s' % CONFIG['TOR_BROWSER_UPDATE'] +if CONFIG['TOR_BROWSER_VERSION']: + DEFINES['TOR_BROWSER_VERSION'] = '"%s"' % CONFIG['TOR_BROWSER_VERSION'] + if not CONFIG['MOZ_ENABLE_SIGNMAR']: DEFINES['NO_SIGN_VERIFY'] = True +else: + DEFINES['MAR_NSS'] = True if CONFIG['OS_ARCH'] == 'WINNT': USE_STATIC_LIBS = True diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c index af34210..f39669b 100644 --- a/modules/libmar/verify/cryptox.c +++ b/modules/libmar/verify/cryptox.c @@ -64,8 +64,12 @@ NSS_VerifyBegin(VFYContext **ctx, return CryptoX_Error; } - *ctx = VFY_CreateContext(*publicKey, NULL, - SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, NULL); +#ifdef MAR_USE_SHA512_RSA_SIG + SECOidTag sigAlg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; +#else + SECOidTag sigAlg = SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE; +#endif + *ctx = VFY_CreateContext(*publicKey, NULL, sigAlg, NULL); if (*ctx == NULL) { return CryptoX_Error; } diff --git a/modules/libmar/verify/cryptox.h b/modules/libmar/verify/cryptox.h index ec8f5ac..8f579b6 100644 --- a/modules/libmar/verify/cryptox.h +++ b/modules/libmar/verify/cryptox.h @@ -59,6 +59,10 @@ CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx , #elif XP_MACOSX +#ifdef MAR_USE_SHA512_RSA_SIG +#error MAR_USE_SHA512_RSA_SIG is not implemented. +#endif + #define CryptoX_InvalidHandleValue NULL #define CryptoX_ProviderHandle void* #define CryptoX_SignatureHandle void* @@ -105,6 +109,11 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey); #elif defined(XP_WIN) +#ifdef MAR_USE_SHA512_RSA_SIG +#error MAR_USE_SHA512_RSA_SIG is not implemented. +#endif + + #include <windows.h> #include <wincrypt.h> diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c index 165a802..78b3247 100644 --- a/modules/libmar/verify/mar_verify.c +++ b/modules/libmar/verify/mar_verify.c @@ -276,8 +276,25 @@ mar_extract_and_verify_signatures_fp(FILE *fp, } /* We don't try to verify signatures we don't know about */ - if (signatureAlgorithmIDs[i] != 1) { - fprintf(stderr, "ERROR: Unknown signature algorithm ID.\n"); +#ifdef MAR_USE_SHA512_RSA_SIG + const uint32_t kSupportedAlgID = SIGNATURE_ALGORITHM_ID_SHA512_RSA; +#else + const uint32_t kSupportedAlgID = SIGNATURE_ALGORITHM_ID_SHA1_RSA; +#endif + + if (signatureAlgorithmIDs[i] != kSupportedAlgID) { +#ifdef MAR_USE_SHA512_RSA_SIG + if (signatureAlgorithmIDs[i] == SIGNATURE_ALGORITHM_ID_SHA1_RSA) { + fprintf(stderr, + "ERROR: Unsupported signature algorithm (SHA1 with RSA).\n"); + } else { + fprintf(stderr, "ERROR: Unknown signature algorithm ID %u.\n", + signatureAlgorithmIDs[i]); + } +#else + fprintf(stderr, "ERROR: Unknown signature algorithm ID %u.\n", + signatureAlgorithmIDs[i]); +#endif for (i = 0; i < signatureCount; ++i) { free(extractedSignatures[i]); } diff --git a/modules/libmar/verify/moz.build b/modules/libmar/verify/moz.build index 6667bc1..ec5a3a2 100644 --- a/modules/libmar/verify/moz.build +++ b/modules/libmar/verify/moz.build @@ -15,16 +15,10 @@ FORCE_STATIC_LIB = True if CONFIG['OS_ARCH'] == 'WINNT': USE_STATIC_LIBS = True -elif CONFIG['OS_ARCH'] == 'Darwin': - UNIFIED_SOURCES += [ - 'MacVerifyCrypto.cpp', - ] - LDFLAGS += [ - '-framework Security', - ] -else: - DEFINES['MAR_NSS'] = True - LOCAL_INCLUDES += ['../sign'] + +DEFINES['MAR_NSS'] = True +DEFINES['MAR_USE_SHA512_RSA_SIG'] = True +LOCAL_INCLUDES += ['../sign'] LOCAL_INCLUDES += [ '../src', diff --git a/security/build/Makefile.in b/security/build/Makefile.in index 0453492..816acd9 100644 --- a/security/build/Makefile.in +++ b/security/build/Makefile.in @@ -289,11 +289,11 @@ endif NSS_DIRS += \ nss/cmd/lib \ nss/cmd/shlibsign \ + nss/cmd/certutil \ $(NULL) ifdef ENABLE_TESTS NSS_DIRS += \ - nss/cmd/certutil \ nss/cmd/pk12util \ nss/cmd/modutil \ $(NULL) diff --git a/toolkit/mozapps/update/updater/Makefile.in b/toolkit/mozapps/update/updater/Makefile.in index 52cdbeb..bdb9f27 100644 --- a/toolkit/mozapps/update/updater/Makefile.in +++ b/toolkit/mozapps/update/updater/Makefile.in @@ -3,6 +3,9 @@ # License, v. 2.0. If a copy of the MPL was not distributed with this # file, You can obtain one at http://mozilla.org/MPL/2.0/. +# Use NSS for MAR signature verification on all platforms: +MAR_NSS=1 + # Don't link the updater against libmozglue. See bug 687139 MOZ_GLUE_LDFLAGS = MOZ_GLUE_PROGRAM_LDFLAGS = @@ -22,7 +25,14 @@ LIBS += $(call EXPAND_LIBNAME_PATH,signmar,$(DEPTH)/modules/libmar/sign) LIBS += $(call EXPAND_LIBNAME_PATH,verifymar,$(DEPTH)/modules/libmar/verify) ifeq ($(OS_ARCH),WINNT) OS_LIBS += $(call EXPAND_LIBNAME,comctl32 ws2_32 shell32 shlwapi) +ifdef MAR_NSS +LINK_UPDATER_WITH_NSS=1 +endif else +LINK_UPDATER_WITH_NSS=1 +endif + +ifdef LINK_UPDATER_WITH_NSS LIBS += $(DIST)/lib/$(LIB_PREFIX)nss3.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \ $(NSPR_LIBS) @@ -49,7 +59,7 @@ endif include $(topsrcdir)/config/rules.mk -ifneq (,$(filter beta release esr,$(MOZ_UPDATE_CHANNEL))) +ifneq (,$(filter alpha beta release esr,$(MOZ_UPDATE_CHANNEL))) PRIMARY_CERT = release_primary.der SECONDARY_CERT = release_secondary.der else ifneq (,$(filter nightly aurora nightly-elm nightly-profiling nightly-oak nightly-ux,$(MOZ_UPDATE_CHANNEL))) @@ -81,9 +91,11 @@ libs:: rm -f $(DIST)/bin/updater endif +ifndef LINK_UPDATER_WITH_NSS ifeq ($(OS_ARCH),WINNT) EXTRA_LIBS += $(call EXPAND_LIBNAME,crypt32) EXTRA_LIBS += $(call EXPAND_LIBNAME,advapi32) endif +endif CXXFLAGS += $(MOZ_BZ2_CFLAGS) diff --git a/toolkit/mozapps/update/updater/moz.build b/toolkit/mozapps/update/updater/moz.build index 833164a..950a6f8 100644 --- a/toolkit/mozapps/update/updater/moz.build +++ b/toolkit/mozapps/update/updater/moz.build @@ -57,6 +57,7 @@ if have_progressui == 0: 'progressui_null.cpp', ] +DEFINES['MAR_NSS'] = True DEFINES['NS_NO_XPCOM'] = True DISABLE_STL_WRAPPING = True for var in ('MAR_CHANNEL_ID', 'MOZ_APP_VERSION'): diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp index 3a3968e..80de531 100644 --- a/toolkit/mozapps/update/updater/updater.cpp +++ b/toolkit/mozapps/update/updater/updater.cpp @@ -108,10 +108,12 @@ static bool sUseHardLinks = true; # define MAYBE_USE_HARD_LINKS 0 #endif -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) +#if defined(MOZ_VERIFY_MAR_SIGNATURE) +#if defined(MAR_NSS) || !defined(XP_WIN) #include "nss.h" #include "prerror.h" #endif +#endif #ifdef XP_WIN #include "updatehelper.h" @@ -2422,8 +2424,13 @@ UpdateThreadFunc(void *param) MARStrings.MARChannelID[0] = '\0'; } +#ifdef TOR_BROWSER_UPDATE + const char *appVersion = TOR_BROWSER_VERSION; +#else + const char *appVersion = MOZ_APP_VERSION; +#endif rv = gArchiveReader.VerifyProductInformation(MARStrings.MARChannelID, - MOZ_APP_VERSION); + appVersion); } } #endif @@ -2526,11 +2533,10 @@ int NS_main(int argc, NS_tchar **argv) } #endif -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) - // On Windows we rely on CyrptoAPI to do verifications so we don't need to - // initialize NSS at all there. - // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS - // databases. +#if defined(MOZ_VERIFY_MAR_SIGNATURE) +#if defined(MAR_NSS) || !defined(XP_WIN) + // If using NSS for signature verification, initialize NSS but minimize + // the portion we depend on by avoiding all of the NSS databases. if (NSS_NoDB_Init(NULL) != SECSuccess) { PRErrorCode error = PR_GetError(); fprintf(stderr, "Could not initialize NSS: %s (%d)", @@ -2538,6 +2544,7 @@ int NS_main(int argc, NS_tchar **argv) _exit(1); } #endif +#endif InitProgressUI(&argc, &argv); diff --git a/toolkit/xre/nsUpdateDriver.cpp b/toolkit/xre/nsUpdateDriver.cpp index 1188736..aeb2b6b 100644 --- a/toolkit/xre/nsUpdateDriver.cpp +++ b/toolkit/xre/nsUpdateDriver.cpp @@ -17,6 +17,7 @@ #include "prproces.h" #include "prlog.h" #include "prenv.h" +#include "prprf.h" #include "nsVersionComparator.h" #include "nsXREDirProvider.h" #include "SpecialSystemDirectory.h" @@ -39,7 +40,6 @@ # include <windows.h> # include <shlwapi.h> # include "nsWindowsHelpers.h" -# include "prprf.h" # define getcwd(path, size) _getcwd(path, size) # define getpid() GetCurrentProcessId() #elif defined(XP_UNIX) @@ -134,25 +134,39 @@ GetCurrentWorkingDir(char *buf, size_t size) } +// In Tor Browser, updater(.exe) depends on some shared libraries that are +// located in the app directory. To allow the updater to run when it has been +// copied into the update directory, we prepend the app directory to the +// appropriate environment variable so it will be searched by the dynamic +// linker. + #if defined(XP_WIN) #define PATH_SEPARATOR ";" +#define LD_LIBRARY_PATH_ENVVAR_NAME "PATH" +#else +#define PATH_SEPARATOR ":" +#if defined(XP_MACOSX) +#define LD_LIBRARY_PATH_ENVVAR_NAME "DYLD_LIBRARY_PATH" +#else +#define LD_LIBRARY_PATH_ENVVAR_NAME "LD_LIBRARY_PATH" +#endif +#endif -// In Tor Browser, updater.exe depends on some DLLs that are located in the -// app directory. To allow the updater to run when it has been copied into -// the update directory, we append the app directory to the PATH. static nsresult -AdjustPathForUpdater(nsIFile *appDir) +AdjustLibSearchPathForUpdater(nsIFile *appDir) { nsAutoCString appPath; nsresult rv = appDir->GetNativePath(appPath); NS_ENSURE_SUCCESS(rv, rv); char *s = nullptr; - char *pathValue = PR_GetEnv("PATH"); + char *pathValue = PR_GetEnv(LD_LIBRARY_PATH_ENVVAR_NAME); if ((nullptr == pathValue) || ('\0' == *pathValue)) { - s = PR_smprintf("PATH=%s", appPath.get()); + s = PR_smprintf("%s=%s", + LD_LIBRARY_PATH_ENVVAR_NAME, appPath.get()); } else { - s = PR_smprintf("PATH=%s" PATH_SEPARATOR "%s", pathValue, appPath.get()); + s = PR_smprintf("%s=%s" PATH_SEPARATOR "%s", + LD_LIBRARY_PATH_ENVVAR_NAME, appPath.get(), pathValue); } // We intentionally leak the value that is passed into PR_SetEnv() because @@ -162,7 +176,7 @@ AdjustPathForUpdater(nsIFile *appDir) return NS_OK; } -#endif + #ifdef DEBUG static void @@ -623,12 +637,10 @@ SwitchToUpdatedApp(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile, PR_SetEnv("MOZ_SAFE_MODE_RESTART=1"); } -#if defined(XP_WIN) - nsresult rv2 = AdjustPathForUpdater(appDir); + nsresult rv2 = AdjustLibSearchPathForUpdater(appDir); if (NS_FAILED(rv2)) { - LOG(("SwitchToUpdatedApp -- AdjustPathForUpdater failed (0x%x)\n", rv2)); + LOG(("SwitchToUpdatedApp -- AdjustLibSearchPathForUpdater failed (0x%x)\n", rv2)); } -#endif LOG(("spawning updater process for replacing [%s]\n", updaterPath.get())); @@ -920,12 +932,10 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile, PR_SetEnv("MOZ_OS_UPDATE=1"); } -#if defined(XP_WIN) - nsresult rv2 = AdjustPathForUpdater(appDir); + nsresult rv2 = AdjustLibSearchPathForUpdater(appDir); if (NS_FAILED(rv2)) { - LOG(("ApplyUpdate -- AdjustPathForUpdater failed (0x%x)\n", rv2)); + LOG(("ApplyUpdate -- AdjustLibSearchPathForUpdater failed (0x%x)\n", rv2)); } -#endif #if defined(MOZ_WIDGET_GONK) // We want the updater to be CPU friendly and not subject to being killed by

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13379: Sign our MAR files (backport Mozilla patches).
by brade＠torproject.org 17 Dec '14

17 Dec '14

commit 40b509e6d7408a73c5a81a3d971dfc6daf5f7510 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Fri Nov 14 11:24:14 2014 -0500 Bug 13379: Sign our MAR files (backport Mozilla patches). Backport reviewed patches from these two Mozilla bugs: 903135 - Link updater to NSS and enable MAR verification on Linux and OSX 903126 - Implement a platform independent way to determine which cert to use for verifying mars Configure browser build with --enable-signmar and --enable-verify-mar. --- browser/confvars.sh | 5 + configure.in | 6 +- modules/libmar/moz.build | 6 +- modules/libmar/src/mar.h | 30 ++++- modules/libmar/src/mar_cmdline.h | 32 ----- modules/libmar/tool/mar.c | 109 +++++++++-------- modules/libmar/verify/cryptox.c | 32 ++--- modules/libmar/verify/cryptox.h | 29 ++--- modules/libmar/verify/mar_verify.c | 143 +++++++--------------- toolkit/mozapps/update/updater/Makefile.in | 12 +- toolkit/mozapps/update/updater/archivereader.cpp | 29 +---- toolkit/mozapps/update/updater/updater.cpp | 19 +++ 12 files changed, 197 insertions(+), 255 deletions(-) diff --git a/browser/confvars.sh b/browser/confvars.sh index 8914379..8e7cf7e 100644 --- a/browser/confvars.sh +++ b/browser/confvars.sh @@ -8,6 +8,11 @@ MOZ_APP_VENDOR=Mozilla MOZ_UPDATER=1 MOZ_PHOENIX=1 +MOZ_VERIFY_MAR_SIGNATURE=1 + +# Enable building ./signmar and running libmar signature tests +MOZ_ENABLE_SIGNMAR=1 + MOZ_CHROME_FILE_FORMAT=omni MOZ_DISABLE_EXPORT_JS=1 MOZ_SAFE_BROWSING=1 diff --git a/configure.in b/configure.in index b97a1e6..3093a3f 100644 --- a/configure.in +++ b/configure.in @@ -6351,11 +6351,7 @@ MOZ_ARG_ENABLE_BOOL(verify-mar, MOZ_VERIFY_MAR_SIGNATURE= ) if test -n "$MOZ_VERIFY_MAR_SIGNATURE"; then - if test "$OS_ARCH" = "WINNT"; then - AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE) - else - AC_MSG_ERROR([Can only build with --enable-verify-mar with a Windows target]) - fi + AC_DEFINE(MOZ_VERIFY_MAR_SIGNATURE) fi dnl ======================================================== diff --git a/modules/libmar/moz.build b/modules/libmar/moz.build index 44191c3..d9a8b34 100644 --- a/modules/libmar/moz.build +++ b/modules/libmar/moz.build @@ -9,11 +9,7 @@ DIRS += ['src'] if CONFIG['MOZ_ENABLE_SIGNMAR']: DIRS += ['sign', 'verify'] TEST_DIRS += ['tests'] -elif CONFIG['OS_ARCH'] == 'WINNT': - # On Windows we don't verify with NSS and updater needs to link to it - DIRS += ['verify'] -elif CONFIG['OS_ARCH'] == 'Darwin': - # On OSX we don't verify with NSS and updater needs to link to it. +elif CONFIG['MOZ_VERIFY_MAR_SIGNATURE']: DIRS += ['verify'] # If we are building ./sign and ./verify then ./tool must come after it diff --git a/modules/libmar/src/mar.h b/modules/libmar/src/mar.h index 4e53d2c..98b454d 100644 --- a/modules/libmar/src/mar.h +++ b/modules/libmar/src/mar.h @@ -134,6 +134,26 @@ int mar_create(const char *dest, */ int mar_extract(const char *path); +#define MAR_MAX_CERT_SIZE (16*1024) // Way larger than necessary + +/* Read the entire file (not a MAR file) into a newly-allocated buffer. + * This function does not write to stderr. Instead, the caller should + * write whatever error messages it sees fit. The caller must free the returned + * buffer using free(). + * + * @param filePath The path to the file that should be read. + * @param maxSize The maximum valid file size. + * @param data On success, *data will point to a newly-allocated buffer + * with the file's contents in it. + * @param size On success, *size will be the size of the created buffer. + * + * @return 0 on success, -1 on error + */ +int mar_read_entire_file(const char * filePath, + uint32_t maxSize, + /*out*/ const uint8_t * *data, + /*out*/ uint32_t *size); + /** * Verifies a MAR file by verifying each signature with the corresponding * certificate. That is, the first signature will be verified using the first @@ -154,12 +174,10 @@ int mar_extract(const char *path); * a negative number if there was an error * a positive number if the signature does not verify */ -#ifdef XP_WIN -int mar_verify_signaturesW(MarFile *mar, - const uint8_t * const *certData, - const uint32_t *certDataSizes, - uint32_t certCount); -#endif +int mar_verify_signatures(MarFile *mar, + const uint8_t * const *certData, + const uint32_t *certDataSizes, + uint32_t certCount); /** * Reads the product info block from the MAR file's additional block section. diff --git a/modules/libmar/src/mar_cmdline.h b/modules/libmar/src/mar_cmdline.h index e8645ec..e2c9ed5 100644 --- a/modules/libmar/src/mar_cmdline.h +++ b/modules/libmar/src/mar_cmdline.h @@ -38,38 +38,6 @@ int get_mar_file_info(const char *path, uint32_t *offsetAdditionalBlocks, uint32_t *numAdditionalBlocks); -/** - * Verifies a MAR file by verifying each signature with the corresponding - * certificate. That is, the first signature will be verified using the first - * certificate given, the second signature will be verified using the second - * certificate given, etc. The signature count must exactly match the number of - * certificates given, and all signature verifications must succeed. - * This is only used by the signmar program when used with arguments to verify - * a MAR. This should not be used to verify a MAR that will be extracted in the - * same operation by updater code. This function prints the error message if - * verification fails. - * - * @param pathToMAR The path of the MAR file whose signature should be - * checked - * @param certData Pointer to the first element in an array of certificate - * file data. - * @param certDataSizes Pointer to the first element in an array for size of - * the cert data. - * @param certNames Pointer to the first element in an array of certificate - * names. - * Used only if compiled with NSS support - * @param certCount The number of elements in certData, certDataSizes, - * and certNames - * @return 0 on success - * a negative number if there was an error - * a positive number if the signature does not verify - */ -int mar_verify_signatures(const char *pathToMAR, - const uint8_t * const *certData, - const uint32_t *certDataSizes, - const char * const *certNames, - uint32_t certCount); - /** * Reads the product info block from the MAR file's additional block section. * The caller is responsible for freeing the fields in infoBlock diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c index 8abbac7..821813c 100644 --- a/modules/libmar/tool/mar.c +++ b/modules/libmar/tool/mar.c @@ -19,6 +19,8 @@ #endif #if !defined(NO_SIGN_VERIFY) && (!defined(XP_WIN) || defined(MAR_NSS)) +#include "cert.h" +#include "pk11pub.h" int NSSInitCryptoContext(const char *NSSConfigDir); #endif @@ -120,15 +122,13 @@ int main(int argc, char **argv) { uint32_t certCount = 0; int32_t sigIndex = -1; -#if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) - HANDLE certFile; - uint8_t *certBuffers[MAX_SIGNATURES]; -#endif -#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ - defined(XP_MACOSX)) - char* DERFilePaths[MAX_SIGNATURES]; +#if !defined(NO_SIGN_VERIFY) uint32_t fileSizes[MAX_SIGNATURES]; - uint32_t read; + uint8_t* certBuffers[MAX_SIGNATURES]; + char* DERFilePaths[MAX_SIGNATURES]; +#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS) + CERTCertificate* certs[MAX_SIGNATURES]; +#endif #endif memset(certNames, 0, sizeof(certNames)); @@ -319,43 +319,68 @@ int main(int argc, char **argv) { return import_signature(argv[2], sigIndex, argv[3], argv[4]); case 'v': - -#if defined(XP_WIN) && !defined(MAR_NSS) if (certCount == 0) { print_usage(); return -1; } +#if (!defined(XP_WIN) && !defined(XP_MACOSX)) || defined(MAR_NSS) + if (!NSSConfigDir || certCount == 0) { + print_usage(); + return -1; + } + + if (NSSInitCryptoContext(NSSConfigDir)) { + fprintf(stderr, "ERROR: Could not initialize crypto library.\n"); + return -1; + } +#endif + + rv = 0; for (k = 0; k < certCount; ++k) { - /* If the mar program was built using CryptoAPI, then read in the buffer - containing the cert from disk. */ - certFile = CreateFileA(DERFilePaths[k], GENERIC_READ, - FILE_SHARE_READ | - FILE_SHARE_WRITE | - FILE_SHARE_DELETE, - NULL, - OPEN_EXISTING, - 0, NULL); - if (INVALID_HANDLE_VALUE == certFile) { - return -1; +#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS) + rv = mar_read_entire_file(DERFilePaths[k], MAR_MAX_CERT_SIZE, + &certBuffers[k], &fileSizes[k]); +#else + /* It is somewhat circuitous to look up a CERTCertificate and then pass + * in its DER encoding just so we can later re-create that + * CERTCertificate to extract the public key out of it. However, by doing + * things this way, we maximize the reuse of the mar_verify_signatures + * function and also we keep the control flow as similar as possible + * between programs and operating systems, at least for the functions + * that are critically important to security. + */ + certs[k] = PK11_FindCertFromNickname(certNames[k], NULL); + if (certs[k]) { + certBuffers[k] = certs[k]->derCert.data; + fileSizes[k] = certs[k]->derCert.len; + } else { + rv = -1; } - fileSizes[k] = GetFileSize(certFile, NULL); - certBuffers[k] = malloc(fileSizes[k]); - if (!ReadFile(certFile, certBuffers[k], fileSizes[k], &read, NULL) || - fileSizes[k] != read) { - CloseHandle(certFile); - for (i = 0; i <= k; i++) { - free(certBuffers[i]); - } - return -1; +#endif + if (rv) { + fprintf(stderr, "ERROR: could not read file %s", DERFilePaths[k]); + break; } - CloseHandle(certFile); } - rv = mar_verify_signatures(argv[2], certBuffers, fileSizes, - NULL, certCount); + if (!rv) { + MarFile *mar = mar_open(argv[2]); + if (mar) { + rv = mar_verify_signatures(mar, certBuffers, fileSizes, certCount); + mar_close(mar); + } else { + fprintf(stderr, "ERROR: Could not open MAR file.\n"); + rv = -1; + } + } for (k = 0; k < certCount; ++k) { +#if (defined(XP_WIN) || defined(XP_MACOSX)) && !defined(MAR_NSS) free(certBuffers[k]); +#else + /* certBuffers[k] is owned by certs[k] so don't free it */ + CERT_DestroyCertificate(certs[k]); +#endif } if (rv) { /* Determine if the source MAR file has the new fields for signing */ @@ -369,26 +394,8 @@ int main(int argc, char **argv) { } return -1; } - return 0; -#elif defined(XP_MACOSX) - return mar_verify_signatures(argv[2], (const uint8_t* const*)DERFilePaths, - 0, NULL, certCount); -#else - if (!NSSConfigDir || certCount == 0) { - print_usage(); - return -1; - } - - if (NSSInitCryptoContext(NSSConfigDir)) { - fprintf(stderr, "ERROR: Could not initialize crypto library.\n"); - return -1; - } - - return mar_verify_signatures(argv[2], NULL, 0, certNames, certCount); - -#endif /* defined(XP_WIN) && !defined(MAR_NSS) */ case 's': if (!NSSConfigDir || certCount == 0 || argc < 4) { print_usage(); diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c index 48fbecd..af34210 100644 --- a/modules/libmar/verify/cryptox.c +++ b/modules/libmar/verify/cryptox.c @@ -16,29 +16,32 @@ /** * Loads the public key for the specified cert name from the NSS store. * - * @param certName The cert name to find. + * @param certData The DER-encoded X509 certificate to extract the key from. + * @param certDataSize The size of certData. * @param publicKey Out parameter for the public key to use. - * @param cert Out parameter for the certificate to use. * @return CryptoX_Success on success, CryptoX_Error on error. */ CryptoX_Result -NSS_LoadPublicKey(const char *certNickname, - SECKEYPublicKey **publicKey, - CERTCertificate **cert) +NSS_LoadPublicKey(const unsigned char *certData, unsigned int certDataSize, + SECKEYPublicKey **publicKey) { - secuPWData pwdata = { PW_NONE, 0 }; - if (!cert || !publicKey || !cert) { + CERTCertificate * cert; + SECItem certDataItem = { siBuffer, (unsigned char*) certData, certDataSize }; + + if (!certData || !publicKey) { return CryptoX_Error; } + cert = CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &certDataItem, NULL, + PR_FALSE, PR_TRUE); /* Get the cert and embedded public key out of the database */ - *cert = PK11_FindCertFromNickname(certNickname, &pwdata); - if (!*cert) { + if (!cert) { return CryptoX_Error; } - *publicKey = CERT_ExtractPublicKey(*cert); + *publicKey = CERT_ExtractPublicKey(cert); + CERT_DestroyCertificate(cert); + if (!*publicKey) { - CERT_DestroyCertificate(*cert); return CryptoX_Error; } return CryptoX_Success; @@ -150,12 +153,11 @@ CryptoX_Result CryptoAPI_LoadPublicKey(HCRYPTPROV provider, BYTE *certData, DWORD sizeOfCertData, - HCRYPTKEY *publicKey, - HCERTSTORE *certStore) + HCRYPTKEY *publicKey) { CRYPT_DATA_BLOB blob; CERT_CONTEXT *context; - if (!provider || !certData || !publicKey || !certStore) { + if (!provider || !certData || !publicKey) { return CryptoX_Error; } @@ -165,7 +167,7 @@ CryptoAPI_LoadPublicKey(HCRYPTPROV provider, CERT_QUERY_CONTENT_FLAG_CERT, CERT_QUERY_FORMAT_FLAG_BINARY, 0, NULL, NULL, NULL, - certStore, NULL, (const void **)&context)) { + NULL, NULL, (const void **)&context)) { return CryptoX_Error; } diff --git a/modules/libmar/verify/cryptox.h b/modules/libmar/verify/cryptox.h index 2dd93ef..ec8f5ac 100644 --- a/modules/libmar/verify/cryptox.h +++ b/modules/libmar/verify/cryptox.h @@ -15,7 +15,9 @@ #if defined(MAR_NSS) -#include "nss_secutil.h" +#include "cert.h" +#include "keyhi.h" +#include "cryptohi.h" #define CryptoX_InvalidHandleValue NULL #define CryptoX_ProviderHandle void* @@ -26,9 +28,9 @@ #ifdef __cplusplus extern "C" { #endif -CryptoX_Result NSS_LoadPublicKey(const char *certNickname, - SECKEYPublicKey **publicKey, - CERTCertificate **cert); +CryptoX_Result NSS_LoadPublicKey(const unsigned char* certData, + unsigned int certDataSize, + SECKEYPublicKey** publicKey); CryptoX_Result NSS_VerifyBegin(VFYContext **ctx, SECKEYPublicKey * const *publicKey); CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx , @@ -46,9 +48,8 @@ CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx , VFY_DestroyContext(*SignatureHandle, PR_TRUE) #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \ VFY_Update(*SignatureHandle, (const unsigned char*)(buf), len) -#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \ - publicKey, certName, cert) \ - NSS_LoadPublicKey(certName, publicKey, cert) +#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \ + NSS_LoadPublicKey(certData, dataSize, publicKey) #define CryptoX_VerifySignature(hash, publicKey, signedData, len) \ NSS_VerifySignature(hash, (const unsigned char *)(signedData), len) #define CryptoX_FreePublicKey(key) \ @@ -91,7 +92,7 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey); #define CryptoX_VerifyUpdate(aInputData, aBuf, aLen) \ CryptoMac_VerifyUpdate(aInputData, aBuf, aLen) #define CryptoX_LoadPublicKey(aProviderHandle, aCertData, aDataSize, \ - aPublicKey, aCertName, aCert) \ + aPublicKey) \ CryptoMac_LoadPublicKey(aCertData, aPublicKey) #define CryptoX_VerifySignature(aInputData, aPublicKey, aSignature, \ aSignatureLen) \ @@ -111,8 +112,7 @@ CryptoX_Result CryptoAPI_InitCryptoContext(HCRYPTPROV *provider); CryptoX_Result CryptoAPI_LoadPublicKey(HCRYPTPROV hProv, BYTE *certData, DWORD sizeOfCertData, - HCRYPTKEY *publicKey, - HCERTSTORE *cert); + HCRYPTKEY *publicKey); CryptoX_Result CryptoAPI_VerifyBegin(HCRYPTPROV provider, HCRYPTHASH* hash); CryptoX_Result CryptoAPI_VerifyUpdate(HCRYPTHASH* hash, BYTE *buf, DWORD len); @@ -133,10 +133,8 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash, #define CryptoX_FreeSignatureHandle(SignatureHandle) #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) \ CryptoAPI_VerifyUpdate(SignatureHandle, (BYTE *)(buf), len) -#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \ - publicKey, certName, cert) \ - CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), \ - dataSize, publicKey, cert) +#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \ + CryptoAPI_LoadPublicKey(CryptoHandle, (BYTE*)(certData), dataSize, publicKey) #define CryptoX_VerifySignature(hash, publicKey, signedData, len) \ CyprtoAPI_VerifySignature(hash, publicKey, signedData, len) #define CryptoX_FreePublicKey(key) \ @@ -163,8 +161,7 @@ CryptoX_Result CyprtoAPI_VerifySignature(HCRYPTHASH *hash, CryptoX_Error #define CryptoX_FreeSignatureHandle(SignatureHandle) #define CryptoX_VerifyUpdate(SignatureHandle, buf, len) CryptoX_Error -#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, \ - publicKey, certName, cert) \ +#define CryptoX_LoadPublicKey(CryptoHandle, certData, dataSize, publicKey) \ CryptoX_Error #define CryptoX_VerifySignature(hash, publicKey, signedData, len) CryptoX_Error #define CryptoX_FreePublicKey(key) CryptoX_Error diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c index 7578b62..165a802 100644 --- a/modules/libmar/verify/mar_verify.c +++ b/modules/libmar/verify/mar_verify.c @@ -17,6 +17,46 @@ #include "mar.h" #include "cryptox.h" +int +mar_read_entire_file(const char * filePath, uint32_t maxSize, + /*out*/ const uint8_t * *data, + /*out*/ uint32_t *size) +{ + int result; + FILE * f; + + if (!filePath || !data || !size) { + return -1; + } + + f = fopen(filePath, "rb"); + if (!f) { + return -1; + } + + result = -1; + if (!fseeko(f, 0, SEEK_END)) { + int64_t fileSize = ftello(f); + if (fileSize > 0 && fileSize <= maxSize && !fseeko(f, 0, SEEK_SET)) { + unsigned char * fileData; + + *size = (unsigned int) fileSize; + fileData = malloc(*size); + if (fileData) { + if (fread(fileData, *size, 1, f) == 1) { + *data = fileData; + result = 0; + } else { + free(fileData); + } + } + } + fclose(f); + } + + return result; +} + int mar_extract_and_verify_signatures_fp(FILE *fp, CryptoX_ProviderHandle provider, CryptoX_PublicKey *keys, @@ -81,92 +121,8 @@ ReadAndUpdateVerifyContext(FILE *fp, * certificate given, the second signature will be verified using the second * certificate given, etc. The signature count must exactly match the number of * certificates given, and all signature verifications must succeed. - * This is only used by the signmar program when used with arguments to verify - * a MAR. This should not be used to verify a MAR that will be extracted in the - * same operation by updater code. This function prints the error message if - * verification fails. * - * @param pathToMARFile The path of the MAR file to verify. - * @param certData Pointer to the first element in an array of certificate - * file data. - * @param certDataSizes Pointer to the first element in an array for size of the - * cert data. - * @param certNames Pointer to the first element in an array of certificate names. - * Used only if compiled as NSS, specifies the certificate names - * @param certCount The number of elements in certData, certDataSizes, and certNames - * @return 0 on success - * a negative number if there was an error - * a positive number if the signature does not verify - */ -int -mar_verify_signatures(const char *pathToMARFile, - const uint8_t * const *certData, - const uint32_t *certDataSizes, - const char * const *certNames, - uint32_t certCount) { - int rv; - CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue; - CryptoX_Certificate certs[MAX_SIGNATURES]; - CryptoX_PublicKey keys[MAX_SIGNATURES]; - FILE *fp; - uint32_t k; - - memset(certs, 0, sizeof(certs)); - memset(keys, 0, sizeof(keys)); - - if (!pathToMARFile || certCount == 0) { - fprintf(stderr, "ERROR: Invalid parameter specified.\n"); - return CryptoX_Error; - } - - fp = fopen(pathToMARFile, "rb"); - if (!fp) { - fprintf(stderr, "ERROR: Could not open MAR file.\n"); - return CryptoX_Error; - } - - if (CryptoX_Failed(CryptoX_InitCryptoProvider(&provider))) { - fclose(fp); - fprintf(stderr, "ERROR: Could not init crytpo library.\n"); - return CryptoX_Error; - } - - /* Load the certs and keys */ - for (k = 0; k < certCount; k++) { - if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k], - &keys[k], certNames[k], &certs[k]))) { - fclose(fp); - fprintf(stderr, "ERROR: Could not load public key.\n"); - return CryptoX_Error; - } - } - - rv = mar_extract_and_verify_signatures_fp(fp, provider, keys, certCount); - fclose(fp); - - /* Cleanup the allocated keys and certs */ - for (k = 0; k < certCount; k++) { - if (keys[k]) { - CryptoX_FreePublicKey(&keys[k]); - } - - if (certs[k]) { - CryptoX_FreeCertificate(&certs[k]); - } - } - return rv; -} - -#ifdef XP_WIN -/** - * Verifies a MAR file by verifying each signature with the corresponding - * certificate. That is, the first signature will be verified using the first - * certificate given, the second signature will be verified using the second - * certificate given, etc. The signature count must exactly match the number of - * certificates given, and all signature verifications must succeed. - * - * @param pathToMARFile The path of the MAR file who's signature - * should be calculated + * @param mar The file who's signature should be calculated * @param certData Pointer to the first element in an array of * certificate data * @param certDataSizes Pointer to the first element in an array for size of @@ -175,17 +131,15 @@ mar_verify_signatures(const char *pathToMARFile, * @return 0 on success */ int -mar_verify_signaturesW(MarFile *mar, - const uint8_t * const *certData, - const uint32_t *certDataSizes, - uint32_t certCount) { +mar_verify_signatures(MarFile *mar, + const uint8_t * const *certData, + const uint32_t *certDataSizes, + uint32_t certCount) { int rv = -1; CryptoX_ProviderHandle provider = CryptoX_InvalidHandleValue; - CryptoX_Certificate certs[MAX_SIGNATURES]; CryptoX_PublicKey keys[MAX_SIGNATURES]; uint32_t k; - memset(certs, 0, sizeof(certs)); memset(keys, 0, sizeof(keys)); if (!mar || !certData || !certDataSizes || certCount == 0) { @@ -205,7 +159,7 @@ mar_verify_signaturesW(MarFile *mar, for (k = 0; k < certCount; ++k) { if (CryptoX_Failed(CryptoX_LoadPublicKey(provider, certData[k], certDataSizes[k], - &keys[k], "", &certs[k]))) { + &keys[k]))) { fprintf(stderr, "ERROR: Could not load public key.\n"); goto failure; } @@ -219,15 +173,10 @@ failure: if (keys[k]) { CryptoX_FreePublicKey(&keys[k]); } - - if (certs[k]) { - CryptoX_FreeCertificate(&certs[k]); - } } return rv; } -#endif /** * Extracts each signature from the specified MAR file, diff --git a/toolkit/mozapps/update/updater/Makefile.in b/toolkit/mozapps/update/updater/Makefile.in index bd6716b..52cdbeb 100644 --- a/toolkit/mozapps/update/updater/Makefile.in +++ b/toolkit/mozapps/update/updater/Makefile.in @@ -18,9 +18,14 @@ LIBS += \ $(MOZ_BZ2_LIBS) \ $(NULL) -ifeq ($(OS_ARCH),WINNT) +LIBS += $(call EXPAND_LIBNAME_PATH,signmar,$(DEPTH)/modules/libmar/sign) LIBS += $(call EXPAND_LIBNAME_PATH,verifymar,$(DEPTH)/modules/libmar/verify) +ifeq ($(OS_ARCH),WINNT) OS_LIBS += $(call EXPAND_LIBNAME,comctl32 ws2_32 shell32 shlwapi) +else +LIBS += $(DIST)/lib/$(LIB_PREFIX)nss3.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) \ + $(NSPR_LIBS) endif ifdef MOZ_WIDGET_GTK @@ -51,14 +56,13 @@ else ifneq (,$(filter nightly aurora nightly-elm nightly-profiling nightly-oak n PRIMARY_CERT = nightly_aurora_level3_primary.der SECONDARY_CERT = nightly_aurora_level3_secondary.der else - PRIMARY_CERT = dep1.der - SECONDARY_CERT = dep2.der + PRIMARY_CERT = xpcshellCertificate.der + SECONDARY_CERT = xpcshellCertificate.der endif export:: $(PYTHON) $(srcdir)/gen_cert_header.py primaryCertData $(srcdir)/$(PRIMARY_CERT) > primaryCert.h $(PYTHON) $(srcdir)/gen_cert_header.py secondaryCertData $(srcdir)/$(SECONDARY_CERT) > secondaryCert.h - $(PYTHON) $(srcdir)/gen_cert_header.py xpcshellCertData $(srcdir)/xpcshellCertificate.der > xpcshellCert.h ifdef MOZ_WIDGET_GTK libs:: updater.png diff --git a/toolkit/mozapps/update/updater/archivereader.cpp b/toolkit/mozapps/update/updater/archivereader.cpp index f0e6ea3..aa9ccc4 100644 --- a/toolkit/mozapps/update/updater/archivereader.cpp +++ b/toolkit/mozapps/update/updater/archivereader.cpp @@ -15,13 +15,10 @@ #include "updatehelper.h" #endif -#ifdef XP_WIN // These are generated at compile time based on the DER file for the channel // being used #include "primaryCert.h" #include "secondaryCert.h" -#include "xpcshellCert.h" -#endif #define UPDATER_NO_STRING_GLUE_STL #include "nsVersionComparator.cpp" @@ -38,9 +35,6 @@ static int outbuf_size = 262144; static char *inbuf = nullptr; static char *outbuf = nullptr; -#ifdef XP_WIN -#include "resource.h" - /** * Performs a verification on the opened MAR file with the passed in * certificate name ID and type ID. @@ -54,15 +48,13 @@ int VerifyLoadedCert(MarFile *archive, const uint8_t (&certData)[SIZE]) { const uint32_t size = SIZE; - const uint8_t * const data = &certData[0]; - if (mar_verify_signaturesW(archive, &data, &size, 1)) { + const uint8_t* const data = &certData[0]; + if (mar_verify_signatures(archive, &data, &size, 1)) { return CERT_VERIFY_ERROR; } return OK; } -#endif - /** * Performs a verification on the opened MAR file. Both the primary and backup @@ -79,22 +71,11 @@ ArchiveReader::VerifySignature() return ARCHIVE_NOT_OPEN; } -#ifdef XP_WIN - // If the fallback key exists we're running an XPCShell test and we should - // use the XPCShell specific cert for the signed MAR. - int rv; - if (DoesFallbackKeyExist()) { - rv = VerifyLoadedCert(mArchive, xpcshellCertData); - } else { - rv = VerifyLoadedCert(mArchive, primaryCertData); - if (rv != OK) { - rv = VerifyLoadedCert(mArchive, secondaryCertData); - } + int rv = VerifyLoadedCert(mArchive, primaryCertData); + if (rv != OK) { + rv = VerifyLoadedCert(mArchive, secondaryCertData); } return rv; -#else - return OK; -#endif } /** diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp index 4cf24db..3a3968e 100644 --- a/toolkit/mozapps/update/updater/updater.cpp +++ b/toolkit/mozapps/update/updater/updater.cpp @@ -108,6 +108,11 @@ static bool sUseHardLinks = true; # define MAYBE_USE_HARD_LINKS 0 #endif +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) +#include "nss.h" +#include "prerror.h" +#endif + #ifdef XP_WIN #include "updatehelper.h" @@ -2520,6 +2525,20 @@ int NS_main(int argc, NS_tchar **argv) _exit(1); } #endif + +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) + // On Windows we rely on CyrptoAPI to do verifications so we don't need to + // initialize NSS at all there. + // Otherwise, minimize the amount of NSS we depend on by avoiding all the NSS + // databases. + if (NSS_NoDB_Init(NULL) != SECSuccess) { + PRErrorCode error = PR_GetError(); + fprintf(stderr, "Could not initialize NSS: %s (%d)", + PR_ErrorToName(error), (int) error); + _exit(1); + } +#endif + InitProgressUI(&argc, &argv); // To process an update the updater command line must at a minimum have the

1 0

[tor-browser-bundle/master] Bug #13776: Incremental MAR files not reproducible
by brade＠torproject.org 12 Dec '14

12 Dec '14

commit 5130f4ded3705e13f2d20fe49a502ec11e8d7cf2 Author: Kathy Brade <brade(a)pearlcrescent.com> Date: Fri Dec 12 11:54:40 2014 -0500 Bug #13776: Incremental MAR files not reproducible Set the locale and umask to avoid differences across systems and users when generating incremental MAR files. --- tools/update-responses/update_responses | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tools/update-responses/update_responses b/tools/update-responses/update_responses index c788586..b28b575 100755 --- a/tools/update-responses/update_responses +++ b/tools/update-responses/update_responses @@ -10,9 +10,16 @@ use Cwd; use File::Temp; use File::Find; use File::Which; +use POSIX qw(setlocale LC_ALL); use IO::CaptureOutput qw(capture_exec); use Parallel::ForkManager; +# Set umask and locale to provide a consistent environment for MAR file +# generation, etc. +umask(0022); +$ENV{"LC_ALL"} = "C"; +setlocale(LC_ALL, "C"); + my $htdocsdir = "$FindBin::Bin/htdocs"; my $config = LoadFile("$FindBin::Bin/config.yml"); my %htdocsfiles = ( '.' => 1, '..' => 1, 'no-update.xml' => 1 );

1 0

[torbutton/master] Bug 11449: Avoid new identity error when NoScript disabled.
by brade＠torproject.org 11 Dec '14

11 Dec '14

commit 88dfaaaf325f5b86aba3d449b87320d0d962681d Author: Loic Bistuer <loic.bistuer(a)gmail.com> Date: Tue Oct 21 02:30:20 2014 +0700 Bug 11449: Avoid new identity error when NoScript disabled. --- src/chrome/content/torbutton.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/chrome/content/torbutton.js b/src/chrome/content/torbutton.js index 2ba4159..5aed682 100644 --- a/src/chrome/content/torbutton.js +++ b/src/chrome/content/torbutton.js @@ -1646,8 +1646,10 @@ function torbutton_do_new_identity() { torbutton_log(3, "New Identity: Clearing NoScript Temporary Permissions"); try { - var nsSvc = Components.classes["@maone.net/noscript-service;1"].getService().wrappedJSObject - nsSvc.eraseTemp(); + if ("@maone.net/noscript-service;1" in Components.classes) { + var nsSvc = Components.classes["@maone.net/noscript-service;1"].getService().wrappedJSObject + nsSvc.eraseTemp(); + } } catch(e) { torbutton_log(5, "New Identity: Error clearing NoScript Temporary Permissions: "+e); window.alert("Torbutton: Error clearing NoScript Temporary Permissions: "+e);

1 0

[tor-browser/tor-browser-31.3.0esr-4.5-1] Bug 13439: No canvas prompt for content-callers.
by gk＠torproject.org 09 Dec '14

09 Dec '14

commit fc1c9ff7c1b2defdbc039f12214767608f46423f Author: Gunes Acar <gunes.acar(a)esat.kuleuven.be> Date: Wed Dec 3 20:22:22 2014 +0100 Bug 13439: No canvas prompt for content-callers. Both the Inspector and PDF.js raise canvas prompts although they are no danger as they are delivered with the browser itself and are no untrusted content. This patch exempts both of them from canvas prompts, too. If calling `DescribeScriptedCaller` fails neither `scriptFile` nor `scriptLine` are logged. --- content/canvas/src/CanvasUtils.cpp | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/content/canvas/src/CanvasUtils.cpp b/content/canvas/src/CanvasUtils.cpp index 9a7a441..5a6e05e 100644 --- a/content/canvas/src/CanvasUtils.cpp +++ b/content/canvas/src/CanvasUtils.cpp @@ -54,6 +54,20 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx) if (sop && nsContentUtils::IsSystemPrincipal(sop->GetPrincipal())) return true; + // Don't show canvas prompt for chrome scripts (e.g. Page Inspector) + if (nsContentUtils::IsCallerChrome()) + return true; + + JS::AutoFilename scriptFile; + unsigned scriptLine = 0; + bool isScriptKnown = false; + if (JS::DescribeScriptedCaller(aCx, &scriptFile, &scriptLine)) { + isScriptKnown = true; + // Don't show canvas prompt for PDF.js + if (scriptFile.get() && + strcmp(scriptFile.get(), "resource://pdf.js/build/pdf.js") == 0) + return true; + } bool isAllowed = false; nsCOMPtr<mozIThirdPartyUtil> thirdPartyUtil = do_GetService(THIRDPARTYUTIL_CONTRACTID); @@ -87,19 +101,19 @@ bool IsImageExtractionAllowed(nsIDocument *aDocument, JSContext *aCx) rv = thirdPartyUtil->IsThirdPartyURI(uri, docURI, &isThirdParty); NS_ENSURE_SUCCESS(rv, false); - JS::AutoFilename scriptFile;; - unsigned scriptLine = 0; - JS::DescribeScriptedCaller(aCx, &scriptFile, &scriptLine); - nsCString firstPartySpec; rv = uri->GetSpec(firstPartySpec); nsCString docSpec; docURI->GetSpec(docSpec); nsPrintfCString msg("On %s: blocked access to canvas image data" - " from document %s, script from %s:%u ", // L10n - firstPartySpec.get(), docSpec.get(), - scriptFile.get(), scriptLine); - + " from document %s, ", // L10n + firstPartySpec.get(), docSpec.get()); + if (isScriptKnown && scriptFile.get()) { + msg += nsPrintfCString("script from %s:%u", // L10n + scriptFile.get(), scriptLine); + } else { + msg += nsPrintfCString("unknown script"); // L10n + } nsCOMPtr<nsIConsoleService> console (do_GetService(NS_CONSOLESERVICE_CONTRACTID)); if (console)

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

tbb-commits December 2014