Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/tor-browser security/tor-browser: Add U2F sup...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0b74dd6c2a0b
branches:  trunk
changeset: 437129:0b74dd6c2a0b
user:      riastradh <riastradh%pkgsrc.org@localhost>
date:      Mon Aug 17 06:58:32 2020 +0000

description:
security/tor-browser: Add U2F support to NetBSD.

The webauthn API is disabled by default in the Tor Browser:

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26614

In order to use it, risking the consequences since the Tor Project
has not audited its anonymity properties, you have to explicitly
enable security.webauthn.webauthn=true in about:config.

So if you definitely want to log into a web site using U2F in spite
of that, with location privacy but not anonymity, then these patches
now enable it to work on NetBSD (with the caveat that enabling
security.webauthn.webauthn=true applies also to any web site that
tries to use the webauthn API, not just the ones you want to log
into).

diffstat:

 security/tor-browser/distinfo                                                        |    9 +-
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_lib.rs                |   34 ++
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs      |  141 ++++++++++
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs          |   54 +++
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs         |   17 +
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs     |   96 ++++++
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_transaction.rs |   57 ++++
 security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_uhid.rs        |   86 ++++++
 8 files changed, 493 insertions(+), 1 deletions(-)

diffs (truncated from 536 to 300 lines):

diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/distinfo
--- a/security/tor-browser/distinfo     Mon Aug 17 06:58:02 2020 +0000
+++ b/security/tor-browser/distinfo     Mon Aug 17 06:58:32 2020 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.25 2020/07/29 07:46:37 wiz Exp $
+$NetBSD: distinfo,v 1.26 2020/08/17 06:58:32 riastradh Exp $
 
 SHA1 (src-firefox-tor-browser-68.11.0esr-9.5-1-build1.tar.xz) = be69e804180d7cc1fb500b1a497f79ab41c4f0db
 RMD160 (src-firefox-tor-browser-68.11.0esr-9.5-1-build1.tar.xz) = 625ab420108a64c3f50f2c482190ece3afcbd974
@@ -16,6 +16,13 @@
 SHA1 (patch-config_gcc-stl-wrapper.template.h) = 11b45e0c7a9399c5b74b170648280a388dd67d89
 SHA1 (patch-dom_base_nsAttrName.h) = ac7ba441a3b27df2855cf2673eea36b1cb44ad49
 SHA1 (patch-dom_media_CubebUtils.cpp) = 3cd2c65ab281d802c56216565970450767a3fb24
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_lib.rs) = c0dfe8b1e7ebbc7c1d6066c204030f13b063b8d7
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs) = 091ffab5bd6a15425acb2ab023cc26f6b23324c6
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs) = 57f5c3c879b07375234e5cb0cbe0469b15105a6a
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs) = 7160fc9fe6d197b42104856b997337f823d2a791
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs) = 527722bd4fbf0aca07d710e0a8b73f95b2adad40
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_transaction.rs) = aeafe7c1df614bb5e46cb7fb1cb351001f292caf
+SHA1 (patch-dom_webauthn_u2f-hid-rs_src_netbsd_uhid.rs) = c1d2157350803fb3eaef6f7a00e7c81dd9cf708b
 SHA1 (patch-gfx_angle_checkout_src_common_third__party_smhasher_src_PMurHash.cpp) = e458c9c8dc66edc69c1874734af28a77fc5e3993
 SHA1 (patch-gfx_angle_checkout_src_compiler_translator_InfoSink.h) = 2f73c76c48852613e0c55c1680fcc2a9eb3cf4ef
 SHA1 (patch-gfx_gl_GLContextProviderGLX.cpp) = 2c909a10a341e600392417240ad0c556f495d6ba
diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_lib.rs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_lib.rs     Mon Aug 17 06:58:32 2020 +0000
@@ -0,0 +1,34 @@
+$NetBSD: patch-dom_webauthn_u2f-hid-rs_src_lib.rs,v 1.1 2020/08/17 06:58:32 riastradh Exp $
+
+Add NetBSD support for U2F.
+
+--- dom/webauthn/u2f-hid-rs/src/lib.rs.orig    2020-06-22 22:55:03.000000000 +0000
++++ dom/webauthn/u2f-hid-rs/src/lib.rs
+@@ -5,7 +5,7 @@
+ #[macro_use]
+ mod util;
+ 
+-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
++#[cfg(any(target_os = "linux", target_os = "freebsd", target_os = "netbsd"))]
+ pub mod hidproto;
+ 
+ #[cfg(any(target_os = "linux"))]
+@@ -22,6 +22,10 @@ extern crate devd_rs;
+ #[path = "freebsd/mod.rs"]
+ pub mod platform;
+ 
++#[cfg(any(target_os = "netbsd"))]
++#[path = "netbsd/mod.rs"]
++pub mod platform;
++
+ #[cfg(any(target_os = "macos"))]
+ extern crate core_foundation;
+ 
+@@ -36,6 +40,7 @@ pub mod platform;
+ #[cfg(not(any(
+     target_os = "linux",
+     target_os = "freebsd",
++    target_os = "netbsd",
+     target_os = "macos",
+     target_os = "windows"
+ )))]
diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs   Mon Aug 17 06:58:32 2020 +0000
@@ -0,0 +1,141 @@
+$NetBSD: patch-dom_webauthn_u2f-hid-rs_src_netbsd_device.rs,v 1.1 2020/08/17 06:58:32 riastradh Exp $
+
+Add NetBSD support for U2F.
+
+--- dom/webauthn/u2f-hid-rs/src/netbsd/device.rs.orig  2020-07-15 16:19:08.142403669 +0000
++++ dom/webauthn/u2f-hid-rs/src/netbsd/device.rs
+@@ -0,0 +1,134 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++extern crate libc;
++
++use std::mem;
++use std::io::Read;
++use std::io::Write;
++use std::io;
++
++use consts::CID_BROADCAST;
++use consts::HID_RPT_SIZE;
++use platform::fd::Fd;
++use platform::uhid;
++use u2ftypes::U2FDevice;
++use util::io_err;
++
++#[derive(Debug)]
++pub struct Device {
++    fd: Fd,
++    cid: [u8; 4],
++}
++
++impl Device {
++    pub fn new(fd: Fd) -> io::Result<Self> {
++        Ok(Self { fd, cid: CID_BROADCAST })
++    }
++
++    pub fn is_u2f(&mut self) -> bool {
++        if !uhid::is_u2f_device(&self.fd) {
++            return false;
++        }
++        // This step is not strictly necessary -- NetBSD puts fido
++        // devices into raw mode automatically by default, but in
++        // principle that might change, and this serves as a test to
++        // verify that we're running on a kernel with support for raw
++        // mode at all so we don't get confused issuing writes that try
++        // to set the report descriptor rather than transfer data on
++        // the output interrupt pipe as we need.
++        match uhid::hid_set_raw(&self.fd, true) {
++            Ok(_) => (),
++            Err(_) => return false,
++        }
++        if let Err(_) = self.ping() {
++            return false;
++        }
++        true
++    }
++
++    fn ping(&mut self) -> io::Result<()> {
++        for i in 0..10 {
++            let mut buf = vec![0u8; 1 + HID_RPT_SIZE];
++
++            buf[0] = 0;         // report number
++            buf[1] = 0xff;      // CID_BROADCAST
++            buf[2] = 0xff;
++            buf[3] = 0xff;
++            buf[4] = 0xff;
++            buf[5] = 0x81;      // ping
++            buf[6] = 0;
++            buf[7] = 1;         // one byte
++
++            self.write(&buf[..])?;
++
++            // Wait for response
++            let mut pfd: libc::pollfd = unsafe { mem::zeroed() };
++            pfd.fd = self.fd.fileno;
++            pfd.events = libc::POLLIN;
++            let nfds = unsafe { libc::poll(&mut pfd, 1, 100) };
++            if nfds == -1 {
++                return Err(io::Error::last_os_error());
++            }
++            if nfds == 0 {
++                debug!("device timeout {}", i);
++                continue;
++            }
++
++            // Read response
++            self.read(&mut buf[..])?;
++
++            return Ok(());
++        }
++
++        Err(io_err("no response from device"))
++    }
++}
++
++impl PartialEq for Device {
++    fn eq(&self, other: &Device) -> bool {
++        self.fd == other.fd
++    }
++}
++
++impl Read for Device {
++    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
++        let bufp = buf.as_mut_ptr() as *mut libc::c_void;
++        let nread = unsafe { libc::read(self.fd.fileno, bufp, buf.len()) };
++        if nread == -1 {
++            return Err(io::Error::last_os_error());
++        }
++        Ok(nread as usize)
++    }
++}
++
++impl Write for Device {
++    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
++        // Always skip the first byte (report number)
++        let data = &buf[1..];
++        let data_ptr = data.as_ptr() as *const libc::c_void;
++        let nwrit = unsafe {
++            libc::write(self.fd.fileno, data_ptr, data.len())
++        };
++        if nwrit == -1 {
++            return Err(io::Error::last_os_error());
++        }
++        // Pretend we wrote the report number byte
++        Ok(nwrit as usize + 1)
++    }
++
++    fn flush(&mut self) -> io::Result<()> {
++        Ok(())
++    }
++}
++
++impl U2FDevice for Device {
++    fn get_cid<'a>(&'a self) -> &'a [u8; 4] {
++        &self.cid
++    }
++
++    fn set_cid(&mut self, cid: [u8; 4]) {
++        self.cid = cid;
++    }
++}
diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs       Mon Aug 17 06:58:32 2020 +0000
@@ -0,0 +1,54 @@
+$NetBSD: patch-dom_webauthn_u2f-hid-rs_src_netbsd_fd.rs,v 1.1 2020/08/17 06:58:32 riastradh Exp $
+
+Add NetBSD support for U2F.
+
+--- dom/webauthn/u2f-hid-rs/src/netbsd/fd.rs.orig      2020-07-15 16:19:08.142740434 +0000
++++ dom/webauthn/u2f-hid-rs/src/netbsd/fd.rs
+@@ -0,0 +1,47 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++extern crate libc;
++
++use std::ffi::CString;
++use std::io;
++use std::mem;
++use std::os::raw::c_int;
++use std::os::unix::io::RawFd;
++
++#[derive(Debug)]
++pub struct Fd {
++    pub fileno: RawFd,
++}
++
++impl Fd {
++    pub fn open(path: &str, flags: c_int) -> io::Result<Fd> {
++        let cpath = CString::new(path.as_bytes())?;
++        let rv = unsafe { libc::open(cpath.as_ptr(), flags) };
++        if rv == -1 {
++            return Err(io::Error::last_os_error());
++        }
++        Ok(Fd { fileno: rv })
++    }
++}
++
++impl Drop for Fd {
++    fn drop(&mut self) {
++        unsafe { libc::close(self.fileno) };
++    }
++}
++
++impl PartialEq for Fd {
++    fn eq(&self, other: &Fd) -> bool {
++        let mut st: libc::stat = unsafe { mem::zeroed() };
++        let mut sto: libc::stat = unsafe { mem::zeroed() };
++        if unsafe { libc::fstat(self.fileno, &mut st) } == -1 {
++            return false;
++        }
++        if unsafe { libc::fstat(other.fileno, &mut sto) } == -1 {
++            return false;
++        }
++        (st.st_dev == sto.st_dev) & (st.st_ino == sto.st_ino)
++    }
++}
diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs      Mon Aug 17 06:58:32 2020 +0000
@@ -0,0 +1,17 @@
+$NetBSD: patch-dom_webauthn_u2f-hid-rs_src_netbsd_mod.rs,v 1.1 2020/08/17 06:58:32 riastradh Exp $
+
+Add NetBSD support for U2F.
+
+--- dom/webauthn/u2f-hid-rs/src/netbsd/mod.rs.orig     2020-07-15 16:19:08.143016295 +0000
++++ dom/webauthn/u2f-hid-rs/src/netbsd/mod.rs
+@@ -0,0 +1,10 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++pub mod device;
++pub mod transaction;
++
++mod fd;
++mod monitor;
++mod uhid;
diff -r 77f87b134080 -r 0b74dd6c2a0b security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/tor-browser/patches/patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs  Mon Aug 17 06:58:32 2020 +0000
@@ -0,0 +1,96 @@
+$NetBSD: patch-dom_webauthn_u2f-hid-rs_src_netbsd_monitor.rs,v 1.1 2020/08/17 06:58:32 riastradh Exp $
+
+Add NetBSD support for U2F.
+
+--- dom/webauthn/u2f-hid-rs/src/netbsd/monitor.rs.orig 2020-07-15 16:19:08.143281894 +0000
++++ dom/webauthn/u2f-hid-rs/src/netbsd/monitor.rs
+@@ -0,0 +1,89 @@
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++



Home | Main Index | Thread Index | Old Index