From 4eb04e7dfb313fe8178616b956de3f92bec71240 Mon Sep 17 00:00:00 2001 From: Kathy Brade Date: Wed, 17 Dec 2014 16:37:11 -0500 Subject: [PATCH] Bug 13379: Sign our MAR files. Replace Mozilla's MAR signing certificates with our own. Configure with --enable-signmar (build the signmar tool). Configure with --enable-verify-mar (when updating, require a valid signature on the MAR file before it is applied). Use the Tor Browser version instead of the Firefox version inside the MAR file info block (necessary to prevent downgrade attacks). Use NSS on all platforms for checking MAR signatures (Mozilla plans to use OS-native APIs on Mac OS and they already do so on Windows). So that the NSS and NSPR libraries the updater depends on can be found at runtime, we add the firefox directory to the shared library search path on all platforms. Use SHA512-based MAR signatures instead of the SHA1-based ones that Mozilla uses. This is implemented inside MAR_USE_SHA512_RSA_SIG #ifdef's and with a signature algorithm ID of 512 to help avoid collisions with future work Mozilla might do in this area. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1105689 --- .mozconfig | 2 + .mozconfig-asan | 2 + .mozconfig-mac | 2 + .mozconfig-mingw | 2 + config/external/nss/Makefile.in | 2 +- modules/libmar/sign/mar_sign.c | 15 ++- modules/libmar/sign/moz.build | 1 + modules/libmar/src/mar_private.h | 8 ++ modules/libmar/tool/mar.c | 18 +++- modules/libmar/tool/moz.build | 10 +- modules/libmar/verify/cryptox.c | 8 +- modules/libmar/verify/cryptox.h | 9 ++ modules/libmar/verify/mar_verify.c | 21 ++++- modules/libmar/verify/moz.build | 14 +-- .../update/updater/release_primary.der | Bin 709 -> 1229 bytes .../update/updater/updater-common.build | 29 ++++-- toolkit/mozapps/update/updater/updater.cpp | 25 +++-- toolkit/xre/moz.build | 3 + toolkit/xre/nsUpdateDriver.cpp | 87 ++++++++---------- 19 files changed, 164 insertions(+), 94 deletions(-) 
diff --git a/.mozconfig b/.mozconfig index 214ee2ee448d8..7d9ab1c721013 100755 --- a/.mozconfig +++ b/.mozconfig @@ -13,6 +13,8 @@ ac_add_options --enable-official-branding ac_add_options --enable-default-toolkit=cairo-gtk2 ac_add_options --enable-tor-browser-update +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar ac_add_options --disable-strip ac_add_options --disable-install-strip diff --git a/.mozconfig-asan b/.mozconfig-asan index 0d6595cdc2f96..096bcc6ef6346 100644 --- a/.mozconfig-asan +++ b/.mozconfig-asan @@ -29,6 +29,8 @@ ac_add_options --enable-official-branding ac_add_options --enable-default-toolkit=cairo-gtk2 ac_add_options --enable-tor-browser-update +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar ac_add_options --disable-strip ac_add_options --disable-install-strip diff --git a/.mozconfig-mac b/.mozconfig-mac index b595f0941309f..db6277d915ccb 100644 --- a/.mozconfig-mac +++ b/.mozconfig-mac @@ -42,6 +42,8 @@ ac_add_options --enable-optimize ac_add_options --disable-debug ac_add_options --enable-tor-browser-update +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar ac_add_options --disable-crashreporter ac_add_options --disable-maintenance-service diff --git a/.mozconfig-mingw b/.mozconfig-mingw index 211c2770712c6..dfb33264d8a98 100644 --- a/.mozconfig-mingw +++ b/.mozconfig-mingw @@ -15,6 +15,8 @@ ac_add_options --enable-strip ac_add_options --enable-official-branding ac_add_options --enable-tor-browser-update +ac_add_options --enable-signmar +ac_add_options --enable-verify-mar # Let's make sure no preference is enabling either Adobe's or Google's CDM. ac_add_options --disable-eme diff --git a/config/external/nss/Makefile.in b/config/external/nss/Makefile.in index 4b95a32bdc0bf..939529e3cd880 100644 --- a/config/external/nss/Makefile.in +++ b/config/external/nss/Makefile.in 
@@ -299,11 +299,11 @@ endif NSS_DIRS += \ nss/cmd/lib \ nss/cmd/shlibsign \ + nss/cmd/certutil \ $(NULL) ifdef ENABLE_TESTS NSS_DIRS += \ - nss/cmd/certutil \ nss/cmd/pk12util \ nss/cmd/modutil \ $(NULL) diff --git a/modules/libmar/sign/mar_sign.c b/modules/libmar/sign/mar_sign.c index 84319651dba89..968d2affc20d4 100644 --- a/modules/libmar/sign/mar_sign.c +++ b/modules/libmar/sign/mar_sign.c @@ -95,7 +95,12 @@ NSSSignBegin(const char *certName, return -1; } - *ctx = SGN_NewContext (SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, *privKey); +#ifdef MAR_USE_SHA512_RSA_SIG + SECOidTag sigAlg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; +#else + SECOidTag sigAlg = SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE; +#endif + *ctx = SGN_NewContext(sigAlg, *privKey); if (!*ctx) { fprintf(stderr, "ERROR: Could not create signature context\n"); return -1; @@ -993,8 +998,12 @@ mar_repackage_and_sign(const char *NSSConfigDir, signaturePlaceholderOffset = ftello(fpDest); for (k = 0; k < certCount; k++) { - /* Write out the signature algorithm ID, Only an ID of 1 is supported */ - signatureAlgorithmID = htonl(1); + /* Write out the signature algorithm ID. */ +#ifdef MAR_USE_SHA512_RSA_SIG + signatureAlgorithmID = htonl(SIGNATURE_ALGORITHM_ID_SHA512_RSA); +#else + signatureAlgorithmID = htonl(SIGNATURE_ALGORITHM_ID_SHA1_RSA); +#endif if (WriteAndUpdateSignatures(fpDest, &signatureAlgorithmID, sizeof(signatureAlgorithmID), ctxs, certCount, "num signatures")) { diff --git a/modules/libmar/sign/moz.build b/modules/libmar/sign/moz.build index e31ff50ab8564..0da9ade2a9aa6 100644 --- a/modules/libmar/sign/moz.build +++ b/modules/libmar/sign/moz.build @@ -19,6 +19,7 @@ LOCAL_INCLUDES += [ ] DEFINES['MAR_NSS'] = True +DEFINES['MAR_USE_SHA512_RSA_SIG'] = True if CONFIG['OS_ARCH'] == 'WINNT': USE_STATIC_LIBS = True diff --git a/modules/libmar/src/mar_private.h b/modules/libmar/src/mar_private.h index e0c263271ed09..add03f56ea6c4 100644 --- a/modules/libmar/src/mar_private.h +++ b/modules/libmar/src/mar_private.h 
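Review bot: Moving `nss/cmd/certutil` out of the `ifdef ENABLE_TESTS` list in `NSS_DIRS` makes certutil build in every configuration, including release builds, and the hunk does not say why. If it is only needed to prepare the NSS database used for MAR signing, a comment above the list would record that, e.g. `# certutil is needed to set up the NSS db used by signmar`. It is also worth confirming that the packaging step does not ship the binary to users; packaging is not visible in this hunk.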
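Review bot: The NSS OID chosen in `NSSSignBegin` and the on-disk ID written in `mar_repackage_and_sign` are selected by two separate `#ifdef MAR_USE_SHA512_RSA_SIG` blocks, and the same pairing is repeated in `NSS_VerifyBegin` (cryptox.c) and in the ID check in mar_verify.c, with the macro set independently in sign/moz.build and verify/moz.build. Nothing ties these sites together, so a later edit to one of them could yield archives whose declared algorithm ID does not match the signature that is actually computed or checked. Consider defining the pair once next to the IDs in mar_private.h, for example `#define MAR_SIGNATURE_ALGORITHM_ID SIGNATURE_ALGORITHM_ID_SHA512_RSA` plus a matching OID macro, and using those names everywhere. `SECOidTag sigAlg` is also declared after statements in a C file, which relies on C99 mixed declarations; both functions continue outside their hunks.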
@@ -21,6 +21,14 @@ which is 16 bytes */ #define SIGNATURE_BLOCK_OFFSET 16 +/* Signature algorithm IDs. */ +#define SIGNATURE_ALGORITHM_ID_SHA1_RSA 1 +#ifdef MAR_USE_SHA512_RSA_SIG +/* Use 512 as the algorithm ID so it is less likely that we will conflict with + whatever Mozilla chooses when they add support for a stronger signature. */ +#define SIGNATURE_ALGORITHM_ID_SHA512_RSA 512 +#endif + /* Make sure the file is less than 500MB. We do this to protect against invalid MAR files. */ #define MAX_SIZE_OF_MAR_FILE ((int64_t)524288000) diff --git a/modules/libmar/tool/mar.c b/modules/libmar/tool/mar.c index f1dd761367754..d80a7de2115fd 100644 --- a/modules/libmar/tool/mar.c +++ b/modules/libmar/tool/mar.c @@ -32,7 +32,11 @@ int mar_repackage_and_sign(const char *NSSConfigDir, const char * dest); static void print_version() { +#ifdef TOR_BROWSER_UPDATE + printf("Version: %s\n", TOR_BROWSER_VERSION); +#else printf("Version: %s\n", MOZ_APP_VERSION); +#endif printf("Default Channel ID: %s\n", MAR_CHANNEL_ID); } @@ -62,7 +66,7 @@ static void print_usage() { "signed_input_archive.mar base_64_encoded_signature_file " "changed_signed_output.mar\n"); printf("(i) is the index of the certificate to extract\n"); -#if defined(XP_MACOSX) || (defined(XP_WIN) && !defined(MAR_NSS)) +#if (defined(XP_MACOSX) || defined(XP_WIN)) && !defined(MAR_NSS) printf("Verify a MAR file:\n"); printf(" mar [-C workingDir] -D DERFilePath -v signed_archive.mar\n"); printf("At most %d signature certificate DER files are specified by " @@ -117,7 +121,11 @@ int main(int argc, char **argv) { char *NSSConfigDir = NULL; const char *certNames[MAX_SIGNATURES]; char *MARChannelID = MAR_CHANNEL_ID; +#ifdef TOR_BROWSER_UPDATE + char *productVersion = TOR_BROWSER_VERSION; +#else char *productVersion = MOZ_APP_VERSION; +#endif uint32_t k; int rv = -1; uint32_t certCount = 0; 
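Review bot: `print_version` and the `productVersion` initializer in `main` use `TOR_BROWSER_VERSION` whenever `TOR_BROWSER_UPDATE` is defined, but tool/moz.build sets the two macros under independent `if CONFIG[...]` tests. A build that has the first without the second stops on an undeclared identifier instead of a clear message, and the commit message relies on this version for downgrade protection. An explicit guard near the top of mar.c would make the requirement visible: `#if defined(TOR_BROWSER_UPDATE) && !defined(TOR_BROWSER_VERSION)` / `#error TOR_BROWSER_VERSION must be defined` / `#endif`. `main` continues outside the hunk.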
@@ -139,8 +147,8 @@ int main(int argc, char **argv) { #if defined(XP_WIN) && !defined(MAR_NSS) && !defined(NO_SIGN_VERIFY) memset((void*)certBuffers, 0, sizeof(certBuffers)); #endif -#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ - defined(XP_MACOSX)) +#if !defined(NO_SIGN_VERIFY) && (!defined(MAR_NSS) && (defined(XP_WIN) || \ + defined(XP_MACOSX))) memset(DERFilePaths, 0, sizeof(DERFilePaths)); memset(fileSizes, 0, sizeof(fileSizes)); #endif @@ -171,8 +179,8 @@ int main(int argc, char **argv) { argv += 2; argc -= 2; } -#if !defined(NO_SIGN_VERIFY) && ((!defined(MAR_NSS) && defined(XP_WIN)) || \ - defined(XP_MACOSX)) +#if !defined(NO_SIGN_VERIFY) && (!defined(MAR_NSS) && (defined(XP_WIN) || \ + defined(XP_MACOSX))) /* -D DERFilePath, also matches -D[index] DERFilePath We allow an index for verifying to be symmetric with the import and export command line arguments. */ diff --git a/modules/libmar/tool/moz.build b/modules/libmar/tool/moz.build index 05f31d9183fdb..744557e0bb982 100644 --- a/modules/libmar/tool/moz.build +++ b/modules/libmar/tool/moz.build @@ -29,7 +29,13 @@ for var in ('MAR_CHANNEL_ID', 'MOZ_APP_VERSION'): DEFINES[var] = '"%s"' % CONFIG[var] HOST_DEFINES[var] = DEFINES[var] +if CONFIG['TOR_BROWSER_UPDATE']: + DEFINES['TOR_BROWSER_UPDATE'] = '%s' % CONFIG['TOR_BROWSER_UPDATE'] +if CONFIG['TOR_BROWSER_VERSION']: + DEFINES['TOR_BROWSER_VERSION'] = '"%s"' % CONFIG['TOR_BROWSER_VERSION'] + if CONFIG['MOZ_ENABLE_SIGNMAR']: + DEFINES['MAR_NSS'] = True USE_LIBS += [ 'nspr', 'nss', @@ -43,12 +49,12 @@ if CONFIG['OS_ARCH'] == 'WINNT': OS_LIBS += [ 'ws2_32', ] - if CONFIG['MOZ_ENABLE_SIGNMAR']: + if CONFIG['MOZ_ENABLE_SIGNMAR'] and not DEFINES['MAR_NSS']: OS_LIBS += [ 'crypt32', 'advapi32', ] -elif CONFIG['OS_ARCH'] == 'Darwin': +elif CONFIG['OS_ARCH'] == 'Darwin' and not DEFINES['MAR_NSS']: OS_LIBS += [ '-framework Security', ] 
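Review bot: The new `TOR_BROWSER_UPDATE` and `TOR_BROWSER_VERSION` entries go into `DEFINES` only, while the loop just above them mirrors `MAR_CHANNEL_ID` and `MOZ_APP_VERSION` into `HOST_DEFINES` as well. If mar.c is also compiled as a host tool from this directory (not visible in the hunk), that build would take the `#else` branch and default to `MOZ_APP_VERSION` in the MAR info block, which is the version the commit message says must not be used. Mirroring both values, e.g. `HOST_DEFINES['TOR_BROWSER_VERSION'] = DEFINES['TOR_BROWSER_VERSION']`, would keep the two builds consistent.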
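Review bot: `not DEFINES['MAR_NSS']` is tested in the `WINNT` and `Darwin` branches, but `MAR_NSS` is assigned only inside `if CONFIG['MOZ_ENABLE_SIGNMAR']:`. With signmar disabled the key has never been set, so the Darwin test depends on how `DEFINES` treats a missing key, and with signmar enabled the Windows `crypt32`/`advapi32` branch can no longer be reached at all. A local flag such as `use_nss = bool(CONFIG['MOZ_ENABLE_SIGNMAR'])`, set once and tested in both places, would state the intent directly and avoid the lookup.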
diff --git a/modules/libmar/verify/cryptox.c b/modules/libmar/verify/cryptox.c index af34210383df0..f39669ba0b61f 100644 --- a/modules/libmar/verify/cryptox.c +++ b/modules/libmar/verify/cryptox.c @@ -64,8 +64,12 @@ NSS_VerifyBegin(VFYContext **ctx, return CryptoX_Error; } - *ctx = VFY_CreateContext(*publicKey, NULL, - SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE, NULL); +#ifdef MAR_USE_SHA512_RSA_SIG + SECOidTag sigAlg = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION; +#else + SECOidTag sigAlg = SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE; +#endif + *ctx = VFY_CreateContext(*publicKey, NULL, sigAlg, NULL); if (*ctx == NULL) { return CryptoX_Error; } diff --git a/modules/libmar/verify/cryptox.h b/modules/libmar/verify/cryptox.h index 2296b815f42e3..ab9b5a3579040 100644 --- a/modules/libmar/verify/cryptox.h +++ b/modules/libmar/verify/cryptox.h @@ -59,6 +59,10 @@ CryptoX_Result NSS_VerifySignature(VFYContext * const *ctx , #elif XP_MACOSX +#ifdef MAR_USE_SHA512_RSA_SIG +#error MAR_USE_SHA512_RSA_SIG is not implemented. +#endif + #define CryptoX_InvalidHandleValue NULL #define CryptoX_ProviderHandle void* #define CryptoX_SignatureHandle void* @@ -106,6 +110,11 @@ void CryptoMac_FreePublicKey(CryptoX_PublicKey* aPublicKey); #elif defined(XP_WIN) +#ifdef MAR_USE_SHA512_RSA_SIG +#error MAR_USE_SHA512_RSA_SIG is not implemented. +#endif + + #include #include diff --git a/modules/libmar/verify/mar_verify.c b/modules/libmar/verify/mar_verify.c index 3e32ab2665d3f..2617bf879fa73 100644 --- a/modules/libmar/verify/mar_verify.c +++ b/modules/libmar/verify/mar_verify.c 
@@ -274,8 +274,25 @@ mar_extract_and_verify_signatures_fp(FILE *fp, } /* We don't try to verify signatures we don't know about */ - if (signatureAlgorithmIDs[i] != 1) { - fprintf(stderr, "ERROR: Unknown signature algorithm ID.\n"); +#ifdef MAR_USE_SHA512_RSA_SIG + const uint32_t kSupportedAlgID = SIGNATURE_ALGORITHM_ID_SHA512_RSA; +#else + const uint32_t kSupportedAlgID = SIGNATURE_ALGORITHM_ID_SHA1_RSA; +#endif + + if (signatureAlgorithmIDs[i] != kSupportedAlgID) { +#ifdef MAR_USE_SHA512_RSA_SIG + if (signatureAlgorithmIDs[i] == SIGNATURE_ALGORITHM_ID_SHA1_RSA) { + fprintf(stderr, + "ERROR: Unsupported signature algorithm (SHA1 with RSA).\n"); + } else { + fprintf(stderr, "ERROR: Unknown signature algorithm ID %u.\n", + signatureAlgorithmIDs[i]); + } +#else + fprintf(stderr, "ERROR: Unknown signature algorithm ID %u.\n", + signatureAlgorithmIDs[i]); +#endif for (i = 0; i < signatureCount; ++i) { free(extractedSignatures[i]); } diff --git a/modules/libmar/verify/moz.build b/modules/libmar/verify/moz.build index a2a6b03ec9085..def185c6cb2dc 100644 --- a/modules/libmar/verify/moz.build +++ b/modules/libmar/verify/moz.build @@ -15,16 +15,10 @@ FORCE_STATIC_LIB = True if CONFIG['OS_ARCH'] == 'WINNT': USE_STATIC_LIBS = True -elif CONFIG['OS_ARCH'] == 'Darwin': - UNIFIED_SOURCES += [ - 'MacVerifyCrypto.cpp', - ] - OS_LIBS += [ - '-framework Security', - ] -else: - DEFINES['MAR_NSS'] = True - LOCAL_INCLUDES += ['../sign'] + +DEFINES['MAR_NSS'] = True +DEFINES['MAR_USE_SHA512_RSA_SIG'] = True +LOCAL_INCLUDES += ['../sign'] LOCAL_INCLUDES += [ '../src', 
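Review bot: The comment kept above the new check, `We don't try to verify signatures we don't know about`, no longer describes it: with `MAR_USE_SHA512_RSA_SIG` set the code refuses SHA1-RSA, an algorithm it does know, and accepts exactly one ID. Because this check is what stops an archive from selecting the weaker algorithm, the comment should say so, e.g. `/* Accept only the algorithm this build was compiled for; SHA1-RSA is refused on purpose when MAR_USE_SHA512_RSA_SIG is set. */`. The new `fprintf` calls also print a `uint32_t` with `%u`; a cast such as `(unsigned int)signatureAlgorithmIDs[i]` keeps the format and argument types matched. The enclosing function starts and ends outside the hunk.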
diff --git a/toolkit/mozapps/update/updater/release_primary.der b/toolkit/mozapps/update/updater/release_primary.der index 11417c35e7ffe8af28486e716722be8211bf865f..542fb24f552661aba4229d57024bc3ef14856ff9 100644 GIT binary patch literal 1229 zcmXqLVmWEh#I$h%GZP~d6Dz|)|9}(&UN%mxHjlRNyo`*ztPBQfhAIY1Y|No7%)-(k z`9%s&Mfv5$sYMFDjzJ2=ndy0%dFcw-sg(wD;=G0?hDL@K29~CV1}0HJuBm}BoJ+Jh zO-xG2PGDqZU~XdKX8<~ri>Zl;k>R>-jb+1AXY+p_QcD)eW?$z!d{blLvx^;JKlfj# zdC_AfneZpyR&mY3d(xo`BiNNUY|n{a^xVvLU4f*!l|jMR6WXz-cBcuiw@aR#H8Vzg z^<`^+hZ!fF)^K;u`TXE~=d;gy_o?aZ6f0Tk{LpM$9q&A)t3@~Yyf5yFdfl=##Q$rz zljE`wz9VTY9ihsx_RWW-Ywwj*>YkNNTIV4pnZ4zgLD9Cf{X#E9mStq}@dfu@iQLH3 zn0!msIz%~URh;@{hZ8XzFHBNv0{5yW%dHn!&!~InZ{7Fltf?hEzDuQwHv6(IE8>fp za^g>M^v6|KQw_a}w@5eX#b<1maGLt%Lj3pjzXc|&+{u%@exq0OoEnEuGJzXk=P8$7 zYk#zT(_#_+iMN?;%@;q<5SCwat$&-&>ykj}dZtQ+r|agFHuE$nirs78+Lv=s@6Z2r z1)2J>dz@2*3{Jn-&hT%W?4GsIo+0a=kYn+An?=mmZ$36JSYNzn?t8}2TA!pRU41MH z%g^jqGB;7-l3T+&OX6v{kZ*&$cQ8zA(yk_HHIwdJzd~1jH{pO1%MhvX`Y|D>u zvFKd-tTn$YQ@_OO(N7(ri;ebD5>p-D37nJEbuIDXv{rc`C*avvX#DnR%cKu?&g3Sg zC4Ij9$hvp$*&yL{#y`F_E9t+Mh;&NiEZ(iOs;lPt#KN-yTg;i585tOnQwT7T0#gVh z!@-4erR%SxO!8Z3zYCfB0K`{2r!hn4$&us?oiSI~F2dE14qu6_BE${N>;lk#ue zzaZBjeJyt%!;-_>*GDd_Y;kyMcEE5?1Y*n+j;S8G(y-Xj;gfu0So^Lkg-_?d^>6GHuTt9P z(tj$eP2vBFX&+tn@9#YA`f=*lx-4^_iXqG^PD^?7RQ7ys{NkC!5^3YjER#ji|TtV(ClLJZft8#>tu8o*P{qjE@NTFP7hY zU-a+_w*M&~TW{~rzNoXJlUd6!AffjO@0UML$yX0BoG6SwW0_gL8W{=K4;k`H_iJ)M0}D7&Us|8nEx+jrD1vAMSg z*EH@n;qE-co3t>Y@KW0E$zt-oP8SuVIJPgk!ggV{;)3K*&jjPB|5+BFmn2IY3OE>UJQF)ATj z&B)5Y+{DPw0CXM~QxhX2!=5_r?~R$x9{TGe5`Dkcnz~Q3ndfA_kWf7=z_^<);mH6gFX#^u_77N7qGcVEo^ zbXlmZI#KJE%idDs%L8H#|Ob>Y3+SwZ(6*;oZo@%*eoq974dz0frDGLy7ds+{$#ZEwx9B z%&*!pB#6zKqxU36==OSVg+Jfp9Mrou#ogT?wX5RFzPF7V4t(LM*jMD~C-(l~XI{pu z&HKn(lOCX3XYiWtkXC)opa|(K?4^pn=O;mrK&RG z1Fx-oy2Rf}dHT;E6HZxuT+WjI!Mlr1+rVS@q%9m>=L+`agg(9WWnRy9`ERaGjH}Q6 z@#z0~N&G#*ZFx_S%!wCb*;+rpY # include # include "nsWindowsHelpers.h" -# include "prprf.h" # define getcwd(path, size) _getcwd(path, size) # define getpid() 
GetCurrentProcessId() #elif defined(XP_UNIX) @@ -149,36 +148,6 @@ GetInstallDirPath(nsIFile *appDir, nsACString& installDirPath) return NS_OK; } -#if defined(TOR_BROWSER_UPDATE) && defined(XP_WIN) -#define PATH_SEPARATOR ";" - -// In Tor Browser, updater.exe depends on some DLLs that are located in the -// app directory. To allow the updater to run when it has been copied into -// the update directory, we append the app directory to the PATH. -static nsresult -AdjustPathForUpdater(nsIFile *appDir) -{ - nsAutoCString appPath; - nsresult rv = appDir->GetNativePath(appPath); - NS_ENSURE_SUCCESS(rv, rv); - - char *s = nullptr; - char *pathValue = PR_GetEnv("PATH"); - if ((nullptr == pathValue) || ('\0' == *pathValue)) { - s = PR_smprintf("PATH=%s", appPath.get()); - } else { - s = PR_smprintf("PATH=%s" PATH_SEPARATOR "%s", pathValue, appPath.get()); - } - - // We intentionally leak the value that is passed into PR_SetEnv() because - // the environment will hold a pointer to it. - if ((nullptr == s) || (PR_SUCCESS != PR_SetEnv(s))) - return NS_ERROR_FAILURE; - - return NS_OK; -} -#endif - #ifdef DEBUG static void dump_argv(const char *aPrefix, char **argv, int argc) 
@@ -487,13 +456,22 @@ CopyUpdaterIntoUpdateDir(nsIFile *greDir, nsIFile *appDir, nsIFile *updateDir, * Appends the specified path to the library path. * This is used so that updater can find libmozsqlite3.so and other shared libs. * - * @param pathToAppend A new library path to prepend to LD_LIBRARY_PATH + * @param pathToAppend A new library path to prepend to the dynamic linker's search path. */ -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && \ - !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK) +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && (defined(MAR_NSS) || \ + (!defined(XP_WIN) && !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK))) #include "prprf.h" +#if defined(XP_WIN) +#define PATH_SEPARATOR ";" +#define LD_LIBRARY_PATH_ENVVAR_NAME "PATH" +#else #define PATH_SEPARATOR ":" +#if defined(XP_MACOSX) +#define LD_LIBRARY_PATH_ENVVAR_NAME "DYLD_LIBRARY_PATH" +#else #define LD_LIBRARY_PATH_ENVVAR_NAME "LD_LIBRARY_PATH" +#endif +#endif static void AppendToLibPath(const char *pathToAppend) { 
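Review bot: The doc comment on `AppendToLibPath` still says "Appends" in its summary and "to prepend" in the `@param` line, and with this hunk the variable becomes `PATH` on Windows and `DYLD_LIBRARY_PATH` on macOS, where the position of the entry decides which copy of a library the updater loads. The libraries found through this path are the NSS/NSPR code that checks the MAR signature, so the comment should state which order is used and that the directory passed in must be the installed application directory. The function body is outside the hunk, so whether it appends or prepends cannot be confirmed here. The macro name `LD_LIBRARY_PATH_ENVVAR_NAME` is also misleading now that it can expand to `PATH`; a neutral name such as `LIB_PATH_ENVVAR_NAME` would read better.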
@@ -724,16 +702,20 @@ SwitchToUpdatedApp(nsIFile *greDir, nsIFile *updateDir, if (gSafeMode) { PR_SetEnv("MOZ_SAFE_MODE_RESTART=1"); } -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && \ - !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK) - AppendToLibPath(installDirPath.get()); -#endif -#if defined(TOR_BROWSER_UPDATE) && defined(XP_WIN) - nsresult rv2 = AdjustPathForUpdater(appDir); - if (NS_FAILED(rv2)) { - LOG(("SwitchToUpdatedApp -- AdjustPathForUpdater failed (0x%x)\n", rv2)); +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && (defined(MAR_NSS) || \ + (!defined(XP_WIN) && !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK))) +#ifdef TOR_BROWSER_UPDATE + nsAutoCString appPath; + nsresult rv2 = appDir->GetNativePath(appPath); + if (NS_SUCCEEDED(rv2)) { + AppendToLibPath(appPath.get()); + } else { + LOG(("SwitchToUpdatedApp -- appDir->GetNativePath() failed (0x%x)\n", rv2)); } +#else + AppendToLibPath(installDirPath.get()); +#endif #endif LOG(("spawning updater process for replacing [%s]\n", updaterPath.get())); 
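Review bot: When `appDir->GetNativePath()` fails under `TOR_BROWSER_UPDATE`, `SwitchToUpdatedApp` only logs and still goes on to spawn the updater without the library path, and the identical block is copied into `ApplyUpdate` in the next hunk. The updater would then presumably fail to load NSS with a less obvious error, so either return the failure before spawning or add a comment explaining why continuing is safe. A small static helper that takes `appDir` and `installDirPath` and contains the `#ifdef TOR_BROWSER_UPDATE` choice would remove the duplication and keep the two call sites from drifting. The outer guard now also requires `MAR_NSS` to be defined for this translation unit on Windows and macOS; the toolkit/xre/moz.build change that would do that is not visible here. Both functions continue outside their hunks.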
@@ -1019,22 +1001,25 @@ ApplyUpdate(nsIFile *greDir, nsIFile *updateDir, nsIFile *statusFile, if (gSafeMode) { PR_SetEnv("MOZ_SAFE_MODE_RESTART=1"); } -#if defined(MOZ_VERIFY_MAR_SIGNATURE) && !defined(XP_WIN) && \ - !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK) +#if defined(MOZ_VERIFY_MAR_SIGNATURE) && (defined(MAR_NSS) || \ + (!defined(XP_WIN) && !defined(XP_MACOSX) && !defined(MOZ_WIDGET_GONK))) +#ifdef TOR_BROWSER_UPDATE + nsAutoCString appPath; + nsresult rv2 = appDir->GetNativePath(appPath); + if (NS_SUCCEEDED(rv2)) { + AppendToLibPath(appPath.get()); + } else { + LOG(("ApplyUpdate -- appDir->GetNativePath() failed (0x%x)\n", rv2)); + } +#else AppendToLibPath(installDirPath.get()); +#endif #endif if (isOSUpdate) { PR_SetEnv("MOZ_OS_UPDATE=1"); } -#if defined(TOR_BROWSER_UPDATE) && defined(XP_WIN) - nsresult rv2 = AdjustPathForUpdater(appDir); - if (NS_FAILED(rv2)) { - LOG(("ApplyUpdate -- AdjustPathForUpdater failed (0x%x)\n", rv2)); - } -#endif - #if defined(MOZ_WIDGET_GONK) // We want the updater to be CPU friendly and not subject to being killed by // the low memory killer, so we pass in some preferences to allow it to -- GitLab