commit 989c423b71698e85421c6a85a5855506cea530d5 Author: Mike Perry mikeperry-git@torproject.org Date: Thu Jun 18 15:56:54 2015 -0700
Commit FF38 audit notes (incomplete).
Still need to finish XPCOM socket auditing.
---
audits/FF38_NETWORK_AUDIT | 269 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 269 insertions(+)
diff --git a/audits/FF38_NETWORK_AUDIT b/audits/FF38_NETWORK_AUDIT
new file mode 100644
index 0000000..dfcdf8c
--- /dev/null
+++ b/audits/FF38_NETWORK_AUDIT
@@ -0,0 +1,269 @@ +Lowest level resolver calls: + + PR_GetHostByName + + ./profile/dirserviceprovider/src/nsProfileLock.cpp + + nsProfileLock::LockWithSymlink() looks up 127.0.0.1.. + + XXX: Should we remove this? It seems kind of silly. + + ./nsprpub/pr/src/cplus/rcnetdb.cpp + + RCHostLookup::ByName() + + Not used + + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c + + XXX: pkix_pl_Socket_CreateByName and pkix_pl_Socket_CreateByHostAndPort + + Patched + + ./security/nss/lib/certhigh/ocsp.c + + XXX: ocsp_ConnectToHost + + Patched + + PR_GetIPNodeByName + + Used by tests only + + PR_StringToNetAddr + + Passes AI_NUMERICHOST to getaddrinfo. No resolution. + + PR_GetAddrInfoByName + + ./security/nss/cmd/ usage (NSS cli commands only) + + ./netwerk/dns/GetAddrInfo.cpp + + ./netwerk/dns/nsHostResolver.cpp + + nsHostResolver::ResolveHost() is entrypoint + + nsHostResolver::ThreadFunc() will resolve without SOCKS + + Only used by nsDNSService2 + +Direct paths to DNS resolution: + + nsDNSService::Resolve + + nsDNSService::AsyncResolve + + Patched for safety + + nsHostResolver::ResolveHost + + Only used by nsDNSService + +Misc UDP (SOCK_DGRAM, PR_DESC_SOCKET_UDP): + + PR_DESC_SOCKET_UDP + + ./nsprpub/pr/src/md/os2/os2io.c + + ./nsprpub/pr/src/cplus/rcio.h + + RCFileIO (not used) + + RCNetStreamIO (not used) + + ./nsprpub/pr/src/io/prsocket.c + + PR_GetUDPMethods + + ./nsprpub/pr/src/misc/prinit.c + + PR_GetInheritedFD + + ./nsprpub/pr/src/pthreads/ptio.c + + SOCK_DGRAM + + Android junk (not relevant): + + ./other-licenses/android/res_send.c + + ./other-licenses/android/res_init.c + + ./other-licenses/android/getaddrinfo.c + + ./hal/gonk/UeventPoller.cpp + + netlink stuff + + ./ipc/chromium/src/third_party/libevent/evdns.c + + evdns is unused + + ./ipc/chromium/src/third_party/libevent/evutil.c + + interface checking functions. Unused. 
+ + ./media/webrtc/* + + Disabled + + ./media/mtransport/third_party/nICEr/src/stun/addrs.c + + boils down to NrIceCtx::StartGathering + + Used only for PeerConnection, which we disable + + SCTP is only enabled with WEBRTC (see configure.in, netwerk/moz.build, and ./dom/base/moz.build) + + ./netwerk/sctp/src/netinet/sctputil.c + + ./netwerk/sctp/src/netinet/sctp_userspace.c + + ./netwerk/sctp/src/netinet/sctp_pcb.c + + ./netwerk/sctp/src/ifaddrs_android.cpp + + ./netwerk/sctp/src/user_recv_thread.c + + ./netwerk/wifi/nsWifiScannerFreeBSD.cpp + + GeoIP stuff. Is disabled. + + ./nsprpub/pr/src/io/prsocket.c + + PR_NewUDPSocket + + PR_OpenUDPSocket + + PR_Socket + + ./nsprpub/pr/src/pthreads/ptio.c + + PR_NewUDPSocket + + ./media/mtransport/nr_socket_prsock.cpp + + Disabled with WebRTC + + PR_OpenUDPSocket + + RTSP is only on Android (see configure.in, pref: media.rtsp.enabled): + + ./netwerk/protocol/rtsp/rtsp/ARTPSession.cpp + + ./netwerk/protocol/rtsp/rtsp/ARTPConnection.cpp + + ./netwerk/protocol/rtsp/rtsp/ARTPWriter.cpp + + ./netwerk/protocol/rtsp/rtsp/UDPPusher.cpp + + ./netwerk/base/src/Tickler.cpp + + Sends UDP packets to DHCP gateway, but only on android + + ./netwerk/socket/nsUDPSocketProvider.cpp + + NewSocket(). Unused. + + ./netwerk/base/src/ProxyAutoConfig.cpp + + We don't use PAC. 
+ + ./netwerk/base/src/nsUDPSocket.cpp + + Unused except for nsUDPSocketProvider + + PR_ImportUDPSocket + + Only called if NSPR_INHERIT_FDS in environment + +Misc TCP (SOCK_STREAM, PR_DESC_SOCKET_TCP): + + PR_DESC_SOCKET_TCP + + ./nsprpub/pr/src/md/os2/os2io.c + + OS/2 only + + ./nsprpub/pr/src/cplus/rcio.h + + RCFileIO (not used) + + RCNetStreamIO (not used) + + ./nsprpub/pr/src/io/pripv6.c + + Underlying wrapper for PR_Socket + + ./nsprpub/pr/src/io/prsocket.c + + ./nsprpub/pr/src/misc/prinit.c + + ./nsprpub/pr/src/pthreads/ptio.c + + ./netwerk/base/src/nsSocketTransportService2.cpp + + SOCK_STREAM + + ./dom/bluetooth/bluez/BluetoothUnixSocketConnector.cpp + + bluetooth sockets only + + ./dom/system/gonk/VolumeManager.cpp + + local only + + ./ipc/chromium/src/chrome/common/ipc_channel_posix.cc + + AF_UNIX/local only + + ./ipc/chromium/src/third_party/libevent/event.c + + ./ipc/chromium/src/third_party/libevent/evutil.c + + ./ipc/chromium/src/third_party/libevent/listener.c + + ./ipc/chromium/src/third_party/libevent/bufferevent_sock.c + + ./ipc/chromium/src/third_party/libevent/signal.c + + ./ipc/chromium/src/third_party/libevent/http.c + + ./ipc/chromium/src/third_party/libevent/event_iocp.c + + ./ipc/keystore/KeyStore.cpp + + AF_LOCAL only + + ./ipc/nfc/Nfc.cpp + + local/loopback only + + ./ipc/ril/Ril.cpp + + local/loopback only + + ./ipc/netd/Netd.cpp + + local only + + ./media/webrtc/* - disabled + + ./netwerk/dns/GetAddrInfo.cpp + + Only available through dns service + + ./mozglue/build/Nuwa.cpp + + Unix sockets only + + ./nsprpub/pr/src/misc/prnetdb.c + + RTSP and SCTP are disabled if WebRTC is compiled out + + ./netwerk/protocol/rtsp/rtsp/ARTSPConnection.cpp + + ./netwerk/sctp/src/netinet/sctp_pcb.c + + ./netwerk/sctp/src/user_socket.c + + ./netwerk/sctp/datachannel/DataChannel.cpp + + Android stuff: disabled + + ./other-licenses/android/res_send.c + + ./other-licenses/android/getaddrinfo.c + + ./nsprpub/pr/src/md/windows/ntio.c + + 
./nsprpub/pr/src/cplus/rcnetio.cpp + + ./nsprpub/pr/src/io/prsocket.c + + ./nsprpub/pr/src/misc/prnetdb.c + + ./nsprpub/pr/src/pthreads/ptio.c + + ./toolkit/crashreporter/google-breakpad/src/client/linux/crash_generation/crash_generation_client.cc + + AF_UNIX socket.. + + PR_NewTCPSocket + + ./nsprpub/pr/src/cplus/rcnetio.cpp + + ./nsprpub/pr/src/io/prpolevt.c + + ./media/mtransport/nr_socket_prsock.cpp + + WebRTC only + + ./security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_socket.c + + pkix_pl_Socket_CreateClient + + pkix_pl_Socket_CreateByHostAndPort and pkix_pl_Socket_CreateByName + and pkix_pl_Socket_Create + + PKIX_PL_LdapDefaultClient_Create is unused. Other two noted above. + + Patched in pkix_pl_Socket_Create anyway. + + ./security/nss/lib/certhigh/ocsp.c + + ocsp_ConnectToHost. Patched for Defense in Depth + + PR_OpenTCPSocket + + ./security/manager/ssl/src/nsNSSIOLayer.cpp + + nsSSLIOLayerNewSocket + + ./security/manager/ssl/src/nsTLSSocketProvider.cpp + + nsTLSSocketProvider::NewSocket + + ./security/manager/ssl/src/nsSSLSocketProvider.cpp + + nsSSLSocketProvider::NewSocket (nsISocketProvider) + + nsISocketProvider.newSocket + + used with proxy settings (and only in nsSocketTransport::BuildSocket) + + ./netwerk/socket/nsSOCKSIOLayer.cpp + + ./netwerk/socket/nsSOCKSSocketProvider.cpp + + ./netwerk/base/src/nsSocketTransportService2.cpp + + ./netwerk/base/src/nsSocketTransport2.cpp + + ./netwerk/base/src/nsServerSocket.cpp + + PR_ImportTCPSocket + +Misc PR_Socket: + + ./nsprpub/pr/src/io/prmapopt.c + + ./nsprpub/pr/src/cplus/rcnetio.cpp + + RCNetStreamIO::RCNetStreamIO + +Misc XPCOM: + + *SocketProvider + + newSocket + + ./netwerk/base/src/nsSocketTransport2.cpp: + + used with proxy settings + + addToSocket + + @mozilla.org/*/udp-socket (grep for udp-socket) + + dom/push/PushService.jsm: + + WTF. _listenForUDPWakeup!!! 
+ + Controlled by pref services.push.udp.wakeupEnabled + + And also services.push.enabled + + Currently false + + XXX: Verify false on android and in the future! + + dom/network/UDPSocket.cpp: + + dom.udpsocket.enabled prefs this off + + XXX: Watch this in the future! + + dom/apps/PermissionsTable.jsm + + dom/webidl/SocketCommon.webidl + + dom/webidl/UDPSocket.webidl + + layout/build/nsLayoutModule.cpp + + ./netwerk/build/nsNetCID.h + + NS_SOCKETTRANSPORTSERVICE_* + + Proxied if TCP + + Udp limited to mtransport and webrtc + + NS_UDPSOCKET_* + - toolkit/devtools/discovery/discovery.js + - XXX: Wtf is this thing? + - Part of "WebIDE", but seemingly not enabled until FF39? + - toolkit/modules/secondscreen/SimpleServiceDiscovery.jsm + - XXX: wtf is this thing? + + @mozilla.org/*/tcp-socket-* (grep for tcp-socket) + - ./toolkit/modules/secondscreen/RokuApp.jsm + - XXX: Android-only? But def proxy-bypass + + ./netwerk/protocol/rtsp/ (disabled) + - ./dom/network/TCPSocket.js + - XXX: possibly exposed via navigator.mozTCPSocket.. dom.mozTCPSocket.enabled pref control.. Android/FxOS only? + - https://developer.mozilla.org/en-US/docs/Web/API/Navigator/mozTCPSocket + - ./dom/network/TCPSocket.manifest + + ./dom/apps/tests/marketplace/marketplace_privileged_app.webapp + + ./dom/apps/PermissionsTable.jsm + - ./browser/extensions/shumway/chrome/RtmpUtils.jsm + - XXX: shumway.rtmp.enabled governs usage of createSocket + - ./browser/extensions/shumway/chrome/viewerWrapper.js + - ./browser/extensions/shumway/chrome/content.js + - ./browser/extensions/shumway/content/shumway.player.js can also use + mozTCPSocket + + ./layout/build/nsLayoutModule.cpp + - @mozilla.org/network/*socket* (grep -R "@mozilla.org/network/" . | grep socket | grep -v udp-socket) + + ./addon-sdk/source/lib/sdk/io/stream.js + + Addon APIs + + ./dom/ipc/preload.js + + ./dom/network/TCPServerSocket.js + - ./mobile/android/chrome/content/WebappRT.js + - Debugger? 
+ - XXX: Pretty sure this is only for 'webapps', but it sets some scary + prefs that might impact other browser operation if an app is + installed? + + ./netwerk/build/nsNetCID.h + - Debugger stuff + - XXX: Has several prefs: + - devtools.debugger.enabled? + - devtools.debugger.remote-enabled + - devtools.debugger.force-local + - devtools.remote.tls-handshake-timeout + - ./toolkit/devtools/server/main.js + - ./toolkit/devtools/client/connection-manager.js + - ./toolkit/devtools/server/main.js + - ./toolkit/devtools/client/dbg-client.jsm + - ./toolkit/devtools/security/socket.js + - ./toolkit/modules/Sntp.jsm + - B2G ntp + - ./toolkit/xre/nsAppRunner.cpp + - createTransport() + + ./netwerk/protocol/http/nsHttpConnectionMgr.cpp + + ./netwerk/protocol/ftp/nsFtpConnectionThread.cpp + + ./netwerk/protocol/ftp/nsFtpControlConnection.cpp + +- Misc XPCOM Contract-ID/CID defines: + - NS_*SOCKET*_C should get them all (grep -R "NS_" | grep SOCKET | grep "_C") + ++ Gstreamer + + ./dom/media/gstreamer/GStreamerDecoder.cpp + + Uses ChannelMediaResource underneath, and ultimately an nsIChannel + + Only exception seems to be if an RtspMediaResource could be used, + but this appears to be FxOS-only. + + XXX: Note for FxOS tor support. This may be an issue.