[tor-commits] [tor-browser-spec/master] Adding the FF60 nework audit
gk at torproject.org
gk at torproject.org
Thu Jul 11 08:03:33 UTC 2019
commit 2ac466c637335af083b7b747b490979fb33f6a1c
Author: Georg Koppen <gk at torproject.org>
Date: Thu Jul 11 08:03:02 2019 +0000
Adding the FF60 nework audit
---
audits/FF60_NETWORK_AUDIT | 196 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 196 insertions(+)
diff --git a/audits/FF60_NETWORK_AUDIT b/audits/FF60_NETWORK_AUDIT
new file mode 100644
index 0000000..282df0a
--- /dev/null
+++ b/audits/FF60_NETWORK_AUDIT
@@ -0,0 +1,196 @@
+Things to grep for in general when investigating changes:
+
+PR_GetHostByName
+PR_GetIPNodeByName
+PR_GetAddrInfoByName
+PR_StringToNetAddr (itself is good as it passes AI_NUMERICHOST to getaddrinfo. No resolution.)
+
+MDNS
+TRR (DNS Trusted Recursive Resolver)
+
+Direct Paths to DNS resolution:
+nsDNSService::Resolve
+nsDNSService::AsyncResolve
+nsHostResolver::ResolveHost
+
+SOCK_
+SOCKET_
+_SOCKET
+UDPSocket
+PR_NewTCPSocket
+AsyncTCPSocket
+TCPSocket
+
+Rust
+
+Misc PR_Socket
+
+Misc XPCOM (including commands for pre-diff review approach)
+ *SocketProvider
+ grep -R udp-socket .
+ grep -R tcp-socket .
+ grep for tcpsocket
+ grep -R "NS_" | grep SOCKET | grep "_C"
+ grep -R "@mozilla.org/network/" . | grep socket | grep -v udp-socket
+
+Android Java calls
+
+-------------------------------------------------------------------------------
+I followed the diff approach by doing `git diff -U10 esr52 esr60` and then
+going over all the changes containing the above mentioned potentially dangerous
+calls and features. For additional details see: comment:15:ticket:22176.
+
+Direct Paths to DNS resolution:
++ changes mainly to take originAttributes into account
++ nsHostResolver::ResolveHost
+ + Only used by nsDNSService
++ nsDNSService::Resolve
+ - Patched for safety (XXX: Verify application)
++ nsDNSService::AsyncResolve
+ - Patched for safety (XXX: Verify application)
++ ChildDNSService::AsyncResolve and ChildDNSService::Resolve
+ + ./netwerk/dns/ChildDNSService.cpp
+ + Resolve is not implemented and AsyncResolve goes over NeckoParent and
+ DNSRequestParent to nsDNSService::AsyncResolve
+ nsDNSService.
+ + ./netwerk/ipc/NeckoParent.cpp
+ + Calls into DNS service via DNSRequestParent::DoAsyncResolve()
+ + ./netwerk/ipc/NeckoChild.cpp
+
+- TRR (DNS Trusted Recursive Resolver)
+ - off for now (`network.trr.mode` is `0`), should be unproblematic, though, as
+ we make sure to resolve DNS remotely anyway
+ - XXX verify when it gets enabled
+
++ FlyWeb
+ + removed in esr 60, bug 1374574
+
++ Mortar
+ + not compiled in as we are not compiling with --enable-mortar
+
+Strange things doing DNS:
+ - media/webrtc/trunk/webrtc/voice_engine/test/channel_transport/udp_transport_impl.cc
+ + (just a test; is using getaddrinfo)
+ - a bunch of gtest.cc inclusions
+ + (just a test; using getaddrinfo (via
+ StreamingListener::SocketWriter::MakeConnection() or
+ StreamingListener::MakeConnection))
+ + third_party/python/requests/requests/packages/urllib3/util/connection.py
+ (getaddrinfo)
+ - mtransport
+ + Not compiled in due to us using --disable-webrtc
+
+Rust
+ + Auditing Rust for proxy bypasses is tricky.
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1376621
+ (https://hg.mozilla.org/mozilla-central/rev/435183826647) got some way to
+ enforce proxy safety for Linux at least (bug 1524408 is the bug for
+ macOS/Windows). I went backwards from the enabled features in
+ toolkit/library/rust/gkrust-features.mozbuild and think we are good here.
+ For a double-check of that approach and a different one, see: #27616.
+ See as well comment:11:ticket:21862.
+
+SOCK_
+ + media/webrtc/trunk/webrtc/base/network.cc,
+ media/webrtc/trunk/webrtc/base/physicalsocketserver.cc and other WebRTC
+ code
+ + disabled via WebRTC
+ - netwerk/srtp/src/test/rtpw.c (just a test)
+ - nsprpub/pr/src/md/windows/w95sock.c XXX part of TCP Fast Open implementation
+ (bug 1188435; disabled by pref right now)
+ - in a bunch of .py files in psutil update (which is used for unit tests)
+ - third_party/python/pyasn1-modules/tools/snmpget.py in pyasn1-modules update
+ (which is used for unit tests)
+
+UDPSocket
+ + Mortar (not compiled in as we are not compiling with --enable-mortar)
+
+PR_NewTCPSocket
+ - security/nss/fuzz/tls_server_target.cc (just used for fuzzing)
+
+AsyncTCPSocket
+ + /media/webrtc/trunk/webrtc/base/nat_unittest.cc (just test and we compile
+ WebRTC out)
+
+TCPSocket (test in bug 1329245 that ensures TCPSocket is not exposed to content)
+ + Mortar (not compiled in as we are not compiling with --enable-mortar)
+
+udp-socket
+ + netwerk/test/unit/test_udpsocket.js (test-only)
+ + netwerk/test/unit/test_udpsocket_offline.js (test-only)
+
+tcpsocket
+ + not exposed to content; test_tcpsocket_not_exposed_to_content.html checks
+ that (see bug 1329245)
+
+NS_*SOCKET*_C
+ - mtransport (media/mtransport/ipc/StunAddrsRequestParent.cpp)
+ + not compiled in via MOZ_WEBRTC not specified (nor MOZ_SCTP, which relies on
+ the former being available)
+
+ at mozilla.org/network/*socket
+ + browser/base/content/test/urlbar/browser_urlbar_search_no_speculative_connect_with_client_cert.js
+
+Android
+ - HttpURLConnection
+ + ch.boye.httpclientandroidlib.impl.client.* seems good
+ - ch.boye.httpclientandroidlib.impl.conn XXX: needs hard-coding proxy settings
+
+Android Java calls
+ + Uses ch.boye.httpclientandroidlib.impl.client.*:
+ + mobile/android/base/java/org/mozilla/gecko/telemetry/TelemetryUploadService.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/oauth/FxAccountAbstractClient.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/push/autopush/AutopushClient.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/AbstractBearerTokenAuthHeaderProvider.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/AuthHeaderProvider.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResourceDelegate.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BasicAuthHeaderProvider.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/HMACAuthHeaderProvider.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/HawkAuthHeaderProvider.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/ResourceDelegate.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageCollectionRequest.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRequest.java
+ + mobile/android/services/src/main/java/org/mozilla/gecko/tokenserver/TokenServerClient.java
+ + mobile/android/services/src/test/java/org/mozilla/android/sync/test/helpers/MockResourceDelegate.java
+ + mobile/android/services/src/test/java/org/mozilla/gecko/sync/net/test/TestHawkAuthHeaderProvider.java
+ + mobile/android/services/src/test/java/org/mozilla/gecko/sync/net/test/TestLiveHawkAuth.java
+
+ - Uses ch.boye.httpclientandroidlib.impl.conn.*
+ + mobile/android/base/java/org/mozilla/gecko/util/URIUtils.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java
+ - XXX: needs hard-coding proxy settings
+ + mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java
+
+ - Proxy bypass by mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/BaseResource.java|Resource.java
+ - mobile/android/base/java/org/mozilla/gecko/telemetry/TelemetryUploadService.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/FxAccountClient20.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/oauth/FxAccountOAuthClient10.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/background/fxa/profile/FxAccountProfileClient10.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient10.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/browserid/verifier/BrowserIDRemoteVerifierClient20.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/push/autopush/AutopushClient.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRecordRequest.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/SyncStorageRequest.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/downloaders/BatchingDownloader.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/repositories/uploaders/RecordUploadRunnable.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/EnsureCrypto5KeysStage.java
+ - mobile/android/services/src/main/java/org/mozilla/gecko/tokenserver/TokenServerClient.java
+
+ - Misc other issues
+ - mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/DefaultHttpDataSource.java (fixed upstream in bug 1459420)
+ - mobile/android/geckoview/src/thirdparty/java/com/google/android/exoplayer2/upstream/UdpDataSource.java
+ - XXX: patch out
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/MetaGlobal.java
+ - XXX likely proxy bypass
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/net/TLSSocketFactory.java
+ - XXX possible bypass via ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.createSocket()
+ - mobile/android/services/src/main/java/org/mozilla/gecko/sync/stage/FetchInfoCollectionsStage.java
+ - XXX: likely proxy bypass
+ - mobile/android/stumbler/java/org/mozilla/mozstumbler/service/utils/AbstractCommunicator.java (URL.openConnection())
+ - mobile/android/thirdparty/com/leanplum/internal/WebSocketClient.java
+ - mobile/android/thirdparty/com/squareup/picasso
+ - XXX needs a patch (done in #27016)
+
+ - DNS leaks in Android core's library before Android O
+ - XXX: patched out in #28125 with duct tape
More information about the tor-commits
mailing list