[tor-commits] [Git][tpo/applications/tor-browser][tor-browser-102.8.0esr-12.5-1] 2 commits: Bug 1817756 - Add a seed to the network ID. r=valentin, necko-reviewers
Richard Pospesel (@richard)
git at gitlab.torproject.org
Wed Feb 22 11:15:00 UTC 2023
Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits:
3dd7b20a by Pier Angelo Vendrame at 2023-02-22T09:55:31+01:00
Bug 1817756 - Add a seed to the network ID. r=valentin,necko-reviewers
This helps to prevent linkability of users in the same network.
Differential Revision: https://phabricator.services.mozilla.com/D170373
- - - - -
e8982629 by Pier Angelo Vendrame at 2023-02-22T09:59:38+01:00
Bug 41599: Always return an empty string as network ID
Firefox computes an internal network ID used to detect network changes
and act accordingly (e.g., to improve WebSocket UX).
However, there are a few ways to get this internal network ID, so we
patch them out, to be sure any new code will not be able to use them and
possibly link users.
We also sent a patch to Mozilla to seed the internal network ID, to
prevent any accidental leak in the future.
Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1817756
- - - - -
8 changed files:
- + netwerk/system/LinkServiceCommon.cpp
- + netwerk/system/LinkServiceCommon.h
- netwerk/system/android/nsAndroidNetworkLinkService.cpp
- netwerk/system/linux/nsNetworkLinkService.cpp
- netwerk/system/mac/nsNetworkLinkService.mm
- netwerk/system/moz.build
- netwerk/system/netlink/NetlinkService.cpp
- netwerk/system/win32/nsNotifyAddrListener.cpp
Changes:
=====================================
netwerk/system/LinkServiceCommon.cpp
=====================================
@@ -0,0 +1,30 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "LinkServiceCommon.h"
+
+#include "mozilla/Maybe.h"
+#include "mozilla/SHA1.h"
+#include "mozilla/TimeStamp.h"
+#include "nsID.h"
+
+using namespace mozilla;
+
+void SeedNetworkId(SHA1Sum& aSha1) {
+ static Maybe<nsID> seed = ([]() {
+ Maybe<nsID> uuid(std::in_place);
+ if (NS_FAILED(nsID::GenerateUUIDInPlace(*uuid))) {
+ uuid.reset();
+ }
+ return uuid;
+ })();
+ if (seed) {
+ aSha1.update(seed.ptr(), sizeof(*seed));
+ } else {
+ TimeStamp timestamp = TimeStamp::ProcessCreation();
+ aSha1.update(×tamp, sizeof(timestamp));
+ }
+}
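Review bot: The `else` fallback in `SeedNetworkId` seeds the hash with `TimeStamp::ProcessCreation()`, which is far more guessable than the UUID, so on that path the seed does little against someone who can already guess the network inputs. Because that weakens the unlinkability this function exists for, I would at least document it, e.g. `// Fallback only: process start time is guessable; weaker than the UUID seed.`, or leave the network ID empty when UUID generation fails. The fallback also hashes the raw object bytes via `sizeof(timestamp)`, which assumes `TimeStamp` carries no uninitialised padding; that is worth confirming. The `×tamp` on that line looks like `&timestamp` mangled by the list archive rather than an error in the patch.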
=====================================
netwerk/system/LinkServiceCommon.h
=====================================
@@ -0,0 +1,17 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef LINK_SERVICE_COMMON_H_
+#define LINK_SERVICE_COMMON_H_
+
+namespace mozilla {
+class SHA1Sum;
+}
+
+// Add a seed to the computed network ID to prevent user linkability.
+void SeedNetworkId(mozilla::SHA1Sum& aSha1);
+
+#endif // LINK_SERVICE_COMMON_H_
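Review bot: The comment on `SeedNetworkId` does not say when to call it or how long the seed lives. Going by the implementation in LinkServiceCommon.cpp, the seed is created once per process and mixed in with `update()`, so callers must invoke it before `finish()`, and the resulting ID is not comparable across restarts. I would extend the comment to something like `// Mixes a per-process random seed into aSha1; call before finish(). IDs differ across restarts.`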
=====================================
netwerk/system/android/nsAndroidNetworkLinkService.cpp
=====================================
@@ -123,11 +123,15 @@ nsAndroidNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP
nsAndroidNetworkLinkService::GetNetworkID(nsACString& aNetworkID) {
+#ifdef BASE_BROWSER
+ aNetworkID.Truncate();
+#else
if (!mNetlinkSvc) {
return NS_ERROR_NOT_AVAILABLE;
}
mNetlinkSvc->GetNetworkID(aNetworkID);
+#endif
return NS_OK;
}
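Review bot: The `#ifdef BASE_BROWSER` branch blanks only the getter, while the `#else` side shows the real ID is still computed and held by `mNetlinkSvc`, so any path that reads the stored value without going through `GetNetworkID` is not covered by this stub; whether such a reader exists is not visible here. The same applies to the Linux and macOS `nsNetworkLinkService::GetNetworkID`, `NetlinkService::GetNetworkID` and `nsNotifyAddrListener::GetNetworkID` hunks. Note also that with `BASE_BROWSER` this method now returns `NS_OK` with an empty string even when `mNetlinkSvc` is null, where it previously returned `NS_ERROR_NOT_AVAILABLE`. A one-line comment at each stub would keep the intent from being lost in a rebase, e.g. `// Bug 41599: never expose the network ID, to avoid linking users on the same network.`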
=====================================
netwerk/system/linux/nsNetworkLinkService.cpp
=====================================
@@ -50,11 +50,15 @@ nsNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP
nsNetworkLinkService::GetNetworkID(nsACString& aNetworkID) {
+#ifdef BASE_BROWSER
+ aNetworkID.Truncate();
+#else
if (!mNetlinkSvc) {
return NS_ERROR_NOT_AVAILABLE;
}
mNetlinkSvc->GetNetworkID(aNetworkID);
+#endif
return NS_OK;
}
=====================================
netwerk/system/mac/nsNetworkLinkService.mm
=====================================
@@ -35,6 +35,7 @@
#include "mozilla/Telemetry.h"
#include "nsNetworkLinkService.h"
#include "../../base/IPv6Utils.h"
+#include "../LinkServiceCommon.h"
#include "../NetworkLinkServiceDefines.h"
#import <Cocoa/Cocoa.h>
@@ -122,8 +123,12 @@ nsNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP
nsNetworkLinkService::GetNetworkID(nsACString& aNetworkID) {
+#ifdef BASE_BROWSER
+ aNetworkID.Truncate();
+#else
MutexAutoLock lock(mMutex);
aNetworkID = mNetworkId;
+#endif
return NS_OK;
}
@@ -600,11 +605,8 @@ void nsNetworkLinkService::calculateNetworkIdInternal(void) {
bool found6 = IPv6NetworkId(&sha1);
if (found4 || found6) {
- // This 'addition' could potentially be a fixed number from the
- // profile or something.
- nsAutoCString addition("local-rubbish");
nsAutoCString output;
- sha1.update(addition.get(), addition.Length());
+ SeedNetworkId(sha1);
uint8_t digest[SHA1Sum::kHashSize];
sha1.finish(digest);
nsAutoCString newString(reinterpret_cast<char*>(digest), SHA1Sum::kHashSize);
=====================================
netwerk/system/moz.build
=====================================
@@ -15,3 +15,9 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "android":
elif CONFIG["OS_ARCH"] == "Linux":
DIRS += ["linux", "netlink"]
+
+SOURCES += [
+ "LinkServiceCommon.cpp",
+]
+
+FINAL_LIBRARY = "xul"
=====================================
netwerk/system/netlink/NetlinkService.cpp
=====================================
@@ -18,6 +18,7 @@
#include "nsPrintfCString.h"
#include "mozilla/Logging.h"
#include "../../base/IPv6Utils.h"
+#include "../LinkServiceCommon.h"
#include "../NetworkLinkServiceDefines.h"
#include "mozilla/Base64.h"
@@ -1812,11 +1813,8 @@ void NetlinkService::CalculateNetworkID() {
bool found6 = CalculateIDForFamily(AF_INET6, &sha1);
if (found4 || found6) {
- // This 'addition' could potentially be a fixed number from the
- // profile or something.
- nsAutoCString addition("local-rubbish");
nsAutoCString output;
- sha1.update(addition.get(), addition.Length());
+ SeedNetworkId(sha1);
uint8_t digest[SHA1Sum::kHashSize];
sha1.finish(digest);
nsAutoCString newString(reinterpret_cast<char*>(digest),
@@ -1877,8 +1875,12 @@ void NetlinkService::CalculateNetworkID() {
}
void NetlinkService::GetNetworkID(nsACString& aNetworkID) {
+#ifdef BASE_BROWSER
+ aNetworkID.Truncate();
+#else
MutexAutoLock lock(mMutex);
aNetworkID = mNetworkId;
+#endif
}
nsresult NetlinkService::GetDnsSuffixList(nsTArray<nsCString>& aDnsSuffixList) {
=====================================
netwerk/system/win32/nsNotifyAddrListener.cpp
=====================================
@@ -45,6 +45,7 @@
#include "mozilla/Base64.h"
#include "mozilla/ScopeExit.h"
#include "mozilla/Telemetry.h"
+#include "../LinkServiceCommon.h"
#include <iptypes.h>
#include <iphlpapi.h>
@@ -104,8 +105,12 @@ nsNotifyAddrListener::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP
nsNotifyAddrListener::GetNetworkID(nsACString& aNetworkID) {
+#ifdef BASE_BROWSER
+ aNetworkID.Truncate();
+#else
MutexAutoLock lock(mMutex);
aNetworkID = mNetworkId;
+#endif
return NS_OK;
}
@@ -248,7 +253,7 @@ void nsNotifyAddrListener::calculateNetworkId(void) {
nsAutoCString output;
SHA1Sum::Hash digest;
HashSortedNetworkIds(nwGUIDS, sha1);
-
+ SeedNetworkId(sha1);
sha1.finish(digest);
nsCString newString(reinterpret_cast<char*>(digest), SHA1Sum::kHashSize);
nsresult rv = Base64Encode(newString, output);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/d80384f964bc474973ab335bcc9ff11fb56ccb44...e8982629a7837daa957b628afe1c08cfa96123d9