Closed Bug 1433509 Opened 7 years ago Closed 5 years ago

potential proxy bypasses in networking code

Categories

(Core :: Security: PSM, enhancement, P3)

RESOLVED WONTFIX

People

(Reporter: arthur, Assigned: pierov, NeedInfo)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor 13028][psm-backlog])

Attachments

(1 file)

In Tor Browser, a couple of locations in network code looked like they might cause the proxy to be bypassed.

Here's the patch: https://torpat.ch/13028
Here is the original ticket: https://trac.torproject.org/13028

We'd like to propose uplifting this code, but controlled by a build flag (--enable-proxy-bypass-protection).
Assignee: nobody → nobody
Component: Networking → Libraries
Product: Core → NSS
We can ignore, and Tor could revert, the lib/libpkix changes. NSS has two different PKIX libraries but Firefox actually has its own (mozpkix). The ones in NSS aren't used and are slated for removal if we would ever get around to integrate mozpkix back into NSS...
The OCSP code isn't used by Firefox either, we have security/certverifier/OCSPRequestor.cpp. Dana, can you please confirm?
Flags: needinfo?(dkeeler)
If this is all correct, Tor wouldn't actually need this patch, but I understand that you would probably like to have more assurance. We unfortunately can't remove the code as NSS is a library used by many others. What would be a good way forward?
Flags: needinfo?(arthuredelstein)
(In reply to Tim Taubert [:ttaubert] from comment #1)
> We can ignore, and Tor could revert, the lib/libpkix changes. NSS has two
> different PKIX libraries but Firefox actually has its own (mozpkix). The
> ones in NSS aren't used and are slated for removal if we would ever get
> around to integrate mozpkix back into NSS...

Some more information: we actually don't build libpkix anymore [1]. There still is the other verification library [2] that would probably(?) use the OCSP code mentioned above, however as long as Firefox calls SSL_AuthCertificateHook() we'll never get there.

[1] https://searchfox.org/nss/source/coreconf/config.gypi#94
[2] https://searchfox.org/nss/source/lib/certhigh/certvfy.c#538
Tim's correct. If we want to be even more sure, I believe we can configure the classic cert verifier (not libpkix and not mozilla::pkix) to call application-supplied OCSP functions that just error out or abort or something (again, that should essentially be dead code in Firefox, though).
Flags: needinfo?(dkeeler)
There's even a function we can call to ensure OCSP checking is disabled. We'll never get there but it wouldn't hurt to call it either. [1]

[1] https://searchfox.org/nss/source/lib/certhigh/ocsp.c#5683
Moving to PSM. If there's anything we want to do, it's probably there and not in NSS.
Priority: -- → P3
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Whiteboard: [tor 13028] → [tor 13028][psm-backlog]
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX

Hello,
we updated Tor Browser's patch before noticing this ticket existed.
We would like to keep it for more assurance.

The new version uses --enable-proxy-bypass-protection.
Would you be interested in upstreaming it?
If so, I could create a Phabricator patch.

Thanks.

Assignee: nobody → pierov
Flags: needinfo?(dkeeler)

Thanks, but it's really not necessary, particularly for Firefox.

Flags: needinfo?(dkeeler)