Open
Bug 1216882
Opened 9 years ago
Updated 3 years ago
When "security.nocertdb" pref is true, HTTP Auth Dialog fails (Tor 14716)
Categories
(Core :: Networking: HTTP, defect, P5)
Core
Networking: HTTP
Tracking
()
NEW
People
(Reporter: arthur, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor][necko-backlog][tor-standalone])
Attachments
(2 files, 1 obsolete file)
681 bytes,
patch
|
rrelyea
:
review-
|
Details | Diff | Splinter Review |
1.50 KB,
patch
|
Dolske
:
review-
|
Details | Diff | Splinter Review |
In bug 629558, we introduced a boolean pref, "security.nocertdb", that when enabled ensures the intermediate certificate store is memory only. Unfortunately, this caused an unexpected bug, where the username/password prompt for HTTP Basic Authentication is not displayed a second time. Here's how to reproduce it (copied from https://trac.torproject.org/14716): 0. In about:config, add a boolean pref "security.nocertdb" and set to true. 1. Open https://www.httpwatch.com/httpgallery/authentication/ 2. Click the "Display Image" button within Example 10 on that page. 3. When prompted, enter "httpwatch" for the username and any password. 4. Click the "Display Image" button a second time. Expected result: a new username / password prompt. Actual result: no prompt.
Reporter | ||
Comment 1•9 years ago
|
||
The latest version of Tor Browser's fix for this issue is here: https://torpat.ch/14716
Reporter | ||
Comment 2•9 years ago
|
||
Here's Tor Browser's patch, rebased to the latest version of mozilla-central.
Attachment #8677747 -
Flags: review?(honzab.moz)
Comment on attachment 8677747 [details] [diff] [review] 0001-Bug-1216882-Fix-bug-in-HTTP-Auth-prompt-when-securit.patch Review of attachment 8677747 [details] [diff] [review]: ----------------------------------------------------------------- FWIW, I think this is the wrong level to fix this at. Something in PSM (probably nsSDR or one of the PKCS11 interfaces) is unexpectedly failing because of the lack of a permanent database, and it would be better to handle the problem there.
Reporter | ||
Comment 4•9 years ago
|
||
Comment on attachment 8677747 [details] [diff] [review] 0001-Bug-1216882-Fix-bug-in-HTTP-Auth-prompt-when-securit.patch (In reply to David Keeler [:keeler] (use needinfo?) from comment #3) > Comment on attachment 8677747 [details] [diff] [review] > 0001-Bug-1216882-Fix-bug-in-HTTP-Auth-prompt-when-securit.patch > > Review of attachment 8677747 [details] [diff] [review]: > ----------------------------------------------------------------- > > FWIW, I think this is the wrong level to fix this at. Something in PSM > (probably nsSDR or one of the PKCS11 interfaces) is unexpectedly failing > because of the lack of a permanent database, and it would be better to > handle the problem there. Thanks for pointing this out. I'm removing the review request while we look at problem again.
Attachment #8677747 -
Flags: review?(honzab.moz)
Reporter | ||
Comment 5•9 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #3) > Comment on attachment 8677747 [details] [diff] [review] > 0001-Bug-1216882-Fix-bug-in-HTTP-Auth-prompt-when-securit.patch > > Review of attachment 8677747 [details] [diff] [review]: > ----------------------------------------------------------------- > > FWIW, I think this is the wrong level to fix this at. Something in PSM > (probably nsSDR or one of the PKCS11 interfaces) is unexpectedly failing > because of the lack of a permanent database, and it would be better to > handle the problem there. I think this is correct. When Firefox starts up, I see the following error message: JavaScript error: ...dist/NightlyDebug.app/Contents/Resources/components/crypto-SDR.js, line 66: NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIPK11Token.initPassword] I tracked the reason for this error to the following lines in pkcs11.c: https://dxr.mozilla.org/mozilla-central/rev/9a8f2342fb3116d23989087e026448d38a3768c5/security/nss/lib/softoken/pkcs11.c#3541 It turns out that sftk_getKeyDB(slot) returns NULL, so NSC_InitPIN returns the error code CKR_PIN_LEN_RANGE. The reason sftk_getKeyDB(slot) is returning NULL is that earlier we set slot->certDB to NULL and never initialized it because the following `if` statement returned false: https://dxr.mozilla.org/mozilla-central/rev/9a8f2342fb3116d23989087e026448d38a3768c5/security/nss/lib/softoken/pkcs11.c#2426 That's to be expected, as "security.nocertdb" is set to true. So here's a patch that appears to gracefully handle sftk_getKeyDB(slot) == NULL. It gets rid of the error messages, and also fixes the original HTTP Auth dialog bug. (I don't really understand the design of the PKCS11 library, so any advice here would be appreciated.)
Attachment #8677747 -
Attachment is obsolete: true
Attachment #8679748 -
Flags: review?(dkeeler)
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch Review of attachment 8679748 [details] [diff] [review]: ----------------------------------------------------------------- This is NSS code, so even if I were familiar with it, I wouldn't be appropriate to review it. In any case, I think I've come up with a more compartmentalized solution that (hopefully) is less likely to have unintended side-effects.
Attachment #8679748 -
Flags: review?(dkeeler)
Attachment #8680289 -
Flags: review?(dolske)
Comment 8•9 years ago
|
||
I'm probably ok with this as a workaround in password manager... But does it actually work? In other words, what happens if the user saves a password and tries to later use it? In a new session? Seems like this is really a flaw in NSS/PSM, and it's not clear to me that bug 629558 should inherently have had any effect here (other than by somehow screwing up softtoken initialization?). In particular, I'm confused because the password manager really just uses this via SecretDecoderRing, which basically just uses a key from key3.db to do the crypto. No certs involved at all. Forcing all of NSS/PSM into "nodb" mode is a pretty big hammer for just avoiding intermediate certs. I didn't read through all the code, but it sounds like this entirely prevents creation of cert8.db and key3.db? And I wouldn't be surprised if that mode doesn't work well with Firefox or had never been tested...
Flags: needinfo?(arthuredelstein)
Reporter | ||
Comment 9•9 years ago
|
||
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch Review of attachment 8679748 [details] [diff] [review]: ----------------------------------------------------------------- (In reply to Justin Dolske [:Dolske] from comment #8) > I'm probably ok with this as a workaround in password manager... But does it > actually work? In other words, what happens if the user saves a password and > tries to later use it? In a new session? We have been using "security.nocertdb" -> true in Tor Browser for a while, and it does work, in the sense that HTTP username/password are remembered within a session. However, in a new Firefox session, the credentials must be entered anew (which is the desired behavior). > Seems like this is really a flaw in NSS/PSM, and it's not clear to me that > bug 629558 should inherently have had any effect here (other than by somehow > screwing up softtoken initialization?). Yes, I agree. Does my patch make any sense at all? Unfortunately I have little understanding NSS/PSM, so I don't know what side effects there might be. If this isn't safe, then probably David's patch is a better approach.
Attachment #8679748 -
Flags: review?(dolske)
Comment 10•9 years ago
|
||
(In reply to Arthur Edelstein from comment #9) > > I'm probably ok with this as a workaround in password manager... But does it > > actually work? In other words, what happens if the user saves a password and > > tries to later use it? In a new session? > > We have been using "security.nocertdb" -> true in Tor Browser for a while, > and it does work, in the sense that HTTP username/password are remembered > within a session. However, in a new Firefox session, the credentials must be > entered anew (which is the desired behavior). No, I mean are the credentials being saved in the login manager database, and are those credentials readable in the next session? I ask because it _sounds_ like this isn't initializing any of the NSS databases, including key3.db, which would mean users with this enabled are saving bad entries in the password manager that can't be retrieved later.
Comment 11•9 years ago
|
||
Comment on attachment 8680289 [details] [diff] [review] 1216882-catch-initPassword-failure.diff Yeah, this might make HTTP auth work, but it leaves password manager broken. If I try to same a password from a web page (say, Gmail) with this, upon clicking "Remember" I get prompt to set a password on the software security device. Which doesn't actually work, attempting to do so results in an error and all the user can do is click cancel.
Attachment #8680289 -
Flags: review?(dolske) → review-
(In reply to Justin Dolske [:Dolske] from comment #11) > Comment on attachment 8680289 [details] [diff] [review] > 1216882-catch-initPassword-failure.diff > > Yeah, this might make HTTP auth work, but it leaves password manager broken. > > If I try to same a password from a web page (say, Gmail) with this, upon > clicking "Remember" I get prompt to set a password on the software security > device. Which doesn't actually work, attempting to do so results in an error > and all the user can do is click cancel. That's what I'm seeing too. In any case, I imagine if a user sets the "security.nocertdb" pref, they also wouldn't want to save any logins, so perhaps that whole subsystem should be disabled there. Going back to the big picture, "security.nocertdb" is not a first-class feature. It isn't tested and it isn't guaranteed to not break things. My understanding was our support of it would be limited to occasional, small-scope fixes to get specific things working (like http auth in this case). Now that I think about it, though, I'm not even sure what it's for. Presumably anyone who sets this pref doesn't want to save anything to disk (and perhaps blowing away the profile directory on exit isn't considered good enough). If that's the case, have they also disabled memory swapping? What about coldboot attacks? I realize that's a bit of a "prefect being the enemy of good" argument, but as we've seen, "security.nocertdb" isn't actually even that good.
Comment 13•9 years ago
|
||
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch ...so I think fixing this down in NSS/PSM is probably the correct route. Although my experience has been that this code is really obtuse and fragile, so I'm not going to be able to spend enough time on it in the near future to plausibly review. How about Tim, who I hear has newly found enthusiasm for NSS/PSM?! :)
Attachment #8679748 -
Flags: review?(dolske) → review?(ttaubert)
Comment 14•9 years ago
|
||
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch Sorry, I'll have to refer back to comment #6. David would probably be a way better fit to review this as I certainly know less than he does about NSS. But both of us can't review NSS patches, or know a lot about that part of the code as it seems.
Attachment #8679748 -
Flags: review?(ttaubert)
Reporter | ||
Updated•9 years ago
|
Flags: needinfo?(arthuredelstein)
Attachment #8679748 -
Flags: review?(wtc)
Comment 15•9 years ago
|
||
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch Review of attachment 8679748 [details] [diff] [review]: ----------------------------------------------------------------- Bob: could you please review this patch? Thanks. Arthur: although I am not reviewing the patch, I took a quick look and have some suggestions and questions for you. ::: security/nss/lib/softoken/pkcs11.c @@ +3540,4 @@ > > handle = sftk_getKeyDB(slot); > if (handle == NULL) { > + return CKR_OK; Although I can't evaluate whether this change is correct, I think this should at least be accompanied with a comment, because it is not clear why this function should return successfully when the sftk_getKeyDB() fails. Also, I wonder if we should only return the sftk_getKeyDB() failure after checking the error code. It seems wrong to ignore the failure blindly. Perhaps we should only ignore the failure when we know the failure is caused by the security.nocertdb setting.
Attachment #8679748 -
Flags: review?(wtc) → review?(rrelyea)
Comment 16•9 years ago
|
||
Comment on attachment 8679748 [details] [diff] [review] 0001-Bug-1216882-Fix-incorrect-handling-of-key-DB-when-se.patch Review of attachment 8679748 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/nss/lib/softoken/pkcs11.c @@ +3540,4 @@ > > handle = sftk_getKeyDB(slot); > if (handle == NULL) { > + return CKR_OK; So the reason we return the error on NSC_InitPIN() if there is not database is because you can't actually set the pin if there is not database. Why returning this error here is a problem is another matter. If the upper level code cares that the pin was set, then it should get an error here (we shouldn't silently succeed). If it doesn't care then it shouldn't blow up if we give it an error. I could be talked into a different error code (like function not supported or something), but return CRK_OK in this case is definately wrong.
Attachment #8679748 -
Flags: review?(rrelyea) → review-
Comment 17•9 years ago
|
||
We should look up the stack and see what is calling PK11_InitPin() and decide if we care if the pin was initialized or not. (It's usually used at database creation time, but we don't have a database, it may be the case it's being improperly called). There are a set of flags that tell you if the database is initialized or not. maybe those aren't being checked, or aren't being set correctly. bob
Comment 18•9 years ago
|
||
For what it's worth, the goal of the patch in attachment 8677747 [details] [diff] [review] is to disable login manager storage when security.nocertdb = true (if there is no secure storage available, the login manager cannot store anything). This is more consistent with Wan-Teh and Bob's desire to handle the error checking at a higher level, although technically the code in attachment 8677747 [details] [diff] [review] entirely skips initialization of the underlying systems when security.nocertdb = true.
Updated•8 years ago
|
Whiteboard: [tor] → [tor][necko-backlog]
Updated•8 years ago
|
Priority: -- → P3
Reporter | ||
Updated•8 years ago
|
Summary: When "security.nocertdb" pref is true, HTTP Auth Dialog fails → When "security.nocertdb" pref is true, HTTP Auth Dialog fails (Tor 14716)
Updated•8 years ago
|
Whiteboard: [tor][necko-backlog] → [tor][necko-backlog][tor-standalone]
Comment 19•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P3 → P1
Comment 20•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Comment 21•3 years ago
|
||
Bulk-downgrade of unassigned, untouched DOM/Storage bug's priority.
If you have reason to believe, this is wrong, please write a comment and ni :jstutte.
Severity: normal → S4
Priority: P3 → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•