Closed Bug 1315143 Opened 8 years ago Closed 8 years ago

Make OCSP use Origin Attribute framework

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: jhao, Assigned: jhao)

References

Details

(Whiteboard: [OA][domsecurity-active])

Attachments

(3 files)

Bug 1315143 - Make OCSP use Origin Attribute framework (PSM).
58 bytes, text/x-review-board-request
jcristau
: approval-mozilla-aurora+
Details
Bug 1315143 - Make OCSP use Origin Attribute framework (Necko).
58 bytes, text/x-review-board-request
jcristau
: approval-mozilla-aurora+
Details
Bug 1315143 - Disable warnings caused by including BasePrincipal.h
58 bytes, text/x-review-board-request
Cykesiopka
: review+
keeler
: review+
jcristau
: approval-mozilla-aurora+
Details
In bug 1264562 and bug 1312794, we isolated OCSP cache and requests by first party domain only because we didn't want to isolate them by containers. However, we should still make them use origin attribute framework in case we need to isolated them by other attributes in the future.
Priority: -- → P3
Blocks: 1282279
Hi Honza and David, could you help review these patches? I replace the first party domain with origin attributes, but still use only first party domain to make hashes. I also added a small test in OCSPCacheTest.cpp to ensure that OCSP cache is not isolated by containers.
Blocks: 1316283
Assignee: nobody → jhao
Status: NEW → ASSIGNED
Whiteboard: [OA][domsecurity-backlog1] → [OA][domsecurity-active]
See Also: → 1264562
Comment on attachment 8808956 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (Necko). https://reviewboard.mozilla.org/r/91664/#review91634 ::: netwerk/base/nsSocketTransport2.cpp:2410 (Diff revision 1) > +nsSocketTransport::SetScriptableOriginAttributes(JSContext* aCx, > + JS::Handle<JS::Value> aOriginAttributes) > +{ > + MutexAutoLock lock(mLock); > + NS_ENSURE_FALSE(mFD.IsInitialized(), NS_ERROR_FAILURE); > + ws
Attachment #8808956 - Flags: review?(honzab.moz) → review+
Comment on attachment 8808955 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). https://reviewboard.mozilla.org/r/91662/#review91782 This looks good in general, although there are a few minor nits to address. I'd also like Cykesiopka to have a quick look (particularly for #include issues and namespace style concerns). ::: security/certverifier/NSSCertDBTrustDomain.h:187 (Diff revision 1) > CertVerifier::PinningMode mPinningMode; > const unsigned int mMinRSABits; > ValidityCheckingMode mValidityCheckingMode; > CertVerifier::SHA1Mode mSHA1Mode; > NetscapeStepUpPolicy mNetscapeStepUpPolicy; > - const char* mFirstPartyDomain; > + NeckoOriginAttributes mOriginAttributes; Should this maybe just be a non-owning const reference? ::: security/certverifier/OCSPCache.cpp:219 (Diff revision 1) > { > MutexAutoLock lock(mMutex); > > size_t index; > - if (!FindInternal(aCertID, aFirstPartyDomain, index, lock)) { > + if (!FindInternal(aCertID, aOriginAttributes, index, lock)) { > LogWithCertID("OCSPCache::Get(%p,\"%s\") not in cache", aCertID, I don't think "%s" works here any longer, since OriginAttributes.mFirstPartyDomain is a wide string, right? We should either convert to utf-8 or maybe "%S" will work? ::: security/manager/ssl/TransportSecurityInfo.cpp:102 (Diff revision 1) > *aPort = mPort; > return NS_OK; > } > > nsresult > -TransportSecurityInfo::SetFirstPartyDomain(const nsACString& aFirstPartyDomain) > +TransportSecurityInfo::SetOriginAttributes(const NeckoOriginAttributes& aOriginAttributes) style nit: this line is >80 characters. I guess just putting the whole 'const NeckoOriginAttributes& aOriginAttributes' on the next line indented two spaces would be best. ::: security/manager/ssl/nsNSSCallbacks.cpp:114 (Diff revision 1) > priorityChannel->AdjustPriority(nsISupportsPriority::PRIORITY_HIGHEST); > > chan->SetLoadFlags(nsIRequest::LOAD_ANONYMOUS | > nsIChannel::LOAD_BYPASS_SERVICE_WORKER); > > - if (!mRequestSession->mFirstPartyDomain.IsEmpty()) { > + // Only record first party domain on OCSP channels. I was a bit confused by this comment initially. It might help to restructure and expand it: "For OCSP requests, only the first party domain aspect of origin attributes is used. This means that OCSP requests are shared across different containers." ::: security/manager/ssl/tests/unit/head_psm.js:327 (Diff revision 1) > * A callback function that takes an nsITransportSecurityInfo, which is called > * after the TLS handshake succeeds. > * @param {Function} aAfterStreamOpen > * A callback function that is called with the nsISocketTransport once the > * output stream is ready. > - * @param {String} aFirstPartyDomain > + * @param {String} aOriginAttributes nit: this isn't a string any more, right? Also let's update the documentation to say this is optional. ::: security/manager/ssl/tests/unit/head_psm.js:328 (Diff revision 1) > * after the TLS handshake succeeds. > * @param {Function} aAfterStreamOpen > * A callback function that is called with the nsISocketTransport once the > * output stream is ready. > - * @param {String} aFirstPartyDomain > + * @param {String} aOriginAttributes > * The first party domain which will be used to double-key the OCSP cache. nit: should probably update this line to refer to the origin attribute's first party domain
Attachment #8808955 - Flags: review?(dkeeler) → review+
Attachment #8808955 - Flags: review?(cykesiopka.bmo)
Comment on attachment 8808955 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). https://reviewboard.mozilla.org/r/91662/#review92582 This looks good, but FYI you're going to have to rebase and fix some resultant build errors. ::: security/certverifier/NSSCertDBTrustDomain.h:83 (Diff revision 1) > CertVerifier::PinningMode pinningMode, > unsigned int minRSABits, > ValidityCheckingMode validityCheckingMode, > CertVerifier::SHA1Mode sha1Mode, > NetscapeStepUpPolicy netscapeStepUpPolicy, > - const char* firstPartyDomain, > + const NeckoOriginAttributes& originAttributes, This needs an explicit `#include "mozilla/BasePrincipal.h"` or something. ::: security/certverifier/OCSPCache.h:63 (Diff revision 1) > - // The first party domain is only non-empty when "privacy.firstParty.isolate" > - // is enabled, in order to isolate OCSP cache by first party. > + // We only use the origin attributes' first party domain, which is only > + // non-empty when "privacy.firstParty.isolate" is enabled, in order to isolate > + // OCSP cache by first party. Nit: I would reword this and mention why we even need to pass in origin attributes first. Maybe something like this: ``` The passed in origin attributes are used to isolate the OCSP cache. We currently only use the first party domain portion of the attributes, and it is non-empty only when "privacy.firstParty.isolate" is enabled. ``` I would also move this comment after "If it is in the cache [...]". ::: security/certverifier/OCSPCache.h:74 (Diff revision 1) > - // The first party domain is only non-empty when "privacy.firstParty.isolate" > - // is enabled, in order to isolate OCSP cache by first party. > + // We only use the origin attributes' first party domain, which is only > + // non-empty when "privacy.firstParty.isolate" is enabled, in order to isolate > + // OCSP cache by first party. Same "reword" comment as above. ::: security/certverifier/OCSPCache.cpp:63 (Diff revision 1) > > // Let derIssuer be the DER encoding of the issuer of aCert. > // Let derPublicKey be the DER encoding of the public key of aIssuerCert. > // Let serialNumber be the bytes of the serial number of aCert. > // Let serialNumberLen be the number of bytes of serialNumber. > -// The first party domain is only non-empty when "privacy.firstParty.isolate" > +// Let firstPartyDomain be the first party domain of aOriginAttributes. Nit: The actual parameter is named `originAttributes`. It would also be nice to fix the out of date lines above that reference `aFoo` parameters while we're here, but up to you. ::: security/certverifier/OCSPCache.cpp:116 (Diff revision 1) > - rv = DigestLength(context, firstPartyDomainLen); > + nsCString firstPartyDomain = > + NS_ConvertUTF16toUTF8(originAttributes.mFirstPartyDomain); Nit: NS_ConvertUTF16toUTF8 is a class, so the following should work: ```cpp NS_ConvertUTF16toUTF8 firstPartyDomain(originAttributes.mFirstPartyDomain); ``` (This is apparently more efficient.) ::: security/certverifier/OCSPRequestor.h:17 (Diff revision 1) > > namespace mozilla { namespace psm { > > // The memory returned via |encodedResponse| is owned by the given arena. > Result DoOCSPRequest(const UniquePLArenaPool& arena, const char* url, > - const char* firstPartyDomain, > + const NeckoOriginAttributes& originAttributes, This should have a forward declaration or something. ::: security/manager/ssl/nsSSLSocketProvider.cpp:11 (Diff revision 1) > > #include "nsSSLSocketProvider.h" > #include "nsNSSIOLayer.h" > #include "nsError.h" > > +using mozilla::NeckoOriginAttributes; Needs an explicit include or something. ::: security/manager/ssl/nsTLSSocketProvider.cpp:11 (Diff revision 1) > > #include "nsTLSSocketProvider.h" > #include "nsNSSIOLayer.h" > #include "nsError.h" > > +using mozilla::NeckoOriginAttributes; Needs an explicit include or something.
Attachment #8808955 - Flags: review?(cykesiopka.bmo) → review+
Pushed by jhao@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/690c0cdddff7 Make OCSP use Origin Attribute framework (Necko). r=Cykesiopka,keeler https://hg.mozilla.org/integration/autoland/rev/81a11a25d25d Make OCSP use Origin Attribute framework (PSM). r=mayhemer
Attachment #8808956 - Flags: review?(dkeeler)
Attachment #8808956 - Flags: review?(cykesiopka.bmo)
Attachment #8808956 - Flags: review+
Attachment #8808955 - Flags: review?(honzab.moz) → review+
Thanks, Honza, David, and Cykesiopka.
sorry had to back this out for bustage like https://treeherder.mozilla.org/logviewer.html#?job_id=6577878&repo=autoland
Flags: needinfo?(jhao)
Backout by cbook@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/eaefbcd7fd7f Backed out changeset 81a11a25d25d https://hg.mozilla.org/integration/autoland/rev/0cb0af1888e3 Backed out changeset 690c0cdddff7 for bustage
Hi, David and Cykesiopka. I fixed the bustage that caused the backout, but then I got this. https://treeherder.mozilla.org/logviewer.html#?job_id=31095906&repo=try#L5831 Do you have any idea what could cause this error? Thanks.
Flags: needinfo?(jhao)
Flags: needinfo?(dkeeler)
Flags: needinfo?(cykesiopka.bmo)
(In reply to Jonathan Hao [:jhao] (Away until 11/21) from comment #15) > Hi, David and Cykesiopka. > > I fixed the bustage that caused the backout, but then I got this. > > https://treeherder.mozilla.org/logviewer.html#?job_id=31095906&repo=try#L5831 > > Do you have any idea what could cause this error? > > Thanks. Looks like you got bitten by different warnings being enabled in different directories. certverifier/ has quite a few warnings enabled. Here's the relevant section of the log: > 23:34:52 INFO - Unified_cpp_certverifier0.cpp > 23:34:52 INFO - c:\builds\moz2_slave\try-w32-0000000000000000000000\build\src\obj-firefox\dist\include\js/Value.h(448): error C2220: warning treated as error - no 'object' file generated > 23:34:52 INFO - Warning: C4365 in c:\builds\moz2_slave\try-w32-0000000000000000000000\build\src\obj-firefox\dist\include\js\Value.h: 'return': conversion from 'const int32_t' to 'JS::Value::PayloadType', signed/unsigned mismatch > 23:34:52 INFO - c:\builds\moz2_slave\try-w32-0000000000000000000000\build\src\obj-firefox\dist\include\js/Value.h(448): warning C4365: 'return': conversion from 'const int32_t' to 'JS::Value::PayloadType', signed/unsigned mismatch The code in question: https://hg.mozilla.org/mozilla-central/file/28e2a6dde76ab6ad4464a3662df1bd57af04398a/js/public/Value.h#l448 > PayloadType toNunboxPayload() const { > return data.s.payload.i32; > } This is getting triggered because of the new BasePrincipal.h includes. BasePrincipal.h includes nsJSPrincipals.h, which includes jsapi.h, which includes Value.h. I guess the proper fix here would be to address all these mismatches in Value.h. But, it would probably be easier to just surround the include with pragmas to disable the warnings being triggered (I think this is possible, but I'm not 100% sure), and file a bug to have the Value.h mismatches fixed.
Flags: needinfo?(cykesiopka.bmo)
That sounds like a good approach.
Flags: needinfo?(dkeeler)
Thanks, Cykesiopka and David. I disabled the one in Value.h, but I got two more in RootingAPI.h and Vector.h. And I can't use pragma warning push/pop because there's an unclosed pragma warning push in Vector.h ... So I think I have to use pragma default to re-enable those warning. https://treeherder.mozilla.org/logviewer.html#?job_id=31528230&repo=try#L4534
Comment on attachment 8812680 [details] Bug 1315143 - Disable warnings caused by including BasePrincipal.h https://reviewboard.mozilla.org/r/94342/#review94700 It's unfortunate but I think this is a fine workaround unless Cykesiopka has a better idea. ::: security/certverifier/CertVerifier.h:19 (Diff revision 1) > #include "mozilla/Telemetry.h" > #include "mozilla/UniquePtr.h" > #include "pkix/pkixtypes.h" > > +#if defined(_MSC_VER) > +#pragma warning( disable : 4324 4365 5032 ) style nit: from what I can see, it's more common to not have spaces before/after the parentheses and colon in these situations
Attachment #8812680 - Flags: review?(dkeeler) → review+
Comment on attachment 8812680 [details] Bug 1315143 - Disable warnings caused by including BasePrincipal.h https://reviewboard.mozilla.org/r/94342/#review94968 The general idea is fine; I don't have better suggestions at the moment. ::: security/certverifier/CertVerifier.h:18 (Diff revision 1) > -#include "mozilla/BasePrincipal.h" > #include "mozilla/Telemetry.h" > #include "mozilla/UniquePtr.h" > #include "pkix/pkixtypes.h" > > +#if defined(_MSC_VER) We should probably have a comment here noting what files are forcing us to disable the warnings. ::: security/certverifier/CertVerifier.h:23 (Diff revision 1) > +#if defined(_MSC_VER) > +#pragma warning( disable : 4324 4365 5032 ) > +#endif /* defined(_MSC_VER) */ > +#include "mozilla/BasePrincipal.h" > +#if defined(_MSC_VER) > +#pragma warning( default : 4324 4365 5032 ) https://msdn.microsoft.com/en-us/library/2c8f766e.aspx says "default" means: "[...] This also turns on a specified warning that is off by default [...]". So unless I'm misunderstanding, using "default" in a header file doesn't seem like a great idea. We should probably use the push, disable, pop pattern that's much more common in m-c instead.
Attachment #8812680 - Flags: review?(cykesiopka.bmo) → review+
Pushed by jhao@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/80a39e170b41 Make OCSP use Origin Attribute framework (PSM). r=Cykesiopka,keeler https://hg.mozilla.org/integration/autoland/rev/498b09513061 Make OCSP use Origin Attribute framework (Necko). r=mayhemer https://hg.mozilla.org/integration/autoland/rev/d7dd10403797 Disable warnings caused by including BasePrincipal.h r=Cykesiopka,keeler
Jonathan, can you request to uplift this bug to Aurora 52?
Flags: needinfo?(jhao)
Comment on attachment 8808955 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). Approval Request Comment [Feature/regressing bug #]: [User impact if declined]: If declined, Firefox 52 will not have full first party isolation support. We need to get these patches in ESR 52, so that Tor Browser can take them. [Describe test coverage new/current, TreeHerder]: covered by test_ocsp_caching.js and OCSPCacheTest.cpp [Risks and why]: minimum because first party isolation is pref'ed off. [String/UUID change made/needed]: none
Flags: needinfo?(jhao)
Attachment #8808955 - Flags: approval-mozilla-aurora?
Comment on attachment 8808956 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (Necko). Approval Request Comment [Feature/regressing bug #]: [User impact if declined]: If declined, Firefox 52 will not have full first party isolation support. We need to get these patches in ESR 52, so that Tor Browser can take them. [Describe test coverage new/current, TreeHerder]: covered by test_ocsp_caching.js and OCSPCacheTest.cpp [Risks and why]: minimum because first party isolation is pref'ed off. [String/UUID change made/needed]: none
Attachment #8808956 - Flags: approval-mozilla-aurora?
Comment on attachment 8812680 [details] Bug 1315143 - Disable warnings caused by including BasePrincipal.h Approval Request Comment [Feature/regressing bug #]: [User impact if declined]: If declined, Firefox 52 will not have full first party isolation support. We need to get these patches in ESR 52, so that Tor Browser can take them. [Describe test coverage new/current, TreeHerder]: covered by test_ocsp_caching.js and OCSPCacheTest.cpp [Risks and why]: minimum because first party isolation is pref'ed off. [String/UUID change made/needed]: none
Attachment #8812680 - Flags: approval-mozilla-aurora?
Also, these patches blocks bug 1316283, which is very critical for containers and first party isolation.
Comment on attachment 8808955 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (PSM). use origin attribute framework, aurora52+
Attachment #8808955 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8808956 [details] Bug 1315143 - Make OCSP use Origin Attribute framework (Necko). use origin attribute framework, aurora52+
Attachment #8808956 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8812680 [details] Bug 1315143 - Disable warnings caused by including BasePrincipal.h use origin attribute framework, aurora52+
Attachment #8812680 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: