Closed
Bug 928227
Opened 11 years ago
Closed 11 years ago
[Wifi][WPA-EAP] prevent read built-in CAs through keystore socket.
Categories
(Firefox OS Graveyard :: Wifi, defect)
Tracking
(tracking-b2g:backlog, firefox32 fixed, firefox-esr31 unaffected)
Tracking | Status | |
---|---|---|
firefox32 | --- | fixed |
firefox-esr31 | --- | unaffected |
People
(Reporter: chucklee, Assigned: chucklee)
References
Details
(Whiteboard: [p=5][adv-main32-])
Attachments
(1 file, 5 obsolete files)
9.46 KB,
patch
|
Details | Diff | Splinter Review |
keystore socket doesn't put any limitation on getting CAs stored in NSS now.
So if you know the nickname of certain CA, you can get it out of NSS through keystore socket protocol.
Hence keystore is for wifi usage only, and it's CA must be imported first.
We can put some guard preventing users getting CAs they doesn't own.
For loose limitation, we can refuse request for getting CAs of nickname with prefix "Builtin Object Token:".
For strict limitation, we can only provide CA with prefix added by import function in bug 917102, maybe "WIFI_"
Assignee | ||
Comment 1•11 years ago
|
||
Comment 2•11 years ago
|
||
We should also limit the client belong wifi.wifi group to allow access to keyStore socket.
http://dxr.mozilla.org/mozilla-central/source/ipc/keystore/KeyStore.cpp?from=keystore.cpp#1
Group: mozilla-corporation-confidential
Updated•11 years ago
|
blocking-b2g: --- → backlog
Assignee | ||
Comment 3•11 years ago
|
||
1. Provide socket fd to receive handler for permission control.
2. Only accept getting certificate with certain nickname prefix.
Attachment #8340230 -
Attachment is obsolete: true
Attachment #8413601 -
Flags: feedback?(vchang)
Attachment #8413601 -
Flags: feedback?(khuey)
Comment 4•11 years ago
|
||
Comment on attachment 8413601 [details] [diff] [review]
WIP - Add access control for keystore.
Review of attachment 8413601 [details] [diff] [review]:
-----------------------------------------------------------------
I think you had the wrong Kyle there. However, since tzimmermann has been doing more work on unixsocket than I have lately, I'm deferring fb? to him.
Attachment #8413601 -
Flags: feedback?(khuey) → feedback?(tzimmermann)
Also, should this be a security bug instead of a MoCo-confidential bug?
Comment 6•11 years ago
|
||
Comment on attachment 8413601 [details] [diff] [review]
WIP - Add access control for keystore.
Review of attachment 8413601 [details] [diff] [review]:
-----------------------------------------------------------------
Hi,
please see my comments below.
::: ipc/keystore/KeyStore.cpp
@@ +340,5 @@
> + SendResponse(PERMISSION_DENIED);
> + ResetHandlerInfo();
> + return;
> + }
> +
The top of this function does not belong into the receive code. You will re-run it on every incoming piece of data.
Instead, you should validate credentials once after the socket got connected. You should extend KeyStore::OnConnectSuccess to receive the file descriptor as argument.
::: ipc/unixsocket/UnixSocket.h
@@ +24,5 @@
> // Number of octets in mData.
> size_t mSize;
> size_t mCurrentWriteOffset;
> nsAutoArrayPtr<uint8_t> mData;
> + int mFd;
The class is only for data.
Attachment #8413601 -
Flags: feedback?(tzimmermann) → feedback-
Comment 7•11 years ago
|
||
Argh, bugzilla removed most of the first comment's context! :( I was talking about moving validation out of |KeyStore::ReceiveSocketData|.
Assignee | ||
Comment 8•11 years ago
|
||
Address comment 7.
Attachment #8413601 -
Attachment is obsolete: true
Attachment #8413601 -
Flags: feedback?(vchang)
Attachment #8422180 -
Flags: review?(tzimmermann)
Assignee | ||
Comment 9•11 years ago
|
||
Add fd info as argument of UnixSocketConsumer::OnConnectSuccess(), ipcs using unixsocket are affected.
Attachment #8422181 -
Flags: review?(vyang)
Attachment #8422181 -
Flags: review?(echou)
Attachment #8422181 -
Flags: review?(allstars.chh)
Assignee | ||
Comment 10•11 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #5)
> Also, should this be a security bug instead of a MoCo-confidential bug?
I can't set bug into that group, so using MoCo-confidential instead...
Comment 11•11 years ago
|
||
Comment on attachment 8422181 [details] [diff] [review]
0002. IPC changes due to change of unixsocket.
Review of attachment 8422181 [details] [diff] [review]:
-----------------------------------------------------------------
Sorry, I think you can implement access control in KeyStoreConnector::SetUp() without touching any other UnixSocket users. Besides, as the name suggests, "a connector decides whether an just accepted socket should be valid" sounds reasonable for me.
Attachment #8422181 -
Flags: review?(vyang) → review-
Group: mozilla-employee-confidential → core-security
Comment 12•11 years ago
|
||
Comment on attachment 8422180 [details] [diff] [review]
0001. Add access control for keystore.
Review of attachment 8422180 [details] [diff] [review]:
-----------------------------------------------------------------
Hi Chuck,
In general f+ for the current code, but I like Vicamo's suggestion of moving the credential validation to the SetUp method. Please implement it this way and the end result should be even cleaner. Thanks.
Attachment #8422180 -
Flags: review?(tzimmermann) → review+
Comment 13•11 years ago
|
||
An can we please stop marking bugs as 'confidential,' just because they might contain a security-related bug?
Assignee | ||
Comment 14•11 years ago
|
||
Address comment 11.
Thanks, vicamo!
Attachment #8422180 -
Attachment is obsolete: true
Attachment #8422181 -
Attachment is obsolete: true
Attachment #8422181 -
Flags: review?(echou)
Attachment #8422181 -
Flags: review?(allstars.chh)
Attachment #8422312 -
Flags: review?(tzimmermann)
Comment 15•11 years ago
|
||
Comment on attachment 8422312 [details] [diff] [review]
Add access control for keystore. V2
Review of attachment 8422312 [details] [diff] [review]:
-----------------------------------------------------------------
Hi Chuck,
I'm not in charge of KeyStore.{cpp,h}, so I'm forwarding this to Kyle. Please have a look at my comments for things seem fix-worthy to me; nits mostly.
::: ipc/keystore/KeyStore.cpp
@@ +32,5 @@
> namespace ipc {
>
> static const char* KEYSTORE_SOCKET_NAME = "keystore";
> static const char* KEYSTORE_SOCKET_PATH = "/dev/socket/keystore";
> +static const char* allowedUsers[] = {
Since this is global static const, you might format this in all-capital letters, like KEYSTORE_* above.
@@ +37,5 @@
> + "root",
> + "wifi",
> + NULL
> +};
> +static const char* allowedCertificatePrefixs[] = {
Same here.
@@ +90,5 @@
> + // Socket permission check.
> + struct ucred userCred;
> + socklen_t len = sizeof(struct ucred);
> +
> + if (aFd < 0 ||
Not necessary. getsockopt will handle that case (if that can even happen).
@@ +363,5 @@
> + break;
> + }
> + int match = 0;
> + for (const char **prefix = allowedCertificatePrefixs; *prefix; prefix++ ) {
> + if (!strncmp(*prefix, certName, strlen(*prefix))) {
Use |strcmp| here. Currently, you're walking over *prefix twice.
@@ +368,5 @@
> + match = 1;
> + break;
> + }
> + }
> + if (!match) {
You might remove |match| completely and test for !(*prefix) here.
Attachment #8422312 -
Flags: review?(tzimmermann)
Attachment #8422312 -
Flags: review?(kyle)
Attachment #8422312 -
Flags: feedback+
Comment 16•11 years ago
|
||
Comment on attachment 8422312 [details] [diff] [review]
Add access control for keystore. V2
Review of attachment 8422312 [details] [diff] [review]:
-----------------------------------------------------------------
tzimmermann managed to cover most of the nits I'd have, so r=me.
Attachment #8422312 -
Flags: review?(kyle) → review+
Assignee | ||
Comment 17•11 years ago
|
||
Address comment 15.
Thanks to all reviewers.
Attachment #8422312 -
Attachment is obsolete: true
Assignee | ||
Comment 18•11 years ago
|
||
Assignee | ||
Comment 19•11 years ago
|
||
Build on all platform and run test on emulator : https://tbpl.mozilla.org/?tree=Try&rev=d5dc65066b35
Assignee | ||
Updated•11 years ago
|
Whiteboard: [p=5]
Target Milestone: --- → 2.0 S2 (23may)
Comment 21•11 years ago
|
||
Keywords: checkin-needed
Updated•10 years ago
|
Whiteboard: [p=5] → [p=5][adv-main32-]
Updated•10 years ago
|
status-firefox-esr31:
--- → unaffected
Updated•10 years ago
|
blocking-b2g: backlog → ---
tracking-b2g:
--- → backlog
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•