Richard Pospesel pushed to branch tor-browser-102.8.0esr-12.5-1 at The Tor Project / Applications / Tor Browser
Commits: 3dd7b20a by Pier Angelo Vendrame at 2023-02-22T09:55:31+01:00 Bug 1817756 - Add a seed to the network ID. r=valentin,necko-reviewers
This helps to prevent linkability of users in the same network.
Differential Revision: https://phabricator.services.mozilla.com/D170373 - - - - - e8982629 by Pier Angelo Vendrame at 2023-02-22T09:59:38+01:00 Bug 41599: Always return an empty string as network ID
Firefox computes an internal network ID used to detect network changes and act consequently (e.g., to improve WebSocket UX). However, there are a few ways to get this internal network ID, so we patch them out, to be sure any new code will not be able to use them and possibly link users.
We also sent a patch to Mozilla to seed the internal network ID, to prevent any accidental leak in the future. Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1817756
- - - - -
8 changed files:
- + netwerk/system/LinkServiceCommon.cpp - + netwerk/system/LinkServiceCommon.h - netwerk/system/android/nsAndroidNetworkLinkService.cpp - netwerk/system/linux/nsNetworkLinkService.cpp - netwerk/system/mac/nsNetworkLinkService.mm - netwerk/system/moz.build - netwerk/system/netlink/NetlinkService.cpp - netwerk/system/win32/nsNotifyAddrListener.cpp
Changes:
===================================== netwerk/system/LinkServiceCommon.cpp ===================================== @@ -0,0 +1,30 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "LinkServiceCommon.h" + +#include "mozilla/Maybe.h" +#include "mozilla/SHA1.h" +#include "mozilla/TimeStamp.h" +#include "nsID.h" + +using namespace mozilla; + +void SeedNetworkId(SHA1Sum& aSha1) { + static Maybe<nsID> seed = ([]() { + Maybe<nsID> uuid(std::in_place); + if (NS_FAILED(nsID::GenerateUUIDInPlace(*uuid))) { + uuid.reset(); + } + return uuid; + })(); + if (seed) { + aSha1.update(seed.ptr(), sizeof(*seed)); + } else { + TimeStamp timestamp = TimeStamp::ProcessCreation(); + aSha1.update(×tamp, sizeof(timestamp)); + } +}
===================================== netwerk/system/LinkServiceCommon.h ===================================== @@ -0,0 +1,17 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef LINK_SERVICE_COMMON_H_ +#define LINK_SERVICE_COMMON_H_ + +namespace mozilla { +class SHA1Sum; +} + +// Add a seed to the computed network ID to prevent user linkability. +void SeedNetworkId(mozilla::SHA1Sum& aSha1); + +#endif // LINK_SERVICE_COMMON_H_
===================================== netwerk/system/android/nsAndroidNetworkLinkService.cpp ===================================== @@ -123,11 +123,15 @@ nsAndroidNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP nsAndroidNetworkLinkService::GetNetworkID(nsACString& aNetworkID) { +#ifdef BASE_BROWSER + aNetworkID.Truncate(); +#else if (!mNetlinkSvc) { return NS_ERROR_NOT_AVAILABLE; }
mNetlinkSvc->GetNetworkID(aNetworkID); +#endif return NS_OK; }
===================================== netwerk/system/linux/nsNetworkLinkService.cpp ===================================== @@ -50,11 +50,15 @@ nsNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP nsNetworkLinkService::GetNetworkID(nsACString& aNetworkID) { +#ifdef BASE_BROWSER + aNetworkID.Truncate(); +#else if (!mNetlinkSvc) { return NS_ERROR_NOT_AVAILABLE; }
mNetlinkSvc->GetNetworkID(aNetworkID); +#endif return NS_OK; }
===================================== netwerk/system/mac/nsNetworkLinkService.mm ===================================== @@ -35,6 +35,7 @@ #include "mozilla/Telemetry.h" #include "nsNetworkLinkService.h" #include "../../base/IPv6Utils.h" +#include "../LinkServiceCommon.h" #include "../NetworkLinkServiceDefines.h"
#import <Cocoa/Cocoa.h> @@ -122,8 +123,12 @@ nsNetworkLinkService::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP nsNetworkLinkService::GetNetworkID(nsACString& aNetworkID) { +#ifdef BASE_BROWSER + aNetworkID.Truncate(); +#else MutexAutoLock lock(mMutex); aNetworkID = mNetworkId; +#endif return NS_OK; }
@@ -600,11 +605,8 @@ void nsNetworkLinkService::calculateNetworkIdInternal(void) { bool found6 = IPv6NetworkId(&sha1);
if (found4 || found6) { - // This 'addition' could potentially be a fixed number from the - // profile or something. - nsAutoCString addition("local-rubbish"); nsAutoCString output; - sha1.update(addition.get(), addition.Length()); + SeedNetworkId(sha1); uint8_t digest[SHA1Sum::kHashSize]; sha1.finish(digest); nsAutoCString newString(reinterpret_cast<char*>(digest), SHA1Sum::kHashSize);
===================================== netwerk/system/moz.build ===================================== @@ -15,3 +15,9 @@ if CONFIG["MOZ_WIDGET_TOOLKIT"] == "android":
elif CONFIG["OS_ARCH"] == "Linux": DIRS += ["linux", "netlink"] + +SOURCES += [ + "LinkServiceCommon.cpp", +] + +FINAL_LIBRARY = "xul"
===================================== netwerk/system/netlink/NetlinkService.cpp ===================================== @@ -18,6 +18,7 @@ #include "nsPrintfCString.h" #include "mozilla/Logging.h" #include "../../base/IPv6Utils.h" +#include "../LinkServiceCommon.h" #include "../NetworkLinkServiceDefines.h"
#include "mozilla/Base64.h" @@ -1812,11 +1813,8 @@ void NetlinkService::CalculateNetworkID() { bool found6 = CalculateIDForFamily(AF_INET6, &sha1);
if (found4 || found6) { - // This 'addition' could potentially be a fixed number from the - // profile or something. - nsAutoCString addition("local-rubbish"); nsAutoCString output; - sha1.update(addition.get(), addition.Length()); + SeedNetworkId(sha1); uint8_t digest[SHA1Sum::kHashSize]; sha1.finish(digest); nsAutoCString newString(reinterpret_cast<char*>(digest), @@ -1877,8 +1875,12 @@ void NetlinkService::CalculateNetworkID() { }
void NetlinkService::GetNetworkID(nsACString& aNetworkID) { +#ifdef BASE_BROWSER + aNetworkID.Truncate(); +#else MutexAutoLock lock(mMutex); aNetworkID = mNetworkId; +#endif }
nsresult NetlinkService::GetDnsSuffixList(nsTArray<nsCString>& aDnsSuffixList) {
===================================== netwerk/system/win32/nsNotifyAddrListener.cpp ===================================== @@ -45,6 +45,7 @@ #include "mozilla/Base64.h" #include "mozilla/ScopeExit.h" #include "mozilla/Telemetry.h" +#include "../LinkServiceCommon.h" #include <iptypes.h> #include <iphlpapi.h>
@@ -104,8 +105,12 @@ nsNotifyAddrListener::GetLinkType(uint32_t* aLinkType) {
NS_IMETHODIMP nsNotifyAddrListener::GetNetworkID(nsACString& aNetworkID) { +#ifdef BASE_BROWSER + aNetworkID.Truncate(); +#else MutexAutoLock lock(mMutex); aNetworkID = mNetworkId; +#endif return NS_OK; }
@@ -248,7 +253,7 @@ void nsNotifyAddrListener::calculateNetworkId(void) { nsAutoCString output; SHA1Sum::Hash digest; HashSortedNetworkIds(nwGUIDS, sha1); - + SeedNetworkId(sha1); sha1.finish(digest); nsCString newString(reinterpret_cast<char*>(digest), SHA1Sum::kHashSize); nsresult rv = Base64Encode(newString, output);
View it on GitLab: https://gitlab.torproject.org/tpo/applications/tor-browser/-/compare/d80384f...