Bug 1908018
| Summary: | Firefox add-on installation uses sha1 signatures which are no longer approved by policy | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> |
| Component: | firefox | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | agurenko, bugzilla.redhat.com, crypto-team, dominik, dueno, edpil02, elio.maldonado.batiz, elxreno, erack, fweimer, gecko-bugs-nobody, jesse.thilo, jhorak, kai-engert-fedora, kdudka, kevin, mrunge, onyeibo, pjasicek, rhughes, robatino, rrelyea, rstrode, samuel-rhbugs, sandmann, stransky, trpost, vondruch |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | openqa | ||
| Fixed In Version: | firefox-105.0.2-1.fc38 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-01-13 17:19:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1829022, 1909386 | ||
|
Description
Adam Williamson
2020-12-15 17:20:16 UTC
*** Bug 1907731 has been marked as a duplicate of this bug. *** More info is at https://bodhi.fedoraproject.org/updates/FEDORA-2020-44d771d0ef As a temporary workaround I'm going to ship Firefox with in-tree nss until this one is solved. Comments from rrelyea:
OK, the issue is add-ons appear to be using sha1 signatures, which are not disabled by policy. NSS 3.59 is now enforcing general signatures. If you use update-crypto-policies -set LEGACY add-ons work will work.
The question is how we should deal with this. We shouldn't back out the enforcement in NSS. I'm not sure if we should hack around it in Firefox until add-ons update, or if we should just require LEGACY crypto policies if you want to load add-ons. Does anyone know if firefox is moving to using SHA-2 for add-ons anytime soon?
To turn SHA1 on for non-certificate signatures: / Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit. does not change NSS_USE_ALG_IN_CERT_SIGNATURE / rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); / checking rv is optional here, more likely to give a nice error message if policy is * locked /
To temporarily turn policy on for one function: / Get the previous state of the signature policy bit / policy=0; policy_rv = NSS_GetAlgorithmPolicy(SEC_OID_SHA1, &policy); if (policy_rv == SECSuccess) { / this sets policy to NSS_USE_ALG_IN_ANY_SIGNATURE if that bit was off, We'll use it to clear * that bit after we complete our command / policy = (~policy & NSS_USE_ALG_IN_ANY_SIGNATURE) ; / turn on policy / policy_rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); } / do function here / if (policy_rv == SECSuccess) { / clear the policy bit again if it was off before / NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, policy); }
Probably the easiest is have a pref that enables sha1 signatures for add-ons and is it's set just flip the policy bit and not worry about saving and clearing it, since it only affects policy for firefox.
I see you pushed updates reverting this for stable releases. Could you also do so for rawhide? Or is there some reason there's not a rawhide build yet? (In reply to Kevin Fenzi from comment #5) > I see you pushed updates reverting this for stable releases. Could you also > do so for rawhide? Or is there some reason there's not a rawhide build yet? If you mean Firefox the builds with in-tree nss are here (firefox-84.0-4.*): https://koji.fedoraproject.org/koji/packageinfo?packageID=37 Ah, I see new nss builds with SHA-1 changes are 3.59.0-3. Will rebuild Firefox for it. Because we need the general NSS functionality (ability to turn off all signatures based on policy) in rawhide, so we need to deal with it separately going forward (either upstream or a ff patch). Since f32 and f33 are already released, they don't need that functionality so it's OK to disable it. Mozilla upstream bug for this: https://bugzilla.mozilla.org/show_bug.cgi?id=1682613 (In reply to Bob Relyea from comment #8) > Because we need the general NSS functionality (ability to turn off all > signatures based on policy) in rawhide, so we need to deal with it > separately going forward (either upstream or a ff patch). Since f32 and f33 > are already released, they don't need that functionality so it's OK to > disable it. Sure, but we should disable it _for now_ in rawhide until we have a plan. Or is the plan to have firefox not use system nss in rawhide? (That seems more divergent than just patching nss in rawhide like the release branches, but ok if thats the plan). (In reply to Kevin Fenzi from comment #10) > Sure, but we should disable it _for now_ in rawhide until we have a plan. > > Or is the plan to have firefox not use system nss in rawhide? (That seems > more divergent than just patching nss in rawhide like the release branches, > but ok if thats the plan). Yes, as a hotfix Firefox without system nss will be available there. It should be already but the build failed on x86_64: https://koji.fedoraproject.org/koji/buildinfo?buildID=1659542 I don't think that FF should ever provide libnss: ~~~ $ rpm -qPp https://kojipkgs.fedoraproject.org//packages/firefox/83.0/14.fc34/x86_64/firefox-83.0-14.fc34.x86_64.rpm application() application(firefox.desktop) firefox = 83.0-14.fc34 firefox(x86-64) = 83.0-14.fc34 libclearkey.so()(64bit) liblgpllibs.so()(64bit) libmozavcodec.so()(64bit) libmozavcodec.so(libmozavcodec.so)(64bit) libmozavutil.so()(64bit) libmozavutil.so(libmozavutil.so)(64bit) libmozgtk.so()(64bit) libmozsandbox.so()(64bit) libmozsqlite3.so()(64bit) libmozsqlite3.so(libmozsqlite3.so)(64bit) libmozwayland.so()(64bit) libxul.so()(64bit) libxul.so(xul83)(64bit) metainfo() metainfo(firefox.appdata.xml) mimehandler(application/vnd.mozilla.xul+xml) mimehandler(application/xhtml+xml) mimehandler(text/html) mimehandler(text/mml) mimehandler(text/xml) mimehandler(x-scheme-handler/http) mimehandler(x-scheme-handler/https) webclient $ rpm -qPp https://kojipkgs.fedoraproject.org//packages/firefox/84.0/6.fc34/x86_64/firefox-84.0-6.fc34.x86_64.rpm application() application(firefox.desktop) firefox = 84.0-6.fc34 firefox(x86-64) = 84.0-6.fc34 libclearkey.so()(64bit) libfreeblpriv3.so()(64bit) libfreeblpriv3.so(NSSprivate_3.11)(64bit) libfreeblpriv3.so(NSSprivate_3.16)(64bit) liblgpllibs.so()(64bit) libmozavcodec.so()(64bit) libmozavcodec.so(libmozavcodec.so)(64bit) libmozavutil.so()(64bit) libmozavutil.so(libmozavutil.so)(64bit) libmozgtk.so()(64bit) libmozsandbox.so()(64bit) libmozsqlite3.so()(64bit) libmozsqlite3.so(libmozsqlite3.so)(64bit) libmozwayland.so()(64bit) libnspr4.so()(64bit) libnss3.so()(64bit) libnss3.so(NSS_3.10)(64bit) libnss3.so(NSS_3.10.2)(64bit) libnss3.so(NSS_3.11)(64bit) libnss3.so(NSS_3.11.1)(64bit) libnss3.so(NSS_3.11.2)(64bit) libnss3.so(NSS_3.11.7)(64bit) libnss3.so(NSS_3.11.9)(64bit) libnss3.so(NSS_3.12)(64bit) libnss3.so(NSS_3.12.1)(64bit) libnss3.so(NSS_3.12.10)(64bit) libnss3.so(NSS_3.12.3)(64bit) libnss3.so(NSS_3.12.4)(64bit) libnss3.so(NSS_3.12.5)(64bit) libnss3.so(NSS_3.12.6)(64bit) libnss3.so(NSS_3.12.7)(64bit) libnss3.so(NSS_3.12.9)(64bit) libnss3.so(NSS_3.13)(64bit) libnss3.so(NSS_3.13.2)(64bit) libnss3.so(NSS_3.14)(64bit) libnss3.so(NSS_3.14.1)(64bit) libnss3.so(NSS_3.14.3)(64bit) libnss3.so(NSS_3.15)(64bit) libnss3.so(NSS_3.15.4)(64bit) libnss3.so(NSS_3.16.1)(64bit) libnss3.so(NSS_3.16.2)(64bit) libnss3.so(NSS_3.18)(64bit) libnss3.so(NSS_3.19)(64bit) libnss3.so(NSS_3.19.1)(64bit) libnss3.so(NSS_3.2)(64bit) libnss3.so(NSS_3.2.1)(64bit) libnss3.so(NSS_3.21)(64bit) libnss3.so(NSS_3.22)(64bit) libnss3.so(NSS_3.3)(64bit) libnss3.so(NSS_3.3.1)(64bit) libnss3.so(NSS_3.30)(64bit) libnss3.so(NSS_3.31)(64bit) libnss3.so(NSS_3.33)(64bit) libnss3.so(NSS_3.34)(64bit) libnss3.so(NSS_3.39)(64bit) libnss3.so(NSS_3.4)(64bit) libnss3.so(NSS_3.43)(64bit) libnss3.so(NSS_3.44)(64bit) libnss3.so(NSS_3.45)(64bit) libnss3.so(NSS_3.47)(64bit) libnss3.so(NSS_3.5)(64bit) libnss3.so(NSS_3.52)(64bit) libnss3.so(NSS_3.53)(64bit) libnss3.so(NSS_3.55)(64bit) libnss3.so(NSS_3.58)(64bit) libnss3.so(NSS_3.59)(64bit) libnss3.so(NSS_3.6)(64bit) libnss3.so(NSS_3.7)(64bit) libnss3.so(NSS_3.7.1)(64bit) libnss3.so(NSS_3.8)(64bit) libnss3.so(NSS_3.9)(64bit) libnss3.so(NSS_3.9.2)(64bit) libnss3.so(NSS_3.9.3)(64bit) libnssutil3.so()(64bit) libnssutil3.so(NSSUTIL_3.12)(64bit) libnssutil3.so(NSSUTIL_3.12.3)(64bit) libnssutil3.so(NSSUTIL_3.12.5)(64bit) libnssutil3.so(NSSUTIL_3.12.7)(64bit) libnssutil3.so(NSSUTIL_3.13)(64bit) libnssutil3.so(NSSUTIL_3.14)(64bit) libnssutil3.so(NSSUTIL_3.15)(64bit) libnssutil3.so(NSSUTIL_3.17.1)(64bit) libnssutil3.so(NSSUTIL_3.21)(64bit) libnssutil3.so(NSSUTIL_3.24)(64bit) libnssutil3.so(NSSUTIL_3.25)(64bit) libnssutil3.so(NSSUTIL_3.31)(64bit) libnssutil3.so(NSSUTIL_3.33)(64bit) libnssutil3.so(NSSUTIL_3.38)(64bit) libnssutil3.so(NSSUTIL_3.39)(64bit) libnssutil3.so(NSSUTIL_3.59)(64bit) libplc4.so()(64bit) libplds4.so()(64bit) libsmime3.so()(64bit) libsmime3.so(NSS_3.10)(64bit) libsmime3.so(NSS_3.12.10)(64bit) libsmime3.so(NSS_3.12.2)(64bit) libsmime3.so(NSS_3.13)(64bit) libsmime3.so(NSS_3.15)(64bit) libsmime3.so(NSS_3.16)(64bit) libsmime3.so(NSS_3.18)(64bit) libsmime3.so(NSS_3.2)(64bit) libsmime3.so(NSS_3.2.1)(64bit) libsmime3.so(NSS_3.3)(64bit) libsmime3.so(NSS_3.4)(64bit) libsmime3.so(NSS_3.4.1)(64bit) libsmime3.so(NSS_3.6)(64bit) libsmime3.so(NSS_3.7)(64bit) libsmime3.so(NSS_3.7.2)(64bit) libsmime3.so(NSS_3.8)(64bit) libsmime3.so(NSS_3.9)(64bit) libsmime3.so(NSS_3.9.3)(64bit) libsoftokn3.so()(64bit) libsoftokn3.so(NSS_3.4)(64bit) libsoftokn3.so(NSS_3.52)(64bit) libssl3.so()(64bit) libssl3.so(NSS_3.11.4)(64bit) libssl3.so(NSS_3.11.8)(64bit) libssl3.so(NSS_3.12.10)(64bit) libssl3.so(NSS_3.12.6)(64bit) libssl3.so(NSS_3.13)(64bit) libssl3.so(NSS_3.13.2)(64bit) libssl3.so(NSS_3.14)(64bit) libssl3.so(NSS_3.15)(64bit) libssl3.so(NSS_3.15.4)(64bit) libssl3.so(NSS_3.2)(64bit) libssl3.so(NSS_3.2.1)(64bit) libssl3.so(NSS_3.20)(64bit) libssl3.so(NSS_3.21)(64bit) libssl3.so(NSS_3.22)(64bit) libssl3.so(NSS_3.23)(64bit) libssl3.so(NSS_3.24)(64bit) libssl3.so(NSS_3.27)(64bit) libssl3.so(NSS_3.28)(64bit) libssl3.so(NSS_3.30)(64bit) libssl3.so(NSS_3.30.0.1)(64bit) libssl3.so(NSS_3.33)(64bit) libssl3.so(NSS_3.4)(64bit) libssl3.so(NSS_3.7.4)(64bit) libxul.so()(64bit) libxul.so(xul84)(64bit) metainfo() metainfo(firefox.appdata.xml) mimehandler(application/vnd.mozilla.xul+xml) mimehandler(application/xhtml+xml) mimehandler(text/html) mimehandler(text/mml) mimehandler(text/xml) mimehandler(x-scheme-handler/http) mimehandler(x-scheme-handler/https) webclient ~~~ In the buildroot, it now gets pulled in instead of `nss*`. It seems this might break rubygem-activestorage in some way: https://koschei.fedoraproject.org/package/rubygem-activestorage?collection=f34 And icecat is doing the same 🤦♂️ (In reply to Vít Ondruch from comment #12) Reported separately as bug 1908791 (In reply to Vít Ondruch from comment #13) Reported as bug 1908792 (In reply to Vít Ondruch from comment #14) > (In reply to Vít Ondruch from comment #12) > Reported separately as bug 1908791 This is essentially a duplicate of my bug 1582116 which I reported 2.5 years ago. No package should expose its private libraries in Provides:, bundled or not. Thunderbird also does this, see bug 1582120 . > (In reply to Vít Ondruch from comment #13) > Reported as bug 1908792 Thanks. (In reply to Vít Ondruch from comment #13) > And icecat is doing the same 🤦♂️ Fixed: https://src.fedoraproject.org/rpms/icecat/c/17a41178bbdb9436e98e1faf4fd47fe2e7f34d4d?branch=master I'm sorry for this drawback. No we definitely should not use bundled NSS. That turns off all policy controls. I recommended in the original nss-3.59-2 build a patch to firefox to turn SHA1 general signatures back on until Firefox stops signing add-ons with sha1. The code is: /* Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit. * does not change NSS_USE_ALG_IN_CERT_SIGNATURE, * so policy will still disable use of sha1 in * certificate related signature processing. */ rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); /* checking rv is optional here, more likely to give a nice * error message if policy is locked */ This will allow firefox to continue using sha1 signatures without affecting other application. Interesting consequence of this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1909801 . :D So for the record this bug is back because mstransky switched Firefox back to building against system NSS, but did not patch it as Bob recommended to still allow SHA-1 signatures. I'll see if I can do that. (In reply to Adam Williamson from comment #19) > So for the record this bug is back because mstransky switched Firefox back > to building against system NSS, but did not patch it as Bob recommended to > still allow SHA-1 signatures. I'll see if I can do that. I'm going to look at it over weekend. I'd also like to open firefox/thunderbird commits for provenpackagers to allow to deliver such small changes. FWIW I did try to do it, but couldn't find the right place to patch so that add-on install was actually affected... (In reply to Martin Stransky from comment #20) > > I'm going to look at it over weekend. I'd also like to open > firefox/thunderbird commits for provenpackagers to allow to deliver such > small changes. If there's no longer any concerns about doing this, this is just a config change in fedora-infrastructure. :) I guess open a ticket in https://pagure.io/fedora-infrastructure and we can change it. Bob, I have no idea where to apply the policy change. Can you please create a patch for it or guide me here? Thanks. (In reply to Kevin Fenzi from comment #22) > If there's no longer any concerns about doing this, this is just a config > change in fedora-infrastructure. :) I guess open a ticket in > https://pagure.io/fedora-infrastructure and we can change it. Filed as https://pagure.io/fedora-infrastructure/issue/9557 Thanks. The simplest thing is to just put it after the NSS_Initialize (or NSS_Init or NSS_InitReadWrite. I'm not sure which one Firefox uses, I think it's NSS_InitReadWrite) call. Ideally it would be in the prefs system, but I'm not familiar with the prefs code in Mozilla. bob Looks like NSS_Initialize() is used, there's a backtrace:
#0 0x00007fffe3e0a360 in NSS_Initialize () at /lib64/libnss3.so
#1 0x00007fffe52a5f9b in mozilla::psm::InitializeNSS(nsTSubstring<char> const&, mozilla::psm::NSSDBConfig, mozilla::psm::PKCS11DBConfig)
(dir=..., nssDbConfig=mozilla::psm::NSSDBConfig::ReadWrite, pkcs11DbConfig=mozilla::psm::PKCS11DBConfig::LoadModules)
at /raid/CVS/firefox/firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp:1617
#2 0x00007fffec6d41e8 in InitializeNSSWithFallbacks(nsACString const&, bool, bool) (profilePath=..., nocertdb=false, safeMode=false)
at /raid/CVS/firefox/firefox-84.0.2/security/manager/ssl/nsNSSComponent.cpp:1893
#3 0x00007fffec6d4b1a in nsNSSComponent::InitializeNSS() (this=0x7fffc4fbda80) at /raid/CVS/firefox/firefox-84.0.2/security/manager/ssl/nsNSSComponent.cpp:2029
#4 0x00007fffec6d6158 in nsNSSComponent::Init() (this=0x7fffc4fbda80) at /raid/CVS/firefox/firefox-84.0.2/security/manager/ssl/nsNSSComponent.cpp:2315
So you just need to add it in mozilla::psm::InitializeNSS, just after the NSS_Initialize call (it looks like it's in security/certverifier/NSSCertDBTrustDomain.cpp). Added to firefox-84.0.2-2. Thanks. *** Bug 1912234 has been marked as a duplicate of this bug. *** openQA tests passed in today's compose (with the fix). Thanks! FEDORA-2022-f0988ea008 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f0988ea008 FEDORA-2022-f0988ea008 has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report. |