You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
204 lines
7.4 KiB
204 lines
7.4 KiB
//
|
|
// Copyright (C) 2012 The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
//
|
|
|
|
#include "update_engine/certificate_checker.h"
|
|
|
|
#include <string>
|
|
|
|
#include <base/logging.h>
|
|
#include <base/strings/string_number_conversions.h>
|
|
#include <base/strings/string_util.h>
|
|
#include <base/strings/stringprintf.h>
|
|
#include <curl/curl.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/ssl.h>
|
|
|
|
#include "update_engine/common/constants.h"
|
|
#include "update_engine/common/prefs_interface.h"
|
|
#include "update_engine/common/utils.h"
|
|
|
|
using std::string;
|
|
|
|
namespace chromeos_update_engine {
|
|
|
|
bool OpenSSLWrapper::GetCertificateDigest(X509_STORE_CTX* x509_ctx,
|
|
int* out_depth,
|
|
unsigned int* out_digest_length,
|
|
uint8_t* out_digest) const {
|
|
TEST_AND_RETURN_FALSE(out_digest);
|
|
X509* certificate = X509_STORE_CTX_get_current_cert(x509_ctx);
|
|
TEST_AND_RETURN_FALSE(certificate);
|
|
int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
|
|
if (out_depth)
|
|
*out_depth = depth;
|
|
|
|
unsigned int len;
|
|
const EVP_MD* digest_function = EVP_sha256();
|
|
bool success = X509_digest(certificate, digest_function, out_digest, &len);
|
|
|
|
if (success && out_digest_length)
|
|
*out_digest_length = len;
|
|
return success;
|
|
}
|
|
|
|
// static
|
|
CertificateChecker* CertificateChecker::cert_checker_singleton_ = nullptr;
|
|
|
|
CertificateChecker::CertificateChecker(PrefsInterface* prefs,
|
|
OpenSSLWrapper* openssl_wrapper)
|
|
: prefs_(prefs), openssl_wrapper_(openssl_wrapper) {}
|
|
|
|
CertificateChecker::~CertificateChecker() {
|
|
if (cert_checker_singleton_ == this)
|
|
cert_checker_singleton_ = nullptr;
|
|
}
|
|
|
|
void CertificateChecker::Init() {
|
|
CHECK(cert_checker_singleton_ == nullptr);
|
|
cert_checker_singleton_ = this;
|
|
}
|
|
|
|
// static
|
|
CURLcode CertificateChecker::ProcessSSLContext(CURL* curl_handle,
|
|
SSL_CTX* ssl_ctx,
|
|
void* ptr) {
|
|
ServerToCheck* server_to_check = reinterpret_cast<ServerToCheck*>(ptr);
|
|
|
|
if (!cert_checker_singleton_) {
|
|
DLOG(WARNING) << "No CertificateChecker singleton initialized.";
|
|
return CURLE_FAILED_INIT;
|
|
}
|
|
|
|
// From here we set the SSL_CTX to another callback, from the openssl library,
|
|
// which will be called after each server certificate is validated. However,
|
|
// since openssl does not allow us to pass our own data pointer to the
|
|
// callback, the certificate check will have to be done statically. Since we
|
|
// need to know which update server we are using in order to check the
|
|
// certificate, we hardcode Chrome OS's two known update servers here, and
|
|
// define a different static callback for each. Since this code should only
|
|
// run in official builds, this should not be a problem. However, if an update
|
|
// server different from the ones listed here is used, the check will not
|
|
// take place.
|
|
int (*verify_callback)(int, X509_STORE_CTX*);
|
|
switch (*server_to_check) {
|
|
case ServerToCheck::kDownload:
|
|
verify_callback = &CertificateChecker::VerifySSLCallbackDownload;
|
|
break;
|
|
case ServerToCheck::kUpdate:
|
|
verify_callback = &CertificateChecker::VerifySSLCallbackUpdate;
|
|
break;
|
|
case ServerToCheck::kNone:
|
|
verify_callback = nullptr;
|
|
break;
|
|
}
|
|
|
|
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback);
|
|
return CURLE_OK;
|
|
}
|
|
|
|
// static
|
|
int CertificateChecker::VerifySSLCallbackDownload(int preverify_ok,
|
|
X509_STORE_CTX* x509_ctx) {
|
|
return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kDownload);
|
|
}
|
|
|
|
// static
|
|
int CertificateChecker::VerifySSLCallbackUpdate(int preverify_ok,
|
|
X509_STORE_CTX* x509_ctx) {
|
|
return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kUpdate);
|
|
}
|
|
|
|
// static
|
|
int CertificateChecker::VerifySSLCallback(int preverify_ok,
|
|
X509_STORE_CTX* x509_ctx,
|
|
ServerToCheck server_to_check) {
|
|
CHECK(cert_checker_singleton_ != nullptr);
|
|
return cert_checker_singleton_->CheckCertificateChange(
|
|
preverify_ok, x509_ctx, server_to_check)
|
|
? 1
|
|
: 0;
|
|
}
|
|
|
|
bool CertificateChecker::CheckCertificateChange(int preverify_ok,
|
|
X509_STORE_CTX* x509_ctx,
|
|
ServerToCheck server_to_check) {
|
|
TEST_AND_RETURN_FALSE(prefs_ != nullptr);
|
|
|
|
// If pre-verification failed, we are not interested in the current
|
|
// certificate. We store a report to UMA and just propagate the fail result.
|
|
if (!preverify_ok) {
|
|
NotifyCertificateChecked(server_to_check, CertificateCheckResult::kFailed);
|
|
return false;
|
|
}
|
|
|
|
int depth;
|
|
unsigned int digest_length;
|
|
uint8_t digest[EVP_MAX_MD_SIZE];
|
|
|
|
if (!openssl_wrapper_->GetCertificateDigest(
|
|
x509_ctx, &depth, &digest_length, digest)) {
|
|
LOG(WARNING) << "Failed to generate digest of X509 certificate "
|
|
<< "from update server.";
|
|
NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
|
|
return true;
|
|
}
|
|
|
|
// We convert the raw bytes of the digest to an hex string, for storage in
|
|
// prefs.
|
|
string digest_string = base::HexEncode(digest, digest_length);
|
|
|
|
string storage_key = base::StringPrintf("%s-%d-%d",
|
|
kPrefsUpdateServerCertificate,
|
|
static_cast<int>(server_to_check),
|
|
depth);
|
|
string stored_digest;
|
|
// If there's no stored certificate, we just store the current one and return.
|
|
if (!prefs_->GetString(storage_key, &stored_digest)) {
|
|
if (!prefs_->SetString(storage_key, digest_string)) {
|
|
LOG(WARNING) << "Failed to store server certificate on storage key "
|
|
<< storage_key;
|
|
}
|
|
NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
|
|
return true;
|
|
}
|
|
|
|
// Certificate changed, we store a report to UMA and store the most recent
|
|
// certificate.
|
|
if (stored_digest != digest_string) {
|
|
if (!prefs_->SetString(storage_key, digest_string)) {
|
|
LOG(WARNING) << "Failed to store server certificate on storage key "
|
|
<< storage_key;
|
|
}
|
|
LOG(INFO) << "Certificate changed from " << stored_digest << " to "
|
|
<< digest_string << ".";
|
|
NotifyCertificateChecked(server_to_check,
|
|
CertificateCheckResult::kValidChanged);
|
|
return true;
|
|
}
|
|
|
|
NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
|
|
// Since we don't perform actual SSL verification, we return success.
|
|
return true;
|
|
}
|
|
|
|
void CertificateChecker::NotifyCertificateChecked(
|
|
ServerToCheck server_to_check, CertificateCheckResult result) {
|
|
if (observer_)
|
|
observer_->CertificateChecked(server_to_check, result);
|
|
}
|
|
|
|
} // namespace chromeos_update_engine
|