blob: 938c66fdceb220141d3d5b1286556655c7b95e7d [file] [log] [blame]
Alex Deymoaea4c1c2015-08-19 20:24:43 -07001//
2// Copyright (C) 2012 The Android Open Source Project
3//
4// Licensed under the Apache License, Version 2.0 (the "License");
5// you may not use this file except in compliance with the License.
6// You may obtain a copy of the License at
7//
8// http://www.apache.org/licenses/LICENSE-2.0
9//
10// Unless required by applicable law or agreed to in writing, software
11// distributed under the License is distributed on an "AS IS" BASIS,
12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13// See the License for the specific language governing permissions and
14// limitations under the License.
15//
Bruno Rocha7f9aea22011-09-12 14:31:24 -070016
Alex Deymo14c0da82016-07-20 16:45:45 -070017#include "update_engine/certificate_checker.h"
Bruno Rocha7f9aea22011-09-12 14:31:24 -070018
19#include <string>
20
Alex Deymo39910dc2015-11-09 17:04:30 -080021#include <base/logging.h>
Alex Vakulenko75039d72014-03-25 12:36:28 -070022#include <base/strings/string_number_conversions.h>
23#include <base/strings/string_util.h>
24#include <base/strings/stringprintf.h>
Bruno Rocha7f9aea22011-09-12 14:31:24 -070025#include <curl/curl.h>
Bruno Rocha7f9aea22011-09-12 14:31:24 -070026#include <openssl/evp.h>
27#include <openssl/ssl.h>
28
Alex Deymo39910dc2015-11-09 17:04:30 -080029#include "update_engine/common/constants.h"
30#include "update_engine/common/prefs_interface.h"
31#include "update_engine/common/utils.h"
Bruno Rocha7f9aea22011-09-12 14:31:24 -070032
33using std::string;
34
35namespace chromeos_update_engine {
36
Bruno Rocha7f9aea22011-09-12 14:31:24 -070037bool OpenSSLWrapper::GetCertificateDigest(X509_STORE_CTX* x509_ctx,
38 int* out_depth,
39 unsigned int* out_digest_length,
Alex Vakulenkof68bbbc2015-02-09 12:53:18 -080040 uint8_t* out_digest) const {
Bruno Rocha7f9aea22011-09-12 14:31:24 -070041 TEST_AND_RETURN_FALSE(out_digest);
42 X509* certificate = X509_STORE_CTX_get_current_cert(x509_ctx);
43 TEST_AND_RETURN_FALSE(certificate);
44 int depth = X509_STORE_CTX_get_error_depth(x509_ctx);
45 if (out_depth)
46 *out_depth = depth;
47
48 unsigned int len;
49 const EVP_MD* digest_function = EVP_sha256();
50 bool success = X509_digest(certificate, digest_function, out_digest, &len);
51
52 if (success && out_digest_length)
53 *out_digest_length = len;
54 return success;
55}
56
Alex Deymo33e91e72015-12-01 18:26:08 -030057// static
58CertificateChecker* CertificateChecker::cert_checker_singleton_ = nullptr;
59
Alex Deymoc1c17b42015-11-23 03:53:15 -030060CertificateChecker::CertificateChecker(PrefsInterface* prefs,
Alex Deymo33e91e72015-12-01 18:26:08 -030061 OpenSSLWrapper* openssl_wrapper)
Amin Hassani7cc8bb02019-01-14 16:29:47 -080062 : prefs_(prefs), openssl_wrapper_(openssl_wrapper) {}
Alex Deymo33e91e72015-12-01 18:26:08 -030063
64CertificateChecker::~CertificateChecker() {
65 if (cert_checker_singleton_ == this)
66 cert_checker_singleton_ = nullptr;
67}
68
69void CertificateChecker::Init() {
70 CHECK(cert_checker_singleton_ == nullptr);
71 cert_checker_singleton_ = this;
Alex Deymoc1c17b42015-11-23 03:53:15 -030072}
Bruno Rocha7f9aea22011-09-12 14:31:24 -070073
74// static
75CURLcode CertificateChecker::ProcessSSLContext(CURL* curl_handle,
76 SSL_CTX* ssl_ctx,
77 void* ptr) {
Alex Deymo33e91e72015-12-01 18:26:08 -030078 ServerToCheck* server_to_check = reinterpret_cast<ServerToCheck*>(ptr);
79
80 if (!cert_checker_singleton_) {
81 DLOG(WARNING) << "No CertificateChecker singleton initialized.";
82 return CURLE_FAILED_INIT;
83 }
Alex Deymoc1c17b42015-11-23 03:53:15 -030084
Bruno Rocha7f9aea22011-09-12 14:31:24 -070085 // From here we set the SSL_CTX to another callback, from the openssl library,
86 // which will be called after each server certificate is validated. However,
87 // since openssl does not allow us to pass our own data pointer to the
Alex Deymo33e91e72015-12-01 18:26:08 -030088 // callback, the certificate check will have to be done statically. Since we
89 // need to know which update server we are using in order to check the
90 // certificate, we hardcode Chrome OS's two known update servers here, and
91 // define a different static callback for each. Since this code should only
92 // run in official builds, this should not be a problem. However, if an update
93 // server different from the ones listed here is used, the check will not
94 // take place.
95 int (*verify_callback)(int, X509_STORE_CTX*);
96 switch (*server_to_check) {
97 case ServerToCheck::kDownload:
98 verify_callback = &CertificateChecker::VerifySSLCallbackDownload;
99 break;
100 case ServerToCheck::kUpdate:
101 verify_callback = &CertificateChecker::VerifySSLCallbackUpdate;
102 break;
103 case ServerToCheck::kNone:
104 verify_callback = nullptr;
105 break;
106 }
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700107
Alex Deymo33e91e72015-12-01 18:26:08 -0300108 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700109 return CURLE_OK;
110}
111
112// static
Alex Deymo33e91e72015-12-01 18:26:08 -0300113int CertificateChecker::VerifySSLCallbackDownload(int preverify_ok,
114 X509_STORE_CTX* x509_ctx) {
115 return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kDownload);
116}
117
118// static
119int CertificateChecker::VerifySSLCallbackUpdate(int preverify_ok,
120 X509_STORE_CTX* x509_ctx) {
121 return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kUpdate);
122}
123
124// static
Alex Deymoc1c17b42015-11-23 03:53:15 -0300125int CertificateChecker::VerifySSLCallback(int preverify_ok,
Alex Deymo33e91e72015-12-01 18:26:08 -0300126 X509_STORE_CTX* x509_ctx,
127 ServerToCheck server_to_check) {
128 CHECK(cert_checker_singleton_ != nullptr);
129 return cert_checker_singleton_->CheckCertificateChange(
Amin Hassani7cc8bb02019-01-14 16:29:47 -0800130 preverify_ok, x509_ctx, server_to_check)
131 ? 1
132 : 0;
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700133}
134
Alex Deymoc1c17b42015-11-23 03:53:15 -0300135bool CertificateChecker::CheckCertificateChange(int preverify_ok,
Alex Deymo33e91e72015-12-01 18:26:08 -0300136 X509_STORE_CTX* x509_ctx,
137 ServerToCheck server_to_check) {
Alex Deymoc1c17b42015-11-23 03:53:15 -0300138 TEST_AND_RETURN_FALSE(prefs_ != nullptr);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700139
140 // If pre-verification failed, we are not interested in the current
141 // certificate. We store a report to UMA and just propagate the fail result.
142 if (!preverify_ok) {
Alex Deymo33e91e72015-12-01 18:26:08 -0300143 NotifyCertificateChecked(server_to_check, CertificateCheckResult::kFailed);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700144 return false;
145 }
146
147 int depth;
148 unsigned int digest_length;
Alex Vakulenkof68bbbc2015-02-09 12:53:18 -0800149 uint8_t digest[EVP_MAX_MD_SIZE];
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700150
Amin Hassani7cc8bb02019-01-14 16:29:47 -0800151 if (!openssl_wrapper_->GetCertificateDigest(
152 x509_ctx, &depth, &digest_length, digest)) {
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700153 LOG(WARNING) << "Failed to generate digest of X509 certificate "
154 << "from update server.";
Alex Deymo33e91e72015-12-01 18:26:08 -0300155 NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700156 return true;
157 }
158
159 // We convert the raw bytes of the digest to an hex string, for storage in
160 // prefs.
161 string digest_string = base::HexEncode(digest, digest_length);
162
Amin Hassani7cc8bb02019-01-14 16:29:47 -0800163 string storage_key = base::StringPrintf("%s-%d-%d",
164 kPrefsUpdateServerCertificate,
165 static_cast<int>(server_to_check),
166 depth);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700167 string stored_digest;
168 // If there's no stored certificate, we just store the current one and return.
Alex Deymoc1c17b42015-11-23 03:53:15 -0300169 if (!prefs_->GetString(storage_key, &stored_digest)) {
170 if (!prefs_->SetString(storage_key, digest_string)) {
171 LOG(WARNING) << "Failed to store server certificate on storage key "
172 << storage_key;
173 }
Alex Deymo33e91e72015-12-01 18:26:08 -0300174 NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700175 return true;
176 }
177
178 // Certificate changed, we store a report to UMA and store the most recent
179 // certificate.
180 if (stored_digest != digest_string) {
Alex Deymoc1c17b42015-11-23 03:53:15 -0300181 if (!prefs_->SetString(storage_key, digest_string)) {
182 LOG(WARNING) << "Failed to store server certificate on storage key "
183 << storage_key;
184 }
Alex Deymo33e91e72015-12-01 18:26:08 -0300185 LOG(INFO) << "Certificate changed from " << stored_digest << " to "
186 << digest_string << ".";
187 NotifyCertificateChecked(server_to_check,
188 CertificateCheckResult::kValidChanged);
Alex Deymoc1c17b42015-11-23 03:53:15 -0300189 return true;
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700190 }
191
Alex Deymo33e91e72015-12-01 18:26:08 -0300192 NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700193 // Since we don't perform actual SSL verification, we return success.
194 return true;
195}
196
Alex Deymoc1c17b42015-11-23 03:53:15 -0300197void CertificateChecker::NotifyCertificateChecked(
Amin Hassani7cc8bb02019-01-14 16:29:47 -0800198 ServerToCheck server_to_check, CertificateCheckResult result) {
Alex Deymoc1c17b42015-11-23 03:53:15 -0300199 if (observer_)
Alex Deymo33e91e72015-12-01 18:26:08 -0300200 observer_->CertificateChecked(server_to_check, result);
Bruno Rocha7f9aea22011-09-12 14:31:24 -0700201}
202
203} // namespace chromeos_update_engine