// // Copyright (C) 2012 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #include "update_engine/certificate_checker.h" #include <string> #include <base/logging.h> #include <base/strings/string_number_conversions.h> #include <base/strings/string_util.h> #include <base/strings/stringprintf.h> #include <curl/curl.h> #include <openssl/evp.h> #include <openssl/ssl.h> #include "update_engine/common/constants.h" #include "update_engine/common/prefs_interface.h" #include "update_engine/common/utils.h" using std::string; namespace chromeos_update_engine { bool OpenSSLWrapper::GetCertificateDigest(X509_STORE_CTX* x509_ctx, int* out_depth, unsigned int* out_digest_length, uint8_t* out_digest) const { TEST_AND_RETURN_FALSE(out_digest); X509* certificate = X509_STORE_CTX_get_current_cert(x509_ctx); TEST_AND_RETURN_FALSE(certificate); int depth = X509_STORE_CTX_get_error_depth(x509_ctx); if (out_depth) *out_depth = depth; unsigned int len; const EVP_MD* digest_function = EVP_sha256(); bool success = X509_digest(certificate, digest_function, out_digest, &len); if (success && out_digest_length) *out_digest_length = len; return success; } // static CertificateChecker* CertificateChecker::cert_checker_singleton_ = nullptr; CertificateChecker::CertificateChecker(PrefsInterface* prefs, OpenSSLWrapper* openssl_wrapper) : prefs_(prefs), openssl_wrapper_(openssl_wrapper) { } CertificateChecker::~CertificateChecker() { if (cert_checker_singleton_ == this) cert_checker_singleton_ = nullptr; } void CertificateChecker::Init() { CHECK(cert_checker_singleton_ == nullptr); cert_checker_singleton_ = this; } // static CURLcode CertificateChecker::ProcessSSLContext(CURL* curl_handle, SSL_CTX* ssl_ctx, void* ptr) { ServerToCheck* server_to_check = reinterpret_cast<ServerToCheck*>(ptr); if (!cert_checker_singleton_) { DLOG(WARNING) << "No CertificateChecker singleton initialized."; return CURLE_FAILED_INIT; } // From here we set the SSL_CTX to another callback, from the openssl library, // which will be called after each server certificate is validated. However, // since openssl does not allow us to pass our own data pointer to the // callback, the certificate check will have to be done statically. Since we // need to know which update server we are using in order to check the // certificate, we hardcode Chrome OS's two known update servers here, and // define a different static callback for each. Since this code should only // run in official builds, this should not be a problem. However, if an update // server different from the ones listed here is used, the check will not // take place. int (*verify_callback)(int, X509_STORE_CTX*); switch (*server_to_check) { case ServerToCheck::kDownload: verify_callback = &CertificateChecker::VerifySSLCallbackDownload; break; case ServerToCheck::kUpdate: verify_callback = &CertificateChecker::VerifySSLCallbackUpdate; break; case ServerToCheck::kNone: verify_callback = nullptr; break; } SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, verify_callback); return CURLE_OK; } // static int CertificateChecker::VerifySSLCallbackDownload(int preverify_ok, X509_STORE_CTX* x509_ctx) { return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kDownload); } // static int CertificateChecker::VerifySSLCallbackUpdate(int preverify_ok, X509_STORE_CTX* x509_ctx) { return VerifySSLCallback(preverify_ok, x509_ctx, ServerToCheck::kUpdate); } // static int CertificateChecker::VerifySSLCallback(int preverify_ok, X509_STORE_CTX* x509_ctx, ServerToCheck server_to_check) { CHECK(cert_checker_singleton_ != nullptr); return cert_checker_singleton_->CheckCertificateChange( preverify_ok, x509_ctx, server_to_check) ? 1 : 0; } bool CertificateChecker::CheckCertificateChange(int preverify_ok, X509_STORE_CTX* x509_ctx, ServerToCheck server_to_check) { TEST_AND_RETURN_FALSE(prefs_ != nullptr); // If pre-verification failed, we are not interested in the current // certificate. We store a report to UMA and just propagate the fail result. if (!preverify_ok) { NotifyCertificateChecked(server_to_check, CertificateCheckResult::kFailed); return false; } int depth; unsigned int digest_length; uint8_t digest[EVP_MAX_MD_SIZE]; if (!openssl_wrapper_->GetCertificateDigest(x509_ctx, &depth, &digest_length, digest)) { LOG(WARNING) << "Failed to generate digest of X509 certificate " << "from update server."; NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid); return true; } // We convert the raw bytes of the digest to an hex string, for storage in // prefs. string digest_string = base::HexEncode(digest, digest_length); string storage_key = base::StringPrintf("%s-%d-%d", kPrefsUpdateServerCertificate, static_cast<int>(server_to_check), depth); string stored_digest; // If there's no stored certificate, we just store the current one and return. if (!prefs_->GetString(storage_key, &stored_digest)) { if (!prefs_->SetString(storage_key, digest_string)) { LOG(WARNING) << "Failed to store server certificate on storage key " << storage_key; } NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid); return true; } // Certificate changed, we store a report to UMA and store the most recent // certificate. if (stored_digest != digest_string) { if (!prefs_->SetString(storage_key, digest_string)) { LOG(WARNING) << "Failed to store server certificate on storage key " << storage_key; } LOG(INFO) << "Certificate changed from " << stored_digest << " to " << digest_string << "."; NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValidChanged); return true; } NotifyCertificateChecked(server_to_check, CertificateCheckResult::kValid); // Since we don't perform actual SSL verification, we return success. return true; } void CertificateChecker::NotifyCertificateChecked( ServerToCheck server_to_check, CertificateCheckResult result) { if (observer_) observer_->CertificateChecked(server_to_check, result); } } // namespace chromeos_update_engine