Home | History | Annotate | Download | only in update_engine
      1 //
      2 // Copyright (C) 2011 The Android Open Source Project
      3 //
      4 // Licensed under the Apache License, Version 2.0 (the "License");
      5 // you may not use this file except in compliance with the License.
      6 // You may obtain a copy of the License at
      7 //
      8 //      http://www.apache.org/licenses/LICENSE-2.0
      9 //
     10 // Unless required by applicable law or agreed to in writing, software
     11 // distributed under the License is distributed on an "AS IS" BASIS,
     12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13 // See the License for the specific language governing permissions and
     14 // limitations under the License.
     15 //
     16 
     17 #ifndef UPDATE_ENGINE_CERTIFICATE_CHECKER_H_
     18 #define UPDATE_ENGINE_CERTIFICATE_CHECKER_H_
     19 
     20 #include <curl/curl.h>
     21 #include <openssl/ssl.h>
     22 
     23 #include <string>
     24 
     25 #include <base/macros.h>
     26 #include <gtest/gtest_prod.h>  // for FRIEND_TEST
     27 
     28 namespace chromeos_update_engine {
     29 
     30 class PrefsInterface;
     31 
     32 // Wrapper for openssl operations with the certificates.
     33 class OpenSSLWrapper {
     34  public:
     35   OpenSSLWrapper() = default;
     36   virtual ~OpenSSLWrapper() = default;
     37 
     38   // Takes an openssl X509_STORE_CTX, extracts the corresponding certificate
     39   // from it and calculates its fingerprint (SHA256 digest). Returns true on
     40   // success and false otherwise.
     41   //
     42   // |x509_ctx| is the pointer to the openssl object that holds the certificate.
     43   // |out_depth| is the depth of the current certificate, in the certificate
     44   // chain.
     45   // |out_digest_length| is the length of the generated digest.
     46   // |out_digest| is the byte array where the digest itself will be written.
     47   // It should be big enough to hold a SHA1 digest (e.g. EVP_MAX_MD_SIZE).
     48   virtual bool GetCertificateDigest(X509_STORE_CTX* x509_ctx,
     49                                     int* out_depth,
     50                                     unsigned int* out_digest_length,
     51                                     uint8_t* out_digest) const;
     52 
     53  private:
     54   DISALLOW_COPY_AND_ASSIGN(OpenSSLWrapper);
     55 };
     56 
     57 // The values in this enum are replicated in the metrics server. See metrics.h
     58 // for instructions on how to update these values in the server side.
     59 enum class CertificateCheckResult {
     60   // The certificate is valid and the same as seen before or the first time we
     61   // see a certificate.
     62   kValid,
     63   // The certificate is valid, but is different than a previously seen
     64   // certificate for the selected server.
     65   kValidChanged,
     66   // The certificate validation failed.
     67   kFailed,
     68 
     69   // This value must be the last entry.
     70   kNumConstants
     71 };
     72 
     73 // These values are used to generate the keys of files persisted via prefs.
     74 // This means that changing these will cause loss of information on metrics
     75 // reporting, during the transition. These values are also mapped to a metric
     76 // name in metrics.cc, so adding values here requires to assign a new metric
     77 // name in that file.
     78 enum class ServerToCheck {
     79   kUpdate = 0,
     80   kDownload,
     81 
     82   // Ignore this server.
     83   kNone,
     84 };
     85 
     86 // Responsible for checking whether update server certificates change, and
     87 // reporting to UMA when this happens. Since all state information is persisted,
     88 // and openssl forces us to use a static callback with no data pointer, this
     89 // class is entirely static.
     90 class CertificateChecker {
     91  public:
     92   class Observer {
     93    public:
     94     virtual ~Observer() = default;
     95 
     96     // Called whenever a certificate is checked for the server |server_to_check|
     97     // passing the result of said certificate check.
     98     virtual void CertificateChecked(ServerToCheck server_to_check,
     99                                     CertificateCheckResult result) = 0;
    100   };
    101 
    102   CertificateChecker(PrefsInterface* prefs, OpenSSLWrapper* openssl_wrapper);
    103   ~CertificateChecker();
    104 
    105   // This callback is called by libcurl just before the initialization of an
    106   // SSL connection after having processed all other SSL related options. Used
    107   // to check if server certificates change. |cert_checker| is expected to be a
    108   // pointer to the CertificateChecker instance.
    109   static CURLcode ProcessSSLContext(CURL* curl_handle,
    110                                     SSL_CTX* ssl_ctx,
    111                                     void* cert_checker);
    112 
    113   // Initialize this class as the singleton instance. Only one instance can be
    114   // initialized at a time and it should be initialized before other methods
    115   // can be used.
    116   void Init();
    117 
    118   // Set the certificate observer to the passed instance. To remove the
    119   // observer, pass a nullptr. The |observer| instance must be valid while this
    120   // CertificateChecker verifies certificates.
    121   void SetObserver(Observer* observer) { observer_ = observer; }
    122 
    123  private:
    124   FRIEND_TEST(CertificateCheckerTest, NewCertificate);
    125   FRIEND_TEST(CertificateCheckerTest, SameCertificate);
    126   FRIEND_TEST(CertificateCheckerTest, ChangedCertificate);
    127   FRIEND_TEST(CertificateCheckerTest, FailedCertificate);
    128 
    129   // These callbacks are asynchronously called by openssl after initial SSL
    130   // verification. They are used to perform any additional security verification
    131   // on the connection, but we use them here to get hold of the server
    132   // certificate, in order to determine if it has changed since the last
    133   // connection. Since openssl forces us to do this statically, we define two
    134   // different callbacks for the two different official update servers, and only
    135   // assign the correspondent one. The assigned callback is then called once per
    136   // each certificate on the server and returns 1 for success and 0 for failure.
    137   static int VerifySSLCallbackDownload(int preverify_ok,
    138                                        X509_STORE_CTX* x509_ctx);
    139   static int VerifySSLCallbackUpdate(int preverify_ok,
    140                                      X509_STORE_CTX* x509_ctx);
    141   static int VerifySSLCallback(int preverify_ok,
    142                                X509_STORE_CTX* x509_ctx,
    143                                ServerToCheck server_to_check);
    144 
    145   // Checks if server certificate stored in |x509_ctx| has changed since last
    146   // connection to that same server, specified by |server_to_check|.
    147   // This is called by the callbacks defined above. The result of the
    148   // certificate check is passed to the observer, if any. Returns true on
    149   // success and false otherwise.
    150   bool CheckCertificateChange(int preverify_ok,
    151                               X509_STORE_CTX* x509_ctx,
    152                               ServerToCheck server_to_check);
    153 
    154   // Notifies the observer, if any, of a certificate checking.
    155   void NotifyCertificateChecked(ServerToCheck server_to_check,
    156                                 CertificateCheckResult result);
    157 
    158   // The CertificateChecker singleton instance.
    159   static CertificateChecker* cert_checker_singleton_;
    160 
    161   // Prefs instance used to store the certificates seen in the past.
    162   PrefsInterface* prefs_;
    163 
    164   // The wrapper for openssl operations.
    165   OpenSSLWrapper* openssl_wrapper_;
    166 
    167   // The observer called whenever a certificate is checked, if not null.
    168   Observer* observer_{nullptr};
    169 
    170   DISALLOW_COPY_AND_ASSIGN(CertificateChecker);
    171 };
    172 
    173 }  // namespace chromeos_update_engine
    174 
    175 #endif  // UPDATE_ENGINE_CERTIFICATE_CHECKER_H_
    176