// // Copyright (C) 2011 The Android Open Source Project // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // #ifndef UPDATE_ENGINE_CERTIFICATE_CHECKER_H_ #define UPDATE_ENGINE_CERTIFICATE_CHECKER_H_ #include <curl/curl.h> #include <openssl/ssl.h> #include <string> #include <base/macros.h> #include <gtest/gtest_prod.h> // for FRIEND_TEST namespace chromeos_update_engine { class PrefsInterface; // Wrapper for openssl operations with the certificates. class OpenSSLWrapper { public: OpenSSLWrapper() = default; virtual ~OpenSSLWrapper() = default; // Takes an openssl X509_STORE_CTX, extracts the corresponding certificate // from it and calculates its fingerprint (SHA256 digest). Returns true on // success and false otherwise. // // |x509_ctx| is the pointer to the openssl object that holds the certificate. // |out_depth| is the depth of the current certificate, in the certificate // chain. // |out_digest_length| is the length of the generated digest. // |out_digest| is the byte array where the digest itself will be written. // It should be big enough to hold a SHA1 digest (e.g. EVP_MAX_MD_SIZE). virtual bool GetCertificateDigest(X509_STORE_CTX* x509_ctx, int* out_depth, unsigned int* out_digest_length, uint8_t* out_digest) const; private: DISALLOW_COPY_AND_ASSIGN(OpenSSLWrapper); }; // The values in this enum are replicated in the metrics server. See metrics.h // for instructions on how to update these values in the server side. enum class CertificateCheckResult { // The certificate is valid and the same as seen before or the first time we // see a certificate. kValid, // The certificate is valid, but is different than a previously seen // certificate for the selected server. kValidChanged, // The certificate validation failed. kFailed, // This value must be the last entry. kNumConstants }; // These values are used to generate the keys of files persisted via prefs. // This means that changing these will cause loss of information on metrics // reporting, during the transition. These values are also mapped to a metric // name in metrics.cc, so adding values here requires to assign a new metric // name in that file. enum class ServerToCheck { kUpdate = 0, kDownload, // Ignore this server. kNone, }; // Responsible for checking whether update server certificates change, and // reporting to UMA when this happens. Since all state information is persisted, // and openssl forces us to use a static callback with no data pointer, this // class is entirely static. class CertificateChecker { public: class Observer { public: virtual ~Observer() = default; // Called whenever a certificate is checked for the server |server_to_check| // passing the result of said certificate check. virtual void CertificateChecked(ServerToCheck server_to_check, CertificateCheckResult result) = 0; }; CertificateChecker(PrefsInterface* prefs, OpenSSLWrapper* openssl_wrapper); ~CertificateChecker(); // This callback is called by libcurl just before the initialization of an // SSL connection after having processed all other SSL related options. Used // to check if server certificates change. |cert_checker| is expected to be a // pointer to the CertificateChecker instance. static CURLcode ProcessSSLContext(CURL* curl_handle, SSL_CTX* ssl_ctx, void* cert_checker); // Initialize this class as the singleton instance. Only one instance can be // initialized at a time and it should be initialized before other methods // can be used. void Init(); // Set the certificate observer to the passed instance. To remove the // observer, pass a nullptr. The |observer| instance must be valid while this // CertificateChecker verifies certificates. void SetObserver(Observer* observer) { observer_ = observer; } private: FRIEND_TEST(CertificateCheckerTest, NewCertificate); FRIEND_TEST(CertificateCheckerTest, SameCertificate); FRIEND_TEST(CertificateCheckerTest, ChangedCertificate); FRIEND_TEST(CertificateCheckerTest, FailedCertificate); // These callbacks are asynchronously called by openssl after initial SSL // verification. They are used to perform any additional security verification // on the connection, but we use them here to get hold of the server // certificate, in order to determine if it has changed since the last // connection. Since openssl forces us to do this statically, we define two // different callbacks for the two different official update servers, and only // assign the correspondent one. The assigned callback is then called once per // each certificate on the server and returns 1 for success and 0 for failure. static int VerifySSLCallbackDownload(int preverify_ok, X509_STORE_CTX* x509_ctx); static int VerifySSLCallbackUpdate(int preverify_ok, X509_STORE_CTX* x509_ctx); static int VerifySSLCallback(int preverify_ok, X509_STORE_CTX* x509_ctx, ServerToCheck server_to_check); // Checks if server certificate stored in |x509_ctx| has changed since last // connection to that same server, specified by |server_to_check|. // This is called by the callbacks defined above. The result of the // certificate check is passed to the observer, if any. Returns true on // success and false otherwise. bool CheckCertificateChange(int preverify_ok, X509_STORE_CTX* x509_ctx, ServerToCheck server_to_check); // Notifies the observer, if any, of a certificate checking. void NotifyCertificateChecked(ServerToCheck server_to_check, CertificateCheckResult result); // The CertificateChecker singleton instance. static CertificateChecker* cert_checker_singleton_; // Prefs instance used to store the certificates seen in the past. PrefsInterface* prefs_; // The wrapper for openssl operations. OpenSSLWrapper* openssl_wrapper_; // The observer called whenever a certificate is checked, if not null. Observer* observer_{nullptr}; DISALLOW_COPY_AND_ASSIGN(CertificateChecker); }; } // namespace chromeos_update_engine #endif // UPDATE_ENGINE_CERTIFICATE_CHECKER_H_