1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "policy/device_policy_impl.h"
6 
7 #include <base/files/file_util.h>
8 #include <base/logging.h>
9 #include <base/macros.h>
10 #include <openssl/evp.h>
11 #include <openssl/x509.h>
12 
13 #include <set>
14 #include <string>
15 
16 #include "bindings/chrome_device_policy.pb.h"
17 #include "bindings/device_management_backend.pb.h"
18 
19 namespace policy {
20 
21 namespace {
22 const char kPolicyPath[] = "/var/lib/whitelist/policy";
23 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key";
24 
25 // Reads the public key used to sign the policy from |key_file| and stores it
26 // in |public_key|. Returns true on success.
ReadPublicKeyFromFile(const base::FilePath & key_file,std::string * public_key)27 bool ReadPublicKeyFromFile(const base::FilePath& key_file,
28                            std::string* public_key) {
29   if (!base::PathExists(key_file))
30     return false;
31   public_key->clear();
32   if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) {
33     LOG(ERROR) << "Could not read public key off disk";
34     return false;
35   }
36   return true;
37 }
38 
39 // Verifies that the |signed_data| has correct |signature| with |public_key|.
VerifySignature(const std::string & signed_data,const std::string & signature,const std::string & public_key)40 bool VerifySignature(const std::string& signed_data,
41                      const std::string& signature,
42                      const std::string& public_key) {
43   EVP_MD_CTX ctx;
44   EVP_MD_CTX_init(&ctx);
45 
46   const EVP_MD* digest = EVP_sha1();
47 
48   char* key = const_cast<char*>(public_key.data());
49   BIO* bio = BIO_new_mem_buf(key, public_key.length());
50   if (!bio) {
51     EVP_MD_CTX_cleanup(&ctx);
52     return false;
53   }
54 
55   EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr);
56   if (!public_key_ssl) {
57     BIO_free_all(bio);
58     EVP_MD_CTX_cleanup(&ctx);
59     return false;
60   }
61 
62   const unsigned char* sig =
63       reinterpret_cast<const unsigned char*>(signature.data());
64   int rv = EVP_VerifyInit_ex(&ctx, digest, nullptr);
65   if (rv == 1) {
66     EVP_VerifyUpdate(&ctx, signed_data.data(), signed_data.length());
67     rv = EVP_VerifyFinal(&ctx,
68                          sig, signature.length(),
69                          public_key_ssl);
70   }
71 
72   EVP_PKEY_free(public_key_ssl);
73   BIO_free_all(bio);
74   EVP_MD_CTX_cleanup(&ctx);
75 
76   return rv == 1;
77 }
78 
79 // Decodes the connection type enum from the device settings protobuf to string
80 // representations. The strings must match the connection manager definitions.
DecodeConnectionType(int type)81 std::string DecodeConnectionType(int type) {
82   static const char* const kConnectionTypes[] = {
83     "ethernet",
84     "wifi",
85     "wimax",
86     "bluetooth",
87     "cellular",
88   };
89 
90   if (type < 0 || type >= static_cast<int>(arraysize(kConnectionTypes)))
91     return std::string();
92 
93   return kConnectionTypes[type];
94 }
95 
96 }  // namespace
97 
DevicePolicyImpl()98 DevicePolicyImpl::DevicePolicyImpl()
99     : policy_path_(kPolicyPath),
100       keyfile_path_(kPublicKeyPath) {
101 }
102 
~DevicePolicyImpl()103 DevicePolicyImpl::~DevicePolicyImpl() {
104 }
105 
LoadPolicy()106 bool DevicePolicyImpl::LoadPolicy() {
107   if (!VerifyPolicyFiles()) {
108     return false;
109   }
110 
111   std::string polstr;
112   if (!base::ReadFileToString(policy_path_, &polstr) || polstr.empty()) {
113     LOG(ERROR) << "Could not read policy off disk";
114     return false;
115   }
116   if (!policy_.ParseFromString(polstr) || !policy_.has_policy_data()) {
117     LOG(ERROR) << "Policy on disk could not be parsed!";
118     return false;
119   }
120   policy_data_.ParseFromString(policy_.policy_data());
121   if (!policy_data_.has_policy_value()) {
122     LOG(ERROR) << "Policy on disk could not be parsed!";
123     return false;
124   }
125 
126   // Make sure the signature is still valid.
127   if (!VerifyPolicySignature()) {
128     LOG(ERROR) << "Policy signature verification failed!";
129     return false;
130   }
131 
132   device_policy_.ParseFromString(policy_data_.policy_value());
133   return true;
134 }
135 
GetPolicyRefreshRate(int * rate) const136 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const {
137   if (!device_policy_.has_device_policy_refresh_rate())
138     return false;
139   *rate = static_cast<int>(
140       device_policy_.device_policy_refresh_rate().device_policy_refresh_rate());
141   return true;
142 }
143 
GetUserWhitelist(std::vector<std::string> * user_whitelist) const144 bool DevicePolicyImpl::GetUserWhitelist(
145     std::vector<std::string>* user_whitelist) const {
146   if (!device_policy_.has_user_whitelist())
147     return false;
148   const enterprise_management::UserWhitelistProto& proto =
149       device_policy_.user_whitelist();
150   user_whitelist->clear();
151   for (int i = 0; i < proto.user_whitelist_size(); i++)
152     user_whitelist->push_back(proto.user_whitelist(i));
153   return true;
154 }
155 
GetGuestModeEnabled(bool * guest_mode_enabled) const156 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const {
157   if (!device_policy_.has_guest_mode_enabled())
158     return false;
159   *guest_mode_enabled =
160       device_policy_.guest_mode_enabled().guest_mode_enabled();
161   return true;
162 }
163 
GetCameraEnabled(bool * camera_enabled) const164 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const {
165   if (!device_policy_.has_camera_enabled())
166     return false;
167   *camera_enabled = device_policy_.camera_enabled().camera_enabled();
168   return true;
169 }
170 
GetShowUserNames(bool * show_user_names) const171 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const {
172   if (!device_policy_.has_show_user_names())
173     return false;
174   *show_user_names = device_policy_.show_user_names().show_user_names();
175   return true;
176 }
177 
GetDataRoamingEnabled(bool * data_roaming_enabled) const178 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const {
179   if (!device_policy_.has_data_roaming_enabled())
180     return false;
181   *data_roaming_enabled =
182       device_policy_.data_roaming_enabled().data_roaming_enabled();
183   return true;
184 }
185 
GetAllowNewUsers(bool * allow_new_users) const186 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const {
187   if (!device_policy_.has_allow_new_users())
188     return false;
189   *allow_new_users = device_policy_.allow_new_users().allow_new_users();
190   return true;
191 }
192 
GetMetricsEnabled(bool * metrics_enabled) const193 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const {
194   if (!device_policy_.has_metrics_enabled())
195     return false;
196   *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled();
197   return true;
198 }
199 
GetReportVersionInfo(bool * report_version_info) const200 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const {
201   if (!device_policy_.has_device_reporting())
202     return false;
203 
204   const enterprise_management::DeviceReportingProto& proto =
205       device_policy_.device_reporting();
206   if (!proto.has_report_version_info())
207     return false;
208 
209   *report_version_info = proto.report_version_info();
210   return true;
211 }
212 
GetReportActivityTimes(bool * report_activity_times) const213 bool DevicePolicyImpl::GetReportActivityTimes(
214     bool* report_activity_times) const {
215   if (!device_policy_.has_device_reporting())
216     return false;
217 
218   const enterprise_management::DeviceReportingProto& proto =
219       device_policy_.device_reporting();
220   if (!proto.has_report_activity_times())
221     return false;
222 
223   *report_activity_times = proto.report_activity_times();
224   return true;
225 }
226 
GetReportBootMode(bool * report_boot_mode) const227 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const {
228   if (!device_policy_.has_device_reporting())
229     return false;
230 
231   const enterprise_management::DeviceReportingProto& proto =
232       device_policy_.device_reporting();
233   if (!proto.has_report_boot_mode())
234     return false;
235 
236   *report_boot_mode = proto.report_boot_mode();
237   return true;
238 }
239 
GetEphemeralUsersEnabled(bool * ephemeral_users_enabled) const240 bool DevicePolicyImpl::GetEphemeralUsersEnabled(
241     bool* ephemeral_users_enabled) const {
242   if (!device_policy_.has_ephemeral_users_enabled())
243     return false;
244   *ephemeral_users_enabled =
245       device_policy_.ephemeral_users_enabled().ephemeral_users_enabled();
246   return true;
247 }
248 
GetReleaseChannel(std::string * release_channel) const249 bool DevicePolicyImpl::GetReleaseChannel(
250     std::string* release_channel) const {
251   if (!device_policy_.has_release_channel())
252     return false;
253 
254   const enterprise_management::ReleaseChannelProto& proto =
255       device_policy_.release_channel();
256   if (!proto.has_release_channel())
257     return false;
258 
259   *release_channel = proto.release_channel();
260   return true;
261 }
262 
GetReleaseChannelDelegated(bool * release_channel_delegated) const263 bool DevicePolicyImpl::GetReleaseChannelDelegated(
264     bool* release_channel_delegated) const {
265   if (!device_policy_.has_release_channel())
266     return false;
267 
268   const enterprise_management::ReleaseChannelProto& proto =
269       device_policy_.release_channel();
270   if (!proto.has_release_channel_delegated())
271     return false;
272 
273   *release_channel_delegated = proto.release_channel_delegated();
274   return true;
275 }
276 
GetUpdateDisabled(bool * update_disabled) const277 bool DevicePolicyImpl::GetUpdateDisabled(
278     bool* update_disabled) const {
279   if (!device_policy_.has_auto_update_settings())
280     return false;
281 
282   const enterprise_management::AutoUpdateSettingsProto& proto =
283       device_policy_.auto_update_settings();
284   if (!proto.has_update_disabled())
285     return false;
286 
287   *update_disabled = proto.update_disabled();
288   return true;
289 }
290 
GetTargetVersionPrefix(std::string * target_version_prefix) const291 bool DevicePolicyImpl::GetTargetVersionPrefix(
292     std::string* target_version_prefix) const {
293   if (!device_policy_.has_auto_update_settings())
294     return false;
295 
296   const enterprise_management::AutoUpdateSettingsProto& proto =
297       device_policy_.auto_update_settings();
298   if (!proto.has_target_version_prefix())
299     return false;
300 
301   *target_version_prefix = proto.target_version_prefix();
302   return true;
303 }
304 
GetScatterFactorInSeconds(int64_t * scatter_factor_in_seconds) const305 bool DevicePolicyImpl::GetScatterFactorInSeconds(
306     int64_t* scatter_factor_in_seconds) const {
307   if (!device_policy_.has_auto_update_settings())
308     return false;
309 
310   const enterprise_management::AutoUpdateSettingsProto& proto =
311       device_policy_.auto_update_settings();
312   if (!proto.has_scatter_factor_in_seconds())
313     return false;
314 
315   *scatter_factor_in_seconds = proto.scatter_factor_in_seconds();
316   return true;
317 }
318 
GetAllowedConnectionTypesForUpdate(std::set<std::string> * connection_types) const319 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate(
320       std::set<std::string>* connection_types) const {
321   if (!device_policy_.has_auto_update_settings())
322     return false;
323 
324   const enterprise_management::AutoUpdateSettingsProto& proto =
325       device_policy_.auto_update_settings();
326   if (proto.allowed_connection_types_size() <= 0)
327     return false;
328 
329   for (int i = 0; i < proto.allowed_connection_types_size(); i++) {
330     std::string type = DecodeConnectionType(proto.allowed_connection_types(i));
331     if (!type.empty())
332       connection_types->insert(type);
333   }
334   return true;
335 }
336 
GetOpenNetworkConfiguration(std::string * open_network_configuration) const337 bool DevicePolicyImpl::GetOpenNetworkConfiguration(
338     std::string* open_network_configuration) const {
339   if (!device_policy_.has_open_network_configuration())
340     return false;
341 
342   const enterprise_management::DeviceOpenNetworkConfigurationProto& proto =
343       device_policy_.open_network_configuration();
344   if (!proto.has_open_network_configuration())
345     return false;
346 
347   *open_network_configuration = proto.open_network_configuration();
348   return true;
349 }
350 
GetOwner(std::string * owner) const351 bool DevicePolicyImpl::GetOwner(std::string* owner) const {
352   // The device is enterprise enrolled iff a request token exists.
353   if (policy_data_.has_request_token()) {
354     *owner = "";
355     return true;
356   }
357   if (!policy_data_.has_username())
358     return false;
359   *owner = policy_data_.username();
360   return true;
361 }
362 
GetHttpDownloadsEnabled(bool * http_downloads_enabled) const363 bool DevicePolicyImpl::GetHttpDownloadsEnabled(
364     bool* http_downloads_enabled) const {
365   if (!device_policy_.has_auto_update_settings())
366     return false;
367 
368   const enterprise_management::AutoUpdateSettingsProto& proto =
369       device_policy_.auto_update_settings();
370 
371   if (!proto.has_http_downloads_enabled())
372     return false;
373 
374   *http_downloads_enabled = proto.http_downloads_enabled();
375   return true;
376 }
377 
GetAuP2PEnabled(bool * au_p2p_enabled) const378 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const {
379   if (!device_policy_.has_auto_update_settings())
380     return false;
381 
382   const enterprise_management::AutoUpdateSettingsProto& proto =
383       device_policy_.auto_update_settings();
384 
385   if (!proto.has_p2p_enabled())
386     return false;
387 
388   *au_p2p_enabled = proto.p2p_enabled();
389   return true;
390 }
391 
VerifyPolicyFiles()392 bool DevicePolicyImpl::VerifyPolicyFiles() {
393   // Both the policy and its signature have to exist.
394   if (!base::PathExists(policy_path_) || !base::PathExists(keyfile_path_)) {
395     return false;
396   }
397 
398   // Check if the policy and signature file is owned by root.
399   struct stat file_stat;
400   stat(policy_path_.value().c_str(), &file_stat);
401   if (file_stat.st_uid != 0) {
402     LOG(ERROR) << "Policy file is not owned by root!";
403     return false;
404   }
405   stat(keyfile_path_.value().c_str(), &file_stat);
406   if (file_stat.st_uid != 0) {
407     LOG(ERROR) << "Policy signature file is not owned by root!";
408     return false;
409   }
410   return true;
411 }
412 
VerifyPolicySignature()413 bool DevicePolicyImpl::VerifyPolicySignature() {
414   if (policy_.has_policy_data_signature()) {
415     std::string policy_data = policy_.policy_data();
416     std::string policy_data_signature = policy_.policy_data_signature();
417     std::string public_key;
418     if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) {
419       LOG(ERROR) << "Could not read owner key off disk";
420       return false;
421     }
422     if (!VerifySignature(policy_data, policy_data_signature, public_key)) {
423       LOG(ERROR) << "Signature does not match the data or can not be verified!";
424       return false;
425     }
426     return true;
427   }
428   LOG(ERROR) << "The policy blob is not signed!";
429   return false;
430 }
431 
432 }  // namespace policy
433