Validate hash_sha256 checksum on .crx update.

extensions/browser/sandboxed_unpacker.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/sandboxed_unpacker.h"
 
 #include <set>
 
 #include "base/base64.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_util.h"
 #include "base/files/file_util_proxy.h"
 #include "base/files/scoped_file.h"
 #include "base/json/json_string_value_serializer.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/path_service.h"
 #include "base/sequenced_task_runner.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/sequenced_worker_pool.h"
 #include "components/crx_file/constants.h"
 #include "components/crx_file/crx_file.h"
 #include "components/crx_file/id_util.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/utility_process_host.h"
 #include "content/public/common/common_param_traits.h"
+#include "crypto/secure_hash.h"
+#include "crypto/sha2.h"
 #include "crypto/signature_verifier.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/extension_l10n_util.h"
 #include "extensions/common/extension_utility_messages.h"
 #include "extensions/common/extensions_client.h"
 #include "extensions/common/file_util.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/manifest_handlers/icons_handler.h"
+#include "extensions/common/switches.h"
 #include "grit/extensions_strings.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/gfx/codec/png_codec.h"
 
 using base::ASCIIToUTF16;
 using content::BrowserThread;
 using content::UtilityProcessHost;
 using crx_file::CrxFile;
 
 // The following macro makes histograms that record the length of paths
 // in this file much easier to read.
 // Windows has a short max path length. If the path length to a
 // file being unpacked from a CRX exceeds the max length, we might
 // fail to install. To see if this is happening, see how long the
 // path to the temp unpack directory is. See crbug.com/69693 .
 #define PATH_LENGTH_HISTOGRAM(name, path) \
   UMA_HISTOGRAM_CUSTOM_COUNTS(name, path.value().length(), 0, 500, 100)
 
 // Record a rate (kB per second) at which extensions are unpacked.
 // Range from 1kB/s to 100mB/s.
 #define UNPACK_RATE_HISTOGRAM(name, rate) \
   UMA_HISTOGRAM_CUSTOM_COUNTS(name, rate, 1, 100000, 100);
 
+// Record if the .crx hash sum is the same as in the updater manifest.
+#define CRX_HASH_CHECK_HISTOGRAM(name, success) \

[Ilya Sherman, 2015/02/03 21:40:29]

Why do you need a wrapper macro?

+  UMA_HISTOGRAM_BOOLEAN(name, success)
+
 namespace extensions {
 namespace {
 
 void RecordSuccessfulUnpackTimeHistograms(const base::FilePath& crx_path,
                                           const base::TimeDelta unpack_time) {
   const int64 kBytesPerKb = 1024;
   const int64 kBytesPerMb = 1024 * 1024;
 
   UMA_HISTOGRAM_TIMES("Extensions.SandboxUnpackSuccessTime", unpack_time);
 
@@ skipping 130 matching lines @@
     return false;
 
   IPC::Message pickle(file_str.data(), file_str.size());
   PickleIterator iter(pickle);
   return IPC::ReadParam(&pickle, &iter, catalogs);
 }
 
 }  // namespace
 
 SandboxedUnpacker::SandboxedUnpacker(
-    const base::FilePath& crx_path,
+    const CRXFileInfo& file,
     Manifest::Location location,
     int creation_flags,
     const base::FilePath& extensions_dir,
     const scoped_refptr<base::SequencedTaskRunner>& unpacker_io_task_runner,
     SandboxedUnpackerClient* client)
-    : crx_path_(crx_path),
+    : crx_path_(file.path),
+      package_hash_(file.hash),
+      check_crx_hash_(false),
       client_(client),
       extensions_dir_(extensions_dir),
       got_response_(false),
       location_(location),
       creation_flags_(creation_flags),
       unpacker_io_task_runner_(unpacker_io_task_runner) {
+  if (!package_hash_.empty()) {
+    check_crx_hash_ = base::CommandLine::ForCurrentProcess()->HasSwitch(
+        extensions::switches::kEnableCrxHashCheck);
+  }
 }
 
 bool SandboxedUnpacker::CreateTempDirectory() {
   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
 
   base::FilePath temp_dir;
   if (!FindWritableTempLocation(extensions_dir_, &temp_dir)) {
     ReportFailure(COULD_NOT_GET_TEMP_DIRECTORY,
                   l10n_util::GetStringFUTF16(
                       IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
@@ skipping 160 matching lines @@
 }
 
 void SandboxedUnpacker::OnUnpackExtensionFailed(const base::string16& error) {
   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
   got_response_ = true;
   ReportFailure(
       UNPACKER_CLIENT_FAILED,
       l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_MESSAGE, error));
 }
 
+static size_t ReadAndHash(void* ptr,
+                          size_t size,
+                          size_t nmemb,
+                          FILE* stream,
+                          scoped_ptr<crypto::SecureHash>& hash) {
+  size_t len = fread(ptr, size, nmemb, stream);
+  if (len > 0 && hash) {
+    hash->Update(ptr, len * size);
+  }
+  return len;
+}
+
+bool SandboxedUnpacker::FinalizeHash(scoped_ptr<crypto::SecureHash>& hash) {
+  if (hash) {
+    uint8 output[crypto::kSHA256Length];
+    hash->Finish(output, sizeof(output));
+    if (base::StringToLowerASCII(base::HexEncode(output, sizeof(output))) !=
+        package_hash_) {
+      // Package hash verification failed
+      CRX_HASH_CHECK_HISTOGRAM("Extensions.SandboxUnpackHashCheck", false);
+      if (check_crx_hash_) {
+        std::string name = crx_path_.BaseName().AsUTF8Unsafe();
+        LOG(ERROR) << "Hash check failed for extension: " << name;
+        ReportFailure(CRX_HASH_VERIFICATION_FAILED,
+                      l10n_util::GetStringFUTF16(
+                          IDS_EXTENSION_PACKAGE_ERROR_CODE,
+                          ASCIIToUTF16("CRX_HASH_VERIFICATION_FAILED")));
+        return false;
+      }
+    } else {
+      CRX_HASH_CHECK_HISTOGRAM("Extensions.SandboxUnpackHashCheck", true);

[Ilya Sherman, 2015/02/03 21:40:29]

I'd recommend having a single code path per histogram name, so that there's less
chance of typos.  Concretely, I'd recommend factoring out a helper function for
this logging.

+    }
+  }
+
+  return true;
+}
+
 bool SandboxedUnpacker::ValidateSignature() {
   base::ScopedFILE file(base::OpenFile(crx_path_, "rb"));
 
+  scoped_ptr<crypto::SecureHash> hash;
+
+  if (!package_hash_.empty()) {
+    hash.reset(crypto::SecureHash::Create(crypto::SecureHash::SHA256));
+  }
+
   if (!file.get()) {
 // Could not open crx file for reading.
 #if defined(OS_WIN)
     // On windows, get the error code.
     uint32 error_code = ::GetLastError();
     // TODO(skerner): Use this histogram to understand why so many
     // windows users hit this error.  crbug.com/69693
 
     // Windows errors are unit32s, but all of likely errors are in
     // [1, 1000].  See winerror.h for the meaning of specific values.
@@ skipping 12 matching lines @@
                                    ASCIIToUTF16("CRX_FILE_NOT_READABLE")));
     return false;
   }
 
   // Read and verify the header.
   // TODO(erikkay): Yuck.  I'm not a big fan of this kind of code, but it
   // appears that we don't have any endian/alignment aware serialization
   // code in the code base.  So for now, this assumes that we're running
   // on a little endian machine with 4 byte alignment.
   CrxFile::Header header;
-  size_t len = fread(&header, 1, sizeof(header), file.get());
+  size_t len = ReadAndHash(&header, 1, sizeof(header), file.get(), hash);
   if (len < sizeof(header)) {
     // Invalid crx header
     ReportFailure(CRX_HEADER_INVALID, l10n_util::GetStringFUTF16(
                                           IDS_EXTENSION_PACKAGE_ERROR_CODE,
                                           ASCIIToUTF16("CRX_HEADER_INVALID")));
     return false;
   }
 
   CrxFile::Error error;
   scoped_ptr<CrxFile> crx(CrxFile::Parse(header, &error));
@@ skipping 34 matching lines @@
                       l10n_util::GetStringFUTF16(
                           IDS_EXTENSION_PACKAGE_ERROR_CODE,
                           ASCIIToUTF16("CRX_ZERO_SIGNATURE_LENGTH")));
         break;
     }
     return false;
   }
 
   std::vector<uint8> key;
   key.resize(header.key_size);
-  len = fread(&key.front(), sizeof(uint8), header.key_size, file.get());
+  len = ReadAndHash(&key.front(), sizeof(uint8), header.key_size, file.get(),
+                    hash);
   if (len < header.key_size) {
     // Invalid public key
     ReportFailure(
         CRX_PUBLIC_KEY_INVALID,
         l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE,
                                    ASCIIToUTF16("CRX_PUBLIC_KEY_INVALID")));
     return false;
   }
 
   std::vector<uint8> signature;
   signature.resize(header.signature_size);
-  len = fread(&signature.front(), sizeof(uint8), header.signature_size,
-              file.get());
+  len = ReadAndHash(&signature.front(), sizeof(uint8), header.signature_size,
+                    file.get(), hash);
   if (len < header.signature_size) {
     // Invalid signature
     ReportFailure(
         CRX_SIGNATURE_INVALID,
         l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE,
                                    ASCIIToUTF16("CRX_SIGNATURE_INVALID")));
     return false;
   }
 
   crypto::SignatureVerifier verifier;
   if (!verifier.VerifyInit(
           crx_file::kSignatureAlgorithm, sizeof(crx_file::kSignatureAlgorithm),
           &signature.front(), signature.size(), &key.front(), key.size())) {
     // Signature verification initialization failed. This is most likely
     // caused by a public key in the wrong format (should encode algorithm).
     ReportFailure(
         CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED,
         l10n_util::GetStringFUTF16(
             IDS_EXTENSION_PACKAGE_ERROR_CODE,
             ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED")));
     return false;
   }
 
   unsigned char buf[1 << 12];
-  while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0)
+  while ((len = ReadAndHash(buf, 1, sizeof(buf), file.get(), hash)) > 0)
     verifier.VerifyUpdate(buf, len);
 
   if (!verifier.VerifyFinal()) {
     // Signature verification failed
     ReportFailure(CRX_SIGNATURE_VERIFICATION_FAILED,
                   l10n_util::GetStringFUTF16(
                       IDS_EXTENSION_PACKAGE_ERROR_CODE,
                       ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_FAILED")));
     return false;
   }
 
+  if (!FinalizeHash(hash)) {
+    return false;
+  }
+
   std::string public_key =
       std::string(reinterpret_cast<char*>(&key.front()), key.size());
   base::Base64Encode(public_key, &public_key_);
 
   extension_id_ = crx_file::id_util::GenerateId(public_key);
 
   return true;
 }
 
 void SandboxedUnpacker::ReportFailure(FailureReason reason,
@@ skipping 228 matching lines @@
 
 void SandboxedUnpacker::Cleanup() {
   DCHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
   if (!temp_dir_.Delete()) {
     LOG(WARNING) << "Can not delete temp directory at "
                  << temp_dir_.path().value();
   }
 }
 
 }  // namespace extensions