Age | Commit message | Author |
|
tlsdate has a "time_is_an_illusion" parameter which uses the server's
reported time (within some bounds) to check the certificate against. It
does this by configuring the time on the SSL's X509_VERIFY_PARAM when
one of the SSL3_ST_CR_SRVR_HELLO_A and SSL3_ST_CR_SRVR_HELLO_B states
passes.
In addition to depending on quirks of the OpenSSL state machine which
BoringSSL would otherwise need to emulate, this code is wrong. It needs
to run at a point after the server_random is filled in. In the original
OpenSSL code, SSL3_ST_CR_SRVR_HELLO_A is when the message header is
read, so this is too early. The _B state also wouldn't work on a non-blocking
socket because the state machine might pause halfway through reading the
body. This probably only worked because it only uses blocking BIOs.
This also depends on OpenSSL's info_callback hacking the state
transitions so SSL_state returned the previous state during the
callback.
Rather than ossify all these bugs, use SSL_CTX_set_cert_verify_callback.
This overrides OpenSSL's call to X509_verify_cert. By looking up the
server random immediately before verification, we are guaranteed
server_random is filled in. At this point we also have an X509_STORE_CTX
available, so we may set the time on it directly.
Change-Id: I0a830984539d7e9e53c78891dea07f27f71edcbf
Test: mma
|
|
am: 74ea02aa66
Change-Id: Icd52bce4997ee577ef096b82cfdf3f479064b381
|
|
am: cfb7a5c7aa
Change-Id: Ibd161dd4080b7d317cf3baeb34f14c404ae7351e
|
|
am: 5a3de7f113
Change-Id: I7b54b1c354934ed2dae616dc6e088f27a9c08ac5
|
|
Instead, use the corresponding accessor.
Note that SSL_get0_param is not quite what the old code was doing, but
is the correct way to do this. I've confirmed the time still gets set
either way. (The parameters ultimately used in the X509_STORE_CTX are
first seeded from the X509_STORE, where the old code was modifying
things, and then any parameters set via SSL_get0_param are applied.)
See upstream docs here:
https://www.openssl.org/docs/manmaster/ssl/SSL_get0_param.html
Test: mmma -j200 external/tlsdate
Change-Id: I6bffe27d1016ed4abad7f7c90ed72d5971fc7b23
|
|
am: 8e4be28465
* commit '8e4be28465ee3c7732074443359cad925a9bf264':
Fix mips64 build.
|
|
Change-Id: I2cdc6527921915005c630aba7a183c6523d7f2c6
|
|
am: ce31a91f92
* commit 'ce31a91f92f677e2712d1a7f03da607db17a6b82':
Add MIPS little endian architectures and fix preprocessor indentation
|
|
MIPS has distinct architecture identifiers for big endian and little
endian. This change adds the little endian identifiers and updates the
preprocessor indentation to consistently use 2 spaces.
Change-Id: Ia48ec946a5b4619cf29f83deef8de2adc0136af5
|
|
am: 75bc1ed95f
* commit '75bc1ed95f269e1274dee1c13a1ce63bb6065ddb':
tlsdate: prevent unnecessary rebuilds
|
|
tlsdate rebuilds every time the makefiles are reparsed because it embeds
the output of a shell date command into the command line, and ninja
reruns the command every time it changes. Replace $(shell date +%sL)
with $$$(BUILD_NUMBER_FROM_FILE)L, which will read the build date from
$(OUT_DIR)/build_date.txt. This date file will be updated on every
build, but will not cause a rebuild if it changes, so the date from the
most recent time the file was recompiled for other reasons will be used.
Bug: 24790431
Change-Id: Ib93ead6512706e13ae6dbd271e7560a3e8c00e8a
|
|
am: 46e11a8543
* commit '46e11a854350ef2e36aaef2d9daf34f8d7af31f1':
Fix /data dir creation, 'tlsdated' service class.
|
|
/data is not guaranteed to be mounted when 'boot' triggers.
'post-fs-data' guarantees that. Also, move the daemon to class
'late_start', since post-fs-data will not happen in time for class
'main'.
Bug: 25122706
Change-Id: I2a636df27461ebc21270dd2380c6d5d69f253d3d
|
|
* commit 'fa9e6d3cc3048f13a629e50808fc914a0f1a331a':
Remove verbose logging in 'tlsdated' and 'tlsdate'.
|
|
'tlsdated' and 'tlsdate' account for more than 50% of all logcat output
in any Brillo build. Now that tlsdate is working, remove verbose logging.
Bug: None
Change-Id: I7c0461620df66a6dcc3ed2b391b2bada577a6a07
|
|
* commit 'e690a81d99d4c1c88abf235b306ead73bbfaa012':
Use a dedicated UID/GID for unprivileged execution.
|
|
Bug: 23651876
Change-Id: Ie924bbe5cee74e3095876d6386a6ea21399b8d97
|
|
* commit '1632583d26b8e926d84afec05f0e0d9bdf9ab0ca':
Remove 'seclabel' option.
|
|
The executable is already labelled in the filesystem.
Bug: 24571067
Change-Id: Ic6b9f85628ca391fc8e9d3232bc74d2df730be35
|
|
* commit 'e9132c014d2a05e410f98cb777a4806dddde3e8e':
Make tlsdated persist and load last set time.
|
|
This enables use of a timestamp file. Note the fchmod(2) call after file
opening/creation, used for working around unfavorable umask settings.
Bug: 22373707
Change-Id: Id759d3eda55c9c2215991268291ceeac490373d6
|
|
* commit '4a0ae0177f07c62d336268082539dd64149aa288':
Relocate a function to fix a build failure.
|
|
* commit '727698b640dad91c1016d26e6cac74e5bc893598':
Free memory for supplementary groups as soon as possible.
|
|
* commit '9451a040340733ef044493ca396d8fb087df59e0':
Drop privileges to nobody:nobody, use supplementary groups as needed.
|
|
This ensures that parse_supp_groups() is only built with main().
Bug: 22373707
Change-Id: I81ab8b7718592d43a8ccccb1ee1e694367205463
|
|
Bug: 22373707
Bug: 23651876
Change-Id: I51112d65f53489ff04a0f14b31c198ee4f49c0a3
|
|
This ensures that, by default, tlsdated runs with the least privileges.
We use the new supplementary groups feature to allow use of specific
system resources (TCP sockets, DBus).
Bug: 22373707
Bug: 23651876
Change-Id: I157f40c0fb42158bbc8f5233af49fe368d23892b
|
|
* commit 'aab9382297008c1d1b7cef361159a44885d52af0':
Support for dropping privileges with supplementary groups.
|
|
* commit '98fc05cbb94eed6925d76de5a75e993296252e7c':
Run tlsdated without DBus.
|
|
* commit '5dc2a431699336ef28d568ca41563e9f6ab84093':
Run tlsdated as root.
|
|
* commit 'e779a4ea234801eb279f378b6999705f10cd5abc':
Check whether DBus is initialized before attempting platform init.
|
|
* commit 'b470cc18ef58c7c6d7e99f80559a69f65f5167e3':
Run as non-root; drop privileges to inet:inet.
|
|
* commit 'f73a0e44adc986e575e9cb8e92a70f406e9d88f9':
Do not open a BIO on stdout.
|
|
* commit '6b0a9342d07cce9b66dea2d3230f9bdadb9d44d9':
Build tlsdate-helper in AOSP.
|
|
* commit '5f27bddadbe222956e963686151a993ab07c7f94':
Better handling of EVP_PKEY types.
|
|
* commit '6b31c0f559f7e7e9f3ccf29b4ffc4e7dbde420f3':
Stop using SSL BIO.
|
|
On Android, we need support for supplementary groups when dropping
privileges in order to retain permissions for accessing system resources
such as the DBus socket. This CL:
1) Adds a flag -G to tlsdated for listing supplementary groups used when
dropping privileges.
2) Adds '-G dbus' to tlsdated Android init script.
Bug: 22373707
Bug: 23651876
Change-Id: I0769d5ef496d073c20016c3252c5edbfead2aaa5
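An added example (my own code, not tlsdate's) of the privilege-drop pattern these commits describe: a `-G` style list is resolved to gids, and the daemon then gives up supplementary groups, primary group and uid in the only order that cannot be undone, checking afterwards that root is really gone. The name `parse_supp_groups` is borrowed from the commit messages, but this body, the `drop_privileges` helper and the acceptance of numeric gids are assumptions of the example.

```c
#define _GNU_SOURCE /* strdup, strtok_r, setgroups */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a comma-separated "-G" list such as "dbus,inet" into gids.
 * Group names are resolved with getgrnam(); all-digit tokens are taken
 * as numeric gids (an assumption of this example, not tlsdate's rule).
 * Returns the number of groups, or -1 on an unknown name or overflow. */
int parse_supp_groups(const char *list, gid_t *out, int max) {
  char *copy, *save = NULL, *tok;
  int n = 0;
  if (list == NULL || out == NULL || max <= 0) return -1;
  copy = strdup(list);
  if (copy == NULL) return -1;
  for (tok = strtok_r(copy, ",", &save); tok != NULL;
       tok = strtok_r(NULL, ",", &save)) {
    char *end = NULL;
    unsigned long v;
    if (n >= max) { free(copy); return -1; }
    errno = 0;
    v = strtoul(tok, &end, 10);
    if (end != tok && *end == '\0' && errno == 0) {
      out[n++] = (gid_t)v;            /* numeric gid */
    } else {
      struct group *gr = getgrnam(tok);
      if (gr == NULL) { free(copy); return -1; } /* unknown group */
      out[n++] = gr->gr_gid;
    }
  }
  free(copy);
  return n;
}

/* Drop to uid:gid keeping only the listed supplementary groups. Order
 * matters: setgroups() and setgid() need root, so they run before
 * setuid(). Afterwards setuid(0) must fail, or the drop was not real.
 * Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid, const gid_t *supp, int nsupp) {
  if (setgroups((size_t)nsupp, supp) != 0) return -1;
  if (setgid(gid) != 0) return -1;
  if (setuid(uid) != 0) return -1;
  if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
  return 0;
}
```

Calling `drop_privileges(65534, 65534, gids, n)` right after startup, as the init-script commits above do for tlsdated, leaves the process with only the listed groups (for example `dbus`) and no way back to root.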
|
|
Due to dropping privileges early on in its execution, and due to
Android's restricted access to DBus and limitations on supplementary GID
setup, we temporarily disable tlsdated's connection to DBus.
Bug: 22373707
Bug: 23651876
Change-Id: I392d41381e7515223a098457583d3019d65dc6e1
|
|
This is actually needed so it can drop privileges shortly after
starting.
Bug: 22373707
Change-Id: Ie114a96b80bc5e50525411904c1266fa7072ded0
|
|
Otherwise, we segfault.
Bug: 22373707
Change-Id: I94601696055e5f649334f470f4827f92614ff74a
|
|
1) We are adding a specific file capability (CAP_SYS_TIME) that allows
tlsdated to start as user 'system', like other services. Hence,
switching to use the standard init template.
2) Our unprivileged execution needs to connect a socket so we're reusing
the existing 'inet' user/group. In the long run, we should have
dedicated UID/GID for tlsdated that will provide these privileges.
Bug: 22373707
Change-Id: I85f9a5ee744be71691f1187030021d3178ca0861
|
|
The returned object isn't used anyway.
Bug: 22373707
Change-Id: I93fb7ef9c64ab4ffc60eed242264fe375ec55a95
|
|
Bug: 22373707
Change-Id: I3b6cc6febc272926edaaf0a98fdd2908155a9ec1
|
|
1) EVP_PKEY_bits already returns the number of bits of keys of any type,
so no need for case-by-case handling.
2) Some EVP_PKEY constants are not defined in BoringSSL, so we only test
them if they're defined.
The conversion from key types values to strings was moved to a separate
function.
Bug: 22373707
Change-Id: I73c383367147afb316fa6e92e456f24078d48c32
|
|
This type of BIO is not supported in BoringSSL. Also, it is not really
needed: the same can be achieved with an ordinary connect BIO that is added
to an SSL object. This form is backward compatible with OpenSSL and
therefore preferable.
Bug: 22373707
Change-Id: Ib140da3ce534c687dec1502c2cb1bb0b846bcad1
|
|
* commit '6198a2fae5cc4f2ccd3ee29160605cab75d7418c':
Rename init.tlsdated.rc and tie it to the correct build target.
|
|
1) With the new Android initrc installation schema, all init files are
simply named <daemon_name>.rc. No reason to be different.
2) Actually tie it to tlsdated (and not tlsdated_unittest).
Bug: 22373707
Change-Id: Icb0bc5794da81b81683982f5cae3056c2859877c
|
|
* commit '793a81172b131dda5b85e009496344e24cfeab9f':
Add init.tlsdated.rc.
|
|
Bug: 22373707
Change-Id: I6431bc535cbf19738c5b109f3ab56bcef1ad8fdd
|
|
* commit 'c31964b2951090a14d1135e4738fe724e6136403':
Use a group name that actually exists.
|