Merge branch 'master' into m36

doc/ClientLog.md

@@ -37,7 +37,6 @@ LC_REPORT=3
 
 [LoggingSettings]
 EnableLogging=1
-LogFilePath="C:\foo\GoogleUpdate.log"
 MaxLogFileSize=10000000
 
 ShowTime=1
@@ -52,4 +51,4 @@ NoSendDumpToServer=1
 NoSendStackToServer=1
 ```
 # Log Size Limits #
-Omaha tries to archive the log when the log size is greater than 10 MB. When the log is in use by more than one instance of Omaha the archiving operation will fail. However, there is a 100 MB limit to how big the log can be to prevent overfilling the hard drive. When this limit is reached the log file is cleared and the logging starts from the beginning.
+Omaha tries to archive the log when the log size is greater than 10 MB. When the log is in use by more than one instance of Omaha the archiving operation will fail. However, there is a 100 MB limit to how big the log can be to prevent overfilling the hard drive. When this limit is reached the log file is cleared and the logging starts from the beginning.

doc/DeveloperSetupGuide.md

@@ -40,8 +40,8 @@ The following packages are required to build Omaha:
   * The GO programming language
     * Download [here](https://golang.org/dl/) 
     * Change this line in hammer.bat if you installed to a different location: `set GOROOT=C:\go`.
-  * Google Protocol Buffers (3.13.0 or higher) [here](https://github.com/google/protobuf/releases).
-    * From the [release page](https://github.com/google/protobuf/releases), download the zip file `protoc-$VERSION-win32.zip`. It contains the protoc binary. Unzip the contents under `C:\protobuf`. After that, download the zip file `protobuf-cpp-$VERSION.zip`. Unzip the `src` sub-directory contents to `C:\protobuf\src`. If other directory is used, please edit the environment variables in the hammer.bat, specifically, `OMAHA_PROTOBUF_BIN_DIR` and `OMAHA_PROTOBUF_SRC_DIR`.
+  * Google Protocol Buffers (3.13.0 or higher) [here](https://github.com/protocolbuffers/protobuf/releases).
+    * From the [release page](https://github.com/protocolbuffers/protobuf/releases), download the zip file `protoc-$VERSION-win32.zip`. It contains the protoc binary. Unzip the contents under `C:\protobuf`. After that, download the zip file `protobuf-cpp-$VERSION.zip`. Unzip the `src` sub-directory contents to `C:\protobuf\src`. If other directory is used, please edit the environment variables in the hammer.bat, specifically, `OMAHA_PROTOBUF_BIN_DIR` and `OMAHA_PROTOBUF_SRC_DIR`.
   * Third-party dependencies:
     * breakpad. Download [here](https://codeload.github.com/google/breakpad/zip/master). 
       - Unzip everything inside `breakpad-master.zip\breakpad-master` to `third_party\breakpad`.

doc/OmahaOverview.html

@@ -1143,7 +1143,7 @@ <h3 id=s8>
 </h3>
 <p>
 <blockquote>The Google Update server is not part of the Omaha open source project. Providing updates for applications requires a server that implements the
-<a href=http://github.com/google/omaha/blob/master/doc/ServerProtocolV3.md target=_self>Omaha Server Protocol</a>.</blockquote>
+<a href=https://github.com/google/omaha/blob/master/doc/ServerProtocolV3.md target=_self>Omaha Server Protocol</a>.</blockquote>
 </p>
 <p>
   Omaha has two server components: autoupdate and download. This separation of server responsibilities is desirable because the requirements are different: downloading large binaries takes high bandwidth and can tolerate relatively high latency, whereas small transactions such as update pings may be much more frequent but require extremely low bandwidth per transaction. These differences allow Google to provision the two servers appropriately.

omaha/base/const_code_signing.h

@@ -50,51 +50,64 @@ const TCHAR* const kSha256CertificatePublicKeyHash =
 // provide below. The hash is the SHA256 hash of the raw certificate RSA public
 // key bytes in DER format.
 const TCHAR* const kPublicKeyHashes[] = {
-// Omaha certificate: (11/9/2011 to 11/9/2014).
-// thumbprint=8aed552a1387870a53f5f8aee17a3761232a4609
-_T("64637c145ee0b7888af408ec24f714242fc4da6b8ad7a04803254bf93f7d295f"),
-
-// Chrome certificate: (11/13/2011 to 11/13/2014) revoked on 1/28/2014.
-// thumbprint=06c92bec3bbf32068cb9208563d004169448ee21
-// serial=09E28B26DB593EC4E73286B66499C370
-// SHA1 Fingerprint=06:C9:2B:EC:3B:BF:32:06:8C:B9:20:85:63:D0:04:16:94:48:EE:21
-_T("c7b4d0bf956f7ebbbc7369786f111ee6caa225af173be135e1de9e5a1d11951a"),
-
-// Omaha and Chrome certificate: sha1 (01/28/2014 to 01/29/2016).
-// thumbprint=fcac7e666cc54341ca213becf2eb463f2b62adb0
-// serial=2912C70C9A2B8A3EF6F6074662D68B8D
-// SHA1 Fingerprint=FC:AC:7E:66:6C:C5:43:41:CA:21:3B:EC:F2:EB:46:3F:2B:62:AD:B0
-_T("4365c47f17727f2da65892b1f34c0cf418b0138b519b6864dd17300f21aa3144"),
-
-// Omaha and Chrome certificate: sha1 (12/13/2015 to 12/14/2016).
-// thumbprint=264e38570f882e5a0272423757741233a661b553
-// serial=4c40dba5f988fae57a57d6457495f98b
-// SHA1 Fingerprint=26:4E:38:57:0F:88:2E:5A:02:72:42:37:57:74:12:33:A6:61:B5:53
-_T("309bae1b466c4235e1daea9fe0e373b3415807ac667202f704d030ef33b519d6"),
-
-// Omaha and Chrome certificate: sha256 (12/15/2015 to 12/16/2018).
-// thumbprint=5a9272ce76a9415a4a3a5002a2589a049312aa40
-// serial=2a9c21acaaa63a3c58a7b9322bee948d
-// SHA1 Fingerprint=5A:92:72:CE:76:A9:41:5A:4A:3A:50:02:A2:58:9A:04:93:12:AA:40
-_T("cd623b2bf2c06940bd480b6bcf4a5c9e1cbe94626fbfa127d001bf19ae5ba9fe"),
-
-// Omaha and Chrome certificate: sha1 (11/28/2016 to 11/21/2019).
-// thumbprint=1a6ac0549a4a44264deb6ff003391da2f285b19f
-// serial=14F8FDD167F92402B1570B5DC495C815
-// SHA1 Fingerprint=1A:6A:C0:54:9A:4A:44:26:4D:EB:6F:F0:03:39:1D:A2:F2:85:B1:9F
-_T("d49de35a2e9fdbed09e2b9a6c1243df414d6aac13690ab221b0017a5cbe1351f"),
-
-// Omaha certificate: sha1 (11/07/2019 to 11/16/2022).
-// thumbprint=a3958ae522f3c54b878b20d7b0f63711e08666b2
-// serial=06aea76bac46a9e8cfe6d29e45aaf033
-// SHA1 Fingerprint=A3:95:8A:E5:22:F3:C5:4B:87:8B:20:D7:B0:F6:37:11:E0:86:66:B2
-kCertificatePublicKeyHash,
-
-// Omaha and Chrome certificate: sha256 (11/06/2018 to 11/17/2021).
-// thumbprint=cb7e84887f3c6015fe7edfb4f8f36df7dc10590e
-// serial=0c15be4a15bb0903c901b1d6c265302f
-// SHA1 Fingerprint=CB:7E:84:88:7F:3C:60:15:FE:7E:DF:B4:F8:F3:6D:F7:DC:10:59:0E
-kSha256CertificatePublicKeyHash,
+    // Omaha certificate: (11/9/2011 to 11/9/2014).
+    // thumbprint=8aed552a1387870a53f5f8aee17a3761232a4609
+    _T("64637c145ee0b7888af408ec24f714242fc4da6b8ad7a04803254bf93f7d295f"),
+
+    // Chrome certificate: (11/13/2011 to 11/13/2014) revoked on 1/28/2014.
+    // thumbprint=06c92bec3bbf32068cb9208563d004169448ee21
+    // serial=09E28B26DB593EC4E73286B66499C370
+    // SHA1
+    // Fingerprint=06:C9:2B:EC:3B:BF:32:06:8C:B9:20:85:63:D0:04:16:94:48:EE:21
+    _T("c7b4d0bf956f7ebbbc7369786f111ee6caa225af173be135e1de9e5a1d11951a"),
+
+    // Omaha and Chrome certificate: sha1 (01/28/2014 to 01/29/2016).
+    // thumbprint=fcac7e666cc54341ca213becf2eb463f2b62adb0
+    // serial=2912C70C9A2B8A3EF6F6074662D68B8D
+    // SHA1
+    // Fingerprint=FC:AC:7E:66:6C:C5:43:41:CA:21:3B:EC:F2:EB:46:3F:2B:62:AD:B0
+    _T("4365c47f17727f2da65892b1f34c0cf418b0138b519b6864dd17300f21aa3144"),
+
+    // Omaha and Chrome certificate: sha1 (12/13/2015 to 12/14/2016).
+    // thumbprint=264e38570f882e5a0272423757741233a661b553
+    // serial=4c40dba5f988fae57a57d6457495f98b
+    // SHA1
+    // Fingerprint=26:4E:38:57:0F:88:2E:5A:02:72:42:37:57:74:12:33:A6:61:B5:53
+    _T("309bae1b466c4235e1daea9fe0e373b3415807ac667202f704d030ef33b519d6"),
+
+    // Omaha and Chrome certificate: sha256 (12/15/2015 to 12/16/2018).
+    // thumbprint=5a9272ce76a9415a4a3a5002a2589a049312aa40
+    // serial=2a9c21acaaa63a3c58a7b9322bee948d
+    // SHA1
+    // Fingerprint=5A:92:72:CE:76:A9:41:5A:4A:3A:50:02:A2:58:9A:04:93:12:AA:40
+    _T("cd623b2bf2c06940bd480b6bcf4a5c9e1cbe94626fbfa127d001bf19ae5ba9fe"),
+
+    // Omaha and Chrome certificate: sha1 (11/28/2016 to 11/21/2019).
+    // thumbprint=1a6ac0549a4a44264deb6ff003391da2f285b19f
+    // serial=14F8FDD167F92402B1570B5DC495C815
+    // SHA1
+    // Fingerprint=1A:6A:C0:54:9A:4A:44:26:4D:EB:6F:F0:03:39:1D:A2:F2:85:B1:9F
+    _T("d49de35a2e9fdbed09e2b9a6c1243df414d6aac13690ab221b0017a5cbe1351f"),
+
+    // Omaha certificate: sha1 (11/07/2019 to 11/16/2022).
+    // thumbprint=a3958ae522f3c54b878b20d7b0f63711e08666b2
+    // serial=06aea76bac46a9e8cfe6d29e45aaf033
+    // SHA1
+    // Fingerprint=A3:95:8A:E5:22:F3:C5:4B:87:8B:20:D7:B0:F6:37:11:E0:86:66:B2
+    kCertificatePublicKeyHash,
+
+    // Omaha and Chrome certificate: sha256 (11/06/2018 to 11/17/2021).
+    // thumbprint=cb7e84887f3c6015fe7edfb4f8f36df7dc10590e
+    // serial=0c15be4a15bb0903c901b1d6c265302f
+    // SHA1
+    // Fingerprint=CB:7E:84:88:7F:3C:60:15:FE:7E:DF:B4:F8:F3:6D:F7:DC:10:59:0E
+    kSha256CertificatePublicKeyHash,
+
+    // Google LLC sha256 certificate valid from 07-01-2021 to 07-10-2024.
+    // Issued by DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1.
+    // thumbprint=2673ea6cc23beffda49ac715b121544098a1284c.
+    // serial=0e4418e2dede36dd2974c3443afb5ce5.
+    _T("3e9d92dfb3a046d49f53bab836f387177ac1ec075e8e3dd306b7c1764432f276"),
 };
 
 }  // namespace omaha

omaha/base/logging.cc

@@ -69,6 +69,27 @@
 
 namespace omaha {
 
+namespace {
+
+// Checks an open file handle to see if it is a reparse point.
+bool IsReparsePoint(HANDLE file) {
+  if (!file) {
+    return true;
+  }
+
+  BY_HANDLE_FILE_INFORMATION file_info = {};
+  if (!::GetFileInformationByHandle(file, &file_info)) {
+    ::OutputDebugString(SPRINTF(L"LOG_SYSTEM: ERROR - "
+                                L"[::GetFileInformationByHandle failed][%d]",
+                                ::GetLastError()));
+    return true;
+  }
+
+  return (file_info.dwFileAttributes & FILE_ATTRIBUTE_REPARSE_POINT) != 0;
+}
+
+}  // namespace
+
 // enforce ban on ASSERT/REPORT
 #undef ASSERT
 #undef REPORT
@@ -182,7 +203,6 @@ Logging::Logging()
       force_show_time_(false),
       show_time_(true),
       log_to_file_(true),
-      log_file_name_(kDefaultLogFileName),
       log_to_debug_out_(true),
       append_to_file_(true),
       logging_shutdown_(false),
@@ -286,20 +306,12 @@ void Logging::ReadLoggingSettings() {
         kConfigAttrAppendToFile,
         kDefaultAppendToFile,
         config_file) == 0 ? false : true;
-
-    ::GetPrivateProfileString(kConfigSectionLoggingSettings,
-                              kConfigAttrLogFilePath,
-                              kDefaultLogFileName,
-                              CStrBuf(log_file_name_, MAX_PATH),
-                              MAX_PATH,
-                              config_file);
   } else {
     logging_enabled_ = kDefaultLoggingEnabled;
     show_time_ = kDefaultShowTime;
     log_to_file_ = kDefaultLogToFile;
     log_to_debug_out_ = kDefaultLogToOutputDebug;
     append_to_file_ = kDefaultAppendToFile;
-    log_file_name_ = kDefaultLogFileName;
   }
 
   if (force_show_time_) {
@@ -337,20 +349,12 @@ CString Logging::GetDefaultLogDirectory() const {
 }
 
 CString Logging::GetLogFilePath() const {
-  if (log_file_name_.IsEmpty()) {
-    return CString();
-  }
-
-  if (!ATLPath::IsRelative(log_file_name_)) {
-    return log_file_name_;
-  }
-
   CString path = GetDefaultLogDirectory();
   if (path.IsEmpty()) {
     return CString();
   }
 
-  if (!::PathAppend(CStrBuf(path, MAX_PATH), log_file_name_)) {
+  if (!::PathAppend(CStrBuf(path, MAX_PATH), kDefaultLogFileName)) {
     return CString();
   }
 
@@ -386,8 +390,7 @@ void Logging::ConfigureFileLogWriter() {
       return;
     }
 
-    // Extract the final target directory which will not be what
-    // GetDefaultLogDirectory() returns if log_file_name_ is an absolute path.
+    // Extract the final target directory.
     CString log_file_dir = GetDirectoryFromPath(path);
     if (!File::Exists(log_file_dir)) {
       if (FAILED(CreateDir(log_file_dir, NULL))) {
@@ -1084,6 +1087,30 @@ bool FileLogWriter::CreateLoggingFile() {
     return false;
   }
 
+  // As a defense in depth measure, we check to make sure the parent directory
+  // has not been redirected. i.e., the %LocalAppData%\Google\Update directory.
+  // We do not check %LocalAppData%\Google and above for reparse points, since
+  // an attacker would need to reuse an existing directory structure which has
+  // "\Update", which narrows the attack surface considerably, and in addition,
+  // we only write to a "GoogleUpdate.log" file within, which is unlikely to
+  // affect most applications (such as GoogleUpdate, which has that directory
+  // structure under %ProgramFiles (x86)%).
+  const CString log_file_dir = GetDirectoryFromPath(file_name_);
+  bool is_log_file_dir_reparse_point = true;
+  File::IsReparsePoint(log_file_dir, &is_log_file_dir_reparse_point);
+
+  // Check whether the file or the parent directory are reparse points after
+  // opening the file. The checks are made after opening the file, so that the
+  // attacker does not get a chance to substitute a reparse point.
+  if (is_log_file_dir_reparse_point || IsReparsePoint(log_file_)) {
+    ::OutputDebugString(SPRINTF(L"LOG_SYSTEM: [%s]: ERROR - "
+                              L"Log path %s has a reparse point",
+                              proc_name_, file_name_));
+    ::CloseHandle(log_file_);
+    log_file_ = NULL;
+    return false;
+  }
+
   // Allow users to read, write, and delete the log file.
   ACCESS_MASK mask = GENERIC_READ | GENERIC_WRITE | DELETE;
   CDacl dacl;

omaha/base/logging.h

@@ -80,7 +80,6 @@ namespace omaha {
 #define kConfigAttrEnableLogging        L"EnableLogging"
 #define kConfigAttrShowTime             L"ShowTime"
 #define kConfigAttrLogToFile            L"LogToFile"
-#define kConfigAttrLogFilePath          L"LogFilePath"
 #define kConfigAttrLogFileWide          L"LogFileWide"
 #define kConfigAttrLogToOutputDebug     L"LogToOutputDebug"
 #define kConfigAttrAppendToFile         L"AppendToFile"
@@ -442,7 +441,6 @@ class Logging {
   bool force_show_time_;
   bool show_time_;
   bool log_to_file_;
-  CString log_file_name_;
   bool log_to_debug_out_;
   bool append_to_file_;
 

omaha/base/signaturevalidator.cc

@@ -394,6 +394,7 @@ void CertList::FindFirstCert(const CertInfo** result_cert_info,
 }
 
 void ExtractAllCertificatesFromSignature(const wchar_t* signed_file,
+                                         const wchar_t* subject_name,
                                          CertList* cert_list) {
   if ((!signed_file) || (!cert_list))
     return;
@@ -416,9 +417,10 @@ void ExtractAllCertificatesFromSignature(const wchar_t* signed_file,
 
   if (succeeded && (cert_store != NULL)) {
     PCCERT_CONTEXT   cert_context_ptr = NULL;
-    while ((cert_context_ptr =
-            CertEnumCertificatesInStore(cert_store, cert_context_ptr))
-           != NULL) {
+    while ((cert_context_ptr = ::CertFindCertificateInStore(
+                cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
+                !subject_name ? CERT_FIND_ANY : CERT_FIND_SUBJECT_STR,
+                subject_name, cert_context_ptr)) != NULL) {
       CertInfo* cert_info = new CertInfo(cert_context_ptr);
       cert_list->AddCertificate(cert_info);
     }
@@ -437,7 +439,7 @@ HRESULT VerifyCertificate(const wchar_t* signed_file,
                           bool check_cert_is_valid_now,
                           const std::vector<CString>* expected_hashes) {
   CertList cert_list;
-  ExtractAllCertificatesFromSignature(signed_file, &cert_list);
+  ExtractAllCertificatesFromSignature(signed_file, NULL, &cert_list);
   if (cert_list.size() == 0) {
     return GOOPDATE_E_SIGNATURE_NOT_SIGNED;
   }

omaha/base/signaturevalidator.h

@@ -179,11 +179,12 @@ class CertList {
   CertInfoList cert_list_;
 };
 
-
 // ExtractAllCertificatesFromSignature() takes in a signed file, extracts all
 // the certificates related to its signature and returns them in a CertList
-// object.
+// object. `subject_name` can be used to narrow the list of certificates to only
+// those that match the given subject string.
 void ExtractAllCertificatesFromSignature(const wchar_t* signed_file,
+                                         const wchar_t* subject_name,
                                          CertList* cert_list);
 
 // Returns true if the subject of the certificate exactly matches the first CN