Component updater must fallback on using HTTP on Windows XPSP2 and below

BUG=411009 Review URL: https://codereview.chromium.org/581803002 Cr-Commit-Position: refs/heads/master@{#295633}
Denger-Network · Sep 19, 2014 · c512b7a · c512b7a
1 parent 52b435d
commit c512b7a
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 10 deletions.
diff --git a/base/win/win_util.cc b/base/win/win_util.cc
@@ -370,6 +370,25 @@ void SetDomainStateForTesting(bool state) {
   g_domain_state = state ? ENROLLED : NOT_ENROLLED;
 }
 
+bool MaybeHasSHA256Support() {
+  const base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
+
+  if (os_info->version() == base::win::VERSION_PRE_XP)
+    return false;  // Too old to have it and this OS is not supported anyway.
+
+  if (os_info->version() == base::win::VERSION_XP)
+    return os_info->service_pack().major >= 3;  // Windows XP SP3 has it.
+
+  // Assume it is missing in this case, although it may not be. This category
+  // includes Windows XP x64, and Windows Server, where a hotfix could be
+  // deployed.
+  if (os_info->version() == base::win::VERSION_SERVER_2003)
+    return false;
+
+  DCHECK(os_info->version() >= base::win::VERSION_VISTA);
+  return true;  // New enough to have SHA-256 support.
+}
+
 }  // namespace win
 }  // namespace base
 

diff --git a/base/win/win_util.h b/base/win/win_util.h
@@ -134,6 +134,13 @@ BASE_EXPORT bool IsEnrolledToDomain();
 // simulate being in a domain and false otherwise.
 BASE_EXPORT void SetDomainStateForTesting(bool state);
 
+// Returns true if the current operating system has support for SHA-256
+// certificates. As its name indicates, this function provides a best-effort
+// answer, which is solely based on comparing version numbers. The function
+// may be re-implemented in the future to return a reliable value, based on
+// run-time detection of this capability.
+BASE_EXPORT bool MaybeHasSHA256Support();
+
 }  // namespace win
 }  // namespace base
 

diff --git a/chrome/browser/component_updater/chrome_component_updater_configurator.cc b/chrome/browser/component_updater/chrome_component_updater_configurator.cc
@@ -12,6 +12,9 @@
 #include "base/compiler_specific.h"
 #include "base/strings/string_util.h"
 #include "base/version.h"
+#if defined(OS_WIN)
+#include "base/win/win_util.h"
+#endif  // OS_WIN
 #include "build/build_config.h"
 #include "chrome/browser/component_updater/component_patcher_operation_out_of_process.h"
 #include "chrome/browser/omaha_query_params/chrome_omaha_query_params_delegate.h"
@@ -47,10 +50,13 @@ const char kSwitchUrlSource[] = "url-source";
 #define COMPONENT_UPDATER_SERVICE_ENDPOINT \
   "//clients2.google.com/service/update2"
 
-// The default url for the v3 protocol service endpoint.
+// The default URL for the v3 protocol service endpoint. In some cases, the
+// component updater is allowed to fall back to and alternate URL source, if
+// the request to the default URL source fails.
 // The value of |kDefaultUrlSource| can be overridden with
 // --component-updater=url-source=someurl.
 const char kDefaultUrlSource[] = "https:" COMPONENT_UPDATER_SERVICE_ENDPOINT;
+const char kAltUrlSource[] = "http:" COMPONENT_UPDATER_SERVICE_ENDPOINT;
 
 // Disables differential updates.
 const char kSwitchDisableDeltaUpdates[] = "disable-delta-updates";
@@ -67,6 +73,19 @@ bool HasSwitchValue(const std::vector<std::string>& vec, const char* test) {
   return (std::find(vec.begin(), vec.end(), test) != vec.end());
 }
 
+// Returns true if falling back on an alternate, unsafe, service URL is
+// allowed. In the fallback case, the security of the component update relies
+// only on the integrity of the CRX payloads, which is self-validating.
+// This is allowed only for some of the pre-Windows Vista versions not including
+// Windows XP SP3. As a side note, pings could be sent to the alternate URL too.
+bool CanUseAltUrlSource() {
+#if defined(OS_WIN)
+  return !base::win::MaybeHasSHA256Support();
+#else
+  return false;
+#endif  // OS_WIN
+}
+
 // If there is an element of |vec| of the form |test|=.*, returns the right-
 // hand side of that assignment. Otherwise, returns an empty string.
 // The right-hand side may contain additional '=' characters, allowing for
@@ -127,6 +146,7 @@ class ChromeConfigurator : public Configurator {
   bool pings_enabled_;
   bool deltas_enabled_;
   bool background_downloads_enabled_;
+  bool fallback_to_alt_source_url_enabled_;
 };
 
 ChromeConfigurator::ChromeConfigurator(
@@ -136,7 +156,8 @@ ChromeConfigurator::ChromeConfigurator(
       fast_update_(false),
       pings_enabled_(false),
       deltas_enabled_(false),
-      background_downloads_enabled_(false) {
+      background_downloads_enabled_(false),
+      fallback_to_alt_source_url_enabled_(false) {
   // Parse comma-delimited debug flags.
   std::vector<std::string> switch_values;
   Tokenize(cmdline->GetSwitchValueASCII(switches::kComponentUpdater),
@@ -162,6 +183,8 @@ ChromeConfigurator::ChromeConfigurator(
 
   if (HasSwitchValue(switch_values, kSwitchRequestParam))
     extra_info_ += "testrequest=\"1\"";
+
+  fallback_to_alt_source_url_enabled_ = CanUseAltUrlSource();
 }
 
 int ChromeConfigurator::InitialDelay() const {
@@ -194,6 +217,9 @@ std::vector<GURL> ChromeConfigurator::UpdateUrl() const {
     urls.push_back(GURL(url_source_override_));
   } else {
     urls.push_back(GURL(kDefaultUrlSource));
+    if (fallback_to_alt_source_url_enabled_) {
+      urls.push_back(GURL(kAltUrlSource));
+    }
   }
   return urls;
 }

diff --git a/chrome/browser/ssl/ssl_blocking_page.cc b/chrome/browser/ssl/ssl_blocking_page.cc
@@ -471,7 +471,7 @@ std::string SSLBlockingPage::GetHTMLContents() {
     SSLErrorInfo::ErrorType type =
         SSLErrorInfo::NetErrorToErrorType(cert_error_);
     if (type == SSLErrorInfo::CERT_INVALID && SSLErrorClassification::
-        IsWindowsVersionSP3OrLower()) {
+        MaybeWindowsLacksSHA256Support()) {
       load_time_data.SetString(
           "explanationParagraph",
           l10n_util::GetStringFUTF16(

diff --git a/chrome/browser/ssl/ssl_error_classification.cc b/chrome/browser/ssl/ssl_error_classification.cc
@@ -30,6 +30,7 @@
 #endif
 
 #if defined(OS_WIN)
+#include "base/win/win_util.h"
 #include "base/win/windows_version.h"
 #endif
 
@@ -366,14 +367,12 @@ bool SSLErrorClassification::IsUserClockInTheFuture(
   return false;
 }
 
-bool SSLErrorClassification::IsWindowsVersionSP3OrLower() {
+bool SSLErrorClassification::MaybeWindowsLacksSHA256Support() {
 #if defined(OS_WIN)
-  const base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
-  base::win::OSInfo::ServicePack service_pack = os_info->service_pack();
-  if (os_info->version() < base::win::VERSION_VISTA && service_pack.major < 3)
-    return true;
-#endif
+  return !base::win::MaybeHasSHA256Support();
+#else
   return false;
+#endif
 }
 
 bool SSLErrorClassification::IsHostNameKnownTLD(const std::string& host_name) {

diff --git a/chrome/browser/ssl/ssl_error_classification.h b/chrome/browser/ssl/ssl_error_classification.h
@@ -40,7 +40,9 @@ class SSLErrorClassification : public content::NotificationObserver {
   // using a version of Chrome which is more than 1 year old.
   static bool IsUserClockInTheFuture(const base::Time& time_now);
 
-  static bool IsWindowsVersionSP3OrLower();
+  // Returns true if the Windows platform is likely to not have SHA-256 support.
+  // On other platforms, returns false always.
+  static bool MaybeWindowsLacksSHA256Support();
 
   // A function which calculates the severity score when the ssl error is
   // |CERT_DATE_INVALID|. The calculated score is between 0.0 and 1.0, higher