Bug 1902690 - More fully disable authenticode checks when using DISABLE_UPDATER_AUTHENTICODE_CHECK r=nalexander,application-update-reviewers

This should have no effect on any production code since no sane production configuration would turn this on. It is only for testing.

Differential Revision: https://phabricator.services.mozilla.com/D214212
Robin Steuber 2024-06-21 16:46:25 +00:00
Родитель fe840f78bc
Коммит d7e38bb7e4
3 изменённых файлов: 30 добавлений и 11 удалений


@ -394,11 +394,7 @@ static bool UpdaterIsValid(LPWSTR updater, LPWSTR installDir,
return false;
}
#ifndef DISABLE_UPDATER_AUTHENTICODE_CHECK
return DoesBinaryMatchAllowedCertificates(installDir, updater);
#else
return true;
#endif
}
/**
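Review bot: The new call `return DoesBinaryMatchAllowedCertificates(installDir, updater);` omits the `allowFallbackKeySkip` argument, so whether the DISABLE_UPDATER_AUTHENTICODE_CHECK skip still applies inside UpdaterIsValid now depends on a default for that parameter that is not visible in this hunk (presumably TRUE in the header, since the removed branch returned true). Because the bypass moved from this call site into the callee, a reader of UpdaterIsValid can no longer see that a test build returns true here; passing the argument explicitly, `return DoesBinaryMatchAllowedCertificates(installDir, updater, TRUE);`, or a one-line comment such as `// Builds with DISABLE_UPDATER_AUTHENTICODE_CHECK make this return TRUE unconditionally.` would keep that visible. UpdaterIsValid begins before this hunk.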


@ -32,6 +32,9 @@ Library("updatecommon")
DEFINES["NS_NO_XPCOM"] = True
USE_STATIC_LIBS = True
if CONFIG["DISABLE_UPDATER_AUTHENTICODE_CHECK"]:
DEFINES["DISABLE_UPDATER_AUTHENTICODE_CHECK"] = True
if CONFIG["OS_ARCH"] == "WINNT":
# This forces the creation of updatecommon.lib, which the update agent needs
# in order to link to updatecommon library functions.
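Review bot: The new `DEFINES["DISABLE_UPDATER_AUTHENTICODE_CHECK"] = True` makes the define visible to everything compiled into updatecommon, which the comment just below says is also linked by the update agent, so the bypass now reaches every consumer of the library rather than only the updater binary. A short comment above the new `if`, e.g. `# Test-only: disables certificate verification for every consumer of updatecommon, not just the updater.`, would make the scope of this configuration option clear to anyone enabling it.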


@ -15,18 +15,38 @@
/**
* Verifies if the file path matches any certificate stored in the registry.
*
* @param filePath The file path of the application to check if allowed.
* @param allowFallbackKeySkip when this is TRUE the fallback registry key will
* be used to skip the certificate check. This is the default since the
* fallback registry key is located under HKEY_LOCAL_MACHINE which can't be
* written to by a low integrity process.
* Note: the maintenance service binary can be used to perform this check for
* testing or troubleshooting.
* @param filePath
* The file path of the application to check if allowed.
* @param allowFallbackKeySkip
* When this is TRUE the fallback registry key can be used to skip the
* certificate check. This is the default since the fallback registry
* key is located under HKEY_LOCAL_MACHINE which can't be written to by
* a low integrity process.
* Note: The maintenance service binary can be used to perform this
* check for testing or troubleshooting.
* Note: When this is `TRUE` and we are building with
* `DISABLE_UPDATER_AUTHENTICODE_CHECK`, this function will
* unconditionally return `TRUE` since that flag is meant to
* disable specifically this. We don't fall through in the `FALSE`
* case since currently the only time when we don't allow the
* fallback key is when we are running this for debugging purposes
* and, in that case, it's more helpful if we return something
* meaningful here.
*
* @return TRUE if the binary matches any of the allowed certificates.
*/
BOOL DoesBinaryMatchAllowedCertificates(LPCWSTR basePathForUpdate,
LPCWSTR filePath,
BOOL allowFallbackKeySkip) {
#ifdef DISABLE_UPDATER_AUTHENTICODE_CHECK
if (allowFallbackKeySkip) {
LOG_WARN(("Skipping authenticode check"));
return TRUE;
} else {
LOG(("Performing a diagnostic authenticode check"));
}
#endif
WCHAR maintenanceServiceKey[MAX_PATH + 1];
if (!CalculateRegistryPathFromFilePath(basePathForUpdate,
maintenanceServiceKey)) {
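Review bot: The rewritten doc comment still has no `@param basePathForUpdate` entry even though it is the first parameter and, per the lines just below, is what `CalculateRegistryPathFromFilePath` uses to compute the registry key; add `* @param basePathForUpdate` / `*   Path from which the maintenance service registry key is derived.` ahead of the `filePath` entry. In the new `#ifdef` block, the warning `LOG_WARN(("Skipping authenticode check"));` does not say why the check was skipped, so someone reading the log later cannot tell a deliberate test build from an unexpected code path; `LOG_WARN(("Skipping authenticode check: built with DISABLE_UPDATER_AUTHENTICODE_CHECK"));` makes that explicit. The body of DoesBinaryMatchAllowedCertificates continues past the end of this hunk.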