AU: Verify delta payload signature and signed hash.

delta_performer.cc

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "update_engine/delta_performer.h"
+
 #include <endian.h>
 #include <errno.h>
+
 #include <algorithm>
 #include <cstring>
 #include <string>
 #include <vector>
 
+#include <base/scoped_ptr.h>
+#include <base/string_util.h>
 #include <google/protobuf/repeated_field.h>
 
-#include "base/scoped_ptr.h"
-#include "base/string_util.h"
 #include "update_engine/bzip_extent_writer.h"
 #include "update_engine/delta_diff_generator.h"
 #include "update_engine/extent_writer.h"
 #include "update_engine/graph_types.h"
+#include "update_engine/payload_signer.h"
 #include "update_engine/subprocess.h"
 
 using std::min;
 using std::string;
 using std::vector;
 using google::protobuf::RepeatedPtrField;
 
 namespace chromeos_update_engine {
 
 namespace {
 
 const int kDeltaVersionLength = 8;
 const int kDeltaProtobufLengthLength = 8;
-
-// Remove count bytes from the beginning of *buffer.
-void RemoveBufferHeadBytes(vector<char>* buffer, size_t count) {
-  buffer->erase(buffer->begin(), buffer->begin() + count);
-}
+const char kUpdatePayloadPublicKeyPath[] =
+    "/usr/share/update_engine/update-payload-key.pub.pem";
 
 // Converts extents to a human-readable string, for use by DumpUpdateProto().
 string ExtentsToString(const RepeatedPtrField<Extent>& extents) {
   string ret;
   for (int i = 0; i < extents.size(); i++) {
     const Extent& extent = extents.Get(i);
     if (extent.start_block() == kSparseHole) {
       ret += StringPrintf("{kSparseHole, %" PRIu64 "}, ", extent.num_blocks());
     } else {
       ret += StringPrintf("{%" PRIu64 ", %" PRIu64 "}, ",
@@ skipping 80 matching lines @@
   }
   int err = 0;
   if (close(kernel_fd_) == -1) {
     err = errno;
     PLOG(ERROR) << "Unable to close kernel fd:";
   }
   if (close(fd_) == -1) {
     err = errno;
     PLOG(ERROR) << "Unable to close rootfs fd:";
   }
+  LOG_IF(ERROR, !hash_calculator_.Finalize()) << "Unable to finalize the hash.";
   fd_ = -2;  // Set so that isn't not valid AND calls to Open() will fail.
   path_ = "";
   return -err;
 }
 
 // Wrapper around write. Returns bytes written on success or
 // -errno on error.
 // This function performs as many actions as it can, given the amount of
 // data received thus far.
 ssize_t DeltaPerformer::Write(const void* bytes, size_t count) {
@@ skipping 20 matching lines @@
     }
     // We have the full proto buffer in buffer_. Parse it.
     const int offset = strlen(kDeltaMagic) + kDeltaVersionLength +
         kDeltaProtobufLengthLength;
     if (!manifest_.ParseFromArray(&buffer_[offset], protobuf_length)) {
       LOG(ERROR) << "Unable to parse manifest in update file.";
       return -EINVAL;
     }
     // Remove protobuf and header info from buffer_, so buffer_ contains
     // just data blobs
-    RemoveBufferHeadBytes(&buffer_,
-                          strlen(kDeltaMagic) +
-                          kDeltaVersionLength +
-                          kDeltaProtobufLengthLength + protobuf_length);
+    DiscardBufferHeadBytes(strlen(kDeltaMagic) +
+                           kDeltaVersionLength +
+                           kDeltaProtobufLengthLength + protobuf_length,
+                           true);  // do_hash
     manifest_valid_ = true;
     block_size_ = manifest_.block_size();
   }
   ssize_t total_operations = manifest_.install_operations_size() +
       manifest_.kernel_install_operations_size();
   while (next_operation_num_ < total_operations) {
     const DeltaArchiveManifest_InstallOperation &op =
         next_operation_num_ < manifest_.install_operations_size() ?
         manifest_.install_operations(next_operation_num_) :
         manifest_.kernel_install_operations(
@@ skipping 39 matching lines @@
   // Move operations don't require any data blob, so they can always
   // be performed
   if (operation.type() == DeltaArchiveManifest_InstallOperation_Type_MOVE)
     return true;
 
   // See if we have the entire data blob in the buffer
   if (operation.data_offset() < buffer_offset_) {
     LOG(ERROR) << "we threw away data it seems?";
     return false;
   }
-  
+
   return (operation.data_offset() + operation.data_length()) <=
       (buffer_offset_ + buffer_.size());
 }
 
 bool DeltaPerformer::PerformReplaceOperation(
     const DeltaArchiveManifest_InstallOperation& operation,
     bool is_kernel_partition) {
   CHECK(operation.type() == \
         DeltaArchiveManifest_InstallOperation_Type_REPLACE || \
         operation.type() == \
         DeltaArchiveManifest_InstallOperation_Type_REPLACE_BZ);
 
   // Since we delete data off the beginning of the buffer as we use it,
   // the data we need should be exactly at the beginning of the buffer.
   CHECK_EQ(buffer_offset_, operation.data_offset());
   CHECK_GE(buffer_.size(), operation.data_length());
-  
+
+  // Don't include the signature data blob in the hash.
+  bool do_hash = !ExtractSignatureMessage(operation);
+
   DirectExtentWriter direct_writer;
   ZeroPadExtentWriter zero_pad_writer(&direct_writer);
   scoped_ptr<BzipExtentWriter> bzip_writer;
-  
+
   // Since bzip decompression is optional, we have a variable writer that will
   // point to one of the ExtentWriter objects above.
   ExtentWriter* writer = NULL;
   if (operation.type() == DeltaArchiveManifest_InstallOperation_Type_REPLACE) {
     writer = &zero_pad_writer;
   } else if (operation.type() ==
              DeltaArchiveManifest_InstallOperation_Type_REPLACE_BZ) {
     bzip_writer.reset(new BzipExtentWriter(&zero_pad_writer));
     writer = bzip_writer.get();
   } else {
     NOTREACHED();
   }
 
   // Create a vector of extents to pass to the ExtentWriter.
   vector<Extent> extents;
   for (int i = 0; i < operation.dst_extents_size(); i++) {
     extents.push_back(operation.dst_extents(i));
   }
 
   int fd = is_kernel_partition ? kernel_fd_ : fd_;
 
   TEST_AND_RETURN_FALSE(writer->Init(fd, extents, block_size_));
   TEST_AND_RETURN_FALSE(writer->Write(&buffer_[0], operation.data_length()));
   TEST_AND_RETURN_FALSE(writer->End());
-  
+
   // Update buffer
   buffer_offset_ += operation.data_length();
-  RemoveBufferHeadBytes(&buffer_, operation.data_length());
+  DiscardBufferHeadBytes(operation.data_length(), do_hash);
   return true;
 }
 
 bool DeltaPerformer::PerformMoveOperation(
     const DeltaArchiveManifest_InstallOperation& operation,
     bool is_kernel_partition) {
   // Calculate buffer size. Note, this function doesn't do a sliding
   // window to copy in case the source and destination blocks overlap.
   // If we wanted to do a sliding window, we could program the server
   // to generate deltas that effectively did a sliding window.
@@ skipping 122 matching lines @@
         (last_extent.start_block() + last_extent.num_blocks()) * block_size_;
     const uint64_t begin_byte =
         end_byte - (block_size_ - operation.dst_length() % block_size_);
     vector<char> zeros(end_byte - begin_byte);
     TEST_AND_RETURN_FALSE(
         utils::PWriteAll(fd, &zeros[0], end_byte - begin_byte, begin_byte));
   }
 
   // Update buffer.
   buffer_offset_ += operation.data_length();
-  RemoveBufferHeadBytes(&buffer_, operation.data_length());
+  DiscardBufferHeadBytes(operation.data_length(),
+                         true);  // do_hash
   return true;
 }
 
+bool DeltaPerformer::ExtractSignatureMessage(
+    const DeltaArchiveManifest_InstallOperation& operation) {
+  if (operation.type() != DeltaArchiveManifest_InstallOperation_Type_REPLACE ||
+      !manifest_.has_signatures_offset() ||
+      manifest_.signatures_offset() != operation.data_offset()) {
+    return false;
+  }
+  TEST_AND_RETURN_FALSE(manifest_.has_signatures_size() &&
+                        manifest_.signatures_size() == operation.data_length());
+  TEST_AND_RETURN_FALSE(signatures_message_data_.empty());
+  TEST_AND_RETURN_FALSE(buffer_offset_ == manifest_.signatures_offset());
+  TEST_AND_RETURN_FALSE(buffer_.size() >= manifest_.signatures_size());
+  signatures_message_data_.insert(
+      signatures_message_data_.begin(),
+      buffer_.begin(),
+      buffer_.begin() + manifest_.signatures_size());
+  LOG(INFO) << "Extracted signature data of size "
+            << manifest_.signatures_size() << " at "
+            << manifest_.signatures_offset();
+  return true;
+}
+
+bool DeltaPerformer::VerifyPayload(const string& public_key_path) {
+  string key_path = public_key_path;
+  if (key_path.empty()) {
+    key_path = kUpdatePayloadPublicKeyPath;
+  }
+  LOG(INFO) << "Verifying delta payload. Public key path: " << key_path;
+  if (!utils::FileExists(key_path.c_str())) {
+    LOG(WARNING) << "Not verifying delta payload due to missing public key.";
+    return true;
+  }
+  TEST_AND_RETURN_FALSE(!signatures_message_data_.empty());
+  vector<char> signed_hash_data;
+  TEST_AND_RETURN_FALSE(PayloadSigner::VerifySignature(signatures_message_data_,
+                                                       key_path,
+                                                       &signed_hash_data));
+  const vector<char>& hash_data = hash_calculator_.raw_hash();
+  TEST_AND_RETURN_FALSE(!hash_data.empty());
+  return hash_data == signed_hash_data;
+}
+
+void DeltaPerformer::DiscardBufferHeadBytes(size_t count, bool do_hash) {
+  if (do_hash) {
+    hash_calculator_.Update(&buffer_[0], count);
+  }
+  buffer_.erase(buffer_.begin(), buffer_.begin() + count);
+}
+
 }  // namespace chromeos_update_engine