Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(347)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: delta_performer.cc

Issue 6778029: AU: detect failure when using public key verification (Closed) Base URL: http://git.chromium.org/git/update_engine.git@master
Patch Set: merge master Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « delta_performer.h ('k') | delta_performer_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "update_engine/delta_performer.h" 5 #include "update_engine/delta_performer.h"
6 6
7 #include <endian.h> 7 #include <endian.h>
8 #include <errno.h> 8 #include <errno.h>
9 9
10 #include <algorithm> 10 #include <algorithm>
(...skipping 551 matching lines...) Expand 10 before | Expand all | Expand 10 after
562 signed_hash_context_ = hash_calculator_.GetContext(); 562 signed_hash_context_ = hash_calculator_.GetContext();
563 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, 563 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignedSHA256Context,
564 signed_hash_context_)) 564 signed_hash_context_))
565 << "Unable to store the signed hash context."; 565 << "Unable to store the signed hash context.";
566 LOG(INFO) << "Extracted signature data of size " 566 LOG(INFO) << "Extracted signature data of size "
567 << manifest_.signatures_size() << " at " 567 << manifest_.signatures_size() << " at "
568 << manifest_.signatures_offset(); 568 << manifest_.signatures_offset();
569 return true; 569 return true;
570 } 570 }
571 571
572 #define TEST_SET_TRUE_RET_TRUE(_ptr, _condition) \
573 do { \
574 if (!(_condition)) { \
575 LOG(ERROR) << "Non fatal public key verification: " << #_condition; \
576 if (_ptr) { \
577 *(_ptr) = true; \
578 } \
579 return true; \
580 } \
581 } while(0)
582
572 bool DeltaPerformer::VerifyPayload( 583 bool DeltaPerformer::VerifyPayload(
573 const string& public_key_path, 584 const string& public_key_path,
574 const std::string& update_check_response_hash, 585 const std::string& update_check_response_hash,
575 const uint64_t update_check_response_size) { 586 const uint64_t update_check_response_size,
587 bool* signature_failed) {
576 string key_path = public_key_path; 588 string key_path = public_key_path;
577 if (key_path.empty()) { 589 if (key_path.empty()) {
578 key_path = kUpdatePayloadPublicKeyPath; 590 key_path = kUpdatePayloadPublicKeyPath;
579 } 591 }
580 LOG(INFO) << "Verifying delta payload. Public key path: " << key_path; 592 LOG(INFO) << "Verifying delta payload. Public key path: " << key_path;
581 593
582 // Verifies the download hash. 594 // Verifies the download hash.
583 const string& download_hash_data = hash_calculator_.hash(); 595 const string& download_hash_data = hash_calculator_.hash();
584 TEST_AND_RETURN_FALSE(!download_hash_data.empty()); 596 TEST_AND_RETURN_FALSE(!download_hash_data.empty());
585 TEST_AND_RETURN_FALSE(download_hash_data == update_check_response_hash); 597 TEST_AND_RETURN_FALSE(download_hash_data == update_check_response_hash);
586 598
587 // Verifies the download size. 599 // Verifies the download size.
588 TEST_AND_RETURN_FALSE(update_check_response_size == 600 TEST_AND_RETURN_FALSE(update_check_response_size ==
589 manifest_metadata_size_ + buffer_offset_); 601 manifest_metadata_size_ + buffer_offset_);
590 602
591 // Verifies the signed payload hash. 603 // Verifies the signed payload hash.
592 if (!utils::FileExists(key_path.c_str())) { 604 if (!utils::FileExists(key_path.c_str())) {
593 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; 605 LOG(WARNING) << "Not verifying signed delta payload -- missing public key.";
594 return true; 606 return true;
595 } 607 }
596 TEST_AND_RETURN_FALSE(!signatures_message_data_.empty()); 608 TEST_SET_TRUE_RET_TRUE(signature_failed, !signatures_message_data_.empty());
597 vector<char> signed_hash_data; 609 vector<char> signed_hash_data;
598 TEST_AND_RETURN_FALSE(PayloadSigner::VerifySignature(signatures_message_data_, 610 TEST_SET_TRUE_RET_TRUE(signature_failed, PayloadSigner::VerifySignature(
599 key_path, 611 signatures_message_data_,
600 &signed_hash_data)); 612 key_path,
613 &signed_hash_data));
601 OmahaHashCalculator signed_hasher; 614 OmahaHashCalculator signed_hasher;
602 TEST_AND_RETURN_FALSE(signed_hasher.SetContext(signed_hash_context_)); 615 TEST_SET_TRUE_RET_TRUE(signature_failed,
603 TEST_AND_RETURN_FALSE(signed_hasher.Finalize()); 616 signed_hasher.SetContext(signed_hash_context_));
617 TEST_SET_TRUE_RET_TRUE(signature_failed,
618 signed_hasher.Finalize());
604 vector<char> hash_data = signed_hasher.raw_hash(); 619 vector<char> hash_data = signed_hasher.raw_hash();
605 PayloadSigner::PadRSA2048SHA256Hash(&hash_data); 620 PayloadSigner::PadRSA2048SHA256Hash(&hash_data);
606 TEST_AND_RETURN_FALSE(!hash_data.empty()); 621 TEST_SET_TRUE_RET_TRUE(signature_failed, !hash_data.empty());
607 TEST_AND_RETURN_FALSE(hash_data == signed_hash_data); 622 if (hash_data != signed_hash_data) {
623 LOG(ERROR) << "Public key verificaion failed. This is non-fatal. "
624 "Attached Signature:";
625 utils::HexDumpVector(signed_hash_data);
626 LOG(ERROR) << "Computed Signature:";
627 utils::HexDumpVector(hash_data);
628 if (signature_failed) {
629 *signature_failed = true;
630 }
631 }
608 return true; 632 return true;
609 } 633 }
610 634
635 #undef TEST_SET_TRUE_RET_TRUE
636
611 bool DeltaPerformer::GetNewPartitionInfo(uint64_t* kernel_size, 637 bool DeltaPerformer::GetNewPartitionInfo(uint64_t* kernel_size,
612 vector<char>* kernel_hash, 638 vector<char>* kernel_hash,
613 uint64_t* rootfs_size, 639 uint64_t* rootfs_size,
614 vector<char>* rootfs_hash) { 640 vector<char>* rootfs_hash) {
615 TEST_AND_RETURN_FALSE(manifest_valid_ && 641 TEST_AND_RETURN_FALSE(manifest_valid_ &&
616 manifest_.has_new_kernel_info() && 642 manifest_.has_new_kernel_info() &&
617 manifest_.has_new_rootfs_info()); 643 manifest_.has_new_rootfs_info());
618 *kernel_size = manifest_.new_kernel_info().size(); 644 *kernel_size = manifest_.new_kernel_info().size();
619 *rootfs_size = manifest_.new_rootfs_info().size(); 645 *rootfs_size = manifest_.new_rootfs_info().size();
620 vector<char> new_kernel_hash(manifest_.new_kernel_info().hash().begin(), 646 vector<char> new_kernel_hash(manifest_.new_kernel_info().hash().begin(),
(...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after
764 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { 790 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) {
765 resumed_update_failures++; 791 resumed_update_failures++;
766 } else { 792 } else {
767 resumed_update_failures = 1; 793 resumed_update_failures = 1;
768 } 794 }
769 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); 795 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures);
770 return true; 796 return true;
771 } 797 }
772 798
773 } // namespace chromeos_update_engine 799 } // namespace chromeos_update_engine
OLDNEW
« no previous file with comments | « delta_performer.h ('k') | delta_performer_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698