OLD | NEW |
1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "update_engine/delta_performer.h" | 5 #include "update_engine/delta_performer.h" |
6 | 6 |
7 #include <endian.h> | 7 #include <endian.h> |
8 #include <errno.h> | 8 #include <errno.h> |
9 | 9 |
10 #include <algorithm> | 10 #include <algorithm> |
(...skipping 551 matching lines...)
562 signed_hash_context_ = hash_calculator_.GetContext(); | 562 signed_hash_context_ = hash_calculator_.GetContext(); |
563 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, | 563 LOG_IF(WARNING, !prefs_->SetString(kPrefsUpdateStateSignedSHA256Context, |
564 signed_hash_context_)) | 564 signed_hash_context_)) |
565 << "Unable to store the signed hash context."; | 565 << "Unable to store the signed hash context."; |
566 LOG(INFO) << "Extracted signature data of size " | 566 LOG(INFO) << "Extracted signature data of size " |
567 << manifest_.signatures_size() << " at " | 567 << manifest_.signatures_size() << " at " |
568 << manifest_.signatures_offset(); | 568 << manifest_.signatures_offset(); |
569 return true; | 569 return true; |
570 } | 570 } |
571 | 571 |
| 572 #define TEST_SET_TRUE_RET_TRUE(_ptr, _condition) \ |
| 573 do { \ |
| 574 if (!(_condition)) { \ |
| 575 LOG(ERROR) << "Non fatal public key verification: " << #_condition; \ |
| 576 if (_ptr) { \ |
| 577 *(_ptr) = true; \ |
| 578 } \ |
| 579 return true; \ |
| 580 } \ |
| 581 } while(0) |
| 582 |
572 bool DeltaPerformer::VerifyPayload( | 583 bool DeltaPerformer::VerifyPayload( |
573 const string& public_key_path, | 584 const string& public_key_path, |
574 const std::string& update_check_response_hash, | 585 const std::string& update_check_response_hash, |
575 const uint64_t update_check_response_size) { | 586 const uint64_t update_check_response_size, |
| 587 bool* signature_failed) { |
576 string key_path = public_key_path; | 588 string key_path = public_key_path; |
577 if (key_path.empty()) { | 589 if (key_path.empty()) { |
578 key_path = kUpdatePayloadPublicKeyPath; | 590 key_path = kUpdatePayloadPublicKeyPath; |
579 } | 591 } |
580 LOG(INFO) << "Verifying delta payload. Public key path: " << key_path; | 592 LOG(INFO) << "Verifying delta payload. Public key path: " << key_path; |
581 | 593 |
582 // Verifies the download hash. | 594 // Verifies the download hash. |
583 const string& download_hash_data = hash_calculator_.hash(); | 595 const string& download_hash_data = hash_calculator_.hash(); |
584 TEST_AND_RETURN_FALSE(!download_hash_data.empty()); | 596 TEST_AND_RETURN_FALSE(!download_hash_data.empty()); |
585 TEST_AND_RETURN_FALSE(download_hash_data == update_check_response_hash); | 597 TEST_AND_RETURN_FALSE(download_hash_data == update_check_response_hash); |
586 | 598 |
587 // Verifies the download size. | 599 // Verifies the download size. |
588 TEST_AND_RETURN_FALSE(update_check_response_size == | 600 TEST_AND_RETURN_FALSE(update_check_response_size == |
589 manifest_metadata_size_ + buffer_offset_); | 601 manifest_metadata_size_ + buffer_offset_); |
590 | 602 |
591 // Verifies the signed payload hash. | 603 // Verifies the signed payload hash. |
592 if (!utils::FileExists(key_path.c_str())) { | 604 if (!utils::FileExists(key_path.c_str())) { |
593 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; | 605 LOG(WARNING) << "Not verifying signed delta payload -- missing public key."; |
594 return true; | 606 return true; |
595 } | 607 } |
596 TEST_AND_RETURN_FALSE(!signatures_message_data_.empty()); | 608 TEST_SET_TRUE_RET_TRUE(signature_failed, !signatures_message_data_.empty()); |
597 vector<char> signed_hash_data; | 609 vector<char> signed_hash_data; |
598 TEST_AND_RETURN_FALSE(PayloadSigner::VerifySignature(signatures_message_data_, | 610 TEST_SET_TRUE_RET_TRUE(signature_failed, PayloadSigner::VerifySignature( |
599 key_path, | 611 signatures_message_data_, |
600 &signed_hash_data)); | 612 key_path, |
| 613 &signed_hash_data)); |
601 OmahaHashCalculator signed_hasher; | 614 OmahaHashCalculator signed_hasher; |
602 TEST_AND_RETURN_FALSE(signed_hasher.SetContext(signed_hash_context_)); | 615 TEST_SET_TRUE_RET_TRUE(signature_failed, |
603 TEST_AND_RETURN_FALSE(signed_hasher.Finalize()); | 616 signed_hasher.SetContext(signed_hash_context_)); |
| 617 TEST_SET_TRUE_RET_TRUE(signature_failed, |
| 618 signed_hasher.Finalize()); |
604 vector<char> hash_data = signed_hasher.raw_hash(); | 619 vector<char> hash_data = signed_hasher.raw_hash(); |
605 PayloadSigner::PadRSA2048SHA256Hash(&hash_data); | 620 PayloadSigner::PadRSA2048SHA256Hash(&hash_data); |
606 TEST_AND_RETURN_FALSE(!hash_data.empty()); | 621 TEST_SET_TRUE_RET_TRUE(signature_failed, !hash_data.empty()); |
607 TEST_AND_RETURN_FALSE(hash_data == signed_hash_data); | 622 if (hash_data != signed_hash_data) { |
| 623 LOG(ERROR) << "Public key verificaion failed. This is non-fatal. " |
| 624 "Attached Signature:"; |
| 625 utils::HexDumpVector(signed_hash_data); |
| 626 LOG(ERROR) << "Computed Signature:"; |
| 627 utils::HexDumpVector(hash_data); |
| 628 if (signature_failed) { |
| 629 *signature_failed = true; |
| 630 } |
| 631 } |
608 return true; | 632 return true; |
609 } | 633 } |
610 | 634 |
| 635 #undef TEST_SET_TRUE_RET_TRUE |
| 636 |
611 bool DeltaPerformer::GetNewPartitionInfo(uint64_t* kernel_size, | 637 bool DeltaPerformer::GetNewPartitionInfo(uint64_t* kernel_size, |
612 vector<char>* kernel_hash, | 638 vector<char>* kernel_hash, |
613 uint64_t* rootfs_size, | 639 uint64_t* rootfs_size, |
614 vector<char>* rootfs_hash) { | 640 vector<char>* rootfs_hash) { |
615 TEST_AND_RETURN_FALSE(manifest_valid_ && | 641 TEST_AND_RETURN_FALSE(manifest_valid_ && |
616 manifest_.has_new_kernel_info() && | 642 manifest_.has_new_kernel_info() && |
617 manifest_.has_new_rootfs_info()); | 643 manifest_.has_new_rootfs_info()); |
618 *kernel_size = manifest_.new_kernel_info().size(); | 644 *kernel_size = manifest_.new_kernel_info().size(); |
619 *rootfs_size = manifest_.new_rootfs_info().size(); | 645 *rootfs_size = manifest_.new_rootfs_info().size(); |
620 vector<char> new_kernel_hash(manifest_.new_kernel_info().hash().begin(), | 646 vector<char> new_kernel_hash(manifest_.new_kernel_info().hash().begin(), |
(...skipping 143 matching lines...)
764 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { | 790 if (prefs_->GetInt64(kPrefsResumedUpdateFailures, &resumed_update_failures)) { |
765 resumed_update_failures++; | 791 resumed_update_failures++; |
766 } else { | 792 } else { |
767 resumed_update_failures = 1; | 793 resumed_update_failures = 1; |
768 } | 794 } |
769 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); | 795 prefs_->SetInt64(kPrefsResumedUpdateFailures, resumed_update_failures); |
770 return true; | 796 return true; |
771 } | 797 } |
772 | 798 |
773 } // namespace chromeos_update_engine | 799 } // namespace chromeos_update_engine |
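Review bot: In VerifyPayload, `*signature_failed` is written only on the failure paths (the TEST_SET_TRUE_RET_TRUE sites and the final `hash_data != signed_hash_data` branch) and is never cleared, so a caller that passes an uninitialised or reused bool cannot trust it after a `true` return; add `if (signature_failed) *signature_failed = false;` at the top of the function. Because every signature failure now returns `true`, a caller that passes NULL accepts a payload whose signature did not verify with only a log line as evidence, and the existing missing-public-key early return also returns `true` without touching the flag, so "verified", "failed" and "not checked" cannot be told apart from the return value. Whether the callers inspect the flag is not visible on this page, so the declaration should carry a comment such as `// A true return means hash and size matched; it does NOT mean the signature verified. Check |signature_failed|.` The macro's hidden `return true` also deserves a one-line comment at its definition, since it reads like TEST_AND_RETURN_FALSE but fails open.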