Split payload metadata logic from DeltaPerformer into its own class. am: b5f601d35d Change-Id: Ia4bd5dffd6f6327478b38c8936339b90f3fa2e97

commit: 7225f7557fb423226d43a6eb98cfe6b23ca283f5 [log] [tgz]
author: Sen Jiang <senj@google.com> Mon May 14 17:06:50 2018 -0700
committer: android-build-merger <android-build-merger@google.com> Mon May 14 17:06:50 2018 -0700
tree: 6022190804e956df1d35ca34eba812f87df0c693
parent: 7d8aa80dfe5846d6c8933663caa224b9f5cac6ee [diff]
parent: b5f601d35d80d6e90dae881bdfd31dcde1b75d35 [diff]
diff --git a/Android.mk b/Android.mk
index d57a6ce..1beada9 100644
--- a/Android.mk
+++ b/Android.mk

@@ -145,6 +145,7 @@
     payload_consumer/install_plan.cc \
     payload_consumer/mount_history.cc \
     payload_consumer/payload_constants.cc \
+    payload_consumer/payload_metadata.cc \
     payload_consumer/payload_verifier.cc \
     payload_consumer/postinstall_runner_action.cc \
     payload_consumer/xz_extent_writer.cc

diff --git a/payload_consumer/delta_performer.cc b/payload_consumer/delta_performer.cc
index 14b6fa8..5303e03 100644
--- a/payload_consumer/delta_performer.cc
+++ b/payload_consumer/delta_performer.cc

@@ -16,7 +16,6 @@
 
 #include "update_engine/payload_consumer/delta_performer.h"
 
-#include <endian.h>
 #include <errno.h>
 #include <linux/fs.h>
 
@@ -68,13 +67,6 @@
 
 namespace chromeos_update_engine {
 
-const uint64_t DeltaPerformer::kDeltaVersionOffset = sizeof(kDeltaMagic);
-const uint64_t DeltaPerformer::kDeltaVersionSize = 8;
-const uint64_t DeltaPerformer::kDeltaManifestSizeOffset =
-    kDeltaVersionOffset + kDeltaVersionSize;
-const uint64_t DeltaPerformer::kDeltaManifestSizeSize = 8;
-const uint64_t DeltaPerformer::kDeltaMetadataSignatureSizeSize = 4;
-const uint64_t DeltaPerformer::kMaxPayloadHeaderSize = 24;
 const uint64_t DeltaPerformer::kSupportedMajorPayloadVersion = 2;
 const uint32_t DeltaPerformer::kSupportedMinorPayloadVersion = 5;
 
@@ -473,39 +465,6 @@
 
 }  // namespace
 
-bool DeltaPerformer::GetMetadataSignatureSizeOffset(
-    uint64_t* out_offset) const {
-  if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
-    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
-    return true;
-  }
-  return false;
-}
-
-bool DeltaPerformer::GetManifestOffset(uint64_t* out_offset) const {
-  // Actual manifest begins right after the manifest size field or
-  // metadata signature size field if major version >= 2.
-  if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
-    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
-    return true;
-  }
-  if (major_payload_version_ == kBrilloMajorPayloadVersion) {
-    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
-                  kDeltaMetadataSignatureSizeSize;
-    return true;
-  }
-  LOG(ERROR) << "Unknown major payload version: " << major_payload_version_;
-  return false;
-}
-
-uint64_t DeltaPerformer::GetMetadataSize() const {
-  return metadata_size_;
-}
-
-uint64_t DeltaPerformer::GetMajorVersion() const {
-  return major_payload_version_;
-}
-
 uint32_t DeltaPerformer::GetMinorVersion() const {
   if (manifest_.has_minor_version()) {
     return manifest_.minor_version();
@@ -516,96 +475,35 @@
   }
 }
 
-bool DeltaPerformer::GetManifest(DeltaArchiveManifest* out_manifest_p) const {
-  if (!manifest_parsed_)
-    return false;
-  *out_manifest_p = manifest_;
-  return true;
-}
-
 bool DeltaPerformer::IsHeaderParsed() const {
   return metadata_size_ != 0;
 }
 
-DeltaPerformer::MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
+MetadataParseResult DeltaPerformer::ParsePayloadMetadata(
     const brillo::Blob& payload, ErrorCode* error) {
   *error = ErrorCode::kSuccess;
-  uint64_t manifest_offset;
 
   if (!IsHeaderParsed()) {
-    // Ensure we have data to cover the major payload version.
-    if (payload.size() < kDeltaManifestSizeOffset)
-      return kMetadataParseInsufficientData;
+    MetadataParseResult result = payload_metadata_.ParsePayloadHeader(
+        payload, supported_major_version_, error);
+    if (result != MetadataParseResult::kSuccess)
+      return result;
 
-    // Validate the magic string.
-    if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
-      LOG(ERROR) << "Bad payload format -- invalid delta magic.";
-      *error = ErrorCode::kDownloadInvalidMetadataMagicString;
-      return kMetadataParseError;
-    }
-
-    // Extract the payload version from the metadata.
-    static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
-                  "Major payload version size mismatch");
-    memcpy(&major_payload_version_,
-           &payload[kDeltaVersionOffset],
-           kDeltaVersionSize);
-    // switch big endian to host
-    major_payload_version_ = be64toh(major_payload_version_);
-
-    if (major_payload_version_ != supported_major_version_ &&
-        major_payload_version_ != kChromeOSMajorPayloadVersion) {
-      LOG(ERROR) << "Bad payload format -- unsupported payload version: "
-          << major_payload_version_;
-      *error = ErrorCode::kUnsupportedMajorPayloadVersion;
-      return kMetadataParseError;
-    }
-
-    // Get the manifest offset now that we have payload version.
-    if (!GetManifestOffset(&manifest_offset)) {
-      *error = ErrorCode::kUnsupportedMajorPayloadVersion;
-      return kMetadataParseError;
-    }
-    // Check again with the manifest offset.
-    if (payload.size() < manifest_offset)
-      return kMetadataParseInsufficientData;
-
-    // Next, parse the manifest size.
-    static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
-                  "manifest_size size mismatch");
-    memcpy(&manifest_size_,
-           &payload[kDeltaManifestSizeOffset],
-           kDeltaManifestSizeSize);
-    manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
-
-    if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
-      // Parse the metadata signature size.
-      static_assert(sizeof(metadata_signature_size_) ==
-                    kDeltaMetadataSignatureSizeSize,
-                    "metadata_signature_size size mismatch");
-      uint64_t metadata_signature_size_offset;
-      if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) {
-        *error = ErrorCode::kError;
-        return kMetadataParseError;
-      }
-      memcpy(&metadata_signature_size_,
-             &payload[metadata_signature_size_offset],
-             kDeltaMetadataSignatureSizeSize);
-      metadata_signature_size_ = be32toh(metadata_signature_size_);
-    }
+    metadata_size_ = payload_metadata_.GetMetadataSize();
+    metadata_signature_size_ = payload_metadata_.GetMetadataSignatureSize();
+    major_payload_version_ = payload_metadata_.GetMajorVersion();
 
     // If the metadata size is present in install plan, check for it immediately
     // even before waiting for that many number of bytes to be downloaded in the
     // payload. This will prevent any attack which relies on us downloading data
     // beyond the expected metadata size.
-    metadata_size_ = manifest_offset + manifest_size_;
     if (install_plan_->hash_checks_mandatory) {
       if (payload_->metadata_size != metadata_size_) {
         LOG(ERROR) << "Mandatory metadata size in Omaha response ("
                    << payload_->metadata_size
                    << ") is missing/incorrect, actual = " << metadata_size_;
         *error = ErrorCode::kDownloadInvalidMetadataSize;
-        return kMetadataParseError;
+        return MetadataParseResult::kError;
       }
     }
   }
@@ -613,7 +511,7 @@
   // Now that we have validated the metadata size, we should wait for the full
   // metadata and its signature (if exist) to be read in before we can parse it.
   if (payload.size() < metadata_size_ + metadata_signature_size_)
-    return kMetadataParseInsufficientData;
+    return MetadataParseResult::kInsufficientData;
 
   // Log whether we validated the size or simply trusting what's in the payload
   // here. This is logged here (after we received the full metadata data) so
@@ -630,15 +528,25 @@
                  << "Trusting metadata size in payload = " << metadata_size_;
   }
 
+  // See if we should use the public RSA key in the Omaha response.
+  base::FilePath path_to_public_key(public_key_path_);
+  base::FilePath tmp_key;
+  if (GetPublicKeyFromResponse(&tmp_key))
+    path_to_public_key = tmp_key;
+  ScopedPathUnlinker tmp_key_remover(tmp_key.value());
+  if (tmp_key.empty())
+    tmp_key_remover.set_should_remove(false);
+
   // We have the full metadata in |payload|. Verify its integrity
   // and authenticity based on the information we have in Omaha response.
-  *error = ValidateMetadataSignature(payload);
+  *error = payload_metadata_.ValidateMetadataSignature(
+      payload, payload_->metadata_signature, path_to_public_key);
   if (*error != ErrorCode::kSuccess) {
     if (install_plan_->hash_checks_mandatory) {
       // The autoupdate_CatchBadSignatures test checks for this string
       // in log-files. Keep in sync.
       LOG(ERROR) << "Mandatory metadata signature validation failed";
-      return kMetadataParseError;
+      return MetadataParseResult::kError;
     }
 
     // For non-mandatory cases, just send a UMA stat.
@@ -646,19 +554,15 @@
     *error = ErrorCode::kSuccess;
   }
 
-  if (!GetManifestOffset(&manifest_offset)) {
-    *error = ErrorCode::kUnsupportedMajorPayloadVersion;
-    return kMetadataParseError;
-  }
   // The payload metadata is deemed valid, it's safe to parse the protobuf.
-  if (!manifest_.ParseFromArray(&payload[manifest_offset], manifest_size_)) {
+  if (!payload_metadata_.GetManifest(payload, &manifest_)) {
     LOG(ERROR) << "Unable to parse manifest in update file.";
     *error = ErrorCode::kDownloadManifestParseError;
-    return kMetadataParseError;
+    return MetadataParseResult::kError;
   }
 
   manifest_parsed_ = true;
-  return kMetadataParseSuccess;
+  return MetadataParseResult::kSuccess;
 }
 
 #define OP_DURATION_HISTOGRAM(_op_name, _start_time)      \
@@ -690,9 +594,9 @@
                       metadata_size_ + metadata_signature_size_));
 
     MetadataParseResult result = ParsePayloadMetadata(buffer_, error);
-    if (result == kMetadataParseError)
+    if (result == MetadataParseResult::kError)
       return false;
-    if (result == kMetadataParseInsufficientData) {
+    if (result == MetadataParseResult::kInsufficientData) {
       // If we just processed the header, make an attempt on the manifest.
       if (do_read_header && IsHeaderParsed())
         continue;
@@ -1591,93 +1495,6 @@
   return true;
 }
 
-ErrorCode DeltaPerformer::ValidateMetadataSignature(
-    const brillo::Blob& payload) {
-  if (payload.size() < metadata_size_ + metadata_signature_size_)
-    return ErrorCode::kDownloadMetadataSignatureError;
-
-  brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob;
-  if (!payload_->metadata_signature.empty()) {
-    // Convert base64-encoded signature to raw bytes.
-    if (!brillo::data_encoding::Base64Decode(payload_->metadata_signature,
-                                             &metadata_signature_blob)) {
-      LOG(ERROR) << "Unable to decode base64 metadata signature: "
-                 << payload_->metadata_signature;
-      return ErrorCode::kDownloadMetadataSignatureError;
-    }
-  } else if (major_payload_version_ == kBrilloMajorPayloadVersion) {
-    metadata_signature_protobuf_blob.assign(
-        payload.begin() + metadata_size_,
-        payload.begin() + metadata_size_ + metadata_signature_size_);
-  }
-
-  if (metadata_signature_blob.empty() &&
-      metadata_signature_protobuf_blob.empty()) {
-    if (install_plan_->hash_checks_mandatory) {
-      LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
-                 << "response and payload.";
-      return ErrorCode::kDownloadMetadataSignatureMissingError;
-    }
-
-    LOG(WARNING) << "Cannot validate metadata as the signature is empty";
-    return ErrorCode::kSuccess;
-  }
-
-  // See if we should use the public RSA key in the Omaha response.
-  base::FilePath path_to_public_key(public_key_path_);
-  base::FilePath tmp_key;
-  if (GetPublicKeyFromResponse(&tmp_key))
-    path_to_public_key = tmp_key;
-  ScopedPathUnlinker tmp_key_remover(tmp_key.value());
-  if (tmp_key.empty())
-    tmp_key_remover.set_should_remove(false);
-
-  LOG(INFO) << "Verifying metadata hash signature using public key: "
-            << path_to_public_key.value();
-
-  brillo::Blob calculated_metadata_hash;
-  if (!HashCalculator::RawHashOfBytes(
-          payload.data(), metadata_size_, &calculated_metadata_hash)) {
-    LOG(ERROR) << "Unable to compute actual hash of manifest";
-    return ErrorCode::kDownloadMetadataSignatureVerificationError;
-  }
-
-  PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash);
-  if (calculated_metadata_hash.empty()) {
-    LOG(ERROR) << "Computed actual hash of metadata is empty.";
-    return ErrorCode::kDownloadMetadataSignatureVerificationError;
-  }
-
-  if (!metadata_signature_blob.empty()) {
-    brillo::Blob expected_metadata_hash;
-    if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob,
-                                                  path_to_public_key.value(),
-                                                  &expected_metadata_hash)) {
-      LOG(ERROR) << "Unable to compute expected hash from metadata signature";
-      return ErrorCode::kDownloadMetadataSignatureError;
-    }
-    if (calculated_metadata_hash != expected_metadata_hash) {
-      LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
-      utils::HexDumpVector(expected_metadata_hash);
-      LOG(ERROR) << "Calculated hash = ";
-      utils::HexDumpVector(calculated_metadata_hash);
-      return ErrorCode::kDownloadMetadataSignatureMismatch;
-    }
-  } else {
-    if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob,
-                                          path_to_public_key.value(),
-                                          calculated_metadata_hash)) {
-      LOG(ERROR) << "Manifest hash verification failed.";
-      return ErrorCode::kDownloadMetadataSignatureMismatch;
-    }
-  }
-
-  // The autoupdate_CatchBadSignatures test checks for this string in
-  // log-files. Keep in sync.
-  LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
-  return ErrorCode::kSuccess;
-}
-
 ErrorCode DeltaPerformer::ValidateManifest() {
   // Perform assorted checks to sanity check the manifest, make sure it
   // matches data from other sources, and that it is a supported version.

diff --git a/payload_consumer/delta_performer.h b/payload_consumer/delta_performer.h
index 48b6aa5..55a19d8 100644
--- a/payload_consumer/delta_performer.h
+++ b/payload_consumer/delta_performer.h

@@ -33,6 +33,7 @@
 #include "update_engine/payload_consumer/file_descriptor.h"
 #include "update_engine/payload_consumer/file_writer.h"
 #include "update_engine/payload_consumer/install_plan.h"
+#include "update_engine/payload_consumer/payload_metadata.h"
 #include "update_engine/update_metadata.pb.h"
 
 namespace chromeos_update_engine {
@@ -47,18 +48,6 @@
 
 class DeltaPerformer : public FileWriter {
  public:
-  enum MetadataParseResult {
-    kMetadataParseSuccess,
-    kMetadataParseError,
-    kMetadataParseInsufficientData,
-  };
-
-  static const uint64_t kDeltaVersionOffset;
-  static const uint64_t kDeltaVersionSize;
-  static const uint64_t kDeltaManifestSizeOffset;
-  static const uint64_t kDeltaManifestSizeSize;
-  static const uint64_t kDeltaMetadataSignatureSizeSize;
-  static const uint64_t kMaxPayloadHeaderSize;
   static const uint64_t kSupportedMajorPayloadVersion;
   static const uint32_t kSupportedMinorPayloadVersion;
 
@@ -169,30 +158,9 @@
     public_key_path_ = public_key_path;
   }
 
-  // Set |*out_offset| to the byte offset where the size of the metadata
-  // signature is stored in a payload. Return true on success, if this field is
-  // not present in the payload, return false.
-  bool GetMetadataSignatureSizeOffset(uint64_t* out_offset) const;
-
-  // Set |*out_offset| to the byte offset at which the manifest protobuf begins
-  // in a payload. Return true on success, false if the offset is unknown.
-  bool GetManifestOffset(uint64_t* out_offset) const;
-
-  // Returns the size of the payload metadata, which includes the payload header
-  // and the manifest. If the header was not yet parsed, returns zero.
-  uint64_t GetMetadataSize() const;
-
-  // If the manifest was successfully parsed, copies it to |*out_manifest_p|.
-  // Returns true on success.
-  bool GetManifest(DeltaArchiveManifest* out_manifest_p) const;
-
   // Return true if header parsing is finished and no errors occurred.
   bool IsHeaderParsed() const;
 
-  // Returns the major payload version. If the version was not yet parsed,
-  // returns zero.
-  uint64_t GetMajorVersion() const;
-
   // Returns the delta minor version. If this value is defined in the manifest,
   // it returns that value, otherwise it returns the default value.
   uint32_t GetMinorVersion() const;
@@ -201,7 +169,7 @@
   friend class DeltaPerformerTest;
   friend class DeltaPerformerIntegrationTest;
   FRIEND_TEST(DeltaPerformerTest, BrilloMetadataSignatureSizeTest);
-  FRIEND_TEST(DeltaPerformerTest, BrilloVerifyMetadataSignatureTest);
+  FRIEND_TEST(DeltaPerformerTest, BrilloParsePayloadMetadataTest);
   FRIEND_TEST(DeltaPerformerTest, UsePublicKeyFromResponse);
 
   // Parse and move the update instructions of all partitions into our local
@@ -239,16 +207,6 @@
   // Returns ErrorCode::kSuccess on match or a suitable error code otherwise.
   ErrorCode ValidateOperationHash(const InstallOperation& operation);
 
-  // Given the |payload|, verifies that the signed hash of its metadata matches
-  // what's specified in the install plan from Omaha (if present) or the
-  // metadata signature in payload itself (if present). Returns
-  // ErrorCode::kSuccess on match or a suitable error code otherwise. This
-  // method must be called before any part of the metadata is parsed so that a
-  // man-in-the-middle attack on the SSL connection to the payload server
-  // doesn't exploit any vulnerability in the code that parses the protocol
-  // buffer.
-  ErrorCode ValidateMetadataSignature(const brillo::Blob& payload);
-
   // Returns true on success.
   bool PerformInstallOperation(const InstallOperation& operation);
 
@@ -345,13 +303,14 @@
   std::string source_path_;
   std::string target_path_;
 
+  PayloadMetadata payload_metadata_;
+
   // Parsed manifest. Set after enough bytes to parse the manifest were
   // downloaded.
   DeltaArchiveManifest manifest_;
   bool manifest_parsed_{false};
   bool manifest_valid_{false};
   uint64_t metadata_size_{0};
-  uint64_t manifest_size_{0};
   uint32_t metadata_signature_size_{0};
   uint64_t major_payload_version_{0};
 

diff --git a/payload_consumer/delta_performer_unittest.cc b/payload_consumer/delta_performer_unittest.cc
index 5e1d10f..0f19041 100644
--- a/payload_consumer/delta_performer_unittest.cc
+++ b/payload_consumer/delta_performer_unittest.cc

@@ -337,20 +337,20 @@
 
     install_plan_.hash_checks_mandatory = hash_checks_mandatory;
 
-    DeltaPerformer::MetadataParseResult expected_result, actual_result;
+    MetadataParseResult expected_result, actual_result;
     ErrorCode expected_error, actual_error;
 
     // Fill up the metadata signature in install plan according to the test.
     switch (metadata_signature_test) {
       case kEmptyMetadataSignature:
         payload_.metadata_signature.clear();
-        expected_result = DeltaPerformer::kMetadataParseError;
+        expected_result = MetadataParseResult::kError;
         expected_error = ErrorCode::kDownloadMetadataSignatureMissingError;
         break;
 
       case kInvalidMetadataSignature:
         payload_.metadata_signature = kBogusMetadataSignature1;
-        expected_result = DeltaPerformer::kMetadataParseError;
+        expected_result = MetadataParseResult::kError;
         expected_error = ErrorCode::kDownloadMetadataSignatureMismatch;
         break;
 
@@ -365,14 +365,14 @@
             GetBuildArtifactsPath(kUnittestPrivateKeyPath),
             &payload_.metadata_signature));
         EXPECT_FALSE(payload_.metadata_signature.empty());
-        expected_result = DeltaPerformer::kMetadataParseSuccess;
+        expected_result = MetadataParseResult::kSuccess;
         expected_error = ErrorCode::kSuccess;
         break;
     }
 
     // Ignore the expected result/error if hash checks are not mandatory.
     if (!hash_checks_mandatory) {
-      expected_result = DeltaPerformer::kMetadataParseSuccess;
+      expected_result = MetadataParseResult::kSuccess;
       expected_error = ErrorCode::kSuccess;
     }
 
@@ -392,7 +392,7 @@
 
     // Check that the parsed metadata size is what's expected. This test
     // implicitly confirms that the metadata signature is valid, if required.
-    EXPECT_EQ(payload_.metadata_size, performer_.GetMetadataSize());
+    EXPECT_EQ(payload_.metadata_size, performer_.metadata_size_);
   }
 
   // Helper function to pretend that the ECC file descriptor was already opened.
@@ -831,29 +831,21 @@
   EXPECT_LT(performer_.Close(), 0);
 
   EXPECT_TRUE(performer_.IsHeaderParsed());
-  EXPECT_EQ(kBrilloMajorPayloadVersion, performer_.GetMajorVersion());
-  uint64_t manifest_offset;
-  EXPECT_TRUE(performer_.GetManifestOffset(&manifest_offset));
-  EXPECT_EQ(24U, manifest_offset);  // 4 + 8 + 8 + 4
-  EXPECT_EQ(manifest_offset + manifest_size, performer_.GetMetadataSize());
+  EXPECT_EQ(kBrilloMajorPayloadVersion, performer_.major_payload_version_);
+  EXPECT_EQ(24 + manifest_size, performer_.metadata_size_);  // 4 + 8 + 8 + 4
   EXPECT_EQ(metadata_signature_size, performer_.metadata_signature_size_);
 }
 
-TEST_F(DeltaPerformerTest, BrilloVerifyMetadataSignatureTest) {
+TEST_F(DeltaPerformerTest, BrilloParsePayloadMetadataTest) {
   brillo::Blob payload_data = GeneratePayload({}, {}, true,
                                               kBrilloMajorPayloadVersion,
                                               kSourceMinorPayloadVersion);
   install_plan_.hash_checks_mandatory = true;
-  // Just set these value so that we can use ValidateMetadataSignature directly.
-  performer_.major_payload_version_ = kBrilloMajorPayloadVersion;
-  performer_.metadata_size_ = payload_.metadata_size;
-  uint64_t signature_length;
-  EXPECT_TRUE(PayloadSigner::SignatureBlobLength(
-      {GetBuildArtifactsPath(kUnittestPrivateKeyPath)}, &signature_length));
-  performer_.metadata_signature_size_ = signature_length;
   performer_.set_public_key_path(GetBuildArtifactsPath(kUnittestPublicKeyPath));
-  EXPECT_EQ(ErrorCode::kSuccess,
-            performer_.ValidateMetadataSignature(payload_data));
+  ErrorCode error;
+  EXPECT_EQ(MetadataParseResult::kSuccess,
+            performer_.ParsePayloadMetadata(payload_data, &error));
+  EXPECT_EQ(ErrorCode::kSuccess, error);
 }
 
 TEST_F(DeltaPerformerTest, BadDeltaMagicTest) {

diff --git a/payload_consumer/payload_constants.cc b/payload_consumer/payload_constants.cc
index 29daddc..e679316 100644
--- a/payload_consumer/payload_constants.cc
+++ b/payload_consumer/payload_constants.cc

@@ -28,6 +28,8 @@
 const uint32_t kBrotliBsdiffMinorPayloadVersion = 4;
 const uint32_t kPuffdiffMinorPayloadVersion = 5;
 
+const uint64_t kMaxPayloadHeaderSize = 24;
+
 const char kLegacyPartitionNameKernel[] = "boot";
 const char kLegacyPartitionNameRoot[] = "system";
 

diff --git a/payload_consumer/payload_constants.h b/payload_consumer/payload_constants.h
index 9d29afd..ac3e882 100644
--- a/payload_consumer/payload_constants.h
+++ b/payload_consumer/payload_constants.h

@@ -49,6 +49,9 @@
 // The minor version that allows PUFFDIFF operation.
 extern const uint32_t kPuffdiffMinorPayloadVersion;
 
+// The maximum size of the payload header (anything before the protobuf).
+extern const uint64_t kMaxPayloadHeaderSize;
+
 // The kernel and rootfs partition names used by the BootControlInterface when
 // handling update payloads with a major version 1. The names of the updated
 // partitions are include in the payload itself for major version 2.

diff --git a/payload_consumer/payload_metadata.cc b/payload_consumer/payload_metadata.cc
new file mode 100644
index 0000000..fe2df0a
--- /dev/null
+++ b/payload_consumer/payload_metadata.cc

@@ -0,0 +1,216 @@
+//
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include "update_engine/payload_consumer/payload_metadata.h"
+
+#include <endian.h>
+
+#include <brillo/data_encoding.h>
+
+#include "update_engine/common/hash_calculator.h"
+#include "update_engine/common/utils.h"
+#include "update_engine/payload_consumer/payload_constants.h"
+#include "update_engine/payload_consumer/payload_verifier.h"
+
+namespace chromeos_update_engine {
+
+const uint64_t PayloadMetadata::kDeltaVersionOffset = sizeof(kDeltaMagic);
+const uint64_t PayloadMetadata::kDeltaVersionSize = 8;
+const uint64_t PayloadMetadata::kDeltaManifestSizeOffset =
+    kDeltaVersionOffset + kDeltaVersionSize;
+const uint64_t PayloadMetadata::kDeltaManifestSizeSize = 8;
+const uint64_t PayloadMetadata::kDeltaMetadataSignatureSizeSize = 4;
+
+bool PayloadMetadata::GetMetadataSignatureSizeOffset(
+    uint64_t* out_offset) const {
+  if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
+    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
+    return true;
+  }
+  return false;
+}
+
+bool PayloadMetadata::GetManifestOffset(uint64_t* out_offset) const {
+  // Actual manifest begins right after the manifest size field or
+  // metadata signature size field if major version >= 2.
+  if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
+    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
+    return true;
+  }
+  if (major_payload_version_ == kBrilloMajorPayloadVersion) {
+    *out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
+                  kDeltaMetadataSignatureSizeSize;
+    return true;
+  }
+  LOG(ERROR) << "Unknown major payload version: " << major_payload_version_;
+  return false;
+}
+
+MetadataParseResult PayloadMetadata::ParsePayloadHeader(
+    const brillo::Blob& payload,
+    uint64_t supported_major_version,
+    ErrorCode* error) {
+  uint64_t manifest_offset;
+  // Ensure we have data to cover the major payload version.
+  if (payload.size() < kDeltaManifestSizeOffset)
+    return MetadataParseResult::kInsufficientData;
+
+  // Validate the magic string.
+  if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
+    LOG(ERROR) << "Bad payload format -- invalid delta magic.";
+    *error = ErrorCode::kDownloadInvalidMetadataMagicString;
+    return MetadataParseResult::kError;
+  }
+
+  // Extract the payload version from the metadata.
+  static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
+                "Major payload version size mismatch");
+  memcpy(&major_payload_version_,
+         &payload[kDeltaVersionOffset],
+         kDeltaVersionSize);
+  // Switch big endian to host.
+  major_payload_version_ = be64toh(major_payload_version_);
+
+  if (major_payload_version_ != supported_major_version &&
+      major_payload_version_ != kChromeOSMajorPayloadVersion) {
+    LOG(ERROR) << "Bad payload format -- unsupported payload version: "
+               << major_payload_version_;
+    *error = ErrorCode::kUnsupportedMajorPayloadVersion;
+    return MetadataParseResult::kError;
+  }
+
+  // Get the manifest offset now that we have payload version.
+  if (!GetManifestOffset(&manifest_offset)) {
+    *error = ErrorCode::kUnsupportedMajorPayloadVersion;
+    return MetadataParseResult::kError;
+  }
+  // Check again with the manifest offset.
+  if (payload.size() < manifest_offset)
+    return MetadataParseResult::kInsufficientData;
+
+  // Next, parse the manifest size.
+  static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
+                "manifest_size size mismatch");
+  memcpy(&manifest_size_,
+         &payload[kDeltaManifestSizeOffset],
+         kDeltaManifestSizeSize);
+  manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
+
+  if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
+    // Parse the metadata signature size.
+    static_assert(
+        sizeof(metadata_signature_size_) == kDeltaMetadataSignatureSizeSize,
+        "metadata_signature_size size mismatch");
+    uint64_t metadata_signature_size_offset;
+    if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) {
+      *error = ErrorCode::kError;
+      return MetadataParseResult::kError;
+    }
+    memcpy(&metadata_signature_size_,
+           &payload[metadata_signature_size_offset],
+           kDeltaMetadataSignatureSizeSize);
+    metadata_signature_size_ = be32toh(metadata_signature_size_);
+  }
+  metadata_size_ = manifest_offset + manifest_size_;
+  return MetadataParseResult::kSuccess;
+}
+
+bool PayloadMetadata::GetManifest(const brillo::Blob& payload,
+                                  DeltaArchiveManifest* out_manifest) const {
+  uint64_t manifest_offset;
+  if (!GetManifestOffset(&manifest_offset))
+    return false;
+  CHECK_GE(payload.size(), manifest_offset + manifest_size_);
+  return out_manifest->ParseFromArray(&payload[manifest_offset],
+                                      manifest_size_);
+}
+
+ErrorCode PayloadMetadata::ValidateMetadataSignature(
+    const brillo::Blob& payload,
+    std::string metadata_signature,
+    base::FilePath path_to_public_key) const {
+  if (payload.size() < metadata_size_ + metadata_signature_size_)
+    return ErrorCode::kDownloadMetadataSignatureError;
+
+  brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob;
+  if (!metadata_signature.empty()) {
+    // Convert base64-encoded signature to raw bytes.
+    if (!brillo::data_encoding::Base64Decode(metadata_signature,
+                                             &metadata_signature_blob)) {
+      LOG(ERROR) << "Unable to decode base64 metadata signature: "
+                 << metadata_signature;
+      return ErrorCode::kDownloadMetadataSignatureError;
+    }
+  } else if (major_payload_version_ == kBrilloMajorPayloadVersion) {
+    metadata_signature_protobuf_blob.assign(
+        payload.begin() + metadata_size_,
+        payload.begin() + metadata_size_ + metadata_signature_size_);
+  }
+
+  if (metadata_signature_blob.empty() &&
+      metadata_signature_protobuf_blob.empty()) {
+    LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
+               << "response and payload.";
+    return ErrorCode::kDownloadMetadataSignatureMissingError;
+  }
+
+  LOG(INFO) << "Verifying metadata hash signature using public key: "
+            << path_to_public_key.value();
+
+  brillo::Blob calculated_metadata_hash;
+  if (!HashCalculator::RawHashOfBytes(
+          payload.data(), metadata_size_, &calculated_metadata_hash)) {
+    LOG(ERROR) << "Unable to compute actual hash of manifest";
+    return ErrorCode::kDownloadMetadataSignatureVerificationError;
+  }
+
+  PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash);
+  if (calculated_metadata_hash.empty()) {
+    LOG(ERROR) << "Computed actual hash of metadata is empty.";
+    return ErrorCode::kDownloadMetadataSignatureVerificationError;
+  }
+
+  if (!metadata_signature_blob.empty()) {
+    brillo::Blob expected_metadata_hash;
+    if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob,
+                                                  path_to_public_key.value(),
+                                                  &expected_metadata_hash)) {
+      LOG(ERROR) << "Unable to compute expected hash from metadata signature";
+      return ErrorCode::kDownloadMetadataSignatureError;
+    }
+    if (calculated_metadata_hash != expected_metadata_hash) {
+      LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
+      utils::HexDumpVector(expected_metadata_hash);
+      LOG(ERROR) << "Calculated hash = ";
+      utils::HexDumpVector(calculated_metadata_hash);
+      return ErrorCode::kDownloadMetadataSignatureMismatch;
+    }
+  } else {
+    if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob,
+                                          path_to_public_key.value(),
+                                          calculated_metadata_hash)) {
+      LOG(ERROR) << "Manifest hash verification failed.";
+      return ErrorCode::kDownloadMetadataSignatureMismatch;
+    }
+  }
+
+  // The autoupdate_CatchBadSignatures test checks for this string in
+  // log-files. Keep in sync.
+  LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
+  return ErrorCode::kSuccess;
+}
+
+}  // namespace chromeos_update_engine

diff --git a/payload_consumer/payload_metadata.h b/payload_consumer/payload_metadata.h
new file mode 100644
index 0000000..e00b5c1
--- /dev/null
+++ b/payload_consumer/payload_metadata.h

@@ -0,0 +1,108 @@
+//
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_
+#define UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_
+
+#include <inttypes.h>
+
+#include <string>
+#include <vector>
+
+#include <base/files/file_path.h>
+#include <brillo/secure_blob.h>
+
+#include "update_engine/common/error_code.h"
+#include "update_engine/common/platform_constants.h"
+#include "update_engine/update_metadata.pb.h"
+
+namespace chromeos_update_engine {
+
+enum class MetadataParseResult {
+  kSuccess,
+  kError,
+  kInsufficientData,
+};
+
+// This class parses payload metadata and validate its signature.
+class PayloadMetadata {
+ public:
+  static const uint64_t kDeltaVersionOffset;
+  static const uint64_t kDeltaVersionSize;
+  static const uint64_t kDeltaManifestSizeOffset;
+  static const uint64_t kDeltaManifestSizeSize;
+  static const uint64_t kDeltaMetadataSignatureSizeSize;
+
+  PayloadMetadata() = default;
+
+  // Attempts to parse the update payload header starting from the beginning of
+  // |payload|. On success, returns kMetadataParseSuccess. Returns
+  // kMetadataParseInsufficientData if more data is needed to parse the complete
+  // metadata. Returns kMetadataParseError if the metadata can't be parsed given
+  // the payload.
+  MetadataParseResult ParsePayloadHeader(const brillo::Blob& payload,
+                                         uint64_t supported_major_version,
+                                         ErrorCode* error);
+
+  // Given the |payload|, verifies that the signed hash of its metadata matches
+  // |metadata_signature| (if present) or the metadata signature in payload
+  // itself (if present). Returns ErrorCode::kSuccess on match or a suitable
+  // error code otherwise. This method must be called before any part of the
+  // metadata is parsed so that a man-in-the-middle attack on the SSL connection
+  // to the payload server doesn't exploit any vulnerability in the code that
+  // parses the protocol buffer.
+  ErrorCode ValidateMetadataSignature(const brillo::Blob& payload,
+                                      std::string metadata_signature,
+                                      base::FilePath path_to_public_key) const;
+
+  // Returns the major payload version. If the version was not yet parsed,
+  // returns zero.
+  uint64_t GetMajorVersion() const { return major_payload_version_; }
+
+  // Returns the size of the payload metadata, which includes the payload header
+  // and the manifest. If the header was not yet parsed, returns zero.
+  uint64_t GetMetadataSize() const { return metadata_size_; }
+
+  // Returns the size of the payload metadata signature. If the header was not
+  // yet parsed, returns zero.
+  uint32_t GetMetadataSignatureSize() const { return metadata_signature_size_; }
+
+  // Set |*out_manifest| to the manifest in |payload|.
+  // Returns true on success.
+  bool GetManifest(const brillo::Blob& payload,
+                   DeltaArchiveManifest* out_manifest) const;
+
+ private:
+  // Set |*out_offset| to the byte offset at which the manifest protobuf begins
+  // in a payload. Return true on success, false if the offset is unknown.
+  bool GetManifestOffset(uint64_t* out_offset) const;
+
+  // Set |*out_offset| to the byte offset where the size of the metadata
+  // signature is stored in a payload. Return true on success, if this field is
+  // not present in the payload, return false.
+  bool GetMetadataSignatureSizeOffset(uint64_t* out_offset) const;
+
+  uint64_t metadata_size_{0};
+  uint64_t manifest_size_{0};
+  uint32_t metadata_signature_size_{0};
+  uint64_t major_payload_version_{0};
+
+  DISALLOW_COPY_AND_ASSIGN(PayloadMetadata);
+};
+
+}  // namespace chromeos_update_engine
+
+#endif  // UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_

diff --git a/payload_generator/payload_signer.cc b/payload_generator/payload_signer.cc
index 824195d..0b47dd4 100644
--- a/payload_generator/payload_signer.cc
+++ b/payload_generator/payload_signer.cc

@@ -18,6 +18,8 @@
 
 #include <endian.h>
 
+#include <utility>
+
 #include <base/logging.h>
 #include <base/strings/string_number_conversions.h>
 #include <base/strings/string_split.h>
@@ -248,7 +250,7 @@
   TEST_AND_RETURN_FALSE(payload_file);
   brillo::Blob payload_metadata;
 
-  payload_metadata.resize(DeltaPerformer::kMaxPayloadHeaderSize);
+  payload_metadata.resize(kMaxPayloadHeaderSize);
   TEST_AND_RETURN_FALSE(payload_file->ReadAllBlocking(
       payload_metadata.data(), payload_metadata.size(), nullptr));
 

diff --git a/update_engine.gyp b/update_engine.gyp
index ff0e7f9..7cb2a7d 100644
--- a/update_engine.gyp
+++ b/update_engine.gyp

@@ -184,6 +184,7 @@
         'payload_consumer/install_plan.cc',
         'payload_consumer/mount_history.cc',
         'payload_consumer/payload_constants.cc',
+        'payload_consumer/payload_metadata.cc',
         'payload_consumer/payload_verifier.cc',
         'payload_consumer/postinstall_runner_action.cc',
         'payload_consumer/xz_extent_writer.cc',
commit	7225f7557fb423226d43a6eb98cfe6b23ca283f5	[log] [tgz]
author	Sen Jiang <senj@google.com>	Mon May 14 17:06:50 2018 -0700
committer	android-build-merger <android-build-merger@google.com>	Mon May 14 17:06:50 2018 -0700
tree	6022190804e956df1d35ca34eba812f87df0c693
parent	7d8aa80dfe5846d6c8933663caa224b9f5cac6ee [diff]
parent	b5f601d35d80d6e90dae881bdfd31dcde1b75d35 [diff]