Verify metadata signature in major version 2.
Fall back to the metadata signature embedded in a major version 2 payload
when Omaha doesn't provide a metadata signature.
Bug: 23946683
TEST=unit test added.
Change-Id: I4f5e80019a8aeeaa4ff7daa82baa43a621c4ae98
diff --git a/delta_performer.h b/delta_performer.h
index 4f9881c..536dd83 100644
--- a/delta_performer.h
+++ b/delta_performer.h
@@ -185,6 +185,8 @@
private:
friend class DeltaPerformerTest;
friend class DeltaPerformerIntegrationTest;
+ FRIEND_TEST(DeltaPerformerTest, BrilloMetadataSignatureSizeTest);
+ FRIEND_TEST(DeltaPerformerTest, BrilloVerifyMetadataSignatureTest);
FRIEND_TEST(DeltaPerformerTest, UsePublicKeyFromResponse);
// Parse and move the update instructions of all partitions into our local
@@ -228,16 +230,15 @@
// Returns ErrorCode::kSuccess on match or a suitable error code otherwise.
ErrorCode ValidateOperationHash(const InstallOperation& operation);
- // Interprets the given |protobuf| as a DeltaArchiveManifest protocol buffer
- // of the given protobuf_length and verifies that the signed hash of the
- // metadata matches what's specified in the install plan from Omaha.
- // Returns ErrorCode::kSuccess on match or a suitable error code otherwise.
- // This method must be called before any part of the |protobuf| is parsed
- // so that a man-in-the-middle attack on the SSL connection to the payload
- // server doesn't exploit any vulnerability in the code that parses the
- // protocol buffer.
- ErrorCode ValidateMetadataSignature(const void* protobuf,
- uint64_t protobuf_length);
+ // Given the |payload|, verifies that the signed hash of its metadata matches
+ // what's specified in the install plan from Omaha (if present) or the
+ // metadata signature in payload itself (if present). Returns
+ // ErrorCode::kSuccess on match or a suitable error code otherwise. This
+ // method must be called before any part of the metadata is parsed so that a
+ // man-in-the-middle attack on the SSL connection to the payload server
+ // doesn't exploit any vulnerability in the code that parses the protocol
+ // buffer.
+ ErrorCode ValidateMetadataSignature(const brillo::Blob& payload);
// Returns true on success.
bool PerformInstallOperation(const InstallOperation& operation);
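Review bot: The new header comment on `ValidateMetadataSignature(const brillo::Blob& payload)` leaves the two cases a reviewer cares about unspecified: it says the Omaha signature is used "(if present)" or the in-payload one "(if present)", but not which one wins when both exist, nor what the function returns when neither does. Because this check gates parsing of metadata that an on-path attacker can supply, the contract should say explicitly that the embedded signature is consulted only when Omaha provides none, and whether a missing signature is an error or a documented skip (the .cc is not in this hunk, so I cannot tell which it is — state whichever the implementation does). I would append something like `// The Omaha-supplied signature takes precedence; the one embedded in the payload is used only when Omaha provides none. If neither is available, the result is <error code / skip> rather than an implicit success.` with the placeholder filled in from the implementation. Since the signature now takes the whole blob instead of an explicit length, it would also help to state the precondition that |payload| already holds the metadata plus its trailing signature (presumably metadata_size_ + metadata_signature_size_ bytes) so callers do not invoke it on a partial download. The enclosing DeltaPerformer class declaration continues outside this hunk.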
@@ -304,6 +305,7 @@
bool manifest_valid_{false};
uint64_t metadata_size_{0};
uint64_t manifest_size_{0};
+ uint32_t metadata_signature_size_{0};
uint64_t major_payload_version_{0};
// Accumulated number of operations per partition. The i-th element is the