| Sen Jiang | 9c89e84 | 2018-02-02 13:51:21 -0800 | [diff] [blame] | 1 | // |
| 2 | // Copyright (C) 2018 The Android Open Source Project |
| 3 | // |
| 4 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | // you may not use this file except in compliance with the License. |
| 6 | // You may obtain a copy of the License at |
| 7 | // |
| 8 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | // |
| 10 | // Unless required by applicable law or agreed to in writing, software |
| 11 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | // See the License for the specific language governing permissions and |
| 14 | // limitations under the License. |
| 15 | // |
| 16 | |
| 17 | #ifndef UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ |
| 18 | #define UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ |
| 19 | |
| 20 | #include <inttypes.h> |
| 21 | |
| 22 | #include <string> |
| 23 | #include <vector> |
| 24 | |
| 25 | #include <base/files/file_path.h> |
| 26 | #include <brillo/secure_blob.h> |
| 27 | |
| 28 | #include "update_engine/common/error_code.h" |
| 29 | #include "update_engine/common/platform_constants.h" |
| 30 | #include "update_engine/update_metadata.pb.h" |
| 31 | |
| 32 | namespace chromeos_update_engine { |
| 33 | |
| 34 | enum class MetadataParseResult { |
| 35 | kSuccess, |
| 36 | kError, |
| 37 | kInsufficientData, |
| 38 | }; |
| 39 | |
| 40 | // This class parses payload metadata and validate its signature. |
| 41 | class PayloadMetadata { |
| 42 | public: |
| 43 | static const uint64_t kDeltaVersionOffset; |
| 44 | static const uint64_t kDeltaVersionSize; |
| 45 | static const uint64_t kDeltaManifestSizeOffset; |
| 46 | static const uint64_t kDeltaManifestSizeSize; |
| 47 | static const uint64_t kDeltaMetadataSignatureSizeSize; |
| 48 | |
| 49 | PayloadMetadata() = default; |
| 50 | |
| 51 | // Attempts to parse the update payload header starting from the beginning of |
| 52 | // |payload|. On success, returns kMetadataParseSuccess. Returns |
| 53 | // kMetadataParseInsufficientData if more data is needed to parse the complete |
| 54 | // metadata. Returns kMetadataParseError if the metadata can't be parsed given |
| 55 | // the payload. |
| 56 | MetadataParseResult ParsePayloadHeader(const brillo::Blob& payload, |
| Sen Jiang | 9c89e84 | 2018-02-02 13:51:21 -0800 | [diff] [blame] | 57 | ErrorCode* error); |
| 58 | |
| 59 | // Given the |payload|, verifies that the signed hash of its metadata matches |
| 60 | // |metadata_signature| (if present) or the metadata signature in payload |
| 61 | // itself (if present). Returns ErrorCode::kSuccess on match or a suitable |
| 62 | // error code otherwise. This method must be called before any part of the |
| 63 | // metadata is parsed so that a man-in-the-middle attack on the SSL connection |
| 64 | // to the payload server doesn't exploit any vulnerability in the code that |
| 65 | // parses the protocol buffer. |
| 66 | ErrorCode ValidateMetadataSignature(const brillo::Blob& payload, |
| 67 | std::string metadata_signature, |
| 68 | base::FilePath path_to_public_key) const; |
| 69 | |
| 70 | // Returns the major payload version. If the version was not yet parsed, |
| 71 | // returns zero. |
| 72 | uint64_t GetMajorVersion() const { return major_payload_version_; } |
| 73 | |
| 74 | // Returns the size of the payload metadata, which includes the payload header |
| 75 | // and the manifest. If the header was not yet parsed, returns zero. |
| 76 | uint64_t GetMetadataSize() const { return metadata_size_; } |
| 77 | |
| 78 | // Returns the size of the payload metadata signature. If the header was not |
| 79 | // yet parsed, returns zero. |
| 80 | uint32_t GetMetadataSignatureSize() const { return metadata_signature_size_; } |
| 81 | |
| 82 | // Set |*out_manifest| to the manifest in |payload|. |
| 83 | // Returns true on success. |
| 84 | bool GetManifest(const brillo::Blob& payload, |
| 85 | DeltaArchiveManifest* out_manifest) const; |
| 86 | |
| 87 | private: |
| 88 | // Set |*out_offset| to the byte offset at which the manifest protobuf begins |
| 89 | // in a payload. Return true on success, false if the offset is unknown. |
| 90 | bool GetManifestOffset(uint64_t* out_offset) const; |
| 91 | |
| 92 | // Set |*out_offset| to the byte offset where the size of the metadata |
| 93 | // signature is stored in a payload. Return true on success, if this field is |
| 94 | // not present in the payload, return false. |
| 95 | bool GetMetadataSignatureSizeOffset(uint64_t* out_offset) const; |
| 96 | |
| 97 | uint64_t metadata_size_{0}; |
| 98 | uint64_t manifest_size_{0}; |
| 99 | uint32_t metadata_signature_size_{0}; |
| 100 | uint64_t major_payload_version_{0}; |
| 101 | |
| 102 | DISALLOW_COPY_AND_ASSIGN(PayloadMetadata); |
| 103 | }; |
| 104 | |
| 105 | } // namespace chromeos_update_engine |
| 106 | |
| 107 | #endif // UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ |