Blame - payload_consumer/payload_metadata.cc - android_system_update_engine

blob: f7002282321ccfdbdc754ef15980f517ceb178a1 [file] [log] [blame]

Sen Jiang	9c89e84	2018-02-02 13:51:21 -0800	[diff] [blame]	1	//
				2	// Copyright (C) 2018 The Android Open Source Project
				3	//
				4	// Licensed under the Apache License, Version 2.0 (the "License");
				5	// you may not use this file except in compliance with the License.
				6	// You may obtain a copy of the License at
				7	//
				8	// http://www.apache.org/licenses/LICENSE-2.0
				9	//
				10	// Unless required by applicable law or agreed to in writing, software
				11	// distributed under the License is distributed on an "AS IS" BASIS,
				12	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				13	// See the License for the specific language governing permissions and
				14	// limitations under the License.
				15	//
				16
				17	#include "update_engine/payload_consumer/payload_metadata.h"
				18
				19	#include <endian.h>
				20
				21	#include <brillo/data_encoding.h>
				22
				23	#include "update_engine/common/hash_calculator.h"
				24	#include "update_engine/common/utils.h"
				25	#include "update_engine/payload_consumer/payload_constants.h"
				26	#include "update_engine/payload_consumer/payload_verifier.h"
				27
				28	namespace chromeos_update_engine {
				29
				30	const uint64_t PayloadMetadata::kDeltaVersionOffset = sizeof(kDeltaMagic);
				31	const uint64_t PayloadMetadata::kDeltaVersionSize = 8;
				32	const uint64_t PayloadMetadata::kDeltaManifestSizeOffset =
				33	kDeltaVersionOffset + kDeltaVersionSize;
				34	const uint64_t PayloadMetadata::kDeltaManifestSizeSize = 8;
				35	const uint64_t PayloadMetadata::kDeltaMetadataSignatureSizeSize = 4;
				36
				37	bool PayloadMetadata::GetMetadataSignatureSizeOffset(
				38	uint64_t* out_offset) const {
				39	if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
				40	*out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
				41	return true;
				42	}
				43	return false;
				44	}
				45
				46	bool PayloadMetadata::GetManifestOffset(uint64_t* out_offset) const {
				47	// Actual manifest begins right after the manifest size field or
				48	// metadata signature size field if major version >= 2.
				49	if (major_payload_version_ == kChromeOSMajorPayloadVersion) {
				50	*out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
				51	return true;
				52	}
				53	if (major_payload_version_ == kBrilloMajorPayloadVersion) {
				54	*out_offset = kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
				55	kDeltaMetadataSignatureSizeSize;
				56	return true;
				57	}
				58	LOG(ERROR) << "Unknown major payload version: " << major_payload_version_;
				59	return false;
				60	}
				61
				62	MetadataParseResult PayloadMetadata::ParsePayloadHeader(
Sen Jiang	f123663	2018-05-11 16:03:23 -0700	[diff] [blame^]	63	const brillo::Blob& payload, ErrorCode* error) {
Sen Jiang	9c89e84	2018-02-02 13:51:21 -0800	[diff] [blame]	64	uint64_t manifest_offset;
				65	// Ensure we have data to cover the major payload version.
				66	if (payload.size() < kDeltaManifestSizeOffset)
				67	return MetadataParseResult::kInsufficientData;
				68
				69	// Validate the magic string.
				70	if (memcmp(payload.data(), kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
				71	LOG(ERROR) << "Bad payload format -- invalid delta magic.";
				72	*error = ErrorCode::kDownloadInvalidMetadataMagicString;
				73	return MetadataParseResult::kError;
				74	}
				75
				76	// Extract the payload version from the metadata.
				77	static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
				78	"Major payload version size mismatch");
				79	memcpy(&major_payload_version_,
				80	&payload[kDeltaVersionOffset],
				81	kDeltaVersionSize);
				82	// Switch big endian to host.
				83	major_payload_version_ = be64toh(major_payload_version_);
				84
Sen Jiang	f123663	2018-05-11 16:03:23 -0700	[diff] [blame^]	85	if (major_payload_version_ < kMinSupportedMajorPayloadVersion \|\|
				86	major_payload_version_ > kMaxSupportedMajorPayloadVersion) {
Sen Jiang	9c89e84	2018-02-02 13:51:21 -0800	[diff] [blame]	87	LOG(ERROR) << "Bad payload format -- unsupported payload version: "
				88	<< major_payload_version_;
				89	*error = ErrorCode::kUnsupportedMajorPayloadVersion;
				90	return MetadataParseResult::kError;
				91	}
				92
				93	// Get the manifest offset now that we have payload version.
				94	if (!GetManifestOffset(&manifest_offset)) {
				95	*error = ErrorCode::kUnsupportedMajorPayloadVersion;
				96	return MetadataParseResult::kError;
				97	}
				98	// Check again with the manifest offset.
				99	if (payload.size() < manifest_offset)
				100	return MetadataParseResult::kInsufficientData;
				101
				102	// Next, parse the manifest size.
				103	static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
				104	"manifest_size size mismatch");
				105	memcpy(&manifest_size_,
				106	&payload[kDeltaManifestSizeOffset],
				107	kDeltaManifestSizeSize);
				108	manifest_size_ = be64toh(manifest_size_); // switch big endian to host
				109
				110	if (GetMajorVersion() == kBrilloMajorPayloadVersion) {
				111	// Parse the metadata signature size.
				112	static_assert(
				113	sizeof(metadata_signature_size_) == kDeltaMetadataSignatureSizeSize,
				114	"metadata_signature_size size mismatch");
				115	uint64_t metadata_signature_size_offset;
				116	if (!GetMetadataSignatureSizeOffset(&metadata_signature_size_offset)) {
				117	*error = ErrorCode::kError;
				118	return MetadataParseResult::kError;
				119	}
				120	memcpy(&metadata_signature_size_,
				121	&payload[metadata_signature_size_offset],
				122	kDeltaMetadataSignatureSizeSize);
				123	metadata_signature_size_ = be32toh(metadata_signature_size_);
				124	}
				125	metadata_size_ = manifest_offset + manifest_size_;
				126	return MetadataParseResult::kSuccess;
				127	}
				128
				129	bool PayloadMetadata::GetManifest(const brillo::Blob& payload,
				130	DeltaArchiveManifest* out_manifest) const {
				131	uint64_t manifest_offset;
				132	if (!GetManifestOffset(&manifest_offset))
				133	return false;
				134	CHECK_GE(payload.size(), manifest_offset + manifest_size_);
				135	return out_manifest->ParseFromArray(&payload[manifest_offset],
				136	manifest_size_);
				137	}
				138
				139	ErrorCode PayloadMetadata::ValidateMetadataSignature(
				140	const brillo::Blob& payload,
				141	std::string metadata_signature,
				142	base::FilePath path_to_public_key) const {
				143	if (payload.size() < metadata_size_ + metadata_signature_size_)
				144	return ErrorCode::kDownloadMetadataSignatureError;
				145
				146	brillo::Blob metadata_signature_blob, metadata_signature_protobuf_blob;
				147	if (!metadata_signature.empty()) {
				148	// Convert base64-encoded signature to raw bytes.
				149	if (!brillo::data_encoding::Base64Decode(metadata_signature,
				150	&metadata_signature_blob)) {
				151	LOG(ERROR) << "Unable to decode base64 metadata signature: "
				152	<< metadata_signature;
				153	return ErrorCode::kDownloadMetadataSignatureError;
				154	}
				155	} else if (major_payload_version_ == kBrilloMajorPayloadVersion) {
				156	metadata_signature_protobuf_blob.assign(
				157	payload.begin() + metadata_size_,
				158	payload.begin() + metadata_size_ + metadata_signature_size_);
				159	}
				160
				161	if (metadata_signature_blob.empty() &&
				162	metadata_signature_protobuf_blob.empty()) {
				163	LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
				164	<< "response and payload.";
				165	return ErrorCode::kDownloadMetadataSignatureMissingError;
				166	}
				167
				168	LOG(INFO) << "Verifying metadata hash signature using public key: "
				169	<< path_to_public_key.value();
				170
				171	brillo::Blob calculated_metadata_hash;
				172	if (!HashCalculator::RawHashOfBytes(
				173	payload.data(), metadata_size_, &calculated_metadata_hash)) {
				174	LOG(ERROR) << "Unable to compute actual hash of manifest";
				175	return ErrorCode::kDownloadMetadataSignatureVerificationError;
				176	}
				177
				178	PayloadVerifier::PadRSA2048SHA256Hash(&calculated_metadata_hash);
				179	if (calculated_metadata_hash.empty()) {
				180	LOG(ERROR) << "Computed actual hash of metadata is empty.";
				181	return ErrorCode::kDownloadMetadataSignatureVerificationError;
				182	}
				183
				184	if (!metadata_signature_blob.empty()) {
				185	brillo::Blob expected_metadata_hash;
				186	if (!PayloadVerifier::GetRawHashFromSignature(metadata_signature_blob,
				187	path_to_public_key.value(),
				188	&expected_metadata_hash)) {
				189	LOG(ERROR) << "Unable to compute expected hash from metadata signature";
				190	return ErrorCode::kDownloadMetadataSignatureError;
				191	}
				192	if (calculated_metadata_hash != expected_metadata_hash) {
				193	LOG(ERROR) << "Manifest hash verification failed. Expected hash = ";
				194	utils::HexDumpVector(expected_metadata_hash);
				195	LOG(ERROR) << "Calculated hash = ";
				196	utils::HexDumpVector(calculated_metadata_hash);
				197	return ErrorCode::kDownloadMetadataSignatureMismatch;
				198	}
				199	} else {
				200	if (!PayloadVerifier::VerifySignature(metadata_signature_protobuf_blob,
				201	path_to_public_key.value(),
				202	calculated_metadata_hash)) {
				203	LOG(ERROR) << "Manifest hash verification failed.";
				204	return ErrorCode::kDownloadMetadataSignatureMismatch;
				205	}
				206	}
				207
				208	// The autoupdate_CatchBadSignatures test checks for this string in
				209	// log-files. Keep in sync.
				210	LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
				211	return ErrorCode::kSuccess;
				212	}
				213
				214	} // namespace chromeos_update_engine