Browse Source

auc: sync with server API

Drop pre-ucert signature verification.
HTTPS is optional now as integrity can also be provided using ucert.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
lilik-openwrt-22.03
Daniel Golle 6 years ago
parent
commit
af68f43147
2 changed files with 17 additions and 173 deletions
  1. +3
    -3
      utils/auc/Makefile
  2. +14
    -170
      utils/auc/src/auc.c

+ 3
- 3
utils/auc/Makefile View File

@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=auc
PKG_VERSION:=0.0.9
PKG_RELEASE:=2
PKG_VERSION:=0.1.0
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0
include $(INCLUDE_DIR)/package.mk
@ -17,7 +17,7 @@ define Package/auc
CATEGORY:=Base system
TITLE:=Attended sysUpgrade CLI (EXPERIMENTAL)
DEPENDS:=+attendedsysupgrade-common +libblobmsg-json +libubox +libubus \
+libuci +libuclient +rpcd-mod-rpcsys
+libuci +libuclient +rpcd-mod-rpcsys +ucert
endef
define Package/auc/description


+ 14
- 170
utils/auc/src/auc.c View File

@ -252,7 +252,7 @@ static void pkglist_check_cb(struct ubus_request *req, int type, struct blob_att
return;
}
blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "packages", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES]));
blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "installed", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES]));
};
/*
@ -703,98 +703,6 @@ static int init_ustream_ssl(void) {
return 0;
}
/**
* use busybox sha256sum to verify sha256sums file
*/
static int sha256sum_v(const char *sha256file, const char *msgfile) {
pid_t pid;
int fds[2];
int status;
FILE *f = fopen(sha256file, "r");
char sumline[512] = {};
char *fname;
unsigned int fnlen;
unsigned int cnt = 0;
if (pipe(fds))
return -1;
if (!f)
return -1;
pid = fork();
switch (pid) {
case -1:
return -1;
case 0:
uloop_done();
dup2(fds[0], 0);
close(1);
close(2);
close(fds[0]);
close(fds[1]);
if (execl("/bin/busybox", "/bin/busybox", "sha256sum", "-s", "-c", NULL));
return -1;
break;
default:
while (fgets(sumline, sizeof(sumline), f)) {
fname = &sumline[66];
fnlen = strlen(fname);
fname[fnlen-1] = '\0';
if (!strcmp(fname, msgfile)) {
fname[fnlen-1] = '\n';
write(fds[1], sumline, strlen(sumline));
cnt++;
}
}
fclose(f);
close(fds[1]);
waitpid(pid, &status, 0);
close(fds[0]);
if (cnt == 1)
return WEXITSTATUS(status);
else
return -1;
}
return -1;
}
/**
* use usign to verify sha256sums.sig
*/
static int usign_v(const char *file) {
pid_t pid;
int status;
pid = fork();
switch (pid) {
case -1:
return -1;
case 0:
uloop_done();
if (execl("/usr/bin/usign", "/usr/bin/usign",
"-V", "-q", "-P", PUBKEY_PATH, "-m", file, NULL));
return -1;
break;
default:
waitpid(pid, &status, 0);
return WEXITSTATUS(status);
}
return -1;
}
static int ask_user(void)
{
fprintf(stderr, "Are you sure you want to continue the upgrade process? [N/y] ");
@ -878,17 +786,19 @@ int main(int args, char *argv[]) {
goto freeconfig;
}
rc = init_ustream_ssl();
if (rc == -2) {
fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n");
rc=-1;
goto freessl;
}
if (!strncmp(serverurl, "https", 5)) {
rc = init_ustream_ssl();
if (rc == -2) {
fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n");
rc=-1;
goto freessl;
}
if (rc || !ssl_ctx) {
fprintf(stderr, "SSL support not available, please install ustream-ssl\n");
rc=-1;
goto freessl;
if (rc || !ssl_ctx) {
fprintf(stderr, "SSL support not available, please install ustream-ssl\n");
rc=-1;
goto freessl;
}
}
blobmsg_buf_init(&checkbuf);
@ -1057,73 +967,6 @@ int main(int args, char *argv[]) {
goto freeboard;
}
tmp=strrchr(url, '/');
strcpy(tmp, "/sha256sums");
server_request(url, NULL, NULL);
if (stat("sha256sums", &imgstat)) {
fprintf(stderr, "sha256sums download failed\n");
rc=-1;
goto freeboard;
}
if ((intmax_t)imgstat.st_size != out_len) {
fprintf(stderr, "sha256sums download incomplete\n");
unlink("sha256sums");
rc=-1;
goto freeboard;
}
if (out_len < 68) {
fprintf(stderr, "sha256sums size mismatch\n");
unlink("sha256sums");
rc=-1;
goto freeboard;
}
if (sha256sum_v("sha256sums", filename)) {
fprintf(stderr, "checksum verification failed\n");
unlink(filename);
unlink("sha256sums");
rc=-1;
goto freeboard;
}
strcpy(tmp, "/sha256sums.sig");
server_request(url, NULL, NULL);
if (stat("sha256sums.sig", &imgstat)) {
fprintf(stderr, "sha256sums.sig download failed\n");
rc=-1;
goto freeboard;
}
if ((intmax_t)imgstat.st_size != out_len) {
fprintf(stderr, "sha256sums.sig download incomplete\n");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
if (out_len < 16) {
fprintf(stderr, "sha256sums.sig size mismatch\n");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
if (usign_v("sha256sums")) {
fprintf(stderr, "signature verification failed\n");
if (!ignore_sig) {
unlink(filename);
unlink("sha256sums");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
};
if (strcmp(filename, "firmware.bin")) {
if (rename(filename, "firmware.bin")) {
fprintf(stderr, "can't rename to firmware.bin\n");
@ -1136,6 +979,7 @@ int main(int args, char *argv[]) {
valid = 0;
ubus_invoke(ctx, id, "upgrade_test", NULL, upgtest_cb, &valid, 3000);
if (!valid) {
fprintf(stdout, "image verification failed\n");
rc=-1;
goto freeboard;
}


Loading…
Cancel
Save