From af68f431474a7cb6816e77a46aea2eb6ef35026e Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Wed, 6 Mar 2019 15:08:29 +0100 Subject: [PATCH] auc: sync with server API Drop pre-ucert signature verification. HTTPS is optional now as integrity can also be provided using ucert. Signed-off-by: Daniel Golle --- utils/auc/Makefile | 6 +- utils/auc/src/auc.c | 184 ++++---------------------------------------- 2 files changed, 17 insertions(+), 173 deletions(-) diff --git a/utils/auc/Makefile b/utils/auc/Makefile index 444067010..4fecb7fca 100644 --- a/utils/auc/Makefile +++ b/utils/auc/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=auc -PKG_VERSION:=0.0.9 -PKG_RELEASE:=2 +PKG_VERSION:=0.1.0 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0 include $(INCLUDE_DIR)/package.mk @@ -17,7 +17,7 @@ define Package/auc CATEGORY:=Base system TITLE:=Attended sysUpgrade CLI (EXPERIMENTAL) DEPENDS:=+attendedsysupgrade-common +libblobmsg-json +libubox +libubus \ - +libuci +libuclient +rpcd-mod-rpcsys + +libuci +libuclient +rpcd-mod-rpcsys +ucert endef define Package/auc/description diff --git a/utils/auc/src/auc.c b/utils/auc/src/auc.c index 6c53b1bb5..5373abd81 100644 --- a/utils/auc/src/auc.c +++ b/utils/auc/src/auc.c @@ -252,7 +252,7 @@ static void pkglist_check_cb(struct ubus_request *req, int type, struct blob_att return; } - blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "packages", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES])); + blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "installed", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES])); }; /* 
@@ -703,98 +703,6 @@ static int init_ustream_ssl(void) { return 0; } -/** - * use busybox sha256sum to verify sha256sums file - */ -static int sha256sum_v(const char *sha256file, const char *msgfile) { - pid_t pid; - int fds[2]; - int status; - FILE *f = fopen(sha256file, "r"); - char sumline[512] = {}; - char *fname; - unsigned int fnlen; - unsigned int cnt = 0; - - if (pipe(fds)) - return -1; - - if (!f) - return -1; - - - pid = fork(); - switch (pid) { - case -1: - return -1; - - case 0: - uloop_done(); - - dup2(fds[0], 0); - close(1); - close(2); - close(fds[0]); - close(fds[1]); - if (execl("/bin/busybox", "/bin/busybox", "sha256sum", "-s", "-c", NULL)); - return -1; - - break; - - default: - while (fgets(sumline, sizeof(sumline), f)) { - fname = &sumline[66]; - fnlen = strlen(fname); - fname[fnlen-1] = '\0'; - if (!strcmp(fname, msgfile)) { - fname[fnlen-1] = '\n'; - write(fds[1], sumline, strlen(sumline)); - cnt++; - } - } - fclose(f); - close(fds[1]); - waitpid(pid, &status, 0); - close(fds[0]); - - if (cnt == 1) - return WEXITSTATUS(status); - else - return -1; - } - - return -1; -} - -/** - * use usign to verify sha256sums.sig - */ -static int usign_v(const char *file) { - pid_t pid; - int status; - - pid = fork(); - switch (pid) { - case -1: - return -1; - - case 0: - uloop_done(); - - if (execl("/usr/bin/usign", "/usr/bin/usign", - "-V", "-q", "-P", PUBKEY_PATH, "-m", file, NULL)); - return -1; - - break; - - default: - waitpid(pid, &status, 0); - return WEXITSTATUS(status); - } - - return -1; -} - static int ask_user(void) { fprintf(stderr, "Are you sure you want to continue the upgrade process? [N/y] "); 
@@ -878,17 +786,19 @@ int main(int args, char *argv[]) { goto freeconfig; } - rc = init_ustream_ssl(); - if (rc == -2) { - fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n"); - rc=-1; - goto freessl; - } + if (!strncmp(serverurl, "https", 5)) { + rc = init_ustream_ssl(); + if (rc == -2) { + fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n"); + rc=-1; + goto freessl; + } - if (rc || !ssl_ctx) { - fprintf(stderr, "SSL support not available, please install ustream-ssl\n"); - rc=-1; - goto freessl; + if (rc || !ssl_ctx) { + fprintf(stderr, "SSL support not available, please install ustream-ssl\n"); + rc=-1; + goto freessl; + } } blobmsg_buf_init(&checkbuf); 
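Review bot: The scheme test `!strncmp(serverurl, "https", 5)` is case-sensitive and omits the `://`, so a configured `HTTPS://…` URL skips `init_ustream_ssl()` even though the request still targets TLS, and any string that merely starts with `https` takes the TLS path. I would write `if (!strncasecmp(serverurl, "https://", 8)) {`, which needs `<strings.h>` if the file does not already include it. How the request code behaves with an unset `ssl_ctx` is outside this hunk, so that consequence is an inference. With a plain `http` server URL the server's replies are unauthenticated in transit and the later image check is the only protection, which deserves a comment here such as `/* TLS only for https URLs; over http, integrity rests on the ucert check in upgrade_test */`. `main` starts and ends outside the hunk.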
@@ -1057,73 +967,6 @@ int main(int args, char *argv[]) { goto freeboard; } - tmp=strrchr(url, '/'); - - strcpy(tmp, "/sha256sums"); - server_request(url, NULL, NULL); - - if (stat("sha256sums", &imgstat)) { - fprintf(stderr, "sha256sums download failed\n"); - rc=-1; - goto freeboard; - } - - if ((intmax_t)imgstat.st_size != out_len) { - fprintf(stderr, "sha256sums download incomplete\n"); - unlink("sha256sums"); - rc=-1; - goto freeboard; - } - - if (out_len < 68) { - fprintf(stderr, "sha256sums size mismatch\n"); - unlink("sha256sums"); - rc=-1; - goto freeboard; - } - - if (sha256sum_v("sha256sums", filename)) { - fprintf(stderr, "checksum verification failed\n"); - unlink(filename); - unlink("sha256sums"); - rc=-1; - goto freeboard; - } - - strcpy(tmp, "/sha256sums.sig"); - server_request(url, NULL, NULL); - - if (stat("sha256sums.sig", &imgstat)) { - fprintf(stderr, "sha256sums.sig download failed\n"); - rc=-1; - goto freeboard; - } - - if ((intmax_t)imgstat.st_size != out_len) { - fprintf(stderr, "sha256sums.sig download incomplete\n"); - unlink("sha256sums.sig"); - rc=-1; - goto freeboard; - } - - if (out_len < 16) { - fprintf(stderr, "sha256sums.sig size mismatch\n"); - unlink("sha256sums.sig"); - rc=-1; - goto freeboard; - } - - if (usign_v("sha256sums")) { - fprintf(stderr, "signature verification failed\n"); - if (!ignore_sig) { - unlink(filename); - unlink("sha256sums"); - unlink("sha256sums.sig"); - rc=-1; - goto freeboard; - } - }; - if (strcmp(filename, "firmware.bin")) { if (rename(filename, "firmware.bin")) { fprintf(stderr, "can't rename to firmware.bin\n"); @@ -1136,6 +979,7 @@ int main(int args, char *argv[]) { valid = 0; ubus_invoke(ctx, id, "upgrade_test", NULL, upgtest_cb, &valid, 3000); if (!valid) { + fprintf(stdout, "image verification failed\n"); rc=-1; goto freeboard; }
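Review bot: The `!valid` branch is now the only integrity gate for the downloaded image, yet it reports the failure on stdout and leaves `firmware.bin` in place, whereas the removed checks wrote to stderr and unlinked the file on failure. I would make it `fprintf(stderr, "image verification failed\n");` followed by `unlink("firmware.bin");` before `rc=-1;`, unless the `freeboard` cleanup outside this hunk already removes the file. The removed block was also the only visible user of `ignore_sig`; if that option is still parsed elsewhere it now silently does nothing and should be dropped or wired into the new check. A short comment above the `ubus_invoke` call stating that `upgrade_test` is expected to perform the ucert signature check would help, since nothing in this file section shows what `upgtest_cb` requires before setting `valid`.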