1 //
2 // Copyright (C) 2018 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16 
17 #include "update_engine/payload_consumer/payload_metadata.h"
18 
19 #include <endian.h>
20 
21 #include <base/strings/stringprintf.h>
22 #include <brillo/data_encoding.h>
23 
24 #include "update_engine/common/constants.h"
25 #include "update_engine/common/hash_calculator.h"
26 #include "update_engine/common/utils.h"
27 #include "update_engine/payload_consumer/payload_constants.h"
28 #include "update_engine/payload_consumer/payload_verifier.h"
29 
30 using std::string;
31 
32 namespace chromeos_update_engine {
33 
34 const uint64_t PayloadMetadata::kDeltaVersionOffset = sizeof(kDeltaMagic);
35 const uint64_t PayloadMetadata::kDeltaVersionSize = 8;
36 const uint64_t PayloadMetadata::kDeltaManifestSizeOffset =
37     kDeltaVersionOffset + kDeltaVersionSize;
38 const uint64_t PayloadMetadata::kDeltaManifestSizeSize = 8;
39 const uint64_t PayloadMetadata::kDeltaMetadataSignatureSizeSize = 4;
40 
GetMetadataSignatureSizeOffset() const41 uint64_t PayloadMetadata::GetMetadataSignatureSizeOffset() const {
42   return kDeltaManifestSizeOffset + kDeltaManifestSizeSize;
43 }
44 
GetManifestOffset() const45 uint64_t PayloadMetadata::GetManifestOffset() const {
46   // Actual manifest begins right after the metadata signature size field.
47   return kDeltaManifestSizeOffset + kDeltaManifestSizeSize +
48          kDeltaMetadataSignatureSizeSize;
49 }
50 
ParsePayloadHeader(const brillo::Blob & payload,ErrorCode * error)51 MetadataParseResult PayloadMetadata::ParsePayloadHeader(
52     const brillo::Blob& payload, ErrorCode* error) {
53   return ParsePayloadHeader(payload.data(), payload.size(), error);
54 }
55 
ParsePayloadHeader(const unsigned char * payload,size_t size,ErrorCode * error)56 MetadataParseResult PayloadMetadata::ParsePayloadHeader(
57     const unsigned char* payload, size_t size, ErrorCode* error) {
58   // Ensure we have data to cover the major payload version.
59   if (size < kDeltaManifestSizeOffset)
60     return MetadataParseResult::kInsufficientData;
61 
62   // Validate the magic string.
63   if (memcmp(payload, kDeltaMagic, sizeof(kDeltaMagic)) != 0) {
64     LOG(ERROR) << "Bad payload format -- invalid delta magic: "
65                << base::StringPrintf("%02x%02x%02x%02x",
66                                      payload[0],
67                                      payload[1],
68                                      payload[2],
69                                      payload[3])
70                << " Expected: "
71                << base::StringPrintf("%02x%02x%02x%02x",
72                                      kDeltaMagic[0],
73                                      kDeltaMagic[1],
74                                      kDeltaMagic[2],
75                                      kDeltaMagic[3]);
76     *error = ErrorCode::kDownloadInvalidMetadataMagicString;
77     return MetadataParseResult::kError;
78   }
79 
80   uint64_t manifest_offset = GetManifestOffset();
81   // Check again with the manifest offset.
82   if (size < manifest_offset)
83     return MetadataParseResult::kInsufficientData;
84 
85   // Extract the payload version from the metadata.
86   static_assert(sizeof(major_payload_version_) == kDeltaVersionSize,
87                 "Major payload version size mismatch");
88   memcpy(&major_payload_version_,
89          &payload[kDeltaVersionOffset],
90          kDeltaVersionSize);
91   // Switch big endian to host.
92   major_payload_version_ = be64toh(major_payload_version_);
93 
94   if (major_payload_version_ < kMinSupportedMajorPayloadVersion ||
95       major_payload_version_ > kMaxSupportedMajorPayloadVersion) {
96     LOG(ERROR) << "Bad payload format -- unsupported payload version: "
97                << major_payload_version_;
98     *error = ErrorCode::kUnsupportedMajorPayloadVersion;
99     return MetadataParseResult::kError;
100   }
101 
102   // Next, parse the manifest size.
103   static_assert(sizeof(manifest_size_) == kDeltaManifestSizeSize,
104                 "manifest_size size mismatch");
105   memcpy(&manifest_size_,
106          &payload[kDeltaManifestSizeOffset],
107          kDeltaManifestSizeSize);
108   manifest_size_ = be64toh(manifest_size_);  // switch big endian to host
109 
110   metadata_size_ = manifest_offset + manifest_size_;
111   if (metadata_size_ < manifest_size_) {
112     // Overflow detected.
113     LOG(ERROR) << "Overflow detected on manifest size.";
114     *error = ErrorCode::kDownloadInvalidMetadataSize;
115     return MetadataParseResult::kError;
116   }
117 
118   // Parse the metadata signature size.
119   static_assert(
120       sizeof(metadata_signature_size_) == kDeltaMetadataSignatureSizeSize,
121       "metadata_signature_size size mismatch");
122   uint64_t metadata_signature_size_offset = GetMetadataSignatureSizeOffset();
123   memcpy(&metadata_signature_size_,
124          &payload[metadata_signature_size_offset],
125          kDeltaMetadataSignatureSizeSize);
126   metadata_signature_size_ = be32toh(metadata_signature_size_);
127 
128   if (metadata_size_ + metadata_signature_size_ < metadata_size_) {
129     // Overflow detected.
130     LOG(ERROR) << "Overflow detected on metadata and signature size.";
131     *error = ErrorCode::kDownloadInvalidMetadataSize;
132     return MetadataParseResult::kError;
133   }
134   return MetadataParseResult::kSuccess;
135 }
136 
ParsePayloadHeader(const brillo::Blob & payload)137 bool PayloadMetadata::ParsePayloadHeader(const brillo::Blob& payload) {
138   ErrorCode error;
139   return ParsePayloadHeader(payload, &error) == MetadataParseResult::kSuccess;
140 }
141 
GetManifest(const brillo::Blob & payload,DeltaArchiveManifest * out_manifest) const142 bool PayloadMetadata::GetManifest(const brillo::Blob& payload,
143                                   DeltaArchiveManifest* out_manifest) const {
144   return GetManifest(payload.data(), payload.size(), out_manifest);
145 }
146 
GetManifest(const unsigned char * payload,size_t size,DeltaArchiveManifest * out_manifest) const147 bool PayloadMetadata::GetManifest(const unsigned char* payload,
148                                   size_t size,
149                                   DeltaArchiveManifest* out_manifest) const {
150   uint64_t manifest_offset = GetManifestOffset();
151   CHECK_GE(size, manifest_offset + manifest_size_);
152   return out_manifest->ParseFromArray(&payload[manifest_offset],
153                                       manifest_size_);
154 }
155 
ValidateMetadataSignature(const brillo::Blob & payload,const string & metadata_signature,const PayloadVerifier & payload_verifier) const156 ErrorCode PayloadMetadata::ValidateMetadataSignature(
157     const brillo::Blob& payload,
158     const string& metadata_signature,
159     const PayloadVerifier& payload_verifier) const {
160   if (payload.size() < metadata_size_ + metadata_signature_size_)
161     return ErrorCode::kDownloadMetadataSignatureError;
162 
163   // A single signature in raw bytes.
164   brillo::Blob metadata_signature_blob;
165   // The serialized Signatures protobuf message stored in major version >=2
166   // payload, it may contain multiple signatures.
167   string metadata_signature_protobuf;
168   if (!metadata_signature.empty()) {
169     // Convert base64-encoded signature to raw bytes.
170     if (!brillo::data_encoding::Base64Decode(metadata_signature,
171                                              &metadata_signature_blob)) {
172       LOG(ERROR) << "Unable to decode base64 metadata signature: "
173                  << metadata_signature;
174       return ErrorCode::kDownloadMetadataSignatureError;
175     }
176   } else {
177     metadata_signature_protobuf.assign(
178         payload.begin() + metadata_size_,
179         payload.begin() + metadata_size_ + metadata_signature_size_);
180   }
181 
182   if (metadata_signature_blob.empty() && metadata_signature_protobuf.empty()) {
183     LOG(ERROR) << "Missing mandatory metadata signature in both Omaha "
184                << "response and payload.";
185     return ErrorCode::kDownloadMetadataSignatureMissingError;
186   }
187 
188   brillo::Blob metadata_hash;
189   if (!HashCalculator::RawHashOfBytes(
190           payload.data(), metadata_size_, &metadata_hash)) {
191     LOG(ERROR) << "Unable to compute actual hash of manifest";
192     return ErrorCode::kDownloadMetadataSignatureVerificationError;
193   }
194 
195   if (metadata_hash.size() != kSHA256Size) {
196     LOG(ERROR) << "Computed actual hash of metadata has incorrect size: "
197                << metadata_hash.size();
198     return ErrorCode::kDownloadMetadataSignatureVerificationError;
199   }
200 
201   if (!metadata_signature_blob.empty()) {
202     brillo::Blob decrypted_signature;
203     if (!payload_verifier.VerifyRawSignature(
204             metadata_signature_blob, metadata_hash, &decrypted_signature)) {
205       LOG(ERROR) << "Manifest hash verification failed. Decrypted hash = ";
206       utils::HexDumpVector(decrypted_signature);
207       LOG(ERROR) << "Calculated hash before padding = ";
208       utils::HexDumpVector(metadata_hash);
209       return ErrorCode::kDownloadMetadataSignatureMismatch;
210     }
211   } else {
212     if (!payload_verifier.VerifySignature(metadata_signature_protobuf,
213                                           metadata_hash)) {
214       LOG(ERROR) << "Manifest hash verification failed.";
215       return ErrorCode::kDownloadMetadataSignatureMismatch;
216     }
217   }
218 
219   // The autoupdate_CatchBadSignatures test checks for this string in
220   // log-files. Keep in sync.
221   LOG(INFO) << "Metadata hash signature matches value in Omaha response.";
222   return ErrorCode::kSuccess;
223 }
224 
ParsePayloadFile(const string & payload_path,DeltaArchiveManifest * manifest,Signatures * metadata_signatures)225 bool PayloadMetadata::ParsePayloadFile(const string& payload_path,
226                                        DeltaArchiveManifest* manifest,
227                                        Signatures* metadata_signatures) {
228   brillo::Blob payload;
229   TEST_AND_RETURN_FALSE(
230       utils::ReadFileChunk(payload_path, 0, kMaxPayloadHeaderSize, &payload));
231   TEST_AND_RETURN_FALSE(ParsePayloadHeader(payload));
232 
233   if (manifest != nullptr) {
234     TEST_AND_RETURN_FALSE(
235         utils::ReadFileChunk(payload_path,
236                              kMaxPayloadHeaderSize,
237                              GetMetadataSize() - kMaxPayloadHeaderSize,
238                              &payload));
239     TEST_AND_RETURN_FALSE(GetManifest(payload, manifest));
240   }
241 
242   if (metadata_signatures != nullptr) {
243     payload.clear();
244     TEST_AND_RETURN_FALSE(utils::ReadFileChunk(
245         payload_path, GetMetadataSize(), GetMetadataSignatureSize(), &payload));
246     TEST_AND_RETURN_FALSE(
247         metadata_signatures->ParseFromArray(payload.data(), payload.size()));
248   }
249 
250   return true;
251 }
252 
253 }  // namespace chromeos_update_engine
254