1 // 2 // Copyright (C) 2018 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ 18 #define UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ 19 20 #include <string> 21 22 #include <android-base/macros.h> 23 #include <brillo/secure_blob.h> 24 25 #include "update_engine/common/utils.h" 26 #include "update_engine/common/error_code.h" 27 #include "update_engine/payload_consumer/payload_verifier.h" 28 #include "update_engine/update_metadata.pb.h" 29 30 namespace chromeos_update_engine { 31 32 enum class MetadataParseResult { 33 kSuccess, 34 kError, 35 kInsufficientData, 36 }; 37 38 // This class parses payload metadata and validate its signature. 39 class PayloadMetadata { 40 public: 41 static const uint64_t kDeltaVersionOffset; 42 static const uint64_t kDeltaVersionSize; 43 static const uint64_t kDeltaManifestSizeOffset; 44 static const uint64_t kDeltaManifestSizeSize; 45 static const uint64_t kDeltaMetadataSignatureSizeSize; 46 47 PayloadMetadata() = default; 48 49 // Attempts to parse the update payload header starting from the beginning of 50 // |payload|. On success, returns kMetadataParseSuccess. Returns 51 // kMetadataParseInsufficientData if more data is needed to parse the complete 52 // metadata. Returns kMetadataParseError if the metadata can't be parsed given 53 // the payload. 54 MetadataParseResult ParsePayloadHeader(const brillo::Blob& payload, 55 ErrorCode* error); ParsePayloadHeader(std::string_view payload,ErrorCode * error)56 MetadataParseResult ParsePayloadHeader(std::string_view payload, 57 ErrorCode* error) { 58 return ParsePayloadHeader(reinterpret_cast<const uint8_t*>(payload.data()), 59 payload.size(), 60 error); 61 } 62 MetadataParseResult ParsePayloadHeader(const unsigned char* payload, 63 size_t size, 64 ErrorCode* error); 65 // Simpler version of the above, returns true on success. 66 bool ParsePayloadHeader(const brillo::Blob& payload); 67 68 // Given the |payload|, verifies that the signed hash of its metadata matches 69 // |metadata_signature| (if present) or the metadata signature in payload 70 // itself (if present). Returns ErrorCode::kSuccess on match or a suitable 71 // error code otherwise. This method must be called before any part of the 72 // metadata is parsed so that an on-path attack on the SSL connection 73 // to the payload server doesn't exploit any vulnerability in the code that 74 // parses the protocol buffer. 75 ErrorCode ValidateMetadataSignature( 76 std::string_view payload, 77 const std::string& metadata_signature, 78 const PayloadVerifier& payload_verifier) const; ValidateMetadataSignature(const std::vector<uint8_t> & payload,const std::string & metadata_signature,const PayloadVerifier & payload_verifier)79 ErrorCode ValidateMetadataSignature( 80 const std::vector<uint8_t>& payload, 81 const std::string& metadata_signature, 82 const PayloadVerifier& payload_verifier) const { 83 return ValidateMetadataSignature( 84 ToStringView(payload), metadata_signature, payload_verifier); 85 } 86 87 // Returns the major payload version. If the version was not yet parsed, 88 // returns zero. GetMajorVersion()89 uint64_t GetMajorVersion() const { return major_payload_version_; } 90 91 // Returns the size of the payload metadata, which includes the payload header 92 // and the manifest. If the header was not yet parsed, returns zero. GetMetadataSize()93 uint64_t GetMetadataSize() const { return metadata_size_; } 94 95 // Returns the size of the payload metadata signature. If the header was not 96 // yet parsed, returns zero. GetMetadataSignatureSize()97 uint32_t GetMetadataSignatureSize() const { return metadata_signature_size_; } 98 99 // Set |*out_manifest| to the manifest in |payload|. 100 // Returns true on success. 101 bool GetManifest(const brillo::Blob& payload, 102 DeltaArchiveManifest* out_manifest) const; 103 104 bool GetManifest(const unsigned char* payload, 105 size_t size, 106 DeltaArchiveManifest* out_manifest) const; GetManifest(std::string_view payload,DeltaArchiveManifest * out_manifest)107 bool GetManifest(std::string_view payload, 108 DeltaArchiveManifest* out_manifest) const { 109 return GetManifest(reinterpret_cast<const uint8_t*>(payload.data()), 110 payload.size(), 111 out_manifest); 112 } 113 114 // Parses a payload file |payload_path| and prepares the metadata properties, 115 // manifest and metadata signatures. Can be used as an easy to use utility to 116 // get the payload information without manually the process. 117 bool ParsePayloadFile(const std::string& payload_path, 118 DeltaArchiveManifest* manifest, 119 Signatures* metadata_signatures); 120 121 private: 122 // Returns the byte offset at which the manifest protobuf begins in a payload. 123 uint64_t GetManifestOffset() const; 124 125 // Returns the byte offset where the size of the metadata signature is stored 126 // in a payload. 127 uint64_t GetMetadataSignatureSizeOffset() const; 128 129 uint64_t metadata_size_{0}; 130 uint64_t manifest_size_{0}; 131 uint32_t metadata_signature_size_{0}; 132 uint64_t major_payload_version_{0}; 133 134 DISALLOW_COPY_AND_ASSIGN(PayloadMetadata); 135 }; 136 137 } // namespace chromeos_update_engine 138 139 #endif // UPDATE_ENGINE_PAYLOAD_CONSUMER_PAYLOAD_METADATA_H_ 140