Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

auc: sync with server API

Browse source 
Drop pre-ucert signature verification.
HTTPS is optional now as integrity can also be provided using ucert.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
Daniel Golle 2019-03-06 15:08:29 +01:00
parent 0c74b5952c
commit af68f43147
2 changed files with 17 additions and 173 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
utils/auc/Makefile
View file

@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=auc PKG_NAME:=auc
PKG_VERSION:=0.0.9 PKG_VERSION:=0.1.0
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0 PKG_LICENSE:=GPL-3.0
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -17,7 +17,7 @@ define Package/auc
CATEGORY:=Base system CATEGORY:=Base system
TITLE:=Attended sysUpgrade CLI (EXPERIMENTAL) TITLE:=Attended sysUpgrade CLI (EXPERIMENTAL)
DEPENDS:=+attendedsysupgrade-common +libblobmsg-json +libubox +libubus \ DEPENDS:=+attendedsysupgrade-common +libblobmsg-json +libubox +libubus \
+libuci +libuclient +rpcd-mod-rpcsys +libuci +libuclient +rpcd-mod-rpcsys +ucert
endef endef
define Package/auc/description define Package/auc/description

164
utils/auc/src/auc.c
View file

@ -252,7 +252,7 @@ static void pkglist_check_cb(struct ubus_request *req, int type, struct blob_att
return; return;
} }
blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "packages", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES])); blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "installed", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES]));
}; };
/* /*
@ -703,98 +703,6 @@ static int init_ustream_ssl(void) {
return 0; return 0;
} }
/**
* use busybox sha256sum to verify sha256sums file
*/
static int sha256sum_v(const char *sha256file, const char *msgfile) {
pid_t pid;
int fds[2];
int status;
FILE *f = fopen(sha256file, "r");
char sumline[512] = {};
char *fname;
unsigned int fnlen;
unsigned int cnt = 0;
if (pipe(fds))
return -1;
if (!f)
return -1;
pid = fork();
switch (pid) {
case -1:
return -1;
case 0:
uloop_done();
dup2(fds[0], 0);
close(1);
close(2);
close(fds[0]);
close(fds[1]);
if (execl("/bin/busybox", "/bin/busybox", "sha256sum", "-s", "-c", NULL));
return -1;
break;
default:
while (fgets(sumline, sizeof(sumline), f)) {
fname = &sumline[66];
fnlen = strlen(fname);
fname[fnlen-1] = '\0';
if (!strcmp(fname, msgfile)) {
fname[fnlen-1] = '\n';
write(fds[1], sumline, strlen(sumline));
cnt++;
}
}
fclose(f);
close(fds[1]);
waitpid(pid, &status, 0);
close(fds[0]);
if (cnt == 1)
return WEXITSTATUS(status);
else
return -1;
}
return -1;
}
/**
* use usign to verify sha256sums.sig
*/
static int usign_v(const char *file) {
pid_t pid;
int status;
pid = fork();
switch (pid) {
case -1:
return -1;
case 0:
uloop_done();
if (execl("/usr/bin/usign", "/usr/bin/usign",
"-V", "-q", "-P", PUBKEY_PATH, "-m", file, NULL));
return -1;
break;
default:
waitpid(pid, &status, 0);
return WEXITSTATUS(status);
}
return -1;
}
static int ask_user(void) static int ask_user(void)
{ {
fprintf(stderr, "Are you sure you want to continue the upgrade process? [N/y] "); fprintf(stderr, "Are you sure you want to continue the upgrade process? [N/y] ");
@ -878,6 +786,7 @@ int main(int args, char *argv[]) {
goto freeconfig; goto freeconfig;
} }
if (!strncmp(serverurl, "https", 5)) {
rc = init_ustream_ssl(); rc = init_ustream_ssl();
if (rc == -2) { if (rc == -2) {
fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n"); fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n");
@ -890,6 +799,7 @@ int main(int args, char *argv[]) {
rc=-1; rc=-1;
goto freessl; goto freessl;
} }
}
blobmsg_buf_init(&checkbuf); blobmsg_buf_init(&checkbuf);
blobmsg_buf_init(&infobuf); blobmsg_buf_init(&infobuf);
@ -1057,73 +967,6 @@ int main(int args, char *argv[]) {
goto freeboard; goto freeboard;
} }
tmp=strrchr(url, '/');
strcpy(tmp, "/sha256sums");
server_request(url, NULL, NULL);
if (stat("sha256sums", &imgstat)) {
fprintf(stderr, "sha256sums download failed\n");
rc=-1;
goto freeboard;
}
if ((intmax_t)imgstat.st_size != out_len) {
fprintf(stderr, "sha256sums download incomplete\n");
unlink("sha256sums");
rc=-1;
goto freeboard;
}
if (out_len < 68) {
fprintf(stderr, "sha256sums size mismatch\n");
unlink("sha256sums");
rc=-1;
goto freeboard;
}
if (sha256sum_v("sha256sums", filename)) {
fprintf(stderr, "checksum verification failed\n");
unlink(filename);
unlink("sha256sums");
rc=-1;
goto freeboard;
}
strcpy(tmp, "/sha256sums.sig");
server_request(url, NULL, NULL);
if (stat("sha256sums.sig", &imgstat)) {
fprintf(stderr, "sha256sums.sig download failed\n");
rc=-1;
goto freeboard;
}
if ((intmax_t)imgstat.st_size != out_len) {
fprintf(stderr, "sha256sums.sig download incomplete\n");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
if (out_len < 16) {
fprintf(stderr, "sha256sums.sig size mismatch\n");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
if (usign_v("sha256sums")) {
fprintf(stderr, "signature verification failed\n");
if (!ignore_sig) {
unlink(filename);
unlink("sha256sums");
unlink("sha256sums.sig");
rc=-1;
goto freeboard;
}
};
if (strcmp(filename, "firmware.bin")) { if (strcmp(filename, "firmware.bin")) {
if (rename(filename, "firmware.bin")) { if (rename(filename, "firmware.bin")) {
fprintf(stderr, "can't rename to firmware.bin\n"); fprintf(stderr, "can't rename to firmware.bin\n");
@ -1136,6 +979,7 @@ int main(int args, char *argv[]) {
valid = 0; valid = 0;
ubus_invoke(ctx, id, "upgrade_test", NULL, upgtest_cb, &valid, 3000); ubus_invoke(ctx, id, "upgrade_test", NULL, upgtest_cb, &valid, 3000);
if (!valid) { if (!valid) {
fprintf(stdout, "image verification failed\n");
rc=-1; rc=-1;
goto freeboard; goto freeboard;
} }