auc: sync with server API

Drop pre-ucert signature verification. HTTPS is optional now as integrity can also be provided using ucert. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
openwrt · Mar 6, 2019 · af68f43 · af68f43
1 parent 0c74b59
commit af68f43
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 173 deletions.
diff --git a/utils/auc/Makefile b/utils/auc/Makefile
@@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=auc
-PKG_VERSION:=0.0.9
-PKG_RELEASE:=2
+PKG_VERSION:=0.1.0
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0
 
 include $(INCLUDE_DIR)/package.mk
@@ -17,7 +17,7 @@ define Package/auc
   CATEGORY:=Base system
   TITLE:=Attended sysUpgrade CLI (EXPERIMENTAL)
   DEPENDS:=+attendedsysupgrade-common +libblobmsg-json +libubox +libubus \
-           +libuci +libuclient +rpcd-mod-rpcsys
+           +libuci +libuclient +rpcd-mod-rpcsys +ucert
 endef
 
 define Package/auc/description

diff --git a/utils/auc/src/auc.c b/utils/auc/src/auc.c
@@ -252,7 +252,7 @@ static void pkglist_check_cb(struct ubus_request *req, int type, struct blob_att
 		return;
 	}
 
-	blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "packages", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES]));
+	blobmsg_add_field(buf, BLOBMSG_TYPE_TABLE, "installed", blobmsg_data(tb[PACKAGELIST_PACKAGES]), blobmsg_data_len(tb[PACKAGELIST_PACKAGES]));
 };
 
 /*
@@ -703,98 +703,6 @@ static int init_ustream_ssl(void) {
 	return 0;
 }
 
-/**
- * use busybox sha256sum to verify sha256sums file
- */
-static int sha256sum_v(const char *sha256file, const char *msgfile) {
-	pid_t pid;
-	int fds[2];
-	int status;
-	FILE *f = fopen(sha256file, "r");
-	char sumline[512] = {};
-	char *fname;
-	unsigned int fnlen;
-	unsigned int cnt = 0;
-
-	if (pipe(fds))
-		return -1;
-
-	if (!f)
-		return -1;
-
-
-	pid = fork();
-	switch (pid) {
-	case -1:
-		return -1;
-
-	case 0:
-		uloop_done();
-
-		dup2(fds[0], 0);
-		close(1);
-		close(2);
-		close(fds[0]);
-		close(fds[1]);
-		if (execl("/bin/busybox", "/bin/busybox", "sha256sum", "-s", "-c", NULL));
-			return -1;
-
-		break;
-
-	default:
-		while (fgets(sumline, sizeof(sumline), f)) {
-			fname = &sumline[66];
-			fnlen = strlen(fname);
-			fname[fnlen-1] = '\0';
-			if (!strcmp(fname, msgfile)) {
-				fname[fnlen-1] = '\n';
-				write(fds[1], sumline, strlen(sumline));
-				cnt++;
-			}
-		}
-		fclose(f);
-		close(fds[1]);
-		waitpid(pid, &status, 0);
-		close(fds[0]);
-
-		if (cnt == 1)
-			return WEXITSTATUS(status);
-		else
-			return -1;
-	}
-
-	return -1;
-}
-
-/**
- * use usign to verify sha256sums.sig
- */
-static int usign_v(const char *file) {
-	pid_t pid;
-	int status;
-
-	pid = fork();
-	switch (pid) {
-	case -1:
-		return -1;
-
-	case 0:
-		uloop_done();
-
-		if (execl("/usr/bin/usign", "/usr/bin/usign",
-		          "-V", "-q", "-P", PUBKEY_PATH, "-m", file, NULL));
-			return -1;
-
-		break;
-
-	default:
-		waitpid(pid, &status, 0);
-		return WEXITSTATUS(status);
-	}
-
-	return -1;
-}
-
 static int ask_user(void)
 {
 	fprintf(stderr, "Are you sure you want to continue the upgrade process? [N/y] ");
@@ -878,17 +786,19 @@ int main(int args, char *argv[]) {
 		goto freeconfig;
 	}
 
-	rc = init_ustream_ssl();
-	if (rc == -2) {
-		fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n");
-		rc=-1;
-		goto freessl;
-	}
+	if (!strncmp(serverurl, "https", 5)) {
+		rc = init_ustream_ssl();
+		if (rc == -2) {
+			fprintf(stderr, "No CA certificates loaded, please install ca-certificates\n");
+			rc=-1;
+			goto freessl;
+		}
 
-	if (rc || !ssl_ctx) {
-		fprintf(stderr, "SSL support not available, please install ustream-ssl\n");
-		rc=-1;
-		goto freessl;
+		if (rc || !ssl_ctx) {
+			fprintf(stderr, "SSL support not available, please install ustream-ssl\n");
+			rc=-1;
+			goto freessl;
+		}
 	}
 
 	blobmsg_buf_init(&checkbuf);
@@ -1057,73 +967,6 @@ int main(int args, char *argv[]) {
 		goto freeboard;
 	}
 
-	tmp=strrchr(url, '/');
-
-	strcpy(tmp, "/sha256sums");
-	server_request(url, NULL, NULL);
-
-	if (stat("sha256sums", &imgstat)) {
-		fprintf(stderr, "sha256sums download failed\n");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if ((intmax_t)imgstat.st_size != out_len) {
-		fprintf(stderr, "sha256sums download incomplete\n");
-		unlink("sha256sums");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if (out_len < 68) {
-		fprintf(stderr, "sha256sums size mismatch\n");
-		unlink("sha256sums");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if (sha256sum_v("sha256sums", filename)) {
-		fprintf(stderr, "checksum verification failed\n");
-		unlink(filename);
-		unlink("sha256sums");
-		rc=-1;
-		goto freeboard;
-	}
-
-	strcpy(tmp, "/sha256sums.sig");
-	server_request(url, NULL, NULL);
-
-	if (stat("sha256sums.sig", &imgstat)) {
-		fprintf(stderr, "sha256sums.sig download failed\n");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if ((intmax_t)imgstat.st_size != out_len) {
-		fprintf(stderr, "sha256sums.sig download incomplete\n");
-		unlink("sha256sums.sig");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if (out_len < 16) {
-		fprintf(stderr, "sha256sums.sig size mismatch\n");
-		unlink("sha256sums.sig");
-		rc=-1;
-		goto freeboard;
-	}
-
-	if (usign_v("sha256sums")) {
-		fprintf(stderr, "signature verification failed\n");
-		if (!ignore_sig) {
-			unlink(filename);
-			unlink("sha256sums");
-			unlink("sha256sums.sig");
-			rc=-1;
-			goto freeboard;
-		}
-	};
-
 	if (strcmp(filename, "firmware.bin")) {
 		if (rename(filename, "firmware.bin")) {
 			fprintf(stderr, "can't rename to firmware.bin\n");
@@ -1136,6 +979,7 @@ int main(int args, char *argv[]) {
 	valid = 0;
 	ubus_invoke(ctx, id, "upgrade_test", NULL, upgtest_cb, &valid, 3000);
 	if (!valid) {
+		fprintf(stdout, "image verification failed\n");
 		rc=-1;
 		goto freeboard;
 	}