Age | Commit message (Collapse) | Author |
|
Some of the unit tests have been leaking temp files because they don't
properly unlink them. In this CL, we did some rearrangement of the
ScopedTempFile class and moved it into the utils.h (instead of testing
only location) so it can be used everywhere and more efficiently. Also
added functionality to open a file descriptor too so users don't have
to keep a different object for the file descriptor.
BUG=b:162766400
TEST=cros_workon_make --board reef --test; Then looked at the
/build/reef/tmp directory and no files were leaked.
Change-Id: Id64a2923d30f27628120497fdefe16bf65fa3fb0
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2500772
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Commit-Queue: Amin Hassani <ahassani@chromium.org>
|
|
It's a merge from chrome OS with some reverts.
1. the fd watcher change, because the libbrillo version isn't
compatible in aosp.
commit 6955bcc4ffe4cc9d62a88186b9a7e75d095a7897
commit 493fecb3f48c8478fd3ef244d631d857730dd14d
2. two libcurl unittests. Because the RunOnce() of the fake message
loop seems to have different behavior in aosp.
commit d3d84218cafbc1a95e7d6bbb775b495d1bebf4d2
Put preprocessor guards to use the old code in aosp. And we can
switch to the new code in the other path after adopting the new
libbrillo & libchrome.
Test: unit tests pass, apply an OTA
Change-Id: Id613599834b0f44f92841dbeae6303601db5490d
|
|
Changes applied include:
Replace arraysize by base::size.
Replace base::MessageLoop::current()->task_runner by
base::ThreadTaskRunnerHandle::Get, and
base::MessageLoopForIO::current by base::MessageLoopCurrent::IsSet.
Remove use of base::ContainsKey.
Replace base::Int{,64}ToString by base::NumberToString.
The changes are all compatible with current libchrome r576279.
BUG=chromium:1054279
TEST=unittest
Change-Id: Ibb6027a5070e0e2d4554a6684350168542fedf5e
Reviewed-on: https://chromium-review.googlesource.com/c/aosp/platform/system/update_engine/+/2065691
Reviewed-by: Amin Hassani <ahassani@chromium.org>
Tested-by: Qijiang Fan <fqj@google.com>
Commit-Queue: Qijiang Fan <fqj@google.com>
|
|
The DER encoded signature size of ECDSA with P-256 NIST CURVE is
nondeterministic for different input of sha256 hash. For example,
the signature size can be 70, 71, 72 bytes with the maximum
possible size of 72 bytes. However, we need the size of the
serialized signatures protobuf string to be fixed before signing;
because the size is part of the content to be signed.
To achieve that, we can add padding to the signature; and update the
definition of the signature proto to include the unpadded signature
size.
    message Signatures {
      message Signature {
        optional uint32 version = 1;
        optional bytes data = 2;
        optional fixed32 unpadded_signature_size = 3;
      }
      repeated Signature signatures = 1;
    }
Therefore the payload verifier will read the unpadded signature
and use it to verify against the public keys. For RSA signatures, the
signature data already has the correct size. So the legacy update_engine
on the old devices will still be able to verify these signatures in new
proto format.
We also need to update the version in signature proto, and the minor
version of update_engine.
The EC key in the unittest is generated with the command:
    openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-key.pem
    openssl pkey -in prime256v1-key.pem -out unittest_key_EC.pem
Bug: 141244025
Test: unit tests pass, sign a package with EC key and install on sailfish
Change-Id: I0a16c9f2f2c7fe9ccc1070c87fbbd6b94bc1f542
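An added illustration of the padding scheme the commit message above describes; it is not update_engine code. It DER-encodes an ECDSA signature from raw 32-byte r and s values to show where the 70/71/72-byte variation comes from, then pads to the fixed maximum and recovers the original bytes using unpadded_signature_size. The names (Blob, DerInteger, Pad, Unpad, kMaxP256DerSize), the zero padding byte and the bounds check in Unpad are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Blob = std::vector<uint8_t>;

// Maximum DER size of a P-256 ECDSA signature, per the commit message.
constexpr size_t kMaxP256DerSize = 72;

// DER INTEGER from a non-empty big-endian unsigned value: strip leading
// zeros, then prepend 0x00 when the top bit is set so it stays positive.
Blob DerInteger(const Blob& be) {
  size_t i = 0;
  while (i + 1 < be.size() && be[i] == 0) ++i;
  Blob out = {0x02, 0};
  if (be[i] & 0x80) out.push_back(0x00);  // this byte is the size jitter
  out.insert(out.end(), be.begin() + i, be.end());
  out[1] = static_cast<uint8_t>(out.size() - 2);
  return out;
}

// ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }, short-form length.
Blob DerEcdsaSignature(const Blob& r, const Blob& s) {
  Blob ri = DerInteger(r), si = DerInteger(s);
  Blob out = {0x30, static_cast<uint8_t>(ri.size() + si.size())};
  out.insert(out.end(), ri.begin(), ri.end());
  out.insert(out.end(), si.begin(), si.end());
  return out;
}

struct PaddedSignature {  // stands in for fields 2 and 3 of Signature
  Blob data;
  uint32_t unpadded_signature_size;
};

// Signer side: fixed-size data, real length recorded (zero fill assumed).
PaddedSignature Pad(const Blob& der) {
  PaddedSignature p{der, static_cast<uint32_t>(der.size())};
  p.data.resize(kMaxP256DerSize, 0);
  return p;
}

// Verifier side: refuse a recorded size that exceeds the data (added check).
bool Unpad(const PaddedSignature& p, Blob* der) {
  if (p.unpadded_signature_size > p.data.size()) return false;
  der->assign(p.data.begin(), p.data.begin() + p.unpadded_signature_size);
  return true;
}
```
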
|
|
Right now, the payload is always signed with a RSA key, and the payload
verifier takes the public key as a PEM encoded string.
As we want to support payload signing with EC keys, we need to figure
out the key types first in the verifier. So, add an overload function in
payload verifier to accept EVP_PKEY as the public key.
Bug: 141244025
Test: unittests pass
Change-Id: Ibbdac5a7a3de48347100861aeac0013bff43da6f
|
|
Signature size shouldn't have negative values. Make its usage more
consistent.
Test: mma
Change-Id: Ie6cbf49694fcbe0348d6338373423d77d3edfdd4
|
|
The 32 bytes sha256 hash was padded to 256 bytes before payload signing
and verification. During the padding, we appended a hard coded header
according to RFC3447 spec.
As we want to support signing with 4096 bits keys, the format of the
padding doesn't change but the length needs adjustment. Now callers will
pass in the RSA size in bytes in the padding function. And the
verification function will now take the raw 32 bytes sha256 hash instead
of the padded value.
The new key for unittest is generated by:
    openssl genrsa -out unittest_key_RSA4096.pem 4096
Bug: 129163830
Test: unit tests pass, create and install an update signed by 4096 bits key.
Change-Id: I8e0d02ddb1472e22976c0f170e8bf2b8b094c7d4
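An added sketch of the RFC 3447 EMSA-PKCS1-v1_5 layout that the commit message above refers to, with the RSA size in bytes passed in by the caller; it is not the update_engine implementation. The function name PadSha256ForRsa and the Blob alias are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

using Blob = std::vector<uint8_t>;

// DER DigestInfo prefix for SHA-256 (RFC 3447, section 9.2, note 1).
const uint8_t kSha256DigestInfo[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};

// EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo || hash,
// where EM is exactly rsa_size bytes (256 for RSA-2048, 512 for RSA-4096).
bool PadSha256ForRsa(const Blob& hash, size_t rsa_size, Blob* em) {
  const size_t prefix_len = sizeof(kSha256DigestInfo);
  const size_t t_len = prefix_len + 32;
  // RFC 3447 requires at least 8 bytes of PS, so emLen >= tLen + 11.
  if (hash.size() != 32 || rsa_size < t_len + 11) return false;
  em->assign(rsa_size, 0xff);          // start as all PS bytes
  (*em)[0] = 0x00;
  (*em)[1] = 0x01;
  (*em)[rsa_size - t_len - 1] = 0x00;  // separator before DigestInfo
  std::copy(kSha256DigestInfo, kSha256DigestInfo + prefix_len,
            em->end() - t_len);
  std::copy(hash.begin(), hash.end(), em->end() - 32);
  return true;
}
```

Only the length of the 0xff run changes between key sizes; the header and hash always occupy the last 51 bytes.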
|
|
To avoid conversion between brillo::Blob and string.
Also use SerializeToString() instead of AppendToString().
Test: update_engine_unittests
Change-Id: I0ad0fb5f45223f9f51f940de727660a9e62052bb
|
|
BUG=none
TEST=unittest
Change-Id: I00cafb1fc709d8f02119cb0058cfcb0b573ef25d
Reviewed-on: https://chromium-review.googlesource.com/1409927
Commit-Ready: Amin Hassani <ahassani@chromium.org>
Tested-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Sen Jiang <senj@chromium.org>
|
|
If using public key from Omaha response, we wrote it to a temp file
which will be read back, this is unnecessary since we can keep it in
memory.
Test: update_engine_unittests
Change-Id: Ib9f7a9292b71b9d91a0b24c687cc989b79d3812b
|
|
Removed duplicated payload header parsing logic.
Test: update_engine_unittests
Change-Id: I457c5cb86fa16e97b7a0c34d4039c46b86cd2957
|
|
Replace these 3 lines of code:
    string path;
    ASSERT_TRUE(utils::MakeTempFile("name-XXXXXX", &path, nullptr));
    ScopedPathUnlinker path_unlinker(path);
with one liner:
    test_utils::ScopedTempFile file("name-XXXXXX");
Bug: None
Test: unit test
Change-Id: Ic5be7dc8339842270023055bcc3a97e526953f04
|
|
* Use const reference type for parameters, local variables,
and for-loop index variables to avoid unnecessary copy.
* Convert some for-loops to for-range loops.
Bug: 30407689
Bug: 30413223
Bug: 30413862
Change-Id: I78996b3f799639fc57ced45e110807625be7dcce
Test: build with WITH_TIDY=1
|
|
This new little struct encapsulates the version information (major and
minor version numbers) and the zlib fingerprint information. Now,
instead of querying throughout if the version number is certain value,
we ask the PayloadVersion struct whether certain operation is allowed in
that version or not. This moves the logic of what's supported and
what's not to a single place and eliminates the need to pass several
booleans to the helper functions.
Bug: None
TEST=Unittest still pass.
Change-Id: Iaa6e7bc032db6479fdeab72255d7062fca1c07e5
|
|
The unittests weren't able to find the keys if it's not run from the
update_engine_unittests directory.
Test: /data/nativetest/update_engine_unittests/update_engine_unittests
Bug: 26955860
Change-Id: I4c189cca2714986d3d2b2669b54a5dff9a488964
|
|
Many unittests do not pass for simple reasons that will be addressed
later. This CL includes all the changes to make the unittests build.
In particular, the generated DBus mocks, required to build several
unittests are now included here.
The dbus-constants.h files were moved to the system_api repo, so they
can be removed from here.
The unittest build is only enabled for Brillo targets, since non-Brillo
targets don't even build DBus.
Bug: 26955860
TEST=`mmma` on edison-eng (and aosp_arm-eng).
Change-Id: Ib38241f0a6eb99b1d60d72db6bcfd125d38e3fad
|
|
The new brillo_update_payload sub-command "properties" dumps a list of
properties for a given signed or unsigned payload. These properties are
normally included in the Omaha response, and extracted from python in
chromite.
This new sub-command helps to encapsulate the properties used by the
server side when serving a payload and to let the Android application
pass these required properties.
The properties include the payload and metadata hash and size.
Bug: 26991255
TEST=FEATURES=test emerge-link update_engine
TEST=mmma system/update_engine
TEST=`brillo_update_payload properties` for signed and unsigned payloads.
Change-Id: I4602ea4b8dc269e4cc66df4293ef9765d8dd031d
|
|
This patch splits from the main libupdate_engine code the part that
is strictly used to download and apply a payload into a new static
library, moving the code to subdirectories. The new library is divided
in two subdirectories: common/ and payload_consumer/, and should not
depend on other update_engine files outside those two subdirectories.
The main difference between those two is that the common/ tools are more
generic and not tied to the payload consumer process, but otherwise they
are both compiled together.
There are still dependencies from the new libpayload_consumer library
into the main directory files and DBus generated files. Those will be
addressed in follow up CLs.
Bug: 25197634
Test: FEATURES=test emerge-link update_engine; `mm` on Brillo.
Change-Id: Id8d0204ea573627e6e26ca9ea17b9592ca95bc23
|
|
--metadata_signature_file flag does what it should now.
Note that you should only pass this flag if the payload you are signing is
version 2.
Bug: 23981164
TEST=unit test added.
Change-Id: I613cd6a5fef188eca37c46c3f8a0a41d1c22f2fd
|
|
We should skip metadata signature when hashing the payload, so that the
payload signature won't depend on metadata signature.
VerifySignedPayload will also verify metadata signature now if it exists.
Bug: 23981164
TEST=cros_workon_make update_engine --test
Change-Id: I3e52b7bf8ddf1539bbb6934e8a5ec1112b94ae62
|
|
The implementation in DeltaPerformer is designed for the situation where the
payload might be only partially available, but in PayloadVerifier we already
have the whole payload. So I implemented LoadPayload in PayloadSigner, whose
logic is simpler and supports both version 1 and 2.
VerifySignedPayload is also moved to PayloadSigner since it's not used in
update engine daemon.
This patch also fixed wrong metadata size out in version 2 and misspelling
of metadata in WritePayload in PayloadFile.
Bug: 23981164
TEST=unit test added.
Change-Id: Id1917fc891dbf2075978a273d1a4ee3c4ecf0571
|
|
libchromeos is transitioning to libbrillo and chromeos namespaces
and include directory is changing to brillo.
Bug: 24872993
Change-Id: I770659a95be380a50fe3b2ba9f91d65818f40945
|
|
The update_engine daemon had a fixed version number for the public key
used to verify both the metadata and whole payload signatures. The
public key itself is installed by the signer, implying that the source
code and the signer need to be in sync if we ever need to roll the
payload key.
This situation becomes more of a problem if we don't control when the
version number included in the source code is updated in the built
image sent for payload generation and signing.
This patch makes update_engine ignore the version number associated
with a signature and instead tries to verify all the signatures
included in the payload against the public key found in the code. This
effectively deprecates the key version number. To be compatible with
old versions, the version number 1 is included in all signatures.
Bug: 23601118
Test: Added unittests.
Change-Id: I4f96cc207ad6b9c011def5ce586d0e0e85af28ab
|
|
This patch automatically replaced the license on all text files from
Chromium OS (BSD style) to AOSP (Apache2), keeping the original year as
a reference.
The license header was added to .gyp and .gypi files, the NOTICE was
replaced with a copy of the Apache2 license and MODULE_LICENSE_* file
was updated.
BUG=b/23084294
TEST=grep 'Chromium OS Authors' doesn't find anything.
Change-Id: Ie5083750755f5180a8a785b24fe67dbf9195cd10
|
|
To make update engine consistent with the rest of platform2 code
replaced std::vector<char> as the container of binary data with
chromeos::Blob.
BUG=None
TEST=`FEATURES=test emerge-link update_engine`
Change-Id: I6385fd2257d15aa24bfa74ac35512c2a06c33012
Reviewed-on: https://chromium-review.googlesource.com/247793
Reviewed-by: Gilad Arnold <garnold@chromium.org>
Reviewed-by: Alex Deymo <deymo@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
|
|
Replaced the usage of NULL with nullptr. This also makes it possible to
use standard gtest macros to compare pointers in Update Manager's unit tests.
So, there is no need in custom UMTEST_... macros which are replaced with the
gtest macros (see change in update_engine/update_manager/umtest_utils.h):
    UMTEST_ASSERT_NULL(p)      => ASSERT_EQ(nullptr, p)
    UMTEST_ASSERT_NOT_NULL(p)  => ASSERT_NE(nullptr, p)
    UMTEST_EXPECT_NULL(p)      => EXPECT_EQ(nullptr, p)
    UMTEST_EXPECT_NOT_NULL(p)  => EXPECT_NE(nullptr, p)
BUG=None
TEST=FEATURES=test emerge-link update_engine
USE="clang asan" FEATURES=test emerge-link update_engine
Change-Id: I77a42a1e9ce992bb2f9f263db5cf75fe6110a4ec
Reviewed-on: https://chromium-review.googlesource.com/215136
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Alex Deymo <deymo@chromium.org>
Commit-Queue: Alex Vakulenko <avakulenko@chromium.org>
|
|
Payloads are only signed on server-side code (delta_generator) and
verified on both sides and unittest. This removes the dependency of
payload_generator/ code from delta_performer.cc by splitting the
payload signing and verification in two files.
Currently, both files are still included on all the built files.
This patch also includes some minor linter fixes.
BUG=chromium:394184
TEST=FEATURES="test" emerge-link update_engine; sudo emerge update_engine
Change-Id: Ia4268257f4260902bc37612f429f44ba7e8f65fd
Reviewed-on: https://chromium-review.googlesource.com/208540
Tested-by: Alex Deymo <deymo@chromium.org>
Reviewed-by: Alex Vakulenko <avakulenko@chromium.org>
Commit-Queue: Alex Deymo <deymo@chromium.org>
|