Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 32c8eb81af916f04fd42e7294f699b10474beef6 / . / twinstall.cpp
blob: 0c3d8375cd45427d8e787f436a8a17e32474ce44 [file] [log] [blame]
Dees_Troy32c8eb82012-09-11 15:28:06 -0400[diff] [blame^]1/*
2 * Copyright (C) 2007 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include <ctype.h>
18#include <errno.h>
19#include <fcntl.h>
20#include <limits.h>
21#include <sys/stat.h>
22#include <sys/wait.h>
23#include <unistd.h>
24
25#include <string.h>
26#include <stdio.h>
27
28#include "common.h"
29#include "twmincrypt/twrsa.h"
30#include "twmincrypt/twsha.h"
31#include "minui/minui.h"
32#include "minzip/SysUtil.h"
33#include "minzip/Zip.h"
34#include "mtdutils/mounts.h"
35#include "mtdutils/mtdutils.h"
36#include "roots.h"
37#include "verifier.h"
38#include "ui.h"
39#include "variables.h"
40#include "data.hpp"
41#include "partitions.hpp"
42
43extern "C" {
44#include "extra-functions.h"
45int __system(const char *command);
46};
47
48extern RecoveryUI* ui;
49
50#define ASSUMED_UPDATE_BINARY_NAME "META-INF/com/google/android/update-binary"
51#define PUBLIC_KEYS_FILE "/res/keys"
52
53// Default allocation of progress bar segments to operations
54static const int VERIFICATION_PROGRESS_TIME = 60;
55static const float VERIFICATION_PROGRESS_FRACTION = 0.25;
56static const float DEFAULT_FILES_PROGRESS_FRACTION = 0.4;
57static const float DEFAULT_IMAGE_PROGRESS_FRACTION = 0.1;
58
59enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT };
60
61// Look for an RSA signature embedded in the .ZIP file comment given
62// the path to the zip. Verify it matches one of the given public
63// keys.
64//
65// Return VERIFY_SUCCESS, VERIFY_FAILURE (if any error is encountered
66// or no key matches the signature).
67
68int TWverify_file(const char* path, const RSAPublicKey *pKeys, unsigned int numKeys) {
69 ui->SetProgress(0.0);
70
71 FILE* f = fopen(path, "rb");
72 if (f == NULL) {
73 LOGE("failed to open %s (%s)\n", path, strerror(errno));
74 return VERIFY_FAILURE;
75 }
76
77 // An archive with a whole-file signature will end in six bytes:
78 //
79 // (2-byte signature start) $ff $ff (2-byte comment size)
80 //
81 // (As far as the ZIP format is concerned, these are part of the
82 // archive comment.) We start by reading this footer, this tells
83 // us how far back from the end we have to start reading to find
84 // the whole comment.
85
86#define FOOTER_SIZE 6
87
88 if (fseek(f, -FOOTER_SIZE, SEEK_END) != 0) {
89 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
90 fclose(f);
91 return VERIFY_FAILURE;
92 }
93
94 unsigned char footer[FOOTER_SIZE];
95 if (fread(footer, 1, FOOTER_SIZE, f) != FOOTER_SIZE) {
96 LOGE("failed to read footer from %s (%s)\n", path, strerror(errno));
97 fclose(f);
98 return VERIFY_FAILURE;
99 }
100
101 if (footer[2] != 0xff || footer[3] != 0xff) {
102 fclose(f);
103 return VERIFY_FAILURE;
104 }
105
106 size_t comment_size = footer[4] + (footer[5] << 8);
107 size_t signature_start = footer[0] + (footer[1] << 8);
108 LOGI("comment is %d bytes; signature %d bytes from end\n",
109 comment_size, signature_start);
110
111 if (signature_start - FOOTER_SIZE < RSANUMBYTES) {
112 // "signature" block isn't big enough to contain an RSA block.
113 LOGE("signature is too short\n");
114 fclose(f);
115 return VERIFY_FAILURE;
116 }
117
118#define EOCD_HEADER_SIZE 22
119
120 // The end-of-central-directory record is 22 bytes plus any
121 // comment length.
122 size_t eocd_size = comment_size + EOCD_HEADER_SIZE;
123
124 if (fseek(f, -eocd_size, SEEK_END) != 0) {
125 LOGE("failed to seek in %s (%s)\n", path, strerror(errno));
126 fclose(f);
127 return VERIFY_FAILURE;
128 }
129
130 // Determine how much of the file is covered by the signature.
131 // This is everything except the signature data and length, which
132 // includes all of the EOCD except for the comment length field (2
133 // bytes) and the comment data.
134 size_t signed_len = ftell(f) + EOCD_HEADER_SIZE - 2;
135
136 unsigned char* eocd = (unsigned char*)malloc(eocd_size);
137 if (eocd == NULL) {
138 LOGE("malloc for EOCD record failed\n");
139 fclose(f);
140 return VERIFY_FAILURE;
141 }
142 if (fread(eocd, 1, eocd_size, f) != eocd_size) {
143 LOGE("failed to read eocd from %s (%s)\n", path, strerror(errno));
144 fclose(f);
145 return VERIFY_FAILURE;
146 }
147
148 // If this is really is the EOCD record, it will begin with the
149 // magic number $50 $4b $05 $06.
150 if (eocd[0] != 0x50 || eocd[1] != 0x4b ||
151 eocd[2] != 0x05 || eocd[3] != 0x06) {
152 LOGE("signature length doesn't match EOCD marker\n");
153 fclose(f);
154 return VERIFY_FAILURE;
155 }
156
157 size_t i;
158 for (i = 4; i < eocd_size-3; ++i) {
159 if (eocd[i ] == 0x50 && eocd[i+1] == 0x4b &&
160 eocd[i+2] == 0x05 && eocd[i+3] == 0x06) {
161 // if the sequence $50 $4b $05 $06 appears anywhere after
162 // the real one, minzip will find the later (wrong) one,
163 // which could be exploitable. Fail verification if
164 // this sequence occurs anywhere after the real one.
165 LOGE("EOCD marker occurs after start of EOCD\n");
166 fclose(f);
167 return VERIFY_FAILURE;
168 }
169 }
170
171#define BUFFER_SIZE 4096
172
173 SHA_CTX ctx;
174 SHA_init(&ctx);
175 unsigned char* buffer = (unsigned char*)malloc(BUFFER_SIZE);
176 if (buffer == NULL) {
177 LOGE("failed to alloc memory for sha1 buffer\n");
178 fclose(f);
179 return VERIFY_FAILURE;
180 }
181
182 double frac = -1.0;
183 size_t so_far = 0;
184 fseek(f, 0, SEEK_SET);
185 while (so_far < signed_len) {
186 size_t size = BUFFER_SIZE;
187 if (signed_len - so_far < size) size = signed_len - so_far;
188 if (fread(buffer, 1, size, f) != size) {
189 LOGE("failed to read data from %s (%s)\n", path, strerror(errno));
190 fclose(f);
191 return VERIFY_FAILURE;
192 }
193 SHA_update(&ctx, buffer, size);
194 so_far += size;
195 double f = so_far / (double)signed_len;
196 if (f > frac + 0.02 || size == so_far) {
197 ui->SetProgress(f);
198 frac = f;
199 }
200 }
201 fclose(f);
202 free(buffer);
203
204 const uint8_t* sha1 = SHA_final(&ctx);
205 for (i = 0; i < numKeys; ++i) {
206 // The 6 bytes is the "(signature_start) $ff $ff (comment_size)" that
207 // the signing tool appends after the signature itself.
208 if (RSA_verify(pKeys+i, eocd + eocd_size - 6 - RSANUMBYTES,
209 RSANUMBYTES, sha1)) {
210 LOGI("whole-file signature verified against key %d\n", i);
211 free(eocd);
212 return VERIFY_SUCCESS;
213 }
214 }
215 free(eocd);
216 LOGE("failed to verify whole-file signature\n");
217 return VERIFY_FAILURE;
218}
219
220// If the package contains an update binary, extract it and run it.
221static int
222try_update_binary(const char *path, ZipArchive *zip, int* wipe_cache) {
223 const ZipEntry* binary_entry =
224 mzFindZipEntry(zip, ASSUMED_UPDATE_BINARY_NAME);
225 if (binary_entry == NULL) {
226 mzCloseZipArchive(zip);
227 return INSTALL_CORRUPT;
228 }
229
230 const char* binary = "/tmp/update_binary";
231 unlink(binary);
232 int fd = creat(binary, 0755);
233 if (fd < 0) {
234 mzCloseZipArchive(zip);
235 LOGE("Can't make %s\n", binary);
236 return INSTALL_ERROR;
237 }
238 bool ok = mzExtractZipEntryToFile(zip, binary_entry, fd);
239 close(fd);
240 mzCloseZipArchive(zip);
241
242 if (!ok) {
243 LOGE("Can't copy %s\n", ASSUMED_UPDATE_BINARY_NAME);
244 return INSTALL_ERROR;
245 }
246
247 int pipefd[2];
248 pipe(pipefd);
249
250 // When executing the update binary contained in the package, the
251 // arguments passed are:
252 //
253 // - the version number for this interface
254 //
255 // - an fd to which the program can write in order to update the
256 // progress bar. The program can write single-line commands:
257 //
258 // progress <frac> <secs>
259 // fill up the next <frac> part of of the progress bar
260 // over <secs> seconds. If <secs> is zero, use
261 // set_progress commands to manually control the
262 // progress of this segment of the bar
263 //
264 // set_progress <frac>
265 // <frac> should be between 0.0 and 1.0; sets the
266 // progress bar within the segment defined by the most
267 // recent progress command.
268 //
269 // firmware <"hboot"|"radio"> <filename>
270 // arrange to install the contents of <filename> in the
271 // given partition on reboot.
272 //
273 // (API v2: <filename> may start with "PACKAGE:" to
274 // indicate taking a file from the OTA package.)
275 //
276 // (API v3: this command no longer exists.)
277 //
278 // ui_print <string>
279 // display <string> on the screen.
280 //
281 // - the name of the package zip file.
282 //
283
284 const char** args = (const char**)malloc(sizeof(char*) * 5);
285 args[0] = binary;
286 args[1] = EXPAND(RECOVERY_API_VERSION); // defined in Android.mk
287 char* temp = (char*)malloc(10);
288 sprintf(temp, "%d", pipefd[1]);
289 args[2] = temp;
290 args[3] = (char*)path;
291 args[4] = NULL;
292
293 pid_t pid = fork();
294 if (pid == 0) {
295 close(pipefd[0]);
296 execv(binary, (char* const*)args);
297 fprintf(stdout, "E:Can't run %s (%s)\n", binary, strerror(errno));
298 _exit(-1);
299 }
300 close(pipefd[1]);
301
302 *wipe_cache = 0;
303
304 char buffer[1024];
305 FILE* from_child = fdopen(pipefd[0], "r");
306 while (fgets(buffer, sizeof(buffer), from_child) != NULL) {
307 char* command = strtok(buffer, " \n");
308 if (command == NULL) {
309 continue;
310 } else if (strcmp(command, "progress") == 0) {
311 char* fraction_s = strtok(NULL, " \n");
312 char* seconds_s = strtok(NULL, " \n");
313
314 float fraction = strtof(fraction_s, NULL);
315 int seconds = strtol(seconds_s, NULL, 10);
316
317 ui->ShowProgress(fraction * (1-VERIFICATION_PROGRESS_FRACTION), seconds);
318 } else if (strcmp(command, "set_progress") == 0) {
319 char* fraction_s = strtok(NULL, " \n");
320 float fraction = strtof(fraction_s, NULL);
321 ui->SetProgress(fraction);
322 } else if (strcmp(command, "ui_print") == 0) {
323 char* str = strtok(NULL, "\n");
324 if (str) {
325 ui->Print("%s", str);
326 } else {
327 ui->Print("\n");
328 }
329 } else if (strcmp(command, "wipe_cache") == 0) {
330 *wipe_cache = 1;
331 } else if (strcmp(command, "clear_display") == 0) {
332 //ui->SetBackground(RecoveryUI::NONE);
333 } else {
334 LOGE("unknown command [%s]\n", command);
335 }
336 }
337 fclose(from_child);
338
339 int status;
340 waitpid(pid, &status, 0);
341 if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
342 LOGE("Error in %s\n(Status %d)\n", path, WEXITSTATUS(status));
343 return INSTALL_ERROR;
344 }
345
346 return INSTALL_SUCCESS;
347}
348
349// Reads a file containing one or more public keys as produced by
350// DumpPublicKey: this is an RSAPublicKey struct as it would appear
351// as a C source literal, eg:
352//
353// "{64,0xc926ad21,{1795090719,...,-695002876},{-857949815,...,1175080310}}"
354//
355// (Note that the braces and commas in this example are actual
356// characters the parser expects to find in the file; the ellipses
357// indicate more numbers omitted from this example.)
358//
359// The file may contain multiple keys in this format, separated by
360// commas. The last key must not be followed by a comma.
361//
362// Returns NULL if the file failed to parse, or if it contain zero keys.
363static RSAPublicKey*
364load_keys(const char* filename, int* numKeys) {
365 RSAPublicKey* out = NULL;
366 *numKeys = 0;
367
368 FILE* f = fopen(filename, "r");
369 if (f == NULL) {
370 LOGE("opening %s: %s\n", filename, strerror(errno));
371 goto exit;
372 }
373
374 {
375 int i;
376 bool done = false;
377 while (!done) {
378 ++*numKeys;
379 out = (RSAPublicKey*)realloc(out, *numKeys * sizeof(RSAPublicKey));
380 RSAPublicKey* key = out + (*numKeys - 1);
381 if (fscanf(f, " { %i , 0x%x , { %u",
382 &(key->len), &(key->n0inv), &(key->n[0])) != 3) {
383 goto exit;
384 }
385 if (key->len != RSANUMWORDS) {
386 LOGE("key length (%d) does not match expected size\n", key->len);
387 goto exit;
388 }
389 for (i = 1; i < key->len; ++i) {
390 if (fscanf(f, " , %u", &(key->n[i])) != 1) goto exit;
391 }
392 if (fscanf(f, " } , { %u", &(key->rr[0])) != 1) goto exit;
393 for (i = 1; i < key->len; ++i) {
394 if (fscanf(f, " , %u", &(key->rr[i])) != 1) goto exit;
395 }
396 fscanf(f, " } } ");
397
398 // if the line ends in a comma, this file has more keys.
399 switch (fgetc(f)) {
400 case ',':
401 // more keys to come.
402 break;
403
404 case EOF:
405 done = true;
406 break;
407
408 default:
409 LOGE("unexpected character between keys\n");
410 goto exit;
411 }
412 }
413 }
414
415 fclose(f);
416 return out;
417
418exit:
419 if (f) fclose(f);
420 free(out);
421 *numKeys = 0;
422 return NULL;
423}
424
425char* get_path (char* path) {
426 char *s;
427
428 /* Go to the end of the string. */
429 s = path + strlen(path) - 1;
430
431 /* Strip off trailing /s (unless it is also the leading /). */
432 while (path < s && s[0] == '/')
433 s--;
434
435 /* Strip the last component. */
436 while (path <= s && s[0] != '/')
437 s--;
438
439 while (path < s && s[0] == '/')
440 s--;
441
442 if (s < path)
443 return (char*)(".");
444
445 s[1] = '\0';
446 return path;
447}
448
449/*
450 Checks md5 for a path
451 Return values:
452 -1 : MD5 does not exist
453 0 : Failed
454 1 : Success
455*/
456int check_md5(const char* path) {
457 FILE* fp;
458 char command[255], line[512], actual_md5[512], md5[512];
459 char md5file[PATH_MAX + 40];
460 char *ptr;
461 unsigned int line_len, index = 0;
462 struct stat st;
463
464 // Check to see if the filename.zip.md5 file exists
465 strcpy(md5file, path);
466 strcat(md5file, ".md5");
467 if (stat(md5file, &st) != 0)
468 return -1; // no MD5 file found
469
470 // Dump the md5 of the zip to a text file for reading
471 sprintf(command, "md5sum '%s' > /tmp/md5output.txt", path);
472 __system(command);
473 fp = fopen("/tmp/md5output.txt", "rt");
474 if (fp == NULL) {
475 LOGI("Unable to open /tmp/md5output.txt.\n");
476 return false;
477 }
478
479 while (fgets(line, sizeof(line), fp) != NULL)
480 {
481 line_len = strlen(line);
482 for (index = 0; index < line_len; index++) {
483 if (line[index] <= 32)
484 line[index] = '\0';
485 }
486 strcpy(actual_md5, line);
487 break;
488 }
489 fclose(fp);
490
491 // Read the filename.zip.md5 file
492 fp = fopen(md5file, "rt");
493 if (fp == NULL) {
494 LOGI("Unable to open '%s'.\n", md5file);
495 return false;
496 }
497
498 while (fgets(line, sizeof(line), fp) != NULL)
499 {
500 line_len = strlen(line);
501 for (index = 0; index < line_len; index++) {
502 if (line[index] <= 32)
503 line[index] = '\0';
504 }
505 strcpy(md5, line);
506 break;
507 }
508 fclose(fp);
509
510 // Comare the 2 MD5 values
511 if (strcmp(actual_md5, md5) == 0)
512 return 1;
513 LOGI("MD5 did not match: '%s' != '%s'\n", actual_md5, md5);
514 return 0;
515}
516
517extern "C" int TWinstall_zip(const char* path, int* wipe_cache) {
518 int err, zip_verify, md5_return, md5_verify;
519
520 ui_print("Installing '%s'...\n", path);
521
522 if (!PartitionManager.Mount_By_Path(path, 0)) {
523 LOGE("Failed to mount '%s'\n", path);
524 return -1;
525 }
526
527 ui_print("Checking for MD5 file...\n");
528 md5_return = check_md5(path);
529 if (md5_return == 0) {
530 // MD5 did not match.
531 LOGE("Zip MD5 does not match.\nUnable to install zip.\n");
532 return INSTALL_CORRUPT;
533 } else if (md5_return == -1) {
534 DataManager::GetValue(TW_FORCE_MD5_CHECK_VAR, md5_verify);
535 if (md5_verify == 1) {
536 // Forced MD5 checking is on and no MD5 file found.
537 LOGE("No MD5 file found for '%s'.\nDisable force MD5 check to avoid this error.\n", path);
538 return INSTALL_CORRUPT;
539 } else
540 ui_print("No MD5 file found, this is not an error.\n");
541 } else if (md5_return == 1)
542 ui_print("Zip MD5 matched.\n"); // MD5 found and matched.
543
544 DataManager::GetValue(TW_SIGNED_ZIP_VERIFY_VAR, zip_verify);
545 if (zip_verify) {
546 ui_print("Verifying zip signature...\n");
547 int numKeys;
548 RSAPublicKey* loadedKeys = load_keys(PUBLIC_KEYS_FILE, &numKeys);
549 if (loadedKeys == NULL) {
550 LOGE("Failed to load keys\n");
551 return -1;
552 }
553 LOGI("%d key(s) loaded from %s\n", numKeys, PUBLIC_KEYS_FILE);
554
555 // Give verification half the progress bar...
556 ui->Print("Verifying update package...\n");
557 ui->SetProgressType(RecoveryUI::DETERMINATE);
558 ui->ShowProgress(VERIFICATION_PROGRESS_FRACTION, VERIFICATION_PROGRESS_TIME);
559
560 err = TWverify_file(path, loadedKeys, numKeys);
561 free(loadedKeys);
562 LOGI("verify_file returned %d\n", err);
563 if (err != VERIFY_SUCCESS) {
564 LOGE("signature verification failed\n");
565 return -1;
566 }
567 }
568 /* Try to open the package.
569 */
570 ZipArchive zip;
571 err = mzOpenZipArchive(path, &zip);
572 if (err != 0) {
573 LOGE("Can't open %s\n(%s)\n", path, err != -1 ? strerror(err) : "bad");
574 return INSTALL_CORRUPT;
575 }
576
577 /* Verify and install the contents of the package.
578 */
579 return try_update_binary(path, &zip, wipe_cache);
580}