From fd99a318fe630b49ba35f9a19a1866e8b1a42b7e Mon Sep 17 00:00:00 2001
From: Yabin Cui <yabinc@google.com>
Date: Thu, 9 Jun 2016 14:09:39 -0700
Subject: Verify wipe package when wiping A/B device in recovery.

To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.

Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.

Bug: 29159185
Test: Build and boot into recovery.

Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
---
 install.cpp | 66 ++++++++++++++++++++++++++++++++++++++-----------------------
 1 file changed, 41 insertions(+), 25 deletions(-)

(limited to 'install.cpp')

diff --git a/install.cpp b/install.cpp
index c98715231..0f9088a7a 100644
--- a/install.cpp
+++ b/install.cpp
@@ -71,22 +71,33 @@ static int parse_build_number(const std::string& str) {
     return -1;
 }
 
-// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
-static void read_source_target_build(ZipArchiveHandle zip, std::vector<std::string>& log_buffer) {
+bool read_metadata_from_package(ZipArchiveHandle zip, std::string* meta_data) {
     ZipString metadata_path(METADATA_PATH);
     ZipEntry meta_entry;
+    if (meta_data == nullptr) {
+        LOG(ERROR) << "string* meta_data can't be nullptr";
+        return false;
+    }
     if (FindEntry(zip, metadata_path, &meta_entry) != 0) {
         LOG(ERROR) << "Failed to find " << METADATA_PATH << " in update package";
-        return;
+        return false;
     }
 
-    std::string meta_data(meta_entry.uncompressed_length, '\0');
-    if (ExtractToMemory(zip, &meta_entry, reinterpret_cast<uint8_t*>(&meta_data[0]),
+    meta_data->resize(meta_entry.uncompressed_length, '\0');
+    if (ExtractToMemory(zip, &meta_entry, reinterpret_cast<uint8_t*>(&(*meta_data)[0]),
                         meta_entry.uncompressed_length) != 0) {
         LOG(ERROR) << "Failed to read metadata in update package";
-        return;
+        return false;
     }
+    return true;
+}
 
+// Read the build.version.incremental of src/tgt from the metadata and log it to last_install.
+static void read_source_target_build(ZipArchiveHandle zip, std::vector<std::string>& log_buffer) {
+    std::string meta_data;
+    if (!read_metadata_from_package(zip, &meta_data)) {
+        return;
+    }
     // Examples of the pre-build and post-build strings in metadata:
     // pre-build-incremental=2943039
     // post-build-incremental=2951741
@@ -301,33 +312,16 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount,
         return INSTALL_CORRUPT;
     }
 
-    // Load keys.
-    std::vector<Certificate> loadedKeys;
-    if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
-        LOG(ERROR) << "Failed to load keys";
-        sysReleaseMap(&map);
-        return INSTALL_CORRUPT;
-    }
-    LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE;
-
     // Verify package.
-    ui->Print("Verifying update package...\n");
-
-    auto t0 = std::chrono::system_clock::now();
-    int err = verify_file(map.addr, map.length, loadedKeys);
-    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
-    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
-    if (err != VERIFY_SUCCESS) {
-        LOG(ERROR) << "signature verification failed";
+    if (!verify_package(map.addr, map.length)) {
         log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure));
-
         sysReleaseMap(&map);
         return INSTALL_CORRUPT;
     }
 
     // Try to open the package.
     ZipArchiveHandle zip;
-    err = OpenArchiveFromMemory(map.addr, map.length, path, &zip);
+    int err = OpenArchiveFromMemory(map.addr, map.length, path, &zip);
     if (err != 0) {
         LOG(ERROR) << "Can't open " << path << " : " << ErrorCodeString(err);
         log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure));
@@ -403,3 +397,25 @@ install_package(const char* path, bool* wipe_cache, const char* install_file,
 
     return result;
 }
+
+bool verify_package(const unsigned char* package_data, size_t package_size) {
+    std::vector<Certificate> loadedKeys;
+    if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) {
+        LOG(ERROR) << "Failed to load keys";
+        return false;
+    }
+    LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE;
+
+    // Verify package.
+    ui->Print("Verifying update package...\n");
+    auto t0 = std::chrono::system_clock::now();
+    int err = verify_file(const_cast<unsigned char*>(package_data), package_size, loadedKeys);
+    std::chrono::duration<double> duration = std::chrono::system_clock::now() - t0;
+    ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err);
+    if (err != VERIFY_SUCCESS) {
+        LOG(ERROR) << "Signature verification failed";
+        LOG(ERROR) << "error: " << kZipVerificationFailure;
+        return false;
+    }
+    return true;
+}
-- 
cgit v1.2.3