mirror of
https://github.com/octoleo/syncthing.git
synced 2024-12-22 19:08:58 +00:00
lib/upgrade: Auto upgrade signature should cover version & arch (fixes #3044)
New signature is the HMAC of archive name (which includes the release version and architecture) plus the contents of the binary. This is expected in a new file "release.sig" which may be present in a subdirectory. The new release tools put this in [.]metadata/release.sig. GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3043
This commit is contained in:
parent
2ebc6996a2
commit
d6a7ffe0d4
@ -10,6 +10,7 @@ package upgrade
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"path"
|
||||
"runtime"
|
||||
"strconv"
|
||||
"strings"
|
||||
@ -63,12 +64,12 @@ func To(rel Release) error {
|
||||
func ToURL(url string) error {
|
||||
select {
|
||||
case <-upgradeUnlocked:
|
||||
path, err := osext.Executable()
|
||||
binary, err := osext.Executable()
|
||||
if err != nil {
|
||||
upgradeUnlocked <- true
|
||||
return err
|
||||
}
|
||||
err = upgradeToURL(path, url)
|
||||
err = upgradeToURL(path.Base(url), binary, url)
|
||||
// If we've failed to upgrade, unlock so that another attempt could be made
|
||||
if err != nil {
|
||||
upgradeUnlocked <- true
|
||||
@ -219,6 +220,10 @@ func versionParts(v string) ([]int, []interface{}) {
|
||||
}
|
||||
|
||||
func releaseName(tag string) string {
|
||||
// We must ensure that the release asset matches the expected naming
|
||||
// standard, containing both the architecture/OS and the tag name we
|
||||
// expect. This protects against malformed release data potentially
|
||||
// tricking us into doing a downgrade.
|
||||
switch runtime.GOOS {
|
||||
case "darwin":
|
||||
return fmt.Sprintf("syncthing-macosx-%s-%s.", runtime.GOARCH, tag)
|
||||
|
@ -120,7 +120,7 @@ func upgradeTo(binary string, rel Release) error {
|
||||
l.Debugln("considering release", assetName)
|
||||
|
||||
if strings.HasPrefix(assetName, expectedRelease) {
|
||||
return upgradeToURL(binary, asset.URL)
|
||||
return upgradeToURL(assetName, binary, asset.URL)
|
||||
}
|
||||
}
|
||||
|
||||
@ -128,8 +128,8 @@ func upgradeTo(binary string, rel Release) error {
|
||||
}
|
||||
|
||||
// Upgrade to the given release, saving the previous binary with a ".old" extension.
|
||||
func upgradeToURL(binary string, url string) error {
|
||||
fname, err := readRelease(filepath.Dir(binary), url)
|
||||
func upgradeToURL(archiveName, binary string, url string) error {
|
||||
fname, err := readRelease(archiveName, filepath.Dir(binary), url)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@ -147,7 +147,7 @@ func upgradeToURL(binary string, url string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func readRelease(dir, url string) (string, error) {
|
||||
func readRelease(archiveName, dir, url string) (string, error) {
|
||||
l.Debugf("loading %q", url)
|
||||
|
||||
req, err := http.NewRequest("GET", url, nil)
|
||||
@ -164,13 +164,13 @@ func readRelease(dir, url string) (string, error) {
|
||||
|
||||
switch runtime.GOOS {
|
||||
case "windows":
|
||||
return readZip(dir, resp.Body)
|
||||
return readZip(archiveName, dir, resp.Body)
|
||||
default:
|
||||
return readTarGz(dir, resp.Body)
|
||||
return readTarGz(archiveName, dir, resp.Body)
|
||||
}
|
||||
}
|
||||
|
||||
func readTarGz(dir string, r io.Reader) (string, error) {
|
||||
func readTarGz(archiveName, dir string, r io.Reader) (string, error) {
|
||||
gr, err := gzip.NewReader(r)
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -202,14 +202,14 @@ func readTarGz(dir string, r io.Reader) (string, error) {
|
||||
}
|
||||
}
|
||||
|
||||
if err := verifyUpgrade(tempName, sig); err != nil {
|
||||
if err := verifyUpgrade(archiveName, tempName, sig); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return tempName, nil
|
||||
}
|
||||
|
||||
func readZip(dir string, r io.Reader) (string, error) {
|
||||
func readZip(archiveName, dir string, r io.Reader) (string, error) {
|
||||
body, err := ioutil.ReadAll(r)
|
||||
if err != nil {
|
||||
return "", err
|
||||
@ -241,7 +241,7 @@ func readZip(dir string, r io.Reader) (string, error) {
|
||||
}
|
||||
}
|
||||
|
||||
if err := verifyUpgrade(tempName, sig); err != nil {
|
||||
if err := verifyUpgrade(archiveName, tempName, sig); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
@ -254,21 +254,22 @@ func archiveFileVisitor(dir string, tempFile *string, signature *[]byte, archive
|
||||
var err error
|
||||
filename := path.Base(archivePath)
|
||||
archiveDir := path.Dir(archivePath)
|
||||
archiveDirs := strings.Split(archiveDir, "/")
|
||||
if len(archiveDirs) > 1 {
|
||||
//don't consider files in subfolders
|
||||
return nil
|
||||
}
|
||||
l.Debugf("considering file %s", archivePath)
|
||||
switch filename {
|
||||
case "syncthing", "syncthing.exe":
|
||||
archiveDirs := strings.Split(archiveDir, "/")
|
||||
if len(archiveDirs) > 1 {
|
||||
// Don't consider "syncthing" files found too deeply, as they may be
|
||||
// other things.
|
||||
return nil
|
||||
}
|
||||
l.Debugf("found upgrade binary %s", archivePath)
|
||||
*tempFile, err = writeBinary(dir, filedata)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
case "syncthing.sig", "syncthing.exe.sig":
|
||||
case "release.sig":
|
||||
l.Debugf("found signature %s", archivePath)
|
||||
*signature, err = ioutil.ReadAll(filedata)
|
||||
if err != nil {
|
||||
@ -279,7 +280,7 @@ func archiveFileVisitor(dir string, tempFile *string, signature *[]byte, archive
|
||||
return nil
|
||||
}
|
||||
|
||||
func verifyUpgrade(tempName string, sig []byte) error {
|
||||
func verifyUpgrade(archiveName, tempName string, sig []byte) error {
|
||||
if tempName == "" {
|
||||
return fmt.Errorf("no upgrade found")
|
||||
}
|
||||
@ -293,7 +294,20 @@ func verifyUpgrade(tempName string, sig []byte) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = signature.Verify(SigningKey, sig, fd)
|
||||
|
||||
// Create a new reader that will serve reads from, in order:
|
||||
//
|
||||
// - the archive name ("syncthing-linux-amd64-v0.13.0-beta.4.tar.gz")
|
||||
// followed by a newline
|
||||
//
|
||||
// - the temp file contents
|
||||
//
|
||||
// We then verify the release signature against the contents of this
|
||||
// multireader. This ensures that it is not only a bonafide syncthing
|
||||
// binary, but it it also of exactly the platform and version we expect.
|
||||
|
||||
mr := io.MultiReader(bytes.NewBufferString(archiveName+"\n"), fd)
|
||||
err = signature.Verify(SigningKey, sig, mr)
|
||||
fd.Close()
|
||||
|
||||
if err != nil {
|
||||
|
@ -14,7 +14,7 @@ func upgradeTo(binary string, rel Release) error {
|
||||
return ErrUpgradeUnsupported
|
||||
}
|
||||
|
||||
func upgradeToURL(binary, url string) error {
|
||||
func upgradeToURL(archiveName, binary, url string) error {
|
||||
return ErrUpgradeUnsupported
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user