Re: OpenWRT (ucert) signature check during upgrade

2020-08-07 Thread Henrique de Moraes Holschuh

On 07/08/2020 09:47, Andrii Voloshyn wrote:

> I'd like to use signature verification during sysupgrade, but at the moment I get
> "Image check failed" message.
> Similar to what guys mentioned here:
> https://forum.openwrt.org/t/possible-bug-in-ucert/57704


Keep in mind that, for security purposes, optional signatures are useless.

You will have to change things so that your firmware *requires* the 
signature to be always present.  No backwards compatibility with 
unsigned images is possible.


As a rule, an optional metadata field at the *end* of an image is 
useless for either security or corruption checking purposes.  All it 
takes is the most common download issue of them all: truncation. The end 
of the file isn't there (because it was truncated early enough), the 
*optional* metadata isn't there, but enough of the headers made it 
through to look like a valid image to sysupgrade.  The corrupt 
(incomplete) file is accepted and used, despite the fact that the 
original had checksum metadata and signatures.  Not Good[tm].


Prepending the metadata allows it to protect properly against download 
truncation, but if the presence of signature metadata is still optional, 
prepended or not it will still be useless as far as *security* goes.


The proper answer is *requiring* the metadata and signature to be 
present.  It resolves both issues, regardless of whether the metadata is 
prepended or appended to the image.


What you're going to do about "sysupgrade -F" and direct flashing is 
another angle to think about, as well...


--
Henrique de Moraes Holschuh

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
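
Added example (not part of the original message or of OpenWrt's code): a small model of the argument above, showing that a checker which treats a trailing signature as optional accepts both a truncated download and an unsigned image, while one that requires the trailer rejects both. The image layout, the `MAGIC`/`TRAILER` markers, the key and all function names are constructed for illustration, and HMAC-SHA256 stands in for the usign/ucert signature.

```python
import hashlib
import hmac

# Constructed toy format, NOT fwtool's on-disk layout: MAGIC + payload [+ tag + TRAILER].
MAGIC = b"FWIM"
TRAILER = b"SIGT"
KEY = b"constructed-demo-key"  # HMAC-SHA256 stands in for the usign/ucert signature
TAG_LEN = hashlib.sha256().digest_size


def build_image(payload, signed=True):
    body = MAGIC + payload
    if not signed:
        return body
    return body + hmac.new(KEY, body, hashlib.sha256).digest() + TRAILER


def check_image(image, require_signature):
    """Return True if the image would be accepted for flashing."""
    if not image.startswith(MAGIC):
        return False  # the only thing a truncated download has to get past
    if not image.endswith(TRAILER) or len(image) < len(MAGIC) + TAG_LEN + len(TRAILER):
        # No trailer: an optional policy cannot tell "unsigned" from "cut off".
        return not require_signature
    body = image[: -(TAG_LEN + len(TRAILER))]
    tag = image[-(TAG_LEN + len(TRAILER)) : -len(TRAILER)]
    return hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest())


def scenarios():
    """Map each constructed case to (accepted_if_optional, accepted_if_required)."""
    good = build_image(bytes(range(256)) * 4)
    flipped = bytearray(good)
    flipped[10] ^= 0xFF  # corrupt one payload byte, trailer intact
    cases = {
        "intact signed image": good,
        "truncated download": good[: len(good) // 2],
        "unsigned replacement": build_image(b"other payload", signed=False),
        "modified, trailer kept": bytes(flipped),
    }
    return {name: (check_image(img, False), check_image(img, True))
            for name, img in cases.items()}


if __name__ == "__main__":
    for name, (optional, required) in scenarios().items():
        print(f"{name:24} optional={optional!s:5} required={required}")
```
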


Re: OpenWRT (ucert) signature check during upgrade

2020-08-07 Thread Daniel Golle
On Fri, Aug 07, 2020 at 03:47:57PM +0300, Andrii Voloshyn wrote:
> Hi there,
> 
> I'd like to use signature verification during sysupgrade, but at the moment I 
> get "Image check failed" message.
> Similar to what guys mentioned here: 
> https://forum.openwrt.org/t/possible-bug-in-ucert/57704
> By digging around, I found out that:
> 
> fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys
> 
> command fails, with the following message "cert_verify: cannot parse cert".
> My assumption is that it is because of a signature of the upgrade file that 
> we add at the end of the certificate, while appending metadata to the upgrade 
> file. line below (ucert -A -c "$@.ucert" -x "$@.sig")
> 
> define Build/append-metadata
> 	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
> 	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
> 		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
> 		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
> 		ucert -A -c "$@.ucert" -x "$@.sig" ;\
> 		fwtool -S "$@.ucert" "$@" ;\
> 	}
> endef
> 
> Would (ucert -V -m) expect appended upgrade image file signature in the 
> certificate passed with -c?
> Or this functionality has not been implemented yet?
> In other words how to check upgrade file signature prior to upgrade with 
> ucert tool?

Yes, this is exactly how it is supposed to work.
There has been a bug caused by libubox security improvements which made
ucert always fail to parse certificates, it should have been fixed by

commit 96c42c5ed3207b8ad1ce836a4426c8700c13b655
Author: Matthias Schiffer 
Date:   Sat May 16 22:29:24 2020 +0200

    Fix length checks in cert_load()


Please verify manually if ucert can parse the certificate, i.e.
extract it into a file /tmp/sysupgrade.ucert using fwtool, then install
ucert-full and use `ucert -D -c /tmp/sysupgrade.ucert` and see what
happens.


Cheers


Daniel



> 
> 
> Cheers,
> Andrew


OpenWRT (ucert) signature check during upgrade

2020-08-07 Thread Andrii Voloshyn
Hi there,

I'd like to use signature verification during sysupgrade, but at the moment I 
get "Image check failed" message.
Similar to what guys mentioned here: 
https://forum.openwrt.org/t/possible-bug-in-ucert/57704
By digging around, I found out that:

fwtool -q -T -s /dev/null /tmp/sysupgrade.bin | ucert -V -m - -c "/tmp/sysupgrade.ucert" -P /etc/opkg/keys

command fails, with the following message "cert_verify: cannot parse cert".
My assumption is that it is because of a signature of the upgrade file that we 
add at the end of the certificate, while appending metadata to the upgrade 
file. line below (ucert -A -c "$@.ucert" -x "$@.sig")

define Build/append-metadata
	$(if $(SUPPORTED_DEVICES),-echo $(call metadata_json,$(SUPPORTED_DEVICES)) | fwtool -I - $@)
	[ ! -s "$(BUILD_KEY)" -o ! -s "$(BUILD_KEY).ucert" -o ! -s "$@" ] || { \
		cp "$(BUILD_KEY).ucert" "$@.ucert" ;\
		usign -S -m "$@" -s "$(BUILD_KEY)" -x "$@.sig" ;\
		ucert -A -c "$@.ucert" -x "$@.sig" ;\
		fwtool -S "$@.ucert" "$@" ;\
	}
endef

Would (ucert -V -m) expect appended upgrade image file signature in the 
certificate passed with -c?
Or this functionality has not been implemented yet?
In other words how to check upgrade file signature prior to upgrade with ucert 
tool?


Cheers,
Andrew


