Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Permit using the Updater _hash function, even if we don't have a signature appended to the image #8507

Merged
merged 2 commits into from
Apr 11, 2022
Merged

Permit using the Updater _hash function, even if we don't have a signature appended to the image #8507

merged 2 commits into from
Apr 11, 2022

Conversation

einglis
Copy link
Contributor

@einglis einglis commented Mar 11, 2022

NOTE: Re-submission of PR #8472 due to user error :(

The _hash and _verify functionality of the Updater class are pretty much entwined. But it might be useful to calculate the hash, even without a signature present in the image itself. This change permits that by allowing a zero-length signature.

For reference, one possible use case is where the expected hash is provided separately to the uploaded image. Another is to provide generic post-upload validation of the image: the hash function permits a convenient way of inspecting the complete image against arbitrary conditions; this is particularly useful after HTTP client OTA updates.

(It's fair that reading the whole image back out of flash is not very efficient, but that's not the concern of this PR.)

d-a-v
d-a-v approved these changes Mar 13, 2022
View reviewed changes
Copy link
Collaborator

@d-a-v d-a-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@einglis
Copy link
Contributor Author

einglis commented Mar 14, 2022

Ty

@mcspr mcspr merged commit f78c633 into esp8266:master Apr 11, 2022
@blue-wind-25
Copy link

After comparing with the old code, I would like to clarify line 247:
_size -= (sigLen + sizeof(uint32_t) /* The siglen word */);

shouldn't it be:
binSize -= (sigLen + sizeof(uint32_t) /* The siglen word */);

because the former will cause line 276 to read from the wrong address.

Thank you.

@einglis einglis deleted the updater_hash branch April 12, 2022 19:51
@einglis
Copy link
Contributor Author

einglis commented Apr 12, 2022

Good spot, @blue-wind-25. I think you're right.

@blue-wind-25
Copy link

Great, thank you for the confirmation :-)

@mcspr mcspr mentioned this pull request Apr 19, 2022
Merged
@earlephilhower earlephilhower mentioned this pull request Aug 21, 2022
Closed
mcspr added a commit that referenced this pull request Sep 13, 2022
@mcspr
Fix Updater non-zero _verify->length() once again (#8545)
a0c7a85 
Amends #8507
I took the liberty to also do some refactoring; specifically, fixing signed vs. unsigned mismatch in len, using pointer object vs. the original manual malloc & free, try to have named constants for certain addresses and lengths, plus localize printing of u8 arrays.

The suggested test to have a 'dummy' verifier works just fine. (...how it actually works and gets the hash to compare with is a whole other question, though)

Another issue noticed while testing, in the underlying bearssl api there's an actual limit for hash length.
https://github.com/earlephilhower/bearssl-esp8266/blob/6105635531027f5b298aa656d44be2289b2d434f/inc/bearssl_rsa.h#L257
@mcspr mcspr mentioned this pull request Nov 3, 2022
Closed
6 tasks
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@d-a-v d-a-v d-a-v approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@einglis @blue-wind-25 @d-a-v @mcspr