feat: added integrity checks for artifact data files

The client now performs integrity checks on the data files in the artifact by comparing its computed checksum to the one in the artifact manifest. Ticket: MEN-7483 Changelog: Commit Signed-off-by: Lars Erik Wik <[email protected]>
mendersoftware · Oct 3, 2024 · 0c12ac1 · 0c12ac1
1 parent 81f1617
commit 0c12ac1
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/core/src/mender-artifact.c b/core/src/mender-artifact.c
@@ -211,7 +211,8 @@ mender_artifact_check_integrity(mender_artifact_ctx_t *ctx) {
     for (mender_artifact_checksum_t *checksum = ctx->artifact_info.checksums; NULL != checksum; checksum = checksum->next) {
         unsigned char computed[MENDER_DIGEST_BUFFER_SIZE];
 
-        if (!StringEqual(checksum->filename, "version") && !StringEqual(checksum->filename, "header.tar")) {
+        if (!StringEqual(checksum->filename, "version") && !StringEqual(checksum->filename, "header.tar")
+            && !mender_utils_strbeginwith(checksum->filename, "data/")) {
             /* Whenever we introduce a new file to the artifact manifest, we
              * need to skip integrity checks for that file until it's
              * implemented. Otherwise, the client will get stuck trying to
@@ -1072,6 +1073,37 @@ mender_artifact_read_data(mender_artifact_ctx_t *ctx, mender_err_t (*callback)(c
         size_t length
             = ((ctx->file.size - ctx->file.index) > MENDER_ARTIFACT_STREAM_BLOCK_SIZE) ? MENDER_ARTIFACT_STREAM_BLOCK_SIZE : (ctx->file.size - ctx->file.index);
 
+#ifdef CONFIG_MENDER_FULL_PARSE_ARTIFACT
+        mender_artifact_checksum_t *checksum;
+        {
+            /* The filename will be something like
+             * 'data/0000.tar/zephyr.signed.bin'. But the manifest will hold
+             * 'data/0000/zephyr.signed.bin'. Hence, we need to remove the
+             * '.tar' extension from the string.
+             */
+            char filename[strlen(ctx->file.name) + 1];
+            strcpy(filename, ctx->file.name);
+
+            for (char *ch = strstr(filename, ".tar"); (NULL != ch) && (*ch != '\0'); ch++) {
+                /* Don't worry! The call to strlen() on a static string should
+                 * be optimized out by the compiler */
+                *ch = ch[strlen(".tar")];
+            }
+
+            /* Get checksum entry (create one if needed) */
+            if (NULL == (checksum = mender_artifact_checksum_get_or_create(ctx, filename))) {
+                /* Error already logged */
+                return MENDER_FAIL;
+            }
+        }
+
+        /* Update SHA-256 checksum */
+        if (MENDER_OK != mender_sha256_update(checksum->context, ctx->input.data, length)) {
+            mender_log_error("Failed to update update checksum");
+            return MENDER_FAIL;
+        }
+#endif /* CONFIG_MENDER_FULL_PARSE_ARTIFACT */
+
         /* Invoke callback */
         if (MENDER_OK
             != (ret = callback(ctx->payloads.values[index].type,