/* * ZeroTier One - Global Peer to Peer Ethernet * Copyright (C) 2011-2015 ZeroTier Networks * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . * * -- * * ZeroTier may be used and distributed under the terms of the GPLv3, which * are available at: http://www.gnu.org/licenses/gpl-3.0.html * * If you would like to embed ZeroTier into a commercial application or * redistribute it in a modified binary form, please contact ZeroTier Networks * LLC. Start here: http://www.zerotier.com/ */ #include #include #include #include #include "../version.h" #include "Constants.hpp" #include "SoftwareUpdater.hpp" #include "Dictionary.hpp" #include "C25519.hpp" #include "Identity.hpp" #include "Logger.hpp" #include "RuntimeEnvironment.hpp" #include "Thread.hpp" #include "Node.hpp" #include "Utils.hpp" #include "HttpClient.hpp" #ifdef __UNIX_LIKE__ #include #include #include #include #endif namespace ZeroTier { SoftwareUpdater::SoftwareUpdater(const RuntimeEnvironment *renv) : RR(renv), _myVersion(packVersion(ZEROTIER_ONE_VERSION_MAJOR,ZEROTIER_ONE_VERSION_MINOR,ZEROTIER_ONE_VERSION_REVISION)), _lastUpdateAttempt(0), _status(UPDATE_STATUS_IDLE), _die(false), _lock() { } SoftwareUpdater::~SoftwareUpdater() { _die = true; for(;;) { _lock.lock(); bool ip = (_status != UPDATE_STATUS_IDLE); _lock.unlock(); if (ip) Thread::sleep(500); else break; } } void SoftwareUpdater::cleanOldUpdates() { std::string updatesDir(RR->homePath + ZT_PATH_SEPARATOR_S + "updates.d"); std::map dl(Utils::listDirectory(updatesDir.c_str())); for(std::map::iterator i(dl.begin());i!=dl.end();++i) { if (!i->second) Utils::rm((updatesDir + ZT_PATH_SEPARATOR_S + i->first).c_str()); } } void SoftwareUpdater::sawRemoteVersion(unsigned int vmaj,unsigned int vmin,unsigned int rev) { const uint64_t tmp = packVersion(vmaj,vmin,rev); if (tmp > _myVersion) { Mutex::Lock _l(_lock); if ((_status == UPDATE_STATUS_IDLE)&&(!_die)&&(ZT_DEFAULTS.updateLatestNfoURL.length())) { const uint64_t now = Utils::now(); if ((now - _lastUpdateAttempt) >= ZT_UPDATE_MIN_INTERVAL) { _lastUpdateAttempt = now; _status = UPDATE_STATUS_GETTING_NFO; RR->http->GET(ZT_DEFAULTS.updateLatestNfoURL,HttpClient::NO_HEADERS,ZT_UPDATE_HTTP_TIMEOUT,&_cbHandleGetLatestVersionInfo,this); } } } } void SoftwareUpdater::checkNow() { Mutex::Lock _l(_lock); if (_status == UPDATE_STATUS_IDLE) { _lastUpdateAttempt = Utils::now(); _status = UPDATE_STATUS_GETTING_NFO; RR->http->GET(ZT_DEFAULTS.updateLatestNfoURL,HttpClient::NO_HEADERS,ZT_UPDATE_HTTP_TIMEOUT,&_cbHandleGetLatestVersionInfo,this); } } const char *SoftwareUpdater::parseNfo( const char *nfoText, unsigned int &vMajor, unsigned int &vMinor, unsigned int &vRevision, Address &signedBy, std::string &signature, std::string &url) { try { Dictionary nfo(nfoText); vMajor = Utils::strToUInt(nfo.get("vMajor").c_str()); vMinor = Utils::strToUInt(nfo.get("vMinor").c_str()); vRevision = Utils::strToUInt(nfo.get("vRevision").c_str()); signedBy = nfo.get("signedBy"); signature = Utils::unhex(nfo.get("ed25519")); url = nfo.get("url"); if (signature.length() != ZT_C25519_SIGNATURE_LEN) return "bad ed25519 signature, invalid length"; if ((url.length() <= 7)||(url.substr(0,7) != "http://")) return "invalid URL, must begin with http://"; return (const char *)0; } catch ( ... ) { return "invalid NFO file format or one or more required fields missing"; } } bool SoftwareUpdater::validateUpdate( const void *data, unsigned int len, const Address &signedBy, const std::string &signature) { std::map< Address,Identity >::const_iterator updateAuthority = ZT_DEFAULTS.updateAuthorities.find(signedBy); if (updateAuthority == ZT_DEFAULTS.updateAuthorities.end()) return false; return updateAuthority->second.verify(data,len,signature.data(),(unsigned int)signature.length()); } void SoftwareUpdater::_cbHandleGetLatestVersionInfo(void *arg,int code,const std::string &url,const std::string &body) { SoftwareUpdater *upd = (SoftwareUpdater *)arg; const RuntimeEnvironment *RR = (const RuntimeEnvironment *)upd->RR; Mutex::Lock _l(upd->_lock); if ((upd->_die)||(upd->_status != UPDATE_STATUS_GETTING_NFO)) { upd->_status = UPDATE_STATUS_IDLE; return; } if (code != 200) { LOG("software update check failed: server responded with code %d",code); upd->_status = UPDATE_STATUS_IDLE; return; } try { unsigned int vMajor = 0,vMinor = 0,vRevision = 0; Address signedBy; std::string signature,url; const char *err = parseNfo(body.c_str(),vMajor,vMinor,vRevision,signedBy,signature,url); if (err) { LOG("software update check aborted: .nfo file parse error: %s",err); upd->_status = UPDATE_STATUS_IDLE; return; } if (!ZT_DEFAULTS.updateAuthorities.count(signedBy)) { LOG("software update check aborted: .nfo file specifies unknown signing authority"); upd->_status = UPDATE_STATUS_IDLE; return; } #ifndef ZT_ALWAYS_UPDATE /* for testing */ if (packVersion(vMajor,vMinor,vRevision) <= upd->_myVersion) { TRACE("software update check complete: version on update site is not newer than my version, no update necessary"); upd->_status = UPDATE_STATUS_IDLE; return; } #endif upd->_status = UPDATE_STATUS_GETTING_FILE; upd->_signedBy = signedBy; upd->_signature = signature; RR->http->GET(url,HttpClient::NO_HEADERS,ZT_UPDATE_HTTP_TIMEOUT,&_cbHandleGetLatestVersionBinary,arg); } catch ( ... ) { LOG("software update check failed: .nfo file invalid or missing field(s)"); upd->_status = UPDATE_STATUS_IDLE; } } void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const std::string &url,const std::string &body) { SoftwareUpdater *upd = (SoftwareUpdater *)arg; const RuntimeEnvironment *RR = (const RuntimeEnvironment *)upd->RR; Mutex::Lock _l(upd->_lock); if (!validateUpdate(body.data(),(unsigned int)body.length(),upd->_signedBy,upd->_signature)) { LOG("software update failed: update fetched from '%s' failed signature check (image size: %u)",url.c_str(),(unsigned int)body.length()); upd->_status = UPDATE_STATUS_IDLE; return; } size_t lastSlash = url.rfind('/'); if (lastSlash == std::string::npos) { // sanity check, shouldn't happen LOG("software update failed: invalid URL"); upd->_status = UPDATE_STATUS_IDLE; return; } std::string updatesDir(RR->homePath + ZT_PATH_SEPARATOR_S + "updates.d"); std::string updateFilename(url.substr(lastSlash + 1)); if ((updateFilename.length() < 3)||(updateFilename.find("..") != std::string::npos)) { LOG("software update failed: invalid URL: filename contains invalid characters"); upd->_status = UPDATE_STATUS_IDLE; return; } for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) { // Only allow a list of whitelisted characters to make up the filename to prevent any // path shenanigans, esp on Windows where / is not the path separator. if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.0123456789",*c)) { LOG("software update failed: invalid URL: filename contains invalid characters"); upd->_status = UPDATE_STATUS_IDLE; return; } } std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + updateFilename); #ifdef __WINDOWS__ CreateDirectoryA(updatesDir.c_str(),NULL); #else mkdir(updatesDir.c_str(),0755); #endif FILE *upf = fopen(updatePath.c_str(),"wb"); if (!upf) { LOG("software update failed: unable to open %s for writing",updatePath.c_str()); upd->_status = UPDATE_STATUS_IDLE; return; } if (fwrite(body.data(),body.length(),1,upf) != 1) { LOG("software update failed: unable to write to %s",updatePath.c_str()); upd->_status = UPDATE_STATUS_IDLE; fclose(upf); Utils::rm(updatePath); return; } fclose(upf); #ifdef __UNIX_LIKE__ ::chmod(updatePath.c_str(),0755); #endif // We exit with this reason code and the path as the text. It is the // caller's responsibility (main.c) to pick this up and do the right // thing. upd->_status = UPDATE_STATUS_IDLE; RR->node->terminate(Node::NODE_RESTART_FOR_UPGRADE,updatePath.c_str()); } } // namespace ZeroTier