From 75a08cb2c3bd133a33d3feeb3b31621af96150bc Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Wed, 11 Mar 2015 13:43:45 +0100 Subject: [PATCH] firmware: remove gzsig utility usage We have moved on to other means of firmware upgrades. Gives us the opportunity to do a little spring clean here. (Plus I don't have to fix the gzsig port anymore.) --- src/etc/inc/util.inc | 10 ---------- src/etc/pubkey.pem | 1 - src/www/system_firmware.php | 14 +------------- src/www/system_firmware_auto.php | 21 --------------------- src/www/system_firmware_settings.php | 24 ++++++------------------ 5 files changed, 7 insertions(+), 63 deletions(-) delete mode 100644 src/etc/pubkey.pem diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc index b1fae19e2..aee40bf33 100644 --- a/src/etc/inc/util.inc +++ b/src/etc/inc/util.inc @@ -1287,16 +1287,6 @@ function ip_in_subnet($addr,$subnet) { } } -/* verify (and remove) the digital signature on a file - returns 0 if OK */ -function verify_digital_signature($fname) { - global $g; - - if(!file_exists("/usr/local/sbin/gzsig")) - return 4; - - return mwexec("/usr/local/sbin/gzsig verify /usr/local/pubkey.pem < " . escapeshellarg($fname)); -} - /* obtain MAC address given an IP address by looking at the ARP table */ function arp_get_mac_by_ip($ip) { mwexec("/sbin/ping -c 1 -t 1 " . escapeshellarg($ip), true); diff --git a/src/etc/pubkey.pem b/src/etc/pubkey.pem deleted file mode 100644 index 7dd575d00..000000000 --- a/src/etc/pubkey.pem +++ /dev/null @@ -1 +0,0 @@ -ssh-dss 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 root@freebsd-nexus-computers.pfsense.org diff --git a/src/www/system_firmware.php b/src/www/system_firmware.php index cbe2812f3..7f93c764d 100644 --- a/src/www/system_firmware.php +++ b/src/www/system_firmware.php @@ -1,10 +1,8 @@ - All rights reserved. - - originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2004 Manuel Kasper . All rights reserved. 
@@ -142,16 +140,6 @@ if ($_POST && !is_subsystem_dirty('firmwarelock')) { /* move the image so PHP won't delete it */ rename($_FILES['ulfile']['tmp_name'], "{$g['upload_path']}/firmware.tgz"); - /* check digital signature */ - $sigchk = verify_digital_signature("{$g['upload_path']}/firmware.tgz"); - - if ($sigchk == 1) - $sig_warning = gettext("The digital signature on this image is invalid."); - else if ($sigchk == 2 && !isset($config['system']['firmware']['allowinvalidsig'])) - $sig_warning = gettext("This image is not digitally signed."); - else if (($sigchk >= 3)) - $sig_warning = gettext("There has been an error verifying the signature on this image."); - if (!verify_gzip_file("{$g['upload_path']}/firmware.tgz")) { $input_errors[] = gettext("The image file is corrupt."); unlink("{$g['upload_path']}/firmware.tgz"); diff --git a/src/www/system_firmware_auto.php b/src/www/system_firmware_auto.php index 7e29e8a63..588ea519b 100755 --- a/src/www/system_firmware_auto.php +++ b/src/www/system_firmware_auto.php 
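Review bot: After the `rename()` into `{$g['upload_path']}/firmware.tgz`, the only check left on an uploaded image in this hunk is `verify_gzip_file()`, which detects a corrupt archive but says nothing about who produced it. The commit message says upgrades have moved to other means, so if this upload handler stays reachable it should either be retired in the same change or carry an explicit marker such as `/* no authenticity check on uploaded images: verify_gzip_file() only detects corruption */`. Any later read of `$sig_warning` in this file (not visible here) would now see a variable that is never set, and should go with it. The enclosing `if ($_POST && !is_subsystem_dirty('firmwarelock'))` block starts and ends outside the hunk.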
@@ -184,32 +184,11 @@ $external_upgrade_helper_text .= "{$g['upload_path']}/latest.tgz"; $downloaded_latest_tgz_sha256 = str_replace("\n", "", `/sbin/sha256 -q {$g['upload_path']}/latest.tgz`); $upgrade_latest_tgz_sha256 = str_replace("\n", "", `/bin/cat {$g['upload_path']}/latest.tgz.sha256 | awk '{ print $4 }'`); -$sigchk = 0; - -if(!isset($curcfg['alturl']['enable'])) - $sigchk = verify_digital_signature("{$g['upload_path']}/latest.tgz"); - -$exitstatus = 0; -if ($sigchk == 1) { - $sig_warning = gettext("The digital signature on this image is invalid."); - $exitstatus = 1; -} else if ($sigchk == 2) { - $sig_warning = gettext("This image is not digitally signed."); - if (!isset($config['system']['firmware']['allowinvalidsig'])) - $exitstatus = 1; -} else if (($sigchk >= 3)) { - $sig_warning = gettext("There has been an error verifying the signature on this image."); - $exitstatus = 1; -} - if ($exitstatus) { update_status($sig_warning); update_output_window(gettext("Update cannot continue. You can disable this check on the Updater Settings tab.")); require("fend.inc"); exit; -} else if ($sigchk == 2) { - update_status("Upgrade in progress..."); - update_output_window("\n" . gettext("Upgrade Image does not contain a signature but the system has been configured to allow unsigned images. One moment please...") . "\n"); } if (!verify_gzip_file("{$g['upload_path']}/latest.tgz")) { diff --git a/src/www/system_firmware_settings.php b/src/www/system_firmware_settings.php index e9fb01a9c..4c4787219 100644 --- a/src/www/system_firmware_settings.php +++ b/src/www/system_firmware_settings.php @@ -1,9 +1,10 @@ - Copyright (C) 2005 Colin Smith - All rights reserved. + Copyright (C) 2014 Deciso B.V. + Copyright (C) 2008 Scott Ullrich + Copyright (C) 2005 Colin Smith + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 
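Review bot: The surviving `if ($exitstatus) { update_status($sig_warning); … exit; }` block looks like dead code after this change. The `$exitstatus = 0;` initialisation and every assignment to `$sig_warning` are on the removed lines, so unless they are set earlier in the file (not visible here) the condition reads an undefined variable and is always false. Its message still tells users they "can disable this check on the Updater Settings tab", a setting this same commit removes from system_firmware_settings.php, so I would delete the whole block rather than only its `else if ($sigchk == 2)` arm. With the signature step gone, the integrity data visible here is the SHA-256 of `latest.tgz` and the value read from `latest.tgz.sha256`; if both come from the same download location, comparing them catches transfer errors but not a replaced image. That deserves a comment beside the two hash lines, e.g. `/* checksum guards against corruption only; authenticity is provided by [mechanism: placeholder] */`.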
@@ -27,7 +28,7 @@ POSSIBILITY OF SUCH DAMAGE. */ -require("guiconfig.inc"); +require_once('guiconfig.inc'); if ($_POST) { if (!$input_errors) { @@ -40,10 +41,6 @@ if ($_POST) { unset($config['system']['firmware']['alturl']); unset($config['system']['firmware']); } - if($_POST['allowinvalidsig'] == "yes") - $config['system']['firmware']['allowinvalidsig'] = true; - else - unset($config['system']['firmware']['allowinvalidsig']); if($_POST['disablecheck'] == "yes") $config['system']['firmware']['disablecheck'] = true; @@ -173,15 +170,6 @@ function enable_altfirmwareurl(enable_over) { - - - - /> -
- - - -