scottk/wlan-ap
1
0
Fork 0
mirror of https://github.com/Telecominfraproject/wlan-ap.git synced 2025-10-31 18:38:10 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

est_client: prevent downgrades to FW not supporting EST

Browse Source 
Fixes: WIFI-14694
Signed-off-by: John Crispin <john@phrozen.org>
This commit is contained in:
John Crispin
2025-06-13 14:28:02 +02:00
parent a375b9f774
commit f75a36f89f
2 changed files with 71 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
feeds/tip/cloud_discovery/files/usr/bin/est_client
View File

@@ -126,6 +126,31 @@ function load_operational_ca() {
return 0; return 0;
} }
function fwtool() {
let pipe = fs.popen(`openssl x509 -in /etc/ucentral/cert.pem -noout -issuer`);
let issuer = pipe.read("all");
pipe.close();
if (!(match(issuer, /OpenLAN/) && match(issuer, /Birth CA/)))
return 0;
ulog(LOG_INFO, 'The issuer is insta\n');
let metadata = fs.readfile('/tmp/sysupgrade.meta');
if (metadata)
metadata = json(metadata);
if (!metadata)
return 0;
if (!metadata.est_supported) {
ulog(LOG_INFO, 'The image does not support EST\n');
return 1;
}
ulog(LOG_INFO, 'The image supports EST\n');
return 0;
}
switch(ARGV[0]) { switch(ARGV[0]) {
case 'enroll': case 'enroll':
if (simpleenroll()) if (simpleenroll())
@@ -140,4 +165,7 @@ case 'reenroll':
if (simplereenroll()) if (simplereenroll())
exit(1); exit(1);
exit(0); exit(0);
case 'fwtool':
exit(fwtool());
} }

43
patches/0091-fwtool-check-for-EST-support-if-the-cert-was-issued-.patch Normal file
View File

@@ -0,0 +1,43 @@
From 8e70ae7c71fb0a31b3b95f156b2d865ba8a07ae8 Mon Sep 17 00:00:00 2001
From: John Crispin <john@phrozen.org>
Date: Fri, 13 Jun 2025 12:06:48 +0200
Subject: [PATCH] fwtool: check for EST support if the cert was issued by insta
Signed-off-by: John Crispin <john@phrozen.org>
---
include/image-commands.mk | 3 ++-
package/base-files/files/lib/upgrade/fwtool.sh | 4 ++++
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/include/image-commands.mk b/include/image-commands.mk
index d3c9cea293..b7a0d98d3d 100644
--- a/include/image-commands.mk
+++ b/include/image-commands.mk
@@ -85,7 +85,8 @@ metadata_json = \
"revision": "$(call json_quote,$(REVISION))", \
"target": "$(call json_quote,$(TARGETID))", \
"board": "$(call json_quote,$(if $(BOARD_NAME),$(BOARD_NAME),$(DEVICE_NAME)))" \
- } \
+ }, \
+ "est_supported": 1 \
}'
define Build/append-metadata
diff --git a/package/base-files/files/lib/upgrade/fwtool.sh b/package/base-files/files/lib/upgrade/fwtool.sh
index 8bd00a3332..a84eb96baf 100644
--- a/package/base-files/files/lib/upgrade/fwtool.sh
+++ b/package/base-files/files/lib/upgrade/fwtool.sh
@@ -51,6 +51,10 @@ fwtool_check_image() {
json_get_var compatmessage compat_message
[ -n "$imagecompat" ] || imagecompat="1.0"
+ if ! est_client fwtool; then
+ return 1
+ fi
+
# select correct supported list based on compat_version
# (using this ensures that compatibility check works for devices
# not knowing about compat-version)
--
2.34.1