aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/updater
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-07 11:21:25 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-07 11:21:25 +0200
commitd65632e5b49f1c81bbe6dc6b0e4efa5e260289f1 (patch)
treeb0f9f43154aaa4797a6c19c3b02a55db5fb115a5 /updater
parentservice: delay restart for one second (diff)
downloadwireguard-windows-d65632e5b49f1c81bbe6dc6b0e4efa5e260289f1.tar.xz
wireguard-windows-d65632e5b49f1c81bbe6dc6b0e4efa5e260289f1.zip
updater: use hsm key and check header match
Diffstat (limited to 'updater')
-rw-r--r--updater/constants.go2
-rw-r--r--updater/signify.go8
2 files changed, 4 insertions, 6 deletions
diff --git a/updater/constants.go b/updater/constants.go
index ae3988bd..2ae78c8d 100644
--- a/updater/constants.go
+++ b/updater/constants.go
@@ -6,7 +6,7 @@
package updater
const (
- releasePublicKeyBase64 = "RWQGxwD+15iPpnPCEijYJ3CWYFgojWwBJZNg0OnJfICVu/CfyKeQ0vIA"
+ releasePublicKeyBase64 = "RWRNqGKtBXftKTKPpBPGDMe8jHLnFQ0EdRy8Wg0apV6vTDFLAODD83G4"
latestVersionURL = "https://download.wireguard.com/windows-client/latest.sig"
msiURL = "https://download.wireguard.com/windows-client/%s"
msiArchPrefix = "wireguard-%s-"
diff --git a/updater/signify.go b/updater/signify.go
index d4605cbb..5fc16ba2 100644
--- a/updater/signify.go
+++ b/updater/signify.go
@@ -29,7 +29,6 @@ func readFileList(input []byte) (fileList, error) {
if err != nil || len(publicKeyBytes) != ed25519.PublicKeySize+10 || publicKeyBytes[0] != 'E' || publicKeyBytes[1] != 'd' {
return nil, errors.New("Invalid public key")
}
- publicKeyBytes = publicKeyBytes[10:]
lines := bytes.SplitN(input, []byte{'\n'}, 3)
if len(lines) != 3 {
return nil, errors.New("Signature input has too few lines")
@@ -41,11 +40,10 @@ func readFileList(input []byte) (fileList, error) {
if err != nil {
return nil, errors.New("Signature input is not valid base64")
}
- if len(signatureBytes) != ed25519.SignatureSize+10 || signatureBytes[0] != 'E' || signatureBytes[1] != 'd' {
- return nil, errors.New("Signature input bytes are incorrect length or represent invalid signature type")
+ if len(signatureBytes) != ed25519.SignatureSize+10 || !bytes.Equal(signatureBytes[:10], publicKeyBytes[:10]) {
+ return nil, errors.New("Signature input bytes are incorrect length, type, or keyid")
}
- signatureBytes = signatureBytes[10:]
- if !ed25519.Verify(publicKeyBytes, lines[2], signatureBytes) {
+ if !ed25519.Verify(publicKeyBytes[10:], lines[2], signatureBytes[10:]) {
return nil, errors.New("Signature is invalid")
}
fileLines := strings.Split(string(lines[2]), "\n")