]>
Commit | Line | Data |
---|---|---|
a032b68d | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
e3bff60a MP |
2 | |
3 | #include <sys/prctl.h> | |
4 | ||
db2df898 | 5 | #include "alloc-util.h" |
e3bff60a | 6 | #include "btrfs-util.h" |
db2df898 MP |
7 | #include "capability-util.h" |
8 | #include "copy.h" | |
9 | #include "dirent-util.h" | |
10 | #include "escape.h" | |
11 | #include "fd-util.h" | |
ea0999c9 | 12 | #include "hostname-util.h" |
db2df898 | 13 | #include "io-util.h" |
ea0999c9 | 14 | #include "memory-util.h" |
db2df898 | 15 | #include "path-util.h" |
e3bff60a | 16 | #include "process-util.h" |
db2df898 MP |
17 | #include "pull-common.h" |
18 | #include "pull-job.h" | |
6e866b33 | 19 | #include "rlimit-util.h" |
db2df898 | 20 | #include "rm-rf.h" |
86f210e9 | 21 | #include "signal-util.h" |
6300502b | 22 | #include "siphash24.h" |
db2df898 MP |
23 | #include "string-util.h" |
24 | #include "strv.h" | |
25 | #include "util.h" | |
26 | #include "web-util.h" | |
e3bff60a MP |
27 | |
28 | #define FILENAME_ESCAPE "/.#\"\'" | |
6300502b MP |
29 | #define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16) |
30 | ||
31 | int pull_find_old_etags( | |
32 | const char *url, | |
33 | const char *image_root, | |
34 | int dt, | |
35 | const char *prefix, | |
36 | const char *suffix, | |
37 | char ***etags) { | |
e3bff60a | 38 | |
e3bff60a MP |
39 | int r; |
40 | ||
41 | assert(url); | |
42 | assert(etags); | |
43 | ||
44 | if (!image_root) | |
45 | image_root = "/var/lib/machines"; | |
46 | ||
ea0999c9 | 47 | _cleanup_free_ char *escaped_url = xescape(url, FILENAME_ESCAPE); |
e3bff60a MP |
48 | if (!escaped_url) |
49 | return -ENOMEM; | |
50 | ||
ea0999c9 | 51 | _cleanup_closedir_ DIR *d = opendir(image_root); |
e3bff60a MP |
52 | if (!d) { |
53 | if (errno == ENOENT) { | |
54 | *etags = NULL; | |
55 | return 0; | |
56 | } | |
57 | ||
58 | return -errno; | |
59 | } | |
60 | ||
ea0999c9 MB |
61 | _cleanup_strv_free_ char **ans = NULL; |
62 | ||
e3bff60a | 63 | FOREACH_DIRENT_ALL(de, d, return -errno) { |
f2dec872 | 64 | _cleanup_free_ char *u = NULL; |
e3bff60a | 65 | const char *a, *b; |
e3bff60a MP |
66 | |
67 | if (de->d_type != DT_UNKNOWN && | |
68 | de->d_type != dt) | |
69 | continue; | |
70 | ||
71 | if (prefix) { | |
72 | a = startswith(de->d_name, prefix); | |
73 | if (!a) | |
74 | continue; | |
75 | } else | |
76 | a = de->d_name; | |
77 | ||
78 | a = startswith(a, escaped_url); | |
79 | if (!a) | |
80 | continue; | |
81 | ||
82 | a = startswith(a, "."); | |
83 | if (!a) | |
84 | continue; | |
85 | ||
86 | if (suffix) { | |
87 | b = endswith(de->d_name, suffix); | |
88 | if (!b) | |
89 | continue; | |
90 | } else | |
91 | b = strchr(de->d_name, 0); | |
92 | ||
93 | if (a >= b) | |
94 | continue; | |
95 | ||
ea0999c9 MB |
96 | ssize_t l = cunescape_length(a, b - a, 0, &u); |
97 | if (l < 0) { | |
98 | assert(l >= INT8_MIN); | |
99 | return l; | |
100 | } | |
e3bff60a | 101 | |
f2dec872 | 102 | if (!http_etag_is_valid(u)) |
e3bff60a | 103 | continue; |
e3bff60a | 104 | |
ea0999c9 | 105 | r = strv_consume(&ans, TAKE_PTR(u)); |
e3bff60a MP |
106 | if (r < 0) |
107 | return r; | |
108 | } | |
109 | ||
ea0999c9 | 110 | *etags = TAKE_PTR(ans); |
e3bff60a MP |
111 | |
112 | return 0; | |
113 | } | |
114 | ||
6300502b MP |
115 | static int hash_url(const char *url, char **ret) { |
116 | uint64_t h; | |
117 | static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f); | |
118 | ||
119 | assert(url); | |
120 | ||
db2df898 | 121 | h = siphash24(url, strlen(url), k.bytes); |
6300502b MP |
122 | if (asprintf(ret, "%"PRIx64, h) < 0) |
123 | return -ENOMEM; | |
124 | ||
125 | return 0; | |
126 | } | |
127 | ||
e3bff60a | 128 | int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) { |
6300502b | 129 | _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL; |
e3bff60a MP |
130 | char *path; |
131 | ||
132 | assert(url); | |
133 | assert(ret); | |
134 | ||
135 | if (!image_root) | |
136 | image_root = "/var/lib/machines"; | |
137 | ||
138 | escaped_url = xescape(url, FILENAME_ESCAPE); | |
139 | if (!escaped_url) | |
140 | return -ENOMEM; | |
141 | ||
142 | if (etag) { | |
e3bff60a MP |
143 | escaped_etag = xescape(etag, FILENAME_ESCAPE); |
144 | if (!escaped_etag) | |
145 | return -ENOMEM; | |
6300502b | 146 | } |
e3bff60a | 147 | |
6300502b | 148 | path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "", |
52ad194e | 149 | strempty(escaped_etag), strempty(suffix)); |
e3bff60a MP |
150 | if (!path) |
151 | return -ENOMEM; | |
152 | ||
6300502b MP |
153 | /* URLs might make the path longer than the maximum allowed length for a file name. |
154 | * When that happens, a URL hash is used instead. Paths returned by this function | |
155 | * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */ | |
156 | if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) { | |
157 | _cleanup_free_ char *hash = NULL; | |
158 | int r; | |
159 | ||
160 | free(path); | |
161 | ||
162 | r = hash_url(url, &hash); | |
163 | if (r < 0) | |
164 | return r; | |
165 | ||
166 | path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "", | |
52ad194e | 167 | strempty(escaped_etag), strempty(suffix)); |
6300502b MP |
168 | if (!path) |
169 | return -ENOMEM; | |
170 | } | |
171 | ||
e3bff60a MP |
172 | *ret = path; |
173 | return 0; | |
174 | } | |
175 | ||
2897b343 | 176 | int pull_make_auxiliary_job( |
6300502b MP |
177 | PullJob **ret, |
178 | const char *url, | |
2897b343 MP |
179 | int (*strip_suffixes)(const char *name, char **ret), |
180 | const char *suffix, | |
ea0999c9 | 181 | ImportVerify verify, |
6300502b | 182 | CurlGlue *glue, |
ea0999c9 | 183 | PullJobOpenDisk on_open_disk, |
6300502b MP |
184 | PullJobFinished on_finished, |
185 | void *userdata) { | |
186 | ||
2897b343 | 187 | _cleanup_free_ char *last_component = NULL, *ll = NULL, *auxiliary_url = NULL; |
6300502b MP |
188 | _cleanup_(pull_job_unrefp) PullJob *job = NULL; |
189 | const char *q; | |
190 | int r; | |
191 | ||
192 | assert(ret); | |
193 | assert(url); | |
2897b343 | 194 | assert(strip_suffixes); |
6300502b MP |
195 | assert(glue); |
196 | ||
197 | r = import_url_last_component(url, &last_component); | |
198 | if (r < 0) | |
199 | return r; | |
200 | ||
2897b343 | 201 | r = strip_suffixes(last_component, &ll); |
6300502b MP |
202 | if (r < 0) |
203 | return r; | |
204 | ||
2897b343 | 205 | q = strjoina(ll, suffix); |
6300502b | 206 | |
2897b343 | 207 | r = import_url_change_last_component(url, q, &auxiliary_url); |
6300502b MP |
208 | if (r < 0) |
209 | return r; | |
210 | ||
2897b343 | 211 | r = pull_job_new(&job, auxiliary_url, glue, userdata); |
6300502b MP |
212 | if (r < 0) |
213 | return r; | |
214 | ||
ea0999c9 | 215 | job->on_open_disk = on_open_disk; |
6300502b MP |
216 | job->on_finished = on_finished; |
217 | job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL; | |
ea0999c9 | 218 | job->calc_checksum = IN_SET(verify, IMPORT_VERIFY_CHECKSUM, IMPORT_VERIFY_SIGNATURE); |
6300502b | 219 | |
b012e921 | 220 | *ret = TAKE_PTR(job); |
6300502b MP |
221 | return 0; |
222 | } | |
223 | ||
ea0999c9 MB |
224 | static bool is_checksum_file(const char *fn) { |
225 | /* Returns true if the specified filename refers to a checksum file we grok */ | |
226 | ||
227 | if (!fn) | |
228 | return false; | |
229 | ||
230 | return streq(fn, "SHA256SUMS") || endswith(fn, ".sha256"); | |
231 | } | |
232 | ||
233 | static bool is_signature_file(const char *fn) { | |
234 | /* Returns true if the specified filename refers to a signature file we grok (reminder: | |
235 | * suse-style .sha256 files are inline signed) */ | |
236 | ||
237 | if (!fn) | |
238 | return false; | |
239 | ||
240 | return streq(fn, "SHA256SUMS.gpg") || endswith(fn, ".sha256"); | |
241 | } | |
242 | ||
e3bff60a MP |
243 | int pull_make_verification_jobs( |
244 | PullJob **ret_checksum_job, | |
245 | PullJob **ret_signature_job, | |
246 | ImportVerify verify, | |
ea0999c9 | 247 | const char *checksum, /* set if literal checksum verification is requested, in which case 'verify' is set to _IMPORT_VERIFY_INVALID */ |
e3bff60a MP |
248 | const char *url, |
249 | CurlGlue *glue, | |
250 | PullJobFinished on_finished, | |
251 | void *userdata) { | |
252 | ||
253 | _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL; | |
ea0999c9 | 254 | _cleanup_free_ char *fn = NULL; |
e3bff60a MP |
255 | int r; |
256 | ||
257 | assert(ret_checksum_job); | |
258 | assert(ret_signature_job); | |
ea0999c9 MB |
259 | assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX); |
260 | assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0); | |
261 | assert((verify < 0) || !checksum); | |
e3bff60a MP |
262 | assert(url); |
263 | assert(glue); | |
264 | ||
ea0999c9 MB |
265 | /* If verification is turned off, or if the checksum to validate is already specified we don't need |
266 | * to download a checksum file or signature, hence shortcut things */ | |
267 | if (verify == IMPORT_VERIFY_NO || checksum) { | |
268 | *ret_checksum_job = *ret_signature_job = NULL; | |
269 | return 0; | |
270 | } | |
271 | ||
272 | r = import_url_last_component(url, &fn); | |
273 | if (r < 0 && r != -EADDRNOTAVAIL) /* EADDRNOTAVAIL means there was no last component, which is OK for | |
274 | * us, we'll just assume it's not a checksum/signature file */ | |
275 | return r; | |
276 | ||
277 | /* Acquire the checksum file if verification or signature verification is requested and the main file | |
278 | * to acquire isn't a checksum or signature file anyway */ | |
279 | if (verify != IMPORT_VERIFY_NO && !is_checksum_file(fn) && !is_signature_file(fn)) { | |
280 | _cleanup_free_ char *checksum_url = NULL; | |
281 | const char *suffixed = NULL; | |
e3bff60a | 282 | |
81c58355 | 283 | /* Queue jobs for the checksum file for the image. */ |
81c58355 | 284 | |
ea0999c9 MB |
285 | if (fn) |
286 | suffixed = strjoina(fn, ".sha256"); /* Start with the suse-style checksum (if there's a base filename) */ | |
287 | else | |
288 | suffixed = "SHA256SUMS"; | |
81c58355 | 289 | |
ea0999c9 | 290 | r = import_url_change_last_component(url, suffixed, &checksum_url); |
e3bff60a MP |
291 | if (r < 0) |
292 | return r; | |
293 | ||
294 | r = pull_job_new(&checksum_job, checksum_url, glue, userdata); | |
295 | if (r < 0) | |
296 | return r; | |
297 | ||
298 | checksum_job->on_finished = on_finished; | |
299 | checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
ea0999c9 | 300 | checksum_job->on_not_found = pull_job_restart_with_sha256sum; /* if this fails, look for ubuntu-style checksum */ |
e3bff60a MP |
301 | } |
302 | ||
ea0999c9 | 303 | if (verify == IMPORT_VERIFY_SIGNATURE && !is_signature_file(fn)) { |
e3bff60a MP |
304 | _cleanup_free_ char *signature_url = NULL; |
305 | ||
306 | /* Queue job for the SHA256SUMS.gpg file for the image. */ | |
307 | r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url); | |
308 | if (r < 0) | |
309 | return r; | |
310 | ||
311 | r = pull_job_new(&signature_job, signature_url, glue, userdata); | |
312 | if (r < 0) | |
313 | return r; | |
314 | ||
315 | signature_job->on_finished = on_finished; | |
316 | signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
317 | } | |
318 | ||
3a6ce677 BR |
319 | *ret_checksum_job = TAKE_PTR(checksum_job); |
320 | *ret_signature_job = TAKE_PTR(signature_job); | |
e3bff60a MP |
321 | return 0; |
322 | } | |
323 | ||
2897b343 | 324 | static int verify_one(PullJob *checksum_job, PullJob *job) { |
e3bff60a | 325 | _cleanup_free_ char *fn = NULL; |
2897b343 | 326 | const char *line, *p; |
e3bff60a MP |
327 | int r; |
328 | ||
2897b343 | 329 | assert(checksum_job); |
e3bff60a | 330 | |
2897b343 | 331 | if (!job) |
e3bff60a MP |
332 | return 0; |
333 | ||
2897b343 | 334 | assert(IN_SET(job->state, PULL_JOB_DONE, PULL_JOB_FAILED)); |
e3bff60a | 335 | |
2897b343 MP |
336 | /* Don't verify the checksum if we didn't actually successfully download something new */ |
337 | if (job->state != PULL_JOB_DONE) | |
338 | return 0; | |
339 | if (job->error != 0) | |
340 | return 0; | |
341 | if (job->etag_exists) | |
342 | return 0; | |
343 | ||
344 | assert(job->calc_checksum); | |
345 | assert(job->checksum); | |
e3bff60a | 346 | |
2897b343 | 347 | r = import_url_last_component(job->url, &fn); |
e3bff60a | 348 | if (r < 0) |
ea0999c9 | 349 | return log_error_errno(r, "Failed to extract filename from URL '%s': %m", job->url); |
e3bff60a | 350 | |
6e866b33 MB |
351 | if (!filename_is_valid(fn)) |
352 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
353 | "Cannot verify checksum, could not determine server-side file name."); | |
e3bff60a | 354 | |
ea0999c9 MB |
355 | if (is_checksum_file(fn) || is_signature_file(fn)) /* We cannot verify checksum files or signature files with a checksum file */ |
356 | return log_error_errno(SYNTHETIC_ERRNO(ELOOP), | |
357 | "Cannot verify checksum/signature files via themselves."); | |
e3bff60a | 358 | |
ea0999c9 MB |
359 | line = strjoina(job->checksum, " *", fn, "\n"); /* string for binary mode */ |
360 | p = memmem_safe(checksum_job->payload, | |
81c58355 MB |
361 | checksum_job->payload_size, |
362 | line, | |
363 | strlen(line)); | |
ea0999c9 MB |
364 | if (!p) { |
365 | line = strjoina(job->checksum, " ", fn, "\n"); /* string for text mode */ | |
366 | p = memmem_safe(checksum_job->payload, | |
367 | checksum_job->payload_size, | |
368 | line, | |
369 | strlen(line)); | |
81c58355 MB |
370 | } |
371 | ||
ea0999c9 | 372 | /* Only counts if found at beginning of a line */ |
6e866b33 MB |
373 | if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) |
374 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
ea0999c9 | 375 | "DOWNLOAD INVALID: Checksum of %s file did not check out, file has been tampered with.", fn); |
e3bff60a | 376 | |
2897b343 MP |
377 | log_info("SHA256 checksum of %s is valid.", job->url); |
378 | return 1; | |
379 | } | |
e3bff60a | 380 | |
3a6ce677 BR |
381 | static int verify_gpg( |
382 | const void *payload, size_t payload_size, | |
383 | const void *signature, size_t signature_size) { | |
6300502b | 384 | |
2897b343 | 385 | _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 }; |
2897b343 MP |
386 | char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX"; |
387 | _cleanup_(sigkill_waitp) pid_t pid = 0; | |
388 | bool gpg_home_created = false; | |
389 | int r; | |
6300502b | 390 | |
3a6ce677 BR |
391 | assert(payload || payload_size == 0); |
392 | assert(signature || signature_size == 0); | |
e3bff60a MP |
393 | |
394 | r = pipe2(gpg_pipe, O_CLOEXEC); | |
395 | if (r < 0) | |
396 | return log_error_errno(errno, "Failed to create pipe for gpg: %m"); | |
397 | ||
3a6ce677 BR |
398 | if (signature_size > 0) { |
399 | _cleanup_close_ int sig_file = -1; | |
e3bff60a | 400 | |
3a6ce677 BR |
401 | sig_file = mkostemp(sig_file_path, O_RDWR); |
402 | if (sig_file < 0) | |
403 | return log_error_errno(errno, "Failed to create temporary file: %m"); | |
404 | ||
405 | r = loop_write(sig_file, signature, signature_size, false); | |
406 | if (r < 0) { | |
407 | log_error_errno(r, "Failed to write to temporary file: %m"); | |
408 | goto finish; | |
409 | } | |
e3bff60a MP |
410 | } |
411 | ||
412 | if (!mkdtemp(gpg_home)) { | |
f2dec872 | 413 | r = log_error_errno(errno, "Failed to create temporary home for gpg: %m"); |
e3bff60a MP |
414 | goto finish; |
415 | } | |
416 | ||
417 | gpg_home_created = true; | |
418 | ||
1d42b86d MB |
419 | r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); |
420 | if (r < 0) | |
421 | return r; | |
422 | if (r == 0) { | |
e3bff60a MP |
423 | const char *cmd[] = { |
424 | "gpg", | |
425 | "--no-options", | |
426 | "--no-default-keyring", | |
427 | "--no-auto-key-locate", | |
428 | "--no-auto-check-trustdb", | |
429 | "--batch", | |
430 | "--trust-model=always", | |
431 | NULL, /* --homedir= */ | |
432 | NULL, /* --keyring= */ | |
433 | NULL, /* --verify */ | |
434 | NULL, /* signature file */ | |
435 | NULL, /* dash */ | |
436 | NULL /* trailing NULL */ | |
437 | }; | |
3a6ce677 | 438 | size_t k = ELEMENTSOF(cmd) - 6; |
e3bff60a MP |
439 | |
440 | /* Child */ | |
441 | ||
e3bff60a MP |
442 | gpg_pipe[1] = safe_close(gpg_pipe[1]); |
443 | ||
ea0999c9 | 444 | r = rearrange_stdio(TAKE_FD(gpg_pipe[0]), -1, STDERR_FILENO); |
52ad194e | 445 | if (r < 0) { |
98393f85 | 446 | log_error_errno(r, "Failed to rearrange stdin/stdout: %m"); |
e3bff60a MP |
447 | _exit(EXIT_FAILURE); |
448 | } | |
449 | ||
6e866b33 MB |
450 | (void) rlimit_nofile_safe(); |
451 | ||
e3bff60a MP |
452 | cmd[k++] = strjoina("--homedir=", gpg_home); |
453 | ||
3a6ce677 | 454 | /* We add the user keyring only to the command line arguments, if it's around since gpg fails |
e3bff60a MP |
455 | * otherwise. */ |
456 | if (access(USER_KEYRING_PATH, F_OK) >= 0) | |
457 | cmd[k++] = "--keyring=" USER_KEYRING_PATH; | |
458 | else | |
459 | cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH; | |
460 | ||
461 | cmd[k++] = "--verify"; | |
3a6ce677 | 462 | if (signature) { |
81c58355 MB |
463 | cmd[k++] = sig_file_path; |
464 | cmd[k++] = "-"; | |
465 | cmd[k++] = NULL; | |
466 | } | |
e3bff60a | 467 | |
e3bff60a MP |
468 | execvp("gpg2", (char * const *) cmd); |
469 | execvp("gpg", (char * const *) cmd); | |
470 | log_error_errno(errno, "Failed to execute gpg: %m"); | |
471 | _exit(EXIT_FAILURE); | |
472 | } | |
473 | ||
474 | gpg_pipe[0] = safe_close(gpg_pipe[0]); | |
475 | ||
3a6ce677 | 476 | r = loop_write(gpg_pipe[1], payload, payload_size, false); |
e3bff60a MP |
477 | if (r < 0) { |
478 | log_error_errno(r, "Failed to write to pipe: %m"); | |
479 | goto finish; | |
480 | } | |
481 | ||
482 | gpg_pipe[1] = safe_close(gpg_pipe[1]); | |
483 | ||
ea0999c9 | 484 | r = wait_for_terminate_and_check("gpg", TAKE_PID(pid), WAIT_LOG_ABNORMAL); |
e3bff60a MP |
485 | if (r < 0) |
486 | goto finish; | |
ea0999c9 MB |
487 | if (r != EXIT_SUCCESS) |
488 | r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
489 | "DOWNLOAD INVALID: Signature verification failed."); | |
490 | else { | |
e3bff60a MP |
491 | log_info("Signature verification succeeded."); |
492 | r = 0; | |
493 | } | |
494 | ||
495 | finish: | |
3a6ce677 BR |
496 | if (signature_size > 0) |
497 | (void) unlink(sig_file_path); | |
e3bff60a MP |
498 | |
499 | if (gpg_home_created) | |
500 | (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL); | |
501 | ||
502 | return r; | |
503 | } | |
3a6ce677 BR |
504 | |
505 | int pull_verify(ImportVerify verify, | |
ea0999c9 | 506 | const char *checksum, /* Verify with literal checksum */ |
3a6ce677 BR |
507 | PullJob *main_job, |
508 | PullJob *checksum_job, | |
509 | PullJob *signature_job, | |
510 | PullJob *settings_job, | |
511 | PullJob *roothash_job, | |
512 | PullJob *roothash_signature_job, | |
513 | PullJob *verity_job) { | |
514 | ||
ea0999c9 | 515 | _cleanup_free_ char *fn = NULL; |
3a6ce677 | 516 | VerificationStyle style; |
ea0999c9 | 517 | PullJob *verify_job; |
3a6ce677 BR |
518 | int r; |
519 | ||
ea0999c9 MB |
520 | assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX); |
521 | assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0); | |
522 | assert((verify < 0) || !checksum); | |
3a6ce677 BR |
523 | assert(main_job); |
524 | assert(main_job->state == PULL_JOB_DONE); | |
525 | ||
ea0999c9 | 526 | if (verify == IMPORT_VERIFY_NO) /* verification turned off */ |
3a6ce677 BR |
527 | return 0; |
528 | ||
ea0999c9 MB |
529 | if (checksum) { |
530 | /* Verification by literal checksum */ | |
531 | assert(!checksum_job); | |
532 | assert(!signature_job); | |
533 | assert(!settings_job); | |
534 | assert(!roothash_job); | |
535 | assert(!roothash_signature_job); | |
536 | assert(!verity_job); | |
3a6ce677 | 537 | |
ea0999c9 MB |
538 | assert(main_job->calc_checksum); |
539 | assert(main_job->checksum); | |
3a6ce677 | 540 | |
ea0999c9 MB |
541 | if (!strcaseeq(checksum, main_job->checksum)) |
542 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
543 | "DOWNLOAD INVALID: Checksum of %s file did not check out, file has been tampered with.", | |
544 | main_job->url); | |
545 | ||
546 | return 0; | |
547 | } | |
548 | ||
549 | r = import_url_last_component(main_job->url, &fn); | |
550 | if (r < 0) | |
551 | return log_error_errno(r, "Failed to extract filename from URL '%s': %m", main_job->url); | |
552 | ||
553 | if (is_signature_file(fn)) | |
554 | return log_error_errno(SYNTHETIC_ERRNO(ELOOP), | |
555 | "Main download is a signature file, can't verify it."); | |
556 | ||
557 | if (is_checksum_file(fn)) { | |
558 | log_debug("Main download is a checksum file, can't validate its checksum with itself, skipping."); | |
559 | verify_job = main_job; | |
560 | } else { | |
561 | PullJob *j; | |
562 | assert(main_job->calc_checksum); | |
563 | assert(main_job->checksum); | |
564 | assert(checksum_job); | |
565 | assert(checksum_job->state == PULL_JOB_DONE); | |
566 | ||
567 | if (!checksum_job->payload || checksum_job->payload_size <= 0) | |
568 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
569 | "Checksum is empty, cannot verify."); | |
570 | ||
571 | FOREACH_POINTER(j, main_job, settings_job, roothash_job, roothash_signature_job, verity_job) { | |
572 | r = verify_one(checksum_job, j); | |
573 | if (r < 0) | |
574 | return r; | |
575 | } | |
576 | ||
577 | verify_job = checksum_job; | |
3a6ce677 BR |
578 | } |
579 | ||
ea0999c9 | 580 | if (verify != IMPORT_VERIFY_SIGNATURE) |
3a6ce677 BR |
581 | return 0; |
582 | ||
ea0999c9 MB |
583 | assert(verify_job); |
584 | ||
585 | r = verification_style_from_url(verify_job->url, &style); | |
3a6ce677 | 586 | if (r < 0) |
ea0999c9 | 587 | return log_error_errno(r, "Failed to determine verification style from URL '%s': %m", verify_job->url); |
3a6ce677 BR |
588 | |
589 | if (style == VERIFICATION_PER_DIRECTORY) { | |
590 | assert(signature_job); | |
591 | assert(signature_job->state == PULL_JOB_DONE); | |
592 | ||
593 | if (!signature_job->payload || signature_job->payload_size <= 0) | |
594 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
595 | "Signature is empty, cannot verify."); | |
596 | ||
ea0999c9 | 597 | return verify_gpg(verify_job->payload, verify_job->payload_size, signature_job->payload, signature_job->payload_size); |
3a6ce677 | 598 | } else |
ea0999c9 | 599 | return verify_gpg(verify_job->payload, verify_job->payload_size, NULL, 0); |
3a6ce677 BR |
600 | } |
601 | ||
602 | int verification_style_from_url(const char *url, VerificationStyle *ret) { | |
603 | _cleanup_free_ char *last = NULL; | |
604 | int r; | |
605 | ||
606 | assert(url); | |
607 | assert(ret); | |
608 | ||
609 | /* Determines which kind of verification style is appropriate for this url */ | |
610 | ||
611 | r = import_url_last_component(url, &last); | |
612 | if (r < 0) | |
613 | return r; | |
614 | ||
615 | if (streq(last, "SHA256SUMS")) { | |
616 | *ret = VERIFICATION_PER_DIRECTORY; | |
617 | return 0; | |
618 | } | |
619 | ||
620 | if (endswith(last, ".sha256")) { | |
621 | *ret = VERIFICATION_PER_FILE; | |
622 | return 0; | |
623 | } | |
624 | ||
625 | return -EINVAL; | |
626 | } | |
627 | ||
628 | int pull_job_restart_with_sha256sum(PullJob *j, char **ret) { | |
629 | VerificationStyle style; | |
630 | int r; | |
631 | ||
632 | assert(j); | |
633 | ||
634 | /* Generic implementation of a PullJobNotFound handler, that restarts the job requesting SHA256SUMS */ | |
635 | ||
636 | r = verification_style_from_url(j->url, &style); | |
637 | if (r < 0) | |
638 | return log_error_errno(r, "Failed to determine verification style of URL '%s': %m", j->url); | |
639 | ||
640 | if (style == VERIFICATION_PER_DIRECTORY) /* Nothing to do anymore */ | |
641 | return 0; | |
642 | ||
643 | assert(style == VERIFICATION_PER_FILE); /* This must have been .sha256 style URL before */ | |
644 | ||
645 | log_debug("Got 404 for %s, now trying to get SHA256SUMS instead.", j->url); | |
646 | ||
647 | r = import_url_change_last_component(j->url, "SHA256SUMS", ret); | |
648 | if (r < 0) | |
649 | return log_error_errno(r, "Failed to replace SHA256SUMS suffix: %m"); | |
650 | ||
651 | return 1; | |
652 | } | |
ea0999c9 MB |
653 | |
654 | bool pull_validate_local(const char *name, PullFlags flags) { | |
655 | ||
656 | if (FLAGS_SET(flags, PULL_DIRECT)) | |
657 | return path_is_valid(name); | |
658 | ||
659 | return hostname_is_valid(name, 0); | |
660 | } | |
661 | ||
662 | int pull_url_needs_checksum(const char *url) { | |
663 | _cleanup_free_ char *fn = NULL; | |
664 | int r; | |
665 | ||
666 | /* Returns true if we need to validate this resource via a hash value. This returns true for all | |
667 | * files — except for gpg signature files and SHA256SUMS files and the like, which are validated with | |
668 | * a validation tool like gpg. */ | |
669 | ||
670 | r = import_url_last_component(url, &fn); | |
671 | if (r == -EADDRNOTAVAIL) /* no last component? then let's assume it's not a signature/checksum file */ | |
672 | return false; | |
673 | if (r < 0) | |
674 | return r; | |
675 | ||
676 | return !is_checksum_file(fn) && !is_signature_file(fn); | |
677 | } |