]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
56ebfaf1 | 2 | |
98c38001 LP |
3 | #include <sys/prctl.h> |
4 | ||
b5efdb8a | 5 | #include "alloc-util.h" |
56ebfaf1 | 6 | #include "btrfs-util.h" |
430f0182 | 7 | #include "capability-util.h" |
4f5dd394 | 8 | #include "copy.h" |
a0956174 | 9 | #include "dirent-util.h" |
4f5dd394 | 10 | #include "escape.h" |
3ffd4af2 | 11 | #include "fd-util.h" |
c004493c | 12 | #include "io-util.h" |
bb15fafe | 13 | #include "path-util.h" |
0b452006 | 14 | #include "process-util.h" |
3ffd4af2 | 15 | #include "pull-common.h" |
4f5dd394 | 16 | #include "pull-job.h" |
595225af | 17 | #include "rlimit-util.h" |
4f5dd394 | 18 | #include "rm-rf.h" |
24882e06 | 19 | #include "signal-util.h" |
9818005d | 20 | #include "siphash24.h" |
07630cea | 21 | #include "string-util.h" |
4f5dd394 LP |
22 | #include "strv.h" |
23 | #include "util.h" | |
49cf4170 | 24 | #include "web-util.h" |
56ebfaf1 LP |
25 | |
26 | #define FILENAME_ESCAPE "/.#\"\'" | |
9818005d | 27 | #define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16) |
56ebfaf1 | 28 | |
9854730b LP |
29 | int pull_find_old_etags( |
30 | const char *url, | |
31 | const char *image_root, | |
32 | int dt, | |
33 | const char *prefix, | |
34 | const char *suffix, | |
35 | char ***etags) { | |
36 | ||
56ebfaf1 LP |
37 | _cleanup_free_ char *escaped_url = NULL; |
38 | _cleanup_closedir_ DIR *d = NULL; | |
39 | _cleanup_strv_free_ char **l = NULL; | |
40 | struct dirent *de; | |
41 | int r; | |
42 | ||
43 | assert(url); | |
44 | assert(etags); | |
45 | ||
46 | if (!image_root) | |
47 | image_root = "/var/lib/machines"; | |
48 | ||
49 | escaped_url = xescape(url, FILENAME_ESCAPE); | |
50 | if (!escaped_url) | |
51 | return -ENOMEM; | |
52 | ||
53 | d = opendir(image_root); | |
54 | if (!d) { | |
55 | if (errno == ENOENT) { | |
56 | *etags = NULL; | |
57 | return 0; | |
58 | } | |
59 | ||
60 | return -errno; | |
61 | } | |
62 | ||
63 | FOREACH_DIRENT_ALL(de, d, return -errno) { | |
6abdec98 | 64 | _cleanup_free_ char *u = NULL; |
56ebfaf1 | 65 | const char *a, *b; |
56ebfaf1 LP |
66 | |
67 | if (de->d_type != DT_UNKNOWN && | |
68 | de->d_type != dt) | |
69 | continue; | |
70 | ||
71 | if (prefix) { | |
72 | a = startswith(de->d_name, prefix); | |
73 | if (!a) | |
74 | continue; | |
75 | } else | |
76 | a = de->d_name; | |
77 | ||
78 | a = startswith(a, escaped_url); | |
79 | if (!a) | |
80 | continue; | |
81 | ||
82 | a = startswith(a, "."); | |
83 | if (!a) | |
84 | continue; | |
85 | ||
86 | if (suffix) { | |
87 | b = endswith(de->d_name, suffix); | |
88 | if (!b) | |
89 | continue; | |
90 | } else | |
91 | b = strchr(de->d_name, 0); | |
92 | ||
93 | if (a >= b) | |
94 | continue; | |
95 | ||
527b7a42 LP |
96 | r = cunescape_length(a, b - a, 0, &u); |
97 | if (r < 0) | |
98 | return r; | |
56ebfaf1 | 99 | |
6abdec98 | 100 | if (!http_etag_is_valid(u)) |
56ebfaf1 | 101 | continue; |
56ebfaf1 | 102 | |
6abdec98 | 103 | r = strv_consume(&l, TAKE_PTR(u)); |
56ebfaf1 LP |
104 | if (r < 0) |
105 | return r; | |
106 | } | |
107 | ||
ae2a15bc | 108 | *etags = TAKE_PTR(l); |
56ebfaf1 LP |
109 | |
110 | return 0; | |
111 | } | |
112 | ||
133b34f6 | 113 | int pull_make_local_copy(const char *final, const char *image_root, const char *local, PullFlags flags) { |
56ebfaf1 LP |
114 | const char *p; |
115 | int r; | |
116 | ||
117 | assert(final); | |
118 | assert(local); | |
119 | ||
120 | if (!image_root) | |
121 | image_root = "/var/lib/machines"; | |
122 | ||
270384b2 | 123 | p = prefix_roota(image_root, local); |
56ebfaf1 | 124 | |
133b34f6 | 125 | if (FLAGS_SET(flags, PULL_FORCE)) |
d9e2daaf | 126 | (void) rm_rf(p, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME); |
56ebfaf1 | 127 | |
17cbb288 LP |
128 | r = btrfs_subvol_snapshot(final, p, |
129 | BTRFS_SNAPSHOT_QUOTA| | |
130 | BTRFS_SNAPSHOT_FALLBACK_COPY| | |
131 | BTRFS_SNAPSHOT_FALLBACK_DIRECTORY| | |
132 | BTRFS_SNAPSHOT_RECURSIVE); | |
133 | if (r < 0) | |
56ebfaf1 LP |
134 | return log_error_errno(r, "Failed to create local image: %m"); |
135 | ||
136 | log_info("Created new local image '%s'.", local); | |
137 | ||
138 | return 0; | |
139 | } | |
140 | ||
9818005d JS |
141 | static int hash_url(const char *url, char **ret) { |
142 | uint64_t h; | |
143 | static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f); | |
144 | ||
145 | assert(url); | |
146 | ||
933f9cae | 147 | h = siphash24(url, strlen(url), k.bytes); |
9818005d JS |
148 | if (asprintf(ret, "%"PRIx64, h) < 0) |
149 | return -ENOMEM; | |
150 | ||
151 | return 0; | |
152 | } | |
153 | ||
dc2c282b | 154 | int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) { |
9818005d | 155 | _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL; |
56ebfaf1 LP |
156 | char *path; |
157 | ||
158 | assert(url); | |
159 | assert(ret); | |
160 | ||
161 | if (!image_root) | |
162 | image_root = "/var/lib/machines"; | |
163 | ||
164 | escaped_url = xescape(url, FILENAME_ESCAPE); | |
165 | if (!escaped_url) | |
166 | return -ENOMEM; | |
167 | ||
168 | if (etag) { | |
56ebfaf1 LP |
169 | escaped_etag = xescape(etag, FILENAME_ESCAPE); |
170 | if (!escaped_etag) | |
171 | return -ENOMEM; | |
9818005d | 172 | } |
56ebfaf1 | 173 | |
9818005d | 174 | path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "", |
4600a396 | 175 | strempty(escaped_etag), strempty(suffix)); |
56ebfaf1 LP |
176 | if (!path) |
177 | return -ENOMEM; | |
178 | ||
9818005d JS |
179 | /* URLs might make the path longer than the maximum allowed length for a file name. |
180 | * When that happens, a URL hash is used instead. Paths returned by this function | |
181 | * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */ | |
182 | if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) { | |
183 | _cleanup_free_ char *hash = NULL; | |
184 | int r; | |
185 | ||
186 | free(path); | |
187 | ||
188 | r = hash_url(url, &hash); | |
189 | if (r < 0) | |
190 | return r; | |
191 | ||
192 | path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "", | |
4600a396 | 193 | strempty(escaped_etag), strempty(suffix)); |
9818005d JS |
194 | if (!path) |
195 | return -ENOMEM; | |
196 | } | |
197 | ||
56ebfaf1 LP |
198 | *ret = path; |
199 | return 0; | |
200 | } | |
85dbc41d | 201 | |
91359193 | 202 | int pull_make_auxiliary_job( |
9854730b LP |
203 | PullJob **ret, |
204 | const char *url, | |
91359193 LP |
205 | int (*strip_suffixes)(const char *name, char **ret), |
206 | const char *suffix, | |
9854730b LP |
207 | CurlGlue *glue, |
208 | PullJobFinished on_finished, | |
209 | void *userdata) { | |
210 | ||
91359193 | 211 | _cleanup_free_ char *last_component = NULL, *ll = NULL, *auxiliary_url = NULL; |
9854730b LP |
212 | _cleanup_(pull_job_unrefp) PullJob *job = NULL; |
213 | const char *q; | |
214 | int r; | |
215 | ||
216 | assert(ret); | |
217 | assert(url); | |
91359193 | 218 | assert(strip_suffixes); |
9854730b LP |
219 | assert(glue); |
220 | ||
221 | r = import_url_last_component(url, &last_component); | |
222 | if (r < 0) | |
223 | return r; | |
224 | ||
91359193 | 225 | r = strip_suffixes(last_component, &ll); |
9854730b LP |
226 | if (r < 0) |
227 | return r; | |
228 | ||
91359193 | 229 | q = strjoina(ll, suffix); |
9854730b | 230 | |
91359193 | 231 | r = import_url_change_last_component(url, q, &auxiliary_url); |
9854730b LP |
232 | if (r < 0) |
233 | return r; | |
234 | ||
91359193 | 235 | r = pull_job_new(&job, auxiliary_url, glue, userdata); |
9854730b LP |
236 | if (r < 0) |
237 | return r; | |
238 | ||
239 | job->on_finished = on_finished; | |
240 | job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL; | |
241 | ||
1cc6c93a | 242 | *ret = TAKE_PTR(job); |
9854730b LP |
243 | |
244 | return 0; | |
245 | } | |
246 | ||
dc2c282b LP |
247 | int pull_make_verification_jobs( |
248 | PullJob **ret_checksum_job, | |
249 | PullJob **ret_signature_job, | |
98c38001 LP |
250 | ImportVerify verify, |
251 | const char *url, | |
252 | CurlGlue *glue, | |
dc2c282b | 253 | PullJobFinished on_finished, |
98c38001 LP |
254 | void *userdata) { |
255 | ||
dc2c282b | 256 | _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL; |
98c38001 LP |
257 | int r; |
258 | ||
259 | assert(ret_checksum_job); | |
260 | assert(ret_signature_job); | |
261 | assert(verify >= 0); | |
262 | assert(verify < _IMPORT_VERIFY_MAX); | |
263 | assert(url); | |
264 | assert(glue); | |
265 | ||
266 | if (verify != IMPORT_VERIFY_NO) { | |
697be0be | 267 | _cleanup_free_ char *checksum_url = NULL, *fn = NULL; |
c6cb8daf | 268 | const char *chksums = NULL; |
98c38001 | 269 | |
697be0be TB |
270 | /* Queue jobs for the checksum file for the image. */ |
271 | r = import_url_last_component(url, &fn); | |
272 | if (r < 0) | |
273 | return r; | |
274 | ||
275 | chksums = strjoina(fn, ".sha256"); | |
276 | ||
277 | r = import_url_change_last_component(url, chksums, &checksum_url); | |
98c38001 LP |
278 | if (r < 0) |
279 | return r; | |
280 | ||
dc2c282b | 281 | r = pull_job_new(&checksum_job, checksum_url, glue, userdata); |
98c38001 LP |
282 | if (r < 0) |
283 | return r; | |
284 | ||
285 | checksum_job->on_finished = on_finished; | |
286 | checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
287 | } | |
288 | ||
289 | if (verify == IMPORT_VERIFY_SIGNATURE) { | |
290 | _cleanup_free_ char *signature_url = NULL; | |
291 | ||
292 | /* Queue job for the SHA256SUMS.gpg file for the image. */ | |
293 | r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url); | |
294 | if (r < 0) | |
295 | return r; | |
296 | ||
dc2c282b | 297 | r = pull_job_new(&signature_job, signature_url, glue, userdata); |
98c38001 LP |
298 | if (r < 0) |
299 | return r; | |
300 | ||
301 | signature_job->on_finished = on_finished; | |
302 | signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
303 | } | |
304 | ||
c20307fd LP |
305 | *ret_checksum_job = TAKE_PTR(checksum_job); |
306 | *ret_signature_job = TAKE_PTR(signature_job); | |
98c38001 LP |
307 | |
308 | return 0; | |
309 | } | |
310 | ||
91359193 | 311 | static int verify_one(PullJob *checksum_job, PullJob *job) { |
98c38001 | 312 | _cleanup_free_ char *fn = NULL; |
91359193 | 313 | const char *line, *p; |
98c38001 LP |
314 | int r; |
315 | ||
91359193 | 316 | assert(checksum_job); |
98c38001 | 317 | |
91359193 | 318 | if (!job) |
98c38001 LP |
319 | return 0; |
320 | ||
91359193 | 321 | assert(IN_SET(job->state, PULL_JOB_DONE, PULL_JOB_FAILED)); |
98c38001 | 322 | |
91359193 LP |
323 | /* Don't verify the checksum if we didn't actually successfully download something new */ |
324 | if (job->state != PULL_JOB_DONE) | |
325 | return 0; | |
326 | if (job->error != 0) | |
327 | return 0; | |
328 | if (job->etag_exists) | |
329 | return 0; | |
98c38001 | 330 | |
91359193 LP |
331 | assert(job->calc_checksum); |
332 | assert(job->checksum); | |
333 | ||
334 | r = import_url_last_component(job->url, &fn); | |
98c38001 LP |
335 | if (r < 0) |
336 | return log_oom(); | |
337 | ||
baaa35ad ZJS |
338 | if (!filename_is_valid(fn)) |
339 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
340 | "Cannot verify checksum, could not determine server-side file name."); | |
98c38001 | 341 | |
91359193 | 342 | line = strjoina(job->checksum, " *", fn, "\n"); |
98c38001 LP |
343 | |
344 | p = memmem(checksum_job->payload, | |
345 | checksum_job->payload_size, | |
346 | line, | |
347 | strlen(line)); | |
348 | ||
697be0be TB |
349 | if (!p) { |
350 | line = strjoina(job->checksum, " ", fn, "\n"); | |
351 | ||
352 | p = memmem(checksum_job->payload, | |
353 | checksum_job->payload_size, | |
354 | line, | |
355 | strlen(line)); | |
356 | } | |
357 | ||
baaa35ad ZJS |
358 | if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) |
359 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
360 | "DOWNLOAD INVALID: Checksum of %s file did not checkout, file has been tampered with.", fn); | |
98c38001 | 361 | |
91359193 LP |
362 | log_info("SHA256 checksum of %s is valid.", job->url); |
363 | return 1; | |
364 | } | |
98c38001 | 365 | |
ac71ece3 LP |
366 | static int verify_gpg( |
367 | const void *payload, size_t payload_size, | |
368 | const void *signature, size_t signature_size) { | |
9854730b | 369 | |
91359193 | 370 | _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 }; |
91359193 LP |
371 | char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX"; |
372 | _cleanup_(sigkill_waitp) pid_t pid = 0; | |
373 | bool gpg_home_created = false; | |
374 | int r; | |
9854730b | 375 | |
ac71ece3 LP |
376 | assert(payload || payload_size == 0); |
377 | assert(signature || signature_size == 0); | |
98c38001 LP |
378 | |
379 | r = pipe2(gpg_pipe, O_CLOEXEC); | |
380 | if (r < 0) | |
0100b6e1 | 381 | return log_error_errno(errno, "Failed to create pipe for gpg: %m"); |
98c38001 | 382 | |
ac71ece3 LP |
383 | if (signature_size > 0) { |
384 | _cleanup_close_ int sig_file = -1; | |
98c38001 | 385 | |
ac71ece3 LP |
386 | sig_file = mkostemp(sig_file_path, O_RDWR); |
387 | if (sig_file < 0) | |
388 | return log_error_errno(errno, "Failed to create temporary file: %m"); | |
389 | ||
390 | r = loop_write(sig_file, signature, signature_size, false); | |
391 | if (r < 0) { | |
392 | log_error_errno(r, "Failed to write to temporary file: %m"); | |
393 | goto finish; | |
394 | } | |
98c38001 LP |
395 | } |
396 | ||
0acfdffe | 397 | if (!mkdtemp(gpg_home)) { |
5238e957 | 398 | r = log_error_errno(errno, "Failed to create temporary home for gpg: %m"); |
0acfdffe LP |
399 | goto finish; |
400 | } | |
401 | ||
402 | gpg_home_created = true; | |
403 | ||
b6e1fff1 | 404 | r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid); |
4c253ed1 | 405 | if (r < 0) |
b6e1fff1 | 406 | return r; |
4c253ed1 | 407 | if (r == 0) { |
98c38001 LP |
408 | const char *cmd[] = { |
409 | "gpg", | |
410 | "--no-options", | |
411 | "--no-default-keyring", | |
412 | "--no-auto-key-locate", | |
413 | "--no-auto-check-trustdb", | |
414 | "--batch", | |
415 | "--trust-model=always", | |
0acfdffe LP |
416 | NULL, /* --homedir= */ |
417 | NULL, /* --keyring= */ | |
98c38001 LP |
418 | NULL, /* --verify */ |
419 | NULL, /* signature file */ | |
420 | NULL, /* dash */ | |
421 | NULL /* trailing NULL */ | |
422 | }; | |
ac71ece3 | 423 | size_t k = ELEMENTSOF(cmd) - 6; |
98c38001 LP |
424 | |
425 | /* Child */ | |
426 | ||
98c38001 LP |
427 | gpg_pipe[1] = safe_close(gpg_pipe[1]); |
428 | ||
2b33ab09 | 429 | r = rearrange_stdio(gpg_pipe[0], -1, STDERR_FILENO); |
046a82c1 | 430 | if (r < 0) { |
2b33ab09 | 431 | log_error_errno(r, "Failed to rearrange stdin/stdout: %m"); |
98c38001 LP |
432 | _exit(EXIT_FAILURE); |
433 | } | |
434 | ||
595225af LP |
435 | (void) rlimit_nofile_safe(); |
436 | ||
0acfdffe LP |
437 | cmd[k++] = strjoina("--homedir=", gpg_home); |
438 | ||
ac71ece3 | 439 | /* We add the user keyring only to the command line arguments, if it's around since gpg fails |
98c38001 LP |
440 | * otherwise. */ |
441 | if (access(USER_KEYRING_PATH, F_OK) >= 0) | |
442 | cmd[k++] = "--keyring=" USER_KEYRING_PATH; | |
1c49d1ba LP |
443 | else |
444 | cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH; | |
98c38001 LP |
445 | |
446 | cmd[k++] = "--verify"; | |
ac71ece3 | 447 | if (signature) { |
697be0be TB |
448 | cmd[k++] = sig_file_path; |
449 | cmd[k++] = "-"; | |
450 | cmd[k++] = NULL; | |
451 | } | |
98c38001 | 452 | |
0acfdffe | 453 | execvp("gpg2", (char * const *) cmd); |
98c38001 LP |
454 | execvp("gpg", (char * const *) cmd); |
455 | log_error_errno(errno, "Failed to execute gpg: %m"); | |
456 | _exit(EXIT_FAILURE); | |
457 | } | |
458 | ||
459 | gpg_pipe[0] = safe_close(gpg_pipe[0]); | |
460 | ||
ac71ece3 | 461 | r = loop_write(gpg_pipe[1], payload, payload_size, false); |
98c38001 LP |
462 | if (r < 0) { |
463 | log_error_errno(r, "Failed to write to pipe: %m"); | |
464 | goto finish; | |
465 | } | |
466 | ||
467 | gpg_pipe[1] = safe_close(gpg_pipe[1]); | |
468 | ||
7d4904fe | 469 | r = wait_for_terminate_and_check("gpg", pid, WAIT_LOG_ABNORMAL); |
98c38001 LP |
470 | pid = 0; |
471 | if (r < 0) | |
472 | goto finish; | |
b4a34311 | 473 | if (r != EXIT_SUCCESS) { |
9854730b | 474 | log_error("DOWNLOAD INVALID: Signature verification failed."); |
98c38001 LP |
475 | r = -EBADMSG; |
476 | } else { | |
477 | log_info("Signature verification succeeded."); | |
478 | r = 0; | |
479 | } | |
480 | ||
481 | finish: | |
ac71ece3 LP |
482 | if (signature_size > 0) |
483 | (void) unlink(sig_file_path); | |
98c38001 | 484 | |
0acfdffe | 485 | if (gpg_home_created) |
c6878637 | 486 | (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL); |
0acfdffe | 487 | |
98c38001 LP |
488 | return r; |
489 | } | |
f14717a7 | 490 | |
ac71ece3 LP |
491 | int pull_verify(ImportVerify verify, |
492 | PullJob *main_job, | |
493 | PullJob *roothash_job, | |
494 | PullJob *settings_job, | |
495 | PullJob *checksum_job, | |
496 | PullJob *signature_job) { | |
497 | ||
498 | VerificationStyle style; | |
499 | int r; | |
500 | ||
501 | assert(main_job); | |
502 | assert(main_job->state == PULL_JOB_DONE); | |
503 | ||
504 | if (verify == IMPORT_VERIFY_NO) | |
505 | return 0; | |
506 | ||
507 | assert(main_job->calc_checksum); | |
508 | assert(main_job->checksum); | |
509 | assert(checksum_job); | |
510 | assert(checksum_job->state == PULL_JOB_DONE); | |
511 | ||
512 | if (!checksum_job->payload || checksum_job->payload_size <= 0) | |
513 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
514 | "Checksum is empty, cannot verify."); | |
515 | ||
516 | r = verify_one(checksum_job, main_job); | |
517 | if (r < 0) | |
518 | return r; | |
519 | ||
520 | r = verify_one(checksum_job, roothash_job); | |
521 | if (r < 0) | |
522 | return r; | |
523 | ||
524 | r = verify_one(checksum_job, settings_job); | |
525 | if (r < 0) | |
526 | return r; | |
527 | ||
528 | if (verify == IMPORT_VERIFY_CHECKSUM) | |
529 | return 0; | |
530 | ||
531 | r = verification_style_from_url(checksum_job->url, &style); | |
532 | if (r < 0) | |
533 | return log_error_errno(r, "Failed to determine verification style from URL '%s': %m", checksum_job->url); | |
534 | ||
535 | if (style == VERIFICATION_PER_DIRECTORY) { | |
536 | assert(signature_job); | |
537 | assert(signature_job->state == PULL_JOB_DONE); | |
538 | ||
539 | if (!signature_job->payload || signature_job->payload_size <= 0) | |
540 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
541 | "Signature is empty, cannot verify."); | |
542 | ||
543 | return verify_gpg(checksum_job->payload, checksum_job->payload_size, signature_job->payload, signature_job->payload_size); | |
544 | } else | |
545 | return verify_gpg(checksum_job->payload, checksum_job->payload_size, NULL, 0); | |
546 | } | |
547 | ||
f14717a7 LP |
548 | int verification_style_from_url(const char *url, VerificationStyle *ret) { |
549 | _cleanup_free_ char *last = NULL; | |
550 | int r; | |
551 | ||
552 | assert(url); | |
553 | assert(ret); | |
554 | ||
555 | /* Determines which kind of verification style is appropriate for this url */ | |
556 | ||
557 | r = import_url_last_component(url, &last); | |
558 | if (r < 0) | |
559 | return r; | |
560 | ||
561 | if (streq(last, "SHA256SUMS")) { | |
562 | *ret = VERIFICATION_PER_DIRECTORY; | |
563 | return 0; | |
564 | } | |
565 | ||
566 | if (endswith(last, ".sha256")) { | |
567 | *ret = VERIFICATION_PER_FILE; | |
568 | return 0; | |
569 | } | |
570 | ||
571 | return -EINVAL; | |
572 | } | |
573 | ||
574 | int pull_job_restart_with_sha256sum(PullJob *j, char **ret) { | |
575 | VerificationStyle style; | |
576 | int r; | |
577 | ||
578 | assert(j); | |
579 | ||
580 | /* Generic implementation of a PullJobNotFound handler, that restarts the job requesting SHA256SUMS */ | |
581 | ||
582 | r = verification_style_from_url(j->url, &style); | |
583 | if (r < 0) | |
584 | return log_error_errno(r, "Failed to determine verification style of URL '%s': %m", j->url); | |
585 | ||
586 | if (style == VERIFICATION_PER_DIRECTORY) /* Nothing to do anymore */ | |
587 | return 0; | |
588 | ||
589 | assert(style == VERIFICATION_PER_FILE); /* This must have been .sha256 style URL before */ | |
590 | ||
591 | log_debug("Got 404 for %s, now trying to get SHA256SUMS instead.", j->url); | |
592 | ||
593 | r = import_url_change_last_component(j->url, "SHA256SUMS", ret); | |
594 | if (r < 0) | |
595 | return log_error_errno(r, "Failed to replace SHA256SUMS suffix: %m"); | |
596 | ||
597 | return 1; | |
598 | } |