]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/import/pull-common.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
import: properly verify roothash_signature + verity download, too
[thirdparty/systemd.git] / src / import / pull-common.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/prctl.h>
4
5 #include "alloc-util.h"
6 #include "btrfs-util.h"
7 #include "capability-util.h"
8 #include "copy.h"
9 #include "dirent-util.h"
10 #include "escape.h"
11 #include "fd-util.h"
12 #include "io-util.h"
13 #include "path-util.h"
14 #include "process-util.h"
15 #include "pull-common.h"
16 #include "pull-job.h"
17 #include "rlimit-util.h"
18 #include "rm-rf.h"
19 #include "signal-util.h"
20 #include "siphash24.h"
21 #include "string-util.h"
22 #include "strv.h"
23 #include "util.h"
24 #include "web-util.h"
25
26 #define FILENAME_ESCAPE "/.#\"\'"
27 #define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16)
28
29 int pull_find_old_etags(
30 const char *url,
31 const char *image_root,
32 int dt,
33 const char *prefix,
34 const char *suffix,
35 char ***etags) {
36
37 _cleanup_free_ char *escaped_url = NULL;
38 _cleanup_closedir_ DIR *d = NULL;
39 _cleanup_strv_free_ char **l = NULL;
40 struct dirent *de;
41 int r;
42
43 assert(url);
44 assert(etags);
45
46 if (!image_root)
47 image_root = "/var/lib/machines";
48
49 escaped_url = xescape(url, FILENAME_ESCAPE);
50 if (!escaped_url)
51 return -ENOMEM;
52
53 d = opendir(image_root);
54 if (!d) {
55 if (errno == ENOENT) {
56 *etags = NULL;
57 return 0;
58 }
59
60 return -errno;
61 }
62
63 FOREACH_DIRENT_ALL(de, d, return -errno) {
64 _cleanup_free_ char *u = NULL;
65 const char *a, *b;
66
67 if (de->d_type != DT_UNKNOWN &&
68 de->d_type != dt)
69 continue;
70
71 if (prefix) {
72 a = startswith(de->d_name, prefix);
73 if (!a)
74 continue;
75 } else
76 a = de->d_name;
77
78 a = startswith(a, escaped_url);
79 if (!a)
80 continue;
81
82 a = startswith(a, ".");
83 if (!a)
84 continue;
85
86 if (suffix) {
87 b = endswith(de->d_name, suffix);
88 if (!b)
89 continue;
90 } else
91 b = strchr(de->d_name, 0);
92
93 if (a >= b)
94 continue;
95
96 r = cunescape_length(a, b - a, 0, &u);
97 if (r < 0)
98 return r;
99
100 if (!http_etag_is_valid(u))
101 continue;
102
103 r = strv_consume(&l, TAKE_PTR(u));
104 if (r < 0)
105 return r;
106 }
107
108 *etags = TAKE_PTR(l);
109
110 return 0;
111 }
112
113 int pull_make_local_copy(const char *final, const char *image_root, const char *local, PullFlags flags) {
114 const char *p;
115 int r;
116
117 assert(final);
118 assert(local);
119
120 if (!image_root)
121 image_root = "/var/lib/machines";
122
123 p = prefix_roota(image_root, local);
124
125 if (FLAGS_SET(flags, PULL_FORCE))
126 (void) rm_rf(p, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
127
128 r = btrfs_subvol_snapshot(final, p,
129 BTRFS_SNAPSHOT_QUOTA|
130 BTRFS_SNAPSHOT_FALLBACK_COPY|
131 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY|
132 BTRFS_SNAPSHOT_RECURSIVE);
133 if (r < 0)
134 return log_error_errno(r, "Failed to create local image: %m");
135
136 log_info("Created new local image '%s'.", local);
137
138 return 0;
139 }
140
141 static int hash_url(const char *url, char **ret) {
142 uint64_t h;
143 static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f);
144
145 assert(url);
146
147 h = siphash24(url, strlen(url), k.bytes);
148 if (asprintf(ret, "%"PRIx64, h) < 0)
149 return -ENOMEM;
150
151 return 0;
152 }
153
154 int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) {
155 _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL;
156 char *path;
157
158 assert(url);
159 assert(ret);
160
161 if (!image_root)
162 image_root = "/var/lib/machines";
163
164 escaped_url = xescape(url, FILENAME_ESCAPE);
165 if (!escaped_url)
166 return -ENOMEM;
167
168 if (etag) {
169 escaped_etag = xescape(etag, FILENAME_ESCAPE);
170 if (!escaped_etag)
171 return -ENOMEM;
172 }
173
174 path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "",
175 strempty(escaped_etag), strempty(suffix));
176 if (!path)
177 return -ENOMEM;
178
179 /* URLs might make the path longer than the maximum allowed length for a file name.
180 * When that happens, a URL hash is used instead. Paths returned by this function
181 * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */
182 if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) {
183 _cleanup_free_ char *hash = NULL;
184 int r;
185
186 free(path);
187
188 r = hash_url(url, &hash);
189 if (r < 0)
190 return r;
191
192 path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "",
193 strempty(escaped_etag), strempty(suffix));
194 if (!path)
195 return -ENOMEM;
196 }
197
198 *ret = path;
199 return 0;
200 }
201
202 int pull_make_auxiliary_job(
203 PullJob **ret,
204 const char *url,
205 int (*strip_suffixes)(const char *name, char **ret),
206 const char *suffix,
207 CurlGlue *glue,
208 PullJobFinished on_finished,
209 void *userdata) {
210
211 _cleanup_free_ char *last_component = NULL, *ll = NULL, *auxiliary_url = NULL;
212 _cleanup_(pull_job_unrefp) PullJob *job = NULL;
213 const char *q;
214 int r;
215
216 assert(ret);
217 assert(url);
218 assert(strip_suffixes);
219 assert(glue);
220
221 r = import_url_last_component(url, &last_component);
222 if (r < 0)
223 return r;
224
225 r = strip_suffixes(last_component, &ll);
226 if (r < 0)
227 return r;
228
229 q = strjoina(ll, suffix);
230
231 r = import_url_change_last_component(url, q, &auxiliary_url);
232 if (r < 0)
233 return r;
234
235 r = pull_job_new(&job, auxiliary_url, glue, userdata);
236 if (r < 0)
237 return r;
238
239 job->on_finished = on_finished;
240 job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL;
241
242 *ret = TAKE_PTR(job);
243
244 return 0;
245 }
246
247 int pull_make_verification_jobs(
248 PullJob **ret_checksum_job,
249 PullJob **ret_signature_job,
250 ImportVerify verify,
251 const char *url,
252 CurlGlue *glue,
253 PullJobFinished on_finished,
254 void *userdata) {
255
256 _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL;
257 int r;
258
259 assert(ret_checksum_job);
260 assert(ret_signature_job);
261 assert(verify >= 0);
262 assert(verify < _IMPORT_VERIFY_MAX);
263 assert(url);
264 assert(glue);
265
266 if (verify != IMPORT_VERIFY_NO) {
267 _cleanup_free_ char *checksum_url = NULL, *fn = NULL;
268 const char *chksums = NULL;
269
270 /* Queue jobs for the checksum file for the image. */
271 r = import_url_last_component(url, &fn);
272 if (r < 0)
273 return r;
274
275 chksums = strjoina(fn, ".sha256");
276
277 r = import_url_change_last_component(url, chksums, &checksum_url);
278 if (r < 0)
279 return r;
280
281 r = pull_job_new(&checksum_job, checksum_url, glue, userdata);
282 if (r < 0)
283 return r;
284
285 checksum_job->on_finished = on_finished;
286 checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
287 }
288
289 if (verify == IMPORT_VERIFY_SIGNATURE) {
290 _cleanup_free_ char *signature_url = NULL;
291
292 /* Queue job for the SHA256SUMS.gpg file for the image. */
293 r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url);
294 if (r < 0)
295 return r;
296
297 r = pull_job_new(&signature_job, signature_url, glue, userdata);
298 if (r < 0)
299 return r;
300
301 signature_job->on_finished = on_finished;
302 signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL;
303 }
304
305 *ret_checksum_job = TAKE_PTR(checksum_job);
306 *ret_signature_job = TAKE_PTR(signature_job);
307
308 return 0;
309 }
310
311 static int verify_one(PullJob *checksum_job, PullJob *job) {
312 _cleanup_free_ char *fn = NULL;
313 const char *line, *p;
314 int r;
315
316 assert(checksum_job);
317
318 if (!job)
319 return 0;
320
321 assert(IN_SET(job->state, PULL_JOB_DONE, PULL_JOB_FAILED));
322
323 /* Don't verify the checksum if we didn't actually successfully download something new */
324 if (job->state != PULL_JOB_DONE)
325 return 0;
326 if (job->error != 0)
327 return 0;
328 if (job->etag_exists)
329 return 0;
330
331 assert(job->calc_checksum);
332 assert(job->checksum);
333
334 r = import_url_last_component(job->url, &fn);
335 if (r < 0)
336 return log_oom();
337
338 if (!filename_is_valid(fn))
339 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
340 "Cannot verify checksum, could not determine server-side file name.");
341
342 line = strjoina(job->checksum, " *", fn, "\n");
343
344 p = memmem(checksum_job->payload,
345 checksum_job->payload_size,
346 line,
347 strlen(line));
348
349 if (!p) {
350 line = strjoina(job->checksum, " ", fn, "\n");
351
352 p = memmem(checksum_job->payload,
353 checksum_job->payload_size,
354 line,
355 strlen(line));
356 }
357
358 if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n'))
359 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
360 "DOWNLOAD INVALID: Checksum of %s file did not checkout, file has been tampered with.", fn);
361
362 log_info("SHA256 checksum of %s is valid.", job->url);
363 return 1;
364 }
365
366 static int verify_gpg(
367 const void *payload, size_t payload_size,
368 const void *signature, size_t signature_size) {
369
370 _cleanup_close_pair_ int gpg_pipe[2] = { -1, -1 };
371 char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX";
372 _cleanup_(sigkill_waitp) pid_t pid = 0;
373 bool gpg_home_created = false;
374 int r;
375
376 assert(payload || payload_size == 0);
377 assert(signature || signature_size == 0);
378
379 r = pipe2(gpg_pipe, O_CLOEXEC);
380 if (r < 0)
381 return log_error_errno(errno, "Failed to create pipe for gpg: %m");
382
383 if (signature_size > 0) {
384 _cleanup_close_ int sig_file = -1;
385
386 sig_file = mkostemp(sig_file_path, O_RDWR);
387 if (sig_file < 0)
388 return log_error_errno(errno, "Failed to create temporary file: %m");
389
390 r = loop_write(sig_file, signature, signature_size, false);
391 if (r < 0) {
392 log_error_errno(r, "Failed to write to temporary file: %m");
393 goto finish;
394 }
395 }
396
397 if (!mkdtemp(gpg_home)) {
398 r = log_error_errno(errno, "Failed to create temporary home for gpg: %m");
399 goto finish;
400 }
401
402 gpg_home_created = true;
403
404 r = safe_fork("(gpg)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_LOG, &pid);
405 if (r < 0)
406 return r;
407 if (r == 0) {
408 const char *cmd[] = {
409 "gpg",
410 "--no-options",
411 "--no-default-keyring",
412 "--no-auto-key-locate",
413 "--no-auto-check-trustdb",
414 "--batch",
415 "--trust-model=always",
416 NULL, /* --homedir= */
417 NULL, /* --keyring= */
418 NULL, /* --verify */
419 NULL, /* signature file */
420 NULL, /* dash */
421 NULL /* trailing NULL */
422 };
423 size_t k = ELEMENTSOF(cmd) - 6;
424
425 /* Child */
426
427 gpg_pipe[1] = safe_close(gpg_pipe[1]);
428
429 r = rearrange_stdio(gpg_pipe[0], -1, STDERR_FILENO);
430 if (r < 0) {
431 log_error_errno(r, "Failed to rearrange stdin/stdout: %m");
432 _exit(EXIT_FAILURE);
433 }
434
435 (void) rlimit_nofile_safe();
436
437 cmd[k++] = strjoina("--homedir=", gpg_home);
438
439 /* We add the user keyring only to the command line arguments, if it's around since gpg fails
440 * otherwise. */
441 if (access(USER_KEYRING_PATH, F_OK) >= 0)
442 cmd[k++] = "--keyring=" USER_KEYRING_PATH;
443 else
444 cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH;
445
446 cmd[k++] = "--verify";
447 if (signature) {
448 cmd[k++] = sig_file_path;
449 cmd[k++] = "-";
450 cmd[k++] = NULL;
451 }
452
453 execvp("gpg2", (char * const *) cmd);
454 execvp("gpg", (char * const *) cmd);
455 log_error_errno(errno, "Failed to execute gpg: %m");
456 _exit(EXIT_FAILURE);
457 }
458
459 gpg_pipe[0] = safe_close(gpg_pipe[0]);
460
461 r = loop_write(gpg_pipe[1], payload, payload_size, false);
462 if (r < 0) {
463 log_error_errno(r, "Failed to write to pipe: %m");
464 goto finish;
465 }
466
467 gpg_pipe[1] = safe_close(gpg_pipe[1]);
468
469 r = wait_for_terminate_and_check("gpg", pid, WAIT_LOG_ABNORMAL);
470 pid = 0;
471 if (r < 0)
472 goto finish;
473 if (r != EXIT_SUCCESS) {
474 log_error("DOWNLOAD INVALID: Signature verification failed.");
475 r = -EBADMSG;
476 } else {
477 log_info("Signature verification succeeded.");
478 r = 0;
479 }
480
481 finish:
482 if (signature_size > 0)
483 (void) unlink(sig_file_path);
484
485 if (gpg_home_created)
486 (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL);
487
488 return r;
489 }
490
491 int pull_verify(ImportVerify verify,
492 PullJob *main_job,
493 PullJob *checksum_job,
494 PullJob *signature_job,
495 PullJob *settings_job,
496 PullJob *roothash_job,
497 PullJob *roothash_signature_job,
498 PullJob *verity_job) {
499
500 VerificationStyle style;
501 PullJob *j;
502 int r;
503
504 assert(main_job);
505 assert(main_job->state == PULL_JOB_DONE);
506
507 if (verify == IMPORT_VERIFY_NO)
508 return 0;
509
510 assert(main_job->calc_checksum);
511 assert(main_job->checksum);
512 assert(checksum_job);
513 assert(checksum_job->state == PULL_JOB_DONE);
514
515 if (!checksum_job->payload || checksum_job->payload_size <= 0)
516 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
517 "Checksum is empty, cannot verify.");
518
519 FOREACH_POINTER(j, main_job, settings_job, roothash_job, roothash_signature_job, verity_job) {
520 r = verify_one(checksum_job, j);
521 if (r < 0)
522 return r;
523 }
524
525 if (verify == IMPORT_VERIFY_CHECKSUM)
526 return 0;
527
528 r = verification_style_from_url(checksum_job->url, &style);
529 if (r < 0)
530 return log_error_errno(r, "Failed to determine verification style from URL '%s': %m", checksum_job->url);
531
532 if (style == VERIFICATION_PER_DIRECTORY) {
533 assert(signature_job);
534 assert(signature_job->state == PULL_JOB_DONE);
535
536 if (!signature_job->payload || signature_job->payload_size <= 0)
537 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
538 "Signature is empty, cannot verify.");
539
540 return verify_gpg(checksum_job->payload, checksum_job->payload_size, signature_job->payload, signature_job->payload_size);
541 } else
542 return verify_gpg(checksum_job->payload, checksum_job->payload_size, NULL, 0);
543 }
544
545 int verification_style_from_url(const char *url, VerificationStyle *ret) {
546 _cleanup_free_ char *last = NULL;
547 int r;
548
549 assert(url);
550 assert(ret);
551
552 /* Determines which kind of verification style is appropriate for this url */
553
554 r = import_url_last_component(url, &last);
555 if (r < 0)
556 return r;
557
558 if (streq(last, "SHA256SUMS")) {
559 *ret = VERIFICATION_PER_DIRECTORY;
560 return 0;
561 }
562
563 if (endswith(last, ".sha256")) {
564 *ret = VERIFICATION_PER_FILE;
565 return 0;
566 }
567
568 return -EINVAL;
569 }
570
571 int pull_job_restart_with_sha256sum(PullJob *j, char **ret) {
572 VerificationStyle style;
573 int r;
574
575 assert(j);
576
577 /* Generic implementation of a PullJobNotFound handler, that restarts the job requesting SHA256SUMS */
578
579 r = verification_style_from_url(j->url, &style);
580 if (r < 0)
581 return log_error_errno(r, "Failed to determine verification style of URL '%s': %m", j->url);
582
583 if (style == VERIFICATION_PER_DIRECTORY) /* Nothing to do anymore */
584 return 0;
585
586 assert(style == VERIFICATION_PER_FILE); /* This must have been .sha256 style URL before */
587
588 log_debug("Got 404 for %s, now trying to get SHA256SUMS instead.", j->url);
589
590 r = import_url_change_last_component(j->url, "SHA256SUMS", ret);
591 if (r < 0)
592 return log_error_errno(r, "Failed to replace SHA256SUMS suffix: %m");
593
594 return 1;
595 }
Unnamed repository; edit this file 'description' to name the repository.