]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
56ebfaf1 | 2 | |
98c38001 LP |
3 | #include <sys/prctl.h> |
4 | ||
b5efdb8a | 5 | #include "alloc-util.h" |
56ebfaf1 | 6 | #include "btrfs-util.h" |
430f0182 | 7 | #include "capability-util.h" |
4f5dd394 | 8 | #include "copy.h" |
a0956174 | 9 | #include "dirent-util.h" |
4f5dd394 | 10 | #include "escape.h" |
3ffd4af2 | 11 | #include "fd-util.h" |
c40d82ab | 12 | #include "hostname-util.h" |
c004493c | 13 | #include "io-util.h" |
e8b08edc | 14 | #include "memory-util.h" |
bb15fafe | 15 | #include "path-util.h" |
0b452006 | 16 | #include "process-util.h" |
3ffd4af2 | 17 | #include "pull-common.h" |
4f5dd394 LP |
18 | #include "pull-job.h" |
19 | #include "rm-rf.h" | |
24882e06 | 20 | #include "signal-util.h" |
9818005d | 21 | #include "siphash24.h" |
07630cea | 22 | #include "string-util.h" |
4f5dd394 | 23 | #include "strv.h" |
49cf4170 | 24 | #include "web-util.h" |
56ebfaf1 LP |
25 | |
26 | #define FILENAME_ESCAPE "/.#\"\'" | |
9818005d | 27 | #define HASH_URL_THRESHOLD_LENGTH (_POSIX_PATH_MAX - 16) |
56ebfaf1 | 28 | |
9854730b LP |
29 | int pull_find_old_etags( |
30 | const char *url, | |
31 | const char *image_root, | |
32 | int dt, | |
33 | const char *prefix, | |
34 | const char *suffix, | |
35 | char ***etags) { | |
36 | ||
56ebfaf1 LP |
37 | int r; |
38 | ||
39 | assert(url); | |
40 | assert(etags); | |
41 | ||
42 | if (!image_root) | |
43 | image_root = "/var/lib/machines"; | |
44 | ||
e437538f | 45 | _cleanup_free_ char *escaped_url = xescape(url, FILENAME_ESCAPE); |
56ebfaf1 LP |
46 | if (!escaped_url) |
47 | return -ENOMEM; | |
48 | ||
e437538f | 49 | _cleanup_closedir_ DIR *d = opendir(image_root); |
56ebfaf1 LP |
50 | if (!d) { |
51 | if (errno == ENOENT) { | |
52 | *etags = NULL; | |
53 | return 0; | |
54 | } | |
55 | ||
56 | return -errno; | |
57 | } | |
58 | ||
e437538f | 59 | _cleanup_strv_free_ char **ans = NULL; |
e437538f | 60 | |
56ebfaf1 | 61 | FOREACH_DIRENT_ALL(de, d, return -errno) { |
6abdec98 | 62 | _cleanup_free_ char *u = NULL; |
56ebfaf1 | 63 | const char *a, *b; |
56ebfaf1 LP |
64 | |
65 | if (de->d_type != DT_UNKNOWN && | |
66 | de->d_type != dt) | |
67 | continue; | |
68 | ||
69 | if (prefix) { | |
70 | a = startswith(de->d_name, prefix); | |
71 | if (!a) | |
72 | continue; | |
73 | } else | |
74 | a = de->d_name; | |
75 | ||
76 | a = startswith(a, escaped_url); | |
77 | if (!a) | |
78 | continue; | |
79 | ||
80 | a = startswith(a, "."); | |
81 | if (!a) | |
82 | continue; | |
83 | ||
84 | if (suffix) { | |
85 | b = endswith(de->d_name, suffix); | |
86 | if (!b) | |
87 | continue; | |
88 | } else | |
89 | b = strchr(de->d_name, 0); | |
90 | ||
91 | if (a >= b) | |
92 | continue; | |
93 | ||
e437538f ZJS |
94 | ssize_t l = cunescape_length(a, b - a, 0, &u); |
95 | if (l < 0) { | |
96 | assert(l >= INT8_MIN); | |
97 | return l; | |
98 | } | |
56ebfaf1 | 99 | |
6abdec98 | 100 | if (!http_etag_is_valid(u)) |
56ebfaf1 | 101 | continue; |
56ebfaf1 | 102 | |
e437538f | 103 | r = strv_consume(&ans, TAKE_PTR(u)); |
56ebfaf1 LP |
104 | if (r < 0) |
105 | return r; | |
106 | } | |
107 | ||
e437538f | 108 | *etags = TAKE_PTR(ans); |
56ebfaf1 LP |
109 | |
110 | return 0; | |
111 | } | |
112 | ||
9818005d JS |
113 | static int hash_url(const char *url, char **ret) { |
114 | uint64_t h; | |
115 | static const sd_id128_t k = SD_ID128_ARRAY(df,89,16,87,01,cc,42,30,98,ab,4a,19,a6,a5,63,4f); | |
116 | ||
117 | assert(url); | |
118 | ||
933f9cae | 119 | h = siphash24(url, strlen(url), k.bytes); |
9818005d JS |
120 | if (asprintf(ret, "%"PRIx64, h) < 0) |
121 | return -ENOMEM; | |
122 | ||
123 | return 0; | |
124 | } | |
125 | ||
dc2c282b | 126 | int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret) { |
9818005d | 127 | _cleanup_free_ char *escaped_url = NULL, *escaped_etag = NULL; |
56ebfaf1 LP |
128 | char *path; |
129 | ||
130 | assert(url); | |
131 | assert(ret); | |
132 | ||
133 | if (!image_root) | |
134 | image_root = "/var/lib/machines"; | |
135 | ||
136 | escaped_url = xescape(url, FILENAME_ESCAPE); | |
137 | if (!escaped_url) | |
138 | return -ENOMEM; | |
139 | ||
140 | if (etag) { | |
56ebfaf1 LP |
141 | escaped_etag = xescape(etag, FILENAME_ESCAPE); |
142 | if (!escaped_etag) | |
143 | return -ENOMEM; | |
9818005d | 144 | } |
56ebfaf1 | 145 | |
9818005d | 146 | path = strjoin(image_root, "/", strempty(prefix), escaped_url, escaped_etag ? "." : "", |
4600a396 | 147 | strempty(escaped_etag), strempty(suffix)); |
56ebfaf1 LP |
148 | if (!path) |
149 | return -ENOMEM; | |
150 | ||
9818005d JS |
151 | /* URLs might make the path longer than the maximum allowed length for a file name. |
152 | * When that happens, a URL hash is used instead. Paths returned by this function | |
153 | * can be later used with tempfn_random() which adds 16 bytes to the resulting name. */ | |
154 | if (strlen(path) >= HASH_URL_THRESHOLD_LENGTH) { | |
155 | _cleanup_free_ char *hash = NULL; | |
156 | int r; | |
157 | ||
158 | free(path); | |
159 | ||
160 | r = hash_url(url, &hash); | |
161 | if (r < 0) | |
162 | return r; | |
163 | ||
164 | path = strjoin(image_root, "/", strempty(prefix), hash, escaped_etag ? "." : "", | |
4600a396 | 165 | strempty(escaped_etag), strempty(suffix)); |
9818005d JS |
166 | if (!path) |
167 | return -ENOMEM; | |
168 | } | |
169 | ||
56ebfaf1 LP |
170 | *ret = path; |
171 | return 0; | |
172 | } | |
85dbc41d | 173 | |
91359193 | 174 | int pull_make_auxiliary_job( |
9854730b LP |
175 | PullJob **ret, |
176 | const char *url, | |
91359193 LP |
177 | int (*strip_suffixes)(const char *name, char **ret), |
178 | const char *suffix, | |
c40d82ab | 179 | ImportVerify verify, |
9854730b | 180 | CurlGlue *glue, |
c40d82ab | 181 | PullJobOpenDisk on_open_disk, |
9854730b LP |
182 | PullJobFinished on_finished, |
183 | void *userdata) { | |
184 | ||
91359193 | 185 | _cleanup_free_ char *last_component = NULL, *ll = NULL, *auxiliary_url = NULL; |
9854730b LP |
186 | _cleanup_(pull_job_unrefp) PullJob *job = NULL; |
187 | const char *q; | |
188 | int r; | |
189 | ||
190 | assert(ret); | |
191 | assert(url); | |
91359193 | 192 | assert(strip_suffixes); |
9854730b LP |
193 | assert(glue); |
194 | ||
195 | r = import_url_last_component(url, &last_component); | |
196 | if (r < 0) | |
197 | return r; | |
198 | ||
91359193 | 199 | r = strip_suffixes(last_component, &ll); |
9854730b LP |
200 | if (r < 0) |
201 | return r; | |
202 | ||
91359193 | 203 | q = strjoina(ll, suffix); |
9854730b | 204 | |
91359193 | 205 | r = import_url_change_last_component(url, q, &auxiliary_url); |
9854730b LP |
206 | if (r < 0) |
207 | return r; | |
208 | ||
91359193 | 209 | r = pull_job_new(&job, auxiliary_url, glue, userdata); |
9854730b LP |
210 | if (r < 0) |
211 | return r; | |
212 | ||
c40d82ab | 213 | job->on_open_disk = on_open_disk; |
9854730b LP |
214 | job->on_finished = on_finished; |
215 | job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL; | |
c40d82ab | 216 | job->calc_checksum = IN_SET(verify, IMPORT_VERIFY_CHECKSUM, IMPORT_VERIFY_SIGNATURE); |
9854730b | 217 | |
1cc6c93a | 218 | *ret = TAKE_PTR(job); |
9854730b LP |
219 | return 0; |
220 | } | |
221 | ||
c40d82ab LP |
222 | static bool is_checksum_file(const char *fn) { |
223 | /* Returns true if the specified filename refers to a checksum file we grok */ | |
224 | ||
225 | if (!fn) | |
226 | return false; | |
227 | ||
228 | return streq(fn, "SHA256SUMS") || endswith(fn, ".sha256"); | |
229 | } | |
230 | ||
231 | static bool is_signature_file(const char *fn) { | |
232 | /* Returns true if the specified filename refers to a signature file we grok (reminder: | |
233 | * suse-style .sha256 files are inline signed) */ | |
234 | ||
235 | if (!fn) | |
236 | return false; | |
237 | ||
238 | return streq(fn, "SHA256SUMS.gpg") || endswith(fn, ".sha256"); | |
239 | } | |
240 | ||
dc2c282b LP |
241 | int pull_make_verification_jobs( |
242 | PullJob **ret_checksum_job, | |
243 | PullJob **ret_signature_job, | |
98c38001 | 244 | ImportVerify verify, |
c40d82ab | 245 | const char *checksum, /* set if literal checksum verification is requested, in which case 'verify' is set to _IMPORT_VERIFY_INVALID */ |
98c38001 LP |
246 | const char *url, |
247 | CurlGlue *glue, | |
dc2c282b | 248 | PullJobFinished on_finished, |
98c38001 LP |
249 | void *userdata) { |
250 | ||
dc2c282b | 251 | _cleanup_(pull_job_unrefp) PullJob *checksum_job = NULL, *signature_job = NULL; |
c40d82ab | 252 | _cleanup_free_ char *fn = NULL; |
98c38001 LP |
253 | int r; |
254 | ||
255 | assert(ret_checksum_job); | |
256 | assert(ret_signature_job); | |
c40d82ab LP |
257 | assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX); |
258 | assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0); | |
259 | assert((verify < 0) || !checksum); | |
98c38001 LP |
260 | assert(url); |
261 | assert(glue); | |
262 | ||
c40d82ab LP |
263 | /* If verification is turned off, or if the checksum to validate is already specified we don't need |
264 | * to download a checksum file or signature, hence shortcut things */ | |
265 | if (verify == IMPORT_VERIFY_NO || checksum) { | |
266 | *ret_checksum_job = *ret_signature_job = NULL; | |
267 | return 0; | |
268 | } | |
269 | ||
270 | r = import_url_last_component(url, &fn); | |
271 | if (r < 0 && r != -EADDRNOTAVAIL) /* EADDRNOTAVAIL means there was no last component, which is OK for | |
272 | * us, we'll just assume it's not a checksum/signature file */ | |
273 | return r; | |
274 | ||
275 | /* Acquire the checksum file if verification or signature verification is requested and the main file | |
276 | * to acquire isn't a checksum or signature file anyway */ | |
277 | if (verify != IMPORT_VERIFY_NO && !is_checksum_file(fn) && !is_signature_file(fn)) { | |
278 | _cleanup_free_ char *checksum_url = NULL; | |
279 | const char *suffixed = NULL; | |
98c38001 | 280 | |
697be0be | 281 | /* Queue jobs for the checksum file for the image. */ |
697be0be | 282 | |
c40d82ab LP |
283 | if (fn) |
284 | suffixed = strjoina(fn, ".sha256"); /* Start with the suse-style checksum (if there's a base filename) */ | |
285 | else | |
286 | suffixed = "SHA256SUMS"; | |
697be0be | 287 | |
c40d82ab | 288 | r = import_url_change_last_component(url, suffixed, &checksum_url); |
98c38001 LP |
289 | if (r < 0) |
290 | return r; | |
291 | ||
dc2c282b | 292 | r = pull_job_new(&checksum_job, checksum_url, glue, userdata); |
98c38001 LP |
293 | if (r < 0) |
294 | return r; | |
295 | ||
296 | checksum_job->on_finished = on_finished; | |
297 | checksum_job->uncompressed_max = checksum_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
c40d82ab | 298 | checksum_job->on_not_found = pull_job_restart_with_sha256sum; /* if this fails, look for ubuntu-style checksum */ |
98c38001 LP |
299 | } |
300 | ||
c40d82ab | 301 | if (verify == IMPORT_VERIFY_SIGNATURE && !is_signature_file(fn)) { |
98c38001 LP |
302 | _cleanup_free_ char *signature_url = NULL; |
303 | ||
304 | /* Queue job for the SHA256SUMS.gpg file for the image. */ | |
305 | r = import_url_change_last_component(url, "SHA256SUMS.gpg", &signature_url); | |
306 | if (r < 0) | |
307 | return r; | |
308 | ||
dc2c282b | 309 | r = pull_job_new(&signature_job, signature_url, glue, userdata); |
98c38001 LP |
310 | if (r < 0) |
311 | return r; | |
312 | ||
313 | signature_job->on_finished = on_finished; | |
314 | signature_job->uncompressed_max = signature_job->compressed_max = 1ULL * 1024ULL * 1024ULL; | |
315 | } | |
316 | ||
c20307fd LP |
317 | *ret_checksum_job = TAKE_PTR(checksum_job); |
318 | *ret_signature_job = TAKE_PTR(signature_job); | |
98c38001 LP |
319 | return 0; |
320 | } | |
321 | ||
91359193 | 322 | static int verify_one(PullJob *checksum_job, PullJob *job) { |
98c38001 | 323 | _cleanup_free_ char *fn = NULL; |
91359193 | 324 | const char *line, *p; |
98c38001 LP |
325 | int r; |
326 | ||
91359193 | 327 | assert(checksum_job); |
98c38001 | 328 | |
91359193 | 329 | if (!job) |
98c38001 LP |
330 | return 0; |
331 | ||
91359193 | 332 | assert(IN_SET(job->state, PULL_JOB_DONE, PULL_JOB_FAILED)); |
98c38001 | 333 | |
91359193 LP |
334 | /* Don't verify the checksum if we didn't actually successfully download something new */ |
335 | if (job->state != PULL_JOB_DONE) | |
336 | return 0; | |
337 | if (job->error != 0) | |
338 | return 0; | |
339 | if (job->etag_exists) | |
340 | return 0; | |
98c38001 | 341 | |
91359193 LP |
342 | assert(job->calc_checksum); |
343 | assert(job->checksum); | |
344 | ||
345 | r = import_url_last_component(job->url, &fn); | |
98c38001 | 346 | if (r < 0) |
c40d82ab | 347 | return log_error_errno(r, "Failed to extract filename from URL '%s': %m", job->url); |
98c38001 | 348 | |
baaa35ad ZJS |
349 | if (!filename_is_valid(fn)) |
350 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
351 | "Cannot verify checksum, could not determine server-side file name."); | |
98c38001 | 352 | |
c40d82ab LP |
353 | if (is_checksum_file(fn) || is_signature_file(fn)) /* We cannot verify checksum files or signature files with a checksum file */ |
354 | return log_error_errno(SYNTHETIC_ERRNO(ELOOP), | |
355 | "Cannot verify checksum/signature files via themselves."); | |
98c38001 | 356 | |
c40d82ab | 357 | line = strjoina(job->checksum, " *", fn, "\n"); /* string for binary mode */ |
e8b08edc LP |
358 | p = memmem_safe(checksum_job->payload, |
359 | checksum_job->payload_size, | |
360 | line, | |
361 | strlen(line)); | |
697be0be | 362 | if (!p) { |
c40d82ab | 363 | line = strjoina(job->checksum, " ", fn, "\n"); /* string for text mode */ |
e8b08edc LP |
364 | p = memmem_safe(checksum_job->payload, |
365 | checksum_job->payload_size, | |
366 | line, | |
367 | strlen(line)); | |
697be0be TB |
368 | } |
369 | ||
c40d82ab | 370 | /* Only counts if found at beginning of a line */ |
baaa35ad ZJS |
371 | if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) |
372 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
c40d82ab | 373 | "DOWNLOAD INVALID: Checksum of %s file did not check out, file has been tampered with.", fn); |
98c38001 | 374 | |
91359193 LP |
375 | log_info("SHA256 checksum of %s is valid.", job->url); |
376 | return 1; | |
377 | } | |
98c38001 | 378 | |
ac71ece3 LP |
379 | static int verify_gpg( |
380 | const void *payload, size_t payload_size, | |
381 | const void *signature, size_t signature_size) { | |
9854730b | 382 | |
71136404 | 383 | _cleanup_close_pair_ int gpg_pipe[2] = EBADF_PAIR; |
91359193 LP |
384 | char sig_file_path[] = "/tmp/sigXXXXXX", gpg_home[] = "/tmp/gpghomeXXXXXX"; |
385 | _cleanup_(sigkill_waitp) pid_t pid = 0; | |
386 | bool gpg_home_created = false; | |
387 | int r; | |
9854730b | 388 | |
ac71ece3 LP |
389 | assert(payload || payload_size == 0); |
390 | assert(signature || signature_size == 0); | |
98c38001 LP |
391 | |
392 | r = pipe2(gpg_pipe, O_CLOEXEC); | |
393 | if (r < 0) | |
0100b6e1 | 394 | return log_error_errno(errno, "Failed to create pipe for gpg: %m"); |
98c38001 | 395 | |
ac71ece3 | 396 | if (signature_size > 0) { |
5bb1d7fb | 397 | _cleanup_close_ int sig_file = -EBADF; |
98c38001 | 398 | |
ac71ece3 LP |
399 | sig_file = mkostemp(sig_file_path, O_RDWR); |
400 | if (sig_file < 0) | |
401 | return log_error_errno(errno, "Failed to create temporary file: %m"); | |
402 | ||
e22c60a9 | 403 | r = loop_write(sig_file, signature, signature_size); |
ac71ece3 LP |
404 | if (r < 0) { |
405 | log_error_errno(r, "Failed to write to temporary file: %m"); | |
406 | goto finish; | |
407 | } | |
98c38001 LP |
408 | } |
409 | ||
0acfdffe | 410 | if (!mkdtemp(gpg_home)) { |
5238e957 | 411 | r = log_error_errno(errno, "Failed to create temporary home for gpg: %m"); |
0acfdffe LP |
412 | goto finish; |
413 | } | |
414 | ||
415 | gpg_home_created = true; | |
416 | ||
0c2aedb4 YW |
417 | r = safe_fork_full("(gpg)", |
418 | (int[]) { gpg_pipe[0], -EBADF, STDERR_FILENO }, | |
419 | NULL, 0, | |
e9ccae31 | 420 | FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGTERM|FORK_REARRANGE_STDIO|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE, |
0c2aedb4 | 421 | &pid); |
4c253ed1 | 422 | if (r < 0) |
b6e1fff1 | 423 | return r; |
4c253ed1 | 424 | if (r == 0) { |
98c38001 LP |
425 | const char *cmd[] = { |
426 | "gpg", | |
427 | "--no-options", | |
428 | "--no-default-keyring", | |
429 | "--no-auto-key-locate", | |
430 | "--no-auto-check-trustdb", | |
431 | "--batch", | |
432 | "--trust-model=always", | |
0acfdffe LP |
433 | NULL, /* --homedir= */ |
434 | NULL, /* --keyring= */ | |
98c38001 LP |
435 | NULL, /* --verify */ |
436 | NULL, /* signature file */ | |
437 | NULL, /* dash */ | |
438 | NULL /* trailing NULL */ | |
439 | }; | |
ac71ece3 | 440 | size_t k = ELEMENTSOF(cmd) - 6; |
98c38001 LP |
441 | |
442 | /* Child */ | |
443 | ||
0acfdffe LP |
444 | cmd[k++] = strjoina("--homedir=", gpg_home); |
445 | ||
ac71ece3 | 446 | /* We add the user keyring only to the command line arguments, if it's around since gpg fails |
98c38001 LP |
447 | * otherwise. */ |
448 | if (access(USER_KEYRING_PATH, F_OK) >= 0) | |
449 | cmd[k++] = "--keyring=" USER_KEYRING_PATH; | |
1c49d1ba LP |
450 | else |
451 | cmd[k++] = "--keyring=" VENDOR_KEYRING_PATH; | |
98c38001 LP |
452 | |
453 | cmd[k++] = "--verify"; | |
ac71ece3 | 454 | if (signature) { |
697be0be TB |
455 | cmd[k++] = sig_file_path; |
456 | cmd[k++] = "-"; | |
457 | cmd[k++] = NULL; | |
458 | } | |
98c38001 | 459 | |
0acfdffe | 460 | execvp("gpg2", (char * const *) cmd); |
98c38001 LP |
461 | execvp("gpg", (char * const *) cmd); |
462 | log_error_errno(errno, "Failed to execute gpg: %m"); | |
463 | _exit(EXIT_FAILURE); | |
464 | } | |
465 | ||
466 | gpg_pipe[0] = safe_close(gpg_pipe[0]); | |
467 | ||
e22c60a9 | 468 | r = loop_write(gpg_pipe[1], payload, payload_size); |
98c38001 LP |
469 | if (r < 0) { |
470 | log_error_errno(r, "Failed to write to pipe: %m"); | |
471 | goto finish; | |
472 | } | |
473 | ||
474 | gpg_pipe[1] = safe_close(gpg_pipe[1]); | |
475 | ||
8f03de53 | 476 | r = wait_for_terminate_and_check("gpg", TAKE_PID(pid), WAIT_LOG_ABNORMAL); |
98c38001 LP |
477 | if (r < 0) |
478 | goto finish; | |
c40d82ab LP |
479 | if (r != EXIT_SUCCESS) |
480 | r = log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
481 | "DOWNLOAD INVALID: Signature verification failed."); | |
482 | else { | |
98c38001 LP |
483 | log_info("Signature verification succeeded."); |
484 | r = 0; | |
485 | } | |
486 | ||
487 | finish: | |
ac71ece3 LP |
488 | if (signature_size > 0) |
489 | (void) unlink(sig_file_path); | |
98c38001 | 490 | |
0acfdffe | 491 | if (gpg_home_created) |
c6878637 | 492 | (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL); |
0acfdffe | 493 | |
98c38001 LP |
494 | return r; |
495 | } | |
f14717a7 | 496 | |
ac71ece3 | 497 | int pull_verify(ImportVerify verify, |
c40d82ab | 498 | const char *checksum, /* Verify with literal checksum */ |
ac71ece3 | 499 | PullJob *main_job, |
ac71ece3 | 500 | PullJob *checksum_job, |
ff2f7797 LP |
501 | PullJob *signature_job, |
502 | PullJob *settings_job, | |
503 | PullJob *roothash_job, | |
504 | PullJob *roothash_signature_job, | |
505 | PullJob *verity_job) { | |
ac71ece3 | 506 | |
c40d82ab | 507 | _cleanup_free_ char *fn = NULL; |
ac71ece3 | 508 | VerificationStyle style; |
c40d82ab | 509 | PullJob *verify_job; |
ac71ece3 LP |
510 | int r; |
511 | ||
c40d82ab LP |
512 | assert(verify == _IMPORT_VERIFY_INVALID || verify < _IMPORT_VERIFY_MAX); |
513 | assert(verify == _IMPORT_VERIFY_INVALID || verify >= 0); | |
514 | assert((verify < 0) || !checksum); | |
ac71ece3 LP |
515 | assert(main_job); |
516 | assert(main_job->state == PULL_JOB_DONE); | |
517 | ||
c40d82ab | 518 | if (verify == IMPORT_VERIFY_NO) /* verification turned off */ |
ac71ece3 LP |
519 | return 0; |
520 | ||
c40d82ab LP |
521 | if (checksum) { |
522 | /* Verification by literal checksum */ | |
523 | assert(!checksum_job); | |
524 | assert(!signature_job); | |
525 | assert(!settings_job); | |
526 | assert(!roothash_job); | |
527 | assert(!roothash_signature_job); | |
528 | assert(!verity_job); | |
ac71ece3 | 529 | |
c40d82ab LP |
530 | assert(main_job->calc_checksum); |
531 | assert(main_job->checksum); | |
ac71ece3 | 532 | |
c40d82ab LP |
533 | if (!strcaseeq(checksum, main_job->checksum)) |
534 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
535 | "DOWNLOAD INVALID: Checksum of %s file did not check out, file has been tampered with.", | |
536 | main_job->url); | |
537 | ||
538 | return 0; | |
ff2f7797 | 539 | } |
ac71ece3 | 540 | |
c40d82ab LP |
541 | r = import_url_last_component(main_job->url, &fn); |
542 | if (r < 0) | |
543 | return log_error_errno(r, "Failed to extract filename from URL '%s': %m", main_job->url); | |
544 | ||
545 | if (is_signature_file(fn)) | |
546 | return log_error_errno(SYNTHETIC_ERRNO(ELOOP), | |
547 | "Main download is a signature file, can't verify it."); | |
548 | ||
549 | if (is_checksum_file(fn)) { | |
550 | log_debug("Main download is a checksum file, can't validate its checksum with itself, skipping."); | |
551 | verify_job = main_job; | |
552 | } else { | |
c40d82ab LP |
553 | assert(main_job->calc_checksum); |
554 | assert(main_job->checksum); | |
555 | assert(checksum_job); | |
556 | assert(checksum_job->state == PULL_JOB_DONE); | |
557 | ||
558 | if (!checksum_job->payload || checksum_job->payload_size <= 0) | |
559 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
560 | "Checksum is empty, cannot verify."); | |
561 | ||
2d708781 MY |
562 | PullJob *j; |
563 | FOREACH_ARGUMENT(j, main_job, settings_job, roothash_job, roothash_signature_job, verity_job) { | |
c40d82ab LP |
564 | r = verify_one(checksum_job, j); |
565 | if (r < 0) | |
566 | return r; | |
567 | } | |
568 | ||
569 | verify_job = checksum_job; | |
570 | } | |
571 | ||
572 | if (verify != IMPORT_VERIFY_SIGNATURE) | |
ac71ece3 LP |
573 | return 0; |
574 | ||
c40d82ab LP |
575 | assert(verify_job); |
576 | ||
577 | r = verification_style_from_url(verify_job->url, &style); | |
ac71ece3 | 578 | if (r < 0) |
c40d82ab | 579 | return log_error_errno(r, "Failed to determine verification style from URL '%s': %m", verify_job->url); |
ac71ece3 LP |
580 | |
581 | if (style == VERIFICATION_PER_DIRECTORY) { | |
582 | assert(signature_job); | |
583 | assert(signature_job->state == PULL_JOB_DONE); | |
584 | ||
585 | if (!signature_job->payload || signature_job->payload_size <= 0) | |
586 | return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), | |
587 | "Signature is empty, cannot verify."); | |
588 | ||
c40d82ab | 589 | return verify_gpg(verify_job->payload, verify_job->payload_size, signature_job->payload, signature_job->payload_size); |
ac71ece3 | 590 | } else |
c40d82ab | 591 | return verify_gpg(verify_job->payload, verify_job->payload_size, NULL, 0); |
ac71ece3 LP |
592 | } |
593 | ||
f14717a7 LP |
594 | int verification_style_from_url(const char *url, VerificationStyle *ret) { |
595 | _cleanup_free_ char *last = NULL; | |
596 | int r; | |
597 | ||
598 | assert(url); | |
599 | assert(ret); | |
600 | ||
601 | /* Determines which kind of verification style is appropriate for this url */ | |
602 | ||
603 | r = import_url_last_component(url, &last); | |
604 | if (r < 0) | |
605 | return r; | |
606 | ||
607 | if (streq(last, "SHA256SUMS")) { | |
608 | *ret = VERIFICATION_PER_DIRECTORY; | |
609 | return 0; | |
610 | } | |
611 | ||
612 | if (endswith(last, ".sha256")) { | |
613 | *ret = VERIFICATION_PER_FILE; | |
614 | return 0; | |
615 | } | |
616 | ||
617 | return -EINVAL; | |
618 | } | |
619 | ||
620 | int pull_job_restart_with_sha256sum(PullJob *j, char **ret) { | |
621 | VerificationStyle style; | |
622 | int r; | |
623 | ||
624 | assert(j); | |
625 | ||
626 | /* Generic implementation of a PullJobNotFound handler, that restarts the job requesting SHA256SUMS */ | |
627 | ||
628 | r = verification_style_from_url(j->url, &style); | |
629 | if (r < 0) | |
630 | return log_error_errno(r, "Failed to determine verification style of URL '%s': %m", j->url); | |
631 | ||
632 | if (style == VERIFICATION_PER_DIRECTORY) /* Nothing to do anymore */ | |
633 | return 0; | |
634 | ||
635 | assert(style == VERIFICATION_PER_FILE); /* This must have been .sha256 style URL before */ | |
636 | ||
637 | log_debug("Got 404 for %s, now trying to get SHA256SUMS instead.", j->url); | |
638 | ||
639 | r = import_url_change_last_component(j->url, "SHA256SUMS", ret); | |
640 | if (r < 0) | |
641 | return log_error_errno(r, "Failed to replace SHA256SUMS suffix: %m"); | |
642 | ||
643 | return 1; | |
644 | } | |
c40d82ab LP |
645 | |
646 | bool pull_validate_local(const char *name, PullFlags flags) { | |
647 | ||
648 | if (FLAGS_SET(flags, PULL_DIRECT)) | |
649 | return path_is_valid(name); | |
650 | ||
651 | return hostname_is_valid(name, 0); | |
652 | } | |
653 | ||
654 | int pull_url_needs_checksum(const char *url) { | |
655 | _cleanup_free_ char *fn = NULL; | |
656 | int r; | |
657 | ||
658 | /* Returns true if we need to validate this resource via a hash value. This returns true for all | |
659 | * files — except for gpg signature files and SHA256SUMS files and the like, which are validated with | |
660 | * a validation tool like gpg. */ | |
661 | ||
662 | r = import_url_last_component(url, &fn); | |
663 | if (r == -EADDRNOTAVAIL) /* no last component? then let's assume it's not a signature/checksum file */ | |
664 | return false; | |
665 | if (r < 0) | |
666 | return r; | |
667 | ||
668 | return !is_checksum_file(fn) && !is_signature_file(fn); | |
669 | } |